基于端口互动模式的入侵检测模型

针对链路层的海量高速数据流、信息易被伪装、较小异常流量占比等特征，提出了一种基于端口互动模式量化模型的入侵检测模型。为提高入侵检测模型的精度和效率，提出了一种从初始流量中获取流量特征的新方法，并重点探讨如何以流量到达时间分布作为一维特征。使用相空间重构、可视化等方法证明了模型的有效性，并进一步根据长会话和短会话各自的特征设计了基于卷积层和长短时记忆层的改进神经网络，用以挖掘正常和异常流量端口互动模式之间的差异。在此基础上，设计了多模型评分机制下的改进入侵检测算法，对模型空间内的会话进行流量分类。所提出的量化模型和改进算法在提高计算效率的同时，能够有效避免伪装身份信息的情况，降低神经网络训练成本，提升小样本异常检测精度。

An Intrusion Detection Model Based on Port Interaction Mode

According to the characteristics of link layer,such as massive high-speed data flow,information easy to be camouflaged,small abnormal traffic proportion,an intrusion detection model based on quantitative model of port interaction mode is proposed.To improve the accuracy and efficiency of intrusion detection model,a new method that obtains the traffic characteristics from the initial traffic is proposed,with focus on how to use the traffic arrival time distribution as one-dimensional characteristics.The phase space reconstruction and visualization methods are used to prove the effectiveness of port interaction mode.According to the characteristics of long session and short session,an improved neural network based on convolution layer and long short memory layer is designed to mine the differences between normal and abnormal port interaction modes.On this basis,an improved intrusion detection algorithm based on multi-model scoring mechanism is designed to classify the sessions in the model space.The proposed quantization model and improved algorithm can effectively avoid camouflage of identity information,reduce the training cost of neural network,and improve the accuracy of small sample anomaly detection.