基于改进三元组网络和K近邻算法的入侵检测

入侵检测一直以来被视作是保证网络安全的重要手段。针对网络入侵检测中检测准确率和计算效率难以兼顾的问题，借鉴深度度量学习思想，提出了改进三元组网络（imTN）结合K近邻（KNN）的网络入侵检测模型imTN-KNN。首先，设计了适用于解决入侵检测问题的三元组网络结构，以获取更有利于后续分类的距离特征；其次，为了应对移除传统模型中的批量归一化（BN）层造成过拟合进而影响检测精度的问题，引入了Dropout层和Sigmoid激活函数来替换BN层，从而提高模型性能；最后，用多重相似性损失函数替换传统三元组网络模型的损失函数。此外，将imTN的距离特征输出作为KNN算法的输入再次训练。在基准数据集IDS2018上的对比实验表明：与现有性能良好的基于深度神经网络的入侵检测系统（IDS-DNN）和基于卷积神经网络与长短期记忆（CNN-LSTM）的检测模型相比，在Sub_DS3子集上，imTN-KNN的检测准确率分别提高了2.76%和4.68%，计算效率分别提高了69.56%和74.31%。

Intrusion detection based on improved triplet network and K-nearest neighbor algorithm

Intrusion detection is one of the important means to ensure network security. To address the problem that it is difficult to balance detection accuracy and computational efficiency in network intrusion detection, based on the idea of deep metric learning, a network intrusion detection model combining improved Triplet Network (imTN) and K-Nearest Neighbor (KNN) was proposed, namely imTN-KNN. Firstly, a triplet network structure suitable for solving intrusion detection problems was designed to obtain the distance features that are more conducive to the subsequent classification. Secondly, due to the overfitting problem caused by removing the Batch Normalization (BN) layer from the traditional model which affected the detection precision, a Dropout layer and a Sigmoid activation layer were introduced to replace the BN layer, thus improving the model performance. Finally, the loss function of the traditional triplet network model was replaced with the multi-similarity loss function. In addition, the distance feature output of the imTN was used as the input of the KNN algorithm for retraining. Comparison experiments on the benchmark dataset IDS2018 show that compared with the Deep Neural Network based Intrusion Detection System (IDS-DNN) and Convolutional Neural Networks and Long Short Term Memory (CNN-LSTM) based detection model, the detection accuracy of imTN-KNN is improved by 2.76% and 4.68% on Sub_DS3, and the computational efficiency is improved by 69.56% and 74.31%.