Hao Zhang, Yongdan Li, Zhihan Lv, Senior Member, IEEE, Arun Kumar Sangaiah, and Tao Huang
Abstract—In recent years, network traffic data have become larger and more complex, increasing the likelihood of network intrusion. Traditional intrusion detection methods have difficulty processing high-speed network data and cannot detect previously unknown attacks. This paper therefore proposes a network attack detection method that combines flow (stream) calculation and deep learning. The method consists of two parts: a real-time detection algorithm based on flow calculation and frequent patterns, and a classification algorithm based on a deep belief network and support vector machine (DBN-SVM). Sliding-window (SW) stream processing enables real-time detection, and the DBN-SVM algorithm improves classification accuracy. Finally, to verify the proposed method, a system is implemented. Based on the CICIDS2017 open data set, a series of comparative experiments is conducted. The method's real-time detection efficiency is higher than that of traditional machine learning algorithms. Its attack classification accuracy is 0.7 percentage points higher than that of a DBN alone, which in turn is 2 percentage points higher than that of the boosting and bagging ensemble methods. Hence, it is suitable for the real-time detection of intrusions in high-speed networks.
IN this technological era, network and internet speeds have reached gigabit-per-second and even terabit-per-second levels. At the same time, the likelihood of cyberattacks that steal personal and secret information from computers and networks is also increasing. According to the "China internet industry market analysis report" released by the Internet Society of China, the growth rate of mobile internet access traffic in 2017 was 162.26%. Against the background of high-speed networks, network attack methods have gradually become characterized by high intensity, low cost, strong destructiveness, high concealment and a shift toward application layer protocols, with denial-of-service (DoS) and web application attacks being representative. How to quickly identify network attacks is one of the key technical problems and a hot research topic in the field of network security. Although existing protection software and intrusion detection systems (IDSs) can, to a certain extent, detect and block attacks that are occurring or have occurred, the advent of the big data era and the problem of continuous massive data flows pose new challenges for them. Traditional network intrusion detection systems (NIDSs) often suffer from a high packet loss rate and a high missed detection rate on current high-speed networks. How to meet this challenge by establishing an intrusion detection model that can analyze high-speed data has become a key issue, with broad application potential for effectively improving network security.
Aiming at the shortcomings of the traditional NIDS exposed by high-speed networks, a real-time intrusion detection method is designed in this paper. 1) The method uses NetFlow to capture the data flow in a network and then preprocesses the data, including data format conversion, data cleaning and standardization. 2) It mines frequent patterns in the data based on nested sliding windows (NSW) and a genetic algorithm. It then compares these patterns with a safe frequent pattern set and an attack frequent pattern set to determine whether they represent normal data, known attacks or unknown attacks, so that network intrusion behaviors are detected efficiently in real time. 3) For data identified as attacks, a classification algorithm based on the deep belief network and support vector machine (DBN-SVM) [1] is applied to classify the attack type accurately. 4) Compared with existing detection methods, the intrusion detection method proposed in this paper is found to have higher accuracy and detection efficiency. It is therefore suitable for the current high-capacity, high-speed network environment.
The rest of this paper is organized as follows. Section II introduces the related research. Section III introduces the intrusion detection model. Section IV introduces the implementation of the IDS. Section V presents the experimental results. Section VI provides directions and suggestions for future work.
In 1986, the IDS concept was first introduced by Denning [2], [3]. Research since then has mainly followed two directions: improving the efficiency of intrusion detection and the completeness of IDSs for networks, and improving the accuracy of intrusion detection on public data sets.
In recent years, due to the continuous growth of data streams, many new methods have been proposed for network data. Storm is used to process data flows in real time [4]; then, based on the characteristics of this flow calculation, an intrusion scene reconstruction system is designed that provides a basis for real-time alarm correlation analysis. Zhu et al. [5] use sliding-window (SW) and data stream clustering technology to design a data stream clustering algorithm based on a sliding window and construct a network security defense model; however, its detection capability for unknown attacks still requires improvement. Ge [6] uses a sliding-window model combining transactions and time, represents data with weighted bit objects and bit object groups, constructs a frequent pattern tree, proposes an algorithm that can extract the maximal frequent patterns of a data stream with an unsteady flow rate, and then proposes an IDS based on data stream mining; however, this model cannot distinguish among attack types. Chu et al. [7] propose a real-time intrusion detection framework model based on data stream mining, which provides a new idea for intrusion detection research in this area: it combines data stream mining with network security but does not form a complete system. Yu et al. [8] propose a data-stream-based anomaly intrusion detection mechanism and a two-stage anomaly detection method based on data stream clustering, which generates statistical information about network data online and detects intrusions using statistics that reflect current network behavior.
This method performs better than intrusion detection based on all historical data and overcomes the problem of insufficient system resources such as memory; however, its detection accuracy is lower than that of detection based on all historical data. Sadhasivan et al. [9] propose a new adaptive-rule-based IDS, ARMA-IDS (auto-regressive moving average model intrusion detection system), for secure data transmission in networks. ARMA-IDS, which combines density-based clustering with several components, including a sniffer, a filter, a rule mining approach (RMA), an anomaly detection approach (ADA) and a rule-based approach (RBA), can handle many situations effectively but cannot achieve real-time intrusion detection. Shamshirband et al. [10] discuss traditional multiagent IDSs built on computational intelligence (CI) techniques and analyze the significance, limitations and prevention mechanisms of various IDSs. Chauhan et al. [11] analyze data mining algorithms used for intrusion detection in distributed environments and the defects of such environments, such as a high false alarm rate and low efficiency, which result in a low detection rate. Davis et al. [12] propose a data preprocessing technique for anomaly-based network intrusion detection that infers network hot behavior and DoS attack behavior from time-based statistics. High variance and bias are typical of traditional NIDSs; Joshi et al. [13] use binary classifiers together with multiboosting to reduce both. Their binary classifier with feature selection increases detection efficiency when new attacks arrive. Nadiammai et al. [14] use EDADT (efficient data adapted decision tree), a hybrid IDS, and a semisupervised, variable HOPERAA (hopping period alignment and adjustment) algorithm to solve problems in wireless sensor networks.
These tools can be applied to distributed network environments such as smart grids, which are composed of components such as sensors, digital meters and digital controls. Panda et al. [15] propose an intelligent hybrid technique for intrusion detection that uses a two-level classification strategy and 10-fold cross-validation. Biswas et al. [16] apply the multiagent concept in a multilevel IDS, store the various attack types in a database, and analyze the dependency relationship between newly arriving attack types and the database; however, their method does not meet the needs of real-time detection. Wang et al. [17] use the affinity propagation (AP) algorithm to learn behaviors by dynamic clustering and to address the shortage of labeled data, an important problem in NIDSs. Classifying network activities as either normal or abnormal can effectively reduce misclassification, but the classification of attack types is lacking. Chen et al. [18] propose D-Stream, a framework for clustering stream data using a density-based approach. D-Stream uses an online component that maps each input record into a grid and an offline component that computes the grid density and clusters the grids by density. Rathore et al. [19] propose a real-time IDS based on Hadoop that contains four layers: a capturing layer, a filtration and load balancing layer, a processing layer and a decision-making layer. First, the capturing layer grabs packets from the capture device. Then, the filtration and load balancing layer filters known data according to whether they are "normal" or "abnormal" and sends any unrecognized data to the processing layer, where they are processed by Hadoop's MapReduce framework; the results are then sent to the decision-making layer.
Various algorithms are widely used in research on intrusion detection to improve accuracy. Li et al. [20], Abdulla et al. [21] and Terzi et al. [22] apply the K-nearest neighbor (KNN), SVM and K-means clustering algorithms, respectively, to network intrusion detection. Syarif et al. [23] propose an intrusion detection mechanism based on particle swarm optimization and the KNN algorithm, with experiments showing that the method improves the accuracy of KNN. Wagner et al. [24] and Khan et al. [25] use the SVM for intrusion classification. Ferreira et al. [26] design an IDS based on wavelets and an artificial neural network for knowledge discovery, evaluated on a KDD (knowledge discovery and data mining) data set. Sindhu et al. [27] eliminate redundancy with an unbiased feature selection algorithm and improve detection accuracy by constructing a neural tree. Louvieris et al. [28] propose anomaly-based detection technology to improve operators' awareness of new attacks in a network and combine naive Bayes, K-means and the C4.5 decision tree to enhance IDS accuracy. Karami et al. [29] propose a hybrid IDS with training and classification stages that uses particle swarm optimization (PSO), K-means and fuzzy methods to detect unknown attacks. In the training stage, a novel combination of PSO and K-means, which uses two cost functions and performs local optimization to find the best number of clusters, is applied. In the classification stage, fuzzy if-then rules are used to separate normal and abnormal results in new monitoring data that do not appear in the training set. The fuzzy rules reduce the false alarm rate; however, the response time of the training phase increases, and real-time performance still requires improvement.
The above methods improve detection accuracy to some extent, but most of them are trained on static data sets such as KDD Cup 99, so they cannot meet the real-time requirements of real network environments, and they lack model updating mechanisms for detecting unknown attacks.
Several existing systems and algorithmic models have attempted to solve the problem of intrusion detection for high-speed data streams. However, DoS intrusion detection on high-speed data streams is still hindered by low calculation speeds and inaccurate classification of attack types. Hence, this paper proposes a real-time network attack detection method based on flow calculation and the DBN-SVM. It consists of two parts: real-time identification of attack behavior and an attack classification algorithm. The stream computing and DBN-SVM (SC&D-S) real-time intrusion detection system proposed in this paper improves the real-time detection speed and classification accuracy of IDSs and performs well in detecting unknown attacks.
The intrusion real-time detection model proposed in this paper consists of two parts: attack behavior real-time identification and attack classification, as shown in Fig. 1.
A. Real-time Network Attack Detection model (RTNADM)
Network data are growing so rapidly that they cannot be processed in time, and the accuracy of conventional intrusion detection technology decreases with the high probability of attack introduced by the complexity of cloud computing environments and networks. To address this, a nested sliding window genetic algorithm is used to mine frequent patterns, built on the parallel computing technology of cloud computing. First, a pattern generator extracts behavior characteristics and constructs an attack map, forming the current behavior pattern library. A pattern matcher then matches normal and abnormal behavior patterns, and the matching results (normal, attack or suspicious behavior) are reported to the user. At the same time, a training learner analyzes uncertain data thoroughly, and the normal behavior pattern library and abnormal behavior pattern library are updated incrementally. The core of the algorithm lies in forming a knowledge base and constructing a learning process, that is, constructing a multidimensional user access pattern base, screening characteristic events, and mining and querying frequent patterns in a multidimensional data stream.
Screening the 84 features of the analyzed training set and keeping as few features as possible can effectively improve the calculation speed; however, a satisfactory detection accuracy must also be ensured. Therefore, a modified genetic algorithm is adopted that represents a feature subset as a vector $p = (x_1, x_2, \ldots, x_n)$, in which each $x_i$ ($i = 1, \ldots, n$) takes the value 0 or 1, with 0 indicating that the feature is included and 1 indicating that it is excluded. These feature vectors are treated as the chromosome codes of the genetic algorithm.
There are $n \times m$ entries in a sliding window. When mining frequent patterns, $\beta_{ij}$ is used to indicate whether entry $i$ contains item $j$.
Mining frequent patterns from data streams can provide an important basis for decision-making in data stream applications, as shown in Fig. 2. However, because data streams are continuous, the frequent pattern information they contain changes continuously as new data are produced. In most data stream applications, users pay more attention to the patterns contained in the most recent transactions.
Two sets of itemsets are maintained: a frequent set (with support and confidence above the thresholds) and an approximate frequent set (with support and confidence below but very close to the thresholds). Over time, the support of an itemset in the frequent set may decrease, while the support of an itemset in the approximate frequent set may gradually increase. The frequent sets are therefore updated in each subsequent time window: itemsets whose support and confidence have fallen are discarded, and itemsets whose support and confidence have risen are promoted. At the same time, the occurrence counts of the itemsets in the approximate frequent set are accumulated and recorded.
Records containing attack patterns are marked as attack records; records whose frequent itemsets are completely covered by normal behavior models are marked as normal records; records with frequent itemsets that can be confirmed by neither the normal models nor the attack models are marked as suspicious records; and records without any frequent itemsets are marked as low-frequency records. The user determines whether a suspicious record is normal or abnormal. Further analysis of low-frequency records can reveal slow-scanning attacks and enable an automatic response to intrusion behavior.
Fig. 1. SC & D-S intrusion detection model.
Fig. 2. Flow calculation.
B. Attack Classification Model (ACM)
This model classifies the attack type of the identified and suspected attacks that have been detected. The first step is to normalize the data. Via the layer-by-layer feature transformation of the DBN's multiple hidden layers, a large volume of high-dimensional, nonlinear, unlabeled original data is reduced to an optimal low-dimensional representation, significantly reducing the dimensionality of the data, i.e., preserving the key features while removing redundant ones, as shown in Fig. 3. The second step is to use a binary tree to construct a multiclass SVM classifier from several two-class SVMs and identify the network attack behavior from the low-dimensional representation. With five two-class SVM classifiers constructed in this way, benign traffic and four attack states can be distinguished in the low-dimensional data set.
Fig. 3. SC & D-S intrusion detection model.
The design of the multiclass SVM classifier is shown in Fig. 4. There are four attack states: DoS GoldenEye, DoS Hulk, DoS Slowhttptest and DoS slowloris. This paper uses a binary tree to construct only five two-class SVM classifiers, each separating one class from the remaining four. For SVM1, an output of +1 indicates a normal (BENIGN) sample, while an output of −1 indicates a sample of one of the four attack types (DoS GoldenEye, DoS Hulk, DoS Slowhttptest or DoS slowloris). For SVM2, +1 indicates DoS GoldenEye, and −1 indicates BENIGN or one of the other three attacks (DoS Hulk, DoS Slowhttptest, DoS slowloris). For SVM3, +1 indicates DoS Hulk, and −1 indicates BENIGN, DoS GoldenEye, DoS Slowhttptest or DoS slowloris. For SVM4, +1 indicates DoS Slowhttptest, and −1 indicates BENIGN, DoS GoldenEye, DoS Hulk or DoS slowloris. For SVM5, +1 indicates DoS slowloris, and −1 indicates BENIGN, DoS GoldenEye, DoS Hulk or DoS Slowhttptest.
The SC&D-S IDS adopts a multiprocess approach to realize the two-part model: real-time identification of attack behavior and classification of attacks. When network data streams enter the real-time IDS, frequent pattern mining is first carried out to quickly sort records into four categories: low-frequency, normal, attack and suspicious. Attack and suspicious data are isolated and recorded first so that they cannot harm the server system and database. Then, for attack and suspicious data, the attack types are classified with the help of expert analysis.
A. Implementation of Frequent Pattern Mining
To solve the problem of low-accuracy frequent pattern mining that results from a single scan of the current data stream, a method combining the nested sliding window genetic algorithm with frequent pattern mining, the nested sliding window genetic method (NSWGM), is adopted on top of cloud parallel computing technology. First, the data in the current window are scanned using sliding window technology. Next, the data in the current window are partitioned into blocks to form nested data subwindow groups. Then, the frequent itemsets in each nested data subwindow are mined with a parallel genetic algorithm. Finally, the frequent patterns of the current sliding window are formed by merging the block-level frequent patterns of the nested subwindows and rescanning the window.
The NSWGM consists of three parts, the division into nested subwindows, frequent itemset mining in each nested subwindow, and aggregate scanning, as shown in Figs. 5 and 6. The model feeds the data stream into the sliding window, and its output is the maximal frequent itemsets over the dynamic flow of the data stream. First, the parallel genetic algorithm mines frequent itemsets from the latest data in each nested subwindow of the sliding window. Second, the frequent itemsets of all nested subwindows are collected and scanned to obtain the final frequent itemsets of the current sliding window. Third, as new data flow into the sliding window and old data flow out, the old data are periodically deleted to form a new window data set. These steps are repeated until the data stream stops.
Fig. 5. Incremental query model for data stream.
Fig. 6. Frequent pattern group formation.
In the first part, the data in the sliding window are preprocessed: the continuous-valued dimensions are divided into fuzzy intervals and converted into symbolic values so that they can be treated as items. The mining of frequent itemsets for each nested data subwindow using the genetic algorithm is carried out as shown in Algorithm 1.
Algorithm 1 Use of genetic algorithm to mine frequent itemsets
6. Output the maximal frequent itemsets and the candidate frequent itemsets.
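To make the nested-subwindow procedure concrete, the following is an added example in Python; it is not the authors' implementation. It keeps the structure of the NSWGM: mine each block of the window, merge the block-level candidates, then rescan the whole window once. The per-block genetic search of Algorithm 1 is replaced by a level-wise Apriori-style enumeration, and the stream records are constructed, discretised flow attributes rather than CICIDS2017 data.

```python
"""Nested sliding-window frequent itemset mining over a discretised flow stream."""
import math
from collections import Counter, deque
from itertools import combinations

# Constructed sample stream (NOT CICIDS2017 data): each record is the set of
# discretised attribute values observed for one flow.
STREAM = [
    {"tcp", "dport=80", "syn", "dur=short"},
    {"tcp", "dport=80", "syn", "dur=long"},
    {"tcp", "dport=443", "syn", "dur=short"},
    {"udp", "dport=53", "dur=short"},
    {"tcp", "dport=80", "syn", "dur=long"},
    {"tcp", "dport=80", "psh-ack", "dur=long"},
    {"tcp", "dport=443", "syn", "dur=short"},
    {"udp", "dport=53", "dur=short"},
]


def mine_frequent_itemsets(records, min_count):
    """Level-wise (Apriori-style) enumeration of every itemset whose support
    count in `records` is at least `min_count`. This stands in for the genetic
    search of Algorithm 1. Returns {frozenset(items): count}."""
    records = [frozenset(r) for r in records]
    item_counts = Counter(item for r in records for item in r)
    level = {frozenset([i]): c for i, c in item_counts.items() if c >= min_count}
    frequent = dict(level)
    while level:
        # Join frequent (k-1)-itemsets into k-candidates and keep only those
        # whose (k-1)-subsets are all frequent (support is anti-monotone).
        candidates = set()
        for x, y in combinations(level, 2):
            u = x | y
            if len(u) == len(x) + 1 and all((u - {i}) in level for i in u):
                candidates.add(u)
        counts = Counter()
        for r in records:
            for c in candidates:
                if c <= r:
                    counts[c] += 1
        level = {c: n for c, n in counts.items() if n >= min_count}
        frequent.update(level)
    return frequent


def mine_window_nested(window, n_sub, min_support):
    """NSWGM-style mining: split the window into `n_sub` nested subwindows,
    mine each block locally, then rescan the whole window once to count the
    union of block-level candidates. With equal-sized blocks and a relative
    threshold, every globally frequent itemset is frequent in at least one
    block (pigeonhole), so the merge step loses nothing."""
    window = [frozenset(r) for r in window]
    block = max(1, math.ceil(len(window) / n_sub))
    blocks = [window[i:i + block] for i in range(0, len(window), block)]
    candidates = set()
    for b in blocks:
        candidates |= set(mine_frequent_itemsets(b, math.ceil(min_support * len(b))))
    min_count = math.ceil(min_support * len(window))
    counts = Counter()
    for r in window:
        for c in candidates:
            if c <= r:
                counts[c] += 1
    return {c: n for c, n in counts.items() if n >= min_count}


def maximal_itemsets(frequent):
    """Maximal frequent itemsets: those with no frequent proper superset."""
    return {s for s in frequent if not any(s < t for t in frequent)}


class NestedSlidingWindow:
    """Fixed-size sliding window: once full, each push evicts the oldest
    record and returns the frequent itemsets of the current window."""

    def __init__(self, size, n_sub, min_support):
        self.buf = deque(maxlen=size)
        self.n_sub, self.min_support = n_sub, min_support

    def push(self, record):
        self.buf.append(frozenset(record))
        if len(self.buf) < self.buf.maxlen:
            return None  # window not yet full
        return mine_window_nested(list(self.buf), self.n_sub, self.min_support)


if __name__ == "__main__":
    sw = NestedSlidingWindow(size=8, n_sub=2, min_support=0.5)
    result = None
    for rec in STREAM:
        result = sw.push(rec)
    for s in sorted(maximal_itemsets(result), key=sorted):
        print(sorted(s), result[s])
```

With an 8-record window, two subwindows and a 50% support threshold, the per-block threshold is 2 and the window threshold is 4; the maximal itemsets of the constructed stream come out as {tcp, dport=80}, {tcp, syn} and {dur=short}. When the blocks are not equal-sized (window length not divisible by `n_sub`), the pigeonhole guarantee no longer holds exactly and a globally frequent itemset can be missed, which is the accuracy problem the rescan is meant to limit.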
B. Implementation of Real-Time Identification Model for Attack Behavior
The RTNADM (real-time network attack detection model) is divided into two stages: training and detection. The training stage covers both normal and attack behaviors. First, the normal behavior database of the network system is established from the maximal frequent itemsets of a clean (attack-free) data set. Then, the attack database is established from a training data set that contains intrusion behavior. In the detection stage, the normal behavior database and attack database obtained in training are compared with the frequent records in the sliding window: a sliding window monitors the network traffic data, the maximal frequent itemset algorithm is applied to it, and the resulting frequent itemsets are compared with the normal behavior database and the attack database. Records containing attack patterns are marked as attack records; records whose frequent itemsets are completely covered by normal behavior models are marked as normal records; records with frequent itemsets confirmed by neither the normal models nor the attack models are marked as suspicious records; and records without any frequent itemsets are marked as low-frequency records. An expert judges whether a suspicious record is normal or abnormal. Further analysis of low-frequency records can reveal slow-scanning attacks and enable an automatic response to intrusion behavior. This process repeatedly yields the most recent data sample from the sliding window, which is used to update the incremental library of the classification model.
To address the insufficient query efficiency and real-time performance caused by the fast incremental updating of data streams, this paper proposes a data stream incremental query model. As shown in Fig. 7, when data are updated, an incremental database is maintained, and only the suspicious records are compared against it. Once a record has been determined to be of normal or attack type by comparison with the incremental database, the query result is obtained in a single pass, ensuring satisfactory real-time performance of the query operation. At the same time, pattern matching, correlation analysis and other data stream mining operations built on the incremental query are carried out at lower computational cost.
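As an added example, not the authors' code, the following Python implements the four-way labelling rule of the detection stage together with the incremental database consulted only for suspicious records. The pattern libraries, the window's frequent itemsets and the records are all constructed. The follow-up analysis of low-frequency records (counting distinct destination ports per source, with `src=`/`dport=` tokens and a port threshold) is this example's own slow-scan heuristic, not a procedure the paper specifies.

```python
"""Record labelling against normal/attack pattern libraries, with an incremental
database for analyst-resolved suspicious patterns and a slow-scan follow-up."""
from collections import defaultdict

# Constructed pattern libraries (not mined from CICIDS2017 here): maximal
# frequent itemsets from a clean training window and from an attack window.
NORMAL_PATTERNS = {
    frozenset({"tcp", "dport=80", "syn", "dur=short"}),
    frozenset({"udp", "dport=53", "dur=short"}),
}
ATTACK_PATTERNS = {
    frozenset({"tcp", "dport=80", "syn", "dur=long"}),
}
# Constructed stand-in for the maximal frequent itemsets of the current window.
WINDOW_FREQUENT = {
    frozenset({"tcp", "dport=80", "syn", "dur=short"}),
    frozenset({"tcp", "dport=80", "syn", "dur=long"}),
    frozenset({"udp", "dport=53", "dur=short"}),
    frozenset({"tcp", "dport=443", "syn"}),
}

ATTACK, NORMAL, SUSPICIOUS, LOW_FREQUENCY = "attack", "normal", "suspicious", "low-frequency"


class IncrementalDetector:
    def __init__(self, normal, attack):
        self.normal = set(normal)
        self.attack = set(attack)
        self.incremental = {}  # itemset -> verdict, filled by analyst decisions
        self.pending = []      # suspicious records awaiting an analyst

    def classify(self, record, window_frequent):
        """Four-way rule: attack pattern present -> attack; no frequent itemset
        -> low-frequency; all itemsets covered by normal models -> normal;
        otherwise suspicious, resolved by a single incremental-database lookup."""
        record = frozenset(record)
        itemsets = [s for s in window_frequent if s <= record]
        if any(a <= s for a in self.attack for s in itemsets):
            return ATTACK
        if not itemsets:
            return LOW_FREQUENCY
        if all(any(s <= n for n in self.normal) for s in itemsets):
            return NORMAL
        for s in itemsets:                      # one-pass lookup only
            if s in self.incremental:
                return self.incremental[s]
        self.pending.append((record, itemsets))
        return SUSPICIOUS

    def analyst_decision(self, itemset, verdict):
        """Record an analyst verdict; the pattern libraries grow incrementally
        and any pending record carrying that itemset is released."""
        itemset = frozenset(itemset)
        self.incremental[itemset] = verdict
        (self.attack if verdict == ATTACK else self.normal).add(itemset)
        self.pending = [p for p in self.pending if itemset not in p[1]]


class SlowScanTracker:
    """Follow-up for low-frequency records (example heuristic, not from the
    paper): a source that touches many distinct destination ports, however
    slowly, is flagged as a slow scan once `port_threshold` is reached."""

    def __init__(self, port_threshold=5):
        self.ports = defaultdict(set)
        self.threshold = port_threshold

    def observe(self, record):
        src = next((t for t in record if t.startswith("src=")), None)
        dport = next((t for t in record if t.startswith("dport=")), None)
        if src is None or dport is None:
            return False
        self.ports[src].add(dport)
        return len(self.ports[src]) >= self.threshold


def process(detector, scanner, records, window_frequent):
    """Label each record; low-frequency records are also fed to the slow-scan
    tracker. Returns [(label, slow_scan_flag), ...] in input order."""
    out = []
    for rec in records:
        label = detector.classify(rec, window_frequent)
        flagged = scanner.observe(rec) if label == LOW_FREQUENCY else False
        out.append((label, flagged))
    return out
```

Note that the empty-itemset check must come before the normal-coverage check: a record with no frequent itemsets would otherwise be vacuously "covered" by the normal models and slip through as normal instead of being held for low-frequency analysis.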
Fig. 7. Scanning to obtain the final frequent itemset of the current window.
C. Implementation of Attack Classification Model
In the attack classification model, the DBN is trained first, using unsupervised layer-by-layer training of restricted Boltzmann machines (RBMs). An RBM is a two-layer stochastic neural network comprising a visible layer and a hidden layer; every unit of one layer is connected to every unit of the other, with no connections within a layer, and the connections are bidirectional. $W$ is the weight matrix between the visible units and the hidden units, $a$ is the bias of the visible units, and $b$ is the bias of the hidden units. The energy function of the RBM is as follows:
The probability that a hidden neuron of the RBM is activated is as follows:
Because the RBM's connections are bidirectional, the probability that a visible neuron is activated has the symmetric form:
Training the DBN involves two processes.
1) Pretraining: Using an unsupervised, greedy learning method, each RBM is trained layer by layer from bottom to top, mapping a large volume of high-dimensional, nonlinear, unlabeled original data to a low-dimensional representation and providing good initial model parameters. Each RBM layer is trained independently and without supervision, so that as much feature information as possible is retained when feature vectors are mapped into a different feature space. The greedy, layer-by-layer training process is as follows:
One RBM layer is sampled and computed: the new visible layer variable $v$ is sampled from the posterior probability $p$, and the hidden layer variable $h$ is then sampled again, iteratively. After $k$ rounds of alternating Gibbs sampling, the joint probability distribution approaches a stationary distribution. The optimal representation $h$ of the visible variable $v$ becomes the visible variable of the second RBM, whose hidden variable is sampled by the same alternating Gibbs procedure, and so on up to the last RBM, as shown in Algorithm 2. This greedy learning method is applied recursively and repeatedly.
2) Fine Adjustment of Weights: After pretraining, labeled data are attached to the top layer, the low-dimensional representation output by the RBMs is taken by the back propagation (BP) algorithm as its input feature vector, and the DBN is trained from top to bottom in a supervised way. Taking the maximum likelihood function as the objective function, the entire DBN can be optimized, yielding the optimal low-dimensional representation of the original data. Each RBM layer can guarantee only that its own weights are optimal for the mapping of feature vectors in that layer, not for the DBN as a whole; therefore, the BP network propagates the error information from top to bottom through each RBM layer, fine-tuning the entire DBN. The RBM training process can be viewed as initializing the weights of a deep BP network, which lets the DBN overcome the BP network's shortcomings, i.e., its tendency to fall into a local optimum and the long training time caused by random weight initialization.
Algorithm 2 DBN pretraining
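The pretraining step described above, as an added example that is not the authors' Algorithm 2: a binary RBM in pure Python using the paper's symbols $W$, $a$, $b$, the standard RBM energy function and conditional activation probabilities, trained by $k$-step alternating Gibbs sampling (contrastive divergence, CD-$k$), then stacked greedily so that each RBM's hidden representation becomes the visible layer of the next. The 6-bit training vectors are constructed; the learning rate 0.1 matches the paper's setting, the epoch counts do not.

```python
"""RBM with k-step Gibbs sampling (contrastive divergence), stacked greedily."""
import math
import random


def sigmoid(x):
    x = max(-60.0, min(60.0, x))  # guard math.exp against overflow
    return 1.0 / (1.0 + math.exp(-x))


class RBM:
    """Binary RBM in the paper's notation: W[i][j] couples visible unit i to
    hidden unit j, a biases the visible layer, b biases the hidden layer."""

    def __init__(self, n_visible, n_hidden, rng):
        self.rng = rng
        self.W = [[rng.gauss(0.0, 0.1) for _ in range(n_hidden)] for _ in range(n_visible)]
        self.a = [0.0] * n_visible
        self.b = [0.0] * n_hidden

    def energy(self, v, h):
        """Standard RBM energy E(v,h) = -sum_i a_i v_i - sum_j b_j h_j - sum_ij v_i W_ij h_j."""
        return (-sum(ai * vi for ai, vi in zip(self.a, v))
                - sum(bj * hj for bj, hj in zip(self.b, h))
                - sum(v[i] * self.W[i][j] * h[j] for i in range(len(v)) for j in range(len(h))))

    def p_hidden(self, v):
        """p(h_j = 1 | v) = sigmoid(b_j + sum_i v_i W_ij)."""
        return [sigmoid(bj + sum(v[i] * self.W[i][j] for i in range(len(v))))
                for j, bj in enumerate(self.b)]

    def p_visible(self, h):
        """p(v_i = 1 | h) = sigmoid(a_i + sum_j W_ij h_j); symmetric to p_hidden."""
        return [sigmoid(ai + sum(self.W[i][j] * h[j] for j in range(len(h))))
                for i, ai in enumerate(self.a)]

    def _sample(self, probs):
        return [1 if self.rng.random() < p else 0 for p in probs]

    def gibbs(self, v0, k):
        """k alternating Gibbs steps v -> h -> v starting from v0."""
        v = list(v0)
        for _ in range(k):
            v = self._sample(self.p_visible(self._sample(self.p_hidden(v))))
        return v

    def contrastive_divergence(self, data, k=1, lr=0.1, epochs=300):
        """CD-k: move the model toward the data (positive phase) and away from
        its own k-step reconstruction (negative phase)."""
        for _ in range(epochs):
            for v0 in data:
                ph0 = self.p_hidden(v0)
                vk = self.gibbs(v0, k)
                phk = self.p_hidden(vk)
                for i in range(len(self.a)):
                    for j in range(len(self.b)):
                        self.W[i][j] += lr * (v0[i] * ph0[j] - vk[i] * phk[j])
                    self.a[i] += lr * (v0[i] - vk[i])
                for j in range(len(self.b)):
                    self.b[j] += lr * (ph0[j] - phk[j])

    def reconstruction_error(self, data):
        """Mean absolute error of the mean-field reconstruction v -> p(h|v) -> p(v|h)."""
        total = 0.0
        for v in data:
            recon = self.p_visible(self.p_hidden(v))
            total += sum(abs(vi - ri) for vi, ri in zip(v, recon)) / len(v)
        return total / len(data)


def pretrain_dbn(data, layer_sizes, seed=0, **cd_kwargs):
    """Greedy layer-wise pretraining: each RBM's hidden activation
    probabilities become the visible input of the next RBM.
    Returns (list of RBMs, top-layer representation of `data`)."""
    rng = random.Random(seed)
    rbms, layer_input = [], [list(v) for v in data]
    for n_vis, n_hid in zip(layer_sizes, layer_sizes[1:]):
        rbm = RBM(n_vis, n_hid, rng)
        rbm.contrastive_divergence(layer_input, **cd_kwargs)
        rbms.append(rbm)
        layer_input = [rbm.p_hidden(v) for v in layer_input]
    return rbms, layer_input


# Constructed 6-bit training data (not CICIDS2017): two prototypes plus one-bit corruptions.
DATA = [
    [1, 1, 1, 0, 0, 0], [1, 1, 1, 0, 0, 0], [0, 1, 1, 0, 0, 0], [1, 1, 1, 1, 0, 0],
    [0, 0, 0, 1, 1, 1], [0, 0, 0, 1, 1, 1], [0, 0, 0, 1, 1, 0], [0, 0, 1, 1, 1, 1],
]


def demo(seed=1):
    """Train one 6-4 RBM with CD-1 and report reconstruction error before/after."""
    rbm = RBM(6, 4, random.Random(seed))
    before = rbm.reconstruction_error(DATA)
    rbm.contrastive_divergence(DATA, k=1)
    return before, rbm.reconstruction_error(DATA)


if __name__ == "__main__":
    print("reconstruction error before/after CD-1:", demo())
    rbms, top = pretrain_dbn(DATA, [6, 4, 2], seed=2, epochs=100)
    print("top-layer representation of first sample:", top[0])
```

`pretrain_dbn(DATA, [6, 4, 2])` mirrors the paper's stacking (the 41-30-20-10-5 structure of Section V is the same construction with larger layers); the top-layer output is what the SVM stage consumes. The fine-tuning pass with BP is not included here.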
The multiclass SVM classifier requires only five two-class SVM classifiers. The five SVMs are trained, and the voting method is then used to realize multiclass classification.
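As an added example, not the paper's code, the one-vs-rest construction of Fig. 4 and the vote above in Python, with a small primal linear SVM trained by deterministic full-batch subgradient descent standing in for the authors' SVM implementation, and the per-class precision, recall and F1 of Section V computed on the predictions. The 2-D features are constructed clusters standing in for the DBN's low-dimensional output; the tie-break by largest signed margin when zero or several classifiers output +1 is this example's choice.

```python
"""One-vs-rest linear SVM ensemble with voting, plus precision/recall/F1."""
import math
import random

CLASSES = ["BENIGN", "DoS GoldenEye", "DoS Hulk", "DoS Slowhttptest", "DoS slowloris"]


def class_centre(k):
    """Cluster centre of class k: a vertex of a pentagon of radius 8."""
    angle = 2 * math.pi * k / len(CLASSES)
    return [8 * math.cos(angle), 8 * math.sin(angle)]


def make_data(n_per_class, seed):
    """Constructed 2-D stand-in for the DBN's low-dimensional output: one
    Gaussian cluster per class (not real CICIDS2017 features)."""
    rng = random.Random(seed)
    X, y = [], []
    for k, name in enumerate(CLASSES):
        cx, cy = class_centre(k)
        for _ in range(n_per_class):
            X.append([cx + rng.gauss(0, 0.4), cy + rng.gauss(0, 0.4)])
            y.append(name)
    return X, y


def train_linear_svm(X, y, lam=0.001, eta=0.1, epochs=500):
    """Soft-margin linear SVM (primal hinge loss + L2) by deterministic
    full-batch subgradient descent; labels y in {+1, -1}. Returns (w, b)."""
    n, d = len(X), len(X[0])
    w, b = [0.0] * d, 0.0
    for _ in range(epochs):
        gw, gb = [lam * wi for wi in w], 0.0
        for x, yi in zip(X, y):
            if yi * (sum(wj * xj for wj, xj in zip(w, x)) + b) < 1:  # margin violator
                for j in range(d):
                    gw[j] -= yi * x[j] / n
                gb -= yi / n
        w = [wi - eta * gi for wi, gi in zip(w, gw)]
        b -= eta * gb
    return w, b


def train_one_vs_rest(X, y):
    """SVM_k is trained with +1 for class k and -1 for every other class."""
    return {c: train_linear_svm(X, [1 if yi == c else -1 for yi in y]) for c in CLASSES}


def predict(models, x):
    """Vote: the single classifier outputting +1 names the class; if none or
    several do, the largest signed margin wins (this example's tie-break)."""
    scores = {c: sum(wj * xj for wj, xj in zip(w, x)) + b for c, (w, b) in models.items()}
    positive = [c for c, s in scores.items() if s > 0]
    if len(positive) == 1:
        return positive[0]
    return max(scores, key=scores.get)


def evaluate(y_true, y_pred):
    """Per-class precision, recall and F1 from TP/FP/FN counts."""
    metrics = {}
    for c in sorted(set(y_true) | set(y_pred)):
        tp = sum(t == c and p == c for t, p in zip(y_true, y_pred))
        fp = sum(t != c and p == c for t, p in zip(y_true, y_pred))
        fn = sum(t == c and p != c for t, p in zip(y_true, y_pred))
        pr = tp / (tp + fp) if tp + fp else 0.0
        rc = tp / (tp + fn) if tp + fn else 0.0
        f1 = 2 * pr * rc / (pr + rc) if pr + rc else 0.0
        metrics[c] = {"precision": pr, "recall": rc, "f1": f1}
    return metrics


def run(seed=0):
    """Train on one constructed sample, test on another; returns
    (models, accuracy, per-class metrics)."""
    X_tr, y_tr = make_data(20, seed)
    X_te, y_te = make_data(20, seed + 1)
    models = train_one_vs_rest(X_tr, y_tr)
    y_pred = [predict(models, x) for x in X_te]
    acc = sum(p == t for p, t in zip(y_pred, y_te)) / len(y_te)
    return models, acc, evaluate(y_te, y_pred)


if __name__ == "__main__":
    _, acc, metrics = run()
    print("accuracy:", acc)
    for c, m in metrics.items():
        print(f"{c:18s} Pr={m['precision']:.2f} Rc={m['recall']:.2f} F1={m['f1']:.2f}")
```

Because each SVM_k sees its own class as +1 and everything else, including BENIGN, as −1, the five classifiers are trained on the same feature vectors with different label vectors; the vote in `predict` is what turns five independent margins into one attack-type decision.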
A. Experimental Data
This paper uses intrusion detection evaluation data, namely, the PCAP data stream corresponding to the Tuesday portion of CICIDS2017 (Canadian Institute for Cybersecurity Intrusion Detection Evaluation Dataset 2017), and simulates a real data stream push to test the SC&D-S system. The CICIDS2017 data set was developed by the Canadian Institute for Cybersecurity at the University of New Brunswick (UNB) using the B-Profile system [30] to describe and collect interactive network behaviors. This data set, which is based on the abstract behaviors of 25 users over protocols such as HTTP, HTTPS, FTP, SSH and e-mail, is an authoritative test data set and has been used by Carnegie Mellon University, Johns Hopkins University and other institutions.
Each connection record of the CICIDS2017 data set consists of 84 attribute features: 77 numeric features and 7 string features, the latter including the source IP, source port, destination IP, destination port and protocol. Among them, the minimum, mean and maximum flow interarrival times and the flow duration are the most characteristic features of a DoS attack. Data set preprocessing consists of digitizing the symbolic features and normalizing the data.
B. Experimental Evaluation
The filtered CICIDS2017 data are converted into a data stream format and pushed in a laboratory environment.
When training the real-time attack behavior recognition model, the SC&D-S initial model and the SVM and logistic regression comparison models are trained with 60% of the labeled CICIDS2017 data stream. As the data stream is pushed dynamically, the SC&D-S real-time identification model is continuously updated incrementally, which makes it more sensitive to the latest data changes and attack behaviors, whereas the SVM and logistic regression comparison models can only be retrained. Then, 20% of the CICIDS2017 data stream is used to validate the model. Finally, the remaining data stream is detected using the trained model. During the experiment, the rate of the network data flow is adjusted to simulate highly concurrent massive data and verify the real-time detection performance of the system.
By comparing the experimental data in Fig. 8, the SC&D-S network security defense system is found to better meet the intrusion detection requirements of high-speed networks, and the model achieves good detection performance. At the same time, the training time (Tr) and test time (Te) on the data stream are compared for the SC&D-S system, the SVM and logistic regression. The experimental results show that SC&D-S has shorter incremental model update and attack discovery times, is superior in the time needed to process stream data and perform real-time intrusion detection, and thus has better real-time performance, as shown in Table I.
When classifying attacks, the DBN-SVM is trained first. Gao et al. [31] discuss in detail the influence of the DBN depth and the numbers of hidden and output layer nodes on intrusion detection performance. From [31] and through comparative experiments, it is concluded that the structure 41-30-20-10-5 is the best configuration for the available server performance, as shown in Table II.
Therefore, this paper selects 41 nodes for the first hidden layer, the dimensionality closest to that of the input layer, and then 30, 20 and 10 nodes to reduce the dimensionality of the input data in sequence. That is, the DBN-SVM network structure is 41-30-20-10-5, and the DBN contains 4 RBM layers. The learning rate is 0.1, and the number of BP training cycles is 30. The number of pretraining iterations is 30, and the number of fine-tuning iterations is 300. The DBN-SVM, DBN, SVM and other machine learning methods are compared in terms of accuracy and false positive rate for the different attack categories, as shown in Figs. 9 and 10. Three common evaluation indicators are used in the analysis:
TABLE I Statistical Results of SC & D-S Real-Time Attack Behavior Identification Model
TABLE II Network Structure of DBN
TABLE III Statistical Results of SC&D-S Real-time Attack Behavior Identification Model
Fig. 8. Scanning to obtain the final frequent itemset of the current window.
Precision (Pr) or positive predictive value: the ratio of correctly classified attack flows (TP) to all flows classified as attacks (TP + FP), i.e., $\mathrm{Pr} = TP/(TP + FP)$.
Recall (Rc) or sensitivity: the ratio of correctly classified attack flows (TP) to all actual attack flows (TP + FN), i.e., $\mathrm{Rc} = TP/(TP + FN)$.
F1-score (F1): the harmonic mean of precision and recall, $F1 = 2 \cdot \mathrm{Pr} \cdot \mathrm{Rc} / (\mathrm{Pr} + \mathrm{Rc})$, which combines both into a single measure.
According to the experimental results, the DBN-SVM algorithm is slightly better in classification and detection accuracy than the DBN, SVM and other machine learning algorithms, effectively improving classification accuracy and decreasing the false alarm rate, as shown in Table III.
To solve the problems of slow detection on massive data, difficult incremental model expansion and low-accuracy attack type subdivision in IDSs, this paper proposes the SC&D-S intrusion detection model based on the DBN-SVM, taking full advantage of deep learning for the dimensionality reduction of high-dimensional, nonlinear, massive data. The method uses sliding windows to mine frequent patterns into a pattern library, quickly detects whether there is malicious behavior in the data stream, and can update the model incrementally with little effort. A DBN, a deep learning method based on multilayer nonlinear mapping, then reduces the feature dimensionality of the high-dimensional, nonlinear original data, shrinking the feature vectors while preserving the important features. One-versus-all classification is then carried out with multiple SVM classifiers, the voting method combines them into a multiclass decision, and intrusion identification is performed on the low-dimensional feature vectors produced by the DBN. Experiments are carried out on the CICIDS2017 data stream. The results show that the SC&D-S model reduces the training and testing time of the classifier and meets the real-time requirements of intrusion detection well; moreover, its detection performance is superior to that of the traditional algorithms. It is a feasible and efficient lightweight intrusion detection model. The work of this paper builds on the latest network security research of Sharafaldin et al. [30]. Further work will involve invoking the detection program through the system API, further improving the accuracy and efficiency of intrusion detection, and exploring new ways of combining the various approaches.
Fig. 9. Comparison of different algorithms (average).
Fig. 10. Comparison of different algorithms (various attack types).
IEEE/CAA Journal of Automatica Sinica, 2020, Issue 3