Research on Twostage Network Intrusion Detection Method for Outofdistribution Traffic Data

Abstract

Abstract: Existing network intrusion detection systems are typically trained under a closedset setting, and are prone to misclassification in practical applications for new attacks that do not appear in the training data. In order to improve the accuracy of unknown attack detection and known attack classification, a twostage intrusion detection method based on the combination of convolutional neural network and bidirectional long and shortterm memory network is proposed on the basis of existing network intrusion detection systems—twostage confidence intrusion detection (TSCID) method. In the first stage, the outofdistribution data detector categorizes input data into indistribution and outofdistribution samples by evaluating their confidence scores; in the second stage, the m+1 classifier performs open intrusion detection on the indistribution data as well as part of the outofdistribution data obtained in the first stage, which can realize the fine classification of the known attacks and the further identification of the unknown attacks. The method is experimentally evaluated on the KDDCUP’99 dataset and the CICIDS2017 dataset. The experimental results show that the AUROC and AUPR of the model on the data have increased and the false positive rate has decreased when compared with other methods for open intrusion detection. The study shows that the twostage network intrusion detection method that introduces an outofdistribution data detector ensures the fine classification of known attacks and effectively improves the identification capability of the intrusion detection system for unknown threats, providing a new idea for building a comprehensive network security defense system.

Key words: network intrusion detection, outofdistribution detection, convolutional neural network, bidirectional long shortterm memory, deep learning

摘要： 现有的网络入侵检测系统常在封闭集中进行训练，在实际应用中对于训练数据中未出现的新攻击容易出现误判的情况.为提高未知攻击检测和已知攻击分类的准确性，在已有的网络入侵检测系统的基础上，提出了一种基于卷积神经网络与双向长短时记忆网络相结合的2阶段入侵检测方法——基于置信度的2阶段式入侵检测(twostage confidence intrusion detection, TSCID)方法.在第1阶段，分布外数据检测器通过对数据的置信度进行度量，将其划分为分布内数据和分布外数据2类；在第2阶段，m+1分类器将第1阶段中得到的分布内数据以及部分分布外数据进行开放式入侵检测，可以实现对已知攻击的精细分类和对未知攻击的进一步识别.该方法在KDDCUP’99数据集和CICIDS2017数据集上进行了实验评估.实验结果表明，与其他开放式入侵检测方法相比，模型对数据的AUROC,AUPR均有所上升，且误判率均有所下降.引入分布外数据检测器的2阶段式网络入侵检测方法既保证对已知攻击的精细分类，又有效提高入侵检测系统对未知威胁的识别能力，为构建全面的网络安全防御体系提供了新思路.

关键词: 网络入侵检测, 分布外数据检测, 卷积神经网络, 双向长短时记忆网络, 深度学习

CLC Number:

TP183

陈颖, 王沁, 秦晓宏, . 面向分布外流量数据的2阶段式网络入侵检测方法研究[J]. 信息安全研究, 2026, 12(3): 265-.

References

［1］Hubballi N, Suryanarayanan V. False alarm minimization techniques in signaturebased intrusion detection systems: A survey［J］. Computer Communications, 2014, 49: 117［2］Yan Q, Wang M, Huang W, et al. Automatically synthesizing DoS attack traces using generative adversarial networks［J］. International Journal of Machine Learning and Cybernetics, 2019, 10(12): 33873396［3］Roopak M, Tian G Y, Chambers J. Deep learning models for cyber security in IoT networks［C］ Proc of the 9th IEEE Annual Computing and Communication Workshop and Conference (CCWC). Piscataway, NJ: IEEE, 2019: 04520457［4］Aldwairi T, Perera D, Novotny M A. An evaluation of the performance of Restricted Boltzmann Machines as a model for anomaly network intrusion detection［J］. Computer Networks, 2018, 144: 111119［5］Hendrycks D, Gimpel K. A baseline for detecting misclassified and outofdistribution examples in neural networks［J］. arXiv preprint, arXiv:1610.02136, 2016［6］DeVries T, Taylor G W. Learning confidence for outofdistribution detection in neural networks［J］. arXiv preprint, arXiv:1802.04865, 2018［7］Wei H, Xie R, Cheng H, et al. Mitigating neural network overconfidence with logit normalization［C］ Proc of the Int Conf on Machine Learning. New York: PMLR, 2022: 2363123644［8］车佳臻. 面向网络流量的分布外异常检测技术研究［D］. 哈尔滨: 哈尔滨工业大学, 2022［9］Liang S, Li Y, Srikant R. Enhancing the reliability of outofdistribution image detection in neural networks［J］. arXiv preprint, arXiv:1706.02690, 2017［10］Tzeng E, Hoffman J, Zhang N, et al. Deep domain confusion: Maximizing for domain invariance［J］. arXiv preprint, arXiv:1412.3474, 2014［11］Long M, Zhu H, Wang J, et al. Deep transfer learning with joint adaptation networks［C］ Proc of the Int Conf on Machine Learning. New York: PMLR, 2017: 22082217

[1]	. Smart Contract Vulnerabilities Based on Differential Evolutionary Algorithms and Solution Time Prediction Detection#br# [J]. Journal of Information Security Reserach, 2026, 12(1): 24-.
[2]	. Internet of Things Intrusion Detection Model Based on Federated Learning [J]. Journal of Information Security Reserach, 2025, 11(9): 788-.
[3]	. Fake News Detection Model Based on Crossmodal Attention Mechanism and#br# Weaksupervised Contrastive Learning#br# [J]. Journal of Information Security Reserach, 2025, 11(8): 693-.
[4]	. Encrypted Traffic Detection Method Based on Knowledge Distillation [J]. Journal of Information Security Reserach, 2025, 11(8): 702-.
[5]	. Research on Analysis and Detection Methods of Adversarial Crosssite #br# Scripting Attacks Based on LSTM and CNN#br# [J]. Journal of Information Security Reserach, 2025, 11(8): 761-.
[6]	. Active Tor Website Fingerprint Recognition [J]. Journal of Information Security Reserach, 2025, 11(5): 439-.
[7]	. Deep Learningbased Method for Encrypted Website Fingerprinting [J]. Journal of Information Security Reserach, 2025, 11(4): 304-.
[8]	. Research on Dataenhanced Multimodal False Information #br# Detection Framework#br# [J]. Journal of Information Security Reserach, 2025, 11(4): 377-.
[9]	. Privacypreserving Federated Learning Research Based on #br# Confused Modulo Projection Homomorphic Encryption#br# [J]. Journal of Information Security Reserach, 2025, 11(3): 198-.
[10]	. Design of Adversarial Attack Scheme Based on YOLOv8 Object Detector [J]. Journal of Information Security Reserach, 2025, 11(3): 221-.
[11]	. Fake Face Detection Method Based on ConvNeXt [J]. Journal of Information Security Reserach, 2025, 11(3): 231-.
[12]	. Research on Deep Learningbased Spatiotemporal Feature Fusion Network Intrusion Detection Model [J]. Journal of Information Security Reserach, 2025, 11(2): 122-.
[13]	. A Malicious TLS Traffic Detection Method with Multimodal Features [J]. Journal of Information Security Reserach, 2025, 11(2): 130-.
[14]	. Robust Malicious Encrypted Traffic Detection Method Based on Dual Confidence Sample Selection [J]. Journal of Information Security Reserach, 2025, 11(10): 924-.
[15]	. Research of Invisible Backdoor Attack Based on Interpretability [J]. Journal of Information Security Reserach, 2025, 11(1): 21-.