Considering the characteristics of network traffic on the data link layer, such as massive highspeed data flow, information camouflaged easily, and the phenomenon that abnormal traffic is much smaller than the normal one, an intrusion detection system (IDS) based on the quantitative model of interaction mode between ports is proposed. The model gives the quantitative expression of Port Interaction Mode in Data Link Layer (PIMDL), focusing on improving the accuracy and efficiency of the intrusion detection by taking the arrival time distribution of traffic. The feasibility of the model proposed is proved by the phase space reconstruction and visualization method. According to the characteristics of long and short sessions, a neural network based on CNN and LSTM is designed to mine the differences between normal and abnormal models. On this basis, an improved Intrusion Detection algorithm based on a multi-model scoring mechanism is designed to classify sessions in model space. And the experiments show that the quantitative model and the improved algorithm proposed can not only effectively avoid camouflage identity information, but also improve computational efficiency, as well as increase the accuracy of small sample anomaly detection.

Introduction

To avoid the serious losses caused by network attacks, it is important to build an effective intrusion detection model to explore the existing characteristic rules in mass traffic data. As a branch of machine learning, deep learning can recognize the internal law of a certain kind of things to the maximum through training multilayer neural network, so it has a unique advantage to explore the internal law of abnormal attack traffic in massive network traffic data. Among the many problems involved in intrusion detection, the anomaly detection method is the most important one, and its key point is to design a feature set that can accurately describe network traffic [1], [2]. At present, many data sets, such as KDD’۹۹ [۳], NSL-KDD [4], UNSW-NB15 [5], CIC-IDS-2017 [6], ISCX [7], which are widely used in intrusion detection systems, have a large capacity and rich characteristics, and the neural network can be used to mine the internal rules of these data sets to realize the intrusion detection. There are a lot of achievements in previous studies, while ignoring several problems. Firstly, to obtain the previous feature set from the initial traffic, it is necessary to check all the traffic data in the first two seconds and the first 100 connections at the end of the session, however, the intrusion detection system cannot be too complex because of the massive and high-speed traffic characteristics, in practice, according to previous research methods, building feature sets from the real-time generated initial traffic will cause a lot of computational burdens. Secondly, previous studies have trained neural networks based on a large number of high-level protocol information (e.g. logon status, flag). When attackers camouflage these attributes, the classification accuracy of neural networks will be greatly affected.