
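Graduate student: Ko, Hao (柯昊)
Thesis title: A Deep Learning based Approach for Intrusion Detection System (基於深度學習方法的入侵偵測系統)
Advisor: Lin, Hui-Tang (林輝堂)
Degree: Master
Department: College of Electrical Engineering and Computer Science - Institute of Computer & Communication Engineering
Year of publication: 2019
Academic year of graduation: 107
Language: English
Number of pages: 56
Keywords (Chinese): 入侵偵測系統 (intrusion detection system), 深度學習 (deep learning)
Keywords (English): Intrusion Detection System, Deep Learning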
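  • With the widespread use of computers and networks, intrusion attacks carried out by hackers over the network are also increasing. Enterprises and government agencies therefore commonly rely on intrusion detection systems to defend against such intrusions. In recent years, with the growing popularity of machine learning, many studies have applied machine learning and deep learning to intrusion detection systems, because machine learning is a good predictive model that can classify accurately and is well suited to classifying network anomalies. This thesis proposes an intrusion detection system based on an intelligent deep learning approach. It includes a feature pre-clustering mechanism that reduces feature dimensionality and effectively assists feature extraction, and the deep learning method proposed for feature extraction is the Winner-take-all autoencoder, which has been shown to be effective at extracting data features and to benefit classification. Finally, a support vector machine is used to identify intrusion behaviour, and experiments are conducted on the NSL-KDD and CICIDS2017 datasets. The experimental results show that both the Winner-take-all autoencoder and feature pre-clustering effectively improve accuracy; the accuracy on the NSL-KDD dataset is 87.24%, the highest accuracy among studies on the NSL-KDD dataset. Performance on the CICIDS2017 dataset also surpasses other related work, with an accuracy of 97.92%. The proposed intrusion detection system achieves high intrusion detection accuracy and provides an entirely new method for intrusion detection.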

    The internet has become a necessary tool in our lives. The convenience of online services has led to many applications. However, as these applications have grown in popularity, attacks on them have risen dramatically in recent years. An intrusion detection system (IDS) is considered one of the main defense mechanisms. Recently, due to the popularity of machine learning, a growing number of studies have applied machine learning techniques in intrusion detection systems to improve detection efficacy. The reason is that machine learning provides a predictive model that can perform classification very accurately. In this thesis, we propose an intelligent deep learning based approach for constructing an intrusion detection system. The proposed IDS scheme consists of a pre-clustering method for discrete features, a feature extraction scheme, and a classification mechanism. Applying a pre-clustering method to discrete features can reduce feature dimensions and effectively assist feature extraction. Furthermore, for feature extraction we employ the Winner-take-all autoencoder, which has been proven to be very effective at extracting data features and helpful for the subsequent classification work.
    Experiments with the proposed IDS scheme were conducted on the NSL-KDD and CICIDS2017 datasets. The experimental results show that both the Winner-take-all autoencoder and the pre-clustering method can effectively improve classification accuracy. The proposed IDS scheme achieves an accuracy of 87.24% on the NSL-KDD dataset, which is the highest accuracy among all state-of-the-art studies. It also outperforms most studies on the CICIDS2017 dataset, with an excellent accuracy of 97.92%. Therefore, the proposed IDS improves the accuracy of intrusion detection and provides a novel method for intrusion detection.

    Abstract (Chinese)
    Abstract
    Acknowledgements
    Contents
    List of Figures
    List of Tables
    Chapter 1 Introduction
        1.1 Overview
        1.2 Internet Environment
        1.3 Cyber Security
        1.4 Intrusion Detection System
            1.4.1 Host-Based IDS Vs. Network-Based IDS
            1.4.2 Detection Methods
        1.5 Deep Learning
        1.6 Intrusion Detection Dataset
        1.7 Motivation
        1.8 Objective
        1.9 Thesis Outline
    Chapter 2 Background and Related Works
        2.1 Background and Dataset
            2.1.1 DARPA Dataset
            2.1.2 KDD CUP 99 dataset
            2.1.3 NSL-KDD Dataset
            2.1.4 CICIDS2017 Dataset
        2.2 Related Works
            2.2.1 Signature-based Detection IDS
            2.2.2 Statistics-based Techniques IDS
            2.2.3 Machine Learning Techniques IDS
    Chapter 3 Proposed Method
        3.1 Architecture
        3.2 Data Pre-processing
            3.2.1 Clustering of Feature
            3.2.2 One-Hot Encoding
            3.2.3 Feature Normalization
        3.3 Winner-Take-All Autoencoder
        3.4 Machine Learning Classifier
    Chapter 4 Performance Evaluation
        4.1 Experiment Environment
        4.2 Experimental Dataset
        4.3 Evaluation Metric
        4.4 Experimental Results
            4.4.1 Experiment with NSL-KDD
            4.4.2 Experiment with CICIDS2017
    Chapter 5 Conclusion
    Bibliography


    Full-text availability: on campus, public from 2024-07-31; off campus, public from 2024-07-31