| Graduate student: | Lo, Cheng-Hsuang (羅政翔) |
|---|---|
| Thesis title: | Improve IDS Detection Efficiency based on Sequence-to-Sequence Model |
| Advisor: | Li, Jung-Shian (李忠憲) |
| Degree: | Master |
| Department: | College of Electrical Engineering and Computer Science - Institute of Computer & Communication Engineering |
| Year of publication: | 2019 |
| Academic year of graduation: | 107 |
| Language: | Chinese |
| Number of pages: | 61 |
| Keywords (Chinese): | Deep learning, Intrusion detection, Feature selection |
| Keywords (English): | Intrusion Detection, Deep learning, Feature engineering |
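In recent years, network technologies such as big data and the Internet of Things have matured, and information security has become an issue that cannot be ignored. Among the many defense methods, deploying an intrusion detection system (IDS) is a common measure. An IDS can detect malicious attacks that come from external networks or that have already reached a host, and block them before they take effect, achieving the goal of defense. However, attackers' techniques are highly varied and change quickly, which often causes an IDS to misjudge or even fail to detect malicious attacks, resulting in heavy losses. Machine learning methods have improved the detection rate, but an excessively high false alarm rate is also a problem that urgently needs to be solved when machine learning is applied to intrusion detection systems. To find a better solution, this study uses the CICIDS2017 dataset as its research dataset and performs detection with a deep learning model. In the data preprocessing stage, we use the random forest algorithm to determine which features are unimportant and discard them, and use an embedding method to reduce the dimensionality of the important high-dimensional features. The processed data is then fed into the model for training, so that the model can detect malicious traffic. Experimental results show that the proposed method achieves a malicious intrusion detection accuracy of 99.93% and reduces the false alarm rate to 0.3%; on the KDDCup99 and NSL_KDD datasets it achieves accuracies of 99.93% and 99.46% and false alarm rates of 0.16% and 0.07%, respectively, verifying the feasibility of the proposed method.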
To protect users from malware intrusion, many kinds of defense systems are used, especially the intrusion detection system (IDS), which plays an important role in cybersecurity. In most network management, a network-based IDS (NIDS) is used to alert on network attacks. However, NIDS struggles with varied and quickly changing malware, and cannot identify attacks quickly and correctly.
Many machine learning algorithms are used in NIDS to improve the malware detection rate but, to our knowledge, detection is still not fast and correct enough. IDS detection efficiency can be improved in two ways: a novel dataset and suitable algorithms. We propose a new method based on deep learning technology and show that it performs well for intrusion detection.
We use random forest (RF) to rank and select features in the CICIDS2017 dataset, embed the high-dimensional features into a low-dimensional space, and then input the data to a deep neural network model called Sequence to Sequence. In the intrusion detection experiment, we obtain 99.93% accuracy and a 0.3% false alert rate.