SAGB: self-attention with gate and BiGRU network for intrusion detection

Abstract

Network traffic intrusion detection technology plays an important role in host and platform security. At present, machine learning and deep learning methods are often used for network traffic intrusion detection. However, the imbalance of relevant data sets will cause the model algorithm to learn the features of the majority categories and ignore the features of the minority categories, which will seriously affect the precision of network intrusion detection models. The number of samples of the attacks is much less than the number of normal samples. The classification performance on unbalanced data sets is poor and can not identify the minority attack samples well. To solve these problems, this paper proposed the resampling mechanism, which used random undersampling for the majority categories samples and K-Smote oversampling for the minority categories samples, so as to generate a more balanced data set and improve the model's detection rate for the minority categories. This paper proposed the Self-Attention with Gate (SAG) and BiGRU network model for intrusion detection on the CICIDS2017 data set, which can fully extract high-dimensional information from data samples and improve the detection rate of network attacks. The Self-Attention with Gate mechanism (SAG) based on the Transformer performed the feature extraction, filtered the irrelevant noise information, then extracted the long-distance dependency temporal sequence features by the BiGRU network, and obtained the classification results through the SoftMax classifier. Compared to the experimental results of other algorithms, such as Random Forest (RF) and BiGRU, it can be found that the overall classification precision for the SAG-BiGRU model in this paper is much higher and also has a good effect on the NSL-KDD data set.