An Improved Network Intrusion Detection Based on Deep Neural Network

Network intrusion detection is of great significance for network security in Local Area Network (LAN). Traditional methods such as firewalls do not completely protect against attacks on the LAN due to lack of continuous learning. Recently, the ability of convolutional neural networks (CNN) to extract features in the field of computer vision has received extensive attention. CNN can automatically extract effective complex features to adapt to constantly changing environments, which is especially important in network intrusion detection. In this paper, we focus on network security in the LAN. We propose an approach based on CNN to implement intrusion detection in LAN. This approach can effectively identify network attacks and has an accuracy of 98.34% on the KDD99 dataset. The experimental results show that the proposed approach based on the CNN has high accuracy in intrusion detection.

AEMCME 2019 IOP Conf. Series: Materials Science and Engineering 563 (2019) 052019 IOP Publishing doi: 10.1088/1757-899X/563/5/052019 2 network, etc). During the detection phase, program code or network behavior that deviates from the normal value beyond the tolerance is considered a malicious code or network attack behavior. However, the practice shows that the pros and cons of anomaly detection models mainly depend on feature extraction. In the existing research, the feature extraction work is mainly done manually by relevant domain experts, which makes the link rely heavily on expert experience and lacks adaptability in different application scenarios.
However, as the intensity and frequency of current cyber threats continue to rise [12], existing defense mechanisms and approaches are no longer able to protect the network, including LAN, from cyber threats in novel threats [13]. In addition, the traditional network intrusion detection method can only process a small amount of data, and cannot fully utilize a large amount of data for training, leading to a decrease in the accuracy of the inspection.
The neural networks, which is inspired by neurons in the brain, is considered to be a new branch of machine learning. Deep neural networks (DNN) can make full use of large amounts of data, and have good data representation and feature extraction capabilities. Because of its ability to extract high-level features, the neural networks are very suitable for network intrusion detection [14]. The small mutations and even newly developed attacks can be detected by this method [15].
In this paper, the work focuses on network intrusion detection about LAN. More specifically, using CNN to perform intrusion detection on the LAN to defend against internal attacks. Our contributions are as follows: • We focus on internal security in the LAN, utilizing network intrusion detection method. As far as we know, far too little attention has been paid to the internal security in the LAN. • The network intrusion detection model based on CNN is proposed in this paper to enhance the ability of feature extraction and improve accuracy.
• In order to better extract features through CNN and make full use of raw data, we reshape the data into image format.
The rest of this paper is scheduled as follows. In section 2, we review previous related works. We elaborate in detail our method with CNN-based intrusion detection in Section 3. Section 4 shows the results of the experiment. Finally, we conclude in Section 5.

Related work
Network intrusion detection has been studied by many researchers, which is discussed next. Current methods can be classified as machine learning-based and deep learning based. We also review some related work on deep convolutional neural networks.

Network intrusion detection
Intrusion detection technology was first proposed by Anderson [16] in 1980 and has been the focus of research in the field of network security since then. With the development of machine learning, researchers have found that utilizing machine learning methods to train a large number of intrusion detection data can more effectively improve the accuracy of network intrusion detection. Xian et al. [17] and Tang et al. [18] utilized the SVM-based intrusion detection technology to achieve higher accuracy with less prior knowledge and less training time. Li et al. [19] utilized the improved KNN algorithm to train data that can be effectively detected with a small amount of data. The method has a high detection rate and an abnormality of a low false alarm rate. Tsai et al. [20] combined k-means and KNN machine learning algorithms for intrusion detection. In this method, cluster centers of attacks are performed by k-means, and finally, the intrusion detection is performed by the KNN classifier. Experimental results show that this method is superior to SVM-based and KNN-based models.
Traditional machine learning-based methods have achieved good results in network intrusion detection, but they also have limitations: 1) The performance depends on feature engineering; 2) Unable to process large amounts of data; 3) The ability to learn independently is lacked. In order to solve these problems, neural network-based intrusion detection technology has received extensive attention. Compared with manual pre-designed statistical features, deep learning neural networks can AEMCME 2019 IOP Conf. Series: Materials Science and Engineering 563 (2019) 052019 IOP Publishing doi:10.1088/1757-899X/563/5/052019 3 automatically extract features from the raw data [21]. In addition, deep learning neural network algorithm has a better effect than traditional machine learning method in dealing with big data. Gao et al. [22] applied deep belief networks to network intrusion detection, achieving better performance than using other machine learning methods. Staudemeyer [23] firstly applied long short-term memory recurrent neural networks to network intrusion detection, which is very suitable for classifying highfrequency attacks. In addition, experiments by Kim et al. [24] and Elsherif [25] Tom et al. and Jam show that LSTM and RNN are very effective for network intrusion detection. Raman et al. [26] utilized the features selected by the hypergraph-based feature selection technique to train a probabilistic neural network in network intrusion detection. The experimental results show that this method increases the detection rate of fewer frequency attacks.

Convolution neural networks
The neural network consists of three main categories: the input layer, the hidden layer, and the output layer. However, the hidden layer of the CNN is formed by a series of convolutional, activation (nonlinear), pooling (downsampling), and fully connected layers. Because of this structure, CNN is different from DNN and RNN. The main differences are: 1) local connections. The layers are not fully connected but partially connected; 2) weight sharing. The weights of the connections between a subset of neurons in the same layer are shared. 3) Subsampling. A convergence layer is periodically inserted between successive convolutional layers. Therefore, the number of weight for CNN is relatively less than other neural networks, which is more suitable for network intrusion detection.
The research by Vinayakumar et al. [27] shows that CNN and it's variant architecture are better than classic machine learning classifiers in network intrusion detection. Experimental results show that one-dimensional convolution in CNN has high accuracy in network intrusion detection. Moreover, experiments by Liu et al. [28] show that the intrusion detection model based on CNN has a high detection rate and accuracy. It also proves the feasibility of applying CNN in highly-intrusion detection. CNN-based approaches show its powerful feature extraction ability in network intrusion detection and our work is also under this powerful framework.

Our approach
In this paper, CNN-based intrusion detection in the LAN is proposed. Due to the powerful feature extraction capabilities of CNN, we apply it to network intrusion detection. CNN can effectively extract the spatial features of image data. Therefore, in order to make full use of the characteristics of CNN, we finally convert raw data into image data. After that, the convolutional neural network can be used to classify the image to detect the input data. The architecture is shown in Figure 1. Our approach is briefly elucidated as follows. First, the raw data is preprocessed to obtain standard data. Then, the standard data is converted to image data. Finally, the image data is classified by the CNN model. The details of each step are as follows.

Data preprocess
KDD99 [29] is one of the most widely used intrusion detection datasets. The dataset consists of five million records, including one normal type and four types of attacks (e.g., DoS, Probe, U2R, R2L). Each record in the KDD99 dataset identifies a network connection, represented by 41 features. Among these 41 features in KDD99 dataset, there are 38 numerical features and 3 categorical features. For numerical features, the size of the numerical features varies greatly due to the difference in dimensions. Therefore, normalization is required to eliminate the effects of different dimensions. For each numerical feature in KDD99 shall be given as: Where, is the original input of feature , and are the maximum and minimum of the feature, respectively.
For categorical features, we consider digitizing them. The one-hot encoding and dummy variable encoding are adopted for KDD99. If one-hot encoding is adopted for all the category features, one record will be 122 dimensions in KDD99. For convenience in data transform, we consider using dummy variable encoding for one (e.g., protocol_type) of the categorical features. After the preprocessing step, the number of dimensions of the feature has been expanded from 41 to 121.

Data transform
The convolutional neural network has a powerful capability of feature extraction in the field of computer vision. For computers, the essence of images is the array of pixel values. Based on this inspiration, we transform each of the data-preprocessed records of KDD99 with a 121-dimensional record into a 11x11x1 array. The operation is shown in Figure 2. Since the pixel values of the image range from 0 to 255, the attribute of each record shall be given as: (2) Where, is the element of the array. Then, the result will be used as input to a CNN model. Figure 3. shows that a normal input and an anomaly input in KDD99 in the data. After data transform, normal data and abnormal data are different.

CNN Architecture
After the data is preprocessed and transformed, the raw data becomes an image with 1 channel. Then, we use VGG19 neural network [30] for training. We modify the last few layers of the VGG19 neural network for adapting to our task. Steps as follows. First, flatten the output after the last pool layer of VGG19. Then pass the result of the previous step through a dense layer with the rule activation AEMCME 2019 IOP Conf. Series: Materials Science and Engineering 563 (2019) 052019 IOP Publishing doi:10.1088/1757-899X/563/5/052019 5 function. Its output is a 128-dimensional vector. Finally, the previous result is passed through a dense layer with the sigmoid activation function. The one-dimensional result is output.
Since this is a two-classification task, we use binary cross entropy is given as the loss function : Where, is the number of training data. And is the expected output. is the sigmoid function. In addition, the neural network optimizer uses the RMSprop algorithm.

Experiment results
In our experiments, the hyper-parameter settings are as follows: batch-size=512, epoch=800, learningrate =0.001, decay-factor=0.9. We observed the change in accuracy by setting the different number of epoch in our experiments. It can be seen from Figure 4. that the accuracy rate increases as the number of epoch increases. When epoch reaches around 800, the accuracy rate stops rising. The evaluation result in the test set we have divided from KDD99 shows that the accuracy rate is 98.34%. The recall is 90.64%. The precision is 99.20%. With the condition of using the same dataset, Figure 5. Shows that the comparison experiments between our proposed method and the traditional machine learning algorithms including multilayer perceptron (MLP), nearest neighbor (NN), decision tree (DT). It can be seen that the accuracy of the method we proposed is higher than that based on traditional machine learning algorithms.   6 We use different scales on the KDD99 dataset as a training set and the rest as a test set. In Figure  6., as the training set increases, the accuracy of CNN-based methods continues to rise, while the accuracy of machine-based learning methods does not. Compared with traditional machine learning methods, CNN can make full use of big data. Figure 6. Comparison of different sizes in the training data. The above experimental results show that the convolutional neural network is superior to the machine learning methods in terms of feature extraction ability. The accuracy of traditional machine learning methods is lower than that based on convolutional neural networks because the representation of normal and abnormal data after feature extraction is similar at low levels. Convolutional neural networks can extract complex high-level features from these similar low-level features. Figure 7.
shows the visualization of the inter-layer features in the neural network after the data transform. Figure 7. Visualization of inter-layer features in VGG19. This is a feature extraction scheme that does not require manual design features. Therefore, CNN can continuously adapt to the intrusion detection of the changed network environment in the LAN.

Conclusion
In this paper, we focus on network security on the LAN. However, traditional intrusion detection methods have limitations in the LAN. The performance of current machine learning algorithms depends on feature engineering. Machine learning algorithms cannot take advantage of large amounts of data. In addition, machine learning algorithms lack the ability to adapt to independent learning. In AEMCME 2019 IOP Conf. Series: Materials Science and Engineering 563 (2019) 052019 IOP Publishing doi:10.1088/1757-899X/563/5/052019 7 order to overcome these limitations, this paper proposes a CNN-based intrusion detection method in LAN. In order to be better extracted for feature by the CNN, the result is converted into a 11x11x1 array as the input of the neural network after we preprocessed the data. Finally, the experimental results show that the proposed CNN-based method is superior to the machine learning-based method and has good effects in the field of network intrusion detection. Therefore, a solution with great possibilities is provided to protect the security of the network in the LAN.