DDP-DAR: Network intrusion detection based on denoising diffusion probabilistic model and dual-attention residual network

Neural Netw. 2024 Dec 18:184:107064. doi: 10.1016/j.neunet.2024.107064. Online ahead of print.

Abstract

Network intrusion detection (NID) is an effective way to guarantee the security of cyberspace. However, the volume of normal network traffic is much larger than that of intrusion traffic (i.e., a data imbalance problem), which biases the training of NID models toward the majority classes and thus degrades detection performance. Scholars have addressed this problem either by reducing normal network traffic or by increasing intrusion traffic; of the two, increasing the amount of intrusion traffic effectively expands the scale of the dataset during model training, which is beneficial for training a better NID model. In this paper, we propose a network intrusion detection method based on a denoising diffusion probabilistic model and a dual-attention residual network (DDP-DAR), organized into three phases: feature representation, data augmentation and intrusion detection. In the feature representation phase, we propose a novel feature representation method that better represents network traffic as RGB images by storing global features and local features. In the data augmentation phase, we utilize the denoising diffusion probabilistic model instead of traditional data augmentation models (e.g., VAE, GAN), and then introduce the cosine noise addition and learnable variance parameter strategies to improve the denoising diffusion model so that it generates high-quality RGB images. In the intrusion detection phase, we propose a detection method based on a dual-attention residual network, which performs feature extraction through a multilayer network structure and a dual-attention mechanism to obtain higher-level and more important information, thereby detecting intrusion traffic more accurately. A large number of experimental results show that, compared with state-of-the-art data augmentation-based NID methods, DDP-DAR performs better on four metrics: Accuracy, F1-measure, FPR and ROC-AUC. Meanwhile, the detection results of DDP-DAR are more stable.

Keywords: Data augmentation; Denoising diffusion probabilistic model; Dual-attention residual network; Feature representation; Network traffic detection.