Malicious Network Traffic Detection Based on Deep Neural Networks and Association Analysis

Bibliographic Details
Published in Sensors (Basel, Switzerland) Vol. 20; no. 5; p. 1452
Main Authors Gao, Minghui, Ma, Li, Liu, Heng, Zhang, Zhijun, Ning, Zhiyan, Xu, Jian
Format Journal Article
Language English
Published Switzerland MDPI 06.03.2020
MDPI AG
ISSN 1424-8220
DOI 10.3390/s20051452

Summary: Anomaly detection systems can accurately identify malicious network traffic, providing network security. With the development of internet technology, network attacks are becoming more and more sourced and complicated, making it difficult for traditional anomaly detection systems to effectively analyze and identify abnormal traffic. At present, deep neural network (DNN) technology achieved great results in terms of anomaly detection, and it can achieve automatic detection. However, there still exists misclassified traffic in the prediction results of deep neural networks, resulting in redundant alarm information. This paper designs a two-level anomaly detection system based on deep neural network and association analysis. We made a comprehensive evaluation of experiments using DNNs and other neural networks based on publicly available datasets. Through the experiments, we chose DNN-4 as an important part of our system, which has high precision and accuracy in identifying malicious traffic. The Apriori algorithm can mine rules between various discretized features and normal labels, which can be used to filter the classified traffic and reduce the false positive rate. Finally, we designed an intrusion detection system based on DNN-4 and association rules. We conducted experiments on the public training set NSL-KDD, which is considered as a modified dataset for the KDDCup 1999. The results show that our detection system has great precision in malicious traffic detection, and it achieves the effect of reducing the number of false alarms.