A Novel Network Intrusion Detection Method for Unbalanced Data in Open Scenarios

With the rapid development of information technology, network intrusion attacks continue to evolve, making the detection and defense increasingly urgent. In order to cope with the emerging threats, which are mostly unknown and can hardly be handled by traditional intrusion detection methods, we propose a data and knowledge driven solution in this work. Firstly, the knowledge revealing commonalities and features of different attacks is extracted from the public attack behaviors and encoded by using doc2vec. Then relying on zero-shot learning, the detection model is transferred to the accurate identification of unknown attack types. Considering that the vast majority of training samples are non-attack behaviors rather than attack behaviors, this imbalance in sample quantities often leads the detection model to be biased toward the larger class samples. We employ the SMOTE (Synthetic Minority Over-sampling Technique) method to synthesize small class samples, achieving a relatively balanced distribution of training samples across different categories. Experimental evaluation on the refined NSL-KDD dataset demonstrates the effectiveness of the proposed method in detecting network intrusion in open environments with unknown attacks.