A Real-Time and Ubiquitous Network Attack Detection Based on Deep Belief Network and Support Vector Machine

Hao Zhang, Member, IEEE, Yongdan Li, Zhihan Lv, Senior Member, IEEE, Arun Kumar Sangaiah, Member, IEEE, and Tao Huang

Abstract — In recent years, network traffic data have become larger and more complex, leading to higher possibilities of network intrusion. Traditional intrusion detection methods face difficulty in processing high-speed network data and cannot detect currently unknown attacks. Therefore, this paper proposes a network attack detection method combining a flow calculation and deep learning. The method consists of two parts: a real-time detection algorithm based on flow calculations and frequent patterns and a classification algorithm based on the deep belief network and support vector machine (DBN-SVM). Sliding window (SW) stream data processing enables real-time detection, and the DBN-SVM algorithm can improve classification accuracy. Finally, to verify the proposed method, a system is implemented. Based on the CICIDS2017 open source data set, a series of comparative experiments are conducted. The method’s real-time detection efficiency is higher than that of traditional machine learning algorithms. The attack classification accuracy is 0.7 percentage points higher than that of a DBN, which is 2 percentage points higher than that of the integrated algorithm boosting and bagging methods. Hence, it is suitable for the real-time detection of high-speed network intrusions.

Index Terms—Deep belief network (DBN), flow calculation, frequent pattern, intrusion detection, sliding window, support vector machine (SVM).

I. Introduction

In this technological era, network and internet speeds have reached gigabyte-per-second and even terabyte-per-second levels. However, the possibility of cyberattacks resulting in stolen personal and secret information from computers and networks is also increasing at the same time.
According to the “China internet industry market analysis report” released by the Internet Society of China, the growth rate of mobile internet access traffic in 2017 was 162.26%. Against the background of high-speed networks, network attack methods have gradually become characterized by high intensity, low cost, strong destructiveness, high concealment and gradual development to application layer protocols, among which denial-of-service (DoS) and web application attacks are representative.

How to quickly identify network attacks is one of the key technical problems of a hot research topic in the field of network security. Although existing protection software and intrusion detection systems (IDSs) can detect and block attacks that are occurring or have occurred to a certain extent, with the advent of the big data era and the continuous massive data flow problem, the existing protection software and IDSs have brought new challenges. The traditional network intrusion detection system (NIDS) often has a high packet loss rate and a high missed detection rate for current high-speed networks. How to address this challenge by establishing an intrusion detection model that can analyze high-speed data has become a key issue, which has broad application potential for effectively improving network security.

Aiming at the shortcomings of the traditional NIDS exposed by high-speed networks, a real-time intrusion detection method is designed in this paper.

1) This method is designed based on NetFlow to capture the data flow in a network, after which it preprocesses the data, including data format conversion, data cleaning, standardization, etc.

2) The method mines frequent patterns in data based on nested sliding windows (NSW) and a genetic algorithm. It then compares these patterns with a safe frequent pattern set and an attack frequent pattern set, determining whether they represent normal data, known attacks or unknown attacks, to detect network intrusion behaviors efficiently in real time.

3) For attack-type data, a classification algorithm based on the deep belief network and support vector machine (DBN-SVM) [1] is applied to accurately classify the attack type.

4) Compared with the existing detection methods, the intrusion detection method proposed in this paper is found

Manuscript received October 24, 2018; revised December 11, 2018; accepted January 7, 2019. This work was supported by the National Key Research and Development Program of China (2017YFB1401300, 2017YFB1401304), the National Natural Science Foundation of China (61702211, L1724007, 61902203), Hubei Provincial Science and Technology Program of China (2017AKA191), the Self-Determined Research Funds of Central China Normal University (CCNU) from the Colleges’ Basic Research (CCNU17QD0004, CCNU17GF0002), the Natural Science Foundation of Shandong Province (ZR2017QF015), and the Key Research and Development Plan–Major Scientific and Technological Innovation Projects of Shandong Province (2019JZZY020101). Recommended by Associate Editor MengChu Zhou. (Corresponding author: Zhihan Lv and Arun Kumar Sangaiah.)

Citation: H. Zhang, Y. D. Li, Z. H. Lv, A. K. Sangaiah, and T. Huang, “A real-time and ubiquitous network attack detection based on deep belief network and support vector machine,” IEEE/CAA J. Autom. Sinica, vol. 7, no. 3, pp. 790–799, May 2020.

H. Zhang and T. Huang are with the National Engineering Laboratory for Educational Big Data, Central China Normal University, Wuhan 430072, China (e-mail: zhanghao@mail.ccnu.edu.cn; foresttiger@126.com).

Y. D. Li is with Lanzhou Central Sub-branch of The People’s Bank of China, Lanzhou 730000, China (e-mail: yongdanl@qq.com).

Z. H. Lv is with the School of Data Science and Software Engineering, Qingdao University, Qingdao 266071, China (e-mail: lvzhihan@gmail.com).

Arun Kumar Sangaiah is with the School of Computing Science and Engineering, Vellore Institute of Technology University, Tamil Nadu 632014, India (e-mail: arunkumarsangaiah@gmail.com).

Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org.

Digital Object Identifier 10.1109/JAS.2020.1003099

IEEE/CAA JOURNAL OF AUTOMATICA SINICA, VOL. 7, NO. 3, MAY 2020
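
An added illustration of the window-based decision described in step 2) of the Introduction, not the paper's code: it uses a single sliding window and exhaustive itemset counting in place of the paper's nested sliding windows and genetic algorithm. The flow fields, thresholds, decision rule and sample flows are constructed assumptions.

```python
from collections import Counter, deque
from itertools import combinations

def frequent_patterns(window, min_support=0.5, max_len=2):
    """Itemsets of (field, value) pairs seen in at least min_support of the window."""
    counts = Counter()
    for flow in window:
        items = tuple(flow.items())
        for k in range(1, max_len + 1):
            for combo in combinations(items, k):
                counts[frozenset(combo)] += 1
    need = min_support * len(window)
    return {p for p, c in counts.items() if c >= need}

def judge(patterns, safe, attack):
    """Three-way decision (assumed rule): an attack pattern wins, then anything not known safe."""
    if patterns & attack:
        return "known-attack"
    if patterns - safe:
        return "unknown"
    return "normal"

def detect(flows, safe, attack, size=4, step=2, min_support=0.5):
    """Slide a window of `size` flows forward by `step` and judge each full window."""
    window, verdicts = deque(maxlen=size), []
    for i, flow in enumerate(flows, 1):
        window.append(flow)
        if i >= size and (i - size) % step == 0:
            verdicts.append(judge(frequent_patterns(window, min_support), safe, attack))
    return verdicts

# Constructed sample flows (already discretized; not taken from CICIDS2017).
WEB = {"proto": "tcp", "dport": 443, "flags": "ACK"}
SYN = {"proto": "tcp", "dport": 80, "flags": "SYN"}   # DoS-like half-open flows
ODD = {"proto": "udp", "dport": 1900, "flags": "-"}   # seen in neither training set

# Pattern sets mined from labelled windows; the attack set drops anything also seen as safe.
SAFE = frequent_patterns([WEB] * 4)
ATTACK = frequent_patterns([SYN] * 4) - SAFE

STREAM = [WEB] * 4 + [SYN] * 4 + [ODD] * 4

if __name__ == "__main__":
    for n, verdict in enumerate(detect(STREAM, SAFE, ATTACK)):
        print(f"window {n}: {verdict}")
```

Windows judged as attack traffic are the ones that step 3) would pass to the DBN-SVM classifier to name the attack type; that stage is not modelled here.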