Literature Review
Chuang & Wu (2019) proposed a novel method that uses deep learning to generate data models for balancing network intrusion detection datasets, thereby enhancing detection capability. This offers an effective solution to the deficiencies and class imbalance of network intrusion detection data. However, training deep learning models requires significant computational resources and time, which may limit their applicability in certain domains. Jiao et al. (2022) discuss machine learning model reconstruction and sample generation methods for malicious traffic detection; according to the authors, existing machine learning models suffer from overfitting and underfitting in malicious traffic detection, which affects model accuracy and reconstruction rate. They propose a solution based on model reconstruction and sample generation that uses a graph-based adaptive sample generation algorithm to quickly create uniformly distributed generated samples in the input domain (Jiao et al., 2022). Although this method can generate and train a reconstructed model that resembles the target model, it may not fully replicate all the features and behaviours of the target model because not all of its information and details are available.
Many studies use generative adversarial networks (GANs) (Goodfellow et al., 2018) or their derivative structures to address sample imbalance. A GAN essentially consists of a generator and a discriminator. Recently, GANs have gradually been applied to adversarial example generation tasks (Zhang et al., 2022). For example, Rathore et al. (2021) proposed a GAN-based malicious sample generation method together with a sequence feature selection method combining variance and correlation analysis to address imbalance in PIoT trajectory data. Building different GAN models for different categories of malicious traffic can better address data imbalance, improving model generalization and robustness (Sharma et al., 2021). However, DCGAN uses deep convolutional neural networks, which capture data features better than the fully connected layers of the original GAN, and thus generates samples more effectively.
Jamoos et al. (2023) state that the performance of traditional machine learning methods depends largely on dataset balance. However, many IDS datasets have imbalanced class distributions, which makes threat detection difficult for some minority classes. To address this, a new GAN-based model, the temporal dilated convolutional generative adversarial network (TDCGAN), has been proposed. Moti et al. (2021) introduced MalGAN, a novel malware detection and generation framework for the Internet of Things (IoT) network edge. Unlike traditional feature-based methods, MalGAN requires no prior knowledge of the malware and can automatically learn and generate new malware samples from raw bytecode. Nevertheless, redundant data may waste storage, especially with large datasets.
Additionally, Daniyal used a DCGAN to deceive malware classifiers into believing malicious samples are normal entities. In that work, model collapse, instability and vanishing gradients in the DCGAN were addressed by the proposed hybrid Aquila optimizer-Mine burst and harmony search (AO-MBHS) (Alghazzawi et al., 2022). However, there are many improved algorithms for the Aquila optimizer that still require further research and optimization.
When dealing with highly imbalanced data distributions, normal samples typically outnumber abnormal ones by a large margin. Directly modeling and analyzing imbalanced data can bias the model and thereby reduce its accuracy (Yang et al., 2023). The innovative design of the malicious traffic sample enhancement system in this paper uses a DCGAN to construct the generator, coupled with the ResNet from the CNN model. This design lets deep neural networks train without encountering the vanishing gradient problem. Additionally, the system uses a state-switching button to control the status of the malicious traffic sample enhancement system, providing two modes: PASS and WORKING. Such a sample enhancement system helps correct certain biased traffic data issues, enhancing the effectiveness of detection models.
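As an added illustration that is not part of the original article, the following derivation shows why the residual (ResNet) connections mentioned above keep gradients from vanishing in a deep generator. The symbols are ours: $x_i$ is the input of block $i$, $F_i$ the block's learned mapping, and $L$ the training loss.

A residual block computes $y = x + F(x; W)$. By the chain rule,
$$\frac{\partial L}{\partial x} = \frac{\partial L}{\partial y}\left(I + \frac{\partial F}{\partial x}\right).$$
Stacking $n$ such blocks, $x_{i+1} = x_i + F_i(x_i)$, gives
$$\frac{\partial L}{\partial x_0} = \frac{\partial L}{\partial x_n}\prod_{i=0}^{n-1}\left(I + \frac{\partial F_i}{\partial x_i}\right) = \frac{\partial L}{\partial x_n}\left(I + \sum_{i=0}^{n-1}\frac{\partial F_i}{\partial x_i} + \dots\right),$$
so the gradient reaching the first block always contains the unattenuated identity term $\partial L / \partial x_n$, and can only shrink if the residual Jacobians actively cancel it. A plain stack without skip connections, $x_{i+1} = F_i(x_i)$, instead gives
$$\frac{\partial L}{\partial x_0} = \frac{\partial L}{\partial x_n}\prod_{i=0}^{n-1}\frac{\partial F_i}{\partial x_i}, \qquad \left\lVert\frac{\partial L}{\partial x_0}\right\rVert \le \left\lVert\frac{\partial L}{\partial x_n}\right\rVert\prod_{i=0}^{n-1}\left\lVert\frac{\partial F_i}{\partial x_i}\right\rVert,$$
whose bound decays geometrically with depth whenever each Jacobian has norm below 1, which is the gradient disappearance the residual design avoids.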
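To make the PASS/WORKING control flow described above concrete, here is an added example (not code from the article or its authors) of a sample enhancement controller: in PASS mode labelled traffic records are returned unchanged, in WORKING mode every minority class is topped up with generated samples until it matches the majority class. The DCGAN/ResNet generator of the paper is not reproduced; `jitter_generator` is an assumed stand-in that perturbs existing minority rows so the pipeline runs offline, and the flow records are constructed toy data.

```python
"""Sample-enhancement controller with PASS / WORKING modes (added example).

The generator interface `generator(seed_rows, n, rng)` is an assumption
made here so that a DCGAN-based generator could be plugged in later;
`jitter_generator` is only a stand-in, not the paper's method.
"""
from collections import Counter
import random

PASS, WORKING = "PASS", "WORKING"


def class_counts(labels):
    """Return {label: count} for the label list."""
    return Counter(labels)


def imbalance_ratio(labels):
    """Majority class count divided by minority class count (1.0 = balanced)."""
    counts = class_counts(labels)
    return max(counts.values()) / min(counts.values())


def jitter_generator(seed_rows, n, rng, scale=0.05):
    """Stand-in generator (assumed, not DCGAN): draw n new feature vectors
    by adding small Gaussian noise to randomly chosen minority-class rows."""
    out = []
    for _ in range(n):
        base = rng.choice(seed_rows)
        out.append([v + rng.gauss(0.0, scale) for v in base])
    return out


def enhance(features, labels, mode, generator=jitter_generator, seed=0):
    """Apply the selected mode and return (features, labels).

    PASS    -> data passes through untouched.
    WORKING -> each minority class is padded with generated samples
               until its count equals the majority class count.
    """
    if mode == PASS:
        return list(features), list(labels)
    if mode != WORKING:
        raise ValueError(f"unknown mode {mode!r}")
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    counts = class_counts(labels)
    target = max(counts.values())
    new_f, new_l = list(features), list(labels)
    for cls, cnt in counts.items():
        deficit = target - cnt
        if deficit == 0:
            continue
        seed_rows = [f for f, l in zip(features, labels) if l == cls]
        new_f.extend(generator(seed_rows, deficit, rng))
        new_l.extend([cls] * deficit)
    return new_f, new_l


# Constructed toy flow records: [bytes_per_packet, packets_per_second, duration]
# scaled to [0, 1]; normal traffic dominates, attack classes are scarce.
FEATURES = [
    [0.50, 0.10, 0.30], [0.52, 0.12, 0.28], [0.48, 0.09, 0.31],
    [0.51, 0.11, 0.29], [0.49, 0.10, 0.30], [0.53, 0.13, 0.27],
    [0.05, 0.95, 0.02], [0.06, 0.97, 0.01],   # dos: tiny, very fast flows
    [0.10, 0.80, 0.05],                       # scan: a single example
]
LABELS = ["normal"] * 6 + ["dos"] * 2 + ["scan"]

if __name__ == "__main__":
    print("PASS   :", dict(class_counts(LABELS)), "ratio", imbalance_ratio(LABELS))
    _, balanced = enhance(FEATURES, LABELS, WORKING)
    print("WORKING:", dict(class_counts(balanced)), "ratio", imbalance_ratio(balanced))
```

Because the controller only sees the generator through a small callable, the same PASS/WORKING switch works unchanged once a trained DCGAN replaces the jitter stand-in; the imbalance ratio before and after is the number a practitioner would log to confirm the enhancement actually took effect.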