A. PCA

PCA is a feature extraction method that reduces the dimensionality of data by extracting features from the original data while retaining variance information in the original data. The core idea is to achieve dimensionality reduction by calculating the correlation between data points and removing data points with high correlation. By applying dimensionality reduction, several data attributes can be converted into a few data attributes without losing substantial important information [39], and the influence of redundant information can be reduced in subsequent feature learning. Furthermore, the reduction of the number of input features reduces the number of model parameters, improving computational efficiency. The main steps of PCA are as follows.

1. Standardization of data: The standardization process normalizes the size of all data points to the same range to avoid some oversized data points causing large errors. The standardization formula is as follows.

   $$\begin{equation*} X_{new}=\frac {X_{i}-\mu }{\sigma }\tag{1}\end{equation*}$$ View Source\begin{equation*} X_{new}=\frac {X_{i}-\mu }{\sigma }\tag{1}\end{equation*}

3. Calculation of covariance matrix: The correlation between data points is obtained by calculating the covariance matrix of the data points. The covariance matrix is as follows.

   $$\begin{align*} \mathrm {Cov =}\left [{ {\begin{array}{cccccccccccccccccccc} {\mathrm {Cov}}_{11} &\quad {\mathrm {Cov}}_{12} &\quad \ldots &\quad {\mathrm {Cov}}_{\mathrm {1M}}\\ {\mathrm {Cov}}_{21} &\quad {\mathrm {Cov}}_{22} &\quad \ldots &\quad {\mathrm {Cov}}_{\mathrm {2M}}\\ \vdots &\quad \vdots &\quad \ldots &\quad \vdots \\ {\mathrm {Cov}}_{\mathrm {M1}} &\quad {\mathrm {Cov}}_{\mathrm {M2}} &\quad \ldots &\quad {\mathrm {Cov}}_{\mathrm {MM}}\\ \end{array}} }\right]\tag{2}\end{align*}$$ View Source\begin{align*} \mathrm {Cov =}\left [{ {\begin{array}{cccccccccccccccccccc} {\mathrm {Cov}}_{11} &\quad {\mathrm {Cov}}_{12} &\quad \ldots &\quad {\mathrm {Cov}}_{\mathrm {1M}}\\ {\mathrm {Cov}}_{21} &\quad {\mathrm {Cov}}_{22} &\quad \ldots &\quad {\mathrm {Cov}}_{\mathrm {2M}}\\ \vdots &\quad \vdots &\quad \ldots &\quad \vdots \\ {\mathrm {Cov}}_{\mathrm {M1}} &\quad {\mathrm {Cov}}_{\mathrm {M2}} &\quad \ldots &\quad {\mathrm {Cov}}_{\mathrm {MM}}\\ \end{array}} }\right]\tag{2}\end{align*}

3. Calculate the eigenvalues of the covariance matrix and the corresponding eigenvectors: this method is used to determine the principal components in the data.

4. Ranking selection of principal components: Feature vectors are arranged in rows from top to bottom according to the magnitude of feature values to form a vector matrix, and the order from top to bottom indicates the decreasing importance.

5. Dimension of data after dimensionality reduction: When the data dimension is to be reduced to n dimensions, i.e., the first n rows of the directional volume matrix form a new matrix.

B. DCNN

CNN [40] is widely used as a powerful feature extraction tool for target recognition, text classification, and anomaly detection. The traditional CNN mainly consists of three layers: convolution, pooling, and fully connected layers [41]; the SNN [42] is obtained by improving the convolution layer based on the traditional CNN.

The convolution layer is the most important in the CNN structure, and its function is to perform feature extraction on the target to obtain more advanced features by convolving local regions. Depthwise separable convolution consists of depthwise convolution and pointwise convolution, which compute channel and spatial features separately and then add them together, reducing the number of parameters and computational effort. The formula is as follows. Figure 1 shows the comparison between traditional convolution and depthwise separable convolution. The upper half of the figure is the traditional convolution, and the bottom half is the depthwise separable convolution. The traditional convolution is calculated using $C_{1} \times n \times n \times C_{2}$ parameters, whereas the depthwise separable convolution is calculated separately using depthwise convolution and pointwise convolution, which only requires $C_{1} \times n \times n +C_{1} \times 1 \times 1 \times C_{2}$ parameters, significantly reducing the number of parameters.

View Source\begin{align*} \mathrm {Depthwise}-\mathrm {Conv}(W,y)_{(i,j)}=&\sum \nolimits _{k,l}^{K,L} W_{(k,l)}\cdot y_{(i+k,j+l)} \tag{3}\\ \mathrm {Pointwise-Conv}(W,y)_{(i,j)}=&\sum \nolimits _{m}^{M} W_{(m)}\cdot y_{(i,j,m)}\tag{4}\end{align*}

FIGURE 1.

Traditional convolutional structure and depthwise separable convolutional structure.

Show All

The pooling layer follows the convolutional layer, and its main role is to compress the feature map generated by the convolutional layer and extract the main features of each local region. Pooling is divided into two methods: maximum pooling, which outputs the maximum value of each region, and average pooling, which calculates the average value of the region. The pooling method can reduce the number of features and the complexity of the network structure. However, pooling will reduce the number of original features, and there will be less repetition among the network traffic features. Some important features may be lost through pooling, affecting the accuracy of the overall network. Therefore, in this paper, we replace the pooling layer with an attention mechanism to extract the main features, thereby avoiding the loss of relevant features.

The fully connected layer acts on the pooling layer to achieve the weighted classification of features by mapping the previously extracted features to the sample space. However, the fully connected layer has many parameters, which significantly increases the complexity of model construction. After the last convolution, the shape of the feature map input to the fully connected layer is $W\,\,\times \,\,H\,\,\times \,\,C$ . When the fully connected layer has N neurons, the fully connected layer will contain $W\,\,\times \,\,H\,\,\times \,\,C\,\,\times \,\,N$ parameters, and this huge number of parameters increases the size of the model and affects computational efficiency.

GAP is a good alternative to fully connected layers [43], and Figure 2 illustrates the process of classifying fully connected layers with GAP. GAP obtains M feature maps of shape $W\,\,\times \,\,H$ after the last convolution, where M represents the number of categories. The final classification result is obtained by averaging each feature map and converting it into a 1D vector. GAP has no parameter settings, which avoids the risk of overfitting while reducing the redundant parameters of the fully connected layer. The number of parameters is reduced by replacing the fully connected layer with GAP to improve computational efficiency.

FIGURE 2.

Fully connected layer structure and GAP structure.

Show All

C. Attention Mechanism

The development of the attention mechanism [44] in ML was inspired by the human visual mechanism, and when humans observe a group of things, they always focus on the important parts, and this method of observation improves the efficiency of observation and helps capture the important information accurately. The attention mechanism is used in practice to assign different weights to different features according to their importance among features. Greater weights are assigned to features with high importance so that the important information can be better captured during feature learning.

The attention mechanism embodies different functions depending on the position it is located. By replacing the pooling layer with the attention mechanism in the DCNN, feature loss caused by pooling downsampling is avoided; the main features are extracted by finding the more important features and assigning greater weights to each feature map after convolution by performing feature learning separately. The inclusion of the attention mechanism improves the DCNN’s feature learning capability, which proved effective in subsequent experiments. The output formula is as follows.

View Source\begin{equation*} \mathrm {Attention}(Q,K,V)=\mathrm {softmax}\left ({\frac {QK^{T}}{\sqrt {d}_{k}} }\right)V\tag{5}\end{equation*}

D. Dataset Description

1) Dataset Introduction

Three datasets, namely, KDDcup99 [45], NSL-KDD [46], and UNSW-NB15 [47], were used for the experiments. The KDDcup99 dataset is a classic network intrusion detection dataset containing several DoS attack data points, which is very suitable for DoS attack detection experiments. The UNSW-NB15 dataset was created by the Australian National Security Center in 2015, which has more types of attacks on the current network and better reflects the actual situation of the current network. As shown in Table 3, there are 41 feature types in the KDDcup99 and NSL-KDD datasets and 47 feature types in the UNSW-NB15 dataset; however, some of them are redundant, too repetitive with the others, or have insignificant effective features for the labels, so dimensionality reduction is needed to reduce the number of features and reduce redundancy. The three datasets, namely, KDDcup99, NSL-KDD, and UNSW-NB15, are divided into two parts, i.e., training and testing datasets, where the KDDcup99 and NSL-KDD datasets contain four attack types, and the UNSW-NB15 dataset contains nine attack types. In this paper, only their DoS attack types are extracted and studied, and Table 4 shows the number of normal and DoS attacks in their training and testing datasets.

TABLE 3 Feature list of KDDcup99, NSL-KDD, and UNSW-NB15 Dataset

TABLE 4 KDDcup99, NSL-KDD, and UNSW-NB15 Dataset Categories

2) Dataset Preprocessing

Firstly, we divide the training dataset, in which 90 % is the training set, and 10 % is the validation set. Since the model only allows numerical data input, data features are numerically encoded to convert nonnumerical features into numerical features. After numerical encoding, the normalization operation is performed in preparation for the subsequent PCA dimensionality reduction. PCA is an unsupervised dimensionality reduction method. Before dimensionality reduction, the feature items of the training dataset and testing dataset need to be merged to maintain the data distribution of training set, validation set, and testing set is the same after dimensionality reduction. In the dimensionality reduction stage, we reduce the features of KDDcup99, NSL-KDD, and UNSW-NB15 datasets to 30 dimensions, and the effect of dimensionality reduction is depicted in Figure 3. The histogram represents the degree of variance explained by each principal component, and the curve represents the degree of cumulative interpretation. From the figure, 30 principal components were extracted by PCA, and their cumulative principal component variance explained approximately 100% of all features, which contains a large amount of original feature information, indicating that the dimensionality reduction was successful. After dimensionality reduction, numerical normalization is also required to enable good model training, speed up convergence, and prevent gradient explosion. The normalization is given by the following equation.

$$\begin{equation*} X_{\mathrm {norm}}=\frac {X-X_{min}}{X_{max}-X_{min}}\tag{6}\end{equation*}$$ View Source\begin{equation*} X_{\mathrm {norm}}=\frac {X-X_{min}}{X_{max}-X_{min}}\tag{6}\end{equation*}

FIGURE 3.

Dimensionality reduction effect.

Show All

E. Model Structure

Figure 4 shows the deep convolution structure constructed in this paper, which consists of convolution layers, depthwise separable convolution layers, attention mechanism layer, and GAP layer. Firstly, we combine the traditional convolution layer with the depthwise separable convolution. In the initial layers, the traditional convolution is used to strengthen the feature learning ability, and in the subsequent layers, the depthwise separable convolution can greatly reduce the model parameters. Secondly, we use the attention mechanism to replace the pooling layer after each convolution. The multiple pooling during deep convolution operations leads to the loss of important features in the network traffic information. By replacing the pooling layer with an attention mechanism, the main features are extracted and the loss of important features is avoided. Moreover, the attention mechanism only adds a small amount of parameters, which does not affect the lightweight design of the model. Finally, GAP is used to replace the fully connected layer. The fully connected layer has complex redundant parameters, which greatly increases the complexity of the model. The replacement of GAP makes the model lighter.

FIGURE 4.

The Proposed DCNN model.

Show All

Figure 5 shows the overall structure of the proposed model. The model is divided into two parts: data preprocessing and feature extraction and classification. The first part is data preprocessing. The training data and testing data should be processed through four steps: numericalization, standardization, PCA dimensionality reduction, and normalization. The preprocessing operations in each step are prepared for the next step. The second part is the feature extraction and classification of data, which is an end-to-end model. Firstly, the proposed DCNN is used to extract the feature of the preprocessed data, and then the softmax function is used to classify and evaluate the classification results of the testing set. The operation process of the proposed model is illustrated by Algorithm 1.

FIGURE 5.

The framework of the proposed model.

Show All

Algorithm 1

The Computational Flow of the Proposed Model

Show All

A. Implementation

In this paper, simulation experiments are conducted with three datasets, namely KDDcup99, NSL-KDD, and UNSW-NB15. The experimental environment is set up on a personal host, and Table 5 presents the overall configuration.

TABLE 5 Experimental Operating Environment

We selected four classification evaluation metrics: accuracy, recall, precision, and F1-score. The four classification metrics can evaluate the model’s performance in many aspects to avoid errors caused by a single evaluation index. The formulas of the evaluation metrics are as follows, which mainly consist of four indicators: true positive (TP), true negative (TN), false positive (FP), and false negative (FN). TP is a positive case for both model prediction and the target sample’s true category; TN is a negative case for both model prediction and the target sample’s true category; FP is a positive case for model prediction but a negative case for the target sample’s true category; FN is a negative case for model prediction but a positive case for the target sample’s true category. From the formula, accuracy is the proportion of correct predictions among all predictions, which is typically used as an indicator to evaluate the overall classification performance of a model; recall is the proportion of positive predictions among the true categories of samples, which is more important than accuracy in abnormal traffic detection, as it reflects the recognition of abnormal traffic by a model. Precision is the percentage of correct predictions among positive predictions; F1-score is the average of recall and precision. In addition to the four evaluation metrics, we also visualize the detection effect through ROC curves and confusion matrices. The ROC curve indicates the trade-off between the TP rate and the FP rate of the estimated classes [48], and the confusion matrix is composed of TP, TN, FP, and FN. The model size and number of parameters are chosen for evaluation in terms of the lightweight property to determine how lightweight the model is.

View Source\begin{align*} Accuracy=&\frac {TP+TN}{TP+TN+FP+FN} \tag{7}\\ Recall=&\frac {TP}{FN+TP} \tag{8}\\ Precision=&\frac {TP}{TP+FP} \tag{9}\\ F1-score=&\frac {2PR}{P+R}\tag{10}\end{align*}

Experimental simulation is divided into two parts, classification metrics analysis, and lightweight metrics analysis. In the classification comparison experiments, we used seven models, namely, logistic regression (LR), DT, KNN, LSTM, bidirectional LSTM (Bi-LSTM), CNN, and SNN, for comparison with the DCNN model. It includes the classical ML method and the current mainstream DL method to verify the effectiveness of the model. In the lightweight evaluation of the model, we compare the proposed model with the original CNN and SNN, and Table 6 shows their model structures. All three models have a four-layer 1D convolutional structure. SELU is chosen as the activation function. SELU has the feature of self-normalization compared with ReLU, which can further prevent gradient disappearance and gradient explosion problems.

TABLE 6 The Respective Model Parameters of CNN, SNN, and DCNN

B. Classification Metrics Analysis

Figure 6 shows the training accuracy, training loss, validation accuracy, and validation loss of the DCNN model on the three datasets, and it can be seen that with the increase of period, the accuracy and loss of the model eventually converge to the maximum and minimum values. In general, the training and validation accuracy of KDDcup99 dataset is the best, followed by NSL-KDD dataset, and the worst is UNSW-NB15 dataset. However, in terms of the detection effect of binary classification, the model can achieve satisfactory results on three datasets. This shows that the model structure design is good, and the model can effectively learn the characteristics of different datasets through training.

FIGURE 6.

Accuracy and loss of training set and validation set.

Show All

Figure 7 shows the ROC curve of different models on three datasets. The ROC curve is composed of FP rate and TP rate. When the Area Under ROC Curve (AUC) is larger, it represents the better performance of the model. It can be seen that on the KDDcup99 dataset, each model has a good performance, and the best performance is CNN, followed by DCNN. On NSL-KDD and UNSW-NB15 datasets, DCNN performed the best, with AUCs of 0.945 and 0.993, respectively. On the whole, the performance of the DL model on the three data sets is better than that of the ML model, which is due to the more stable feature learning ability of the DL model. The ML model is more superficial in feature learning, and it is difficult to achieve good results in the face of complex data distribution. At the same time, it can be seen that the AUC of the NSL-KDD dataset is much lower than that of the KDDcup99 dataset and the UNSW-NB15 dataset, which is related to the distribution of the NSL-KDD dataset. Its test set contains more feature distributions that the training set does not have, which is more to test the generalization performance of the model.

FIGURE 7.

ROC curves comparison.

Show All

Tables 7, 8, and 9 show the two classification results for the Normal category and the DoS attack category for the three datasets, namely, KDDcup99, NSL-KDD, and UNSW-NB15, with the overall evaluation metrics. From the tables, for the KDDcup99 dataset, DCNN outperforms the other methods in terms of all evaluation metrics. Nonetheless, the metrics of the other methods are all above 97%, indicating that the methods are effective in detecting the KDDcup99 dataset. For the NSL-KDD and UNSW-NB15 datasets, DCNN also achieves the best result. and the DL models outperform the traditional ML models, reflecting the stronger feature extraction ability of DL methods. It can also be seen that the DCNN designed in this paper has a better performance compared with CNN and SNN models, and its Accuracy improves by 0.31% and 0.41% on the KDDcup99 dataset, 0.36% and 2.22% on the NSL-KDD dataset, and 0.57% and 1.24% on the UNSW-NB15 dataset, respectively. It indicates that the model proposed in this paper has a better overall detection effect.

TABLE 7 Different Methods on the KDDcup99 Dataset

TABLE 8 Different Methods on the NSL-KDD Dataset

TABLE 9 Different Methods on the UNSW-NB15 Dataset

To thoroughly evaluate the proposed model’s performance, we evaluated the model’s classification performance for the Normal category and the DoS attack category separately in terms of the metrics, as shown in Tables 10, 11, and 12. We mainly focus on the recall of DoS categories in the model. A higher recall represents a higher correct detection rate of DoS categories. It can be seen from the table that on KDDcup99 and NSL-KDD datasets, DCNN recall is the highest, followed by CNN. On the UNSW-NB15 dataset, CNN has the highest recall, followed by DCNN. It shows that DCNN has higher detection performance for DoS attack traffic. For F1-score of normal and DoS categories, DCNN is also the best, indicating that DCNN has better feature learning ability than other models. Also overall, the DL model performs better compared to the ML model.

TABLE 10 Classification Performance on the KDDcup99 Dataset

TABLE 11 Classification Performance on the NSL-KDD Dataset

TABLE 12 Classification Performance on the UNSW-NB15 Dataset

To more intuitively visualize how the model improvements help in the detection of DoS categories, Figures 8, 9, and 10 show the classification confusion matrices of CNN, SNN, and DCNN on the three datasets, namely, KDDcup99, NSL-KDD, and UNSW-NB15. From the confusion matrices, it can be seen that compared with CNN and SNN, the number of correct DoS detections of DCNN on KDDcup99 dataset increased by 1029 and 1342, respectively, and the number of correct DoS detections on NSL-KDD dataset increased by 61 and 393, respectively. For the UNSW-NB15 dataset, the number of correct detections of DoS is reduced by 38 and increased by 62 for DCNN compared to CNN and SNN, respectively. Because SNN adopts the structure of separable convolution, its feature extraction ability is not as good as CNN composed of traditional convolution structure. It can also be seen from the confusion matrix that the detection rate of SNN for DoS is lower than CNN on all three data sets. DCNN adopts the combination of traditional convolution and separable convolution, and replaces the maximum pooling layer with attention mechanism. Its feature extraction ability can reach the same level as CNN, so the detection rate of DoS on three data sets is similar to CNN.

FIGURE 8.

Confusion matrices on the KDDcup99 dataset.

Show All

FIGURE 9.

Confusion matrices on the NSL-KDD dataset.

Show All

FIGURE 10.

Confusion matrices on the UNSW-NB15 dataset.

Show All

C. Lightweight Metric Analysis

In this section, we compare the degree of lightness of DCNN with CNN and SNN. In the lightweight comparison, the model size and the number of parameters were mainly chosen to measure whether the model has an appropriate size for deployment on WSNs devices, and Table 13 shows the comparison results. For the three datasets, DCNN reduces the size of CNN and SNN models by 87.46% and 84.77%, respectively, and the number of parameters is reduced by 69496 and 55483 compared with CNN and SNN models. The reduction of model parameters is mainly due to the use of separable convolution and GAP.DCNN introduces separable convolution and GAP into the traditional convolution structure to reduce the overall calculation of the model and has a smaller model size. Experiments demonstrate that DCNN is more suitable for WSNs devices with a small memory footprint.

TABLE 13 Compare Model Size and Number of Parameters

D. Discussion and Analysis

In this chapter, the DCNN model is used to detect and analyze DoS traffic in KDDcup99, NSL-KDD, and UNSW-NB15 datasets. Compared with other models, DCNN has better experimental results, which proves the superiority of DCNN model in detecting abnormal traffic on WSNs devices. The following information is also available.

1. The NSL-KDD dataset has a worse detection effect than the KDDcup99 and UNSW-NB15 datasets. This is because the test set has more unknown data features than the training set. This feature makes it possible to better test the generalization of the model.

2. Although separable convolution can reduce model parameters, its feature extraction ability is also worse than traditional convolution. The combination of traditional convolution and separable convolution has better feature extraction ability, and using attention mechanism to replace the maximum pooling layer can also make up for the lack of feature extraction ability of separable convolution.

3. Separable convolution and GAP have fewer parameters than traditional convolution and fully connected layers, which benefits from their less computation and simplifies the model operation process.