Method and system for detecting intrusion in parallel based on unbalanced data Deep Belief Network

The invention claimed is: 1. A method for detecting an intrusion in parallel based on an unbalanced data Deep Belief Network (DBN), comprising: (1) obtaining an unbalanced data set, under-sampling the unbalanced data set using the Neighborhood Cleaning Rule algorithm, and clustering the under-sampled unbalanced data set using the Gravity-based Clustering Approach algorithm to obtain the clustered unbalanced data set; and (2) inputting the clustered unbalanced data obtained in step (1) into a trained Deep Belief Network model to extract a feature, inputting the extracted feature into multiple DBN-Weighted Kernel Extreme Learning Machine (DBN-WKELM) base classifiers in a trained DBN-WKELM multiclass classifier model to obtain multiple initial classification results, calculating a weight of each DBN-WKELM base classifier by the self-adaptive weighted voting method, and obtaining a final classification results and an intrusion behavioral type corresponding to the final classification results according to multiple weights and initial classification results. 2. The method for detecting the intrusion in parallel according to claim 1 , wherein step (1) comprises: (1-1) obtaining an unbalanced data set DS; (1-2) obtaining a sample point x and nearest neighbor data D k of the sample point x from the unbalanced data set DS obtained in step (1-1); wherein k represents a nearest neighbor parameter; (1-3) obtaining a set N k formed by all samples which have different type with the sample point x in the k-nearest neighbor data D k obtained in step (1-2) and a sample number num of the set N k ; (1-4) determining whether the sample number num obtained in step (1-3) is greater than or equal to k−1, proceeding to step (1-5) if yes, and otherwise, proceeding to step (1-6); (1-5) determining whether the type of the sample point x is a majority sample, updating the unbalanced data set DS to DS=DS−x and then proceeding to step (1-6) if yes, and otherwise, updating the unbalanced data set DS to DS=DS−N k and then proceeding to step (1-6); (1-6) repeating the above steps (1-2) to (1-5) for the remaining sample points in the unbalanced data set DS until all the sample points in the unbalanced data set DS has been processed, thereby obtaining the updated unbalanced data set DS; (1-7) setting a counter i=1; (1-8) determining whether i is equal to a total number of the sample points in the unbalanced data set DS, proceeding to step (1-14) if yes, and otherwise, proceeding to step (1-9); (1-9) reading the i-th new sample point d i =(d 1 i , d 2 i , . . . , d n i ) from the unbalanced data set DS updated in step (1-6), determining whether a cluster set S of preferred setting is empty, proceeding to step (1-10) if yes, and otherwise, proceeding to step (1-11); wherein e2∈[1, n], d e2 i : represents the e2-th feature attribute value in the i-th sample; (1-10) initialing a sample point d i as a new cluster C new ={d i }, setting a centroid μ to d i , adding the C new into the cluster set S, and proceeding to step (1-13); (1-11) calculating a gravitation for d i of each cluster in the cluster set S to obtain a gravitation set G={g 1 , g 2 , . . . , g ng }, and obtaining a maximum gravitation g max and its corresponding cluster C max from the gravitation set G, wherein n g represents a total number of the clusters in the cluster set S; (1-12) determining whether the maximum gravitation g max is less than a determined threshold r, returning to step (1-10) if yes, and otherwise, merging the sample point d i into the cluster C max , updating a centroid μ max of the cluster C max which has merged the sample point d i , and then proceeding to step (1-13); (1-13) setting the counter to i=i+1, and returning to step (1-8); and (1-14) traversing all the clusters in the cluster set S, and determining whether the types of all the sample points in each cluster is a majority sample, saving the majority samples in the cluster randomly according to a sampling rate sr and repeating the traversing process for the remaining clusters if yes, and otherwise, repeating the traversing process for the remaining clusters. 3. The method for detecting the intrusion in parallel according to claim 1 , wherein the gravitation g between the sample points d i and the clusters C is calculated according to the following formula: g = ln ⁢ ( ln ⁢ ( C num + 1 ) ) · ln ⁢ ( ln ⁢ 2 ) ( 1 n ⁢ ∑ e ⁢ 2 = 1 n ❘ "\[LeftBracketingBar]" d ϵ ⁢ 2 i - μ ε ⁢ 2 ❘ "\[RightBracketingBar]" ) 2 ; wherein C num is a number of the sample points in the cluster C, and μ e2 represents the e2-th feature attribute value in the centroid μ of the cluster C; a formula for updating a centroid μ max of a cluster C max is as follows: μ max =