Intrusion Behavior Identification in Network Nodes via an Improved Recursive Residual Network

With the popularization of computer technology and the Internet, network node intrusion occurs frequently, posing a major threat to personal, corporate and national security, easily leading to data leakage, system collapse, etc., thereby interfering with network operation and affecting social stability. Therefore, it is particularly important to identify network node intrusion behaviors and take corresponding prevention and countermeasures [1], [2]. However, the existing intrusion detection systems are faced with many challenges. On the one hand, because of the diversity and complexity of network node intrusion behaviors, it is often difficult for traditional detection methods to accurately identify all intrusion behaviors. On the other hand, with the continuous increase of network traffic, the existing detection system is prone to performance bottlenecks when dealing with large-scale data, resulting in the decline of detection efficiency and accuracy. In response to these problems, researchers have begun to explore intrusion detection methods based on deep learning.

Cao and Huang [3] explored host intrusion detection based on user file access logs. A graph was used to model file access behavior in a highly abstract way, deriving a set of behavioral features from the graph model that can be used by a machine learning algorithm to identify intruders. However, this method fails to fully consider the complexity of the network environment, resulting in poor performance in obtaining behavior features and affecting the identification effect of intrusion behavior. Reka et al. [4] developed a Coati Optimization Algorithm (COA) that incorporates network centrality measures to perform multi-attack intrusion identification, using a clustering-gradient mechanism to improve cluster formation. In this study, a cluster-head selection algorithm for Mobile Ad Hoc Networks (MANETs) based on dual network centrality was developed to solve the problem of node mobility and energy. The COA was used to obtain compact clusters. Finally, a Multi-Scale Attention Graph Convolutional Neural Network (MSA-GCNN) was used to identify multiple attacks. However, this method fails to consider the dynamic changes of the network, resulting in a poor clustering effect and a poor identification rate of the MSA-GCNN model.

In addition, Xie et al. [5] combined the distributed computing resources of Federated Learning and the decentralized characteristics of blockchain and proposed a blockchain-based Federated Learning framework for intrusion detection in Internet of Vehicles (IoV) networks. However, this method fails to take into account the influence of multiple factors on node behavior, which leads to the easy misjudgment of normal behavior as intrusion behavior, affecting the intrusion identification performance. Sathiya and Yuvaraj [6] developed an intrusion detection approach that integrates binary group optimization with differential evolution and moment-probability extremum learning to model node behavior. An intrusion detection system was constructed using moment-probability extremum learning in combination with a feature-selection mechanism based on a Goodman-activated binary group optimization differential evolution algorithm. However, this method tends to overlook subtle feature variations, resulting in incomplete or suboptimal feature selection and, consequently, reduced intrusion detection accuracy.

Therefore, to further improve the identification effect of intrusion behavior, a method to identify intrusion behavior in network nodes based on an improved RRN was proposed to more effectively guarantee network security. Compared with existing research, the main innovation of this study lies in the organic combination of an improved RRN, Depthwise Separable Convolution (DWConv), reputation fusion mechanisms, and Stress Majorization for Coordinate Finding (SMACOF) range localization methods to construct an end-to-end node intrusion behavior recognition framework, as shown in Table 1.

Network intrusion has different data characteristic patterns. Classification distinguishes normal data from potential intrusion data according to these patterns to provide a more accurate basis for subsequent processing.

As a basic data analysis method in statistics, classification of the network node data aims to distinguish the normal data from the potential intrusion data. According to the characteristics of the intrusion data, a statistical classification paradigm was adopted to realize the detection of intrusion data. Let the data of each node in the computer network constitute a set $z_j$, with the corresponding weight coefficient represented by $b_j$. These data need to meet the conditions of Eq. (1).

Under the above conditions, the maximum value of the intrusion data feature in the computer network node can be found using Eq. (2).

where, $l(y, y_i)$ is the kernel function; $z_k$ is the normal data set [7], $b_k$ is the weight coefficient, and $p$ is the data volume of computer network nodes.

Using Eq. (3), the intrusion data in computer network nodes are processed by quadratic programming.

where, $\beta_j$ is the classification coefficient [8], $c$ is a normal number, and $\gamma$ is the weight coefficient for intrusion behavior. The dual conversion of Eq. (3) is expressed as follows:

After derivation and analysis, the intrusion detection problem is reformulated as the dual form of a quadratic programming problem, which is subsequently solved to obtain the optimal classification coefficients. The resulting solution is expressed as follows:

Therefore, according to the optimal classification coefficient solution, the optimal classification function is obtained as follows:

The computer network node data $y$ can be substituted into the above Eq. (6) to complete the classification processing and obtain the intrusion data. To realize effective identification of intrusion behavior, it is necessary to not only identify the intrusion data but also further extract the abnormal characteristics of these data for the subsequent research of intrusion behavior identification.

On the basis of data classification, to extract the features of abnormal nodes more effectively, the PCA method can be used to optimize the feature space. PCA is able to retain the information of the original data to the greatest extent possible, while reducing the data complexity. The following are the specific steps for feature extraction of abnormal nodes in the computer network:

Step 1: In the computer network environment, in the face of various eigenvalue variables presented by any abnormal node, PCA is used to implement the dimensionality reduction strategy and refine it into a comprehensive variable with positive characteristics:

where, $Y$ is the comprehensive variable, $E$ is the original abnormal node data variable, $W$ is the characteristic weight variable [9], and $n$ is the number of variables.

Step 2: In computer network analysis, the comprehensive variable with the least variance is used as the main component, and the mean and standard deviation of abnormal nodes are obtained after the standardization of the covariance matrix.

where, $\bar{l}$ is the mean value, $s$ is standard deviation [10], and $Y_i$ represents the synthetic variable of node $i$.

Step 3: Based on the statistical characteristics of the abnormal nodes, the standard observation matrix and the associated matrix of the sample are constructed.

where, $W^{\prime}$ is the observation matrix, $T$ is the correlation matrix, $W_j$ represents the feature weight variable of node $J$, $a$ is the main component number, and $U$ is the correlation coefficient [11].

Step 4: Each element in the correlation matrix of the computer network is calculated. The feature decomposition formula of element $T_{ij}$ is shown in Eq. (10) where $k$ is the number of elements.

Step 5: Elements with eigenvalues greater than 1 are selected, and the cumulative contribution of these elements should exceed 90%. The principal component load matrix is constructed, which is the key feature of the abnormal nodes in the computer network. The cumulative contribution rate is expressed as:

where, $\mu$ is the characteristic value [12], and $q$ is the number.

After feature extraction is complete, the next step is to determine the range of network intrusion nodes. This step is critical because it can narrow the detection range, improve efficiency, and re-determine the target node range based on the new network state to ensure the effectiveness of intrusion detection. By using the SMACOF theory to correct the distance between target and target node, the error function is iteratively optimized, and the target node range of network intrusion is accurately solved. The specific steps are described below. For a system containing a specific number of $N$ network nodes, a function $S$ is defined to measure the error between the estimated distance of the network node to the target node and the actual distance.

where, $i \neq j, \hat{\delta}_{i, j}$ is the estimated distance between nodes [13], and $d_{i, j}\left(x_i, x_j\right)$ is the Euclidean distance. The above formula can be expanded to derive the following expression:

Eq. (13) is transformed into a spatial matrix to represent the determination of the target node range of network node intrusion.

where, $trace \{\cdot\}$ is the trace operation, $X$ is the matrix composed of all nodes $\left[x_1, x_2, \cdots, x_N\right]$, $X^T$ is the transpose of $X$, $H$ is the center matrix of node positioning space [14], with $H=I-e e^T / N, I$ , $I$ is the identity matrix, and $\psi(X)$ is the center matrix about $X$.

where, $w_{i, p}\left(x_i, x_p\right)$ represents the spatial weight between node $X_i$ and node $X_p$.

Based on the SMACOF theory, an auxiliary function is constructed to determine the target node coordinate $\varphi(X, Z)$ of network node intrusion:

where, $Z$ represents the coordinate matrix of the target node in the low dimensional space, and $\psi(Z)$ represents the center matrix about $Z$.

For each iteration $k$, $Z=X_{k-1}$ is utilized, since the gradient function of $\varphi(X, Z)$ satisfies the following condition:

Setting the gradient to 0 derives the following expression:

where, $X_k$ is the space matrix composed of all nodes.

According to the characteristics of the node positioning space center matrix $H$, the network intrusion node range $X^{\prime}$ is derived as follows:

In computer network node intrusion detection, improving the RRN structure can deeply dig the characteristics of network node data, which is very key to accurately identifying the intrusion behavior, because many complex intrusion behaviors are often hidden in these unobtrusive characteristics. Residual connections allow the network to more easily learn small changes in the input data, thereby improving the detection of intrusion behavior. To improve the identification accuracy of intrusion behavior in subsequent computer network nodes, the improved RRN results were constructed, and the intrusion detection was carried out in the range of intrusion nodes preliminarily determined above.

Based on the previous data processing and feature extraction results, the RRN architecture was constructed and optimized. The model can capture the features of network node intrusion behavior more effectively to enhance the detection accuracy and efficiency, laying a solid foundation for the subsequent optimization detection and intrusion determination. The iterative structure of RNN was introduced and the regression residual model was constructed by using the concept of jump connection in assisted residual network. The jump connection and recursive structure in the RRN help to speed up the training of the model, reduce the risk of overfitting, and make the model have higher detection efficiency and stability in practical applications. At the same time, using deep separable convolution technology to simplify model parameters can greatly reduce the number of model parameters, computational complexity and memory consumption while maintaining model performance. In this improved architecture, depth-separable convolution plays a central role, as shown in Figure 1.

Based on the results of previous data processing and feature extraction, the RRN architecture was constructed. The network consists of multiple recursive blocks, each of which is composed of multiple residual units. The residual unit uses a pre-activated architecture to reduce training difficulty and improve performance. Designs that apply activation functions before the weight layer are named “pre-activation” architectures. The “pre-activated” architecture is less difficult to train and shows better performance. The residual unit in this architecture can be expressed as:

where, $u=1,2, \cdots, U$, with $U$ being the number of residual units [15], $H^{u-1}$ and $H^u$ are the input and output of the units, respectively, and $F$ is the residual function.

In this study, Eq. (20) was adjusted, and the adjusted residual unit is defined as follows:

where, $G$ represents the adjusted residual function, and $H^0$ is the output of the first convolution layer.

Let $B$ represent the number of recursive blocks in the network, $x_{b-1}$ and $x_b(b=1,2, \cdots, B)$ represent the input and output of the $b$-th recursive block, and $H_b^0=f_b\left(x_{b-1}\right)$ represent the result of $x_{b-1}$ passing through the convolutional layer in the $b$-th recursive block [16]. Then, according to Eq. (21), the $u$-th residual element is:

Then the output $x_b$ of the $b$-th recursive block is:

In the RRN, the DWConv technique is used to reduce the model parameters. By dividing the standard convolution into deep convolution and point-by-point convolution, the calculation and parameter number of the model can be greatly reduced. The model was trained with a marked network node intrusion dataset. At the same time, the weight coefficient transfer and sharing mechanism in the recursive structure was used to effectively control the scale of network parameters. After training and tuning, the improved RRN was deployed to the actual computer network intrusion detection system. In practical applications, the model can monitor the behavior of network nodes in real time and identify the potential intrusion behavior accurately.

In a complex network environment, the behavior of nodes may be affected by many factors and fluctuate. For example, a node may experience a short period of increased network traffic due to a temporary business need, but this does not necessarily mean that it has been compromised. By considering many factors comprehensively to calculate the credit value, the normal behavior fluctuation can be accurately distinguished from the real intrusion behavior to improve the accuracy of intrusion detection. Therefore, multiple factors were considered in this study to calculate the comprehensive reputation value of a node, aiming to evaluate the node security more comprehensively, effectively reduce misjudgment, and improve the reliability of detection. The recursive structure of the RRN enables the model to deal with more complex network node behavior patterns and realize recursive transfer and sharing of weight coefficients among residual modules. Based on this recursive structure, the credit value of nodes can be iterated and updated constantly so that it can reflect the actual node behavior more accurately and realize intrusion detection. The change of node reputation value is based on the dynamic status of network nodes, and is not a simple numerical accumulation. The specific steps are as follows:

Step 1: Direct credit value calculation. The Bayesian method is used to estimate the success rate of node communication. The subjective probability of incomplete or unknown information is evaluated first, and then the Bayesian formula is used for correction. Finally, the revised credit value is used for evaluation. The specific application of the Bayes formula is as follows:

where, $D_j$ is a subset of the standard set [17], $E$ is the element in the annotation set, $P\left(D_j\right)$ is the communication success rate of standard set subset nodes, and $P\left(E \mid D_j\right)$ indicates the communication success rate of element nodes in the standard set subset. The $Beta$ distribution function is used to implement the fitting analysis of intrusion behavior identification. Assuming that the credit value of node $X$ represents the number of successful data transfers of node $X$, then the following equation can be derived:

where, $\alpha$ and $\beta$ are parameters greater than 0. Probability transformation of the $Beta$ distribution function is performed, and the final result of credit value is obtained as follows:

where, $s$ is the number of information transmission failures [18].

Step 2: Indirect credit value calculation. The data of neighboring nodes are used to calculate the credit value of the current node. By analyzing and calculating the data of other nodes, the reputation behavior of the current node can be evaluated, and more accurate results can be obtained.

Let the underlying nodes $x$, $y$, and $z$ be the same. For node $x$, the indirect reputation value can be transferred between nodes, and its calculation formula is as follows:

where, $R_{i k}$ and $R_{kj}$ represent the credit value of data flowing between $y$ nodes and $z$ nodes [19]. There is a risk in the calculation of the indirect credit value because the internal intrusion node may adopt a camouflage strategy to improve its own credit value or reduce the credit value of normal nodes. To deal with this problem, another credit calculation method needs to be adopted to identify and judge the intrusion node more accurately.

Step 3: Comprehensive credit value calculation. In view of the limitations of the above two credit value quantification methods, a comprehensive credit value evaluation method is adopted. Based on the comprehensive credit value of each node in the wireless network at any time, the intrusion optimization detection model of data nodes transmitted in the computer network is constructed.

where, $X_m$ is the comprehensive credit value, and the value range of parameter $c$ is [0, 1]. Therefore, the results of Eq. (28) are substituted into the above Eq. (23) as the input of the improved RRN, and the detection results of computer network node intrusion are the output.

On the basis of optimized detection, the potential intrusion behavior was further judged, involving calculating potential loss values or other relevant metrics and analyzing the detected abnormal behavior in depth to determine whether it constitutes a true breach. Once a network anomaly is detected, the relevant node can quickly send the abnormal information to the base station, which, as the center of the network, has sufficient energy and powerful computing power and is responsible for in-depth identification of the abnormal information. The goal of identification is to accurately determine whether there is network node intrusion to isolate malicious nodes in time and ensure the normal operation of the network and the security of data transmission.

This study evaluates the potential loss value L of the abnormal behavior to determine whether it should be recognized as an intrusion behavior. If the value exceeds the threshold, it is an intrusion behavior, and measures are taken immediately to isolate malicious nodes and maintain stable network operation. The relevant calculation formula is shown in Eq. (29).

where, $a_i$ is the threat indicator of node $i$ affected by abnormal behavior, $W_s$ is the number of times that node $s$ monitoring reports the intrusion action to the base station, $K$ indicates the number of detected intrusions, $\tau_k$ is the weight of detecting intrusion behavior $k$ [20], and $M_i$ is a set of monitoring sets for node $i$. Thus, $L$, the potential loss of node $I$, can be obtained, as shown in Eq. (30).

where, $c_i$ is the importance of node $i$, and the potential loss value $L$ of each node is calculated by considering the potential harm of abnormal behavior comprehensively. Once the value exceeds the preset threshold, the base station is able to determine that the node is a malicious node, confirm the existence of intrusion, and immediately perform isolation procedures to remove it from the network to prevent further damage. The threshold is not arbitrarily set, but is based on in-depth analysis of a large amount of historical network intrusion data and normal network behavior data. By conducting a detailed study of past intrusion events, the actual losses caused by different types of intrusion behaviors to the network were calculated, including data leakage, service interruption duration, and degree of network performance degradation. Meanwhile, considering the potential loss fluctuation range under normal network behavior, a threshold that can distinguish intrusion behavior from normal abnormal fluctuations was comprehensively determined. In addition, the expected utility-based method was used to calibrate the threshold, completing the identification of intrusion behavior in computer network nodes.

To verify the effectiveness of the research on intrusion behavior identification in computer network nodes based on the proposed improved RRN, the designed method was compared with some baseline methods [3], [4], [5], [6].

In terms of experimental setup, the mini-batch size was 128, the training period (epochs) was 10 rounds, and the learning rate was set to 0.0001. The test dataset used is CIC-IDS-2022, which contains 85 features and 3119346 communication session instance samples. In addition, the cycle number of 50,000 and the batch size of 128 were set. The Adam optimizer was simultaneously used by employing its adaptive learning rate characteristics to accelerate convergence and improve training stability. To prevent overfitting, multiple regularization strategies were implemented. A dropout layer with a dropout rate of 0.5 was introduced after the convolutional layer of the RRN to reduce the complex co-adaptation relationships between neurons. At the same time, a weight decay coefficient of 1e-5 was set in the optimizer to constrain the complexity of the model. To address the issue of class imbalance in the CIC-IDS-2022 dataset, the focal loss based on the cross entropy loss function was introduced, which enhanced the model’s ability to recognize minority class intrusion behaviors by adjusting the weights of difficult and easy samples. In addition, a cosine annealing scheduling strategy was adopted for the learning rate, which gradually decreased with training epochs, thus achieving more precise parameter adjustment in the later stage of training.

To build a stable and controllable measurement environment, the TensorFlow framework was adopted, and the execution program was written in Python. To ensure the specificity and anti-interference of the execution program, Java was additionally employed to invoke the Python program. In experimental evaluation, the training objective function is usually aimed at minimizing the difference between the predicted results and the true labels to improve the model’s accurate identification ability of intrusion behavior. The cross entropy loss function was adopted as the training objective function for multi-classification problems. By minimizing the loss function, the model can continuously adjust its own parameters to make the prediction results closer to the real situation, thereby improving the accuracy of intrusion behavior identification. To effectively evaluate the identification effectiveness of the proposed method, the identification accuracy, the F1 value, the intrusion behavior identification rate, and the changes in malicious node trust values were used as indicators. The identification accuracy is a commonly used indicator to measure the overall performance of the model, which represents the proportion of correctly predicted samples to the total number of samples. The calculation formula is expressed as:

where, $TP$ represents the true example, which is the number of samples that are actually intrusion behaviors and correctly predicted by the model; $TN$ represents true negative cases, which refers to the number of samples that are actually normal behavior and correctly predicted by the model; $FP$ stands for false positive examples, which refers to the number of samples that are actually normal behavior but incorrectly predicted by the model as invasive behavior; $F$N stands for false negative examples, which refers to the number of samples that are actually invasive behavior but incorrectly predicted by the model as normal behavior.

The F1 value is the harmonic mean of precision and recall, taking into account both the accuracy and recall capability of the model. Accuracy represents the proportion of samples predicted by the model as positive cases that are actually positive cases, while recall represents the proportion of samples predicted correctly by the model as positive cases. The calculation formula is as follows:

where, $P$ represents precision and $R$ represents recall.

In the identification of intrusion behavior in computer network nodes, the early stop strategy aims to prevent overfitting of the model during training by monitoring the performance indicators of the model on the validation set (such as validation loss or validation accuracy) to stop training. The specific steps are as follows:

Step 1: Setting of the patience value. The patience value is a pre-set integer that represents the number of epochs that the model is allowed to continue training without further improvement in the validation set’s performance. For example, setting the patience value to 5 means that if there is no improvement in performance on the validation set for five consecutive epochs, training can be stopped.

Step 2: Monitoring of the performance of the validation set. After each epoch of training, the model is applied to the validation set and the performance metrics such as validation loss or validation accuracy are calculated.

Step 3: Determining whether to stop early. The performance of the validation set for the current epoch is compared with the previous best performance. If the current performance does not improve, a counter is added. If there is an improvement in current performance, the counter is reset to 0. When the counter reaches the patience value, the training is stopped and the previously best-performing model parameters are used as the final model parameters.

Through the above training objective function, the indicator calculation method, and the early stopping strategy on the validation set, it is possible to effectively train and optimize an intrusion behavior identification model for computer network nodes based on the improved RRN and to improve its accurate identification ability of intrusion behavior. A medium-sized enterprise network testing environment was established, in which the Open Shortest Path First (OSPF) routing protocol was employed, with a topology structure including core switches, routers, database servers, web servers, and multiple client subnets. A total of 150 logical nodes were deployed in the network to simulate the distribution and communication relationships of devices in a real enterprise network, with a simulation time set at 150 seconds.

In the configured system test environment, programming tools were used to convert the design part into program code and import it into the main test computer. Then, the network was adjusted to the running state and the corresponding network running data were generated. Then, the computer network was connected to the system software running program through real-time data acquisition, protocol analysis, feature extraction and other steps, finally outputting the intrusion behavior identification results for computer network nodes. The experimental environment diagram is shown in Figure 2.

A total of 16200 communication session samples were randomly selected from the CIC-IDS-2022 dataset for in-depth analysis. After the network system was started, network traffic data were collected through the mirror port, and mixed analysis was performed based on 16200 session instances in the CIC-IDS-2022 dataset. The selected sample data cover a wide range of normal communication patterns and intrusion activities, including denial-of-service (DoS) attacks, R2L attacks, port scanning and monitoring activities (Probe), and unauthorized attempts to gain local superuser privileges (U2R), as shown in Table 2.

All configurations were consistent on each node. In the same network environment, the maximum working bandwidth was set to 300 Mbps.The sparse coding technology was adopted as the coding method of nodes. Keras was employed as the learning library of this experiment. To facilitate the reproducibility and verification of this research, the training scripts, data preprocessing pipeline, model implementation, and the complete hardware/software environment are described in detail below.

(a) Training script and model implementation

The core architecture of the improved RRN was implemented using the TensorFlow and Keras frameworks. The model leverages DWConv and a pre-activation residual structure within recursive blocks. The following pseudo-code illustrates the key components of the model-building process:

‘‘‘python

import tensorflow as tf

from tensorflow.keras.layers import *

from tensorflow.keras.models import Model

def pre_activation_residual_unit(input_tensor, filters, kernel_size=3):

"""

Defines a pre-activation residual unit.

"""

x = BatchNormalization()(input_tensor)

x = Activation('relu')(x)

x = DepthwiseConv2D(kernel_size, padding='same')(x)

x = Conv2D(filters, (1, 1), padding='same')(x)

return x

def build_recursive_block(input_tensor, num_units, filters):

"""

Builds a recursive block containing multiple residual units.

"""

x = input_tensor

for _ in range(num_units):

residual = pre_activation_residual_unit(x, filters)

x = Add()([x, residual])

return x

def build_improved_rrn(input_shape, num_classes, U=5, N=8, base_filters=64):

"""

Constructs the complete Improved RRN model.

Args:

U: Number of recursive blocks.

N: Number of residual units per block.

base_filters: Base number of filters for convolutional layers.

"""

inputs = Input(shape=input_shape)

x = inputs

# Initial Convolution

x = Conv2D(base_filters, (3, 3), padding='same')(x)

# Stack of Recursive Blocks

for _ in range(U):

x = build_recursive_block(x, N, base_filters)

# Final Classification Head

x = BatchNormalization()(x)

x = Activation('relu')(x)

x = GlobalAveragePooling2D()(x)

outputs = Dense(num_classes, activation='softmax')(x)

model = Model(inputs, outputs)

return model

# Example: Model Instantiation

model = build_improved_rrn(input_shape=(None, None, 1), num_classes=5, U=5, N=8)

model.compile(optimizer='adam', loss='categorical_crossentropy', metrics=['accuracy'])

‘‘‘

(b) Data preprocessing pipeline

The CIC-IDS-2022 dataset was processed through the following pipeline to prepare it for model input: data cleaning-feature scaling-sequence construction-label encoding. Rows with missing values and duplicate communication sessions were first removed. Numerical features were standardized using Z-score normalization to have a mean of 0 and a standard deviation of 1. Then continuous communication sessions were segmented into fixed-length time-series windows to capture temporal behavior. Multi-class labels (normal, DoS, R2L, Probe, and U2R) were converted into a one-hot encoded format.

(c) Hardware and software environment

The experiments were conducted in the following environment to ensure consistency:

• Hardware configuration: Intel Xeon Gold 6226R CPU (2.90 GHz); two NVIDIA Tesla V100 GPUs (32 GB VRAM each); and 128 GB DDR4 memory.

• Software configuration: Ubuntu 20.04.6 LTS operating system; Python 3.8.10; and key libraries including TensorFlow 2.10.0, Keras 2.10.0, NumPy 1.21.5, Pandas 1.3.5, and Scikit-learn 1.0.2.

The proposed intrusion behavior identification method for computer network nodes integrates multiple modules such as classification preprocessing, PCA feature extraction, SMACOF range localization, improved RRN, and reputation value fusion. To further explore the contribution of each module to the overall method performance, a step-by-step ablation experiment was conducted. By sequentially removing specific modules and comparing the performance of methods under different conditions, the key roles of each module in intrusion behavior identification can be clarified. The identification accuracy is used for measurement, and the results of the ablation experiment are shown in Table 3.

According to the results in Table 3, it can be seen that after removing the classification preprocessing module, the recognition accuracy significantly decreases, indicating that classification preprocessing can effectively distinguish normal data from potential intrusion data, providing a more accurate basis for subsequent processing and reducing the impact of interference data on detection results. Removing the PCA feature extraction module, the SMACOF range localization module, and the reputation value fusion module results in a decrease in performance. Without PCA’s dimensionality reduction and feature optimization, the model may face difficulties in processing high-dimensional data, which affects the accurate recognition of intrusion behavior. Without SMACOF, it is difficult to determine the range of network intrusion target nodes, which is affected by the interference of irrelevant node data and affects the accuracy of detection. Without reputation value fusion, relying solely on a single detection result for judgment can easily lead to misjudgment or omission of intrusion behavior. The removal of the improved RRN module has a significant impact on performance. This module can deeply explore the characteristics of network node data, and residual connections and recursive structures help accelerate model training speed and reduce the risk of overfitting.

Traditional neural network structures have limited ability to handle complex network node behavior patterns, resulting in a significant decrease in detection performance. Through gradual ablation experiments, the important role of each module in identifying intrusion behavior of computer network nodes was clarified. Classification preprocessing, the PCA feature extraction, the SMACOF range localization, the improved RRN, and the reputation value fusion module all contribute to improving the performance of the method. Among them, the improvement of the RRN module has the most significant impact, followed by the classification preprocessing module. In practical applications, the advantages of each module should be fully utilized to ensure the accuracy and reliability of identifying intrusion behaviors of computer network nodes.

Sensitivity analysis on parameters was conducted, such as the number of recursive blocks ($U$), the number of residual units ($N$), and the DWConv configuration in the improved RRN, to determine the optimal parameter configuration. Among them, the number of recursive blocks controls the number of repetitions of the recursive structure, and the testing range is from $U$ = 2 to $U$ = 8. The range of residual unit number testing is from $N$ = 4 to $N$ = 16. DWConv was evaluated in two configurations: standard convolution and depthwise convolution. When DWConv was enabled, the expansion factor $\alpha$ was tested over the range of 1.0 (no channel expansion) to 2.0 (doubling the number of channels). The results are shown in Table 4 below.

According to the results in Table 4, it can be seen that when the number of recursive blocks ($U$) is 5, the number of residual units ($N$) is 8, and the DWConv configuration is $\alpha$ = 1.0, the network performance reaches its optimal level, which can provide reliable support for identifying intrusion behavior of computer network nodes. Using literature review methods and the proposed method, intrusion behavior identification was carried out on various computer network nodes, with the F1 value as the evaluation index. A total of 200 samples was randomly selected from the test sample for testing, and the F1 values of each party are shown in Figure 3.

As shown in Figure 3, there is a significant difference in the F1 value between the design method and the other four methods. Specifically, the F1 value of the proposed method consistently remains above 0.9, while the F1 values of the other four literature methods are all below 0.8. By comparing the F1 values of five methods for intrusion behavior identification of various computer network nodes, it can be concluded that for abnormal data, the intrusion behavior identification method of the designed method shows good identification accuracy, significantly better than other methods. To evaluate the performance of the methods more scientifically, the 95% confidence intervals of the F1 values for each method were calculated, and the results are shown in Table 5.

According to the results in Table 5, the lower limit of the F1 confidence interval for the design method is 0.90, which consistently remains above 0.90. The upper limit of the F1 confidence interval for the other four literature methods is 0.80 or below. The design method demonstrates excellent identification accuracy. Its high F1 mean value (0.92) and narrow confidence interval ([0.90, 0.94]) indicate that this method has not only excellent average performance but also strong performance stability. This means that the design method can reliably achieve accurate identification of intrusion behavior in different sample situations, reducing the significant performance changes caused by sample fluctuations. The design method has significant advantages in identifying intrusion behaviors of computer network nodes and can more accurately and stably identify abnormal data, providing more reliable technical support for network security protection. The change of intrusion behavior identification rate of the proposed algorithm and other methods over time is shown in Table 6.

As can be seen from Table 6, at each measured time points (10 seconds to 70 seconds), the identification rate of intrusion behavior of the design method remained between 88.2% and 95.3%, showing high stability and accuracy. The identification rate of intrusion behavior increased from 88.2% of 10 seconds to 95.3% of 70 seconds, an increase of 7.1 percentage points, indicating that the performance of the design method is constantly improving over time. The identification rate of intrusion behavior of the method in the study [3] fluctuated greatly, from 80.3% in 10 seconds to 80.5% in 20 seconds, and then to 80.5% and 80.7% in 60 seconds and 70 seconds, with both increases and decreases during the period. Using the method in the study [4], the identification rate of intrusion behavior increased from 85.4% in 10 seconds to 87.8% in 30 seconds, but then decreased slightly to 80.9% in 70 seconds. The identification rate of intrusion behavior of the method in the study [5] showed an overall upward trend, from 85.5% in 10 seconds to 85.6% in 50 seconds, but then fluctuated slightly. Using the method in the study [6], the identification rate of intrusion behavior increased from 85.6% in 10 seconds to 87.7% in 30 seconds, but then gradually decreased to 82.4% in 70 seconds. In summary, the identification rate of intrusion behavior of the design method maintains a high level at each time point, and the fluctuation is small, which indicates that it has good stability.

To show the advantages of the proposed method more clearly, the results of the comparison of different methods on the trust value of malicious nodes are shown in Figure 4.

It can be clearly seen from the presentation of Figure 4 that the node trust value of the design method dropped below 0.15 after 75 seconds, while the node trust value of the literature method was above 0.2. Therefore, the proposed method is highly sensitive to malicious nodes, and can effectively identify and respond to malicious nodes to ensure that malicious nodes cannot interfere with normal trust relationships, which has a positive impact on network security. Therefore, normal nodes in the network can trust each other more, improving the overall security and stability of the network. The changes of network nodes under different methods are shown in Figure 5.

As can be seen from the results in Figure 5, in actual network applications, the design method has a large coverage area of network nodes, which can prevent intruders from touching the network core and control nodes to achieve self-protection. In the face of an intrusion situation, when the other four methods were adopted, the area of network nodes was not completely covered, and some nodes were eroded by intrusion nodes, reducing the coverage area. Therefore, the proposed design method is more practical in evaluating the results.

On the basis of the above analysis, to further verify the real-time performance of the proposed method, the performance differences between the proposed method and the other four methods [3], [4], [5], [6] in identifying intrusion behavior of computer network nodes were compared. Delay refers to the time interval from the occurrence of an anomaly to the output of the model’s identification results, measured in milliseconds. The above methods were used to identify five groups of samples, each containing 1000 samples. The identification delay of each method was calculated, and the results are shown in Table 7.

According to the results in Table 7, the highest average detection delay of the proposed method (12.3 ms) is significantly lower than that of the literature method (27.8–45.7 ms). This indicates that the proposed method has significant advantages in intrusion behavior identification latency, with lower latency verifying the effectiveness of the improved RRN in real-time performance.

In this design, a recursive structure was introduced into the improved RRN-based node intrusion behavior identification framework. This structure enables the use of recursive weight coefficients within the residual module, allowing the scale of network parameters to be effectively controlled and the overall network architecture to be simplified. According to the comprehensive credit value of the node, the intrusion detection model of the data node in computer network transmission was established. Based on the detection results, the loss value was used to identify the intrusion behavior of network nodes. When the potential loss value exceeds the specified threshold, the base station is able to determine that the node is a malicious node with intrusion behavior and immediately start the isolation program to ensure the stable operation of the network and the safe transmission of data. Although the improved RRN performs well in detection, its generalization capabilities still need to be further improved. Especially in the face of new or unknown intrusion behavior, the model may not be able to accurately identify it. By integrating various regularization techniques and integrated learning strategies, the generalization performance of the model can be enhanced. In addition, exploring transfer learning and other means to apply cross-domain knowledge to intrusion detection can improve the adaptability of the model. At the same time, the research and development of distributed intrusion detection technology can be strengthened to improve the detection ability of distributed network attacks.