CN112235288B - NDN network intrusion detection method based on GAN - Google Patents

Publication number: CN112235288B
Authority: CN (China)
Prior art keywords: data, network, attack, gan, ndn
Legal status: Active
Application number: CN202011089853.9A
Other languages: Chinese (zh)
Other versions: CN112235288A (en)
Inventors: 罗森林, 魏继勋, 潘丽敏, 李班
Current Assignee: Beijing Institute of Technology BIT
Original Assignee: Beijing Institute of Technology BIT

Application filed by Beijing Institute of Technology BIT
Priority to CN202011089853.9A
Publication of CN112235288A
Application granted
Publication of CN112235288B

Classifications

    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G06F18/2415 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on parametric or probabilistic models, e.g. based on likelihood ratio or false acceptance rate versus a false rejection rate
    • G06N3/045 Combinations of networks
    • G06N3/047 Probabilistic or stochastic networks
    • G06N3/08 Learning methods
    • H04L63/1416 Event detection, e.g. attack signature detection
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

The invention relates to a GAN-based NDN network intrusion detection method, belonging to the technical field of computer and information science. It addresses two problems in named data networking (NDN): statistical detection methods generalize poorly, and intrusion detection for cache pollution attacks (CPA) and Interest flooding attacks (IFA) is difficult because too few malicious traffic samples are available. First, statistical information collected from NDN routing nodes is standardized using a variational Gaussian mixture model. Second, a conditional-GAN-based method performs data augmentation on samples of specific classes, increasing the number of malicious samples in the tabular data. Then a deep neural network classifier is trained on the augmented data set. Finally, the classifier monitors the routers' traffic statistics to determine the type of malicious intrusion. The invention achieves a better monitoring effect on CPA and IFA attacks.

Description

NDN network intrusion detection method based on GAN
Technical Field
The invention relates to a Named Data Networking (NDN) intrusion detection method based on a Generative Adversarial Network (GAN), and belongs to the technical field of computer and information science.
Background
The existing TCP/IP network architecture is built around addresses and centers on protecting the transmission path; it increasingly fails to meet the big-data era's requirements for secure, reliable and efficient network data. To meet emerging communication needs at a fundamental level, future-oriented network architectures are receiving a great deal of attention. Named data networking is data-centric, shifting the focus of communication from address to content; it has the greatest potential to replace TCP/IP and become the mainstream architecture of the future network.
NDN is centered on named data: it replaces IP addresses, forwards by data name, and protects the data rather than the channel. Each data packet carries a digital signature, and verifying that signature ensures the integrity, correctness and origin of the data. Data can be retrieved from any node in the NDN network; the two communicating parties need not know each other's addresses and do not establish a direct connection. By being data-centric and protecting data with digital signatures, NDN addresses security problems such as information tampering and spoofing at the architectural level. Compared with the IP architecture, NDN improves security, but it still faces potential attacks in the complex environment of the Internet. The cache pollution attack (CPA) and the Interest flooding attack (IFA) are the two most representative intrusion attacks.
1. Flooding attack intrusion detection
An IFA targets NDN routers: within a short time the attacker sends, at a high rate, Interest packets under a given namespace that have no corresponding content, exhausting the router's cache and bandwidth so that users have difficulty sending or receiving the data packets they need. If the attack lasts long enough, the entire NDN network eventually collapses.
When an IFA occurs, the number of Interest packets rises sharply and the number of satisfied Interest packets falls sharply. Existing IFA detection methods monitor NDN router interfaces in real time, analyze the numbers of Interest packets and data packets passing through the router within a period together with dynamic indicators of the router's cache table (PIT), and use a statistical model to decide whether a flooding attack is occurring. These statistical methods generalize poorly and have a high misjudgment rate under burst traffic and hot content.
2. Cache pollution attack intrusion detection
A CPA targets the caches of NDN nodes: by requesting low-popularity content at a low rate over a long period, the attacker makes the polluting content occupy node caches for a long time, thereby controlling the nodes' internal caches, lowering the hit rate for legitimate users, increasing the delay in obtaining legitimate content, and degrading NDN network performance.
When a CPA occurs, the amount of low-popularity content in the NDN network increases. Existing CPA detection methods monitor the number of distinct Interest packets in the NDN network within a given time window, set a threshold by an algorithmic rule, and decide whether a cache pollution attack is occurring. This performs well when producer and consumer are close, but in a network where they are far apart the low-rate malicious traffic makes up only a small share, and the data imbalance makes it hard to monitor.
In summary, under complex network conditions the existing NDN intrusion detection methods for IFA and CPA attacks have two weaknesses: statistical methods generalize poorly and misjudge burst traffic at a high rate, and cache pollution traffic data is imbalanced, making it hard to monitor and distinguish. The invention therefore provides a GAN-based NDN network intrusion detection method.
Disclosure of Invention
The invention aims to solve the problems that, in an NDN network, statistical methods generalize poorly and intrusion detection for CPA and IFA attacks is difficult because too few malicious traffic samples are available, and provides a GAN-based NDN network intrusion detection method.
The design principle of the invention is as follows: first, statistical information collected from NDN routing nodes is standardized using a variational Gaussian mixture model; second, a conditional-GAN-based method performs data augmentation on samples of specific classes, increasing the number of malicious samples in the tabular data; then a deep neural network classifier is trained on the augmented data set; finally, the classifier monitors the routers' traffic statistics to determine the type of malicious intrusion.
The technical scheme of the invention is realized by the following steps:
Step 1, preprocess the statistical information collected from NDN routing nodes.
Step 1.1, obtain from each NDN router the traffic statistics of the node over a statistical period, together with the routing node's cached data (CS), Pending Interest Table (PIT) and target Information Table (FIT).
Step 1.2, according to the attack implementation time, divide the traffic samples obtained in step 1.1 into normal, CPA attack and IFA attack by sampling time and routing node name.
Step 1.3, process the classified traffic statistics obtained in step 1.2 according to defined rules, and one-Hot encode the classification label.
Step 1.4, standardize the numerical features of the samples obtained in step 1.3 using a variational Gaussian mixture model.
Step 2, perform data augmentation with a GAN-based method, increasing the number of malicious samples in the data samples.
Step 2.1, generate an initial random sample from random noise and assign it an initial classification, as the input of the GAN generator.
Step 2.2, sample the real samples using a logarithmic-frequency method, and use the sampled real attack samples together with the output of the GAN generator as the input of the discriminator.
Step 2.3, train the discriminator network and the generator network alternately with a cross-entropy loss function until a preset value is reached.
Step 2.4, generate sample data of the specified attack type using the generator model.
Step 3, train the deep neural network classifier on the augmented data set.
Step 3.1, use the generated sample data and the original sample data as the input of a neural network classifier, and train the classifier.
Step 3.2, train with an Adam optimizer to obtain the neural network classifier model.
Step 4, the classifier monitors the routers' traffic statistics to determine the type of malicious intrusion, and the node where the intrusion occurred is quickly located from the routing node name and sampling time in the traffic information.
Advantageous effects
Compared with traffic-statistics discrimination methods based on specific rules, the method uses a deep neural network to process multiple classes of features simultaneously and identify both CPA and IFA attacks, and generalizes better.
Compared with the BP neural network method, the method can augment data of a specific attack type using a conditional GAN, reducing the misjudgment rate on imbalanced data sets.
Compared with Bayesian network and deep neural network methods, the method models the differently distributed sample features in NDN tabular data better.
Drawings
Fig. 1 is a diagram of an NDN network intrusion detection topology according to the present invention.
FIG. 2 is a diagram illustrating the data normalization process according to the present invention.
Fig. 3 is a flowchart of a GAN-based NDN network intrusion detection method according to the present invention.
Detailed Description
To better illustrate the objects and advantages of the invention, embodiments of the method are described in further detail below with reference to examples.
Data is collected by simulating an NDN network topology with ndnSIM and gathering the traffic statistics of each NDN router with a statistical period of 3 s. A mesh topology is built from 22 NDN routers and 36 links, and routers forward using an optimal-path forwarding strategy. Each link has a delay of 10 ms and a bandwidth of 1 Mbps. The cache capacity of each routing node is set to 100, LFU is used as the cache replacement policy, and access requests follow a Zipf distribution. The network topology is shown in Fig. 1.
The network contains 5 normal consumers, 2 normal producers, 1 IFA attacker and 1 CPA attacker. Normal network traffic, IFA attacks, CPA attacks and mixed attacks of the two are then simulated. Normal traffic is simulated for 20 min before each attack, and each attack lasts 5 min. In total, 33000 traffic statistics samples per unit time are obtained from the 22 routers, covering 60 min of normal network access and 15 min of the various attack types, with a class ratio of 8:1:1. The sample features are shown in Table 1.
TABLE 1 flow statistics
Figure GDA0003331518820000041
Figure GDA0003331518820000051
The experiment adopts the false alarm rate and the detection rate to evaluate the intrusion detection result of the method, the false alarm rate calculation method is shown as formula 1, and the detection rate calculation method is shown as formula 2:
Figure GDA0003331518820000052
Figure GDA0003331518820000053
The experimental equipment is a computer and a server. The computer has an Intel i9-9900K CPU at 3.60 GHz, 32 GB of memory and 64-bit Windows 10; the server has an E7-4820 v4 CPU, 256 GB of RAM and 64-bit Ubuntu Linux.
The specific process of the experiment is as follows:
Step 1, preprocess the discrete statistical information obtained from NDN routing nodes.
Step 1.1, simulate the network topology shown in Fig. 1 with ndnSIM and collect the NDN traffic statistics as described above. The detailed features are listed in Table 1: routing node name, statistics time, number of links between the router and other routers, average time for an Interest packet to receive its corresponding content packet, number of Interest packets received, number of data packets received, average size of received data packets, number of Interest packets sent, number of data packets sent, average size of sent data packets, number of satisfied Interest packets, number of cache hits, average cache persistence time, current length of the cached-data queue, number of PIT entries updated, current number of PIT entries, number of PIT entries deleted on timeout, and current number of target information table entries. Each sample contains 18 features, and there are 33000 samples in total, in tabular form.
Step 1.2, according to the attack implementation time, divide the traffic samples obtained in step 1.1 into normal, CPA attack and IFA attack by sampling time and routing node name, with a sample ratio of 8:1:1.
Step 1.3, process the traffic statistics obtained in step 1.2 according to defined rules; Name and Time serve as classification identifiers and are removed. One-Hot encode the classification label feature, where $k$ denotes a class and there are $N_d$ classes in total. This yields the tabular sample data set C.
Step 1.4, standardize the numerical features in data set C using a Gaussian mixture model, scaling the values to the interval [-1, 1]. For each column $C_i$ in C, estimate the number N of Gaussian modes of the column's distribution using a variational Gaussian mixture model (VGM), and one-Hot encode the N modes as $\beta_k$. The learned Gaussian mixture model is
Figure GDA0003331518820000061
where $\pi_k$ is the weight, and $\mu_k$ and $\phi_k$ are the mean and standard deviation of the k-th Gaussian mode. For each value $c_{i,j}$ in each column $C_i$, compute the probability that it belongs to each of the N Gaussian modes
Figure GDA0003331518820000062
Figure GDA0003331518820000063
Select the Gaussian mode with the highest probability for standardization, as shown in formula (3). The resulting $\alpha_{i,j}$, together with the one-Hot encoding of the Gaussian mode used, replaces the original value, which is expressed as:
Figure GDA0003331518820000064
where
Figure GDA0003331518820000065
denotes concatenation of the vectors before and after it.
Figure GDA0003331518820000066
The preprocessed data set is denoted R, and each row $r_j$ of the final data set R is expressed as the concatenation of the values with the one-Hot codes:
Figure GDA0003331518820000067
where $N_c$ is the number of columns of data set C. The process is shown in Fig. 2.
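The mode-specific standardization of Step 1.4, as an added example (not code from the patent): each value is assigned to its most probable Gaussian mode, scaled as (c − μ_k)/(4φ_k), emitted with that mode's one-Hot code, and concatenated with the label code to form a row. The mixture parameters, sample values and function names are constructed; clipping to [-1, 1] and the inverse transform are assumptions added for completeness.

```python
import math

# Constructed mixture for one numeric column (for example, Interest packets
# received per 3 s period). Each mode is (weight pi_k, mean mu_k, std phi_k);
# in the method these come from fitting a variational Gaussian mixture model.
MODES = [
    (0.70, 40.0, 8.0),      # quiet traffic
    (0.25, 400.0, 60.0),    # busy traffic
    (0.05, 2500.0, 300.0),  # bursts
]


def mode_probabilities(c, modes):
    """Posterior probability that value c belongs to each Gaussian mode.

    Works in log space so that a value far from every mode (an outlier
    during a flood) does not underflow all densities to zero.
    """
    logs = [
        math.log(pi) - math.log(phi) - 0.5 * ((c - mu) / phi) ** 2
        for pi, mu, phi in modes
    ]
    top = max(logs)
    weights = [math.exp(v - top) for v in logs]
    total = sum(weights)
    return [w / total for w in weights]


def encode_value(c, modes):
    """Return (alpha, beta): scaled value and one-Hot code of the chosen mode."""
    probs = mode_probabilities(c, modes)
    k = max(range(len(modes)), key=lambda i: probs[i])
    _, mu, phi = modes[k]
    alpha = (c - mu) / (4.0 * phi)
    # Assumption: clip so that outliers stay inside the [-1, 1] range that a
    # tanh output layer can reproduce.
    alpha = max(-1.0, min(1.0, alpha))
    beta = [1.0 if i == k else 0.0 for i in range(len(modes))]
    return alpha, beta


def encode_row(values, column_modes, label_onehot):
    """Concatenate (alpha, beta) of every column, then the label code d_j."""
    row = []
    for c, modes in zip(values, column_modes):
        alpha, beta = encode_value(c, modes)
        row.append(alpha)
        row.extend(beta)
    row.extend(label_onehot)
    return row


def decode_value(alpha, beta, modes):
    """Inverse transform, needed to turn generated rows back into statistics."""
    k = max(range(len(beta)), key=lambda i: beta[i])
    _, mu, phi = modes[k]
    return alpha * 4.0 * phi + mu


if __name__ == "__main__":
    ifa_label = [0.0, 0.0, 1.0]  # one-Hot over (normal, CPA, IFA)
    print(encode_row([48.0, 460.0], [MODES, MODES], ifa_label))
    print(encode_value(1_000_000.0, MODES))  # outlier: clipped, burst mode
```

Because the mode code travels with the scaled value, two very different raw counts can share the same alpha and still decode to their own magnitudes.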
Step 2, perform data augmentation with a GAN-based method, increasing the number of malicious samples in the data samples.
Step 2.1, generate the specified random initial vector from random noise $z \sim \mathcal{N}(0, 1)$
Figure GDA0003331518820000068
and give an initial classification d as input to the GAN generator, where $N_z$ is the dimension of the vector, a model hyper-parameter set at training time, and d is the one-Hot code of an attack class, set according to the proportion of each class in the samples (normal, CPA attack and IFA attack are in the ratio 8:1:1). The output of the GAN generator is
Figure GDA0003331518820000069
Step 2.2, sample the preprocessed real samples R using a logarithmic-frequency method: the probability of sampling a normal traffic sample is the logarithm of the frequency with which normal traffic samples occur, and the probability of sampling the other sample types is 1 minus the probability of sampling a normal sample. The sampled samples, together with the output of the GAN generator, are the input of the discriminator.
Step 2.3, use the PacMan discriminator network structure, which makes each decision on 8 original or generated samples of the same class. The discriminator network D and the generator network G are trained alternately using Adam optimizers with a cross-entropy loss function until a preset value is reached. The loss function is defined in formula (4):
Figure GDA00033315188200000610
Step 2.4, generate sample data of the specified attack type using the generator model; the generated data set is denoted $T_{syn}$. Finally, the conditional generator G(z, d) is expressed as:
Figure GDA0003331518820000071
The discriminator $D(r_1, \dots, r_8, d_1, \dots, d_8)$ can be expressed as:
Figure GDA0003331518820000072
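Step 2.2's logarithmic-frequency sampling, as an added example (not code from the patent), showing how it raises the share of attack rows the discriminator sees from 20% to about 61%. The class counts follow from the page's 33000 samples at 8:1:1; normalizing the log-counts to sum to 1, the +1 inside the logarithm, the function names and the placeholder rows are assumptions.

```python
import math
import random

# Class counts from the page: 33000 samples at a normal:CPA:IFA ratio of 8:1:1.
COUNTS = {"normal": 26400, "CPA": 3300, "IFA": 3300}
CLASSES = list(COUNTS)


def log_frequency_probs(counts):
    """Sampling probability per class, proportional to log(1 + count).

    Assumption: log-counts are normalized to sum to 1, and 1 is added
    before the logarithm so that an empty class gets probability 0.
    """
    logs = {name: math.log1p(n) for name, n in counts.items()}
    total = sum(logs.values())
    if total == 0.0:
        raise ValueError("no samples in any class")
    return {name: v / total for name, v in logs.items()}


def one_hot(name):
    """Class code d over (normal, CPA, IFA)."""
    return [1.0 if c == name else 0.0 for c in CLASSES]


def sample_real_batch(rows_by_class, probs, batch_size, rng):
    """Draw (row, d) pairs of real samples for the discriminator."""
    names = [n for n in CLASSES if rows_by_class.get(n)]
    weights = [probs[n] for n in names]
    batch = []
    for name in rng.choices(names, weights=weights, k=batch_size):
        batch.append((rng.choice(rows_by_class[name]), one_hot(name)))
    return batch


def generator_input(d, n_z, rng):
    """z ~ N(0, 1) of dimension n_z, concatenated with the class code d."""
    return [rng.gauss(0.0, 1.0) for _ in range(n_z)] + list(d)


def class_share(batch):
    """Fraction of a batch per class, read back from the one-Hot codes."""
    share = {n: 0 for n in CLASSES}
    for _, d in batch:
        share[CLASSES[d.index(1.0)]] += 1
    return {n: c / len(batch) for n, c in share.items()}


if __name__ == "__main__":
    rng = random.Random(7)
    probs = log_frequency_probs(COUNTS)
    # Placeholder rows: only the class of each row matters for this demo.
    rows = {n: [(n, i) for i in range(5)] for n in CLASSES}
    print(probs)
    print(class_share(sample_real_batch(rows, probs, 10000, rng)))
    print(generator_input(one_hot("IFA"), 4, rng))
```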
Step 3, train a deep neural network classifier on the augmented data set.
Step 3.1, merge the generated sample data with the sample data preprocessed in step 1 and use the result as the input for training a 5-layer deep neural network classifier. The hidden layers use the ReLU activation function and the output layer uses the SoftMax function.
Step 3.2, train with the Adam optimizer on the augmented data set to obtain the final neural network classifier model; the loss function is the mean squared error.
Step 4, the classifier monitors the routers' traffic statistics to determine the type of malicious intrusion, and the node where the intrusion occurred is quickly located from the routing node name and sampling time in the traffic information.
The above detailed description is intended to illustrate the objects, aspects and advantages of the present invention, and it should be understood that the above detailed description is only exemplary of the present invention and is not intended to limit the scope of the present invention, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (3)

1. A Named Data Networking (NDN) intrusion detection method based on a Generative Adversarial Network (GAN), the method comprising the steps of:
step 1, preprocessing statistical information acquired from routing nodes of an NDN network: first, acquiring from each NDN router the traffic statistics of the node over a statistical period, together with the routing node's cached data (CS), Pending Interest Table (PIT) and target Information Table (FIT), wherein the statistical information includes: routing node name, statistics time, number of links between the router and other routers, average time for an Interest packet to receive its corresponding content packet, number of Interest packets received, number of data packets received, average size of received data packets, number of Interest packets sent, number of data packets sent, average size of sent data packets, number of satisfied Interest packets, number of cache hits, average cache persistence time, current length of the cached-data queue, number of PIT entries updated, current number of PIT entries, number of PIT entries deleted on timeout, and current number of target information table entries, 18 features in total, each with a different distribution; then, according to the attack implementation time, dividing the obtained traffic samples into normal, CPA attack and IFA attack by sampling time and routing node name; then processing the obtained classified traffic statistics according to defined rules and performing one-Hot encoding on the classification label; and finally standardizing the numerical features of the obtained samples using a variational Gaussian mixture model;
step 2, performing data augmentation with a GAN-based method to increase the number of malicious samples in the data samples: first, generating from random noise $z \sim \mathcal{N}(0, 1)$ an $N_z$-dimensional random initial vector
Figure FDA0003331518810000011
setting the one-Hot code d representing the attack class of the vector according to the proportion of each class in the samples, and taking the initial sample z and the class d as the input of the GAN generator G(z, d); sampling the real samples using a logarithmic-frequency method, and taking the sampled real attack samples and the output of the GAN generator as the input of a discriminator; alternately training the discriminator network and the generator network with a cross-entropy loss function until a preset value is reached; and finally generating sample data of a specified attack type using the generator model;
step 3, training the deep neural network classifier on the augmented data set: first, taking the generated sample data and the original sample data as the input of the neural network classifier and training the classifier; then training with an Adam optimizer to obtain a neural network classifier model;
step 4, monitoring the routers' traffic statistics with the classifier to determine the type of malicious intrusion, and quickly locating the node where the intrusion occurred from the routing node name and sampling time in the traffic information.
2. The GAN-based NDN network intrusion detection method according to claim 1, wherein the 18 NDN routing node sample features in step 1 are preprocessed using a variational Gaussian mixture model:
Figure FDA0003331518810000021
wherein $r_j$ is the processed result of the j-th data item; $\alpha_{i,j}$ is the Gaussian-standardized value of the i-th feature in the j-th data item, computed as follows: first, for each feature column $C_i$, estimate the number N of Gaussian modes of that feature column using a variational Gaussian mixture model and one-Hot encode the N modes; then, for a specific value $c_{i,j}$ in the feature column, within the Gaussian mode with the highest probability
Figure FDA0003331518810000022
perform the standardization $\alpha_{i,j} = (c_{i,j} - \mu_k)/(4 \times \phi_k)$; $\beta_{i,j}$ is the one-Hot encoding of the Gaussian mode corresponding to $\alpha_{i,j}$, an N-dimensional vector; $N_c$ is 18, the number of features; $d_j$ is the one-Hot encoding of the label value of the data item;
Figure FDA0003331518810000023
denotes concatenation of the vectors before and after it.
3. The GAN-based NDN network intrusion detection method according to claim 1, wherein the GAN generator network G(z, d) in the GAN-based data augmentation method of step 2 is defined specifically as follows:
Figure FDA0003331518810000024
wherein the generator network has input (z, d) and output
Figure FDA0003331518810000025
z is the random initial vector and d is the one-Hot encoding of the sample class.
Figure FDA0003331518810000026
is the input layer,
Figure FDA0003331518810000027
denotes concatenation of the vectors before and after it; the network has two hidden layers of 256 neurons each, with Batch Normalization (BN) applied to the hidden layers and the Rectified Linear Unit (ReLU) as the activation function; the input vector and output vector of each hidden layer are concatenated as the input of the next layer; the output layer of the generator network is
Figure FDA0003331518810000028
and
Figure FDA0003331518810000029
Figure FDA00033315188100000210
is the standardized value of the i-th feature, obtained using the hyperbolic tangent function tanh,
Figure FDA00033315188100000211
is the one-Hot encoding of the Gaussian mode, categorical data output by Gumbel-Softmax; wherein FC means fully connected, and $d_i$ is the number of Gaussian modes of the i-th feature.
CN202011089853.9A 2020-10-13 2020-10-13 NDN network intrusion detection method based on GAN Active CN112235288B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011089853.9A CN112235288B (en) 2020-10-13 2020-10-13 NDN network intrusion detection method based on GAN


Publications (2)

Publication Number Publication Date
CN112235288A CN112235288A (en) 2021-01-15
CN112235288B true CN112235288B (en) 2022-05-17

Family

ID=74112418

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011089853.9A Active CN112235288B (en) 2020-10-13 2020-10-13 NDN network intrusion detection method based on GAN

Country Status (1)

Country Link
CN (1) CN112235288B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112884121A (en) * 2021-02-05 2021-06-01 武汉纺织大学 Traffic identification method based on generation of confrontation deep convolutional network
CN113283476B (en) * 2021-04-27 2023-10-10 广东工业大学 Internet of things network intrusion detection method
CN113810385B (en) * 2021-08-26 2023-02-14 浙江工业大学 Network malicious flow detection and defense method for self-adaptive interference
CN113922985B (en) * 2021-09-03 2023-10-31 西南科技大学 Network intrusion detection method and system based on ensemble learning
CN114399029A (en) * 2022-01-14 2022-04-26 国网河北省电力有限公司电力科学研究院 Malicious traffic detection method based on GAN sample enhancement
CN115392453A (en) * 2022-08-18 2022-11-25 湖南工商大学 Data enhancement model training method, data enhancement method and related equipment

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20120136507A (en) * 2011-06-09 2012-12-20 삼성전자주식회사 Node apparatus and method that prevent overflow of pending interest table in network system of name base
US10097566B1 (en) * 2015-07-31 2018-10-09 Amazon Technologies, Inc. Identifying targets of network attacks
CN106131844B (en) * 2016-07-21 2019-08-27 江苏大学 The defence method of malicious requests interest packet attack in a kind of NDN
US10819724B2 (en) * 2017-04-03 2020-10-27 Royal Bank Of Canada Systems and methods for cyberbot network detection
CN108429761B (en) * 2018-04-10 2020-06-16 北京交通大学 DDoS attack detection and defense method for resource adaptation analysis server in intelligent cooperative network
CN110012019A (en) * 2019-04-11 2019-07-12 鸿秦(北京)科技有限公司 A kind of network inbreak detection method and device based on confrontation model
CN110113353B (en) * 2019-05-20 2021-06-22 桂林电子科技大学 Intrusion detection method based on CVAE-GAN
CN110808945B (en) * 2019-09-11 2020-07-28 浙江大学 Network intrusion detection method in small sample scene based on meta-learning
CN111327611B (en) * 2020-02-17 2022-04-05 辽宁大学 Security protection method for multiple attacks in named data network
CN111447212A (en) * 2020-03-24 2020-07-24 哈尔滨工程大学 Method for generating and detecting APT (advanced persistent threat) attack sequence based on GAN (generic antigen network)

Also Published As

Publication number Publication date
CN112235288A (en) 2021-01-15

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant