CN113395280A - Anti-confusion network intrusion detection method based on generation of countermeasure network - Google Patents


Publication number
CN113395280A
Authority
CN
China
Prior art keywords
attack
intrusion detection
instance
examples
network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110655888.2A
Other languages
Chinese (zh)
Other versions
CN113395280B (en
Inventor
何俊鹏
李允�
肖堃
赵焕宇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangdong Weichen Information Technology Co ltd
Chengdu Weichen Information Technology Co ltd
Original Assignee
Guangdong Weichen Information Technology Co ltd
Chengdu Weichen Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangdong Weichen Information Technology Co ltd, Chengdu Weichen Information Technology Co ltd filed Critical Guangdong Weichen Information Technology Co ltd
Priority to CN202110655888.2A priority Critical patent/CN113395280B/en
Publication of CN113395280A publication Critical patent/CN113395280A/en
Application granted granted Critical
Publication of CN113395280B publication Critical patent/CN113395280B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Artificial Intelligence (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Evolutionary Computation (AREA)
  • Molecular Biology (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • Biophysics (AREA)
  • Computational Linguistics (AREA)
  • General Health & Medical Sciences (AREA)
  • Mathematical Physics (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Evolutionary Biology (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Computer Hardware Design (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an anti-confusion network intrusion detection method based on a generative adversarial network (GAN). The method comprises: collecting a number of normal instances and attack instances; training the GAN with the attack instances; determining, according to the actual situation, the target intrusion detection system whose anti-confusion capability is to be improved, and configuring and training an intrusion detection model for that target system; jointly training the generator of the GAN and the intrusion detection model with the attack instances so as to deceive the target intrusion detection system; and jointly training the generator and the intrusion detection model again with the normal instances and the attack instances so as to surpass the target intrusion detection system. Based on attack instances generated by the GAN, the invention uses an intrusion detection model to imitate, deceive and surpass the target intrusion detection system, thereby improving the anti-confusion performance of network intrusion detection.

Description

Anti-confusion network intrusion detection method based on generation of countermeasure network
Technical Field
The invention belongs to the technical field of network intrusion detection, and particularly relates to an anti-confusion network intrusion detection method based on a generative adversarial network.
Background
An intrusion detection system is a crucial link in network security; it is a tool configured at a router to inspect network traffic. Intrusion detection systems are divided into network intrusion detection systems and host intrusion detection systems. A network intrusion detection system identifies malicious attacks within large volumes of network traffic, while a host intrusion detection system uses the relevant system call logs to judge whether malicious behaviors and operations exist, and thereby detects threats to the system. With the continuous development of computer technology in recent years, computing performance and storage capacity have kept improving, and many intrusion detection systems based on machine learning and deep learning models have come into wide use. These intrusion detection systems, built on gradient-descent models, can be trained on existing data sets and can then be used to judge network traffic or system log operations they have not seen before. Such detection models tend to have high accuracy and practicality.
In recent years, however, malware has been able to attack a target intrusion detection system by using a generative adversarial network or some other method to generate adversarial instances. An adversarial attack instance is produced by making appropriate modifications to an original attack instance, with the modifications aimed at misleading the target intrusion detection system. These adversarial instances already threaten the servers and clients of many enterprises. To resist such attack instances, more powerful intrusion detection systems need to be deployed.
The generative adversarial network (GAN), a game-based deep learning model for generating instances, is a new framework proposed in 2015 by Google researcher Ian Goodfellow and his team. Fig. 1 is a block diagram of a generative adversarial network. As shown in fig. 1, a GAN consists of two network models, a generator and a discriminator: the purpose of the generator is to generate instances that bypass the discriminator, and the purpose of the discriminator is to distinguish these generated instances from the real data set. The two networks compete with each other continuously during the training phase. After training is finished, relatively realistic samples that have not been seen before can be generated.
Current intrusion detection systems often fail to identify adversarial attacks that specifically look for model weaknesses. Hackers use various means, such as neighbor search and combinatorial optimization, to generate adversarial instances. The advent of the GAN makes it possible to generate adversarial instances quickly and in large quantities, further deepening the crisis facing conventional intrusion detection systems. On the other hand, because large numbers of adversarial instances can be generated rapidly, the generated instances can also be used to continuously strengthen an intrusion detection system. In the current literature on GAN applications in intrusion detection, the related work pursues mainly the following four goals:
Attacking a system by producing adversarial instances that bypass the intrusion detection system configured for that system
Assisting in the construction of an intrusion detection system
Data set generation
Solving problems in unbalanced data sets
There are still many deficiencies in the first area, namely the development of enhanced intrusion detection systems using GANs. The generated instances may lack effectiveness, the framework may be difficult to train, and the training objective of the discriminator may be set unreasonably. In addition, there is no effective means of evaluating the adversarial instances generated by a GAN to verify their validity and the plausibility of their distribution.
Disclosure of Invention
The invention aims to overcome the deficiencies of the prior art and to provide an anti-confusion network intrusion detection method based on a generative adversarial network.
To achieve the above object, the invention provides an anti-confusion network intrusion detection method based on a generative adversarial network, comprising the following steps:
S1: collect a number of normal instances to form a normal instance set $X_n$, and collect a number of attack instances to form an attack instance set $X_a$; after determining the attack type to be detected, divide the features of each instance into functional features and non-functional features, where functional features are features closely tied to the basic function of the instance, whose modification would destroy the validity of the instance, and non-functional features are features that do not affect the basic function of the instance;
S2: set up a deep neural network; form the non-functional features of each normal instance into the non-functional feature vector of that normal instance, and the non-functional features of each attack instance into the non-functional feature vector of that attack instance; train the deep neural network with the non-functional feature vector of an instance as its input and the label indicating whether the instance is normal as its output; then delete the last layer of the trained deep neural network and use the remaining network as the feature extractor;
S3: train the generative adversarial network with the attack instances, specifically as follows:
for each attack instance in the attack instance set $X_a$, form its non-functional features into a non-functional feature vector and input the vector into the feature extractor for feature extraction; concatenate the extracted features with randomly generated Gaussian noise and use the result as the input of the generator G of the generative adversarial network; the generator G processes the input to obtain generated non-functional features, which are combined with the functional features of the corresponding attack instance to obtain a generated instance; input the generated instance and the corresponding original attack instance into the discriminator D for discrimination, and update the parameters of the generator and the discriminator based on the discrimination results;
S4: determine, according to the actual situation, the target intrusion detection system T whose anti-confusion performance is to be improved, and configure an intrusion detection model C for the target intrusion detection system T;
train the intrusion detection model C using the instances in the union of the normal instance set $X_n$ and the attack instance set $X_a$ collected in step S1 as training samples, with maximizing the training objective function value as the goal, where the training objective function value is calculated by the following formula:
Figure BDA0003112741870000031
wherein $\theta_C$ denotes the parameters of the intrusion detection model C, $n_C$ denotes the batch size used when training the intrusion detection model C, $x'_{i'}$ denotes the $i'$-th instance in the batch, $T(x'_{i'})$ denotes the detection score of the target intrusion detection system T for instance $x'_{i'}$, and $C(x'_{i'})$ denotes the detection score of the intrusion detection model C for instance $x'_{i'}$; detection scores take values in $[0,1]$, where a smaller value means closer to a normal instance and a larger value means closer to an attack instance;
S5: jointly train the generator G of the generative adversarial network and the intrusion detection model C, with the following specific steps:
S5.1: set the iteration number t = 1;
S5.2: create an adversarial attack instance set
Figure BDA0003112741870000032
randomly select a group of instances from the attack instance set $X_a$ to form an attack instance subset; input the non-functional features of each attack instance in the subset into the feature extractor for feature extraction, combine the extracted features with randomly generated Gaussian noise, and use the result as the input of the generator of the generative adversarial network; the generator processes the input to obtain generated non-functional features, which are combined with the functional features of the corresponding attack instance to obtain a generated instance; input the generated instance into the discriminator for discrimination; if the discrimination result is a real attack instance, add the generated instance to the adversarial attack instance set H and record its discrimination score, otherwise discard the generated instance;
S5.3: set the internal iteration number s = 1;
S5.4: randomly select a group of instances from the adversarial attack instance set H to form an adversarial attack instance subset h, and input each adversarial attack instance in h into the target intrusion detection system T and the intrusion detection model C for detection;
S5.5: calculate the objective function value of the intrusion detection model C with the following formula, and update the parameters of the intrusion detection model C with maximizing the training objective function value as the goal:
Figure BDA0003112741870000041
wherein $n_h$ denotes the number of adversarial attack instances in the subset h, $x''_{i''}$ denotes the $i''$-th instance in h, $T(x''_{i''})$ denotes the detection score of the target intrusion detection system T for the adversarial attack instance $x''_{i''}$, and $C(x''_{i''})$ denotes the detection score of the intrusion detection model C for the adversarial attack instance $x''_{i''}$;
S5.6: calculate the objective function value of the generator G with the following formula, and update the parameters of the generator G with maximizing the training objective function value as the goal:
Figure BDA0003112741870000042
wherein $D(x''_{i''})$ denotes the discrimination score of the discriminator D for the adversarial attack instance $x''_{i''}$;
S5.7: judge whether the internal iteration number $s < s_{max}$, where $s_{max}$ denotes the preset maximum number of internal iterations; if so, go to step S5.8, otherwise go to step S5.9;
S5.8: let s = s + 1 and return to step S5.4;
S5.9: judge whether the iteration number $t < t_{max}$, where $t_{max}$ denotes the preset maximum number of internal iterations; if so, go to step S5.10, otherwise the training ends;
S5.10: let t = t + 1 and return to step S5.2;
S6: jointly train the generator G and the intrusion detection model C again, with the following specific steps:
S5.1: set the iteration number t' = 1;
S5.2: create an adversarial attack instance set
Figure BDA0003112741870000043
randomly select a group of instances from the attack instance set $X_a$ to form an attack instance subset; input the non-functional features of each attack instance in the subset into the feature extractor for feature extraction, combine the extracted features with randomly generated Gaussian noise, and use the result as the input of the generator of the generative adversarial network; the generator processes the input to obtain generated non-functional features, which are combined with the functional features of the corresponding attack instance to obtain a generated instance; input the generated instance into the discriminator for discrimination; if the discrimination result is a real attack instance, add the generated instance to the adversarial attack instance set H', otherwise discard the generated instance;
S5.3: merge the normal instance set $X_n$, the attack instance set $X_a$ and the adversarial attack instance set H' to obtain an instance set X, and label each instance in X according to whether it is a normal instance;
S5.4: set the internal iteration number s' = 1;
S5.5: randomly select a group of instances from the instance set X to form an instance set [Figure BDA0003112741870000051], and input the instance set [Figure BDA0003112741870000052] into the intrusion detection model C for detection and into the discriminator of the generative adversarial network for discrimination;
S5.6: calculate the objective function value of the intrusion detection model C with the following formula, and update the parameters of the intrusion detection model C with maximizing the training objective function value as the goal:
Figure BDA0003112741870000053
wherein [Figure BDA0003112741870000054] denotes the number of instances in the instance set [Figure BDA0003112741870000055], [Figure BDA0003112741870000056] denotes, in the instance set [Figure BDA0003112741870000057], the instance with index [Figure BDA0003112741870000058], [Figure BDA0003112741870000059] denotes the true label of the instance [Figure BDA00031127418700000510], and [Figure BDA00031127418700000511] denotes the detection score of the intrusion detection model C for the instance [Figure BDA00031127418700000512];
S5.7: calculate the objective function value of the generator G with the following formula, and update the parameters of the generator G with maximizing the training objective function value as the goal:
Figure BDA00031127418700000513
wherein [Figure BDA00031127418700000514] denotes the discrimination score of the discriminator D for the instance [Figure BDA00031127418700000515];
S5.8: judge whether the internal iteration number $s' < s'_{max}$, where $s'_{max}$ denotes the preset maximum number of internal iterations; if so, go to step S5.9, otherwise go to step S5.10;
S5.9: let s' = s' + 1 and return to step S5.4;
S5.10: judge whether the iteration number $t' < t'_{max}$, where $t'_{max}$ denotes the preset maximum number of iterations; if so, go to step S5.11, otherwise the training ends;
S5.11: let t = t + 1 and return to step S5.2;
S7: when intrusion detection is to be performed on the network, divide the data packets according to the instance size and input them into the intrusion detection model C for detection.
The invention discloses an anti-confusion network intrusion detection method based on a generative adversarial network. The method collects a number of normal instances and attack instances, trains the generative adversarial network with the attack instances, determines according to the actual situation the target intrusion detection system whose anti-confusion capability is to be improved, and configures and trains an intrusion detection model for that target system. It then jointly trains the generator of the generative adversarial network and the intrusion detection model with the attack instances so as to deceive the target intrusion detection system, and jointly trains the generator and the intrusion detection model again with the normal instances and the attack instances so as to surpass the target intrusion detection system. Based on attack instances generated by the generative adversarial network, the invention uses an intrusion detection model to imitate, deceive and surpass the target intrusion detection system, thereby improving the anti-confusion performance of network intrusion detection.
Drawings
FIG. 1 is a block diagram of a generative adversarial network;
FIG. 2 is a flowchart of an embodiment of the anti-confusion network intrusion detection method based on a generative adversarial network according to the invention;
FIG. 3 is a schematic diagram of the generative adversarial network training in the invention;
FIG. 4 is a flowchart of the joint training of the generator and the intrusion detection model in the invention;
FIG. 5 is a flowchart of the second joint training of the generator and the intrusion detection model in the invention;
FIG. 6 is a statistical chart of the detection rates for DDoS attacks after 4 types of target intrusion detection models are processed by the invention;
FIG. 7 is a graph of FID value versus iteration number for 4 examples of the generator training process of the invention.
Detailed Description
The following describes embodiments of the invention with reference to the accompanying drawings so that those skilled in the art can better understand the invention. Note that in the following description, detailed descriptions of known functions and designs are omitted where they would obscure the subject matter of the invention.
Examples
Fig. 2 is a flowchart of an embodiment of the anti-confusion network intrusion detection method based on a generative adversarial network. As shown in fig. 2, the specific steps of the method include:
S201: instance collection:
Collect a number of normal instances to form a normal instance set $X_n$, and collect a number of attack instances to form an attack instance set $X_a$. After determining the attack type to be detected, divide the features of each instance into functional features and non-functional features. Functional features are features closely tied to the basic function of an instance; modifying them would destroy the validity of the instance. Such features are often strongly tied to the attack type to be detected, so they cannot be modified. Non-functional features are features that do not affect the basic function of an instance (e.g., configurable parameters) and can be modified without affecting that function. Take the CICIDS2017 network traffic data set as an example: each instance in the CICIDS2017 data set has 78 features. When detecting a DoS attack, features such as Flow Duration and Packet Length Std are closely tied to the basic function of an instance, and modifying them directly affects the judgment of whether the instance is a DoS attack. These features therefore cannot be modified during training and are functional features. A feature such as Destination Port has no bearing on whether the instance is a DoS attack, and modifying it during training does not affect the judgment of the instance, so it is a non-functional feature.
S202: training the feature extractor:
Set up a deep neural network; form the non-functional features of each normal instance into the non-functional feature vector of that normal instance, and the non-functional features of each attack instance into the non-functional feature vector of that attack instance. Train the deep neural network with the non-functional feature vector of an instance as its input and the label indicating whether the instance is normal as its output, then delete the last layer of the trained deep neural network and use the remaining network as the feature extractor.
S203: training the generative adversarial network:
The generative adversarial network is trained with the attack instances. Fig. 3 is a schematic diagram of the generative adversarial network training in the invention. As shown in fig. 3, the specific training method is as follows:
For each attack instance in the attack instance set $X_a$, form its non-functional features into a non-functional feature vector and input the vector into the feature extractor for feature extraction. Concatenate the extracted features with randomly generated Gaussian noise and use the result as the input of the generator G of the generative adversarial network. The generator G processes the input to obtain generated non-functional features, which are combined with the functional features of the corresponding attack instance to obtain a generated instance. Input the generated instance and the corresponding original attack instance into the discriminator D for discrimination, and update the parameters of the generator and the discriminator based on the discrimination results.
As in a conventional generative adversarial network, the generator and the discriminator are trained separately and alternately in this step, where the training objective function value of the generator is calculated as follows:
Figure BDA0003112741870000081
wherein $\theta_G$ denotes the network parameters of the generator G, n denotes the batch size, [Figure BDA0003112741870000082] denotes the i-th generated instance in the batch, and [Figure BDA0003112741870000083] denotes the discrimination score of the discriminator D for the generated instance [Figure BDA0003112741870000084]. The generator is trained with maximizing the training objective function value as the goal.
The training objective function value of the corresponding discriminator is calculated as follows:
Figure BDA0003112741870000085
wherein $\theta_D$ denotes the network parameters of the discriminator D, $x_i$ denotes the original attack instance corresponding to the generated instance [Figure BDA0003112741870000086], and $D(x_i)$ denotes the discrimination score of the discriminator D for the original attack instance $x_i$. The discriminator is trained with maximizing the training objective function value as the goal.
S204: training the intrusion detection model:
Determine, according to the actual situation, the target intrusion detection system T whose anti-confusion performance is to be improved, and configure an intrusion detection model C for the target intrusion detection system T. The structure of the intrusion detection model C may be the same as that of the target intrusion detection system T, or another structure may be adopted, as determined by actual needs.
To give the intrusion detection model C a basic detection capability on the original network data, the intrusion detection model C must first be trained so that its detection results are as consistent as possible with those of the target intrusion detection system T. The intrusion detection model C is trained using the instances in the union of the normal instance set $X_n$ and the attack instance set $X_a$ collected in step S201 as training samples, with maximizing the training objective function value as the goal, where the training objective function value is calculated as follows:
Figure BDA0003112741870000087
wherein $\theta_C$ denotes the parameters of the intrusion detection model C, $n_C$ denotes the batch size used when training the intrusion detection model C, $x'_{i'}$ denotes the $i'$-th instance in the batch, $T(x'_{i'})$ denotes the detection score of the target intrusion detection system T for instance $x'_{i'}$, and $C(x'_{i'})$ denotes the detection score of the intrusion detection model C for instance $x'_{i'}$. Detection scores take values in $[0,1]$, where a smaller value means closer to a normal instance and a larger value means closer to an attack instance.
S205: deceiving the target intrusion detection system:
Before the anti-confusion capability is improved, the generator of the generative adversarial network is first used to generate adversarial instances capable of bypassing the target intrusion detection system T. To improve the generator's ability to generate adversarial instances, so that it produces enough confusing adversarial attack instances, the generator G of the generative adversarial network and the intrusion detection model C need to be further jointly trained. FIG. 4 is a flowchart of the joint training of the generator G and the intrusion detection model C in the invention. As shown in fig. 4, the specific steps of the joint training of the generator G and the intrusion detection model C include:
S401: set the iteration number t = 1.
S402: generating adversarial attack instances:
Create an adversarial attack instance set
Figure BDA0003112741870000091
Randomly selecting a group of examples from an attack example set X _ a to form an attack example subset, inputting the non-functional characteristics of each attack example in the attack example subset into a characteristic extractor for characteristic extraction, combining the obtained characteristics with randomly generated Gaussian noise, using the combined characteristics as the input of a generator in a generation countermeasure network, processing the input by the generator to obtain generated non-functional characteristics, then combining the generated non-functional characteristics with the functional characteristics of the corresponding attack example to obtain a generated example, inputting the generated example into a discriminator for discrimination, adding the generated example into a countermeasure attack example set H if the discrimination result is a real attack example, recording the discrimination score of the countermeasure attack example, and otherwise discarding the generated example.
S403: Let the internal iteration number s = 1.
S404: Detect adversarial attack instances:
Randomly select a group of instances from the adversarial attack instance set H to form an adversarial attack instance set h, and input each adversarial attack instance in h into both the target intrusion detection system T and the intrusion detection model C for detection.
S405: Update the parameters of the intrusion detection model:
Calculate the objective function value of the intrusion detection model C with the following formula, and update the parameters of the intrusion detection model C with the goal of maximizing the objective function value:
Figure BDA0003112741870000092
where $n_h$ denotes the number of adversarial attack instances in the adversarial attack instance set $h$, $x''_{i''}$ denotes the $i''$-th instance in $h$, $T(x''_{i''})$ denotes the detection score of the target intrusion detection system T for the adversarial attack instance $x''_{i''}$, and $C(x''_{i''})$ denotes the detection score of the intrusion detection model C for $x''_{i''}$.
S406: Update the generator parameters:
Calculate the objective function value of the generator G with the following formula, and update the parameters of the generator G with the goal of maximizing the objective function value:
Figure BDA0003112741870000101
where $D(x''_{i''})$ denotes the discrimination score of the discriminator D for the adversarial attack instance $x''_{i''}$.
S407: Determine whether the internal iteration number $s < s_{max}$, where $s_{max}$ denotes the preset maximum number of internal iterations; if so, go to step S408, otherwise go to step S409.
S408: Let s = s + 1 and return to step S404.
S409: Determine whether the iteration number $t < t_{max}$, where $t_{max}$ denotes the preset maximum internal iteration number; if so, go to step S410, otherwise the training ends.
S410: Let t = t + 1 and return to step S402.
S206: Surpass the target intrusion detection system:
The goal is for the identification capability of the intrusion detection model C to exceed that of the original target intrusion detection system T, so that C can identify adversarial attack instances that T cannot detect, which strengthens the anti-confusion capability of C. The generator G of the generative adversarial network and the intrusion detection model C therefore need to be jointly trained again. FIG. 5 is a flow chart of this second joint training of the generator and the intrusion detection model. As shown in FIG. 5, the second joint training of the generator G and the intrusion detection model C comprises the following steps:
S501: Let the iteration number t' = 1.
S502: Generate adversarial attack instances:
Create an adversarial attack instance set
Figure BDA0003112741870000102
Randomly select a group of instances from the attack instance set X_a to form an attack instance subset. Input the non-functional features of each attack instance in the subset into the feature extractor, combine the extracted features with randomly generated Gaussian noise, and use the combined features as the input of the generator of the generative adversarial network. The generator processes this input to produce generated non-functional features, which are then combined with the functional features of the corresponding attack instance to obtain a generated instance. Input the generated instance into the discriminator: if it is judged to be a real attack instance, add it to the adversarial attack instance set H'; otherwise discard it.
S503: Merge instances:
Merge the normal instance set X_n, the attack instance set X_a and the adversarial attack instance set H' to obtain an instance set X, and label each instance in X to indicate whether it is a normal instance: label 0 denotes a normal instance and label 1 denotes an attack instance.
S504: Let the internal iteration number s' = 1.
S505: Detect instances:
Randomly select a group of instances from the instance set X to form an instance set
Figure BDA0003112741870000111
Each instance in the instance set
Figure BDA0003112741870000112
is input into the intrusion detection model C for detection and into the discriminator of the generative adversarial network for discrimination.
S506: Update the parameters of the intrusion detection model:
Calculate the objective function value of the intrusion detection model C with the following formula, and update the parameters of the intrusion detection model C with the goal of maximizing the objective function value:
Figure BDA0003112741870000113
where
Figure BDA0003112741870000114
denotes the number of instances in the instance set
Figure BDA0003112741870000115
;
Figure BDA0003112741870000116
denotes, in the instance set
Figure BDA0003112741870000117
, the instance with index
Figure BDA0003112741870000118
;
Figure BDA0003112741870000119
denotes the true label of instance
Figure BDA00031127418700001110
; and
Figure BDA00031127418700001111
denotes the detection score of the intrusion detection model C for instance
Figure BDA00031127418700001112
.
S507: Update the generator parameters:
Calculate the objective function value of the generator G with the following formula, and update the parameters of the generator G with the goal of maximizing the objective function value:
Figure BDA00031127418700001113
where
Figure BDA00031127418700001114
denotes the discrimination score of the discriminator D for instance
Figure BDA00031127418700001115
.
S508: Determine whether the internal iteration number $s' < s'_{max}$, where $s'_{max}$ denotes the preset maximum number of internal iterations; if so, go to step S509, otherwise go to step S510.
S509: Let s' = s' + 1 and return to step S504.
S510: Determine whether the iteration number $t' < t'_{max}$, where $t'_{max}$ denotes the preset maximum number of iterations; if so, go to step S511, otherwise the training ends.
S511: Let t = t + 1 and return to step S502.
S207: Intrusion detection:
When intrusion detection is to be performed on the network, the data packets are divided according to the instance size and then input into the intrusion detection model C for detection.
In order to better illustrate the technical effect of the invention, the CICIDS2017 data set is used for experimental simulation. In the simulation, a trained target intrusion detection system based on a machine learning algorithm is attacked: DDoS adversarial examples are generated, the target intrusion detection system is deceived, and a new classifier is developed. Four types of model are used to construct the target intrusion detection system: Decision Tree (DT), AdaBoost (ADA), Random Forest (RF) and Deep Neural Network (DNN). FIG. 6 is a statistical chart of the detection rate for DDoS attacks after the 4 types of target intrusion detection model are processed by the present invention. As shown in FIG. 6, for the 4 existing machine learning models the present invention can effectively find their weaknesses and generate adversarial examples that deceive them, and can develop a new intrusion detection model that identifies these adversarial examples while still detecting the original attacks.
In addition, FID is used in the experimental simulation to evaluate the validity of the 4 attack types generated by the algorithm, namely DoS, DDoS, Brute Force and Infiltration. FID (Fréchet Inception Distance) is a metric for evaluating generative adversarial networks. The idea is as follows: feed the real samples and the generated samples separately into a classifier (such as Inception Net-V3 or another CNN), extract the abstract features of an intermediate layer of the classifier, assume that these features follow a multivariate Gaussian distribution, estimate the mean and variance of the Gaussian distributions of the generated samples and of the training samples, and compute the Fréchet distance between the two Gaussian distributions; this distance is the FID. FID is therefore used in the experimental verification to evaluate the authenticity of the generated instances. FIG. 7 plots the FID value against the number of iterations for the 4 types of instances during generator training. As shown in FIG. 7, in the experimental simulation the first 20 iterations are performed in step S203, the 20th to 25th iterations in step S406, and the 25th to 35th iterations in step S507.
The graph shows that the initial FID value of the generated instances is very high. In step S203, for the generator to deceive the discriminator, its main goal is to generate instances that are as realistic as possible, that is, to reduce the FID value, so the FID value decreases continuously during training until it stabilizes at a relatively small value. In steps S406 and S507, although the generator continues to be trained, the FID value does not change significantly and remains very low (even for the Infiltration attack, the FID value is only about 50), which may indicate that the generated instances have a certain validity.
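As an added example (not code from the patent), the FID computation described above can be written as follows. It assumes the intermediate-layer features have already been extracted; the function names are hypothetical and the feature arrays are constructed with a seeded random generator.

```python
import numpy as np


def gaussian_stats(features):
    """Fit a multivariate Gaussian to row-wise feature vectors.

    Returns (mean vector, covariance matrix). For multivariate features the
    "variance" of the text is the full covariance matrix.
    """
    feats = np.asarray(features, dtype=np.float64)
    if feats.ndim != 2 or feats.shape[0] < 2:
        raise ValueError("expected shape (n_samples >= 2, n_features)")
    mu = feats.mean(axis=0)
    sigma = np.atleast_2d(np.cov(feats, rowvar=False))
    return mu, sigma


def frechet_distance(mu1, sigma1, mu2, sigma2):
    """Squared Frechet distance between N(mu1, sigma1) and N(mu2, sigma2):

        ||mu1 - mu2||^2 + Tr(sigma1 + sigma2 - 2 * (sigma1 sigma2)^(1/2))
    """
    mu1, mu2 = np.asarray(mu1, float), np.asarray(mu2, float)
    sigma1, sigma2 = np.atleast_2d(sigma1), np.atleast_2d(sigma2)
    diff = mu1 - mu2
    # Tr((sigma1 sigma2)^(1/2)) equals the sum of the square roots of the
    # eigenvalues of sigma1 @ sigma2. For covariance matrices these are real
    # and non-negative; clip to remove tiny negative values from round-off.
    eigvals = np.linalg.eigvals(sigma1 @ sigma2)
    tr_sqrt = np.sqrt(np.clip(eigvals.real, 0.0, None)).sum()
    value = diff @ diff + np.trace(sigma1) + np.trace(sigma2) - 2.0 * tr_sqrt
    return float(max(value, 0.0))


def fid(real_features, generated_features):
    """FID between two sets of already-extracted feature vectors."""
    mu_r, sigma_r = gaussian_stats(real_features)
    mu_g, sigma_g = gaussian_stats(generated_features)
    return frechet_distance(mu_r, sigma_r, mu_g, sigma_g)


def constructed_fid_curve(seed=0, n=500, dim=8):
    """FID per training stage on constructed data (not from any data set).

    The "real" features are standard normal. Each stage stands in for a later
    point in generator training: the generated features start shifted and too
    wide, then move toward the real distribution, so the FID should fall.
    """
    rng = np.random.default_rng(seed)
    real = rng.normal(0.0, 1.0, size=(n, dim))
    curve = []
    for shift, scale in [(3.0, 2.0), (1.5, 1.5), (0.5, 1.2), (0.0, 1.0)]:
        generated = rng.normal(shift, scale, size=(n, dim))
        curve.append(fid(real, generated))
    return curve


if __name__ == "__main__":
    for stage, value in enumerate(constructed_fid_curve(), start=1):
        print(f"stage {stage}: FID = {value:.3f}")
```

A low FID only says the generated features are distributed like the real ones; it does not by itself show that a generated instance still performs its function, which is why the method keeps the functional features fixed.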
Although illustrative embodiments of the present invention have been described above to help those skilled in the art understand the invention, it should be understood that the invention is not limited to the scope of these embodiments. To those skilled in the art, various changes are apparent as long as they fall within the spirit and scope of the invention as defined by the appended claims, and all creations that make use of the inventive concept are protected.

Claims (1)

1. An anti-confusion network intrusion detection method based on a generative adversarial network, characterized by comprising the following steps:
S1: collecting a number of normal instances to form a normal instance set X_n and a number of attack instances to form an attack instance set X_a; after determining the attack type to be detected, dividing the features of each instance into functional features and non-functional features, wherein functional features are features that are closely tied to the basic function of the instance and whose modification would destroy the validity of the instance, and non-functional features are features that do not affect the basic function of the instance;
S2: setting up a deep neural network; forming the non-functional features of each normal instance into a non-functional feature vector of the normal instance, and the non-functional features of each attack instance into a non-functional feature vector of the attack instance; training the deep neural network with the non-functional feature vector of an instance as its input and the label indicating whether the instance is normal as its output; deleting the last layer of the trained deep neural network and using the remaining network as the feature extractor;
S3: training the generative adversarial network with the attack instances, specifically as follows:
for each attack instance in the attack instance set X_a, forming its non-functional features into a non-functional feature vector and inputting it into the feature extractor for feature extraction; concatenating the extracted features with randomly generated Gaussian noise and using the concatenated features as the input of the generator G of the generative adversarial network; the generator G processing the input to obtain generated non-functional features, which are combined with the functional features of the corresponding attack instance to obtain a generated instance; inputting the generated instance and the corresponding original attack instance separately into the discriminator D for discrimination, and updating the parameters of the generator and the discriminator based on the discrimination results;
S4: determining, according to the actual situation, the target intrusion detection system T whose anti-confusion performance is to be improved, and configuring an intrusion detection model C for the target intrusion detection system T;
training the intrusion detection model C on training samples from the merged set of the normal instance set X_n and the attack instance set X_a collected in step S1, with the goal of maximizing the training objective function value, which is calculated by the following formula:
Figure FDA0003112741860000011
where $\theta_C$ denotes the parameters of the intrusion detection model C, $n_C$ denotes the batch size during training of the intrusion detection model C, $x'_{i'}$ denotes the $i'$-th instance in the batch, $T(x'_{i'})$ denotes the detection score of the target intrusion detection system T for instance $x'_{i'}$, and $C(x'_{i'})$ denotes the detection score of the intrusion detection model C for instance $x'_{i'}$; detection scores take values in $[0,1]$, where a smaller score means closer to a normal instance and a larger score means closer to an attack instance;
S5: jointly training the generator G of the generative adversarial network and the intrusion detection model C, specifically comprising:
S5.1: letting the iteration number t = 1;
S5.2: creating an adversarial attack instance set
Figure FDA0003112741860000021
randomly selecting a group of instances from the attack instance set X_a to form an attack instance subset; inputting the non-functional features of each attack instance in the subset into the feature extractor for feature extraction, combining the extracted features with randomly generated Gaussian noise, and using the combined features as the input of the generator of the generative adversarial network; the generator processing the input to obtain generated non-functional features, which are then combined with the functional features of the corresponding attack instance to obtain a generated instance; inputting the generated instance into the discriminator for discrimination; if it is judged to be a real attack instance, adding it to the adversarial attack instance set H and recording its discrimination score, otherwise discarding the generated instance;
S5.3: letting the internal iteration number s = 1;
S5.4: randomly selecting a group of instances from the adversarial attack instance set H to form an adversarial attack instance set h, and inputting each adversarial attack instance in h into both the target intrusion detection system T and the intrusion detection model C for detection;
S5.5: calculating the objective function value of the intrusion detection model C with the following formula, and updating the parameters of the intrusion detection model C with the goal of maximizing the objective function value:
Figure FDA0003112741860000022
where $n_h$ denotes the number of adversarial attack instances in the adversarial attack instance set $h$, $x''_{i''}$ denotes the $i''$-th instance in $h$, $T(x''_{i''})$ denotes the detection score of the target intrusion detection system T for the adversarial attack instance $x''_{i''}$, and $C(x''_{i''})$ denotes the detection score of the intrusion detection model C for $x''_{i''}$;
S5.6: calculating the objective function value of the generator G with the following formula, and updating the parameters of the generator G with the goal of maximizing the objective function value:
Figure FDA0003112741860000023
where $D(x''_{i''})$ denotes the discrimination score of the discriminator D for the adversarial attack instance $x''_{i''}$;
S5.7: determining whether the internal iteration number $s < s_{max}$, where $s_{max}$ denotes the preset maximum number of internal iterations; if so, going to step S5.8, otherwise going to step S5.9;
S5.8: letting s = s + 1 and returning to step S5.4;
S5.9: determining whether the iteration number $t < t_{max}$, where $t_{max}$ denotes the preset maximum internal iteration number; if so, going to step S5.10, otherwise ending the training;
S5.10: letting t = t + 1 and returning to step S5.2;
S6: jointly training the generator G and the intrusion detection model C again, specifically comprising:
S5.1: letting the iteration number t' = 1;
S5.2: creating an adversarial attack instance set
Figure FDA0003112741860000031
randomly selecting a group of instances from the attack instance set X_a to form an attack instance subset; inputting the non-functional features of each attack instance in the subset into the feature extractor for feature extraction, combining the extracted features with randomly generated Gaussian noise, and using the combined features as the input of the generator of the generative adversarial network; the generator processing the input to obtain generated non-functional features, which are then combined with the functional features of the corresponding attack instance to obtain a generated instance; inputting the generated instance into the discriminator for discrimination; if it is judged to be a real attack instance, adding it to the adversarial attack instance set H', otherwise discarding the generated instance;
S5.3: merging the normal instance set X_n, the attack instance set X_a and the adversarial attack instance set H' to obtain an instance set X, and labeling each instance in X to indicate whether it is a normal instance;
S5.4: letting the internal iteration number s' = 1;
S5.5: randomly selecting a group of instances from the instance set X to form an instance set
Figure FDA0003112741860000032
inputting each instance in the instance set
Figure FDA0003112741860000033
into the intrusion detection model C for detection and into the discriminator of the generative adversarial network for discrimination;
S5.6: calculating the objective function value of the intrusion detection model C with the following formula, and updating the parameters of the intrusion detection model C with the goal of maximizing the objective function value:
Figure FDA0003112741860000034
where
Figure FDA0003112741860000035
denotes the number of instances in the instance set
Figure FDA0003112741860000036
;
Figure FDA0003112741860000037
denotes, in the instance set
Figure FDA0003112741860000038
, the instance with index
Figure FDA0003112741860000039
;
Figure FDA00031127418600000310
denotes the true label of instance
Figure FDA00031127418600000311
; and
Figure FDA00031127418600000312
denotes the detection score of the intrusion detection model C for instance
Figure FDA00031127418600000313
;
S5.7: calculating the objective function value of the generator G with the following formula, and updating the parameters of the generator G with the goal of maximizing the objective function value:
Figure FDA0003112741860000041
where
Figure FDA0003112741860000042
denotes the discrimination score of the discriminator D for instance
Figure FDA0003112741860000043
;
S5.8: determining whether the internal iteration number $s' < s'_{max}$, where $s'_{max}$ denotes the preset maximum number of internal iterations; if so, going to step S5.9, otherwise going to step S5.10;
S5.9: letting s' = s' + 1 and returning to step S5.4;
S5.10: determining whether the iteration number $t' < t'_{max}$, where $t'_{max}$ denotes the preset maximum number of iterations; if so, going to step S5.11, otherwise ending the training;
S5.11: letting t = t + 1 and returning to step S5.2;
S7: when intrusion detection is to be performed on the network, dividing the data packets according to the instance size and then inputting them into the intrusion detection model C for detection.
CN202110655888.2A 2021-06-11 2021-06-11 Anti-confusion network intrusion detection method based on generation countermeasure network Active CN113395280B (en)


Publications (2)

Publication Number Publication Date
CN113395280A (en) 2021-09-14
CN113395280B CN113395280B (en) 2022-07-26
