CN114640498A - Network intrusion cooperative detection method based on federal learning - Google Patents
Network intrusion cooperative detection method based on federal learning Download PDFInfo
- Publication number
- CN114640498A CN114640498A CN202210097210.1A CN202210097210A CN114640498A CN 114640498 A CN114640498 A CN 114640498A CN 202210097210 A CN202210097210 A CN 202210097210A CN 114640498 A CN114640498 A CN 114640498A
- Authority
- CN
- China
- Prior art keywords
- federal
- intrusion detection
- model
- local
- convolution model
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N20/00—Machine learning
- G06N20/20—Ensemble learning
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/045—Combinations of networks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/047—Probabilistic or stochastic networks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
- G06N3/084—Backpropagation, e.g. using gradient descent
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Computer Security & Cryptography (AREA)
- Mathematical Physics (AREA)
- Artificial Intelligence (AREA)
- General Physics & Mathematics (AREA)
- Data Mining & Analysis (AREA)
- Evolutionary Computation (AREA)
- Life Sciences & Earth Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Molecular Biology (AREA)
- Computational Linguistics (AREA)
- Biophysics (AREA)
- Health & Medical Sciences (AREA)
- Biomedical Technology (AREA)
- Computer Hardware Design (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Medical Informatics (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Probability & Statistics with Applications (AREA)
- Computer And Data Communications (AREA)
Abstract
A network intrusion cooperative detection method based on federal learning. The method comprises the steps that an initiator initiates a federal learning request; the coordinating party issues parameter information; each participant locally trains a federal intrusion detection convolution model; obtaining a local encryption state federal intrusion detection convolution model and uploading the model; obtaining and issuing a global federal intrusion detection convolution model; and feeding back the federal learning condition and the like. The federal intrusion detection convolution model trained by the invention is more suitable for the service requirement of the model. The federal learning task adopts a federal model increment average aggregation function, so that the federal learning efficiency can be improved. And each participant uploading model adopts an encryption state federal intrusion detection convolution model, so that the model inversion attack of the semi-honest participants on other participants can be prevented. The initiator of federal learning carries out arbitration, thereby protecting the intrusion detection library from being acquired by a coordinator, ensuring the end-to-end safety of model parameters and aiming at enhancing the robustness of the model.
Description
Technical Field
The invention belongs to the technical field of network intrusion detection, and particularly relates to a network intrusion cooperative detection method based on federal learning.
Background
In recent years, with the popularization of big data applications, networks have become one of the people-aware and people-all tools, and the explosive increase in the number of network users brings about an exponential increase in network traffic, but with the network security problem becoming more severe. As an important component of Network security, a Network Intrusion Detection System (IDS for short) has been a hotspot in research in the technical field of Network security.
The traditional network intrusion detection technology mainly takes a single-point sample training method as a main point, but in the face of the current complex and changeable network environment, the single-point training has the following problems:
(1) the number of available samples is limited: for a single mechanism for collecting malicious attack samples, the number of labeled samples which can be labeled is limited, which results in insufficient number of samples, especially the number of malicious samples, so that in practical application, an intrusion detection model is easy to generate a large amount of false alarm, thereby submerging real attack alarm.
(2) The malicious sample forms are variable: the means and the mode of the malicious attack are various, the malicious samples collected by each mechanism are different, and the model trained by only one mechanism has limitation on some types of malicious attacks and cannot be well adapted to complex real-world environments.
(3) Data islands exist between mechanisms: with the improvement of the network security method, the data of the organization cannot be randomly exported and used in plaintext, so that data islands are generated among the organizations, and how to use the data under the condition of not revealing the data becomes a very troublesome problem.
Disclosure of Invention
In order to solve the above problems, the present invention aims to provide a network intrusion cooperative detection method based on federal learning.
In order to achieve the above purpose, the federated learning-based network intrusion cooperative detection method provided by the present invention comprises the following steps that are carried out in sequence:
1) the initiator initiOrgan is used as one of N participants of the federal learning and participates in the training and arbitration of the federal intrusion detection convolution model; the other participants PartiOrgan include the first participant PartiOrgan1PartiOrgan as the N-1 th participantn-1Only participate in the training of the convolution model of the federal intrusion detection; firstly, an initiator InitiOrgan sends a request of federal learning to a coordinator, and the initiator InitiOrgan and the coordinator jointly determine parameter information related to a federal intrusion detection convolution model according to self requirements;
2) the coordinating party issues the relevant parameter information to each participating party of the local federal intrusion detection convolution model;
3) after obtaining the parameter information, each participant initializes a local federal intrusion detection convolution model according to the parameter information to obtain a local initial federal intrusion detection convolution model, and then transmits an intrusion detection library owned locally into each local initial federal intrusion detection convolution model for training to obtain an updated local federal intrusion detection convolution model;
4) after each participant completes one round of updating of the local federal intrusion detection convolution model, an encryption state submodel splitting and fusion algorithm is adopted to split the updated local federal intrusion detection convolution model into N encryption state submodels, each encryption state submodel is exchanged with other participants, and finally the encryption state submodels obtained by accumulation exchange of each participant are used as the local encryption state federal intrusion detection convolution model;
5) each participant uploads a respective local encryption state federal intrusion detection convolution model to a coordinator;
6) the coordination party carries out encryption state federal intrusion detection convolution model increment weighted average on the local encryption state federal intrusion detection convolution model uploaded by each participant to obtain a global federal intrusion detection convolution model;
7) the coordinator sends the global federal intrusion detection convolution model to each participant;
8) other participants PartiOrgan continue to train the global federal intrusion detection convolution model by using a local intrusion detection library; the initiator InitiOrgan puts the local intrusion detection library into 9: 1, training and arbitrating the global federal intrusion detection convolution model, wherein the arbitration function adopts a federal multi-label entropy loss function, and feedbacks the federal learning condition to a coordinator according to the convergence state of the arbitration function.
In step 1), the parameter information includes:
101) selecting an algorithm: an algorithm selected for federal learning;
102) the data processing method comprises the following steps: a data preprocessing method of each local intrusion detection library;
103) the privacy protection method comprises the following steps: uploading an encryption mode used by the updated federal intrusion detection convolution model;
104) the number of the participants is: the total number of participants of the federal intrusion detection convolution model training;
105) global round: training a global federal intrusion detection convolution model for the maximum round;
106) the local round is as follows: the number of times each participant has trained in a single round;
107) shared batch size: the coordinator specifies the batch size shared by all the participants;
108) the ratio of the participants: the proportion of the participants randomly selected in a single round;
109) and (3) a node updating method: updating node parameters of a federal intrusion detection convolution model;
110) shared learning rate: the learning rate of each participant specified by the coordinator is the same;
111) sharing momentum: the coordinator specifies the amount of momentum shared by the participants.
In step 3), the training method is as follows:
301) each participant carries out data preprocessing on the intrusion detection library owned locally, including standardized processing and characteristic matrix conversion into a CNN pixel matrix;
302) carrying out batch processing on the preprocessed intrusion detection libraries by using the local batch size and disordering the sequence; then the participator constructs a local initial federal intrusion detection convolution model by using a global initial federal intrusion detection convolution model issued by the coordinator; then each participant locally trains a local initial federated intrusion detection convolution model for E rounds to update model parameters;
303) the method comprises the following steps of calculating each node parameter by forward propagation of a local initial federal intrusion detection convolution model, and then calculating a loss value MultiLabelLoss of the model parameter by adopting a federal multi-label entropy loss function, wherein the formula is as follows:
wherein i represents a sample; n represents the total number of samples; MCOORDI represents the number of label categories of the training task selected by the coordinator;if the label type of the sample i is the same as the label type c, the value of the symbol function of the sample i is 1, otherwise, the value of the symbol function of the sample i is 0; predSoftmaxc iRepresenting the predicted probability value of the sample i for the label category c;
304) the method comprises the steps of reversely propagating a model, calculating partial derivatives of loss values of model parameters to each neuron node parameter, and solving the partial derivatives by adopting a Federal shared momentum SGD algorithm and updating the node parameters by utilizing the magnitude of the partial derivatives, wherein the calculation formula of the Federal shared momentum SGD is as follows:
wherein, mavgtAs a parameter of a nodeUnder the condition of sharing momentum sharemementhe average value of the momentum of t local turns; the shared momentum sharemen is a federal shared momentum SGD specified by the coordinator;loss value MultiLabelLoss to node parameter for model parameter of t-th local roundThe partial derivative value of (d); sharerlr is the shared learning rate (sharerlr) of the federated intrusion detection convolution model;updating the node parameter of the t local round;
305) repeatedly calculating loss value MultiLabelLoss and partial derivative value of model parameterUntil the number of local batches of training reaches a maximum.
In step 4), after each participant completes one round of updating of the local federal intrusion detection convolution model, the encryption state submodel splitting and fusion algorithm is adopted to split the updated local federal intrusion detection convolution model into N encryption state submodels, each encryption state submodel is exchanged with other participants, and finally the encryption state submodels obtained by accumulating and exchanging of each participant are used as the local encryption state federal intrusion detection convolution model, and the specific steps are as follows:
401) initiator InitiOrgan has updated local federated intrusion detection convolution model M1First party PartiOrgan1Having an updated local federated intrusion detection convolution model M2… PartiOrgan as the N-1 participantn-1Having an updated local federated intrusion detection convolution model Mn;
402) The initiator initiOrgan takes N-1 random operators, Rm respectively2、Rm3、…、RmnThen, the following N encryption state submodels are calculated:
<M1>2=Rm2
<M1>3=Rm3
……
<M1>n=Rmn
<M1>1=M1-<M1>2-<M1>3-…-<M1>n
wherein < > represents the encryption state cipher text in the encryption state submodel splitting and merging algorithm;
403) initiator InitiOrgan will encrypt state submodel<M1>2Forward to the first participant partiorgagan1The encryption state sub-model<M1>3Forward to the second party PartiOrgan2And so on; as above, the first party PartiOrgan1And a second party PartiOrgan2All execute the same operation as the initiator InitiOrgan, and forward the encryption state submodel to other participants; after one-time forwarding, the initiator InitiOrgan possesses the encryption state submodel as follows:<M1>1、<M2>1、…、<Mn>1(ii) a First party PartiOrgan1The submodel with the encryption state is as follows:<M1>2、<M2>2、…、<Mn>2(ii) a Second party PartiOrgan2The submodel with the encryption state is as follows:<M1>3、<M2>3、…、<Mn>3and so on;
404) and (3) the encryption state submodel obtained by local accumulation exchange of each participant is used as a local encryption state federal intrusion detection convolution model:
InitiOrgan:<M>1=<M1>1+<M2>1+…+<Mn>1
PartiOrgan1:<M>2=<M1>2+<M2>2+…+<Mn>2
…
PartiOrgann-1:<M>n=<M1>n+<M2>n+…+<Mn>n
wherein the content of the first and second substances,<M>1the encryption state sub-model obtained by accumulated exchange of the initiator initiOrgan is used as a local encryption state federal intrusion detection convolution model,<M>2PartiOrgan as a first participant1A local encryption state federal intrusion detection convolution model obtained by accumulation exchange,<M>3PartiOrgan as a second party2And accumulating and exchanging the obtained local encryption state federal intrusion detection convolution model, and so on.
In step 6), the calculation formula of the encryption state federal model incremental weighted average is as follows:
among them, GloModeltRepresenting a global federal intrusion detection convolution model issued by a tth round coordinator;representing a local encryption state model obtained after the ith round of training of the ith participant;representing the difference value of the local encryption state model parameters of the current round and the global initial federal intrusion detection convolution model parameters of the current round, wherein the value of the difference value is used as the model parameter increment uploaded by the participants of the current round; and N represents the number of participants participating in the global iteration of the current round.
In step 8), the method for the initiator InitiOrgan to arbitrate the global federated intrusion detection convolution model is as follows:
801) after receiving a global federal intrusion detection convolution model issued by a coordinator, an initiator initiOrgan freezes nodes of a non-convolution sensing layer at first, and then extends forwards to obtain an arbitration loss value of an arbitration function;
802) the initiator InitiOrgan records the arbitration loss value, and judges the convergence status of the arbitration function according to the arbitration loss value:
the method comprises the following specific steps:
80201) After multiple times of global batch training, if the arbitration loss value is not reduced but increased, the initiator initi organ requests the coordinator to terminate federal learning and renegotiate new parameter information;
80202) After multiple times of global batch training, if the arbitration loss value is still in a descending state, the initiator initi organ does not process the arbitration loss value;
80203) After multiple times of global batch training, if the arbitration loss value reaches the convergence state, the initiator initi organ requests the coordinator to terminate the federal learning, and the global federal intrusion detection convolution model issued for the last time is used as the result of the federal learning.
The network intrusion cooperative detection method based on the federal learning provided by the invention has the following beneficial effects:
(1) different from the traditional method that the coordinator completely controls the federal learning process, the initiator of the federal learning and the coordinator jointly build a horizontal federal learning task in the method, and a trained Federal Intrusion Detection Convolutional Model (FIDCM) is more suitable for the service requirement of the initiator. (2) The federal learning task adopts a federal model increment average aggregation function, so that the efficiency of federal learning can be improved. (3) And each participant uploading model adopts an encryption state federal intrusion detection convolution model, so that the model inversion attack of the semi-honest participants on other participants can be prevented. (4) The initiator of federal learning carries out arbitration, thereby protecting the intrusion detection library from being acquired by a coordinator, ensuring the end-to-end safety of model parameters and aiming at enhancing the robustness of the model.
Drawings
Fig. 1 is a flowchart of a federated learning-based network intrusion cooperative detection method provided in the present invention.
FIG. 2 is a flow chart of local initial federated intrusion detection convolutional model training performed by each participant in the present invention.
FIG. 3 is a flow chart of an algorithm for splitting and fusing encryption state submodels of N participants.
FIG. 4 is a flow diagram of global federated intrusion detection convolution model arbitration in accordance with the present invention.
Detailed Description
The invention is described in detail below with reference to the figures and the specific embodiments.
As shown in fig. 1, the federated learning-based network intrusion cooperative detection method provided by the present invention includes the following steps performed in sequence:
1) the initiator initiOrgan is used as one of N participants of the federal learning and participates in the training and arbitration of the federal intrusion detection convolution model; the other participants PartiOrgan include the first participant PartiOrgan1PartiOrgan as the N-1 th participantn-1Only participate in the training of the convolution model of the federal intrusion detection; firstly, an initiator InitiOrgan sends a request of federal learning to a coordinator, and the initiator InitiOrgan and the coordinator jointly determine parameter information related to a federal intrusion detection convolution model according to self requirements;
the method is suitable for horizontal federal learning among multiple organizations, a coordinator does not have complete authority to determine parameter information related to the federal learning, the coordinator is borne by a polymerization server, the main task is to send an initial federal intrusion detection convolution model and receive an updated federal intrusion detection convolution model, increment weighted average of the federal intrusion detection convolution model is carried out, and the coordinator determines which participants have the authority to participate in a single training round.
The parameter information includes:
101) and (3) algorithm selection: the algorithm selected for federal learning. (SelectedModel: Fed-Resnet-18)
102) The data processing method comprises the following steps: the data preprocessing method of each local intrusion detection library adopts a standardized processing method and a CNN pixel matrix conversion method. (DataPreprocessing: [ normaliztion: MinMaxScaler, PixelMatrixRow:7])
103) The privacy protection method comprises the following steps: uploading an encryption mode used by the updated federal intrusion detection convolution model. (PrivacyProtectMethod: EncrypttedModelAccumulation)
104) The number of the participants is: the total number of participants in the convolutional model training for federal intrusion detection. (Participants:10)
105) Global round: and training the global federal intrusion detection convolution model for the maximum round. (GlobalaEpochs: 100)
106) The local round is as follows: number of times each participant has trained in a single round. (LocalEpochs:10)
107) Shared batch size: the coordinator specifies the batch size to be used by each participant. (BatchSize:64)
108) The ratio of the participants: proportion of participants randomly selected in a single round. (SampleRatio:0.5)
109) And (3) a node updating method: and updating node parameters of the federal intrusion detection convolution model. (UpdateNodePar: FSMSGD)
110) Shared learning rate: the size of the learning rate shared by each participant specified by the coordinator. (Sharelr:0.001)
111) Sharing momentum: the coordinator specifies the amount of momentum shared by the participants. (ShareMomentum:0.0001)
2) The coordinator sends the related parameter information to each participant of a local federal intrusion detection convolution model;
3) after obtaining the parameter information, each participant initializes a local federal intrusion detection convolution model according to the parameter information to obtain a local initial federal intrusion detection convolution model, and then transmits an intrusion detection library owned locally into each local initial federal intrusion detection convolution model for training to obtain an updated local federal intrusion detection convolution model;
as shown in fig. 2, the training method is as follows:
301) each participant carries out data preprocessing on the locally owned intrusion detection library, including standardization processing and conversion of the feature matrix into a CNN pixel matrix, wherein the dimension of the CNN pixel matrix is determined according to the number of features in the intrusion detection library, and the intrusion detection library comprises 41 features, so that when the feature matrix is converted into the CNN pixel matrix, the dimension of the CNN pixel matrix is 7 x 7 (PixelMatrixRow);
302) carrying out batch processing on the preprocessed intrusion detection libraries by using the local batch size (BatchSize) and disordering the sequence; then the participator utilizes the global initial federal intrusion detection convolution model issued by the coordinator to construct a local initial federal intrusion detection convolution model (SelectedModel); then each participant locally trains E (LocalEpochs) rounds on a local initial federated intrusion detection convolution model to update model parameters;
303) the method comprises the following steps of calculating parameters of each node by forward propagating a local initial federal intrusion detection convolution model, and then calculating a loss value MultiLabelLoss of the model parameters by adopting a federal multi-label entropy loss function, wherein the formula is as follows:
wherein i represents a sample; n represents the total number of samples; MCOORDI represents the number of label categories of the training task selected by the coordinator;if the label type of the sample i is the same as the label type c, the value of the symbol function of the sample i is 1, otherwise, the value of the symbol function of the sample i is 0; predSoftmaxc iRepresenting the predicted probability value of the sample i for the label category c;
304) the method for solving the partial derivative value adopts a Federal shared momentum SGD algorithm and updates the node parameter by using the partial derivative value, wherein a calculation formula of the Federal shared momentum SGD is as follows:
wherein, mavgtAs a parameter of a nodeThe average value of the momentum of the t local round under the condition of sharing the momentum sharememan; the shared momentum sharemen is a federal shared momentum SGD specified by the coordinator;loss value MultiLabelLoss to node parameter for model parameter of t-th local roundThe partial derivative value of (d); sharerl is the shared learning rate (sharerlr) of the federal intrusion detection convolution model;updating the node parameter of the t local round;
305) repeatedly calculating loss value MultiLabelLoss and partial derivative value of model parameterUntil the number of local batches of training reaches a maximum.
4) After each participant completes one round of updating of the local federal intrusion detection convolution model, an encryption state submodel splitting and fusion algorithm is adopted to split the updated local federal intrusion detection convolution model into N encryption state submodels, each encryption state submodel is exchanged with other participants, and finally the encryption state submodels obtained by accumulation exchange of each participant are used as the local encryption state federal intrusion detection convolution model;
as shown in fig. 3, the specific steps are as follows:
401) initiator InitiOrgan has updated local federated intrusion detection convolution model M1The first party PartiOrgan1Having an updated local federated intrusion detection convolution model M2… PartiOrgan as the N-1 participantn-1Having an updated local federated intrusion detection convolution model Mn;
402) The initiator initiOrgan takes N-1 random operators, Rm respectively2、Rm3、…、RmnThen, the following N encryption state submodels are calculated:
<M1>2=Rm2
<M1>3=Rm3
……
<M1>n=Rmn
<M1>1=M1-<M1>2-<M1>3-…-<M1>n
wherein < > represents the encryption state cipher text in the encryption state submodel splitting and merging algorithm;
403) initiator InitiOrgan will encrypt state submodel<M1>2Forward to the first participant PartiOrgan1The encryption state sub-model<M1>3Forward to the second participant PartiOrgan2And so on; as above, the first party PartiOrgan1And a second party PartiOrgan2All execute the same operation as the initiator InitiOrgan, and forward the encryption state submodel to other participants; after the primary forwarding, the initiator InitiOrgan possesses the encryption state submodel as follows:<M1>1、<M2>1、…、<Mn>1(ii) a First party PartiOrgan1The submodel with the encryption state is as follows:<M1>2、<M2>2、…、<Mn>2(ii) a Second party PartiOrgan2The submodel with the encryption state comprises the following steps:<M1>3、<M2>3、…、<Mn>3thereby, it is possible to obtainAnd so on;
404) and (3) the encryption state submodel obtained by local accumulation exchange of each participant is used as a local encryption state federal intrusion detection convolution model:
InitiOrgan:<M>1=<M1>1+<M2>1+…+<Mn>1
PartiOrgan1:<M>2=<M1>2+<M2>2+…+<Mn>2
…
PartiOrgann-1:<M>n=<M1>n+<M2>n+…+<Mn>n
wherein the content of the first and second substances,<M>1the encryption state sub-model obtained by accumulated exchange of the initiator initiOrgan is used as a local encryption state federal intrusion detection convolution model,<M>2PartiOrgan for the first participant1A local encryption state federal intrusion detection convolution model obtained by accumulation exchange,<M>3PartiOrgan as a second party2And accumulating and exchanging the obtained local encryption state federal intrusion detection convolution model, and so on.
5) Each participant uploads a respective local encryption state federal intrusion detection convolution model to a coordinator;
6) the coordination party carries out encryption state federal intrusion detection convolution models uploaded by all the participants on incremental weighted average of the encryption state federal intrusion detection convolution models to obtain a global federal intrusion detection convolution model;
the calculation formula of the encryption state federal model incremental weighted average is as follows:
among them, GloModeltRepresenting a global federal intrusion detection convolution model issued by a tth round coordinator;representing a local encryption state model obtained after the ith round of training of the ith participant;representing the difference value of the local encryption state model parameters of the current round and the global initial federal intrusion detection convolution model parameters of the current round, wherein the value of the difference value is used as the model parameter increment uploaded by the participants of the current round; n represents the number of participants participating in the global iteration of the current round;
7) the coordinator sends the global federal intrusion detection convolution model to each participant;
8) other participants PartiOrgan continue training the global federal intrusion detection convolution model by using a local intrusion detection library; the initiator InitiOrgan puts the local intrusion detection library into 9: 1, training and arbitrating the global federal intrusion detection convolution model, wherein the arbitration function adopts a federal multi-label entropy loss function, and feedbacks the federal learning condition to a coordinator according to the convergence state of the arbitration function.
As shown in fig. 4, the method for the initiator InitiOrgan to arbitrate the global federated intrusion detection convolution model is as follows:
801) after receiving a global federal intrusion detection convolution model issued by a coordinator, an initiator initiOrgan freezes nodes of a non-convolution sensing layer at first, and then extends forwards to obtain an arbitration loss value of an arbitration function;
802) the initiator InitiOrgan records the arbitration loss value, and judges the convergence status of the arbitration function according to the arbitration loss value:
the method comprises the following specific steps:
80201) After multiple times of global batch training, if the arbitration loss value is not reduced but increased, the initiator initi organ requests the coordinator to terminate federal learning and renegotiate new parameter information;
80202) After multiple times of global batch training, if the arbitration loss value is still in a descending state, the initiator initi organ does not process the arbitration loss value;
80203) After multiple times of global batch training, if the arbitration loss value reaches the convergence state, the initiator initi organ requests the coordinator to terminate the federal learning, and the global federal intrusion detection convolution model issued for the last time is used as the result of the federal learning.
Claims (6)
1. A network intrusion cooperative detection method based on federal learning is characterized in that: the network intrusion cooperative detection method based on the federal learning comprises the following steps in sequence:
1) the initiator InitiOrgan is used as one of N participants of the federal learning and participates in the training and arbitration of the federal intrusion detection convolution model; the other participants PartiOrgan include the first participant PartiOrgan1PartiOrgan as the N-1 th participantn-1Only participate in the training of the convolution model of the federal intrusion detection; firstly, an initiator InitiOrgan sends a request of federal learning to a coordinator, and the initiator InitiOrgan and the coordinator jointly determine parameter information related to a federal intrusion detection convolution model according to self requirements;
2) the coordinating party issues the relevant parameter information to each participating party of the local federal intrusion detection convolution model;
3) after obtaining the parameter information, each participant initializes a local federal intrusion detection convolution model according to the parameter information to obtain a local initial federal intrusion detection convolution model, and then transmits an intrusion detection library owned locally into each local initial federal intrusion detection convolution model for training to obtain an updated local federal intrusion detection convolution model;
4) after each participant completes one round of updating of the local federal intrusion detection convolution model, an encryption state submodel splitting and fusion algorithm is adopted to split the updated local federal intrusion detection convolution model into N encryption state submodels, each encryption state submodel is exchanged with other participants, and finally the encryption state submodels obtained by accumulation exchange of each participant are used as the local encryption state federal intrusion detection convolution model;
5) each participant uploads a respective local encryption state federal intrusion detection convolution model to a coordinator;
6) the coordination party carries out encryption state federal intrusion detection convolution models uploaded by all the participants on incremental weighted average of the encryption state federal intrusion detection convolution models to obtain a global federal intrusion detection convolution model;
7) the coordinator sends the global federal intrusion detection convolution model to each participant;
8) other participants PartiOrgan continue training the global federal intrusion detection convolution model by using a local intrusion detection library; and the initiator initiOrgan trains and arbitrates the global federal intrusion detection convolution model according to the local intrusion detection library in a ratio of 9: 1, the arbitration function adopts a federal multi-label entropy loss function, and the federal learning condition is fed back to the coordinator according to the convergence state of the arbitration function.
2. The federated learning-based network intrusion collaborative detection method of claim 1, wherein: in step 1), the parameter information includes:
101) and (3) algorithm selection: an algorithm selected for federal learning;
102) the data processing method comprises the following steps: a data preprocessing method of each local intrusion detection library;
103) the privacy protection method comprises the following steps: uploading an encryption mode used by the updated federal intrusion detection convolution model;
104) the number of the participants is: the total number of participants of the federal intrusion detection convolution model training;
105) global round: training a global federal intrusion detection convolution model for the maximum round;
106) the local round is as follows: the number of times each participant has trained in a single round;
107) shared batch size: the coordinator specifies the batch size shared by all the participants;
108) the ratio of the participants: the proportion of the participants randomly selected in a single round;
109) and (3) a node updating method: updating node parameters of a federal intrusion detection convolution model;
110) shared learning rate: the learning rate which is specified by the coordinator and is used by all the participants;
111) sharing momentum: the coordinator specifies the amount of momentum shared by the participants.
3. The federated learning-based network intrusion collaborative detection method of claim 1, wherein: in step 3), the training method is as follows:
301) each participant carries out data preprocessing on the intrusion detection library owned locally, including standardized processing and characteristic matrix conversion into a CNN pixel matrix;
302) carrying out batch processing on the preprocessed intrusion detection libraries by using the local batch size and disordering the sequence; then the participator constructs a local initial federal intrusion detection convolution model by using a global initial federal intrusion detection convolution model issued by the coordinator; then each participant locally trains a local initial federated intrusion detection convolution model for E rounds to update model parameters;
303) the method comprises the following steps of calculating parameters of each node by forward propagating a local initial federal intrusion detection convolution model, and then calculating a loss value MultiLabelLoss of the model parameters by adopting a federal multi-label entropy loss function, wherein the formula is as follows:
wherein i represents a sample; n represents the total number of samples; MCOORDI represents the number of label categories of the training task selected by the coordinator;if the label type of the sample i is the same as the label type c, the value of the symbol function of the sample i is 1, otherwise, the value of the symbol function of the sample i is 0; predSoftmaxc iRepresenting the predicted probability value of the sample i for the label category c;
304) the method comprises the steps of reversely propagating a model, calculating partial derivatives of loss values of model parameters to each neuron node parameter, and solving the partial derivatives by adopting a Federal shared momentum SGD algorithm and updating the node parameters by utilizing the magnitude of the partial derivatives, wherein the calculation formula of the Federal shared momentum SGD is as follows:
wherein, mavgtAs a parameter of a nodeThe average value of the momentum of the t local round under the condition of sharing the momentum sharememan; the shared momentum sharemen is a federal shared momentum SGD specified by the coordinator;loss value MultiLabelLoss to node parameter for model parameter of t-th local roundThe partial derivative value of (d); sharerl is the shared learning rate (sharerlr) of the federal intrusion detection convolution model;updating the node parameter of the t local round;
4. The federated learning-based network intrusion collaborative detection method of claim 1, wherein: in step 4), after each participant completes one round of updating of the local federal intrusion detection convolution model, the encryption state submodel splitting and fusion algorithm is adopted to split the updated local federal intrusion detection convolution model into N encryption state submodels, each encryption state submodel is exchanged with other participants, and finally the encryption state submodels obtained by accumulating and exchanging of each participant are used as the local encryption state federal intrusion detection convolution model, and the specific steps are as follows:
401) initiator InitiOrgan has updated local federated intrusion detection convolution model M1First party PartiOrgan1Having an updated local federated intrusion detection convolution model M2… PartiOrgan as the N-1 participantn-1The method comprises the steps of having an updated local federal intrusion detection convolution model Mn;
402) the initiator initiOrgan takes N-1 random operators, Rm respectively2、Rm3、…、RmnThen, the following N encryption state submodels are calculated:
<M1>2=Rm2
<M1>3=Rm3
……
<M1>n=Rmn
<M1>1=M1-<M1>2-<M1>3-…-<M1>n
wherein < · > represents an encryption state ciphertext in an encryption state sub-model splitting and merging algorithm;
403) initiator initiOrgan will encrypt state submodel<M1>2Forward to the first participant partiorgagan1The encryption state sub-model<M1>3Forward to the second party PartiOrgan2And so on; as above, the first party PartiOrgan1And a second party PartiOrgan2All execute the same operation as the initiator InitiOrgan, and forward the encryption state submodel to other participants;after the primary forwarding, the initiator InitiOrgan possesses the encryption state submodel as follows:<M1>1、<M2>1、…、<Mn>1(ii) a First party PartiOrgan1The submodel with the encryption state is as follows:<M1>2、<M2>2、…、<Mn>2(ii) a Second party PartiOrgan2The submodel with the encryption state is as follows:<M1>3、<M2>3、…、<Mn>3and so on;
404) and (3) the encryption state submodel obtained by local accumulation exchange of each participant is used as a local encryption state federal intrusion detection convolution model:
InitiOrgan:<M>1=<M1>1+<M2>1+…+<Mn>1
PartiOrgan1:<M>2=<M1>2+<M2>2+…+<Mn>2
…
PartiOrgann-1:<M>n=<M1>n+<M2>n+…+<Mn>n
wherein the content of the first and second substances,<M>1the encryption state sub-model obtained by accumulated exchange of the initiator initiOrgan is used as a local encryption state federal intrusion detection convolution model,<M>2PartiOrgan as a first participant1A local encryption state federal intrusion detection convolution model obtained by accumulation exchange,<M>3PartiOrgan as a second party2And accumulating and exchanging the obtained local encryption state federal intrusion detection convolution model, and so on.
5. The federated learning-based network intrusion collaborative detection method of claim 1, wherein: in step 6), the calculation formula of the encryption state federal model incremental weighted average is as follows:
among them, GloModeltRepresenting a global federal intrusion detection convolution model issued by a tth round coordinator;representing a local encryption state model obtained after the ith round of training of the ith participant;representing the difference value of the local encryption state model parameters of the current round and the global initial federal intrusion detection convolution model parameters of the current round, wherein the value of the difference value is used as the model parameter increment uploaded by the participants of the current round; and N represents the number of participants participating in the global iteration of the current round.
6. The federated learning-based network intrusion collaborative detection method of claim 1, wherein: in step 8), the method for the initiator InitiOrgan to arbitrate the global federated intrusion detection convolution model is as follows:
801) after receiving a global federal intrusion detection convolution model issued by a coordinator, an initiator initiOrgan freezes nodes of a non-convolution sensing layer at first, and then extends forwards to obtain an arbitration loss value of an arbitration function;
802) the initiator InitiOrgan records the arbitration loss value, and judges the convergence status of the arbitration function according to the arbitration loss value:
the method comprises the following specific steps:
80201) After multiple times of global batch training, if the arbitration loss value is not reduced but increased, the initiator initi organ requests the coordinator to terminate federal learning and renegotiate new parameter information;
80202) After multiple times of global batch training, if the arbitration loss value is still in a descending state, the initiator initi organ does not process the arbitration loss value;
80203) After multiple times of global batch training, if the arbitration loss value reaches the convergence state, the initiator initi organ requests the coordinator to terminate the federal learning, and the global federal intrusion detection convolution model issued for the last time is used as the result of the federal learning.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210097210.1A CN114640498B (en) | 2022-01-27 | 2022-01-27 | Network intrusion collaborative detection method based on federal learning |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210097210.1A CN114640498B (en) | 2022-01-27 | 2022-01-27 | Network intrusion collaborative detection method based on federal learning |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114640498A true CN114640498A (en) | 2022-06-17 |
CN114640498B CN114640498B (en) | 2023-08-29 |
Family
ID=81945917
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210097210.1A Active CN114640498B (en) | 2022-01-27 | 2022-01-27 | Network intrusion collaborative detection method based on federal learning |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114640498B (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115242559A (en) * | 2022-09-23 | 2022-10-25 | 北京航空航天大学 | Network flow intrusion detection method based on block chain and federal learning |
CN115277696A (en) * | 2022-07-13 | 2022-11-01 | 京信数据科技有限公司 | Cross-network federal learning system and method |
CN116010944A (en) * | 2023-03-24 | 2023-04-25 | 北京邮电大学 | Federal computing network protection method and related equipment |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112203282A (en) * | 2020-08-28 | 2021-01-08 | 中国科学院信息工程研究所 | 5G Internet of things intrusion detection method and system based on federal transfer learning |
AU2021104400A4 (en) * | 2021-07-21 | 2021-09-16 | Alshehri, Mohammad Dahman DR | An intelligent system for detecting behavioral cyber attack on industrial iot using ai federated learning algorithm |
CN113468521A (en) * | 2021-07-01 | 2021-10-01 | 哈尔滨工程大学 | Data protection method for federal learning intrusion detection based on GAN |
CN113794675A (en) * | 2021-07-14 | 2021-12-14 | 中国人民解放军战略支援部队信息工程大学 | Distributed Internet of things intrusion detection method and system based on block chain and federal learning |
CN113806735A (en) * | 2021-08-20 | 2021-12-17 | 北京工业大学 | Execution and evaluation dual-network personalized federal learning intrusion detection method and system |
CN113962314A (en) * | 2021-10-27 | 2022-01-21 | 南京富尔登科技发展有限公司 | Non-invasive enterprise load decomposition method based on federal learning |
-
2022
- 2022-01-27 CN CN202210097210.1A patent/CN114640498B/en active Active
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112203282A (en) * | 2020-08-28 | 2021-01-08 | 中国科学院信息工程研究所 | 5G Internet of things intrusion detection method and system based on federal transfer learning |
CN113468521A (en) * | 2021-07-01 | 2021-10-01 | 哈尔滨工程大学 | Data protection method for federal learning intrusion detection based on GAN |
CN113794675A (en) * | 2021-07-14 | 2021-12-14 | 中国人民解放军战略支援部队信息工程大学 | Distributed Internet of things intrusion detection method and system based on block chain and federal learning |
AU2021104400A4 (en) * | 2021-07-21 | 2021-09-16 | Alshehri, Mohammad Dahman DR | An intelligent system for detecting behavioral cyber attack on industrial iot using ai federated learning algorithm |
CN113806735A (en) * | 2021-08-20 | 2021-12-17 | 北京工业大学 | Execution and evaluation dual-network personalized federal learning intrusion detection method and system |
CN113962314A (en) * | 2021-10-27 | 2022-01-21 | 南京富尔登科技发展有限公司 | Non-invasive enterprise load decomposition method based on federal learning |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115277696A (en) * | 2022-07-13 | 2022-11-01 | 京信数据科技有限公司 | Cross-network federal learning system and method |
CN115242559A (en) * | 2022-09-23 | 2022-10-25 | 北京航空航天大学 | Network flow intrusion detection method based on block chain and federal learning |
CN116010944A (en) * | 2023-03-24 | 2023-04-25 | 北京邮电大学 | Federal computing network protection method and related equipment |
Also Published As
Publication number | Publication date |
---|---|
CN114640498B (en) | 2023-08-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN114640498A (en) | Network intrusion cooperative detection method based on federal learning | |
CN111460443B (en) | Security defense method for data manipulation attack in federated learning | |
Popov et al. | The coordicide | |
CN112738034B (en) | Block chain phishing node detection method based on vertical federal learning | |
CN112101403B (en) | Classification method and system based on federal few-sample network model and electronic equipment | |
CN112560059B (en) | Vertical federal model stealing defense method based on neural pathway feature extraction | |
CN116708009A (en) | Network intrusion detection method based on federal learning | |
He et al. | The hybrid similar neighborhood robust factorization machine model for can bus intrusion detection in the in-vehicle network | |
CN113392429A (en) | Block chain-based power distribution Internet of things data safety protection method and device | |
Goh et al. | Secure trust-based delegated consensus for blockchain frameworks using deep reinforcement learning | |
CN115660147A (en) | Information propagation prediction method and system based on influence modeling between propagation paths and in propagation paths | |
Zhang et al. | Federated learning with quantum secure aggregation | |
CN112733170B (en) | Active trust evaluation method based on evidence sequence extraction | |
CN112085051B (en) | Image classification method and system based on weighted voting and electronic equipment | |
CN117391816A (en) | Heterogeneous graph neural network recommendation method, device and equipment | |
CN117216788A (en) | Video scene identification method based on federal learning privacy protection of block chain | |
CN115208604B (en) | AMI network intrusion detection method, device and medium | |
Anwer et al. | Intrusion detection using deep learning | |
CN115310625A (en) | Longitudinal federated learning reasoning attack defense method | |
CN115766140A (en) | Distributed denial of service (DDoS) attack detection method and device | |
Chen et al. | Fast and practical intrusion detection system based on federated learning for VANET | |
CN114785608A (en) | Industrial control network intrusion detection method based on decentralized federal learning | |
CN114189332A (en) | Continuous group perception excitation method based on symmetric encryption and double-layer truth discovery | |
Gao et al. | Multi-source feedback based light-weight trust mechanism for edge computing | |
Kang et al. | Bitcoin double-spending attack detection using graph neural network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |