CN114640498A - Network intrusion cooperative detection method based on federal learning - Google Patents

Publication number: CN114640498A
Authority: CN (China)
Prior art keywords: federal, intrusion detection, model, local, convolution model
Legal status: Granted (Active)
Application number: CN202210097210.1A
Other languages: Chinese (zh)
Other versions: CN114640498B (en)
Inventors: 王劲松, 魏宗朴, 赵泽宁, 张洪豪
Current Assignee: Tianjin University of Technology
Original Assignee: Tianjin University of Technology
Priority: CN202210097210.1A
Publications: CN114640498A (application), CN114640498B (granted)

Classifications

    • H04L63/1416: Event detection, e.g. attack signature detection (under H04L63/1408, detecting or protecting against malicious traffic by monitoring network traffic)
    • H04L63/1441: Countermeasures against malicious traffic (under H04L63/14, detecting or protecting against malicious traffic)
    • G06N20/20: Ensemble learning (under G06N20/00, Machine learning)
    • G06N3/045: Combinations of networks (under G06N3/04, Architecture, e.g. interconnection topology)
    • G06N3/047: Probabilistic or stochastic networks (under G06N3/04, Architecture, e.g. interconnection topology)
    • G06N3/084: Backpropagation, e.g. using gradient descent (under G06N3/08, Learning methods)
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

A network intrusion cooperative detection method based on federated learning. The method comprises the following steps: an initiator initiates a federated learning request; the coordinator issues parameter information; each participant locally trains a federal intrusion detection convolution model; a local encryption state federal intrusion detection convolution model is obtained and uploaded; a global federal intrusion detection convolution model is obtained and issued; and the state of the federated learning is fed back. The federal intrusion detection convolution model trained by the invention is better suited to the service requirements of the model. The federated learning task uses a federal model increment average aggregation function, which improves the efficiency of federated learning. Each participant uploads its model as an encryption state federal intrusion detection convolution model, which prevents semi-honest participants from mounting model inversion attacks on other participants. The initiator of the federated learning performs arbitration, which keeps the intrusion detection library from being acquired by the coordinator, ensures the end-to-end security of the model parameters, and is intended to enhance the robustness of the model.

Description

Network intrusion cooperative detection method based on federal learning
Technical Field
The invention belongs to the technical field of network intrusion detection, and particularly relates to a network intrusion cooperative detection method based on federal learning.
Background
In recent years, with the popularization of big data applications, networks have become a tool known to and used by everyone. The explosive growth in the number of network users has brought an exponential increase in network traffic, and with it increasingly severe network security problems. As an important component of network security, the Network Intrusion Detection System (IDS for short) has been a research hotspot in the field of network security.
Traditional network intrusion detection relies mainly on training with samples collected at a single site. In today's complex and changeable network environment, single-site training has the following problems:
(1) The number of available samples is limited: a single organization that collects malicious attack samples can label only a limited number of them, so the number of samples, and especially of malicious samples, is insufficient. In practical use, an intrusion detection model trained this way tends to generate a large number of false alarms that drown out the real attack alarms.
(2) Malicious samples take many forms: the means and modes of malicious attack are varied, and the malicious samples collected by each organization differ. A model trained by a single organization is limited with respect to some types of malicious attack and does not adapt well to complex real-world environments.
(3) Data islands exist between organizations: with the improvement of network security measures, an organization's data can no longer be freely exported and used in plaintext, so data islands form between organizations, and how to use the data without revealing it becomes a very difficult problem.
Disclosure of Invention
In order to solve the above problems, the present invention aims to provide a network intrusion cooperative detection method based on federal learning.
In order to achieve the above purpose, the federated learning-based network intrusion cooperative detection method provided by the present invention comprises the following steps that are carried out in sequence:
1) the initiator InitiOrgan acts as one of the N participants of the federated learning and takes part in both the training and the arbitration of the federal intrusion detection convolution model; the other participants PartiOrgan, from the first participant PartiOrgan_1 to the (N-1)-th participant PartiOrgan_{n-1}, take part only in the training of the federal intrusion detection convolution model; first, the initiator InitiOrgan sends a federated learning request to the coordinator, and the initiator InitiOrgan and the coordinator jointly determine the parameter information related to the federal intrusion detection convolution model according to their own requirements;
2) the coordinator issues the relevant parameter information to each participant that trains a local federal intrusion detection convolution model;
3) after obtaining the parameter information, each participant initializes a local federal intrusion detection convolution model according to the parameter information to obtain a local initial federal intrusion detection convolution model, and then feeds its locally owned intrusion detection library into its local initial federal intrusion detection convolution model for training to obtain an updated local federal intrusion detection convolution model;
4) after each participant completes one round of updating of the local federal intrusion detection convolution model, it uses the encryption state submodel splitting and fusion algorithm to split the updated local federal intrusion detection convolution model into N encryption state submodels and exchanges the encryption state submodels with the other participants; finally, each participant sums the encryption state submodels it obtained in the exchange and uses the sum as its local encryption state federal intrusion detection convolution model;
5) each participant uploads its local encryption state federal intrusion detection convolution model to the coordinator;
6) the coordinator computes the encryption state federal intrusion detection convolution model incremental weighted average over the local encryption state federal intrusion detection convolution models uploaded by the participants to obtain a global federal intrusion detection convolution model;
7) the coordinator sends the global federal intrusion detection convolution model to each participant;
8) the other participants PartiOrgan continue to train the global federal intrusion detection convolution model with their local intrusion detection libraries; the initiator InitiOrgan splits its local intrusion detection library in a 9:1 ratio for training and arbitrating the global federal intrusion detection convolution model, where the arbitration function is the federal multi-label entropy loss function, and feeds back the state of the federated learning to the coordinator according to the convergence state of the arbitration function.
In step 1), the parameter information includes:
101) Algorithm selection: the algorithm selected for federated learning;
102) Data processing method: the data preprocessing method of each local intrusion detection library;
103) Privacy protection method: the encryption mode used when uploading the updated federal intrusion detection convolution model;
104) Number of participants: the total number of participants in the training of the federal intrusion detection convolution model;
105) Global rounds: the maximum number of training rounds of the global federal intrusion detection convolution model;
106) Local rounds: the number of times each participant trains in a single round;
107) Shared batch size: the batch size specified by the coordinator and shared by all participants;
108) Participant ratio: the proportion of participants randomly selected in a single round;
109) Node update method: the method for updating the node parameters of the federal intrusion detection convolution model;
110) Shared learning rate: the learning rate specified by the coordinator, the same for every participant;
111) Shared momentum: the momentum value specified by the coordinator and shared by the participants.
In step 3), the training method is as follows:
301) each participant preprocesses its locally owned intrusion detection library, including standardization and conversion of the feature matrix into a CNN pixel matrix;
302) the preprocessed intrusion detection library is divided into batches using the local batch size and shuffled; the participant then constructs a local initial federal intrusion detection convolution model from the global initial federal intrusion detection convolution model issued by the coordinator; each participant then locally trains the local initial federal intrusion detection convolution model for E rounds to update the model parameters;
303) the local initial federal intrusion detection convolution model is propagated forward to calculate each node parameter, and the loss value MultiLabelLoss of the model parameters is then calculated with the federal multi-label entropy loss function, whose formula is as follows:
Figure BDA0003491335240000041
wherein i represents a sample; n represents the total number of samples; MCOORDI represents the number of label categories of the training task selected by the coordinator;
Figure BDA0003491335240000042
is an indicator function whose value is 1 if the label type of sample i is the same as label category c, and 0 otherwise; $predSoftmax_i^c$ represents the predicted probability value of sample i for label category c;
304) the model is propagated backward and the partial derivatives of the loss value of the model parameters with respect to each neuron node parameter are calculated; the partial derivatives are solved with the Federal shared momentum SGD algorithm and their magnitudes are used to update the node parameters, where the calculation formula of the Federal shared momentum SGD is as follows:
Figure BDA0003491335240000043
Figure BDA0003491335240000044
where $mavg_t$ is, for the node parameter
Figure BDA0003491335240000045
the average value of the momentum of the t-th local round under the shared momentum ShareMomentum; the shared momentum ShareMomentum is the momentum value of the federal shared momentum SGD specified by the coordinator;
Figure BDA0003491335240000046
is the partial derivative value of the loss value MultiLabelLoss of the model parameters of the t-th local round with respect to the node parameter
Figure BDA0003491335240000047
Sharelr is the shared learning rate of the federal intrusion detection convolution model;
Figure BDA0003491335240000048
is the updated node parameter of the t-th local round;
305) the calculation of the loss value MultiLabelLoss of the model parameters and of the partial derivative value
Figure BDA0003491335240000049
is repeated until the number of local training batches reaches the maximum.
In step 4), after each participant completes one round of updating of the local federal intrusion detection convolution model, the encryption state submodel splitting and fusion algorithm is adopted to split the updated local federal intrusion detection convolution model into N encryption state submodels, each encryption state submodel is exchanged with other participants, and finally the encryption state submodels obtained by accumulating and exchanging of each participant are used as the local encryption state federal intrusion detection convolution model, and the specific steps are as follows:
401) the initiator InitiOrgan holds the updated local federal intrusion detection convolution model $M_1$, the first participant PartiOrgan_1 holds the updated local federal intrusion detection convolution model $M_2$, …, and the (N-1)-th participant PartiOrgan_{n-1} holds the updated local federal intrusion detection convolution model $M_n$;
402) the initiator InitiOrgan takes N-1 random operators $Rm_2, Rm_3, \dots, Rm_n$ and then calculates the following N encryption state submodels:
$\langle M_1\rangle_2 = Rm_2$
$\langle M_1\rangle_3 = Rm_3$
……
$\langle M_1\rangle_n = Rm_n$
$\langle M_1\rangle_1 = M_1 - \langle M_1\rangle_2 - \langle M_1\rangle_3 - \dots - \langle M_1\rangle_n$
where $\langle\cdot\rangle$ denotes the encryption state ciphertext in the encryption state submodel splitting and fusion algorithm;
403) the initiator InitiOrgan forwards the encryption state submodel $\langle M_1\rangle_2$ to the first participant PartiOrgan_1, the encryption state submodel $\langle M_1\rangle_3$ to the second participant PartiOrgan_2, and so on; likewise, the first participant PartiOrgan_1 and the second participant PartiOrgan_2 each perform the same operation as the initiator InitiOrgan and forward their encryption state submodels to the other participants; after one round of forwarding, the initiator InitiOrgan holds the encryption state submodels $\langle M_1\rangle_1, \langle M_2\rangle_1, \dots, \langle M_n\rangle_1$; the first participant PartiOrgan_1 holds $\langle M_1\rangle_2, \langle M_2\rangle_2, \dots, \langle M_n\rangle_2$; the second participant PartiOrgan_2 holds $\langle M_1\rangle_3, \langle M_2\rangle_3, \dots, \langle M_n\rangle_3$; and so on;
404) each participant locally sums the encryption state submodels it obtained in the exchange and uses the sum as its local encryption state federal intrusion detection convolution model:
InitiOrgan: $\langle M\rangle_1 = \langle M_1\rangle_1 + \langle M_2\rangle_1 + \dots + \langle M_n\rangle_1$
PartiOrgan_1: $\langle M\rangle_2 = \langle M_1\rangle_2 + \langle M_2\rangle_2 + \dots + \langle M_n\rangle_2$
PartiOrgan_{n-1}: $\langle M\rangle_n = \langle M_1\rangle_n + \langle M_2\rangle_n + \dots + \langle M_n\rangle_n$
where $\langle M\rangle_1$ is the local encryption state federal intrusion detection convolution model that the initiator InitiOrgan obtains by summing the exchanged encryption state submodels, $\langle M\rangle_2$ is the local encryption state federal intrusion detection convolution model obtained in the same way by the first participant PartiOrgan_1, $\langle M\rangle_3$ is the one obtained by the second participant PartiOrgan_2, and so on.
In step 6), the calculation formula of the encryption state federal model incremental weighted average is as follows:
Figure BDA0003491335240000061
Figure BDA0003491335240000062
where $GloModel_t$ represents the global federal intrusion detection convolution model issued by the coordinator in round t;
Figure BDA0003491335240000063
representing a local encryption state model obtained after the ith round of training of the ith participant;
Figure BDA0003491335240000064
representing the difference value of the local encryption state model parameters of the current round and the global initial federal intrusion detection convolution model parameters of the current round, wherein the value of the difference value is used as the model parameter increment uploaded by the participants of the current round; and N represents the number of participants participating in the global iteration of the current round.
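The splitting, exchange and summation of steps 401) to 404), followed by the coordinator's aggregation in step 6), can be traced in a short Python sketch; this is an added example, not code from the patent. Assumptions: model parameters are flat lists of floats, shares are fixed-point values in the ring of integers modulo 2^64 (the patent does not name a number domain), the coordinator takes a plain mean in place of the patent's incremental weighted average (whose formula image is missing here), and all function names are hypothetical.

```python
import secrets

MOD = 2 ** 64    # assumption: shares live in the ring Z_{2^64}
SCALE = 2 ** 24  # assumption: fixed-point scale for float parameters


def encode(weights):
    """Floats -> fixed-point ring elements (negative values wrap modulo MOD)."""
    return [round(w * SCALE) % MOD for w in weights]


def decode(values, divisor=1):
    """Ring elements -> floats; `divisor` turns a decoded sum into a mean."""
    out = []
    for v in values:
        signed = v - MOD if v >= MOD // 2 else v
        out.append(signed / SCALE / divisor)
    return out


def split(model, n):
    """Step 402: draw n-1 uniform masks Rm_2..Rm_n; <M>_1 = M - sum of masks."""
    if n < 2:
        raise ValueError("splitting needs at least two participants")
    masks = [[secrets.randbelow(MOD) for _ in model] for _ in range(n - 1)]
    first = [(model[k] - sum(mask[k] for mask in masks)) % MOD
             for k in range(len(model))]
    return [first] + masks  # index j holds the share destined for party j+1


def exchange(local_models):
    """Steps 403-404: party i sends share j of M_i to party j; every party
    sums the shares it holds into its local encryption state model <M>_j."""
    n = len(local_models)
    dim = len(local_models[0])
    if any(len(m) != dim for m in local_models):
        raise ValueError("all participants must share one model shape")
    shares = [split(encode(m), n) for m in local_models]  # shares[i][j] = <M_i>_j
    return [[sum(shares[i][j][k] for i in range(n)) % MOD for k in range(dim)]
            for j in range(n)]


def coordinator_mean(masked_models):
    """Step 6, simplified to a plain mean (assumption). The coordinator only
    ever sees <M>_j; the random masks cancel when all uploads are added."""
    n = len(masked_models)
    dim = len(masked_models[0])
    total = [sum(m[k] for m in masked_models) % MOD for k in range(dim)]
    return decode(total, divisor=n)


# Constructed sample: three participants, three parameters each.
SAMPLE_MODELS = [[0.5, -1.25, 2.0], [1.5, 0.25, -2.0], [-0.5, 1.0, 3.0]]

if __name__ == "__main__":
    uploads = exchange(SAMPLE_MODELS)
    for j, upload in enumerate(uploads, start=1):
        print(f"<M>_{j} as seen by the coordinator: {upload}")
    print("recovered mean:", coordinator_mean(uploads))
```

Uniform masks in a finite ring make each upload statistically independent of any single participant's parameters, which subtracting real-valued random numbers from floats does not guarantee. The protection still depends on confidential participant-to-participant links and on the other participants not pooling the shares they received.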
In step 8), the method for the initiator InitiOrgan to arbitrate the global federated intrusion detection convolution model is as follows:
801) after receiving the global federal intrusion detection convolution model issued by the coordinator, the initiator InitiOrgan first freezes the nodes of the non-convolution sensing layers, and then propagates forward to obtain the arbitration loss value of the arbitration function;
802) the initiator InitiOrgan records the arbitration loss value and judges the convergence state of the arbitration function from it, with the following specific steps:
80201) after multiple rounds of global batch training, if the arbitration loss value has increased rather than decreased, the initiator InitiOrgan requests the coordinator to terminate the federated learning and renegotiate new parameter information;
80202) after multiple rounds of global batch training, if the arbitration loss value is still decreasing, the initiator InitiOrgan takes no action;
80203) after multiple rounds of global batch training, if the arbitration loss value has reached the convergence state, the initiator InitiOrgan requests the coordinator to terminate the federated learning, and the most recently issued global federal intrusion detection convolution model is used as the result of the federated learning.
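The three outcomes of steps 80201) to 80203) can be written as a single decision function over the recorded arbitration loss values; this is an added example, not code from the patent. The patent says only "multiple" rounds, so the window length, the tolerance and every name below are assumptions.

```python
import math
from statistics import mean

CONTINUE = "continue"                                       # 80202
RENEGOTIATE = "terminate_and_renegotiate"                    # 80201
ACCEPT = "terminate_and_accept_last_global_model"            # 80203


def arbitrate(loss_history, window=3, tol=1e-3):
    """Decide what the initiator reports to the coordinator.

    loss_history: arbitration loss per global round, oldest first.
    window, tol:  assumed values; the mean of the latest `window` rounds is
                  compared with the mean of the `window` rounds before them.
    """
    if window < 1:
        raise ValueError("window must be at least 1")
    # A NaN or infinite loss means the global model has diverged (or was
    # corrupted by an upload); treat it like a rising loss.
    if any(not math.isfinite(x) for x in loss_history):
        return RENEGOTIATE
    if len(loss_history) < 2 * window:
        return CONTINUE  # too few rounds recorded to judge a trend
    previous = mean(loss_history[-2 * window:-window])
    latest = mean(loss_history[-window:])
    if latest > previous + tol:
        return RENEGOTIATE   # loss increased instead of decreasing
    if previous - latest <= tol:
        return ACCEPT        # loss has flattened: converged
    return CONTINUE          # loss is still decreasing


# Constructed loss traces, one per branch.
RISING = [0.9, 0.7, 0.6, 0.7, 0.9, 1.2]
FALLING = [2.0, 1.6, 1.3, 1.0, 0.8, 0.6]
FLAT = [0.9, 0.5, 0.3, 0.2001, 0.2000, 0.2002, 0.2001, 0.2000, 0.2001]

if __name__ == "__main__":
    for name, trace in (("rising", RISING), ("falling", FALLING), ("flat", FLAT)):
        print(name, "->", arbitrate(trace))
```

Because the initiator evaluates on data the coordinator never sees, a rising or non-finite arbitration loss is also a cheap signal that an aggregated round degraded the detector and should not be deployed.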
The network intrusion cooperative detection method based on the federal learning provided by the invention has the following beneficial effects:
(1) Unlike the traditional approach in which the coordinator completely controls the federated learning process, in this method the initiator of the federated learning and the coordinator jointly build a horizontal federated learning task, and the trained Federal Intrusion Detection Convolutional Model (FIDCM) is better suited to the service requirements of the initiator.
(2) The federated learning task uses a federal model increment average aggregation function, which improves the efficiency of federated learning.
(3) Each participant uploads its model as an encryption state federal intrusion detection convolution model, which prevents semi-honest participants from mounting model inversion attacks on other participants.
(4) The initiator of the federated learning performs arbitration, which keeps the intrusion detection library from being acquired by the coordinator, ensures the end-to-end security of the model parameters, and is intended to enhance the robustness of the model.
Drawings
Fig. 1 is a flowchart of a federated learning-based network intrusion cooperative detection method provided in the present invention.
FIG. 2 is a flow chart of local initial federated intrusion detection convolutional model training performed by each participant in the present invention.
FIG. 3 is a flow chart of an algorithm for splitting and fusing encryption state submodels of N participants.
FIG. 4 is a flow diagram of global federated intrusion detection convolution model arbitration in accordance with the present invention.
Detailed Description
The invention is described in detail below with reference to the figures and the specific embodiments.
As shown in fig. 1, the federated learning-based network intrusion cooperative detection method provided by the present invention includes the following steps performed in sequence:
1) the initiator InitiOrgan acts as one of the N participants of the federated learning and takes part in both the training and the arbitration of the federal intrusion detection convolution model; the other participants PartiOrgan, from the first participant PartiOrgan_1 to the (N-1)-th participant PartiOrgan_{n-1}, take part only in the training of the federal intrusion detection convolution model; first, the initiator InitiOrgan sends a federated learning request to the coordinator, and the initiator InitiOrgan and the coordinator jointly determine the parameter information related to the federal intrusion detection convolution model according to their own requirements;
The method is suitable for horizontal federated learning among multiple organizations, and the coordinator does not have full authority to determine the parameter information related to the federated learning. The coordinator role is carried out by an aggregation server whose main tasks are to send the initial federal intrusion detection convolution model, receive the updated federal intrusion detection convolution models, and compute the incremental weighted average of the federal intrusion detection convolution model; the coordinator also determines which participants are entitled to take part in a single training round.
The parameter information includes:
101) Algorithm selection: the algorithm selected for federated learning. (SelectedModel: Fed-Resnet-18)
102) Data processing method: the data preprocessing method of each local intrusion detection library, here a standardization method and a CNN pixel matrix conversion method. (DataPreprocessing: [ normaliztion: MinMaxScaler, PixelMatrixRow:7])
103) Privacy protection method: the encryption mode used when uploading the updated federal intrusion detection convolution model. (PrivacyProtectMethod: EncrypttedModelAccumulation)
104) Number of participants: the total number of participants in the training of the federal intrusion detection convolution model. (Participants:10)
105) Global rounds: the maximum number of training rounds of the global federal intrusion detection convolution model. (GlobalaEpochs: 100)
106) Local rounds: the number of times each participant trains in a single round. (LocalEpochs:10)
107) Shared batch size: the batch size specified by the coordinator for use by each participant. (BatchSize:64)
108) Participant ratio: the proportion of participants randomly selected in a single round. (SampleRatio:0.5)
109) Node update method: the method for updating the node parameters of the federal intrusion detection convolution model. (UpdateNodePar: FSMSGD)
110) Shared learning rate: the learning rate specified by the coordinator and shared by each participant. (Sharelr:0.001)
111) Shared momentum: the momentum value specified by the coordinator and shared by the participants. (ShareMomentum:0.0001)
2) the coordinator sends the relevant parameter information to each participant that trains a local federal intrusion detection convolution model;
3) after obtaining the parameter information, each participant initializes a local federal intrusion detection convolution model according to the parameter information to obtain a local initial federal intrusion detection convolution model, and then feeds its locally owned intrusion detection library into its local initial federal intrusion detection convolution model for training to obtain an updated local federal intrusion detection convolution model;
as shown in fig. 2, the training method is as follows:
301) each participant preprocesses its locally owned intrusion detection library, including standardization and conversion of the feature matrix into a CNN pixel matrix; the dimension of the CNN pixel matrix is determined by the number of features in the intrusion detection library, and since the intrusion detection library comprises 41 features, the dimension of the CNN pixel matrix after conversion is 7 x 7 (PixelMatrixRow);
302) the preprocessed intrusion detection library is divided into batches using the local batch size (BatchSize) and shuffled; the participant then uses the global initial federal intrusion detection convolution model issued by the coordinator to construct a local initial federal intrusion detection convolution model (SelectedModel); each participant then locally trains the local initial federal intrusion detection convolution model for E (LocalEpochs) rounds to update the model parameters;
303) the local initial federal intrusion detection convolution model is propagated forward to calculate each node parameter, and the loss value MultiLabelLoss of the model parameters is then calculated with the federal multi-label entropy loss function, whose formula is as follows:
Figure BDA0003491335240000101
wherein i represents a sample; n represents the total number of samples; MCOORDI represents the number of label categories of the training task selected by the coordinator;
Figure BDA0003491335240000102
is an indicator function whose value is 1 if the label type of sample i is the same as label category c, and 0 otherwise; $predSoftmax_i^c$ represents the predicted probability value of sample i for label category c;
304) the partial derivative values are solved with the Federal shared momentum SGD algorithm and used to update the node parameters, where the calculation formula of the Federal shared momentum SGD is as follows:
Figure BDA0003491335240000103
Figure BDA0003491335240000104
where $mavg_t$ is, for the node parameter
Figure BDA0003491335240000111
the average value of the momentum of the t-th local round under the shared momentum ShareMomentum; the shared momentum ShareMomentum is the momentum value of the federal shared momentum SGD specified by the coordinator;
Figure BDA0003491335240000112
is the partial derivative value of the loss value MultiLabelLoss of the model parameters of the t-th local round with respect to the node parameter
Figure BDA0003491335240000113
Sharelr is the shared learning rate of the federal intrusion detection convolution model;
Figure BDA0003491335240000114
is the updated node parameter of the t-th local round;
305) the calculation of the loss value MultiLabelLoss of the model parameters and of the partial derivative value
Figure BDA0003491335240000115
is repeated until the number of local training batches reaches the maximum.
4) after each participant completes one round of updating of the local federal intrusion detection convolution model, it uses the encryption state submodel splitting and fusion algorithm to split the updated local federal intrusion detection convolution model into N encryption state submodels and exchanges the encryption state submodels with the other participants; finally, each participant sums the encryption state submodels it obtained in the exchange and uses the sum as its local encryption state federal intrusion detection convolution model;
as shown in fig. 3, the specific steps are as follows:
401) the initiator InitiOrgan holds the updated local federal intrusion detection convolution model $M_1$, the first participant PartiOrgan_1 holds the updated local federal intrusion detection convolution model $M_2$, …, and the (N-1)-th participant PartiOrgan_{n-1} holds the updated local federal intrusion detection convolution model $M_n$;
402) the initiator InitiOrgan takes N-1 random operators $Rm_2, Rm_3, \dots, Rm_n$ and then calculates the following N encryption state submodels:
$\langle M_1\rangle_2 = Rm_2$
$\langle M_1\rangle_3 = Rm_3$
……
$\langle M_1\rangle_n = Rm_n$
$\langle M_1\rangle_1 = M_1 - \langle M_1\rangle_2 - \langle M_1\rangle_3 - \dots - \langle M_1\rangle_n$
where $\langle\cdot\rangle$ denotes the encryption state ciphertext in the encryption state submodel splitting and fusion algorithm;
403) the initiator InitiOrgan forwards the encryption state submodel $\langle M_1\rangle_2$ to the first participant PartiOrgan_1, the encryption state submodel $\langle M_1\rangle_3$ to the second participant PartiOrgan_2, and so on; likewise, the first participant PartiOrgan_1 and the second participant PartiOrgan_2 each perform the same operation as the initiator InitiOrgan and forward their encryption state submodels to the other participants; after one round of forwarding, the initiator InitiOrgan holds the encryption state submodels $\langle M_1\rangle_1, \langle M_2\rangle_1, \dots, \langle M_n\rangle_1$; the first participant PartiOrgan_1 holds $\langle M_1\rangle_2, \langle M_2\rangle_2, \dots, \langle M_n\rangle_2$; the second participant PartiOrgan_2 holds $\langle M_1\rangle_3, \langle M_2\rangle_3, \dots, \langle M_n\rangle_3$; and so on;
404) each participant locally sums the encryption state submodels it obtained in the exchange and uses the sum as its local encryption state federal intrusion detection convolution model:
InitiOrgan: $\langle M\rangle_1 = \langle M_1\rangle_1 + \langle M_2\rangle_1 + \dots + \langle M_n\rangle_1$
PartiOrgan_1: $\langle M\rangle_2 = \langle M_1\rangle_2 + \langle M_2\rangle_2 + \dots + \langle M_n\rangle_2$
PartiOrgan_{n-1}: $\langle M\rangle_n = \langle M_1\rangle_n + \langle M_2\rangle_n + \dots + \langle M_n\rangle_n$
where $\langle M\rangle_1$ is the local encryption state federal intrusion detection convolution model that the initiator InitiOrgan obtains by summing the exchanged encryption state submodels, $\langle M\rangle_2$ is the local encryption state federal intrusion detection convolution model obtained in the same way by the first participant PartiOrgan_1, $\langle M\rangle_3$ is the one obtained by the second participant PartiOrgan_2, and so on.
5) Each participant uploads a respective local encryption state federal intrusion detection convolution model to a coordinator;
6) the coordinator performs an encryption state federal model incremental weighted average over the local encryption state federal intrusion detection convolution models uploaded by all the participants to obtain a global federal intrusion detection convolution model;
the calculation formula of the encryption state federal model incremental weighted average is as follows:
Figure BDA0003491335240000131
Figure BDA0003491335240000132
where $GloModel_t$ represents the global federal intrusion detection convolution model issued by the coordinator in round t;
Figure BDA0003491335240000133
representing a local encryption state model obtained after the ith round of training of the ith participant;
Figure BDA0003491335240000134
representing the difference value of the local encryption state model parameters of the current round and the global initial federal intrusion detection convolution model parameters of the current round, wherein the value of the difference value is used as the model parameter increment uploaded by the participants of the current round; n represents the number of participants participating in the global iteration of the current round;
7) the coordinator sends the global federal intrusion detection convolution model to each participant;
8) the other participants PartiOrgan continue training the global federal intrusion detection convolution model using their local intrusion detection libraries; the initiator InitiOrgan splits its local intrusion detection library in a ratio of 9:1 for training and arbitrating the global federal intrusion detection convolution model, where the arbitration function adopts a federal multi-label entropy loss function, and feeds the federal learning status back to the coordinator according to the convergence state of the arbitration function.
As shown in fig. 4, the method for the initiator InitiOrgan to arbitrate the global federated intrusion detection convolution model is as follows:
801) after receiving the global federal intrusion detection convolution model issued by the coordinator, the initiator InitiOrgan first freezes the nodes of the non-convolutional perception layers, and then performs forward propagation to obtain the arbitration loss value of the arbitration function;
802) the initiator InitiOrgan records the arbitration loss value, and judges the convergence status of the arbitration function according to the arbitration loss value:
the method comprises the following specific steps:
80201) After multiple rounds of global batch training, if the arbitration loss value increases rather than decreases, the initiator InitiOrgan requests the coordinator to terminate federal learning and renegotiate new parameter information;
80202) After multiple rounds of global batch training, if the arbitration loss value is still decreasing, the initiator InitiOrgan takes no action;
80203) After multiple rounds of global batch training, if the arbitration loss value has reached the convergence state, the initiator InitiOrgan requests the coordinator to terminate the federal learning, and the most recently issued global federal intrusion detection convolution model is used as the result of the federal learning.
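
The split, exchange and accumulation of steps 401) to 404), followed by the coordinator adding up the uploads, as an added example that is not part of the patent. It assumes fixed-point weights in the ring of integers modulo 2^64 (the patent only speaks of random operators) and that each participant keeps the remainder share at its own index; all function names are hypothetical, and the weighting of step 6) is left out because its formula is not reproduced on this page.

```python
"""Additive split-and-fuse of model updates (added illustration, not the patent's code)."""
import secrets

MODULUS = 2 ** 64   # assumption: share arithmetic is done in the ring Z_{2^64}
SCALE = 2 ** 16     # assumption: fixed-point scale used to encode float weights


def encode(weights):
    """Map float weights to fixed-point ring elements."""
    return [round(w * SCALE) % MODULUS for w in weights]


def decode(values):
    """Map ring elements back to floats, treating the upper half as negatives."""
    return [(v - MODULUS if v >= MODULUS // 2 else v) / SCALE for v in values]


def split(model, n, owner):
    """Step 402: draw n-1 random shares; the owner's share is the remainder."""
    shares = [[secrets.randbelow(MODULUS) for _ in model] for _ in range(n)]
    shares[owner] = [
        (model[k] - sum(shares[j][k] for j in range(n) if j != owner)) % MODULUS
        for k in range(len(model))
    ]
    return shares   # shares[j] is <M_owner>_j, destined for participant j


def exchange_and_fuse(models):
    """Steps 403-404: participant j receives <M_i>_j from every i and adds them up."""
    n, dim = len(models), len(models[0])
    if any(len(m) != dim for m in models):
        raise ValueError("all participants must share one model shape")
    all_shares = [split(encode(m), n, i) for i, m in enumerate(models)]
    return [
        [sum(all_shares[i][j][k] for i in range(n)) % MODULUS for k in range(dim)]
        for j in range(n)
    ]   # element j is <M>_j, the only thing participant j uploads


def coordinator_sum(uploads):
    """Coordinator side: adding all <M>_j yields M_1 + ... + M_n, nothing finer."""
    dim = len(uploads[0])
    total = [sum(u[k] for u in uploads) % MODULUS for k in range(dim)]
    return decode(total)


# Constructed sample: three participants, three weights each.
SAMPLE_MODELS = [[0.5, -1.25, 2.0], [1.5, 0.25, -3.0], [-0.75, 1.0, 0.5]]

if __name__ == "__main__":
    fused = exchange_and_fuse(SAMPLE_MODELS)
    print("upload of participant 0:", fused[0])   # looks uniformly random
    print("coordinator sum:", coordinator_sum(fused))
```

Over a finite ring every individual share and every upload is uniformly distributed, which is what the fixed-point encoding provides and plain floating-point subtraction does not.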

Claims (6)

1. A network intrusion cooperative detection method based on federal learning is characterized in that: the network intrusion cooperative detection method based on the federal learning comprises the following steps in sequence:
1) the initiator InitiOrgan acts as one of the N participants of the federal learning and participates in both the training and the arbitration of the federal intrusion detection convolution model; the other participants PartiOrgan include the first participant $PartiOrgan_1$, …, the (N-1)-th participant $PartiOrgan_{n-1}$, and only participate in the training of the federal intrusion detection convolution model; first, the initiator InitiOrgan sends a request for federal learning to a coordinator, and the initiator InitiOrgan and the coordinator jointly determine the parameter information related to the federal intrusion detection convolution model according to their own requirements;
2) the coordinating party issues the relevant parameter information to each participating party of the local federal intrusion detection convolution model;
3) after obtaining the parameter information, each participant initializes a local federal intrusion detection convolution model according to the parameter information to obtain a local initial federal intrusion detection convolution model, and then transmits an intrusion detection library owned locally into each local initial federal intrusion detection convolution model for training to obtain an updated local federal intrusion detection convolution model;
4) after each participant completes one round of updating of the local federal intrusion detection convolution model, an encryption state submodel splitting and fusion algorithm is adopted to split the updated local federal intrusion detection convolution model into N encryption state submodels, each encryption state submodel is exchanged with other participants, and finally the encryption state submodels obtained by accumulation exchange of each participant are used as the local encryption state federal intrusion detection convolution model;
5) each participant uploads a respective local encryption state federal intrusion detection convolution model to a coordinator;
6) the coordinator performs an encryption state federal model incremental weighted average over the local encryption state federal intrusion detection convolution models uploaded by all the participants to obtain a global federal intrusion detection convolution model;
7) the coordinator sends the global federal intrusion detection convolution model to each participant;
8) the other participants PartiOrgan continue training the global federal intrusion detection convolution model using their local intrusion detection libraries; the initiator InitiOrgan splits its local intrusion detection library in a ratio of 9:1 for training and arbitrating the global federal intrusion detection convolution model, the arbitration function adopts a federal multi-label entropy loss function, and the federal learning status is fed back to the coordinator according to the convergence state of the arbitration function.
2. The federated learning-based network intrusion collaborative detection method of claim 1, wherein: in step 1), the parameter information includes:
101) algorithm selection: the algorithm selected for federal learning;
102) data processing method: the data preprocessing method of each local intrusion detection library;
103) privacy protection method: the encryption mode used when uploading the updated federal intrusion detection convolution model;
104) number of participants: the total number of participants in the federal intrusion detection convolution model training;
105) global rounds: the maximum number of rounds for training the global federal intrusion detection convolution model;
106) local rounds: the number of times each participant trains in a single round;
107) shared batch size: the batch size specified by the coordinator and shared by all the participants;
108) participant ratio: the proportion of participants randomly selected in a single round;
109) node updating method: the method for updating the node parameters of the federal intrusion detection convolution model;
110) shared learning rate: the learning rate specified by the coordinator and used by all the participants;
111) shared momentum: the momentum specified by the coordinator and shared by all the participants.
3. The federated learning-based network intrusion collaborative detection method of claim 1, wherein: in step 3), the training method is as follows:
301) each participant preprocesses the intrusion detection library it owns locally, including standardization and conversion of the feature matrix into a CNN pixel matrix;
302) the preprocessed intrusion detection library is divided into batches using the local batch size and its order is shuffled; the participant then constructs a local initial federal intrusion detection convolution model from the global initial federal intrusion detection convolution model issued by the coordinator; each participant then trains the local initial federated intrusion detection convolution model locally for E rounds to update the model parameters;
303) the local initial federal intrusion detection convolution model is propagated forward to calculate the parameters of each node, and the loss value MultiLabelLoss of the model parameters is then calculated using the federal multi-label entropy loss function, with the following formula:
Figure FDA0003491335230000031
wherein i represents a sample; n represents the total number of samples; MCOORDI represents the number of label categories of the training task selected by the coordinator;
Figure FDA0003491335230000032
if the label category of sample i is the same as label category c, the value of the sign function of sample i is 1, otherwise it is 0; $predSoftmax_c^i$ represents the predicted probability value of sample i for label category c;
304) the model is propagated backward and the partial derivative of the loss value of the model parameters with respect to each neuron node parameter is calculated; the federal shared momentum SGD algorithm is used to obtain the partial derivatives and to update the node parameters according to their magnitude, where the calculation formulas of the federal shared momentum SGD are as follows:
Figure FDA0003491335230000033
Figure FDA0003491335230000034
where $mavg_t$ is, for the node parameter
Figure FDA0003491335230000035
the average value of the momentum in the t-th local round under the shared momentum sharememan; the shared momentum sharemen is the momentum of the federal shared momentum SGD specified by the coordinator;
Figure FDA0003491335230000036
is the partial derivative value of the loss value MultiLabelLoss of the model parameters of the t-th local round with respect to the node parameter
Figure FDA0003491335230000037
sharerl is the shared learning rate (sharerlr) of the federal intrusion detection convolution model;
Figure FDA0003491335230000038
is the updated node parameter of the t-th local round;
305) the calculation of the loss value MultiLabelLoss and the partial derivative value of the model parameters
Figure FDA0003491335230000039
is repeated until the number of local training batches reaches the maximum.
4. The federated learning-based network intrusion collaborative detection method of claim 1, wherein: in step 4), after each participant completes one round of updating of the local federal intrusion detection convolution model, the encryption state submodel splitting and fusion algorithm is adopted to split the updated local federal intrusion detection convolution model into N encryption state submodels, each encryption state submodel is exchanged with other participants, and finally the encryption state submodels obtained by accumulating and exchanging of each participant are used as the local encryption state federal intrusion detection convolution model, and the specific steps are as follows:
401) the initiator InitiOrgan holds the updated local federated intrusion detection convolution model $M_1$, the first participant $PartiOrgan_1$ holds the updated local federated intrusion detection convolution model $M_2$, …, and the (N-1)-th participant $PartiOrgan_{n-1}$ holds the updated local federal intrusion detection convolution model $M_n$;
402) the initiator InitiOrgan takes N-1 random operators, namely $Rm_2$, $Rm_3$, …, $Rm_n$, and then calculates the following N encryption state submodels:
$\langle M_1\rangle_2 = Rm_2$
$\langle M_1\rangle_3 = Rm_3$
……
$\langle M_1\rangle_n = Rm_n$
$\langle M_1\rangle_1 = M_1 - \langle M_1\rangle_2 - \langle M_1\rangle_3 - \dots - \langle M_1\rangle_n$
where $\langle\cdot\rangle$ denotes an encryption state ciphertext in the encryption state submodel splitting and fusion algorithm;
403) the initiator InitiOrgan forwards the encryption state submodel $\langle M_1\rangle_2$ to the first participant $PartiOrgan_1$, the encryption state submodel $\langle M_1\rangle_3$ to the second participant $PartiOrgan_2$, and so on; likewise, the first participant $PartiOrgan_1$ and the second participant $PartiOrgan_2$ both perform the same operation as the initiator InitiOrgan and forward their encryption state submodels to the other participants; after this forwarding, the initiator InitiOrgan holds the encryption state submodels $\langle M_1\rangle_1$, $\langle M_2\rangle_1$, …, $\langle M_n\rangle_1$; the first participant $PartiOrgan_1$ holds the encryption state submodels $\langle M_1\rangle_2$, $\langle M_2\rangle_2$, …, $\langle M_n\rangle_2$; the second participant $PartiOrgan_2$ holds the encryption state submodels $\langle M_1\rangle_3$, $\langle M_2\rangle_3$, …, $\langle M_n\rangle_3$; and so on;
404) each participant locally accumulates the encryption state submodels obtained through the exchange and uses the result as its local encryption state federal intrusion detection convolution model:
InitiOrgan: $\langle M\rangle_1 = \langle M_1\rangle_1 + \langle M_2\rangle_1 + \dots + \langle M_n\rangle_1$
$PartiOrgan_1$: $\langle M\rangle_2 = \langle M_1\rangle_2 + \langle M_2\rangle_2 + \dots + \langle M_n\rangle_2$
$PartiOrgan_{n-1}$: $\langle M\rangle_n = \langle M_1\rangle_n + \langle M_2\rangle_n + \dots + \langle M_n\rangle_n$
where $\langle M\rangle_1$ is the local encryption state federal intrusion detection convolution model obtained by the initiator InitiOrgan by accumulating the exchanged encryption state submodels, $\langle M\rangle_2$ is the local encryption state federal intrusion detection convolution model obtained by the first participant $PartiOrgan_1$ through accumulation and exchange, $\langle M\rangle_3$ is the local encryption state federal intrusion detection convolution model obtained by the second participant $PartiOrgan_2$ through accumulation and exchange, and so on.
5. The federated learning-based network intrusion collaborative detection method of claim 1, wherein: in step 6), the calculation formula of the encryption state federal model incremental weighted average is as follows:
Figure FDA0003491335230000051
Figure FDA0003491335230000052
where $GloModel_t$ represents the global federal intrusion detection convolution model issued by the coordinator in round t;
Figure FDA0003491335230000053
representing a local encryption state model obtained after the ith round of training of the ith participant;
Figure FDA0003491335230000054
representing the difference value of the local encryption state model parameters of the current round and the global initial federal intrusion detection convolution model parameters of the current round, wherein the value of the difference value is used as the model parameter increment uploaded by the participants of the current round; and N represents the number of participants participating in the global iteration of the current round.
6. The federated learning-based network intrusion collaborative detection method of claim 1, wherein: in step 8), the method for the initiator InitiOrgan to arbitrate the global federated intrusion detection convolution model is as follows:
801) after receiving the global federal intrusion detection convolution model issued by the coordinator, the initiator InitiOrgan first freezes the nodes of the non-convolutional perception layers, and then performs forward propagation to obtain the arbitration loss value of the arbitration function;
802) the initiator InitiOrgan records the arbitration loss value, and judges the convergence status of the arbitration function according to the arbitration loss value:
the method comprises the following specific steps:
80201) After multiple rounds of global batch training, if the arbitration loss value increases rather than decreases, the initiator InitiOrgan requests the coordinator to terminate federal learning and renegotiate new parameter information;
80202) After multiple rounds of global batch training, if the arbitration loss value is still decreasing, the initiator InitiOrgan takes no action;
80203) After multiple rounds of global batch training, if the arbitration loss value has reached the convergence state, the initiator InitiOrgan requests the coordinator to terminate the federal learning, and the most recently issued global federal intrusion detection convolution model is used as the result of the federal learning.
CN202210097210.1A 2022-01-27 2022-01-27 Network intrusion collaborative detection method based on federal learning Active CN114640498B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210097210.1A CN114640498B (en) 2022-01-27 2022-01-27 Network intrusion collaborative detection method based on federal learning


Publications (2)

Publication Number Publication Date
CN114640498A true CN114640498A (en) 2022-06-17
CN114640498B CN114640498B (en) 2023-08-29

Family

ID=81945917


Country Status (1)

Country Link
CN (1) CN114640498B (en)



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant