CN114640498B - Network intrusion collaborative detection method based on federated learning - Google Patents
- Publication number: CN114640498B (application CN202210097210.1A)
- Authority: CN (China)
- Prior art keywords: federal, intrusion detection, model, local, convolution model
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/1416—Event detection, e.g. attack signature detection
- G06N20/20—Ensemble learning
- G06N3/045—Combinations of networks
- G06N3/047—Probabilistic or stochastic networks
- G06N3/084—Backpropagation, e.g. using gradient descent
- H04L63/1441—Countermeasures against malicious traffic
- Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Abstract
A network intrusion collaborative detection method based on federated learning. The method includes: an initiator initiating a federated learning request; the coordinator issuing parameter information; each participant locally training a federated intrusion detection convolution model; obtaining and uploading a local encrypted-state federated intrusion detection convolution model; obtaining and issuing a global federated intrusion detection convolution model; and feeding back the federated learning status. The federated intrusion detection convolution model trained by the invention is better suited to the initiator's own business requirements. The federated learning task uses a federated model incremental average aggregation function, so federated learning efficiency can be improved. Each participant uploads an encrypted-state federated intrusion detection convolution model, so model inversion attacks by semi-honest participants on other participants can be prevented. Arbitration is performed by the initiator of the federated learning, so the intrusion detection library is protected from being obtained by the coordinator, the end-to-end security of the model parameters can be ensured, and model robustness is enhanced.
Description
Technical Field
The invention belongs to the technical field of network intrusion detection, and in particular relates to a network intrusion collaborative detection method based on federated learning.
Background
In recent years, with the spread of big data applications, networks have become a tool that everyone knows and uses. The explosive growth in the number of network users has brought an exponential increase in network traffic, and with it an increase in network security problems. The network intrusion detection system (Network Intrusion Detection System, IDS for short) is a major component of network security and has long been a research hot spot in the field of network security technology.
Traditional network intrusion detection mainly trains on samples from a single site. In today's complex and changeable network environment, single-site training has the following problems:
(1) The number of available samples is limited: a single institution that collects malicious attack samples has only a limited number of labelled samples, so the sample count, and especially the malicious sample count, is insufficient. In practice the intrusion detection model therefore tends to generate a large number of false alarms, which drown out the real attack alarms.
(2) Malicious samples take many forms: attack methods and patterns are varied, and the malicious samples collected by each institution differ. A model trained by a single institution is limited against some malicious attacks and cannot adapt well to complex real-world environments.
(3) Data islands exist between institutions: as network security law matures, an institution's data cannot be freely moved out of its repository or freely used in plaintext, which creates data islands between institutions. How to use the data without revealing it has become a very difficult problem.
Disclosure of Invention
To solve the above problems, the invention aims to provide a network intrusion collaborative detection method based on federated learning.
To achieve this object, the network intrusion collaborative detection method based on federated learning provided by the invention comprises the following steps, performed in order:
1) The initiator InitiOrgan, as one of the N participants in federated learning, takes part in both the training and the arbitration of the federated intrusion detection convolution model; the other participants PartiOrgan, comprising the first participant $PartiOrgan_1$ through the (N-1)-th participant $PartiOrgan_{n-1}$, take part only in the training of the federated intrusion detection convolution model. First, the initiator InitiOrgan initiates a federated learning request to the coordinator, and the initiator InitiOrgan, according to its own requirements, determines together with the coordinator the parameter information related to the federated intrusion detection convolution model;
2) The coordinator issues the relevant parameter information to the local federated intrusion detection convolution model of each participant;
3) After obtaining the parameter information, each participant initializes its local federated intrusion detection convolution model according to that information to obtain a local initial federated intrusion detection convolution model, then feeds its locally owned intrusion detection library into the local initial federated intrusion detection convolution model for training to obtain an updated local federated intrusion detection convolution model;
4) After each participant completes one round of local federated intrusion detection convolution model updating, it uses the encrypted-state submodel splitting and fusion algorithm to split the updated local federated intrusion detection convolution model into N encrypted-state submodels and exchanges the encrypted-state submodels with the other participants; finally each participant accumulates the encrypted-state submodels obtained by exchange and uses the result as its local encrypted-state federated intrusion detection convolution model;
5) Each participant uploads its local encrypted-state federated intrusion detection convolution model to the coordinator;
6) The coordinator applies the encrypted-state federated model incremental weighted average to the local encrypted-state federated intrusion detection convolution models uploaded by the participants to obtain the global federated intrusion detection convolution model;
7) The coordinator issues the global federated intrusion detection convolution model to each participant;
8) The other participants PartiOrgan continue to train the global federated intrusion detection convolution model with their local intrusion detection libraries; the initiator InitiOrgan uses its locally owned intrusion detection library in a 9:1 ratio to train and arbitrate the global federated intrusion detection convolution model, uses the federated multi-label entropy loss function as the arbitration function, and feeds the federated learning status back to the coordinator according to the convergence state of the arbitration function.
In step 1), the parameter information includes:
101) Algorithm selection: the algorithm selected for federated learning;
102) Data processing method: the data preprocessing method for each local intrusion detection library;
103) Privacy protection method: the encryption mode used when uploading the updated federated intrusion detection convolution model;
104) Number of participants: the total number of participants in the training of the federated intrusion detection convolution model;
105) Global rounds: the maximum number of training rounds for the global federated intrusion detection convolution model;
106) Local rounds: the number of times each participant trains in a single round;
107) Shared batch size: the batch size, specified by the coordinator, that all participants use in common;
108) Participant ratio: the proportion of participants randomly selected in a single round;
109) Node update method: the method selected for updating the node parameters of the federated intrusion detection convolution model;
110) Shared learning rate: the learning rate, specified by the coordinator, for all participants;
111) Shared momentum: the momentum, specified by the coordinator, shared by all participants.
In step 3), the training method is as follows:
301) Each participant preprocesses its locally owned intrusion detection library, including standardization and conversion of the feature matrix into a CNN pixel matrix;
302) The preprocessed intrusion detection library is batched and shuffled using the local batch size; the participant then builds a local initial federated intrusion detection convolution model from the global initial federated intrusion detection convolution model issued by the coordinator; each participant then trains the local initial federated intrusion detection convolution model locally for E rounds to update the model parameters;
303) The local initial federated intrusion detection convolution model is propagated forward to compute each node parameter, and the federated multi-label entropy loss function is then used to compute the loss value MultiLabelLoss of the model parameters, by the following formula:
where i denotes a sample; N denotes the total number of samples; MCOORDI denotes the number of label categories of the training task selected by the coordinator; the sign function of the sample and label class takes the value 1 if the label class of sample i is the same as label class c, and 0 otherwise; $predSoftmax_{c}^{i}$ denotes the predicted probability of sample i for label class c;
304) The model is propagated backward to compute the partial derivative of the loss value MultiLabelLoss of the model parameters with respect to each neuron node parameter; the partial derivatives are solved with the federated shared momentum SGD algorithm and used to update the node parameters. The federated shared momentum SGD is calculated as follows:
where $mavg_t$ is the momentum average of the node parameters in the t-th local round under the shared momentum shareMomen; the shared momentum shareMomen is specified by the coordinator for the federated shared momentum SGD; the partial derivative is that of the t-th local round's loss value MultiLabelLoss of the model parameters with respect to the node parameters; shareLR is the shared learning rate of the federated intrusion detection convolution model; and the update yields the node parameter value of the t-th local round;
305) The loss value MultiLabelLoss of the model parameters and the partial derivatives are computed repeatedly until the number of local batches trained reaches the maximum.
In step 4), the specific steps by which each participant, after completing one round of local federated intrusion detection convolution model updating, splits the updated local model into N encrypted-state submodels with the encrypted-state submodel splitting and fusion algorithm, exchanges them with the other participants, and accumulates the exchanged submodels into its local encrypted-state federated intrusion detection convolution model are as follows:
401) The initiator InitiOrgan holds the updated local federated intrusion detection convolution model $M_1$, the first participant $PartiOrgan_1$ holds the updated local federated intrusion detection convolution model $M_2$, …, and the (N-1)-th participant $PartiOrgan_{n-1}$ holds the updated local federated intrusion detection convolution model $M_n$;
402) The initiator InitiOrgan draws N-1 random operators $Rm_2, Rm_3, \ldots, Rm_n$ and then computes the following N encrypted-state submodels:
$\langle M_1\rangle_2 = Rm_2$
$\langle M_1\rangle_3 = Rm_3$
……
$\langle M_1\rangle_n = Rm_n$
$\langle M_1\rangle_1 = M_1 - \langle M_1\rangle_2 - \langle M_1\rangle_3 - \cdots - \langle M_1\rangle_n$
where $\langle\cdot\rangle$ denotes ciphertext in the encrypted-state submodel splitting and fusion algorithm;
403) The initiator InitiOrgan forwards the encrypted-state submodel $\langle M_1\rangle_2$ to the first participant $PartiOrgan_1$, forwards the encrypted-state submodel $\langle M_1\rangle_3$ to the second participant $PartiOrgan_2$, and so on. Likewise, the first participant $PartiOrgan_1$ and the second participant $PartiOrgan_2$ each perform the same operation as the initiator InitiOrgan and forward their encrypted-state submodels to the other participants. After one round of forwarding, the initiator InitiOrgan holds the encrypted-state submodels $\langle M_1\rangle_1, \langle M_2\rangle_1, \ldots, \langle M_n\rangle_1$; the first participant $PartiOrgan_1$ holds the encrypted-state submodels $\langle M_1\rangle_2, \langle M_2\rangle_2, \ldots, \langle M_n\rangle_2$; the second participant $PartiOrgan_2$ holds the encrypted-state submodels $\langle M_1\rangle_3, \langle M_2\rangle_3, \ldots, \langle M_n\rangle_3$; and so on;
404) Each participant locally accumulates the encrypted-state submodels obtained by exchange and uses the result as its local encrypted-state federated intrusion detection convolution model:
InitiOrgan: $\langle M\rangle_1 = \langle M_1\rangle_1 + \langle M_2\rangle_1 + \cdots + \langle M_n\rangle_1$
$PartiOrgan_1$: $\langle M\rangle_2 = \langle M_1\rangle_2 + \langle M_2\rangle_2 + \cdots + \langle M_n\rangle_2$
…
$PartiOrgan_{n-1}$: $\langle M\rangle_n = \langle M_1\rangle_n + \langle M_2\rangle_n + \cdots + \langle M_n\rangle_n$
where $\langle M\rangle_1$ is the local encrypted-state federated intrusion detection convolution model that the initiator InitiOrgan obtains by accumulating the exchanged encrypted-state submodels, $\langle M\rangle_2$ is the local encrypted-state federated intrusion detection convolution model that the first participant $PartiOrgan_1$ obtains by accumulating the exchanged submodels, $\langle M\rangle_3$ is the local encrypted-state federated intrusion detection convolution model that the second participant $PartiOrgan_2$ obtains by accumulating the exchanged submodels, and so on.
In step 6), the incremental weighted average of the encrypted-state federated model is calculated as follows:
where $GloModel_t$ denotes the global federated intrusion detection convolution model issued by the coordinator in round t; the local encrypted-state model is the one obtained after the i-th participant trains in the i-th round; the difference between the local encrypted-state model parameters of this round and the global initial federated intrusion detection convolution model parameters of this round is used as the model parameter increment uploaded by the participant in this round; N denotes the number of participants taking part in this round's global iteration.
In step 8), the initiator InitiOrgan arbitrates the global federated intrusion detection convolution model as follows:
801) After receiving the global federated intrusion detection convolution model issued by the coordinator, the initiator InitiOrgan first freezes the nodes of the non-convolution sensing layer and then propagates forward to compute the arbitration loss value of the arbitration function;
802) The initiator InitiOrgan records the arbitration loss value and judges the convergence state of the arbitration function from the arbitration loss value.
The specific steps are as follows:
80201) If, after multiple global batches of training, the arbitration loss value rises rather than falls, the initiator InitiOrgan requests the coordinator to terminate federated learning and renegotiate new parameter information;
80202) If, after multiple global batches of training, the arbitration loss value is still falling, the initiator InitiOrgan takes no action;
80203) If, after multiple global batches of training, the arbitration loss value has reached a convergence state, the initiator InitiOrgan requests the coordinator to terminate federated learning and takes the last issued global federated intrusion detection convolution model as the federated learning result.
The network intrusion collaborative detection method based on federated learning has the following beneficial effects:
(1) Unlike traditional methods, in which the federated learning process is controlled entirely by the coordinator, the federated learning initiator and the coordinator jointly build the horizontal federated learning task, so the trained federated intrusion detection convolution model (Federated Intrusion Detection Convolutional Model, FIDCM) is better suited to the initiator's own business requirements.
(2) The federated learning task uses a federated model incremental average aggregation function, so the efficiency of federated learning can be improved.
(3) Each participant uploads an encrypted-state federated intrusion detection convolution model, so model inversion attacks by semi-honest participants on other participants can be prevented.
(4) Arbitration is performed by the initiator of the federated learning, so the intrusion detection library is protected from being obtained by the coordinator, the end-to-end security of the model parameters can be ensured, and model robustness is enhanced.
Drawings
Fig. 1 is a flowchart of the network intrusion collaborative detection method based on federated learning.
Fig. 2 is a flowchart of the local initial federated intrusion detection convolution model training performed by each participant in the present invention.
Fig. 3 is a flowchart of the N-party encrypted-state submodel splitting and fusion algorithm in the present invention.
Fig. 4 is a flowchart of the arbitration of the global federated intrusion detection convolution model in the present invention.
Detailed Description
The invention will now be described in detail with reference to the drawings and specific examples.
As shown in Fig. 1, the network intrusion collaborative detection method based on federated learning provided by the invention comprises the following steps, performed in order:
1) The initiator InitiOrgan, as one of the N participants in federated learning, takes part in both the training and the arbitration of the federated intrusion detection convolution model; the other participants PartiOrgan, comprising the first participant $PartiOrgan_1$ through the (N-1)-th participant $PartiOrgan_{n-1}$, take part only in the training of the federated intrusion detection convolution model. First, the initiator InitiOrgan initiates a federated learning request to the coordinator, and the initiator InitiOrgan, according to its own requirements, determines together with the coordinator the parameter information related to the federated intrusion detection convolution model;
The method is suited to horizontal federated learning among multiple institutions. The coordinator does not have full authority to determine the parameter information related to federated learning. The coordinator role is performed by an aggregation server, whose main tasks are to issue the initial federated intrusion detection convolution model, to receive the updated federated intrusion detection convolution models, and to perform the incremental weighted average over the federated intrusion detection convolution models; the coordinator also decides which participants are entitled to take part in a single training round.
The parameter information includes:
101) Algorithm selection: the algorithm selected for federated learning. (SelectedModel: fed-Resnet-18)
102) Data processing method: the data preprocessing method for each local intrusion detection library; a standardization method and a CNN pixel matrix conversion method are used. (DataPreprocessing: [ Normalization: minMaxScaler, pixelMatrixRow:7 ])
103) Privacy protection method: the encryption mode used when uploading the updated federated intrusion detection convolution model. (Privacy protection method: encryptedModelAccumulation)
104) Number of participants: the total number of participants in the training of the federated intrusion detection convolution model. (particles: 10)
105) Global rounds: the maximum number of training rounds for the global federated intrusion detection convolution model. (GlobalEpochs: 100)
106) Local rounds: the number of times each participant trains in a single round. (LocalEpochs: 10)
107) Shared batch size: the batch size, specified by the coordinator, that all participants use in common. (BatchSize: 64)
108) Participant ratio: the proportion of participants randomly selected in a single round. (SampleRatio: 0.5)
109) Node update method: the method selected for updating the node parameters of the federated intrusion detection convolution model. (UpdateNodePar: FSMSGD)
110) Shared learning rate: the learning rate, specified by the coordinator, for all participants. (ShareLR: 0.001)
111) Shared momentum: the momentum, specified by the coordinator, shared by all participants. (ShareMomentum: 0.0001)
2) The coordinator issues the relevant parameter information to the local federated intrusion detection convolution model of each participant;
3) After obtaining the parameter information, each participant initializes its local federated intrusion detection convolution model according to that information to obtain a local initial federated intrusion detection convolution model, then feeds its locally owned intrusion detection library into the local initial federated intrusion detection convolution model for training to obtain an updated local federated intrusion detection convolution model;
As shown in Fig. 2, the training method is as follows:
301) Each participant preprocesses its locally owned intrusion detection library, including standardization and conversion of the feature matrix into a CNN pixel matrix. The dimension of the CNN pixel matrix is determined by the number of features in the intrusion detection library; the intrusion detection library contains 41 features, so when the feature matrix is converted into a CNN pixel matrix, the dimension of the CNN pixel matrix is 7*7 (PixelMatrixRow);
302) The preprocessed intrusion detection library is batched and shuffled using the local batch size (BatchSize); the participant then builds a local initial federated intrusion detection convolution model (SelectedModel) from the global initial federated intrusion detection convolution model issued by the coordinator; each participant then trains the local initial federated intrusion detection convolution model locally for E (LocalEpochs) rounds to update the model parameters;
303) The local initial federated intrusion detection convolution model is propagated forward to compute each node parameter, and the federated multi-label entropy loss function is then used to compute the loss value MultiLabelLoss of the model parameters, by the following formula:
where i denotes a sample; N denotes the total number of samples; MCOORDI denotes the number of label categories of the training task selected by the coordinator; the sign function of the sample and label class takes the value 1 if the label class of sample i is the same as label class c, and 0 otherwise; $predSoftmax_{c}^{i}$ denotes the predicted probability of sample i for label class c;
304) The partial derivatives are solved with the federated shared momentum SGD algorithm and used to update the node parameters. The federated shared momentum SGD is calculated as follows:
where $mavg_t$ is the momentum average of the node parameters in the t-th local round under the shared momentum shareMomen; the shared momentum shareMomen is specified by the coordinator for the federated shared momentum SGD; the partial derivative is that of the t-th local round's loss value MultiLabelLoss of the model parameters with respect to the node parameters; shareLR is the shared learning rate of the federated intrusion detection convolution model; and the update yields the node parameter value of the t-th local round;
305) The loss value MultiLabelLoss of the model parameters and the partial derivatives are computed repeatedly until the number of local batches trained reaches the maximum.
4) After each participant completes one round of local federated intrusion detection convolution model updating, it uses the encrypted-state submodel splitting and fusion algorithm to split the updated local federated intrusion detection convolution model into N encrypted-state submodels and exchanges the encrypted-state submodels with the other participants; finally each participant accumulates the encrypted-state submodels obtained by exchange and uses the result as its local encrypted-state federated intrusion detection convolution model;
As shown in Fig. 3, the specific steps are as follows:
401) The initiator InitiOrgan holds the updated local federated intrusion detection convolution model $M_1$, the first participant $PartiOrgan_1$ holds the updated local federated intrusion detection convolution model $M_2$, …, and the (N-1)-th participant $PartiOrgan_{n-1}$ holds the updated local federated intrusion detection convolution model $M_n$;
402) The initiator InitiOrgan draws N-1 random operators $Rm_2, Rm_3, \ldots, Rm_n$ and then computes the following N encrypted-state submodels:
$\langle M_1\rangle_2 = Rm_2$
$\langle M_1\rangle_3 = Rm_3$
……
$\langle M_1\rangle_n = Rm_n$
$\langle M_1\rangle_1 = M_1 - \langle M_1\rangle_2 - \langle M_1\rangle_3 - \cdots - \langle M_1\rangle_n$
where $\langle\cdot\rangle$ denotes ciphertext in the encrypted-state submodel splitting and fusion algorithm;
403) The initiator InitiOrgan forwards the encrypted-state submodel $\langle M_1\rangle_2$ to the first participant $PartiOrgan_1$, forwards the encrypted-state submodel $\langle M_1\rangle_3$ to the second participant $PartiOrgan_2$, and so on. Likewise, the first participant $PartiOrgan_1$ and the second participant $PartiOrgan_2$ each perform the same operation as the initiator InitiOrgan and forward their encrypted-state submodels to the other participants. After one round of forwarding, the initiator InitiOrgan holds the encrypted-state submodels $\langle M_1\rangle_1, \langle M_2\rangle_1, \ldots, \langle M_n\rangle_1$; the first participant $PartiOrgan_1$ holds the encrypted-state submodels $\langle M_1\rangle_2, \langle M_2\rangle_2, \ldots, \langle M_n\rangle_2$; the second participant $PartiOrgan_2$ holds the encrypted-state submodels $\langle M_1\rangle_3, \langle M_2\rangle_3, \ldots, \langle M_n\rangle_3$; and so on;
404) Each participant locally accumulates the encrypted-state submodels obtained by exchange and uses the result as its local encrypted-state federated intrusion detection convolution model:
InitiOrgan: $\langle M\rangle_1 = \langle M_1\rangle_1 + \langle M_2\rangle_1 + \cdots + \langle M_n\rangle_1$
$PartiOrgan_1$: $\langle M\rangle_2 = \langle M_1\rangle_2 + \langle M_2\rangle_2 + \cdots + \langle M_n\rangle_2$
…
$PartiOrgan_{n-1}$: $\langle M\rangle_n = \langle M_1\rangle_n + \langle M_2\rangle_n + \cdots + \langle M_n\rangle_n$
where $\langle M\rangle_1$ is the local encrypted-state federated intrusion detection convolution model that the initiator InitiOrgan obtains by accumulating the exchanged encrypted-state submodels, $\langle M\rangle_2$ is the local encrypted-state federated intrusion detection convolution model that the first participant $PartiOrgan_1$ obtains by accumulating the exchanged submodels, $\langle M\rangle_3$ is the local encrypted-state federated intrusion detection convolution model that the second participant $PartiOrgan_2$ obtains by accumulating the exchanged submodels, and so on.
5) Each participant uploads its local encrypted-state federal intrusion detection convolution model to the coordinator;
6) The coordinator performs an incremental weighted average of the encrypted-state federal model over the local encrypted-state federal intrusion detection convolution models uploaded by the participants to obtain a global federal intrusion detection convolution model;
The calculation formula of the incremental weighted average of the encrypted-state federal model is as follows:
wherein $GloModel_t$ represents the global federal intrusion detection convolution model issued by the coordinator in the t-th round; representing a local encryption state model obtained after the ith participant is trained in the ith round; representing the difference between the local encrypted-state model parameters of this round and the global initial federal intrusion detection convolution model parameters of this round, which is used as the model parameter increment uploaded by the participant in this round; n represents the number of participants taking part in the global iteration of this round;
7) The coordinator transmits the global federal intrusion detection convolution model to each participant;
8) The other participants PartiOrgan continue to train the global federal intrusion detection convolution model using their local intrusion detection libraries; the initiator InitiOrgan divides its locally owned intrusion detection library in a ratio of 9:1, which is used for training and arbitrating the global federal intrusion detection convolution model respectively, adopts the federal multi-label entropy loss function as the arbitration function, and feeds back the federal learning status to the coordinator according to the convergence state of the arbitration function.
As shown in Fig. 4, the method by which the initiator InitiOrgan arbitrates the global federal intrusion detection convolution model is as follows:
801) After receiving the global federal intrusion detection convolution model issued by the coordinator, the initiator InitiOrgan first freezes the nodes of the non-convolution sensing layer and then propagates forward to calculate the arbitration loss value of the arbitration function;
802) The initiator InitiOrgan records the arbitration loss value and determines the convergence state of the arbitration function based on the arbitration loss value;
The specific steps are as follows:
80201) After multiple global training batches, if the arbitration loss value rises instead of falling, the initiator InitiOrgan requests the coordinator to terminate federal learning and renegotiate new parameter information;
80202) After multiple global training batches, if the arbitration loss value is still falling, the initiator InitiOrgan takes no action;
80203) After multiple global training batches, if the arbitration loss value has reached a convergence state, the initiator InitiOrgan requests the coordinator to terminate federal learning and takes the most recently issued global federal intrusion detection convolution model as the federal learning result.
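The split, exchange and accumulate procedure of steps 401) to 404), followed by the coordinator adding the uploads of steps 5) and 6), as an added example that is not part of the patent text. It assumes fixed-point encoding in the ring of integers modulo 2^64 (the patent only speaks of "random operators"), a plain sum in place of the incremental weighted average, each participant keeping its own residual share as the initiator does, and constructed sample weights; all function names are hypothetical.

```python
import secrets

MOD = 1 << 64    # assumption: shares are elements of the ring Z_{2^64}
SCALE = 1 << 16  # assumption: fixed-point scale applied to float weights


def encode(weights):
    """Fixed-point encode float weights as ring elements."""
    return [round(w * SCALE) % MOD for w in weights]


def decode(values):
    """Decode ring elements to floats; the upper half of the ring is negative."""
    return [(v - MOD if v >= MOD // 2 else v) / SCALE for v in values]


def split(model, n, keep=0):
    """Step 402: n-1 uniformly random masks Rm, plus M minus their sum.

    The residual share sits at index `keep` (the owner's own index), so it
    never leaves the owner; the masks are the shares sent to the others.
    """
    residual = encode(model)
    masks = [[secrets.randbelow(MOD) for _ in residual] for _ in range(n - 1)]
    for mask in masks:
        residual = [(r - m) % MOD for r, m in zip(residual, mask)]
    return masks[:keep] + [residual] + masks[keep:]


def exchange(models):
    """Step 403: participant i sends share j of its model to participant j.

    Returns inbox, where inbox[j] = [<M_1>_j, ..., <M_n>_j].
    """
    n = len(models)
    shares = [split(m, n, keep=i) for i, m in enumerate(models)]
    return [[shares[i][j] for i in range(n)] for j in range(n)]


def fuse(received):
    """Step 404: add the received shares element-wise to get <M>_j."""
    acc = [0] * len(received[0])
    for share in received:
        acc = [(a + s) % MOD for a, s in zip(acc, share)]
    return acc


def run_round(models):
    """Steps 4) to 6) for one round: (uploads seen by coordinator, decoded sum)."""
    uploads = [fuse(box) for box in exchange(models)]
    # Coordinator side: adding all uploads cancels every mask and leaves
    # M_1 + ... + M_n. A plain sum stands in for the patent's weighted average.
    return uploads, decode(fuse(uploads))


# Constructed sample: three participants, four weights each.
MODELS = [
    [0.25, -1.5, 0.125, 2.0],
    [0.5, 0.5, -0.375, 1.0],
    [-0.25, 2.0, 0.5, -1.0],
]

if __name__ == "__main__":
    uploads, total = run_round(MODELS)
    print("model sum recovered by coordinator:", total)
    for j, up in enumerate(uploads):
        print(f"upload {j + 1} equals a plaintext model:",
              any(up == encode(m) for m in MODELS))
```

Because every mask is uniform in the ring, each upload on its own is uniformly distributed and reveals nothing about any single participant's model; masks drawn as bounded real numbers would not give that guarantee.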
Claims (6)
1. A network intrusion cooperative detection method based on federal learning is characterized by comprising the following steps: the network intrusion collaborative detection method based on federal learning comprises the following steps in sequence:
1) The initiator InitiOrgan, as one of the N participants in federal learning, takes part in both the training and the arbitration of the federal intrusion detection convolution model; the other participants PartiOrgan, comprising the first participant $PartiOrgan_1$ to the (N-1)-th participant $PartiOrgan_{n-1}$, take part only in the training of the federal intrusion detection convolution model; first, the initiator InitiOrgan initiates a federal learning request to the coordinator, and the initiator InitiOrgan, together with the coordinator, determines the parameter information related to the federal intrusion detection convolution model according to its own requirements;
2) The coordinator transmits the related parameter information to each participant of the local federal intrusion detection convolution model;
3) After each participant obtains parameter information, initializing a local federal intrusion detection convolution model according to the parameter information to obtain a local initial federal intrusion detection convolution model, and then transmitting an intrusion detection library owned by the local into each local initial federal intrusion detection convolution model for training to obtain an updated local federal intrusion detection convolution model;
4) After each participant completes one round of local federal intrusion detection convolution model updating, an encryption state sub-model splitting and fusing algorithm is adopted to split the updated local federal intrusion detection convolution model into N encryption state sub-models, each encryption state sub-model is exchanged with other participants, and finally each participant accumulates the encryption state sub-model obtained by exchange to be used as a local encryption state federal intrusion detection convolution model;
5) Each participant uploads its local encrypted-state federal intrusion detection convolution model to the coordinator;
6) The coordinator performs an incremental weighted average of the encrypted-state federal model over the local encrypted-state federal intrusion detection convolution models uploaded by the participants to obtain a global federal intrusion detection convolution model;
7) The coordinator transmits the global federal intrusion detection convolution model to each participant;
8) The other participants PartiOrgan continue to train the global federal intrusion detection convolution model using their local intrusion detection libraries; the initiator InitiOrgan divides its locally owned intrusion detection library in a ratio of 9:1, which is used for training and arbitrating the global federal intrusion detection convolution model respectively, adopts the federal multi-label entropy loss function as the arbitration function, and feeds back the federal learning status to the coordinator according to the convergence state of the arbitration function.
2. The federal learning-based network intrusion co-detection method according to claim 1, wherein: in step 1), the parameter information includes:
101) Algorithm selection: the algorithm selected for federal learning;
102) Data processing method: the data preprocessing method of each local intrusion detection library;
103) Privacy protection method: the encryption mode used when uploading the updated federal intrusion detection convolution model;
104) Number of participants: the total number of participants in training the federal intrusion detection convolution model;
105) Global rounds: the maximum number of rounds for training the global federal intrusion detection convolution model;
106) Local rounds: the number of times each participant trains in a single round;
107) Shared batch size: the batch size shared by all participants, as designated by the coordinator;
108) Participant ratio: the ratio of participants randomly selected in a single round;
109) Node update method: the method of selecting node parameters when updating the federal intrusion detection convolution model;
110) Shared learning rate: the learning rate of each participant, as designated by the coordinator;
111) Shared momentum: the momentum magnitude shared by the participants, as designated by the coordinator.
3. The federal learning-based network intrusion co-detection method according to claim 1, wherein: in step 3), the training method is as follows:
301) Each participant performs data preprocessing on its locally owned intrusion detection library, including standardization and conversion of the feature matrix into a CNN pixel matrix;
302) The preprocessed intrusion detection library is batched and shuffled using the local batch size; the participant then builds a local initial federal intrusion detection convolution model from the global initial federal intrusion detection convolution model issued by the coordinator; each participant then trains the local initial federal intrusion detection convolution model locally for E rounds to update the model parameters;
303) The local initial federal intrusion detection convolution model is propagated forward to calculate each node parameter, and then the federal multi-label entropy loss function is used to calculate the loss value MultiLabelLoss of the model parameters, with the formula as follows:
onehot->predSoftmax;
wherein i represents a sample; n represents the total number of samples; MCOORDI represents the number of label categories of the training task selected by the coordinator; a sign function of the sample and the label class, whose value is 1 if the label class of sample i is the same as label class c and 0 otherwise; predSoftmax c i represents the predicted probability value of sample i for label class c;
304) The model is back-propagated, the partial derivative of the loss value MultiLabelLoss of the model parameters with respect to each neuron node parameter is calculated, the partial derivative is solved using the federal shared momentum SGD algorithm, and the node parameters are updated using the partial derivative, wherein the calculation formula of the federal shared momentum SGD is as follows:
wherein $mavg_t$ is the momentum average of the node parameter in the t-th local round under the shared momentum shareMomen; the shared momentum shareMomen is the momentum of the federal shared momentum SGD specified by the coordinator; is the partial derivative of the loss value MultiLabelLoss of the model parameters with respect to the node parameter in the t-th local round; shareLR is the shared learning rate of the federal intrusion detection convolution model; is the updated value of the node parameter in the t-th local round;
305) The loss value MultiLabelLoss of the model parameters and the partial derivative are calculated repeatedly until the number of local batches trained reaches the maximum.
4. The federal learning-based network intrusion co-detection method according to claim 1, wherein: in step 4), after each participant completes one round of local federal intrusion detection convolution model updating, an encrypted-state submodel splitting and fusing algorithm is adopted to split the updated local federal intrusion detection convolution model into N encrypted-state submodels, each encrypted-state submodel is exchanged with the other participants, and finally each participant accumulates the encrypted-state submodels obtained by exchange as its local encrypted-state federal intrusion detection convolution model, the specific steps being as follows:
401) The initiator InitiOrgan owns the updated local federal intrusion detection convolution model $M_1$, the first participant $PartiOrgan_1$ owns the updated local federal intrusion detection convolution model $M_2$, …, and the (N-1)-th participant $PartiOrgan_{n-1}$ owns the updated local federal intrusion detection convolution model $M_n$;
402) The initiator InitiOrgan takes N-1 random operators, namely $Rm_2, Rm_3, \ldots, Rm_n$, and then calculates the following N encrypted-state submodels:
$\langle M_1\rangle_2 = Rm_2$
$\langle M_1\rangle_3 = Rm_3$
……
$\langle M_1\rangle_n = Rm_n$
$\langle M_1\rangle_1 = M_1 - \langle M_1\rangle_2 - \langle M_1\rangle_3 - \ldots - \langle M_1\rangle_n$
wherein $\langle\cdot\rangle$ represents the encrypted ciphertext in the encrypted-state submodel splitting and fusion algorithm;
403) The initiator InitiOrgan forwards the encrypted-state submodel $\langle M_1\rangle_2$ to the first participant $PartiOrgan_1$, forwards the encrypted-state submodel $\langle M_1\rangle_3$ to the second participant $PartiOrgan_2$, and so on; likewise, the first participant $PartiOrgan_1$ and the second participant $PartiOrgan_2$ each perform the same operation as the initiator InitiOrgan and forward their encrypted-state submodels to the other participants; after one round of forwarding, the initiator InitiOrgan holds the encrypted-state submodels $\langle M_1\rangle_1, \langle M_2\rangle_1, \ldots, \langle M_n\rangle_1$; the first participant $PartiOrgan_1$ holds the encrypted-state submodels $\langle M_1\rangle_2, \langle M_2\rangle_2, \ldots, \langle M_n\rangle_2$; the second participant $PartiOrgan_2$ holds the encrypted-state submodels $\langle M_1\rangle_3, \langle M_2\rangle_3, \ldots, \langle M_n\rangle_3$, and so on;
404) Each participant locally accumulates the encrypted-state submodels obtained by exchange to form its local encrypted-state federal intrusion detection convolution model:
InitiOrgan: $\langle M\rangle_1 = \langle M_1\rangle_1 + \langle M_2\rangle_1 + \ldots + \langle M_n\rangle_1$
$PartiOrgan_1$: $\langle M\rangle_2 = \langle M_1\rangle_2 + \langle M_2\rangle_2 + \ldots + \langle M_n\rangle_2$
…
$PartiOrgan_{n-1}$: $\langle M\rangle_n = \langle M_1\rangle_n + \langle M_2\rangle_n + \ldots + \langle M_n\rangle_n$
wherein $\langle M\rangle_1$ is the local encrypted-state federal intrusion detection convolution model that the initiator InitiOrgan obtains by accumulating the exchanged encrypted-state submodels, $\langle M\rangle_2$ is the local encrypted-state federal intrusion detection convolution model that the first participant $PartiOrgan_1$ obtains in the same way, $\langle M\rangle_3$ is the local encrypted-state federal intrusion detection convolution model that the second participant $PartiOrgan_2$ obtains in the same way, and so on.
5. The federal learning-based network intrusion co-detection method according to claim 1, wherein: in step 6), the calculation formula of the incremental weighted average of the encrypted federal model is as follows:
wherein $GloModel_t$ represents the global federal intrusion detection convolution model issued by the coordinator in the t-th round; representing a local encryption state model obtained after the ith participant is trained in the ith round; representing the difference between the local encrypted-state model parameters of this round and the global initial federal intrusion detection convolution model parameters of this round, which is used as the model parameter increment uploaded by the participant in this round; n represents the number of participants taking part in the global iteration of this round.
6. The federal learning-based network intrusion co-detection method according to claim 1, wherein: in step 8), the method by which the initiator InitiOrgan arbitrates the global federal intrusion detection convolution model is as follows:
801) After receiving the global federal intrusion detection convolution model issued by the coordinator, the initiator InitiOrgan first freezes the nodes of the non-convolution sensing layer and then propagates forward to calculate the arbitration loss value of the arbitration function;
802) The initiator InitiOrgan records the arbitration loss value and determines the convergence state of the arbitration function based on the arbitration loss value;
The specific steps are as follows:
80201) After multiple global training batches, if the arbitration loss value rises instead of falling, the initiator InitiOrgan requests the coordinator to terminate federal learning and renegotiate new parameter information;
80202) After multiple global training batches, if the arbitration loss value is still falling, the initiator InitiOrgan takes no action;
80203) After multiple global training batches, if the arbitration loss value has reached a convergence state, the initiator InitiOrgan requests the coordinator to terminate federal learning and takes the most recently issued global federal intrusion detection convolution model as the federal learning result.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210097210.1A CN114640498B (en) | 2022-01-27 | 2022-01-27 | Network intrusion collaborative detection method based on federal learning |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114640498A CN114640498A (en) | 2022-06-17 |
CN114640498B true CN114640498B (en) | 2023-08-29 |
Family
ID=81945917
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210097210.1A Active CN114640498B (en) | 2022-01-27 | 2022-01-27 | Network intrusion collaborative detection method based on federal learning |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114640498B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||