CN115130102A - Online adaptive intrusion detection method based on incremental learning - Google Patents


Info

Publication number: CN115130102A
Application number: CN202210790522.0A
Authority: CN (China)
Prior art keywords: sample, model, intrusion detection, samples, data
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventors: 王利娟, 张哲瑛
Current assignee: Xidian University (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Xidian University
Priority date: (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date:
Publication date:
Application filed by Xidian University; priority to CN202210790522.0A; publication of CN115130102A; current legal status: pending.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods

Abstract

The invention discloses an online adaptive intrusion detection method based on incremental learning, which mainly addresses the problems that existing methods cannot update the intrusion detection model in real time and detect poorly. The method mainly comprises the following steps: 1) train a classification model to be expanded on a data set of known classes to obtain an initial model; 2) sniff and process the data in the current network in real time and feed them into the model for detection; 3) when the model's detection result is attack data of an unknown class, select a part of representative samples of the known classes and combine them with the samples of the unknown class to form an incremental sample set; 4) update the initial model online by incremental learning, while monitoring the data flow in the current network in real time to decide when to retrain the model; 5) complete real-time intrusion detection with the online-updated model. The invention can effectively improve the accuracy of detecting intrusion behaviour of both known and unknown classes, and can update the intrusion detection model online in real time.

Description

Online adaptive intrusion detection method based on incremental learning
Technical Field
The invention belongs to the technical field of network security and relates to an intrusion detection method, in particular to an online adaptive intrusion detection method based on incremental learning, which can be used to detect attack behaviour in a network in real time and to update an intrusion detection system online.
Background
Deep neural networks, as an intelligent algorithm, have shown clear advantages in the analysis of complex data and can be applied well to intrusion detection. However, most deep neural networks can only be trained well on known types of network intrusion; that is, most neural network models are designed for a closed environment. In practice, the known classes of network attack do not cover all classes of attack. Incremental learning is a class of algorithms that can expand and update an existing model by learning from new samples: it preserves most of the knowledge learned on the known categories while continually learning new knowledge from newly added categories. The main features of an incremental learning algorithm are: the ability to learn new knowledge from newly added samples; training that needs none, or only part, of the original data set; the ability to remember old knowledge, so that catastrophic forgetting is avoided; and adaptive learning of new categories that may appear in the newly added samples. Although incremental learning offers a way to handle new categories, current incremental learning algorithms for intrusion detection cannot detect network intrusion behaviour online in real time, so intrusion detection based on them lacks adaptability, real-time performance and reliability.
Chinese patent application CN108173708A discloses an abnormal traffic detection method based on deep learning, which comprises three stages: acquiring user-side traffic data, detecting anomalies in the traffic with a traffic detection classifier, and training the traffic detection classifier online on the abnormal data. First, a sniffer acquires user-side traffic data to construct a trainable data set; second, a traffic detection classifier built in advance in the anomaly detection device performs anomaly detection on the traffic data; when abnormal data are detected, training samples are derived from the abnormal data and used to train the traffic detection classifier online. However, this method does not achieve a satisfactory effect when it trains on all abnormal sample data, and because the sample data are not processed during the incremental step, both the classification accuracy and the training efficiency of the model suffer.
In the field of intrusion detection, whether because of changing requirements or the appearance of new intrusion behaviour, intrusion detection models need to be retrained. When the model requires daily training, the training time becomes very important. Most existing related work only considers intrusion detection in a static environment, rarely considers intrusion detection in a dynamic environment that changes over time, and rarely considers the adaptivity of the intrusion detection method, which shows mainly in the following three aspects: 1) most models are offline, and even known network intrusion behaviour cannot be detected online in real time; 2) existing intrusion detection models cannot detect intrusion behaviour of unknown classes, and when unknown classes appear the model cannot be updated dynamically and adaptively but must be completely retrained; 3) intrusion detection models based on deep learning incur a large time overhead, so the models are inefficient, while, because of the growing complexity of networks and the appearance of large amounts of high-dimensional network data, the detection accuracy of intrusion detection models based on traditional machine learning is low; 4) theoretical studies are rarely applied in real scenarios and in many respects do not take real scenarios into account.
Therefore, the art needs a method that improves the classification accuracy of known and unknown classes so as to address the identification problem, and an incremental learning method designed specifically for intrusion detection so as to improve the efficiency of incremental learning classification.
Disclosure of Invention
The invention aims to provide, against the defects of the prior art, an online adaptive intrusion detection method based on incremental learning that can effectively improve the accuracy of detecting intrusion behaviour of known and unknown classes and can update the intrusion detection model online in real time; the classification efficiency of the algorithm is further improved over existing incremental learning, so that the real-time performance, scalability, adaptability and robustness of the intrusion detection method are ensured, and a new approach is offered for subsequent research and engineering application of intrusion detection algorithms based on incremental learning.
The basic idea of the invention is as follows: first, train a classification model to be expanded on a data set of known classes to obtain an initial model; then sniff in real time, process the data in the current network and feed them into the model for detection; when the model's detection result is attack data of an unknown class, select a part of representative samples of the known classes and combine them with the samples of the unknown class to form an incremental sample set, update the model online by incremental learning, and at the same time monitor the data flow in the current network in real time, retraining the model to be expanded on all data when the data flow falls below a threshold.
The invention achieves this aim as follows:
(1) acquiring a data set and preprocessing:
obtain a public intrusion detection data set from the network as the initial known-class sample set, extract the features and label of each data record, remove some invalid data, group the remaining records by label, one-hot encode the character-type (categorical) features, build a binary-file sample set containing the data, the labels and a class list, and divide the data in the file sample set into two parts, an initial known-class training set $D_{\mathrm{old}}$ and a validation set $D_{\mathrm{valid}}$:
$D_{\mathrm{old}} = \{X_1, X_2, \ldots, X_n\}$,
$D_{\mathrm{valid}} = \{T_1, T_2, \ldots, T_n\}$,
where n is the number of classes of the initial known-class samples, and $X_n$, $T_n$ denote all training samples and all validation samples of the n-th initial known class respectively;
(2) building the classification network model to be expanded:
adopt a spatio-temporal network structure in which a one-dimensional convolutional neural network and a long short-term memory network are connected in series, and build a classification network model to be expanded consisting, in order, of two first one-dimensional convolutional layers conv1d, a first max-pooling layer max_pooling_1, a second one-dimensional convolutional layer conv1d_2, a second max-pooling layer max_pooling_2, a long short-term memory layer lstm, a dropout layer dropout and a first fully connected layer dense_1; the model takes a one-dimensional 18 × 1 matrix as input and outputs a 1 × 1 matrix representing the sample-type prediction score;
(3) using the initial known-class training set $D_{\mathrm{old}}$ and the cross-entropy loss function $L_c$, train the classification network model to be expanded to obtain an intrusion detection model able to detect the known classes, while using the initial known-class validation set $D_{\mathrm{valid}}$ to monitor the state and convergence of the model during training and adjusting the hyperparameters according to the monitoring result to optimise the training effect, thus obtaining the trained intrusion detection model
Figure BDA0003729997560000031
(4) use the real-time extraction module of the traffic feature extraction tool CICFlowMeter to capture data records in the network in real time, remove some invalid data records, parse the valid data records to obtain 50-80 data features, and store the data features;
(5) perform feature extraction on the data features obtained in step (4), and combine the extracted features to obtain the online intrusion detection sample set $D_{\mathrm{online}}$;
(6) real-time intrusion detection:
feed the online intrusion sample set $D_{\mathrm{online}}$ into the intrusion detection model trained in step (3)
Figure BDA0003729997560000032
and, according to the model's prediction result, determine the type of each sample in the online intrusion detection sample set $D_{\mathrm{online}}$ as follows:
if the sample is classified as a normal sample, continue real-time intrusion detection on the other samples of $D_{\mathrm{online}}$;
if the sample is classified as a sample of a known abnormal class, feed the sample back to the administrator for further analysis while continuing real-time intrusion detection on the other samples of $D_{\mathrm{online}}$;
if the sample is classified as a sample of an unknown class, judge manually whether the sample is usable; if it is judged unusable, continue real-time intrusion detection on the other samples of $D_{\mathrm{online}}$; if it is judged usable, execute step (7);
(7) manually label the unknown-class samples according to the information in the usable sample data records, and construct the unknown-class sample set $D_{\mathrm{unknown}}$:
$D_{\mathrm{unknown}} = \{X_1, X_2, \ldots, X_m\}$,
where m is the number of classes of the unknown-class samples and $X_m$ is the set of all unknown-class samples of class m.
(8) select representative samples from the initial known-class sample set to construct the known-class sample set $D_{\mathrm{known}}$:
$D_{\mathrm{known}} = \{D_t, D_f, D_r\}$,
where $D_t$ is the set of samples that the classification model to be expanded classifies correctly with prediction scores in the top 1%, $D_f$ is the entire set of samples that the classification model to be expanded misclassifies, and $D_r$ is a set of 1% of the remaining known-class samples selected at random;
(9) construct the incremental sample set $D_{\mathrm{new}}$ for the subsequent online update of the model:
$D_{\mathrm{new}} = \{D_{\mathrm{known}}, D_{\mathrm{unknown}}\}$
$= \{D_t, D_f, D_r, D_{\mathrm{unknown}}\}$
$= \{X_1, X_2, \ldots, X_n, X_{n+1}, X_{n+2}, \ldots, X_{n+m}\}$
where n and m denote the number of classes of the known-class samples and of the unknown-class samples respectively;
Figure BDA0003729997560000042
$X_{n+m} = \{(x_j, y_j),\ 1 \le j \le M,\ y_j \in [1, 2, \ldots, m]\}$,
where
Figure BDA0003729997560000041
are the sample features and sample labels of the known-class samples respectively, N is the number of samples in the known-class sample set, $x_i$, $y_i$ denote the sample features and sample labels of the unknown-class samples respectively, and M is the number of samples in the unknown-class sample set;
(10) building the extended classification network model:
build an extended classification network model consisting, in order, of a one-dimensional separable convolutional layer split_conv1d, a first max-pooling layer max_pooling_1, a flatten layer flatten, a second fully connected layer dense_2, a dropout layer dropout and a first fully connected layer dense_1; a one-dimensional 18 × 1 matrix is input to the extended classification network model to obtain a 1 × 1 matrix representing the sample-type prediction score;
(11) using the incremental sample set $D_{\mathrm{new}}$ and the loss function L, train the extended classification network model to obtain an online-updated intrusion detection model able to detect both known and unknown classes
Figure BDA0003729997560000051
and use the online-updated intrusion detection model
Figure BDA0003729997560000052
to replace the intrusion detection model of step (6)
Figure BDA0003729997560000053
and complete real-time intrusion detection.
Compared with the prior art, the invention has the following advantages:
First, the invention uses incremental learning so that the intrusion detection system can detect known and unknown types of intrusion behaviour in a dynamic environment that changes over time, which greatly reduces the time needed to update the model and makes the model adaptive; with the incremental learning algorithm the model gains the ability to detect unknown-class attacks without being retrained from scratch, so real-time and efficient intrusion detection is achieved.
Second, the method uses different deep neural networks for the classification model to be expanded and for the extended classification model: the one-dimensional separable convolutional neural network, which has fewer parameters, serves as the extended classification model, and the model combining a convolutional neural network with a long short-term memory network serves as the classification model to be expanded, so the training time is markedly shortened, the training cost is reduced, the model is more efficient, and its detection rate is improved.
Third, the model constructed by the invention can be deployed in a real network environment, detects and updates online, and can be retrained when the network is idle; each step, including but not limited to data collection, feature extraction, intrusion detection and model update, can be applied independently in a real network. Retraining the model on all data when the current network traffic is below the threshold effectively addresses the catastrophic forgetting that can arise as the model is updated continually, and avoids the cost increase of updating the model while the network is under heavy use.
Drawings
FIG. 1 is a flow chart of an implementation of the present invention;
FIG. 2 is a diagram illustrating parameter settings of a classification model to be expanded according to the present invention;
FIG. 3 is a diagram illustrating parameter settings of the extended classification model according to the present invention.
Detailed Description
The invention is further described below with reference to the accompanying drawings.
The first embodiment is as follows: referring to fig. 1, the online adaptive intrusion detection method based on incremental learning provided by the present invention specifically includes the following steps:
Step 1, acquiring a data set and preprocessing:
obtain a public intrusion detection data set from the network as the initial known-class sample set, extract the features and label of each data record, remove some invalid data, group the remaining records by label, one-hot encode the character-type (categorical) features, build a binary-file sample set containing the data, the labels and a class list, and divide the data in the file sample set into two parts, an initial known-class training set $D_{\mathrm{old}}$ and a validation set $D_{\mathrm{valid}}$:
$D_{\mathrm{old}} = \{X_1, X_2, \ldots, X_n\}$,
$D_{\mathrm{valid}} = \{T_1, T_2, \ldots, T_n\}$,
where n is the number of classes of the initial known-class samples, and $X_n$, $T_n$ denote all training samples and all validation samples of the n-th initial known class respectively.
Step 2, building the classification network model to be expanded:
adopt a spatio-temporal network structure in which a one-dimensional convolutional neural network and a long short-term memory network are connected in series, and build a classification network model to be expanded consisting, in order, of two first one-dimensional convolutional layers conv1d, a first max-pooling layer max_pooling_1, a second one-dimensional convolutional layer conv1d_2, a second max-pooling layer max_pooling_2, a long short-term memory layer lstm, a dropout layer dropout and a first fully connected layer dense_1; the model takes a one-dimensional 18 × 1 matrix as input and outputs a 1 × 1 matrix representing the sample-type prediction score;
all one-dimensional convolutional layers use "same" padding, all activation functions are the rectified linear unit (ReLU), the pooling size of the max-pooling layers is 2, the long short-term memory layer has 128 hidden units, the dropout rate is 0.1, and the activation function of the fully connected layer is the sigmoid function.
Step 3, using the initial known-class training set $D_{\mathrm{old}}$ and the cross-entropy loss function $L_c$, train the classification network model to be expanded to obtain an intrusion detection model able to detect the known classes, while using the initial known-class validation set $D_{\mathrm{valid}}$ to monitor the state and convergence of the model during training and adjusting the hyperparameters according to the monitoring result to optimise the training effect, thus obtaining the trained intrusion detection model
Figure BDA0003729997560000061
The intrusion detection model
Figure BDA0003729997560000062
can also be trained as follows:
(a) dynamically calculate the traffic threshold θ:
Figure BDA0003729997560000071
where A is the sum of the traffic between four and six o'clock in the morning on each of the 7 days before the current moment;
(b) compare in real time the received traffic τ of the data records captured in the network each hour in step 4 with the threshold θ; when τ < θ, set all samples as known-class samples, construct from them the initial known-class training set $D_{\mathrm{old}}$ of step 1, and use this sample set and the cross-entropy loss function $L_c$ to train the classification network model to be expanded, obtaining the trained intrusion detection model able to detect known classes
Figure BDA0003729997560000072
The cross-entropy loss function $L_c$ is defined as:
Figure BDA0003729997560000073
where y and
Figure BDA0003729997560000074
denote respectively the predicted class and the true class of the known sample obtained by the model.
Step 4, use the real-time extraction module of the traffic feature extraction tool CICFlowMeter to capture data records in the network in real time, remove some invalid data records, parse the valid data records to obtain 50-80 data features, and store the data features;
Step 5, perform feature extraction on the data features obtained in step 4, and combine the extracted features to obtain the online intrusion detection sample set $D_{\mathrm{online}}$. Feature extraction methods include the Pearson correlation coefficient method, principal component analysis, and others. This embodiment uses the Pearson correlation coefficient feature extraction method, implemented as follows:
(5.1) one-hot encode the character-type features, then calculate the Pearson correlation coefficient r of each feature with the other features and set a coefficient judgment threshold; the Pearson correlation coefficient r is calculated by the following formula:
Figure BDA0003729997560000075
where $i \in [1, \mathrm{fnum}]$ is the index of the sample feature value, fnum is the number of features of the sample set, $x_i$ is the i-th feature value of the current sample, $y_i$ is the other feature value of the current sample,
Figure BDA0003729997560000076
is the mean of the i-th feature value over all samples, and
Figure BDA0003729997560000077
is the mean of the other feature value over all samples.
(5.2) sort the correlation coefficients r in descending order, take out the features whose correlation coefficient is larger than the judgment threshold, and combine them into a binary-file online intrusion detection sample set $D_{\mathrm{online}}$.
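The following Python code is an added example, not part of the patent or its authors' implementation, showing steps (5.1) and (5.2) end to end on a constructed set of CICFlowMeter-style records: one-hot encoding of the character-type feature, the Pearson coefficient r between each feature and the others, and selection of the features whose coefficient exceeds the judgment threshold. The record fields, the use of the strongest |r| with any other column as a feature's score, and the threshold value are this example's assumptions.

```python
# Added example, not code from the patent: Pearson-correlation feature selection
# for one-hot-encoded flow records, following steps (5.1) and (5.2) above.
import math
from typing import Dict, List, Sequence, Tuple

# Constructed sample of CICFlowMeter-style records (field names and values are made up).
SAMPLE_RECORDS: List[Dict[str, object]] = [
    {"fwd_packets": 1, "fwd_bytes": 100, "flow_duration": 5, "protocol": "TCP"},
    {"fwd_packets": 2, "fwd_bytes": 200, "flow_duration": 1, "protocol": "UDP"},
    {"fwd_packets": 3, "fwd_bytes": 300, "flow_duration": 4, "protocol": "TCP"},
    {"fwd_packets": 4, "fwd_bytes": 400, "flow_duration": 2, "protocol": "TCP"},
    {"fwd_packets": 5, "fwd_bytes": 500, "flow_duration": 6, "protocol": "UDP"},
    {"fwd_packets": 6, "fwd_bytes": 600, "flow_duration": 3, "protocol": "TCP"},
]


def one_hot_encode(records: List[Dict[str, object]]) -> Tuple[List[str], List[List[float]]]:
    """Step (5.1), first part: expand string-valued (character-type) features into
    0/1 indicator columns; numeric features are copied as floats.
    Returns the column names and the row matrix."""
    keys = list(records[0].keys())
    numeric = [k for k in keys if not isinstance(records[0][k], str)]
    categorical = [k for k in keys if isinstance(records[0][k], str)]
    levels = {k: sorted({str(r[k]) for r in records}) for k in categorical}
    columns = list(numeric) + [f"{k}={v}" for k in categorical for v in levels[k]]
    rows = []
    for r in records:
        row = [float(r[k]) for k in numeric]
        row += [1.0 if str(r[k]) == v else 0.0 for k in categorical for v in levels[k]]
        rows.append(row)
    return columns, rows


def pearson_r(x: Sequence[float], y: Sequence[float]) -> float:
    """Pearson correlation coefficient of two equal-length feature columns."""
    if len(x) != len(y) or len(x) < 2:
        raise ValueError("need two columns of equal length >= 2")
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sx = math.sqrt(sum((a - mx) ** 2 for a in x))
    sy = math.sqrt(sum((b - my) ** 2 for b in y))
    if sx == 0.0 or sy == 0.0:
        return 0.0  # a constant column has no defined correlation; treat as uncorrelated
    return cov / (sx * sy)


def feature_scores(columns: List[str], rows: List[List[float]]) -> Dict[str, float]:
    """Step (5.1), second part: r between each feature and 'the other features'.
    Assumption of this example: the strongest |r| with any other column is the
    feature's score, since the page does not say how the values are combined."""
    cols = [[row[i] for row in rows] for i in range(len(columns))]
    scores: Dict[str, float] = {}
    for i, name in enumerate(columns):
        scores[name] = max(
            (abs(pearson_r(cols[i], cols[j])) for j in range(len(columns)) if j != i),
            default=0.0,
        )
    return scores


def select_features(columns: List[str], rows: List[List[float]], threshold: float) -> List[str]:
    """Step (5.2): rank features by r in descending order and keep those above the threshold."""
    scores = feature_scores(columns, rows)
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    return [name for name, r in ranked if r > threshold]


if __name__ == "__main__":
    cols, mat = one_hot_encode(SAMPLE_RECORDS)
    print(feature_scores(cols, mat))
    print(select_features(cols, mat, threshold=0.5))
```

Running it on the constructed records shows a caveat of this selection rule worth checking before fixing the threshold in a deployment: the two indicator columns produced by one-hot encoding a binary field are perfectly anti-correlated, so they rank at the top together with the packet/byte pair, while the weakly correlated flow_duration column is dropped.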
Step 6, real-time intrusion detection:
feed the online intrusion sample set $D_{\mathrm{online}}$ into the intrusion detection model trained in step 3
Figure BDA0003729997560000081
and, according to the model's prediction result, determine the type of each sample in the online intrusion detection sample set $D_{\mathrm{online}}$ as follows:
if the sample is classified as a normal sample, continue real-time intrusion detection on the other samples of $D_{\mathrm{online}}$;
if the sample is classified as a sample of a known abnormal class, feed the sample back to the administrator for further analysis while continuing real-time intrusion detection on the other samples of $D_{\mathrm{online}}$;
if the sample is classified as a sample of an unknown class, judge manually whether the sample is usable; if it is judged unusable, continue real-time intrusion detection on the other samples of $D_{\mathrm{online}}$; if it is judged usable, execute step 7;
Step 7, manually label the unknown-class samples according to the information in the usable sample data records, and construct the unknown-class sample set $D_{\mathrm{unknown}}$:
$D_{\mathrm{unknown}} = \{X_1, X_2, \ldots, X_m\}$,
where m is the number of classes of the unknown-class samples and $X_m$ is the set of all unknown-class samples of class m.
Step 8, select representative samples from the initial known-class sample set to construct the known-class sample set $D_{\mathrm{known}}$:
$D_{\mathrm{known}} = \{D_t, D_f, D_r\}$,
where $D_t$ is the set of samples that the classification model to be expanded classifies correctly with prediction scores in the top 1%, $D_f$ is the entire set of samples that the classification model to be expanded misclassifies, and $D_r$ is a set of 1% of the remaining known-class samples selected at random;
Step 9, construct the incremental sample set $D_{\mathrm{new}}$ for the subsequent online update of the model:
$D_{\mathrm{new}} = \{D_{\mathrm{known}}, D_{\mathrm{unknown}}\}$
$= \{D_t, D_f, D_r, D_{\mathrm{unknown}}\}$
$= \{X_1, X_2, \ldots, X_n, X_{n+1}, X_{n+2}, \ldots, X_{n+m}\}$
where n and m denote the number of classes of the known-class samples and of the unknown-class samples respectively;
Figure BDA0003729997560000082
$X_{n+m} = \{(x_j, y_j),\ 1 \le j \le M,\ y_j \in [1, 2, \ldots, m]\}$,
where
Figure BDA0003729997560000091
are the sample features and sample labels of the known-class samples respectively, N is the number of samples in the known-class sample set, $x_i$, $y_i$ denote the sample features and sample labels of the unknown-class samples respectively, and M is the number of samples in the unknown-class sample set;
The incremental samples can also be selected in other ways, for example by using only a reservoir sampling algorithm to obtain random samples, or by using only the samples with higher classification scores.
Step 10, building the extended classification network model:
build an extended classification network model consisting, in order, of a one-dimensional separable convolutional layer split_conv1d, a first max-pooling layer max_pooling_1, a flatten layer flatten, a second fully connected layer dense_2, a dropout layer dropout and a first fully connected layer dense_1; a one-dimensional 18 × 1 matrix is input to the extended classification network model to obtain a 1 × 1 matrix representing the sample-type prediction score;
all one-dimensional separable convolutional layers use "same" padding, all activation functions are the rectified linear unit (ReLU), the pooling size of the max-pooling layer is 2, the dropout rate is 0.5, and the activation functions of the fully connected layers are the sigmoid function.
Step 11, using the incremental sample set $D_{\mathrm{new}}$ and the loss function L, train the extended classification network model to obtain an online-updated intrusion detection model able to detect both known and unknown classes
Figure BDA0003729997560000092
and use the online-updated intrusion detection model
Figure BDA0003729997560000093
to replace the intrusion detection model of step 6
Figure BDA0003729997560000094
and complete real-time intrusion detection.
The loss function L is defined as:
$L = \lambda L_d + (1 - \lambda) L_c$
where λ is a hyperparameter and $L_d$ is the distillation loss function, defined as:
Figure BDA0003729997560000095
where N is the number of all samples and N + m is the number of all sample types;
Figure BDA0003729997560000096
Figure BDA0003729997560000101
where
Figure BDA0003729997560000102
are the prediction scores of the known-class samples on the extended model, q is the prediction score of the unknown-class samples on the extended model, and t is a hyperparameter.
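The following Python code is an added example, not the patent's own code, computing $L = \lambda L_d + (1-\lambda) L_c$ of step 11 over a constructed batch. The page gives $L_d$ only as an image, so the standard knowledge-distillation form (the old model's scores on the n known classes, softened at temperature t, used as soft targets for the extended model's scores on the same n classes) is an assumption of this example, as are the logit values.

```python
# Added example, not code from the patent: the combined loss L = λ·L_d + (1-λ)·L_c
# of step 11. The exact form of L_d is in an image the page does not reproduce;
# the standard knowledge-distillation loss used here is an assumption.
import math
from typing import List, Sequence, Tuple

Sample = Tuple[Sequence[float], Sequence[float], int]  # (old logits, new logits, true label)


def softmax(logits: Sequence[float], t: float = 1.0) -> List[float]:
    """Numerically stable softmax of logits / t."""
    m = max(z / t for z in logits)
    exps = [math.exp(z / t - m) for z in logits]
    s = sum(exps)
    return [e / s for e in exps]


def cross_entropy(new_logits: Sequence[float], true_label: int) -> float:
    """L_c for one sample: negative log-probability of the true class
    (labels are 0-based indices into the n+m outputs here)."""
    return -math.log(softmax(new_logits)[true_label])


def distillation_loss(old_logits: Sequence[float], new_logits: Sequence[float],
                      n_known: int, t: float) -> float:
    """L_d for one sample: cross-entropy between the old model's softened scores
    q_hat on the n known classes and the extended model's scores q on the same
    n classes (the m new outputs are ignored by this term)."""
    q_hat = softmax(old_logits[:n_known], t)
    q = softmax(new_logits[:n_known], t)
    return -sum(qh * math.log(qi) for qh, qi in zip(q_hat, q))


def combined_loss(batch: Sequence[Sample], n_known: int, lam: float, t: float) -> float:
    """L = λ L_d + (1-λ) L_c, each term averaged over the N samples of the batch."""
    if not batch:
        raise ValueError("empty batch")
    if not 0.0 <= lam <= 1.0:
        raise ValueError("lambda must lie in [0, 1]")
    l_d = sum(distillation_loss(o, n, n_known, t) for o, n, _ in batch) / len(batch)
    l_c = sum(cross_entropy(n, y) for _, n, y in batch) / len(batch)
    return lam * l_d + (1.0 - lam) * l_c


# Constructed batch: n = 3 known classes, m = 1 new class (4 outputs on the
# extended model, 3 on the old one). Logit values are made up.
CONSTRUCTED_BATCH: List[Sample] = [
    ([2.0, 0.5, -1.0], [2.0, 0.5, -1.0, -3.0], 0),   # known-class sample, new model agrees
    ([0.1, 1.5, 0.2], [0.0, 1.0, 0.3, -2.0], 1),     # known-class sample, scores drifted
    ([0.3, 0.2, 0.4], [-1.0, -1.0, -1.0, 3.0], 3),   # sample of the new (unknown) class
]


if __name__ == "__main__":
    for lam in (0.0, 0.5, 1.0):
        print(lam, round(combined_loss(CONSTRUCTED_BATCH, n_known=3, lam=lam, t=2.0), 4))
```

λ trades the two terms off: at λ = 1 only the distillation term is left and the new class is never learned, at λ = 0 only the cross-entropy term is left and nothing anchors the known-class scores to the old model, which is the catastrophic-forgetting case the description warns about.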
Embodiment two: the overall steps of the intrusion detection method of this embodiment are the same as those of embodiment one; the implementation of the method of the present invention is described in further detail below with specific parameters.
Step A. This embodiment preferably uses the public intrusion detection data set CICIDS2017 as the known-class sample set. CICIDS2017 contains benign traffic and the most common recent attacks and resembles real-world data. It also includes the results of network traffic analysis with CICFlowMeter, with flows labelled by timestamp, source and destination IP, source and destination port, protocol and attack (CSV files). Each extracted data record has 18 features, and the labels comprise 8 attack types and 1 normal type. Part of the invalid data is then removed, all data records are grouped by label, the character-type features are one-hot encoded, and a binary file sample set containing the data, the labels and an index list is produced. Finally 80% of the data are selected for training and 20% for verification, giving the initial known-class training set D_old and the verification set D_valid; other proportions, e.g. 7:3, can be used, and this embodiment preferably splits 8:2.
For the known-class sample set, CICIDS2017 can be replaced by other public intrusion detection data sets such as UNSW-NB15 or NSL-KDD.
Step B. Referring to FIG. 2, build the classification network model to be expanded. The model uses a spatio-temporal network structure in which a one-dimensional convolutional neural network and a long short-term memory neural network are connected in series. The classification model to be expanded has 123905 trainable parameters. Its input is a one-dimensional 18 × 1 matrix, which passes through the one-dimensional convolutional layers conv1d_21 and conv1d_22, the max-pooling layer max_pooling1d_16, the one-dimensional convolutional layer conv1d_23, the max-pooling layer max_pooling1d_17, the long short-term memory layer lstm_7, the dropout layer dropout_9 and the fully connected layer dense_11; the final output is a 1 × 1 matrix representing the prediction score of the sample type. All one-dimensional convolutional layers use 'same' padding, all activation functions are ReLU, the max-pooling size is 2, the long short-term memory layer has 128 hidden units, the dropout rate is 0.1, and the fully connected layer uses a sigmoid activation function.
Step C. Using the initial known-class training set D_old from step A and the cross-entropy loss function L_c, train the classification network model to be expanded built in step B to obtain an intrusion detection model that can detect the known classes. At the same time, use the initial known-class verification set D_valid to monitor the state and convergence of the model during training, and adjust the hyperparameters according to the monitoring results to optimise the training effect, obtaining the trained intrusion detection model
Figure BDA0003729997560000111
Testing the model specifically means obtaining the classification prediction probability of each data record in the verification set, deriving the prediction accuracy of the model from it, and finally judging whether the current model is usable, which is how the optimisation is achieved. Here the subscript old indicates that the model has not yet been updated, and θ_old denotes the neural network model parameters.
Step D. Sniff network traffic in real time:
Capture data records in the network in real time with the Realtime module of CICFlowMeter, remove part of the invalid data records, parse the valid data records to obtain no more than 80 data features, and store them; this embodiment preferably parses the valid data records to obtain 80 data features.
Step E. Perform feature extraction on the 80 data features obtained in the previous step, i.e. the network traffic features, using the Pearson correlation coefficient feature extraction method, implemented as follows:
First, the character-type features are one-hot encoded; then the Pearson correlation coefficient r between each feature and the other features is calculated, the features are sorted in descending order of correlation coefficient, and the features whose correlation coefficient exceeds a set threshold are taken as the features that summarise the whole data set (the threshold is set to 0.078 in this embodiment); finally, a binary file online intrusion detection sample set D_online containing the data is produced.
The Pearson correlation coefficient r is calculated as follows:
Figure BDA0003729997560000112
where i ∈ [1, 80] is the index of the sample feature value, x_i is the i-th feature value of the current sample, y_i is the other feature value of the current sample,
Figure BDA0003729997560000113
is the mean of the i-th feature value over all samples, and
Figure BDA0003729997560000114
is the mean of the other feature values over all samples.
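The feature selection of step E (the same procedure is claimed in claims 5 and 6), worked through in pure Python as an added example; this is not code from the patent, from CICFlowMeter or from the CICIDS2017 tooling. The flow records are constructed toy data with one character-type feature ("proto") so that the one-hot step is visible. The page gives only the formula for a single r and the threshold 0.078, so aggregating each feature's pairwise |r| values by their mean is this example's assumption. A feature with zero variance (here "ttl") makes r undefined; the example scores it 0.0 so the threshold drops it.

```python
import math

# Constructed toy flow records (not CICIDS2017 / CICFlowMeter output): four numeric
# features plus one character-type feature "proto" that must be one-hot encoded first.
SAMPLE_FLOWS = [
    {"duration": 1.0, "packets": 2.0,  "idle": 5.0, "ttl": 64.0, "proto": "tcp"},
    {"duration": 2.0, "packets": 4.0,  "idle": 4.0, "ttl": 64.0, "proto": "udp"},
    {"duration": 3.0, "packets": 6.0,  "idle": 3.0, "ttl": 64.0, "proto": "tcp"},
    {"duration": 4.0, "packets": 8.0,  "idle": 2.0, "ttl": 64.0, "proto": "tcp"},
    {"duration": 5.0, "packets": 10.0, "idle": 1.0, "ttl": 64.0, "proto": "udp"},
]


def one_hot_encode(flows):
    """Replace every string-valued feature by indicator columns named "feature=value"."""
    string_keys = sorted({k for f in flows for k, v in f.items() if isinstance(v, str)})
    levels = {k: sorted({f[k] for f in flows}) for k in string_keys}
    encoded = []
    for f in flows:
        row = {k: float(v) for k, v in f.items() if k not in string_keys}
        for k in string_keys:
            for level in levels[k]:
                row[f"{k}={level}"] = 1.0 if f[k] == level else 0.0
        encoded.append(row)
    return encoded


def pearson(xs, ys):
    """Pearson correlation coefficient r of two equally long value sequences.
    A constant sequence makes the denominator zero (r undefined); such a feature
    carries no information, so this example returns 0.0 and the threshold drops it."""
    n = len(xs)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    cov = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mean_x) ** 2 for x in xs))
    sy = math.sqrt(sum((y - mean_y) ** 2 for y in ys))
    if sx == 0.0 or sy == 0.0:
        return 0.0
    return cov / (sx * sy)


def feature_scores(encoded):
    """Score each feature by the mean |r| against every other feature.
    The patent only says r is computed between each feature and the other features;
    taking the mean of the absolute pairwise values is this example's assumption."""
    names = sorted(encoded[0])
    columns = {k: [row[k] for row in encoded] for k in names}
    scores = {}
    for a in names:
        others = [abs(pearson(columns[a], columns[b])) for b in names if b != a]
        scores[a] = sum(others) / len(others) if others else 0.0
    return scores


def select_features(flows, threshold=0.078):
    """Step E end to end: one-hot encode, score, sort descending and keep the
    features whose score exceeds the threshold (0.078 in the embodiment).
    Returns (name, score) pairs in descending order."""
    ranked = sorted(feature_scores(one_hot_encode(flows)).items(),
                    key=lambda kv: (-kv[1], kv[0]))
    return [(name, score) for name, score in ranked if score > threshold]
```

On the toy data "duration", "packets" and "idle" are perfectly (anti)correlated with each other and score about 0.515, the two "proto=" indicator columns score about 0.373, and the constant "ttl" column scores 0 and is removed.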
Step F. Real-time intrusion detection:
Feed the online intrusion sample set D_online into the intrusion detection model trained in step C
Figure BDA0003729997560000115
to obtain the classification prediction probabilities (logits) of each record in the online intrusion sample set D_online, and judge the type of each sample in D_online according to the prediction probabilities, specifically as follows:
if the sample is classified as a normal sample, continue real-time intrusion detection on the other samples in the sample set D_online;
if the sample is classified as a sample of a known abnormal class, feed the sample back to an administrator for further analysis and, at the same time, continue real-time intrusion detection on the other samples in the sample set D_online;
if the sample is classified as a sample of an unknown class, judge manually whether the sample is usable; if it is not usable, continue real-time intrusion detection on the other samples in the sample set D_online; if it is usable, proceed to the next step to prepare for data labelling, i.e. execute step G.
Step G. Manually label the data
When the online intrusion detection result is an unknown-class sample and the sample is usable, the label of the unknown-class sample is assigned manually according to the information recorded for the usable sample data, and the unknown-class sample set D_unknown is constructed:
D_unknown = {X_1, X_2, ..., X_m},
where m is the number of classes of the unknown-class samples and X_m is the set of all unknown-class samples whose class is m.
Step H. Construct a representative sample set D_known of the known classes:
D_known = {D_t, D_f, D_r},
where D_t is the set of data samples that are classified correctly on the classification model to be expanded and have the top 1% of scores, D_f is the set of all data samples misclassified on the classification model to be expanded, and D_r is a randomly selected set of 1% of the remaining known-class samples.
Step I. Construct the incremental sample set D_new for the subsequent online update of the model:
D_new = {D_known, D_unknown}, i.e.:
D_new = {X_1, X_2, ..., X_n, X_{n+1}, X_{n+2}, ..., X_{n+m}},
where n and m are the number of classes of the known-class samples and the unknown-class samples respectively,
Figure BDA0003729997560000121
X_{n+m} = {(x_j, y_j), 1 ≤ j ≤ M, y_j ∈ [1, 2, ..., m]},
where
Figure BDA0003729997560000122
are the sample features and sample labels of the known-class samples respectively, N is the number of samples in the known-class sample set, x_i and y_i are the sample features and sample labels of the unknown-class samples respectively, and M is the number of samples in the unknown-class sample set.
At this point the incremental sample set for the subsequent update of the online extended model has been constructed.
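Steps F to I (the detection decision, the manually labelled unknown set, the representative known set D_known = {D_t, D_f, D_r} and the incremental set D_new) as one added pure-Python example; this is not the patent's own code. The detection records are constructed, the class names in KNOWN_CLASSES are invented, class indices are zero-based (the patent numbers classes from 1), treating a low maximum score as "classified as unknown class" is an assumption since the page does not say how that verdict is produced, and taking at least one sample for D_t and D_r when 1% rounds down to zero is an assumption for small sets.

```python
import random

# Known classes of the constructed toy model (assumption): index 0 is normal traffic.
KNOWN_CLASSES = ["normal", "dos", "portscan"]        # n = 3 known classes


def triage(scores, unknown_threshold=0.6):
    """Step F decision for one record. `scores` are the model's per-known-class
    prediction scores. Returns (verdict, predicted_class_index).
    Treating a low maximum score as "classified as unknown class" is an assumption;
    the patent only states that such samples go to manual review."""
    best = max(range(len(scores)), key=lambda i: scores[i])
    if scores[best] < unknown_threshold:
        return "unknown", best            # manual judgement, then step G if usable
    if best == 0:
        return "normal", best             # keep scanning D_online
    return "known_abnormal", best         # feed back to the administrator, keep scanning


def make_sample_records(count=200):
    """Constructed detection results (not real traffic): every 25th record is
    misclassified and the prediction score cycles through 0.50 .. 0.99."""
    records = []
    for i in range(count):
        label = i % len(KNOWN_CLASSES)
        pred = (label + 1) % len(KNOWN_CLASSES) if i % 25 == 0 else label
        records.append({"id": i, "features": [float(i), float(i % 7)],
                        "label": label, "pred": pred,
                        "score": round(0.5 + (i % 50) / 100, 2)})
    return records


def build_known_representatives(records, frac=0.01, seed=0):
    """Step H: D_known = {D_t, D_f, D_r}.
    D_t: correctly classified samples with the top 1% of scores,
    D_f: every misclassified sample,
    D_r: a random 1% of the remaining known-class samples."""
    correct = [r for r in records if r["pred"] == r["label"]]
    wrong = [r for r in records if r["pred"] != r["label"]]
    k_top = max(1, int(len(correct) * frac))          # at least one: assumption
    d_t = sorted(correct, key=lambda r: -r["score"])[:k_top]
    d_f = list(wrong)
    taken = {r["id"] for r in d_t} | {r["id"] for r in d_f}
    remaining = [r for r in records if r["id"] not in taken]
    k_rand = max(1, int(len(remaining) * frac))       # at least one: assumption
    d_r = random.Random(seed).sample(remaining, k_rand)
    return {"D_t": d_t, "D_f": d_f, "D_r": d_r}


def build_incremental_set(d_known, d_unknown, n_known):
    """Step I: D_new = D_known ∪ D_unknown, with unknown class j (0 .. m-1)
    relabelled as n+j so the extended model sees n+m distinct classes."""
    d_new = [(r["features"], r["label"]) for part in d_known.values() for r in part]
    d_new += [(r["features"], n_known + r["label"]) for r in d_unknown]
    return d_new
```

With 200 constructed records, D_f holds the 8 misclassified ones, D_t and D_r hold one sample each, and three manually labelled unknown samples of two new classes give a 13-sample D_new whose labels span 0 to 4 (n + m = 5 classes).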
Step J. Referring to FIG. 3, construct the extended classification network model. The model has 37124 trainable parameters. Its input is a one-dimensional 18 × 1 matrix, which passes through the one-dimensional separable convolutional layer separable_conv1d_1, the max-pooling layer max_pooling1d_5, the transition layer flatten_1, the max-pooling layer max_pooling1d_17, the fully connected layer dense_4, the dropout layer dropout_9 and the fully connected layer dense_5; the final output is a 1 × 1 matrix representing the prediction score of the sample. All separable one-dimensional convolutional layers use 'same' padding, all activation functions are ReLU, the max-pooling size is 2, the dropout rate is 0.5, and the fully connected layers use a sigmoid activation function.
Step K. Using the incremental sample set D_new and the loss function L, train the extended classification network model to obtain the online-updated intrusion detection model capable of detecting the known and unknown classes
Figure BDA0003729997560000131
where the subscript new indicates that the model has been updated and θ_new denotes the neural network model parameters; then use the online-updated intrusion detection model
Figure BDA0003729997560000132
to replace
Figure BDA0003729997560000133
thereby updating the model and completing real-time intrusion detection.
The classification model to be expanded and the extended classification model constructed by the invention can be replaced by any deep learning network structure, such as a convolutional neural network, a ResNet residual network or the deep convolutional network VGG-Net, but it must be ensured that the number of parameters of the extended classification model is smaller than that of the classification model to be expanded. For the network sniffing step (step D), the sniffing part of CICFlowMeter may be replaced by other network traffic sniffers such as Sniffer and Wireshark. CICFlowMeter can itself extract the flow features of the captured packets, is more efficient than the alternatives, and achieves efficient data mining.
Parts of the invention that are not described in detail belong to the common general knowledge of those skilled in the art.
While the invention has been particularly shown and described with reference to a preferred embodiment, it will be understood by those skilled in the art that various changes in form and detail may be made therein without departing from the spirit and scope of the invention.

Claims (8)

1. An online adaptive intrusion detection method based on incremental learning, comprising the following steps:
(1) preprocessing the original data set:
obtaining a public intrusion detection data set from the network as the initial known-class sample set, extracting the features and label of each data record, removing part of the invalid data, grouping the remaining data records by label, one-hot encoding the character-type features, producing a binary file sample set containing the data, the labels and an index list, and dividing the data in the file sample set into two parts, an initial known-class training set D_old and a verification set D_valid;
D_old = {X_1, X_2, ..., X_n},
D_valid = {T_1, T_2, ..., T_n},
where n is the number of classes of the initial known-class samples, and X_n and T_n represent all the initial known-class training samples and verification samples of the n-th class respectively;
(2) building the classification network model to be expanded:
using a spatio-temporal network structure in which a one-dimensional convolutional neural network and a long short-term memory neural network are connected in series, building a classification network model to be expanded that consists, in order, of two first one-dimensional convolutional layers conv1d, a first max-pooling layer max_pooling_1, a second one-dimensional convolutional layer conv1d_2, a second max-pooling layer max_pooling_2, a long short-term memory layer lstm, a dropout layer dropout and a first fully connected layer dense_1, taking a one-dimensional 18 × 1 matrix as input and outputting a 1 × 1 matrix representing the sample-type prediction score;
(3) using the initial known-class sample training set D_old and the cross-entropy loss function L_c to train the classification network model to be expanded and obtain an intrusion detection model capable of detecting the known classes, while using the initial known-class verification set D_valid to monitor the state and convergence of the model during training and adjusting the hyperparameters according to the monitoring results to optimise the training effect, thereby obtaining the trained intrusion detection model
Figure FDA0003729997550000011
(4) capturing data records in the network in real time with the Realtime module of the traffic feature extraction tool CICFlowMeter, removing part of the invalid data records, parsing the valid data records to obtain 50-80 data features, and storing the data features;
(5) performing feature extraction on the data features obtained in step (4), and obtaining the online intrusion detection sample set D_online from the combination of extracted features;
(6) real-time intrusion detection:
feeding the online intrusion sample set D_online into the intrusion detection model trained in step (3)
Figure FDA0003729997550000021
and judging, according to the model prediction result, the type of each sample in the online intrusion detection sample set D_online, as follows:
if the sample is classified as a normal sample, continuing real-time intrusion detection on the other samples in the sample set D_online;
if the sample is classified as a sample of a known abnormal class, feeding the sample back to an administrator for further analysis and, at the same time, continuing real-time intrusion detection on the other samples in the sample set D_online;
if the sample is classified as a sample of an unknown class, judging manually whether the sample is usable; if it is not usable, continuing real-time intrusion detection on the other samples in the sample set D_online; if the judgement is that the data are usable, executing step (7);
(7) manually labelling the unknown-class samples according to the information of the usable sample data records, and constructing the unknown-class sample set D_unknown:
D_unknown = {X_1, X_2, ..., X_m},
where m is the number of classes of the unknown-class samples and X_m is the set of all unknown-class samples whose class is m;
(8) selecting representative samples from the initial known-class sample set to construct the known-class sample set D_known:
D_known = {D_t, D_f, D_r},
where D_t is the set of data samples that are classified correctly on the classification model to be expanded and have the top 1% of scores, D_f is the set of all data samples misclassified on the classification model to be expanded, and D_r is a randomly selected set of 1% of the remaining known-class samples;
(9) constructing the incremental sample set D_new for the subsequent online update of the model:
Figure FDA0003729997550000031
where n and m represent the number of classes of the known-class samples and the unknown-class samples respectively;
Figure FDA0003729997550000032
X_{n+m} = {(x_j, y_j), 1 ≤ j ≤ M, y_j ∈ [1, 2, ..., m]},
where
Figure FDA0003729997550000033
are the sample features and sample labels of the known-class samples respectively, N is the number of samples in the known-class sample set, x_i and y_i represent the sample features and sample labels of the unknown-class samples respectively, and M is the number of samples in the unknown-class sample set;
(10) building the extended classification network model:
building an extended classification network model that consists, in order, of a one-dimensional separable convolutional layer separable_conv1d, a first max-pooling layer max_pooling_1, a transition layer flatten, a second fully connected layer dense_2, a dropout layer dropout and a first fully connected layer dense_1, and feeding a one-dimensional 18 × 1 matrix into the extended classification network model to obtain a 1 × 1 matrix representing the sample-type prediction score;
(11) using the incremental sample set D_new and the loss function L to train the extended classification network model and obtain the online-updated intrusion detection model capable of detecting the known and unknown classes
Figure FDA0003729997550000034
and using the online-updated intrusion detection model
Figure FDA0003729997550000035
to replace the intrusion detection model in step (6)
Figure FDA0003729997550000036
thereby completing real-time intrusion detection.
2. The method of claim 1, wherein: in step (2), all one-dimensional convolutional layers use 'same' padding, all activation functions are the linear rectification function ReLU, the pooling size of the max-pooling layers is 2, the long short-term memory layer has 128 hidden units, the dropout rate is 0.1, and the fully connected layer uses the sigmoid activation function.
3. The method of claim 1, wherein: the intrusion detection model in step (3)
Figure FDA0003729997550000037
can also be obtained by the following training:
(a) dynamically calculating the data traffic threshold θ:
Figure FDA0003729997550000041
where A is the sum of the data traffic between four and six o'clock in the morning on each of the 7 days before the current moment;
(b) comparing in real time the received data traffic τ of the data records captured in the network every hour in step (4) with the threshold θ; when τ < θ, all samples are taken as known-class samples and used to construct the initial training set D_old of known-class samples in step (1), and this sample set together with the cross-entropy loss function L_c is used to train the classification network model to be expanded, obtaining a well-trained intrusion detection model capable of detecting the known classes
Figure FDA0003729997550000042
4. The method of claim 1 or 3, wherein: the cross-entropy loss function L_c is defined as:
Figure FDA0003729997550000043
where y and
Figure FDA0003729997550000044
represent respectively the predicted class of the known sample obtained by the model and its real class.
5. The method of claim 1, wherein: the feature extraction in step (5) uses the Pearson correlation coefficient feature extraction method, comprising the following steps:
(5.1) one-hot encoding the character-type features, then calculating the Pearson correlation coefficient r between each feature and the other features, and setting a coefficient judgement threshold;
(5.2) sorting the correlation coefficients r in descending order, taking out the features whose correlation coefficient exceeds the judgement threshold, and producing the binary file online intrusion detection sample set D_online formed by combining those features.
6. The method of claim 5, wherein: the Pearson correlation coefficient r in step (5.1) is calculated according to the following formula:
Figure FDA0003729997550000045
where i ∈ [1, fnum] is the index of the sample feature value, fnum is the number of features of the sample set, x_i is the i-th feature value of the current sample, y_i is the other feature value of the current sample,
Figure FDA0003729997550000046
is the mean of the i-th feature value over all samples, and
Figure FDA0003729997550000047
is the mean of the other feature values over all samples.
7. The method of claim 1, wherein: in step (10), all separable one-dimensional convolutional layers use 'same' padding, all activation functions are the linear rectification function ReLU, the pooling size of the max-pooling layer is 2, the dropout rate is 0.5, and the fully connected layers use the sigmoid activation function.
8. The method of claim 1, wherein: the loss function L in step (11) is defined as:
L = λL_d + (1 − λ)L_c
where λ is a hyperparameter and L_d is the distillation loss function, defined as:
Figure FDA0003729997550000051
where N is the number of all samples and n + m is the number of all sample classes;
Figure FDA0003729997550000052
Figure FDA0003729997550000053
where
Figure FDA0003729997550000054
is the prediction score of the known-class samples on the extended model, q is the prediction score of the unknown-class samples on the extended model, and t is a hyperparameter.
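Claim 8 and the embodiment passage at the start of this section define the online-update loss L = λL_d + (1 − λ)L_c, but the formula images for L_d are not reproduced on this page. The following pure-Python block is an added example and not the patent's own code: it implements the standard temperature-softened distillation term (the old model's softened scores on the n known classes against the extended model's softened scores on the same n classes, with temperature t) together with the hard-label cross-entropy L_c, which is an assumption about the exact form of L_d; the class counts and logits in DEMO_BATCH are constructed.

```python
import math


def softmax(logits, t=1.0):
    """Softmax with temperature t; t > 1 flattens the distribution so that the
    smaller scores of the old model still carry information into the new model."""
    shift = max(logits)                      # subtract the max for numerical stability
    exps = [math.exp((z - shift) / t) for z in logits]
    total = sum(exps)
    return [e / total for e in exps]


def cross_entropy(probs, label):
    """Hard-label cross-entropy L_c for one sample; the clamp avoids log(0)."""
    return -math.log(max(probs[label], 1e-12))


def distillation_term(old_logits, new_logits, t):
    """L_d for one sample (assumed form): soft cross-entropy between the softened
    scores of the old model on the n known classes and the extended model's softened
    scores on those same n classes, i.e. the first n of its n+m outputs."""
    n = len(old_logits)
    p_old = softmax(old_logits, t)
    q_new = softmax(new_logits[:n], t)
    return -sum(p * math.log(max(q, 1e-12)) for p, q in zip(p_old, q_new))


def combined_loss(batch, lam=0.5, t=2.0):
    """L = λ L_d + (1 - λ) L_c, averaged over the batch.
    batch items: (old model logits over the n known classes,
                  extended model logits over the n+m classes,
                  integer label in 0 .. n+m-1)."""
    total = 0.0
    for old_logits, new_logits, label in batch:
        l_d = distillation_term(old_logits, new_logits, t)
        l_c = cross_entropy(softmax(new_logits), label)
        total += lam * l_d + (1.0 - lam) * l_c
    return total / len(batch)


# Constructed demonstration batch: n = 2 known classes, m = 1 new class.
DEMO_BATCH = [
    ([2.0, -1.0], [2.0, -1.0, -3.0], 0),   # known sample; extended model agrees with the old one
    ([-1.0, 2.0], [-1.0, 1.0, 4.0], 2),    # new-class sample; L_c pulls it toward class 2
]
```

With λ = 0 the loss collapses to plain cross-entropy on the n+m classes (no memory of the old model); with λ = 1 only the known-class behaviour is preserved and the new classes are never learned, which is why λ is tuned as a hyperparameter. When the extended model reproduces the old model's known-class scores exactly, L_d equals the entropy of the old model's softened distribution, its minimum for that target.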
CN202210790522.0A 2022-07-05 2022-07-05 Online adaptive intrusion detection method based on incremental learning Pending CN115130102A (en)

Publications (1)

Publication Number Publication Date
CN115130102A true CN115130102A (en) 2022-09-30

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116015932A (en) * 2022-12-30 2023-04-25 湖南大学 Intrusion detection network model generation method and data flow intrusion detection method
CN116582372A (en) * 2023-07-13 2023-08-11 深圳市前海新型互联网交换中心有限公司 Internet of things intrusion detection method, system, electronic equipment and storage medium
CN116582372B (en) * 2023-07-13 2023-09-26 深圳市前海新型互联网交换中心有限公司 Internet of things intrusion detection method, system, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination