CN115913643A - Network intrusion detection method, system and medium based on countermeasure self-encoder - Google Patents
- Publication number
- CN115913643A (application number CN202211282135.2A)
- Authority
- CN
- China
- Prior art keywords
- network
- encoder
- sample
- training
- data
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a network intrusion detection method, system and medium based on an adversarial autoencoder. The network intrusion detection method based on the adversarial autoencoder comprises the following steps: S101, inputting network traffic data into a trained adversarial autoencoder for dimensionality reduction to obtain low-dimensional data features; and S102, inputting the data features into a trained classifier to obtain the intrusion detection result corresponding to the network traffic data. The invention can convert a high-dimensional data distribution into low-dimensional data that conforms to a latent probability distribution, separate categories that are easily confused in the original data samples, improve detection efficiency, and reduce training and testing time, thereby realizing early intrusion detection of various network attacks including DDoS attacks.
Description
Technical Field
The invention belongs to intrusion detection technology in the field of network security, and particularly relates to a network intrusion detection method, system and medium based on an adversarial autoencoder.
Background
In recent years, communication between mobile computing devices has become increasingly common owing to the rapid growth in their number, the improved performance of communication devices and falling prices. However, mobile computing devices, which are important components of pervasive computing environments, face a variety of security threats. Among them, DDoS (Distributed Denial of Service) attacks are one of the most serious. With the development of network infrastructure, DDoS attacks are becoming more and more intense. The basic principle of a DDoS attack is to generate a very large volume of traffic and quickly exhaust the resources of the target system, such as network bandwidth and computing power. Defense mechanisms against DDoS attacks can be divided into four categories: defense, detection, mitigation and response. When a DDoS attack occurs, the first step in stopping it is detection, which should happen as early as possible. However, because the messages of a DDoS attack usually contain no malicious content, they are difficult to distinguish from normal traffic. In addition, attackers forge their source addresses and hide their locations, which makes DDoS attacks more complex. A DDoS attack detection scheme should ensure a short detection delay, a high detection rate and a low false alarm rate. Computational overhead should also be taken into account, because the detection engine (or module) must handle a large amount of real-time network traffic. Detection mechanisms fall mainly into two types. The first is misuse detection, which relies on predefined DDoS attack patterns (or signatures); pattern-based detection mechanisms, however, have difficulty detecting new intrusions. The second is anomaly detection, which focuses on comparing the normal and abnormal behavior of the system and can therefore detect unknown intrusions.
DDoS attacks that generate large amounts of traffic consume network bandwidth and system resources, so it is very important to detect them at an early stage. However, DDoS attack traffic data features are high-dimensional, large in scale and difficult to classify. To reduce computational overhead and improve classification accuracy, it is necessary to convert high-dimensional data distributions into low-dimensional data with a latent probability distribution. The traditional approach to dimensionality reduction is mainly Principal Component Analysis (PCA). However, PCA requires a KL divergence technique, which is time-consuming; moreover, the PCA transformation does not retain data information well and performs poorly on data with nonlinear dependence.
Disclosure of Invention
The technical problem to be solved by the invention is as follows: in view of the problems in the prior art, the invention provides a network intrusion detection method, system and medium based on an adversarial autoencoder, which can convert a high-dimensional data distribution into low-dimensional data conforming to a latent probability distribution, separate easily confused categories in the original data samples, improve detection efficiency and reduce training and testing time, thereby realizing early intrusion detection of various network attacks including DDoS attacks.
In order to solve the above technical problem, the invention adopts the following technical scheme:
A network intrusion detection method based on an adversarial autoencoder comprises the following steps:
S101, inputting network traffic data into a trained adversarial autoencoder for dimensionality reduction to obtain low-dimensional data features;
S102, inputting the data features into a trained classifier to obtain the intrusion detection result corresponding to the network traffic data.
Optionally, the adversarial autoencoder comprises an autoencoder and a generative adversarial network. The autoencoder comprises an encoder and a decoder: the encoder encodes the input network traffic data x into a low-dimensional code vector h, which serves both as the input of the decoder and as the low-dimensional data feature output by the adversarial autoencoder; the decoder decodes the low-dimensional code vector h in the training stage to obtain a reconstructed sample z, so that the optimal values of the network parameters of the autoencoder are obtained by optimizing on the reconstruction error between the network traffic data x and its reconstructed sample z, reducing that error. The generative adversarial network comprises a generator G and a discriminator D: in the training stage, the generator G synthesizes false samples from the input random noise Z for training the classifier, and the discriminator D, given an input false sample and the classification label y corresponding to the network traffic data x of the generated false sample, judges whether the sample comes from the generator G or from real data, so as to optimize the network parameters of the generator G.
Optionally, the functional expression of the encoder in the autoencoder is:
h=f(x)=A(Wx+b),
and the functional expression of the decoder in the autoencoder is:
z=g(h)=g(f(x))=A′(W′f(x)+b′),
wherein h represents the low-dimensional code vector, f(x) represents the result of applying the encoding function f of the encoder to the network traffic data x, A represents the activation function of the encoder, W represents the weight matrix of the encoder, and b represents the bias of the encoder; z represents the reconstructed sample, g(h) represents the result of applying the decoding function g of the decoder to the low-dimensional code vector h, A′ represents the activation function of the decoder, W′ represents the weight matrix of the decoder, and b′ represents the bias of the decoder.
Optionally, the reconstruction error between the network traffic data x and its reconstructed sample z is calculated as:
Loss(x,z)=||x-z||²,
where Loss(x,z) represents the loss function used by the autoencoder in the training stage, x represents the network traffic data, and z is the reconstructed sample.
Optionally, when the generative adversarial network is in the training stage, the objective function adopted by the discriminator D is:
the objective function adopted by the generative adversarial network is:
wherein D(x) represents the discrimination result of the discriminator D for the network traffic data x; P_r represents the true sample distribution of the network traffic data x; P_g represents the false sample distribution; G(x) is the false sample generated by the generator G for the network traffic data x; D(G(x)) represents the discrimination result of the discriminator D for G(x); the two expectation terms are the expected value over the true sample distribution of the network traffic data x and the expected value over the false sample distribution of the network traffic data x, respectively; min denotes the minimum and max denotes the maximum.
Optionally, step S101 is preceded by co-training the autoencoder and the generative adversarial network:
S201, training the autoencoder with network traffic data x as training samples to reduce the reconstruction error of the decoder;
S202, using the trained decoder, establishing the low-dimensional code vector h as the real training sample; first fixing the network parameters of the generator G, inputting the real training samples (the low-dimensional code vectors h) and the false samples generated by the generator G into the discriminator D, training the discriminating ability of the discriminator D and updating its network parameters; then fixing the network parameters of the discriminator D and having the generator G generate, from the input random noise Z, false samples that approximate the real training samples as closely as possible so as to deceive the discriminator D, thereby improving the generator G's ability to generate samples and updating the network parameters of the generator G.
Optionally, the random noise Z follows a specified prior distribution, and the specified prior distribution is one of a random distribution, a single Gaussian distribution, a Gaussian mixture distribution, and a Swiss roll distribution.
Optionally, in step S202, when the generator G generates from the input random noise Z false samples that approximate the real training samples as closely as possible to deceive the discriminator D, the discriminator D judges whether an input false sample is a real training sample based on a set confidence level, and the value of the set confidence level increases as the number of training iterations increases.
In addition, the invention also provides a network intrusion detection system based on the adversarial autoencoder, which comprises a microprocessor and a memory connected with each other, wherein the microprocessor is programmed or configured to execute the network intrusion detection method based on the adversarial autoencoder.
Furthermore, the invention also provides a computer-readable storage medium in which a computer program is stored, the computer program being programmed or configured to be executed by a microprocessor to carry out the foregoing network intrusion detection method based on the adversarial autoencoder.
Compared with the prior art, the invention mainly has the following advantages:
1. The method inputs network traffic data into a trained adversarial autoencoder for dimensionality reduction to obtain low-dimensional data features, and inputs the data features into a trained classifier to obtain the intrusion detection result corresponding to the network traffic data. It can convert a high-dimensional data distribution into low-dimensional data conforming to a latent probability distribution, separate easily confused classes in the original data samples, improve detection efficiency and reduce training and testing time, thereby realizing early intrusion detection of various network attacks including DDoS attacks.
2. The method inputs network traffic data into a trained adversarial autoencoder for dimensionality reduction to obtain low-dimensional data features, and inputs the data features into a trained classifier to obtain the intrusion detection result corresponding to the network traffic data. By combining the adversarial autoencoder with the classifier, it can detect various network attacks including DDoS attacks quickly and accurately, further reducing the risk of system intrusion.
Drawings
Fig. 1 is a schematic diagram of the basic flow of the method according to an embodiment of the present invention.
Fig. 2 is a schematic structural diagram of the adversarial autoencoder according to an embodiment of the present invention.
Fig. 3 is a schematic diagram of the working principle of the adversarial autoencoder in an embodiment of the present invention.
Fig. 4 is a schematic structural diagram of the generative adversarial network in an embodiment of the present invention.
Fig. 5 is an example of the training process of the adversarial autoencoder in an embodiment of the present invention.
Fig. 6 is an example of two prior distributions involved in an embodiment of the present invention.
Fig. 7 is a diagram illustrating the complete training process for the adversarial autoencoder and the classifier according to an embodiment of the present invention.
Detailed Description
As shown in fig. 1, the present embodiment provides a network intrusion detection method based on an adversarial autoencoder, including:
S101, inputting network traffic data into a trained adversarial autoencoder for dimensionality reduction to obtain low-dimensional data features;
S102, inputting the data features into a trained classifier to obtain the intrusion detection result corresponding to the network traffic data.
An autoencoder is an artificial neural network based on unsupervised learning in which the output layer has the same dimensions as the input layer; in other words, the number of output units in the output layer equals the number of input units in the input layer. An autoencoder copies data from input to output in an unsupervised manner, and is therefore sometimes referred to as a replicator neural network. It is mainly used for processing high-dimensional and complex data, and laid a theoretical foundation for the development of neural networks. Autoencoders are widely used in many fields, such as dimensionality reduction and outlier detection (anomaly detection). An autoencoder is composed of three components: an encoder, a code (the encoding result) and a decoder. The encoder is a feed-forward, fully connected neural network that compresses the input into a latent-space representation and encodes the input image into a compressed representation of reduced dimension, creating a low-dimensional version of the high-dimensional data that captures the most salient features of the data distribution. Once a layer is trained, its code is input to the next layer to better model the highly non-linear dependencies in the input. This paradigm focuses on reducing the dimensionality of the input data. The structure of an autoencoder is usually symmetric, and when there is more than one hidden layer, the number of hidden layers in the encoding stage is the same as in the decoding stage. Ideally, the data features generated by the autoencoder provide a better representation of the data points than the original data itself. The code (encoding result) part of the network contains a simplified representation of the input, which is fed to the decoder. The decoder, like the encoder, is a feed-forward network with a structure similar to that of the encoder.
The decoder network is responsible for reconstructing the input from the code back into its original dimensions. The hidden layer of an autoencoder typically has a smaller dimension than the input (known as an under-sampled or sparse autoencoder). As shown in fig. 2, the adversarial autoencoder in this embodiment includes an autoencoder and a generative adversarial network. The autoencoder includes an encoder and a decoder: the encoder encodes the input network traffic data x into a low-dimensional code vector h, which serves both as the input of the decoder and as the low-dimensional data feature output by the adversarial autoencoder; the decoder decodes the low-dimensional code vector h in the training stage to obtain a reconstructed sample z, so that the optimal values of the network parameters of the autoencoder are obtained by optimizing on the reconstruction error between the network traffic data x and its reconstructed sample z, reducing that error. The encoder and the decoder are network models commonly used in deep neural networks, and a suitable network model can be selected as needed. For example, as an optional implementation, the functional expression of the encoder in the autoencoder selected in this embodiment is:
h=f(x)=A(Wx+b),
and the functional expression of the decoder in the autoencoder is:
z=g(h)=g(f(x))=A′(W′f(x)+b′),
wherein h represents the low-dimensional code vector, f(x) represents the result of applying the encoding function f of the encoder to the network traffic data x, A represents the activation function of the encoder, W represents the weight matrix of the encoder, and b represents the bias of the encoder; z represents the reconstructed sample, g(h) represents the result of applying the decoding function g of the decoder to the low-dimensional code vector h, A′ represents the activation function of the decoder, W′ represents the weight matrix of the decoder, and b′ represents the bias of the decoder.
In this embodiment, the reconstruction error between the network traffic data x and the reconstructed sample z is calculated as:
Loss(x,z)=||x-z||²,
where Loss(x,z) represents the loss function used by the autoencoder in the training stage, x represents the network traffic data, and z is the reconstructed sample. Based on the reconstruction error between the network traffic data x and the reconstructed sample z, a back-propagation algorithm (e.g., gradient descent) may be used to obtain the optimal values of the network parameters of the autoencoder, reducing the reconstruction error between the network traffic data x and its reconstructed sample z (that is, forcing the output value to approximate the input value). Training an artificial neural network with back propagation to optimize its network parameters is a conventional method, so its implementation details are not described here.
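The encoder and decoder expressions and the reconstruction loss above can be exercised end to end, as an added example that is not code from the patent: a pure-Python autoencoder trained by gradient descent on constructed flow features, whose codes h then feed a classifier (steps S101 and S102). It assumes sigmoid for both A and A′, leaves out the adversarial training of the generator and discriminator, and uses a nearest-centroid classifier as a stand-in for the SVM; all class and function names and the sample data are hypothetical.

```python
import math
import random

def sigmoid(v):
    return 1.0 / (1.0 + math.exp(-v))

def make_flows(rng, n_per_class):
    """Constructed data: 6 normalised per-flow features (e.g. packet rate,
    byte rate). Label 0 = benign (low values), 1 = flood-like (high values)."""
    flows, labels = [], []
    for label, centre in ((0, 0.2), (1, 0.8)):
        for _ in range(n_per_class):
            flows.append([min(1.0, max(0.0, rng.gauss(centre, 0.05)))
                          for _ in range(6)])
            labels.append(label)
    return flows, labels

class AutoEncoder:
    """Single-layer encoder and decoder, both with sigmoid activation."""

    def __init__(self, n_in, n_code, rng):
        # W, b: encoder weights and bias; W2, b2: decoder W' and b'.
        self.W = [[rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_code)]
        self.b = [0.0] * n_code
        self.W2 = [[rng.uniform(-0.5, 0.5) for _ in range(n_code)] for _ in range(n_in)]
        self.b2 = [0.0] * n_in

    def encode(self, x):            # h = f(x) = A(Wx + b)
        return [sigmoid(sum(w * v for w, v in zip(row, x)) + b)
                for row, b in zip(self.W, self.b)]

    def decode(self, h):            # z = g(h) = A'(W'h + b')
        return [sigmoid(sum(w * v for w, v in zip(row, h)) + b)
                for row, b in zip(self.W2, self.b2)]

    def loss(self, x):              # Loss(x, z) = ||x - z||^2
        z = self.decode(self.encode(x))
        return sum((a - c) ** 2 for a, c in zip(x, z))

    def train_step(self, x, lr):
        """One gradient-descent step on Loss(x, z) for a single sample."""
        h = self.encode(x)
        z = self.decode(h)
        # Gradient at the decoder pre-activation: 2(z - x) times the
        # sigmoid derivative z(1 - z).
        dz = [2.0 * (zi - xi) * zi * (1.0 - zi) for zi, xi in zip(z, x)]
        # Back-propagate through W' to the encoder pre-activation
        # (computed before W' is updated).
        dh = [sum(dz[i] * self.W2[i][j] for i in range(len(z))) * h[j] * (1.0 - h[j])
              for j in range(len(h))]
        for i, row in enumerate(self.W2):
            for j in range(len(h)):
                row[j] -= lr * dz[i] * h[j]
            self.b2[i] -= lr * dz[i]
        for j, row in enumerate(self.W):
            for k in range(len(x)):
                row[k] -= lr * dh[j] * x[k]
            self.b[j] -= lr * dh[j]

def mean_loss(model, flows):
    return sum(model.loss(x) for x in flows) / len(flows)

def fit_centroids(codes, labels):
    """Stand-in classifier: one centroid per class in code space."""
    centroids = {}
    for label in set(labels):
        members = [c for c, l in zip(codes, labels) if l == label]
        centroids[label] = [sum(col) / len(members) for col in zip(*members)]
    return centroids

def classify(centroids, code):
    return min(centroids,
               key=lambda l: sum((a - b) ** 2 for a, b in zip(code, centroids[l])))

def run_demo(seed=7, epochs=300, lr=0.5):
    rng = random.Random(seed)
    train_x, train_y = make_flows(rng, 30)
    test_x, test_y = make_flows(rng, 30)
    model = AutoEncoder(n_in=6, n_code=2, rng=rng)
    before = mean_loss(model, train_x)
    order = list(range(len(train_x)))
    for _ in range(epochs):
        rng.shuffle(order)
        for idx in order:
            model.train_step(train_x[idx], lr)
    after = mean_loss(model, train_x)
    # S101: reduce each flow to its 2-dimensional code h.
    centroids = fit_centroids([model.encode(x) for x in train_x], train_y)
    # S102: classify held-out flows from their codes only.
    hits = sum(classify(centroids, model.encode(x)) == y
               for x, y in zip(test_x, test_y))
    return before, after, hits / len(test_x)

if __name__ == "__main__":
    before, after, accuracy = run_demo()
    print(f"reconstruction loss {before:.4f} -> {after:.4f}, accuracy {accuracy:.2f}")
```

The classifier only ever sees the two-dimensional code h, so its accuracy on the held-out flows shows whether the reduced representation still separates the classes.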
The autoencoder is an artificial neural network based on unsupervised learning; it has advantages such as low computational cost and high interpretability, and can perform feature selection. However, the performance of an autoencoder is not as good as that of an artificial neural network trained by supervised learning, and particularly when the number of layers is too large, reconstructing the input may not be an ideal method for obtaining general target features. For this reason, the present embodiment introduces a generative adversarial network to optimize the encoder in the autoencoder.
As shown in fig. 4, the generative adversarial network in this embodiment includes a generator G and a discriminator D. In the training stage, the generator G synthesizes false samples from the input random noise Z for training the classifier, and the discriminator D, given an input false sample and the classification label y corresponding to the network traffic data x of the generated false sample, judges whether the sample comes from the generator G or from real data, so as to optimize the network parameters of the generator G and obtain their optimal values. The two models, generator G and discriminator D, produce the desired output by learning through a game against each other. The generative model takes noise randomly sampled from the latent space as input, and its output needs to be as close to a real sample as possible; the discriminative model takes as input samples from the predefined distribution and the false samples output by the generative model, and aims to distinguish true samples from false ones. The two models compete and their parameters are updated continuously: the generator G keeps improving its ability to generate realistic samples, the discriminator D keeps improving its discriminating ability, and the final goal is that the discriminator D cannot distinguish real data from generated data. In the discrimination network, the discriminator D examines the input data to identify whether it comes from the coding layer of the autoencoder or from the real distribution function, and the encoder deceives the discriminator through continued training and parameter updates, making true and false hard to tell apart.
Since the original generative adversarial network cannot make good use of label information, in the generative adversarial network of this embodiment a one-hot encoded input representing the classification label y corresponding to the network traffic data x is additionally supplied to the discriminator D, so that the label information is fully used to optimize the network parameters of the generator G.
In this embodiment, when the generative adversarial network is in the training stage, the objective function adopted by the discriminator D is:
the objective function adopted by the generative adversarial network is:
wherein D(x) represents the discrimination result of the discriminator D for the network traffic data x; P_r represents the true sample distribution of the network traffic data x; P_g represents the false sample distribution; G(x) is the false sample generated by the generator G for the network traffic data x; D(G(x)) represents the discrimination result of the discriminator D for G(x); the two expectation terms are the expected value over the true sample distribution of the network traffic data x and the expected value over the false sample distribution of the network traffic data x, respectively; min denotes the minimum and max denotes the maximum.
Training the generative adversarial network model requires only back propagation; repeated sampling of a Markov chain is not needed, the problem of approximate probability calculation is avoided, and the model can be combined with many existing neural network algorithms. However, because the generative adversarial network has no loss function, its degree of freedom is large, it is difficult to determine whether progress is being made during training, and collapse is likely to occur. In addition, the generator G and the discriminator D of the generative adversarial network are trained separately and are therefore difficult to keep in step, so one model can easily be trained too fast and affect the other. To solve these problems, the present embodiment trains the autoencoder and the generative adversarial network together. Specifically, the present embodiment further includes, before step S101, co-training the autoencoder and the generative adversarial network:
S201, training the autoencoder with network traffic data x as training samples to reduce the reconstruction error of the decoder;
S202, as shown in fig. 5, using the trained decoder, establishing the low-dimensional code vector h as the real training sample; first fixing the network parameters of the generator G, inputting the real training samples (the low-dimensional code vectors h) and the false samples generated by the generator G into the discriminator D, training the discriminating ability of the discriminator D and updating its network parameters; then fixing the network parameters of the discriminator D and having the generator G generate, from the input random noise Z, false samples that approximate the real training samples as closely as possible so as to deceive the discriminator D, thereby improving the generator G's ability to generate samples and updating the network parameters of the generator G.
For the classification label y of the false samples, samples generated in the zeroth generation are marked 0, samples generated in the first generation are marked 1, and so on. In the initial stage of model training, a false sample can always be matched to its label, whereas the encoding of the real data has no strict correspondence with the classification label y. As training iterations progress, the aggregated posterior distribution q(z) and the labels slowly develop such a correspondence. The functional expression of the aggregated posterior distribution q(z) is:
q(z)=∫_x q(z|x) p_d(x) dx,
where q(z|x) denotes the encoding function of the encoder and p_d(x) denotes the data distribution of the network traffic data x. In this embodiment, the random noise Z follows a specified prior distribution p(z), which may be selected as required from a random distribution (uniform), a single Gaussian distribution, a Gaussian mixture distribution, and a Swiss roll distribution, as shown in fig. 6, where (a) and (b) are image examples of two prior distributions. In the intrusion detection process, we want the sample points x of each class to be independent of each other and to obey a known prior distribution p(z), which makes classification easier for the classifier. In step S202, when the generator G generates false samples that approximate the real training samples as closely as possible to deceive the discriminator D, the discriminator D judges whether an input false sample is a real training sample based on a set confidence level, and the value of the set confidence level increases as the number of training iterations increases. The adversarial autoencoder (SAAE) in this embodiment ties the discriminator model of the generative adversarial network to the coding layer of the autoencoder. Initially, because the generator model is poor at producing convincing fakes, the discriminator D gives low confidence to the code vector and high confidence to the true sample. The autoencoder updates its parameters according to the feedback given by the discriminator D, and learns through continued training to deceive the discriminator D. After a number of iterations, the generator G can finally produce samples that match the known prior distribution p(z) and that the discriminator D therefore cannot distinguish.
Taking a DDoS attack data set as an example, the method further includes, before step S101, the complete process of co-training the countermeasure autoencoder (SAAE) composed of the autoencoder and the generation countermeasure network, including:
S301, performing preprocessing (including filling in missing values, eliminating abnormal values and the like) and standardization (normalization) on the DDoS attack data set to generate the preprocessed data (training samples of network traffic data x);
S302, dividing the preprocessed data into a training set and a test set;
S303, using the training set to train the countermeasure autoencoder (SAAE) composed of the autoencoder and the generation countermeasure network;
S304, using the test set to test the countermeasure autoencoder (SAAE) composed of the autoencoder and the generation countermeasure network, and jumping to S305 if the test accuracy meets the requirement;
S305, training a classifier, and inputting the DDoS attack data to be detected into the trained classifier to obtain the intrusion detection result of the DDoS attack data, namely the classification label y.
In this embodiment, step S102 inputs the data features into the trained classifier to obtain the intrusion detection result corresponding to the network traffic data. The classifier may be a single classifier, or several classifiers may vote on their classification results (majority rule) to obtain the final result. Any of the common existing machine-learning classifiers may be used as required; for example, as an optional implementation, this embodiment uses a Support Vector Machine (SVM) for classification, so as to evaluate whether the Linux system is under a DDoS attack at a given time and then take corresponding measures.
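The pipeline described above (S301 to S305, with the S201/S202 co-training inside S303) can be sketched end to end as follows; this is an added example, not code from the patent, and what the page calls a countermeasure self-encoder is an adversarial autoencoder. Assumptions: constructed two-class flow features, A = tanh with a linear decoder, a uniform prior on [-1, 1]^2, the encoder acting as the generator with prior samples labelled real (as in the description of the discriminator's feedback to the encoder), a logistic discriminator, a nearest-centroid classifier standing in for the SVM, and hypothetical function names throughout.

```python
import numpy as np

def make_flows(rng, n=200, d=6):
    """Constructed two-class flow features (benign vs. flood); not real traffic."""
    X = np.vstack([rng.normal(-1.5, 1.0, (n, d)), rng.normal(1.5, 1.0, (n, d))])
    y = np.repeat([0, 1], n)
    idx = rng.permutation(2 * n)
    tr, te = idx[:300], idx[300:]                      # S302: train/test split
    X = (X - X[tr].mean(0)) / X[tr].std(0)             # S301: standardize on train stats
    return X[tr], y[tr], X[te], y[te]

def sigmoid(a):
    return 1.0 / (1.0 + np.exp(-a))

def feats(u):
    return np.hstack([u, u * u])   # codes and their squares: location and spread

def train_aae(X, code_dim=2, epochs=600, lr=0.01, lr_adv=0.005, seed=0):
    rng = np.random.default_rng(seed)
    n, d = X.shape
    W, b = rng.normal(0, 0.1, (d, code_dim)), np.zeros(code_dim)   # encoder
    W2, b2 = rng.normal(0, 0.1, (code_dim, d)), np.zeros(d)        # decoder
    v, c = np.zeros(2 * code_dim), 0.0                             # discriminator D
    losses = []
    for _ in range(epochs):
        # S201: reconstruction step on Loss(x, z) = ||x - z||^2
        h = np.tanh(X @ W + b)
        err = h @ W2 + b2 - X
        losses.append(float((err ** 2).sum(1).mean()))
        dz = 2 * err / n
        da = (dz @ W2.T) * (1 - h ** 2)
        W2 -= lr * (h.T @ dz)
        b2 -= lr * dz.sum(0)
        W -= lr * (X.T @ da)
        b -= lr * da.sum(0)
        # S202, first half: encoder fixed, update D (prior samples -> 1, codes -> 0)
        h = np.tanh(X @ W + b)
        F = feats(np.vstack([rng.uniform(-1, 1, h.shape), h]))
        g = (sigmoid(F @ v + c) - np.r_[np.ones(n), np.zeros(n)]) / (2 * n)
        v -= lr * (F.T @ g)
        c -= lr * g.sum()
        # S202, second half: D fixed, update encoder so its codes score as prior samples
        p = sigmoid(feats(h) @ v + c)
        dh = ((p - 1) / n)[:, None] * (v[:code_dim] + 2 * h * v[code_dim:])
        da = dh * (1 - h ** 2)
        W -= lr_adv * (X.T @ da)
        b -= lr_adv * da.sum(0)
    return {"W": W, "b": b, "losses": losses}

def encode(model, X):
    """S101: low-dimensional features h = A(Wx + b), with A = tanh (assumed)."""
    return np.tanh(X @ model["W"] + model["b"])

def centroid_accuracy(model, Xtr, ytr, Xte, yte):
    """S102, with nearest-centroid standing in for the page's SVM."""
    Htr, Hte = encode(model, Xtr), encode(model, Xte)
    cents = np.stack([Htr[ytr == k].mean(0) for k in (0, 1)])
    pred = np.linalg.norm(Hte[:, None, :] - cents[None], axis=2).argmin(1)
    return float((pred == yte).mean())

def run_demo():
    Xtr, ytr, Xte, yte = make_flows(np.random.default_rng(1))
    model = train_aae(Xtr)
    return model["losses"], centroid_accuracy(model, Xtr, ytr, Xte, yte), encode(model, Xte)

if __name__ == "__main__":
    losses, acc, codes = run_demo()
    print(f"loss {losses[0]:.2f} -> {losses[-1]:.2f}, held-out accuracy {acc:.2f}")
```

The standardization statistics are fitted on the training split only, so the held-out accuracy is not inflated by test-set leakage.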
In summary, the countermeasure autoencoder (SAAE) in this embodiment uses the idea of the genetic neural network to accurately approximate the latent feature space under an arbitrary prior, and is mainly applied to unsupervised learning, data dimensionality reduction and the like. Compared with traditional feature selection, the method reduces computational cost. The countermeasure autoencoder adopted in this embodiment combines the ideas of the traditional autoencoder and the generation countermeasure network, and converts the autoencoder into a generative model. In such autoencoders, adversarial regularization makes the distribution of the encoding match a prior distribution, such as a multivariate standard normal distribution, which reduces the amount of information the encoding can contain, forces the model to learn an effective representation of the encoded data, and counteracts the degradation in detection performance caused by reduced reconstruction errors for outliers during autoencoder training. Compared with the traditional automatic analysis system, the countermeasure autoencoder adopted in this embodiment has the advantage that the approximate distribution of the hidden layer can be influenced, and the countermeasure autoencoder is allowed to learn extra variance that does not exist in the training data, so that it is less prone to overfitting. Intrusion detection technology is one of the most important security measures of an operating system; it can effectively detect potential attacks against the system, give early warning and take corresponding protective measures. With the continuous development and diversification of attack methods, conventional intrusion detection technology can no longer meet current requirements.
New generation artificial intelligence techniques such as deep learning have been applied to different fields and have achieved considerable results. The deep neural network has the characteristics of multiple parameters, nonlinearity and the like, and can well represent higher-level abstract features in data. The application of deep learning techniques to the field of intrusion detection is a necessary trend, and more essential attribute features in network traffic data can be found so as to improve the detection effect of an intrusion detection system. The method adopts the countermeasure self-encoder (SAAE) to carry out intrusion detection of the Linux system, and carries out dimension reduction processing on the system intrusion characteristics by using the countermeasure self-encoder, thereby improving the machine learning detection efficiency and simultaneously reducing the training and testing time, and is suitable for intrusion scenes with higher machine learning cost due to higher characteristic dimension.
It should be noted that, this embodiment is only an example of a DDos attack of a Linux system, and the attack type detectable by the method of this embodiment is not limited to the DDos attack, and different attack types can be detected according to the attack type used in the training phase; the method of the embodiment is not dependent on the specific operating system type, so the method can be also applied to other types of operating systems besides the Linux system, including a Windows operating system, a Mac operating system and the like.
In addition, the embodiment also provides a network intrusion detection system based on the countering self-encoder, which comprises a microprocessor and a memory which are connected with each other, wherein the microprocessor is programmed or configured to execute the network intrusion detection method based on the countering self-encoder.
Furthermore, the present embodiment also provides a computer-readable storage medium, in which a computer program is stored, the computer program being programmed or configured by a microprocessor to execute the foregoing network intrusion detection method based on a countering self-encoder.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-readable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein. The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks. These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks. 
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only a preferred embodiment of the present invention, and the protection scope of the present invention is not limited to the above embodiments, and all technical solutions belonging to the idea of the present invention belong to the protection scope of the present invention. It should be noted that modifications and embellishments within the scope of the invention may occur to those skilled in the art without departing from the principle of the invention, and are considered to be within the scope of the invention.
Claims (10)
1. A network intrusion detection method based on a countermeasure self-encoder, comprising:
S101, inputting network traffic data into a trained countermeasure self-encoder to perform dimensionality reduction so as to obtain low-dimensional data features;
S102, inputting the data features into a trained classifier to obtain an intrusion detection result corresponding to the network traffic data.
2. The method according to claim 1, wherein the countermeasure self-encoder comprises an automatic encoder and a generation countermeasure network, the automatic encoder comprises an encoder and a decoder, the encoder is used for encoding the input network traffic data x to generate a low-dimensional encoding vector h as an input of the decoder and a low-dimensional data characteristic output by the countermeasure self-encoder, the decoder is used for decoding the low-dimensional encoding vector h in a training phase to obtain a reconstruction sample z, and the optimal value of the network parameter of the automatic encoder is obtained according to the reconstruction error optimization between the network traffic data x and the reconstruction sample z to reduce the reconstruction error between the network traffic data x and the reconstruction sample z; the generation countermeasure network comprises a generator G and a discriminator D, wherein the generator G is used for synthesizing a false sample according to input random noise Z in a training stage to train a classifier, and the discriminator D is used for judging whether the false sample is from the generator G or real data to optimize network parameters of the generator G in the training stage according to the input false sample and a classification label y corresponding to network traffic data x of the generated false sample.
3. The method of claim 2, wherein the function expression of the encoder in the automatic encoder is:
h=f(x)=A(Wx+b),
the functional expression of the decoder in the automatic encoder is as follows:
z=g(h)=g(f(x))=A′(W′f(x)+b′),
wherein h represents a low-dimensional coding vector, f(x) represents the coding result of the coding function f of the encoder on network traffic data x, A represents the activation function of the encoder, W represents the weight matrix of the encoder, and b represents the bias of the encoder; z denotes a reconstructed sample, g(h) denotes the decoding result of the decoding function g of the decoder on the low-dimensional coding vector h, A′ denotes the activation function of the decoder, W′ denotes the weight matrix of the decoder, and b′ denotes the bias of the decoder.
4. The method of claim 3, wherein the computational function expression of the reconstruction error between the network traffic data x and its reconstructed samples z is:
$$\mathrm{Loss}(x,z)=\|x-z\|^{2},$$
in the above equation, Loss(x, z) represents the loss function used by the automatic encoder in the training phase, x represents network traffic data, and z is a reconstruction sample.
5. The method according to claim 4, wherein the objective function adopted by the discriminator D during the training phase is:
the objective function employed to generate the countermeasure network is:
wherein D(x) represents the result of the discrimination of the network traffic data x by the discriminator D, $P_r$ represents the true sample distribution of network traffic data x, $P_g$ represents the distribution of the false samples, G(x) is the false sample generated by the generator G for the network traffic data x, D(G(x)) represents the discrimination result of the discriminator D for G(x), representing the expected value within the true sample distribution of network traffic data x, and (4) representing an expected value in a false sample distribution range of the network traffic data x, wherein min is a minimum value, and max is a maximum value.
6. The countering self-encoder based network intrusion detection method according to claim 2, wherein the step S101 is preceded by co-training the automatic encoder and the generation countering network:
S201, training the automatic encoder with network traffic data x as training samples to reduce the reconstruction error of the decoder;
S202, establishing a low-dimensional coding vector h serving as a real training sample through the trained decoder; first fixing the network parameters of the generator G, inputting the real training sample of the low-dimensional coding vector h and a false sample generated by the generator G into the discriminator D, training the resolving power of the discriminator D and updating the network parameters of the discriminator D; then fixing the network parameters of the discriminator D, and using the generator G to generate, from the input random noise Z, false samples that are as close as possible to the real training samples so as to fool the discriminator D, thereby improving the ability of the generator G to generate samples and updating the network parameters of the generator G.
7. The countering autoencoder-based network intrusion detection method of claim 6, wherein the random noise Z is a specified prior distribution, the specified prior distribution being one of a random distribution, a single Gaussian distribution, a Gaussian mixture distribution, and a Swiss roll distribution.
8. The method according to claim 6, wherein when the generator G is used to generate the false samples for the input random noise Z to be close to the true training samples to the maximum extent in step S202 to trick the discriminator D, the discriminator D determines whether the false samples are the true training samples or not based on the set confidence level for the input false samples, and the value of the set confidence level increases with the increase of the training times.
9. A countering self-encoder-based network intrusion detection system, comprising a microprocessor and a memory which are connected to each other, characterized in that the microprocessor is programmed or configured to perform the countering self-encoder-based network intrusion detection method according to any one of claims 1 to 8.
10. A computer-readable storage medium having a computer program stored thereon, wherein the computer program is adapted to be programmed or configured by a microprocessor to perform the method of network intrusion detection based on countering self-encoders according to any one of claims 1-8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211282135.2A CN115913643A (en) | 2022-10-19 | 2022-10-19 | Network intrusion detection method, system and medium based on countermeasure self-encoder |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115913643A (en) | 2023-04-04 |
Family
ID=86484134
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117152564A (en) * | 2023-10-16 | 2023-12-01 | 苏州元脑智能科技有限公司 | Target detection method, target detection device, electronic equipment and storage medium |
CN117152564B (en) * | 2023-10-16 | 2024-02-20 | 苏州元脑智能科技有限公司 | Target detection method, target detection device, electronic equipment and storage medium |
CN117349774A (en) * | 2023-10-24 | 2024-01-05 | 重庆邮电大学 | Block chain abnormal transaction detection method based on big data |
CN117349774B (en) * | 2023-10-24 | 2024-07-05 | 中科医联(南京)健康科技有限公司 | Block chain abnormal transaction detection method based on big data |
CN117527449A (en) * | 2024-01-05 | 2024-02-06 | 之江实验室 | Intrusion detection method, device, electronic equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||