CN116506181A - Internet of vehicles intrusion detection method based on heterogeneous graph attention network - Google Patents

Info

Publication number: CN116506181A
Authority: CN (China)
Prior art keywords: internet, vehicles, intrusion detection, attention network, nodes
Legal status: Pending
Application number: CN202310476298.2A
Other languages: Chinese (zh)
Inventor: 任毅龙, 卢赫, 于海洋, 赵亚楠, 姜涵, 杨阳
Current Assignee: Beihang University
Original Assignee: Beihang University
Application filed by: Beihang University

Classifications

    • H04L63/1416 Event detection, e.g. attack signature detection
    • G06F18/23213 Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions with fixed number of clusters, e.g. K-means clustering
    • G06F18/2415 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on parametric or probabilistic models, e.g. based on likelihood ratio or false acceptance rate versus a false rejection rate
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/08 Learning methods
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L9/40 Network security protocols
    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • Y02T10/40 Engine management systems

Abstract

The invention discloses an Internet of Vehicles intrusion detection method based on a heterogeneous graph attention network. The method comprises: clustering the collected Internet of Vehicles flow data with the K-Means clustering algorithm; oversampling and normalizing the clustering result; extracting the source host IP address, the target host IP address and the key features from the normalized result and constructing a bipartite graph; learning the bipartite graph with a node-level attention network to obtain the final learned feature matrix of the key-feature nodes; learning the bipartite graph with a semantic-level attention network to determine the weight of each meta-path; constructing an intrusion detection model from the meta-path weights and the final learned feature matrix of the key-feature nodes corresponding to the semantic relations; and training and optimizing the model, inputting the Internet of Vehicles flow data to be detected into the optimized model, and predicting the intrusion category. By representing the data flows and their relationships as a graph, the invention can learn the underlying structure of adversarial attacks and prevents an adversarial attack from disabling the intrusion detection model by altering the flow data.

Description

Internet of vehicles intrusion detection method based on heterogeneous graph attention network
Technical Field
The invention relates to the field of intrusion detection for the Internet of Vehicles, and in particular to an Internet of Vehicles intrusion detection method based on a heterogeneous graph attention network.
Background
With the rapid development of the Internet of Things and the Internet of Vehicles, modern vehicles have gradually evolved into intelligent connected vehicles. However, the network connectivity and accessibility of intelligent connected vehicles increase their network attack surface. The connection between intelligent connected vehicles and external networks makes these vehicles vulnerable to various conventional network attacks and can lead to leakage of sensitive data. The leaked information may be used to commit crimes, threatening people's lives and property. It is therefore critical to develop an intrusion detection method that protects Internet of Vehicles systems and intelligent connected vehicles in the Internet of Vehicles environment.
In the prior art, intrusion detection is realized by classifying Internet of Vehicles traffic with supervised learning algorithms such as decision trees, random forests or support vector machines. While these models are generally highly accurate when trained and evaluated on traffic from the same network, they have great difficulty detecting changing data flows and are particularly vulnerable to adversarial attacks. An adversarial attack typically changes flow characteristics over time, for example by modifying packet sizes and inter-arrival times to avoid detection. This limitation is particularly evident for multi-flow attacks: detecting malicious behaviour such as port scanning, network scanning, distributed denial-of-service attacks and brute-force attacks usually requires a set of data flows to be analysed and correlated beforehand, so adversarial data constructed for an adversarial attack can more easily be fed into the machine learning model as if it were normal data and obtain a spoofed recognition result. Therefore, an Internet of Vehicles intrusion detection algorithm that can accurately identify adversarial attacks is needed to improve detection accuracy.
Disclosure of Invention
Based on the above needs of the prior art, the technical problem to be solved by the present invention is to provide an Internet of Vehicles intrusion detection method based on a heterogeneous graph, which learns and preserves the data flow records and their relationships and prevents an adversarial attack from disabling the intrusion detection model by altering the flow data.
To solve the above problem, the invention adopts the following technical solution:
An Internet of Vehicles intrusion detection method based on a heterogeneous graph attention network, comprising:
collecting Internet of Vehicles flow data and clustering it with the K-Means clustering algorithm; oversampling the clustering result to balance the Internet of Vehicles flow data; normalizing the balanced Internet of Vehicles flow data;
extracting the source host IP address, the target host IP address and the key features of the normalized Internet of Vehicles flow data; constructing a bipartite graph with the source host IP addresses, the target host IP addresses and the key features as its nodes;
learning the key-feature nodes under each meta-path in the bipartite graph with a node-level attention network to obtain a final learned feature matrix; learning each meta-path in the bipartite graph with a semantic-level attention network to determine the weight of each meta-path; constructing an intrusion detection model from the meta-path weights and the final learned feature matrix of the key-feature nodes corresponding to the semantic relations;
training the intrusion detection model with the categorical cross-entropy function as the loss function; optimizing the hyperparameters of the intrusion detection model with a particle swarm algorithm; inputting the Internet of Vehicles flow data to be detected into the optimized intrusion detection model and predicting the intrusion category.
Optionally, clustering the Internet of Vehicles flow data with the K-Means clustering algorithm includes:
the Internet of Vehicles flow data is clustered into k clusters by minimizing the sum of squared distances between all Internet of Vehicles flow data points and the centroids of their corresponding clusters, and the formula is as follows:
where $(x_1, \ldots, x_n)$ is the matrix obtained from the Internet of Vehicles flow data; $u_j$ is the centroid of cluster $C_k$, that is, the mean of all samples in $C_k$; and $n_k$ is the total number of sample points in cluster $C_k$.
Optionally, oversampling the clustering result to balance the Internet of Vehicles flow data includes:
for each instance X of a minority class in the Internet of Vehicles flow data, a sample $X_i$ is randomly selected from the k nearest neighbours of X, and the new synthetic instance $X_n$ is expressed as:
$X_n = X + \mathrm{rand}(0,1) \cdot (X_i - X), \quad i = 1, 2, \ldots, k$
where rand(0, 1) represents a random number in the range (0, 1).
Optionally, normalizing the balanced Internet of Vehicles flow data includes:
converting the string features in the Internet of Vehicles flow data into numerical features or one-hot encodings;
normalizing the converted Internet of Vehicles flow data with the Z-Score algorithm, where each normalized feature value $x_n$ is computed from the original feature value x, the mean μ of the feature values and the standard deviation σ of the feature values.
Optionally, the method further comprises:
the source host IP address and the target host IP address are uniformly encoded as 12-bit floating point numbers.
Optionally, learning the key-feature nodes under each meta-path in the bipartite graph with the node-level attention network to obtain the final learned feature matrix includes:
defining the initial hidden states of the bipartite graph nodes;
projecting the bipartite graph nodes into the same feature space according to the initial hidden states to obtain projected features;
learning the weight between node i and node j through a learning function;
normalizing the weights between the nodes with a softmax function to obtain weight coefficients;
processing the weight coefficients and the projected features of node j with a nonlinear activation function to obtain the learned feature matrix of node i;
repeating the above steps k times to obtain the final learned feature matrix of node i; and obtaining the key feature representation corresponding to each meta-path from the final learned feature matrix.
Optionally, learning each meta-path in the bipartite graph with the semantic-level attention network and determining the weight of each meta-path includes:
obtaining the importance of each meta-path, the formula being as follows:
where W is the weight matrix, $\Phi_t$ is a meta-path, b is the bias vector, q is the semantic-level trainable weight vector used to measure the similarity between the embedded representations under multiple meta-paths, and the node count in the formula is the number of all connected nodes;
determining the weight of meta-path $\Phi_t$ according to the formula.
Optionally, the intrusion detection model is constructed from the meta-path weights and the final learned feature matrix of the key-feature nodes corresponding to the semantic relations, and the formula is as follows:
Y=r(C)
where Y represents the predicted detection category; the other terms denote the weights of the meta-paths and the final learned feature matrix of the key-feature nodes; and $\Phi_t$ denotes the meta-path of the t-th group of semantic relations.
Optionally, optimizing the hyperparameters of the intrusion detection model with the particle swarm algorithm includes:
initializing each individual in the swarm with a position and a velocity;
updating the velocity of each particle based on its current best position and the current global best position shared with the other individuals, by the formula:
where the random coefficients follow continuous uniform distributions calculated from the acceleration constants;
after iterating a preset number of times, determining the global optimum of the particles.
A computer-readable storage medium on which a computer program is stored, the program being an Internet of Vehicles intrusion detection program based on a heterogeneous graph attention network which, when executed by a processor, implements the steps of the Internet of Vehicles intrusion detection method based on a heterogeneous graph attention network according to any one of the foregoing.
Compared with the prior art, the invention provides an Internet of Vehicles intrusion detection method based on a heterogeneous graph attention network in which the Internet of Vehicles flow data is represented as a bipartite graph. A graph constructed in this way correctly captures the topology of Internet of Vehicles attack flows, can distinguish the upstream and downstream traffic characteristics of associated flows, and at the same time represents the relationships between different flows connected to the same source or target host. After the flows and their relationships are represented as a graph, the underlying structure of attacks is learned with the heterogeneous graph attention network, yielding a model that is more robust against potential adversarial attacks. Node-level attention and semantic-level attention allow the importance of both nodes and meta-paths in the graph to be taken into account, and the method can be applied to large-scale heterogeneous graphs.
Drawings
To illustrate the embodiments of this specification or the technical solutions in the prior art more clearly, the drawings required for describing the embodiments or the prior art are briefly introduced below. The drawings described below are only some of the embodiments described in this specification, and a person of ordinary skill in the art may obtain other drawings from them.
FIG. 1 is a flow chart of the Internet of Vehicles intrusion detection method based on a heterogeneous graph attention network according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of the bipartite graph construction of the Internet of Vehicles intrusion detection method based on a heterogeneous graph attention network according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of the network structure of the Internet of Vehicles intrusion detection method based on a heterogeneous graph attention network according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments are described clearly and completely below with reference to the accompanying drawings. The described embodiments are some, but not all, of the embodiments of the present invention. All other embodiments obtained by those skilled in the art from the embodiments of the invention without inventive effort fall within the scope of the invention.
To facilitate understanding of the embodiments of the present invention, specific embodiments are described below with reference to the accompanying drawings; they are not intended to limit the scope of the invention.
This embodiment provides an Internet of Vehicles intrusion detection method based on a heterogeneous graph attention network which, as shown in FIG. 1, includes:
S1: collecting Internet of Vehicles flow data and clustering it with the K-Means clustering algorithm; oversampling the clustering result to balance the Internet of Vehicles flow data; and normalizing the balanced Internet of Vehicles flow data.
A data collection module is arranged in the central gateway of the intelligent connected vehicle to collect the Internet of Vehicles flow data from outside the vehicle.
If little Internet of Vehicles data is available, the CIC-IDS2017 dataset, which contains the latest attacks mixed with real-world traffic, may be used in place of the Internet of Vehicles flow data. The dataset is rich in flow features and attack types. Its malicious traffic is divided into 7 main attack types: brute-force attacks, the Heartbleed vulnerability, botnets, denial-of-service attacks, distributed denial-of-service attacks, infiltration attacks and Web attacks, covering 15 different attack sub-classes in total, and each flow record has 80 features in total.
In addition, the data is randomly split into an 80% training dataset and a 20% validation dataset in this example.
The captured Internet of Vehicles flow data is then preprocessed to speed up model training and improve the detection accuracy of the model.
Preferably, clustering the Internet of Vehicles flow data with the K-Means clustering algorithm includes:
the Internet of Vehicles flow data is clustered into k clusters by minimizing the sum of squared distances between all Internet of Vehicles flow data points and the centroids of their corresponding clusters, and the formula is as follows:
where $(x_1, \ldots, x_n)$ is the matrix obtained from the Internet of Vehicles flow data; $u_j$ is the centroid of cluster $C_k$, that is, the mean of all samples in $C_k$; and $n_k$ is the total number of sample points in cluster $C_k$.
After K-Means clustering, the Internet of Vehicles flow data is grouped into K clusters; the data in each cluster is randomly sampled and 10% of it is selected as the sampling subset.
In a real Internet of Vehicles environment, training a deep model on all network traffic data and tuning its hyperparameters many times can take a significant amount of time. K-Means clustering is therefore used to generate a high-quality subset of the original Internet of Vehicles flow data, which reduces the training complexity of the model and improves training efficiency.
Preferably, oversampling the clustering result to balance the Internet of Vehicles flow data includes:
for each instance X of a minority class in the Internet of Vehicles flow data, a sample $X_i$ is randomly selected from the k nearest neighbours of X, and the new synthetic instance $X_n$ is expressed as:
$X_n = X + \mathrm{rand}(0,1) \cdot (X_i - X), \quad i = 1, 2, \ldots, k$
where rand(0, 1) represents a random number in the range (0, 1).
In a real Internet of Vehicles system, normal network traffic usually far outweighs attack data, so the Internet of Vehicles flow data often suffers from class imbalance and the recall of the intrusion detection model is usually low. The embodiment of the present invention therefore uses the Synthetic Minority Oversampling Technique (SMOTE) to create high-quality instances for the minority classes and balance the Internet of Vehicles flow data. Unlike random sampling, which simply replicates instances and may lead to overfitting, SMOTE synthesizes high-quality instances based on the concept of KNN.
Preferably, normalizing the balanced Internet of Vehicles flow data includes:
first, because many deep learning algorithms cannot handle string features and some features in the Internet of Vehicles flow data are encoded as labels, the string features are converted into numerical features or one-hot encodings so that they can be fed to the deep learning algorithm;
however, because Internet of Vehicles flow data typically varies over a wide range, non-normalized data with different feature scales may lead to poor performance of the deep learning model. In this embodiment, the statistics of the Internet of Vehicles flow data, namely the mean and standard deviation of each numerical feature, are therefore calculated first, and the converted data is then normalized with the Z-Score algorithm, each normalized feature value $x_n$ being computed from the original feature value x, the mean μ of the feature values and the standard deviation σ of the feature values. With the Z-Score method the features are normalized to a mean of 0 and a standard deviation of 1, so that a deep learning model that would otherwise emphasize only the large-scale features performs better on the Internet of Vehicles flow data.
Furthermore, the attack category of each Internet of Vehicles flow record can be extracted and represented with one-hot encoding, which addresses the difficulty deep learning models have with categorical attribute data and also expands the features to some extent. These labels are used to evaluate the model constructed later, so that the parameters can be optimized according to the evaluation results and the accuracy of the model improved.
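The S1 preprocessing chain (10% sampling per K-Means cluster, SMOTE oversampling, Z-Score normalization) as an added example that is not part of the patent text. The flow records are constructed, the Z-Score step uses the standard definition x_n = (x - μ) / σ, and the farthest-point seeding of K-Means, the two chosen features and all function names are assumptions of this example.

```python
import math
import random

def kmeans(points, k, iters=10):
    """Lloyd's algorithm; each new seed is the point farthest from the seeds so far."""
    centroids = [list(points[0])]
    while len(centroids) < k:
        centroids.append(list(max(
            points, key=lambda p: min(math.dist(p, c) for c in centroids))))
    assign = []
    for _ in range(iters):
        assign = [min(range(k), key=lambda j: math.dist(p, centroids[j]))
                  for p in points]
        for j in range(k):
            members = [p for p, a in zip(points, assign) if a == j]
            if members:  # an empty cluster keeps its previous centroid
                centroids[j] = [sum(col) / len(members) for col in zip(*members)]
    return assign

def cluster_sample(rows, k, fraction, rng):
    """Randomly keep `fraction` of every K-Means cluster (at least one row each)."""
    assign = kmeans([x for x, _ in rows], k)
    subset = []
    for j in range(k):
        members = [r for r, a in zip(rows, assign) if a == j]
        if members:
            subset += rng.sample(members, max(1, round(fraction * len(members))))
    return subset

def smote(rows, minority, n_neighbors, rng):
    """Add synthetic rows X_n = X + rand(0,1) * (X_i - X) until `minority` is balanced."""
    minority_x = [x for x, y in rows if y == minority]
    if len(minority_x) < 2:
        raise ValueError("SMOTE needs at least two minority samples")
    counts = {}
    for _, y in rows:
        counts[y] = counts.get(y, 0) + 1
    out = list(rows)
    for _ in range(max(counts.values()) - counts[minority]):
        x = rng.choice(minority_x)
        neighbours = sorted((m for m in minority_x if m is not x),
                            key=lambda m: math.dist(x, m))[:n_neighbors]
        x_i = rng.choice(neighbours)  # one of the k nearest minority neighbours
        gap = rng.random()
        out.append(([a + gap * (b - a) for a, b in zip(x, x_i)], minority))
    return out

def zscore_fit(rows):
    """Per-feature mean and standard deviation of the rows passed in."""
    cols = list(zip(*(x for x, _ in rows)))
    mu = [sum(c) / len(c) for c in cols]
    sigma = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c))
             for c, m in zip(cols, mu)]
    return mu, [s or 1.0 for s in sigma]  # constant feature: avoid dividing by zero

def zscore_apply(rows, mu, sigma):
    """x_n = (x - mu) / sigma with statistics obtained from zscore_fit."""
    return [([(v - m) / s for v, m, s in zip(x, mu, sigma)], y) for x, y in rows]

def constructed_flows(rng):
    """Constructed sample: [average packet size, PSH flag count] per flow."""
    benign = [([rng.uniform(400, 600), rng.uniform(0, 5)], "benign") for _ in range(200)]
    attack = [([rng.uniform(40, 80), rng.uniform(15, 25)], "attack") for _ in range(40)]
    return benign + attack

def preprocess(rows, rng):
    """Cluster-sample 10%, balance the attack class, then normalize."""
    subset = cluster_sample(rows, k=2, fraction=0.10, rng=rng)
    balanced = smote(subset, "attack", n_neighbors=3, rng=rng)
    mu, sigma = zscore_fit(balanced)
    return subset, balanced, zscore_apply(balanced, mu, sigma), (mu, sigma)

if __name__ == "__main__":
    rng = random.Random(7)
    subset, balanced, normalized, (mu, sigma) = preprocess(constructed_flows(rng), rng)
    count = lambda rows, label: sum(1 for _, y in rows if y == label)
    print("subset  :", count(subset, "benign"), "benign /", count(subset, "attack"), "attack")
    print("balanced:", count(balanced, "benign"), "benign /", count(balanced, "attack"), "attack")
    print("mu:", [round(v, 2) for v in mu], "sigma:", [round(v, 2) for v in sigma])
```

In deployment the μ and σ returned by `zscore_fit` are stored with the model and reused on the validation split and on live traffic, and synthetic rows are added to the training split only.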
S2: extracting the source host IP address, the target host IP address and the key features of the normalized Internet of Vehicles flow data; and constructing a bipartite graph with the source host IP addresses, the target host IP addresses and the key features as its nodes.
After the source host IP address and target host IP address of each Internet of Vehicles flow record are extracted, they can be uniformly encoded using 12 floating point numbers, which facilitates the subsequent construction of the heterogeneous graph.
In the embodiment of the invention, the key features include the source port, the target port, the traffic data packets, the PSH flag count and the average data packet size.
The construction of the bipartite graph is shown in FIG. 2: for each Internet of Vehicles flow record, two undirected edges are created, one from the node of the source host IP address to the node of the key features and the other from the node of the key features to the node of the target host IP address, which together form the bipartite graph. A graph constructed in this way contains flow-related information that makes it possible to distinguish and correlate the upstream and downstream traffic characteristics of flows, while also representing the relationships between different flows connected to the same source or target host IP address.
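The bipartite graph construction of S2, together with the meta-path neighbourhoods that the attention layers later operate on, as an added example that is not part of the patent text. The flow records are constructed, and the two meta-paths (flow / source host / flow and flow / target host / flow), the role label stored on each edge and all function names are assumptions; the patent does not enumerate its meta-paths.

```python
from collections import defaultdict

# Key features named in the text: source port, target port, packet count,
# PSH flag count, average packet size. All records below are constructed.
KEY_FEATURES = ("sport", "dport", "pkts", "psh", "avg_size")
FLOWS = [
    # one source probing several ports of one target (multi-flow scan shape)
    {"src": "10.0.0.5", "dst": "192.168.1.10", "sport": 40001, "dport": 22,
     "pkts": 2, "psh": 0, "avg_size": 60.0},
    {"src": "10.0.0.5", "dst": "192.168.1.10", "sport": 40002, "dport": 23,
     "pkts": 2, "psh": 0, "avg_size": 60.0},
    {"src": "10.0.0.5", "dst": "192.168.1.10", "sport": 40003, "dport": 80,
     "pkts": 2, "psh": 0, "avg_size": 60.0},
    # ordinary sessions from two other hosts
    {"src": "10.0.0.7", "dst": "192.168.1.10", "sport": 51512, "dport": 443,
     "pkts": 48, "psh": 9, "avg_size": 712.5},
    {"src": "10.0.0.8", "dst": "192.168.1.20", "sport": 51730, "dport": 443,
     "pkts": 35, "psh": 7, "avg_size": 655.0},
]

def build_bipartite(flows):
    """Two undirected edges per flow: source host - flow, and flow - target host."""
    adj = defaultdict(set)   # node -> {(role, neighbour)}
    features = {}            # flow node -> key feature vector
    for idx, rec in enumerate(flows):
        flow = ("flow", idx)
        features[flow] = [rec[k] for k in KEY_FEATURES]
        for role in ("src", "dst"):
            host = ("host", rec[role])
            adj[flow].add((role, host))
            adj[host].add((role, flow))
    return adj, features

def is_bipartite(adj):
    """Every edge must join a host node and a flow node, never two of a kind."""
    return all(node[0] != nbr[0] for node, links in adj.items() for _, nbr in links)

def metapath_neighbors(adj, role):
    """Flows reachable over flow -role- host -role- flow; each flow includes itself."""
    out = {}
    for node, links in adj.items():
        if node[0] == "flow":
            hosts = [h for r, h in links if r == role]
            out[node[1]] = sorted({f[1] for h in hosts for r, f in adj[h] if r == role})
    return out

def fan_out(adj, features, role="src"):
    """Per flow: number of distinct target ports among its same-host neighbours."""
    dport = KEY_FEATURES.index("dport")
    return {i: len({features[("flow", j)][dport] for j in nbrs})
            for i, nbrs in metapath_neighbors(adj, role).items()}

if __name__ == "__main__":
    adj, features = build_bipartite(FLOWS)
    print("bipartite:", is_bipartite(adj))
    print("same-source neighbours:", metapath_neighbors(adj, "src"))
    print("same-target neighbours:", metapath_neighbors(adj, "dst"))
    print("target-port fan-out per flow:", fan_out(adj, features))
```

The three probing flows become neighbours of one another through their shared source host, which is the relationship a per-flow classifier never sees.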
S3: learning the key-feature nodes under each meta-path in the bipartite graph with a node-level attention network to obtain a final learned feature matrix; learning each meta-path in the bipartite graph with a semantic-level attention network to determine the weight of each meta-path; and constructing an intrusion detection model from the meta-path weights and the final learned feature matrix of the key-feature nodes corresponding to the semantic relations, the network structure of the intrusion detection model being shown in FIG. 3.
Preferably, learning the key-feature nodes under each meta-path in the bipartite graph with the node-level attention network to obtain the final learned feature matrix includes:
S310: defining the initial hidden states of the bipartite graph nodes.
The nodes are of two types, one representing a source host IP address or target host IP address and the other representing the key features of the Internet of Vehicles flow data, so the hidden states of these nodes are typically initialized with different features. Let the initial feature be $X_i = [x_0, \ldots, x_k]$. The initial hidden state of a source host IP address node or target host IP address node is defined as $h_i = [x_0, \ldots, x_k, 1, 1, 1, \ldots, 1]$; the initial hidden state of a key-feature node i is defined as $h_i = [x_0, \ldots, x_k, 0, 0, 0, \ldots, 0]$.
S320: projecting the bipartite graph nodes into the same feature space according to the initial hidden states to obtain the projected features
where $h_i$ is the original feature of node i and the transformation matrix is determined by the node type $\phi_i$. Through this type-specific projection, node-level attention can handle both types of nodes in the bipartite graph.
S330: learning the weight between node i and node j through a learning function
where $att_{node}$ denotes the learning function that performs the node-level attention mechanism and the node pair (i, j) is connected through meta-path Φ. The meta-path Φ, abbreviated as $A_1 A_2 \ldots A_{l+1}$, describes a composite relation between objects $A_1$ and $A_{l+1}$, built with the composition operator on relations. For a given meta-path Φ, all meta-path-based node pairs share $att_{node}$. In this embodiment the weight is computed only for the nodes that are meta-path-based neighbours of node i.
S340: after the meta-path-based importance between node pairs is obtained, normalizing the weights between the nodes with a softmax function to obtain the weight coefficients
where the activation function is the LeakyReLU function, || denotes the concatenation operation, and $a_\Phi$ is the node-level attention vector of meta-path Φ. The weight coefficient of (i, j) depends on the features of the two nodes.
S350: the meta-path-based embedding of node i in the bipartite graph is aggregated from the projected features of its neighbours and the corresponding coefficients; the weight coefficients and the projected features of node j are processed with a nonlinear activation function to obtain the learned feature matrix of node i
where elu is the nonlinear activation function. The attention weights are generated for a single meta-path and are therefore semantic-specific, capturing one kind of semantic information.
S360: repeating the above steps k times to obtain the final learned feature matrix of node i; and obtaining the key feature representation corresponding to each meta-path from the final learned feature matrix.
Repeating the node-level attention K times for the key-feature nodes in the bipartite graph, the final learned feature matrix of node i is obtained as follows:
Then, for the meta-path set $\{\Phi_1, \ldots, \Phi_T\}$, T groups of semantic-specific key feature representations are obtained.
Each node in the heterogeneous graph carries multiple types of semantic information, whereas a semantic-specific node embedding reflects the node from only one aspect. A semantic-level attention mechanism is therefore built to fuse the meta-paths, revealing multiple semantics and learning a more comprehensive node embedding.
Preferably, learning each meta-path in the bipartite graph with the semantic-level attention network and determining the weight of each meta-path includes:
the semantic-specific embeddings are first transformed by a single-layer neural network. The importance of the semantic-specific embeddings is then averaged over all connected nodes to obtain the importance of each meta-path, the formula being as follows:
where W is the weight matrix, $\Phi_t$ is a meta-path, b is the bias vector, q is the semantic-level trainable weight vector used to measure the similarity between the embedded representations under multiple meta-paths, and the node count in the formula is the number of all connected nodes;
determining the weight of meta-path $\Phi_t$ according to the formula.
Preferably, the intrusion detection model is constructed from the meta-path weights and the final learned feature matrix of the key-feature nodes corresponding to the semantic relations, and the formula is as follows:
Y=r(C)
where Y represents the predicted detection category; the other terms denote the weights of the meta-paths and the final learned feature matrix of the key-feature nodes; and $\Phi_t$ denotes the meta-path of the t-th group of semantic relations. C represents the final learned feature matrix of the key-feature nodes fused across the different meta-paths, giving the final low-dimensional representation of the key-feature nodes, and r is a learnable function. During training, r is implemented as a 4-layer fully connected neural network whose first three layers use ReLU as the activation function and whose last layer uses softmax as the activation function.
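A forward pass through the node-level attention, semantic-level attention and classifier r of S3, as an added example that is not part of the patent text. The equation images are missing from this page, so the example follows the standard heterogeneous graph attention network formulation that matches the terms the text names (LeakyReLU over concatenated projected features, softmax, elu, q, W, b); the weights are random and untrained, and the inputs, dimensions, meta-path names and function names are assumptions.

```python
import math
import random

def matvec(m, v):
    return [sum(w * x for w, x in zip(row, v)) for row in m]

def softmax(xs):
    top = max(xs)  # subtract the maximum for numerical stability
    exps = [math.exp(x - top) for x in xs]
    total = sum(exps)
    return [e / total for e in exps]

def leaky_relu(x, slope=0.2):
    return x if x > 0 else slope * x

def elu(x):
    return x if x > 0 else math.exp(x) - 1.0

def rand_matrix(rows, cols, rng):
    return [[rng.uniform(-0.5, 0.5) for _ in range(cols)] for _ in range(rows)]

def node_level_head(h, neighbors, a):
    """One attention head on one meta-path: embeddings z and coefficients alpha."""
    z, alpha = {}, {}
    for i, nbrs in neighbors.items():
        # e_ij = LeakyReLU(a^T [h'_i || h'_j]), only for meta-path neighbours j
        e = [leaky_relu(sum(w * x for w, x in zip(a, h[i] + h[j]))) for j in nbrs]
        alpha[i] = dict(zip(nbrs, softmax(e)))
        # z_i = elu(sum_j alpha_ij * h'_j)
        z[i] = [elu(sum(alpha[i][j] * h[j][d] for j in nbrs))
                for d in range(len(h[i]))]
    return z, alpha

def node_level(h, neighbors, heads):
    """Repeat the head K times and concatenate the K embeddings of every node."""
    results = [node_level_head(h, neighbors, a) for a in heads]
    z = {i: [v for zk, _ in results for v in zk[i]] for i in neighbors}
    return z, [alpha for _, alpha in results]

def semantic_level(z_paths, W, b, q):
    """Path importance = mean_i q^T tanh(W z_i + b); beta = softmax; fuse with beta."""
    w = []
    for z in z_paths:
        scores = [sum(qk * math.tanh(s + bk)
                      for qk, s, bk in zip(q, matvec(W, zi), b)) for zi in z.values()]
        w.append(sum(scores) / len(scores))
    beta = softmax(w)
    fused = {i: [sum(bt * z[i][d] for bt, z in zip(beta, z_paths))
                 for d in range(len(z_paths[0][i]))] for i in z_paths[0]}
    return beta, fused

def classify(c, layers):
    """r(C): fully connected layers, ReLU on all but the last, softmax at the end."""
    for n, (W, b) in enumerate(layers):
        c = [s + bk for s, bk in zip(matvec(W, c), b)]
        if n < len(layers) - 1:
            c = [max(0.0, v) for v in c]
    return softmax(c)

def forward(seed=0):
    rng = random.Random(seed)
    # Constructed input: 4 flow nodes with 5 normalized key features each.
    x = {i: [rng.uniform(-1, 1) for _ in range(5)] for i in range(4)}
    # Constructed meta-path neighbourhoods; every node includes itself.
    paths = {
        "flow/source host/flow": {0: [0, 1, 2], 1: [0, 1, 2], 2: [0, 1, 2], 3: [3]},
        "flow/target host/flow": {0: [0], 1: [1], 2: [2, 3], 3: [2, 3]},
    }
    d, K, n_classes = 4, 2, 3
    M = rand_matrix(d, 5, rng)  # type-specific projection for flow nodes
    h = {i: matvec(M, xi) for i, xi in x.items()}
    z_paths, alphas = [], []
    for nbrs in paths.values():
        heads = [[rng.uniform(-0.5, 0.5) for _ in range(2 * d)] for _ in range(K)]
        z, alpha_heads = node_level(h, nbrs, heads)
        z_paths.append(z)
        alphas.append(alpha_heads[0])
    W, b = rand_matrix(8, K * d, rng), [0.0] * 8
    q = [rng.uniform(-0.5, 0.5) for _ in range(8)]
    beta, fused = semantic_level(z_paths, W, b, q)
    sizes = [K * d, 16, 16, 16, n_classes]  # four fully connected layers
    layers = [(rand_matrix(o, i, rng), [0.0] * o) for i, o in zip(sizes, sizes[1:])]
    probs = {i: classify(c, layers) for i, c in fused.items()}
    return alphas, z_paths, beta, fused, probs

if __name__ == "__main__":
    alphas, _, beta, _, probs = forward()
    print("attention of flow 0 over its same-source neighbours:", alphas[0][0])
    print("meta-path weights beta:", beta)
    print("class probabilities of flow 0 (untrained):", probs[0])
```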
S4: training the intrusion detection model using the categorical cross-entropy function as the loss function; optimizing the hyperparameters of the intrusion detection model using a particle swarm algorithm; inputting the Internet of Vehicles flow data to be detected into the optimized intrusion detection model, and predicting the intrusion category.
During model training, the categorical cross-entropy function is used as the loss function and Adam is used as the optimization function of the model. The proposed model is optimized by backpropagation under the guidance of labeled data, and the node embeddings are learned.
After the intrusion detection model is trained, it can be evaluated against the attack category of each extracted Internet of Vehicles flow record; the hyperparameters of the evaluated model are then adjusted using a particle swarm algorithm so that the model better fits the network data. In this embodiment, hyperparameter optimization (HPO) of the intrusion detection model is performed using a particle swarm algorithm, a widely used metaheuristic optimization method that supports different types of hyperparameters.
Optimizing the hyperparameters of the intrusion detection model using a particle swarm algorithm comprises:
initializing each individual in the population with a position and a velocity;
updating the velocity of each particle based on its current optimal position and the current global optimal position shared with the other individuals, by the formula:
wherein the random terms follow continuous uniform distributions calculated from the acceleration constants;
and after a preset number of iterations, determining the global optimal value of the particles.
Thus the particle swarm algorithm determines the optimal hyperparameter values of the model through information sharing and cooperation among the particles in the swarm, so that the model better fits the Internet of Vehicles flow data and its performance is further improved.
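An added sketch of the particle swarm steps above, not code from the patent: positions and velocities are initialized, each velocity is updated from the particle's own best position and the shared global best with uniformly distributed random factors, and the global best is returned after a preset number of iterations. The inertia weight `w`, the two-parameter search space and the `surrogate_loss` function (a stand-in for training the detector and measuring validation loss) are assumptions.

```python
import random

# Constructed search space (assumption): log10 of the learning rate and the
# width of a hidden layer, one continuous and one integer hyperparameter.
BOUNDS = [(-5.0, -1.0), (8.0, 256.0)]

def surrogate_loss(position):
    """Constructed stand-in for validation loss; minimum at lr=1e-3, 64 units."""
    lr_exp, hidden = position[0], round(position[1])  # integer hyperparameter
    return (lr_exp + 3.0) ** 2 + ((hidden - 64) / 64.0) ** 2

def pso(loss, bounds, n_particles=20, n_iter=50, w=0.7, c1=1.5, c2=1.5, seed=7):
    """Minimize loss over bounds; returns (best position, best cost, history)."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    xs = [[rng.uniform(lo, hi) for lo, hi in bounds] for _ in range(n_particles)]
    vs = [[0.0] * len(bounds) for _ in range(n_particles)]
    pbest = [x[:] for x in xs]
    pbest_cost = [loss(x) for x in xs]
    g = min(range(n_particles), key=pbest_cost.__getitem__)
    gbest, gbest_cost = pbest[g][:], pbest_cost[g]
    history = [gbest_cost]
    for _ in range(n_iter):
        for i in range(n_particles):
            for d, (lo, hi) in enumerate(bounds):
                # Random factors drawn from U(0, c1) and U(0, c2).
                vs[i][d] = (w * vs[i][d]
                            + rng.uniform(0, c1) * (pbest[i][d] - xs[i][d])
                            + rng.uniform(0, c2) * (gbest[d] - xs[i][d]))
                # Keep the particle inside the legal hyperparameter range.
                xs[i][d] = min(hi, max(lo, xs[i][d] + vs[i][d]))
            cost = loss(xs[i])
            if cost < pbest_cost[i]:
                pbest[i], pbest_cost[i] = xs[i][:], cost
                if cost < gbest_cost:
                    gbest, gbest_cost = xs[i][:], cost
        history.append(gbest_cost)
    return gbest, gbest_cost, history

def decode(position):
    """Map a particle position back to concrete hyperparameter values."""
    return {"learning_rate": 10 ** position[0], "hidden_units": round(position[1])}

if __name__ == "__main__":
    best, cost, _ = pso(surrogate_loss, BOUNDS)
    print(decode(best), "loss:", round(cost, 6))
```

In a real run each call to the loss function is a full train-and-validate cycle, so the swarm size and iteration count set the compute budget.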
The trained model is placed in the central gateway of the intelligent connected vehicle; network flow data from outside the vehicle is collected, the Internet of Vehicles flow data to be detected is run through the model, and the intrusion category is predicted.
Compared with the prior art, the embodiment of the invention provides an Internet of Vehicles intrusion detection method based on a heterogeneous graph attention network in which Internet of Vehicles flow data is represented as a bipartite graph. A graph constructed in this way correctly captures the topology of Internet of Vehicles attack traffic, can distinguish and correlate the upstream and downstream characteristics of a flow, and can represent the relationships between different flows connected to the same source/target host. Once the flows and their relationships are represented as a graph, the heterogeneous graph attention network learns the underlying structure of an attack, yielding a model that is more robust against potential adversarial attacks. Node-level attention and semantic-level attention together account for the importance of both nodes and meta-paths in the graph, and the method can be applied to large-scale heterogeneous graphs.
The foregoing embodiments illustrate the general principles of the invention and are not intended to limit its scope to the particular embodiments described; any modifications, equivalents, improvements, etc. that fall within the spirit and principles of the invention are intended to be included within its scope.

Claims (10)

1. An Internet of Vehicles intrusion detection method based on a heterogeneous graph attention network, characterized by comprising the following steps:
collecting Internet of Vehicles flow data, and clustering the Internet of Vehicles flow data using a K-Means clustering algorithm; oversampling the clustering result to balance the Internet of Vehicles flow data; normalizing the balanced Internet of Vehicles flow data;
extracting the source host IP address, the target host IP address and the key features of the normalized Internet of Vehicles flow data; constructing a bipartite graph with the source host IP address, the target host IP address and the key features as bipartite graph nodes;
using a node-level attention network to learn the key-feature nodes in each meta-path of the bipartite graph, obtaining a final learned feature matrix; learning each meta-path in the bipartite graph through a semantic-level attention network, and determining the weight of each meta-path; constructing an intrusion detection model according to the weights of the meta-paths and the final learned feature matrices of the key-feature nodes for the corresponding semantic relationships;
training the intrusion detection model using the categorical cross-entropy function as the loss function; optimizing the hyperparameters of the intrusion detection model using a particle swarm algorithm; inputting the Internet of Vehicles flow data to be detected into the optimized intrusion detection model, and predicting the intrusion category.
2. The Internet of Vehicles intrusion detection method based on a heterogeneous graph attention network according to claim 1, wherein clustering the Internet of Vehicles flow data using a K-Means clustering algorithm comprises:
clustering the Internet of Vehicles flow data into k clusters by minimizing the sum of squared distances between all the Internet of Vehicles flow data and the centroids of the corresponding clusters, the formula being as follows:
wherein $(x_1, \ldots, x_n)$ is the matrix obtained from the Internet of Vehicles flow data; $u_j$ is the centroid of cluster $C_k$, that is, the mean of all samples in $C_k$; and $n_k$ is the total number of sample points in cluster $C_k$.
3. The Internet of Vehicles intrusion detection method based on a heterogeneous graph attention network according to claim 2, wherein oversampling the clustering result to balance the Internet of Vehicles flow data comprises:
for each instance X of a minority class in the Internet of Vehicles flow data, randomly selecting a sample $X_i$ from the k nearest neighbors of X, the new synthetic instance $X_n$ being expressed as:
$X_n = X + \mathrm{rand}(0,1) \cdot (X_i - X), \quad i = 1, 2, \ldots, k$
wherein rand(0, 1) represents a random number in the range (0, 1).
4. The Internet of Vehicles intrusion detection method based on a heterogeneous graph attention network according to claim 3, wherein normalizing the balanced Internet of Vehicles flow data comprises:
converting string features in the Internet of Vehicles flow data into numeric features or one-hot encodings;
normalizing the converted Internet of Vehicles flow data with the Z-Score algorithm, wherein each normalized feature value $x_n$ is represented as , where x is the original feature value, μ is the mean of the feature values, and σ is the standard deviation of the feature values.
5. The Internet of Vehicles intrusion detection method based on a heterogeneous graph attention network according to claim 3, further comprising:
uniformly encoding the source host IP address and the target host IP address as 12-bit floating point numbers.
6. The Internet of Vehicles intrusion detection method based on a heterogeneous graph attention network according to claim 1, wherein using the node-level attention network to learn the key-feature nodes in each meta-path of the bipartite graph to obtain the final learned feature matrix comprises:
step one: defining an initial hidden state for the bipartite graph nodes;
step two: according to the initial hidden state, projecting the bipartite graph nodes into the same feature space to obtain projected features;
step three: learning the weight between node i and node j through a learning function;
step four: normalizing the weights between the nodes using a softmax function to obtain weight coefficients;
step five: processing the weight coefficients and the projected features of node j with a nonlinear activation function to obtain the learned feature matrix of node i;
step six: repeating steps three to five k times to obtain the final learned feature matrix of node i; and obtaining the key feature representation corresponding to each meta-path from the final learned feature matrix.
7. The Internet of Vehicles intrusion detection method based on a heterogeneous graph attention network according to claim 1, wherein learning each meta-path in the bipartite graph through the semantic-level attention network and determining the weight of each meta-path comprises:
obtaining the importance of each meta-path, the formula being as follows:
where W is the weight matrix, $\Phi_t$ is the meta-path, b is a bias vector, q is a semantic-level trainable weight vector used to measure the similarity between the embedded representations under multiple meta-paths, and the averaging runs over the number of all connected nodes;
determining the weight of the meta-path $\Phi_t$ according to the formula.
8. The Internet of Vehicles intrusion detection method based on a heterogeneous graph attention network according to claim 1, wherein the intrusion detection model is constructed according to the weights of the meta-paths and the final learned feature matrices of the key-feature nodes for the corresponding semantic relationships, the formula being as follows:
Y=r(C)
wherein Y represents the predicted detection class; the other quantities are the weights of the meta-paths and the final learned feature matrix of the key-feature nodes; $\Phi_t$ represents the meta-path of the t-th set of semantic relationships.
9. The Internet of Vehicles intrusion detection method based on a heterogeneous graph attention network according to claim 1, wherein optimizing the hyperparameters of the intrusion detection model using a particle swarm algorithm comprises:
initializing each individual in the population with a position and a velocity;
updating the velocity of each particle based on its current optimal position and the current global optimal position shared with the other individuals, by the formula:
wherein the random terms follow continuous uniform distributions calculated from the acceleration constants;
and after a preset number of iterations, determining the global optimal value of the particles.
10. A computer-readable storage medium storing an Internet of Vehicles intrusion detection program based on a heterogeneous graph attention network which, when executed by a processor, implements the steps of the Internet of Vehicles intrusion detection method based on a heterogeneous graph attention network according to any one of claims 1 to 9.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310476298.2A CN116506181A (en) 2023-04-28 2023-04-28 Internet of vehicles intrusion detection method based on different composition attention network

Publications (1)

Publication Number Publication Date
CN116506181A true CN116506181A (en) 2023-07-28

Family

ID=87321217

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116774678A (en) * 2023-08-24 2023-09-19 北京航空航天大学 Intrusion detection method and system for train control system based on transfer learning
CN116774678B (en) * 2023-08-24 2023-10-13 北京航空航天大学 Intrusion detection method and system for train control system based on transfer learning
CN117198406A (en) * 2023-09-21 2023-12-08 亦康(北京)医药科技有限公司 Feature screening method, system, electronic equipment and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination