[go: up one dir, main page]

CN115130102A - An online adaptive intrusion detection method based on incremental learning - Google Patents

An online adaptive intrusion detection method based on incremental learning Download PDF

Info

Publication number
CN115130102A
CN115130102A CN202210790522.0A CN202210790522A CN115130102A CN 115130102 A CN115130102 A CN 115130102A CN 202210790522 A CN202210790522 A CN 202210790522A CN 115130102 A CN115130102 A CN 115130102A
Authority
CN
China
Prior art keywords
sample
model
intrusion detection
samples
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210790522.0A
Other languages
Chinese (zh)
Other versions
CN115130102B (en
Inventor
王利娟
张哲瑛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xidian University
Original Assignee
Xidian University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xidian University filed Critical Xidian University
Priority to CN202210790522.0A priority Critical patent/CN115130102B/en
Publication of CN115130102A publication Critical patent/CN115130102A/en
Application granted granted Critical
Publication of CN115130102B publication Critical patent/CN115130102B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/08Learning methods

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • General Physics & Mathematics (AREA)
  • Biomedical Technology (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Artificial Intelligence (AREA)
  • Virology (AREA)
  • Biophysics (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Evolutionary Computation (AREA)
  • Molecular Biology (AREA)
  • Computing Systems (AREA)
  • Mathematical Physics (AREA)
  • Image Analysis (AREA)

Abstract

The invention discloses an online self-adaptive intrusion detection method based on incremental learning, which mainly solves the problems that an existing method cannot update an intrusion detection model in real time and is poor in detection effect. The method mainly comprises the following steps: 1) training an intrusion detection classification model to be expanded on a data set of a known type to obtain an initial model; 2) sniffing and processing data in the current network in real time and sending the data into a model for detection; 3) when the model detection result is attack data of unknown species, selecting a part of representative samples of known species to be combined with samples of unknown species to serve as an incremental sample set; 4) updating the initial model on line by using incremental learning, and judging the data flow in the current network in real time to train the model again; 5) and completing real-time intrusion detection by utilizing the online updated model. The invention can effectively improve the accuracy of detecting the intrusion behaviors of the known classes and the unknown classes, and can update the intrusion detection model on line in real time.

Description

一种基于增量学习的在线自适应入侵检测方法An online adaptive intrusion detection method based on incremental learning

技术领域technical field

本发明属于网络安全技术领域,进一步涉及入侵检测方法,具体为一种基于增量学习的在线自适应入侵检测方法,可用于实时检测网络中的攻击行为并在线更新入侵检测系统。The invention belongs to the technical field of network security, and further relates to an intrusion detection method, in particular to an online adaptive intrusion detection method based on incremental learning, which can be used for real-time detection of attack behaviors in a network and online update of an intrusion detection system.

背景技术Background technique

深度神经网络作为一种智能算法,在复杂数据分析方面充分展示了其优势所在,能够很好地应用在入侵检测领域,然而大部分深度神经网络只能针对已知类别的网络入侵进行良好的训练,即大部分神经网络模型是为一个封闭的环境所设计的。在现实生活中,已知类别的网络攻击并不能有效地涵盖所有攻击类别。增量学习是一类能够通过学习新增样本、扩展和更新现有模型的算法。它能够保存大部分在已知类别中学习的知识,并且不断地从新增类别中学习新的知识。增量学习算法的主要特征包括:具备从新增样本中学习新知识的能力;模型在训练过程中不需要或者仅需要部分原始数据集;模型对旧知识具有记忆的能力,不会出现灾难性遗忘的问题;模型能够对新增样本中可能出现的新类别进行自适应学习。虽然增量学习为处理新增类别提供了思路,但是目前用于入侵检测的增量学习算法仍不能实现在线实时地检测网络入侵行为,导致入侵检测技术缺乏自适应性,实时性以及可靠性。As an intelligent algorithm, deep neural network has fully demonstrated its advantages in complex data analysis and can be well applied in the field of intrusion detection. However, most deep neural networks can only be well trained for known types of network intrusions. , that is, most neural network models are designed for a closed environment. In real life, known classes of cyberattacks do not effectively cover all attack classes. Incremental learning is a class of algorithms that can learn to add new samples, extend and update existing models. It can preserve most of the knowledge learned in known categories, and continuously learn new knowledge from new categories. The main characteristics of incremental learning algorithms include: the ability to learn new knowledge from new samples; the model does not need or only needs part of the original data set during the training process; the model has the ability to memorize old knowledge without catastrophic occurrences The problem of forgetting; the model can adaptively learn new classes that may appear in new samples. Although incremental learning provides ideas for dealing with new categories, the current incremental learning algorithms for intrusion detection still cannot detect network intrusion behaviors online and in real time, resulting in the lack of adaptability, real-time and reliability of intrusion detection technology.

中国专利申请CN108173708A公开了一种基于深度学习的异常流量检测方法,该方法包括获取用户端流量数据,利用流量检测分类其对流量进行异常检测,基于异常数据对流量检测分类器进行在线训练三个阶段。首先,利用嗅探器获取用户端的流量数据构建可训练数据集;其次,利用异常检测设备中预先构建的流量检测分类器对所述流量数据进行异常检测;当检测出异常数据时,基于所述异常数据,得到训练样本数据,并利用所述样本数据对所述流量检测分类器进行在线训练。然而,上述方法对全部的异常样本数据进行训练并不能达到非常完美的效果,且在增量过程中未对样本数据进行处理的问题均会影响模型分类准确率和训练效率。Chinese patent application CN108173708A discloses an abnormal traffic detection method based on deep learning. The method includes acquiring user-end traffic data, using traffic detection and classification to perform abnormal traffic detection, and online training of traffic detection classifiers based on the abnormal data. Three stage. First, use the sniffer to obtain the traffic data of the client to construct a trainable data set; secondly, use the traffic detection classifier pre-built in the abnormality detection device to perform abnormality detection on the traffic data; when abnormal data is detected, based on the Abnormal data, training sample data is obtained, and the traffic detection classifier is trained online by using the sample data. However, the above methods cannot achieve perfect results for training all abnormal sample data, and the problem that the sample data is not processed in the incremental process will affect the model classification accuracy and training efficiency.

在入侵检测领域,不管是因为需求的变化,还是新的入侵行为的出现,入侵检测模型都需要重新训练。当模型需要日日训练时,训练时间变得非常重要。现有相关工作大多只考虑静态环境中的入侵检测,很少考虑随时间变化的动态环境中的入侵检测,较少考虑入侵检测方法的自适应性,主要体现在以下三个方面:1)模型大部分都是离线的,不能在线实时地检测已知种类的网络入侵行为;2)现有入侵检测模型检测不出未知类别的入侵行为,当出现未知类别时,模型无法动态自适应地更新,需要全部重新训练;3)基于深度学习的入侵检测模型会产生大量的时间开销,导致模型效率不高。网络复杂程度的增加以及大量高维网络数据的出现也使得基于传统机器学习的入侵检测模型检测准确率不高;4)理论研究很少应用在真实场景中,在很多方面缺乏对真实场景的考量。In the field of intrusion detection, the intrusion detection model needs to be retrained whether it is because of changes in demand or the emergence of new intrusion behaviors. Training time becomes very important when the model needs to be trained daily. Most of the existing related works only consider intrusion detection in a static environment, rarely consider intrusion detection in a dynamic environment that changes with time, and rarely consider the adaptability of intrusion detection methods, which are mainly reflected in the following three aspects: 1) Model Most of them are offline and cannot detect known types of network intrusion behaviors online and in real time; 2) The existing intrusion detection models cannot detect unknown types of intrusion behaviors. When unknown types appear, the model cannot be dynamically updated adaptively. All need to be retrained; 3) Intrusion detection models based on deep learning will generate a lot of time overhead, resulting in low model efficiency. The increase of network complexity and the emergence of a large number of high-dimensional network data also make the detection accuracy of traditional machine learning-based intrusion detection models low; 4) Theoretical research is rarely applied in real scenarios, and lacks consideration of real scenarios in many aspects .

因此,现有技术需要一种提高已知类别和未知类别分类准确率的方法,来处理并解决识别问题,且需要一种专门针对入侵检测领域的增量学习方法,来提高增量学习分类效率。Therefore, the prior art requires a method for improving the classification accuracy of known categories and unknown categories to deal with and solve the identification problem, and an incremental learning method specifically for the field of intrusion detection is required to improve the efficiency of incremental learning and classification .

发明内容SUMMARY OF THE INVENTION

本发明目的在于针对上述现有技术的不足,提出一种基于增量学习的在线自适应入侵检测方法,该方法可以有效地提升对已知类别和未知类别入侵行为检测的准确率,并且可以在线实时地更新入侵检测模型;在现有增量学习基础上进一步提高算法分类效率,从而保证入侵检测方法的实时性、可扩展性、可适应性和鲁棒性,为后续基于增量学习的入侵检测算法研究以及工程应用提供新的思路。The purpose of the present invention is to propose an online adaptive intrusion detection method based on incremental learning, which can effectively improve the accuracy of intrusion behavior detection of known and unknown categories, and can be used online The intrusion detection model is updated in real time; the algorithm classification efficiency is further improved on the basis of the existing incremental learning, so as to ensure the real-time, scalability, adaptability and robustness of the intrusion detection method, which is the basis for the subsequent intrusion detection based on incremental learning. The detection algorithm research and engineering application provide new ideas.

实现本发明的基本思路是:首先在已知种类的数据集上对待扩展入侵检测分类模型进行训练得到初始模型,接着实时嗅探并处理当前网络中的数据同时送入模型进行检测,当模型检测结果为未知种类的攻击数据时,选择部分已知种类的代表性样本与未知种类样本相结合作为增量样本集,利用增量学习对模型进行在线更新,同时实时判断当前网络中的数据流量,当数据流量小于阈值时利用全部数据重新训练待扩展模型。The basic idea of realizing the present invention is as follows: firstly, an initial model is obtained by training the to-be-expanded intrusion detection classification model on a known type of data set; When the result is an unknown type of attack data, some representative samples of known types are selected to be combined with unknown types of samples as an incremental sample set, and incremental learning is used to update the model online, and at the same time judge the current data traffic in the network in real time. When the data flow is less than the threshold, the model to be expanded is retrained with all the data.

本发明实现上述目的具体步骤如下:The present invention realizes above-mentioned purpose concrete steps are as follows:

(1)获取数据集并进行预处理:(1) Obtain the dataset and preprocess:

从网络中获取公开入侵检测数据集作为初始已知类别样本集,提取每条数据记录的特征和标签,去除部分无效数据,根据标签对剩余数据记录进行分类,并对字符型特征进行独热编码,制作包含数据、标签、列表的二进制文件样本集,将该文件样本集中的数据划分为初始已知类别训练集Dold和验证集Dvalid两部分;Obtain the public intrusion detection data set from the network as the initial known category sample set, extract the features and labels of each data record, remove some invalid data, classify the remaining data records according to the labels, and perform one-hot encoding on the character features , make a binary file sample set containing data, labels, and lists, and divide the data in the file sample set into two parts, the initial known category training set D old and the verification set D valid ;

Dold={X1,X2,...,Xn},D old ={X 1 ,X 2 ,...,X n },

Dvalid={T1,T2,...,Tn},D valid ={T 1 ,T 2 ,...,T n },

其中,n为初始已知类别样本的类别数量,Xn、Tn分别表示所有第n类初始已知类别训练样本、验证样本;Among them, n is the number of classes of the initial known class samples, X n , T n represent all the nth class initial known class training samples and verification samples, respectively;

(2)搭建待扩展分类网络模型:(2) Build the classification network model to be expanded:

采用时空网络结构,以一维卷积神经网络和长短期记忆神经网络串接在一起作为网络结构,搭建依次由两个第一一维卷积神经网络层conv1d、第一最大池化层max_pooling_1、第二一维卷积神经网络层conv1d_2、第二最大池化层max_pooling_2、长短期记忆神经网络层lstm、暂退层dropout以及第一全连接层dense_1组成的待扩展分类网络模型,以18*1的一维矩阵作为输入,输出代表样本类型预测分数的1*1的矩阵;Using a spatiotemporal network structure, a one-dimensional convolutional neural network and a long short-term memory neural network are concatenated together as the network structure. The classification network model to be expanded composed of the second one-dimensional convolutional neural network layer conv1d_2, the second maximum pooling layer max_pooling_2, the long short-term memory neural network layer lstm, the temporary dropout layer dropout and the first fully connected layer dense_1 is 18*1 The one-dimensional matrix of is as input, and the output represents a 1*1 matrix of sample type prediction scores;

(3)利用初始已知类别样本训练集Dold和交叉熵损失函数Lc训练待扩展分类网络模型,获取可检测已知类别的入侵检测模型,同时利用初始已知类别验证集Dvalid在入侵检测模型训练过程中检验该模型的状态、收敛情况,并根据检验结果调整超参数实现训练效果优化,得到训练好的入侵检测模型

Figure BDA0003729997560000031
(3) Use the initial known class sample training set D old and the cross entropy loss function L c to train the classification network model to be expanded, and obtain an intrusion detection model that can detect known classes, and use the initial known class validation set D valid to detect intrusion During the training process of the detection model, the state and convergence of the model are checked, and the hyperparameters are adjusted according to the test results to optimize the training effect, and the trained intrusion detection model is obtained.
Figure BDA0003729997560000031

(4)利用流量特征提取工具CICFlowMeter的实时提取模块Realtime实时捕获网络中的数据记录,去除部分无效数据记录,对有效数据记录进行分析得到50-80个数据特征并保存;(4) Utilize the real-time extraction module Realtime of the flow characteristic extraction tool CICFlowMeter to capture the data records in the network in real time, remove some invalid data records, and analyze the valid data records to obtain 50-80 data characteristics and save them;

(5)对步骤(4)得到的数据特征进行特征提取,根据提取到的特征组合得到在线入侵检测样本集Donline(5) feature extraction is performed on the data features obtained in step (4), and an online intrusion detection sample set D online is obtained according to the extracted feature combination;

(6)实时入侵检测:(6) Real-time intrusion detection:

将在线入侵样本集Donline放入步骤(3)中训练好的入侵检测模型

Figure BDA0003729997560000032
中进行预测,根据模型预测结果判断在线入侵检测样本集Donline中每一个样本的类型,具体如下:Put the online intrusion sample set D online into the intrusion detection model trained in step (3)
Figure BDA0003729997560000032
According to the prediction results of the model, the type of each sample in the online intrusion detection sample set D online is judged, as follows:

若样本分类为正常的样本,则继续对样本集Donline中其它样本进行实时入侵检测;If the sample is classified as a normal sample, continue to perform real-time intrusion detection on other samples in the sample set D online ;

若样本分类为已知异常类别的样本,则将该样本反馈至管理员做进一步分析,同时继续对样本集Donline中其它样本进行实时入侵检测;If the sample is classified as a sample of a known abnormal category, the sample will be fed back to the administrator for further analysis, and at the same time, real-time intrusion detection will continue to be performed on other samples in the sample set D online ;

若样本分类为未知类别的样本,则进行人工判断,确定该样本是否可用,如果判断为不可用,则继续对样本集Donline中其它样本进行实时入侵检测;如果判断为可用,则执行步骤(7);If the sample is classified as a sample of an unknown category, perform manual judgment to determine whether the sample is available; if it is determined to be unavailable, continue to perform real-time intrusion detection on other samples in the sample set D online ; if it is determined to be available, execute step ( 7);

(7)根据可用样本数据记录的信息,人工标注未知类别样本的标签,并构建未知类别样本集Dunknown(7) According to the information recorded by the available sample data, manually label the unknown category samples, and construct the unknown category sample set D unknown :

Dunknown={X1,X2,...,Xm},D unknown ={X 1 ,X 2 ,...,X m },

其中m为未知类别样本的类别数量,Xm为样本类别为m的所有未知样本集。where m is the number of categories of samples of unknown category, and X m is the set of all unknown samples with sample category m.

(8)在初始已知类别样本集中选取具有代表性的样本构建已知类别样本集Dknown(8) Select representative samples from the initial known class sample set to construct a known class sample set D known :

Dknown={Dt,Df,Dr},D known = {D t , D f , D r },

其中Dt为在待扩展分类模型上分类正确且分数前1%高的数据样本集,Df为在待扩展分类模型上分类错误的全部数据样本集,Dr为随机选择1%剩余已知类别样本的数据样本集;where D t is the data sample set that is correctly classified on the classification model to be extended and has a high score in the top 1%, D f is the entire data sample set that is incorrectly classified on the classification model to be extended, and D r is randomly selected 1% remaining known Data sample set of class samples;

(9)构建用于后续在线更新模型的增量样本集Dnew(9) Construct an incremental sample set D new for subsequent online updating of the model:

Dnew={Dknown,Dunknown}D new ={D known ,D unknown }

={Dt,Df,Dr,Dunknown},={D t ,D f ,D r ,D unknown },

={X1,X2,...,Xn,Xn+1,Xn+2,...Xn+m}={X 1 ,X 2 ,...,X n ,X n+1 ,X n+2 ,... X n+m }

其中,n和m分别表示已知类别样本和未知类别样本的类别数量;Among them, n and m represent the number of classes of known class samples and unknown class samples, respectively;

Figure BDA0003729997560000042
Figure BDA0003729997560000042

Xn+m={(xj,yj),1≤j≤M,yj∈[1,2,...,m]},X n+m ={(x j ,y j ),1≤j≤M,y j ∈[1,2,...,m]},

其中,

Figure BDA0003729997560000041
分别为已知类别样本的样本特征和样本标签,N为已知类别样本集的样本数量,xi、yi分别为未知类别样本的样本特征和样本标签,M为未知类别样本集的样本数量;in,
Figure BDA0003729997560000041
are the sample features and sample labels of the known class samples, respectively, N is the number of samples in the known class sample set, x i and y i are the sample features and sample labels of the unknown class samples, respectively, and M is the sample number of the unknown class sample set ;

(10)搭建扩展分类网络模型:(10) Build an extended classification network model:

搭建依次由一维分离卷积神经网络层separable_conv1d、第一最大池化层max_pooling_1、过渡层flatten、第二全连接层dense_2、暂退层dropout和第一全连接层dense_1构成的扩展分类网络模型,对其输入18*1的一维矩阵,得到代表样本类型预测分数的1*1矩阵;Build an extended classification network model consisting of a one-dimensional separation convolutional neural network layer separable_conv1d, the first maximum pooling layer max_pooling_1, the transition layer flatten, the second fully connected layer dense_2, the temporary dropout layer dropout and the first fully connected layer dense_1. Input a 18*1 one-dimensional matrix to it, and get a 1*1 matrix representing the prediction score of the sample type;

(11)利用增量样本集Dnew和损失函数L训练扩展分类网络模型,得到可检测已知类别和未知类别的在线更新后入侵检测模型

Figure BDA0003729997560000051
并用该在线更新后入侵检测模型
Figure BDA0003729997560000052
替换步骤(6)中的入侵检测模型
Figure BDA0003729997560000053
完成实时入侵检测。(11) Use the incremental sample set D new and the loss function L to train the extended classification network model to obtain an online updated intrusion detection model that can detect known and unknown categories
Figure BDA0003729997560000051
And use the online updated intrusion detection model
Figure BDA0003729997560000052
Replace the intrusion detection model in step (6)
Figure BDA0003729997560000053
Complete real-time intrusion detection.

本发明与现有技术相比具有以下优点:Compared with the prior art, the present invention has the following advantages:

第一、本发明利用增量学习使入侵检测系统可在随时间变化的动态环境中检测出已知和未知种类的入侵行为,大大减少了模型更新的时间,让模型有了自适应性;通过使用增量学习算法,不需要对模型全部重新训练就可以让模型具备检测未知类别攻击的能力,从而实现了入侵检测的实时性和高效性。First, the present invention utilizes incremental learning to enable the intrusion detection system to detect known and unknown intrusion behaviors in a dynamic environment that changes over time, greatly reducing the time for model updating and making the model adaptive; Using the incremental learning algorithm, the model can be equipped with the ability to detect unknown types of attacks without retraining the model, thus realizing the real-time and high efficiency of intrusion detection.

第二、本发明对待扩展分类模型和扩展分类模型使用不同的深度神经网络;采用参数更少的一维分离卷积神经网络作为扩展分类模型,采用卷积神经网络和长短期记忆神经网络相结合的模型作为待扩展分类模型,明显缩减了训练时间,进而降低训练成本,使得模型更具高效性,且提高了模型的检测率。Second, the present invention uses different deep neural networks to treat the extended classification model and the extended classification model; uses a one-dimensional separation convolutional neural network with fewer parameters as the extended classification model, and adopts a combination of a convolutional neural network and a long short-term memory neural network. As the classification model to be extended, the model of 2000 significantly reduces the training time, thereby reducing the training cost, making the model more efficient, and improving the detection rate of the model.

第三、本发明构建的模型能够部署在真实的网络环境中并在线进行检测和更新,同时也可以在网络空闲时重新训练,每个步骤均可以单独应用在真实网络之中,包括但不局限于数据收集、特征提取、入侵检测以及模型更新阶段;设计令当前网络流量小于阈值时利用全部数据重新训练模型,可在模型持续更新时,有效应对模型可能存在的灾难性遗忘问题,同时避免在大量使用网络时更新模型带来的成本增加情况。Third, the model constructed by the present invention can be deployed in a real network environment, and can be detected and updated online, and can also be retrained when the network is idle. Each step can be independently applied to the real network, including but not limited to In the stages of data collection, feature extraction, intrusion detection, and model update; the design makes use of all data to retrain the model when the current network traffic is less than the threshold, which can effectively deal with the possible catastrophic forgetting problem of the model when the model is continuously updated, while avoiding the problem of catastrophic forgetting in the model. The increased cost of updating the model when the network is heavily used.

附图说明Description of drawings

图1为本发明的实现流程图;Fig. 1 is the realization flow chart of the present invention;

图2为本发明待扩展分类模型的参数设置示意图;Fig. 2 is the parameter setting schematic diagram of the classification model to be expanded according to the present invention;

图3为本发明扩展分类模型的参数设置示意图。FIG. 3 is a schematic diagram of parameter setting of the extended classification model of the present invention.

具体实施方式Detailed ways

下面结合附图对本发明做进一步的描述。The present invention will be further described below with reference to the accompanying drawings.

实施例一:参照附图1,本发明提出的一种基于增量学习的在线自适应入侵检测方法,具体包括如下步骤:Embodiment 1: Referring to FIG. 1, an online adaptive intrusion detection method based on incremental learning proposed by the present invention specifically includes the following steps:

步骤1.获取数据集并进行预处理:Step 1. Get the dataset and preprocess:

从网络中获取公开入侵检测数据集作为初始已知类别样本集,提取每条数据记录的特征和标签,去除部分无效数据,根据标签对剩余数据记录进行分类,并对字符型特征进行独热编码,制作包含数据、标签、列表的二进制文件样本集,将该文件样本集中的数据划分为初始已知类别训练集Dold和验证集Dvalid两部分;Obtain the public intrusion detection data set from the network as the initial known category sample set, extract the features and labels of each data record, remove some invalid data, classify the remaining data records according to the labels, and perform one-hot encoding on the character features , make a binary file sample set containing data, labels, and lists, and divide the data in the file sample set into two parts, the initial known category training set D old and the verification set D valid ;

Dold={X1,X2,...,Xn},D old ={X 1 ,X 2 ,...,X n },

Dvalid={T1,T2,...,Tn},D valid ={T 1 ,T 2 ,...,T n },

其中,n为初始已知类别样本的类别数量,Xn、Tn分别表示所有第n类初始已知类别训练样本、验证样本。Among them, n is the number of classes of the initial known class samples, and X n and T n represent all the nth class initial known class training samples and verification samples, respectively.

步骤2.搭建待扩展分类网络模型:Step 2. Build the classification network model to be expanded:

采用时空网络结构,以一维卷积神经网络和长短期记忆神经网络串接在一起作为网络结构,搭建依次由两个第一一维卷积神经网络层conv1d、第一最大池化层max_pooling_1、第二一维卷积神经网络层conv1d_2、第二最大池化层max_pooling_2、长短期记忆神经网络层lstm、暂退层dropout以及第一全连接层dense_1组成的待扩展分类网络模型,以18*1的一维矩阵作为输入,输出代表样本类型预测分数的1*1的矩阵;Using a spatiotemporal network structure, a one-dimensional convolutional neural network and a long short-term memory neural network are concatenated together as the network structure. The classification network model to be expanded composed of the second one-dimensional convolutional neural network layer conv1d_2, the second maximum pooling layer max_pooling_2, the long short-term memory neural network layer lstm, the temporary dropout layer dropout and the first fully connected layer dense_1 is 18*1 The one-dimensional matrix of is as input, and the output represents a 1*1 matrix of sample type prediction scores;

所有一维卷积神经网络层均采用相同填充的Same填充方式,激活函数均使用线性整流激活函数Relu函数,最大池化层池化大小均设置为2,长短期记忆神经网络层包含128个隐藏层,暂退层的参数为0.1,全连接层的激活函数采用S型生长曲线激活函数Sigmoid函数。All one-dimensional convolutional neural network layers use the same padding method, the activation function uses the linear rectification activation function Relu function, the maximum pooling layer pooling size is set to 2, and the long short-term memory neural network layer contains 128 hidden layer, the parameter of the ephemeral layer is 0.1, and the activation function of the fully connected layer adopts the sigmoid function of the sigmoid growth curve activation function.

步骤3.利用初始已知类别样本训练集Dold和交叉熵损失函数Lc训练待扩展分类网络模型,获取可检测已知类别的入侵检测模型,同时利用初始已知类别验证集Dvalid在入侵检测模型训练过程中检验该模型的状态、收敛情况,并根据检验结果调整超参数实现训练效果优化,得到训练好的入侵检测模型

Figure BDA0003729997560000061
Step 3. Use the initial known class sample training set D old and the cross-entropy loss function L c to train the classification network model to be expanded to obtain an intrusion detection model that can detect known classes, and at the same time use the initial known class validation set D valid for intrusion detection. During the training process of the detection model, the state and convergence of the model are checked, and the hyperparameters are adjusted according to the test results to optimize the training effect, and the trained intrusion detection model is obtained.
Figure BDA0003729997560000061

所述入侵检测模型

Figure BDA0003729997560000062
还可以通过如下方式进行训练得到:The intrusion detection model
Figure BDA0003729997560000062
It can also be obtained by training in the following ways:

(a)动态计算数据流量阈值Θ:(a) Dynamically calculate the data traffic threshold Θ:

Figure BDA0003729997560000071
Figure BDA0003729997560000071

其中,A为当前时刻之前7天中每天凌晨四点到六点的数据流量之和;Among them, A is the sum of the data traffic from 4:00 am to 6:00 am every day in the 7 days before the current moment;

(b)将步骤(4)中每小时捕获网络中数据记录的接收数据流量τ与阈值Θ大小进行实时比较,当τ<Θ时,将全部样本设为已知类型样本,构建步骤(1)中的初始已知样本类别样本训练集Dold,并利用该样本集和交叉熵损失函数Lc训练待扩展分类网络模型,得到可检测已知类别的训练好的入侵检测模型

Figure BDA0003729997560000072
(b) Compare the received data flow τ of the data records in the network captured every hour in step (4) with the threshold Θ size in real time, when τ < Θ, set all samples as known type samples, and construct step (1) The initial known sample category sample training set D old in , and use the sample set and the cross entropy loss function L c to train the classification network model to be expanded, and obtain a trained intrusion detection model that can detect known categories
Figure BDA0003729997560000072

所述交叉熵损失函数Lc定义为:The cross-entropy loss function L c is defined as:

Figure BDA0003729997560000073
Figure BDA0003729997560000073

其中y和

Figure BDA0003729997560000074
分别表示已知样本经过模型得到的预测类型和真实类型。where y and
Figure BDA0003729997560000074
Represent the predicted type and the real type obtained by the known sample through the model, respectively.

步骤4.利用流量特征提取工具CICFlowMeter的实时提取模块Realtime实时捕获网络中的数据记录,去除部分无效数据记录,对有效数据记录进行分析得到50-80个数据特征并保存;Step 4. Utilize the real-time extraction module Realtime of the flow feature extraction tool CICFlowMeter to capture the data records in the network in real time, remove some invalid data records, and analyze the valid data records to obtain 50-80 data features and save them;

步骤5.对步骤4得到的数据特征进行特征提取,根据提取到的特征组合得到在线入侵检测样本集Donline。所述特征提取方法包括:皮尔逊相关系数特征提取法、主成分分析法等。本实施例采用皮尔逊相关系数特征提取法,实现步骤如下:Step 5. Perform feature extraction on the data features obtained in step 4, and obtain an online intrusion detection sample set D online according to the extracted feature combination. The feature extraction method includes: Pearson correlation coefficient feature extraction method, principal component analysis method, and the like. The present embodiment adopts the Pearson correlation coefficient feature extraction method, and the implementation steps are as follows:

(5.1)对字符型特征进行独热编码,之后算每一个特征与其他特征的皮尔逊相关系数r,并设定系数判定阈值;这里的皮尔逊相关系数r,根据下式进行计算:(5.1) Perform one-hot encoding on character features, then calculate the Pearson correlation coefficient r between each feature and other features, and set the coefficient judgment threshold; the Pearson correlation coefficient r here is calculated according to the following formula:

Figure BDA0003729997560000075
Figure BDA0003729997560000075

其中,i∈[1,fnum]为样本特征值的序号,fnum为样本集的特征数量,xi为当前样本的第i个特征值,yi为当前样本的其它特征值,

Figure BDA0003729997560000076
为全部样本第i个特征值的均值,
Figure BDA0003729997560000077
为全部样本其它特征值的均值。Among them, i∈[1,fnum] is the serial number of the eigenvalue of the sample, fnum is the number of features of the sample set, x i is the ith eigenvalue of the current sample, y i is the other eigenvalues of the current sample,
Figure BDA0003729997560000076
is the mean of the i-th eigenvalue of all samples,
Figure BDA0003729997560000077
is the mean of other eigenvalues of all samples.

(5.2)按照从大到小的顺序对相关系数r进行排序,取出相关系数值大于判定阈值的特征,制作由相关系数值大于判定阈值的特征组合成的二进制文件在线入侵检测样本集Donline(5.2) sort the correlation coefficient r in descending order, take out the feature whose correlation coefficient value is greater than the judgment threshold, and make the binary file online intrusion detection sample set D online composed of the features whose correlation coefficient value is greater than the judgment threshold;

步骤6.实时入侵检测:Step 6. Real-time intrusion detection:

将在线入侵样本集Donline放入步骤3中训练好的入侵检测模型

Figure BDA0003729997560000081
中进行预测,根据模型预测结果判断在线入侵检测样本集Donline中每一个样本的类型,具体如下:Put the online intrusion sample set D online into the intrusion detection model trained in step 3
Figure BDA0003729997560000081
According to the prediction results of the model, the type of each sample in the online intrusion detection sample set D online is judged, as follows:

若样本分类为正常的样本,则继续对样本集Donline中其它样本进行实时入侵检测;If the sample is classified as a normal sample, continue to perform real-time intrusion detection on other samples in the sample set D online ;

若样本分类为已知异常类别的样本,则将该样本反馈至管理员做进一步分析,同时继续对样本集Donline中其它样本进行实时入侵检测;If the sample is classified as a sample of a known abnormal category, the sample will be fed back to the administrator for further analysis, and at the same time, real-time intrusion detection will continue to be performed on other samples in the sample set D online ;

若样本分类为未知类别的样本,则进行人工判断,确定该样本是否可用,如果判断为不可用,则继续对样本集Donline中其它样本进行实时入侵检测;如果判断为可用,则执行步骤7;If the sample is classified as a sample of an unknown category, perform manual judgment to determine whether the sample is available; if it is determined to be unavailable, continue to perform real-time intrusion detection on other samples in the sample set D online ; if it is determined to be available, go to step 7 ;

步骤7.根据可用样本数据记录的信息,人工标注未知类别样本的标签,并构建未知类别样本集DunknownStep 7. According to the information recorded by the available sample data, manually label the unknown category samples, and construct the unknown category sample set D unknown :

Dunknown={X1,X2,...,Xm},D unknown ={X 1 ,X 2 ,...,X m },

其中m为未知类别样本的类别数量,Xm为样本类别为m的所有未知样本集。where m is the number of categories of samples of unknown category, and X m is the set of all unknown samples with sample category m.

步骤8.在初始已知类别样本集中选取具有代表性的样本构建已知类别样本集DknownStep 8. Select representative samples from the initial known class sample set to construct a known class sample set D known :

Dknown={Dt,Df,Dr},D known = {D t , D f , D r },

其中Dt为在待扩展分类模型上分类正确且分数前1%高的数据样本集,Df为在待扩展分类模型上分类错误的全部数据样本集,Dr为随机选择1%剩余已知类别样本的数据样本集;where D t is the data sample set that is correctly classified on the classification model to be extended and has a high score in the top 1%, D f is the entire data sample set that is incorrectly classified on the classification model to be extended, and D r is randomly selected 1% remaining known Data sample set of class samples;

步骤9.构建用于后续在线更新模型的增量样本集DnewStep 9. Build an incremental sample set D new for subsequent online updating of the model:

Dnew={Dknown,Dunknown}D new ={D known ,D unknown }

={Dt,Df,Dr,Dunknown},={D t ,D f ,D r ,D unknown },

={X1,X2,...,Xn,Xn+1,Xn+2,...Xn+m}={X 1 ,X 2 ,...,X n ,X n+1 ,X n+2 ,... X n+m }

其中,n和m分别表示已知类别样本和未知类别样本的类别数量;Among them, n and m represent the number of classes of known class samples and unknown class samples, respectively;

Figure BDA0003729997560000082
Figure BDA0003729997560000082

Xn+m={(xj,yj),1≤j≤M,yj∈[1,2,...,m]},X n+m ={(x j ,y j ),1≤j≤M,y j ∈[1,2,...,m]},

其中,

Figure BDA0003729997560000091
分别为已知类别样本的样本特征和样本标签,N为已知类别样本集的样本数量,xi、yi分别为未知类别样本的样本特征和样本标签,M为未知类别样本集的样本数量;in,
Figure BDA0003729997560000091
are the sample features and sample labels of the known class samples, respectively, N is the number of samples in the known class sample set, x i and y i are the sample features and sample labels of the unknown class samples, respectively, and M is the sample number of the unknown class sample set ;

增量样本的选择方法还可以采用如仅使用蓄水池采样算法获取随机样本、仅使用分类分数更高的样本等。The selection method of incremental samples can also be adopted, such as using only the reservoir sampling algorithm to obtain random samples, and only using samples with higher classification scores.

步骤10.搭建扩展分类网络模型:Step 10. Build an extended classification network model:

搭建依次由一维分离卷积神经网络层separable_conv1d、第一最大池化层max_pooling_1、过渡层flatten、第二全连接层dense_2、暂退层dropout和第一全连接层dense_1构成的扩展分类网络模型,对其输入18*1的一维矩阵,得到代表样本类型预测分数的1*1矩阵;Build an extended classification network model consisting of a one-dimensional separation convolutional neural network layer separable_conv1d, the first maximum pooling layer max_pooling_1, the transition layer flatten, the second fully connected layer dense_2, the temporary dropout layer dropout and the first fully connected layer dense_1. Input a 18*1 one-dimensional matrix to it, and get a 1*1 matrix representing the prediction score of the sample type;

所有分离一维卷积神经网络层均采用相同填充的Same填充方式,激活函数均使用线性整流激活函数Relu函数,最大池化层池化大小均设置为2,暂退层的参数为0.5,全连接层的激活函数采用S型生长曲线激活函数Sigmoid函数。All separated one-dimensional convolutional neural network layers use the same padding method, the activation function uses the linear rectification activation function Relu function, the maximum pooling layer pooling size is set to 2, the parameter of the temporary retreat layer is 0.5, and The activation function of the connection layer adopts the sigmoid function of the sigmoid growth curve activation function.

步骤11.利用增量样本集Dnew和损失函数L训练扩展分类网络模型,得到可检测已知类别和未知类别的在线更新后入侵检测模型

Figure BDA0003729997560000092
并用该在线更新后入侵检测模型
Figure BDA0003729997560000093
替换步骤6中的入侵检测模型
Figure BDA0003729997560000094
完成实时入侵检测。Step 11. Use the incremental sample set D new and the loss function L to train the extended classification network model to obtain an online updated intrusion detection model that can detect known and unknown categories
Figure BDA0003729997560000092
And use the online updated intrusion detection model
Figure BDA0003729997560000093
Replace the intrusion detection model in step 6
Figure BDA0003729997560000094
Complete real-time intrusion detection.

所述损失函数L的定义为:The loss function L is defined as:

L=λLd+(1-λ)LcL=λL d +(1-λ)L c ,

其中,λ为超参数,Ld为蒸馏损失函数,其定义为:where λ is a hyperparameter and L d is the distillation loss function, which is defined as:

Figure BDA0003729997560000095
Figure BDA0003729997560000095

其中,N为所有样本的数量,n+m为所有样本类型的数量;Among them, N is the number of all samples, and n+m is the number of all sample types;

Figure BDA0003729997560000096
Figure BDA0003729997560000096

Figure BDA0003729997560000101
Figure BDA0003729997560000101

其中,

Figure BDA0003729997560000102
为已知种类样本在扩展模型上的预测分数,q为未知种类的样本在扩展模型上的预测分数,t为超参数。in,
Figure BDA0003729997560000102
is the prediction score of the sample of known species on the extended model, q is the prediction score of the sample of unknown species on the extended model, and t is the hyperparameter.

实施例二:本实施例提出的入侵检测方法整体步骤同实施例一,现给定具体参数进一步详细描述本发明方法的实现过程。Embodiment 2: The overall steps of the intrusion detection method proposed in this embodiment are the same as those in Embodiment 1, and the implementation process of the method of the present invention is further described in detail given specific parameters.

步骤A.本实施例优选公开入侵检测数据集CICIDS2017作为已知类别样本集,CICIDS2017数据集包含良性和最新的常见攻击,类似真实世界数据。它还包括使用CICFlowMeter进行网络流量分析的结果,使用基于时间戳、源和目标IP、源和目标端口、协议和攻击(CSV文件)的标记流。提取后的每条数据记录有18个特征,标签共有8种攻击类和1种正常类,接着去除部分无效数据,按照标签对所有的数据记录进行分类,并对字符型特征进行独热编码,制作出包含数据、标签、列表的二进制文件样本集,最后选取其中80%的数据用作训练,20%的数据用作验证,当然这里也可以按照其它比例来划分初始已知类别训练集Dold和验证集Dvalid,例如7:3,本实施例优选按照8:2来划分。Step A. This embodiment preferably discloses the intrusion detection data set CICIDS2017 as a known category sample set. The CICIDS2017 data set contains benign and latest common attacks, similar to real-world data. It also includes the results of network traffic analysis using CICFlowMeter, using tagged flows based on timestamp, source and destination IP, source and destination port, protocol and attack (CSV file). Each extracted data record has 18 features, and the tags have 8 attack types and 1 normal type, then remove some invalid data, classify all data records according to the tags, and perform one-hot encoding on the character features. Make a binary file sample set containing data, labels, and lists, and finally select 80% of the data for training and 20% for verification. Of course, the initial known category training set D old can also be divided according to other proportions. and the validation set D valid , for example, 7:3, which is preferably divided according to 8:2 in this embodiment.

对于已知种类样本集CICIDS2017可以替换为其它公开的入侵检测数据集,如UNSW-NB15、NSL-KDD等。For the known species sample set CICIDS2017 can be replaced with other public intrusion detection data sets, such as UNSW-NB15, NSL-KDD and so on.

步骤B.参照图2,搭建待扩展分类网络模型,该模型采用时空网络结构,以一维卷积神经网络和长短期记忆神经网络串接在一起作为网络结构。待扩展分类模型的可训练参数量为123905,其输入为18*1的一维矩阵,经过一维卷积神经网络层conv1d_21,conv1d_22,最大池化层max_pooling1d_16,一维卷积神经网络层conv1d_23,最大池化层max_pooling1d_17,长短期记忆神经网络层lstm_7,dropout层dropout_9以及全连接层dense_11,最终输出为1*1的矩阵,代表样本类型的预测分数。其中一维卷积神经网络层均采用Same的填充方式,激活函数均使用Relu激活函数,最大池化层池化大小均设置为2,长短期记忆神经网络层包含128个隐藏层,Dropout层的参数为0.1,全连接层的激活函数采用Sigmoid激活函数。Step B. Referring to FIG. 2 , build a classification network model to be expanded. The model adopts a spatiotemporal network structure, and a one-dimensional convolutional neural network and a long short-term memory neural network are connected in series as a network structure. The number of trainable parameters of the classification model to be expanded is 123905, and its input is a one-dimensional matrix of 18*1. After one-dimensional convolutional neural network layers conv1d_21, conv1d_22, maximum pooling layer max_pooling1d_16, one-dimensional convolutional neural network layer conv1d_23, The maximum pooling layer max_pooling1d_17, the long short-term memory neural network layer lstm_7, the dropout layer dropout_9 and the fully connected layer dense_11, the final output is a 1*1 matrix, representing the prediction score of the sample type. The one-dimensional convolutional neural network layers all use the same filling method, the activation functions all use the Relu activation function, the pooling size of the maximum pooling layer is set to 2, the long short-term memory neural network layer contains 128 hidden layers, and the Dropout layer has 128 hidden layers. The parameter is 0.1, and the activation function of the fully connected layer adopts the Sigmoid activation function.

步骤C.利用步骤A中的初始已知类别训练集Dold和交叉熵损失函数Lc训练步骤B中搭建的待扩展分类网络模型,获取可检测已知类别的入侵检测模型,同时利用初始已知类别验证集Dvalid在入侵检测模型训练过程中检验该模型的状态、收敛情况,根据检验结果调整超参数实现训练效果优化,得到训练好的入侵检测模型

Figure BDA0003729997560000111
这里对模型进行检验,具体是通过得到验证集中每一条数据记录的分类预测概率,进而得到模型预测的准确率,最后判断当前模型是否可用,从而实现优化。其中old表示模型还未经过更新,θold为神经网络模型参数。Step C. Use the initial known category training set D old in step A and the cross entropy loss function L c to train the to-be-expanded classification network model built in step B to obtain an intrusion detection model that can detect known categories, and at the same time use the initial known category Know the category verification set D valid to test the state and convergence of the intrusion detection model during the training process, adjust the hyperparameters according to the test results to optimize the training effect, and obtain a trained intrusion detection model
Figure BDA0003729997560000111
The model is tested here, specifically by obtaining the classification prediction probability of each data record in the verification set, and then obtaining the accuracy of the model prediction, and finally judging whether the current model is available, so as to achieve optimization. Where old indicates that the model has not been updated, and θ old is the neural network model parameter.

步骤D.实时嗅探网络流量:Step D. Sniff network traffic in real time:

利用CICFlowMeter的Realtime模块实时捕获网络中的数据记录,去除部分无效数据记录,对有效数据记录进行分析得到不多于80个数据特征并保存;本实施例优选对有效数据记录进行分析得到80个数据特征。Use the Realtime module of CICFlowMeter to capture the data records in the network in real time, remove some invalid data records, and analyze the valid data records to obtain no more than 80 data features and save them; in this embodiment, it is preferable to analyze the valid data records to obtain 80 data features. feature.

步骤E.对上一步得到的80个数据特征,即网络流量特征利用皮尔逊相关系数特征提取法进行特征提取,具体实现如下:Step E. Perform feature extraction on the 80 data features obtained in the previous step, that is, network traffic features using the Pearson correlation coefficient feature extraction method. The specific implementation is as follows:

首先对字符型特征进行独热编码,接着计算每一个特征与其他特征的皮尔逊相关系数r,按照相关系数的大小进行降序排序,取相关系数值大于设定阈值的特征作为概括整个数据集的特征,本实施例中设定阈值为0.078,最终制作出包含数据的二进制文件在线入侵检测样本集DonlineFirst, one-hot encoding is performed on the character features, and then the Pearson correlation coefficient r of each feature and other features is calculated, and sorted in descending order according to the size of the correlation coefficient. Feature, in this embodiment, the threshold is set to 0.078, and finally a binary file online intrusion detection sample set D online containing data is produced.

其中皮尔逊相关系数r的计算方法为:The calculation method of the Pearson correlation coefficient r is:

Figure BDA0003729997560000112
Figure BDA0003729997560000112

其中,i∈[1,80]为样本特征值的序号,xi为当前样本的第i个特征值,yi为当前样本的其它特征值,

Figure BDA0003729997560000113
为全部样本第i个特征值的均值,
Figure BDA0003729997560000114
为全部样本其它特征值的均值。Among them, i∈[1,80] is the sequence number of the eigenvalue of the sample, x i is the ith eigenvalue of the current sample, y i is the other eigenvalues of the current sample,
Figure BDA0003729997560000113
is the mean of the i-th eigenvalue of all samples,
Figure BDA0003729997560000114
is the mean of other eigenvalues of all samples.

步骤F.实时入侵检测:Step F. Real-time intrusion detection:

将在线入侵样本集Donline放入步骤C中训练好的入侵检测模型

Figure BDA0003729997560000115
中进行预测,得到线入侵样本集Donline中每一条记录的分类预测概率logits,根据预测概率判断样本集Donline的每一个样本类型,具体如下:Put the online intrusion sample set D online into the intrusion detection model trained in step C
Figure BDA0003729997560000115
Prediction is performed in the online intrusion sample set D online to obtain the classification prediction probability logits of each record in the line intrusion sample set D online , and each sample type of the sample set D online is judged according to the predicted probability, as follows:

若样本分类为正常的样本,则继续对样本集Donline中其它样本进行实时入侵检测;If the sample is classified as a normal sample, continue to perform real-time intrusion detection on other samples in the sample set D online ;

若样本分类为已知异常类别的样本,则将该样本反馈至管理员做进一步分析,同时继续对样本集Donline中其它样本进行实时入侵检测;If the sample is classified as a sample of a known abnormal category, the sample will be fed back to the administrator for further analysis, and at the same time, real-time intrusion detection will continue to be performed on other samples in the sample set D online ;

若样本分类为未知类别的样本,则进行人工判断,确定该样本是否可用,如果判断为不可用,则继续对样本集Donline中其它样本进行实时入侵检测;如果判断为可用,则进入下一步骤准备进行数据标注,即执行步骤G。If the sample is classified as a sample of an unknown category, a manual judgment is made to determine whether the sample is available. If it is judged to be unavailable, it will continue to perform real-time intrusion detection on other samples in the sample set D online ; if it is judged to be available, go to the next step. The step is ready to perform data labeling, that is, step G is executed.

步骤G.人工标注数据Step G. Manually label the data

当在线入侵检测结果为未知类别样本且可用时,根据可用样本数据记录的信息,人工标注未知类别样本的标签,并构建未知类别样本集DunknownWhen the online intrusion detection result is an unknown class sample and it is available, according to the information recorded by the available sample data, the label of the unknown class sample is manually marked, and the unknown class sample set D unknown is constructed:

Dunknown={X1,X2,...,Xm},D unknown ={X 1 ,X 2 ,...,X m },

其中m为未知类别样本的类别数量,Xm为样本类别为m的所有未知样本集。where m is the number of categories of samples of unknown category, and X m is the set of all unknown samples with sample category m.

步骤H.构建代表性已知类别样本集DknownStep H. Construct a representative known class sample set D known :

Dknown={Dt,Df,Dr},D known = {D t , D f , D r },

其中Dt为在待扩展分类模型上分类正确且分数前1%高的数据样本集,Df为在待扩展分类模型上分类错误的全部数据样本集,Dr为随机选择1%剩余已知类别样本的数据样本集。where D t is the data sample set that is correctly classified on the classification model to be extended and has a high score in the top 1%, D f is the entire data sample set that is incorrectly classified on the classification model to be extended, and D r is randomly selected 1% remaining known A set of data samples for class samples.

步骤I.构建用于后续在线更新模型的增量样本集DnewStep I. Build an incremental sample set D new for subsequent online updating of the model:

Dnew={Dknown,Dunknown},即:D new = {D known , D unknown }, namely:

Dnew={X1,X2,...,Xn,Xn+1,Xn+2,...Xn+m},D new ={X 1 ,X 2 ,...,X n ,X n+1 ,X n+2 ,... X n+m },

其中n和m分别表示已知类别样本和未知类别样本的类别数量,where n and m represent the number of classes of known class samples and unknown class samples, respectively,

Figure BDA0003729997560000121
Figure BDA0003729997560000121

Xn+m={(xj,yj),1≤j≤M,yj∈[1,2,...,m]},X n+m ={(x j ,y j ),1≤j≤M,y j ∈[1,2,...,m]},

其中

Figure BDA0003729997560000122
分别为已知类别样本的样本特征和样本标签,N为已知类别样本集的样本数量,xi,yi分别为未知类别样本的样本特征和样本标签,M为未知类别样本集的样本数量。in
Figure BDA0003729997560000122
are the sample features and sample labels of known class samples, respectively, N is the number of samples in the known class sample set, x i , y i are the sample features and sample labels of the unknown class samples, respectively, M is the number of samples in the unknown class sample set .

至此,用于后续更新在线扩展模型的增量样本集构建成功。So far, the incremental sample set for the subsequent update of the online expansion model has been successfully constructed.

步骤J.参阅图3,搭建扩展分类网络模型,该模型的可训练参数量为37124,其输入为18*1的一维矩阵,经过一维分离卷积神经网络层separable_conv1d_1,最大池化层max_pooling1d_5,过渡层flatten_1,最大池化层max_pooling1d_17,全连接层dense_4,dropout层dropout_9以及全连接层dense_5,最终输出为1*1的矩阵,代表样本的预测分数。其中分离一维卷积神经网络层均采用Same的填充方式,激活函数均使用Relu激活函数,最大池化层池化大小均设置为2,Dropout层的参数为0.5,全连接层的激活函数采用Sigmoid激活函数。Step J. Referring to Figure 3, build an extended classification network model. The number of trainable parameters of this model is 37124, and its input is a one-dimensional matrix of 18*1. After one-dimensional separation of the convolutional neural network layer separable_conv1d_1, the maximum pooling layer max_pooling1d_5 , the transition layer flatten_1, the maximum pooling layer max_pooling1d_17, the fully connected layer dense_4, the dropout layer dropout_9 and the fully connected layer dense_5, the final output is a 1*1 matrix, representing the predicted score of the sample. The separation one-dimensional convolutional neural network layer adopts the same filling method, the activation function uses the Relu activation function, the maximum pooling layer pooling size is set to 2, the parameter of the dropout layer is 0.5, and the activation function of the fully connected layer adopts Sigmoid activation function.

步骤K.利用增量样本集Dnew和损失函数L训练扩展分类网络模型,得到可检测已知类别和未知类别的在线更新后入侵检测模型

Figure BDA0003729997560000131
其中new表示模型已经更新过了,θnew代表神经网络模型参数;并用该在线更新后入侵检测模型
Figure BDA0003729997560000132
替换
Figure BDA0003729997560000133
实现模型更新,完成实时入侵检测。Step K. Use the incremental sample set D new and the loss function L to train the extended classification network model to obtain an online updated intrusion detection model that can detect known and unknown categories
Figure BDA0003729997560000131
Among them, new indicates that the model has been updated, and θ new indicates the parameters of the neural network model; and use the online updated intrusion detection model
Figure BDA0003729997560000132
replace
Figure BDA0003729997560000133
Realize model update and complete real-time intrusion detection.

本发明构建的待扩展分类模型和扩展分类模型还可以使用任意一种深度学习网络结构进行替代,如卷积神经网络结构、ResNet残差网络结构、深度卷积网络VGG-Net等,但需要保证扩展分类模型的参数值小于待扩展分类模型。针对步骤二,所述的CICFlowMeter的网络嗅探部分可以替换为其它网络流量嗅探器,如Sniffer、whireshark。CICFlowMeter可以自行提取获得数据包的流量特征,比替代方案效率高很多,实现高效率的数据挖掘。The to-be-expanded classification model and the expanded classification model constructed by the present invention can also be replaced by any deep learning network structure, such as a convolutional neural network structure, a ResNet residual network structure, a deep convolutional network VGG-Net, etc., but it is necessary to ensure that The parameter value of the extended classification model is smaller than that of the to-be-extended classification model. For step 2, the network sniffing part of the CICFlowMeter can be replaced with other network traffic sniffers, such as Sniffer and whireshark. CICFlowMeter can extract and obtain the flow characteristics of the data packets by itself, which is much more efficient than the alternative solution and realizes efficient data mining.

本发明未详细说明部分属于本领域技术人员公知常识。The parts of the present invention that are not described in detail belong to the common knowledge of those skilled in the art.

以上所述仅为本发明的较佳实施例而已,并不用以限制本发明,显然对于本领域的专业人员来说,在了解了本发明内容和原理后,都可能在不背离本发明原理、结构的情况下,进行形式和细节上的各种修正和改变,但是这些基于本发明思想的修正和改变仍在本发明的权利要求保护范围之内。The above are only preferred embodiments of the present invention, and are not intended to limit the present invention. Obviously, for those skilled in the art, after understanding the content and principles of the present invention, they may not deviate from the principles of the present invention, In the case of the structure, various corrections and changes in form and details are made, but these corrections and changes based on the idea of the present invention are still within the scope of protection of the claims of the present invention.

Claims (8)

1. An online adaptive intrusion detection method based on incremental learning comprises the following steps:
(1) preprocessing the original data set:
obtaining a public intrusion detection data set from a network as an initial known class sample set, extracting the characteristics and labels of each data record, removing part of invalid data, classifying the rest data records according to the labels, carrying out unique hot coding on character type characteristics, making a binary file sample set containing data, labels and a list, and dividing the data in the file sample set into an initial known class training set D old And a verification set D valid Two parts;
D old ={X 1 ,X 2 ,...,X n },
D valid ={T 1 ,T 2 ,...,T n },
where n is the number of classes of the initial known class sample, X n 、T n Respectively representing all nth initial known class training samples and verification samples;
(2) building a classification network model to be expanded:
adopting a space-time network structure, connecting a one-dimensional convolutional neural network and a long-short term memory neural network in series to form a network structure, building a classification network model to be expanded, which sequentially consists of two first one-dimensional convolutional neural network layers conv1d, a first maximum pooling layer max _ pooling _1, a second one-dimensional convolutional neural network layer conv1d _2, a second maximum pooling layer max _ pooling _2, a long-short term memory neural network layer lstm, a temporary regression layer dropout and a first full connection layer dense _1, taking a one-dimensional matrix of 18 x 1 as input, and outputting a matrix of 1 x 1 representing a sample type prediction score;
(3) training set D with initial known class samples old And cross entropy loss function L c Training a classification network model to be expanded, acquiring an intrusion detection model capable of detecting known classes, and simultaneously utilizing an initial known class verification set D valid The state and convergence condition of the model are detected in the intrusion detection model training process, and the hyperparameter is adjusted according to the detection result to realize the training effect optimization, so that the trained intrusion detection model is obtained
Figure FDA0003729997550000011
(4) A real-time extraction module real-time of a flow characteristic extraction tool CICFlowMeter is used for capturing data records in a network in real time, removing part of invalid data records, analyzing the valid data records to obtain 50-80 data characteristics, and storing the data characteristics;
(5) performing feature extraction on the data features obtained in the step (4), and obtaining an online intrusion detection sample set D according to the extracted feature combinations online
(6) And (3) real-time intrusion detection:
sample set D of online intrusion online Putting the intrusion detection model trained in the step (3)
Figure FDA0003729997550000021
According to the model prediction result, judging an online intrusion detection sample set D online The type of each sample in (1) is as follows:
if the sample is classified as a normal sample, continuing to perform the analysis on the sample set D online Carrying out real-time intrusion detection on other samples;
if the sample is classified as a sample of a known abnormal category, the sample is fed back to an administrator for further analysis, and meanwhile, the sample set D is continuously processed online Carrying out real-time intrusion detection on other samples;
if the sample is classified into the sample of unknown category, carrying out manual judgment to determine whether the sample is available, and if the sample is not available, continuing to carry out sample set D online Carrying out real-time intrusion detection on other samples; if the judgment result is that the data are available, executing the step (7);
(7) manually labeling the label of the unknown type sample according to the information of the available sample data records, and constructing an unknown type sample set D unknown
D unknown ={X 1 ,X 2 ,...,X m },
Where m is the number of classes of the unknown class sample, X m All unknown sample sets with sample class m.
(8) Selecting representative samples from the initial known category sample set to construct a known category sample set D known
D known ={D t ,D f ,D r },
Wherein D t For classifying a correct and top-scoring 1% high set of data samples on the classification model to be expanded, D f For classifying the entire data sample set of errors on the classification model to be expanded, D r Randomly selecting a data sample set of 1% of the remaining known class samples;
(9) constructing an incremental sample set D for a subsequent online update model new
Figure FDA0003729997550000031
Wherein n and m respectively represent the number of classes of the known class samples and the unknown class samples;
Figure FDA0003729997550000032
X n+m ={(x j ,y j ),1≤j≤M,y j ∈[1,2,...,m]},
wherein,
Figure FDA0003729997550000033
sample characteristics and sample labels of samples of known classes respectively, N is the number of samples of a sample set of known classes, x i 、y i Respectively representing the sample characteristics and the sample labels of the unknown sample, wherein M is the number of samples of the unknown sample set;
(10) building an extended classification network model:
building an extended classification network model sequentially composed of a one-dimensional separation convolutional neural network layer private _ conv1d, a first maximum pooling layer max _ posing _1, a transition layer flatten, a second fully-connected layer dense _2, a temporary regression layer dropout and a first fully-connected layer dense _1, and inputting a one-dimensional matrix of 18 x 1 to the extended classification network model to obtain a 1 x 1 matrix representing a sample type prediction score;
(11) using incremental sample sets D new Training an extended classification network model by a loss function L to obtain an online updated intrusion detection model capable of detecting known classes and unknown classes
Figure FDA0003729997550000034
And using the online updated intrusion detection model
Figure FDA0003729997550000035
Replacing the intrusion detection model in step (6)
Figure FDA0003729997550000036
And completing real-time intrusion detection.
2. The method of claim 1, wherein: in the step (2), all the one-dimensional convolutional neural network layers adopt the Same filling Same filling mode, the activation functions all use linear rectification activation functions Relu, the pooling size of the maximum pooling layer is set to be 2, the long-term and short-term memory neural network layers comprise 128 hidden layers, the parameters of the temporary backoff layer are 0.1, and the activation functions of the full connection layers adopt S-shaped growth curve activation functions Sigmoid functions.
3. The method of claim 1, wherein: the intrusion detection model in the step (3)
Figure FDA0003729997550000037
The training can also be achieved by:
(a) dynamically calculating a data flow threshold theta:
Figure FDA0003729997550000041
wherein A is the sum of data flow from four points to six points in the early morning every day in 7 days before the current moment;
(b) comparing the receiving data flow tau of the data record in the hourly captured network in the step (4) with the threshold theta in real time, and when the tau is larger than the threshold theta<When the sample class is theta, all samples are set as samples of known types, and an initial training set D of samples of known sample classes in the step (1) is constructed old And using the sample set and the cross entropy loss function L c Training the classification network model to be expanded to obtain a good intrusion detection model capable of detecting known classes
Figure FDA0003729997550000042
4. A method according to claim 1 or 3, characterized in that: the cross entropy loss function L c Is defined as:
Figure FDA0003729997550000043
wherein y and
Figure FDA0003729997550000044
respectively representing the prediction type and the real type of the known sample obtained by the model.
5. The method of claim 1, wherein: and (5) extracting the features in the step (5), wherein a Pearson correlation coefficient feature extraction method is adopted, and the method comprises the following steps:
(5.1) carrying out one-hot coding on the character type characteristics, then calculating a Pearson correlation coefficient r of each characteristic and other characteristics, and setting a coefficient judgment threshold;
(5.2) sorting the correlation coefficients r according to the descending order, taking out the features of which the correlation coefficient values are larger than the judgment threshold value, and making a binary file online intrusion detection sample set D formed by combining the features of which the correlation coefficient values are larger than the judgment threshold value online
6. The method of claim 5, wherein: the pearson correlation coefficient r in step (5.1) is calculated according to the following formula:
Figure FDA0003729997550000045
wherein i belongs to [1, fnum ∈]Is the serial number of the sample characteristic value, fnum is the characteristic number of the sample set, x i Is the i-th characteristic value, y, of the current sample i For the other characteristic values of the current sample,
Figure FDA0003729997550000046
is the average of the ith characteristic values of all samples,
Figure FDA0003729997550000047
is the average of other characteristic values of all samples.
7. The method of claim 1, wherein: in the step (10), all the separated one-dimensional convolutional neural network layers adopt the Same filling Same filling mode, the activation functions all use linear rectification activation functions Relu, the pooling size of the maximum pooling layer is set to be 2, the parameter of the temporary backoff layer is 0.5, and the activation functions of the full connection layers adopt S-shaped growth curve activation functions Sigmoid functions.
8. The method of claim 1, wherein: the definition of the loss function L in step (11) is:
L=λL d +(1-λ)L c
wherein λ is a hyperparameter, L d As a function of distillation loss, defined as:
Figure FDA0003729997550000051
wherein N is the number of all samples, and N + m is the number of all sample types;
Figure FDA0003729997550000052
Figure FDA0003729997550000053
wherein,
Figure FDA0003729997550000054
the prediction scores of the samples of the known type on the extended model are obtained, q is the prediction score of the samples of the unknown type on the extended model, and t is a hyperparameter.
CN202210790522.0A 2022-07-05 2022-07-05 Online self-adaptive intrusion detection method based on incremental learning Active CN115130102B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210790522.0A CN115130102B (en) 2022-07-05 2022-07-05 Online self-adaptive intrusion detection method based on incremental learning

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210790522.0A CN115130102B (en) 2022-07-05 2022-07-05 Online self-adaptive intrusion detection method based on incremental learning

Publications (2)

Publication Number Publication Date
CN115130102A true CN115130102A (en) 2022-09-30
CN115130102B CN115130102B (en) 2024-06-11

Family

ID=83382813

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210790522.0A Active CN115130102B (en) 2022-07-05 2022-07-05 Online self-adaptive intrusion detection method based on incremental learning

Country Status (1)

Country Link
CN (1) CN115130102B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115952876A (en) * 2022-12-26 2023-04-11 中南大学 A Reliability Assessment Method for Machine Learning Models Facing Engineering Applications
CN116015932A (en) * 2022-12-30 2023-04-25 湖南大学 Intrusion detection network model generation method and data traffic intrusion detection method
CN116582372A (en) * 2023-07-13 2023-08-11 深圳市前海新型互联网交换中心有限公司 Internet of things intrusion detection method, system, electronic equipment and storage medium
CN118690830A (en) * 2024-08-22 2024-09-24 山东工商学院 An online learning and optimization method and system for an electronic nose system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080263663A1 (en) * 2004-08-02 2008-10-23 Tsuyoshi Ide Anomaly detection based on directional data
CN111209563A (en) * 2019-12-27 2020-05-29 北京邮电大学 Network intrusion detection method and system
CN113259331A (en) * 2021-04-29 2021-08-13 上海电力大学 Unknown abnormal flow online detection method and system based on incremental learning

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080263663A1 (en) * 2004-08-02 2008-10-23 Tsuyoshi Ide Anomaly detection based on directional data
CN111209563A (en) * 2019-12-27 2020-05-29 北京邮电大学 Network intrusion detection method and system
CN113259331A (en) * 2021-04-29 2021-08-13 上海电力大学 Unknown abnormal flow online detection method and system based on incremental learning

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
CHRISTOS CONSTANTINIDES等: ""A novel online incremental learning intrusion prevention system"", 《2019 10TH IFIP INTERNATIONAL CONFERENCE ON NEW TECHNOLOGIES, MOBILITY AND SECURITY(NTMS)》, 15 July 2019 (2019-07-15), pages 1 - 6 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115952876A (en) * 2022-12-26 2023-04-11 中南大学 A Reliability Assessment Method for Machine Learning Models Facing Engineering Applications
CN116015932A (en) * 2022-12-30 2023-04-25 湖南大学 Intrusion detection network model generation method and data traffic intrusion detection method
CN116582372A (en) * 2023-07-13 2023-08-11 深圳市前海新型互联网交换中心有限公司 Internet of things intrusion detection method, system, electronic equipment and storage medium
CN116582372B (en) * 2023-07-13 2023-09-26 深圳市前海新型互联网交换中心有限公司 Internet of things intrusion detection method, system, electronic equipment and storage medium
CN118690830A (en) * 2024-08-22 2024-09-24 山东工商学院 An online learning and optimization method and system for an electronic nose system
CN118690830B (en) * 2024-08-22 2024-11-05 山东工商学院 Online learning and optimizing method and system for electronic nose system

Also Published As

Publication number Publication date
CN115130102B (en) 2024-06-11

Similar Documents

Publication Publication Date Title
CN115130102A (en) An online adaptive intrusion detection method based on incremental learning
CN109768985B (en) Intrusion detection method based on flow visualization and machine learning algorithm
CN109284606A (en) Data flow anomaly detection system based on empirical characteristics and convolutional neural network
CN111967343A (en) Detection method based on simple neural network and extreme gradient lifting model fusion
CN114615093A (en) Anonymous network traffic identification method and device based on traffic reconstruction and inheritance learning
CN112087442B (en) Time-series correlation network intrusion detection method based on attention mechanism
CN112839034A (en) A Network Intrusion Detection Method Based on CNN-GRU Hierarchical Neural Network
CN109218223B (en) A robust network traffic classification method and system based on active learning
CN113242207A (en) Iterative clustering network flow abnormity detection method
CN111460441A (en) A network intrusion detection method based on batch normalized convolutional neural network
CN112087447A (en) Rare attack-oriented network intrusion detection method
CN112383516A (en) Graph neural network construction method and abnormal flow detection method based on graph neural network
CN115277888B (en) Method and system for analyzing message type of mobile application encryption protocol
CN110047506A (en) A kind of crucial audio-frequency detection based on convolutional neural networks and Multiple Kernel Learning SVM
CN113114673A (en) Network intrusion detection method and system based on generation countermeasure network
CN114842371A (en) Unsupervised video anomaly detection method
CN114708609A (en) A Domain-adaptive Skeleton Behavior Recognition Method and System Based on Continuous Learning
CN117326420A (en) Linkage elevator fault identification and diagnosis method based on image identification
CN113609480B (en) Multipath learning intrusion detection method based on large-scale network flow
CN119848622A (en) Multi-noise robust cross-working condition migration fault diagnosis method under time-varying working condition
CN118051818A (en) Internet of things equipment identification method based on federal learning and behavior analysis
CN117827508A (en) Abnormality detection method based on system log data
CN114547601B (en) Random forest intrusion detection method based on multi-layer classification strategy
CN115567367A (en) Network fault detection method based on multiple promotion ensemble learning
CN113328986A (en) Network flow abnormity detection method based on combination of convolutional neural network and LSTM

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant