基于记忆模块与过滤式生成对抗网络的入侵检测方法

doi:10.19678/j.issn.1000-3428.0068157

摘要/Abstract

摘要： 为了解决现有的网络入侵检测方法在异常样本有限时存在精确度低且容易产生过拟合的问题,提出一种基于记忆模块和过滤式生成对抗网络(GAN)的入侵检测方法MemFGAN。在生成对抗网络中,生成器采用编码器-解码器结构并引入1个记忆模块学习正常样本的特征向量进行记忆增强,生成器用于对给定的输入进行编码并将其用作查询请求,在记忆模块中查询最相关的项进行重构,生成器的重构误差作为异常分数用于入侵检测,在判别器之前增加过滤器过滤异常样本,利用判别器损失提高生成器对正常样本的生成能力以降低其异常分数。此外,分别为生成器和判别器设计了新的训练目标,实现利用已知异常标签对生成器进行监督,降低生成器对异常样本的重构能力以扩大其异常分数,从而提高模型的入侵检测精确度并缓解过拟合问题。在MAWILab、ISCX2012、IDS2017、IDS2018 4个入侵检测数据集上的实验结果表明,相较于基线方法,MemFGAN的F1值平均提高了0.147,在入侵检测方面具有较好的准确性和泛化性,可以在异常样本有限时保持良好的检测能力。

关键词: 入侵检测, 生成对抗网络, 记忆模块, 弱监督学习, 特征增强

Abstract: To solve the low accuracy of existing network intrusion detection methods as well as their susceptibility to overfitting when abnormal samples are limited, an intrusion detection method based on a memory module and filtered Generative Adversarial Network(GAN) MemFGAN is proposed. In a GAN, the generator adopts an encoder-decoder structure and introduces a memory module to learn the feature vectors of normal samples to enhance memory. The generator encodes the input and uses it as a query request in the memory module. The most relevant items in the query are reconstructed and the reconstruction error of the generator is used as the anomaly score for intrusion detection. A filter is added before the discriminator to filter out abnormal samples, whereas the discriminator loss is used to improve the generator's ability to generate normal samples and reduce its abnormal score. In addition, new training objectives are designed for the generator and discriminator to supervise the generator using known anomalies and to diminish the generator's ability in reconstructing abnormal samples such that its anomaly score is higher, thereby improving the intrusion detection accuracy of the model and alleviating overfitting. Experimental results on four intrusion detection datasets, i.e., MAWILab, ISCX2012, IDS2017, and IDS2018, show that compared with the baseline method, the MemFGAN improves the F1 value by an average of 0.147, offers better accuracy and generalization in intrusion detection, and maintains good detection capabilities when abnormal samples are limited.

Key words: intrusion detection, Generative Adversarial Network(GAN), memory module, weakly-supervised learning, feature enhancement

中图分类号:

TP393

张慧妍, 梁勇, 兰景宏, 赵强. 基于记忆模块与过滤式生成对抗网络的入侵检测方法[J]. 计算机工程, 2024, 50(6): 197-207.

ZHANG Huiyan, LIANG Yong, LAN Jinghong, ZHAO Qiang. Intrusion Detection Method Based on Memory Module and Filtered Generative Adversarial Network[J]. Computer Engineering, 2024, 50(6): 197-207.

https://www.ecice06.com/CN/Y2024/V50/I6/197

参考文献

[1] AHMAD Z, SHAHID KHAN A, WAI SHIANG C, et al. Network intrusion detection system:a systematic study of machine learning and deep learning approaches[J]. Transactions on Emerging Telecommunications Technologies, 2021, 32(1):e4150.
[2] 刘奇旭,王君楠,尹捷,等.对抗机器学习在网络入侵检测领域的应用[J].通信学报, 2021, 42(11):1-12. LIU Q X, WANG J N, YIN J, et al. Application of adversarial machine learning in network intrusion detection[J]. Journal on Communications, 2021, 42(11):1-12.(in Chinese)
[3] ROESCH M. Snort:lightweight intrusion detection for networks[EB/OL].[2023-06-20].https://facultystaff.richmond.edu/~dszajda/classes/cs334/papers/snort.pdf.
[4] LIU G Y, ZHAO H Q, FAN F, et al. An enhanced intrusion detection model based on improved kNN in WSNs[J]. Sensors, 2022, 22(4):1407.
[5] 石磊,张吉涛,高宇飞,等.基于Transformer与BiLSTM的网络流量入侵检测[J].计算机工程, 2023, 49(3):29-36, 57. SHI L, ZHANG J T, GAO Y F, et al. Intrusion detection of network traffic based on Transformer and BiLSTM[J]. Computer Engineering, 2023, 49(3):29-36, 57.(in Chinese)
[6] 麻文刚,张亚东,郭进.基于LSTM与改进残差网络优化的异常流量检测方法[J].通信学报, 2021, 42(5):23-40. MA W G, ZHANG Y D, GUO J. Abnormal traffic detection method based on LSTM and improved residual neural network optimization[J]. Journal on Communications, 2021, 42(5):23-40.(in Chinese)
[7] KANUMALLI S S, LAVANYA K, RAJESWARI A, et al. A scalable network intrusion detection system using Bi-LSTM and CNN[C]//Proceedings of the 3rd International Conference on Artificial Intelligence and Smart Energy. Washington D. C., USA:IEEE Press, 2023:1-6.
[8] 席亮,王瑞东,樊好义,等.基于样本关联感知的无监督深度异常检测模型[J].计算机学报, 2021, 44(11):2317-2331. XI L, WANG R D, FAN H Y, et al. Sample-correlation-aware unsupervised deep anomaly detection model[J]. Chinese Journal of Computers, 2021, 44(11):2317-2331.(in Chinese)
[9] SHI Y Q, SHEN H. Unsupervised anomaly detection for network traffic using artificial immune network[J]. Neural Computing and Applications, 2022, 34(15):13007-13027.
[10] SINGH A, JANG-JACCARD J. Autoencoder-based unsupervised intrusion detection using multi-scale convolutional recurrent networks[EB/OL].[2023-06-20]. http://arxiv.org/abs/2204.03779.
[11] XU W, JANG-JACCARD J, LIU T, et al. Training a bidirectional GAN-based one-class classifier for network intrusion detection[EB/OL].[2023-06-20]. http://arxiv.org/abs/2202.01332.
[12] BINBUSAYYIS A, VAIYAPURI T. Unsupervised deep learning approach for network intrusion detection combining convolutional autoencoder and one-class SVM[J]. Applied Intelligence, 2021, 51(10):7094-7108.
[13] ZHOU Y J, SONG X C, ZHANG Y R, et al. Feature encoding with autoencoders for weakly supervised anomaly detection[J]. IEEE Transactions on Neural Networks and Learning Systems, 2022, 33(6):2454-2465.
[14] ILIYASU A S, DENG H F. N-GAN:a novel anomaly-based network intrusion detection with generative adversarial networks[J]. International Journal of Information Technology, 2022, 14(7):3365-3375.
[15] HOU Y B, TEO S G, CHEN Z H, et al. Handling labeled data insufficiency:semi-supervised learning with self-training mixup decision tree for classification of network attacking traffic[J/OL]. IEEE Transactions on Dependable and Secure Computing:1-14[2023-06-20].https://ieeexplore.ieee.org/document/9847046.
[16] AOUEDI O, PIAMRAT K, MULLER G, et al. FLUIDS:federated learning with semi-supervised approach for intrusion detection system[C]//Proceedings of the 19th Annual Consumer Communications&Networking Conference. Washington D. C., USA:IEEE Press, 2022:523-524.
[17] ZHANG Y, NIU J, HE G J, et al. Network intrusion detection based on active semi-supervised learning[C]//Proceedings of the 51st Annual International Conference on Dependable Systems and Networks Workshops (DSN-W). Washington D. C., USA:IEEE Press, 2021:129-135.
[18] MBONA I, ELOFF J H P. Detecting zero-day intrusion attacks using semi-supervised machine learning approaches[J]. IEEE Access, 2022, 10:69822-69838.
[19] HAN X, CHEN X H, LIU L P. GAN ensemble for anomaly detection[C]//Proceedings of the AAAI Conference on Artificial Intelligence.[S.l.]:AAAI Press, 2021:4090-4097.
[20] DU B W, SUN X X, YE J C, et al. GAN-based anomaly detection for multivariate time series using polluted training set[J]. IEEE Transactions on Knowledge and Data Engineering, 2023, 35(12):12208-12219.
[21] GRAVES A, WAYNE G, DANIHELKA I. Neural Turing machines[EB/OL].[2023-06-20]. https://arxiv.org/pdf/1410.5401.pdf.
[22] GONG D, LIU L Q, LE V, et al. Memorizing normality to detect anomaly:memory-augmented deep autoencoder for unsupervised anomaly detection[C]//Proceedings of the International Conference on Computer Vision. Washington D. C., USA:IEEE Press, 2019:1705-1714.
[23] LU H M, WANG T, XU X, et al. Cognitive memory-guided autoencoder for effective intrusion detection in Internet of Things[J]. IEEE Transactions on Industrial Informatics, 2022, 18(5):3358-3366.
[24] ZHONG Y, CHEN W Q, WANG Z L, et al. HELAD:a novel network anomaly detection model based on heterogeneous ensemble learning[J]. Computer Networks, 2020, 169:107049.
[25] RAE J W, HUNT J J, HARLEY T, et al. Scaling memory-augmented neural networks with sparse reads and writes[EB/OL].[2023-06-20]. https://arxiv.org/pdf/1610.09027.pdf.
[26] SANTORO A, BARTUNOV S, BOTVINICK M, et al. One-shot learning with memory-augmented neural networks[EB/OL].[2023-06-20]. https://arxiv.org/pdf/1605.06065.pdf.
[27] FONTUGNE R, BORGNAT P, ABRY P, et al. MAWILab:combining diverse anomaly detectors for automated anomaly labeling and performance benchmarking[C]//Proceedings of the 6th International Conference. New York, USA:ACM Press, 2010:1-12.
[28] SHIRAVI A, SHIRAVI H, TAVALLAEE M, et al. Toward developing a systematic approach to generate benchmark datasets for intrusion detection[J]. Computers and Security, 2012, 31(3):357-374.
[29] SHARAFALDIN I, HABIBI LASHKARI A, GHORBANI A A. Toward generating a new intrusion detection dataset and intrusion traffic characterization[EB/OL].[2023-06-20]. http://www.cs.unb.ca/research-expo/expos/2018/submissions/20180403-14-56-isharafa-at-unb.ca-toward_generating_a_new_intrusion_detection_dataset_and_intrusion_traffic_characterization.pdf.
[30] LASKAR M T R, HUANG J X, SMETANA V, et al. Extending isolation forest for anomaly detection in big data via K-means[J]. ACM Transactions on Cyber-Physical Systems, 2021,5(4):41.
[31] SAHU S K, JENA S K. A multiclass SVM classification approach for intrusion detection[C]//Proceedings International Conference on Distributed Computing and Internet Technology. Berlin, Germany:Springer, 2016:175-181.
[32] ZONG B, SONG Q, MIN M R, et al. Deep autoencoding Gaussian mixture model for unsupervised anomaly detection[C]//Proceedings of International Conference on Learning Representations.[S.l.]:AAAI Press, 2018:1-10.
[33] BELARBI O, KHAN A, CARNELLI P, et al. An intrusion detection system based on deep belief networks[C]//Proceedings of International Conference on Science of Cyber Security. Berlin, Germany:Springer, 2022:377-392.
[34] WU Z H, ZHANG H, WANG P H, et al. RTIDS:a robust transformer-based approach for intrusion detection system[J]. IEEE Access, 2022, 10:64375-64387.

选择文件类型/文献管理软件名称

选择包含的内容