Research on Abnormal Traffic Detection in Industrial Control Network Based on CVAE-CatBoost

doi:10.19678/j.issn.1000-3428.0065478

Abstract

Abstract: For the detection of abnormal traffic in Industrial Control Network（ICN），a new abnormal traffic detection model based on Conditional Variational Autoencoder（CVAE） and the Categorical Features Gradient Boosting（CatBoost） algorithm is proposed to address the problems of unbalanced data distribution and low detection rate in existing models.CVAE uses label information as a constraint to control the category of generated samples.The CatBoost algorithm overcomes gradient bias by introducing unbiased estimation，improves prediction accuracy，and reduces risk of overfitting by adopting various tree growth modes.CVAE is used to enhance data，expand rare attack samples，and build balanced datasets with uniform distribution.The CatBoost algorithm is an anomaly traffic detection model which accurately identifies attack samples，such as Dos，Fuzzers，and outputs the classification results.The experimental results show that on the UNSW-NB15 dataset，after data enhancement using CVAE，CatBoost improves the F1 value by 25.16 percentage points on average，whereby the overall precision，recall，and F1 value，reach 87.85%，87.87%，and 87.86%，respectively；on the ZYELL_NCTU NetTraffic_1.0 dataset，after using CVAE to enhance the data，CatBoost improves the F1 value by 16.32% on average，and the overall precision，recall，and F1 value，reach 99.85%.The proposed model can effectively avoid data imbalance problems and has better detection performance and generalization ability than machine learning and deep learning algorithms，such as K-Nearest Neighbor（KNN），Random Forest（RF），and Convolution Neural Network（CNN）.

Key words: Industrial Control Network（ICN）, anomaly detection, data imbalance, Conditional Variational Autoencoder（CVAE）, CatBoost algorithm

摘要： 为解决工业控制网络异常流量检测中存在的数据分布不均衡、现有模型检测率低的问题，提出一种基于条件变分自编码器（CVAE）和CatBoost算法的异常流量检测模型。CVAE引入标签信息作为约束条件，控制生成样本的类别。CatBoost算法通过引入无偏估计克服梯度偏差，提高预测的准确性，同时采用多种树的生长方式降低过拟合的风险。使用CVAE进行数据增强，扩充稀有攻击样本，构建分布均匀的平衡数据集。将CatBoost算法作为异常流量检测模型，对Dos、Fuzzers等攻击样本进行精确识别并输出分类结果。实验结果表明：在UNSW-NB15数据集上，利用CVAE进行数据增强后，CatBoost算法对少数类样本的F1值平均提升了25.16个百分点，整体精确率、召回率和F1值分别达到87.85%、87.87%和87.86%；在ZYELL_NCTU NetTraffic_1.0数据集上，利用CVAE进行数据增强后，CatBoost算法对少数类样本的F1值平均提升了16.32%，整体精确率、召回率和F1值均达到99.85%。该模型能够有效避免数据不均衡问题，相较K近邻、随机森林、卷积神经网络等机器学习和深度学习算法具有更好的检测性能和泛化能力。

关键词: 工业控制网络, 异常检测, 数据不平衡, 条件变分自编码器, CatBoost算法

CLC Number:

TP393

ZHANG Zixuan, ZONG Xuejun, HE Kan, LIAN Lian. Research on Abnormal Traffic Detection in Industrial Control Network Based on CVAE-CatBoost[J]. Computer Engineering, 2023, 49(5): 173-180.

张子宣, 宗学军, 何戡, 连莲. 基于CVAE-CatBoost的工业控制网络异常流量检测研究[J]. 计算机工程, 2023, 49(5): 173-180.

/ / Recommend / Download Citations

URL: http://www.ecice06.com/EN/10.19678/j.issn.1000-3428.0065478

http://www.ecice06.com/EN/Y2023/V49/I5/173

Figures/Tables 16

References

[1] JAGTAP S S,SHANKAR SRIRAM V S,KOTECHA K,et al.Securing industrial control systems from cyber-attacks:a stacked neural-network based approach[EB/OL].[2022-07-26].https://ieeexplore.ieee.org/document/9762042.
[2] CHEN J M,GAO X S,DENG R L,et al.Generating adversarial examples against machine learning-based intrusion detector in industrial control systems[J].IEEE Transactions on Dependable and Secure Computing,2022,19(3):1810-1825.
[3] 国家互联网应急中心.2020年我国互联网网络安全态势综述[EB/OL].[2022-07-26].https://www.cert.org.cn/publish/main/46/2021/20210526121148344277777/20210526121148344277777_.html. National Internet Emergency Center.Overview of China's Internet network security situation in 2020[EB/OL].[2022-07-26].https://www.cert.org.cn/publish/main/46/2021/20210526121148344277777/20210526121148344277777_.html.(in Chinese)
[4] CHEN Y P,YUAN F S.Multi-scale network traffic anomaly detection based on improved genetic algorithm[C]//Proceedings of IEEE International Conference on Electrical Engineering,Big Data and Algorithms.Washington D.C.,USA:IEEE Press,2022:1362-1367.
[5] WANG Z D,ZENG Y,LIU Y D,et al.Deep belief network integrating improved kernel-based extreme learning machine for network intrusion detection[J].IEEE Access,2021,9:16062-16091.
[6] ZHOU X K,LIANG W,SHIMIZU S,et al.Siamese neural network based few-shot learning for anomaly detection in industrial cyber-physical systems[J].IEEE Transactions on Industrial Informatics,2020,17(8):5790-5798.
[7] MASSAOUDI M,REFAAT S S,ABU-RUB H.Intrusion detection method based on SMOTE transformation for smart grid cybersecurity[C]//Proceedings of the 3rd International Conference on Smart Grid and Renewable Energy.Washington D.C.,USA:IEEE Press,2022:1-6.
[8] FU W,QIAN L P,ZHU X H.GAN-based intrusion detection data enhancement[C]//Proceedings of the 33rd Chinese Control and Decision Conference.Washington D.C.,USA:IEEE Press,2021:2739-2744.
[9] DENG R W,YUAN J,LI X Y,et al.DACNN:deep autoencoding convolutional neural network in network intrusion detection[C]//Proceedings of the 7th International Conference on Big Data Analytics.Washington D.C.,USA:IEEE Press,2022:224-230.
[10] 周杰英,贺鹏飞,邱荣发,等.融合随机森林和梯度提升树的入侵检测研究[J].软件学报,2021,32(10):3254-3265. ZHOU J Y,HE P F,QIU R F,et al.Research on intrusion detection based on random forest and gradient boosting tree[J].Journal of Software,2021,32(10):3254-3265.(in Chinese)
[11] HUSSAIN F,HUSSAIN R,ALI HASSAN S,et al.Machine learning in IoT security:current solutions and future challenges[J].IEEE Communications Surveys & Tutorials,2020,22(3):1686-1721.
[12] HAMOUDA D,FERRAG M A,BENHAMIDA N,et al.Intrusion detection systems for industrial Internet of Things:a survey[C]//Proceedings of International Conference on Theoretical and Applicative Aspects of Computer Science.Washington D.C.,USA:IEEE Press,2022:1-8.
[13] HNAMTE V,HUSSAIN J.An extensive survey on intrusion detection systems:datasets and challenges for modern scenario[C]//Proceedings of the 3rd International Conference on Electrical,Control and Instrumentation Engineering.Washington D.C.,USA:IEEE Press,2022:1-10.
[14] SOHN K,YAN X C,LEE H.Learning structured output representation using deep conditional generative models[C]//Proceedings of the 28th International Conference on Neural Information Processing Systems.Cambridge,USA:MIT Press,2015:3483-3491.
[15] KINGMA D P,WELLING M.Auto-encoding variational Bayes[C]//Proceedings of the 2nd International Conference on Learning Representations.New York,USA:ACM Press,2014:112-134.
[16] GOODFELLOW I J,POUGET-ABADIE J,MIRZA M,et al.Generative adversarial nets[C]//Proceedings of the 27th International Conference on Neural Information Processing Systems.Cambridge,USA:MIT Press,2014:2672-2680.
[17] SHETTAR P,KACHAVIMATH A V,MULLA M M,et al.Intrusion detection system using MLP and chaotic neural networks[C]//Proceedings of International Conference on Computer Communication and Informatics.Washington D.C.,USA:IEEE Press,2021:1-4.
[18] PROKHORENKOVA L,GUSEV G,VOROBEV A,et al.CatBoost:unbiased boosting with categorical features[C]//Proceedings of the 32nd International Conference on Neural Information Processing Systems.Cambridge,USA:MIT Press,2018:6639-6649.
[19] MOUSTAFA N,SLAY J.UNSW-NB15:a comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set)[C]//Proceedings of Military Communications and Information Systems Conference.Washington D.C.,USA:IEEE Press,2015:1-6.
[20] CHEN L,WENG S E,PENG C J,et al.ZYELL_NCTU NetTraffic_1.0:a large-scale dataset for real-world network anomaly detection[C]//Proceedings of IEEE International Conference on Consumer Electronics.Washington D.C.,USA:IEEE Press,2021:1-2.
[21] LATIF S,IDREES Z,ZOU Z,et al.DRaNN:a deep random neural network model for intrusion detection in industrial IoT[C]//Proceedings of International Conference on UK-China Emerging Technologies.Washington D.C.,USA:IEEE Press,2020:1-4.
[22] YANG K X,SHI Y F,YU Z W,et al.Stacked one-class broad learning system for intrusion detection in industry 4.0[EB/OL].[2022-07-26].https://ieeexplore.ieee.org/document/9730077.
[23] 任家东,张亚飞,张炳,等.基于特征选择的工业互联网入侵检测分类方法[J].计算机研究与发展,2022,59(5):1148-1159. REN J D,ZHANG Y F,ZHANG B,et al.Classification method of industrial Internet intrusion detection based on feature selection[J].Journal of Computer Research and Development,2022,59(5):1148-1159.(in Chinese)
[24] 梁杰,陈嘉豪,张雪芹,等.基于独热编码和卷积神经网络的异常检测[J].清华大学学报(自然科学版),2019,59(7):523-529. LIANG J,CHEN J H,ZHANG X Q,et al.One-hot encoding and convolutional neural network based anomaly detection[J].Journal of Tsinghua University (Science and Technology),2019,59(7):523-529.(in Chinese)
[25] 崔景洋,陈振国,田立勤,等.基于机器学习的用户与实体行为分析技术综述[J].计算机工程,2022,48(2):10-24. CUI J Y,CHEN Z G,TIAN L Q,et al.Overview of user and entity behavior analytics technology based on machine learning[J].Computer Engineering,2022,48(2):10-24.(in Chinese)
[26] 李贝贝,彭力,戴菲菲.结合马氏距离与自编码器的网络流量异常检测方法[J].计算机工程,2022,48(4):133-142. LI B B,PENG L,DAI F F.Abnormal network traffic detection method combining Mahalanobis distance and autoencoder[J].Computer Engineering,2022,48(4):133-142.(in Chinese)
[27] 陈铁明,董航.使用蚁群算法和深度强化学习的工业异常入侵检测[J].小型微型计算机系统,2022,43(4):779-784. CHEN T M,DONG H.Industrial anomaly intrusion detection using ant colony algorithm and deep reinforcement learning[J].Journal of Chinese Computer Systems,2022,43(4):779-784.(in Chinese)
[28] 何戡,曲超,宗学军,等.机器学习在工业网络入侵检测中的研究应用[J].小型微型计算机系统,2021,42(2):437-442. HE K,QU C,ZONG X J,et al.Research and application of machine learning in industrial network intrusion detection[J].Journal of Chinese Computer Systems,2021,42(2):437-442.(in Chinese)

Please choose a citation manager

Content to export