作者投稿和查稿 主编审稿 专家审稿 编委审稿 远程编辑

计算机工程 ›› 2023, Vol. 49 ›› Issue (2): 169-174. doi: 10.19678/j.issn.1000-3428.0063917

• 网络空间安全 • 上一篇    下一篇

自适应类增量学习的物联网入侵检测系统

刘强1, 张颖2, 周卫祥2, 蒋先涛2, 周薇娜2, 周谋国3   

  1. 1. 上海海事大学 物流科学与工程研究院, 上海 201306;
    2. 上海海事大学 信息工程学院, 上海 201306;
    3. 上海真灼科技股份有限公司, 上海 201199
  • 收稿日期:2022-02-12 修回日期:2022-04-03 发布日期:2022-07-19
  • 作者简介:刘强(1997-),男,硕士研究生,主研方向为物联网信息安全;张颖(通信作者),教授;周卫祥、蒋先涛,讲师;周薇娜,副教授;周谋国,工程师。
  • 基金资助:
    国家自然科学基金(61673259)。

Adaptive Class Incremental Learning-Based IoT Intrusion Detection System

LIU Qiang1, ZHANG Ying2, ZHOU Weixiang2, JIANG Xiantao2, ZHOU Weina2, ZHOU Mouguo3   

  1. 1. Institute of Logistics Science and Engineering, Shanghai Maritime University, Shanghai 201306, China;
    2. College of Information Engineering, Shanghai Maritime University, Shanghai 201306, China;
    3. Shanghai Zenkore Technology Co., Ltd., Shanghai 201199, China
  • Received:2022-02-12 Revised:2022-04-03 Published:2022-07-19

摘要: 传统物联网入侵检测系统难以实时检测新类别攻击,为此,提出一种基于堆叠稀疏自编码器(SSAE)和自组织增量神经网络(SOINN)的物联网入侵检测方法。SSAE对已知类别的攻击样本进行稀疏编码和特征提取,所提取的特征输入SOINN,SOINN形成符合流量特征空间分布的拓扑结构。当出现新类别训练样本的特征时,SOINN自适应地生成新节点以建立新的局部拓扑结构。为了保留SSAE在旧类别样本上的知识,对SOINN已有的拓扑结构施加约束,通过误差反向传递间接约束SSAE权重的变化。针对SOINN在新类别上产生的新局部拓扑结构进行自适应聚合和优化,从而实现新类别样本学习。实验结果表明,该方法能基于新类别数据对模型进行增量训练而无需历史类别数据,在CIC-IDS2017数据集的动态数据流中能有效检测新类别攻击同时缓解旧类别数据中存在的灾难性遗忘问题,在初始已知数据集上的准确率达到98.15%,完成3个阶段的类别增量学习后整体准确率仍能达到57.34%,优于KNN-SVM、mCNN等增量学习方法。

关键词: 入侵检测系统, 堆叠稀疏自编码器, 自组织增量神经网络, 增量学习, 知识保留

Abstract: The conventional intrusion detection system for the Internet of Things(IoT) typically fails to detect new types of attacks in real time.Therefore, a new intrusion detection method for the IoT that is based on Stacked Sparse Autoencoders(SSAE) and Self-Organizing Incremental Neural Networks(SOINN) is proposed in this study.SSAE performs sparse coding and feature extraction on sample attacks of known categories.The extracted features are input to the SOINN, which forms a topological structure that conforms to the spatial distribution of the traffic characteristics.When the features of new class training samples appear, the SOINN adaptively generates new nodes to establish a new local topology.To retain the knowledge of SSAE on the old class samples, constraints are imposed on the existing topology of the SOINN, and the changes to the SSAE weights are indirectly constrained through error reverse transfer.Adaptive aggregation and optimization are performed using the new local topological structure generated by the SOINN for the new class to learn the new class samples.The experimental results indicate that this method can perform incremental training on the model based on new categories of data without requiring historical data.It can effectively detect new types of attacks in the dynamic data flow of the CIC-IDS2017 dataset and alleviate the catastrophic forgetting problem associated with the old category data.The accuracy rate for the initially known dataset is 98.15%, and the overall accuracy rate reaches 57.34% after completing the three stages of category incremental learning, which is better than that of KNN-SVM, mCNN, and other incremental learning methods.

Key words: intrusion detection system, Stacked Sparse Autoencoders(SSAE), Self-Organizing Incremental Neural Networks(SOINN), incremental learning, knowledge retention

中图分类号: