CN109660522A - The mixed intrusion detection method based on deep layer self-encoding encoder towards Integrated Electronic System - Google Patents
The mixed intrusion detection method based on deep layer self-encoding encoder towards Integrated Electronic System Download PDFInfo
- Publication number
- CN109660522A CN109660522A CN201811439878.XA CN201811439878A CN109660522A CN 109660522 A CN109660522 A CN 109660522A CN 201811439878 A CN201811439878 A CN 201811439878A CN 109660522 A CN109660522 A CN 109660522A
- Authority
- CN
- China
- Prior art keywords
- data
- encoding encoder
- detection method
- intrusion detection
- deep layer
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
- Burglar Alarm Systems (AREA)
Abstract
The invention discloses a kind of mixed intrusion detection method based on deep layer self-encoding encoder towards Integrated Electronic System, include: data prediction: the data stored to bus manager in Integrated Electronic System pre-process, and specifically include data normalization and standardization processing;Feature extraction: carrying out feature extraction to pretreated data using deep layer self-encoding encoder, extracts characteristic parameter weight by pre-training and fine tuning weighting parameter method;Intrusion behavior determines: doing operation and obtains characteristic parameter weight and input value that feature extraction phases obtain, using this feature data as the input of Ensemble classifier, export as two classification of normal data and attack data.The present invention, which extracts researcher using deep layer self-encoding encoder, to reduce characteristic dimension by the simple artificial some Higher Order Abstract features for calculating acquisition, to reduce calculating cost, and can efficiently differentiate new variant attack.
Description
Technical field
The invention belongs to the technical field of information security, in particular to it is a kind of towards Integrated Electronic System based on deep layer from
The mixed intrusion detection method of encoder.
Background technique
Inside Integrated Electronic System without encryption mechanism, built-in component is popular, technology, opening up, transport channel standard
The features such as so that it is faced extensive threat.Information security events emerge one after another both at home and abroad at present, and security situation is very severe, and I
State is in Integrated Electronic System application field, including space, vehicle etc., and previous research multi-focus is in its high efficiency of guarantee and reliably
Property, the safety of Integrated Electronic System is seldom paid close attention to, spatial data security standards system, core technology and the production of top layer are also lacked
Product.It flies satellite, aircraft etc. in space or the Space Facilities of sky, internal system is in " in the air " state, is easy hair
It is raw to be captured the attack such as control;For Integrated Electronic System Ground Application scene, it is also faced with identical threat, panzer
Etc. internal systems without any encryption mechanism and other safety protection techniques, be also easy to cause the vehicle to be controlled by attacker, from
And generate serious consequence.
Intrusion Detection Technique is the key that Integrated Electronic System security protection, can effectively detect internal attack, external attack
And maloperation, fundamentally improve the safety of Integrated Electronic System.And as the attack method of attacker becomes increasingly complex, it passes
The intrusion detection method based on machine learning method and based on specification of system follows traditional attack logic, can not detect complexity
Mutation attacks, be not suitable for Integrated Electronic System application scenarios.It is mixed based on deep layer self-encoding encoder that the invention proposes a kind of
Intrusion detection method is closed, is a kind of unsupervised approaches, has good recognition effect to mutation attacks.But due to Integrated Electronic System
Computing resource is limited, and computing resource needed for deep layer self-encoding encoder is larger, is difficult to run this method on star, therefore by integrated electronics
The data that bus manager is collected in 1553B bus in system are periodically transmitted to ground base station by certain mode, on ground
Face base station performs intrusion detection, such as: when aircraft lands every time, its communication data in current flight course is transmitted to base
It stands, the mixed intrusion detection method based on deep layer self-encoding encoder is then used to be detected.
Summary of the invention
The purpose of the present invention is to overcome the shortcomings of the existing technology and deficiency, provides a kind of base towards Integrated Electronic System
In the mixed intrusion detection method of deep layer self-encoding encoder, bus data is pre-processed first, is then encoded certainly by deep layer
Device extracts some Higher Order Abstract features that researcher can not be obtained by simple computation, finally using Ensemble classifier to invasion
Behavior is judged.Present invention reduces the dimensions of feature, to reduce calculating cost, and can efficiently differentiate new change
Body attack.
Realizing the specific technical solution of the object of the invention is:
A kind of mixed intrusion detection method based on deep layer self-encoding encoder towards Integrated Electronic System, including walk as follows
It is rapid:
Step 1: data prediction, the communication stream between each terminal that bus manager in Integrated Electronic System is stored
Amount data are normalized and standardization, obtain the training set of format specification;
Step 2: feature extraction carries out feature extraction to training set data using deep layer self-encoding encoder, obtains characteristic parameter
Weight makes feature have more ability to express;
Step 3: intrusion behavior determines, the resulting parameter weight of step 2 and training set data are done operation and obtain characteristic
According to input Ensemble classifier judges whether this feature belongs to attack.
Mixed intrusion detection method according to claim 1, normalization refers to described in step 1 is returned by min-max
One changes, logarithmic function normalization or arc cotangent function normalization algorithm map the data into the section of [0,1];The standardization
Refer to and proportionally zoomed in and out the data by min-max standardization, Z score standardization or Sigmoid function algorithm,
It is mapped to the data in corresponding space.
Mixed intrusion detection method according to claim 1, deep layer self-encoding encoder described in step 2 have several hide
Layer, including coding and decoding, are converted into feature representation form for original input;Specifically:
I) the pre-training stage, initial parameter weight is generated using training set data;
II) the fine tuning stage, parameter weighed value adjusting is carried out using the optimization method of stochastic gradient descent to all neurons.
Mixed intrusion detection method according to claim 1 makes feature have more ability to express described in step 2, is logical
Spending the fine tuning stage is iterated adjustment to characteristic parameter, filters interference characteristic, extracts and determine related feature with behavior.
Mixed intrusion detection method according to claim 1, doing operation described in step 3 i.e. will be in the training set
Data are multiplied with characteristic parameter described in step 2, it is therefore an objective to carry out dimension-reduction treatment to the training set data.
Mixed intrusion detection method according to claim 1, Ensemble classifier described in step 3 include but is not limited to
XGBoost。
Beneficial effects of the present invention are as follows: the present invention proposes a kind of base towards the limited Integrated Electronic System of computing resource
In the mixed intrusion detection method that unsupervised depth self-encoding encoder and Ensemble classifier combine, the dimension of feature is reduced
Degree, significantly reduces memory and calculating demand, can recognize that new variant attack.
Detailed description of the invention
Fig. 1 is flow chart of the present invention;
Fig. 2 is deep layer self-encoding encoder topology diagram of the present invention;
Fig. 3 is the Error Graph of deep layer self-encoding encoder of the present invention;
Fig. 4 is to accumulate limited Boltzmann machine structure chart;
Fig. 5 is decision process schematic diagram of the present invention to intrusion behavior.
Specific embodiment
In conjunction with following specific embodiments and attached drawing, the present invention is described in further detail.Implement process of the invention,
Condition, experimental method etc. are among the general principles and common general knowledge in the art, this hair in addition to what is specifically mentioned below
It is bright that there are no special restrictions to content.
Refering to fig. 1, the present invention includes the following steps:
Step 1: data prediction, communication flows between each terminal stored to bus manager in Integrated Electronic System
Data are normalized and standardization, obtain the training set of format specification;
Step 2: feature extraction carries out feature extraction to training set data using deep layer self-encoding encoder, obtains characteristic parameter
Weight makes feature have more ability to express;
Step 3: intrusion behavior determines, the resulting parameter weight of step 2 and training set data are done operation and obtain characteristic
According to input Ensemble classifier judges whether this feature belongs to attack.
In step 1, since the present invention has directly used the data on flows from bus manager, no longer Manual definition is special
Sign, it is therefore desirable to the data be pre-processed, mapping, discretization and normalizing operation are specifically included.The normalization refers to logical
It crosses algorithm to map the data into the section of [0,1], common algorithms include that min-max normalizes, logarithmic function normalizes, anti-
Cotangent normalization etc.;The standardization, which refers to, is proportionally zoomed in and out the data by algorithm, reflects the data
It is mapped to inside corresponding space, common algorithms include min-max standardization, Z score standardization, Sigmoid function etc..
In step 2, self-encoding encoder proposed by the present invention has multiple hidden layers, and profound self-encoding encoder compares shallow-layer
Secondary self-encoding encoder has better effect, but profound autocoder is more sensitive to initial value, need one it is good
Start node.The topological structure of deep layer self-encoding encoder proposed by the present invention is as shown in Figure 2.In the cataloged procedure of self-encoding encoder,
By the hidden feature of multilayered structure study to input data, then reconstructed in decoding process using the hidden feature learnt
Original input data.
The Error Graph of self-encoding encoder is as shown in figure 3, be mapped to hidden layer for input:
Y=f (x)=s (wi*x+bi)
Wherein x is input vector, x ∈ Rd*1, d is the dimension of input data.Y is output vector, y ∈ Rr*1, r is hidden layer
The quantity of neuron.wiIt is the weight of hidden layer, wi∈Rr*d。biIt is the input biasing of hidden layer, bi∈Rr*1.S is activation letter
Number.Activation of the activation primitive for two layers of intermediate node, usually nonlinear function, common activation primitive have Sigmoid function,
Relu function etc..The present invention is by taking Leaky Relu function as an example.
Decoder is that y is mapped back to original x, expression formula are as follows:
X=h (y)=s (wi*y+bi)
Wherein wi∈Rr*d, bi∈Rd*1。
Loss function expression formula are as follows:
L (w, b)=| | xi-h(f(xi))||2
Therefore, the objective function of self-encoding encoder can be expressed as:
Wherein N is total sample number, and nl indicates the number of plies of the self-encoding encoder, and sl is every layer of neuron number.
After loss function and objective function determine, using the optimal solution of stochastic gradient descent method solving model, make to lose letter
Number is minimum, and stochastic gradient descent is the loss function for minimizing every data, although be not the loss function that obtains every time all to
Global optimum be but on the whole towards global optimum.The main connection optimized between neuron by stochastic gradient descent
Weight matrix and bias matrix vector.More new-standard cement are as follows:
Wherein η is learning rate.
The training of deep layer self-encoding encoder includes two stages, one is pre-training, in order to allow deep layer self-encoding encoder
There is good initial value;The second is all neurons of deep layer self-encoding encoder are used the optimization side of stochastic gradient descent by fine tuning
Method is adjusted.
Pre-training self-encoding encoder and two kinds of most common technologies for obtaining initialization weight are to accumulate limited Boltzmann machine
Device (RBM) and stack de-noising self-encoding encoder.The present invention is illustrated by taking RBM as an example, and structure is as shown in Figure 4.Specifically with
The output of the successively mode training of greed, one of training RBM is used as the input of next RBM block.Each RBM block can heap
It is stacked in top of each other, forms the topological structure of deep layer self-encoding encoder.Global optimum, Mei Geyin are approached with every layer of optimal value
Containing layer, individually training is so that the error of preceding layer will not influence next layer, and all layers train appearance jointly in solution neural network
The problem of gradient disperse.
The fine tuning stage obtains initial weight from pre-training and for initializing depth self-encoding encoder, and parameter is adjusted with iteration
Mode carries out.This method uses back-propagation algorithm, is finely adjusted to each neuron of deep layer self-encoding encoder.
In step 3, it is illustrated by taking XGBoost Ensemble classifier as an example.Integrated Electronic System communication data passes through upper
The pre-training stage is stated, the parameter w and b of input layer to middle layer is obtained, is again calculated characteristic using parameter, specifically
It is the data after dimensionality reduction can be obtained that training set data is multiplied with the parameter of self-encoding encoder network, and reaches XGBoost classification
Device is classified, and normal and abnormal two classes are broadly divided into, and decision process is as shown in Figure 5.
Protection content of the invention is not limited to above embodiments.Without departing from the spirit and scope of the invention, originally
Field technical staff it is conceivable that variation and advantage be all included in the present invention, and with appended claims be protect
Protect range.
Claims (6)
1. a kind of mixed intrusion detection method based on deep layer self-encoding encoder towards Integrated Electronic System, which is characterized in that packet
Include following steps:
Step 1: data prediction, the communication flows number between each terminal that bus manager in Integrated Electronic System is stored
According to being normalized and standardization, the training set of format specification is obtained;
Step 2: feature extraction carries out feature extraction to training set data using deep layer self-encoding encoder, obtains characteristic parameter weight,
Feature is set to have more ability to express;
Step 3: intrusion behavior determines, the resulting parameter weight of step 2 and training set data are done operation and obtain characteristic, defeated
Enter Ensemble classifier and judges whether this feature belongs to attack.
2. mixed intrusion detection method according to claim 1, which is characterized in that normalization described in step 1 refers to by most
Small-maximum normalization, logarithmic function normalization or arc cotangent function normalization algorithm map the data into the section of [0,1];
It is described standardization refer to by min-max standardization, Z score standardization or Sigmoid function algorithm by the data according to than
Example zooms in and out, and is mapped to the data in corresponding space.
3. mixed intrusion detection method according to claim 1, which is characterized in that the tool of deep layer self-encoding encoder described in step 2
There are several hidden layers, including coding and decoding, original input is converted into feature representation form;Specifically:
I) the pre-training stage, initial parameter weight is generated using training set data;
II) the fine tuning stage, parameter weighed value adjusting is carried out using the optimization method of stochastic gradient descent to all neurons.
4. mixed intrusion detection method according to claim 1, which is characterized in that express that feature more
Ability is to be iterated adjustment to characteristic parameter by the fine tuning stage, filters interference characteristic, is extracted related with behavior judgement
Feature.
5. mixed intrusion detection method according to claim 1, which is characterized in that doing operation described in step 3 i.e. will be described
Data in training set are multiplied with characteristic parameter described in step 2, it is therefore an objective to carry out dimension-reduction treatment to the training set data.
6. mixed intrusion detection method according to claim 1, which is characterized in that Ensemble classifier described in step 3 includes
But it is not limited to XGBoost.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811439878.XA CN109660522B (en) | 2018-11-29 | 2018-11-29 | Deep self-encoder-based hybrid intrusion detection method for integrated electronic system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811439878.XA CN109660522B (en) | 2018-11-29 | 2018-11-29 | Deep self-encoder-based hybrid intrusion detection method for integrated electronic system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109660522A true CN109660522A (en) | 2019-04-19 |
CN109660522B CN109660522B (en) | 2021-05-25 |
Family
ID=66111929
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811439878.XA Active CN109660522B (en) | 2018-11-29 | 2018-11-29 | Deep self-encoder-based hybrid intrusion detection method for integrated electronic system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109660522B (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110929118A (en) * | 2019-11-04 | 2020-03-27 | 腾讯科技(深圳)有限公司 | Network data processing method, equipment, device and medium |
CN111294341A (en) * | 2020-01-17 | 2020-06-16 | 成都信息工程大学 | Vehicle-mounted system intrusion detection method based on self-encoder and recurrent neural network |
CN111669396A (en) * | 2020-06-15 | 2020-09-15 | 绍兴文理学院 | Self-learning security defense method and system for software-defined Internet of things |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20120222087A1 (en) * | 2003-06-10 | 2012-08-30 | International Business Machines Corporation | Application based intrusion detection |
CN107276805A (en) * | 2017-06-19 | 2017-10-20 | 北京邮电大学 | A kind of sample predictions method, device and electronic equipment based on IDS Framework |
CN107480699A (en) * | 2017-07-13 | 2017-12-15 | 电子科技大学 | A kind of intrusion detection method based on channel condition information and SVMs |
CN108540451A (en) * | 2018-03-13 | 2018-09-14 | 北京理工大学 | A method of classification and Detection being carried out to attack with machine learning techniques |
-
2018
- 2018-11-29 CN CN201811439878.XA patent/CN109660522B/en active Active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20120222087A1 (en) * | 2003-06-10 | 2012-08-30 | International Business Machines Corporation | Application based intrusion detection |
CN107276805A (en) * | 2017-06-19 | 2017-10-20 | 北京邮电大学 | A kind of sample predictions method, device and electronic equipment based on IDS Framework |
CN107480699A (en) * | 2017-07-13 | 2017-12-15 | 电子科技大学 | A kind of intrusion detection method based on channel condition information and SVMs |
CN108540451A (en) * | 2018-03-13 | 2018-09-14 | 北京理工大学 | A method of classification and Detection being carried out to attack with machine learning techniques |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110929118A (en) * | 2019-11-04 | 2020-03-27 | 腾讯科技(深圳)有限公司 | Network data processing method, equipment, device and medium |
CN110929118B (en) * | 2019-11-04 | 2023-12-19 | 腾讯科技(深圳)有限公司 | Network data processing method, device, apparatus and medium |
CN111294341A (en) * | 2020-01-17 | 2020-06-16 | 成都信息工程大学 | Vehicle-mounted system intrusion detection method based on self-encoder and recurrent neural network |
CN111294341B (en) * | 2020-01-17 | 2021-12-28 | 成都信息工程大学 | Vehicle-mounted system intrusion detection method based on self-encoder and recurrent neural network |
CN111669396A (en) * | 2020-06-15 | 2020-09-15 | 绍兴文理学院 | Self-learning security defense method and system for software-defined Internet of things |
Also Published As
Publication number | Publication date |
---|---|
CN109660522B (en) | 2021-05-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Cao et al. | A novel false data injection attack detection model of the cyber-physical power system | |
CN106599797B (en) | A kind of infrared face recognition method based on local parallel neural network | |
CN110232319B (en) | Ship behavior identification method based on deep learning | |
CN111585948B (en) | Intelligent network security situation prediction method based on power grid big data | |
CN111353153B (en) | GEP-CNN-based power grid malicious data injection detection method | |
CN109766992B (en) | Industrial control abnormity detection and attack classification method based on deep learning | |
Li et al. | Connecting the dots: Detecting adversarial perturbations using context inconsistency | |
Yang et al. | Real-time intrusion detection in wireless network: A deep learning-based intelligent mechanism | |
CN109902740B (en) | Re-learning industrial control intrusion detection method based on multi-algorithm fusion parallelism | |
CN109660522A (en) | The mixed intrusion detection method based on deep layer self-encoding encoder towards Integrated Electronic System | |
CN102915453B (en) | Real-time feedback and update vehicle detection method | |
CN107292166B (en) | Intrusion detection method based on CFA algorithm and BP neural network | |
CN109344856B (en) | Offline signature identification method based on multilayer discriminant feature learning | |
CN103632160A (en) | Combination-kernel-function RVM (Relevance Vector Machine) hyperspectral classification method integrated with multi-scale morphological characteristics | |
CN113242259A (en) | Network abnormal flow detection method and device | |
CN112995150B (en) | Botnet detection method based on CNN-LSTM fusion | |
CN110581840B (en) | Intrusion detection method based on double-layer heterogeneous integrated learner | |
CN109726703A (en) | A kind of facial image age recognition methods based on improvement integrated study strategy | |
Liang | An improved intrusion detection based on neural network and fuzzy algorithm | |
CN114596622A (en) | Iris and periocular antagonism adaptive fusion recognition method based on contrast knowledge drive | |
CN114724189A (en) | Method, system and application for training confrontation sample defense model for target recognition | |
CN114155407A (en) | Unbalanced image classification system based on feature scaling and boundary samples | |
Khan et al. | Robust face recognition using computationally efficient features | |
Yu et al. | A joint multi-task cnn for cross-age face recognition | |
Lu et al. | Network intrusion detection based on contractive sparse stacked denoising autoencoder |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |