CN109660522A - The mixed intrusion detection method based on deep layer self-encoding encoder towards Integrated Electronic System - Google Patents

The mixed intrusion detection method based on deep layer self-encoding encoder towards Integrated Electronic System Download PDF

Info

Publication number
CN109660522A
CN109660522A CN201811439878.XA CN201811439878A CN109660522A CN 109660522 A CN109660522 A CN 109660522A CN 201811439878 A CN201811439878 A CN 201811439878A CN 109660522 A CN109660522 A CN 109660522A
Authority
CN
China
Prior art keywords
data
encoding encoder
detection method
intrusion detection
deep layer
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201811439878.XA
Other languages
Chinese (zh)
Other versions
CN109660522B (en
Inventor
何道敬
乔琪
郑佳佳
齐维孔
王灏宇
李明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
East China Normal University
China Academy of Space Technology CAST
Original Assignee
East China Normal University
China Academy of Space Technology CAST
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by East China Normal University, China Academy of Space Technology CAST filed Critical East China Normal University
Priority to CN201811439878.XA priority Critical patent/CN109660522B/en
Publication of CN109660522A publication Critical patent/CN109660522A/en
Application granted granted Critical
Publication of CN109660522B publication Critical patent/CN109660522B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Burglar Alarm Systems (AREA)

Abstract

The invention discloses a kind of mixed intrusion detection method based on deep layer self-encoding encoder towards Integrated Electronic System, include: data prediction: the data stored to bus manager in Integrated Electronic System pre-process, and specifically include data normalization and standardization processing;Feature extraction: carrying out feature extraction to pretreated data using deep layer self-encoding encoder, extracts characteristic parameter weight by pre-training and fine tuning weighting parameter method;Intrusion behavior determines: doing operation and obtains characteristic parameter weight and input value that feature extraction phases obtain, using this feature data as the input of Ensemble classifier, export as two classification of normal data and attack data.The present invention, which extracts researcher using deep layer self-encoding encoder, to reduce characteristic dimension by the simple artificial some Higher Order Abstract features for calculating acquisition, to reduce calculating cost, and can efficiently differentiate new variant attack.

Description

The mixed intrusion detection method based on deep layer self-encoding encoder towards Integrated Electronic System
Technical field
The invention belongs to the technical field of information security, in particular to it is a kind of towards Integrated Electronic System based on deep layer from The mixed intrusion detection method of encoder.
Background technique
Inside Integrated Electronic System without encryption mechanism, built-in component is popular, technology, opening up, transport channel standard The features such as so that it is faced extensive threat.Information security events emerge one after another both at home and abroad at present, and security situation is very severe, and I State is in Integrated Electronic System application field, including space, vehicle etc., and previous research multi-focus is in its high efficiency of guarantee and reliably Property, the safety of Integrated Electronic System is seldom paid close attention to, spatial data security standards system, core technology and the production of top layer are also lacked Product.It flies satellite, aircraft etc. in space or the Space Facilities of sky, internal system is in " in the air " state, is easy hair It is raw to be captured the attack such as control;For Integrated Electronic System Ground Application scene, it is also faced with identical threat, panzer Etc. internal systems without any encryption mechanism and other safety protection techniques, be also easy to cause the vehicle to be controlled by attacker, from And generate serious consequence.
Intrusion Detection Technique is the key that Integrated Electronic System security protection, can effectively detect internal attack, external attack And maloperation, fundamentally improve the safety of Integrated Electronic System.And as the attack method of attacker becomes increasingly complex, it passes The intrusion detection method based on machine learning method and based on specification of system follows traditional attack logic, can not detect complexity Mutation attacks, be not suitable for Integrated Electronic System application scenarios.It is mixed based on deep layer self-encoding encoder that the invention proposes a kind of Intrusion detection method is closed, is a kind of unsupervised approaches, has good recognition effect to mutation attacks.But due to Integrated Electronic System Computing resource is limited, and computing resource needed for deep layer self-encoding encoder is larger, is difficult to run this method on star, therefore by integrated electronics The data that bus manager is collected in 1553B bus in system are periodically transmitted to ground base station by certain mode, on ground Face base station performs intrusion detection, such as: when aircraft lands every time, its communication data in current flight course is transmitted to base It stands, the mixed intrusion detection method based on deep layer self-encoding encoder is then used to be detected.
Summary of the invention
The purpose of the present invention is to overcome the shortcomings of the existing technology and deficiency, provides a kind of base towards Integrated Electronic System In the mixed intrusion detection method of deep layer self-encoding encoder, bus data is pre-processed first, is then encoded certainly by deep layer Device extracts some Higher Order Abstract features that researcher can not be obtained by simple computation, finally using Ensemble classifier to invasion Behavior is judged.Present invention reduces the dimensions of feature, to reduce calculating cost, and can efficiently differentiate new change Body attack.
Realizing the specific technical solution of the object of the invention is:
A kind of mixed intrusion detection method based on deep layer self-encoding encoder towards Integrated Electronic System, including walk as follows It is rapid:
Step 1: data prediction, the communication stream between each terminal that bus manager in Integrated Electronic System is stored Amount data are normalized and standardization, obtain the training set of format specification;
Step 2: feature extraction carries out feature extraction to training set data using deep layer self-encoding encoder, obtains characteristic parameter Weight makes feature have more ability to express;
Step 3: intrusion behavior determines, the resulting parameter weight of step 2 and training set data are done operation and obtain characteristic According to input Ensemble classifier judges whether this feature belongs to attack.
Mixed intrusion detection method according to claim 1, normalization refers to described in step 1 is returned by min-max One changes, logarithmic function normalization or arc cotangent function normalization algorithm map the data into the section of [0,1];The standardization Refer to and proportionally zoomed in and out the data by min-max standardization, Z score standardization or Sigmoid function algorithm, It is mapped to the data in corresponding space.
Mixed intrusion detection method according to claim 1, deep layer self-encoding encoder described in step 2 have several hide Layer, including coding and decoding, are converted into feature representation form for original input;Specifically:
I) the pre-training stage, initial parameter weight is generated using training set data;
II) the fine tuning stage, parameter weighed value adjusting is carried out using the optimization method of stochastic gradient descent to all neurons.
Mixed intrusion detection method according to claim 1 makes feature have more ability to express described in step 2, is logical Spending the fine tuning stage is iterated adjustment to characteristic parameter, filters interference characteristic, extracts and determine related feature with behavior.
Mixed intrusion detection method according to claim 1, doing operation described in step 3 i.e. will be in the training set Data are multiplied with characteristic parameter described in step 2, it is therefore an objective to carry out dimension-reduction treatment to the training set data.
Mixed intrusion detection method according to claim 1, Ensemble classifier described in step 3 include but is not limited to XGBoost。
Beneficial effects of the present invention are as follows: the present invention proposes a kind of base towards the limited Integrated Electronic System of computing resource In the mixed intrusion detection method that unsupervised depth self-encoding encoder and Ensemble classifier combine, the dimension of feature is reduced Degree, significantly reduces memory and calculating demand, can recognize that new variant attack.
Detailed description of the invention
Fig. 1 is flow chart of the present invention;
Fig. 2 is deep layer self-encoding encoder topology diagram of the present invention;
Fig. 3 is the Error Graph of deep layer self-encoding encoder of the present invention;
Fig. 4 is to accumulate limited Boltzmann machine structure chart;
Fig. 5 is decision process schematic diagram of the present invention to intrusion behavior.
Specific embodiment
In conjunction with following specific embodiments and attached drawing, the present invention is described in further detail.Implement process of the invention, Condition, experimental method etc. are among the general principles and common general knowledge in the art, this hair in addition to what is specifically mentioned below It is bright that there are no special restrictions to content.
Refering to fig. 1, the present invention includes the following steps:
Step 1: data prediction, communication flows between each terminal stored to bus manager in Integrated Electronic System Data are normalized and standardization, obtain the training set of format specification;
Step 2: feature extraction carries out feature extraction to training set data using deep layer self-encoding encoder, obtains characteristic parameter Weight makes feature have more ability to express;
Step 3: intrusion behavior determines, the resulting parameter weight of step 2 and training set data are done operation and obtain characteristic According to input Ensemble classifier judges whether this feature belongs to attack.
In step 1, since the present invention has directly used the data on flows from bus manager, no longer Manual definition is special Sign, it is therefore desirable to the data be pre-processed, mapping, discretization and normalizing operation are specifically included.The normalization refers to logical It crosses algorithm to map the data into the section of [0,1], common algorithms include that min-max normalizes, logarithmic function normalizes, anti- Cotangent normalization etc.;The standardization, which refers to, is proportionally zoomed in and out the data by algorithm, reflects the data It is mapped to inside corresponding space, common algorithms include min-max standardization, Z score standardization, Sigmoid function etc..
In step 2, self-encoding encoder proposed by the present invention has multiple hidden layers, and profound self-encoding encoder compares shallow-layer Secondary self-encoding encoder has better effect, but profound autocoder is more sensitive to initial value, need one it is good Start node.The topological structure of deep layer self-encoding encoder proposed by the present invention is as shown in Figure 2.In the cataloged procedure of self-encoding encoder, By the hidden feature of multilayered structure study to input data, then reconstructed in decoding process using the hidden feature learnt Original input data.
The Error Graph of self-encoding encoder is as shown in figure 3, be mapped to hidden layer for input:
Y=f (x)=s (wi*x+bi)
Wherein x is input vector, x ∈ Rd*1, d is the dimension of input data.Y is output vector, y ∈ Rr*1, r is hidden layer The quantity of neuron.wiIt is the weight of hidden layer, wi∈Rr*d。biIt is the input biasing of hidden layer, bi∈Rr*1.S is activation letter Number.Activation of the activation primitive for two layers of intermediate node, usually nonlinear function, common activation primitive have Sigmoid function, Relu function etc..The present invention is by taking Leaky Relu function as an example.
Decoder is that y is mapped back to original x, expression formula are as follows:
X=h (y)=s (wi*y+bi)
Wherein wi∈Rr*d, bi∈Rd*1
Loss function expression formula are as follows:
L (w, b)=| | xi-h(f(xi))||2
Therefore, the objective function of self-encoding encoder can be expressed as:
Wherein N is total sample number, and nl indicates the number of plies of the self-encoding encoder, and sl is every layer of neuron number.
After loss function and objective function determine, using the optimal solution of stochastic gradient descent method solving model, make to lose letter Number is minimum, and stochastic gradient descent is the loss function for minimizing every data, although be not the loss function that obtains every time all to Global optimum be but on the whole towards global optimum.The main connection optimized between neuron by stochastic gradient descent Weight matrix and bias matrix vector.More new-standard cement are as follows:
Wherein η is learning rate.
The training of deep layer self-encoding encoder includes two stages, one is pre-training, in order to allow deep layer self-encoding encoder There is good initial value;The second is all neurons of deep layer self-encoding encoder are used the optimization side of stochastic gradient descent by fine tuning Method is adjusted.
Pre-training self-encoding encoder and two kinds of most common technologies for obtaining initialization weight are to accumulate limited Boltzmann machine Device (RBM) and stack de-noising self-encoding encoder.The present invention is illustrated by taking RBM as an example, and structure is as shown in Figure 4.Specifically with The output of the successively mode training of greed, one of training RBM is used as the input of next RBM block.Each RBM block can heap It is stacked in top of each other, forms the topological structure of deep layer self-encoding encoder.Global optimum, Mei Geyin are approached with every layer of optimal value Containing layer, individually training is so that the error of preceding layer will not influence next layer, and all layers train appearance jointly in solution neural network The problem of gradient disperse.
The fine tuning stage obtains initial weight from pre-training and for initializing depth self-encoding encoder, and parameter is adjusted with iteration Mode carries out.This method uses back-propagation algorithm, is finely adjusted to each neuron of deep layer self-encoding encoder.
In step 3, it is illustrated by taking XGBoost Ensemble classifier as an example.Integrated Electronic System communication data passes through upper The pre-training stage is stated, the parameter w and b of input layer to middle layer is obtained, is again calculated characteristic using parameter, specifically It is the data after dimensionality reduction can be obtained that training set data is multiplied with the parameter of self-encoding encoder network, and reaches XGBoost classification Device is classified, and normal and abnormal two classes are broadly divided into, and decision process is as shown in Figure 5.
Protection content of the invention is not limited to above embodiments.Without departing from the spirit and scope of the invention, originally Field technical staff it is conceivable that variation and advantage be all included in the present invention, and with appended claims be protect Protect range.

Claims (6)

1. a kind of mixed intrusion detection method based on deep layer self-encoding encoder towards Integrated Electronic System, which is characterized in that packet Include following steps:
Step 1: data prediction, the communication flows number between each terminal that bus manager in Integrated Electronic System is stored According to being normalized and standardization, the training set of format specification is obtained;
Step 2: feature extraction carries out feature extraction to training set data using deep layer self-encoding encoder, obtains characteristic parameter weight, Feature is set to have more ability to express;
Step 3: intrusion behavior determines, the resulting parameter weight of step 2 and training set data are done operation and obtain characteristic, defeated Enter Ensemble classifier and judges whether this feature belongs to attack.
2. mixed intrusion detection method according to claim 1, which is characterized in that normalization described in step 1 refers to by most Small-maximum normalization, logarithmic function normalization or arc cotangent function normalization algorithm map the data into the section of [0,1]; It is described standardization refer to by min-max standardization, Z score standardization or Sigmoid function algorithm by the data according to than Example zooms in and out, and is mapped to the data in corresponding space.
3. mixed intrusion detection method according to claim 1, which is characterized in that the tool of deep layer self-encoding encoder described in step 2 There are several hidden layers, including coding and decoding, original input is converted into feature representation form;Specifically:
I) the pre-training stage, initial parameter weight is generated using training set data;
II) the fine tuning stage, parameter weighed value adjusting is carried out using the optimization method of stochastic gradient descent to all neurons.
4. mixed intrusion detection method according to claim 1, which is characterized in that express that feature more Ability is to be iterated adjustment to characteristic parameter by the fine tuning stage, filters interference characteristic, is extracted related with behavior judgement Feature.
5. mixed intrusion detection method according to claim 1, which is characterized in that doing operation described in step 3 i.e. will be described Data in training set are multiplied with characteristic parameter described in step 2, it is therefore an objective to carry out dimension-reduction treatment to the training set data.
6. mixed intrusion detection method according to claim 1, which is characterized in that Ensemble classifier described in step 3 includes But it is not limited to XGBoost.
CN201811439878.XA 2018-11-29 2018-11-29 Deep self-encoder-based hybrid intrusion detection method for integrated electronic system Active CN109660522B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811439878.XA CN109660522B (en) 2018-11-29 2018-11-29 Deep self-encoder-based hybrid intrusion detection method for integrated electronic system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811439878.XA CN109660522B (en) 2018-11-29 2018-11-29 Deep self-encoder-based hybrid intrusion detection method for integrated electronic system

Publications (2)

Publication Number Publication Date
CN109660522A true CN109660522A (en) 2019-04-19
CN109660522B CN109660522B (en) 2021-05-25

Family

ID=66111929

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811439878.XA Active CN109660522B (en) 2018-11-29 2018-11-29 Deep self-encoder-based hybrid intrusion detection method for integrated electronic system

Country Status (1)

Country Link
CN (1) CN109660522B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110929118A (en) * 2019-11-04 2020-03-27 腾讯科技(深圳)有限公司 Network data processing method, equipment, device and medium
CN111294341A (en) * 2020-01-17 2020-06-16 成都信息工程大学 Vehicle-mounted system intrusion detection method based on self-encoder and recurrent neural network
CN111669396A (en) * 2020-06-15 2020-09-15 绍兴文理学院 Self-learning security defense method and system for software-defined Internet of things

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120222087A1 (en) * 2003-06-10 2012-08-30 International Business Machines Corporation Application based intrusion detection
CN107276805A (en) * 2017-06-19 2017-10-20 北京邮电大学 A kind of sample predictions method, device and electronic equipment based on IDS Framework
CN107480699A (en) * 2017-07-13 2017-12-15 电子科技大学 A kind of intrusion detection method based on channel condition information and SVMs
CN108540451A (en) * 2018-03-13 2018-09-14 北京理工大学 A method of classification and Detection being carried out to attack with machine learning techniques

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120222087A1 (en) * 2003-06-10 2012-08-30 International Business Machines Corporation Application based intrusion detection
CN107276805A (en) * 2017-06-19 2017-10-20 北京邮电大学 A kind of sample predictions method, device and electronic equipment based on IDS Framework
CN107480699A (en) * 2017-07-13 2017-12-15 电子科技大学 A kind of intrusion detection method based on channel condition information and SVMs
CN108540451A (en) * 2018-03-13 2018-09-14 北京理工大学 A method of classification and Detection being carried out to attack with machine learning techniques

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110929118A (en) * 2019-11-04 2020-03-27 腾讯科技(深圳)有限公司 Network data processing method, equipment, device and medium
CN110929118B (en) * 2019-11-04 2023-12-19 腾讯科技(深圳)有限公司 Network data processing method, device, apparatus and medium
CN111294341A (en) * 2020-01-17 2020-06-16 成都信息工程大学 Vehicle-mounted system intrusion detection method based on self-encoder and recurrent neural network
CN111294341B (en) * 2020-01-17 2021-12-28 成都信息工程大学 Vehicle-mounted system intrusion detection method based on self-encoder and recurrent neural network
CN111669396A (en) * 2020-06-15 2020-09-15 绍兴文理学院 Self-learning security defense method and system for software-defined Internet of things

Also Published As

Publication number Publication date
CN109660522B (en) 2021-05-25

Similar Documents

Publication Publication Date Title
Cao et al. A novel false data injection attack detection model of the cyber-physical power system
CN106599797B (en) A kind of infrared face recognition method based on local parallel neural network
CN110232319B (en) Ship behavior identification method based on deep learning
CN111585948B (en) Intelligent network security situation prediction method based on power grid big data
CN111353153B (en) GEP-CNN-based power grid malicious data injection detection method
CN109766992B (en) Industrial control abnormity detection and attack classification method based on deep learning
Li et al. Connecting the dots: Detecting adversarial perturbations using context inconsistency
Yang et al. Real-time intrusion detection in wireless network: A deep learning-based intelligent mechanism
CN109902740B (en) Re-learning industrial control intrusion detection method based on multi-algorithm fusion parallelism
CN109660522A (en) The mixed intrusion detection method based on deep layer self-encoding encoder towards Integrated Electronic System
CN102915453B (en) Real-time feedback and update vehicle detection method
CN107292166B (en) Intrusion detection method based on CFA algorithm and BP neural network
CN109344856B (en) Offline signature identification method based on multilayer discriminant feature learning
CN103632160A (en) Combination-kernel-function RVM (Relevance Vector Machine) hyperspectral classification method integrated with multi-scale morphological characteristics
CN113242259A (en) Network abnormal flow detection method and device
CN112995150B (en) Botnet detection method based on CNN-LSTM fusion
CN110581840B (en) Intrusion detection method based on double-layer heterogeneous integrated learner
CN109726703A (en) A kind of facial image age recognition methods based on improvement integrated study strategy
Liang An improved intrusion detection based on neural network and fuzzy algorithm
CN114596622A (en) Iris and periocular antagonism adaptive fusion recognition method based on contrast knowledge drive
CN114724189A (en) Method, system and application for training confrontation sample defense model for target recognition
CN114155407A (en) Unbalanced image classification system based on feature scaling and boundary samples
Khan et al. Robust face recognition using computationally efficient features
Yu et al. A joint multi-task cnn for cross-age face recognition
Lu et al. Network intrusion detection based on contractive sparse stacked denoising autoencoder

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant