CN109660522B - Deep self-encoder-based hybrid intrusion detection method for integrated electronic system - Google Patents

Info

Publication number
CN109660522B
Authority
CN
China
Prior art keywords
data
encoder
electronic system
detection method
intrusion detection
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811439878.XA
Other languages
Chinese (zh)
Other versions
CN109660522A (en)
Inventor
何道敬
乔琪
郑佳佳
齐维孔
王灏宇
李明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
East China Normal University
China Academy of Space Technology CAST
Original Assignee
East China Normal University
China Academy of Space Technology CAST
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by East China Normal University, China Academy of Space Technology CAST

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Burglar Alarm Systems (AREA)

Abstract

The invention discloses a deep self-encoder-based hybrid intrusion detection method for an integrated electronic system, which comprises the following steps. Data preprocessing: preprocessing the data stored by a bus manager in the integrated electronic system, specifically including data normalization and standardization. Feature extraction: extracting the features of the preprocessed data with a deep self-encoder, and obtaining the feature parameter weights by pre-training and then fine-tuning the weight parameters. Intrusion behavior determination: combining the parameter weights obtained in the feature extraction stage with the input values to obtain feature data, using the feature data as the input of an ensemble classifier, and classifying the output into two categories, normal data and attack data. The invention uses a deep self-encoder to extract high-order abstract features that a researcher cannot obtain through simple manual calculation and reduces the feature dimension, thereby reducing the computational cost and effectively distinguishing new variant attacks.

Description

Deep self-encoder-based hybrid intrusion detection method for integrated electronic system
Technical Field
The invention belongs to the technical field of information security, and particularly relates to a deep-layer self-encoder-based hybrid intrusion detection method for an integrated electronic system.
Background
The integrated electronic system has no encryption mechanism, uses commonly available built-in components, is technically open and relies on standardized transmission channels, all of which expose it to a wide range of threats. Information security incidents at home and abroad keep emerging and the security situation is severe. Yet in the application fields of the integrated electronic system in China, including space and vehicles, previous research has focused on ensuring the efficiency and reliability of the system and paid little attention to its security, and a top-level space information security standard system, core technologies and products are lacking. For space equipment such as satellites, and for aircraft in flight, the interior of the system is in an 'unprotected' state, and attacks such as seizing control are easy to carry out. Ground applications of the integrated electronic system face the same threat: because systems such as armored vehicles have no internal encryption mechanism or other security protection, an attacker can easily take control of the vehicle, with serious consequences.
Intrusion detection technology is the key to the security protection of the integrated electronic system: it can effectively detect internal attacks, external attacks and misoperation, and fundamentally improves the security of the system. However, as attackers' methods become more complex, traditional machine-learning-based methods and specification-based intrusion detection methods, which follow traditional attack logic, cannot detect complex variant attacks and are therefore not suitable for the integrated electronic system. The invention provides a hybrid intrusion detection method based on a deep self-encoder, which is an unsupervised method and identifies variant attacks well. Because the computing resources of the integrated electronic system are limited and the deep self-encoder requires substantial computing resources, the method is difficult to run on a satellite. Instead, the data collected on the 1553B bus by the bus manager in the integrated electronic system is periodically transmitted by some means to a ground base station, where intrusion detection is performed. For example, when an aircraft lands, the communication data recorded during the flight is transmitted to the base station and then examined with the deep self-encoder-based hybrid intrusion detection method.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provide a deep self-encoder-based hybrid intrusion detection method for an integrated electronic system. The invention reduces the dimensionality of the features, thereby reducing the computational cost and effectively distinguishing new variant attacks.
The specific technical scheme for realizing the purpose of the invention is as follows:
A deep self-encoder-based hybrid intrusion detection method for an integrated electronic system comprises the following steps:
Step 1: data preprocessing, namely performing normalization and standardization on the communication traffic data between terminals stored by a bus manager in the integrated electronic system, to obtain a training set in a standard format;
Step 2: feature extraction, namely extracting the features of the training set data with a deep self-encoder to obtain the feature parameter weights, so that the features are more expressive;
Step 3: intrusion behavior determination, namely combining the parameter weights obtained in step 2 with the training set data to obtain feature data, and inputting the feature data into an ensemble classifier to determine whether the features belong to attack behavior.
The hybrid intrusion detection method according to claim 1, wherein the normalization of step 1 is to map data into an interval of [0,1] by min-max normalization, logarithmic function normalization or inverse cotangent function normalization algorithm; the standardization refers to scaling the data according to a proportion through a minimum-maximum standardization, a Z-score standardization or a Sigmoid function algorithm, so that the data are mapped into a corresponding space.
The hybrid intrusion detection method according to claim 1, wherein the deep self-encoder of step 2 has a plurality of hidden layers, including encoding and decoding, and converts an original input into a feature expression form; the method specifically comprises the following steps:
i) in the pre-training stage, training set data is used to generate the initial parameter weights;
ii) in the fine-tuning stage, the parameter weights of all neurons are adjusted using stochastic gradient descent.
The hybrid intrusion detection method according to claim 1, wherein the step 2 of making the features more expressive is to iteratively adjust feature parameters through a fine-tuning stage, filter interference features, and extract features associated with behavior decision.
The hybrid intrusion detection method according to claim 1, wherein the operation of step 3 is to multiply the data in the training set by the feature parameters of step 2, so as to perform dimension reduction processing on the data in the training set.
The hybrid intrusion detection method according to claim 1, wherein the ensemble classifier of step 3 includes, but is not limited to, XGBoost.
The invention has the following beneficial effects: for an integrated electronic system with limited computing resources, it provides a hybrid intrusion detection method that combines an unsupervised deep self-encoder with an ensemble classifier, so that the feature dimensionality is reduced, the memory and computing requirements are significantly reduced, and new variant attacks can be identified.
Drawings
FIG. 1 is a flow chart of the present invention;
FIG. 2 is a diagram of the deep self-encoder topology according to the present invention;
FIG. 3 is an error diagram of the deep self-encoder of the present invention;
FIG. 4 is a diagram of a stacked restricted Boltzmann machine;
FIG. 5 is a schematic diagram illustrating the intrusion behavior determination process according to the present invention.
Detailed Description
The present invention will be described in further detail with reference to the following specific examples and the accompanying drawings. The procedures, conditions, experimental methods and the like for carrying out the present invention are general knowledge and common general knowledge in the art except for the contents specifically mentioned below, and the present invention is not particularly limited.
Referring to fig. 1, the present invention includes the steps of:
Step 1: data preprocessing, namely performing normalization and standardization on the communication traffic data between terminals stored by a bus manager in the integrated electronic system, to obtain a training set in a standard format;
Step 2: feature extraction, namely extracting the features of the training set data with a deep self-encoder to obtain the feature parameter weights, so that the features are more expressive;
Step 3: intrusion behavior determination, namely combining the parameter weights obtained in step 2 with the training set data to obtain feature data, and inputting the feature data into an ensemble classifier to determine whether the features belong to attack behavior.
In step 1, since the present invention directly uses the traffic data from the bus manager, and does not manually define the characteristics, the data needs to be preprocessed, specifically including mapping, discretization and standardization operations. The normalization refers to mapping data to a [0,1] interval through an algorithm, and common algorithms comprise minimum-maximum normalization, logarithmic function normalization, inverse cotangent function normalization and the like; the standardization refers to scaling the data according to a proportion through an algorithm, so that the data are mapped into a corresponding space, and common algorithms comprise minimum-maximum standardization, Z-score standardization, a Sigmoid function and the like.
In step 2, the self-encoder provided by the invention has a plurality of hidden layers. A deep self-encoder performs better than a shallow one, but it is sensitive to its initial values and needs a good starting point. The topology of the deep self-encoder proposed by the invention is shown in Fig. 2. In the encoding process, the self-encoder learns implicit features of the input data through its multi-layer structure; in the decoding process, it reconstructs the original input data from the learned implicit features.
Fig. 3 shows the error diagram of the self-encoder. The input is mapped to the hidden layer:
$$y = f(x) = s(w_i x + b_i)$$
where $x$ is the input vector, $x \in \mathbb{R}^{d \times 1}$, and $d$ is the dimension of the input data. $y$ is the output vector, $y \in \mathbb{R}^{r \times 1}$, and $r$ is the number of hidden layer neurons. $w_i$ is the weight of the hidden layer, $w_i \in \mathbb{R}^{r \times d}$. $b_i$ is the input bias of the hidden layer, $b_i \in \mathbb{R}^{r \times 1}$. $s$ is the activation function. The activation function activates the nodes between two layers and is usually nonlinear; common activation functions are the Sigmoid function, the ReLU function and the like. The invention takes the Leaky ReLU function as an example.
The decoder maps $y$ back to the original $x$, with the expression:
$$x = h(y) = s(w_i y + b_i)$$
where $w_i \in \mathbb{R}^{r \times d}$ and $b_i \in \mathbb{R}^{d \times 1}$.
The loss function expression is:
$$L(w, b) = \lVert x_i - h(f(x_i)) \rVert^2$$
thus, the objective function of the self-encoder can be expressed as:
Figure BDA0001884416730000041
where N is the total number of samples, nl represents the number of layers of the self-encoder, and sl is the number of neurons per layer.
After the loss function and the objective function are determined, the optimal solution of the model is found by minimizing the loss function with stochastic gradient descent. Stochastic gradient descent minimizes the loss for each individual sample; although each individual update does not necessarily move toward the global optimum, the overall direction does. Stochastic gradient descent is mainly used to optimize the connection weight matrices and bias vectors between neurons. The update expressions are:
Figure BDA0001884416730000042
Figure BDA0001884416730000043
where η is the learning rate.
The training of the deep self-encoder comprises two stages. The first is pre-training, whose aim is to give the deep self-encoder good initial values; the second is fine-tuning, which adjusts all neurons of the deep self-encoder using stochastic gradient descent.
The two most common techniques for pre-training the self-encoder and obtaining initialization weights are the stacked restricted Boltzmann machine (RBM) and the stacked denoising self-encoder. The invention uses the RBM as an example; its structure is shown in Fig. 4. Training is done in a greedy, layer-by-layer manner, in which the output of one trained RBM is used as the input to the next RBM block. The RBM blocks are stacked on top of each other to form the topology of the deep self-encoder. The optimum of each layer is close to the global optimum, and each hidden layer is trained independently, so the error of one layer does not affect the next; this avoids the vanishing-gradient problem that arises when all layers of a neural network are trained together.
The fine-tuning stage takes the initial weights from pre-training, uses them to initialize the deep self-encoder, and adjusts the parameters iteratively. A back-propagation algorithm is used to fine-tune each neuron of the deep self-encoder.
In step 3, an XGBoost ensemble classifier is taken as an example. Through the pre-training stage, the integrated electronic system communication data yields the parameters w and b from the input layer to the intermediate layer. These parameters are then used to compute the feature data: the training set data is multiplied by the parameters of the self-encoder network to obtain the dimension-reduced data, which is passed to the XGBoost classifier and classified as normal or abnormal. The decision process is shown in Fig. 5.
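Steps 1 to 3 above, as an added example that is not code from the patent: min-max scaling, a single-hidden-layer Leaky ReLU self-encoder trained by stochastic gradient descent on the reconstruction loss, and the encoder projection that produces the reduced features for the ensemble classifier. The four traffic features, the sample rows, the single hidden layer with random initialisation in place of RBM pre-training, and all function names are assumptions; the XGBoost stage is left out.

```python
import random

# Constructed sample, one row per 1553B message: [remote terminal address,
# subaddress, word count, gap to previous message (us)]. Features are an assumption.
TRAFFIC = [[1, 1, 16, 500], [1, 2, 8, 510], [2, 1, 32, 495], [2, 3, 4, 505],
           [3, 1, 16, 500], [3, 2, 8, 498], [4, 1, 32, 502], [4, 3, 4, 507]]
ALPHA = 0.01  # Leaky ReLU slope for negative inputs

def fit_min_max(rows):
    """Step 1: learn per-column min and max from the training set only."""
    cols = list(zip(*rows))
    return [min(c) for c in cols], [max(c) for c in cols]

def min_max_scale(row, lo, hi):
    """Map a row into [0, 1]; constant columns give 0, unseen extremes are clipped."""
    scaled = [0.0 if b == a else (v - a) / (b - a) for v, a, b in zip(row, lo, hi)]
    return [min(1.0, max(0.0, s)) for s in scaled]

def act(z):
    return z if z > 0 else ALPHA * z

def act_grad(z):
    return 1.0 if z > 0 else ALPHA

def affine(w, b, v):
    return [sum(wi * vi for wi, vi in zip(row, v)) + bi for row, bi in zip(w, b)]

class AutoEncoder:
    """One hidden layer: y = s(w1 x + b1), x_hat = s(w2 y + b2), s = Leaky ReLU."""

    def __init__(self, d, r, seed=0):
        rng = random.Random(seed)  # random start; stands in for RBM pre-training
        self.w1 = [[rng.uniform(-0.1, 0.1) for _ in range(d)] for _ in range(r)]
        self.w2 = [[rng.uniform(-0.1, 0.1) for _ in range(r)] for _ in range(d)]
        self.b1, self.b2 = [0.0] * r, [0.0] * d

    def encode(self, x):
        return [act(z) for z in affine(self.w1, self.b1, x)]

    def loss(self, x):
        x_hat = [act(z) for z in affine(self.w2, self.b2, self.encode(x))]
        return sum((a - b) ** 2 for a, b in zip(x, x_hat))

    def sgd_step(self, x, eta):
        """One stochastic gradient descent update on ||x - h(f(x))||^2."""
        z1 = affine(self.w1, self.b1, x)
        y = [act(z) for z in z1]
        z2 = affine(self.w2, self.b2, y)
        g2 = [2 * (act(z) - xj) * act_grad(z) for z, xj in zip(z2, x)]  # dL/dz2
        g1 = [sum(g * row[k] for g, row in zip(g2, self.w2)) * act_grad(z1[k])
              for k in range(len(y))]  # dL/dz1, back-propagated through w2
        for w, b, g, v in ((self.w2, self.b2, g2, y), (self.w1, self.b1, g1, x)):
            for j, gj in enumerate(g):
                b[j] -= eta * gj
                for k, vk in enumerate(v):
                    w[j][k] -= eta * gj * vk  # w <- w - eta * dL/dw

def train(rows, r=2, eta=0.05, epochs=300, seed=0):
    """Steps 1-2: scale the rows, fit the self-encoder, report loss before/after."""
    lo, hi = fit_min_max(rows)
    data = [min_max_scale(x, lo, hi) for x in rows]
    ae = AutoEncoder(len(lo), r, seed)
    mean_loss = lambda: sum(ae.loss(x) for x in data) / len(data)
    before = mean_loss()
    rng = random.Random(seed)
    for _ in range(epochs):
        rng.shuffle(data)
        for x in data:
            ae.sgd_step(x, eta)
    return ae, (lo, hi), before, mean_loss()

def reduced_features(ae, scaler, rows):
    """Step 3 input: r-dimensional features to hand to the ensemble classifier."""
    return [ae.encode(min_max_scale(x, *scaler)) for x in rows]

if __name__ == "__main__":
    model, scaler, before, after = train(TRAFFIC)
    print(f"mean reconstruction loss: {before:.4f} -> {after:.4f}")
    print(reduced_features(model, scaler, [[2, 1, 32, 495], [31, 30, 1, 20]]))
```

The min and max learned in training must be stored and reused when scoring later traffic; otherwise the encoder sees inputs on a different scale from the one it was trained on.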
The protection of the present invention is not limited to the above embodiments. Variations and advantages that may occur to those skilled in the art may be incorporated into the invention without departing from the spirit and scope of the inventive concept, and the scope of the appended claims is intended to be protected.

Claims (4)

1. A deep self-encoder-based hybrid intrusion detection method for an integrated electronic system is characterized by comprising the following steps:
step 1: data preprocessing, namely performing normalization and standardization processing on communication flow data between terminals stored by a bus manager in the integrated electronic system to obtain a training set with a standard format;
step 2: extracting features, namely extracting the features of the training set data by using a deep self-encoder to obtain a feature parameter weight so that the features have more expression capability;
step 3: intrusion behavior determination, namely combining the parameter weights obtained in step 2 with the training set data to obtain feature data, and inputting the feature data into an ensemble classifier to determine whether the features belong to attack behavior; wherein:
in step 1, the normalization refers to mapping data to the interval [0,1] through a min-max normalization, logarithmic function normalization or inverse cotangent function normalization algorithm; the standardization refers to scaling the data proportionally through a min-max standardization, Z-score standardization or Sigmoid function algorithm, so that the data is mapped into a corresponding space;
in step 2, the deep self-encoder has a plurality of hidden layers, comprises encoding and decoding, and converts the original input into a feature representation; the method specifically comprises the following steps:
i) in the pre-training stage, training set data is used to generate the initial parameter weights;
ii) in the fine-tuning stage, the parameter weights of all neurons are adjusted using stochastic gradient descent.
2. The hybrid intrusion detection method according to claim 1, wherein the step 2 of making the features more expressive is to iteratively adjust feature parameters through a fine-tuning stage, filter interference features, and extract features associated with behavior decision.
3. The hybrid intrusion detection method according to claim 1, wherein the operation of step 3 is to multiply the data in the training set by the feature parameters of step 2 in order to perform the dimension reduction processing on the data in the training set.
4. The hybrid intrusion detection method according to claim 1, wherein the ensemble classifier of step 3 is XGBoost.
Application CN201811439878.XA (priority date 2018-11-29, filing date 2018-11-29): Deep self-encoder-based hybrid intrusion detection method for integrated electronic system. Status: Active. Publication: CN109660522B (en).

Publications (2)

Publication Number Publication Date
CN109660522A CN109660522A (en) 2019-04-19
CN109660522B CN109660522B (en) 2021-05-25

Family

ID=66111929

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant