CN113114673A - Network intrusion detection method and system based on a generative adversarial network - Google Patents

Publication number
CN113114673A
Authority
CN
China
Prior art keywords
attack
data
intrusion detection
network
trained
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110389604.XA
Other languages
Chinese (zh)
Inventor
吴诒轩
孙文韬
聂来森
宁兆龙
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Northwestern Polytechnical University
Original Assignee
Northwestern Polytechnical University

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • G06N3/084 Backpropagation, e.g. using gradient descent


Abstract

The invention discloses a network intrusion detection method and system based on a generative adversarial network (GAN). The method comprises: performing intrusion detection on the network traffic to be detected using a trained GAN model. To train the GAN model, GAN-based single-attack intrusion detection models are each trained with one attack data set, generating a plurality of trained single-attack intrusion detection models; the outputs obtained by inputting the network traffic to be trained into each trained single-attack intrusion detection model are used to train a GAN-based multi-type attack intrusion detection model, generating a trained multi-type attack intrusion detection model; and the trained GAN model is generated from the plurality of trained single-attack intrusion detection models and the trained multi-type attack intrusion detection model. The method and system can identify multiple types of attacks in the network.

Description

Network intrusion detection method and system based on a generative adversarial network
Technical Field
The invention relates to the technical field of network intrusion detection, and in particular to a network intrusion detection method and system based on a generative adversarial network (GAN).
Background
With the continuous development of the internet, more and more devices and everyday objects can be connected to the internet and communicate in real time. Owing to the widespread use of social networking, millions of sensors and devices continuously generate data and exchange important information. Because such networks are wide-ranging and highly open, network operators must pay more attention to network security threats. To ensure the security of the network, it is important to use intrusion detection mechanisms in the network environment. Intrusion detection is a good way to prevent multiple kinds of attack and protect user privacy.
At present, intrusion detection is generally implemented with deep learning to protect the security of the network. However, network intrusion detection remains a challenge, and current research on the security of network systems cannot keep up with increasingly diverse networks.
Disclosure of Invention
The invention aims to provide a network intrusion detection method and system based on a generative adversarial network which take the complexity and variability of the network into account and can identify multiple types of attacks in the network.
To achieve this purpose, the invention provides the following scheme:
a network intrusion detection method, comprising:
acquiring the network traffic to be detected;
performing intrusion detection on the network traffic to be detected using a trained GAN model, to obtain a detection result indicating whether the network traffic is under attack;
the method for generating the trained GAN model specifically comprises the following steps:
acquiring the network traffic to be trained;
performing traffic feature extraction on the network traffic to be trained, and collecting attack data of different attack types to form a plurality of attack data sets; each attack data set comprises the traffic feature matrix corresponding to one attack type;
training GAN-based single-attack intrusion detection models, each with one attack data set, to generate a plurality of trained single-attack intrusion detection models;
inputting the network traffic to be trained into each trained single-attack intrusion detection model to obtain a synthetic data matrix; the elements of the synthetic data matrix are the outputs produced when the network traffic to be trained is input into the trained single-attack intrusion detection models;
training a GAN-based multi-type attack intrusion detection model with the synthetic data matrix, to generate a trained multi-type attack intrusion detection model;
and generating the trained GAN model from the plurality of trained single-attack intrusion detection models and the one trained multi-type attack intrusion detection model.
Optionally, performing traffic feature extraction on the network traffic to be trained and collecting attack data of different attack types to form a plurality of attack data sets specifically comprises:
performing traffic feature extraction on the network traffic to be trained to obtain a traffic feature matrix;
normalizing the elements of the traffic feature matrix to obtain normalized traffic feature data;
and dividing the normalized traffic feature data by attack type to generate a plurality of attack data sets.
Optionally, training GAN-based single-attack intrusion detection models, each with one attack data set, to generate a plurality of trained single-attack intrusion detection models specifically comprises:
acquiring a plurality of noise data;
inputting the plurality of noise data into the generator of the single-attack intrusion detection model to generate first spoofed data;
inputting the first spoofed data and one attack data set into the discriminator of the single-attack intrusion detection model, and outputting a discrimination result for the single-type attack data and a discrimination result for the first spoofed data;
determining, from the discrimination result for the single-type attack data, the discrimination performance of the discriminator of the single-attack intrusion detection model on the attack data;
determining, from the discrimination result for the first spoofed data, the discrimination performance of the discriminator of the single-attack intrusion detection model on the first spoofed data;
judging whether a first training end condition is met according to the discrimination performance of the discriminator of the single-attack intrusion detection model on the attack data and on the first spoofed data; and generating the trained single-attack intrusion detection model once the first training end condition is met.
Optionally, training the GAN-based multi-type attack intrusion detection model with the synthetic data matrix to generate the trained multi-type attack intrusion detection model specifically comprises:
inputting the synthetic data matrix into the generator of the multi-type attack intrusion detection model to generate second spoofed data;
inputting the synthetic data matrix and the second spoofed data into the discriminator of the multi-type attack intrusion detection model, and outputting a discrimination result for the synthetic data and a discrimination result for the second spoofed data;
determining, from the discrimination result for the synthetic data, the discrimination performance of the discriminator of the multi-type attack intrusion detection model on the synthetic data;
determining, from the discrimination result for the second spoofed data, the discrimination performance of the discriminator of the multi-type attack intrusion detection model on the second spoofed data;
judging whether a second training end condition is met according to the discrimination performance of the discriminator of the multi-type attack intrusion detection model on the synthetic data and on the second spoofed data; and generating the trained multi-type attack intrusion detection model once the second training end condition is met.
The invention also provides a network intrusion detection system, comprising:
a network traffic measurement module, used for acquiring the network traffic to be detected;
an intrusion detection module, used for performing intrusion detection on the network traffic to be detected using a trained GAN model, to obtain a detection result indicating whether the network traffic is under attack;
the intrusion detection module specifically comprises:
a to-be-trained network traffic acquisition submodule, used for acquiring the network traffic to be trained;
an attack data set generation submodule, used for performing traffic feature extraction on the network traffic to be trained and collecting attack data of different attack types to form a plurality of attack data sets; each attack data set comprises the traffic feature matrix corresponding to one attack type;
a single-attack intrusion detection model training submodule, used for training GAN-based single-attack intrusion detection models, each with one attack data set, to generate a plurality of trained single-attack intrusion detection models;
a synthetic data matrix generation submodule, used for inputting the network traffic to be trained into each trained single-attack intrusion detection model to obtain a synthetic data matrix; the elements of the synthetic data matrix are the outputs produced when the network traffic to be trained is input into the trained single-attack intrusion detection models;
a multi-type attack intrusion detection model training submodule, used for training a GAN-based multi-type attack intrusion detection model with the synthetic data matrix, to generate a trained multi-type attack intrusion detection model;
and a trained GAN model generation submodule, used for generating the trained GAN model from the plurality of trained single-attack intrusion detection models and the one trained multi-type attack intrusion detection model.
Optionally, the attack data set generation submodule specifically comprises:
a traffic feature extraction unit, used for performing traffic feature extraction on the network traffic to be trained to obtain a traffic feature matrix;
a normalization processing unit, used for normalizing the elements of the traffic feature matrix to obtain normalized traffic feature data;
and an attack type division unit, used for dividing the normalized traffic feature data by attack type to generate a plurality of attack data sets.
Optionally, the single-attack intrusion detection model training submodule specifically comprises:
a noise data acquisition unit, used for acquiring a plurality of noise data;
a first spoofed data generation unit, used for inputting the plurality of noise data into the generator of the single-attack intrusion detection model to generate first spoofed data;
a first discrimination result output unit, used for inputting the first spoofed data and one attack data set into the discriminator of the single-attack intrusion detection model, and outputting a discrimination result for the single-type attack data and a discrimination result for the first spoofed data;
a first discrimination performance determination unit, used for determining, from the discrimination result for the single-type attack data, the discrimination performance of the discriminator of the single-attack intrusion detection model on the attack data;
a second discrimination performance determination unit, used for determining, from the discrimination result for the first spoofed data, the discrimination performance of the discriminator of the single-attack intrusion detection model on the first spoofed data;
a trained single-attack intrusion detection model generation unit, used for judging whether a first training end condition is met according to the discrimination performance of the discriminator of the single-attack intrusion detection model on the attack data and on the first spoofed data, and for generating the trained single-attack intrusion detection model once the first training end condition is met.
Optionally, the multi-type attack intrusion detection model training submodule specifically comprises:
a second spoofed data generation unit, used for inputting the synthetic data matrix into the generator of the multi-type attack intrusion detection model to generate second spoofed data;
a second discrimination result output unit, used for inputting the synthetic data matrix and the second spoofed data into the discriminator of the multi-type attack intrusion detection model, and outputting a discrimination result for the synthetic data and a discrimination result for the second spoofed data;
a third discrimination performance determination unit, used for determining, from the discrimination result for the synthetic data, the discrimination performance of the discriminator of the multi-type attack intrusion detection model on the synthetic data;
a fourth discrimination performance determination unit, used for determining, from the discrimination result for the second spoofed data, the discrimination performance of the discriminator of the multi-type attack intrusion detection model on the second spoofed data;
a trained multi-type attack intrusion detection model generation unit, used for judging whether a second training end condition is met according to the discrimination performance of the discriminator of the multi-type attack intrusion detection model on the synthetic data and on the second spoofed data, and for generating the trained multi-type attack intrusion detection model once the second training end condition is met.
Compared with the prior art, the invention has the following beneficial effects:
the invention provides a network intrusion detection method and system based on a generative adversarial network. When the GAN model is trained, GAN-based single-attack intrusion detection models are each trained with one attack data set, generating a plurality of trained single-attack intrusion detection models; the outputs obtained by inputting the network traffic to be trained into each trained single-attack intrusion detection model are used to train a GAN-based multi-type attack intrusion detection model, generating a trained multi-type attack intrusion detection model; and the trained GAN model is generated from the plurality of trained single-attack intrusion detection models and the trained multi-type attack intrusion detection model. Therefore, when network intrusion detection is carried out, the detection result of whether the network traffic is under attack can be obtained simply by applying the trained GAN model to the network traffic to be detected. The invention takes the complexity and variability of the network into account and can identify multiple types of attacks in the network.
Drawings
To illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings used in the embodiments are briefly described below. The drawings described below are only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a flowchart of the GAN-based network intrusion detection method according to an embodiment of the present invention;
FIG. 2 is a flowchart of the training method for the GAN model according to an embodiment of the present invention;
FIG. 3 is a structural diagram of the GAN-based network intrusion detection system according to an embodiment of the present invention;
FIG. 4 is a structural diagram of the intrusion detection module according to an embodiment of the present invention;
FIG. 5 is a diagram of a collaborative edge network architecture based on social IoT according to an embodiment of the present invention;
FIG. 6 is a diagram comparing single-type attack detection performance according to an embodiment of the present invention;
FIG. 7 is a diagram comparing multi-type attack detection performance according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are only a part of the embodiments of the present invention, not all of them. All other embodiments that a person skilled in the art can derive from the embodiments given herein without creative effort fall within the protection scope of the present invention.
The invention aims to provide a network intrusion detection method and system based on a generative adversarial network which take the complexity and variability of the network into account and can identify multiple types of attacks in the network.
To make the above objects, features and advantages of the present invention easier to understand, the invention is described in further detail below with reference to the drawings and specific embodiments.
Examples
Fig. 1 is a flowchart of the GAN-based network intrusion detection method in an embodiment of the present invention. As shown in Fig. 1, the GAN-based network intrusion detection method includes:
Step 101: acquiring the network traffic to be detected.
Step 102: performing intrusion detection on the network traffic to be detected using a trained GAN model, to obtain a detection result indicating whether the network traffic is under attack.
Fig. 2 is a flowchart of the training method for the GAN model in the embodiment of the present invention. As shown in Fig. 2, the method for generating the trained GAN model specifically includes:
Step 201: acquiring the network traffic to be trained.
Step 202: performing traffic feature extraction on the network traffic to be trained, and collecting attack data of different attack types to form a plurality of attack data sets; each attack data set includes the traffic feature matrix corresponding to one attack type.
Step 202 specifically comprises:
performing traffic feature extraction on the network traffic to be trained to obtain a traffic feature matrix;
normalizing the elements of the traffic feature matrix to obtain normalized traffic feature data;
and dividing the normalized traffic feature data by attack type to generate a plurality of attack data sets.
Step 203: training GAN-based single-attack intrusion detection models, each with one attack data set, to generate a plurality of trained single-attack intrusion detection models.
Step 203 specifically comprises:
acquiring a plurality of noise data;
inputting the plurality of noise data into the generator of the single-attack intrusion detection model to generate first spoofed data;
inputting the first spoofed data and one attack data set into the discriminator of the single-attack intrusion detection model, and outputting a discrimination result for the single-type attack data and a discrimination result for the first spoofed data;
determining, from the discrimination result for the single-type attack data, the discrimination performance of the discriminator of the single-attack intrusion detection model on the attack data;
determining, from the discrimination result for the first spoofed data, the discrimination performance of the discriminator of the single-attack intrusion detection model on the first spoofed data;
judging whether a first training end condition is met according to the discrimination performance of the discriminator of the single-attack intrusion detection model on the attack data and on the first spoofed data; and generating the trained single-attack intrusion detection model once the first training end condition is met.
Step 204: inputting the network traffic to be trained into each trained single-attack intrusion detection model to obtain a synthetic data matrix; the elements of the synthetic data matrix are the outputs produced when the network traffic to be trained is input into the trained single-attack intrusion detection models.
Step 205: training a GAN-based multi-type attack intrusion detection model with the synthetic data matrix, to generate a trained multi-type attack intrusion detection model.
Step 205 specifically comprises:
inputting the synthetic data matrix into the generator of the multi-type attack intrusion detection model to generate second spoofed data;
inputting the synthetic data matrix and the second spoofed data into the discriminator of the multi-type attack intrusion detection model, and outputting a discrimination result for the synthetic data and a discrimination result for the second spoofed data;
determining, from the discrimination result for the synthetic data, the discrimination performance of the discriminator of the multi-type attack intrusion detection model on the synthetic data;
determining, from the discrimination result for the second spoofed data, the discrimination performance of the discriminator of the multi-type attack intrusion detection model on the second spoofed data;
judging whether a second training end condition is met according to the discrimination performance of the discriminator of the multi-type attack intrusion detection model on the synthetic data and on the second spoofed data; and generating the trained multi-type attack intrusion detection model once the second training end condition is met.
Step 206: generating the trained GAN model from the plurality of trained single-attack intrusion detection models and the trained multi-type attack intrusion detection model.
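The following is an added sketch of training steps 202 to 206 in pure Python; it is not code from the patent. The tiny logistic discriminator, the element-wise generator, the end condition (both discriminator scores within `tol` of 0.5 after `min_epochs`), the three feature names and the sample flows are all assumptions made for illustration.

```python
import math
import random

# Constructed sample flows: [packets/s, mean packet bytes, SYN ratio]; not real traffic.
SAMPLE_ROWS = [
    [12, 540, 0.05], [15, 610, 0.04], [10, 480, 0.06], [14, 590, 0.05],
    [900, 64, 0.95], [1100, 60, 0.97], [950, 66, 0.93],
    [40, 72, 0.60], [55, 70, 0.65], [48, 74, 0.58],
]
SAMPLE_LABELS = ["normal"] * 4 + ["dos"] * 3 + ["probe"] * 3

def sigmoid(v):
    """Numerically stable logistic function."""
    if v >= 0:
        return 1.0 / (1.0 + math.exp(-v))
    e = math.exp(v)
    return e / (1.0 + e)

def minmax_normalize(rows):
    """Step 202: scale each feature column to [0, 1]; constant columns become 0."""
    cols = list(zip(*rows))
    lo = [min(c) for c in cols]
    span = [max(c) - min(c) for c in cols]
    return [[(v - l) / s if s else 0.0 for v, l, s in zip(r, lo, span)]
            for r in rows]

def split_by_attack(rows, labels, benign="normal"):
    """Step 202: one attack data set (feature matrix) per attack type."""
    sets = {}
    for row, label in zip(rows, labels):
        if label != benign:
            sets.setdefault(label, []).append(row)
    return sets

class TinyGAN:
    """Toy GAN (assumed): logistic discriminator, element-wise sigmoid generator."""
    def __init__(self, dim, rng):
        self.w = [rng.uniform(-0.1, 0.1) for _ in range(dim)]  # discriminator weights
        self.c = 0.0
        self.a = [rng.uniform(0.5, 1.5) for _ in range(dim)]   # generator weights
        self.b = [0.0] * dim

    def discriminate(self, x):
        return sigmoid(sum(w * v for w, v in zip(self.w, x)) + self.c)

    def generate(self, z):
        return [sigmoid(a * v + b) for a, v, b in zip(self.a, z, self.b)]

    def train(self, real_rows, gen_input, rng, lr=0.05,
              min_epochs=20, max_epochs=200, tol=0.05):
        """Alternate discriminator/generator updates until the end condition holds."""
        perf_real = perf_fake = 0.5
        for epoch in range(max_epochs):
            for x in real_rows:
                z = gen_input(rng)
                fake = self.generate(z)
                d_real, d_fake = self.discriminate(x), self.discriminate(fake)
                # Discriminator: gradient ascent on log D(x) + log(1 - D(G(z))).
                for j in range(len(self.w)):
                    self.w[j] += lr * ((1 - d_real) * x[j] - d_fake * fake[j])
                self.c += lr * ((1 - d_real) - d_fake)
                # Generator: gradient ascent on log D(G(z)).
                d_fake = self.discriminate(fake)
                for j in range(len(self.a)):
                    g = (1 - d_fake) * self.w[j] * fake[j] * (1 - fake[j])
                    self.a[j] += lr * g * z[j]
                    self.b[j] += lr * g
            # Discrimination performance on real data and on spoofed data.
            perf_real = sum(map(self.discriminate, real_rows)) / len(real_rows)
            perf_fake = sum(self.discriminate(self.generate(gen_input(rng)))
                            for _ in real_rows) / len(real_rows)
            # Assumed end condition: the discriminator can no longer tell them apart.
            if (epoch + 1 >= min_epochs and abs(perf_real - 0.5) < tol
                    and abs(perf_fake - 0.5) < tol):
                break
        return perf_real, perf_fake

def train_pipeline(raw_rows, labels, seed=7):
    """Steps 202-206: returns (single-attack models, synthetic matrix, multi model)."""
    rng = random.Random(seed)
    rows = minmax_normalize(raw_rows)
    dim = len(rows[0])
    singles = {}
    for attack, data in sorted(split_by_attack(rows, labels).items()):
        gan = TinyGAN(dim, rng)  # step 203: the generator input is noise
        gan.train(data, lambda r: [r.gauss(0, 1) for _ in range(dim)], rng)
        singles[attack] = gan
    # Step 204: element [i][k] is model k's discriminator output for flow i.
    synthetic = [[g.discriminate(x) for g in singles.values()] for x in rows]
    # Step 205: the generator input is drawn from the synthetic data matrix.
    multi = TinyGAN(len(singles), rng)
    multi.train(synthetic, lambda r: r.choice(synthetic), rng)
    return singles, synthetic, multi

if __name__ == "__main__":
    _, matrix, _ = train_pipeline(SAMPLE_ROWS, SAMPLE_LABELS)
    for label, row in zip(SAMPLE_LABELS, matrix):
        print(label, [round(v, 3) for v in row])
```

The synthetic data matrix has one row per flow and one column per trained single-attack model, which is why the second-stage model's dimension equals the number of attack types rather than the number of traffic features.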
Fig. 3 is a structural diagram of the GAN-based network intrusion detection system in an embodiment of the present invention. As shown in Fig. 3, the GAN-based network intrusion detection system includes:
A network traffic measurement module 301, configured to acquire the network traffic to be detected.
An intrusion detection module 302, configured to perform intrusion detection on the network traffic to be detected using a trained GAN model, to obtain a detection result indicating whether the network traffic is under attack.
Fig. 4 is a structural diagram of the intrusion detection module according to an embodiment of the present invention. As shown in Fig. 4, the intrusion detection module 302 specifically includes:
A to-be-trained network traffic acquisition submodule 401, configured to acquire the network traffic to be trained.
An attack data set generation submodule 402, configured to perform traffic feature extraction on the network traffic to be trained and collect attack data of different attack types to form a plurality of attack data sets; each attack data set includes the traffic feature matrix corresponding to one attack type.
The attack data set generation submodule 402 specifically includes:
a traffic feature extraction unit, configured to perform traffic feature extraction on the network traffic to be trained to obtain a traffic feature matrix;
a normalization processing unit, configured to normalize the elements of the traffic feature matrix to obtain normalized traffic feature data;
and an attack type division unit, configured to divide the normalized traffic feature data by attack type to generate a plurality of attack data sets.
A single-attack intrusion detection model training submodule 403, configured to train GAN-based single-attack intrusion detection models, each with one attack data set, to generate a plurality of trained single-attack intrusion detection models.
The single-attack intrusion detection model training submodule 403 specifically includes:
a noise data acquisition unit, configured to acquire a plurality of noise data;
a first spoofed data generation unit, configured to input the plurality of noise data into the generator of the single-attack intrusion detection model to generate first spoofed data;
a first discrimination result output unit, configured to input the first spoofed data and one attack data set into the discriminator of the single-attack intrusion detection model, and to output a discrimination result for the single-type attack data and a discrimination result for the first spoofed data;
a first discrimination performance determination unit, configured to determine, from the discrimination result for the single-type attack data, the discrimination performance of the discriminator of the single-attack intrusion detection model on the attack data;
a second discrimination performance determination unit, configured to determine, from the discrimination result for the first spoofed data, the discrimination performance of the discriminator of the single-attack intrusion detection model on the first spoofed data;
a trained single-attack intrusion detection model generation unit, configured to judge whether a first training end condition is met according to the discrimination performance of the discriminator of the single-attack intrusion detection model on the attack data and on the first spoofed data, and to generate the trained single-attack intrusion detection model once the first training end condition is met.
A synthetic data matrix generation submodule 404, configured to input the network traffic to be trained into each trained single-attack intrusion detection model to obtain a synthetic data matrix; the elements of the synthetic data matrix are the outputs produced when the network traffic to be trained is input into the trained single-attack intrusion detection models.
A multi-type attack intrusion detection model training submodule 405, configured to train a GAN-based multi-type attack intrusion detection model with the synthetic data matrix, to generate a trained multi-type attack intrusion detection model.
The multi-type attack intrusion detection model training submodule 405 specifically includes:
a second spoofed data generation unit, configured to input the synthetic data matrix into the generator of the multi-type attack intrusion detection model to generate second spoofed data;
a second discrimination result output unit, configured to input the synthetic data matrix and the second spoofed data into the discriminator of the multi-type attack intrusion detection model, and to output a discrimination result for the synthetic data and a discrimination result for the second spoofed data;
a third discrimination performance determination unit, configured to determine, from the discrimination result for the synthetic data, the discrimination performance of the discriminator of the multi-type attack intrusion detection model on the synthetic data;
a fourth discrimination performance determination unit, configured to determine, from the discrimination result for the second spoofed data, the discrimination performance of the discriminator of the multi-type attack intrusion detection model on the second spoofed data;
a trained multi-type attack intrusion detection model generation unit, configured to judge whether a second training end condition is met according to the discrimination performance of the discriminator of the multi-type attack intrusion detection model on the synthetic data and on the second spoofed data, and to generate the trained multi-type attack intrusion detection model once the second training end condition is met.
A trained GAN model generation submodule 406, configured to generate the trained GAN model from the plurality of trained single-attack intrusion detection models and the one trained multi-type attack intrusion detection model.
To further illustrate the network intrusion detection method based on a generative adversarial network (GAN) provided by the present invention, the method includes the following steps:
Step one: At the network management center, the network traffic is measured, expressed as a feature matrix, and used as training data.
Step two: At the network management center, a separate GAN-based single-type attack intrusion detection model is trained on each known attack.
Step three: At the network management center, the training data is preprocessed with all the trained single-type attack intrusion detection models, and the processed data is used to train the multi-type attack intrusion detection model.
Step four: At the network management center, using the GAN model obtained in Step three, intrusion detection of network traffic is performed with the discriminator network.
Step one, setting up the feature matrix, specifically includes the following steps:
Step A: At the network management center, the network traffic is measured and expressed as a traffic feature matrix X.
End-to-end network traffic, referred to as an origin-destination (OD) flow, describes the traffic from an origin node to a destination node. For all possible OD pairs in a network with 12 nodes, the traffic can be described as a traffic matrix; a network security data set traffic feature extraction tool (CICFlowMeter) is then used to extract features from it, forming a traffic feature matrix. The traffic feature matrix is denoted X, an R × P matrix, where R is the number of traffic features and P is the total number of samples. In the proposed method, 83 traffic features are extracted with CICFlowMeter.
Step B: At the network management center, the original traffic feature matrix X is normalized.
Let $x_r$ be the r-th row of the matrix X, let $x_{r\_mean}$ denote the mean of all data in $x_r$, $x_{r\_max}$ the maximum of all data in $x_r$, and $x_{r\_min}$ the minimum of all data in $x_r$. Each row of data is then normalized as follows:
Figure BDA0003016051740000111
where $x_{rp}$ is the element in row r and column p of the matrix X, and the result of the formula is the normalized value of $x_{rp}$. Every element of the matrix X is normalized in this way.
Step C: At the network management center, $p_A$ normalized traffic samples are collected as the training data $X_A$. From the known training data set $X_A$, the known attack data of each kind, $X_k$ ($k = 1, 2, 3, \ldots, I$), are collected as the training data sets of the single-type attack intrusion detection models, where I is the number of known attack types; the data set $X_k$ of each attack is sized according to that attack's proportion in the training data set $X_A$.
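Steps B and C above can be sketched as follows; this is an added example, not code from the patent. The normalization equation itself is not legible on this page, so the code assumes mean normalization, (x − mean) / (max − min), built from the three row statistics the text defines; the label names, the sample values and the handling of constant or non-finite rows are likewise assumptions.

```python
import math

# Constructed sample: R = 3 feature rows, P = 6 flow samples (not real traffic).
SAMPLE_X = [
    [0.0, 10.0, 20.0, 30.0, 40.0, 20.0],
    [1.0, 1.0, 3.0, 3.0, 5.0, 5.0],
    [7.0, 7.0, 7.0, 7.0, 7.0, 7.0],      # constant feature row
]
# Hypothetical label names; one label per column of SAMPLE_X.
SAMPLE_LABELS = ["BENIGN", "DoS", "DoS", "PortScan", "BENIGN", "DoS"]


def normalize_rows(X):
    """Step B: normalize each feature row of an R x P matrix.

    Assumed formula: (x_rp - x_r_mean) / (x_r_max - x_r_min).
    """
    out = []
    for r, row in enumerate(X):
        if not row:
            raise ValueError(f"feature row {r} is empty")
        # Rate-style flow features can come out as NaN or infinity; a single
        # such value would poison the row's mean and range, so reject it here.
        if not all(math.isfinite(v) for v in row):
            raise ValueError(f"feature row {r} contains NaN or infinity")
        mean = sum(row) / len(row)
        span = max(row) - min(row)
        if span == 0:
            # A constant feature carries no information; avoid dividing by zero.
            out.append([0.0] * len(row))
        else:
            out.append([(v - mean) / span for v in row])
    return out


def split_by_attack(X_A, labels, benign="BENIGN"):
    """Step C: build one R x p_k matrix X_k per attack label.

    Returns (sets, ratios); ratios[k] is p_k / p_A, the share of attack k
    in the training data X_A.
    """
    p_A = len(labels)
    if any(len(row) != p_A for row in X_A):
        raise ValueError("every feature row needs one value per label")
    columns = {}
    for p, label in enumerate(labels):
        if label != benign:
            columns.setdefault(label, []).append(p)
    sets = {k: [[row[p] for p in cols] for row in X_A]
            for k, cols in columns.items()}
    ratios = {k: len(cols) / p_A for k, cols in columns.items()}
    return sets, ratios


if __name__ == "__main__":
    X_A = normalize_rows(SAMPLE_X)
    attack_sets, attack_ratios = split_by_attack(X_A, SAMPLE_LABELS)
    for name, X_k in attack_sets.items():
        print(name, attack_ratios[name], X_k)
```

Computing the row statistics on the training data only, and reusing them for live traffic, keeps the detector's inputs on the same scale at detection time.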
The generation countermeasure network training setting for single anomaly detection specifically comprises the following steps:
Step A: At the network management center, load the data set $X_k$ ($k = 1, 2, 3, \ldots, I$) of each attack collected in Step one, and read the traffic feature matrix.
Step B: At the network management center, a noise data set $p_z(z)$ is randomly generated, and $l'$ samples are selected from $p_z(z)$ as the input z of the generator of the GAN-based single-type attack intrusion detection model. $p_z(z)$ is a $1 \times l$ matrix and z is a $1 \times l'$ matrix, where $l$ and $l'$ are the numbers of samples in $p_z(z)$ and z respectively, and $p_z(z)$ and z each have only 1 feature.
Step C: At the network management center, the generator of the single-type attack GAN processes the noise data z and outputs the spoofed data $x_z$.
At the network management center, intrusion detection training for a single type of attack is carried out on the traffic features: a GAN architecture learns the characteristics of the traffic matrix in order to detect that single type of attack. The GAN consists of a generator and a discriminator, each composed of several hidden layers, with the output of each layer serving as the input of the next layer.
At the network management center, the noise samples z are first input into the generator G of the single-attack GAN model. The generator network produces the spoofed data $x_z$, where $x_z$ is an $83 \times l'$ matrix. The generator G is a deep feed-forward neural network, and the process of generating spoofed data from random noise data is described as follows:
Figure BDA0003016051740000121
where
Figure BDA0003016051740000122
represents the input noise z,
Figure BDA0003016051740000123
represents the output of the k-th layer of the generator, and
Figure BDA0003016051740000124
represents the generator output data $x_z$; m is the number of layers of the generator in the single-attack GAN.
Figure BDA0003016051740000125
denotes the parameters of the k-th layer of the generator. $g_k$ is the activation function, typically the hyperbolic tangent (Tanh), rectified linear units (ReLUs) and the like, where $g_m$ is the Tanh activation function. The gradient back-propagation algorithm can efficiently compute the parameters of the generator network. The present invention therefore addresses the intrusion detection problem with a GAN-based method. The generator network architecture used has 7 neural network layers to analyze the features of the input data set, with 1 input-layer neuron, 1280 hidden-layer neural units and 83 output-layer neural units. Odd-numbered layers use Tanh as the activation function, and even-numbered layers use ReLUs.
At the network management center, the mean square error function is selected as the loss function $L_{MSE}$ of the generator. The specific formula is as follows:
Figure BDA0003016051740000126
where $q'_k$ is the k-th actual value in a batch of input data, and $q_k$ is the k-th value predicted by the neural network for that batch. The mean square error is the average error over a batch, and e is the number of samples in a batch.
At the network management center, adaptive moment estimation (Adam) is selected as the optimization algorithm. The specific formula is as follows:
Figure BDA0003016051740000131
where L is a loss function, for example the generator network's $L_{MSE}$, and θ denotes the parameters of the corresponding network, for example the generator network parameters $\theta_G$.
Figure BDA0003016051740000132
represents the gradient with respect to the parameter θ. $g_t$ is the gradient at the t-th time step, where t is the number of optimization time steps. $\rho_1$ and $\rho_2$ are the exponential decay rates of the moment estimates; $\rho_1$ is set to 0.9 and $\rho_2$ is set to 0.999. $m_t$ is the biased first-moment estimate and $n_t$ is the biased second-moment estimate;
Figure BDA0003016051740000133
represents the bias correction of the first moment, and
Figure BDA0003016051740000134
represents the bias correction of the second moment. η is the step size, set to 0.001, and ε is a constant for numerical stability, set to $10^{-8}$. Δθ is the amount by which the parameter θ is updated. The goal of the Adam optimization algorithm is to optimize the model so that it reaches an optimal solution.
Step D: At the network management center, the data $x_z$ generated by the generator is combined with the input single-type attack data $X_k$ to produce the combined data $x_D$. $x_D$ is an $83 \times (l' + p_k)$ matrix, where $p_k$ is the number of samples in $X_k$.
Step E: At the network management center, the discriminator of the GAN-based single-type attack model learns from the combined training data $x_D$.
At the network management center, the combined data $x_D$ is input into the discriminator D. The discriminator network produces the discrimination data $y_D$, where $y_D$ is a $2 \times (l' + p_k)$ matrix. The discriminator D is a deep feed-forward neural network, whose process can be described as follows:
Figure BDA0003016051740000135
where
Figure BDA0003016051740000136
represents the input data $x_D$,
Figure BDA0003016051740000137
represents the output of the k-th layer of the discriminator, and
Figure BDA0003016051740000138
represents the discriminator output data $y_D$; n is the number of layers of the discriminator in the single-attack GAN.
Figure BDA0003016051740000139
denotes the parameters of the k-th layer of the discriminator. $f_k$ is the activation function, typically Tanh, ReLUs and the like, where $f_n$ is the normalized exponential function (softmax). The gradient back-propagation algorithm can efficiently compute the parameters of the discriminator network. The discriminator network architecture used has 53 neural network layers to analyze the features of the input data set, with 83 input-layer neurons, 1104 hidden-layer neural units and 2 output-layer neural units. Odd-numbered layers use Tanh as the activation function, even-numbered layers use ReLUs, and the final layer uses softmax.
At the network management center, the cross-entropy loss function is selected as the loss function $L_{CE}$ of the discriminator. The specific formula is as follows:
Figure BDA0003016051740000141
At the network management center, the Adam optimization algorithm is selected to optimize the discriminator network so that the network reaches an optimal solution.
Step F: At the network management center, the data generated by the discriminator is processed.
At the network management center, the data generated by the discriminator needs to be preprocessed and optimized. The specific formula is as follows:
Figure BDA0003016051740000142
where $y_{1k}$ and $y_{2k}$ are the discriminator's discrimination results for the k-th data item. The discriminator output data $y_D$ is composed of $Y_k$ and $y_z$, where $Y_k$ is the discrimination result for the single-type attack data $X_k$ and $y_z$ is the discrimination result for the generator output data $x_z$.
At the network management center, the function F is applied to the data $Y_k$ and $y_z$; through F, the discriminator's discrimination performance on the attack data and on the generated data can be obtained. The formula is as follows:
Figure BDA0003016051740000143
where TP means that erroneous data, for which the estimated traffic differs from the actual traffic, is correctly classified as erroneous; FP means that correct data, for which the estimated traffic equals the actual traffic, is wrongly classified as erroneous; TN means that correct data, for which the estimated traffic equals the actual traffic, is correctly classified as correct; and FN means that erroneous data, for which the estimated traffic differs from the actual traffic, is wrongly classified as correct.
Step G: At the network management center, compare the sizes of
Figure BDA0003016051740000144
and $F(Y(y_z), Y_z)$, where
Figure BDA0003016051740000145
denotes the real label of the single-type attack data $X_k$, and $Y_z$ denotes the real label of the generated data $x_z$. When
Figure BDA0003016051740000151
is greater than $F(Y(y_z), Y_z)$, repeat Step B, Step C and Step F. When
Figure BDA0003016051740000152
is less than or equal to $F(Y(y_z), Y_z)$, repeat Step D, Step E and Step F. Step G is repeated T times.
Step H: At the network management center, a GAN-based single-attack intrusion detection model is trained independently for each known kind of attack. That is, if there are I attack types, I GAN-based single-attack intrusion detection models are trained, one for each type.
Step three, setting the multi-type attack intrusion detection model, specifically comprising the following steps:
Step A: At the network management center, load the training data $X_A$ collected in Step one and read the traffic feature matrix. Load the I GAN-based single-attack intrusion detection models trained in Step two, read the corresponding discriminators and denote them $D_1, D_2, \ldots, D_I$.
Step B: At the network management center, the discriminators $D_1, D_2, \ldots, D_I$ of the GAN-based single-attack intrusion detection models process the training data $X_A$, and the generated data are combined into the data $x_G$. The specific formula is as follows:
Figure BDA0003016051740000153
where $x_i$ is the $2 \times p_A$ feature matrix generated from the training data $X_A$ by the discriminator of the i-th single-attack intrusion detection model. The synthetic data $x_G$ is a $2I \times p_A$ matrix.
Step C: At the network management center, the generator G' of the GAN-based multi-type attack intrusion detection model processes the data $x_G$ and generates the spoofed data $x'_z$.
At the network management center, the synthetic data $x_G$ is first input into the generator G' of the multi-attack GAN model. The generator network produces the spoofed data $x'_z$, where $x'_z$ is a $2I \times p_A$ matrix. The generator G' is a deep feed-forward neural network, and the process of generating the spoofed data $x'_z$ from the data $x_G$ can be described as follows:
Figure BDA0003016051740000154
where
Figure BDA0003016051740000155
represents the input $x_G$,
Figure BDA0003016051740000156
represents the output of the k-th layer of the generator, and
Figure BDA0003016051740000157
represents the generator output data $x'_z$; M is the number of layers of the generator in the multi-attack GAN.
Figure BDA0003016051740000158
denotes the parameters of the k-th layer of the generator. $g'_k$ is the activation function, typically Tanh, ReLUs and the like, where $g'_M$ is the Tanh activation function. The generator network architecture used has 16 neural network layers to analyze the features of the input data set, with 2I input-layer neurons, 1400 hidden-layer neural units and 2I output-layer neural units. Odd-numbered layers use ReLUs as the activation function, and even-numbered layers use Tanh.
At the network management center, MSE is selected as the loss function of the generator, and an Adam optimizer is selected to find the minimum loss value of the generator network, so that the corresponding learning parameters can be solved and the model optimized.
Step D: At the network management center, the data $x'_z$ generated by the generator is combined with the input training data $X_A$ to produce the combined data $x'_D$. $x'_D$ is a $2I \times 2p_A$ matrix.
Step E: At the network management center, the discriminator of the GAN-based multi-type attack model learns from the combined training data $x'_D$.
At the network management center, the combined data $x'_D$ is input into the discriminator D'. The discriminator network produces the discrimination data $y'_D$, where $y'_D$ is a $2 \times 2p_A$ matrix. The discriminator D' is a deep feed-forward neural network, whose process can be described as follows:
Figure BDA0003016051740000161
where
Figure BDA0003016051740000162
represents the input data $x'_D$,
Figure BDA0003016051740000163
represents the output of the k-th layer of the discriminator, and
Figure BDA0003016051740000164
represents the discriminator output data $y'_D$; N is the number of layers of the discriminator in the multi-attack GAN.
Figure BDA0003016051740000165
denotes the parameters of the k-th layer of the discriminator. $f'_k$ is the activation function, typically Tanh, ReLUs and the like, where $f'_N$ is the softmax activation function. The gradient back-propagation algorithm can efficiently compute the parameters of the discriminator network. The discriminator network architecture used has 54 neural network layers to analyze the features of the input data set, with 2I input-layer neurons, 1104 hidden-layer neural units and 2 output-layer neural units. Odd-numbered layers use ReLUs as the activation function, even-numbered layers use Tanh, and the final layer uses softmax.
At the network management center, the cross-entropy loss function is selected as the loss function of the discriminator, and an Adam optimizer is selected to find the minimum loss value of the generator network, so that the corresponding learning parameters can be solved and the model optimized.
Step F: At the network management center, the data $y'_D$ generated by the discriminator is processed.
At the network management center, the data generated by the discriminator needs to be preprocessed and optimized. The specific formula is as follows:
Figure BDA0003016051740000166
where $y'_{1k}$ and $y'_{2k}$ are the discriminator's discrimination results for the k-th data item. The discriminator output data $y'_D$ is composed of $Y_A$ and $y'_z$, where $Y_A$ is the discrimination result for the training data $X_A$ and $y'_z$ is the discrimination result for the generator output data $x'_z$.
Step G: At the network management center, compare the sizes of
Figure BDA0003016051740000171
and $F(Y'(y'_z), Y'_z)$, where
Figure BDA0003016051740000172
denotes the real label of the training data $X_A$, and $Y'_z$ denotes the real label of the generated data $x'_z$. Through the function F, the discriminator's discrimination performance on the attack data and on the generated data can be obtained. When
Figure BDA0003016051740000173
is greater than $F(Y'(y'_z), Y'_z)$, repeat Step B, Step C and Step F. When
Figure BDA0003016051740000174
is less than or equal to $F(Y'(y'_z), Y'_z)$, repeat Step D, Step E and Step F. Step G is repeated T times.
Setting the multi-type attack intrusion detection model, which comprises the following specific steps:
Step A: At the network management center, load the I GAN-based single-attack intrusion detection models obtained in Step two, read the corresponding discriminators and denote them $D_1, D_2, \ldots, D_I$. Load the GAN-based multi-attack intrusion detection model obtained in Step three, and read the corresponding discriminator D'.
Step B: At the network management center, the current network traffic $x_t$ is collected in real time, and intrusion detection is carried out with the discriminators obtained in Step A. The specific formula is as follows:
Figure BDA0003016051740000175
where $y_t$ is the anomaly discrimination result for the current network traffic. $y_t$ is then processed according to the following formula:
Figure BDA0003016051740000176
where $y_{1t}$ and $y_{2t}$ are the discriminator's discrimination results for the current network traffic. When $y_{1t} = 0$ and $y_{2t} = 1$, the current network traffic is normal; when $y_{1t} = 1$ and $y_{2t} = 0$, the current network traffic is under attack.
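The detection stage just described (Step A and Step B) chains the I single-attack discriminators into the multi-attack discriminator D'; the sketch below is an added example, not the patent's code, and follows one sample through that cascade. The one-layer discriminators with hand-set weights are constructed stand-ins for the trained deep networks, and the stacking order, the binarization rule (both formulas are not legible on this page), the feature indices and the sample values are assumptions.

```python
import math

N_FEATURES = 83  # flow features per sample, as stated in the text


def softmax(v):
    m = max(v)
    e = [math.exp(a - m) for a in v]
    s = sum(e)
    return [a / s for a in e]


class Discriminator:
    """Constructed stand-in for a trained discriminator: linear layer + softmax.

    The output is [y1, y2]: y1 is the attack score, y2 the normal score.
    """

    def __init__(self, weights, bias):
        self.weights, self.bias = weights, bias
        self.n_in = len(weights[0])

    def __call__(self, x):
        if len(x) != self.n_in:
            raise ValueError(f"expected {self.n_in} inputs, got {len(x)}")
        return softmax([sum(w * a for w, a in zip(row, x)) + b
                        for row, b in zip(self.weights, self.bias)])


def single_attack_discriminator(feature_index):
    """Hypothetical D_k that reacts to one normalized flow feature."""
    attack = [0.0] * N_FEATURES
    attack[feature_index] = 8.0
    normal = [-w for w in attack]
    return Discriminator([attack, normal], [-4.0, 4.0])


def multi_attack_discriminator(n_attacks):
    """Hypothetical D' over the 2I stacked scores: fires if any D_k fires."""
    attack = [6.0, 0.0] * n_attacks   # weight only the y1 entry of each pair
    normal = [-w for w in attack]
    return Discriminator([attack, normal], [-3.0, 3.0])


def detect(x_t, singles, d_multi):
    """Run one 83-feature sample x_t through D_1..D_I and then D'."""
    # Stage 1: every D_k scores the same sample; the I two-element outputs
    # are stacked in index order into one 2I-element vector (assumed order).
    x_g = [y for d in singles for y in d(x_t)]
    # Stage 2: D' turns the stacked scores into the final pair (y1, y2).
    y1, y2 = d_multi(x_g)
    # Assumed binarization: the larger score wins, and a tie counts as attack.
    y_t = (1, 0) if y1 >= y2 else (0, 1)
    return {
        "y_t": y_t,
        "verdict": "attack" if y_t == (1, 0) else "normal",
        # Per-model attack scores, kept for triage (not part of the patent's rule).
        "per_attack": [x_g[2 * k] for k in range(len(singles))],
    }


# Constructed models and samples: I = 3, keyed to feature indices 10, 40, 70.
SINGLES = [single_attack_discriminator(i) for i in (10, 40, 70)]
D_MULTI = multi_attack_discriminator(len(SINGLES))
NORMAL_SAMPLE = [0.0] * N_FEATURES
ATTACK_SAMPLE = [0.0] * N_FEATURES
ATTACK_SAMPLE[40] = 0.9

if __name__ == "__main__":
    print(detect(NORMAL_SAMPLE, SINGLES, D_MULTI)["verdict"])
    print(detect(ATTACK_SAMPLE, SINGLES, D_MULTI)["verdict"])
```

The length check in `Discriminator.__call__` catches a feature extractor that emits fewer or more than 83 columns before it can silently shift every score.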
The method is applied to a cooperative edge network of the social Internet of Things (as shown in Fig. 5), and the results obtained are compared with existing methods in order to examine whether the GAN-based network intrusion detection method is superior and generally applicable.
The following takes a cooperative edge network of the social Internet of Things as an embodiment:
The cooperative edge network of the social Internet of Things is composed of vehicle-mounted units (such as vehicles), roadside units, mobile devices, wireless receiving devices and the like, and is an edge network far away from a centralized data center. The backbone network of the cooperative edge network consists of 12 network nodes.
The method comprises the following steps:
The invention first examines, following Step one and Step two, how well single-type attack detection works on the known attacks. As shown in Fig. 6, when the method is applied to the cooperative edge network of the social Internet of Things, the trained single-attack intrusion detection model is compared with existing methods on single-type attack detection, and the proposed method (GAN) accurately detects single-type attacks in comparison with the other methods. One of the existing methods is a deep learning method based on vector convolution (VCDL), which includes two modules: a fully connected network and a vector convolutional network. Features are extracted by the vector convolutional network, and the extracted features are learned by the fully connected network in order to detect network intrusions. The other is a combined method of a stacked compression auto-encoder and a support vector machine (SCAE + SVM), which uses the stacked compression auto-encoder for feature extraction and classifies the training data with the support vector machine, thereby implementing network intrusion detection.
Based on the above results, the best-performing single-type attack intrusion detection model for each attack is selected and used in the following steps.
Using all the trained single-type attack intrusion detection models, a GAN-based multi-attack intrusion detection model is trained according to Step three. Network intrusion detection is then carried out according to Step four.
Fig. 7 shows intrusion detection performance against a variety of attacks, and the method of the present invention based on generation of a countermeasure network has more efficient and accurate performance than the other two methods.
The principles and embodiments of the present invention have been described herein using specific examples, which are provided only to help understand the method and the core concept of the present invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, the specific embodiments and the application range may be changed. In summary, this summary should not be construed to limit the present invention.

Claims (8)

1. A method for network intrusion detection, comprising:
acquiring network flow to be detected;
carrying out network traffic intrusion detection on the to-be-detected network traffic by adopting a trained generation confrontation network model to obtain a detection result of whether the network traffic is attacked or not;
the method for generating the trained confrontation network model specifically comprises the following steps:
acquiring network flow to be trained;
carrying out flow characteristic extraction on the network flow to be trained, and collecting attack data of different attack types to form a plurality of attack data sets; each attack data set comprises a flow characteristic matrix corresponding to an attack type;
adopting an attack data set to train a single attack intrusion detection model based on a generated countermeasure network to generate a plurality of trained single attack intrusion detection models;
inputting the network flow to be trained into each trained single attack intrusion detection model to obtain a synthetic data matrix; the elements of the synthetic data matrix are output results after the network traffic to be trained is input into the trained single attack intrusion detection model;
training a multi-type attack intrusion detection model based on the generated countermeasure network by using the synthetic data matrix to generate a trained multi-type attack intrusion detection model;
and generating a trained generation countermeasure network model according to a plurality of trained single attack intrusion detection models and one trained multi-type attack intrusion detection model.
2. The method according to claim 1, wherein the performing traffic feature extraction on the network traffic to be trained, collecting attack data of different attack types, and forming a plurality of attack data sets specifically includes:
carrying out traffic characteristic extraction on the network traffic to be trained to obtain a traffic characteristic matrix;
normalizing the elements of the flow characteristic matrix to obtain normalized flow characteristic data;
and carrying out attack type division on the normalized flow characteristic data to generate a plurality of attack data sets.
3. The method according to claim 1, wherein the method for training a single attack intrusion detection model based on generation of a countermeasure network by using an attack data set to generate a plurality of trained single attack intrusion detection models comprises:
acquiring a plurality of noise data;
inputting a plurality of noise data into a generator of the single attack intrusion detection model to generate first deception data;
inputting the first deception data and an attack data set into a discriminator of the single attack intrusion detection model, and outputting a discrimination result of the single attack data and a discrimination result of the first deception data;
determining the discrimination performance of a discriminator of the single attack intrusion detection model on the attack data according to the discrimination result of the single kind of attack data;
determining the discrimination performance of a discriminator of the single attack intrusion detection model on the first deception data according to the discrimination result of the first deception data;
judging whether a first training end condition is met or not according to the distinguishing performance of the discriminator of the single attack intrusion detection model on attack data and the distinguishing performance of the discriminator of the single attack intrusion detection model on first deception data; and generating a trained single attack intrusion detection model after the first training end condition is met.
4. The method according to claim 3, wherein the generating of the trained multi-type attack intrusion detection model by training the multi-type attack intrusion detection model based on the generated countermeasure network by using the synthetic data matrix specifically includes:
inputting the synthetic data matrix into a generator of the multi-type attack intrusion detection model to generate second deception data;
inputting the synthesized data matrix and the second deception data into a discriminator of the multi-type attack intrusion detection model, and outputting a judgment result of the synthesized data and a judgment result of the second deception data;
determining the distinguishing performance of the discriminators of the multiple kinds of attack intrusion detection models on the synthetic data according to the distinguishing result of the synthetic data;
determining the discrimination performance of the discriminators of the multiple attack intrusion detection models on the second deception data according to the discrimination result of the second deception data;
judging whether a second training end condition is met or not according to the distinguishing performance of the discriminators of the various attack intrusion detection models on the synthetic data and the distinguishing performance of the discriminators of the various attack intrusion detection models on the second deception data; and generating a trained multi-type attack intrusion detection model after the second training end condition is met.
5. A network intrusion detection system, comprising:
the network traffic measurement module is used for acquiring the network traffic to be detected;
the intrusion detection module is used for carrying out network traffic intrusion detection on the to-be-detected network traffic by using a trained generative adversarial network model to obtain a detection result of whether the network traffic is attacked or not;
the intrusion detection module specifically comprises:
the to-be-trained network traffic acquisition submodule is used for acquiring network traffic to be trained;
the attack data set generation submodule is used for carrying out traffic characteristic extraction on the network traffic to be trained and collecting attack data of different attack types to form a plurality of attack data sets; each attack data set comprises a traffic characteristic matrix corresponding to an attack type;
the single attack intrusion detection model training submodule is used for generating a plurality of trained single attack intrusion detection models by using the attack data sets to train single attack intrusion detection models based on a generative adversarial network;
a synthetic data matrix generation submodule, configured to input the to-be-trained network traffic into each trained single attack intrusion detection model, so as to obtain a synthetic data matrix; the elements of the synthetic data matrix are output results after the network traffic to be trained is input into the trained single attack intrusion detection model;
the multi-type attack intrusion detection model training submodule is used for training a multi-type attack intrusion detection model based on the generative adversarial network by utilizing the synthetic data matrix to generate a trained multi-type attack intrusion detection model;
and the trained generative adversarial network model generation submodule is used for generating a trained generative adversarial network model according to the plurality of trained single attack intrusion detection models and the one trained multi-type attack intrusion detection model.
6. The network intrusion detection system according to claim 5, wherein the attack data set generation submodule specifically includes:
the traffic characteristic extraction unit is used for extracting traffic characteristics of the network traffic to be trained to obtain a traffic characteristic matrix;
the normalization processing unit is used for performing normalization processing on the elements of the traffic characteristic matrix to obtain normalized traffic characteristic data;
and the attack category division unit is used for carrying out attack category division on the normalized traffic characteristic data to generate a plurality of attack data sets.
7. The network intrusion detection system according to claim 5, wherein the single attack intrusion detection model training submodule specifically includes:
a noise data acquisition unit for acquiring a plurality of noise data;
a first spoofed data generating unit configured to input a plurality of the noise data into a generator of the single attack intrusion detection model, and generate first spoofed data;
a first discrimination result output unit, configured to input the first spoofed data and one attack data set into the discriminator of the single attack intrusion detection model, and output a discrimination result of the single kind of attack data and a discrimination result of the first spoofed data;
a first discrimination performance determining unit, configured to determine, according to a discrimination result of the single type of attack data, discrimination performance of a discriminator of the single attack intrusion detection model on the attack data;
a second discrimination performance determination unit, configured to determine, according to a discrimination result of the first spoofed data, discrimination performance of the discriminator of the single attack intrusion detection model on the first spoofed data;
a trained single attack intrusion detection model generation unit, configured to determine whether a first training end condition is satisfied according to a discrimination performance of the discriminator of the single attack intrusion detection model on attack data and a discrimination performance of the discriminator of the single attack intrusion detection model on the first spoofed data; and generating a trained single attack intrusion detection model after the first training end condition is met.
8. The network intrusion detection system according to claim 7, wherein the multi-type attack intrusion detection model training submodule specifically includes:
a second spoofed data generating unit, configured to input the synthetic data matrix into the generator of the multi-type attack intrusion detection model, and generate second spoofed data;
a second discrimination result output unit, configured to input the synthetic data matrix and the second spoofed data into the discriminator of the multi-type attack intrusion detection model, and output a discrimination result of the synthetic data and a discrimination result of the second spoofed data;
a third discrimination performance determination unit, configured to determine discrimination performance of the discriminator of the multi-type attack intrusion detection model on the synthetic data according to a discrimination result of the synthetic data;
a fourth discrimination performance determining unit, configured to determine, according to a discrimination result of the second spoofed data, discrimination performance of the discriminator of the multi-type attack intrusion detection model on the second spoofed data;
a trained multi-type attack intrusion detection model generation unit, configured to determine whether a second training end condition is satisfied according to a discrimination performance of the discriminator of the multi-type attack intrusion detection model on the synthetic data and a discrimination performance of the discriminator of the multi-type attack intrusion detection model on the second spoofed data; and generating a trained multi-type attack intrusion detection model after the second training end condition is met.
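The data flow recited in claims 5 and 6, as an added sketch that is not part of the patent text: normalization, division into per-attack data sets, and assembly of the synthetic data matrix from the outputs of the single attack models. Min-max scaling, the exclusion of normal flows, the centroid scorer standing in for each trained GAN discriminator, and all flow values and labels are assumptions constructed for illustration.

```python
import math

# Constructed flow records: ([duration_s, bytes, packets], label).
FLOWS = [
    ([0.2, 120.0, 3.0], "normal"),
    ([0.1, 90000.0, 900.0], "dos"),
    ([0.3, 85000.0, 850.0], "dos"),
    ([30.0, 400.0, 40.0], "probe"),
    ([28.0, 500.0, 45.0], "probe"),
]

def normalize(matrix):
    """Min-max scale every column to [0, 1]; a constant column maps to 0."""
    cols = list(zip(*matrix))
    lo = [min(c) for c in cols]
    span = [max(c) - min(c) for c in cols]
    return [[(v - l) / s if s else 0.0 for v, l, s in zip(row, lo, span)]
            for row in matrix]

def split_by_attack(rows, labels):
    """One traffic characteristic matrix per attack type (normal flows skipped)."""
    sets = {}
    for row, label in zip(rows, labels):
        if label != "normal":
            sets.setdefault(label, []).append(row)
    return sets

def centroid_scorer(attack_rows):
    """Stand-in for a trained single-attack discriminator (assumption):
    scores closeness to the attack set's centroid, in (0, 1]."""
    centre = [sum(c) / len(c) for c in zip(*attack_rows)]
    def score(x):
        return math.exp(-sum((a - b) ** 2 for a, b in zip(x, centre)))
    return score

def build_synthetic_matrix(flows=FLOWS):
    """Return (attack names, matrix); matrix[i][k] is model k's output on flow i."""
    rows = normalize([f for f, _ in flows])
    sets = split_by_attack(rows, [lab for _, lab in flows])
    names = sorted(sets)
    scorers = [centroid_scorer(sets[n]) for n in names]
    return names, [[s(r) for s in scorers] for r in rows]

if __name__ == "__main__":
    names, matrix = build_synthetic_matrix()
    print(names)
    for row in matrix:
        print([round(v, 3) for v in row])
```

Each row of the result has one column per single attack model, which is the shape the multi-type attack model of claim 8 receives as its input.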
CN202110389604.XA 2021-04-12 2021-04-12 Network intrusion detection method and system based on generation countermeasure network Pending CN113114673A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110389604.XA CN113114673A (en) 2021-04-12 2021-04-12 Network intrusion detection method and system based on generation countermeasure network

Publications (1)

Publication Number Publication Date
CN113114673A true CN113114673A (en) 2021-07-13

Family

ID=76715659

Country Status (1)

Country Link
CN (1) CN113114673A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110351244A (en) * 2019-06-11 2019-10-18 山东大学 A kind of network inbreak detection method and system based on multireel product neural network fusion
US20200213354A1 (en) * 2019-01-02 2020-07-02 International Business Machines Corporation Efficient Bootstrapping of Transmitter Authentication and Use Thereof
CN111431849A (en) * 2020-02-18 2020-07-17 北京邮电大学 Network intrusion detection method and device
CN112529109A (en) * 2020-12-29 2021-03-19 四川长虹电器股份有限公司 Unsupervised multi-model-based anomaly detection method and system
CN112561383A (en) * 2020-12-24 2021-03-26 航天科工网络信息发展有限公司 Real-time anomaly detection method based on generation countermeasure network

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
LAISEN NIE ET AL: "Intrusion Detection for Secure Social Internet of Things Based on Collaborative Edge Computing: A Generative Adversarial Network-Based Approach", 《IEEE TRANSACTIONS ON COMPUTATIONAL SOCIAL SYSTEMS(EARLY ACCESS)》 *
PENG ZHONGLIAN ET AL: "Research on an Intrusion Detection Method Based on Improved CGANs", 《NETINFO SECURITY》 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113591962A (en) * 2021-07-22 2021-11-02 国网山西省电力公司营销服务中心 Network attack sample generation method and device
CN113591962B (en) * 2021-07-22 2023-12-15 国网山西省电力公司营销服务中心 Network attack sample generation method and device
CN114301637A (en) * 2021-12-11 2022-04-08 河南大学 Intrusion detection method and system for medical Internet of things
CN114301637B (en) * 2021-12-11 2022-09-02 河南大学 Intrusion detection method and system for medical Internet of things
CN115086070A (en) * 2022-07-20 2022-09-20 山东省计算中心(国家超级计算济南中心) Industrial internet intrusion detection method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210713