基于改进CGANs的入侵检测方法研究

doi:10.3969/j.issn.1671-1122.2020.05.006

摘要/Abstract

摘要：

近年来,机器学习算法在入侵检测系统（IDS）中的应用获得越来越多的关注。然而,传统的机器学习算法更多的依赖于已知样本,因此需要尽可能多的数据样本来对模型进行训练。遗憾地是,随着越来越多未知攻击的出现,且用于训练的攻击样本具有不平衡性,传统的机器学习模型会遇到瓶颈。文章提出一种将改进后的条件生成对抗网络（CGANs）与深度神经网络（DNN）相结合的入侵检测模型（CGANs-DNN）,通过解决样本不平衡性问题来提高检测模型对未知攻击类型或只有少数攻击样本类型的检测率。深度神经网络（DNN）具有表征数据潜在特征的能力,而经过改进后的条件CGANs,能够通过学习已知攻击样本潜在数据特征分布,来根据指定类型生成新的攻击样本。此外,与生成对抗网络（GANs）和变分自编码器（VAE）等无监督生成模型相比,CGANs-DNN经过改进后加入梯度惩罚项,在训练的稳定性上有了很大地提升。通过NSL-KDD数据集对模型进行评估,与传统算法相比CGANs-DNN不仅在整体准确率、召回率和误报率等方面有更好的性能,而且对未知攻击和只有少数样本的攻击类型具有较高的检测率。

关键词: 入侵检测, 生成对抗网络, 条件GAN

Abstract:

In recent years, more and more attention has been paid to the application of machine learning algorithms in intrusion detection systems (IDS). However, traditional machine learning algorithms rely more on known samples, so they need as many data samples as possible to train the model. Unfortunately, as more and more unknown attacks emerge and the attack samples used for training become unbalanced, traditional machine learning models may run into bottlenecks. This paper proposes an intrusion detection model combining improved conditional generation countermeasures network (CGANs) and deep neural network (DNN), namely CGANs-DNN, to improve the detection rate of the detection model against unknown attack types or only a few attack sample types by solving the problem of sample imbalance. Deep neural network (DNN) has the ability to represent the potential characteristics of data, while the improved conditional CGANs can generate new attack samples based on the specified type by learning the potential data distribution of known attack samples. In addition, compared with the unsupervised generation models such as GANs and VAE, the supervised generation model CGANs-DNN in this paper was improved by adding the gradient penalty item, which greatly improved the stability of training. In this paper, NSL-KDD data set was used to evaluate the results of the model. Compared with the traditional algorithm, the results show that CGANs-DNN not only has better performance in terms of overall accuracy, recall rate and false positives rate, but also has a higher detection rate for unknown attacks and attack types with only a few samples.

Key words: intrusion detection, generative adversarial networks, conditional GAN

中图分类号:

TP309

彭中联, 万巍, 荆涛, 魏金侠. 基于改进CGANs的入侵检测方法研究[J]. 信息网络安全, 2020, 20(5): 47-56.

PENG Zhonglian, WAN Wei, JING Tao, WEI Jinxia. Research on Intrusion Detection Method Based on Modified CGANs[J]. Netinfo Security, 2020, 20(5): 47-56.

图/表 14

图1

表1

表2

图2

表3

表4

表5

表6

表7

表8

表9

表10

表11

表12

参考文献 24

[1]	ZHANG Huanguo, MU Yi . Cyberspace Security[J]. China Communications, 2016,11(2):68-69.
[2]	ALI MH, MOHAMMED B A D A, ISMAIL M A B , et al. A New Intrusion Detection System Based on Fast Learning Network and Particle Swarm Optimization[J]. IEEE Access, 2018,18(6):20255-20261.
[3]	TIAN Yingjie, MIRZABAGHERI M, BAMAKAN S M H , et al. Ramp Loss One-Class Support Vector Machine; A Robust and Effective Approach to Anomaly Detection Problems[J]. Neurocomputing, 2018,310(3):223-235.
[4]	GANESHAN R, PAUL R S . I-AHSDT: Intrusion Detection Using Adaptive Dynamic Directive Operative Fractional Lion Clustering and Hyperbolic Secant-Based Decision Tree Classifier[J]. Journal of Experimental & Theoretical Artificial Intelligence, 2018,6(30):887-910.
[5]	SERPEN G , AGHAEIE. Host-Based Misuse Intrusion Detection Using PCA Feature Extraction and KNN Classification Algorithms[J]. Intelligent Data Analysis, 2018,22(5):1101-1114.
[6]	LI Deng, DONG Yu . Deep Learning: Methods and Applications[J]. Foundations and Trends in Signal Processing, 2014,7(3-4):197-387.
[7]	WONGSUPHASAWAT K, SMILKOV D, WEXLER J , et al. Visualizing Dataflow Graphs of Deep Learning Models in Tensor Flow[J]. IEEE Transactions on Visualization and Computer Graphics, 2018,24(1):1-24.
[8]	MALAIYA R K, KWON D, KIM J , et al. An Empirical Evaluation of Deep Learning for Network Anomaly Detection[J]. IEEE Access, 2018,18(7):140806-140817.
[9]	LI Chaopeng, WANG Jinlin, YE Xiaozhou . Using a Recurrent Neural Network and Restricted Boltzmann Machines for Malicious Traffic Detection[J]. Neuro Quantology, 2018,16(5):823-831.
[10]	ZHENG Wang . Deep Learning Based Intrusion Detection with Adversaries[J]. IEEE Access, 2018,18(6):38367-38384.
[11]	XIN Yang, KONG Lingshuang, LIU Zhi , et al. Machine Learning and Deep Learning Methods for Cybersecurity[J]. IEEE Access, 2018,18(6):35365-35381.
[12]	SEO E, SONG H M, KIM H K . GIDS: GAN based Intrusion Detection System for In-Vehicle Network [C]//IEEE. 16th Annual Conference on Privacy, Security and Trust (PST), August 28-30, 2018, Belfast, UK. New York: IEEE, 2018: 1-6.
[13]	GOODFELLOW I, POUGET-ABADIE J, MIRZA M et al. Generative Adversarial Nets[EB/OL]. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.747.1316&rep=rep1&type=pdf, 2014-10-15.
[14]	GULRAJANI I, AHMED F, ARJOVSKY M , et al. Improved Training of Wasserstein GANs[EB/OL]. https://arxiv.org/pdf/1704.00028.pdf, 2017-10-15.
[15]	DHANABAL L, SHAN THARAJAH . A Study on NSL-KDD Dataset for Intrusion Detection System Based on Classiﬁcation Algorithms[EB/OL]. https://ijarcce.com/upload/2015/june-15/IJARCCE%2096.pdf, 2015-10-15.
[16]	WANG Xiaosen, HE Kun, SONG Chuanbiao , et al. AT-GAN: A Generative Attack Model for Adversarial Transferring on Generative Adversarial Nets[EB/OL]. https://arxiv.org/pdf/1904.07793.pdf, 2020-1-15.
[17]	HU Weiwei, TAN Ying . Generating Adversarial Malware Examples for Black-Box Attacks Based on GAN[EB/OL]. https://arxiv.org/pdf/1702.05983.pdf, 2017-10-15.
[18]	MUHAMMAD U, MUHAMMAD A, SIDDIQUE L , et al. Generative Adversarial Networks For Launching and Thwarting Adversarial Attacks on Network Intrusion Detection Systems [C]//IEEE. 15th International Wireless Communications & Mobile Computing Conference (IWCMC), June 24-28, 2019, Tangier, Morocco. New York: IEEE, 2019: 78-83.
[19]	MA Tao, WANG Fen, CHENG Jianjun , et al. A Hybrid Spectral Clustering and Deep Neural Network Ensemble Algorithm for Intrusion Detection in Sensor Networks[J]. Sensors, 2016,16(10):1701-1723.
[20]	TANG T A, MHAMDI L, MCLERNON D , et al. Deep Recurrent Neural Network for Intrusion Detection in SDN-based Networks [C]//IEEE. 4th IEEE Conference on Network Softwarization and Workshops (NetSoft), June 25-29, 2018, Montreal, QC, Canada. New York: IEEE, 2018: 202-206.
[21]	MUNA A H, MOUSTAFA N, SITNIKOVA E , et al. Identification of Malicious Activities in Industrial Internet of Thingsbased on Deep Learning Models[J]. Journal of Information Security and Applications, 2018,41:1-11.
[22]	GUILLAUME L, FERNANDO N, CHRISTOS A . Imbalanced-Learn: A Python Toolbox to Tackle the Curse of Imbalanced Datasets in Machine learning[EB/OL]. https://hal.inria.fr/hal-01516244/document, 2017-10-15.
[23]	CHAWLA N V, BOWYER K W, HALL L O , et al. SMOTE: Synthetic Minority Over-Sampling Technique[J]. Journal of Artificial Intelligence Research, 2002,16(1):321-357.
[24]	HE Haibo, BAI Yang, GARCIA E A , et al. ADASYN: Adaptive Synthetic Sampling Approach for Imbalanced Learning [C]//IEEE. 2008 IEEE International Joint Conference on Neural Networks (IEEE World Congress on Computational Intelligence), June 1-8, 2008, Hong Kong, China. New York: IEEE, 2018: 1322-1328.

	预测为攻击样本	预测为正常样本
攻击样本	TP	FN
正常样本	FP	TN

指标类型	计算方式
$Accuracy$	$\frac{TP+TN}{TP+TN+FP+FN}$
$DR$	$\frac{TP}{TP+FN}$
$Precision$	$\frac{TP}{TP+FP}$
$Recall$	$\frac{TP}{TP+FN}$
$FPR$	$\frac{FP}{FP+TN}$
F1- measure	$\frac{2\left( Precision\times Recall \right)}{Precision+Recall}\text{或}\frac{2TP}{2TP+FP+FN}$

攻击类型	分类	总计
DoS	back, land, neptune, pod, smurf, teardrop, mailbomb, processtable, udpstorm,apache2, worm	11
Probe	Satan, ipsweep, nmap, portsweep, mscan, saint	6
R2L	guess_passwd, ftp_write, imap, phf, multihop, warezmaster, xlock, xsnoop, snmpguess, snmpgetattack, httptunnel, sendmail, named, warezclient, spy	15
U2R	buffer_overflow, loadmodule, rootkit, perl, slotbacks, xterm, ps	7
总计		39

类别	KDDTrain+_20Percent		KDDTest+		KDDTest-21
	攻击类型	数量	攻击类型	数量	攻击类型	数量
Normal	normal	13449	normal	9711	normal	2152
合计	13449			9711		2152
Probe	ipsweep satan portsweep nmap	710 691 587 301	ipsweep satan portsweep nmap saint mscan	141 735 157 73 319 996	ipsweep satan portsweep nmap saint mscan	141 727 156 73 309 996
合计	2289			2421		2402
DoS	neptune smurf back teardrop pod land	8282 529 196 188 38 1	neptune smurf back teardrop pod land apache2 mailbomb processtable udpstorm	4657 665 359 12 41 7 737 293 685 2	neptune smurf back teardrop pod land apache2 mailbomb processtable udpstorm	1579 627 359 12 41 7 737 293 685 2
合计	9234			7458		4342
U2R	buffer_over?ow rootkit loadmodule	6 4 1	buffer_over?ow rootkit loadmodule perl httptunnel ps sqlattack xterm	20 13 2 2 133 15 2 13	buffer_over?ow rootkit loadmodule perl httptunnel ps sqlattack xterm	20 13 2 2 133 15 2 13
合计	11			200		200
R2L	guess_passwd warezmaster imap multihop phf ftp_write spy warezclient	10 7 5 2 2 1 1 181	guess_passwd warezmaster imap multihop phf ftp_write named sendmail xlock xsnoop worm snmpgetattack snmpguess	1231 944 1 18 2 3 17 14 9 4 2 178 331	guess_passwd warezmaster imap multihop phf ftp_write named sendmail xlock xsnoop worm snmpgetattack snmpguess	1231 944 1 18 2 3 17 14 9 4 2 178 331
合计	209			2754		2754
总计	25192			22544		11850

	节点个数	激活函数	W断开率
Dense	100	Leaky-ReLUs	0
Dense	80	Leaky-ReLUs	0
Dense	70	Leaky-ReLUs	0
Dense	70	Leaky-ReLUs	0
Dense	80	Leaky-ReLUs	0
Dense	122	/	/