Research on Active Learning-based Intrusion Detection Approach for Industrial Internet

doi:10.3969/j.issn.1671-1122.2021.01.010

Abstract

Abstract:

Aiming at the problem of low accuracy of intrusion detection caused by complex industrial Internet structure and few known attack samples, an active learning-based intrusion detection system for Industrial Internet is proposed. The system introduces expert tagging into the process of intrusion detection, combines active learning query strategy with LightGBM, and solves the problem of low accuracy of intrusion detection system when training samples are scarce. Firstly, the system extracts features from the original network flow and the payload of the Industrial Internet and fills the missing data by the nearest neighbor method. Secondly, sampling with uncertainty, the most valuable training samples are selected to be labeled by experts. Then, the labeled samples are added to the training set, and Bayesian Optimization is used to optimize the hyper parameters of the LightGBM model. Finally, the validity of the intrusion detection is verified by the binary classification and multi-classification experiments on the data set.

Key words: Industrial Internet, intrusion detection, active learning, uncertainty sampling, LightGBM

CLC Number:

TP309

SHEN Yeming, LI Beibei, LIU Xiaojie, OUYANG Yuankai. Research on Active Learning-based Intrusion Detection Approach for Industrial Internet[J]. Netinfo Security, 2021, 21(1): 80-87.

Figures/Tables 12

References 18

[1]	WANG Defu, WANG Xiaojuan, ZHANG Yong, et al. Detection of Power Grid Disturbances and Cyber-attacks Based on Machine Learning[J]. Journal of Information Security and Applications, 2019,2(8), 42-52.
[2]	HUDA S, MIAH S, HASSAN M M, et al. Defending Unknown Attacks on Cyber-Physical Systems by Semi-supervised Approach and Available Unlabeled Data[J]. Information Sciences, 2016,9(41), 211-228.
[3]	HASSAN M, GUMAEI A, HUDA S, et al. Increasing the Trustworthiness in the Industrial Iot Networks Through A Reliable Cyber-attack Detection Model[J]. IEEE Transactions on Industrial Informatics, 2020,16(9):6154-6162. doi: 10.1109/TII.9424 URL
[4]	LI Guangxia, SHEN Yulong, ZHAO Peilin, et al. Detecting Cyberattacks in Industrial Control Systems Using Online Learning Algorithms[J]. Neurocomputing, 2019,7(364), 338-348.
[5]	YAO Haipeng, GAO Pengcheng, ZHANG Peiying, et al. Hybrid Intrusion Detection System for Edge-based IIoT Relying on Machine-Learning-Aided Detection[J]. IEEE Network, 2019,33(5), 75-81. doi: 10.1109/MNET.65 URL
[6]	ZHOU Zhihua, ZHANG Minling, HUANG Shengjun, et al. Multi-instance Multi-label Learning[J]. Artificial Intelligence, 2012,176(1), 2291-2320. doi: 10.1016/j.artint.2011.10.002 URL
[7]	HUISMAN M. Imputation of Missing Item Responses: Some Simple Techniques[J]. Quality and Quantity, 2000,34(4), 331-351.
[8]	ZHOU Xiaohua, ECKERT G J, TIERNEY W M. Multiple Imputation in Public Health Research[J]. Statistics in Medicine, 2001,20(10), 1541-1549.
[9]	ZAINURI N A, JEMAIN A A, MUDA N. A Comparison of Various Imputation Methods for Missing Values in Air Quality Data[J]. Sains Malaysiana, 2015,44(3), 449-456.
[10]	MALARVIZHI M R, THANAMANI A S. K-nearest Neighbor in Missing Data Imputation[J]. International Journal of Engineering Research and Development, 2012,5(1), 5-7.
[11]	LEWIS D D, CATLETT J. Heterogeneous Uncertainty Sampling for Supervised Learning[C] //Rutgers University, The Eleventh International Conference on Machine Learning, July 10-13, 1994, New Brunswick. San Francisco: Elsevier, 1994: 148-156.
[12]	SEUNG H S, OPPER M, SOMPOLINSKY H. Query by Committee[C] //ACM. The 5th Annual Workshop on Computational Learning Theory, July 27-29, 1992, Pittsburgh PA USA. New York: ACM, 1992: 287-294.
[13]	ROY N, MCCALLUM A. Toward Optimal Active Learning Through Sampling Estimation of Error Reduction[C] //ICML. The 8th International Conference on Machine Learning, June 28-July 1, 2001, Williamstown, MA, USA. San Francisco: Morgan Kaufmann, 2001: 441-448.
[14]	YAN Yifan. Multi-label Active Learning with Hierarchical Label Structure[D]. Nanjing: Nanjing University of Aeronautics and Astronautics, 2019.
	颜逸凡. 面向层次化标记结构的多标记主动学习研究[D]. 南京:南京航空航天大学, 2019.
[15]	KE Guolin, MENG Qi, FINLEY T, et al. Lightgbm: A Highly Efficient Gradient Boosting Decision Tree[C] //NIPS17. The 31st International Conference on Neural Information Processing Systems, December 4-9, 2017, New York, USA. New York, Curran Associates Inc. 2017: 3146-3154.
[16]	SRINIVAS N, KRAUSE A, KAKADE S M, et al. Gaussian Process Optimization in the Bandit Setting: No Regret and Experimental Design[C]/ /ICML. The 27th International Conference on International Conference on Machine Learning, June 21-24, 2010, Haifa, Israel. Madison: Omnipress, 2010: 1015-1022.
[17]	GUTTORP P, GNEITING T. Studies in The History Of Probability And Statistics Xlix on the Matern Correlation Family[J]. Biometrika, 2006,93(4), 989-995.
[18]	MORRIS T, GAO Wei. Industrial Control System Traffic Data Sets for Intrusion Detection Research[J]. IFIP Advances in Information and Communication Technology, 2014,3(441), 65-78.

标签名称	值	描述	数量
Normal	0	正常数据	19503
NMRI	1	简单恶意响应注入攻击	1198
CMRI	2	复杂恶意响应注入攻击	1457
MSCI	3	恶意状态命令注入攻击	209
MPCI	4	恶意参数命令注入攻击	410
MFCI	5	恶意功能命令注入攻击	155
DoS	6	拒绝服务攻击	135
Reconnaissance	7	侦察攻击	4132

评估指标	二分类		多分类
评估指标	优化前/%	优化后/%	优化前/%	优化后/%
准确率	96.94	97.73	96.92	97.38
查准率	97.05	98.11	97.31	97.90
召回率	96.94	98.73	96.92	98.45
F1	96.97	98.41	97.07	98.17