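Authors: JIANG Rong (江荣) [1]; LIU Haitian (刘海天); LIU Cong (刘聪) (College of Computer, National University of Defence Technology, Changsha 410073, China; Information Center, Logistic Support Department of Central Military Commission, Beijing 100842, China)
Affiliations: [1] College of Computer, National University of Defence Technology, Changsha 410073; [2] Information Center, Logistic Support Department of Central Military Commission, Beijing 100842
Source: Netinfo Security (《信息网络安全》), 2024, Issue 3, pp. 411-426 (16 pages)
Funding: National Natural Science Foundation of China [62072131]; National Key Research and Development Program of China [2022YFB3104103].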
Abstract: With the increasing demand for intelligent and autonomous intrusion detection in network confrontation, deep learning-based methods can distinguish complex attack patterns and behaviors through training and learning. However, supervised learning requires expert knowledge and the overhead of a large amount of manually annotated data. In response to these issues, this paper proposes an unsupervised network intrusion detection method based on ensemble learning, which runs deep learning detectors based on three different anomaly detection concepts in parallel and combines the results of the individual detectors under three different integration logics to produce the final detection decision. The method can comprehensively analyze the different types of anomalies in time series data, reduce the impact of overfitting in unsupervised anomaly detection models, and detect potential new attack data streams in an efficient online manner. Experiments are conducted on the KDD CUP 1999 and CSE-CIC-IDS 2018 datasets, and the results show that, compared to other single unsupervised anomaly detection models, the ensemble method proposed in the article combines the advantages of different unsupervised detectors and is suitable for detecting anomalies caused by multiple kinds of network intrusion.
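Keywords: intrusion detection system; anomaly detection; unsupervised deep learning; ensemble learning
Classification code: TP309 [Automation and Computer Technology: Computer System Architecture]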