Network Intrusion Detection System Based on Socket Address Structure Information


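Authors: LI Hao-ran; WANG Bao-liang; LI Xue-wei [1] (College of Intelligence and Computing, Tianjin University, Tianjin 300300, China; Information and Network Center, Tianjin University, Tianjin 300300, China)

Affiliations: [1] College of Intelligence and Computing, Tianjin University, Tianjin 300300 [2] Information and Network Center, Tianjin University, Tianjin 300300

Source: Computer Simulation (《计算机仿真》), 2024, No. 4, pp. 357-362, 407 (7 pages in total)

Funding: CERNET Next Generation Internet Technology Innovation Project (NGII20180115).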

Abstract: In the past few years, the growing number of network attacks has seriously threatened the social economy and privacy security, which calls for accurate network intrusion detection systems. The existing mainstream machine-learning-based network intrusion detection systems usually process network flows independently. In recent years, many studies have begun to use graph neural networks to capture the relationships between flows. However, none of them captures the socket address structure of the traffic, that is, the structural information between a host IP address and its port numbers. This structural information is very important for detecting network attacks that rely on host IP addresses and ports as their entry point. Therefore, a graph-neural-network-based network intrusion detection system that incorporates socket address structure information is proposed. A heterogeneous graph representation is designed that preserves the structural information between the IP addresses of network traffic connections and their port numbers. A message passing and aggregation method adapted to this graph representation is then proposed to capture the structural information of socket addresses. Finally, a gated recurrent unit combines the captured structural information to detect intrusions. The experimental results show that the proposed graph convolutional network model achieves better performance on the well-known CIC-IDS2017 and CSE-CIC-IDS2018 datasets.

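Keywords: network security; intrusion detection; deep learning; graph convolutional network; network traffic

Classification number: TP393 [Automation and Computer Technology - Computer Application Technology]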

 
