基于半监督联邦学习的恶意流量检测模型  

作　　者：张帅华 张淑芬 周明川 徐超 陈学斌 ZHANG Shuaihua;ZHANG Shufen;ZHOU Mingchuan;XU Chao;CHEN Xuebin(College of Sciences,North China University of Science and Technology,Tangshan Hebei 063210,China;Hebei Provincial Key Laboratory of Data Science and Application(North China University of Science and Technology),Tangshan Hebei 063210,China;Tangshan Key Laboratory of Big Data Security and Intelligent Computing(Beijing Jiaotong University),Tangshan Hebei 063210,China;Tangshan Key Laboratory of Data Science(North China University of Science and Technology),Tangshan Hebei 063210,China)

机构地区：[1]华北理工大学理学院,河北唐山063210 [2]河北省数据科学与应用重点实验室(华北理工大学),河北唐山063210 [3]唐山市大数据安全与智能计算重点实验室(北京交通大学),河北唐山063210 [4]唐山市数据科学重点实验室(华北理工大学),河北唐山063210

出　　处：《计算机应用》2024年第11期3487-3494,共8页journal of Computer Applications

基　　金：国家自然科学基金资助项目(U20A20179)。

摘　　要：恶意流量检测是应对网络安全挑战的关键技术之一。针对采用联邦学习进行恶意流量检测时,本地标记数据不足,非独立同分布(non-IID)导致协同训练模型性能下降的问题,构建一种基于半监督联邦学习的恶意流量检测模型。该模型借助伪标记和一致性正则化项的半监督学习技术,有效地从未标记数据中提取信息进行训练;同时,设计一种非线性函数,用于动态调整客户端本地有监督和无监督损失在聚合时的权重,以充分利用未标记数据,提高模型的准确性。为降低non-IID问题对全局模型性能的影响,提出一种联邦聚合算法FedLD(Federated-Loss-Data),通过结合训练损失和数据量的权重计算方法,自适应地调整全局模型聚合过程中各客户端模型的权重。实验结果表明,在NSL-KDD数据集上,所提模型在标记数据有限的情况下能够实现较高的检测准确率,与基线模型FedSem(Federated Semi-supervised)相比,检测准确率提升了4.11个百分点,在正常流量(Normal)、拒绝服务(DoS)攻击和探测(Probe)等类别上的召回率也提升了1.65~7.66个百分点,说明所提模型更适用于恶意流量检测领域。Malicious traffic detection is one of the key technologies to deal with network security challenges.Aiming at the problems of insufficient local labeled data and degradation of co-trained model performance due to non-Independent and Identical Distribution(non-IID)when using federated learning for malicious traffic detection,a semi-supervised federated learning-based malicious traffic detection model was constructed.The proposed model was trained effectively by information extracted from unlabeled data with the help of semi-supervised learning techniques of pseudo-labeling and consistency regularization terms.At the same time,a nonlinear function was designed to dynamically adjust the weights of the clients local supervised and unsupervised losses during aggregation to make full use of unlabeled data and improve accuracy of the model.To reduce the impact of non-IID problems on performance of the global model,a federated aggregation algorithm FedLD(Federated-Loss-Data)was proposed,which adaptively adjusted the weights of different client models in the global model aggregation process through a weight calculation method that combined training loss and data volume.Experimental results show that on NSL-KDD dataset,the proposed model can achieve higher detection accuracy when labeled data is limited.Compared with the baseline model FedSem(Federated Semi-supervised),the proposed model has the detection accuracy increased by 4.11 percentage points,and the recall in Normal,Denial-of-Service(DoS),Probe and other categories also increased by 1.65 to 7.66 percentage points,verifying that the proposed model is more suitable for applications in the field of malicious traffic detection.

关 键 词：联邦学习 半监督学习 恶意流量检测 一致性正则化 动态聚合权重 

分 类 号：TP309.2[自动化与计算机技术—计算机系统结构]