基于边残差注意力机制的动态图神经网络入侵检测方法  

作　　者：闫雷鸣[1,2] 张定一 陈先意 王金伟 YAN Lei-ming;ZHANG Ding-yi;CHEN Xian-yi;WANG Jin-wei(Engineering Research Center of Digital Forensics Ministry of Education,Nanjing University of Information Science and Technology,Nanjing 210044,China;School of Computer Science and Cyber Science and Engineering,Nanjing University of Information Science and Technology,Nanjing 210044,China;College of Cyberspace Security,Nankai University,Tianjin 300071,China)

机构地区：[1]南京信息工程大学数字取证教育部工程研究中心,江苏南京210044 [2]南京信息工程大学计算机,网络空间安全学院,江苏南京210044 [3]南开大学网络空间安全学院,天津300071

出　　处：《中国电子科学研究院学报》2025年第1期10-18,40,共10页Journal of China Academy of Electronics and Information Technology

基　　金：国家自然科学基金资助项目(62472229;62172292)。

摘　　要：现有深度学习方法在网络入侵检测中侧重于统计静态攻击特征,并且在提取时序特征时很少考虑IP间通信的交互演变,未能充分捕捉网络流量的时空特征。针对上述问题,文中提出了一种基于边残差注意力机制的动态图神经网络模型。首先,将网络流量转化成一系列图快照,并使用本文设计的边注意力层从每个离散快照中提取空间信息,给予高相似性的节点和边更高的权重,强化他们之间的空间特征;随后,利用BiGRU捕获IP对之间的通信演变,融合时空特征;最后,通过多层感知机进行分类,实现入侵检测。实验结果表明,所提模型在四个公开数据集上均取得了较高的准确率和F1分数,优于当前主流先进模型。Existing deep learning methods for network intrusion detection primarily focus on static attack features,with limited consideration of the interaction evolution between IP communications when extracting temporal features.This results in a failure to fully capture the spatiotemporal characteristics of network traffic.To address this issue,this paper proposes a dynamic graph neural network model based on an edge residual attention mechanism.First,network traffic is transformed into a series of graph snapshots,and a specially designed edge attention layer is used to extract spatial information from each discrete snapshot,assigning higher weights to highly similar nodes and edges to enhance their spatial features.Then,BiGRU is employed to capture the communication evolution between IP pairs,integrating spatiotemporal features.Finally,a multi-layer perceptron is used for classification to achieve intrusion detection.Experimental results show that the proposed model achieves high accuracy and F1 scores on four public datasets,outperforming current state-of-the-art models.

关 键 词：入侵检测 边残差注意力 图神经网络 动态图 

分 类 号：TP391[自动化与计算机技术—计算机应用技术]