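Authors: 苑占江 (YUAN Zhan-jiang); 桂改花 (GUI Gai-hua) [1] (Guangdong Vocational College of Science and Technology, Zhuhai 519000, China)
Source: Journal of China Academy of Electronics and Information Technology (《中国电子科学研究院学报》), 2025, No. 1, pp. 48-55 (8 pages)
Funding: Guangdong Province Characteristic Innovation Project for Ordinary Universities (2020KTSCX238); Guangdong Smart Vocational Education Engineering Technology Research Center (2021A118); Higher Education Scientific Research Special Project (2023GXJK736); Computer Vision Application Innovation Team Project (2022KCXTD047).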
Abstract: Network intrusion detection data is high-dimensional, non-linear, and imbalanced, which leaves supervised intrusion detection methods with weak generalization ability and low detection accuracy on minority classes. To address this problem, the paper proposes a semi-supervised network intrusion detection method for imbalanced samples that combines a Sparse Auto-Encoder (SAE), a Min-Max Probability Machine (MPM), and Bagging ensemble learning. First, the SAE learns, without supervision, low-dimensional hidden-layer features of the original high-dimensional data, eliminating redundant features and reducing dimensionality. Then, an MPM semi-supervised classifier distinguishes between the two network states "Normal" and "Abnormal". Next, three unsupervised clustering methods, K-means, Density-Based Spatial Clustering of Applications with Noise (DBSCAN), and the Gaussian Mixture Model (GMM), further cluster the data that the MPM judged "Abnormal". Finally, Bagging ensemble learning combines the three clustering results to produce the final intrusion detection result. To handle parameter setting for the K-means, DBSCAN, and GMM models, the paper proposes an Improved Ant Colony Optimization (IACO) algorithm for global optimization, which improves clustering performance. Experimental results on the KDDCUP99 dataset show that, compared with two supervised methods and one unsupervised method, the proposed method improves detection accuracy by more than 2.7%, reduces the false detection rate by more than 1.05%, and reduces the difficulty of data acquisition, giving it good application prospects.
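Keywords: network intrusion; ensemble learning; feature selection; cluster analysis; sparse auto-encoder
Classification number: TP309 [Automation and Computer Technology: Computer System Architecture]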