MNDetector: Anomaly Access Detection Method Based on Multiplex Network


Authors: Yuan Ziqi; Sun Qingyun; Zhou Haoyi; Zhu Zukun; Li Jianxin[1] (School of Computer Science and Engineering, Beihang University, Beijing 100191; School of Software, Beihang University, Beijing 100191)

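Affiliations: [1] School of Computer Science and Engineering, Beihang University, Beijing 100191; [2] School of Software, Beihang University, Beijing 100191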

Source: Journal of Computer Research and Development (《计算机研究与发展》), 2025, No. 3, pp. 765-778 (14 pages)

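Funding: National Science Fund for Distinguished Young Scholars (62225202); National Natural Science Foundation of China Young Scientists Fund (62302023); Chinese Association for Artificial Intelligence (CAAI)-Huawei MindSpore Academic Award Fund.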

Abstract: Given the frequent cybersecurity incidents, anomaly detection methods have been widely employed for the identification of malicious behaviors. However, anomalous accesses often exhibit prominent characteristics only in certain attribute fields, rendering the detection results susceptible to interference from attributes where anomalies are less prominent. To address this issue, MNDetector, an anomaly access detection framework that introduces the multiplex network structure into this field, is proposed. Through association analysis, closely associated attribute fields are constructed into single-layer networks, with cross-layer connections added to form a multiplex network. Subsequently, cross-layer walks are performed to obtain node sequences within the same layer and across layers, facilitating node embedding. Ultimately, a hierarchical generative adversarial network (GAN) is employed to merge reconstruction losses and discriminative results across different layers, thereby achieving anomaly access detection. Experimental results demonstrate that MNDetector surpasses the performance of state-of-the-art detection methods on multiple public datasets, achieving an approximately 8% increase in F1 score compared with commonly used methods. In-depth case studies elucidate the variation in detection outcomes across diverse scenarios by analyzing the distribution of anomalous attributes within fields. Furthermore, an examination from a network structural perspective clarifies the disparities among results obtained from different layers, substantiating MNDetector's efficacy in addressing the attribute interference issue caused by attribute fields with insignificant anomalous characteristics.

Keywords: anomaly detection; multiplex network; access detection; network behavior; cybersecurity

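Classification numbers: TP183 [Automation and Computer Technology: Control Theory and Control Engineering]; TP393 [Automation and Computer Technology: Control Science and Engineering]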

 
