Authors: JING Yongjun; WANG Hao[1]; SHAO Kun[1]; WANG Xiaofeng[2]
Affiliations: [1] School of Computer Science and Information Engineering, Hefei University of Technology, Hefei, Anhui 230601, China; [2] School of Computer Science and Engineering, North Minzu University, Yinchuan, Ningxia 750021, China
Source: Computer Engineering & Science, 2025, Issue 3, pp. 459-471 (13 pages)
Funding: National Natural Science Foundation of China (61572167).
Abstract: Network intrusion detection is a crucial means of protecting computing resources and data from cyber-attacks. In recent years, deep learning-based methods have made significant progress in intrusion detection. However, challenges remain, such as the difficulty of effective feature extraction and over-reliance on manually annotated data. To address these issues, a semi-supervised intrusion detection method based on graph heat kernel diffusion convolution is proposed. Building on flow statistical features, the method constructs a host interaction graph with source and destination IP addresses as nodes and their interaction relationships as edges. By fusing network flow statistics with latent graph structural features, the method uses the graph heat kernel diffusion propagation mechanism to aggregate rich neighborhood information and learn node feature representations. These node representations enable downstream intrusion detection tasks to identify anomalous nodes and malicious connections more accurately, improving intrusion detection performance. Experiments conducted on the CIC-IDS-2017 and CIC-IDS-2018 datasets demonstrate that the proposed method can effectively capture the complex topological structures and node relationships in network traffic data. It can learn low-dimensional node embeddings using only a small number of flow features and label information. Furthermore, cluster analysis and visualization of the node representations can reveal the community structure and connection characteristics of attack nodes, providing a reference for the prevention of novel or variant attacks.
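Keywords: network intrusion detection; graph heat kernel diffusion; graph representation learning; graph neural network
Classification number: TP391 [Automation and Computer Technology: Computer Application Technology]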