Journal of Computer Applications ›› 2019, Vol. 39 ›› Issue (7): 1967-1972. DOI: 10.11772/j.issn.1001-9081.2018112302

• Cyberspace Security •

Network abnormal behavior detection model based on adversarially learned inference

YANG Hongyu, LI Bochao

  1. School of Computer Science and Technology, Civil Aviation University of China, Tianjin 300300, China
  • Received: 2018-11-23 Revised: 2019-02-25 Online: 2019-07-15 Published: 2019-07-10
  • Corresponding author: LI Bochao
  • About the authors: YANG Hongyu (born 1969), male, from Changchun, Jilin; professor, Ph.D., CCF member; main research interest: network information security. LI Bochao (born 1990), male, from Datong, Shanxi; master's degree candidate; main research interest: network information security.
  • Supported by:

    This paper is partially supported by the Civil Aviation Joint Research Fund of the National Natural Science Foundation of China (U1833107), the National Science and Technology Major Project (2012ZX03002002), and the Fundamental Research Funds for the Central Universities (ZYGX2018028).

Abstract:

To address the low recall rate caused by data imbalance in network abnormal behavior detection, a network abnormal behavior detection model based on Adversarially Learned Inference (ALI) was proposed. Firstly, the feature items represented by discrete data were removed from the dataset, and the processed dataset was normalized to improve the convergence speed and accuracy of the model. Then, an improved ALI model was proposed and trained with the ALI training algorithm on data consisting only of positive samples, and the trained improved ALI model was used to process the detection data to generate a processed detection dataset. Finally, the distance between the detection data and the processed detection data was calculated with an abnormality detection function to determine whether the data was abnormal. Experimental comparison with One-Class Support Vector Machine (OC-SVM), Deep Structured Energy Based Model (DSEBM), Deep Autoencoding Gaussian Mixture Model (DAGMM) and the Anomaly detection model with Generative Adversarial Network (AnoGAN) shows that the accuracy of the proposed model is improved by 5.8-17.4 percentage points, the recall rate is increased by 1.4-31.4 percentage points, and the F1 value is increased by 14.18-19.7 percentage points. The proposed ALI-based network abnormal behavior detection model therefore retains a high recall rate and detection accuracy when the data is unbalanced.

Key words: Adversarially Learned Inference (ALI), abnormal behavior detection, data imbalance, min-max scaling
