Journal of Computer Applications ›› 2024, Vol. 44 ›› Issue (9): 2763-2769. DOI: 10.11772/j.issn.1001-9081.2023091328
Received: 2023-09-28
Revised: 2023-12-10
Accepted: 2023-12-15
Online: 2024-01-31
Published: 2024-09-10
Contact: Chongben TAO
Authors: Jiepo FANG1, Chongben TAO1,2
About author: FANG Jiepo, born in 2000, male, from Wenzhou, Zhejiang, M. S. candidate. His research interests include internet of vehicles security and artificial intelligence.
Abstract:
Existing machine learning methods, when applied to zero-day attack detection, rely too heavily on sample data and are insensitive to anomalous data, so that an intrusion detection system (IDS) struggles to defend effectively against zero-day attacks. Therefore, a hybrid internet of vehicles intrusion detection system based on Transformer and the adaptive-network-based fuzzy inference system (ANFIS) was proposed. First, a data augmentation algorithm was designed that resolves the class imbalance of the sample data by first removing noise and then generating samples; second, non-linear feature interaction was introduced into complex feature combinations and a feature engineering module was designed; finally, the self-attention mechanism of Transformer was combined with the adaptive learning method of ANFIS to improve feature representation capability and reduce the dependence on sample data. The proposed system was compared with state-of-the-art (SOTA) algorithms such as Dual-IDS on the CICIDS-2017 and UNSW-NB15 intrusion datasets. Experimental results show that, for zero-day attacks, the proposed system achieves a detection precision of 98.64% and an F1 score of 98.31% on the CICIDS-2017 dataset, and a detection precision of 93.07% and an F1 score of 92.43% on the UNSW-NB15 dataset, which verifies the high accuracy and strong generalization ability of the proposed algorithm for zero-day attack detection.
Citation: Jiepo FANG, Chongben TAO. Hybrid internet of vehicles intrusion detection system for zero-day attacks [J]. Journal of Computer Applications, 2024, 44(9): 2763-2769.
Class | Original samples | Balanced training-set samples | Test-set samples
---|---|---|---
Benign | 2 264 189 | 1 811 351 | 452 838
Bot | 1 935 | 50 000 | 387
DoS (DDoS, DoS GoldenEye, DoS Hulk, DoS Slow-httptest, DoS Slowloris, Heartbleed) | 380 566 | 304 453 | 76 113
Port-Scan | 158 612 | 126 890 | 31 722
SSH | 5 870 | 50 000 | 1 174
FTP | 7 905 | 50 000 | 1 581
Infiltration | 36 | 0 | 36
Brute Force | 1 497 | 0 | 1 497
SQL Injection | 22 | 0 | 22
XSS | 656 | 0 | 656
Tab. 1 Class tags and sample sizes for CICIDS-2017 dataset
Class | Original samples | Training-set samples | Test-set samples
---|---|---|---
Normal | 2 218 761 | 1 775 009 | 443 752
Fuzzers | 24 246 | 19 397 | 4 849
Analysis | 2 677 | 0 | 2 677
Backdoors | 2 329 | 0 | 2 329
DoS | 16 353 | 13 082 | 3 271
Exploits | 44 525 | 35 620 | 8 905
Generic | 215 481 | 172 385 | 43 096
Reconnaissance | 13 987 | 11 190 | 2 797
Shellcode | 1 511 | 0 | 1 511
Worms | 174 | 0 | 174
Tab. 2 Class tags and sample sizes for UNSW-NB15 dataset
Dataset | Training-set classes | Test-set classes
---|---|---
CICIDS-2017 | Benign, Bot, DoS, Port-Scan, SSH, FTP | Benign, Bot, SSH, Port-Scan, FTP, XSS, Infiltration, Brute Force, SQL Injection, DoS
UNSW-NB15 | Normal, Fuzzers, Reconnaissance, DoS, Exploits, Generic | Normal, Fuzzers, Generic, Exploits, Reconnaissance, Analysis, Backdoors, Shellcode, Worms
Tab. 3 Training set and test set setting for two datasets
Attack class | Samples | P/% | R/% | F/% | F1/%
---|---|---|---|---|---
Benign | 452 838 | 99.48 | 98.70 | 2.14 | 99.09
Bot | 387 | 86.82 | 95.35 | 0.01 | 90.89
DoS | 76 113 | 96.25 | 92.52 | 0.57 | 94.35
Port-Scan | 31 722 | 90.86 | 98.20 | 0.60 | 94.39
SSH | 1 174 | 98.55 | 98.72 | 0.00 | 98.64
FTP | 1 581 | 97.58 | 96.77 | 0.01 | 97.17
Unknown | 2 211 | 24.56 | 68.43 | 0.84 | 36.15
Tab. 4 Performance evaluation results of proposed model on CICIDS-2017 dataset
Attack class | Samples | P/% | R/% | F/% | F1/%
---|---|---|---|---|---
Normal | 443 752 | 99.41 | 95.29 | 3.77 | 97.31
Fuzzers | 4 849 | 32.12 | 73.80 | 1.54 | 44.76
DoS | 3 271 | 87.32 | 85.08 | 0.08 | 86.19
Exploits | 8 905 | 89.39 | 82.20 | 0.06 | 85.64
Generic | 43 096 | 36.20 | 97.52 | 3.10 | 52.80
Reconnaissance | 2 797 | 99.94 | 99.50 | 0.01 | 99.72
Unknown | 6 691 | 87.70 | 55.39 | 0.11 | 67.89
Tab. 5 Performance evaluation results of proposed model on UNSW-NB15 dataset
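The zero-day protocol behind Tables 3 to 5, as an added Python example that is not part of the paper or its code: every class held out of training is collapsed into a single Unknown label before per-class scores are computed, so the Unknown row of Tab. 4 is exactly the four held-out CICIDS-2017 classes (36 + 1 497 + 22 + 656 = 2 211 test samples) and that of Tab. 5 the four held-out UNSW-NB15 classes. The toy labels are constructed, and reading the F column as a one-vs-rest false-alarm rate FP/(FP+TN) is an assumption, since the page does not define it.

```python
from collections import Counter

# Constructed from Tab. 1 and Tab. 3 (CICIDS-2017): test-set size per class and
# the six classes the model was trained on; everything else is a zero-day class.
CICIDS_TEST_SIZES = {
    "Benign": 452_838, "Bot": 387, "DoS": 76_113, "Port-Scan": 31_722,
    "SSH": 1_174, "FTP": 1_581, "Infiltration": 36, "Brute Force": 1_497,
    "SQL Injection": 22, "XSS": 656,
}
CICIDS_TRAIN_CLASSES = {"Benign", "Bot", "DoS", "Port-Scan", "SSH", "FTP"}

def collapse_unseen(labels, train_classes, unknown="Unknown"):
    """Relabel every class the model never saw in training as `unknown`."""
    return [lab if lab in train_classes else unknown for lab in labels]

def unknown_test_size(test_sizes, train_classes):
    """Test samples that fall into the 'Unknown' row (Tab. 4 reports 2 211)."""
    return sum(n for cls, n in test_sizes.items() if cls not in train_classes)

def per_class_metrics(y_true, y_pred):
    """One-vs-rest precision, recall, false-alarm rate FP/(FP+TN) (assumed meaning
    of the F column) and F1 per class, as fractions; y_true is already collapsed."""
    n = len(y_true)
    tp, fp, fn = Counter(), Counter(), Counter()
    for t, p in zip(y_true, y_pred):
        if t == p:
            tp[t] += 1
        else:
            fp[p] += 1   # predicted p, but the sample was not p
            fn[t] += 1   # sample was t, but was not predicted as t
    out = {}
    for c in sorted(set(y_true) | set(y_pred)):
        tn = n - tp[c] - fp[c] - fn[c]
        prec = tp[c] / (tp[c] + fp[c]) if tp[c] + fp[c] else 0.0
        rec = tp[c] / (tp[c] + fn[c]) if tp[c] + fn[c] else 0.0
        far = fp[c] / (fp[c] + tn) if fp[c] + tn else 0.0
        f1 = 2 * prec * rec / (prec + rec) if prec + rec else 0.0
        out[c] = {"P": prec, "R": rec, "F": far, "F1": f1}
    return out

# Constructed toy run: fine-grained ground truth vs. a detector that only emits
# the six trained classes plus "Unknown".
TOY_TRUE = ["Benign", "Benign", "Benign", "DoS", "DoS", "XSS", "SQL Injection", "Bot"]
TOY_PRED = ["Benign", "Benign", "DoS", "DoS", "DoS", "Unknown", "Benign", "Unknown"]

if __name__ == "__main__":
    print("Unknown row size:", unknown_test_size(CICIDS_TEST_SIZES, CICIDS_TRAIN_CLASSES))
    for c, v in per_class_metrics(collapse_unseen(TOY_TRUE, CICIDS_TRAIN_CLASSES), TOY_PRED).items():
        print(f"{c:10s}", " ".join(f"{k}={100 * x:6.2f}%" for k, x in v.items()))
```

A detector that never emits Unknown scores zero recall on that row however well it does on the trained classes, which is why Tab. 4 and Tab. 5 report it separately.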
Model | CICIDS-2017 P/% | CICIDS-2017 R/% | CICIDS-2017 F/% | CICIDS-2017 F1/% | CICIDS-2017 T/ms | UNSW-NB15 P/% | UNSW-NB15 R/% | UNSW-NB15 F/% | UNSW-NB15 F1/% | UNSW-NB15 T/ms
---|---|---|---|---|---|---|---|---|---|---
SVM | 92.35 | 91.61 | 3.22 | 91.87 | 0.502 | 89.73 | 88.56 | 4.75 | 88.46 | 0.356
KNN | 93.24 | 94.34 | 5.92 | 93.75 | 0.360 | 91.06 | 89.47 | 4.96 | 90.56 | 0.310
LSTM | 97.40 | 97.12 | 1.93 | 96.78 | — | 91.22 | 92.55 | 1.67 | 91.43 | —
CVAE-EVT [ | 93.64 | 59.83 | 1.08 | 90.18 | — | — | — | — | — | —
Dual-IDS [ | — | — | — | — | — | 92.21 | 92.94 | 4.38 | 92.60 | —
SimpleRNN [ | 98.59 | 83.70 | | 98.72 | 0.621 | 93.98 | 87.07 | — | 90.03 | 0.456
IDS-TA | 98.64 | 98.09 | 1.83 | 98.31 | 0.624 | 93.07 | 94.48 | 3.54 | 92.43 | 0.570
Tab. 6 Performance comparison among different models
Component | A | B | C | D | E | F
---|---|---|---|---|---|---
Self-attention | √ | |||||
Multi-head self-attention | √ | √ | √ | √ | √ |
Feedforward | √ | √ | √ | √ | √ | √
ADASYN-ENN | √ | √ | √ | √ ||
ANFIS | √ | √ | √ |||
MBGD | √ | √ | √ | √ | √ |
BGD | √ | |||||
L1 regularization | √ |
Tab. 7 Composition of comparison models in ablation experiments
Model | P/% | F1/% | T/ms
---|---|---|---
A | 91.30 | 79.66 | 0.424
B | 95.19 | 80.23 | 0.608
C | 97.86 | 81.52 | 0.614
D | 98.59 | 97.44 | 0.610
E | 97.78 | 95.26 | 0.621
F | 98.64 | 98.31 | 0.624
Tab. 8 Results of ablation experiments
1. SUN Y T, GUO Y, LI C J, et al. Intrusion detection method for control logic injection attack against programmable logic controller [J]. Journal of Computer Applications, 2023, 43(6): 1861-1869.
2. WANG K, ZHANG A, SUN H, et al. Analysis of recent deep-learning-based intrusion detection methods for in-vehicle network [J]. IEEE Transactions on Intelligent Transportation Systems, 2023, 24(2): 1843-1854.
3. HAO S C, WEI Z Z, MA Y, et al. Network intrusion detection model based on efficient federated learning algorithm [J]. Journal of Computer Applications, 2023, 43(4): 1169-1175.
4. DONG N, CHENG X R, ZHANG M Q. Intrusion detection system with dynamic weight loss function based on internet of things platform [J]. Journal of Computer Applications, 2022, 42(7): 2118-2124.
5. ALANI M M, AWAD A I. An intelligent two-layer intrusion detection system for the internet of things [J]. IEEE Transactions on Industrial Informatics, 2023, 19(1): 683-692.
6. WU J, WANG Y, DAI H, et al. Adaptive bi-recommendation and self-improving network for heterogeneous domain adaptation-assisted IoT intrusion detection [EB/OL]. [2023-10-04].
7. LIU Y M, YANG Y J, LUO H Y, et al. Intrusion detection method for wireless sensor network based on bidirectional circulation generative adversarial network [J]. Journal of Computer Applications, 2023, 43(1): 160-168.
8. WU J, DAI H, WANG Y, et al. Heterogeneous domain adaptation for IoT intrusion detection: a geometric graph alignment approach [EB/OL]. [2023-09-29].
9. ZAINUDIN A, AKTER R, KIM D-S, et al. Federated learning inspired low-complexity intrusion detection and classification technique for SDN-based industrial CPS [J]. IEEE Transactions on Network and Service Management, 2023, 20(3): 2442-2459.
10. ZHANG J, LUO C, CARPENTER M, et al. Federated learning for distributed IIoT intrusion detection using transfer approaches [J]. IEEE Transactions on Industrial Informatics, 2023, 19(7): 8159-8169.
11. FOUDA M, KSANTINI R, ELMEDANY W. A novel intrusion detection system for internet of healthcare things based on deep subclasses dispersion information [J]. IEEE Internet of Things Journal, 2023, 10(10): 8395-8407.
12. BENADDI H, IBRAHIMI K, BENSLIMANE A, et al. Robust enhancement of intrusion detection systems using deep reinforcement learning and stochastic game [J]. IEEE Transactions on Vehicular Technology, 2022, 71(10): 11089-11102.
13. DUAN G, LV H, WANG H, et al. Application of a dynamic line graph neural network for intrusion detection with semisupervised learning [J]. IEEE Transactions on Information Forensics and Security, 2022, 18: 699-714.
14. KHAN I A, KESHK M, PI D, et al. Enhancing IIoT networks protection: a robust security model for attack detection in internet industrial control systems [J]. Ad Hoc Networks, 2022, 134: 102930.
15. VERKERKEN M, D'HOOGE L, SUDYANA D, et al. A novel multi-stage approach for hierarchical intrusion detection [J]. IEEE Transactions on Network and Service Management, 2023, 20(3): 3915-3929.
16. VASWANI A, SHAZEER N, PARMAR N, et al. Attention is all you need [C]// Proceedings of the 31st International Conference on Neural Information Processing Systems. Red Hook: Curran Associates Inc., 2017: 6000-6010.
17. JANG J-S R. ANFIS: adaptive-network-based fuzzy inference system [J]. IEEE Transactions on Systems, Man, and Cybernetics, 1993, 23(3): 665-685.
18. SHU J, ZHOU L, ZHANG W, et al. Collaborative intrusion detection for VANETs: a deep learning-based distributed SDN approach [J]. IEEE Transactions on Intelligent Transportation Systems, 2021, 22(7): 4519-4530.
19. ZHOU M, HAN L, LU H, et al. Attack detection based on invariant state set for SDN-enabled vehicle platoon control system [J]. Vehicular Communications, 2022, 34: 100417.
20. DESTA A K, OHIRA S, ARAI I, et al. Rec-CNN: in-vehicle networks intrusion detection using convolutional neural networks trained on recurrence plots [J]. Vehicular Communications, 2022, 35: 100470.
21. ESKANDARI M, JANJUA Z H, VECCHIO M, et al. Passban IDS: an intelligent anomaly-based intrusion detection system for IoT edge devices [J]. IEEE Internet of Things Journal, 2020, 7(8): 6882-6897.
22. QIN H, YAN M, JI H. Application of controller area network (CAN) bus anomaly detection based on time series prediction [J]. Vehicular Communications, 2021, 27: 100291.
23. STAN O, COHEN A, ELOVICI Y, et al. Intrusion detection system for the MIL-STD-1553 communication bus [J]. IEEE Transactions on Aerospace and Electronic Systems, 2020, 56(4): 3010-3027.
24. YANG J, CHEN X, CHEN S, et al. Conditional variational auto-encoder and extreme value theory aided two-stage learning approach for intelligent fine-grained known/unknown intrusion detection [J]. IEEE Transactions on Information Forensics and Security, 2021, 16: 3538-3553.
25. YANG L, MOUBAYED A, SHAMI A. MTH-IDS: a multitiered hybrid intrusion detection system for internet of vehicles [J]. IEEE Internet of Things Journal, 2022, 9(1): 616-632.
26. LOUK M H L, TAMA B A. Dual-IDS: a bagging-based gradient boosting decision tree model for network anomaly intrusion detection system [J]. Expert Systems with Applications, 2023, 213: 119030.
27. KASONGO S M. A deep learning technique for intrusion detection system using a recurrent neural networks based framework [J]. Computer Communications, 2023, 199: 113-125.