Hybrid internet of vehicles intrusion detection system for zero-day attacks

doi:10.11772/j.issn.1001-9081.2023091328

Abstract

Abstract:

Existing machine learning methods suffer from over-reliance on sample data and insensitivity to anomalous data when confronted with zero-day attack detection， thus making it difficult for Intrusion Detection System （IDS） to effectively defend against zero-day attacks. Therefore， a hybrid internet of vehicles intrusion detection system based on Transformer and ANFIS （Adaptive-Network-based Fuzzy Inference System） was proposed. Firstly， a data enhancement algorithm was designed and the problem of unbalanced data samples was solved by denoising first and then generating. Secondly， a feature engineering module was designed by introducing non-linear feature interactions into complex feature combinations. Finally， the self-attention mechanism of Transformer and the adaptive learning method of ANFIS were combined， which enhanced the ability of feature representation and reduced the dependence on sample data. The proposed system was compared with other SOTA （State-Of-The-Art） algorithms such as Dual-IDS on CICIDS-2017 and UNSW-NB15 intrusion datasets. Experimental results show that for zero-day attacks， the proposed system achieves 98.64% detection accuracy and 98.31% F1 value on CICIDS-2017 intrusion dataset， and 93.07% detection accuracy and 92.43% F1 value on UNSW-NB15 intrusion dataset， which validates high accuracy and strong generalization ability of the proposed algorithm for zero-day attack detection.

Key words: Internet of Vehicles (IoV), intrusion detection, zero-day attack, Transformer, Adaptive-Network-based Fuzzy Inference System (ANFIS)

摘要：

现有机器学习方法在面对零日攻击检测时，存在对样本数据过度依赖以及对异常数据不敏感的问题，从而导致入侵检测系统（IDS）难以有效防御零日攻击。因此，提出一种基于Transformer和自适应模糊神经网络推理系统（ANFIS）的混合车联网入侵检测系统。首先，设计了一种数据增强算法，通过先去除噪声再生成的方法解决了数据样本不平衡的问题；其次，将非线性特征交互引入复杂的特征组合，设计了一个特征工程模块；最后，将Transformer的自注意力机制和ANFIS的自适应学习方法相结合，以提高特征表征能力，减少对样本数据的依赖。在CICIDS-2017和UNSW-NB15入侵数据集上将所提系统与Dual-IDS等先进（SOTA）算法进行比较。实验结果表明，对于零日攻击，所提系统在CICIDS-2017入侵数据集上实现了98.64%的检测精确率和98.31%的F1值，在UNSW-NB15入侵数据集上实现了93.07%的检测精确率和92.43%的F1值，验证了所提算法在零日攻击检测方面的高准确性和强泛化能力。

关键词: 车联网, 入侵检测, 零日攻击, Transformer, 自适应模糊神经网络推理系统

CLC Number:

TP393.08

Jiepo FANG, Chongben TAO. Hybrid internet of vehicles intrusion detection system for zero-day attacks[J]. Journal of Computer Applications, 2024, 44(9): 2763-2769.

方介泼, 陶重犇. 应对零日攻击的混合车联网入侵检测系统[J]. 《计算机应用》唯一官方网站, 2024, 44(9): 2763-2769.

Figures/Tables 15

References 27

1	孙怡亭，郭越，李长进，等. 可编程逻辑控制器的控制逻辑注入攻击入侵检测方法［J］. 计算机应用， 2023， 43（ 6）： 1861- 1869.
	SUN Y T， GUO Y， LI C J， et al. Intrusion detection method for control logic injection attack against programmable logic controller ［J］. Journal of Computer Applications， 2023， 43（ 6）： 1861- 1869.
2	WANG K， ZHANG A， SUN H， et al. Analysis of recent deep-learning-based intrusion detection methods for in-vehicle network［J］. IEEE Transactions on Intelligent Transportation Systems， 2023， 24（ 2）： 1843- 1854.
3	郝劭辰，卫孜钻，马垚，等. 基于高效联邦学习算法的网络入侵检测模型［J］. 计算机应用， 2023， 43（ 4）： 1169- 1175.
	HAO S C， WEI Z Z， MA Y， et al. Network intrusion detection model based on efficient federated learning algorithm ［J］. Journal of Computer Applications， 2023， 43（ 4）： 1169- 1175.
4	董宁，程晓荣，张铭泉. 基于物联网平台的动态权重损失函数入侵检测系统［J］. 计算机应用， 2022， 42（ 7）： 2118- 2124.
	DONG N， CHENG X R， ZHANG M Q. Intrusion detection system with dynamic weight loss function based on internet of things platform ［J］. Journal of Computer Applications， 2022， 42（ 7）： 2118- 2124.
5	ALANI M M， AWAD A I. An intelligent two-layer intrusion detection system for the internet of things ［J］. IEEE Transactions on Industrial Informatics， 2023， 19（ 1）： 683- 692.
6	WU J， WANG Y， DAI H， et al. Adaptive bi-recommendation and self-improving network for heterogeneous domain adaptation-assisted IoT intrusion detection ［EB/OL］. ［ 2023-10-04］. .
7	刘拥民，杨钰津，罗皓懿，等. 基于双向循环生成对抗网络的无线传感网入侵检测方法［J］. 计算机应用， 2023， 43（ 1）： 160- 168.
	LIU Y M， YANG Y J， LUO H Y， et al. Intrusion detection method for wireless sensor network based on bidirectional circulation generative adversarial network ［J］. Journal of Computer Applications， 2023， 43（ 1）： 160- 168.
8	WU J， DAI H， WANG Y， et al. Heterogeneous domain adaptation for IoT intrusion detection： a geometric graph alignment approach ［EB/OL］. ［ 2023-09-29］. .
9	ZAINUDIN A， AKTER R， KIM D-S， et al. Federated learning inspired low-complexity intrusion detection and classification technique for SDN-based industrial CPS ［J］. IEEE Transactions on Network and Service Management， 2023， 20（ 3）： 2442- 2459.
10	ZHANG J， LUO C， CARPENTER M， et al. Federated learning for distributed IIoT intrusion detection using transfer approaches［J］. IEEE Transactions on Industrial Informatics， 2023， 19（ 7）： 8159- 8169.
11	FOUDA M， KSANTINI R， ELMEDANY W. A novel intrusion detection system for internet of healthcare things based on deep subclasses dispersion information ［J］. IEEE Internet of Things Journal， 2023， 10（ 10）： 8395- 8407.
12	BENADDI H， IBRAHIMI K， BENSLIMANE A， et al. Robust enhancement of intrusion detection systems using deep reinforcement learning and stochastic game ［J］. IEEE Transactions on Vehicular Technology， 2022， 71（ 10）： 11089- 11102.
13	DUAN G， LV H， WANG H， et al. Application of a dynamic line graph neural network for intrusion detection with semisupervised learning ［J］. IEEE Transactions on Information Forensics and Security， 2022， 18： 699- 714.
14	KHAN I A， KESHK M， PI D， et al. Enhancing IIoT networks protection： a robust security model for attack detection in internet industrial control systems ［J］. Ad Hoc Networks， 2022， 134： 102930.
15	VERKERKEN M， D’HOOGE L， SUDYANA D， et al. A novel multi-stage approach for hierarchical intrusion detection ［J］. IEEE Transactions on Network and Service Management， 2023， 20（ 3）： 3915- 3929.
16	VASWANI A， SHAZEER N， PARMAR N， et al. Attention is all you need ［C］// Proceedings of the 31st International Conference on Neural Information Processing Systems. Red Hook： Curran Associates Inc.， 2017： 6000- 6010.
17	JANG J-S R. ANFIS： adaptive-network-based fuzzy inference system ［J］. IEEE Transactions on Systems， Man， and Cybernetics， 1993， 23（ 3）： 665- 685.
18	SHU J， ZHOU L， ZHANG W， et al. Collaborative intrusion detection for VANETs： a deep learning-based distributed SDN approach ［J］. IEEE Transactions on Intelligent Transportation Systems， 2021， 22（ 7）： 4519- 4530.
19	ZHOU M， HAN L， LU H， et al. Attack detection based on invariant state set for SDN-enabled vehicle platoon control system［J］. Vehicular Communications， 2022， 34： 100417.
20	DESTA A K， OHIRA S， ARAI I， et al. Rec-CNN： in-vehicle networks intrusion detection using convolutional neural networks trained on recurrence plots ［J］. Vehicular Communications， 2022， 35： 100470.
21	ESKANDARI M， JANJUA Z H， VECCHIO M， et al. Passban IDS： an intelligent anomaly-based intrusion detection system for IoT edge devices ［J］. IEEE Internet of Things Journal， 2020， 7（ 8）： 6882- 6897.
22	QIN H， YAN M， JI H. Application of controller area network （CAN） bus anomaly detection based on time series prediction ［J］. Vehicular Communications， 2021， 27： 100291.
23	STAN O， COHEN A， ELOVICI Y， et al. Intrusion detection system for the MIL-STD-1553 communication bus ［J］. IEEE Transactions on Aerospace and Electronic Systems， 2020， 56（ 4）： 3010- 3027.
24	YANG J， CHEN X， CHEN S， et al. Conditional variational auto-encoder and extreme value theory aided two-stage learning approach for intelligent fine-grained known/unknown intrusion detection ［J］. IEEE Transactions on Information Forensics and Security， 2021， 16： 3538- 3553.
25	YANG L， MOUBAYED A， SHAMI A. MTH-IDS： a multitiered hybrid intrusion detection system for internet of vehicles ［J］. IEEE Internet of Things Journal， 2022， 9（ 1）： 616- 632.
26	LOUK M H L， TAMA B A. Dual-IDS： a bagging-based gradient boosting decision tree model for network anomaly intrusion detection system ［J］. Expert Systems with Applications， 2023， 213： 119030.
27	KASONGO S M. A deep learning technique for intrusion detection system using a recurrent neural networks based framework ［J］. Computer Communications， 2023， 199： 113- 125.

类别		原始样本数	平衡后训练集样本数	测试集样本数
Benign		2 264 189	1 811 351	452 838
Bot		1 935	50 000	387
DoS	DDoS	380 566	304 453	76 113
	DoS GoldenEye
	DoS Hulk
	DoS Slow-httptest
	DoS Slowloris
	Heartbleed
Port-Scan		158 612	126 890	31 722
SSH		5 870	50 000	1 174
FTP		7 905	50 000	1 581
Infiltration		36	0	36
Brute Force		1 497	0	1 497
SQL Injection		22	0	22
XSS		656	0	656

类别		原始样本数	平衡后训练集样本数	测试集样本数
Benign		2 264 189	1 811 351	452 838
Bot		1 935	50 000	387
DoS	DDoS	380 566	304 453	76 113
	DoS GoldenEye
	DoS Hulk
	DoS Slow-httptest
	DoS Slowloris
	Heartbleed
Port-Scan		158 612	126 890	31 722
SSH		5 870	50 000	1 174
FTP		7 905	50 000	1 581
Infiltration		36	0	36
Brute Force		1 497	0	1 497
SQL Injection		22	0	22
XSS		656	0	656

类别	原始样本数	训练集样本数	测试集样本数
Normal	2 218 761	1 775 009	443 752
Fuzzers	24 246	19 397	4 849
Analysis	2 677	0	2 677
Backdoors	2 329	0	2 329
DoS	16 353	13 082	3 271
Exploits	44 525	35 620	8 905
Generic	215 481	172 385	43 096
Reconnaissance	13 987	11 190	2 797
Shellcode	1 511	0	1 511
Worms	174	0	174

类别	原始样本数	训练集样本数	测试集样本数
Normal	2 218 761	1 775 009	443 752
Fuzzers	24 246	19 397	4 849
Analysis	2 677	0	2 677
Backdoors	2 329	0	2 329
DoS	16 353	13 082	3 271
Exploits	44 525	35 620	8 905
Generic	215 481	172 385	43 096
Reconnaissance	13 987	11 190	2 797
Shellcode	1 511	0	1 511
Worms	174	0	174

攻击类别	样本数	P%	R%	F%	F1%
Benign	452 838	99.48	98.70	2.14	99.09
Bot	387	86.82	95.35	0.01	90.89
DoS	76 113	96.25	92.52	0.57	94.35
Port-Scan	31 722	90.86	98.20	0.60	94.39
SSH	1 174	98.55	98.72	0.00	98.64
FTP	1 581	97.58	96.77	0.01	97.17
Unknown	2 211	24.56	68.43	0.84	36.15