﻿ 基于端到端记忆神经网络的可解释入侵检测模型
 计算机系统应用  2018, Vol. 27 Issue (10): 170-176 PDF

1. 中国科学院 计算机网络信息中心, 北京 100190;
2. 中国科学院大学, 北京 100049

Explainable Intrusion Detecion Model Based on End-to-End Memory Network
GAO Xiao-Xian1,2, LONG Chun1, WEI Jin-Xia1, ZHAO Jing1, SONG Dan-Jie1
1. Computer Network Information Center, Chinese Academy of Sciences, Beijing 100190, China;
2. University of Chinese Academy of Sciences, Beijing 100049, China
Abstract: There are different methods combining misuse and anomaly detection for intrusion detection. However, most of them consist of more than one basic models which complicate the learning process. In this paper, we present an effective intrusion detection method with low complexity on the basis of the end-to-end memory network to classify the network behavior data by taking advantage of domain knowledge. A matching module and a blending module are designed in our model to ensure that relevant knowledge items take effect in the classify module. Furthermore, additional output are provided with the detecting result as explainable reference information. Data pre-processing is done using data normalization and knowledge items about attacks are selected from the dataset. Experimental results show that the domain knowledge plays a positive role in the model and the proposed method has good performance on intrusion detecting. .
Key words: end-to-end memory network     intrusion detection     machine learning     classification algorithm

1 引言

2 相关工作

3 模型

 图 1 模型框架

3.1 输入输出

 $M = \left( {\begin{array}{*{20}{c}} {{m_1}}& \cdots &{{m_n}} \end{array}} \right){}^{\rm{T}}$

3.2 匹配

 $M,x\xrightarrow{V}{M'},{x'}$ (1)

 $p = g({x'},{M'}) = ({g_V}(x,{m_1}), \cdots ,{g_V}(x,{m_n}))$ (2)

3.3 融合

 $o = {h_p}({x'},{M'})$ (3)

3.4 分类

 $\hat y = {f_W}(o)$ (4)
3.5 模型细节

 图 2 N2N Mem-IDS模型

 $V = \{ A,B,C\}$ (5)
 $\left\{ \begin{gathered} {M_A} = M \cdot A \hfill \\ {M_B} = M \cdot B \hfill \\ u = x \cdot C \hfill \\ \end{gathered} \right.$ (6)

 ${p_i} = {g_V}({x'},{m_i}') = \frac{{{u^{\rm{T}}} \cdot {a_i}}}{{{{\left\| u \right\|}_2} \cdot {{\left\| {{a_i}} \right\|}_2}}}$ (7)

 $o = {h_p}({x'},{M'}) = W \cdot (u + \sum {{p_i}{b_i}} )$ (8)

 ${x_{j + 1}} = {o_j}$ (9)

 $\left\{ \begin{gathered} Y = \operatorname{softmax} (o) \hfill \\ \hat y = \arg \max (Y) \hfill \\ \end{gathered} \right.$ (10)

4 实验设计

4.1 数据介绍

NSL KDD数据集中每一条数据表示一个网络连接记录, 其类别包括正常类型和4大类、40子类攻击类型. 数据集由一个训练集train+和一个测试集test+组成, 测试集中的攻击类型都是训练集中的攻击类型或者训练集中攻击的变体类型.

4.2 数据预处理

NSL KDD数据有41个特征, 包括离散特征和连续特征. 对于连续特征, 我们使用Z分数(z-score)标准化进行处理, z-score标准化计算方法为:

 $Z = \frac{{X - \mu }}{\sigma }$ (11)

4.3 攻击知识项提取

1) 选取一个行为类别, 将该类别数据单独取出, 形成子数据集;

2) 使用随机森林算法确定子数据集中所有特征的重要程度(feature importance), 并将特征按重要程度降序排列;

3) 将重要程度从大到小依次累加, 在累加和超过阈值 $\scriptstyle \alpha$ $\scriptstyle (0 < \alpha < 1)$ 的位置截断, 选择截断位置之前的特征作为局部特征;

4) 保留该子集中局部特征的特征值, 其它特征值置0, 形成的新数据成为近似行为数据;

5) 使用K均值聚类算法, 根据Calinski Harabaz分数, 从近似行为数据中计算出若干个聚类中心, 作为该类别的知识项.

6) 回到1), 选择提取其它类别的知识项.

4.4 实验设计

 $\left\{\begin{gathered} DR = {{TP} / {(TP + FN)}} \hfill \\ {\rm{Precision}} = FP/(TP + FP) \hfill \\ \end{gathered} \right.$ (12)

 $\left\{\begin{gathered} ExpV = {\raise0.7ex\hbox{${ExpScore}$} \!/\!\lower0.7ex\hbox{${count}$}} \hfill \\ MemV = {\raise0.7ex\hbox{${MemScore}$} \!/\!\lower0.7ex\hbox{${count}$}} \hfill \\ \end{gathered} \right.$ (13)

ExpV表示可解释结果对研究人员的可参考价值, ExpV越大, 可参考价值越大. MemV表示攻击知识项对判断结果所起作用, MemV越大说明模型中攻击知识项发挥的作用越大. ExpScoreMemScore取决于可解释结果和输入值的真实类别, 计算方式如表1所示.

5 实验结果

6 在不同类型数据上的扩展

 图 3 不同知识项提取方式实验结果对比

 图 4 与其它模型实验结果对比

 ${p_i} = g(x,{m_i}) = \frac{{\sum {{I_k}(x)} }}{K}$ (14)

 图 5 连接(concatenate) 融合方法

7 结论与展望

 [1] Kim G, Lee S, Kim S. A novel hybrid intrusion detection method integrating anomaly detection with misuse detection. Expert Systems with Applications, 2014, 41(4): 1690-1700. DOI:10.1016/j.eswa.2013.08.066 [2] Scarfone KA, Mell PM. Guide to intrusion detection and prevention systems (IDPS). Gaithersburg: NIST, 2007. [3] Griffin K, Schneider S, Hu X, et al. Automatic generation of string signatures for malware detection. Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection. Saint-Malo, France. 2009. 101–120. [4] Snort network intrusion detection system. https://www.snort.org. [5] The bro network security monitor. https://www.bro.org/. [6] Gu GF, Perdisci R, Zhang JJ, et al. BotMiner: Clustering analysis of network traffic for protocol- and structure-independent botnet detection. Proceedings of the 17th USENIX Security Symposium. Berkeley, CA, USA. 2008. 139–154. [7] Kumar S, Spafford EH. A pattern matching model for misuse intrusion detection. Proceedings of the 17th National Computer Security Conference. Baltimore, MD, USA. 1994. 11–21. [8] 杨忠明, 秦勇, 蔡昭权. 一种策略分流的入侵防御及恢复系统架构. 计算机系统应用, 2017, 26(2): 83-87. DOI:10.15888/j.cnki.csa.005620 [9] Tajbakhsh A, Rahmati M, Mirzaei A. Intrusion detection using fuzzy association rules. Applied Soft Computing, 2009, 9(2): 462-469. DOI:10.1016/j.asoc.2008.06.001 [10] Blowers M, Williams J. Machine learning applied to cyber operations. Pino RE. Network Science and Cybersecurity. New York: Springer, 2014. 155–175. [11] Singh R, Kumar H, Singla RK. An intrusion detection system using network traffic profiling and online sequential extreme learning machine. Expert Systems with Applications, 2015, 42(22): 8609-8624. DOI:10.1016/j.eswa.2015.07.015 [12] Chong D. Learning automata based SVM for intrusion detection. arXiv: 1801.01314. [13] Agarap AF. A neural network architecture combining gated recurrent unit (GRU) and support vector machine (SVM) for intrusion detection in network traffic data. arXiv: 1709.03082. [14] Bhuyan MH, Bhattacharyya DK, Kalita JK. Network anomaly detection: Methods, systems and tools. IEEE Communications Surveys & Tutorials, 2014, 16(1): 303-336. [15] 任晓芳, 赵德群, 秦健勇. 基于随机森林和加权k均值聚类的网络入侵检测系统. 微型电脑应用, 2016, 32(7): 21-24. DOI:10.3969/j.issn.1007-757X.2016.07.007 [16] 王锋. 一种误用和异常技术结合的网络入侵检测模型. 计算机光盘软件与应用, 2012(12)84. [17] Al-Yaseen WL, Othman ZA, Nazri MZA. Multi-level hybrid support vector machine and extreme learning machine based on modified K-means for intrusion detection system. Expert Systems with Applications, 2017, 67: 296-303. DOI:10.1016/j.eswa.2016.09.041 [18] Weston J, Chopra S, Bordes A. Memory networks. arXiv: 1410.3916. [19] Sukhbaatar S, Szlam A, Weston J, et al. End-to-end memory networks. arXiv: 1503.08895, 2015. [20] Stolfo SJ, Fan W, Lee W, et al. Cost-based modeling and evaluation for data mining with application to fraud and intrusion detection: Results from the JAM project. 1999. 130–144. [21] Lippmann RP, Graf I, Wyschogrod D, et al. The 1998 darpa/afrl off-line intrusion detection evaluation. Proceedings of the 1st International Workshop on Recent Advances in Intrusion Detection. Louvain-la-Neuve, Belgium. 1998. [22] Tavallaee M, Bagheri E, Lu W, et al. A detailed analysis of the KDD CUP 99 data set. Proceedings of 2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications. Ottawa, ON, Canada. 2009. 1–6.