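Abstract:
Network intrusion detection technology refers to methods for detecting behavior that endangers the security of computer systems, and it is an indispensable defense mechanism in the field of computer network security. At present, network anomaly intrusion detection techniques based on supervised learning achieve high efficiency and accuracy; such methods have attracted wide attention and produced a large body of research results. However, these methods require a large number of labeled samples for model training. To reduce the dependence on labeled samples, network intrusion detection techniques based on unsupervised or semi-supervised learning have been proposed and have gradually become a research hotspot in this field. Among them, autoencoder-based network anomaly detection is a typical representative. This paper first introduces the basic principles, model structures, loss functions and training methods of the various kinds of autoencoders. On this basis, it then divides the approaches into threshold-based and classification-based methods. The threshold-based methods can be further divided into two classes: those based on reconstruction error and those based on reconstruction probability. An appropriate threshold is critical to the success or failure of anomaly detection, and this paper introduces three methods for calculating the threshold. It then compares and analyzes the methods, performance and innovations of several representative research works. Finally, it describes the problems that exist in this research and looks ahead to future research directions.
Keywords: network security; intrusion detection; anomaly detection; deep learning; autoencoder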
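DOI: 10.19363/J.cnki.cn10-1380/tn.2023.03.07
Received: December 16, 2021; Revised: April 07, 2022
Funding: This work was supported by the Natural Science Foundation of Tibet Autonomous Region (No. XZ2019ZRG-36(Z)) and the Xizang Minzu University "Tibet-related Network Information Content and Data Security Team" project (No. 324042000709).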
|
An Overview of Network Anomaly Detection Based on Autoencoders |
ZHANG Guoliang, GUO Xiaojun
Department of Information Engineering, Xizang Minzu University, Xianyang 710200, China
Abstract: |
Network intrusion detection technology refers to methods for detecting behaviors that endanger computer system security, such as collecting vulnerability information, denying access, and obtaining system control rights beyond the legal scope. It is an indispensable defense mechanism in the field of computer network security and is widely recognized in academia and industry. At present, network anomaly intrusion detection technology based on supervised learning has high processing efficiency and detection accuracy. However, such methods require a large number of labeled samples for model training, and these labeled samples are difficult and expensive to acquire. To reduce the dependence on labeled samples, network intrusion detection technology based on unsupervised or semi-supervised learning has been proposed and has gradually become a research hotspot in this field. Among them, network anomaly detection based on autoencoders is a typical representative. This paper sorts out and sums up the representative work on autoencoders in network anomaly detection and reviews the related literature. First, the basic principles, model structures, loss functions and training methods of various autoencoders are introduced. Second, on this basis, the approaches are divided into threshold-based and classification-based methods. The threshold-based methods use an autoencoder to calculate the reconstruction error or reconstruction probability, and can accordingly be divided into reconstruction-error-based and reconstruction-probability-based methods. Appropriate thresholds are critical to the success or failure of anomaly detection techniques, and this paper introduces three methods for calculating thresholds. The classification-based methods use an autoencoder for feature learning and dimensionality reduction, followed by a classifier for anomaly detection. Then, the method characteristics, performance evaluation and innovations of several representative research works are compared and analyzed. Finally, the existing problems in this research are introduced, and future research directions are discussed.
Key words: network security; intrusion detection; anomaly detection; deep learning; autoencoder