Abstract:
As network attacks with complex correlation relationships keep emerging, traditional network anomaly detection methods based on flow data face severe security challenges. To meet this challenge, research on network anomaly detection based on graph deep learning is flourishing. However, existing work still has room for improvement in learning deep graph-structural features, and limited node-feature learning capability weakens network anomaly detection performance. To address this, this paper proposes ResDAE, an anomaly detection method based on a dual autoencoder and a residual attention mechanism. Using an attention mechanism based on residual analysis, the method suppresses the propagation of information from anomalous nodes through the graph neural network, lowers the decoder's reconstruction error, and thereby improves the classification of anomalous nodes. Specifically, ResDAE takes into account the residual information produced by the dual autoencoder during reconstruction and introduces a residual-analysis-based attention module into the structure autoencoder, thereby effectively capturing the implicit relationship between network structure and node attributes; in addition, it uses a graph neural network to learn node embeddings, improving the graph embedding capability. Comparative experiments on three public datasets show that ResDAE outperforms existing graph anomaly detection methods in detection performance. Furthermore, for the botnet detection task, offline experiments on a CTU-13 sub-dataset show that ResDAE achieves Precision and Recall scores both exceeding 85% and the best AUC among the compared methods, further validating the superior performance of the proposed method on this specific detection task and the performance gain brought by the residual attention mechanism.
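The abstract describes attention coefficients derived from reconstruction residuals that damp the information flowing out of anomalous nodes. The following is an added toy illustration of that idea and is not the paper's ResDAE implementation: a dual reconstruction (adjacency row plus attribute vector rebuilt from each node's neighbors) over a constructed attributed graph, where the encoders are parameter-free neighbor averaging and the decoders are identities, so nothing is trained; the graph, attributes, the score weighting alpha and the temperature tau are assumptions.

```python
"""Toy dual (structure + attribute) reconstruction with residual attention.
Added illustration, not the paper's ResDAE code: encoders are parameter-free
neighbor averaging and decoders are identities, so no training is needed."""
import numpy as np

# Constructed attributed graph: two communities (nodes 0-3 and 4-6) and one
# anomalous bridge node 7 whose attributes are far from both communities.
EDGES = [(0, 1), (0, 2), (0, 3), (1, 2), (1, 3), (2, 3),
         (4, 5), (4, 6), (5, 6), (7, 0), (7, 4)]
N = 8
A = np.zeros((N, N))
for i, j in EDGES:
    A[i, j] = A[j, i] = 1.0
X = np.array([[1, 0]] * 4 + [[0, 1]] * 3 + [[5, 5]], dtype=float)
ANOMALY = 7

def row_normalize(W):
    """Turn non-negative edge weights into per-node aggregation coefficients."""
    return W / W.sum(axis=1, keepdims=True)

def dual_residuals(P, alpha=0.5):
    """Combined reconstruction error of every node under propagation matrix P.
    Structure decoder: rebuild each adjacency row from the neighbors' rows.
    Attribute decoder: rebuild each attribute vector from the neighbors' vectors.
    """
    r_struct = np.linalg.norm(A - P @ A, axis=1)
    r_attr = np.linalg.norm(X - P @ X, axis=1)
    return alpha * r_struct + (1.0 - alpha) * r_attr

def residual_attention(score, tau=1.0):
    """Coefficient from sender j to receiver i is A[i, j] * exp(-score_j / tau),
    row-normalized: senders with a large residual (suspected anomalies) are
    damped, so their information barely reaches their neighbors' reconstruction."""
    return row_normalize(A * np.exp(-score / tau)[None, :])

def detect(rounds=1):
    """Scores from plain mean aggregation, then after residual attention."""
    before = dual_residuals(row_normalize(A))
    after = before
    for _ in range(rounds):
        after = dual_residuals(residual_attention(after))
    return before, after

if __name__ == "__main__":
    before, after = detect()
    for i in range(N):
        print(f"node {i}: residual {before[i]:.3f} -> {after[i]:.3f}")
```

With plain averaging the anomaly already scores highest, but its two neighbors inherit a large residual because its outlier attributes and bridge edges leak into their reconstruction; after one attention pass those neighbors' scores drop well below 1 while the anomaly's stays above 4, so the score gap that separates it widens.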
Keywords: graph deep learning; anomaly detection; dual auto-encoder; residual attention mechanism
DOI: 10.19363/J.cnki.cn10-1380/tn.2025.09.08
Received: 2023-09-26; Revised: 2024-02-20
Funding: This work was supported by the Natural Science Foundation of Hunan Province (No. 2021JJ30779).

An Anomaly Detection Method Based on Dual Auto-Encoder with Residual Attention Mechanism
WU Xiaojie, LIU Qiang
College of Computer Science and Technology, National University of Defense Technology, Changsha 410073, China
Abstract:
In the rapidly developing era of information and data, cyberattacks pose a serious threat to human privacy, work and even the safety of life and property. As essential equipment for daily communication at work, entertainment and data storage, the host has become the main target of cyberattacks. It is therefore urgent and necessary to study host attack discovery technology. As the carrier that records all behaviour on a host, host events have become the focus of research: an attacker's malicious operations on the host will inevitably be recorded as host events. However, malicious events are hidden among large numbers of normal events and are difficult to detect and filter out, which has led to research on a series of issues such as how to obtain host events, how to identify and extract malicious events, how to reconstruct the attack process, and how to provide security protection. This paper extensively surveys and summarizes research on host-event-based attack discovery technology, traces its development history, and compares it with intrusion detection and digital forensics from four aspects: analysis object, analysis method, time of action, and analysis purpose. It then defines host-event-based attack discovery technology and explains the key concepts involved. Two major problems, dependency explosion and timeliness, are identified. The research is then divided by stage into three categories (host event collection, host event processing and host event analysis), comprising 12 subcategories in total, and the results and progress in each category are reviewed with respect to the two major problems. Finally, possible future research directions are pointed out based on the current state of research, including the integrity and credibility of host event records, timeliness of attack discovery, cross-device attack discovery, multi-step attack discovery, and algorithm application.
Key words: graph deep learning; anomaly detection; dual auto-encoder; residual attention mechanism