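| Abstract: |
| To detect the wide range of malicious attacks on networks effectively, researchers have developed a large number of intrusion detection systems. Faced with novel attacks such as zero-day attacks, however, existing detection systems struggle to obtain enough attack samples and to train sufficiently within a short time, which sharply reduces recognition accuracy and network system security. To address these problems, this paper proposes MCIDS (Meta-CLIP based Intrusion Detection System), a network intrusion detection model based on meta-learning and feature enhancement. It aims to imitate the way security experts use meta-knowledge to learn and to detect unknown intrusion traffic, solving new intrusion detection tasks with only a small number of samples. The model first converts network traffic data into grayscale images and feeds them to the CLIP image encoder for feature enhancement, improving how well traffic features are represented in a high-dimensional vector space. The resulting high-dimensional vectors are then converted into two-dimensional data and passed to the task pool. On this basis, the base learner updates local parameters on the task support set and the meta-learner updates global parameters on the task query set. In each training epoch, MCIDS checks how far a linear combination of the global parameters deviates from its projection onto the subspace and uses this to decide whether to increase the number of parameters, so that the set of optimal initialization parameters covers all detection tasks. Finally, the model performs a meta-update using gradient steps obtained from a small amount of new attack data, yielding good detection performance on that task. The resulting MCIDS achieves good detection results on both the UNSW-NB15 and CSE-CIC-IDS2018 datasets; compared with MAML+CNN, Meta-SGD and the unsupervised Kitsune model, mean detection accuracy improves by 2.93%, 4.74% and 16.07%, respectively. |
| Keywords: network intrusion detection; meta-learning; feature enhancement |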
| DOI:10.19363/J.cnki.cn10-1380/tn.2026.01.17 |
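| Received: July 08, 2024 Revised: September 20, 2024 |
| Funding: Supported by the National Key R&D Program of China project "Research on a Cross-Domain Multi-Source Video Surveillance Network Security System" (No. 2022YFC3301101). |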
|
| Network Intrusion Detection Model based on Meta-Learning and Feature Enhancement |
| JIANG Zhangtao, LI Xin, XUE Di, PENG Yijie |
| Information Network Security Academy, People's Public Security University of China, Beijing 100045, China; Information Network Security Academy, People's Public Security University of China, Beijing 100045, China; China Security Prevention Technology and Risk Assessment Key Laboratory of Ministry of Public Security, Beijing 100026, China |
| Abstract: |
| To meet the pressing need for effective detection of malicious attacks on networks, researchers have developed a large number of intrusion detection systems. However, when faced with new types of attacks such as zero-day attacks, existing detection systems struggle to obtain sufficient attack samples and to train on them adequately in a short period of time, which leads to a significant decrease in recognition accuracy and network system security. To solve these problems, this paper proposes MCIDS (Meta-CLIP based Intrusion Detection System), a network intrusion detection model based on meta-learning and feature enhancement. It is designed to mimic the ability of security experts to use meta-knowledge for learning and for detecting unknown intrusion traffic, so that a new intrusion detection task can be solved with only a small number of samples. The model first converts network traffic data into grayscale images that are passed to a CLIP image encoder for feature enhancement, improving the representation of network traffic features in a high-dimensional vector space. The high-dimensional vectors it generates are then converted into 2D data and passed to the task pool. On this basis, the model's base learner updates local parameters on the task support set and the meta-learner updates global parameters on the task query set. In each training cycle, MCIDS decides whether to expand the number of parameters by examining how much the linear combination of global parameters deviates from its projection in the subspace, to ensure that the optimal initialised parameter set can cover all detection tasks. Finally, the model is meta-updated with gradient steps obtained from a small amount of novel attack data, which produces good detection results on this task. The constructed MCIDS achieves good detection results on both the UNSW-NB15 and CSE-CIC-IDS2018 datasets, and the mean detection accuracy is improved by 2.93%, 4.74%, and 16.07% compared to the MAML+CNN, Meta-SGD, and unsupervised Kitsune models, respectively. |
| Key words: network intrusion detection; meta-learning; feature enhancement |
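
The support-set / query-set update described in the abstract, as an added example that is not the authors' code: a first-order MAML-style loop that meta-trains an initialisation on two known attack families and then adapts to an unseen one from two labelled flows. It assumes a linear logistic classifier in place of the paper's network and omits the CLIP feature enhancement and the parameter-expansion test; all function names, learning rates and flow values are constructed for illustration.

```python
import math

def loss_and_grad(w, data):
    """Mean logistic loss and its gradient over (features, label) pairs; label 1 = attack."""
    loss, grad = 0.0, [0.0] * len(w)
    for x, y in data:
        p = 1.0 / (1.0 + math.exp(-sum(wi * xi for wi, xi in zip(w, x))))
        loss -= y * math.log(p) + (1 - y) * math.log(1.0 - p)
        grad = [g + (p - y) * xi for g, xi in zip(grad, x)]
    return loss / len(data), [g / len(data) for g in grad]

def adapt(w, support, lr=0.5, steps=1):
    """Base learner: gradient steps on a task's support set give local parameters."""
    for _ in range(steps):
        _, g = loss_and_grad(w, support)
        w = [wi - lr * gi for wi, gi in zip(w, g)]
    return w

def meta_train(tasks, dim, meta_lr=0.5, epochs=50):
    """Meta-learner: move the global initialisation along the query-set gradient
    taken at each task's adapted parameters (first-order approximation)."""
    w = [0.0] * dim
    for _ in range(epochs):
        total = [0.0] * dim
        for support, query in tasks:
            _, g = loss_and_grad(adapt(w, support), query)
            total = [t + gi for t, gi in zip(total, g)]
        w = [wi - meta_lr * t / len(tasks) for wi, t in zip(w, total)]
    return w

# Constructed flows: (scaled packet rate, scaled byte volume), label 1 = attack.
TRAIN_TASKS = [  # (support set, query set) per known attack family
    ([((0.9, 0.2), 1), ((-0.7, -0.5), 0)], [((0.8, 0.3), 1), ((-0.6, -0.4), 0)]),
    ([((0.1, 0.9), 1), ((-0.5, -0.8), 0)], [((0.2, 0.8), 1), ((-0.4, -0.7), 0)]),
]
NEW_SUPPORT = [((0.6, 0.6), 1), ((-0.6, -0.6), 0)]  # two labelled samples of an unseen attack
NEW_QUERY = [((0.5, 0.7), 1), ((-0.7, -0.5), 0)]

def few_shot_losses():
    """Query loss on the unseen task after one adaptation step, from two starting points."""
    meta_init = meta_train(TRAIN_TASKS, dim=2)
    from_scratch, _ = loss_and_grad(adapt([0.0, 0.0], NEW_SUPPORT), NEW_QUERY)
    from_meta, _ = loss_and_grad(adapt(meta_init, NEW_SUPPORT), NEW_QUERY)
    return from_scratch, from_meta

if __name__ == "__main__":
    print(few_shot_losses())
```

With the same single adaptation step on the same two samples, the meta-trained initialisation reaches a lower query loss on the unseen task than a zero initialisation does.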