Cite this article:
- ZHANG Wenzhe, YANG Dong, WEI Songjie. Interactive-Gaming Guided Modeling and Detection for Network Traffic Anomaly Detection[J]. Journal of Cyber Security, 2024, 9(2): 36-46
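Abstract:
System intrusions carried out over network traffic can cause severe damage, so methods that accurately identify and classify anomalous traffic are of significant research value. Detection algorithms based on machine learning models rely on data as their sole basis; the training process is a black box to the outside, and the model lacks user interaction throughout training and use. As a result, in network operations and maintenance scenarios, professional operations staff cannot feed guidance back into the system in real time based on the model's current detection results, which weakens the system's ability to adapt to the scenario and to correct detection errors. Building on the reinforcement learning process, this paper designs an interaction-guided network traffic anomaly detection method based on a dynamic Bayesian game. Through interaction between the detection model and operations staff, the staff provide expert feedback during training so that the model receives external reward and penalty signals on its current detection performance, which guide its feature focus and convergence process. The operations staff and the detection model are treated as the two players of a game, and a game model is built so that the interactive guidance between them reaches a dynamic equilibrium. The game provides guidance on the frequency of model interaction and the content of the feedback, giving the model the ability to adapt dynamically to the current scenario while effectively controlling the system overhead introduced by human-machine interactive feedback. The experiments verify the feasibility and effectiveness of using the two-player game to guide interaction in the interactive-game traffic detection method, and show that the method adapts well in dynamic scenarios. Compared with traditional machine learning methods, the interaction-guided model improves overall detection performance. Performance comparison tests show that for every 0.02% increase in interaction frequency, overall system detection performance improves by 0.01%.
Keywords: dynamic Bayesian game; reinforcement learning; network traffic; anomaly detection
DOI: 10.19363/J.cnki.cn10-1380/tn.2024.03.03
Submitted: 2022-05-25. Revised: 2022-07-05.
Funding: This work was supported by the National Key R&D Program of China sub-project "Research on Key Technologies of Endogenous Security Switches" (No.2020YFB1804604) and the Industrial Internet Innovation and Development Project "Integrated Cybersecurity Protection Platform for Industrial Enterprises" (No.TC200H01V).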
Interactive-Gaming Guided Modeling and Detection for Network Traffic Anomaly Detection
ZHANG Wenzhe, YANG Dong, WEI Songjie
(School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing 210094, China)
Abstract:
Since system intrusion through network traffic may cause serious damage, more accurate methods for network traffic recognition and anomaly classification are of great research value. Traditional machine-learning based detection methods rely only on data, and the model training and application procedures lack interaction with domain users, which leaves the model running as a black box. Domain experts in network anomaly detection scenarios cannot provide instant feedback about the model's detection results to the system, so the detection system lacks adaptability and self-correction capability in these scenarios. This paper proposes an interaction-guided network traffic anomaly detection method based on an improved reinforcement learning procedure with dynamic Bayesian gaming. The new model training and detection procedure enables system administrators and domain experts to return feedback about the model's behavior to the system as incentive signals for feature focusing and model convergence. System administrators and detection models interact with each other according to game theory to approximate a dynamic equilibrium state. We design the interactive gaming strategy to control the interaction frequency and content, which optimizes the detection model to achieve dynamic adaptability to the current network traffic scenario with constrained interaction overhead. We have conducted experiments on a public dataset for traffic anomaly detection to verify the interactive gaming performance, detection improvement and effectiveness. The experimental results show that the interaction-guided model has good adaptability and usability in dynamic scenarios. The interaction frequency can be controlled by adjusting parameters, and the model can achieve a balance between performance and interaction frequency on data sets of different types and scenarios.
Compared with traditional machine learning methods, the interaction-guided model improves overall detection performance. Results show that the detection performance is improved by 0.01% for every 0.02% more interaction frequency.
Key words: dynamic Bayesian gaming; reinforcement learning; network traffic; anomaly detection