CN-121859003-B - Abnormal behavior sample data generation method based on countermeasure generation network

Abstract

The invention relates to the technical field of artificial intelligence and network security, in particular to an abnormal behavior sample data generation method based on an countermeasure generation network, which comprises a potential space mapping step, a step of acquiring normal behavior sequence data and a step of mapping to generate potential feature vectors; the method comprises a causal path filtering step, an energy composite calculating step, a convergence judging and outputting step, wherein the causal path filtering step is used for generating an abnormal sample to be evaluated by utilizing causal adjacency matrix filtering based on an abnormal guide noise disturbance vector, the energy composite calculating step is used for receiving the sample and calculating a total energy value based on a weighted result of the distribution anomaly degree and the logic violation degree, the convergence judging and outputting step is used for outputting target anomaly behavior sample data when the total energy value meets a preset convergence condition, the problem of impossible triangular deadlock is solved through an energy field constraint mechanism, and a balanced saddle point is found at a manifold boundary, so that the sample has concealment, aggressiveness and logic compliance.

Inventors

• HE YIFAN
• WANG ZONGYUE
• SU JINHE

Assignees

• 集美大学

Dates

Publication Date

20260512

Application Date

20260319

Claims (8)

1. 1. A method of generating abnormal behavior sample data based on an countermeasure generation network, the countermeasure generation network comprising a generation network, an energy discrimination network, and a causal constraint module, the method comprising: the generating network acquires target normal behavior sequence data to be processed, and maps the target normal behavior sequence data to a potential space to generate a potential feature vector; The generation network carries out disturbance processing on the potential feature vector based on a preset abnormal guide noise vector, carries out causal path filtering on the disturbed vector based on a causal adjacency matrix which is pre-constructed by a historical normal behavior state transfer relation, and generates an abnormal sample to be evaluated; The energy discrimination network receives the to-be-evaluated abnormal sample and calculates the total energy value of the to-be-evaluated abnormal sample based on a preset energy function, wherein the total energy value is determined based on a weighted calculation result of the distribution abnormality degree and the logic violation degree of the sample; the generation network determines the to-be-evaluated abnormal sample as target abnormal behavior sample data and outputs the target abnormal behavior sample data under the condition that the total energy value meets a preset convergence condition; The causal adjacency matrix pre-constructed based on the historical normal behavior state transition relation carries out causal path filtering on the vector after disturbance to generate an abnormal sample to be evaluated, and the causal adjacency matrix comprises the following components: The generating network generates an initial attack vector; The generating network executes Hadamard product operation of the initial attack vector and the causal adjacency matrix to inhibit disturbance components which do not accord with causal logic, and generates a corrected attack vector; and the generation network superimposes the modified attack vector on the potential feature vector to generate the abnormal sample to be evaluated.
2. 2. The method for generating abnormal behavior sample data based on an countermeasure generation network according to claim 1, wherein the calculating the total energy value of the abnormal sample to be evaluated based on a preset energy function includes: the energy discrimination network calculates the logic violation energy value of the to-be-evaluated abnormal sample based on a preset logic check rule; the energy discrimination network calculates the distribution distance energy value of the to-be-evaluated abnormal sample and the target normal behavior sequence data in a feature space; and the energy discrimination network performs weighted summation on the logic violation energy value and the distribution distance energy value to obtain the total energy value.
3. 3. The method for generating abnormal behavior sample data based on an countermeasure generation network according to claim 2, wherein the calculating the logic violation energy value of the abnormal sample to be evaluated based on a preset logic check rule includes: Under the condition that the behavior node connection relation in the abnormal sample to be evaluated is detected to be not in accordance with the logic check rule, the energy discrimination network sets the logic violation energy value as a preset forward punishment value; and under the condition that the behavior node connection relation in the abnormal sample to be evaluated accords with the logic check rule, the energy discrimination network sets the logic violation energy value to zero or a preset minimum value.
4. 4. A method of generating anomaly behavior sample data based on an antagonism generation network of claim 1, the method further comprising: The generating network executes vector updating operation based on gradient information of the total energy value under the condition that the total energy value does not meet a preset convergence condition; And the generation network regenerates the to-be-evaluated abnormal sample according to the updated potential feature vector.
5. 5. The method for generating abnormal behavior sample data based on an countermeasure generation network according to claim 4, wherein the performing a vector update operation based on gradient information of the total energy value includes: The generation network calculates a first gradient direction for increasing the degree of abnormality of the distribution; the generating network calculates a second gradient direction that reduces the logic violation; the generation network updates the position of the potential feature vector in the potential space based on a weighted sum of the first gradient direction and the second gradient direction.
6. 6. A method of generating anomaly behavior sample data based on an antagonism generation network of claim 1, the method further comprising: before generating the target abnormal behavior sample data, the generating network converts continuous feature vectors into discrete behavior event sequences by utilizing a discretization mapping layer; And the generation network performs format verification on the discrete behavior event sequence based on a preset data format standard.
7. 7. A method of generating anomaly behavior sample data based on an antagonism generation network of claim 1, the method further comprising: the energy discrimination network performs countermeasure training on a preset abnormal detection model by utilizing the target abnormal behavior sample data; And the energy discrimination network adjusts the weight parameters in the causal adjacency matrix according to the loss function gradient of the countermeasure training, and determines a path with the weight parameter variation exceeding a preset threshold as a fragile logic path in the target normal behavior sequence data.
8. 8. A method of generating abnormal behavior sample data based on an antagonism generation network according to claim 1, wherein the target normal behavior sequence data comprises web traffic log data, application program interface call sequence data, or industrial control instruction sequence data.

Description

Abnormal behavior sample data generation method based on countermeasure generation network Technical Field The invention relates to the technical field of artificial intelligence and network security, in particular to an abnormal behavior sample data generation method based on an countermeasure generation network. Background In order to verify the robustness of the detection system and improve the interception capability of the detection system, modeling and simulation analysis of a high-fidelity abnormal behavior sample become particularly important; In the traditional generation task, the attack success rate is improved at the cost of destroying the business logic constraint, and in order to ensure the logic compliance, the sample is easy to lose diversity and antagonism intensity, and a mechanism capable of effectively balancing statistical distribution characteristics and hard logic rules on manifold boundaries is lacked; Therefore, how to construct an energy field model containing causal constraint based on target normal behavior sequence data, and generate target abnormal behavior sample data with high concealment and strong attack on the premise of ensuring strict adherence to business logic verification rules, is important to ensuring actual combat defense efficiency of various safety systems. Disclosure of Invention In order to solve the above technical problems, the present invention provides a method for generating abnormal behavior sample data based on an countermeasure generation network, specifically, the technical scheme of the present invention includes: The countermeasure generation network includes a generation network, an energy discrimination network, and a causal constraint module, the method comprising: the generating network acquires target normal behavior sequence data to be processed, and maps the target normal behavior sequence data to a potential space to generate a potential feature vector; The generation network carries out disturbance processing on the potential feature vector based on a preset abnormal guide noise vector, carries out causal path filtering on the disturbed vector based on a causal adjacency matrix which is pre-constructed by a historical normal behavior state transfer relation, and generates an abnormal sample to be evaluated; The energy discrimination network receives the to-be-evaluated abnormal sample and calculates the total energy value of the to-be-evaluated abnormal sample based on a preset energy function, wherein the total energy value is determined based on a weighted calculation result of the distribution abnormality degree and the logic violation degree of the sample; and under the condition that the total energy value meets a preset convergence condition, the generating network determines the to-be-evaluated abnormal sample as target abnormal behavior sample data and outputs the target abnormal behavior sample data. Preferably, the calculating the total energy value of the abnormal sample to be evaluated based on a preset energy function includes: the energy discrimination network calculates the logic violation energy value of the to-be-evaluated abnormal sample based on a preset logic check rule; the energy discrimination network calculates the distribution distance energy value of the to-be-evaluated abnormal sample and the target normal behavior sequence data in a feature space; and the energy discrimination network performs weighted summation on the logic violation energy value and the distribution distance energy value to obtain the total energy value. Preferably, the calculating the logic violation energy value of the to-be-evaluated abnormal sample based on a preset logic check rule includes: Under the condition that the behavior node connection relation in the abnormal sample to be evaluated is detected to be not in accordance with the logic check rule, the energy discrimination network sets the logic violation energy value as a preset forward punishment value; and under the condition that the behavior node connection relation in the abnormal sample to be evaluated accords with the logic check rule, the energy discrimination network sets the logic violation energy value to zero or a preset minimum value. Preferably, the performing causal path filtering on the vector after disturbance by using a pre-constructed causal adjacency matrix to generate an abnormal sample to be evaluated includes: The generating network generates an initial attack vector; The generating network executes Hadamard product operation of the initial attack vector and the causal adjacency matrix to inhibit disturbance components which do not accord with causal logic, and generates a corrected attack vector; and the generation network superimposes the modified attack vector on the potential feature vector to generate the abnormal sample to be evaluated. Preferably, the method further comprises: The generating network executes vector updating operation based on gradient in