CN-122001622-A - Consistency-driven adversarial defense method
Abstract
The embodiment of the application discloses a consistency-driven adversarial defense method comprising the following steps: constructing a feature view network and a structure view network; analyzing node features of a target node using the feature view network; analyzing the graph structure of the target node using the structure view network; comparing whether the analysis results of the feature view and the structure view are consistent; and, if they are inconsistent, adopting a structure-guided correction mechanism based on neighbor voting to determine whether the target node is attacked. The application exploits the fact that, in network intrusion detection, packet-level features are easily manipulated by an adversary while the network topology remains largely stable; through dual-view learning, cross-view consistency analysis and structure-guided neighbor voting, robustness is kept at 95.9% under strong white-box attack.
Inventors
- LI XIULAI
- LIU XIAOZHANG
- LI XING
- XU JIAJIN
- WU XINZHE
Assignees
- 海南大学
Dates
- Publication Date: 20260508
- Application Date: 20251231
Claims (9)
- 1. A consistency-driven adversarial defense method, comprising the steps of: constructing a feature view network and a structure view network; analyzing node features of a target node using the feature view network; analyzing the graph structure of the target node using the structure view network; comparing whether the analysis results of the feature view and the structure view are consistent; and, if the analysis results of the feature view and the structure view are inconsistent, adopting a structure-guided correction mechanism based on neighbor voting to determine whether the target node is attacked.
- 2. The method of claim 1, wherein analyzing node features of the target node using the feature view network comprises: the feature view network adopts a graph attention network, and the node features of the target node are aggregated through attention weighting.
- 3. The method of claim 1, wherein analyzing the graph structure of the target node using the structure view network comprises: the structure view network injects Gaussian noise into the node features of the target node and introduces a structural similarity metric into the attention mechanism.
- 4. The method of claim 1, wherein comparing whether the analysis results of the feature view and the structure view are consistent comprises: calculating a consistency score and an adaptive threshold for the target node, and determining from the consistency score and the adaptive threshold whether the analysis results of the feature view and the structure view are consistent.
- 5. The method of claim 4, wherein the consistency score of the target node comprises a prediction-level consistency and an embedding-level consistency; and the adaptive threshold of the target node is calculated by taking the feature-view and structure-view embeddings of the target node, together with the node's structural statistics, as input.
- 6. The method of claim 1, wherein adopting a structure-guided correction mechanism based on neighbor voting to determine whether the target node is attacked comprises: selecting trusted neighbor nodes according to the structure view of the target node; and determining whether the target node is attacked based on the weighted voting result of the trusted neighbor nodes.
- 7. The method of claim 1, wherein the method further comprises: enhancing the robustness of the structure view through adversarial training, and maintaining the orthogonality of the dual-view representations through regularization constraints.
- 8. A consistency-driven adversarial defense apparatus comprising a feature view network and a structure view network, the apparatus comprising: the feature view network, used for analyzing node features of a target node; the structure view network, used for analyzing the graph structure of the target node; a consistency detection module, used for comparing whether the analysis results of the feature view and the structure view are consistent; and a correction module, used for determining whether the target node is attacked by adopting a structure-guided correction mechanism based on neighbor voting when the analysis results of the feature view and the structure view are inconsistent.
- 9. A consistency-driven adversarial defense device comprising a memory and a processor, the memory being used for storing a computer program which, when executed by the processor, implements the method of any of claims 1 to 7.
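The check described in claims 4 to 6, as an added example that is not taken from the patent. The claims give no formulas, so the total-variation and cosine measures, the degree-only threshold (the claimed threshold also takes both embeddings as input), the `trust_min` cut-off, the label coding (0 = benign, 1 = attack) and all sample values are assumptions.

```python
import math

def cosine(u, v):
    dot = sum(a * b for a, b in zip(u, v))
    return dot / (math.hypot(*u) * math.hypot(*v))

def consistency_score(p_feat, p_struct, z_feat, z_struct, alpha=0.5):
    # Prediction-level term (assumed): 1 - total variation between class distributions.
    pred = 1.0 - 0.5 * sum(abs(a - b) for a, b in zip(p_feat, p_struct))
    # Embedding-level term (assumed): cosine similarity rescaled to [0, 1].
    emb = 0.5 * (1.0 + cosine(z_feat, z_struct))
    return alpha * pred + (1.0 - alpha) * emb

def adaptive_threshold(degree, w=0.15, b=0.0):
    # Stand-in for the per-node threshold: logistic function of node degree only,
    # with hypothetical weights (stricter for well-connected nodes).
    return 1.0 / (1.0 + math.exp(-(b + w * math.log1p(degree))))

def neighbor_vote(z_target, neighbors, trust_min=0.8):
    # Trusted neighbors (assumed rule): structure-view similarity >= trust_min.
    # Each trusted neighbor votes its label, weighted by that similarity.
    votes = {}
    for z_nb, label in neighbors:
        sim = cosine(z_target, z_nb)
        if sim >= trust_min:
            votes[label] = votes.get(label, 0.0) + sim
    return max(votes, key=votes.get) if votes else None

def classify(node, neighbors):
    """Return (label, flagged); flagged is True when the two views disagree."""
    p = node["p_feat"]
    feat_label = max(range(len(p)), key=p.__getitem__)
    score = consistency_score(p, node["p_struct"], node["z_feat"], node["z_struct"])
    if score >= adaptive_threshold(len(neighbors)):
        return feat_label, False
    voted = neighbor_vote(node["z_struct"], neighbors)
    # With no trusted neighbor there is nothing to correct with: keep the label, keep the flag.
    return (feat_label if voted is None else voted), True

# Constructed sample data: (structure-view embedding, label) for four neighbors.
NEIGHBORS = [([0.1, 1.0], 1), ([0.0, 0.9], 1), ([0.2, 1.0], 1), ([1.0, 0.1], 0)]
# Node whose packet-level features were perturbed: the feature view says benign.
PERTURBED = {"p_feat": [0.9, 0.1], "p_struct": [0.2, 0.8],
             "z_feat": [1.0, 0.0], "z_struct": [0.0, 1.0]}
CLEAN = {"p_feat": [0.95, 0.05], "p_struct": [0.9, 0.1],
         "z_feat": [1.0, 0.2], "z_struct": [0.9, 0.3]}

if __name__ == "__main__":
    print(classify(PERTURBED, NEIGHBORS), classify(CLEAN, NEIGHBORS))
```

The fourth neighbor falls below `trust_min` and casts no vote, so the perturbed node is relabelled by the three structurally similar neighbors only.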
Description
Consistency-driven adversarial defense method

Technical Field

The application relates to the technical field of network security, and in particular to a consistency-driven adversarial defense method.

Background

In modern network security architectures, network intrusion detection systems (IDS) act as a key layer of defense, continuously monitoring network traffic to identify malicious activities such as denial-of-service attacks, unauthorized access, and malware propagation. Traditional feature-based and anomaly-based IDS approaches increasingly struggle against ever more complex network threats, as attackers continually develop techniques that can bypass these detection mechanisms. Recently, research into applying graph neural networks (GNNs) to network intrusion detection has attracted attention, because GNNs can naturally represent network communications as graphs, capturing the relationships between hosts and traffic. GNN-based NIDS exhibit high detection accuracy on non-attack data. However, the rise of adversarial machine learning poses a fundamental threat to the deployment of GNN-based IDS: carefully crafted adversarial samples can fool GNN-based detectors, and an attack that successfully evades detection can lead to catastrophic consequences.

Most existing adversarial-attack defense mechanisms for GNNs concentrate on fields such as social networks and recommendation systems, and the network intrusion detection setting lacks research. Some of the robust training and graph structure detection techniques proposed in those fields are not necessarily directly applicable to network traffic graphs, as the network environment has its own unique challenges. Furthermore, previous studies have generally evaluated the effectiveness of only a single defensive component, without comprehensively considering the synergistic effects of multiple defensive measures.
Disclosure of Invention

In order to solve the existing technical problems, the embodiment of the application provides a consistency-driven adversarial defense method. The technical scheme is as follows:

In a first aspect, a consistency-driven adversarial defense method is provided, comprising the steps of: constructing a feature view network and a structure view network; analyzing node features of a target node using the feature view network; analyzing the graph structure of the target node using the structure view network; comparing whether the analysis results of the feature view and the structure view are consistent; and, if the analysis results of the feature view and the structure view are inconsistent, adopting a structure-guided correction mechanism based on neighbor voting to determine whether the target node is attacked.

Further, analyzing the node features of the target node using the feature view network includes: the feature view network adopts a graph attention network, and the node features of the target node are aggregated through attention weighting.

Further, analyzing the graph structure of the target node using the structure view network includes: the structure view network injects Gaussian noise into the node features of the target node and introduces a structural similarity metric into the attention mechanism.

Further, comparing whether the analysis results of the feature view and the structure view are consistent includes: calculating a consistency score and an adaptive threshold for the target node, and determining from the consistency score and the adaptive threshold whether the analysis results of the feature view and the structure view are consistent.
Further, the consistency score of the target node comprises a prediction-level consistency and an embedding-level consistency; and the adaptive threshold of the target node is calculated by taking the feature-view and structure-view embeddings of the target node, together with the node's structural statistics, as input.

Further, determining whether the target node is attacked by adopting a structure-guided correction mechanism based on neighbor voting includes: selecting trusted neighbor nodes according to the structure view of the target node; and determining whether the target node is attacked based on the weighted voting result of the trusted neighbor nodes.

Further, the method further comprises: enhancing the robustness of the structure view through adversarial training, and maintaining the orthogonality of the dual-view representations through regularization constraints.

In a second aspect, there is provided a consistency-driven adversarial defense device comprising a feature view network and a structure view network, the device comprising: the feature view network, used for analyzing node features of a target node; the structure view network, used for analyzing the graph structure of the target node; The