Search

CN-122001633-A - Personalized federal intrusion detection method based on meta-learning local self-adaption and prototype guidance

CN122001633ACN 122001633 ACN122001633 ACN 122001633ACN-122001633-A

Abstract

The invention discloses a personalized federation intrusion detection method based on meta-learning local self-adaption and prototype guidance, which comprises initializing a global model and sending the global model to all boundary equipment clients, randomly sending the global model and a fair global prototype to each boundary equipment client in a client terminal set through a central server, carrying out local training after receiving the global model and the fair global prototype through the client terminal to obtain a local model and a local prototype, uploading the local model and the local prototype to a server terminal, carrying out prototype clustering on the local prototype through the server terminal based on the local model and the local prototype uploaded by the client terminal, generating a new round of fair global prototype, repeatedly executing S2 to S4 to obtain an optimized global model, sending the optimized global model to each boundary equipment client through the server terminal, and carrying out one round of local training on the received global model through the client terminal to obtain a local personalized model.

Inventors

  • ZHANG KEJUN
  • WANG JUN
  • SHI XINGLONG
  • Zeng Taiheng
  • LI PENGCHENG
  • WANG WENBIN
  • WANG XUNXI
  • ZOU BING
  • JIAO MENG

Assignees

  • 北京电子科技学院

Dates

Publication Date
20260508
Application Date
20260122

Claims (8)

  1. 1. A personalized federal intrusion detection method based on meta-learning local self-adaption and prototype guidance is characterized by comprising the following steps: S1, initializing a global model through a server, initializing parameters of a feature extractor and a classifier by a central server, and transmitting the initial global model to all boundary equipment clients; S2, the subset of the clients is random through a central server, and a global model and a fair global prototype are sent to each boundary equipment client in a client terminal set; S3, after receiving the global model and the fair global prototype through the selected boundary equipment client, performing local training of combining element learning local self-adaption and prototype alignment constraint to obtain a local model and a local prototype, and uploading the local model and the local prototype to a server; s4, generating a global model and a global classifier optimization data set through a server end based on the local model and the local prototype uploaded by the client, performing prototype clustering on the local prototype, generating a new round of fair global prototype, and optimizing the global classifier; s5, repeatedly executing the steps S2 to S4 until the preset global cooperative round number is reached, and obtaining an optimized global model; And S6, sending the optimized global model to each boundary equipment client through the server, and carrying out a round of local training on the received global model through the clients to obtain a local personalized model.
  2. 2. The method of claim 1, wherein the client in S2 The local prototype calculation formula is: Wherein, the Is a category of Is a model of the local prototype of (a), Is a client terminal Private data Is composed of All of the classes of (1) Is a data structure of (1).
  3. 3. The method of claim 1, wherein S3 further comprises: S31, receiving a global model and a fair global prototype through the selected boundary equipment client; S32, constructing prototype alignment constraint based on the fair global prototype, and carrying out local training by combining a meta-learning local self-adaptive method; s33, generating a smoothed local data set through the client Local data set The smooth labels of (2) are: Wherein, the Representing one-hot tags The label is smoothed after the smoothing process is performed, Representing in smooth labels The tag value of the class is used to determine, Represents a smoothing factor for controlling the softening degree of the label, Representing the smoothed local data set; s34, fine tuning the local classifier based on the balance smooth labels in the local data set; and S35, generating a local prototype, and uploading the updated local model and the local prototype to a server.
  4. 4. A method according to claim 3, wherein S32 comprises: definition client The local fairness global prototype alignment constraint penalty of (1) is: Wherein, the Is a client terminal The output of the local feature extractor for the class c local data is defined as ; Is that And Is defined as ; Redefining client Local loss function The method comprises the following steps: Wherein, the Is a local supervision of the loss of training, ; The overall training objectives of meta-learning local adaptation redefinition combined with the fair global prototype alignment constraint are: Wherein, the It is the step size that represents the local training learning rate, Representing clients Relative to model parameters Is a gradient of (2); Defining local meta function of a border device client The method comprises the following steps: Definition of local meta function The gradient calculation of (2) is: in the e-round local training, the following steps are carried out Step element learning random gradient descent and setting Is a client Parameters for performing the k-th element learning gradient calculation The method comprises the following steps: Wherein, the Representing a local update learning rate; the computing cost of the method is large, and a batch of data is used according to gradient unbiasedness by combining the actual computing resource capability of the boundary equipment of the Internet of things The gradient is approximately calculated, and the calculation formula is as follows: Meta-gradient Estimated value The calculation formula of (2) is as follows: Wherein, the , , In the multi-round local training, the client side iteratively updates the model parameters in the following modes: Wherein, the Representing model parameters of client i at the beginning of the (e+1) th round of local training.
  5. 5. The method of claim 1, wherein S4 further comprises: s41, receiving a local prototype sent by a client through a server, and generating a global model by using weighted average calculation, wherein the server generates a t-th round global model by using a weighted average aggregation calculation mode, and a parameter calculation formula is as follows: Wherein, the Representing a set of clients participating in a t-th round of global collaboration training, Global model parameters representing a t-th round of global collaborative training; s42, collecting local prototypes uploaded by the clients participating in training into a global classifier optimization data set Wherein The definition is as follows: Wherein, the Is a local prototype set uploaded by a client, defined as , Is a local prototype A corresponding category label; S43, performing prototype clustering on the local prototypes to generate fair global prototypes, selecting a local prototype clustering center set for the local prototypes of each type of data The process of (1) can be expressed as: Wherein, the Is the set of clients that participate in global collaboration for the round, Representation of The number of clusters of the class local prototypes; Redefining a calculation formula of a global prototype, and clustering a center set by a local prototype Calculating an average prototype to obtain a fair global prototype, wherein the calculation formula is as follows: Wherein, the A fair global prototype calculated by a class c local prototype clustering center; S44, by the method Optimizing the global classifier to obtain a final updated global model and a fair global prototype, wherein the loss function of the global classifier optimization is as follows: Wherein, the The data set is optimized for the global classifier.
  6. 6. A meta-learning local adaptation and prototype guided personalized federal intrusion detection device, comprising: The initialization module is used for initializing the global model through the server, initializing parameters of the feature extractor and the classifier by the central server, and transmitting the initial global model to all boundary equipment clients; The distribution module is used for randomly selecting a subset of the clients through the central server and sending the global model and the fair global prototype to each boundary equipment client in the client terminal set; The training module is used for receiving the global model and the fair global prototype through the selected boundary equipment client, then executing local training combined with element learning local self-adaption and prototype alignment constraint, obtaining a local model and a local prototype, and uploading the local model and the local prototype to the server; The aggregation module is used for generating a global model and a global classifier optimization data set through a server end based on the local model and the local prototype uploaded by the client, performing prototype clustering on the local prototype, generating a new round of fair global prototype, and optimizing the global classifier; The loop optimization module is used for repeatedly executing the steps S2 to S4 until the preset global cooperative round number is reached, and an optimized global model is obtained; And the individuation module is used for sending the optimized global model to each boundary equipment client through the server, and carrying out a round of local training on the received global model through the clients to obtain a local individuation model.
  7. 7. A computer device comprising a processor and a memory; wherein the processor runs a program corresponding to executable program code stored in the memory by reading the executable program code for implementing the meta-learning local adaptation and prototyping personalized federal intrusion detection method according to any one of claims 1-5.
  8. 8. A non-transitory computer readable storage medium having stored thereon a computer program, which when executed by a processor implements a meta-learning local adaptation and prototyping-guided personalized federal intrusion detection method according to any one of claims 1-5.

Description

Personalized federal intrusion detection method based on meta-learning local self-adaption and prototype guidance Technical Field The invention relates to the technical field of artificial intelligence, in particular to a personalized federal intrusion detection method based on meta-learning local self-adaption and prototype guidance. Background With the rapid expansion of the number of devices and application scenes of the internet of things, the network security threat faced by the devices is also increasingly severe. Malicious attackers frequently launch network attack events such as DDoS attacks, malicious invasion and the like by utilizing equipment vulnerabilities, network protocol defects and non-updated security protection means, and form continuous and complex threats to the Internet of things system, so that high-efficiency intrusion detection systems IDS are urgently required to be deployed to ensure the safe and stable operation of the system. Traditional intrusion detection methods (e.g., rule-matching-based signature detection) rely on a priori knowledge base, and are difficult to effectively pose a current complex network security threat. The intrusion detection method based on deep learning automatically extracts flow characteristics and identifies through end-to-end training, improves the accuracy and generalization capability of intrusion detection, and achieves great success. The intrusion detection method based on deep learning generally adopts a centralized training mode, and network flow data distributed on each boundary device needs to be collected to a central server for training. The centralized processing mode of the data has the risk of information leakage, and the local sensitive data is easy to be abused by a server. And centralized intrusion detection is difficult to be applied to the internet of things equipment with the current distributed architecture, when the internet of things flow data is increased, the calculation cost of a central server can be increased linearly, and additional time cost is brought. The intrusion detection algorithm based on federal learning aims to realize cooperative training of network boundary equipment of a distributed architecture on the premise of safe and reliable data privacy, and is to a certain extent. Federal learning is an emerging distributed machine learning paradigm oriented to data privacy protection by transmitting local model parameters to a server, building a global model at a central server to achieve collaborative training of multiple clients. The intrusion detection method based on the traditional federal learning algorithm mainly utilizes the existing federal learning method, and improves the local recognition accuracy of the boundary equipment by improving the local model structure. The algorithm research is based on boundary equipment clusters with even data distribution for experiments, however, network traffic data locally collected by boundary equipment in the distributed architecture Internet of things has the characteristic of heterogeneity, namely local data sets of different boundary equipment are not independently and uniformly distributed. Because of the differences in deployment environments, device performance and types of network threats faced by different boundary devices, the locally collected traffic data are obviously inconsistent in quantity, characteristics, category distribution and the like. The problem of local data heterogeneity of the boundary device severely affects the performance and convergence speed of the global model. The personalized federal learning optimizes global model aggregation aiming at client data distribution difference, and can optimize performance of the model when the local data heterogeneity problem is faced to a certain extent. However, these algorithms are mainly directed to data distribution differences among customer orders, and lack attention to the distribution characteristics in the local dataset. The benign data of the local intrusion detection data set occupies larger area, the abnormal flow data is less, and the characteristic of unbalanced local data distribution influences the generalization capability of the model to a certain extent. When the current majority of methods realize the identification of the full-class abnormal traffic, the performance improvement of the current majority of methods mainly depends on the generalization capability of the global model. Because the local data of the client in the Internet of things environment has obvious independent same distribution characteristics, the migration capability between different clients is limited by simply relying on a global model, and the recognition effect on rare or unknown type attacks is poor. More importantly, the existing research generally lacks a mechanism design for sharing the full-class attack traffic information, so that the recognition capability and the robustness improvement space of the model