
CN-122027235-A - Federal intrusion detection method and system

Abstract

The invention provides a federal intrusion detection method and a federal intrusion detection system in the technical field of network security. The method is applied to a federal server and comprises: determining an optimal feature subset based on network traffic features uploaded by each security gateway; in each of multiple iterations, issuing the optimal feature subset and the global model parameters of the previous round, receiving the model parameter update values and weights that each security gateway obtains by training on the subset and its local data, and updating the global model according to the parameter update values and weights; and finally issuing the optimized global model for detection. Global feature optimization removes redundancy, which significantly reduces the computational burden and communication overhead at the edge, while dynamic aggregation using the weights effectively corrects the model bias caused by uneven data distribution, so that the accuracy and convergence speed of the final optimized global model in intrusion detection are improved.

Inventors

  • DU XIAOPENG
  • DING XIAOMING
  • ZHU QINGYI
  • CHEN HANG
  • LI SHAO
  • LI KAI
  • YIN YILEI
  • TIAN JING

Assignees

  • 农业农村部规划设计研究院

Dates

Publication Date
20260512
Application Date
20260120

Claims (10)

  1. A federal intrusion detection method, for use with a federal server, comprising: determining an optimal feature subset based on network traffic features uploaded by each security gateway; performing multiple rounds of iterative training on the initial global model, and updating the initial global model based on global model parameters when iteration is completed to obtain an optimized global model; issuing the optimized global model to each security gateway for intrusion detection; wherein in each iteration, the following steps are performed: issuing the optimal feature subset and the global model parameters of the previous iteration to each security gateway; receiving the model parameter update values and weights uploaded by the security gateways, wherein the model parameter update values are obtained by the security gateways according to local model parameters and the global model parameters of the previous iteration, and the local model parameters are obtained by the security gateways by training on the optimal feature subset and the local training data set; and updating the global model parameters of the previous iteration according to the model parameter update values and the weights of the security gateways to obtain the global model parameters of the current iteration.
  2. The federal intrusion detection method according to claim 1, wherein the determining an optimal feature subset based on network traffic features uploaded by each security gateway comprises: constructing a feature selection search space according to the network traffic features, and initializing a population containing a plurality of candidate feature subsets according to the feature selection search space; within the preset number of iterations, calculating the fitness value of each candidate feature subset according to the fitness function, and dividing the population into role groups of four levels; updating the positions of the other candidate feature subsets in the population according to the current positions of each role group, and generating an optimal candidate subset of the round when each iteration is finished; and when a preset iteration termination condition is reached, taking the final optimal candidate subset as the optimal feature subset.
  3. The federal intrusion detection method according to claim 2, wherein the updating the positions of the other candidate feature subsets in the population according to the current positions of each role group comprises: respectively acquiring the position vectors of the role groups of the four levels in the current iteration; calculating the distance vectors of the candidate feature subset to be updated in the population relative to the role groups of the four levels; based on the distance vectors and a preset dynamic coefficient vector, respectively calculating the update components of the candidate feature subset to be updated relative to each role group; and calculating the average value of the four update components, and taking the average value as the position vector of the candidate feature subset to be updated in the next round of iteration.
  4. The federal intrusion detection method according to claim 1, wherein updating the global model parameters at the previous iteration according to the model parameter update values and the weights of each security gateway to obtain global model parameters at the current iteration comprises: the global model parameters at the current iteration are calculated by the following formula: ; Wherein, the As global model parameters at the current iteration, As global model parameters at the time of the previous iteration, Updating values for the model parameters of the ith said security gateway, And K is the number of the security gateways and is the weight of the ith security gateway.
  5. A federal intrusion detection method, for use in a security gateway, comprising: uploading the network traffic features to a federal server; receiving an optimal feature subset issued by the federal server and the global model parameters of the previous iteration, wherein the optimal feature subset is determined by the federal server based on the network traffic features; training on the optimal feature subset and the local training data set to obtain local model parameters; obtaining a model parameter update value according to the local model parameters and the global model parameters of the previous iteration; uploading the model parameter update value and the weight to the federal server, wherein the weight represents the information content of the local training data set of the security gateway; receiving an optimized global model issued by the federal server, wherein the optimized global model is obtained by the federal server by performing multiple rounds of iterative training on an initial global model and updating the initial global model based on global model parameters when iteration is completed; and performing intrusion detection based on the optimized global model.
  6. The federal intrusion detection method according to claim 5, wherein the training based on the optimal feature subset and a local training data set to obtain local model parameters comprises: performing feature coding on the local unlabeled data by using the optimal feature subset to generate dimension-reduced feature vectors; calculating potential information content scores of the local unlabeled data; screening a preset number of target samples from the local unlabeled data based on the potential information content scores; labeling the target samples, and adding the labeled target samples to the local training data set; and training a local intrusion detection model according to the dimension-reduced feature vectors and the local training data set to obtain the local model parameters.
  7. The federal intrusion detection method according to claim 6, further comprising: calculating an average value of the potential information content scores of all the target samples; and determining the weight according to the average value, wherein the weight and the average value are in positive correlation.
  8. The federal intrusion detection method according to claim 5, further comprising, prior to uploading the network traffic features to the federal server: collecting network traffic data; preprocessing the network traffic data, and converting the preprocessed network traffic data into the network traffic features by a preset feature extraction method.
  9. A federal intrusion detection system, for use with a federal server, comprising: a feature selection module for determining an optimal feature subset based on the network traffic features uploaded by each security gateway; a model iteration training module for performing multiple rounds of iterative training on an initial global model, and updating the initial global model based on global model parameters when iteration is completed to obtain an optimized global model, wherein each round of iteration comprises: issuing the optimal feature subset and the global model parameters of the previous iteration to each security gateway; receiving the model parameter update values and weights uploaded by each security gateway, wherein the model parameter update values are obtained by the security gateway according to local model parameters and the global model parameters of the previous iteration, and the local model parameters are obtained by the security gateway by training on the optimal feature subset and the local training data set; and updating the global model parameters of the previous iteration according to the model parameter update values and the weights of each security gateway to obtain the global model parameters of the current iteration; and a model issuing module for issuing the optimized global model to each security gateway for intrusion detection.
  10. A federal intrusion detection system, for use in a security gateway, comprising: a data receiving and transmitting module for uploading the network traffic features to the federal server; the data receiving and transmitting module is also used for receiving an optimal feature subset issued by the federal server and the global model parameters of the previous iteration, wherein the optimal feature subset is determined by the federal server based on the network traffic features; an active learning module for training on the optimal feature subset and the local training data set to obtain local model parameters; the active learning module is also used for obtaining a model parameter update value according to the local model parameters and the global model parameters of the previous iteration; the data receiving and transmitting module is also used for uploading the model parameter update value and the weight to the federal server; the data receiving and transmitting module is also used for receiving an optimized global model issued by the federal server, wherein the optimized global model is obtained by the federal server by performing multiple rounds of iterative training on an initial global model and updating the initial global model based on global model parameters when iteration is completed; and an intrusion detection module for performing intrusion detection based on the optimized global model.

Description

Federal intrusion detection method and system

Technical Field

The invention relates to the technical field of network security, in particular to a federal intrusion detection method and system.

Background

With the wide deployment of Internet of Things devices in key infrastructure, the risk of network attack they face has increased dramatically. How to build an efficient collaborative intrusion detection mechanism in an edge environment with limited resources and sensitive privacy is a problem the industry needs to solve.

In the prior art, an intrusion detection scheme based on a federal average algorithm is generally adopted: all edge devices train models locally on the full feature set, and a central server performs weighted aggregation on the uploaded model parameters in proportion to the number of samples on each device. This avoids uploading the original data and provides preliminary privacy protection.

However, the prior art has obvious defects. First, training and parameter transmission are carried out directly on high-dimensional, full original features, so the edge computation burden is heavy and the communication overhead is high. Second, the aggregation process determines weights only from the number of samples and ignores differences in data quality between devices; in Internet of Things scenarios with uneven data distribution, the global model is easily dominated by samples that are large in quantity but low in value, so the accuracy and convergence speed of the model in intrusion detection are poor.

Disclosure of Invention

The invention provides a federal intrusion detection method and a federal intrusion detection system, which are used for solving the defects in the prior art and improving the accuracy and convergence speed of the generated optimized global model in intrusion detection.
The invention provides a federal intrusion detection method, which is applied to a federal server and comprises the following steps: determining an optimal feature subset based on network traffic features uploaded by each security gateway; performing multiple rounds of iterative training on the initial global model, and updating the initial global model based on global model parameters when iteration is completed to obtain an optimized global model; issuing the optimized global model to each security gateway for intrusion detection; wherein in each iteration, the following steps are performed: issuing the optimal feature subset and the global model parameters of the previous iteration to each security gateway; receiving the model parameter update values and weights uploaded by the security gateways, wherein the model parameter update values are obtained by the security gateways according to local model parameters and the global model parameters of the previous iteration, and the local model parameters are obtained by the security gateways by training on the optimal feature subset and the local training data set; and updating the global model parameters of the previous iteration according to the model parameter update values and the weights of the security gateways to obtain the global model parameters of the current iteration.
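The contrast drawn above between sample-count weighting and information-based weighting, as an added Python example that is not code from the patent. The aggregation formula did not survive on this page, so a normalized weighted sum of update values is assumed, and Shannon entropy stands in for the unspecified potential information content score; all function names and data are constructed.

```python
import math

def entropy(probs):
    # Assumed scoring rule: Shannon entropy of the local model's class probabilities.
    return -sum(p * math.log2(p) for p in probs if p > 0)

def select_targets(unlabeled_probs, k):
    # Gateway side: keep the k unlabeled samples with the highest score.
    scored = sorted(((entropy(p), i) for i, p in enumerate(unlabeled_probs)), reverse=True)
    return scored[:k]

def gateway_weight(targets):
    # Weight rises with the mean score; using the mean itself is an assumption.
    return sum(score for score, _ in targets) / len(targets)

def aggregate(prev_global, updates, weights):
    # Server side, assumed rule: prev + sum_i (a_i / sum_j a_j) * delta_i.
    if not updates or len(updates) != len(weights):
        raise ValueError("one weight per update is required")
    if any(not math.isfinite(a) or a < 0 for a in weights) or sum(weights) <= 0:
        raise ValueError("weights must be finite, non-negative and not all zero")
    total = sum(weights)
    new_global = list(prev_global)
    for delta, a in zip(updates, weights):
        if len(delta) != len(prev_global) or not all(math.isfinite(v) for v in delta):
            raise ValueError("malformed update vector")
        for j, v in enumerate(delta):
            new_global[j] += (a / total) * v
    return new_global

# Constructed data: gateway A holds many low-information samples,
# gateway B holds few high-information ones.
PROBS_A = [[0.99, 0.01], [0.98, 0.02], [0.97, 0.03], [0.99, 0.01]]
PROBS_B = [[0.5, 0.5], [0.6, 0.4]]
PREV = [0.0, 0.0]
DELTA_A, DELTA_B = [1.0, 0.0], [0.0, 1.0]

def demo():
    w_a = gateway_weight(select_targets(PROBS_A, 2))
    w_b = gateway_weight(select_targets(PROBS_B, 2))
    by_info = aggregate(PREV, [DELTA_A, DELTA_B], [w_a, w_b])
    by_count = aggregate(PREV, [DELTA_A, DELTA_B], [len(PROBS_A), len(PROBS_B)])
    return by_info, by_count

if __name__ == "__main__":
    print(demo())
```

With sample-count weights gateway A's update dominates the new global parameters; with the information-based weights gateway B's does. The server-side checks reject non-finite or negative weights before they reach the aggregate.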
According to the federal intrusion detection method provided by the invention, the determining of the optimal feature subset based on the network traffic features uploaded by each security gateway comprises the following steps: constructing a feature selection search space according to the network traffic features, and initializing a population containing a plurality of candidate feature subsets according to the feature selection search space; within the preset number of iterations, calculating the fitness value of each candidate feature subset according to the fitness function, and dividing the population into role groups of four levels; updating the positions of the other candidate feature subsets in the population according to the current positions of each role group, and generating an optimal candidate subset of the round when each iteration is finished; and when a preset iteration termination condition is reached, taking the final optimal candidate subset as the optimal feature subset. According to the federal intrusion detection method provided by the invention, the updating of the positions of the other candidate feature subsets in the population according to the current positions of the role groups comprises the following steps: respectively acquiring the position vectors of the role groups of the four levels in the current iteration; calculating the distance vectors of the candidate feature subset to be updated in the population relative to the role groups of the four levels; based on the distance vectors and a preset dynamic coefficient vector, respectively calculating the update components of the candidate feature subset to be updated relative to each rol