CN-122027315-A - Intelligent network intrusion detection system integrating adversarial training and graph data enhancement
Abstract
The invention relates to the technical fields of network security and artificial intelligence and provides an intelligent network intrusion detection system integrating adversarial training and graph data enhancement. The system comprises a dynamic traffic graph construction module, a graph data enhancement module, an adversarial sample generation module, a hierarchical graph convolution detection module, and an online incremental learning and feedback regulation module. It models network traffic data as a dynamic traffic graph, alleviates the imbalance of attack samples through graph enhancement strategies such as node feature masking and edge structure reconnection, improves model robustness with gradient-guided adversarial samples, extracts local traffic features and global topological features through a hierarchical graph convolution network, and achieves accurate detection of multiple attack types through cross-layer fusion.
Inventors
- HAO JIANXIANG
Assignees
- 北京邮电大学
Dates
- Publication Date: 20260512
- Application Date: 20260305
Claims (10)
- 1. An intelligent network intrusion detection system integrating adversarial training and graph data enhancement, characterized by comprising:
  - a dynamic traffic graph construction module, used for acquiring traffic packet data, IP communication relations and port access records in a target network in real time, and converting the acquired multidimensional network information into a dynamic traffic graph according to a preset graph abstraction rule, wherein IP addresses and ports are used as nodes, communication relations and traffic features are used as edges, a corresponding node feature vector is added for each node, and a corresponding edge weight vector is added for each edge, to form a dynamic traffic graph containing topological structure information and traffic attribute information;
  - a graph data enhancement module, connected with the dynamic traffic graph construction module, used for receiving the dynamic traffic graph and performing a node feature masking operation, an edge structure reconnection operation and a subgraph sampling operation on it to generate a plurality of enhanced views, expanding the number of attack samples, improving sample diversity and alleviating the imbalance of attack samples;
  - an adversarial sample generation module, connected with the graph data enhancement module, used for receiving the enhanced dynamic traffic graph, adding bounded perturbations in the graph node feature space based on a gradient-guided strategy to generate graph adversarial samples, and combining the graph adversarial samples and the enhanced original samples into an adversarial training data set;
  - a hierarchical graph convolution detection module, connected with the adversarial sample generation module, used for receiving the adversarial training data set, extracting local traffic features and global topological features from the dynamic traffic graph through a hierarchical graph convolution network, performing cross-layer fusion on the local traffic features and the global topological features, inputting the fused result into a classifier, and outputting a network intrusion type detection result.
- 2. The intelligent network intrusion detection system according to claim 1, wherein the node feature vector in the dynamic traffic graph construction module has 64 to 256 dimensions, and the edge weight vector comprises the number of traffic bytes, the packet rate, and a protocol type code.
- 3. The intelligent network intrusion detection system according to claim 1, wherein, in the graph data enhancement module, the mask ratio of the node feature masking operation is 0.1 to 0.3 and the reconnection ratio of the edge structure reconnection operation is 0.05 to 0.2.
- 4. The intelligent network intrusion detection system integrating adversarial training and graph data enhancement according to claim 1, wherein, in the adversarial sample generation module, the maximum perturbation radius of the bounded perturbation is 0.01 to 0.1, and the number of perturbation iteration steps is 3 to 10.
- 5. The intelligent network intrusion detection system integrating adversarial training and graph data enhancement according to claim 1, wherein the hierarchical graph convolution detection module comprises a local feature extraction sub-network and a global feature extraction sub-network, the local feature extraction sub-network extracts local traffic features using a graph convolution layer with 2-hop neighborhood aggregation, and the global feature extraction sub-network extracts global topological features using a graph pooling layer and a global attention layer.
- 6. The intelligent network intrusion detection system integrating adversarial training and graph data enhancement according to claim 5, wherein the local feature extraction sub-network comprises 3 graph convolution layers, the number of convolution kernel channels of the graph convolution layers is 128, 256 and 256 in sequence, and a batch normalization layer and an activation function layer follow each graph convolution layer.
- 7. The intelligent network intrusion detection system integrating adversarial training and graph data enhancement according to claim 1, wherein the subgraph sampling operation in the graph data enhancement module adopts an attack-type-aware sampling strategy, in which the subgraphs containing minority-class attack samples are oversampled, and the oversampling factor is inversely proportional to the number of samples of that attack type.
- 8. The intelligent network intrusion detection system integrating adversarial training and graph data enhancement according to claim 1, wherein the adversarial sample generation module further comprises a perturbation validity verification unit, used for verifying the semantic consistency of graph adversarial samples after they are generated and discarding adversarial samples whose semantic offset exceeds a preset threshold.
- 9. The intelligent network intrusion detection system integrating adversarial training and graph data enhancement according to claim 1, further comprising an online incremental learning and feedback regulation module connected respectively with the dynamic traffic graph construction module, the graph data enhancement module and the hierarchical graph convolution detection module, wherein the online incremental learning and feedback regulation module is used for monitoring the detection accuracy trend and the confidence distribution of the hierarchical graph convolution detection module, triggering an incremental learning process when a decline in detection performance is detected, merging newly acquired traffic samples into the existing training data to fine-tune and update the model, feeding the updated model parameters back to the hierarchical graph convolution detection module, feeding abnormal pattern information in the detection results back to the dynamic traffic graph construction module to dynamically adjust the graph construction strategy, and feeding it back to the graph data enhancement module to adjust the enhancement strategy parameters, wherein the incremental learning process adopts an elastic weight consolidation strategy, and the magnitude of model parameter updates is constrained through a Fisher information matrix to prevent catastrophic forgetting.
- 10. The intelligent network intrusion detection system integrating adversarial training and graph data enhancement according to claim 1, wherein the cross-layer fusion of the hierarchical graph convolution detection module adopts a gated attention mechanism, and the fusion weights of the local traffic features and the global topological features are dynamically adjusted through a learnable gating parameter.
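The graph construction and enhancement steps of claims 1 to 3 and 7, sketched as an added example that is not code from the patent. Assumptions: destination nodes are named `ip:port`, node features are random stand-ins, the flows are constructed, and the oversampling factor is taken relative to the largest class and rounded.

```python
import random
from collections import Counter

DIM = 64  # claim 2 allows 64-256; feature values here are random stand-ins
# Constructed flows: (src_ip, dst_ip, dst_port, bytes, packets_per_s, protocol_code)
DDOS = [(f"10.0.1.{i}", "10.0.0.20", 80, 900, 500.0, 17) for i in range(1, 11)]
SCAN = [(f"10.0.0.{7 + p % 2}", "10.0.0.20", p, 60, 200.0, 6) for p in range(20, 30)]
SAMPLES = [("ddos", DDOS)] * 4 + [("portscan", SCAN)]  # imbalanced on purpose

def build_graph(flows, rng):
    """IPs and ip:port endpoints are nodes; edges carry [bytes, rate, protocol]."""
    nodes, edges = {}, {}
    for src, dst, port, nbytes, rate, proto in flows:
        endpoint = f"{dst}:{port}"
        for n in (src, endpoint):
            nodes.setdefault(n, [rng.uniform(0.1, 1.0) for _ in range(DIM)])
        edges[(src, endpoint)] = [nbytes, rate, proto]
    return nodes, edges

def mask_features(nodes, ratio, rng):
    """Zero a `ratio` share of feature dimensions on every node."""
    out = {}
    for n, feat in nodes.items():
        masked = set(rng.sample(range(DIM), round(ratio * DIM)))
        out[n] = [0.0 if i in masked else v for i, v in enumerate(feat)]
    return out

def rewire_edges(edges, nodes, ratio, rng):
    """Re-point a `ratio` share of edges at another node, keeping their weights."""
    out = dict(edges)
    for src, dst in rng.sample(sorted(edges), max(1, round(ratio * len(edges)))):
        free = [n for n in sorted(nodes) if n not in (src, dst) and (src, n) not in out]
        if free:  # skip the edge when no unused target exists
            out[(src, rng.choice(free))] = out.pop((src, dst))
    return out

def oversample_factors(labels):
    """Views per subgraph, inversely proportional to the class's sample count."""
    counts = Counter(labels)
    return {c: round(max(counts.values()) / n) for c, n in counts.items()}

def augment_dataset(samples, mask_ratio=0.2, rewire_ratio=0.1, seed=7):
    rng, views = random.Random(seed), []
    factors = oversample_factors([label for label, _ in samples])
    for label, flows in samples:
        nodes, edges = build_graph(flows, rng)
        for _ in range(factors[label]):
            views.append((label, mask_features(nodes, mask_ratio, rng),
                          rewire_edges(edges, nodes, rewire_ratio, rng)))
    return views
```

With four DDoS subgraphs and one port-scan subgraph, `augment_dataset(SAMPLES)` returns four enhanced views of each class, so the minority class is no longer outnumbered in the training set.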
Description
Intelligent network intrusion detection system integrating adversarial training and graph data enhancement
Technical Field
The invention relates to the technical fields of network security and artificial intelligence, and in particular to an intelligent network intrusion detection system integrating adversarial training and graph data enhancement.
Background
With the continuous expansion of the internet and the continuous evolution of network attack techniques, network intrusion detection systems have become increasingly important. Traditional intrusion detection schemes rely mainly on rule matching or statistical features; they perform well against known attack patterns but detect new and variant attacks poorly. In recent years, deep learning has gradually been introduced into intrusion detection, and detection performance has improved markedly by automatically learning attack pattern features from large amounts of network traffic data.
The Chinese patent with publication number CN119854052A discloses an intelligent network security detection system and method based on big data analysis. In that scheme, adversarial data is generated from a historical network data set, and the adversarial training objective function is dynamically adjusted during training to balance the robustness and accuracy of the network security detection model. In addition, the scheme combines a graph neural network with a causal reasoning algorithm to construct an attack chain graph: a graph attention network aggregates neighbor information to generate node embeddings, and key causal nodes in the attack chain are identified with a causal discovery algorithm.
The scheme enhances the robustness of the detection model to a certain extent, but still has the following defects:
First, it treats network traffic data as flattened feature vectors fed to the model and fails to fully exploit the complex topological relationships between network entities. Although a graph neural network is introduced to model the attack chain, the attack chain graph is constructed through post-hoc analysis, so the graph-structural characteristics of network traffic cannot be reflected dynamically in real time.
Second, its adversarial training strategy focuses on adding perturbations in the feature space and does not consider adversarial threats at the graph structure level. In reality, an attacker can not only tamper with traffic content features but also change the network topology by forging communication relationships, thereby bypassing detection based on the graph neural network.
Third, it lacks an effective mechanism for handling attack sample imbalance. In an actual network environment, the ratio of normal traffic to attack traffic is severely unbalanced, and the number of samples differs greatly between attack types. Relying solely on adversarial training cannot fundamentally solve the model's insufficient detection sensitivity to minority-class attacks.
Fourth, it extracts graph convolution features with a single-granularity aggregation scheme and does not distinguish local traffic anomaly patterns from global topology anomaly patterns. Different types of network attacks, however, manifest at different spatial scales: port scan attacks usually exhibit local diffusion features, whereas distributed denial-of-service attacks exhibit global aggregation features, and single-granularity feature extraction has difficulty capturing both patterns.
Disclosure of Invention
To address the weak generalization capability and insufficient robustness against adversarial attacks of intrusion detection systems in the prior art, the invention provides an intelligent network intrusion detection system integrating adversarial training and graph data enhancement. The system models network traffic data as a dynamic traffic graph, designs a dual-enhancement framework comprising an adversarial training module and a graph data enhancement module, and proposes a hierarchical graph convolution network that captures local traffic features and global topological features at the same time, so as to accurately detect a variety of complex network attacks.
The technical scheme provided by the invention is an intelligent network intrusion detection system integrating adversarial training and graph data enhancement, comprising:
The dynamic traffic graph construction module is used for acquiring traffic packet data, IP communication relations and port access records in a target network in real time, and converting the acquired multidimensional network information into a dynamic traffic graph according to a preset graph abstraction rule, wherein an IP address