Authors: | Nechakhin V.A., Pishchik B.N. |
Title: | Application of Deep Learning Methods for Intrusion Detection |
Bibliographic reference: | Nechakhin V.A., Pishchik B.N. Application of Deep Learning Methods for Intrusion Detection // Vestnik of Novosibirsk State University. Series: Information Technologies. - 2019. - Vol. 17. - No. 2. - P. 114-121. - ISSN 1818-7900. - EISSN 2410-0420. |
External systems: | DOI: 10.25205/1818-7900-2019-17-2-114-121; RSCI: 41661986; |
Abstract: | rus: The results of applying deep neural networks to detect malicious activity in network traffic are presented. In the course of the study, two kinds of neural network were implemented: a recurrent autoencoder and a generative adversarial network. The results of the study on the CICIDS2017 dataset are presented. eng: One of the ways of ensuring information security is the use of intrusion detection systems (IDS). IDS are used to detect malicious activity on the network. The standard approach to detecting attacks is to look for specific patterns, such as byte sequences in network traffic or known malicious instruction sequences used by malware. This approach is highly efficient, but it is not able to detect attacks that have no patterns. Modern approaches to attack detection use deep learning. The purpose of this work was to explore the possibility of building a universal classifier of network traffic based on a deep neural network. For this, a recurrent autoencoder was trained on TCP packets from the CICIDS2017 dataset. During training, the expected output vector was set equal to the input vector, and training was performed on normal traffic. The main idea was that a recurrent autoencoder trained in this way should reconstruct anomalous traffic with a high loss. A TCP packet is considered malicious if the reconstruction loss is above the threshold. However, the accuracy of reconstructing normal TCP packets was low due to insufficient model capacity and the lack of a suitable representation learning method. After analyzing the results, we proposed an approach that can improve detection accuracy for some attacks. Based on this approach, the VAEGAN network was trained on normal network flows from CICIDS2017. The VAEGAN was used to detect malicious network flows: an anomaly score is calculated for each flow, and if the score is above the threshold, the flow is malicious. The VAEGAN network showed a high attack detection rate and an F-score of 0.933. |
Keywords: | deep learning; generative adversarial network; autoencoder; anomaly detection; CICIDS2017; intrusion detection; |
Published: | 2019 |
Physical description: | pp. 114-121 |
References: | 1. Branitskiy A., Kotenko I. Analysis and classification of methods for network attack detection. SPIIRAS Proceedings, 2016, no. 45, p. 207-244. DOI: https://doi.org/10.15622/sp.45.13 2. Goodfellow I., Bengio Y., Courville A. Deep Learning. MIT Press, 2016, 802 p. 3. Masakazu M., Mori K., Mitari Y., Kaneda Y. Subject Independent Facial Expression Recognition With Robust Face Detection Using a Convolutional Neural Network. Neural Networks, 2003, no. 16, p. 555-559. DOI 10.1016/S0893-6080(03)00115-1 4. Zenati H., Foo C. S., Lecouat B., Manek G., Chandrasekhar V. R. Efficient GAN-based anomaly detection. In: 6th International Conference on Learning Representations, 2018. 5. Larsen A. B. L., Sonderby S. K., Larochelle H., Winther O. Autoencoding beyond pixels using a learned similarity metric. In: ICML'16 Proceedings of the 33rd International Conference on International Conference on Machine Learning, 2016, no. 48, p. 1558-1566. 6. Schlegl T., Seeböck P., Waldstein S. M., Schmidt-Erfurth U., Langs G. Unsupervised Anomaly Detection with Generative Adversarial Networks to Guide Marker Discovery. In: The proceedings of the international conference on Information Processing in Medical Imaging (IPMI), 2017. DOI 10.1007/978-3-319-59050-9_12 |