A network-based intrusion detection system (NIDS) monitors network traffic for malicious activity, forming the front-line defense against the growing number of attacks on information infrastructures. Although promising, our quantitative analysis shows that existing methods perform inconsistently in identifying different attack types and perform poorly in few-shot intrusion detection. We reveal that the underlying cause is the entangled distributions of flow features. This motivates us to propose DIDS-MFL, a disentangled intrusion detection method that handles a variety of intrusion detection scenarios. DIDS-MFL involves two key components: a double Disentanglement-based Intrusion Detection System (DIDS) and a plug-and-play Multi-scale Few-shot Learning-based (MFL) intrusion detection module. Specifically, the proposed DIDS first disentangles traffic features by a non-parameterized optimization, automatically differentiating the tens to hundreds of complex features of various attacks. These differentiated features are then disentangled further to highlight the attack-specific features. Our DIDS additionally uses a novel graph diffusion method that dynamically fuses the network topology in evolving data streams. Furthermore, the proposed MFL involves an alternating optimization framework, with rigorous derivation, to address the entangled representations of few-shot traffic threats. MFL first captures multi-scale information in the latent space to distinguish attack-specific information, and then optimizes the disentanglement term to highlight that information. Finally, MFL fuses these two objectives and solves them alternately in an end-to-end way. Experiments show the superiority of our proposed DIDS-MFL. Our code is available at https://github.com/qcydm/DIDS-MFL.