Computer Science, 2025, Vol. 52, Issue 4: 369-380. doi: 10.11896/jsjkx.240200092

• Information Security •

Ensemble-Model Defense Architecture Against Traffic Adversarial Examples Based on Feature Difference Selection

HE Yuankang1, MA Hailong1,2, HU Tao1, JIANG Yiming1,2

  1 PLA Strategic Support Force Information Engineering University, Zhengzhou 450000, China
  2 Key Laboratory of Cyberspace Security, Ministry of Education, Zhengzhou 450000, China
  • Received: 2024-02-26  Revised: 2024-07-25  Online: 2025-04-15  Published: 2025-04-14
  • Corresponding author: MA Hailong (longmanclear@163.com)
  • About the authors: HE Yuankang (yuankang_he@163.com), born in 1999, master's. His main research interests include network security and cyberspace security, machine learning and adversarial examples.
    MA Hailong, born in 1980, Ph.D., professor, Ph.D. supervisor. His main research interests include endogenous security in cyberspace, intelligent awareness of cyber threats, and innovative cyber systems.
  • Supported by: Xiong'an New Area Science and Technology Innovation Special Project (2022XAGG0111).

Abstract: Deep-learning-based anomaly traffic detection models are vulnerable to traffic adversarial examples. Adversarial training is an effective defense and does improve model robustness, but it also lowers detection accuracy, so how to balance detection performance against robustness is an open research question. This paper addresses it with a multi-model adversarial defense framework built on ensemble learning, which combines proactive feature difference selection with passive adversarial training to improve both adversarial robustness and detection performance. The framework consists of a feature difference selection module, a detector ensemble module and a voting adjudication module, and targets two weaknesses of a single detection model: it cannot balance detection performance and robustness, and its defense lags behind the attacks it is trained on. For training, a training-data construction method based on feature difference selection selects and combines traffic features differently for each detector, producing differentiated traffic samples that are used to train multiple heterogeneous detection models, so that the ensemble resists adversarial attacks aimed at a single model. For adjudication, the outputs of the multiple models are combined into a final decision, and an improved heuristic population algorithm optimizes the ensemble's adjudication strategy, which raises detection accuracy while making effective adversarial examples harder to generate. Experiments show a large improvement over single-model adversarial training, and an improvement of nearly 10% in both accuracy and robustness over existing ensemble defense methods.

Key words: Anomaly traffic detection, Adversarial example attack, Ensemble learning, Multi-model adjudication
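The three stages the abstract describes (differentiated feature subsets, heterogeneous detectors, an adjudication rule tuned by a population heuristic) can be seen end to end in the toy below. This is an added illustration written for this page, not the paper's code or data: the flow features and both classes are constructed synthetic samples, a nearest-centroid classifier stands in for the paper's deep detectors, ranking features by class separability and dealing them round-robin into disjoint subsets is one assumed instance of feature difference selection, and a plain genetic algorithm with an assumed penalty on concentrated vote weight stands in for the paper's improved heuristic. The last step plays the attacker from the abstract: full knowledge of one detector, used to push only that detector's features onto its benign centroid, and a check of whether the vote still flags the flow.

```python
"""Added illustration, not the paper's code: detectors on differentiated
feature subsets, GA-tuned vote weights, and a single-model evasion attempt."""
import random

FEATURES = ["pkt_rate", "mean_pkt_len", "flow_duration",  # constructed names,
            "syn_ratio", "bytes_out", "iat_std"]           # not the paper's

def make_flows(n, seed):
    """Constructed flows, label 1 = attack; bytes_out/iat_std overlap between
    classes and are deliberately weak features."""
    rng, rows = random.Random(seed), []
    for i in range(n):
        if i % 2:
            x = [rng.gauss(900, 150), rng.gauss(80, 20), rng.gauss(2, 1),
                 rng.gauss(0.8, 0.1), rng.gauss(2e4, 1.5e4), rng.gauss(0.12, 0.08)]
        else:
            x = [rng.gauss(100, 60), rng.gauss(600, 150), rng.gauss(20, 8),
                 rng.gauss(0.1, 0.05), rng.gauss(3e4, 1.5e4), rng.gauss(0.15, 0.08)]
        rows.append((x, i % 2))
    return rows

def mean_std(vals):
    m = sum(vals) / len(vals)
    return m, (sum((v - m) ** 2 for v in vals) / len(vals)) ** 0.5

def differential_subsets(rows, k):
    """Assumed feature-difference selection: rank features by
    |mean1-mean0|/(std0+std1), deal them round-robin into k disjoint subsets."""
    scores = []
    for j in range(len(FEATURES)):
        m0, s0 = mean_std([x[j] for x, y in rows if y == 0])
        m1, s1 = mean_std([x[j] for x, y in rows if y == 1])
        scores.append(abs(m1 - m0) / (s0 + s1 + 1e-9))
    ranked = sorted(range(len(FEATURES)), key=lambda j: -scores[j])
    return [ranked[i::k] for i in range(k)]

class CentroidDetector:
    """Nearest-centroid classifier on one standardized feature subset
    (stand-in for the paper's heterogeneous deep detectors)."""
    def __init__(self, subset):
        self.subset = subset
    def fit(self, rows):
        self.scale = [mean_std([x[j] for x, _ in rows]) for j in self.subset]
        self.centroid = {}
        for label in (0, 1):
            pts = [self.z(x) for x, y in rows if y == label]
            self.centroid[label] = [sum(p[i] for p in pts) / len(pts)
                                    for i in range(len(self.subset))]
        return self
    def z(self, x):
        return [(x[j] - m) / (s + 1e-9) for j, (m, s) in zip(self.subset, self.scale)]
    def predict(self, x):
        z = self.z(x)
        dist = {lab: sum((a - b) ** 2 for a, b in zip(z, c)) for lab, c in self.centroid.items()}
        return 1 if dist[1] < dist[0] else 0

def ensemble_predict(detectors, weights, x):
    """Weighted vote: attack iff the weight voting 'attack' exceeds half."""
    vote = sum(w for d, w in zip(detectors, weights) if d.predict(x) == 1)
    return 1 if vote > sum(weights) / 2 else 0

def accuracy(predict, rows):
    return sum(predict(x) == y for x, y in rows) / len(rows)

def optimize_weights(detectors, rows, seed=7, pop=12, gens=20):
    """Plain genetic algorithm over vote weights (stand-in for the paper's
    improved population heuristic). Fitness = validation accuracy minus an
    assumed penalty on the largest weight, so one detector cannot decide alone."""
    rng = random.Random(seed)
    def fitness(w):
        acc = accuracy(lambda x: ensemble_predict(detectors, w, x), rows)
        return acc - 0.1 * max(w) / sum(w)
    population = [[rng.random() + 0.1 for _ in detectors] for _ in range(pop)]
    for _ in range(gens):
        population.sort(key=fitness, reverse=True)
        parents, children = population[:pop // 2], []
        while len(parents) + len(children) < pop:
            a, b = rng.sample(parents, 2)  # crossover: blend two parents
            child = [(ai + bi) / 2 * (1 + rng.gauss(0, 0.2)) for ai, bi in zip(a, b)]
            children.append([max(c, 0.01) for c in child])  # mutation, keep > 0
        population = parents + children
    best = max(population, key=fitness)
    return [w / sum(best) for w in best]

def evade_single_detector(det, x):
    """Attacker who fully knows one detector: move only that detector's
    features onto its benign centroid, leave every other feature untouched."""
    x2 = list(x)
    for i, j in enumerate(det.subset):
        m, s = det.scale[i]
        x2[j] = det.centroid[0][i] * s + m
    return x2

def run_demo(k=3):
    train, val, test = make_flows(300, 1), make_flows(120, 2), make_flows(120, 3)
    subsets = differential_subsets(train, k)
    detectors = [CentroidDetector(s).fit(train) for s in subsets]
    weights = optimize_weights(detectors, val)
    vote = lambda x: ensemble_predict(detectors, weights, x)
    # Single-model attack: evade the heaviest-weighted detector on every attack flow.
    target = max(range(k), key=lambda i: weights[i])
    evaded = [(evade_single_detector(detectors[target], x), 1) for x, y in test if y == 1]
    return {"subsets": [[FEATURES[j] for j in s] for s in subsets], "weights": weights,
            "single_acc": [accuracy(d.predict, test) for d in detectors],
            "ensemble_acc": accuracy(vote, test),
            "target_caught": accuracy(detectors[target].predict, evaded),
            "ensemble_caught": accuracy(vote, evaded)}
```

Running `run_demo()` shows the targeted detector missing every evaded flow while the vote still catches nearly all of them, because the attacker never touched the features the other two detectors use. Two caveats for anyone reading this as a design pattern: the disjoint subsets make the single-model attack fail by construction, and a traffic-space attacker who reshapes packets moves several features at once, so overlap between subsets and the adversarial training the paper pairs with selection still matter; and the penalty in the fitness function is what stops the optimizer from collapsing the vote onto the single most accurate detector, which would hand the attacker back a single model to evade.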

CLC number: TP309