基于轻量级梯度提升机优化的工业互联网入侵检测方法

doi:10.11959/j.issn.2096-109x.2023020

摘要/Abstract

摘要：

入侵检测作为一种积极主动的安全防护技术，对于确保工业互联网安全起着至关重要的作用。为了满足工业互联网高准确率和高实时性的入侵检测需求，提出基于轻量级梯度提升机优化的工业互联网入侵检测方法。针对工业互联网业务数据中难分类样本导致检测准确率低的问题，改进轻量级梯度提升机原有的损失函数为焦点损失函数，该损失函数可自适应动态调节不同类别数据样本的损失值和权重，支持模型在训练过程中降低易分类样本的权重，进而提高难分类样本的检测准确率；针对轻量级梯度提升机参数较多并且对模型的检测准确率、检测时间和拟合程度等影响较大的问题，利用果蝇优化算法选择模型的最优参数组合；在密西西比州立大学提供的天然气管道数据集上得到模型的最优参数组合并进行验证，并在储水罐数据集上进一步验证所提模型的有效性。实验结果表明，采用所提方法改进的模型在天然气管道数据集上的检测准确率较对比模型最少提高了3.14%，检测时间较对比模型中的随机森林和支持向量机分别降低了0.35 s和19.53 s，较决策树和极端梯度提升机分别增加了0.06 s和0.02 s，同时在储水罐数据集上取得了良好的检测结果。因此证明所提方法可以很好地识别工业互联网业务数据中的攻击数据样本，提升了在工业互联网入侵检测中的实用性。

关键词: 工业互联网, 入侵检测, 轻量级梯度提升机, 焦点损失函数, 果蝇优化算法

Abstract:

Intrusion detection is a critical security protection technology in the industrial internet, and it plays a vital role in ensuring the security of the system.In order to meet the requirements of high accuracy and high real-time intrusion detection in industrial internet, an industrial internet intrusion detection method based on light gradient boosting machine optimization was proposed.To address the problem of low detection accuracy caused by difficult-to-classify samples in industrial internet business data, the original loss function of the light gradient boosting machine as a focal loss function was improved.This function can dynamically adjust the loss value and weight of different types of data samples during the training process, reducing the weight of easy-to-classify samples to improve detection accuracy for difficult-to-classify samples.Then a fruit fly optimization algorithm was used to select the optimal parameter combination of the model for the problem that the light gradient boosting machine has many parameters and has great influence on the detection accuracy, detection time and fitting degree of the model.Finally, the optimal parameter combination of the model was obtained and verified on the gas pipeline dataset provided by Mississippi State University, then the effectiveness of the proposed mode was further verified on the water dataset.The experimental results show that the proposed method achieves higher detection accuracy and lower detection time than the comparison model.The detection accuracy of the proposed method on the gas pipeline dataset is at least 3.14% higher than that of the comparison model.The detection time is 0.35s and 19.53s lower than that of the random forest and support vector machine in the comparison model, and 0.06s and 0.02s higher than that of the decision tree and extreme gradient boosting machine, respectively.The proposed method also achieved good detection results on the water dataset.Therefore, the proposed method can effectively identify attack data samples in industrial internet business data and improve the practicality and efficiency of intrusion detection in the industrial internet.

Key words: industrial Internet, intrusion detection, light gradient boosting machine, focal loss, fruit fly optimization algorithm

中图分类号:

TN918.91

胡向东, 唐玲玲. 基于轻量级梯度提升机优化的工业互联网入侵检测方法[J]. 网络与信息安全学报, 2023, 9(2): 46-55.

Xiangdong HU, Lingling TANG. Method on intrusion detection for industrial internet based on light gradient boosting machine[J]. Chinese Journal of Network and Information Security, 2023, 9(2): 46-55.

图/表 16

图1

图2

图3

图4

表1

图5

表2

表3

图6

表4

图7

图8

表5

表6

表7

表8

参考文献 16

[1]	张文安, 洪榛, 朱俊威 ,等. 工业控制系统网络入侵检测方法综述[J]. 控制与决策, 2019,34(11): 2277-2288.
	ZHANG W A , HONG Z , ZHU J W ,et al. A survey of network intrusion detection methods for industrial control systems[J]. Control and Decision, 2019,34(11): 2277-2288.
[2]	LIN J , LIU L . Research on security detection and data analysis for industrial internet[C]// Proceedings of 2019 IEEE 19th International Conference on Software Quality,Reliability and Security Companion (QRSC). 2019: 466-470.
[3]	KEVRIC J , JUKIC S , SUBASI A . An effective combining classifier approach using tree algorithms for network intrusion detection[J]. Neural Computing and Applications, 2017,28(1): 1051-1058.
[4]	LANLAN P , LIANGYU H , ZHENGYA L . Simulation of English part-of-speech recognition based on machine learning prediction algorithm[J]. Journal of Intelligent ＆ Fuzzy Systems, 2021,40(2): 2409-2419.
[5]	OTA R , IDE T , MICHIUE T . A rapid segmentation method of cell boundary for developing embryos using machine learning with a personal computer[J]. Development,Growth ＆ Differentiation, 2021,63(8): 406-416.
[6]	ELHOSENY M . Multi-object detection and tracking （MODT） machine learning model for real-time video surveillance systems[J]. Circuits,Systems,and Signal Processing, 2020,39(2): 611-630.
[7]	SETH S , SINGH G , KAUR C K . A novel time efficient learning-based approach for smart intrusion detection system[J]. Journal of Big Data, 2021,8(1): 1-28.
[8]	LIANG W , LI K C , LONG J ,et al. An industrial network intrusion etection algorithm based on multi-feature data clustering optimization model[J]. IEEE Transactions on Industrial Informatics, 2019,16(3): 2063-2071.
[9]	石乐义, 朱红强, 刘祎豪 ,等. 基于相关信息熵和 CNN-BiLSTM的工业控制系统入侵检测[J]. 计算机研究与发展, 2019,56(11): 2330-2338.
	SHI L Y , ZHU H Q , LIU Y H ,et al. Intrusion detection of industrial control system based on correlation information entropy and CNN-BiLSTM[J]. Journal of Computer Research and Development, 2019,56(11): 2330-2338.
[10]	王华忠, 程奇 . 基于改进鲸鱼算法的工控系统入侵检测研究[J]. 信息网络安全, 2021,21(2): 53-60.
	WANG H Z , CHENG Q . Research on intrusion detection of industrial control system based on improved whale algorithm[J]. Netinfo Security, 2021,21(2): 53-60.
[11]	LI X , ZHU M , YANG L T ,et al. Sustainable ensemble learning driving intrusion detection model[J]. IEEE Transactions on Dependable and Secure Computing, 2021,18(4): 1591-1604.
[12]	LIN T Y , GOYAL P , GIRSHICK R et al . Focal loss for dense object detection[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2020,42(2): 2980-2988.
[13]	宋玲玲, 王时绘, 杨超 ,等. 改进的 XGBoost 在不平衡数据处理中的应用研究[J]. 计算机科学, 2020,47(6): 98-103.
	SONG L L , WANG S H , YANG C ,et al. Application research of improved XGBoost in imbalanced data processing[J]. Computer Science, 2020,47(6): 98-103.
[14]	KE G , MENG Q , FINLEY T ,et al. LightGBM:a highly efficient gradient boosting decision tree[C]// Proceedings of the 31st International Conference on Neural Information Processing Systems. 2017: 3149-3157.
[15]	LYU S X , ZENG Y R , WANG L . An effective fruit fly optimization algorithm with hybrid information exchange and its applications[J]. International Journal of Machine Learning and Cybernetics, 2018,9(10): 1623-1648.
[16]	MORRIS T , GAO W . Industrial control system traffic data sets for intrusion detection research[C]// Proceedings of International Conference on Critical Infrastructure Protection. 2014: 65-78.

名称	取值范围	定义	作用
learning_rate	（0.01,0.5）	学习率	提高准确率
num_leaves	（0,100）	叶子节点数	防止过拟合
max_depth	（0,100）	树的最大深度	防止过拟合
bagging_fraction	（0.0,1.0）	训练数据比例	加快训练速度
reg_alpha	（0.0,1.0）	L1正则化参数	防止过拟合
reg_lambda	（0.0,1.0）	L2正则化参数	防止过拟合

数据类型	描述	数据/条
数据类型	描述	天然气管道	储水罐
Normal	正常数据	61 156	172 415
NMRI	简单恶意响应注入攻击	2 763	9 187
CMRI	复杂恶意响应注入攻击	15 466	12 460
MSCI	恶意状态命令注入攻击	782	1 833
MPCI	非法参数命令注入攻击	7 637	3 725
MFCI	恶意操作命令注入攻击	573	1 320
DoS	拒绝服务攻击	1 837	1 237
Recon	侦查攻击	6 805	34 002
总计	—	97 019	236 179

混淆矩阵		真实值
混淆矩阵		正常	攻击
预测值	正常	TN	FP
	攻击	FN	TP

名称	参数取值
learning_rate	0.197
num_leaves	42
max_depth	54
bagging_fraction	0.305
reg_alpha	0.588
reg_lambda	0.175

模型	LightGBM				本文
模型	准确率	漏报率	误报率	F1	准确率	漏报率	误报率	F1
Normal	96.46%	1.95%	6.22%	97.21%	99.05%	0.60%	1.54%	99.24%
NMRI	98.15%	65.12%	0	51.66%	99.60%	12.02%	0.05%	92.64%
CMRI	98.73%	1.63%	1.19%	96.09%	99.88%	0.10%	0.11%	99.64%
MSCI	99.93%	4.62%	0.03%	95.78%	99.93%	4.62%	0.03%	95.78%
MPCI	99.64%	1.67%	0.23%	97.79%	99.64%	1.67%	0.23%	97.79%
MFCI	99.96%	5.78%	0	97.02%	99.96%	5.78%	0	97.02%
DoS	99.94%	1.78%	0%	98.64%	99.94%	1.96%	0.01%	98.64%
Recon	100%	0	0	100%	100%	0	0	100%