
Research On Anomaly-based Intrusion Detection And Adversarial Defense Mechanism

Posted on: 2024-02-07 | Degree: Master | Type: Thesis
Country: China | Candidate: W D Xiong | Full Text: PDF
GTID: 2558307091488144 | Subject: Computer Science and Technology
Abstract/Summary:
The intrusion detection system is a security system that monitors local systems and network transmissions. As an important part of computer security systems, intrusion detection has been widely used in various fields. In recent years, existing intrusion detection techniques have faced tremendous challenges due to continuous advances in attack techniques. To improve the performance of the intrusion detection system, a terminal intrusion detection algorithm and an adversarial intrusion detection training framework are proposed in this thesis, respectively. The specific work is as follows.

(1) To improve the performance of the intrusion detection system, a Terminal-Level Intrusion Detection Algorithm (TL-IDA) is proposed in this thesis. In the data preprocessing stage, the system logs are cut into sequential, small chunks of command sequences, and statistical metrics are introduced to construct feature vectors for these command sequences. Subsequently, the user data is modeled using TL-IDA. Based on this, this thesis also proposes a sliding window detection method to improve the confidence of the system alerts, thus improving the performance of the terminal intrusion detection algorithm.

(2) To improve the robustness of the intrusion detection system, an Adversarial Intrusion Detection Training Framework (AIDTF) is proposed in this thesis. AIDTF consists of an attacker, a defender, and a black box trainer, where both the attacker and the defender are multilayer perceptrons and the trainer is a module used to train the intrusion detection system. AIDTF uses an adversarial training approach to improve the accuracy of intrusion detection systems. The goal of the attacker is to generate samples that deceive the defender, while the goal of the defender is to determine whether the input samples are real samples, so there is an adversarial relationship between the attacker and the defender. The trainer can train different types of intrusion detection systems using the samples generated through this confrontation. This paper refers to this network-side intrusion detection system as an Adversarial Training Intrusion Detection System (ATIDS).

Experiments show that the recognition rate and false alarm rate of TL-IDA are better than those of other terminal intrusion detection algorithms such as ADMIT and the Hidden Markov Model. Meanwhile, ATIDS not only has higher accuracy on the test set, but also achieves a 99% recognition rate for attack samples, indicating that AIDTF outperforms other adversarial training methods such as the Fast Gradient Method, Fast Gradient Sign Method, Projected Gradient Descent Method, and Jacobian Saliency Map Algorithm.
Keywords/Search Tags: Network security, Intrusion detection, Dynamic clustering, Machine learning, Adversarial training