基于变分自编码器和三支决策的工控入侵检测算法

An industrial intrusion detection algorithm based on variational autoencoder and three-way decisions

为了更精确地提取工控入侵数据集特征和更精准地分类恶意数据,使得入侵检测方法满足当前工业控制网络的安全需求,提出了基于变分自编码器(Variational Autoencoder,VAE)和三支决策理论(Three-way Decisions,TWD)的新型工业控制网络入侵检测算法(VAE-TWD)。该算法利用变分自编码器强大的感知能力对高维数据进行降维映射和特征提取,再对正常和恶意数据利用三支决策理论进行即刻决策,划分入正向决策域和负向决策域。而对于边界域内不确定的数据,将通过不同粒度的特征,选择适当数据构成新的训练集并扩充到原有数据集中。然后重复决策过程,直至决策域中数据为空,规避盲目决策的风险。实验结果表明VAE-TWD算法提升了对工控入侵检测的特征提取能力和分类能力,且在准确率、检出率、误报率、F1得分等指标上均优于对比算法,有效提高了工控入侵检测的性能。

In order to extract the characteristics of industrial control intrusion data set and classify malicious data more accurately,make the intrusion detection methods meet the security needs of the current industrial control network,a novel VAE-TWD algorithm based on variational auto-encoders(VAE)and three-way decisions theory(TWD)is proposed.The algorithm uses the powerful perceptive ability of variational autoencoder to reduce dimension mapping and extract feature for high-dimensional data,and then makes instant decision for normal and malicious data by using three-way decision theory,divides them into positive decision domain and negative decision domain.For the uncertain data in the boundary region,the new training set will be constructed by selecting appropriate data with different granularity features and then extended to the original data set.Then the decision-making process is repeated until the data in the decision-making domain is empty to avoid the risk of blind decision-making.The experimental results show that VAE-TWD algorithm improves feature extraction ability and classification ability of industrial control intrusion detection,is superior to the comparison algorithms in accuracy,detection rate,false positive rate,F1 score and other indicators,and effectively improves the performance of industrial control intrusion detection.