Please use this Handle URI to cite this document:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/93864
Title: | Handling Class Imbalance of Cross-Network Datasets for Intrusion Detection in IoT Networks |
Author: | 劉育廷 Yu-Ting Liu |
Advisor: | 謝宏昀 Hung-Yun Hsieh |
Keywords: | IoT, Intrusion Detection, Imbalanced Dataset, Data Sampling, Cyber Security |
Year of publication: | 2024 |
Degree: | Master's |
Abstract: | The rise in IoT cyber-attacks highlights the need for robust intrusion detection systems (IDS). However, most existing research does not consider the differences in network behavior between internal and external environments, and existing intrusion detection works rarely perform experiments on reconnaissance attacks, which are a crucial phase in the cyber attack lifecycle, instead focusing on more common attacks like Denial of Service (DoS) and Distributed DoS (DDoS) attacks. A robust IDS should be capable of adapting to different environments, minimizing the impact of attacks, and even preventing them from occurring. Based on the above, we combined the external network dataset UNSW-NB15 and the internal network dataset Bot-IoT to create an IoT network dataset that closely reflects real-world scenarios and mitigates data imbalance issues, which are common in intrusion detection datasets because attacks typically occur at low frequency during data collection. To further address the lack of reconnaissance attack data, we propose KLB-SMOTE, a data sampling method integrating outlier removal and oversampling techniques. We categorize minority class samples, apply distance-based and density-based outlier detection to the noise group, and focus on synthesizing data specifically within the boundaries of minority class data.
KLB-SMOTE generates synthetic samples that more accurately reflect the data distribution, achieving class balance while enhancing model effectiveness. Finally, leveraging deep learning techniques, we conducted a multi-class classification of various attack types, including DoS, DDoS, and Reconnaissance. This approach improved reconnaissance prediction accuracy by approximately 45%, with each class achieving a prediction accuracy of over 95.9% and an overall accuracy score of 97.6%. |
URI: | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/93864 |
DOI: | 10.6342/NTU202402789 |
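Full-text authorization: | Not authorized |
Appears in department/unit: | Graduate Institute of Communication Engineering |
Files in this item:
File | Size | Format | |
---|---|---|---|
ntu-112-2.pdf Currently not authorized for public access | 7.94 MB | Adobe PDF |
Items in this system are protected by copyright, with all rights reserved, unless their copyright terms are otherwise specified.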