Abstract: | With the rapid development of the Internet, malicious attacks are becoming increasingly common. To address this, using machine learning or deep learning in intrusion detection systems (IDS) to detect malicious traffic has become a major trend. However, many datasets are public, and public datasets often suffer from data imbalance. A common solution is the Synthetic Minority Over-sampling Technique (SMOTE), but the traffic generated by this method lacks authenticity. Effectively generating diverse and realistic traffic is a significant challenge. This paper presents an architecture called "Malicious Cyber Maker GAN (MCM-GAN)", which aims to address training instability and mode collapse and to ensure diversity in the generated samples. The architecture adopts the Wasserstein Generative Adversarial Network with Gradient Penalty (WGAN-GP) design, which improves on the original weight clipping method by introducing a gradient penalty to stabilize the generation process.
In addition, the work incorporates the Conditional Generative Adversarial Network (CGAN) and the Two Time-Scale Update Rule (TTUR) to further improve generation effectiveness and training efficiency. Experimental results on the UNSW-NB15 dataset show that when generating nine types of malicious network attacks using MCM-GAN, the training time was reduced by 21.99% compared to using LSTM as the generator and discriminator, and the model size was reduced by 27.62%. XGBoost, Random Forest and SVC models trained on the original data combined with MCM-GAN-generated data achieved F1 scores of 89.07%, 87.04% and 84.31%, respectively. These F1 scores are higher than those achieved with generation techniques such as SVM-SMOTE, GRU-CGAN and LSTM-CGAN. In addition, these models showed an average F1 score improvement of 6.83%, 6.48% and 9.91%, respectively, compared to models trained only on the original data. |