An internet of things intrusion detection method fusing LSTM and GAN

By integrating LSTM and GAN, and utilizing temporal reconstruction and multidimensional loss constraints to generate high-quality attack samples, the problem of insufficient authenticity of GAN-generated data in IoT intrusion detection is solved, thereby improving detection accuracy.

CN122247771A · Pending · Publication Date: 2026-06-19 · CIVIL AVIATION UNIV OF CHINA

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Applications (China)
Current Assignee / Owner: CIVIL AVIATION UNIV OF CHINA
Filing Date: 2026-05-22
Publication Date: 2026-06-19

AI Technical Summary

Technical Problem

Existing GAN generators and discriminators struggle to capture temporal correlations between traffic flows in IoT intrusion detection, and the generated data samples lack authenticity, resulting in low intrusion detection accuracy.

Method used

By combining LSTM and GAN, and through temporal reconstruction and multidimensional loss constraints, the generator and discriminator introduce cosine similarity loss and temporal authenticity loss on the basis of adversarial loss to generate high-quality attack samples.

Benefits of technology

It effectively solves the problem that traditional GAN-generated data cannot capture the temporal correlation between traffic features, improves the accuracy of intrusion detection, and reduces the false negative rate of minority attacks.

✦ Generated by Eureka AI based on patent content.


Abstract

This invention discloses an IoT intrusion detection method integrating LSTM and GAN, belonging to the field of IoT intrusion detection technology. It addresses the problem of low intrusion detection accuracy caused by insufficient data authenticity generated by existing GANs. Specifically, the method includes: preprocessing IoT traffic; performing temporal reconstruction on the preprocessed IoT traffic; constructing a generator based on a Long Short-Term Memory (LSTM) network and a discriminator based on a bidirectional LSTM network; constraining the generator by calculating the cosine similarity loss, temporal similarity loss, and adversarial loss between real and generated samples; expanding the generated samples to the original dataset to train the DNN model; normalizing the IoT traffic to be detected and inputting the normalized result into the trained DNN model to obtain the IoT intrusion detection result. This invention can be used for IoT intrusion detection.

Description

Technical Field

[0001] This invention belongs to the field of IoT intrusion detection, specifically involving an IoT intrusion detection method that integrates LSTM (Long Short-Term Memory Network) and GAN (Generative Adversarial Network).

Background Technology

[0002] The Internet of Things (IoT) connects devices, sensors, and objects in the physical world via the internet, enabling them to communicate, exchange data, and operate intelligently. From smart homes to the industrial internet, the application scenarios of IoT are expanding daily, greatly promoting social progress and economic growth. With the continuous evolution of the computer network environment, the types of attacks faced by networks are gradually increasing; therefore, network security protection is indispensable.

[0003] Currently, the main network security protection methods include firewalls and intrusion detection. Firewalls, as the first layer of network defense, can filter some attacks by scanning network communications, but they cannot deal with complex attacks. Intrusion detection, as the second layer of network defense, is an effective proactive defense technology that can effectively monitor the network environment in real time, thereby making up for the shortcomings of the first layer of defense and reducing the losses caused by network attacks. Therefore, intrusion detection has become a research focus in this field.

[0004] Machine learning-based intrusion detection methods can efficiently process large amounts of data and perform classification detection. However, because IoT datasets are frequently class-imbalanced, classifiers tend to favor the majority class during training, ultimately leading to a significantly higher false negative rate for the minority class. Currently, oversampling is mainly used to address class imbalance. Oversampling increases the number of minority-class samples by synthesizing or generating additional samples for the classes that have few, thereby balancing the proportion of each class in the dataset. Current oversampling methods are divided into random oversampling methods, traditional oversampling methods, and generative model oversampling methods. Random oversampling achieves oversampling by randomly copying minority class samples, but this can lead to overfitting due to sample duplication. The synthetic minority oversampling technique (SMOTE) is a typical traditional oversampling method that addresses this overfitting problem. It calculates the distance between minority class samples and selects one of the k nearest neighbors to generate a new sample. However, SMOTE also oversamples noisy samples; if the original minority class samples contain noisy data, the synthetic samples generated by SMOTE will also contain more noise, which may lead to underfitting of the model. Generative oversampling methods introduce Generative Adversarial Networks (GANs) to generate data for the minority class. The generator aims to produce data realistic enough to fool the discriminator, while the discriminator aims to maximize the accuracy of distinguishing between real and generated data. The two are trained alternately in an adversarial game until the generated samples approximate the real data distribution. Compared to other oversampling methods, GAN-generated data can capture global feature correlations, hence its widespread application.
However, existing GAN generators and discriminators often use fully connected layers, making it difficult to capture the temporal feature correlations between traffic flows in IoT scenarios. Furthermore, existing GANs rely on a single adversarial loss constraint to generate samples, making the generator prone to mode collapse. This results in a large number of simple, repetitive samples becoming noise that negatively impacts classifier performance. In summary, the data samples generated by existing GANs still lack sufficient realism, making it difficult to achieve ideal intrusion detection accuracy.

Summary of the Invention

[0005] The purpose of this invention is to address the problem of low intrusion detection accuracy in imbalanced scenarios due to insufficient data authenticity generated by existing GANs, and to propose an IoT intrusion detection method that integrates LSTM and GAN.

[0006] The technical solution adopted by this invention to solve the above-mentioned technical problems is: an IoT intrusion detection method integrating LSTM and GAN, the method specifically including the following steps:

[0007] Step 1: Obtain the IoT traffic training set. Preprocess each IoT traffic item in the IoT traffic training set to obtain the preprocessed IoT traffic training set.

[0008] Step 2: According to the preset time step, perform time-series reconstruction on various types of IoT traffic in the preprocessed IoT traffic training set to obtain a time-series traffic dataset containing three-dimensional time-series traffic samples.

[0009] The specific process of the time-series reconstruction is as follows:

[0010] Taking any type of IoT traffic as the current type of IoT traffic, first process the current type of IoT traffic in batches, and then reconstruct the time sequence of IoT traffic for each batch. For any batch:

[0011] The current batch of IoT traffic is reconstructed using a sliding window according to a preset time step, and the current batch of IoT traffic is converted into a three-dimensional time-series traffic sample.

[0012] Step 3: Count the number of three-dimensional time-series traffic samples corresponding to each IoT traffic category in the time-series traffic dataset, and then determine whether the number of three-dimensional time-series traffic samples for each category is less than the preset number of samples. Identify the categories whose number of three-dimensional time-series traffic samples is less than the preset number of samples. The identified categories are the categories that need to expand the samples.

[0013] The time-series traffic dataset obtained in step two is then used to train the GAN, which includes a generator and a discriminator.

[0014] The generator's input is the concatenation of a random noise vector and a class label vector to be generated, and its output is the generated three-dimensional time-series flow sample.

[0015] The input to the discriminator is the three-dimensional time-series flow sample output by the generator. Within the discriminator, forward and backward time-series dependency features of the three-dimensional time-series flow sample are extracted through a bidirectional long short-term memory network. Then, the hidden state sequence of the three-dimensional time-series flow sample is obtained based on the extracted forward and backward time-series dependency features. The hidden state of each time step in the hidden state sequence is linearly transformed to extract the global time-series features, which are the output of the discriminator.

[0016] Then, based on the trained GAN generator, three-dimensional time-series traffic samples belonging to each category that needs to expand the number of samples are generated respectively. The generated three-dimensional time-series traffic samples and the preprocessed IoT traffic in step one are used to form a training sample dataset.

[0017] Step 4: Train the DNN model using the training sample dataset constructed in Step 3;

[0018] Step 5: Obtain the IoT traffic to be detected. After normalizing the IoT traffic to be detected, use the normalized IoT traffic to be detected as the input of the trained DNN model, and output the intrusion detection result through the DNN model.

[0019] Furthermore, in step one, each IoT traffic in the IoT traffic training set is preprocessed, specifically by normalizing the numerical features in each IoT traffic and encoding the protocol type features in each IoT traffic.

[0020] For the first in the IoT traffic training set Numerical characteristics of IoT traffic:

[0021] ,

[0022] in, Indicates the first The first in the IoT traffic One data point, This represents the first [number] of each IoT traffic stream. The minimum value among the data. This represents the first [number] of each IoT traffic stream. The maximum value among the data. Indicates the first The first in the IoT traffic The preprocessed data corresponding to each data point;

[0023] For the first in the IoT traffic training set The protocol type characteristics in the IoT traffic are binary encoded to obtain the binary encoding result of the protocol type characteristics;

[0024] For the The IoT traffic, utilizing the first The normalized result of numerical characteristics in IoT traffic and the binary encoding result of protocol type characteristics constitute the first... The preprocessing result of the first IoT traffic, i.e., obtaining the preprocessed first... IoT traffic.

[0025] Furthermore, the training process of the GAN is as follows:

[0026] Step 1: Transfer the randomly generated noise vector Label vectors of the categories to be generated splicing result As input to the generator in GAN;

[0027] Within the generator, the concatenated result is sequentially passed through an LSTM and a fully connected layer to obtain the mapped features. ;

[0028] Step 2, Features After local smoothing using a one-dimensional convolutional layer, a three-dimensional temporal flow sample generated by the generator is obtained. ;

[0029] Step 3: Use the 3D time-series flow samples generated by the generator as input to the discriminator in GAN. In the discriminator, extract the forward and backward time-series dependency features of each time step through the BiLSTM layer, and construct the complete hidden state sequence based on the extracted forward and backward time-series dependency features.

[0030] Step 4: Perform linear transformation and temporal average pooling on the hidden states at each time step in the hidden state sequence to extract the three-dimensional temporal flow samples. Global temporal features of each two-dimensional sample;

[0031] Step 5: Calculate the adversarial loss of the generated time-series traffic samples based on global time-series features. and loss of time series authenticity ;

[0032] Step 6: Flatten the generated three-dimensional time-series flow samples into one-dimensional vectors, and then calculate the cosine similarity loss. , We construct a comprehensive objective function by weighted summation of the cosine similarity loss and the cosine similarity loss.

[0033] Step 7: Iteratively optimize the generator's internal parameters based on the gradient descent direction of the comprehensive objective function;

[0034] Step 8: Return to step 1 until the preset training rounds are reached or the convergence condition is met, and obtain the trained GAN.

[0035] Furthermore, the process of sequentially passing the concatenated result through an LSTM and a fully connected layer to obtain the mapped features is as follows:

[0036] ,

[0037] in, for The initial feature sequence output by LSTM This represents the weight matrix of the fully connected layer that maps the output of the LSTM back to the feature space. This represents the bias vector of the fully connected layer that maps the output of the LSTM back to the feature space. This represents the mapped features.

[0038] Furthermore, the specific process of step 2 is as follows:

[0039] ,

[0040] in, It is a one-dimensional convolution smoothing operation. It is the hyperbolic tangent activation function. It is a three-dimensional time-series flow sample generated by the generator.

[0041] Further, in step 3, the forward and backward temporal dependency features of each time step are extracted using a BiLSTM layer, and a complete hidden state sequence is constructed based on the extracted forward and backward temporal dependency features, specifically as follows:

[0042] ,

[0043] ,

[0044] ,

[0045] in, Representing three-dimensional time-series flow samples The Middle Two-dimensional sample The Data at each time step, Indicates the first Two-dimensional sample The The forward hidden state at each time step Indicates the first Two-dimensional sample The The forward hidden state at each time step Indicates the first Two-dimensional sample The The backward hidden state at each time step Indicates the first Two-dimensional sample The The backward hidden state at each time step Indicates a forward BiLSTM layer. Indicates a backward BiLSTM layer. Indicates to and The joint tensor obtained by splicing, i.e. It is the first Two-dimensional sample The hidden state sequence of the first The hidden state at each time step.

[0046] Furthermore, the specific process of performing linear transformation and temporal average pooling on the hidden states at each time step in the hidden state sequence is as follows:

[0047] ,

[0048] ,

[0049] in, and These represent the weight matrix and bias vector of the linear transformation, respectively; This indicates a modified linear unit activation function; express After linear transformation and activation, the first... Temporary feature vectors at each time step; It is the total number of time steps; It is the first Two-dimensional sample The global temporal characteristics.

[0050] Furthermore, the specific process of step 5 is as follows:

[0051] ,

[0052] ,

[0053] in, This represents the Sigmoid activation function. and These represent the weight matrix and bias vector for adversarial loss discrimination, respectively. and These represent the weight matrix and bias vector for determining the time series authenticity loss, respectively. It is to combat losses. It is a loss of temporal authenticity. , Representing three-dimensional time-series flow samples The total number of two-dimensional samples in the dataset.

[0054] Furthermore, the aforementioned , The comprehensive objective function is constructed by weighted summation of the cosine similarity loss and the cosine similarity loss. The specific process is as follows:

[0055] ,

[0056] in, Represents the overall objective function. This represents the cosine similarity loss. and All of these represent weighting coefficients.

[0057] Furthermore, the step of flattening the generated three-dimensional time-series flow samples into one-dimensional vectors and then calculating the cosine similarity loss is as follows:

[0058] ,

[0059] in, This represents the three-dimensional time-series flow samples generated by the generator. The Middle A two-dimensional sample, Indicates the first A real sample, This represents the operation of flattening a two-dimensional sample into a one-dimensional vector. This represents the L2 norm.

[0060] The beneficial effects of this invention are:

[0061] This invention first normalizes and reconstructs the temporal sequence of IoT traffic in the training set, eliminating the order-of-magnitude differences between traffic flows while preserving the contextual dependencies of traffic flows in the temporal dimension. This enables the model to capture the dynamic evolution of IoT attack behavior. This invention integrates LSTM and GAN as generative models, using LSTM to construct the generator and discriminator of the GAN, and introducing cosine similarity loss and temporal authenticity loss as multi-dimensional loss constraints on top of adversarial loss. By calculating the temporal authenticity of the feature vector space, it effectively solves the problem that traditional GAN-generated data cannot capture the temporal correlation between traffic features; by calculating the cosine similarity between generated samples and real samples, it effectively solves the problem of mode collapse that may occur in traditional GAN-generated data. Through these strategies, it helps the GAN generate high-quality attack samples that conform to statistical distribution characteristics and temporal logic. This invention utilizes the trained generative model to oversample the minority class attacks in the dataset, constructing an augmented dataset with a balanced class distribution. This fundamentally solves the problem of high false negative rates for minority class attacks caused by class imbalance in IoT intrusion detection, improving intrusion detection accuracy.

Attached Figure Description

[0062] Figure 1 is a flowchart of an IoT intrusion detection method that integrates LSTM and GAN according to the present invention;

[0063] Figure 2 is a comparison chart of the precision, recall, and F1 score between the method of this invention and different improved GAN methods.

Detailed Implementation

[0064] This invention designs a GAN generator and discriminator based on an LSTM model, and introduces cosine similarity loss and temporal authenticity loss on the basis of adversarial loss. This can improve the authenticity of the generated samples while ensuring the diversity of the generated samples, and ultimately improve the performance of intrusion detection. The method of this invention will be further described in detail below with reference to the accompanying drawings.

[0065] With reference to Figure 1, this embodiment describes an IoT intrusion detection method that integrates LSTM and GAN. The method specifically includes the following steps:

[0066] Step 1: Obtain the IoT traffic training set, which includes normal IoT traffic and abnormal IoT traffic. Preprocess each IoT traffic item in the IoT traffic training set to obtain the preprocessed IoT traffic training set.

[0067] Specifically, the preprocessing of IoT traffic in the IoT traffic training set involves normalizing the numerical features in the IoT traffic and encoding the protocol type features in the IoT traffic.

[0068] That is, for the first in the IoT traffic training set Numerical characteristics in IoT traffic:

[0069] ,

[0070] in, Indicates the first The first in the IoT traffic One data point, This represents the first [number] of each IoT traffic stream. The minimum value among the data. This represents the first [number] of each IoT traffic stream. The maximum value among the data. Indicates the first The first in the IoT traffic The preprocessed data corresponding to each data point;

[0071] For the first in the IoT traffic training set Protocol type characteristics in IoT traffic:

[0072] The protocol type characteristics are binary encoded to obtain the binary encoding result of the protocol type characteristics. For example, for the TCP network protocol (Transmission Control Protocol), the TCP network protocol is encoded as 100; for the UDP network protocol (User Datagram Protocol), the UDP network protocol is encoded as 010; and for the ICMP network protocol (Internet Control Message Protocol), the ICMP network protocol is encoded as 001.

[0073] For the The IoT traffic, utilizing the first The normalized result of numerical characteristics in IoT traffic and the binary encoding result of protocol type characteristics constitute the first... The preprocessing result of the first IoT traffic, i.e., obtaining the preprocessed first... For IoT traffic, preprocessing can eliminate the order-of-magnitude differences between data points, thereby avoiding excessive errors in subsequent classification and prediction.

[0074] Step 2: According to the preset time step, perform temporal reconstruction on various types of IoT traffic in the preprocessed IoT traffic training set to obtain a temporal traffic dataset containing three-dimensional temporal traffic samples. After temporal reconstruction, the LSTM can capture the temporal dependencies between features of the IoT traffic, which is the basis for the temporal authenticity loss calculation described below.

[0075] Specifically, the IoT traffic categories in this invention include normal IoT traffic and various types of abnormal IoT traffic. Since abnormal IoT traffic data accounts for a relatively small proportion, in order to balance the various samples in the training set, it is necessary to generate some IoT traffic data for the abnormal types with fewer samples. For any type of preprocessed IoT traffic, the preprocessed IoT traffic of this type is first reconstructed in batches according to time series. Taking any batch as an example, the IoT traffic of the current batch is reconstructed by a sliding window according to a preset time step, and the preprocessed IoT traffic of the current batch is converted into a three-dimensional time series sample tensor. , For the 3D data tensor after temporal reconstruction, The total number of two-dimensional samples, The total number of time steps. As a feature dimension, in the process of temporal reconstruction, This corresponds to the data dimension of each time step in the IoT traffic (i.e., the dimension of data within each IoT traffic stream), for example, setting the length of the sliding window to... That is, the total number of time steps contained within the sliding window is Then, the data from the first time step in the current batch of IoT traffic will be up to the second time step. Data from each time step is used to form a sample. Then, a window slides across this type of IoT traffic, determining the position of the next window based on the sliding step size. A new sample is then obtained based on the position of the next window. In the current batch, a total of samples are obtained through window sliding. One sample, After the samples are superimposed on the third dimension, the 3D data tensor of the current batch after temporal reconstruction is obtained. , three-dimensional data tensor As a three-dimensional sample in a time-series traffic dataset;

[0076] Similarly, each batch of preprocessed IoT traffic is processed separately.

[0077] Step 3: Count the number of three-dimensional time-series traffic samples corresponding to each IoT traffic category in the time-series traffic dataset, and then determine whether the number of three-dimensional time-series traffic samples for each category is less than the preset number of samples. Identify the categories whose number of three-dimensional time-series traffic samples is less than the preset number of samples. The identified categories are the categories that need to expand the samples.
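Steps 1 to 3 above, as an added sketch in plain Python that is not code from the patent: min-max normalisation, the protocol codes quoted in [0072], sliding-window reconstruction into N×T×F samples, and selection of the classes to expand. The min-max form (x - min)/(max - min), the clipping of out-of-range values, treating each class as a single batch, and all function names and sample flows are assumptions made for the example.

```python
# Added illustration (not from the patent): Steps 1-3 on constructed flows.
# Assumptions: standard min-max scaling, clipping to [0, 1], one batch per class.

# Protocol codes as quoted in paragraph [0072].
PROTOCOL_CODES = {"TCP": [1, 0, 0], "UDP": [0, 1, 0], "ICMP": [0, 0, 1]}


def fit_min_max(flows):
    """Per-feature (min, max) over the numeric part of the training flows."""
    columns = zip(*(numeric for numeric, _proto, _label in flows))
    return [(min(col), max(col)) for col in columns]


def normalize(numeric, bounds):
    """Min-max scale one flow. Constant features map to 0.0; values outside the
    training range (possible at detection time) are clipped to [0, 1]."""
    scaled = []
    for x, (lo, hi) in zip(numeric, bounds):
        if hi == lo:
            scaled.append(0.0)
        else:
            scaled.append(min(1.0, max(0.0, (x - lo) / (hi - lo))))
    return scaled


def preprocess(flows, bounds):
    """Step 1: normalised numeric features followed by the protocol code.
    An unknown protocol raises KeyError instead of being silently encoded."""
    return [(normalize(n, bounds) + PROTOCOL_CODES[p], label) for n, p, label in flows]


def sliding_windows(vectors, time_steps, stride=1):
    """Step 2: turn an ordered list of F-dim vectors into N windows of shape (T, F)."""
    if time_steps < 1 or stride < 1:
        raise ValueError("time_steps and stride must be positive")
    last_start = len(vectors) - time_steps
    return [vectors[s:s + time_steps] for s in range(0, last_start + 1, stride)]


def build_timeseries_dataset(flows, time_steps, stride=1):
    """Steps 1-2: preprocess, group by class in arrival order, window each class."""
    bounds = fit_min_max(flows)
    by_class = {}
    for vector, label in preprocess(flows, bounds):
        by_class.setdefault(label, []).append(vector)
    return {label: sliding_windows(v, time_steps, stride) for label, v in by_class.items()}


def classes_to_expand(dataset, preset_count):
    """Step 3: classes whose number of (T, F) samples is below the preset count."""
    return sorted(label for label, windows in dataset.items() if len(windows) < preset_count)


# Constructed sample flows: ((duration, bytes), protocol, class label).
SAMPLE_FLOWS = (
    [((0.5 + 0.1 * i, 200 + 20 * i), "TCP", "normal") for i in range(8)]
    + [((0.1, 4000 + 500 * i), "UDP", "dos") for i in range(5)]
    + [((2.0 + i, 60), "ICMP", "probe") for i in range(3)]
)

if __name__ == "__main__":
    dataset = build_timeseries_dataset(SAMPLE_FLOWS, time_steps=3)
    for label, windows in dataset.items():
        print(label, "N =", len(windows), "T =", len(windows[0]), "F =", len(windows[0][0]))
    print("expand:", classes_to_expand(dataset, preset_count=4))
```

With a window of T flows and stride 1, a class with M flows yields only M - T + 1 samples, so the window length itself lowers the per-class counts that Step 3 compares against the preset number.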

[0078] The time-series traffic dataset obtained in step two is then used to train the GAN, which includes a generator and a discriminator.

[0079] The generator's input is the concatenation of a random noise vector and a class label vector to be generated, and its output is the generated three-dimensional time-series flow sample.

[0080] The input to the discriminator is the three-dimensional time-series flow sample output by the generator. Within the discriminator, forward and backward time-series dependency features of the three-dimensional time-series flow sample are extracted through a bidirectional long short-term memory network. Then, the hidden state sequence of the three-dimensional time-series flow sample is obtained based on the extracted forward and backward time-series dependency features. The hidden state of each time step in the hidden state sequence is linearly transformed to extract the global time-series features, which are the output of the discriminator.

[0081] Then, based on the trained GAN generator, three-dimensional time-series traffic samples belonging to each category of samples that need to be expanded are generated. The generated three-dimensional time-series traffic samples (which can be broken down into each IoT traffic) and the IoT traffic preprocessed in step one are used to form a training sample dataset.

[0082] It should be noted that the generator in GAN is built on LSTM. The generator can obtain the latent distribution of minority class samples, and LSTM can extract temporal correlations.

[0083] For any class with a sample size less than a preset sample size, the training process of GAN is as follows:

[0084] Step 1: The input to the generator in a GAN includes a randomly generated noise vector. and the label vector of the category to be generated That is, the input of the generator is a noise vector. Label vectors of the categories to be generated splicing result ;

[0085] ,

[0086] in, for The initial feature sequence output by LSTM This represents the weight matrix of the fully connected layer that maps the output of the LSTM back to the feature space. This represents the bias vector of the fully connected layer that maps the output of the LSTM back to the feature space. Represents the mapped features;

[0087] The noise vector is used to improve the diversity of the generated samples. The dimension of the noise vector is the same as the dimension of each three-dimensional sample in the time-series traffic dataset. The label vector also corresponds to the three dimensions of the time-series reconstruction result. In the feature dimension of the two-dimensional sample, the label vector... The feature dimension is the same as the total number of IoT traffic categories. In the two-dimensional sample time step dimension, the data at each time step is the same one-hot encoded vector. In the one-hot encoded vector, only the element corresponding to the category to be generated has a value of 1, and all other elements have a value of 0. In the label vector... In terms of sample size, it includes a total of Two identical two-dimensional samples;

[0088] Step 2 Local smoothing is performed after a one-dimensional convolutional layer, specifically as follows:

[0089] ,

[0090] in, It is a one-dimensional convolution smoothing operation. It is the hyperbolic tangent activation function. It is a three-dimensional time-series flow sample generated by the generator;

[0091] Because IoT traffic exhibits temporal correlation, traditional GANs built on fully connected layers struggle to capture these temporal relationships, resulting in discrete samples lacking genuine temporal correlation. Therefore, this invention employs LSTM as the backbone of the generator network, utilizing its gating mechanism to capture the temporal correlations in IoT traffic. Furthermore, addressing the issue of high-frequency noise generated during the initial training phase of LSTM-based GANs, this invention introduces Conv1d as a smoothing filter at the LSTM output. A sliding window is used to locally weight the generated feature sequences, eliminating unnatural abrupt noise and making the generated attack traffic more closely resemble real traffic data samples.

[0092] Step 3: Use the 3D time-series flow samples generated by the generator as input to the discriminator in the GAN. Within the discriminator, extract the forward and backward temporal dependency features for each time step using a BiLSTM layer, and construct a complete hidden state sequence based on the extracted forward and backward temporal dependency features; that is...

[0093] ,

[0094] ,

[0095] ,

[0096] in, Representing three-dimensional time-series flow samples The Middle Two-dimensional sample The Data at each time step, Indicates the first Two-dimensional sample The The forward hidden state at each time step Indicates the first Two-dimensional sample The The forward hidden state at each time step Indicates the first Two-dimensional sample The The backward hidden state at each time step Indicates the first Two-dimensional sample The The backward hidden state at each time step Indicates a forward BiLSTM layer. Indicates a backward BiLSTM layer. Indicates to and The joint tensor obtained by splicing, i.e. It is the first Two-dimensional sample The hidden state sequence of the first The hidden state at each time step;

[0097] Step 4: Perform linear transformation and temporal average pooling on the hidden states at each time step in the hidden state sequence to extract the three-dimensional temporal flow samples. The Middle Global temporal features of a two-dimensional sample:

[0098] ,

[0099] ,

[0100] in, and These represent the weight matrix and bias vector of the linear transformation, respectively; This indicates a modified linear unit activation function, used to increase nonlinear fitting capability; express After linear transformation and activation, the first... Temporary feature vectors at each time step; It is the total number of time steps; It is the first Two-dimensional sample Global temporal characteristics;

[0101] In this invention, in order to improve the quality of generated data, the discriminator adopts a bidirectional LSTM (BiLSTM) structure, which can capture information from both the forward and backward directions and thereby extract more realistic, global temporal features.

[0102] Step 5: Calculate the adversarial loss and temporal realism loss of the generated temporal traffic samples based on global temporal features:

[0103] ,

[0104] ,

[0105] in, This represents the Sigmoid activation function. and These represent the weight matrix and bias vector for adversarial loss discrimination, respectively. and These represent the weight matrix and bias vector for determining the time series authenticity loss, respectively. It is to combat losses. It is a loss of temporal authenticity. , Representing three-dimensional time-series flow samples The total number of two-dimensional samples in the sample;

[0106] This invention incorporates a dual-output head structure into the discriminator, which, in addition to generating the adversarial loss in traditional GANs, also outputs temporal realism loss. This improvement requires the discriminator to not only focus on whether the generated sample data is realistic in terms of numerical distribution, but also on whether the generated sample data is close to real sample data in terms of temporal realism. This improvement increases the information provided by the discriminator to the generator, helping the generator to generate more realistic sample data.

[0107] This invention also introduces a multi-dimensional loss aggregation strategy, which improves the quality of the minority-class samples produced by the generator through weighted aggregation of the adversarial loss, the cosine similarity loss and the temporal authenticity loss.

[0108] Step 6, for , We construct a comprehensive objective function by weighting and summing the cosine similarity loss:

[0109] ,

[0110] in, This represents the weighted aggregation loss (i.e., the overall loss value of the generator). This represents the cosine similarity loss. and All represent weighting coefficients;

[0111] IoT traffic is sparsely and complexly distributed in a high-dimensional feature space, so traditional GANs relying solely on adversarial loss often struggle to accurately capture the subtle features of attack traffic, leading to generator mode collapse or to invalid samples with unreasonable feature combinations. To address this, this invention innovatively introduces cosine similarity loss as a geometric constraint. In intrusion detection, attack traffic of the same type often shares a consistent feature vector direction. By calculating and minimizing the cosine similarity loss between real and generated samples, the generated samples are forced to closely approximate the feature vector direction of the real samples, thereby improving the realism of the generated samples.

[0112] ,

[0113] in, This represents the three-dimensional time-series flow samples generated by the generator. The Middle A two-dimensional sample, Indicates the first One real sample (i.e., any two-dimensional real sample in the time-series traffic sample dataset that the generator needs to generate for the current category). This represents the operation of flattening a two-dimensional sample into a one-dimensional vector. Represents the L2 norm;
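The cosine similarity loss and the weighted aggregation of Step 6, as an added example that is not code from the patent. The formulas are not reproduced on this page, so the forms used here (1 minus cosine similarity, negative log-likelihood for the two discriminator terms), the weight names `w_time` and `w_cos`, and all sample values are assumptions constructed for illustration.

```python
import math

def flatten(sample_2d):
    """Flatten a (time steps x features) sample into a 1-D vector."""
    return [v for row in sample_2d for v in row]

def cosine_loss(generated, real, eps=1e-12):
    """Mean of 1 - cos(flatten(g), flatten(r)) over paired samples (assumed form)."""
    if len(generated) != len(real) or not real:
        raise ValueError("need equally sized, non-empty batches")
    total = 0.0
    for g, r in zip(generated, real):
        a, b = flatten(g), flatten(r)
        dot = sum(x * y for x, y in zip(a, b))
        norms = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
        total += 1.0 - dot / max(norms, eps)  # eps guards an all-zero sample
    return total / len(real)

def neg_log_mean(probs, eps=1e-12):
    """-mean(log p): small when a discriminator head scores the samples as real."""
    return -sum(math.log(max(p, eps)) for p in probs) / len(probs)

def generator_loss(p_adv, p_time, generated, real, w_time=0.5, w_cos=2.0):
    """Weighted sum of the three terms; w_time and w_cos are hypothetical weights."""
    parts = {"adv": neg_log_mean(p_adv),
             "time": neg_log_mean(p_time),
             "cos": cosine_loss(generated, real)}
    total = parts["adv"] + w_time * parts["time"] + w_cos * parts["cos"]
    return total, parts

# Constructed batch: one real sample, 3 time steps x 2 normalized features
REAL = [[[0.2, 0.8], [0.3, 0.7], [0.4, 0.6]]]
SCALED = [[[v * 0.5 for v in row] for row in REAL[0]]]   # same direction, half magnitude
SWAPPED = [[[row[1], row[0]] for row in REAL[0]]]        # feature columns exchanged

if __name__ == "__main__":
    print(cosine_loss(SCALED, REAL), cosine_loss(SWAPPED, REAL))
    print(generator_loss([0.5], [0.5], SWAPPED, REAL))
```

`SCALED` scores a cosine loss of 0 despite carrying half the magnitude of `REAL`, so the cosine term constrains direction only and magnitude realism rests on the two discriminator terms.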

[0114] Step 7: Update the generator parameters based on the calculated weighted aggregation loss using the backpropagation algorithm;

[0115] Then fix the network parameters of the generator, and use the current generator to generate samples. Then use the generated samples and the temporal reconstruction results in step 2 as input to the discriminator. Calculate the discriminant loss based on the adversarial discrimination probability value and temporal authenticity probability value output by the discriminator. Update the discriminator parameters by combining the backpropagation algorithm, and fix the current discriminator parameters after the update.

[0116] Step 8: Return to step 1 and use alternating optimization to achieve Nash equilibrium between the generator and the discriminator, thus obtaining a trained GAN.

[0117] Since the generator is trained in the preprocessed feature space, the generated sample data is already normalized. The IoT traffic instances output by the generator of the trained GAN are merged with the preprocessed IoT traffic dataset obtained in step one to form a class-balanced training sample dataset.

[0118] Step 4: Train the deep neural network (DNN) model using the class-balanced training sample dataset constructed in Step 3;

[0119] Specifically, the data in the training sample dataset is used as the input to the DNN model. During the training process, the parameters of the DNN model are optimized by minimizing the cross-entropy loss function, thereby obtaining a trained DNN model.

[0120] Step 5: Obtain the IoT traffic to be detected. After normalizing the IoT traffic to be detected, use the normalized IoT traffic to be detected as the input of the trained DNN model. The DNN model outputs the intrusion detection result, that is, determines whether an IoT intrusion has occurred and the specific IoT intrusion category.

[0121] Experimental Section

[0122] To verify the effectiveness of the method of this invention, GAN, GANBLR (Generative Adversarial Network inspired by the relationship between Naive Bayes and Logistic Regression), TMGGAN (Multi-Generator Generative Adversarial Network), and VAEGAN (Variational Autoencoder Generative Adversarial Network) were used as comparative models for intrusion detection, and the intrusion detection results of different GAN models were evaluated using the following metrics:

[0123] ,

[0124] ,

[0125] ,

[0126] in, It's about accuracy. It's the recall rate. It is the F1 score. It represents the number of true positive samples. It represents the number of false positive samples. This represents the number of false negative samples.

[0127] The comparison results of the different GAN methods in terms of precision, recall, and F1 score are shown in Figure 2. The method of the present invention demonstrates better classification and detection performance than the other methods.

[0128] The above examples of the present invention are merely illustrative of the computational model and process of the present invention, and are not intended to limit the implementation of the present invention. Those skilled in the art will recognize that other variations or modifications can be made based on the above description. It is impossible to exhaustively list all possible implementations here. Any obvious variations or modifications derived from the technical solutions of the present invention are still within the scope of protection of the present invention.

Claims

1. An IoT intrusion detection method integrating LSTM and GAN, characterized in that the method specifically includes the following steps:

Step 1: Obtain the IoT traffic training set. Preprocess each IoT traffic item in the IoT traffic training set to obtain the preprocessed IoT traffic training set.

Step 2: According to the preset time step, perform time-series reconstruction on various types of IoT traffic in the preprocessed IoT traffic training set to obtain a time-series traffic dataset containing three-dimensional time-series traffic samples.

Step 3: Count the number of three-dimensional time-series traffic samples corresponding to each IoT traffic category in the time-series traffic dataset, and then determine whether the number of three-dimensional time-series traffic samples for each category is less than the preset number of samples. Identify the categories whose number of three-dimensional time-series traffic samples is less than the preset number of samples. The identified categories are the categories that need to expand the samples. The time-series traffic dataset obtained in step two is then used to train the GAN, which includes a generator and a discriminator. Then, based on the trained GAN generator, three-dimensional time-series traffic samples belonging to each category that needs to expand the number of samples are generated respectively. The generated three-dimensional time-series traffic samples and the preprocessed IoT traffic in step one are used to form a training sample dataset.

Step 4: Train the DNN model using the training sample dataset constructed in Step 3;

Step 5: Obtain the IoT traffic to be detected. After normalizing the IoT traffic to be detected, use the normalized IoT traffic to be detected as the input of the trained DNN model, and output the intrusion detection result through the DNN model.

2. The IoT intrusion detection method integrating LSTM and GAN according to claim 1, characterized in that, In step one, each IoT traffic in the IoT traffic training set is preprocessed, specifically by normalizing the numerical features in each IoT traffic and encoding the protocol type features in each IoT traffic. For the first in the IoT traffic training set Numerical characteristics of IoT traffic: , in, Indicates the first The first in the IoT traffic One data point, This represents the first [number] of each IoT traffic stream. The minimum value among the data. This represents the first [number] of each IoT traffic stream. The maximum value among the data. Indicates the first The first in the IoT traffic The preprocessed data corresponding to each data point; For the first in the IoT traffic training set The protocol type characteristics in the IoT traffic are binary encoded to obtain the binary encoding result of the protocol type characteristics; For the The IoT traffic, utilizing the first The normalized result of numerical characteristics in IoT traffic and the binary encoding result of protocol type characteristics constitute the first... The preprocessing result of the first IoT traffic, i.e., obtaining the preprocessed first... IoT traffic.

3. The IoT intrusion detection method integrating LSTM and GAN according to claim 2, characterized in that, The training process of the GAN is as follows: Step 1: Transfer the randomly generated noise vector Label vectors of the categories to be generated splicing result As input to the generator in GAN; Within the generator, the concatenated result is sequentially passed through an LSTM and a fully connected layer to obtain the mapped features. ; Step 2, Features After local smoothing using a one-dimensional convolutional layer, a three-dimensional temporal flow sample generated by the generator is obtained. ; Step 3: Use the 3D time-series flow samples generated by the generator as input to the discriminator in GAN. In the discriminator, extract the forward and backward time-series dependency features of each time step through the BiLSTM layer, and construct a complete hidden state sequence based on the extracted forward and backward time-series dependency features. Step 4: Perform linear transformation and temporal average pooling on the hidden states at each time step in the hidden state sequence to extract the three-dimensional temporal flow samples. Global temporal features of each two-dimensional sample; Step 5: Calculate the adversarial loss of the generated time-series traffic samples based on global time-series features. and loss of time series authenticity ; Step 6: Flatten the generated 3D time-series flow samples into 1D vectors, then calculate the cosine similarity loss; , We construct a comprehensive objective function by weighted summation of the cosine similarity loss and the cosine similarity loss. Step 7: Iteratively optimize the generator's internal parameters based on the gradient descent direction of the comprehensive objective function; Step 8: Return to step 1 until the preset training rounds are reached or the convergence condition is met, and obtain the trained GAN.

4. The IoT intrusion detection method integrating LSTM and GAN according to claim 3, characterized in that, The process of passing the concatenated result sequentially through an LSTM and a fully connected layer to obtain the mapped features is as follows: , in, for The initial feature sequence output by LSTM This represents the weight matrix of the fully connected layer that maps the output of the LSTM back to the feature space. This represents the bias vector of the fully connected layer that maps the output of the LSTM back to the feature space. This represents the features after mapping.

5. The IoT intrusion detection method integrating LSTM and GAN according to claim 4, characterized in that, The specific process of step 2 is as follows: , in, It is a one-dimensional convolution smoothing operation. It is the hyperbolic tangent activation function. It is a three-dimensional time-series flow sample generated by the generator.

6. The IoT intrusion detection method integrating LSTM and GAN according to claim 5, characterized in that, In step 3, forward and backward temporal dependency features for each time step are extracted using a BiLSTM layer, and a complete hidden state sequence is constructed based on the extracted forward and backward temporal dependency features, specifically as follows: , , , in, Representing three-dimensional time-series flow samples The Middle Two-dimensional sample The Data at each time step, Indicates the first Two-dimensional sample The The forward hidden state at each time step Indicates the first Two-dimensional sample The The forward hidden state at each time step Indicates the first Two-dimensional sample The The backward hidden state at each time step Indicates the first Two-dimensional sample The The backward hidden state at each time step Indicates a forward BiLSTM layer. Indicates a backward BiLSTM layer. Indicates to and The joint tensor obtained by splicing, i.e. It is the first Two-dimensional sample The hidden state sequence of the first The hidden state at each time step.

7. The IoT intrusion detection method integrating LSTM and GAN according to claim 6, characterized in that, The specific process of performing linear transformation and temporal average pooling on the hidden states at each time step in the hidden state sequence is as follows: , , in, and These represent the weight matrix and bias vector of the linear transformation, respectively. This represents the modified linear unit activation function; express After linear transformation and activation, the first... Temporary feature vectors at each time step; It is the total number of time steps; It is the first Two-dimensional sample The global temporal characteristics.

8. The IoT intrusion detection method integrating LSTM and GAN according to claim 7, characterized in that, The specific process of step 5 is as follows: , , in, This represents the Sigmoid activation function. and These represent the weight matrix and bias vector for adversarial loss discrimination, respectively. and These represent the weight matrix and bias vector for determining the time series authenticity loss, respectively. It is to combat losses. It is a loss of temporal authenticity. , Representing three-dimensional time-series flow samples The total number of two-dimensional samples in the dataset.

9. The IoT intrusion detection method integrating LSTM and GAN according to claim 8, characterized in that, The pair , The comprehensive objective function is constructed by weighted summation of the cosine similarity loss and the cosine similarity loss. The specific process is as follows: , in, Represents the overall objective function. This represents the cosine similarity loss. and All of these represent weighting coefficients.

10. The IoT intrusion detection method integrating LSTM and GAN according to claim 9, characterized in that, The process of flattening the generated three-dimensional time-series flow samples into one-dimensional vectors and then calculating the cosine similarity loss is as follows: , in, This represents the three-dimensional time-series flow samples generated by the generator. The Middle A two-dimensional sample, Indicates the first A real sample, This represents the operation of flattening a two-dimensional sample into a one-dimensional vector. This represents the L2 norm.