CN113259331A - Unknown abnormal flow online detection method and system based on incremental learning - Google Patents
Unknown abnormal flow online detection method and system based on incremental learning Download PDFInfo
- Publication number
- CN113259331A CN113259331A CN202110472804.1A CN202110472804A CN113259331A CN 113259331 A CN113259331 A CN 113259331A CN 202110472804 A CN202110472804 A CN 202110472804A CN 113259331 A CN113259331 A CN 113259331A
- Authority
- CN
- China
- Prior art keywords
- unknown
- module
- sample
- class
- training
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 75
- 230000002159 abnormal effect Effects 0.000 title claims abstract description 45
- 238000012549 training Methods 0.000 claims abstract description 61
- 238000013145 classification model Methods 0.000 claims abstract description 51
- 238000013135 deep learning Methods 0.000 claims abstract description 6
- 230000006870 function Effects 0.000 claims description 23
- 238000009826 distribution Methods 0.000 claims description 18
- 239000011159 matrix material Substances 0.000 claims description 6
- 238000013527 convolutional neural network Methods 0.000 claims description 5
- 238000013528 artificial neural network Methods 0.000 claims description 3
- 238000010606 normalization Methods 0.000 claims description 3
- 239000000203 mixture Substances 0.000 claims 2
- 239000002994 raw material Substances 0.000 claims 2
- 238000000034 method Methods 0.000 description 28
- 238000003860 storage Methods 0.000 description 6
- 230000005856 abnormality Effects 0.000 description 5
- 238000004590 computer program Methods 0.000 description 5
- 238000010586 diagram Methods 0.000 description 4
- 230000000694 effects Effects 0.000 description 4
- 238000012360 testing method Methods 0.000 description 4
- 238000010801 machine learning Methods 0.000 description 2
- 238000011160 research Methods 0.000 description 2
- ORILYTVJVMAKLC-UHFFFAOYSA-N Adamantane Natural products C1C(C2)CC3CC1CC2C3 ORILYTVJVMAKLC-UHFFFAOYSA-N 0.000 description 1
- 238000004458 analytical method Methods 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 238000003384 imaging method Methods 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 239000002245 particle Substances 0.000 description 1
- 238000011897 real-time detection Methods 0.000 description 1
- 238000005070 sampling Methods 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 230000000007 visual effect Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/23—Clustering techniques
- G06F18/232—Non-hierarchical techniques
- G06F18/2321—Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions
- G06F18/23213—Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions with fixed number of clusters, e.g. K-means clustering
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
- G06F18/241—Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
- G06F18/2415—Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on parametric or probabilistic models, e.g. based on likelihood ratio or false acceptance rate versus a false rejection rate
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N20/00—Machine learning
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/044—Recurrent networks, e.g. Hopfield networks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/045—Combinations of networks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/049—Temporal neural networks, e.g. delay elements, oscillating neurons or pulsed inputs
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
Abstract
The invention discloses an incremental learning-based online detection method and system for unknown abnormal flow, which comprises the steps of constructing an initial classification model based on deep learning, and performing initial training on the initial classification model by using a Softmax classifier; judging whether the input data sample is of a known type or an unknown type through an unknown detection module, then automatically marking the sample characteristics of the unknown type, and adding the sample characteristics to a network updating module and a buffer area module; updating and training an initial classification model through a network updating module, and converting an unknown class into a known class; storing sample characteristics and labels of unknown classes through a buffer module so as to adapt to an online mode and help to distinguish the types of unknown exceptions; the invention realizes the learning of new samples and the updating of models and realizes the identification of unknown anomalies in an incremental training mode; meanwhile, the accuracy and speed of unknown abnormal flow detection are improved.
Description
Technical Field
The invention relates to the technical field of anomaly detection of a machine learning network, in particular to an unknown abnormal flow online detection method and system based on incremental learning.
Background
The problem of network traffic anomaly detection is an important subject in network security research work, and currently, most researches on the detection of network anomaly traffic are based on a closed scene, namely all categories are known. However, in a real-world network environment, the detection of unknown abnormal traffic is an open-set-based scenario, i.e., traffic data of unknown (not previously seen) classes may be encountered. The detection of unknown abnormal traffic has important significance for maintaining network security.
Although the open set-based unknown anomaly detection methods achieve some significant effects, these methods can only distinguish known or unknown anomalies, and cannot distinguish the types of different unknown anomalies. Meanwhile, the model training of the methods needs a lot of time, and the requirements of the network on real-time detection of unknown abnormalities cannot be met. Therefore, how to distinguish known from unknown, distinguish different types of unknown anomalies, and detect unknown anomalies online are three important difficulties faced by the unknown anomaly traffic detection problem.
Disclosure of Invention
This section is for the purpose of summarizing some aspects of embodiments of the invention and to briefly introduce some preferred embodiments. In this section, as well as in the abstract and the title of the invention of this application, simplifications or omissions may be made to avoid obscuring the purpose of the section, the abstract and the title, and such simplifications or omissions are not intended to limit the scope of the invention.
The present invention has been made in view of the above-mentioned conventional problems.
Therefore, the invention provides an online detection method for unknown abnormal flow based on incremental learning, which can solve the problems that the prior art cannot distinguish different types of unknown abnormal and needs a large amount of time to train a model.
In order to solve the technical problems, the invention provides the following technical scheme: the method comprises the steps of constructing an initial classification model based on deep learning, and performing initial training on the initial classification model by using a Softmax classifier; judging whether the input data sample is of a known type or an unknown type through an unknown detection module, then automatically marking the sample characteristics of the unknown type, and adding the sample characteristics to a network updating module and a buffer area module; updating and training the initial classification model through a network updating module, and converting the unknown class into the known class; storing the sample characteristics and the labels of the unknown classes through a buffer area module, when the input sample is detected to be the unknown class, comparing the input sample with the sample of the unknown class of the buffer area module again, and if the sample characteristics are found to be the known class in the buffer area, outputting the class to which the sample belongs; otherwise, adding a sample to the buffer module.
As a preferable scheme of the incremental learning-based unknown abnormal flow online detection method, the incremental learning-based unknown abnormal flow online detection method comprises the following steps: the initial classification model is constructed by the steps that the initial classification model comprises a convolutional neural network and a long-short term memory artificial neural network, cross entropy is used as a loss function of the initial classification model, and initial training is carried out on the initial classification model according to the loss function and by a Softmax classifier.
As a preferable scheme of the incremental learning-based unknown abnormal flow online detection method, the incremental learning-based unknown abnormal flow online detection method comprises the following steps: determining the input data samples includes calculating each sample characteristic f according toiWith each class prototype pjEuclidean distance therebetween, obtaining a distance distribution matrix Dist:
constructing a threshold function based on the average distance distribution matrix, and judging whether the input data sample is a known type or an unknown type according to the threshold function; where i is 1, …, S is the number of samples per batch of features, j is 1, …, n is the number of classes of the prototype, and epsilon is the set parameter.
As a preferable scheme of the incremental learning-based unknown abnormal flow online detection method, the incremental learning-based unknown abnormal flow online detection method comprises the following steps: the threshold function may include a function of,
ρi=λ*θi
wherein, thetaiIs a threshold value, MijThe maximum confidence value of the ith correctly classified sample of the category j, Z is the number of correctly classified sample sets, and lambda is an empirical parameter; when all confidence values of the sample are less than the threshold value piThen the sample is considered unknown.
As a preferable scheme of the incremental learning-based unknown abnormal flow online detection method, the incremental learning-based unknown abnormal flow online detection method comprises the following steps: the method further comprises the steps of clustering samples of unknown classes by using a Kmeans clustering strategy, and adding the weight of each class of samples into a network layer of the initial classification model to assist training and updating of the initial classification model.
As a preferable scheme of the incremental learning-based unknown abnormal flow online detection method, the incremental learning-based unknown abnormal flow online detection method comprises the following steps: the updating and training of the initial classification model comprises the steps of carrying out mean value normalization on the distance distribution between the obtained prototype and the new sample characteristics during each iterative training to obtain weight distribution [ alpha ]1,α2,α3,…,αH,αH+1,…,,αH+G](ii) a Wherein [ alpha ] is1,α2,α3,…,αH]Is a weight distribution of a known class, [ alpha ]H+1,…,,αH+G]Is a weight distribution of unknown classes, and
and adding the weights of the unknown classes to the last layer of the initial classification model respectively to finish the updating training of the initial classification model.
As a preferable scheme of the incremental learning-based unknown abnormal flow online detection method, the incremental learning-based unknown abnormal flow online detection method comprises the following steps: the buffer module includes, assuming that m new classes are found at the time of the tth detection, the information contained in the buffer module is as follows:
wherein, BTIs information f of the buffer at the time of the Tth detectionuIs a feature of the unknown sample U,/uIs a class label of U, WTRepresents the weight vector of the T-th time.
As a preferable scheme of the incremental learning-based unknown abnormal flow online detection method, the incremental learning-based unknown abnormal flow online detection method comprises the following steps: the cross-entropy includes the cross-entropy of,
wherein L is a cross entropy loss function; n is the number of samples; m is the number of categories; y isicIf the category c is the same as that of the observation sample i, the indicator variable is 1, otherwise, the indicator variable is 0; p is a radical oficIs the predicted probability that the observation sample i belongs to class c.
As a preferable scheme of the incremental learning-based unknown abnormal flow online detection system of the present invention, wherein: the system comprises an initial training module, a classification module and a classification module, wherein the initial training module is used for constructing and training an initial classification model and judging whether an input sample is a known class or an unknown class; the increment training module is connected with the initial training module and can learn new samples and identify unknown abnormalities according to unknown class samples obtained by judging of the initial training module.
As a preferable scheme of the incremental learning-based unknown abnormal flow online detection system of the present invention, wherein: the increment training module comprises an unknown detection module, a network updating module and a buffer area module; the unknown detection module is used for judging whether the sample output by the initial training module is of a known type or an unknown type and for automatically marking the sample characteristics of the unknown type; the network updating module is connected with the unknown detection module and used for updating and training an initial classification model and converting the unknown class into the known class; and the buffer area module is respectively connected with the unknown detection module and the network updating module, and is used for storing the sample characteristics and the labels of the unknown types and updating the network updating module.
The invention has the beneficial effects that: the invention realizes the learning of new samples and the updating of models and realizes the identification of unknown anomalies in an incremental training mode; meanwhile, the accuracy and speed of unknown abnormal flow detection are improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive exercise. Wherein:
fig. 1 is a schematic flow chart of an unknown abnormal flow online detection method based on incremental learning according to a first embodiment of the present invention;
fig. 2 is a schematic diagram of an initial training phase of an incremental learning-based unknown abnormal flow online detection method according to a first embodiment of the present invention;
fig. 3 is a schematic diagram illustrating an operation principle of an unknown detection module 100 of an online unknown abnormal flow detection method based on incremental learning according to a first embodiment of the present invention;
fig. 4 is a schematic diagram illustrating an operation principle of a network update module 200 of an incremental learning-based unknown abnormal traffic online detection method according to a first embodiment of the present invention;
fig. 5 is a schematic structural diagram of a module of an incremental learning-based unknown abnormal flow online detection system according to a second embodiment of the present invention.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, specific embodiments accompanied with figures are described in detail below, and it is apparent that the described embodiments are a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making creative efforts based on the embodiments of the present invention, shall fall within the protection scope of the present invention.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, but the present invention may be practiced in other ways than those specifically described and will be readily apparent to those of ordinary skill in the art without departing from the spirit of the present invention, and therefore the present invention is not limited to the specific embodiments disclosed below.
Furthermore, reference herein to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one implementation of the invention. The appearances of the phrase "in one embodiment" in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments.
The present invention will be described in detail with reference to the drawings, wherein the cross-sectional views illustrating the structure of the device are not enlarged partially in general scale for convenience of illustration, and the drawings are only exemplary and should not be construed as limiting the scope of the present invention. In addition, the three-dimensional dimensions of length, width and depth should be included in the actual fabrication.
Meanwhile, in the description of the present invention, it should be noted that the terms "upper, lower, inner and outer" and the like indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings, and are only for convenience of describing the present invention and simplifying the description, but do not indicate or imply that the referred device or element must have a specific orientation, be constructed in a specific orientation and operate, and thus, cannot be construed as limiting the present invention. Furthermore, the terms first, second, or third are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
The terms "mounted, connected and connected" in the present invention are to be understood broadly, unless otherwise explicitly specified or limited, for example: can be fixedly connected, detachably connected or integrally connected; they may be mechanically, electrically, or directly connected, or indirectly connected through intervening media, or may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood in specific cases to those skilled in the art.
Example 1
Referring to fig. 1 to 4, a first embodiment of the present invention provides an incremental learning-based unknown abnormal flow online detection method, including:
s1: and constructing an initial classification model based on deep learning, and performing initial training on the initial classification model by using a Softmax classifier.
It should be noted that the present example uses UNSW-NB15 data set for model training and sample identification, which contains nine types of attacks, namely Fuzzers, Analysis, Backdoor, DoS, explore, Generic, Reconnaissance, Shellcode, and Worms; in this embodiment, normal data and Generic anomalies are used as known samples to train an initial classification model, as shown in fig. 2, the remaining 8 anomalies are used to evaluate the detection capability of the unknown samples, the normal data is marked as 0, and nine anomaly types are marked as 1-9 in sequence.
Before an initial classification model is built, input sample data is preprocessed, non-numerical data in the UNSW-NB15 data set is processed into a numerical form through a LabeleEncoder () function in a machine learning module sklern, and then the data is normalized through a MinMaxScaler () function.
The initial classification model constructed in the embodiment consists of a convolutional neural network and a long-short term memory artificial neural network, and the initial classification model is used for learning the characteristics of known input data; in the initial training stage of the initial classification model, cross entropy is used as a loss function of the initial classification model, and the initial classification model is initially trained by a Softmax classifier according to the loss function.
The expression of cross entropy is as follows:
wherein L is a cross entropy loss function; n is the number of samples; m is the number of categories; y isicIf the category c is the same as that of the observation sample i, the indication variable is 1, otherwise, the indication variable is 0; p is a radical oficIs the predicted probability that the observation sample i belongs to class c.
S2: the unknown detection module 100 determines whether the input data sample is of a known class or an unknown class, then automatically marks the sample characteristics of the unknown class, and adds the sample characteristics to the network update module 200 and the buffer module 300.
The input data sample comprises a known class and an unknown class, and the embodiment introduces prototype learning into the open set identification task and further utilizes the prototype to detect the unknown class because the prototype learning can improve the difference between the classes.
(1) First, each sample feature f is calculated according to the following formulaiWith each class prototype pjEuclidean distance therebetween, obtaining a distance distribution matrix Dist:
where i is 1, …, S is the number of samples per batch of features, j is 1, …, n is the number of categories of the prototype, the distance between the features and the prototype is inverted, a greater probability value is obtained for features close to the prototype, and the parameter e is set to 0.001 to avoid division by zero.
(2) Constructing a threshold function based on the average distance distribution matrix, and judging whether the input data sample is a known type or an unknown type according to the threshold function;
the expression of the threshold function is as follows:
ρi=λ*θi
wherein, thetaiIs a threshold value, MijMaximum of the ith correctly classified sample for class jThe confidence value, Z is the number of correctly classified sample sets, and lambda is an empirical parameter;
when all confidence values of the sample are less than the threshold value piThen the sample is considered unknown.
(3) And clustering the samples of unknown classes by using a Kmeans clustering strategy, and adding the weight of each class of samples into a network layer of the initial classification model to assist the training and updating of the initial classification model.
By clustering unknown samples, potential different classes are further searched for to help to detect the unknown samples; suppose the unknown set of the T-th training is UTUsing Kmeans clustering algorithm to cluster UTDivided into h clusters, i.e. { Cluster1,Cluster2,…,ClusterhAnd adding the weight information of each type of sample into a network layer to help the training and updating of the initial classification model.
S3: the training initial classification model is updated by the network update module 200 to convert unknown classes into known classes.
The steps of updating the training initial classification model are as follows:
(1) carrying out mean normalization on the distance distribution between the obtained prototype and the new sample characteristics during each iterative training to obtain weight distribution [ alpha ]1,α2,α3,…,αH,αH+1,…,,αH+G];
Wherein [ alpha ] is1,α2,α3,…,αH]Is a weight distribution of a known class, [ alpha ]H+1,…,,αH+G]Is a weight distribution of unknown classes, and
(2) and respectively adding the weights of the unknown classes to the last layer of the initial classification model to finish the updating training of the initial classification model.
S4: storing the sample characteristics and labels of unknown classes through the buffer module 300, when the input sample is detected as an unknown class, comparing the input sample with the sample of the unknown class of the buffer module 300 again, and if the sample characteristics are found to be the known classes in the buffer, outputting the class to which the sample belongs; otherwise, the sample is added to the buffer module 300.
In order to avoid that the detected unknown information cannot be effectively utilized due to the untimely network update, in this embodiment, a Buffer module 300 (Buffer) is provided to store the unknown information that has been detected at the current time, so as to adapt to the online mode and help to distinguish the type of the unknown anomaly, and the working operation principle of the Buffer module 300 can be shown in fig. 4.
Assuming that m new classes are found at the time of the Tth test, the information contained in the buffer module 300 can be expressed as:
wherein, BTIs information f of the buffer at the time of the Tth detectionuIs a feature of the unknown sample U,/uIs a class label of U, WTRepresents the weight vector of the T-th time.
When the input sample is detected as unknown, it needs to be compared with the sample in the buffer module 300 again to know whether the unknown sample is present; if the sample is found in the buffer module 300 to be of a known class, outputting the class to which the sample belongs; otherwise, the sample is considered as a new unknown to be added to the buffer module 300; with the continuous update of the network update module 200, the anomalies in the buffer module 300 are continuously updated, the types of the anomalies are continuously increased, and finally different types of anomaly detection results can be output.
In order to verify and explain the technical effect adopted in the method, the embodiment selects a deep learning-based DNN method and an Open-CNN method and adopts the method to perform a comparison test, and compares test results by means of scientific demonstration to verify the real effect of the method.
The method is compared with a deep learning-based DNN method and an Open-CNN method on 5 unknown abnormal types (Dos _ Hulk, Dos, explores, Fuzzers and Reconnaisnce) by using Accuracy (Accuracy) and F1-Score.
In the model training process, Adam is used as an optimizer to execute gradient descent, and early stop is set to avoid the phenomenon of overfitting; the sub-sampling size batchsize is set to 256, epoch is set to 30, and the known sample is divided into two parts, wherein 50% of the two parts are used as initial training data for training an initial classification model; the other 50% of the samples are used for incremental training, and in the incremental training stage, the test samples comprise known samples and unknown samples and are used for verifying the effectiveness of the model; in addition, in order to avoid the contingency of the experimental results, the average results of 10 independent runs were taken for the above indexes, and the experimental results are shown in table 1.
Table 1: and comparing the experimental results.
In addition, on the UNSW-NB15 data set, the online detection performance of the method was evaluated by comparison with the running time in the offline mode; because the trained model can detect multiple types of abnormalities at one time in the offline mode, and the online mode is detection while training, the running time of the offline mode corresponds to the total time of detection of various types of abnormalities in the online mode, and the result is shown in table 2.
Table 2: run time compares the results.
As can be seen from tables 1 and 2, except for the anomaly of the Dos _ Hulk type, the method obtains a better effect on detecting the unknown anomaly type, and greatly improves the accuracy, the F1-core and the running time index; therefore, the method provided by the invention can be proved to effectively improve the accuracy and speed of unknown abnormal flow detection.
Example 2
Referring to fig. 5, a second embodiment of the present invention, which is different from the first embodiment, provides an incremental learning-based unknown abnormal flow online detection system, including:
an initial training module 100, configured to construct and train an initial classification model, and determine whether an input sample is a known class or an unknown class; wherein the initial training module 100 trains the initial classification model through the Softmax classifier.
The incremental training module 200 is connected with the initial training module 100, and can learn a new sample and identify unknown abnormality according to the unknown type sample obtained by the initial training module 100; specifically, the incremental training module 200 includes an unknown detection module 201, a network update module 202, and a buffer module 203; an unknown detection module 201, configured to determine whether the sample output by the initial training module 100 is a known class or an unknown class, and configured to automatically mark a sample feature of the unknown class; the network updating module 202 is connected with the unknown detection module 201, and is used for updating and training the initial classification model and converting the unknown class into a known class; the buffer module 203 is connected to the unknown detection module 201 and the network update module 202, respectively, and is used for storing the sample features and tags of the unknown classes and updating the network update module 202.
It should be recognized that embodiments of the present invention can be realized and implemented by computer hardware, a combination of hardware and software, or by computer instructions stored in a non-transitory computer readable memory. The methods may be implemented in a computer program using standard programming techniques, including a non-transitory computer-readable storage medium configured with the computer program, where the storage medium so configured causes a computer to operate in a specific and predefined manner, according to the methods and figures described in the detailed description. Each program may be implemented in a high level procedural or object oriented programming language to communicate with a computer system. However, the program(s) can be implemented in assembly or machine language, if desired. In any case, the language may be a compiled or interpreted language. Furthermore, the program can be run on a programmed application specific integrated circuit for this purpose.
Further, the operations of processes described herein can be performed in any suitable order unless otherwise indicated herein or otherwise clearly contradicted by context. The processes described herein (or variations and/or combinations thereof) may be performed under the control of one or more computer systems configured with executable instructions, and may be implemented as code (e.g., executable instructions, one or more computer programs, or one or more applications) collectively executed on one or more processors, by hardware, or combinations thereof. The computer program includes a plurality of instructions executable by one or more processors.
Further, the method may be implemented in any type of computing platform operatively connected to a suitable interface, including but not limited to a personal computer, mini computer, mainframe, workstation, networked or distributed computing environment, separate or integrated computer platform, or in communication with a charged particle tool or other imaging device, and the like. Aspects of the invention may be embodied in machine-readable code stored on a non-transitory storage medium or device, whether removable or integrated into a computing platform, such as a hard disk, optically read and/or write storage medium, RAM, ROM, or the like, such that it may be read by a programmable computer, which when read by the storage medium or device, is operative to configure and operate the computer to perform the procedures described herein. Further, the machine-readable code, or portions thereof, may be transmitted over a wired or wireless network. The invention described herein includes these and other different types of non-transitory computer-readable storage media when such media include instructions or programs that implement the steps described above in conjunction with a microprocessor or other data processor. The invention also includes the computer itself when programmed according to the methods and techniques described herein. A computer program can be applied to input data to perform the functions described herein to transform the input data to generate output data that is stored to non-volatile memory. The output information may also be applied to one or more output devices, such as a display. In a preferred embodiment of the invention, the transformed data represents physical and tangible objects, including particular visual depictions of physical and tangible objects produced on a display.
As used in this application, the terms "component," "module," "system," and the like are intended to refer to a computer-related entity, either hardware, firmware, a combination of hardware and software, or software in execution. For example, a component may be, but is not limited to being: a process running on a processor, an object, an executable, a thread of execution, a program, and/or a computer. By way of example, both an application running on a computing device and the computing device can be a component. One or more components can reside within a process and/or thread of execution and a component can be localized on one computer and/or distributed between two or more computers. In addition, these components can execute from various computer readable media having various data structures thereon. The components may communicate by way of local and/or remote processes such as in accordance with a signal having one or more data packets (e.g., data from one component interacting with another component in a local system, distributed system, and/or across a network such as the internet with other systems by way of the signal).
It should be noted that the above-mentioned embodiments are only for illustrating the technical solutions of the present invention and not for limiting, and although the present invention has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications or equivalent substitutions may be made on the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention, which should be covered by the claims of the present invention.
Claims (10)
1. An unknown abnormal flow online detection method based on incremental learning is characterized in that: comprises the steps of (a) preparing a mixture of a plurality of raw materials,
constructing an initial classification model based on deep learning, and performing initial training on the initial classification model by using a Softmax classifier;
judging whether the input data sample is a known class or an unknown class through an unknown detection module (100), then automatically marking the sample characteristics of the unknown class, and adding the sample characteristics to a network updating module (200) and a buffer area module (300);
updating and training the initial classification model through a network updating module (200) to convert the unknown class into the known class;
storing the sample characteristics and the labels of the unknown classes through a buffer module (300), comparing the input sample with the sample of the unknown classes of the buffer module (300) again when the input sample is detected as the unknown class, and outputting the class to which the sample belongs if the sample characteristics are found to be the known classes in the buffer; otherwise, adding samples to the buffer module (300).
2. The incremental learning-based unknown abnormal flow online detection method as claimed in claim 1, characterized in that: constructing the initial classification model may include,
the initial classification model comprises a convolutional neural network and a long-short term memory artificial neural network, cross entropy is used as a loss function of the initial classification model, and initial training is carried out on the initial classification model according to the loss function and by using a Softmax classifier.
3. The incremental learning-based unknown abnormal flow online detection method as claimed in claim 1 or 2, characterized in that: it is determined that the input data sample includes,
calculating the characteristic f of each sample according to the following formulaiWith each class prototype pjEuclidean distance therebetween, obtaining a distance distribution matrix Dist:
constructing a threshold function based on the average distance distribution matrix, and judging whether the input data sample is a known type or an unknown type according to the threshold function;
where i is 1, …, S is the number of samples per batch of features, j is 1, …, n is the number of classes of the prototype, and epsilon is the set parameter.
4. The incremental learning-based unknown abnormal flow online detection method as claimed in claim 3, characterized in that: the threshold function may include a function of,
ρi=λ*θi
wherein, thetaiIs a threshold value, MijThe maximum confidence value of the ith correctly classified sample of the category j, Z is the number of correctly classified sample sets, and lambda is an empirical parameter;
when all confidence values of the sample are less than the threshold value piThen the sample is considered unknown.
5. The incremental learning-based unknown abnormal flow online detection method as claimed in claim 4, wherein: also comprises the following steps of (1) preparing,
and clustering the samples of unknown classes by using a Kmeans clustering strategy, and adding the weight of each class of samples into a network layer of the initial classification model to assist the training and updating of the initial classification model.
6. The incremental learning-based unknown abnormal flow online detection method as claimed in any one of claims 1, 2 and 5, wherein: the updating of the training of the initial classification model includes,
carrying out mean normalization on the distance distribution between the obtained prototype and the new sample characteristics during each iterative training to obtain weight distribution [ alpha ]1,α2,α3,...,αH,αH+1,...,,αH+G];
Wherein [ alpha ] is1,α2,α3,...,αH]Is a weight distribution of a known class, [ alpha ]H+1,...,,αH+G]Is a weight distribution of unknown classes, and
and adding the weights of the unknown classes to the last layer of the initial classification model respectively to finish the updating training of the initial classification model.
7. The incremental learning-based unknown abnormal flow online detection method as claimed in claim 6, wherein: the buffer module (300) comprises,
assuming that m new classes are found at the time of the Tth detection, the information contained in the buffer module (300) is as follows:
wherein, BTIs information f of the buffer at the time of the Tth detectionuIs a feature of the unknown sample U,/uIs a class label of U, WTRepresents the weight vector of the T-th time.
8. The incremental learning-based unknown abnormal flow online detection method as claimed in claim 2, characterized in that: the cross-entropy includes the cross-entropy of,
wherein L is a cross entropy loss function; n is the number of samples; m is the number of categories; y isicIf the category c is the same as that of the observation sample i, the indicator variable is 1, otherwise, the indicator variable is 0; p is a radical oficIs the predicted probability that the observation sample i belongs to class c.
9. An unknown abnormal flow online detection system based on incremental learning is characterized in that: comprises the steps of (a) preparing a mixture of a plurality of raw materials,
an initial training module (100) for constructing and training an initial classification model and for determining whether an input sample is a known class or an unknown class;
the increment training module (200) is connected with the initial training module (100) and can learn new samples and identify unknown anomalies according to the unknown class samples judged and obtained by the initial training module (100).
10. The incremental learning-based online unknown abnormal flow detection system as claimed in claim 9, wherein: the incremental training module (200) comprises an unknown detection module (201), a network update module (202) and a buffer module (203);
the unknown detection module (201) is used for judging whether the sample output by the initial training module (100) is a known class or an unknown class, and is used for automatically marking the sample characteristics of the unknown class;
the network updating module (202) is connected with the unknown detection module (201) and used for updating and training an initial classification model and converting the unknown class into the known class;
the buffer module (203) is respectively connected with the unknown detection module (201) and the network updating module (202) and is used for storing the sample characteristics and the labels of the unknown classes and updating the network updating module (202).
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110472804.1A CN113259331B (en) | 2021-04-29 | 2021-04-29 | Unknown abnormal flow online detection method and system based on incremental learning |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110472804.1A CN113259331B (en) | 2021-04-29 | 2021-04-29 | Unknown abnormal flow online detection method and system based on incremental learning |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113259331A true CN113259331A (en) | 2021-08-13 |
| CN113259331B CN113259331B (en) | 2022-10-11 |
Family
ID=77223428
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110472804.1A Active CN113259331B (en) | 2021-04-29 | 2021-04-29 | Unknown abnormal flow online detection method and system based on incremental learning |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113259331B (en) |
Cited By (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113746841A (en) * | 2021-09-03 | 2021-12-03 | 天津芯海创科技有限公司 | High-safety heterogeneous redundancy structure with intelligent learning capacity |
| CN113807243A (en) * | 2021-09-16 | 2021-12-17 | 上海交通大学 | Water obstacle detection system and method based on attention to unknown target |
| CN114329556A (en) * | 2021-12-30 | 2022-04-12 | 江苏瞭望神州大数据科技有限公司 | All-in-one machine with chip data protection function |
| CN114861670A (en) * | 2022-07-07 | 2022-08-05 | 浙江一山智慧医疗研究有限公司 | Entity identification method, device and application for learning unknown label based on known label |
| CN115580445A (en) * | 2022-09-22 | 2023-01-06 | 东北大学 | Unknown attack intrusion detection method, device and computer readable storage medium |
| CN116915512A (en) * | 2023-09-14 | 2023-10-20 | 国网江苏省电力有限公司常州供电分公司 | Method and device for detecting communication flow in power grid |
| WO2024020933A1 (en) * | 2022-07-28 | 2024-02-01 | Intel Corporation | Apparatus and method for patching embedding table on the fly for new categorical feature in deep learning |
Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20170104774A1 (en) * | 2015-10-08 | 2017-04-13 | Cisco Technology, Inc. | Anomaly detection in a network coupling state information with machine learning outputs |
| CN107358257A (en) * | 2017-07-07 | 2017-11-17 | 华南理工大学 | Under a kind of big data scene can incremental learning image classification training method |
| CN108173708A (en) * | 2017-12-18 | 2018-06-15 | 北京天融信网络安全技术有限公司 | Anomalous traffic detection method, device and storage medium based on incremental learning |
| CN108900432A (en) * | 2018-07-05 | 2018-11-27 | 中山大学 | A kind of perception of content method based on network Flow Behavior |
| US20190188065A1 (en) * | 2017-12-15 | 2019-06-20 | International Business Machines Corporation | Computerized high-speed anomaly detection |
| CN111209563A (en) * | 2019-12-27 | 2020-05-29 | 北京邮电大学 | Network intrusion detection method and system |
| CN111368874A (en) * | 2020-01-23 | 2020-07-03 | 天津大学 | Image category incremental learning method based on single classification technology |
| CN111783997A (en) * | 2020-06-29 | 2020-10-16 | 杭州海康威视数字技术股份有限公司 | Data processing method, device and equipment |
| CN111985601A (en) * | 2019-05-21 | 2020-11-24 | 富士通株式会社 | Data identification method for incremental learning |
| WO2020256738A1 (en) * | 2019-06-21 | 2020-12-24 | Schlumberger Technology Corporation | Field development planning based on deep reinforcement learning |
-
2021
- 2021-04-29 CN CN202110472804.1A patent/CN113259331B/en active Active
Patent Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20170104774A1 (en) * | 2015-10-08 | 2017-04-13 | Cisco Technology, Inc. | Anomaly detection in a network coupling state information with machine learning outputs |
| CN107358257A (en) * | 2017-07-07 | 2017-11-17 | 华南理工大学 | Under a kind of big data scene can incremental learning image classification training method |
| US20190188065A1 (en) * | 2017-12-15 | 2019-06-20 | International Business Machines Corporation | Computerized high-speed anomaly detection |
| CN108173708A (en) * | 2017-12-18 | 2018-06-15 | 北京天融信网络安全技术有限公司 | Anomalous traffic detection method, device and storage medium based on incremental learning |
| CN108900432A (en) * | 2018-07-05 | 2018-11-27 | 中山大学 | A kind of perception of content method based on network Flow Behavior |
| CN111985601A (en) * | 2019-05-21 | 2020-11-24 | 富士通株式会社 | Data identification method for incremental learning |
| WO2020256738A1 (en) * | 2019-06-21 | 2020-12-24 | Schlumberger Technology Corporation | Field development planning based on deep reinforcement learning |
| CN111209563A (en) * | 2019-12-27 | 2020-05-29 | 北京邮电大学 | Network intrusion detection method and system |
| CN111368874A (en) * | 2020-01-23 | 2020-07-03 | 天津大学 | Image category incremental learning method based on single classification technology |
| CN111783997A (en) * | 2020-06-29 | 2020-10-16 | 杭州海康威视数字技术股份有限公司 | Data processing method, device and equipment |
Non-Patent Citations (1)
| Title |
|---|
| XIN YE,QIUYU ZHU: "Class-Incremental Learning Based on Feature Extraction of CNN", 《IEEE ACCESS》, vol. 7, 12 March 2019 (2019-03-12) * |
Cited By (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113746841A (en) * | 2021-09-03 | 2021-12-03 | 天津芯海创科技有限公司 | High-safety heterogeneous redundancy structure with intelligent learning capacity |
| CN113807243A (en) * | 2021-09-16 | 2021-12-17 | 上海交通大学 | Water obstacle detection system and method based on attention to unknown target |
| CN113807243B (en) * | 2021-09-16 | 2023-12-05 | 上海交通大学 | Water obstacle detection system and method based on attention to unknown target |
| CN114329556A (en) * | 2021-12-30 | 2022-04-12 | 江苏瞭望神州大数据科技有限公司 | All-in-one machine with chip data protection function |
| CN114329556B (en) * | 2021-12-30 | 2023-03-24 | 江苏瞭望神州大数据科技有限公司 | All-in-one machine with chip data protection function |
| CN114861670A (en) * | 2022-07-07 | 2022-08-05 | 浙江一山智慧医疗研究有限公司 | Entity identification method, device and application for learning unknown label based on known label |
| WO2024020933A1 (en) * | 2022-07-28 | 2024-02-01 | Intel Corporation | Apparatus and method for patching embedding table on the fly for new categorical feature in deep learning |
| CN115580445A (en) * | 2022-09-22 | 2023-01-06 | 东北大学 | Unknown attack intrusion detection method, device and computer readable storage medium |
| CN116915512A (en) * | 2023-09-14 | 2023-10-20 | 国网江苏省电力有限公司常州供电分公司 | Method and device for detecting communication flow in power grid |
| CN116915512B (en) * | 2023-09-14 | 2023-12-01 | 国网江苏省电力有限公司常州供电分公司 | Method and device for detecting communication flow in power grid |
Also Published As
| Publication number | Publication date |
|---|---|
| CN113259331B (en) | 2022-10-11 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN113259331B (en) | Unknown abnormal flow online detection method and system based on incremental learning | |
| CN110070141B (en) | Network intrusion detection method | |
| Wang et al. | Remote sensing image classification based on the optimal support vector machine and modified binary coded ant colony optimization algorithm | |
| Chen et al. | Multi-fault diagnosis study on roller bearing based on multi-kernel support vector machine with chaotic particle swarm optimization | |
| Cheng et al. | Fault detection and diagnosis for Air Handling Unit based on multiscale convolutional neural networks | |
| CN111753918B (en) | Gender bias-removed image recognition model based on countermeasure learning and application | |
| CN111079978B (en) | Coal and gas outburst prediction method based on logistic regression and reinforcement learning | |
| CN114912612A (en) | Bird identification method and device, computer equipment and storage medium | |
| CN112529638B (en) | Service demand dynamic prediction method and system based on user classification and deep learning | |
| CN105809119A (en) | Sparse low-rank structure based multi-task learning behavior identification method | |
| CN111461354A (en) | Machine learning integration classification method and software system for high-dimensional data | |
| CN113259332A (en) | Multi-type network flow abnormity detection method and system based on end-to-end | |
| CN114448657B (en) | Distribution communication network security situation awareness and abnormal intrusion detection method | |
| CN114925938A (en) | Electric energy meter running state prediction method and device based on self-adaptive SVM model | |
| Saravanan et al. | Prediction of Insufficient Accuracy for Human Activity Recognition using Convolutional Neural Network in Compared with Support Vector Machine | |
| Bi et al. | Critical direction projection networks for few-shot learning | |
| Maliha et al. | Extreme learning machine for structured output spaces | |
| CN114637620B (en) | Database system abnormal classification prediction method based on SVM algorithm | |
| CN111860441B (en) | Video target identification method based on unbiased depth migration learning | |
| CN113901932A (en) | Engineering machinery image recognition method and system fusing artificial fish and particle swarm algorithm | |
| CN114971375A (en) | Examination data processing method, device, equipment and medium based on artificial intelligence | |
| CN114095268A (en) | Method, terminal and storage medium for network intrusion detection | |
| CN113656707A (en) | Financing product recommendation method, system, storage medium and equipment | |
| CN112884065A (en) | Deep learning model robust boundary assessment method and device based on support vector machine and application | |
| JP2020181265A (en) | Information processing device, system, information processing method, and program |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| EE01 | Entry into force of recordation of patent licensing contract | ||
| EE01 | Entry into force of recordation of patent licensing contract |
Application publication date: 20210813 Assignee: Shanghai Adisai Artificial Intelligence Technology Co.,Ltd. Assignor: Shanghai Electric Power University Contract record no.: X2024310000012 Denomination of invention: An online detection method and system for unknown abnormal traffic based on incremental learning Granted publication date: 20221011 License type: Common License Record date: 20240116 |