CN113538288A - Network anomaly detection method and device and computer readable storage medium - Google Patents


Info

Publication number: CN113538288A
Application number: CN202110867664.8A
Authority: CN (China)
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Prior art keywords: data packet, detected, state value, data, neural network
Other languages: Chinese (zh)
Inventors: 陈朋, 周武卿
Current assignee: China Mobile Communications Group Co Ltd; China Mobile Hangzhou Information Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: China Mobile Communications Group Co Ltd; China Mobile Hangzhou Information Technology Co Ltd
Application filed by China Mobile Communications Group Co Ltd and China Mobile Hangzhou Information Technology Co Ltd
Priority to CN202110867664.8A (the priority date is an assumption and is not a legal conclusion)
Publication of CN113538288A

Classifications

    • G06T5/90 (Image enhancement or restoration; no further description given on the page)
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting (under G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation; G06F18/20 Analysing; G06F18/00 Pattern recognition)
    • G06F18/24 Classification techniques (under G06F18/20 Analysing; G06F18/00 Pattern recognition)
    • G06N3/045 Combinations of networks (under G06N3/04 Architecture, e.g. interconnection topology; G06N3/02 Neural networks; G06N3/00 Computing arrangements based on biological models)
    • G06N3/08 Learning methods (under G06N3/02 Neural networks; G06N3/00 Computing arrangements based on biological models)
    • G06T5/30 Erosion or dilatation, e.g. thinning (under G06T5/20 Image enhancement or restoration by the use of local operators; G06T5/00 Image enhancement or restoration)
    • H04L63/1425 Traffic logging, e.g. anomaly detection (under H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic; H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic; H04L63/00 Network architectures or network communication protocols for network security)
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms (under H04L63/1441 Countermeasures against malicious traffic; H04L63/14; H04L63/00)
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks (under H04L63/1441 Countermeasures against malicious traffic; H04L63/14; H04L63/00)
    • G06T2207/20081 Training; Learning (under G06T2207/20 Special algorithmic details; G06T2207/00 Indexing scheme for image analysis or image enhancement)
    • G06T2207/20084 Artificial neural networks [ANN] (under G06T2207/20 Special algorithmic details; G06T2207/00 Indexing scheme for image analysis or image enhancement)

Abstract

The invention discloses a network anomaly detection method, a device and a computer-readable storage medium. The network anomaly detection method comprises the following steps: acquiring a data packet to be detected; converting the data in the data packet to be detected into a grayscale image; determining a state value corresponding to the data packet to be detected according to the grayscale image and a target convolutional neural network model, wherein the state value is either a normal state value or an abnormal state value; and when the state value is an abnormal state value, judging that the data packet to be detected is a data packet corresponding to an abnormal data request. The invention can improve the robustness of network anomaly detection.

Description

Network anomaly detection method and device and computer readable storage medium
Technical Field
The present invention relates to the field of deep learning technologies, and in particular, to a method and an apparatus for detecting network anomalies, and a computer-readable storage medium.
Background
The main forms of network attack include SQL injection attacks, cross-site scripting attacks, web page Trojan ("horse hanging", 挂马) attacks and the like. To detect whether the network has been attacked and is behaving abnormally, the network anomaly detection approach currently in use is based on rule matching: detection personnel first write detection rules, and messages are then matched against them one by one. This requires devising a regular-expression matching rule for each attack characteristic used by attackers, and the rule base must be continuously updated and upgraded to keep up with constantly changing attack types. Because the rule base must be continuously updated and upgraded, the approach is difficult to adapt to constantly changing network attack types, and so the robustness of this network anomaly detection approach is poor.
Disclosure of Invention
The invention mainly aims to provide a network anomaly detection method, a network anomaly detection device and a computer-readable storage medium, with the aim of improving the robustness of network anomaly detection.
In order to achieve the above object, the present invention provides a network anomaly detection method, which includes:
acquiring a data packet to be detected;
converting the data in the data packet to be detected into a grayscale image;
determining a state value corresponding to the data packet to be detected according to the grayscale image and a target convolutional neural network model, wherein the state value is either a normal state value or an abnormal state value;
and when the state value is an abnormal state value, judging that the data packet to be detected is a data packet corresponding to an abnormal data request.
In an embodiment, the target convolutional neural network model includes an input layer, a convolutional layer, a max pooling layer, a spatial pyramid pooling layer, a fully connected layer, a classification layer and an output layer. The input layer is configured to receive the grayscale image; the convolutional layer is configured to extract features of the grayscale image to obtain a feature map and to input the feature map to the max pooling layer; the max pooling layer is configured to compress the feature map and to input the compressed feature map to the spatial pyramid pooling layer; the spatial pyramid pooling layer is configured to unify the size of the compressed feature map to a preset size and to input the feature map of unified size to the fully connected layer; the fully connected layer is configured to perform a weighted calculation on the feature map of unified size and to input the weighted feature map to the classification layer; and the classification layer is configured to determine the state value corresponding to the data packet to be detected according to the weighted feature map and to input the state value to the output layer for output.
In an embodiment, before the step of determining the state value corresponding to the data packet to be detected according to the grayscale image and the target convolutional neural network model, the method further includes:
acquiring a preset convolutional neural network model and training data packets, wherein the training data packets comprise data packets corresponding to normal data requests and data packets corresponding to abnormal data requests;
converting the data in the training data packets into grayscale images;
and training the preset convolutional neural network model with the grayscale images corresponding to the training data packets to obtain the target convolutional neural network model.
In an embodiment, the step of training the preset convolutional neural network model with the grayscale images corresponding to the training data packets to obtain the target convolutional neural network model includes:
training the preset convolutional neural network model with the grayscale images corresponding to the training data packets;
acquiring the detection error of the trained preset convolutional neural network model on data packets corresponding to abnormal data requests;
when the detection error is smaller than a preset threshold, taking the trained preset convolutional neural network model as the target convolutional neural network model;
and when the detection error is greater than or equal to the preset threshold, adjusting the training parameters of the preset convolutional neural network model and returning to the step of training the preset convolutional neural network model with the grayscale images corresponding to the training data packets.
In an embodiment, after the step of determining the state value corresponding to the data packet to be detected according to the grayscale image and the target convolutional neural network model, the method further includes:
when the state value of the data packet to be detected is a normal state value, judging that the data packet to be detected is a data packet corresponding to a normal data request.
In an embodiment, before the step of converting the data in the data packet to be detected into the grayscale image, the method further includes:
acquiring the byte length of the data in the data packet to be detected;
taking the square root of the byte length to obtain the side length of the grayscale image;
wherein the step of converting the data in the data packet to be detected into a grayscale image comprises:
converting the data in the data packet to be detected into a square grayscale image of that side length.
In an embodiment, the step of acquiring the data packet to be detected includes:
acquiring a data request;
acquiring the data packets corresponding to the data request;
and assembling the data packets corresponding to the data request to obtain the data packet to be detected.
In addition, to achieve the above object, the present invention provides a network anomaly detection device, including:
an acquisition module for acquiring a data packet to be detected;
a conversion module for converting the data in the data packet to be detected into a grayscale image;
a determining module for determining a state value corresponding to the data packet to be detected according to the grayscale image and a target convolutional neural network model, wherein the state value is either a normal state value or an abnormal state value;
and a judging module for judging that the data packet to be detected is a data packet corresponding to an abnormal data request when the state value is an abnormal state value.
In addition, to achieve the above object, the present invention further provides a network anomaly detection device, which includes a memory, a processor, and a network anomaly detection program stored in the memory and operable on the processor, wherein the network anomaly detection program, when executed by the processor, implements the steps of the network anomaly detection method according to any one of the above aspects.
In addition, to achieve the above object, the present invention further provides a computer-readable storage medium having a network anomaly detection program stored thereon, wherein the network anomaly detection program, when executed by a processor, implements the steps of the network anomaly detection method according to any one of the above aspects.
The invention provides a network anomaly detection method, a network anomaly detection device and a computer-readable storage medium. Because the method and device use a convolutional neural network model to decide, from the state value corresponding to the data packet to be detected, whether that packet corresponds to an abnormal data request, no detection rules need to be set; the method and device can adapt to continuously changing network attack types, and the robustness of network anomaly detection is improved.
Drawings
Fig. 1 is a schematic hardware architecture diagram of a network anomaly detection apparatus according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a network anomaly detection method according to a first embodiment of the present invention;
FIG. 3 is a flowchart illustrating a network anomaly detection method according to a second embodiment of the present invention;
FIG. 4 is a flowchart illustrating a third embodiment of the network anomaly detection method according to the present invention;
FIG. 5 is a schematic diagram of the network structure of a target convolutional neural network model according to an embodiment of the present invention;
fig. 6 is a schematic block diagram of a network anomaly detection device according to an embodiment of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
As an implementation, referring to fig. 1, which is a schematic diagram of the hardware architecture of a network anomaly detection device according to an embodiment of the present invention, the network anomaly detection device may include a processor 101 (for example a CPU), a memory 102 and a communication bus 103, where the communication bus 103 implements connection and communication between these modules.
The memory 102 may be high-speed RAM or non-volatile memory (for example disk storage). As shown in fig. 1, the memory 102, which is a kind of computer-readable storage medium, may hold a network anomaly detection program, and the processor 101 may be configured to invoke the network anomaly detection program stored in the memory 102 and perform the following operations:
acquiring a data packet to be detected;
converting the data in the data packet to be detected into a grayscale image;
determining a state value corresponding to the data packet to be detected according to the grayscale image and a target convolutional neural network model, wherein the state value is either a normal state value or an abnormal state value;
and when the state value is an abnormal state value, judging that the data packet to be detected is a data packet corresponding to an abnormal data request.
In one embodiment, the processor 101 may be configured to invoke the network anomaly detection program stored in the memory 102 and perform the following operations:
acquiring a preset convolutional neural network model and training data packets, wherein the training data packets comprise data packets corresponding to normal data requests and data packets corresponding to abnormal data requests;
converting the data in the training data packets into grayscale images;
and training the preset convolutional neural network model with the grayscale images corresponding to the training data packets to obtain the target convolutional neural network model.
In one embodiment, the processor 101 may be configured to invoke the network anomaly detection program stored in the memory 102 and perform the following operations:
training the preset convolutional neural network model with the grayscale images corresponding to the training data packets;
acquiring the detection error of the trained preset convolutional neural network model on data packets corresponding to abnormal data requests;
when the detection error is smaller than a preset threshold, taking the trained preset convolutional neural network model as the target convolutional neural network model;
and when the detection error is greater than or equal to the preset threshold, adjusting the training parameters of the preset convolutional neural network model and returning to the step of training the preset convolutional neural network model with the grayscale images corresponding to the training data packets.
In one embodiment, the processor 101 may be configured to invoke the network anomaly detection program stored in the memory 102 and perform the following operations:
when the state value of the data packet to be detected is a normal state value, judging that the data packet to be detected is a data packet corresponding to a normal data request.
In one embodiment, the processor 101 may be configured to invoke the network anomaly detection program stored in the memory 102 and perform the following operations:
acquiring the byte length of the data in the data packet to be detected;
taking the square root of the byte length to obtain the side length of the grayscale image;
wherein the step of converting the data in the data packet to be detected into a grayscale image comprises:
converting the data in the data packet to be detected into a square grayscale image of that side length.
In one embodiment, the processor 101 may be configured to invoke the network anomaly detection program stored in the memory 102 and perform the following operations:
acquiring a data request;
acquiring the data packets corresponding to the data request;
and assembling the data packets corresponding to the data request to obtain the data packet to be detected.
Referring to fig. 2, fig. 2 is a schematic flow chart of a first embodiment of a network anomaly detection method according to the present invention, where the network anomaly detection method includes:
step S10, acquiring a data packet to be detected;
Currently, the main forms of network attack include SQL injection attacks, cross-site scripting attacks, web page Trojan (挂马) attacks and the like. In an SQL injection attack, an attacker exploits a Web application's negligent validation of user input and adds symbols or commands that have special meaning to some database systems into the input data, giving the attacker an opportunity to issue instructions directly to the back-end database system and thereby intrude into the back-end database or even the entire application system. The basic procedure is as follows: (1) finding an injection point: a very practical and classic method is to append a single quotation mark, or "and 1=1" and "and 1=2", to a parameter and judge whether the returned web page is normal; (2) determining the database type: judging or guessing from the error information returned for the injection request and from the script type of the website; (3) obtaining database contents: there are two methods, either reading database tables, fields and records directly from the error information returned for the injection request, which is fast, or extracting the database contents step by step from the differences in the responses to constructed injection statements, which is slow; (4) attempting to write a webshell: the back end of a website often grants more rights than the front end, but still not rights over the whole site, so a method of uploading a webshell is needed to obtain greater rights, usually by writing files through SQL injection statements or by abusing the back end's backup and upload functions.
A cross-site scripting attack, also called XSS or CSS (Cross Site Script), means that a malicious attacker inserts malicious HTML code into a Web page; when a user browses the page, the HTML code embedded in the page is executed, achieving the malicious user's particular purpose. Cross-site scripting attacks can be divided into two kinds, stored and reflected. The basic principle of a stored cross-site scripting attack is that the attack code is submitted to the server's database or file system, for example stored in an article or forum post rather than built into a URL, so that every user who visits the page is liable to be attacked. The basic principle of a reflected cross-site scripting attack is that a script is inserted into the URL of a web page with an XSS vulnerability to construct a malicious URL, which is sent to the user by e-mail or the like (phishing); when the user clicks the link, the attacker's script runs, and generally steals the user's personal data such as cookies, or leads the user to a malicious website.
A web page Trojan attack means that an attacker inserts a piece of malicious code into a normal page. If the visitor's browser, or a component loaded by the browser, has a vulnerability, the browser executes the code when it opens the page and then downloads and runs the server-side program of a Trojan. The basic forms are: (1) iframe Trojan: the attacker uses an iframe tag of size 0 to covertly load the malicious code into the web page; (2) JS script Trojan: the malicious code is invoked through a JavaScript script file; (3) CSS Trojan: CSS is a web page's style file, and attackers often hide malicious code in the CSS file; (4) ARP Trojan: the attacker has already obtained control of a server in the local area network and uses it to carry out ARP spoofing, posing as the gateway towards the other servers in the LAN and as a server towards the gateway, thereby intercepting the communication between the other servers and the gateway and inserting malicious code into HTTP responses; this form affects the whole LAN and its damage is huge.
To ensure network security, it is often necessary to detect whether the network is under attack. The commonly used network anomaly detection approach is based on rule matching, but because its rule base must be continuously updated and upgraded, that approach cannot adapt to constantly changing network attack types, and so its robustness is poor.
Based on the problems in the prior art, this embodiment designs a deep learning model: the data packet corresponding to a data request in the network is converted into a grayscale image, and the grayscale image is classified by a convolutional neural network model, so that whether the data packet corresponds to an abnormal data request is output end to end. No detection rules need to be set, the method can adapt to constantly changing network attack types, and the robustness of network anomaly detection is improved.
In this embodiment, the execution subject of the network anomaly detection method is a network anomaly detection device, that is, a device that detects whether a data request in the network is under attack; the network anomaly detection device may be a terminal device such as a computer or a mobile phone.
In this embodiment, the network anomaly detection device obtains a data packet to be detected. The data packet to be detected refers to the data stream corresponding to a particular data request; the data stream of a data request generally exists in the form of data packets, and one data request may consist of one or more data packets, so the device obtains the data packet to be detected by obtaining the data request. Since each data request (an HTTP request) begins with GET or POST, a data request is obtained by locating data beginning with GET or POST, and the data between one GET or POST and the next GET or POST is taken as the data stream of one data request. Only these two methods are named by the description; a request using another HTTP method would not start a new data request under this rule, and a request body that happens to contain "GET " or "POST " would be split as if it were a new request.
Specifically, the network anomaly detection device acquires a data request and the data packets corresponding to it. When the data request has only one data packet, that packet is taken as the data packet to be detected; when the data request has several data packets, they are assembled to obtain the data packet to be detected, where assembling means packaging the several data packets into one larger data packet without altering the data they carry.
Step S20, converting the data in the data packet to be detected into a gray image;
Specifically, after acquiring the data packet to be detected, the network anomaly detection device converts the data in it into a grayscale image, that is, an image in which each pixel carries a single intensity sample. The device can perform the conversion on the raw binary data, each byte value (0 to 255) serving as one pixel intensity. Before the conversion, the square root of the byte length of the data is taken and rounded up to an integer, which is used as the side length of the square grayscale image; the trailing pixels that no data byte fills are padded with 0. (Rounding up rather than to the nearest integer is what makes the zero padding meaningful: with the side length rounded down, the last bytes of the packet would be dropped.)
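As an added, runnable illustration of steps S10 and S20 (example code written for this page, not the patent's or its assignees' implementation): the request-splitting rule described above, under which a new data request starts at each GET or POST, and the byte-to-grayscale conversion with a square side length equal to the rounded-up square root of the byte length, zero-padded. The sample byte stream is constructed for the example; the function names, the PGM writer and the choice to round the square root up are assumptions, and the code deliberately keeps the page's purely textual GET/POST rule, including its weakness that a body containing "GET " or "POST " would be split.

```python
import math

# Constructed sample stream for this example: two HTTP requests back to back,
# the second carrying a classic SQL-injection payload in its body.
SAMPLE_STREAM = (
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    b"POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 26\r\n\r\n"
    b"user=admin&pass=' OR 1=1--"
)

# The page's rule: a data request starts with GET or POST (other HTTP methods
# are not considered by the described method).
REQUEST_MARKERS = (b"GET ", b"POST ")


def split_requests(stream: bytes) -> list[bytes]:
    """Step S10: cut the stream into one chunk per data request.

    Each chunk runs from a GET/POST marker up to the next marker (or the end
    of the stream). The rule is purely textual, so a request body that itself
    contains "GET " or "POST " would be cut as if a new request started there.
    """
    starts = [i for i in range(len(stream)) if stream.startswith(REQUEST_MARKERS, i)]
    if not starts:
        return []
    bounds = starts + [len(stream)]
    return [stream[a:b] for a, b in zip(bounds, bounds[1:])]


def image_side_length(byte_length: int) -> int:
    """Square root of the byte length, rounded UP so that every byte gets a pixel."""
    side = math.isqrt(byte_length)
    if side * side < byte_length:
        side += 1
    return side


def to_grayscale(data: bytes) -> list[list[int]]:
    """Step S20: lay the bytes out row by row as a side x side grayscale image.

    Each byte value (0..255) is used directly as a pixel intensity; the pixels
    after the last data byte are padded with 0, as the description requires.
    """
    side = image_side_length(len(data))
    padded = data + bytes(side * side - len(data))
    return [list(padded[r * side:(r + 1) * side]) for r in range(side)]


def to_pgm(image: list[list[int]]) -> bytes:
    """Serialise the image as binary PGM (P5) so it can be viewed or handed to an
    image library. This writer is a convenience for inspection, not part of the patent."""
    side = len(image)
    header = f"P5\n{side} {side}\n255\n".encode()
    return header + b"".join(bytes(row) for row in image)


if __name__ == "__main__":
    for req in split_requests(SAMPLE_STREAM):
        img = to_grayscale(req)
        print(f"{len(req):3d} bytes -> {len(img)}x{len(img)} image, "
              f"{len(img) ** 2 - len(req)} zero pixels padded")
```

Run as a script, the 48-byte GET request becomes a 7x7 image with one padded pixel and the 90-byte POST request a 10x10 image with ten; the differing side lengths are the reason the model described in step S30 needs a spatial pyramid pooling layer before its fully connected layers.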
Step S30, determining a state value corresponding to the data packet to be detected according to the gray level image and the target convolutional neural network model, wherein the state value comprises a normal state value or an abnormal state value;
in this embodiment, the target convolutional neural network model includes an input layer, a convolutional layer, a max pooling layer, a spatial pyramid pooling layer, a full-link layer, a classification layer, and an output layer. The input layer is used for inputting a gray level image; the convolution layer is used for extracting the characteristics of the gray level image to obtain a characteristic diagram and inputting the characteristic diagram into the maximum pooling layer; the maximum pooling layer is used for compressing the feature map and inputting the compressed feature map into the spatial pyramid pooling layer; the spatial pyramid pooling layer is used for unifying the size of the compressed feature map into a preset size, and inputting the feature map with the unified size into the full-connection layer, wherein the preset size can be determined according to actual needs, and the embodiment does not limit the size; the full connection layer is used for carrying out weighting calculation on the feature maps with uniform sizes and inputting the feature maps after weighting calculation into the classification layer; and the classification layer is used for determining a state value corresponding to the data packet to be detected according to the characteristic diagram after weighting calculation, and inputting the state value to the output layer for output.
In this embodiment, the state value corresponding to the to-be-detected data packet is used to determine whether the to-be-detected data packet is a data packet corresponding to a normal data request or a data packet corresponding to an abnormal data request, and the state value may be represented by binary numbers 0 and 1, for example, the state value 0 represents that the to-be-detected data packet is a data packet corresponding to a normal data request, and the state value 1 represents that the to-be-detected data packet is a data packet corresponding to an abnormal data request. Of course, in other embodiments, the representation manner of the state value corresponding to the to-be-detected data packet may be determined according to actual needs, which is not limited in this embodiment.
Specifically, referring to fig. 5, which is a schematic diagram of the network structure of the target convolutional neural network model according to an embodiment of the present invention, the target convolutional neural network model is composed of an input layer, 3 convolutional layers, a maximum pooling layer, a spatial pyramid pooling layer, 2 fully-connected layers, a classification layer, and an output layer, where the convolutional layers include a first convolutional layer, a second convolutional layer, and a third convolutional layer, and the fully-connected layers include a first fully-connected layer and a second fully-connected layer. The connection sequence of the network layers in the target convolutional neural network model is as follows: input layer - first convolutional layer - second convolutional layer - maximum pooling layer - third convolutional layer - spatial pyramid pooling layer - first fully-connected layer - second fully-connected layer - classification layer - output layer.
The input layer is mainly used for inputting the gray level image to the first convolutional layer of the target convolutional neural network model. The first convolutional layer and the second convolutional layer are mainly used for performing feature extraction on the gray level image input by the input layer through convolution operations, generating a feature map corresponding to the gray level image, and sending the generated feature map to the maximum pooling layer. The maximum pooling layer is mainly used for compressing the feature map input by the second convolutional layer through down-sampling: it uses a maximum pooling algorithm that selects the maximum value in each sliding window as an element of the new feature map, so as to reduce the number of parameters of the feature map and simplify the computational complexity of the network. After the feature map is compressed by the maximum pooling layer, the compressed feature map is input into the third convolutional layer for a further convolution operation, and the third convolutional layer inputs the convolved feature map into the spatial pyramid pooling layer. The spatial pyramid pooling layer is mainly used for generating a fixed-size output feature map from an input feature map of any size: it divides the feature map into blocks at several scales, extracts features from each block, and fuses the extracted features together so that features of multiple scales are compatible. In this way the spatial pyramid pooling layer unifies the sizes of the feature maps to a preset size and sends the feature maps of unified size to the first fully-connected layer. The first fully-connected layer performs a weighted calculation on the feature map of unified size and inputs the result to the second fully-connected layer; the second fully-connected layer performs a further weighted calculation on the output of the first fully-connected layer to synthesize the features of the gray level image, and inputs the synthesized features into the classification layer. The classification layer is mainly used for determining the state value of the data packet to be detected according to the synthesized features of the gray level image and inputting the state value into the output layer, where the classifier adopted by the classification layer is a softmax classifier. The output layer is mainly used for outputting the state value of the data packet to be detected.
Specifically, after the network anomaly detection device acquires the gray level image, the gray level image is input into the target convolutional neural network model, and the state value of the data packet to be detected is obtained by carrying out layer-by-layer convolution, pooling, connection and classification on the gray level image through the target convolutional neural network model.
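The feature-extraction stage described above, written out as an added example in plain Python (this is not code from the patent or its applicants); it shows why the spatial pyramid pooling layer lets gray level images of different sizes reach the fully-connected layers as a vector of one fixed length. The 3x3 kernel, the 2x2 stride-2 pooling window and the pyramid levels (1, 2, 4) are assumptions the patent does not state.

```python
"""Convolution, maximum pooling and spatial pyramid pooling (SPP) on a
single-channel gray level image, in the layer order the description gives.

Added example, not the patent's own code. Kernel, pooling window and pyramid
levels are assumptions; the sample images are constructed for the example.
"""
from __future__ import annotations

import math

FeatureMap = list[list[float]]

# Constructed stand-in for a learned convolution kernel (a Laplacian edge filter).
SAMPLE_KERNEL: FeatureMap = [[0.0, 1.0, 0.0], [1.0, -4.0, 1.0], [0.0, 1.0, 0.0]]
PYRAMID_LEVELS = (1, 2, 4)  # assumed SPP levels: 1x1, 2x2 and 4x4 grids of blocks


def convolve2d(fmap: FeatureMap, kernel: FeatureMap) -> FeatureMap:
    """'Same' convolution with zero padding, so the map keeps its size."""
    rows, cols, k = len(fmap), len(fmap[0]), len(kernel)
    pad = k // 2
    out: FeatureMap = []
    for r in range(rows):
        row = []
        for c in range(cols):
            acc = 0.0
            for i in range(k):
                for j in range(k):
                    rr, cc = r + i - pad, c + j - pad
                    if 0 <= rr < rows and 0 <= cc < cols:
                        acc += fmap[rr][cc] * kernel[i][j]
            row.append(acc)
        out.append(row)
    return out


def max_pool(fmap: FeatureMap, window: int = 2, stride: int = 2) -> FeatureMap:
    """Maximum pooling: keep the largest value of each sliding window."""
    rows, cols = len(fmap), len(fmap[0])
    if rows < window or cols < window:  # map already smaller than one window
        return fmap
    pooled: FeatureMap = []
    for r0 in range(0, rows - window + 1, stride):
        pooled.append([max(fmap[i][j]
                           for i in range(r0, r0 + window)
                           for j in range(c0, c0 + window))
                       for c0 in range(0, cols - window + 1, stride)])
    return pooled


def spatial_pyramid_pool(fmap: FeatureMap, levels=PYRAMID_LEVELS) -> list[float]:
    """For each level n, split the map into an n x n grid of blocks, max-pool
    every block and concatenate. Block edges use floor/ceil so every block is
    non-empty even when the map is smaller than n x n; the output therefore
    always has sum(n*n) entries, whatever the input size."""
    rows, cols = len(fmap), len(fmap[0])
    features: list[float] = []
    for n in levels:
        for bi in range(n):
            r0, r1 = (bi * rows) // n, math.ceil((bi + 1) * rows / n)
            for bj in range(n):
                c0, c1 = (bj * cols) // n, math.ceil((bj + 1) * cols / n)
                features.append(max(fmap[i][j]
                                    for i in range(r0, r1)
                                    for j in range(c0, c1)))
    return features


def spp_output_length(levels=PYRAMID_LEVELS) -> int:
    """Length of the vector the SPP layer hands to the first fully-connected layer."""
    return sum(n * n for n in levels)


def extract_features(image: FeatureMap) -> list[float]:
    """conv -> conv -> max pool -> conv -> SPP, as in the connection sequence above."""
    fmap = convolve2d(image, SAMPLE_KERNEL)   # first convolutional layer
    fmap = convolve2d(fmap, SAMPLE_KERNEL)    # second convolutional layer
    fmap = max_pool(fmap)                     # maximum pooling layer
    fmap = convolve2d(fmap, SAMPLE_KERNEL)    # third convolutional layer
    return spatial_pyramid_pool(fmap)         # spatial pyramid pooling layer


def ramp_image(side: int) -> FeatureMap:
    """Constructed sample gray level image: pixel (i, j) has value i*side + j."""
    return [[float(i * side + j) for j in range(side)] for i in range(side)]


if __name__ == "__main__":
    for side in (7, 12, 30):
        vec = extract_features(ramp_image(side))
        print(f"{side}x{side} image -> {len(vec)} SPP features")
```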
Step S40, when the state value is an abnormal state value, determining that the data packet to be detected is a data packet corresponding to an abnormal data request.
In this embodiment, after obtaining the state value of the data packet to be detected, the network anomaly detection device determines whether the data packet to be detected is a data packet corresponding to the abnormal data request according to the state value, so as to determine whether the network is attacked.
Specifically, when the state value of the data packet to be detected is an abnormal state value, it is determined that the data packet to be detected is a data packet corresponding to an abnormal data request, which indicates that the data request is attacked by a network and the data request is abnormal; and when the state value of the data packet to be detected is a normal state value, judging that the data packet to be detected is a data packet corresponding to the normal data request, and indicating that the data request is not attacked by a network and the data request is not abnormal.
In the technical scheme provided by this embodiment, a data packet to be detected is obtained, the data in the data packet to be detected is converted into a grayscale image, a state value corresponding to the data packet to be detected is determined according to the grayscale image and a target convolutional neural network model, where the state value is either a normal state value or an abnormal state value, and when the state value is the abnormal state value, it is determined that the data packet to be detected is a data packet corresponding to an abnormal data request. Because the method and the device decide, on the basis of the convolutional neural network model and the state value corresponding to the data packet to be detected, whether that packet corresponds to an abnormal data request, no detection rules need to be set; the method and the device can therefore adapt to continuously changing network attack types, and the robustness and accuracy of network anomaly detection are improved.
Referring to fig. 3, fig. 3 is a flowchart illustrating a second embodiment of the network anomaly detection method according to the present invention. Based on the first embodiment, before step S30, the method further includes:
step S50, acquiring a preset convolutional neural network model and a training data packet, wherein the training data packet comprises a data packet corresponding to a normal data request and a data packet corresponding to an abnormal data request;
In this embodiment, the preset convolutional neural network model refers to a convolutional neural network model that is preset in the network anomaly detection device and has not yet been trained; its network structure is identical to that of the target convolutional neural network model and is not described again here. It should be noted that, since the detection error needs to be calculated in the training phase of the preset convolutional neural network model, the classifier of the classification layer during training is a softmax-with-loss classifier, so that the detection error can be calculated.
In this embodiment, the training data packet refers to a set of data packets including data packets corresponding to normal data requests and data packets corresponding to abnormal data requests. The training data packet is generated automatically by the network attack protection system and includes a preset number of data packets corresponding to normal data requests and a preset number of data packets corresponding to abnormal data requests, where the abnormal requests cover SQL injection, buffer overflow, information collection, file leakage, CRLF injection, cross-site scripting, and the like, and the preset numbers may be 36000 data packets corresponding to normal data requests and 25000 data packets corresponding to abnormal data requests.
Specifically, the network anomaly detection device obtains a preset convolutional neural network model and a training data packet after converting a data packet to be detected into a gray image, so as to obtain a target convolutional neural network model by training the preset convolutional neural network model through the training data packet.
Step S60, converting the data in the training data packet into gray level images;
specifically, after the network anomaly detection device obtains the preset convolutional neural network model and the training data packet, the data in the training data packet is converted into the grayscale image, the conversion mode is completely the same as the mode of converting the data packet to be detected into the grayscale image, specifically, reference may be made to the contents of the first embodiment, and details of this embodiment are not repeated here.
Step S70, training the preset convolutional neural network model through the gray level image corresponding to the training data packet to obtain a target convolutional neural network model.
Specifically, after the network anomaly detection device acquires the gray level image corresponding to the training data packet, it inputs that gray level image into the preset convolutional neural network model and trains the model with it, then acquires the detection error of the trained preset convolutional neural network model for data packets corresponding to abnormal data requests. When the detection error is smaller than a preset threshold value, the trained preset convolutional neural network model is determined as the target convolutional neural network model; when the detection error is larger than or equal to the preset threshold value, the training parameters of the preset convolutional neural network model are adjusted and the step of training the preset convolutional neural network model through the gray level image corresponding to the training data packet is repeated, until the detection error is smaller than the preset threshold value.
In the technical scheme provided by this embodiment, a preset convolutional neural network model and a training data packet are obtained, where the training data packet includes a data packet corresponding to a normal data request and a data packet corresponding to an abnormal data request, data in the training data packet is converted into a grayscale image, and the preset convolutional neural network model is trained through the grayscale image corresponding to the training data packet to obtain a target convolutional neural network model. According to the scheme, the target convolutional neural network model is obtained by training the preset convolutional neural network model through a large number of training data packets, so that the target convolutional neural network model can accurately identify and detect the data packets corresponding to the abnormal data requests, and the accuracy and robustness of network abnormality detection are improved.
Referring to fig. 4, fig. 4 is a flowchart illustrating a third embodiment of the network anomaly detection method according to the present invention. Based on the first embodiment, before step S20, the method further includes:
step S80, acquiring the byte length of the data in the data packet to be detected;
step S90, performing a square-root operation on the byte length to obtain the side length of the gray level image;
wherein step S20 includes:
step S21, converting the data in the data packet to be detected into a gray level image with that side length.
Specifically, after the network anomaly detection device acquires the data packet to be detected, it acquires the byte length of the data in the data packet to be detected, then obtains the side length of the gray level image by taking the square root of the acquired byte length, and then converts the data in the data packet to be detected into a gray level image with that side length.
In the technical scheme provided by this embodiment, the byte length of the data in the data packet to be detected is obtained, then the square root of the byte length is taken to obtain the side length of the gray level image, and finally the data in the data packet to be detected is converted into a gray level image with that side length. By strictly controlling the size of the gray level image in this way, the identification accuracy of the convolutional neural network model for network attacks can be improved.
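The byte-to-image conversion of this third embodiment, as an added example in plain Python (not code from the patent or its applicants). The side length is the square root of the byte length as described above; the patent does not say how byte lengths that are not perfect squares are handled, so rounding the side up and zero-padding the tail is an assumption made here, and the HTTP request used as input is constructed for the example.

```python
"""Convert the bytes of a data packet to a square gray level image and back.

Added example, not the patent's own code. Rounding the side length up and
zero-padding the remainder is an assumption; the sample packet is constructed.
"""
from __future__ import annotations

import math

# Constructed sample data packet: 48 bytes, so the image is 7 x 7 with one pad pixel.
SAMPLE_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"


def image_side_length(byte_length: int) -> int:
    """Smallest side n with n*n >= byte_length (the square root, rounded up)."""
    if byte_length <= 0:
        raise ValueError("data packet carries no data")
    return math.isqrt(byte_length - 1) + 1


def packet_to_grayscale(data: bytes) -> list[list[int]]:
    """One byte per pixel (0-255), written row by row; padding pixels are 0."""
    side = image_side_length(len(data))
    padded = data.ljust(side * side, b"\x00")
    return [list(padded[r * side:(r + 1) * side]) for r in range(side)]


def grayscale_to_packet(image: list[list[int]], byte_length: int) -> bytes:
    """Inverse mapping: the conversion is lossless once the padding is dropped."""
    flat = bytes(px for row in image for px in row)
    return flat[:byte_length]


def to_pgm(image: list[list[int]]) -> bytes:
    """Serialize as a binary PGM (P5) so the image can be inspected with ordinary viewers."""
    side = len(image)
    header = f"P5\n{side} {side}\n255\n".encode("ascii")
    return header + bytes(px for row in image for px in row)


if __name__ == "__main__":
    img = packet_to_grayscale(SAMPLE_REQUEST)
    print(f"{len(SAMPLE_REQUEST)} bytes -> {len(img)}x{len(img[0])} gray level image")
    print("first row of pixels:", img[0])
```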
Referring to fig. 6, the present invention further provides a network anomaly detection apparatus, including:
an acquisition module 100, configured to acquire a data packet to be detected;
the conversion module 200 is configured to convert data in the to-be-detected data packet into a grayscale image;
a determining module 300, configured to determine a state value corresponding to the to-be-detected data packet according to the grayscale image and a target convolutional neural network model, where the state value includes a normal state value or an abnormal state value;
a judging module 400, configured to judge that the data packet to be detected is a data packet corresponding to an abnormal data request when the state value is the abnormal state value.
In an embodiment, the network anomaly detection apparatus further includes a training module 500, where the training module 500 is specifically configured to:
acquiring a preset convolutional neural network model and a training data packet, wherein the training data packet comprises a data packet corresponding to a normal data request and a data packet corresponding to an abnormal data request;
converting data in the training data packet into a gray image;
and training the preset convolutional neural network model through the gray level image corresponding to the training data packet to obtain a target convolutional neural network model.
In an embodiment, in the aspect of training the preset convolutional neural network model through the gray level image corresponding to the training data packet to obtain the target convolutional neural network model, the training module 500 is specifically configured to:
training the preset convolution neural network model through the gray level image corresponding to the training data packet;
acquiring the detection error of the trained preset convolutional neural network model in detecting data packets corresponding to abnormal data requests;
when the detection error is smaller than a preset threshold value, determining the trained preset convolutional neural network model as the target convolutional neural network model;
and when the detection error is larger than or equal to the preset threshold value, adjusting the training parameters of the preset convolutional neural network model, and returning to the step of executing the training of the preset convolutional neural network model through the gray level image corresponding to the training data packet.
In an embodiment, the judging module 400 is specifically configured to:
and when the state value of the data packet to be detected is a normal state value, judging that the data packet to be detected is a data packet corresponding to the normal data request.
In an embodiment, in the aspect of converting the data in the data packet to be detected into the grayscale image, the conversion module 200 is specifically configured to:
acquiring the byte length of data in the data packet to be detected;
performing a square-root operation on the byte length to obtain the side length of the gray level image;
wherein, the step of converting the data in the data packet to be detected into a gray image comprises the following steps:
and converting the data in the data packet to be detected into a gray image corresponding to the side length.
In an embodiment, in the aspect of acquiring the data packet to be detected, the acquisition module 100 is specifically configured to:
acquiring a data request;
acquiring a data packet corresponding to the data request;
and assembling the data packet corresponding to the data request to obtain the data packet to be detected.
Based on the foregoing embodiments, the present invention further provides a network anomaly detection apparatus, where the network anomaly detection apparatus may include a memory, a processor, and a network anomaly detection program that is stored in the memory and is executable on the processor, and when the processor executes the network anomaly detection program, the steps of the network anomaly detection method according to any one of the foregoing embodiments are implemented.
Based on the foregoing embodiments, the present invention further provides a computer-readable storage medium, on which a network anomaly detection program is stored, where the network anomaly detection program, when executed by a processor, implements the steps of the network anomaly detection method according to any one of the foregoing embodiments.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) as described above and includes instructions for enabling a terminal device (e.g., a smart tv, a mobile phone, a computer, etc.) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. A network anomaly detection method is characterized by comprising the following steps:
acquiring a data packet to be detected;
converting the data in the data packet to be detected into a gray image;
determining a state value corresponding to the data packet to be detected according to the gray level image and a target convolutional neural network model, wherein the state value comprises a normal state value or an abnormal state value;
and when the state value is an abnormal state value, judging that the data packet to be detected is a data packet corresponding to the abnormal data request.
2. The network anomaly detection method according to claim 1, wherein the target convolutional neural network model includes an input layer, a convolutional layer, a maximum pooling layer, a spatial pyramid pooling layer, a fully-connected layer, a classification layer, and an output layer; the input layer is used for inputting the gray level image; the convolutional layer is used for extracting features of the gray level image to obtain a feature map and inputting the feature map to the maximum pooling layer; the maximum pooling layer is used for compressing the feature map and inputting the compressed feature map to the spatial pyramid pooling layer; the spatial pyramid pooling layer is used for unifying the size of the compressed feature map to a preset size and inputting the feature map of unified size into the fully-connected layer; the fully-connected layer is used for performing a weighted calculation on the feature map of unified size and inputting the weighted feature map into the classification layer; and the classification layer is used for determining the state value corresponding to the data packet to be detected according to the weighted feature map and inputting the state value into the output layer for output.
3. The method according to claim 1, wherein before the step of determining the state value corresponding to the data packet to be detected according to the gray-scale image and the target convolutional neural network model, the method further comprises:
acquiring a preset convolutional neural network model and a training data packet, wherein the training data packet comprises a data packet corresponding to a normal data request and a data packet corresponding to an abnormal data request;
converting data in the training data packet into a gray image;
and training the preset convolutional neural network model through the gray level image corresponding to the training data packet to obtain a target convolutional neural network model.
4. The method according to claim 3, wherein the step of training the preset convolutional neural network model through the gray level image corresponding to the training data packet to obtain the target convolutional neural network model comprises:
training the preset convolution neural network model through the gray level image corresponding to the training data packet;
acquiring the detection error of the trained preset convolutional neural network model in detecting data packets corresponding to abnormal data requests;
when the detection error is smaller than a preset threshold value, determining the trained preset convolutional neural network model as the target convolutional neural network model;
and when the detection error is larger than or equal to the preset threshold value, adjusting the training parameters of the preset convolutional neural network model, and returning to the step of executing the training of the preset convolutional neural network model through the gray level image corresponding to the training data packet.
5. The method according to claim 1, wherein after the step of determining the state value corresponding to the data packet to be detected according to the gray-scale image and the target convolutional neural network model, the method further comprises:
and when the state value of the data packet to be detected is a normal state value, judging that the data packet to be detected is a data packet corresponding to the normal data request.
6. The method for detecting network anomaly according to claim 1, wherein before the step of converting the data in the data packet to be detected into the gray scale image, the method further comprises:
acquiring the byte length of data in the data packet to be detected;
performing a square-root operation on the byte length to obtain the side length of the gray level image;
wherein, the step of converting the data in the data packet to be detected into a gray image comprises the following steps:
and converting the data in the data packet to be detected into a gray image corresponding to the side length.
7. The method for detecting network anomaly according to claim 1, wherein said step of obtaining data packets to be detected comprises:
acquiring a data request;
acquiring a data packet corresponding to the data request;
and assembling the data packet corresponding to the data request to obtain the data packet to be detected.
8. A network anomaly detection device, characterized in that the network anomaly detection device comprises:
the acquisition module is used for acquiring a data packet to be detected;
the conversion module is used for converting the data in the data packet to be detected into a gray image;
the determining module is used for determining a state value corresponding to the data packet to be detected according to the gray level image and a target convolutional neural network model, wherein the state value comprises a normal state value or an abnormal state value;
and the judging module is used for judging that the data packet to be detected is a data packet corresponding to the abnormal data request when the state value is an abnormal state value.
9. A network anomaly detection device, characterized in that the network anomaly detection device comprises a memory, a processor and a network anomaly detection program stored on the memory and executable on the processor, the network anomaly detection program, when executed by the processor, implementing the steps of the network anomaly detection method according to any one of claims 1-7.
10. A computer-readable storage medium, having a network anomaly detection program stored thereon, which when executed by a processor implements the steps of the network anomaly detection method according to any one of claims 1-7.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110867664.8A CN113538288A (en) 2021-07-29 2021-07-29 Network anomaly detection method and device and computer readable storage medium
Publications (1)

Publication Number Publication Date
CN113538288A true CN113538288A (en) 2021-10-22

Family

ID=78089775
Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108156130A (en) * 2017-03-27 2018-06-12 上海观安信息技术股份有限公司 Network attack detecting method and device
CN109447184A (en) * 2018-11-28 2019-03-08 南京理工大学 Android application network behavior classification method and system based on deep learning
CN111552964A (en) * 2020-04-07 2020-08-18 哈尔滨工程大学 Malicious software classification method based on static analysis
CN112087443A (en) * 2020-09-04 2020-12-15 浙江大学 Intelligent detection method for sensing data abnormity under large-scale industrial sensing network information physical attack
CN112491796A (en) * 2020-10-28 2021-03-12 北京工业大学 Intrusion detection and semantic decision tree quantitative interpretation method based on convolutional neural network
CN112953924A (en) * 2021-02-04 2021-06-11 西安电子科技大学 Network abnormal flow detection method, system, storage medium, terminal and application
CN113037748A (en) * 2021-03-08 2021-06-25 中国科学院信息工程研究所 C and C channel hybrid detection method and system
Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
田俊峰 et al.: "一种基于卷积神经网络的 Web 攻击检测方法" (A Web attack detection method based on convolutional neural networks), 《小型微型计算机系统》 (Journal of Chinese Computer Systems), pages 584-587 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115277071A (en) * 2022-06-17 2022-11-01 中国科学院信息工程研究所 Method and device for detecting abnormal communication behavior of equipment
CN115277071B (en) * 2022-06-17 2024-04-02 中国科学院信息工程研究所 Method and device for detecting abnormal communication behavior of equipment
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination