CN114567512B - Network intrusion detection method, device and terminal based on improved ART2 - Google Patents

Publication number
CN114567512B
Authority
CN
China
Prior art keywords
amplitude
input
difference
mode
pattern
Legal status
Active
Application number
CN202210445030.8A
Other languages
Chinese (zh)
Other versions
CN114567512A (en)
Inventor
戚建淮
韩丹丹
崔宸
刘航
唐娟
Current Assignee
Shenzhen Y&D Electronics Information Co Ltd
Original Assignee
Shenzhen Y&D Electronics Information Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Burglar Alarm Systems (AREA)
  • Alarm Systems (AREA)
  • Image Analysis (AREA)

Abstract

The application belongs to the technical field of computer network security and provides a network intrusion detection method based on an improved ART2, comprising: acquiring an input pattern representing a feature vector of network intrusion data; performing pattern recognition on the input pattern by using the improved ART2 and selecting a target classification pattern, wherein the improved ART2 has learned a plurality of classification patterns in advance, the target classification pattern is the one of the classification patterns that best matches the input pattern, and the matching degree between the target classification pattern and the input pattern is not less than the vigilance (alert) value of the improved ART2; calculating the amplitude difference between the input pattern and the target classification pattern; and, if the amplitude difference is less than a preset threshold value, determining the category of the network intrusion data to be the category corresponding to the target classification pattern.

Description

Network intrusion detection method, device and terminal based on improved ART2
Technical Field
The application belongs to the technical field of computer network security, and particularly relates to a network intrusion detection method, device, terminal and computer readable storage medium based on improved ART2.
Background
At present, with the development of network technologies, network intrusion behaviors are increasingly diversified, which relates to a new generation of network security technology.
An Intrusion Detection System (IDS) is used to identify illegal attacks against computer systems, network systems or, more generally, information systems, including detecting malicious attacks or probing by external illegal intruders as well as actions by internal legitimate users that exceed their usage rights. Intrusion detection is proactive and real-time and has become a powerful supplement to the firewall, so that intrusion behaviors can be classified quickly and accurately and intrusion prevention measures can be provided in a more targeted way.
However, due to the diversification of network intrusion behaviors, many new types of network intrusion behaviors may occur, and if the intrusion behavior classification is performed by still referring to the characteristics of the historical data, the situations of erroneous judgment and missed judgment may occur, which affects the classification accuracy of intrusion detection.
Disclosure of Invention
In view of the above, the present application provides a network intrusion detection method, apparatus, terminal and computer readable storage medium based on an improved ART2, so as to solve the problem in the prior art that misjudgments and missed judgments may occur when network intrusions are classified, which affects the classification accuracy of intrusion detection.
A first aspect of the present application provides a network intrusion detection method based on an improved ART2, including:
acquiring an input mode, wherein the input mode represents a feature vector of network intrusion data;
performing pattern recognition on the input pattern by using an improved ART2, and selecting a target classification pattern, wherein the improved ART2 learns a plurality of classification patterns in advance, the target classification pattern represents the one of the classification patterns that best matches the input pattern, and the matching degree of the target classification pattern and the input pattern is not less than the vigilance (alert) value of the improved ART2;
calculating the amplitude difference of the input mode and the target classification mode;
and if the amplitude difference is smaller than a preset threshold value, determining the category of the network intrusion data as the category corresponding to the target classification mode.
In one implementation, after the calculating the difference in amplitude of the input pattern and the target classification pattern, the method further comprises:
and if the amplitude difference is not smaller than a preset threshold value, inhibiting the selected classification mode, reselecting a target classification mode, and executing the step of calculating the amplitude difference between the input mode and the target classification mode until the calculated amplitude difference between the input mode and the target classification mode is smaller than the preset threshold value.
In one implementation, the method further comprises:
and if all the classification modes in the plurality of classification modes are inhibited, creating a new classification mode, and determining the created new classification mode as the class of the network intrusion data.
In one implementation, the calculating the amplitude difference of the input pattern and the target classification pattern includes:
calculating the maximum amplitude and the minimum amplitude of the input mode, and recording as the input maximum amplitude and the input minimum amplitude;
calculating the maximum amplitude and the minimum amplitude of the target classification mode, and recording the maximum amplitude and the minimum amplitude as feedback maximum amplitude and feedback minimum amplitude;
calculating the absolute value of the difference between the input maximum amplitude and the feedback maximum amplitude, and recording the absolute value as a first difference value;
calculating the absolute value of the difference between the input minimum amplitude and the feedback minimum amplitude, and recording the absolute value as a second difference value;
if the first difference value and the second difference value are both smaller than a preset threshold value, determining that the amplitude difference is smaller than the preset threshold value;
and if any one of the first difference value and the second difference value is not less than a preset threshold value, determining that the amplitude difference is not less than the preset threshold value.
In one implementation, before performing pattern recognition on the input pattern by using the improved ART2, the method further comprises: training the improved ART2 on a preset network intrusion data training set based on a genetic algorithm, obtaining hyperparameters, and initializing the parameters of the improved ART2 with the hyperparameters.
In one implementation, after the calculating the amplitude difference between the input pattern and the target classification pattern, the method further includes:
and if the amplitude difference is smaller than a preset threshold value, updating and memorizing the instar weight of the neuron corresponding to the target classification mode in the improved ART2.
In one implementation, the comparison layer of the attention subsystem of the improved ART2 includes a first amplitude recording neuron and a second amplitude recording neuron; wherein the first amplitude recording neuron is configured to record the maximum amplitude of an input pattern; the second amplitude recording neuron is configured to record the minimum amplitude of the input pattern.
A second aspect of the present application provides a network intrusion detection apparatus based on an improved ART2, including:
an acquisition unit, configured to acquire an input pattern, wherein the input pattern represents a feature vector of network intrusion data;
a recognition unit, configured to perform pattern recognition on the input pattern by using an improved ART2, and select a target classification pattern, where the improved ART2 learns a plurality of classification patterns in advance, the target classification pattern represents the one of the classification patterns that best matches the input pattern, and the matching degree between the target classification pattern and the input pattern is not less than the vigilance (alert) value of the improved ART2;
a calculating unit, configured to calculate a magnitude difference between the input pattern and the target classification pattern;
and the determining unit is used for determining the category of the network intrusion data as the category corresponding to the target classification mode if the amplitude difference is smaller than a preset threshold value.
In one implementation manner, the network intrusion detection apparatus further includes:
and the iteration processing unit is used for inhibiting the selected classification mode at this time when the amplitude difference calculated by the calculating unit is not less than the preset threshold, reselecting the target classification mode, and jumping to the identifying unit to re-execute the step of calculating the amplitude difference between the input mode and the target classification mode until the calculated amplitude difference between the input mode and the target classification mode is less than the preset threshold.
In one implementation, the determining unit is further configured to create a new classification pattern when each classification pattern of the plurality of classification patterns is suppressed, and determine the created new classification pattern as the class of the network intrusion data.
In one implementation, the computing unit is specifically configured to:
calculating the maximum amplitude and the minimum amplitude of the input mode, and recording as the input maximum amplitude and the input minimum amplitude; calculating the maximum amplitude and the minimum amplitude of the target classification mode, and recording as the feedback maximum amplitude and the feedback minimum amplitude; calculating the absolute value of the difference between the input maximum amplitude and the feedback maximum amplitude, and recording the absolute value as a first difference value; calculating the absolute value of the difference between the input minimum amplitude and the feedback minimum amplitude, and recording the absolute value as a second difference value;
if the first difference value and the second difference value are both smaller than a preset threshold value, determining that the amplitude difference is smaller than the preset threshold value; and if any one of the first difference value and the second difference value is not smaller than a preset threshold value, determining that the amplitude difference is not smaller than the preset threshold value.
In one implementation, the network intrusion detection apparatus further includes: an initialization unit, configured to train the improved ART2 on a preset network intrusion data training set based on a genetic algorithm, obtain hyperparameters, and initialize the parameters of the improved ART2 with the hyperparameters.
In one implementation, the network intrusion detection apparatus further includes:
a weight updating unit, configured to update and memorize the instar weight of the neuron corresponding to the target classification mode in the improved ART2 when the amplitude difference is smaller than a preset threshold value.
In one implementation, the comparison layer of the attention subsystem of the improved ART2 includes a first amplitude recording neuron and a second amplitude recording neuron; wherein the first amplitude recording neuron is configured to record the maximum amplitude of an input pattern; the second amplitude recording neuron is configured to record the minimum amplitude of the input pattern.
A third aspect of the present application provides a terminal comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor implements the steps of any one of the network intrusion detection methods as described above when executing the computer program.
A fourth aspect of the present application provides a computer-readable storage medium, in which a computer program is stored, which computer program, when being executed by a processor, performs the steps of the network intrusion detection method according to any one of the above.
Compared with the prior art, the application has the beneficial effects that:
the method comprises the steps of obtaining a characteristic vector input mode representing network intrusion data, carrying out mode recognition on the input mode by utilizing an improved ART2, selecting a target classification mode, calculating the amplitude difference between the input mode and the target classification mode, and determining the category of the network intrusion data as the category corresponding to the target classification mode if the amplitude difference is smaller than a preset threshold value; therefore, the improved ART2 is used for pattern recognition, after the target classification pattern which is most matched with the input pattern is recognized, secondary judgment is carried out according to the amplitude difference between the input pattern and the target classification pattern, and finally a more accurate pattern recognition result is obtained, so that the accuracy of network intrusion behavior classification is improved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the embodiments or the prior art descriptions will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive exercise.
Fig. 1 is a schematic diagram of the architecture of one unit of an improved ART2 provided by the embodiment of the application;
fig. 2 is a flowchart of an implementation of a network intrusion detection method based on the improved ART2 according to an embodiment of the present application;
fig. 3 is a flowchart of another implementation of the network intrusion detection method based on the improved ART2 according to the embodiment of the present application;
fig. 4 is a schematic structural diagram of a network intrusion detection device based on an improved ART2 according to an embodiment of the present application;
fig. 5 is a schematic diagram of a terminal provided in an embodiment of the present application.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth such as particular system structures, techniques, etc. in order to provide a thorough understanding of the embodiments of the present application. It will be apparent, however, to one skilled in the art that the present application may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present application with unnecessary detail.
To make the objects, technical solutions and advantages of the present application more clear, the following description is made by way of specific embodiments with reference to the accompanying drawings.
The Adaptive Resonance Theory (ART) model is a self-organizing neural network proposed by S. Grossberg and A. Carpenter in 1986. The ART model successfully addresses the relationship between stability and plasticity in neural network learning. The ART models include ART and ART2. Of these, ART can only process binary data, while ART2 is widely used for pattern clustering and recognition because it is powerful and has moderate computational complexity. In some applications, however, direct use of the original ART2 may not be ideal, and only a modification of the original ART2 adapted to the features of the problem gives better results.
For example, the comparison and identification process of the original ART2 ignores the amplitude information of the pattern vector, which may make the identification result inaccurate; for another example, because of its winner-take-all competition mechanism, the original ART2 selects only the neuron with the highest matching degree as the output category, although the neuron with the highest matching degree is not necessarily the most accurate classification result; for another example, in the original ART2 noise has a large influence on the result.
Based on the above, the application improves the architecture of the original ART2 by adding two amplitude recording neurons, takes the amplitude information of the pattern vector and the influence of noise into account, and improves the processing algorithm so that it no longer adopts the winner-take-all competition mechanism, as specifically described below:
As shown in Fig. 1, which is an architecture diagram of one unit of the improved ART2 provided by the embodiment of the present application, the improved ART2 includes: a control subsystem 10 and an attention subsystem 11.
The control subsystem 10 includes a comparison sublayer r1 and a vigilance parameter ρ.
The attention subsystem 11 includes a comparison layer F1 and an identification layer F2. The comparison layer F1 is composed of $n$ groups of neurons (only 1 group is shown in Fig. 1), and each group is composed of many neurons ($w_i$, $x_i$, $v_i$, $u_i$, $p_i$, $q_i$, $\|P\|$, $\|V\|$, $\|W\|$), used for accepting the external $n$-dimensional state vector $(i_1, i_2, \ldots, i_n)$, processing it and holding it in short-term memory. The identification layer F2 is composed of $m$ neurons (only 1 is shown in Fig. 1), used for dividing the data processed by the F1 layer into $m$ classes; each neuron represents a pattern class, and the F1 layer and the F2 layer are related through weight vectors. The F1 layer receives the $n$-dimensional input pattern $(i_1, i_2, \ldots, i_n)$ from outside; after being processed in the F1 layer, it is sent to the F2 layer and distributed to the $m$ neurons of the F2 layer for processing, the results $(y_1, y_2, \ldots, y_m)$ are output, the neuron with the maximum output value is selected for activation, and the weight vector is then updated. When the similarity between the input vector and the feedback vector is lower than the vigilance value, the orienting subsystem controls the F2 layer, inhibits the neuron activated in the F2 layer, reselects a winning neuron and tests its similarity, and stops selecting once the requirement is met. In Fig. 1, the open circles represent computational neurons, the filled circles represent gain control neurons, and the filled circles with diagonal lines represent the amplitude recording neurons ($u_{min}$ and $u_{max}$) added by the improvement of the present application.
In the embodiment of the present application, the comparison layer of the attention subsystem of the improved ART2 includes a first amplitude recording neuron and a second amplitude recording neuron; wherein the first amplitude recording neuron is configured to record the maximum amplitude of an input pattern; the second amplitude recording neuron is configured to record the minimum amplitude of the input pattern.
That is,
Figure DEST_PATH_IMAGE001
Fig. 2 shows a flowchart of an implementation of the network intrusion detection method based on the improved ART2 provided in the embodiment of the present application, which is detailed as follows:
In step 201, an input pattern is acquired.
In the embodiment of the application, the input pattern is the input of the improved ART2 model and represents the feature vector of the network intrusion data. Illustratively, after feature extraction a network intrusion data record is represented by a 40-dimensional input vector, also called the input pattern. The input vector may include discrete data or continuous data.
In step 202, pattern recognition is performed on the input pattern by using the improved ART2 to select a target classification pattern.
In the embodiment of the present application, the improved ART2 may learn a plurality of classification patterns in advance; the target classification pattern is the one of the plurality of classification patterns that best matches the input pattern, and the matching degree between the target classification pattern and the input pattern is not less than the vigilance value of the improved ART2.
With reference to fig. 1, the improved ART2 performs pattern recognition on the input pattern as follows:
The intermediate variables are calculated according to the following formulas until the variable $u$ stabilizes:
Figure 660268DEST_PATH_IMAGE002
where
Figure DEST_PATH_IMAGE003
wherein the function
Figure 55477DEST_PATH_IMAGE004
Or
Figure DEST_PATH_IMAGE005
Figure 869850DEST_PATH_IMAGE006
where the amplitude recording neurons are
Figure DEST_PATH_IMAGE007
According to the calculation formula of matching degree
Figure 629995DEST_PATH_IMAGE008
each component of the comparison vector r is calculated; if
Figure DEST_PATH_IMAGE009
Figure 897029DEST_PATH_IMAGE010
then the pattern fed back by the F2 layer is the target classification pattern of the input pattern.
In the formulas above,
Figure DEST_PATH_IMAGE011
are the hyperparameters of the improved ART2 model, which may be determined by prior training.
In step 203, the amplitude difference between the input pattern and the target classification pattern is calculated.
In the embodiment of the present application, the target classification mode needs to be secondarily compared and determined based on the amplitude difference between the target classification mode and the input mode, and the amplitude difference may include a minimum amplitude difference and a maximum amplitude difference.
Specifically, one implementation of step 203 may include:
calculating the maximum amplitude and the minimum amplitude of the input mode, and recording as the input maximum amplitude and the input minimum amplitude;
calculating the maximum amplitude and the minimum amplitude of the target classification mode, and recording the maximum amplitude and the minimum amplitude as feedback maximum amplitude and feedback minimum amplitude;
calculating the absolute value of the difference between the input maximum amplitude and the feedback maximum amplitude, and recording the absolute value as a first difference value;
calculating the absolute value of the difference between the input minimum amplitude and the feedback minimum amplitude, and recording the absolute value as a second difference value;
if the first difference value and the second difference value are both smaller than a preset threshold value, determining that the amplitude difference is smaller than the preset threshold value;
and if any one of the first difference value and the second difference value is not smaller than a preset threshold value, determining that the amplitude difference is not smaller than the preset threshold value.
In this embodiment, calculating the amplitude difference between the input mode and the target classification mode avoids the above-mentioned defect of the original ART model and gives a more accurate pattern recognition result, thereby improving the accuracy of network intrusion behavior classification. In practical applications, the preset threshold may be 0.005.
In step 204, if the amplitude difference is smaller than the preset threshold, the class of the network intrusion data is determined as the class corresponding to the target classification mode.
In this embodiment, the amplitude difference between the input mode and the target classification mode is smaller than the preset threshold, which means that the minimum amplitude difference and the maximum amplitude difference between the input mode and the target classification mode are both smaller than the preset threshold, and the real matching degree between the input mode and the target classification mode is higher, and the input mode and the target classification mode should belong to the same class, so that the class of the network intrusion data may be the class corresponding to the target classification mode.
In one implementation, the improved ART2 may also require parameter initialization before pattern recognition, i.e., setting the values of the following hyperparameters:
Figure 95929DEST_PATH_IMAGE011
Specifically, the improved ART2 may be trained on a preset network intrusion data training set based on a genetic algorithm to obtain hyperparameters, and the parameters of the improved ART2 may be initialized with these hyperparameters.
Illustratively, in the training set of the model a network intrusion data record may be described by 41 features, such as: 2, tcp, smtp, SF, 1684, 363, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 1, 0.00, 0.00, 0.00, 0.00, 1.00, 0.00, 0.00, 104, 66, 0.63, 0.03, 0.01, 0.00, 0.00, 0.00, 0.00, 0.00, normal, where "normal" in the 42nd dimension is the data label; dimensions 2, 3, 4, 7, 12, 14, 15, 21 and 22 are discrete data and the remaining 32 dimensions are continuous data. After the data is read it is rearranged so that the continuous data to be processed is in the 11th to 32nd columns.
In practical application, the input data needs to be preprocessed: the character-type variables (2nd, 3rd and 4th dimensions) are converted into numerical variables by defining preset arrays; the continuous variables are processed by the formula:
Figure 702491DEST_PATH_IMAGE012
where
Figure DEST_PATH_IMAGE013
to standardize the data;
by the formula:
Figure 695854DEST_PATH_IMAGE014
Figure DEST_PATH_IMAGE015
and normalizing the data after normalization.
Taking the second-dimension data as an example for description, for example, if the second-dimension variable is one of tcp, udp and icmp, a preset array protocol _ list = [ "tcp", "udp" and icmp ] is defined, and the character type variable and the position of the variable in the preset array are in one-to-one correspondence, that is, tcp- - -0; the third and the fourth dimensional variables are transformed in the same way.
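The preprocessing described above, as an added example that is not code from the patent: categorical fields are replaced by their index in a preset array, then continuous columns are standardized and normalized. Assumptions: `SERVICE_LIST` and `FLAG_LIST` are hypothetical arrays, z-score and min-max scaling stand in for the patent's formulas (which are not reproduced on this page), and only the first six fields of a record are used.

```python
import statistics

PROTOCOL_LIST = ["tcp", "udp", "icmp"]                # preset array given in the text
SERVICE_LIST = ["http", "smtp", "domain_u", "ecr_i"]  # hypothetical preset array
FLAG_LIST = ["SF", "S0", "REJ"]                       # hypothetical preset array

# 0-based column -> preset array, for the 2nd, 3rd and 4th dimensions.
CATEGORICAL = {1: PROTOCOL_LIST, 2: SERVICE_LIST, 3: FLAG_LIST}

# Constructed sample: row 0 holds the first six fields of the record quoted
# above; rows 1 and 2 are made up for the example.
SAMPLE_ROWS = [
    ["2", "tcp", "smtp", "SF", "1684", "363"],
    ["0", "udp", "domain_u", "SF", "105", "146"],
    ["0", "icmp", "ecr_i", "SF", "1032", "0"],
]


def encode_record(fields):
    """Map character-type fields to their position in the preset array."""
    encoded = []
    for col, value in enumerate(fields):
        table = CATEGORICAL.get(col)
        if table is None:
            encoded.append(float(value))
        elif value in table:
            encoded.append(float(table.index(value)))
        else:
            # A value never seen when the arrays were defined must not be
            # silently mapped onto an existing class index.
            raise ValueError(f"column {col + 1}: unknown value {value!r}")
    return encoded


def scale_column(values):
    """Standardize (z-score, assumed), then normalize to [0, 1] (min-max, assumed)."""
    mean = statistics.fmean(values)
    std = statistics.pstdev(values)
    if std == 0:                      # constant column: avoid division by zero
        return [0.0] * len(values)
    z = [(v - mean) / std for v in values]
    lo, hi = min(z), max(z)
    return [(v - lo) / (hi - lo) for v in z]


def preprocess(rows, continuous_cols=(0, 4, 5)):
    """Encode every record, then rescale the continuous columns in place."""
    encoded = [encode_record(r) for r in rows]
    for col in continuous_cols:
        scaled = scale_column([r[col] for r in encoded])
        for record, value in zip(encoded, scaled):
            record[col] = value
    return encoded


if __name__ == "__main__":
    for record in preprocess(SAMPLE_ROWS):
        print([round(v, 3) for v in record])
```

The scaling statistics must be computed on the training set and reused at detection time, otherwise a single live record cannot be scaled consistently with the learned patterns.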
Specifically, the process of training the genetic algorithm may include:
1) Network initialization, including but not limited to the population size, the number of population evolutions, the crossover probability and the mutation probability, and determining the coding mode (which may be binary coding).
2) Fitness calculation: the fitness value is calculated with a fitness function F; a higher fitness value means that the individual has a greater chance of being inherited, and since the data is intended for intrusion detection, the accuracy rate is selected as the fitness function.
3) Selection: individuals with higher fitness in the current population are inherited by the next population according to a certain rule or model; generally, individuals with high fitness have more chances of being inherited by the next-generation population.
4) Crossover: crossover is the main operation for generating new individuals in a genetic algorithm; it interchanges parts of the chromosomes of two individuals with a given crossover probability.
5) Mutation: new individuals are generated by changing the value of one or more genes of an individual according to the input mutation probability.
6) When the number of evolutions reaches the set number, evolution stops, and the parameters corresponding to the maximum fitness
Figure 450184DEST_PATH_IMAGE011
are found and output.
The fitness function in the above process may be defined as:
Figure 623414DEST_PATH_IMAGE016
(TP indicates that an instance is a positive class and is predicted to be a positive class; FN indicates that an instance is a positive class but is predicted to be a negative class; FP indicates that an instance is a negative class but is predicted to be a positive class; TN indicates that an instance is a negative class and is predicted to be a negative class. Note that, because this is a multi-classification problem, if an instance I belongs to class k, then for I class k is the positive class and the other classes are negative classes.)
In one implementation, the step 203 may further include, after:
If the amplitude difference is smaller than the preset threshold, the instar weight of the neuron corresponding to the target classification mode in the improved ART2 is updated and memorized.
In this embodiment, an amplitude difference between the input mode and the target classification mode that is smaller than the preset threshold means that the input mode and the target classification mode belong to the same class, so the classification result may be output; in order to learn from the current classification process, the instar weight of the neuron corresponding to the target classification mode in the ART2 may be updated and stored.
As can be seen from the above, in the application, by acquiring the feature vector input mode representing the network intrusion data, performing mode identification on the input mode by using the improved ART2, selecting the target classification mode, calculating the amplitude difference between the input mode and the target classification mode, and if the amplitude difference is smaller than a preset threshold, determining the category of the network intrusion data as the category corresponding to the target classification mode; therefore, the improved ART2 is used for pattern recognition, after the target classification pattern which is most matched with the input pattern is recognized, secondary judgment is carried out according to the amplitude difference between the input pattern and the target classification pattern, and finally a more accurate pattern recognition result is obtained, so that the accuracy of network intrusion behavior classification is improved.
Fig. 3 shows a flow chart of another implementation of the network intrusion detection method based on the improved ART2 provided by the embodiment of the present application, which is detailed as follows:
In step 301, an input pattern is acquired.
In step 302, pattern recognition is performed on the input pattern by using the improved ART2, and a target classification pattern is selected.
In step 303, the amplitude difference between the input pattern and the target classification pattern is calculated.
In step 304, if the amplitude difference is smaller than the preset threshold, the category of the network intrusion data is determined to be the category corresponding to the target classification pattern.
For steps 301 to 304, reference may be made to steps 201 to 204 in the embodiment of Fig. 2; they are not described again here.
In step 305, if the amplitude difference is not smaller than the preset threshold, the selected classification pattern is suppressed, the target classification pattern is reselected, and the step of calculating the amplitude difference between the input pattern and the target classification pattern is executed again, until the calculated amplitude difference between the input pattern and the target classification pattern is smaller than the preset threshold.
In this embodiment, the amplitude difference between the input pattern and the target classification pattern is not smaller than the preset threshold when the difference between the maximum amplitudes is not smaller than the preset threshold, or the difference between the minimum amplitudes is not smaller than the preset threshold, or both. This means that although the improved ART2 identified the target classification pattern, that pattern actually differs from the input pattern, and the two should not belong to the same class. The selected classification pattern may then be suppressed, and the flow may jump back to step 302 to reselect the target classification pattern and perform the subsequent steps, until the calculated amplitude difference between the input pattern and the target classification pattern is smaller than the preset threshold.
Further, see fig. 3:
In step 306, if every one of the plurality of classification patterns has been suppressed, a new classification pattern is created, and the newly created classification pattern is determined to be the category of the network intrusion data.
In this embodiment, when every classification pattern learned in advance by the improved ART2 has been suppressed, none of the previously learned classification patterns matches the current input pattern, so a new classification pattern may be created and determined to be the category of the network intrusion data. The improved ART2 therefore has better continual-learning capability: faced with diverse intrusion patterns, it can automatically identify and create new classes, which further improves the accuracy of classifying network intrusion behaviors.
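The loop of steps 302 to 306, as an added sketch that is not code from the patent: cosine similarity stands in for the ART2 matching degree, amplitudes are taken as the largest and smallest vector components, and the weight update is a simple running average. All class names, vectors and thresholds below are constructed for illustration.

```python
import math


def matching_degree(x, w):
    """Cosine similarity: a scale-invariant stand-in for the ART2
    matching degree (assumption, not the patent's formula)."""
    norm = math.sqrt(sum(a * a for a in x)) * math.sqrt(sum(b * b for b in w))
    return sum(a * b for a, b in zip(x, w)) / norm if norm else 0.0


def amplitude_difference_small(x, w, threshold):
    """Secondary judgment: both differences must be below the threshold."""
    first = abs(max(x) - max(w))    # input max amplitude vs feedback max amplitude
    second = abs(min(x) - min(w))   # input min amplitude vs feedback min amplitude
    return first < threshold and second < threshold


class Art2AmplitudeSketch:
    """Hypothetical helper class; the name and fields are not from the patent."""

    def __init__(self, alert_value, amp_threshold, rate=0.5):
        self.alert_value = alert_value      # minimum matching degree
        self.amp_threshold = amp_threshold  # preset amplitude threshold
        self.rate = rate                    # weight-update rate (assumption)
        self.categories = []                # [label, stored pattern] pairs

    def learn(self, label, pattern):
        self.categories.append([label, list(pattern)])

    def classify(self, x):
        """Return (label, labels suppressed on the way to the decision)."""
        if not x:
            raise ValueError("empty input pattern")
        suppressed = []
        candidates = [i for i, (_, w) in enumerate(self.categories)
                      if len(w) == len(x)]
        while candidates:
            # Step 302: pick the best-matching pattern not yet suppressed.
            best = max(candidates,
                       key=lambda i: matching_degree(x, self.categories[i][1]))
            label, w = self.categories[best]
            # Steps 303/304: accept only if the match clears the alert value
            # AND the amplitude difference is below the preset threshold.
            if (matching_degree(x, w) >= self.alert_value
                    and amplitude_difference_small(x, w, self.amp_threshold)):
                # Update and store the weights of the winning neuron.
                self.categories[best][1] = [
                    (1 - self.rate) * b + self.rate * a for a, b in zip(x, w)]
                return label, suppressed
            # Step 305: suppress this pattern and reselect.
            candidates.remove(best)
            suppressed.append(label)
        # Step 306: every learned pattern was suppressed, create a new class.
        new_label = f"category-{len(self.categories) + 1}"
        self.learn(new_label, x)
        return new_label, suppressed


def build_demo():
    """Two constructed classes whose patterns point in nearly the same
    direction but differ about tenfold in amplitude."""
    net = Art2AmplitudeSketch(alert_value=0.95, amp_threshold=0.5)
    net.learn("normal", [0.19, 0.41, 0.10, 0.29])
    net.learn("dos", [2.0, 4.0, 1.0, 3.0])
    return net


if __name__ == "__main__":
    net = build_demo()
    print(net.classify([1.9, 4.1, 1.0, 2.9]))   # high-amplitude input
    print(net.classify([0.0, 0.1, 5.0, 0.0]))   # input unlike any learned class
```

In the first call the "normal" pattern wins on matching degree alone, and only the amplitude check forces the reselection that ends at "dos".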
It should be understood that, the sequence numbers of the steps in the foregoing embodiments do not imply an execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present application.
The following are apparatus embodiments of the present application, and for details not described in detail therein, reference may be made to the corresponding method embodiments described above.
Fig. 4 shows a schematic structural diagram of a network intrusion detection device based on an improved ART2 provided in an embodiment of the present application, and for convenience of description, only the parts related to the embodiment of the present application are shown, which are detailed as follows:
as shown in fig. 4, the network intrusion detection device 4 includes: an acquisition unit 41, a recognition unit 42, a calculation unit 43 and a determination unit 44.
an acquisition unit 41, configured to acquire an input pattern, where the input pattern represents a feature vector of network intrusion data;
a recognition unit 42, configured to perform pattern recognition on the input pattern by using an improved ART2 and select a target classification pattern, where the improved ART2 has learned a plurality of classification patterns in advance, the target classification pattern is the one of the classification patterns that best matches the input pattern, and the matching degree between the target classification pattern and the input pattern is not less than the alert value of the improved ART2;
a calculation unit 43, configured to calculate the amplitude difference between the input pattern and the target classification pattern;
a determination unit 44, configured to determine, if the amplitude difference is smaller than a preset threshold, that the category of the network intrusion data is the category corresponding to the target classification pattern.
In one implementation, the network intrusion detection device 4 further includes:
an iteration processing unit, configured to, when the amplitude difference calculated by the calculation unit 43 is not smaller than the preset threshold, suppress the currently selected classification pattern and jump to the recognition unit 42 to reselect the target classification pattern and re-execute the step of calculating the amplitude difference between the input pattern and the target classification pattern, until the calculated amplitude difference between the input pattern and the target classification pattern is smaller than the preset threshold.
In one implementation, the determining unit 44 is further configured to create a new classification pattern when each classification pattern of the plurality of classification patterns is suppressed, and determine the created new classification pattern as the class of the network intrusion data.
In one implementation, the computing unit 43 is specifically configured to:
calculating the maximum amplitude and the minimum amplitude of the input mode, and recording as the input maximum amplitude and the input minimum amplitude; calculating the maximum amplitude and the minimum amplitude of the target classification mode, and recording the maximum amplitude and the minimum amplitude as feedback maximum amplitude and feedback minimum amplitude; calculating the absolute value of the difference between the input maximum amplitude and the feedback maximum amplitude, and recording the absolute value as a first difference value; calculating the absolute value of the difference between the input minimum amplitude and the feedback minimum amplitude, and recording the absolute value as a second difference value;
if the first difference value and the second difference value are both smaller than a preset threshold value, determining that the amplitude difference is smaller than the preset threshold value; and if any one of the first difference value and the second difference value is not smaller than a preset threshold value, determining that the amplitude difference is not smaller than the preset threshold value.
In one implementation, the network intrusion detection device further includes: an initialization unit, configured to train the improved ART2 on a preset network intrusion data training set based on a genetic algorithm, obtain hyperparameters, and initialize the parameters of the improved ART2 with the hyperparameters.
In one implementation, the network intrusion detection apparatus further includes:
a weight updating unit, configured to update and store the instar weight of the neuron corresponding to the target classification pattern in the improved ART2 when the amplitude difference is smaller than the preset threshold.
In one implementation, the comparison layer of the attention subsystem of the improved ART2 includes a first amplitude recording neuron and a second amplitude recording neuron, where the first amplitude recording neuron is configured to record the maximum amplitude of an input pattern and the second amplitude recording neuron is configured to record the minimum amplitude of the input pattern.
As can be seen from the above, an input pattern representing a feature vector of network intrusion data is acquired; pattern recognition is performed on the input pattern by using the improved ART2 and a target classification pattern is selected; the amplitude difference between the input pattern and the target classification pattern is calculated; and if the amplitude difference is smaller than a preset threshold, the category of the network intrusion data is determined to be the category corresponding to the target classification pattern. Thus, after the improved ART2 has recognized the target classification pattern that best matches the input pattern, a secondary judgment is made according to the amplitude difference between the two, which yields a more accurate pattern recognition result and improves the accuracy of network intrusion behavior classification.
Fig. 5 is a schematic diagram of a terminal according to an embodiment of the present application. As shown in fig. 5, the terminal 5 of this embodiment includes: a processor 50, a memory 51 and a computer program 52 stored in the memory 51 and executable on the processor 50. The processor 50, when executing the computer program 52, implements the steps of the various embodiments of the network intrusion detection method based on the improved ART2 described above, such as the steps 101 to 104 shown in fig. 1. Alternatively, the processor 50, when executing the computer program 52, implements the functions of the units in the above-described device embodiments, such as the functions of the units 41 to 43 shown in fig. 4.
Illustratively, the computer program 52 may be divided into one or more units, which are stored in the memory 51 and executed by the processor 50 to accomplish the present application. One or more of the elements may be a series of computer program instruction segments capable of performing specific functions, which are used to describe the execution of the computer program 52 in the terminal 5. For example, the computer program 52 may be divided into the acquisition unit 41, the recognition unit 42, the calculation unit 43 and the determination unit 44.
The terminal 5 may be a desktop computer, a notebook, a palm computer, a cloud server, or other computing devices. The terminal may include, but is not limited to, a processor 50, a memory 51. It will be appreciated by those skilled in the art that fig. 5 is only an example of a terminal 5 and does not constitute a limitation of the terminal 5 and may include more or less components than those shown, or some components in combination, or different components, for example the terminal may also include input output devices, network access devices, buses, etc.
The Processor 50 may be a Central Processing Unit (CPU), other general purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other Programmable logic device, discrete Gate or transistor logic, discrete hardware components, etc. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The memory 51 may be an internal storage unit of the terminal 5, such as a hard disk or a memory of the terminal 5. The memory 51 may also be an external storage device of the terminal 5, such as a plug-in hard disk provided on the terminal 5, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), and the like. Further, the memory 51 may also include both an internal storage unit of the terminal 5 and an external storage device. The memory 51 is used for storing the computer program and other programs and data required by the terminal. The memory 51 may also be used to temporarily store data that has been output or is to be output.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-mentioned division of the functional units and modules is illustrated, and in practical applications, the above-mentioned function distribution may be performed by different functional units and modules according to needs, that is, the internal structure of the apparatus is divided into different functional units or modules to perform all or part of the above-mentioned functions. Each functional unit and module in the embodiments may be integrated in one processing unit, or each unit may exist alone physically, or two or more units are integrated in one unit, and the integrated unit may be implemented in a form of hardware, or in a form of software functional unit. In addition, specific names of the functional units and modules are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present application. For the specific working processes of the units and modules in the system, reference may be made to the corresponding processes in the foregoing method embodiments, which are not described herein again.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and reference may be made to the related descriptions of other embodiments for parts that are not described or illustrated in a certain embodiment.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus/terminal and method may be implemented in other ways. For example, the above-described apparatus/terminal embodiments are merely illustrative, and for example, the division of the modules or units is only one logical division, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated modules/units, if implemented in the form of software functional units and sold or used as separate products, may be stored in a computer-readable storage medium. Based on this understanding, all or part of the flow in the methods of the embodiments described above can be realized by a computer program, which can be stored in a computer-readable storage medium and which, when executed by a processor, realizes the steps of the method embodiments described above. The computer program comprises computer program code, which may be in the form of source code, object code, an executable file, some intermediate form, etc. The computer-readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a Read-Only Memory (ROM), a Random Access Memory (RAM), an electrical carrier signal, a telecommunications signal, a software distribution medium, etc. It should be noted that the content of the computer-readable medium may be appropriately increased or decreased as required by legislation and patent practice in a jurisdiction; for example, in some jurisdictions, in accordance with legislation and patent practice, computer-readable media do not include electrical carrier signals and telecommunications signals.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not substantially depart from the spirit and scope of the embodiments of the present application and are intended to be included within the scope of the present application.

Claims (9)

1. A network intrusion detection method based on improved ART2 is characterized by comprising the following steps:
acquiring an input mode, wherein the input mode represents a feature vector of network intrusion data;
performing pattern recognition on the input pattern by using an improved ART2, and selecting a target classification pattern, wherein the improved ART2 learns a plurality of classification patterns in advance, the target classification pattern represents one of the classification patterns which is most matched with the input pattern, and the matching degree of the target classification pattern and the input pattern is not less than the alert value of the improved ART2;
calculating the amplitude difference of the input mode and the target classification mode;
if the amplitude difference is smaller than a preset threshold value, determining the category of the network intrusion data as the category corresponding to the target classification mode;
wherein the calculating the amplitude difference of the input pattern and the target classification pattern comprises:
calculating the maximum amplitude and the minimum amplitude of the input mode, and recording as the input maximum amplitude and the input minimum amplitude;
calculating the maximum amplitude and the minimum amplitude of the target classification mode, and recording the maximum amplitude and the minimum amplitude as feedback maximum amplitude and feedback minimum amplitude;
calculating the absolute value of the difference between the input maximum amplitude and the feedback maximum amplitude, and recording the absolute value as a first difference value;
calculating the absolute value of the difference between the input minimum amplitude and the feedback minimum amplitude, and recording the absolute value as a second difference value;
if the first difference value and the second difference value are both smaller than a preset threshold value, determining that the amplitude difference is smaller than the preset threshold value;
and if any one of the first difference value and the second difference value is not smaller than a preset threshold value, determining that the amplitude difference is not smaller than the preset threshold value.
2. The network intrusion detection method of claim 1, wherein after the calculating the amplitude difference of the input pattern and the target classification pattern, the method further comprises:
if the amplitude difference is not smaller than the preset threshold value, suppressing the selected classification pattern, reselecting a target classification pattern, and executing the step of calculating the amplitude difference between the input pattern and the target classification pattern until the calculated amplitude difference between the input pattern and the target classification pattern is smaller than the preset threshold value.
3. The method of network intrusion detection according to claim 2, the method further comprising:
if all the classification patterns in the plurality of classification patterns are suppressed, creating a new classification pattern, and determining the created new classification pattern as the category of the network intrusion data.
4. The network intrusion detection method according to claim 1, further comprising, prior to the pattern recognition of the input pattern using the improved ART2:
training the improved ART2 by using a preset network intrusion data training set based on a genetic algorithm, acquiring hyperparameters, and initializing the parameters of the improved ART2 by using the hyperparameters.
5. The network intrusion detection method of claim 1, further comprising, after the calculating the amplitude difference between the input pattern and the target classification pattern:
if the amplitude difference is smaller than the preset threshold value, updating and storing the instar weight of the neuron corresponding to the target classification pattern in the improved ART2.
6. The network intrusion detection method according to claim 1, wherein the comparison layer of the attention subsystem of the improved ART2 includes a first amplitude recording neuron and a second amplitude recording neuron;
wherein the first amplitude recording neuron is configured to record a maximum amplitude of an input pattern;
the second amplitude recording neuron is configured to record the minimum amplitude of the input pattern.
7. A network intrusion detection device based on an improved ART2, comprising:
an acquisition unit, configured to acquire an input pattern, where the input pattern represents a feature vector of network intrusion data;
a recognition unit, configured to perform pattern recognition on the input pattern by using an improved ART2, and select a target classification pattern, where the improved ART2 learns a plurality of classification patterns in advance, the target classification pattern represents the one of the classification patterns that best matches the input pattern, and a matching degree between the target classification pattern and the input pattern is not less than an alert value of the improved ART2;
a calculating unit, configured to calculate an amplitude difference between the input pattern and the target classification pattern;
a determining unit, configured to determine a category of the network intrusion data as a category corresponding to the target classification mode if the amplitude difference is smaller than a preset threshold;
wherein the computing unit is specifically configured to:
calculating the maximum amplitude and the minimum amplitude of the input mode, and recording as the input maximum amplitude and the input minimum amplitude; calculating the maximum amplitude and the minimum amplitude of the target classification mode, and recording as the feedback maximum amplitude and the feedback minimum amplitude; calculating the absolute value of the difference between the input maximum amplitude and the feedback maximum amplitude, and recording the absolute value as a first difference value; calculating the absolute value of the difference between the input minimum amplitude and the feedback minimum amplitude, and recording the absolute value as a second difference value;
if the first difference value and the second difference value are both smaller than a preset threshold value, determining that the amplitude difference is smaller than the preset threshold value; and if any one of the first difference value and the second difference value is not smaller than a preset threshold value, determining that the amplitude difference is not smaller than the preset threshold value.
8. A terminal comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor when executing the computer program implements the steps of the method of any of claims 1 to 6 as above for improved ART2 based network intrusion detection.
9. A computer readable storage medium storing a computer program, wherein the computer program when executed by a processor implements the steps of the improved ART2 based network intrusion detection method according to any one of claims 1 to 6.
CN202210445030.8A 2022-04-26 2022-04-26 Network intrusion detection method, device and terminal based on improved ART2 Active CN114567512B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210445030.8A CN114567512B (en) 2022-04-26 2022-04-26 Network intrusion detection method, device and terminal based on improved ART2

Publications (2)

Publication Number Publication Date
CN114567512A CN114567512A (en) 2022-05-31
CN114567512B true CN114567512B (en) 2022-08-23

Family

ID=81721122

Country Status (1)

Country Link
CN (1) CN114567512B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant