CN101051953A - Abnormal detecting method based on fuzzy nervous network - Google Patents

Publication number
CN101051953A
Authority
CN
China
Prior art keywords
network
vector
fuzzy
neural network
data vector
Prior art date
Legal status
Pending
Application number
CN 200710027984
Other languages
Chinese (zh)
Inventor
何海涛
罗笑南
Current Assignee
Sun Yat Sen University
National Sun Yat Sen University
Original Assignee
National Sun Yat Sen University
Priority date
Filing date
Publication date
Application filed by National Sun Yat Sen University
Priority to CN 200710027984
Publication of CN101051953A

Abstract

The method comprises two stages: a training stage and a test stage. In the training stage, the input network connection vector is obtained from the network connection data vector training sample set; feature selection and feature transformation are applied to it to generate a feature vector; the feature vector is fed into the fuzzy neural network, which is trained with ANFIS until it stabilizes, yielding the fuzzy neural network model. In the test stage, the network connection vector is first obtained from the network connection data vector training sample set; after preprocessing, a feature vector is generated; the feature vector is input into the trained fuzzy neural network to obtain the corresponding output value; finally, fuzzy clustering is applied to the set of output values.

Description

Anomaly detection method based on a fuzzy neural network
Technical field
The present invention relates to an anomaly detection method for network intrusion and belongs to the technical field of computer network security.
Background art
Network anomalies are mainly situations in a network environment that differ from normal network behavior. They fall broadly into two classes: the first relates to problems such as network faults (for example node or link failures) and administrator misoperation; the second relates to network security problems. One of the main threats to network security is attack on and destruction of the network, and intrusion into information systems through the network. Network intrusion can be defined as the set of any network activities that attempt to compromise the integrity, confidentiality or availability of an information system.
The traditional network intrusion detection method is misuse detection. It accurately detects the known attack types listed in a signature database, but is powerless against new intrusion types outside that database. The application with Chinese patent publication number CN1599334 (an intrusion detection system and intrusion detection method thereof, published 2005.03.23) and the open-source tools Snort and Bro adopt this method.
Anomaly detection, the other network intrusion detection method, can detect some unknown network intrusion behaviors. The applications with Chinese patent publication numbers CN1567810 (network security intrusion detection system and method, published 2005.01.19) and CN1555156 (adaptive intrusion detection method based on a self-organizing map network, published 2004.12.15) adopt this method and have adaptive capability, but they leave the following problems unsolved:
1. The feature transformation problem. Feature transformation is critical to improving the operating efficiency and accuracy of an anomaly detection method.
2. The problem of classifying the output value set in the detection stage. The application CN1555156 uses a threshold-based decision method, which is extremely inflexible.
Summary of the invention
The object of the invention is to overcome the deficiencies of existing anomaly detection methods in feature transformation and in classifying the output value set, and to provide a network anomaly detection method based on a fuzzy neural network. A network anomaly intrusion detection system that uses the invention can be regarded as a black box: its input is the network connection data vector extracted from a real network environment, and its output is exactly 0 or 1, where 0 represents normal and 1 represents anomalous.
The object of the invention is achieved by the following technical scheme. The method is divided into two major stages, a training stage and a detection stage. First, the fuzzy neural network is trained with training samples until it is stable; then the trained fuzzy neural network is used for the actual network anomaly detection task, specifically as follows:
First, the training stage
In the training stage, the input network connection vector is first obtained from the network connection data vector training sample set, and feature selection and feature transformation are applied to it to generate a feature vector. The feature vector is then fed into the fuzzy neural network, which is trained with ANFIS (adaptive neuro-fuzzy inference system) until it is stable, yielding the fuzzy neural network model.
The specific steps of obtaining the input feature vector are:
STEP1: Construct network connection data vectors from the captured set of IP packets; a single network connection data vector comprises three parts: basic features, content features and traffic features.
STEP2: Feature selection: select from the network connection data vector several features relevant to network anomaly detection to form a new data vector.
STEP3: Feature transformation: first reject singular data vectors and normalize the remaining data vectors, then apply a linear transformation to the data vectors using principal component analysis (PCA) to reduce their dimension, thereby obtaining the input feature vector.
Second, the detection stage
In the detection stage, the input network connection vector is first obtained from the network connection data vector training sample set and preprocessed to generate a feature vector. The feature vector is then fed into the trained fuzzy neural network model to obtain the corresponding output value. Finally, fuzzy clustering is applied to the set of output values to determine whether the input network connection data vector sample is anomalous. The specific steps are:
STEP1: Construct the input sample set $X = (x_1, x_2, \ldots, x_n)$ from the current network connection data using the above method of constructing input feature vectors, feed it into the trained fuzzy neural network, and obtain the corresponding output value set $Y = (y_1, y_2, \ldots, y_n)$.
STEP2: Classify the output value set $Y$ using Fuzzy C-Means clustering (FCM): if $y_i$ ($1 \le i \le n$) falls in class 1, the network connection corresponding to the input feature vector $x_i$ ($1 \le i \le n$) is anomalous; if $y_i$ ($1 \le i \le n$) falls in class 0, the network connection corresponding to the input feature vector $x_i$ ($1 \le i \le n$) is normal.
Compared with the prior art, the advantages of this method are:
1. It combines the supervised and unsupervised modes of pattern recognition: ANFIS, used to train the fuzzy neural model, is supervised, while FCM in the detection stage is unsupervised.
2. The PCA linear transformation effectively reduces the dimension of the input vector and improves operating efficiency.
3. The Fuzzy C-Means clustering algorithm FCM solves the problem of setting a threshold manually.
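Detection STEP2 and advantage 3, sketched as an added example (not code from the patent): a two-cluster Fuzzy C-Means over scalar network outputs, next to a fixed cut-off for comparison. The output values are constructed, and treating the cluster with the larger center as class 1 is an assumption; the page only says class 1 means anomalous.

```python
def memberships(values, centers, m):
    """FCM membership of every value in every cluster (each row sums to 1)."""
    power = 2.0 / (m - 1.0)
    rows = []
    for y in values:
        dist = [abs(y - c) for c in centers]
        if min(dist) == 0.0:
            # y sits exactly on a center: it belongs fully to that cluster.
            hits = [1.0 if d == 0.0 else 0.0 for d in dist]
            rows.append([h / sum(hits) for h in hits])
        else:
            rows.append([1.0 / sum((dk / dj) ** power for dj in dist)
                         for dk in dist])
    return rows


def fcm_1d(values, clusters=2, m=2.0, tol=1e-6, max_iter=200):
    """Fuzzy C-Means on scalar outputs; returns (centers, membership rows)."""
    lo, hi = min(values), max(values)
    if lo == hi:
        raise ValueError("all outputs are identical, nothing to cluster")
    # Deterministic start: centers spread evenly over the observed range.
    centers = [lo + (hi - lo) * k / (clusters - 1) for k in range(clusters)]
    for _ in range(max_iter):
        u = memberships(values, centers, m)
        updated = []
        for k in range(clusters):
            w = [row[k] ** m for row in u]
            updated.append(sum(wi * y for wi, y in zip(w, values)) / sum(w))
        shift = max(abs(a - b) for a, b in zip(updated, centers))
        centers = updated
        if shift < tol:
            break
    return centers, memberships(values, centers, m)


def classify_outputs(outputs):
    """Label each output 1 (anomalous) or 0 (normal) without a preset cut-off."""
    centers, u = fcm_1d(outputs)
    # Assumption: "class 1" is the cluster with the larger center, because the
    # page defines output 0 as normal and output 1 as anomalous.
    high = max(range(len(centers)), key=lambda k: centers[k])
    return [1 if row[high] > 0.5 else 0 for row in u], sorted(centers)


def fixed_threshold(outputs, cut=0.5):
    """Threshold-style decision, the approach the page contrasts FCM with."""
    return [1 if y > cut else 0 for y in outputs]


# Constructed output values, not results from the patent.
BATCH_A = [0.02, -0.05, 0.11, 0.08, 0.95, 1.04, 0.88, 0.61, 0.30, 0.97]
# Constructed batch whose outputs all sit higher, as a biased model would give.
BATCH_B = [0.62, 0.55, 0.70, 1.55, 1.60, 1.49]

if __name__ == "__main__":
    for name, batch in (("A", BATCH_A), ("B", BATCH_B)):
        labels, centers = classify_outputs(batch)
        print(name, "FCM      ", labels, [round(c, 2) for c in centers])
        print(name, "threshold", fixed_threshold(batch))
```

FCM always returns two clusters, so a batch that contains only normal connections is still split in two; the returned centers let the caller see when they lie close together.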
Description of drawings
Fig. 1 is the flow framework diagram of the anomaly detection method based on a fuzzy neural network.
Embodiment
The invention is further described below with reference to the accompanying drawing.
As shown in Fig. 1, the anomaly detection method based on a fuzzy neural network mainly comprises two major stages: a training stage and a detection stage. In the training stage, the input network connection vector is first obtained from the network connection data vector training sample set, and feature selection and feature transformation are applied to it to generate a feature vector. The feature vector is then fed into the fuzzy neural network, which is trained with ANFIS (adaptive neuro-fuzzy inference system) until it is stable, yielding the fuzzy neural network model. In the detection stage, the input network connection vector is first obtained from the network connection data vector training sample set and preprocessed to generate a feature vector. The feature vector is then fed into the trained fuzzy neural network model to obtain the corresponding output value. Finally, fuzzy clustering is applied to the set of output values to determine whether the input network connection data vector sample is anomalous.
The following typical embodiment is provided in connection with the invention:
To guarantee the accuracy and representativeness of the data and the scale of the data set in the implementation, we used the KDD99 data set, which is used internationally specifically for intrusion detection research. It contains four typical classes of attack: DoS, Probing, R2L and U2R. The main steps are as follows:
1. Considering the actual conditions of network intrusion in the Internet environment, we consider only the DoS and Probing attack classes, so the R2L and U2R attack classes are removed from the training data set.
2. Feature selection. Of the 41 features provided by the training data set, only 8 are selected: src_bytes, dst_bytes, count, srv_count, dst_host_count, dst_host_srv_count, dst_host_same_src_port_rate, dst_host_srv_diff_host_rate.
3. Feature generation. Features are extracted with PCA, and the dimension of the feature vector after extraction is reduced from the original 8 to 5.
4. Train the fuzzy neural model with ANFIS.
5. Detection. The test data set consists of three classes of network connections: normal (60593); anomalous, having appeared in the training data set (166041); and anomalous, not having appeared in the training data set (84395). The detection rate is 96.94% for the normal class, 99.81% for anomaly classes that had appeared, and 73.01% for newly emerging anomaly classes.
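The feature-selection and feature-transformation steps (STEP2 and STEP3 of the training stage, steps 2 and 3 of the embodiment) can be sketched as follows; this is an added example, not code from the patent. The records are constructed rather than taken from KDD99, the z-score rule for rejecting "singular" vectors is an assumption because the page does not define one, and PCA is done by power iteration so the block needs only the standard library.

```python
import math
import random
import statistics

# The eight KDD99 fields the embodiment keeps out of the 41 available.
SELECTED = ["src_bytes", "dst_bytes", "count", "srv_count", "dst_host_count",
            "dst_host_srv_count", "dst_host_same_src_port_rate",
            "dst_host_srv_diff_host_rate"]

def zscores(rows):
    """Normalize every column to zero mean and unit variance."""
    cols = list(zip(*rows))
    mean = [statistics.mean(c) for c in cols]
    std = [statistics.pstdev(c) or 1.0 for c in cols]  # constant column: no /0
    return [[(x - m) / s for x, m, s in zip(r, mean, std)] for r in rows]

def reject_singular(rows, z_max=3.0):
    # Assumed rule (the page does not define "singular"): drop any vector
    # with a component more than z_max standard deviations from the mean.
    return [r for r, z in zip(rows, zscores(rows))
            if max(abs(v) for v in z) <= z_max]

def principal_components(rows, k, iters=500):
    """Top-k eigenvectors of the covariance of centered rows (power iteration)."""
    n, d = len(rows), len(rows[0])
    cov = [[sum(r[i] * r[j] for r in rows) / n for j in range(d)]
           for i in range(d)]
    comps = []
    for c in range(k):
        v = [1.0 / (i + c + 1) for i in range(d)]
        for _ in range(iters):
            v = [sum(cov[i][j] * v[j] for j in range(d)) for i in range(d)]
            for u in comps:  # stay orthogonal to the components already found
                dot = sum(a * b for a, b in zip(u, v))
                v = [a - dot * b for a, b in zip(v, u)]
            norm = math.sqrt(sum(a * a for a in v))
            v = [a / norm for a in v]
        comps.append(v)
    return comps

def build_feature_vectors(records, k=5):
    """STEP2 + STEP3: returns (vectors, retained variance share, dropped)."""
    rows = [[float(r[name]) for name in SELECTED] for r in records]
    kept = reject_singular(rows)
    z = zscores(kept)
    comps = principal_components(z, k)
    vectors = [[sum(a * b for a, b in zip(row, u)) for u in comps] for row in z]
    retained = sum(statistics.pvariance(c) for c in zip(*vectors)) / len(SELECTED)
    return vectors, retained, len(rows) - len(kept)

def constructed_records(n=40, seed=7):
    """Constructed connection records (not KDD99 data) with correlated fields."""
    rng = random.Random(seed)
    records = []
    for _ in range(n):
        b, c, h = rng.uniform(100, 2000), rng.uniform(1, 100), rng.uniform(1, 255)
        records.append({
            "duration": 0.0,  # example of an unselected field, ignored
            "src_bytes": b, "dst_bytes": 3 * b + rng.uniform(-50, 50),
            "count": c, "srv_count": c + rng.uniform(-2, 2),
            "dst_host_count": h, "dst_host_srv_count": h + rng.uniform(-5, 5),
            "dst_host_same_src_port_rate": rng.random(),
            "dst_host_srv_diff_host_rate": rng.random(),
        })
    records.append(dict(records[0], src_bytes=5e8))  # one singular vector
    return records

if __name__ == "__main__":
    vectors, retained, dropped = build_feature_vectors(constructed_records())
    print(len(vectors), "vectors of dimension", len(vectors[0]))
    print("dropped:", dropped, "variance retained:", round(retained, 4))
```

This sketch fits and applies the transformation on one set; for the detection stage, the means, standard deviations and components fitted on the training set would be kept and applied to new connections.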

Claims (5)

1. An anomaly detection method based on a fuzzy neural network, comprising a training stage and a detection stage, characterized in that, first, the fuzzy neural network is trained with training samples until it is stable, and then the trained fuzzy neural network is used for the actual network anomaly detection task, specifically as follows:
First, the training stage
In the training stage, the input network connection vector is first obtained from the network connection data vector training sample set, and feature selection and feature transformation are applied to it to generate a feature vector; the feature vector is then fed into the fuzzy neural network, which is trained with the adaptive neuro-fuzzy inference system until it is stable, yielding the fuzzy neural network model;
Second, the detection stage
In the detection stage, the input network connection vector is first obtained from the network connection data vector training sample set and preprocessed to generate a feature vector; the feature vector is then fed into the trained fuzzy neural network model to obtain the corresponding output value; finally, fuzzy clustering is applied to the set of output values to determine whether the input network connection data vector sample is anomalous.
2. The anomaly detection method based on a fuzzy neural network according to claim 1, characterized in that the specific steps of obtaining the input feature vector are:
STEP1: Construct network connection data vectors from the captured set of IP packets;
STEP2: Feature selection: select from the network connection data vector several features relevant to network anomaly detection to form a new data vector;
STEP3: Feature transformation: first reject singular data vectors and normalize the remaining data vectors, then apply a linear transformation to the data vectors using principal component analysis to reduce their dimension, thereby obtaining the input feature vector.
3. The anomaly detection method based on a fuzzy neural network according to claim 2, characterized in that the network connection data vector comprises three parts: basic features, content features and traffic features.
4. The anomaly detection method based on a fuzzy neural network according to claim 1, characterized in that the detection stage specifically comprises the following steps:
STEP1: Construct the input sample set $X = (x_1, x_2, \ldots, x_n)$ from the current network connection data using the above method of constructing input feature vectors, feed it into the trained fuzzy neural network, and obtain the corresponding output value set $Y = (y_1, y_2, \ldots, y_n)$;
STEP2: Classify the output value set $Y$ using Fuzzy C-Means clustering (FCM): if $y_i$ ($1 \le i \le n$) falls in class 1, the network connection corresponding to the input feature vector $x_i$ ($1 \le i \le n$) is anomalous; if $y_i$ ($1 \le i \le n$) falls in class 0, the network connection corresponding to the input feature vector $x_i$ ($1 \le i \le n$) is normal.
5. The anomaly detection method based on a fuzzy neural network according to claim 1, characterized in that a network anomaly intrusion detection system implemented with this method can be regarded as a black box whose input is the network connection data vector extracted from a real network environment and whose output is exactly 0 or 1, where 0 represents normal and 1 represents anomalous.
CN 200710027984 2007-05-14 2007-05-14 Abnormal detecting method based on fuzzy nervous network Pending CN101051953A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200710027984 CN101051953A (en) 2007-05-14 2007-05-14 Abnormal detecting method based on fuzzy nervous network

Publications (1)

Publication Number Publication Date
CN101051953A true CN101051953A (en) 2007-10-10

Family

ID=38783160

Country Status (1)

Country Link
CN (1) CN101051953A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication