CN104935600B - Intrusion detection method and device for mobile ad hoc networks based on deep learning

Publication number
CN104935600B
Authority
CN
China
Prior art keywords
network
node
data packet
module
intrusion
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201510344393.2A
Other languages
Chinese (zh)
Other versions
CN104935600A (en)
Inventor
吴巍
黄炜
张林杰
贾哲
庄杰
李强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CETC 54 Research Institute
Original Assignee
CETC 54 Research Institute
Application filed by CETC 54 Research Institute
Priority to CN201510344393.2A
Publication of CN104935600A
Application granted
Publication of CN104935600B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud

Abstract

The invention discloses a deep-learning-based intrusion detection method and device for mobile ad hoc networks, and relates to the field of wireless network security. The device comprises a data acquisition module, a data fusion module, a preprocessing module, a storage module, an intrusion detection module and a response alarm module. Captured wireless data packets are fused and de-duplicated, and network behavior features are extracted and stored; a deep neural network model representing network behavior is built by deep learning on these features; network data to be detected is fed into the deep neural network model, and an alarm response is raised once an intrusion has been detected and identified. The method stores network behavior feature vectors that are detected as abnormal and uses them to train the deep neural network, so that these intrusion types can be detected and identified when they occur again. The invention improves detection accuracy while preserving model training and detection efficiency, further improving the security of mobile ad hoc networks.

Description

Intrusion detection method and device for mobile ad hoc networks based on deep learning
Technical field
The present invention relates to the fields of mobile ad hoc networks and deep learning, and in particular to an intrusion detection method and device for ad hoc networks.
Background art
Mobile ad hoc networks differ from fixed wired networks, so an intrusion detection system (IDS) faces different problems in an ad hoc network. An ad hoc network uses an open wireless channel and has no fixed routers, which makes it easier to intrude upon. Because an ad hoc network has no static infrastructure, an IDS lacks good statistical data, and the network features it can collect are confined to a particular wireless communication range. There is therefore an urgent need to solve the problems that intrusion detection technology faces in mobile ad hoc networks, so that the security protection of the network can be strengthened.
Deep learning performs well on machine learning problems involving big data and multidimensional features. Intrusions in ad hoc networks are varied; detecting them requires collecting large amounts of data and computing multidimensional statistical features to analyze the behavior of the network. Applying deep learning to intrusion detection in ad hoc networks exploits the strengths of deep neural networks in machine learning and feature extraction, and offers an effective approach to this complex behavior pattern recognition problem.
The patent document with publication number CN101610516A, entitled "intrusion detection method and equipment in self-organizing network", discloses an intrusion detection method that groups network features by information gain, uses a support vector machine to select the optimal feature subset from the groups, and judges whether the network has been intruded upon. However, that method can only detect whether an intrusion exists in the network and cannot identify the intrusion type; it is purely an anomaly detection technique. It uses a shallow neural network learning model and lacks the advantages of deep learning. In addition, it does not address wireless monitoring or packet capture.
Application No. 201310682813.9, entitled "Neural-network-based wireless sensor network intrusion detection algorithm", discloses a wireless sensor network intrusion detection framework comprising misuse detection, anomaly detection and decision modules, and selects a BP neural network, a generalized regression neural network and a BP neural network optimized by a genetic algorithm for MATLAB simulation experiments. That invention does not use a deep neural network and was only simulated in MATLAB, which cannot demonstrate the effectiveness of the algorithm in a real network environment; it does not capture wireless ad hoc network data packets and does not address network feature extraction, so it cannot be applied directly to intrusion detection in ad hoc networks.
Summary of the invention
The technical problem to be solved by the present invention is that ad hoc networks currently face extremely complex security threats, while intrusion detection technology for ad hoc networks still lacks mature research results and cannot adequately meet their security needs. The invention proposes an intrusion detection method for mobile ad hoc networks that improves detection accuracy while preserving model training and detection efficiency.
To solve the above technical problem, the present invention adopts the following technical solution:
An intrusion detection method for mobile ad hoc networks based on deep learning, comprising the following steps:
1. Capture wireless data packets from a normal mobile ad hoc network and preprocess the data to obtain a normal network behavior feature data set, which is split into a training set and a test set of normal network behavior features. Add several kinds of known intrusion nodes to the mobile ad hoc network, capture wireless data packets from the network containing the intrusion nodes, and preprocess the data to obtain a network intrusion behavior feature data set, which is split into a training set and a test set of network intrusion behavior features. The wireless data packets include route request packets, route reply packets, route error packets and service data packets;
The features in the normal network behavior feature data set and the network intrusion behavior feature data set include:
(1) RREQ Sent: total number of route request packets sent by the node;
(2) RREQ Received: total number of route request packets received by the node;
(3) RREP Sent: total number of route reply packets sent by the node;
(4) RREP Received: total number of route reply packets received by the node;
(5) RERR Sent: total number of route error packets sent by the node;
(6) RERR Received: total number of route error packets received by the node;
(7) Data Sent: total number of service data packets sent by the node;
(8) Data Received: total number of service data packets received by the node;
(9) Route Drop: total number of routing packets dropped by the node;
(10) Route Transmit: total number of routing packets forwarded by the node;
(11) Data Drop: total number of service data packets dropped by the node;
(12) Data Transmit: total number of service data packets forwarded by the node;
(13) Packet size: average data packet size;
(14) Active Node: number of active nodes;
2. Train the deep neural network anomaly detection model on the normal network behavior feature training set to obtain a representation of normal network behavior; train the deep neural network misuse detection model on the network intrusion behavior feature training set to obtain a representation of network intrusion behavior;
3. Test the deep neural network anomaly detection model on the normal network behavior feature test set and further adjust the model parameters according to the test results; test the deep neural network misuse detection model on the network intrusion behavior feature test set and further adjust the model parameters according to the test results;
4. During intrusion detection, multiple wireless monitoring nodes capture wireless data packets from the mobile ad hoc network in real time; data preprocessing yields network behavior feature vectors, which are fed into the parameter-adjusted deep neural network anomaly detection model for identification; feature vectors judged abnormal are fed into the parameter-adjusted deep neural network misuse detection model for identification, which determines the recognition result for the intrusion type;
5. If the recognition result matches a known intrusion type, raise an alarm showing that intrusion. If the recognition result does not match any known intrusion type, store the abnormal network behavior feature vector as a new network intrusion feature vector. Once the deep neural network is able to identify the stored new network intrusion feature vectors, divide them into classes with a clustering algorithm and use the clustered vectors as a network intrusion behavior feature training set to train the deep neural network misuse detection model, so that these intrusion types can be detected and identified when they occur again;
This completes the deep-learning-based intrusion detection method for mobile ad hoc networks.
The data preprocessing specifically comprises the following steps:
(101) compute the size of each captured wireless data packet, then parse each frame and extract the fields that indicate the wireless data packet type;
(102) determine the type of each wireless data packet and classify the packets accordingly;
(103) extract the network behavior feature vector for each class of wireless data packet.
The network behavior feature vector is a vector composed of multiple elements that characterize network performance, specifically including: the send and receive frequency of route request messages, the send and receive frequency of route reply messages, and the data packet delivery ratio.
Training the deep neural network anomaly detection model on the normal network behavior feature training set specifically comprises the following steps:
(201) initialize the model parameters of the deep neural network, which include the learning rate, the depth and the number of neurons in each layer;
(202) feed the normal network behavior feature training set into the deep neural network model; the model automatically adjusts the connection weights between neurons and obtains an abstract representation of the training data.
The mathematical model used by the deep neural network anomaly detection model and the deep neural network misuse detection model is a deep neural network model, that is, a mathematical model using a deep learning algorithm, specifically a deep belief network or a convolutional neural network.
Step 3 specifically comprises the following steps:
(301) feed the normal network behavior feature test set and the network intrusion behavior feature test set into the parameter-adjusted deep neural network anomaly detection model; the model identifies each feature vector in the test sets as normal or abnormal, and the detection accuracy, miss rate and false alarm rate are computed;
(302) feed the feature vectors identified as abnormal in (301) into the parameter-adjusted deep neural network misuse detection model to identify the intrusion type, and compute the identification accuracy;
(303) if the statistics do not meet the preset targets, adjust the parameters of the deep neural network anomaly detection model and misuse detection model and retrain both models until the preset targets are met.
An intrusion detection device for mobile ad hoc networks based on deep learning, comprising: a data acquisition module, a data fusion module, a preprocessing module, a storage module, an intrusion detection module and a response alarm module;
The data acquisition module deploys multiple wireless monitoring nodes in the mobile ad hoc network according to the size of the network to be monitored, captures the wireless data packets in the network in real time and transmits them wirelessly to the data fusion module. The wireless data packets include route request packets, route reply packets, route error packets and service data packets;
The data fusion module fuses the wireless data packets received from the multiple wireless monitoring points, removes redundancy, and sends the result to the preprocessing module over a cable or wirelessly;
The preprocessing module parses the frames of the fused data, extracts and counts network behavior features to obtain network behavior feature vectors, and sends the vectors to the storage module;
The network behavior features include:
(1) RREQ Sent: total number of route request packets sent by the node;
(2) RREQ Received: total number of route request packets received by the node;
(3) RREP Sent: total number of route reply packets sent by the node;
(4) RREP Received: total number of route reply packets received by the node;
(5) RERR Sent: total number of route error packets sent by the node;
(6) RERR Received: total number of route error packets received by the node;
(7) Data Sent: total number of service data packets sent by the node;
(8) Data Received: total number of service data packets received by the node;
(9) Route Drop: total number of routing packets dropped by the node;
(10) Route Transmit: total number of routing packets forwarded by the node;
(11) Data Drop: total number of service data packets dropped by the node;
(12) Data Transmit: total number of service data packets forwarded by the node;
(13) Packet size: average data packet size;
(14) Active Node: number of active nodes;
The storage module comprises a general storage area and a new intrusion feature storage area; it stores the network behavior feature vectors obtained from preprocessing in the general storage area and sends them to the intrusion detection module;
The intrusion detection module detects network intrusions in real time, notifies the response alarm module of intrusion information, and stores new intrusion network behavior features in the new intrusion feature storage area;
If a network intrusion is detected and its type is identified, the intrusion information is sent to the response alarm module. If a network intrusion is detected but its type is not identified, the module concludes that an unknown intrusion type is present in the network, notifies the response alarm module, and stores the corresponding new intrusion network behavior features in the new intrusion feature storage area. The intrusion information includes the intrusion type and the time at which the intrusion occurred;
The response alarm module issues alarm information after receiving a notification from the intrusion detection module; the alarm information includes the intrusion type and the time at which the intrusion occurred;
Once the amount of stored new intrusion network behavior features is enough for the intrusion detection module to identify them, the new intrusion feature storage area divides them into classes with a clustering algorithm and sends the clustered new intrusion network behavior features to the intrusion detection module.
The intrusion detection module comprises an anomaly detection unit and a misuse detection unit.
The anomaly detection unit trains a deep neural network on normal network behavior features to obtain a representation of normal network behavior, and detects network intrusions in real time. The normal network behavior feature vectors are obtained by passing wireless data packets collected from a normal mobile ad hoc network through the preprocessing module;
The misuse detection unit trains a deep neural network on network intrusion behavior features to obtain a representation of network intrusion behavior, identifies the intrusion type, and then notifies the response alarm module of the intrusion information. The network intrusion behavior features are obtained by passing wireless data packets, collected from a mobile ad hoc network to which known intrusion nodes have been added, through the preprocessing module.
Compared with the background art, the advantages of the present invention are:
Because the intrusion detection method and device use deep learning to build a deep neural network intrusion detection model that can learn the deep attributes of the training data and obtain a feature representation of normal network behavior or intrusion behavior, detection accuracy is improved while model training and detection efficiency are preserved.
Brief description of the drawings
Fig. 1 is a flowchart of the intrusion detection method of the present invention;
Fig. 2 is a block diagram of the intrusion detection device of the present invention;
Fig. 3 is a flowchart of the training and testing process for intrusion detection in an embodiment of the present invention;
Fig. 4 is a flowchart of the detection process for intrusion detection in an embodiment of the present invention.
In Fig. 2: 1. intrusion detection device; 2. data acquisition module (wireless monitoring node); 3. data fusion module; 4. preprocessing module; 5. storage module; 6. intrusion detection module; 7. response alarm module; 8. mobile ad hoc network; 9. network node.
Detailed description of the embodiments
The embodiments of the present invention provide a deep-learning-based intrusion detection method and device for mobile ad hoc networks that improve detection accuracy while preserving model training and detection efficiency.
The embodiments of the present invention are described in detail below with reference to the drawings.
As shown in Fig. 1, the deep-learning-based intrusion detection method for mobile ad hoc networks of the present invention comprises the following steps:
1. Packet capture and preprocessing: capture a large number of data packets from a normal mobile ad hoc network; parse the frames, determine the packet size, extract the fields indicating the packet type and determine the packet type; for each packet type, compute per unit time the feature information such as send frequency, receive frequency, average size and duration, obtaining the normal network behavior feature data set, which is split into a training set and a test set in a 3:1 ratio. Add several kinds of known intrusion nodes to the mobile ad hoc network in turn and capture a large amount of data for each; the same process yields the network intrusion behavior feature data set, which is likewise split into a training set and a test set. The wireless data packets include route request packets, route reply packets, route error packets and service data packets;
2. Train the deep neural network detection models on the network behavior feature training sets: feed the normal network behavior feature training set into the deep neural network anomaly detection model, which automatically adjusts the connection weights between neurons to obtain a representation of normal network behavior; feed the network intrusion feature training set into the deep neural network misuse detection model, which automatically adjusts the connection weights between neurons to obtain a representation of network intrusion behavior;
The training process is specifically:
(201) initialize the model parameters of the deep neural network, which include the learning rate, the depth and the number of neurons in each layer;
(202) feed the network behavior feature training set into the deep neural network model; the model automatically adjusts the connection weights between neurons and obtains an abstract representation of the training data.
3. Test the deep neural network detection models on the network behavior feature test sets: feed the normal network behavior feature test set into the deep neural network anomaly detection model, test the detection performance of the model and further adjust the model parameters (number of layers, number of neurons, learning rate, etc.); feed the network intrusion behavior feature test set into the deep neural network anomaly detection model, test the detection performance of the model and further adjust the model parameters (number of layers, number of neurons, learning rate, etc.);
The test process is specifically:
(301) feed the network behavior feature test set and the network intrusion behavior feature test set into the parameter-adjusted deep neural network anomaly detection model; the model identifies each feature vector in the test sets as normal or abnormal, and the detection accuracy, miss rate and false alarm rate are computed;
(302) feed the feature vectors identified as abnormal in (301) into the parameter-adjusted deep neural network misuse detection model to identify the intrusion type, and compute the identification accuracy;
(303) if the statistics do not meet the preset targets, adjust the parameters of the deep neural network anomaly detection model and misuse detection model and retrain both models until the preset targets are met.
Embodiment: in the intrusion detection method of this embodiment, the training and testing flow of the deep neural network intrusion detection in the mobile ad hoc network is shown in Fig. 3, and the intrusion detection flow is shown in Fig. 4.
For example, for routing-layer attacks on a mobile ad hoc network, including sequence number attacks, false distance vector attacks, black hole attacks and the like, the wireless monitoring nodes capture wireless data packets, and data fusion and preprocessing extract the following feature set:
(1) RREQ Sent: total number of route request packets sent by the node;
(2) RREQ Received: total number of route request packets received by the node;
(3) RREP Sent: total number of route reply packets sent by the node;
(4) RREP Received: total number of route reply packets received by the node;
(5) RERR Sent: total number of route error packets sent by the node;
(6) RERR Received: total number of route error packets received by the node;
(7) Data Sent: total number of service data packets sent by the node;
(8) Data Received: total number of service data packets received by the node;
(9) Route Drop: total number of routing packets dropped by the node;
(10) Route Transmit: total number of routing packets forwarded by the node;
(11) Data Drop: total number of service data packets dropped by the node;
(12) Data Transmit: total number of service data packets forwarded by the node;
(13) Packet size: average data packet size;
(14) Active Node: number of active nodes.
All of the above features together make up the network behavior feature vector, which serves as the input to the deep neural network.
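The fusion and preprocessing stages described above, producing one 14-element feature vector per node for a time window, as an added example that is not code from the patent. The record layout, the de-duplication key and the pre-labelled `sent`/`recv`/`fwd`/`drop` events are assumptions; the patent does not specify how a monitoring node encodes its observations.

```python
from collections import defaultdict

ROUTING_TYPES = ("RREQ", "RREP", "RERR")
EVENTS = ("sent", "recv", "fwd", "drop")
# Order follows features (1) to (14) in the list above.
FEATURES = (
    "rreq_sent", "rreq_recv", "rrep_sent", "rrep_recv", "rerr_sent", "rerr_recv",
    "data_sent", "data_recv", "route_drop", "route_fwd", "data_drop", "data_fwd",
    "avg_pkt_size", "active_nodes",
)

# Constructed sample: parsed observations from two monitoring nodes (M1, M2).
# Hypothetical layout: (monitor, timestamp, node, event, packet type, packet id, size).
FIELDS = ("monitor", "ts", "node", "event", "type", "pkt_id", "size")
ROWS = [
    ("M1", 0.100, "A", "sent", "RREQ", 1, 48),
    ("M2", 0.101, "A", "sent", "RREQ", 1, 48),   # same frame heard by M2
    ("M1", 0.110, "B", "recv", "RREQ", 1, 48),
    ("M2", 0.110, "C", "recv", "RREQ", 1, 48),
    ("M1", 0.120, "B", "fwd",  "RREQ", 1, 48),
    ("M2", 0.120, "C", "sent", "RREP", 2, 44),
    ("M1", 0.121, "C", "sent", "RREP", 2, 44),   # duplicate capture
    ("M1", 0.130, "A", "recv", "RREP", 2, 44),
    ("M1", 0.200, "A", "sent", "DATA", 3, 512),
    ("M2", 0.210, "C", "recv", "DATA", 3, 512),
    ("M2", 0.211, "C", "drop", "DATA", 3, 512),  # C drops what it attracts
    ("M1", 0.300, "A", "sent", "DATA", 4, 512),
    ("M2", 0.301, "A", "sent", "DATA", 4, 512),  # duplicate capture
    ("M2", 0.310, "C", "recv", "DATA", 4, 512),
    ("M2", 0.311, "C", "drop", "DATA", 4, 512),
    ("M1", 1.200, "A", "sent", "DATA", 5, 512),  # falls outside the window
]
CAPTURES = [dict(zip(FIELDS, row)) for row in ROWS]


def fuse(captures):
    """Data fusion: merge all monitors' captures, keeping one copy of each event.

    Timestamps differ slightly between monitors, so the key ignores them.
    """
    seen, fused = set(), []
    for rec in sorted(captures, key=lambda r: (r["ts"], r["monitor"])):
        key = (rec["node"], rec["event"], rec["type"], rec["pkt_id"])
        if key not in seen:
            seen.add(key)
            fused.append(rec)
    return fused


def feature_vectors(records, t0, t1):
    """Preprocessing: per-node feature vectors for records with t0 <= ts < t1."""
    counts = defaultdict(lambda: defaultdict(int))
    sizes = defaultdict(list)
    for rec in records:
        kind, event = rec["type"], rec["event"]
        if not (t0 <= rec["ts"] < t1):
            continue
        if event not in EVENTS or (kind != "DATA" and kind not in ROUTING_TYPES):
            continue  # unknown frame or event type: not part of the feature set
        node = rec["node"]
        sizes[node].append(rec["size"])
        if event in ("sent", "recv"):
            counts[node][f"{kind.lower()}_{event}"] += 1
        else:  # drops and forwards are counted per group, not per routing type
            group = "data" if kind == "DATA" else "route"
            counts[node][f"{group}_{event}"] += 1
    active = len(sizes)  # nodes seen doing anything in this window
    vectors = {}
    for node, node_sizes in sizes.items():
        vec = [counts[node][name] for name in FEATURES[:12]]
        vec.append(sum(node_sizes) / len(node_sizes))
        vec.append(active)
        vectors[node] = vec
    return vectors


if __name__ == "__main__":
    for node, vec in sorted(feature_vectors(fuse(CAPTURES), 0.0, 1.0).items()):
        print(node, dict(zip(FEATURES, vec)))
```

In the constructed window, node C stands out through `data_recv` and `data_drop` both being 2 with no `data_fwd`, which is the kind of pattern the feature set is meant to expose to the detection models.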
The embodiment of the present invention models the training data with a deep belief network (Deep Belief Nets, DBN). A DBN is a relatively mature deep neural network model composed of two layers of restricted Boltzmann machines (Restricted Boltzmann Machine, RBM) plus one layer of BP (back-propagation) neural network. The DBN is trained layer by layer; the key is training the RBMs without supervision. From the structure of the RBM, formulas (1), (2) and (3) can be obtained by derivation. In formula (1), T is the number of samples and v is the network feature vector, i.e. the state vector of the RBM visible layer. In formulas (2) and (3), $v_i$ is the state of the i-th visible-layer neuron, $a_i$ is the bias of the i-th visible-layer neuron, $h_j$ is the state of the j-th hidden-layer neuron, and $b_j$ is the bias of the j-th hidden-layer neuron; $P(h \mid v, \theta)$ is the conditional distribution; $\theta$ is the RBM parameter set $\{W, a, b\}$; $W$ is the connection weight matrix.
Training an RBM amounts to adjusting the parameter set $\theta$ to fit the given training samples, that is, making the probability distribution represented by the RBM under those parameters agree with the training data as closely as possible; mathematically this is maximizing the likelihood function described by formula (1).
Computing formula (1) directly would be extremely complex, so the embodiment of the present invention uses the more computationally efficient CD fast learning algorithm, whose main steps are as follows:
(1) initialize the RBM parameter set $\theta = \{W, a, b\}$ to small values and split the training data into mini-batches of tens to hundreds of samples;
(2) set the visible layer $v_1$ equal to the first mini-batch, batch 1;
(3) use formula (2) to compute $h_1 = \mathrm{sigmoid}(b' + v_1 \cdot W')$; use formula (3) to obtain $v_2 = \mathrm{sigmoid}(a' + h_1 W)$; then use formula (2) again to compute $h_2 = \mathrm{sigmoid}(b' + v_2 \cdot W')$;
(4) update each parameter according to formula (4), in which $W$ is the connection weight matrix, $a$ is the visible-layer bias vector, $b$ is the hidden-layer bias vector and $\eta$ is the learning rate;
(5) set $v_1$ equal to each of the other mini-batches in turn and repeat steps (3) and (4) to obtain the model parameters;
After the two RBM layers have each been trained without supervision, labels are added to the training data and the BP neural network is trained with supervision.
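Steps (1) to (5) above as a runnable CD-1 (one-step contrastive divergence) loop for a single RBM, as an added example that is not code from the patent. Formula (4) is not reproduced on this page, so the update used is the standard CD-1 rule, which is an assumption about what the patent intends; the layer sizes, learning rate, epoch count and the constructed training vectors are assumptions as well.

```python
import math
import random


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


class RBM:
    """Restricted Boltzmann machine with parameter set theta = {W, a, b}.

    W is stored as n_visible x n_hidden, a is the visible-layer bias vector
    and b the hidden-layer bias vector.
    """

    def __init__(self, n_visible, n_hidden, rng):
        # Step (1): small initial values.
        self.W = [[rng.gauss(0.0, 0.01) for _ in range(n_hidden)]
                  for _ in range(n_visible)]
        self.a = [0.0] * n_visible
        self.b = [0.0] * n_hidden

    def hidden(self, v):
        # h = sigmoid(b + v.W), activation probabilities as in step (3).
        return [sigmoid(self.b[j] + sum(v[i] * self.W[i][j] for i in range(len(v))))
                for j in range(len(self.b))]

    def visible(self, h):
        # v = sigmoid(a + h.W^T), the reconstruction of the visible layer.
        return [sigmoid(self.a[i] + sum(h[j] * self.W[i][j] for j in range(len(h))))
                for i in range(len(self.a))]

    def cd1_update(self, batch, eta):
        """Steps (3) and (4) for one mini-batch, averaged over its samples."""
        nv, nh = len(self.a), len(self.b)
        dW = [[0.0] * nh for _ in range(nv)]
        da, db = [0.0] * nv, [0.0] * nh
        for v1 in batch:
            h1 = self.hidden(v1)
            v2 = self.visible(h1)
            h2 = self.hidden(v2)
            # Standard CD-1 statistics (assumed form of formula (4)):
            # positive phase from (v1, h1) minus negative phase from (v2, h2).
            for i in range(nv):
                da[i] += v1[i] - v2[i]
                for j in range(nh):
                    dW[i][j] += v1[i] * h1[j] - v2[i] * h2[j]
            for j in range(nh):
                db[j] += h1[j] - h2[j]
        scale = eta / len(batch)
        for i in range(nv):
            self.a[i] += scale * da[i]
            for j in range(nh):
                self.W[i][j] += scale * dW[i][j]
        for j in range(nh):
            self.b[j] += scale * db[j]

    def reconstruction_error(self, data):
        """Mean squared error between each vector and its reconstruction."""
        total = 0.0
        for v in data:
            v2 = self.visible(self.hidden(v))
            total += sum((x - y) ** 2 for x, y in zip(v, v2)) / len(v)
        return total / len(data)


def make_normal_traffic(rng, n):
    """Constructed sample: feature vectors scaled to [0, 1], jittered around
    one hypothetical 'normal behavior' profile."""
    profile = [0.8, 0.7, 0.2, 0.2, 0.9, 0.1]
    return [[min(1.0, max(0.0, p + rng.uniform(-0.05, 0.05))) for p in profile]
            for _ in range(n)]


def train(data, n_hidden=3, eta=0.1, epochs=100, batch_size=10, seed=7):
    rbm = RBM(len(data[0]), n_hidden, random.Random(seed))
    before = rbm.reconstruction_error(data)
    for _ in range(epochs):
        # Steps (2) and (5): present each mini-batch in turn as v1.
        for k in range(0, len(data), batch_size):
            rbm.cd1_update(data[k:k + batch_size], eta)
    return rbm, before, rbm.reconstruction_error(data)


def demo():
    return train(make_normal_traffic(random.Random(1), 40))


if __name__ == "__main__":
    _, before, after = demo()
    print(f"reconstruction error before={before:.4f} after={after:.4f}")
```

Feature counts have to be scaled into [0, 1] before they are presented to the visible layer, because the sigmoid reconstruction cannot produce values outside that range.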
4. During intrusion detection, multiple wireless monitoring nodes capture wireless data packets from the mobile ad hoc network in real time; the frames are parsed, the packet size is determined, the fields indicating the packet type are extracted and the packet type is determined; for each packet type, the feature information such as send frequency, receive frequency, average size and duration is computed per unit time, yielding the network behavior feature vector. The network behavior feature vector is fed into the parameter-adjusted deep neural network anomaly detection model for identification; feature vectors judged abnormal are fed into the parameter-adjusted deep neural network misuse detection model for identification, which determines the recognition result for the intrusion type;
The network behavior feature vector is a vector composed of multiple elements that characterize network performance, specifically including: the send and receive frequency of route request messages, the send and receive frequency of route reply messages, and the data packet delivery ratio.
5. If the recognition result matches a known intrusion type, raise an alarm showing that intrusion. If the recognition result does not match any known intrusion type, store the abnormal network behavior feature vector as a new network intrusion feature vector. Once the deep neural network is able to identify the stored new network intrusion feature vectors, divide them into classes with a clustering algorithm and use the clustered vectors as a network intrusion feature training set to train the deep neural network misuse detection model, so that these intrusion types can be detected and identified when they occur again;
Embodiment: the trained DBN model stores the normal or intrusion behavior features of the network in the form of a parameter set, thereby establishing a recognition model for normal or intrusion behavior of the mobile ad hoc network. During detection, network features that deviate substantially from normal behavior are judged abnormal, and network features that closely match a particular intrusion behavior are judged to be that intrusion. After an intrusion is detected, the device issues alarm information to network management, then updates the detection log file and proceeds to the next detection.
This completes the deep-learning-based intrusion detection method for mobile ad hoc networks.
As shown in Fig. 2, the deep-learning-based mobile ad-hoc network intrusion detection device of the invention includes: a data acquisition module, a data fusion module, a preprocessing module, a storage module, an intrusion detection module and a response alarm module.
1. The data acquisition module deploys multiple wireless monitoring nodes in the mobile ad-hoc network, monitors network traffic, captures wireless data packets, and transmits the captured data by radio to the data fusion module, which fuses the data and removes redundant information;
2. The data fusion module fuses the data captured at the multiple monitoring points and removes redundancy to ensure the accuracy of the information;
3. The preprocessing module determines the data packet size, extracts the field that indicates the data packet type, determines the data packet type, and computes feature information such as the sending frequency, receiving frequency, average size and duration of each type of data packet per unit time, yielding the network behavior feature vector;
4. The storage module comprises a general storage area and a new intrusion signature storage area; it stores the network behavior feature vectors obtained after preprocessing in the general storage area for analysis in the next step;
5. The intrusion detection module comprises an anomaly detection unit and a misuse detection unit; it detects network intrusions in real time, notifies the response alarm module of the intrusion information, and stores new intrusion network behavior features in the new intrusion signature storage area;
If a network intrusion is detected and its intrusion type is identified, the response alarm module is notified of the intrusion information. If a network intrusion is detected but its intrusion type is not identified, an unknown intrusion type is judged to be present in the network, the response alarm module is notified, and the corresponding new intrusion network behavior features are stored in the new intrusion signature storage area. The intrusion information includes the intrusion type and the time at which the intrusion occurred;
Anomaly detection unit: trains a deep neural network on normal network behavior features to obtain a representation of normal network behavior, and detects network intrusions in real time; the normal network behavior feature vectors are obtained by passing wireless data packets collected from a normal mobile ad-hoc network through the preprocessing module;
Misuse detection unit: trains a deep neural network on network intrusion behavior features to obtain a representation of network intrusion behavior, identifies the intrusion type, and then notifies the response alarm module of the intrusion information; the network intrusion behavior features are obtained by passing wireless data packets collected from a mobile ad-hoc network to which known intrusion nodes have been added through the preprocessing module;
6. The response alarm module issues alarm information after receiving a notification from the intrusion detection module; the alarm information includes the intrusion type and the time at which the intrusion occurred;
7. The new intrusion signature storage area: once the amount of stored new intrusion network behavior features reaches the point at which the intrusion detection module can recognize them, it partitions them into classes with a clustering algorithm and sends the clustered new intrusion network behavior features to the intrusion detection module.
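The data fusion and preprocessing modules described above can be illustrated with the following added example (not code from the patent), which removes duplicate observations reported by several monitoring nodes and then builds, per node and per time window, the 14-element feature vector enumerated in the claims. The observation record layout, the action names and the sample events are constructed assumptions.

```python
from collections import namedtuple

# One packet event as reported by one monitoring node (field names are assumptions).
Obs = namedtuple("Obs", "monitor t node kind action pkt_id size")

ROUTING = ("RREQ", "RREP", "RERR")
ACTIONS = ("sent", "received", "dropped", "forwarded")
# Order follows features (1) to (14) as listed in the claims.
FEATURES = (
    "rreq_sent", "rreq_received", "rrep_sent", "rrep_received",
    "rerr_sent", "rerr_received", "data_sent", "data_received",
    "route_drop", "route_transmit", "data_drop", "data_transmit",
    "packet_size", "active_node",
)

def fuse(observations):
    """Data fusion: keep one copy of an event that several monitors captured."""
    seen, fused = set(), []
    for o in sorted(observations, key=lambda o: (o.t, o.monitor)):
        key = (o.node, o.kind, o.action, o.pkt_id)
        if key not in seen:
            seen.add(key)
            fused.append(o)
    return fused

def feature_vectors(observations, window):
    """Return {(window_index, node): [14 values]} in the order of FEATURES."""
    counts, sizes, active = {}, {}, {}
    for o in fuse(observations):
        if o.kind not in ROUTING + ("DATA",) or o.action not in ACTIONS:
            continue                      # frame type or action not modelled
        w = int(o.t // window)
        key = (w, o.node)
        vec = counts.setdefault(key, dict.fromkeys(FEATURES[:12], 0))
        sizes.setdefault(key, []).append(o.size)
        active.setdefault(w, set()).add(o.node)
        family = "route" if o.kind in ROUTING else "data"
        if o.action in ("sent", "received"):
            vec[f"{o.kind.lower()}_{o.action}"] += 1
        elif o.action == "dropped":
            vec[f"{family}_drop"] += 1
        else:                             # forwarded
            vec[f"{family}_transmit"] += 1
    out = {}
    for key, vec in counts.items():
        mean_size = sum(sizes[key]) / len(sizes[key])
        out[key] = [vec[n] for n in FEATURES[:12]] + [mean_size, len(active[key[0]])]
    return out

# Constructed sample: two monitors (m1, m2), nodes A and B, 5-second windows.
SAMPLE = [
    Obs("m1", 0.2, "A", "RREQ", "sent", 1, 48),
    Obs("m2", 0.2, "A", "RREQ", "sent", 1, 48),      # same event, second monitor
    Obs("m1", 0.3, "B", "RREQ", "received", 1, 48),
    Obs("m1", 0.4, "B", "RREP", "sent", 2, 44),
    Obs("m2", 0.5, "A", "RREP", "received", 2, 44),
    Obs("m1", 1.1, "A", "DATA", "sent", 3, 512),
    Obs("m1", 1.2, "B", "DATA", "received", 3, 512),
    Obs("m2", 1.3, "B", "DATA", "dropped", 3, 512),
    Obs("m2", 6.0, "A", "RERR", "received", 4, 32),
]

if __name__ == "__main__":
    for key, vec in sorted(feature_vectors(SAMPLE, 5.0).items()):
        print(key, dict(zip(FEATURES, vec)))
```

Without the fusion step the duplicate capture would inflate RREQ Sent for node A, which is the kind of redundancy the data fusion module is there to remove.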

Claims (8)

1. A mobile ad-hoc network intrusion detection method based on deep learning, comprising the following steps:
1. Capture wireless data packets from a normal mobile ad-hoc network and preprocess the data to obtain a normal network behavior feature data set, and split it into a training set and a test set of normal network behavior features; add several kinds of known intrusion nodes to the mobile ad-hoc network, capture wireless data packets from the mobile ad-hoc network to which the intrusion nodes have been added, and preprocess the data to obtain a network intrusion behavior feature data set, and split it into a training set and a test set of network intrusion behavior features; the wireless data packets include route request packets, route reply packets, route error packets and service data packets;
The features in the normal network behavior feature data set and the network intrusion behavior feature data set include:
(1) RREQ Sent: total number of route request packets sent by the node;
(2) RREQ Received: total number of route request packets received by the node;
(3) RREP Sent: total number of route reply packets sent by the node;
(4) RREP Received: total number of route reply packets received by the node;
(5) RERR Sent: total number of route error packets sent by the node;
(6) RERR Received: total number of route error packets received by the node;
(7) Data Sent: total number of service data packets sent by the node;
(8) Data Received: total number of service data packets received by the node;
(9) Route Drop: total number of routing packets dropped by the node;
(10) Route Transmit: total number of routing packets forwarded by the node;
(11) Data Drop: total number of service data packets dropped by the node;
(12) Data Transmit: total number of service data packets forwarded by the node;
(13) Packet size: average data packet size;
(14) Active Node: number of active nodes;
2. Train the deep neural network anomaly detection model with the normal network behavior feature training set to obtain a representation of normal network behavior; train the deep neural network misuse detection model with the network intrusion behavior feature training set to obtain a representation of network intrusion behavior;
3. Test the deep neural network anomaly detection model with the normal network behavior feature test set and further adjust the model parameters according to the test results; test the deep neural network misuse detection model with the network intrusion behavior feature test set and further adjust the model parameters according to the test results;
4. During intrusion detection, multiple wireless monitoring nodes capture wireless data packets from the mobile ad-hoc network in real time; the data are preprocessed to obtain network behavior feature vectors; each network behavior feature vector is input to the parameter-adjusted deep neural network anomaly detection model for recognition, and each network behavior feature vector judged abnormal is input to the parameter-adjusted deep neural network misuse detection model for recognition, which yields the recognition result for the intrusion type;
5. If the recognition result matches a known intrusion type, raise an alert showing that intrusion type; if the recognition result does not match any known intrusion type, store the abnormal network behavior feature vector as a new network intrusion feature vector; once the deep neural network is able to recognize the stored new network intrusion feature vectors, partition them into classes with a clustering algorithm and use the clustered new network intrusion feature vectors as a network intrusion behavior feature training set to train the deep neural network misuse detection model, so that these intrusion types can be detected and identified when they occur again;
This completes the deep-learning-based mobile ad-hoc network intrusion detection method.
2. The mobile ad-hoc network intrusion detection method based on deep learning according to claim 1, characterized in that the data preprocessing specifically comprises the following steps:
(101) compute the size of each captured wireless data packet, then perform frame parsing on each packet and extract the field that indicates the wireless data packet type;
(102) determine the type of each wireless data packet and classify each wireless data packet accordingly;
(103) extract the network behavior feature vector of each class of wireless data packet.
3. The mobile ad-hoc network intrusion detection method based on deep learning according to claim 1 or 2, characterized in that the network behavior feature vector is a vector composed of multiple elements that characterize network performance, specifically including: the sending and receiving frequency of route request messages, the sending and receiving frequency of route reply messages, and the data packet delivery fraction;
The network behavior feature vector is obtained as follows: perform frame parsing on the wireless data packets, determine the data packet size, extract the field that indicates the data packet type, determine the data packet type, and compute the sending frequency, receiving frequency, average size and duration of each type of data packet per unit time, which yields the network behavior feature vector.
4. The mobile ad-hoc network intrusion detection method based on deep learning according to claim 1, characterized in that training the deep neural network anomaly detection model with the normal network behavior feature training set specifically comprises the following steps:
(201) initialize the model parameters of the deep neural network; the model parameters of the deep neural network include the learning rate, the depth and the number of neurons in each layer;
(202) input the normal network behavior feature training set into the deep neural network model; the deep neural network model automatically adjusts the connection weights between neurons and obtains an abstract representation of the training data.
5. The mobile ad-hoc network intrusion detection method based on deep learning according to claim 1 or 4, characterized in that the mathematical model used by both the deep neural network anomaly detection model and the deep neural network misuse detection model is a deep neural network model; the deep neural network is a mathematical model that uses a deep learning algorithm, specifically a deep belief network or a convolutional neural network.
6. The mobile ad-hoc network intrusion detection method based on deep learning according to claim 1, characterized in that step 3 specifically comprises the following steps:
(301) input the normal network behavior feature test set and the network intrusion behavior feature test set into the parameter-adjusted deep neural network anomaly detection model; the deep neural network anomaly detection model identifies whether each feature vector in the test sets is normal or abnormal, and the detection accuracy, missed-detection rate and false alarm rate are computed;
(302) input the feature vectors that were recognized as abnormal in (301) into the parameter-adjusted deep neural network misuse detection model, identify the intrusion type, and compute the recognition accuracy;
(303) if the statistics do not meet the preset target, adjust the parameters of the deep neural network anomaly detection model and the misuse detection model and retrain both models, until the preset target is met.
7. A mobile ad-hoc network intrusion detection device based on deep learning, characterized by comprising: a data acquisition module, a data fusion module, a preprocessing module, a storage module, an intrusion detection module and a response alarm module;
The data acquisition module arranges multiple wireless monitoring nodes within the coverage area of the mobile ad-hoc network, according to the size of the mobile ad-hoc network to be monitored, to capture the wireless data packets in the mobile ad-hoc network in real time and transmit them wirelessly to the data fusion module; the wireless data packets include route request packets, route reply packets, route error packets and service data packets;
The data fusion module fuses the wireless data packets received from the multiple wireless monitoring nodes and, after removing redundancy, sends them to the preprocessing module over a cable or wirelessly;
The preprocessing module performs frame parsing on the fused data, extracts and computes the network behavior features to obtain the network behavior feature vector, and sends the network behavior feature vector to the storage module;
The network behavior features include:
(1) RREQ Sent: total number of route request packets sent by the node;
(2) RREQ Received: total number of route request packets received by the node;
(3) RREP Sent: total number of route reply packets sent by the node;
(4) RREP Received: total number of route reply packets received by the node;
(5) RERR Sent: total number of route error packets sent by the node;
(6) RERR Received: total number of route error packets received by the node;
(7) Data Sent: total number of service data packets sent by the node;
(8) Data Received: total number of service data packets received by the node;
(9) Route Drop: total number of routing packets dropped by the node;
(10) Route Transmit: total number of routing packets forwarded by the node;
(11) Data Drop: total number of service data packets dropped by the node;
(12) Data Transmit: total number of service data packets forwarded by the node;
(13) Packet size: average data packet size;
(14) Active Node: number of active nodes;
The storage module comprises a general storage area and a new intrusion signature storage area; it stores the network behavior feature vectors obtained after preprocessing in the general storage area and sends the network behavior feature vectors to the intrusion detection module;
The intrusion detection module detects network intrusions in real time, notifies the response alarm module of the intrusion information, and stores new intrusion network behavior features in the new intrusion signature storage area;
If a network intrusion is detected and its intrusion type is identified, the response alarm module is notified of the intrusion information; if a network intrusion is detected but its intrusion type is not identified, an unknown intrusion type is judged to be present in the network, the response alarm module is notified, and the corresponding new intrusion network behavior features are stored in the new intrusion signature storage area; the intrusion information includes the intrusion type and the time at which the intrusion occurred;
The response alarm module issues alarm information after receiving a notification from the intrusion detection module; the alarm information includes the intrusion type and the time at which the intrusion occurred;
The new intrusion signature storage area, once the amount of stored new intrusion network behavior features reaches the point at which the intrusion detection module can recognize them, partitions them into classes with a clustering algorithm and sends the clustered new intrusion network behavior features to the intrusion detection module.
8. The mobile ad-hoc network intrusion detection device based on deep learning according to claim 7, characterized in that the intrusion detection module comprises an anomaly detection unit and a misuse detection unit;
The anomaly detection unit trains a deep neural network on normal network behavior feature vectors to obtain a representation of normal network behavior, and detects network intrusions in real time; the normal network behavior feature vectors are obtained by passing wireless data packets collected from a normal mobile ad-hoc network through the preprocessing module;
The misuse detection unit trains a deep neural network on network intrusion behavior features to obtain a representation of network intrusion behavior, identifies the intrusion type, and then notifies the response alarm module of the intrusion information; the network intrusion behavior features are obtained by passing wireless data packets collected from a mobile ad-hoc network to which known intrusion nodes have been added through the preprocessing module.
CN201510344393.2A 2015-06-19 2015-06-19 A kind of mobile ad-hoc network intrusion detection method and equipment based on deep learning Active CN104935600B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510344393.2A CN104935600B (en) 2015-06-19 2015-06-19 A kind of mobile ad-hoc network intrusion detection method and equipment based on deep learning

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510344393.2A CN104935600B (en) 2015-06-19 2015-06-19 A kind of mobile ad-hoc network intrusion detection method and equipment based on deep learning

Publications (2)

Publication Number Publication Date
CN104935600A CN104935600A (en) 2015-09-23
CN104935600B true CN104935600B (en) 2019-03-22

Family

ID=54122572

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510344393.2A Active CN104935600B (en) 2015-06-19 2015-06-19 A kind of mobile ad-hoc network intrusion detection method and equipment based on deep learning

Country Status (1)

Country Link
CN (1) CN104935600B (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant