CN107241358B - Smart home intrusion detection method based on deep learning - Google Patents
- Publication number: CN107241358B
- Authority: CN (China)
- Prior art keywords: data, neural network, training, network, deep learning
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
Abstract
The invention discloses an intelligent household intrusion detection method based on deep learning, and relates to an online system, in particular to a method for judging whether intrusion behaviors exist in a network by combining a fuzzy neural network and the deep learning. The method organically combines deep learning and the fuzzy neural network together, and solves the problems that the existing intelligent household intrusion detection technology is difficult to process a large amount of high-dimensional data, high in false alarm rate, high in missing report rate and low in detection rate. The invention adopts the off-line system to determine the operation parameters of the on-line system, and the on-line system carries out real-time intrusion detection.
Description
Technical Field
The invention relates to the field of intelligent home security, in particular to a multilayer neural network intrusion behavior detection method based on deep learning.
Background
With the rapid development of Internet of Things technology, Internet of Things products such as smart homes are gradually becoming widespread. However, the security protection capability of existing smart devices is generally weak: unsound upgrade and maintenance mechanisms, unreasonable security configuration and similar problems leave these devices with many potential security hazards. With the country's recent proposal and implementation of the Internet Plus action plan, the Made in China 2025 plan, smart city construction and the like, large numbers of smart devices keep emerging, but the corresponding security safeguards are not yet sound. The smart home, as a new kind of Internet of Things, is entering more and more households. A smart home system comprises cameras, routers, gateways and other smart devices, and these devices have information security vulnerabilities such as authorization bypass, denial of service and information disclosure. Attackers can easily use these vulnerabilities to attack smart home networks, causing problems such as disclosure of users' private data and abnormal operation of the smart home network.
Existing smart home systems are not fully secure. Most of them rely on technologies such as firewalls, authentication or encryption to improve security. These technologies are passive defenses: they are effective against certain specific attacks, but they cannot actively discover attack behavior, so treatment or preventive measures cannot be taken in time.
Disclosure of Invention
In view of the above, the present invention provides a smart-home-oriented intrusion detection method with a low false alarm rate and a high detection rate.
The object of the invention is achieved by the following technical solution: a smart home intrusion detection method based on deep learning, comprising the following steps:
S1. Initialization: generate an offline system database with empty content. The database comprises three sub-databases: labeled training and test data, data screening link parameters, and deep-learning-based multilayer network parameters;
S2. Encode and normalize the collected labeled traffic data to form data to be detected, and store it in the labeled training and test data sub-database;
S3. Classify the data in the labeled training and test data sub-database according to the label of each record, forming a normal-behavior sample data set and an intrusion-behavior sample data set; compute the center of each of the two sample data sets with the K-means algorithm, analyze the distance between each sample in the two sets and its sample center, and set a decision threshold so that the samples sharing the class characteristics fall within the threshold range; store the sample centers and thresholds in the data screening link parameter sub-database; train the weights and bias values of the multilayer neural network with the data in the labeled training and test data sub-database, and store the trained neural network parameters in the deep-learning-based multilayer neural network parameter sub-database; this completes the training link, and the method jumps to step S4 for real-time monitoring by the online system;
S4. Encode and normalize the acquired unlabeled traffic data to form one record of data to be detected, and compute its distance to the centers of the two sample data sets from step S3; if the distance is smaller than the threshold of the corresponding sample data set, the record belongs to that type of behavior; otherwise jump to step S5;
S5. Input the data to be detected whose type could not be determined in step S4 into the multilayer neural network for identification, judge from the output value of the multilayer neural network whether a potential safety hazard exists, and if so, drive the smart home alarm module to raise an alarm.
Further, in step S3, the K-means algorithm is used to determine the sample centers of the two types of behavior in the labeled training database of the offline system database, the Euclidean distance from each point in the offline system database to the sample center is calculated, and the distance threshold of the data screening link is determined by applying the Pauta criterion to these distances.
Further, inputting the data to be detected whose type cannot be determined in step S4 into the multilayer neural network for identification includes data reduction by a deep belief network and identification by a fuzzy neural network.
Further, the multilayer neural network comprises a deep belief network and a fuzzy neural network; the output of the deep belief network is used as the input of the fuzzy neural network, and the deep belief network is composed of a plurality of restricted Boltzmann machines.
Further, in step S2, when the weights and bias values of the multilayer neural network are trained with the data in the labeled training and test data sub-database, the training of the multilayer neural network includes training of the deep belief network and training of the fuzzy neural network.
Further, the training of the deep belief network comprises bottom-up unsupervised training and top-down supervised parameter fine-tuning; the fuzzy neural network is trained by the gradient descent method.
Furthermore, an evaluation model is constructed from the reconstruction error of the restricted Boltzmann machines in the deep belief network, the detection rate and the detection time of the multilayer neural network, and the like, to determine the depth of the multilayer neural network, that is, the number of restricted Boltzmann machines in the deep belief network.
Further, when the reconstruction error is larger than 0.1, the network depth is increased by 1, that is, one restricted Boltzmann machine is added to the deep belief network.
Further, if the reconstruction error of the deep belief network is less than 0.1, the network depth of the intrusion detection model is determined by evaluating the detection rate and the detection time of the multilayer neural network and selecting a suitable number of restricted Boltzmann machines in light of the computing power of the smart home system server.
Due to the adoption of the technical scheme, the invention has the following advantages:
The invention combines an online detection system with an offline system, overcoming the slow speed and large lag of traditional detection methods. Compared with traditional intrusion detection methods, it introduces a multilayer neural network combining deep learning and a fuzzy neural network, so that some unknown intrusion behaviors can be detected and some false alarms caused by human misoperation are eliminated; that is, the scheme has a low false alarm rate and a high detection rate.
Drawings
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be further described in detail with reference to the accompanying drawings, in which:
FIG. 1 is a flow chart of intrusion detection according to the present invention;
FIG. 2 is a diagram of a smart home system according to the present invention;
FIG. 3 is a schematic diagram of a multi-layer neural network training method according to the present invention;
FIG. 4 is a block diagram of a restricted Boltzmann machine according to the present invention;
FIG. 5 is a structural view of the present invention.
Detailed Description
The preferred embodiments of the present invention will be described in detail below with reference to the accompanying drawings; it should be understood that the preferred embodiments are illustrative of the invention only and are not limiting upon the scope of the invention.
Referring to a detection flow chart shown in fig. 1, the intelligent home intrusion detection method includes the following steps:
101. initializing, and generating an off-line system database with empty contents, wherein the database comprises three sub-databases of training and testing data with labels, data screening link parameters and multilayer network parameters based on deep learning;
102. The smart home system comprises sensor nodes, routing nodes, a server, a client and so on; its composition is shown in FIG. 2. Traffic capture software is used to capture labeled traffic data at the gateway of the smart home server. The collected data are encoded and normalized to form data to be detected, which is added to the labeled training and test database in the offline system database of 101; then jump to step 103.
103. The labeled data in the offline system database of 101 are classified according to the label of each record, forming a normal-behavior sample data set and an intrusion-behavior sample data set. The center of each of the two sample data sets is computed with the K-means algorithm, the distance between each sample and its sample center is analyzed, and a decision threshold is set so that the samples sharing the class characteristics fall within the threshold range of that class; the sample centers and thresholds are stored in the data screening link parameter sub-database. The weights and bias values of the multilayer neural network are trained with the data in the labeled training and test data sub-database, and the trained neural network parameters are stored in the deep-learning-based multilayer neural network parameter sub-database. This completes the training link; jump to step 104 for real-time monitoring by the online system.
104. Traffic capture software is used to capture unlabeled traffic data at the gateway of the smart home server, and the captured data are encoded and normalized to form one record of data to be detected. The data screening link is then carried out: the distance from the data to be detected to the centers of the two sample data sets from 103 is calculated; if the distance is less than the threshold of a type of behavior, the record is assigned to that type; otherwise jump to step 105.
105. The data to be detected whose type could not be determined in step 104 is input into the multilayer neural network for recognition, which comprises data reduction by a deep belief network and identification by a fuzzy neural network. If the output of the multilayer neural network is in [0, 1.2], the data is safe; if the output is in (1.2, 2.5), the data carries a potential safety hazard and the alarm module can be driven to raise an alarm; if the output is not in the interval [0, 2.5], the data cannot be identified by the network, so it is stored in the offline system until an administrator reviews it and judges whether it carries a potential safety hazard.
In the data screening process in step 103:
A. The parameters required by the data screening link are determined in the offline system. The sample centers of the two types of behavior in the labeled training database of the offline system are determined with the K-means algorithm. This is a clustering algorithm; the cluster center is obtained from the labeled data. The Euclidean distance from each point in the offline rule base to the sample center is calculated, where $(X_1, \dots, X_k)$ is the sample center and $(x_1, \dots, x_k)$ is a point in the offline rule base. The distance threshold of the data screening link is determined by applying the Pauta criterion, also called the 3σ criterion, to these distances.
B. In the data screening link of the online detection system, the distance between the data to be detected and each of the two sample centers from the offline system is calculated. The smaller distance is selected and compared with the threshold that the offline system set for the class of the corresponding sample center. If the distance is smaller than the threshold, the data belongs to that class; if it is larger than the threshold, the data does not belong to that class and is passed on to the subsequent multilayer neural network detection.
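The screening link of A and B above, followed by the output intervals of step 105, as an added Python example that is not part of the patent text. It assumes one cluster per labeled class (so the K-means center is the class mean), takes the 3σ threshold as the mean plus three standard deviations of the training distances, and treats the bound 2.5 as inclusive; the feature vectors, label names and network callable are constructed stand-ins.

```python
import math
import statistics

# Constructed, already-normalized feature vectors (not real traffic).
LABELED = {
    "normal": [(0.10, 0.20, 0.10), (0.12, 0.18, 0.11), (0.09, 0.22, 0.09),
               (0.11, 0.21, 0.12), (0.08, 0.19, 0.08)],
    "intrusion": [(0.90, 0.80, 0.95), (0.88, 0.82, 0.90), (0.93, 0.79, 0.97),
                  (0.91, 0.83, 0.92), (0.89, 0.78, 0.94)],
}


def euclidean(x, center):
    """Euclidean distance between a record and a sample center."""
    if len(x) != len(center):
        raise ValueError("feature vector and center differ in length")
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(x, center)))


def fit_screen(labeled):
    """Offline system: one center and one 3-sigma distance threshold per class."""
    params = {}
    for label, samples in labeled.items():
        dim = len(samples[0])
        # Assumption: a single cluster per class, so the center is the mean.
        center = [statistics.fmean([s[i] for s in samples]) for i in range(dim)]
        dists = [euclidean(s, center) for s in samples]
        # Assumption: threshold = mean distance + 3 * standard deviation.
        threshold = statistics.fmean(dists) + 3 * statistics.pstdev(dists)
        params[label] = {"center": center, "threshold": threshold}
    return params


def screen(x, params):
    """Online system: nearest center wins only if x is inside its threshold."""
    label, dist = min(
        ((lbl, euclidean(x, p["center"])) for lbl, p in params.items()),
        key=lambda pair: pair[1],
    )
    return label if dist < params[label]["threshold"] else None


def interpret_output(y):
    """Map the multilayer network output to the intervals given in step 105."""
    if 0 <= y <= 1.2:
        return "safe"
    if 1.2 < y <= 2.5:  # assumption: 2.5 itself counts as a hazard
        return "hazard"
    return "unidentified"  # also reached for NaN


def detect(x, params, network, pending=None):
    """Screen first; only undetermined records reach the network."""
    label = screen(x, params)
    if label is not None:
        return ("screening", label)
    verdict = interpret_output(network(x))
    if verdict == "unidentified" and pending is not None:
        pending.append(x)  # held in the offline system for administrator review
    return ("network", verdict)


def stand_in_network(x):
    """Hypothetical stand-in for the trained multilayer network."""
    return 1.9


if __name__ == "__main__":
    params = fit_screen(LABELED)
    for record in [(0.11, 0.19, 0.10), (0.92, 0.81, 0.93), (0.20, 0.30, 0.20)]:
        print(record, detect(record, params, stand_in_network))
```

The third record is nearest to the normal center but lies outside its threshold, so it is not labeled by screening and is handed to the network instead.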
The multilayer neural network algorithm in step 105 comprises:
A. The parameters of the multilayer neural network are trained in the offline system. The training method is shown in FIG. 3 and comprises training of the deep belief network and training of the fuzzy neural network. The training of the deep belief network comprises bottom-up unsupervised training and top-down supervised parameter fine-tuning; the fuzzy neural network is trained by the gradient descent method.
B. The deep belief network is composed of several restricted Boltzmann machines. The model is a probability-based energy model whose principle is shown in FIG. 4: the probability of the hidden layer V is approximated by the Gibbs sampling algorithm, and the weight W and the hidden-layer and visible-layer bias values a and b of the deep belief network are obtained by differentiating the logarithm of the likelihood function with respect to the parameters. The output of the deep belief network is used as the input of the fuzzy neural network, which classifies the behavior and outputs a number in [0, 2.5]. The class of the data is judged from the output number.
C. An evaluation model is constructed from the reconstruction error of the restricted Boltzmann machines in the deep belief network, the detection rate and the detection time of the multilayer neural network, and the like, to determine the depth of the multilayer neural network, that is, the number of restricted Boltzmann machines in the deep belief network. When the reconstruction error is larger than 0.1, the network depth is increased by 1, that is, one restricted Boltzmann machine is added to the deep belief network. If the reconstruction error of the deep belief network is smaller than 0.1, the network depth of the intrusion detection model is determined by evaluating the detection rate and the detection time of the multilayer neural network and selecting a suitable number of restricted Boltzmann machines in light of factors such as the computing capacity of the smart home system server.
The invention is suitable for intrusion detection in smart home networks. Because the disclosed intrusion detection method organically combines deep learning and the fuzzy neural network, it can achieve a low false alarm rate, a low false detection rate and a high detection rate; it also has better detection capability for unknown intrusion behaviors and better adaptive capability.
Traditional methods generally have a higher false alarm rate; this method can reduce the false alarm rate to less than 5 percent while the detection rate reaches more than 95 percent. The detection rate for unknown new intrusion behavior is over 60 percent.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and it is apparent that those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.
Claims (9)
1. A smart home intrusion detection method based on deep learning is characterized by comprising the following steps: the method specifically comprises the following steps:
S1. Initialization: generate an offline system database with empty content. The database comprises three sub-databases: labeled training and test data, data screening link parameters, and deep-learning-based multilayer network parameters;
S2. Encode and normalize the collected labeled traffic data to form data to be detected, and store it in the labeled training and test data sub-database;
S3. Classify the data in the labeled training and test data sub-database according to the label of each record, forming a normal-behavior sample data set and an intrusion-behavior sample data set; compute the center of each of the two sample data sets with the K-means algorithm, analyze the distance between each sample in the two sets and its sample center, and set a decision threshold so that the samples sharing the class characteristics fall within the threshold range; store the sample centers and thresholds in the data screening link parameter sub-database; train the weights and bias values of the multilayer neural network with the data in the labeled training and test data sub-database, and store the trained neural network parameters in the deep-learning-based multilayer neural network parameter sub-database; this completes the training link, and the method jumps to step S4 for real-time monitoring by the online system;
S4. Encode and normalize the acquired unlabeled traffic data to form one record of data to be detected, and compute its distance to the centers of the two sample data sets from step S3; if the distance is smaller than the threshold of the corresponding sample data set, the record belongs to that type of behavior; otherwise jump to step S5;
S5. Input the data to be detected whose type could not be determined in step S4 into the multilayer neural network for identification, judge from the output value of the multilayer neural network whether a potential safety hazard exists, and if so, drive the smart home alarm module to raise an alarm.
2. The smart home intrusion detection method based on deep learning according to claim 1, characterized in that: in step S3, the K-means algorithm is used to determine the sample centers of the two types of behavior in the labeled training database of the offline system database, the Euclidean distance between each point in the offline system database and the sample center is calculated, and the distance threshold of the data screening link is determined by applying the Pauta criterion to these distances.
3. The smart home intrusion detection method based on deep learning according to claim 1, characterized in that: inputting the data to be detected, the type of which cannot be determined in the step S4, into the multilayer neural network for identification includes performing data reduction and fuzzy neural network identification by using a deep belief network.
4. The smart home intrusion detection method based on deep learning according to claim 1, characterized in that: the multilayer neural network comprises a deep belief network and a fuzzy neural network, wherein the output of the deep belief network is used as the input of the fuzzy neural network, and the deep belief network consists of a plurality of restricted Boltzmann machines.
5. The smart home intrusion detection method based on deep learning according to claim 1, characterized in that: in step S2, in training the weight and bias values of the multi-layer neural network using the data in the tagged training test database, the training of the multi-layer neural network includes training of a deep belief network and training of a fuzzy neural network.
6. The smart home intrusion detection method based on deep learning according to claim 5, characterized in that: the training of the deep belief network comprises bottom-up unsupervised training and top-down supervised parameter fine-tuning; the fuzzy neural network is trained by the gradient descent method.
7. The smart home intrusion detection method based on deep learning according to claim 3, characterized in that: an evaluation model is constructed from the reconstruction error of the restricted Boltzmann machines in the deep belief network and the detection rate and the detection time of the multilayer neural network to determine the depth of the multilayer neural network, that is, the number of restricted Boltzmann machines in the deep belief network.
8. The smart home intrusion detection method based on deep learning according to claim 7, characterized in that: when the reconstruction error is larger than 0.1, the network depth is increased by 1, that is, one restricted Boltzmann machine is added to the deep belief network.
9. The smart home intrusion detection method based on deep learning according to claim 7, characterized in that: if the reconstruction error of the deep belief network is less than 0.1, the network depth of the intrusion detection model is determined by evaluating the detection rate and the detection time of the multilayer neural network and selecting a suitable number of restricted Boltzmann machines in light of the computing power of the smart home system server.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710651758.5A CN107241358B (en) | 2017-08-02 | 2017-08-02 | Smart home intrusion detection method based on deep learning |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107241358A (en) | 2017-10-10 |
CN107241358B (en) | 2020-04-07 |
Family
ID=59989480
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710651758.5A Active CN107241358B (en) | 2017-08-02 | 2017-08-02 | Smart home intrusion detection method based on deep learning |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107241358B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||