CN109194612A - A network attack detection method based on a deep belief network and SVM - Google Patents


Info

Publication number: CN109194612A
Authority: CN (China)
Legal status: Granted
Application number: CN201810832545.7A
Other languages: Chinese (zh)
Other versions: CN109194612B (en)
Inventors: 唐舸轩, 石波, 赵磊, 吴朝雄
Current Assignee: Beijing Institute of Computer Technology and Applications
Original Assignee: Beijing Institute of Computer Technology and Applications

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14: Network analysis or design
    • H04L41/145: Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L63/1441: Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network attack detection method based on a deep belief network and SVM, comprising: step 1: construct the network attack behavior feature vector; step 2: determine the model training set and test set, label the data, distinguish normal behavior from attack behavior, and classify the attack behavior; step 3: build the deep belief network model, train it layer by layer to extract attack behavior features, and calculate the error until convergence, then fine-tune the model weights to obtain the feature vector; step 4: using the extracted feature vector as the input parameter, select a suitable SVM classifier for training, classify the attack behavior, and construct the network attack detection model; step 5: build the attack analysis model, test the model accuracy with the test set, calculate the accuracy rate, false positive rate and false negative rate, and use the identified attack behavior as training data for optimization.

Description

A network attack detection method based on a deep belief network and SVM
Technical field
The invention belongs to the technical field of network security and proposes a network attack detection method based on a deep belief network and SVM.
Background
At present, networks play an increasingly important role in people's lives, and countries pay more and more attention to network security; cyberspace has gradually become a new domain of competition among the world's major powers. Attacks in cyberspace occur quickly, cover a wide range and are highly sudden, and they are accompanied by a large number of events and data while in progress, which brings new challenges to the discovery of network attack behavior.
Attack detection needs to collect a large amount of data, which makes the feature vector dimension too high; when a classification model is trained on it, accuracy declines and attack detection fails. Extracting attack behavior features manually is highly limited, generalizes poorly and is not universal, and usually gives good results only on data sets with similar patterns. Therefore, deep learning is used to extract the feature data and, together with a classification model, to dynamically detect and discover attack behavior in cyberspace, making up for the shortcomings of traditional methods: strong limitations, weak generalization and poor universality. Features extracted by deep learning often classify better, which helps improve the model's recognition accuracy.
The deep belief network (DBN, Deep Belief Nets), as a representative of unsupervised learning in deep neural networks, can achieve a good learning effect on training sets that largely lack labels. The support vector machine (SVM), a common classification model, also shows many good properties in nonlinear and high-dimensional pattern recognition. The invention therefore mainly uses these two algorithms to construct a network attack behavior detection model.
(1) The deep belief network:
A deep belief network is a stack of restricted Boltzmann machines (RBM). Each hidden layer of the deep belief network is a restricted Boltzmann machine, and the network structure deepens layer by layer as RBM layers are added. The weight pre-training of the deep belief network is therefore carried out with the RBM training algorithm. A feedback neural network is added at the final output layer of the deep belief network; the output layer compares the training data with the label data and fine-tunes the network with the error back-propagation algorithm (BP, Back-Propagation).
During unsupervised weight pre-training of the DBN, the problem to be solved is this: once the hidden neuron states have been computed from the input data at the visible-layer neurons, how to use the hidden-layer neuron states to reconstruct the signal into the input data while keeping the error between the original input data and the reconstructed input data as small as possible. In the wake-sleep algorithm, the model learns recognition weights, with which the hidden neuron states are obtained from the visible-layer input data. It then learns generative weights, which reconstruct the visible-layer input from the hidden neurons. The recognition weights and generative weights are adjusted continuously to reduce the error produced when reconstructing the data.
(2) The support vector machine:
A support vector machine (Support Vector Machine, SVM) is a supervised learning model mainly used to analyze data and recognize patterns, for classification and regression analysis. The standard support vector machine is a non-probabilistic linear classifier: for each input, it predicts which of two known classes the input belongs to. Because SVM is a classifier, given a training set in which each sample is labelled as belonging to one of two classes, the support vector machine algorithm suits either-or problems, so it is usually used to solve two-class classification problems.
Summary of the invention
The purpose of the invention is to provide a network attack detection method based on a deep belief network and SVM that solves the above problems of the prior art.
A network attack detection method based on a deep belief network and SVM according to the invention comprises: step 1: construct the attack behavior feature vector; step 2: determine the model training set and test set, label the data, distinguish normal behavior from attack behavior, and classify the attack behavior; step 3: build the deep belief network model, train it layer by layer to extract network attack behavior features, and calculate the error until convergence, then fine-tune the model weights to obtain the feature vector; step 4: using the extracted feature vector as the input parameter, select a suitable SVM classifier for training, classify the attack behavior, and construct the network attack detection model; step 5: build the attack analysis model, test the model accuracy with the test set, calculate the accuracy rate, false positive rate and false negative rate, and use the identified attack behavior as training data for optimization.
In one embodiment of the network attack detection method based on a deep belief network and SVM according to the invention, step 1 includes: the attack behavior characteristic attributes are a set of quantitative analysis data used to describe the current network attack behavior; the feature data collected from sensors form a one-dimensional vector, giving the attack behavior feature vector. For the i-th network attack behavior, the feature vector collected at time t is denoted $V_i(t)$: $V_i(t) = \{a_1, a_2, a_3, \ldots, a_n\}$, where $a_n$ is the value of the n-th attribute of the i-th attack behavior at time t.
In one embodiment of the network attack detection method based on a deep belief network and SVM according to the invention, in step 1, if the attack targets the Windows operating system, the collected feature data include system file deletion, system file renaming, system file creation, temporary file creation, file execution, file modification, registry entry deletion, service deletion, execution mode change, registration operation, service registration, BHO addition, process creation, process termination, process search, DLL code injection, thread creation, port opening, port binding, network connection establishment, network connection disconnection, data sending, data receiving, source IP, destination IP, source port, destination port, URL type, content type, behavior action type, number of network traffic packets and packet length.
In one embodiment of the network attack detection method based on a deep belief network and SVM according to the invention, step 2 specifically includes: step 2.1: divide the collected feature vectors $V_i(t)$ into two parts, labelled and unlabelled, $\{S_1, S_2\}$; labelled data are attack data for which the kind of attack behavior can be determined. The labelled data $S_2$ are: $V_i(t) \in \{P_1, P_2, P_3, \ldots, P_n\}$, where $P_n$ indicates that the i-th attack event belongs to the n-th type of network attack; the remaining data are the unlabelled data $S_1$. Step 2.2: build the training set Training Set $= \{S_1 + S_{21}\}$, where $S_1$ is the unlabelled training data and $S_{21}$ is labelled data: a% of the labelled data are selected from $S_2$ and applied to the weight fine-tuning process of the BP feedback algorithm, so $S_{21} = a\% \cdot S_2$. Step 2.3: construct the test set Test Set $= \{S_{22}\}$; the test set is used to test the model's recognition accuracy, all of its data are labelled, and the remaining data of $S_2$ serve as $S_{22}$. Step 2.4: normalize the data of the training set and test set so that $S_1, S_2 \in (0, 1)$.
In one embodiment of the network attack detection method based on a deep belief network and SVM according to the invention, a% is 30%.
In one embodiment of the network attack detection method based on a deep belief network and SVM according to the invention, step 3 includes:
Step 3.1: Construct the deep belief network model structure:
A network model with 3 hidden layers is used, and each RBM layer is trained in turn, including $RBM_1$, $RBM_2$ and $RBM_3$; here v is the output layer neuron, $h_n$ is the n-th hidden layer, and W is the weight;
Step 3.2: Using the training set Training Set, train the first RBM layer and calculate the state of each neuron; each neuron has two states, activated or inhibited:
where Pstate is the neuron state and α is the probability threshold for whether the neuron activates. In the deep belief network, the threshold α is drawn at random from the uniform distribution on (0, 1). The hidden neuron activation probability is calculated:
The visible-layer neuron activation probability is calculated:
where $W_{ij}$ is the connection weight between neuron i and neuron j, $b_j$ is the bias of visible-layer neuron j, and $c_i$ is the bias of hidden-layer neuron i;
According to the activation probabilities of the visible-layer neurons and hidden neurons, update the weights, the visible-layer neuron biases and the hidden-layer neuron biases:
$c_i = c_i + p(h_i = 1 \mid v^0) - p(h_i = 1 \mid v^k)$;
where $v_j^k$ is the value of the j-th neuron at the k-th iteration; the error of this RBM layer's training is calculated:
When Δv is less than a certain threshold, the training of this RBM layer is considered to have converged; otherwise step 3.2 is carried out again and training of this RBM layer continues;
Step 3.3: Take the output data of the $RBM_1$ layer as the input data of the next RBM layer and train it according to step 3.2, until all RBM layers have been trained;
Step 3.4: Use the $S_{21}$ data in the training set Training Set to fine-tune the weights. The adjustment has two parts: adjusting the output layer weights and adjusting the hidden layer weights. The output layer weights directly affect the output of the deep belief network, so the output layer weights are adjusted first:
$w_{ji} = w_{ji} - \eta x_{ji} y_i (1 - y_i)(y_i - d_i)$;
where $w_{ji}$ is the output layer weight, $x_{ji}$ is the input value of the output layer neuron, $y_i$ is the output of the output layer neuron, $d_i$ is the desired output, and η is the learning rate;
The hidden layer neuron weights are adjusted as follows:
where $W_{kj}$ is the hidden layer weight, $y'_j$ is the output of the hidden layer neuron, and $x_{kj}$ is the input of the hidden layer neuron.
In one embodiment of the network attack detection method based on a deep belief network and SVM according to the invention, the number of RBM layers is three.
In one embodiment of the network attack detection method based on a deep belief network and SVM according to the invention, step 4 includes: step 4.1: pass the network attack feature vector produced by dimensionality reduction and feature extraction, as the input parameter, to the first SVM classifier; step 4.2: select different SVM classifiers to distinguish different attack behaviors.
In one embodiment of the network attack detection method based on a deep belief network and SVM according to the invention, step 5 includes:
Step 5.1: Calculate the recognition accuracy C of the network attack detection model:
where $N_{normal}$ is the number of normal behaviors detected, $n_i$ is the number of detections of a given kind of network attack, m is the number of kinds of network attack, and n is the total size of the test set;
Step 5.2: Use the network attack detection model to discover attack behavior, and label the correctly classified data and put them into the training set.
In one embodiment of the network attack detection method based on a deep belief network and SVM according to the invention, the SVM classifiers specifically include: an SVM classifier that distinguishes normal behavior from attack behavior, and multiple SVM classifiers that identify different attack types.
In summary, the invention addresses the problem that the feature vector dimension is too high in network attack detection, which lowers recognition accuracy, and proposes a network attack analysis method based on a deep belief network and SVM. The deep belief network reduces the dimension of the original high-dimensional attack behavior feature data and, through learning, extracts attack behavior feature vectors that are more expressive, more universal and better for classification, which are then classified and identified with SVM.
Description of the drawings
Fig. 1 shows the flow chart of the network attack detection method based on a deep belief network and SVM;
Fig. 2 shows a schematic diagram of the deep belief network model structure;
Fig. 3 shows a schematic diagram of the processing of the SVM classifiers.
Detailed description of embodiments
To make the purpose, content and advantages of the invention clearer, specific embodiments of the invention are described in further detail below with reference to the drawings and examples.
Fig. 1 shows the flow chart of the network attack detection method based on a deep belief network and SVM. As shown in Fig. 1, the steps of the method are as follows:
Step 1: Construct the network attack behavior feature vector;
Step 2: Determine the model training set and test set, label the data, distinguish normal behavior from attack behavior, and classify the attack behavior;
Step 3: Build the deep belief network model, train it layer by layer to extract attack behavior features, and calculate the error until convergence;
Step 4: Using the attack behavior feature vector learned through the deep belief network's dimensionality reduction and feature extraction as the input parameter, select a suitable SVM kernel function for training and classify the attack behavior;
Step 5: Build the attack analysis model, test the model accuracy with the test set, and calculate the accuracy rate, false positive rate and false negative rate. Successfully identified attack behavior is used as training data to keep optimizing the model and improve accuracy.
As shown in Fig. 1, the network attack detection method based on a deep belief network and SVM specifically includes:
Step 1: Construct the network attack behavior feature vector, including:
The attack behavior characteristic attributes are a set of quantitative analysis data used to describe the current network attack behavior. The feature data collected from sensors form a one-dimensional vector, giving the attack behavior feature vector. For example, for attacks on the Windows operating system, the feature data that can be collected as attributes include system file deletion, system file renaming, system file creation, temporary file creation, file execution, file modification, registry entry deletion, service deletion, execution mode change, registration operation, service registration, BHO addition, process creation, process termination, process search, DLL code injection, thread creation, port opening, port binding, network connection establishment, network connection disconnection, data sending, data receiving, source IP, destination IP, source port, destination port, URL type, content type, behavior action type, number of network traffic packets, and packet length.
For the i-th attack behavior, the feature vector collected at time t is denoted $V_i(t)$:
$V_i(t) = \{a_1, a_2, a_3, \ldots, a_n\}$;
where $a_n$ is the value of the n-th attribute of the i-th attack behavior at time t.
Step 2: Determine the model training set and test set, label the data, distinguish normal behavior from attack behavior, and classify the attack behavior manually, including:
Step 2.1: Divide the collected feature vectors $V_i(t)$ into two parts, labelled and unlabelled, $\{S_1, S_2\}$. Labelled data are attack data for which the kind of attack behavior can be determined; the labelled data $S_2$ are:
$V_i(t) \in \{P_1, P_2, P_3, \ldots, P_n\}$;
where $P_n$ indicates that the i-th attack event belongs to the n-th type of network attack; the remaining data are the unlabelled data $S_1$.
Step 2.2: Build the training set Training Set $= \{S_1 + S_{21}\}$, where $S_1$, the unlabelled training data, can be applied to the weight pre-training of the deep belief network, and $S_{21}$ is labelled data: 30% of the labelled data are selected from $S_2$ and applied to the weight fine-tuning process of the BP feedback algorithm, so $S_{21} = 0.3 \cdot S_2$.
Step 2.3: Construct the test set Test Set $= \{S_{22}\}$. The test set is used to test the model's recognition accuracy; because the accuracy rate, false positive rate and false negative rate must be calculated, all test-set data need to be labelled, and the remaining data of $S_2$ serve as $S_{22}$.
Step 2.4: Normalize the data of the training set and test set so that:
$S_1, S_2 \in (0, 1)$.
Step 3: Build the deep belief network model, train it layer by layer to extract attack behavior features, and calculate the error until convergence, then fine-tune the model weights to obtain the feature vector, including:
Fig. 2 shows a schematic diagram of the deep belief network model structure. As shown in Fig. 2, step 3.1: construct the deep belief network model structure:
For example, a network model with 3 hidden layers is used, and each RBM layer ($RBM_1$, $RBM_2$, $RBM_3$) is trained in turn. Here v is the output layer neuron, $h_n$ is the n-th hidden layer, and W is the weight.
Step 3.2: Using the training set Training Set, train $RBM_1$. Calculate the state of each neuron; each neuron has two states, activated or inhibited:
where Pstate is the neuron state and α is the probability threshold for whether the neuron activates. In the deep belief network, the threshold α is drawn at random from the uniform distribution on (0, 1). The hidden neuron activation probability is calculated:
The visible-layer neuron activation probability is calculated:
where $W_{ij}$ is the connection weight between neuron i and neuron j, $b_j$ is the bias of visible-layer neuron j, and $c_i$ is the bias of hidden-layer neuron i.
According to the activation probabilities of the visible-layer neurons and hidden neurons, update the weights, the visible-layer neuron biases and the hidden-layer neuron biases:
$c_i = c_i + p(h_i = 1 \mid v^0) - p(h_i = 1 \mid v^k)$;
where $v_j^k$ is the value of the j-th neuron at the k-th iteration. Finally, the error of this RBM layer's training is calculated:
When Δv is less than a certain threshold, the training of this RBM layer is considered to have converged; otherwise step 3.2 is carried out again and training of $RBM_1$ continues.
Step 3.3: Take the output data of the $RBM_1$ layer as the input data of the second RBM layer and train the $RBM_2$ layer according to step 3.2; once its error value meets the requirement, train the $RBM_3$ layer according to step 3.2, completing the training of all RBM layers.
Step 3.4: Use the $S_{21}$ data in the training set Training Set to fine-tune the weights. The adjustment has two parts: adjusting the output layer weights and adjusting the hidden layer weights. The output layer weights directly affect the output of the deep belief network, so the output layer weights are adjusted first:
$w_{ji} = w_{ji} - \eta x_{ji} y_i (1 - y_i)(y_i - d_i)$;
where $w_{ji}$ is the output layer weight, $x_{ji}$ is the input value of the output layer neuron, $y_i$ is the output of the output layer neuron, $d_i$ is the desired output, and η is the learning rate;
The weights between hidden-layer neurons affect the output of the whole deep belief network indirectly, so their adjustment is related to the adjustment of the neurons in the layer above: the residual of that layer's adjustment must be calculated and accumulated onto this layer. The hidden layer neuron weights are therefore adjusted second:
where $W_{kj}$ is the hidden layer weight, $y'_j$ is the output of the hidden layer neuron, and $x_{kj}$ is the input of the hidden layer neuron.
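The layer-by-layer pre-training of steps 3.2 and 3.3, as an added example that is not part of the patent text. The learning rate `lr`, the single reconstruction step (k = 1), the weight and visible-bias updates, the mean squared reconstruction error used for Δv, the layer sizes and the constructed input data are assumptions, because the page does not show those formulas or values.

```python
import math
import random

def sigmoid(x):
    x = max(-30.0, min(30.0, x))          # clamp to avoid overflow in exp()
    return 1.0 / (1.0 + math.exp(-x))

class RBM:
    """One RBM layer: weights W[i][j], visible biases b_j, hidden biases c_i."""

    def __init__(self, n_visible, n_hidden, rng):
        self.rng = rng
        self.W = [[rng.gauss(0.0, 0.01) for _ in range(n_visible)]
                  for _ in range(n_hidden)]
        self.b = [0.0] * n_visible
        self.c = [0.0] * n_hidden

    def p_hidden(self, v):
        # p(h_i = 1 | v) = sigmoid(c_i + sum_j W_ij * v_j)
        return [sigmoid(c + sum(w * x for w, x in zip(row, v)))
                for row, c in zip(self.W, self.c)]

    def p_visible(self, h):
        # p(v_j = 1 | h) = sigmoid(b_j + sum_i W_ij * h_i)
        return [sigmoid(b + sum(self.W[i][j] * h[i] for i in range(len(h))))
                for j, b in enumerate(self.b)]

    def sample(self, probs):
        # A neuron is activated when its probability exceeds alpha ~ U(0, 1).
        return [1.0 if p > self.rng.random() else 0.0 for p in probs]

    def train_epoch(self, data, lr):
        """One pass over the data; returns the mean reconstruction error."""
        total = 0.0
        for v0 in data:
            ph0 = self.p_hidden(v0)
            v1 = self.p_visible(self.sample(ph0))   # reconstruction v^k, k = 1
            ph1 = self.p_hidden(v1)
            for i, row in enumerate(self.W):
                for j in range(len(row)):
                    row[j] += lr * (ph0[i] * v0[j] - ph1[i] * v1[j])
                # Page's update c_i += p(h_i=1|v^0) - p(h_i=1|v^k), scaled by lr
                self.c[i] += lr * (ph0[i] - ph1[i])
            for j in range(len(self.b)):
                self.b[j] += lr * (v0[j] - v1[j])
            total += sum((a - r) ** 2 for a, r in zip(v0, v1)) / len(v0)
        return total / len(data)

def train_dbn(data, hidden_sizes, lr=0.1, tol=0.01, max_epochs=300, seed=7):
    """Greedy layer-wise pre-training: each RBM's output feeds the next RBM."""
    rng = random.Random(seed)
    layers, history, x = [], [], data
    for n_hidden in hidden_sizes:
        rbm = RBM(len(x[0]), n_hidden, rng)
        errors = []
        for _ in range(max_epochs):
            errors.append(rbm.train_epoch(x, lr))
            if errors[-1] < tol:          # step 3.2 convergence test on the error
                break
        layers.append(rbm)
        history.append(errors)
        x = [rbm.p_hidden(v) for v in x]  # step 3.3: input for the next layer
    return layers, history, x

def make_constructed_data(seed=1):
    """Constructed sample: 24 normalized 8-attribute vectors from two patterns."""
    rng = random.Random(seed)
    protos = [[0.9] * 4 + [0.1] * 4, [0.1] * 4 + [0.9] * 4]
    return [[p + rng.uniform(-0.05, 0.05) for p in protos[k % 2]]
            for k in range(24)]

if __name__ == "__main__":
    layers, history, features = train_dbn(make_constructed_data(), [6, 4, 2])
    for n, errs in enumerate(history, 1):
        print(f"RBM{n}: {len(errs)} epochs, error {errs[0]:.4f} -> {errs[-1]:.4f}")
    print("reduced feature vector:", [round(f, 3) for f in features[0]])
```

The returned `features` are the reduced vectors that step 4 would pass to the first SVM classifier; the supervised fine-tuning of step 3.4 is not included here.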
Step 4: Using the feature vector extracted in step 3 as the input parameter, select a suitable SVM kernel function for training, and classify the attack behavior to build the network attack detection model, including:
Fig. 3 shows a schematic diagram of the processing of the SVM classifiers. As shown in Fig. 3, step 4.1: pass the network attack feature vector produced by dimensionality reduction and feature extraction, as the input parameter, to the first SVM classifier.
The first SVM classifier mainly distinguishes normal behavior from attack behavior. The confirmed normal behavior is relabelled and can be used as training set data for repeated training, improving the accuracy of the model.
Step 4.2: For the attack behavior separated out by the first SVM classifier, select different kernel functions to distinguish different attack behaviors. For example, $SVM_2$ identifies attack type $P_1$, $SVM_3$ identifies attack type $P_2$, and so on, until the last classifier $SVM_n$ identifies attack type $P_n$ and the identification of attack types is complete. An attack whose type is still not identified after the last classifier $SVM_n$ is classed as an unknown attack type and needs manual judgement of whether it is a new network attack that is not in the attack type set.
Step 5: Determine the network attack detection model, test its accuracy with the test set, and calculate the accuracy rate. Successfully identified attack behavior is used as training data to keep optimizing the model and improve accuracy.
Step 5.1: Accuracy is a very important index for evaluating attack behavior classification, so first calculate the recognition accuracy C of the network attack detection model:
where $N_{normal}$ is the number of normal behaviors detected, $n_i$ is the number of detections of a given kind of network attack, m is the number of kinds of network attack, and n is the total size of the test set.
Step 5.2: Use the network attack detection model to discover attack behavior, and label the correctly classified data and put them into the training set to improve the model's recognition accuracy.
In summary, the invention addresses the problem that the feature vector dimension is too high in network attack detection, which lowers recognition accuracy, and proposes a network attack analysis method based on a deep belief network and SVM. The deep belief network reduces the dimension of the original high-dimensional attack behavior feature data and, through learning, extracts attack behavior feature vectors that are more expressive, more universal and better for classification, which are then classified and identified with SVM.
The above is only a preferred embodiment of the invention. It should be noted that a person of ordinary skill in the art may make several improvements and variations without departing from the technical principles of the invention, and these improvements and variations shall also be regarded as falling within the scope of protection of the invention.

Claims (10)

1. A network attack detection method based on a deep belief network and SVM, characterized by comprising:
Step 1: Construct the network attack behavior feature vector;
Step 2: Determine the model training set and test set, label the data, distinguish normal behavior from attack behavior, and classify the attack behavior;
Step 3: Build the deep belief network model, train it layer by layer to extract attack behavior features, and calculate the error until convergence, then fine-tune the model weights to obtain the feature vector;
Step 4: Using the extracted feature vector as the input parameter, select a suitable SVM classifier for training, classify the network attack behavior, and construct the network attack detection model;
Step 5: Build the attack analysis model, test the model accuracy with the test set, calculate the accuracy rate, false positive rate and false negative rate, and use the identified attack behavior as training data for optimization.
2. The network attack detection method based on a deep belief network and SVM as described in claim 1, characterized in that step 1 includes:
The attack behavior characteristic attributes are a set of quantitative analysis data used to describe the current network attack behavior; the feature data collected from sensors form a one-dimensional vector, giving the attack behavior feature vector,
For the i-th attack behavior, the feature vector collected at time t is denoted $V_i(t)$:
$V_i(t) = \{a_1, a_2, a_3, \ldots, a_n\}$;
where $a_n$ is the value of the n-th attribute of the i-th attack behavior at time t.
3. The network attack detection method based on a deep belief network and SVM as described in claim 1, characterized in that, in step 1, if the attack targets the Windows operating system, the collected feature data include system file deletion, system file renaming, system file creation, temporary file creation, file execution, file modification, registry entry deletion, service deletion, execution mode change, registration operation, service registration, BHO addition, process creation, process termination, process search, DLL code injection, thread creation, port opening, port binding, network connection establishment, network connection disconnection, data sending, data receiving, source IP, destination IP, source port, destination port, URL type, content type, behavior action type, number of network traffic packets and packet length.
4. The network attack detection method based on a deep belief network and SVM as described in claim 1, characterized in that step 2 specifically includes:
Step 2.1: Divide the collected feature vectors $V_i(t)$ into two parts, labelled and unlabelled, $\{S_1, S_2\}$; labelled data are attack data for which the kind of attack behavior can be determined, and the labelled data $S_2$ are:
$V_i(t) \in \{P_1, P_2, P_3, \ldots, P_n\}$;
where $P_n$ indicates that the i-th attack event belongs to the n-th type of network attack; the remaining data are the unlabelled data $S_1$;
Step 2.2: Build the training set Training Set $= \{S_1 + S_{21}\}$, where $S_1$ is the unlabelled training data and $S_{21}$ is labelled data: a% of the labelled data are selected from $S_2$ and applied to the weight fine-tuning process of the BP feedback algorithm, so $S_{21} = a\% \cdot S_2$;
Step 2.3: Construct the test set Test Set $= \{S_{22}\}$; the test set is used to test the model's recognition accuracy, all of its data are labelled, and the remaining data of $S_2$ serve as $S_{22}$;
Step 2.4: Normalize the data of the training set and test set so that:
$S_1, S_2 \in (0, 1)$.
5. The network attack detection method based on a deep belief network and SVM as described in claim 1, characterized in that a% is 30%.
6. The network attack detection method based on a deep belief network and SVM according to claim 1, characterized in that step 3 includes:
Step 3.1: construct the deep belief network architecture:
A network model composed of 3 hidden layers is used, and each RBM layer is trained in turn, including RBM_1, RBM_2 and RBM_3; where V is the output-layer neuron, h_n is the n-th hidden layer, and W is the weight;
Step 3.2: using the training set Training Set, train the first RBM layer and calculate the state of each neuron; each neuron has two states, activated or inhibited:
where Pstate is the neuron state and α is the probability threshold that decides whether the neuron is activated. In the deep belief network, the threshold α is drawn randomly from the uniform distribution on (0, 1). Calculate the hidden-neuron activation probability:
Calculate the visible-layer neuron activation probability:
where W_ij is the connection weight between neuron i and neuron j, b_j is the bias of visible-layer neuron j, and c_i is the bias of hidden-layer neuron i;
According to the activation probabilities of the visible-layer neurons and the hidden neurons, update the weights, the visible-layer neuron biases and the hidden-neuron biases:
c_i = c_i + p(h_i = 1 | v^0) - p(h_i = 1 | v^k);
where v_j^k is the value of the j-th neuron at the k-th iteration. Calculate the error of this round of RBM layer training:
When Δv is less than a certain threshold, the training of this RBM layer is considered to have converged; otherwise, step 3.2 is performed again to continue training this RBM layer;
Step 3.3: take the output data of the RBM_1 layer as the input data of the next RBM layer and train it according to step 3.2, until the training of all RBM layers is complete;
Step 3.4: using the S_21 data in the training set Training Set, fine-tune the weights. The weight adjustment has two parts: adjusting the output-layer weights and adjusting the hidden-layer weights. The output-layer weights directly affect the output of the deep belief network, so the output-layer weights are adjusted first:
w_ji = w_ji - η x_ji y_i (1 - y_i)(y_i - d_i);
where w_ji is the output-layer weight, x_ji is the input value of the output-layer neuron, y_i is the output of the output-layer neuron, d_i is the desired output, and η is the learning rate;
Adjusting the hidden-layer neuron weights includes:
where W_kj is the hidden-layer weight, y'_j is the output of the hidden-layer neuron, and x_kj is the input of the hidden-layer neuron.
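The RBM layer training loop of step 3.2, as an added Python example that is not the patent's own code. Only the c_i update appears on the page; the weight and visible-bias updates follow standard one-step contrastive divergence, and the learning rate, the mean-squared reconstruction error used for Δv, the function names and the sample rows are assumptions.

```python
import math
import random

def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))

def p_hidden(v, W, c):  # p(h_i = 1 | v) for each hidden neuron i
    return [sigmoid(c[i] + sum(W[i][j] * v[j] for j in range(len(v)))) for i in range(len(c))]

def p_visible(h, W, b):  # p(v_j = 1 | h) for each visible neuron j
    return [sigmoid(b[j] + sum(W[i][j] * h[i] for i in range(len(h)))) for j in range(len(b))]

def sample(probs, rng):  # activated when the probability exceeds alpha ~ U(0, 1)
    return [1.0 if p > rng.random() else 0.0 for p in probs]

def recon_error(data, W, b, c):
    # Assumed form of delta-v: mean squared gap between v0 and its reconstruction
    total = 0.0
    for v0 in data:
        vk = p_visible(p_hidden(v0, W, c), W, b)
        total += sum((a - r) ** 2 for a, r in zip(v0, vk)) / len(v0)
    return total / len(data)

def train_rbm(data, n_hidden, lr=0.1, threshold=0.02, max_epochs=500, seed=7):
    rng = random.Random(seed)
    n_visible = len(data[0])
    W = [[rng.gauss(0.0, 0.01) for _ in range(n_visible)] for _ in range(n_hidden)]
    b, c = [0.0] * n_visible, [0.0] * n_hidden
    history = [recon_error(data, W, b, c)]
    for _ in range(max_epochs):
        for v0 in data:
            ph0 = p_hidden(v0, W, c)
            vk = sample(p_visible(sample(ph0, rng), W, b), rng)  # one Gibbs step (k = 1)
            phk = p_hidden(vk, W, c)
            for i in range(n_hidden):
                for j in range(n_visible):
                    W[i][j] += lr * (ph0[i] * v0[j] - phk[i] * vk[j])  # standard CD update
                c[i] += lr * (ph0[i] - phk[i])  # the page's c_i update, scaled by lr
            for j in range(n_visible):
                b[j] += lr * (v0[j] - vk[j])
        history.append(recon_error(data, W, b, c))
        if history[-1] < threshold:  # delta-v below threshold: layer has converged
            break
    return W, b, c, history

# Constructed sample: each row is a vector of binary behaviour flags
SAMPLE = [[1, 1, 1, 0, 0, 0, 1, 0], [1, 1, 0, 0, 0, 0, 1, 0],
          [0, 0, 0, 1, 1, 1, 1, 0], [0, 0, 0, 1, 1, 0, 1, 0]]
```

For step 3.3, the `p_hidden` output of a trained layer would serve as the input rows of the next RBM layer.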
7. The network attack detection method based on a deep belief network and SVM according to claim 1, characterized in that the number of RBM layers is three.
8. The network attack detection method based on a deep belief network and SVM according to claim 1, characterized in that step 4 includes:
Step 4.1: pass the network attack feature vectors that have undergone dimensionality reduction and feature extraction to the first SVM classifier as input parameters;
Step 4.2: select different SVM classifiers to distinguish different attack behaviors.
9. The network attack detection method based on a deep belief network and SVM according to claim 1, characterized in that step 5 includes:
Step 5.1: calculate the recognition accuracy C of the network attack detection model:
where N_normal is the number of normal behaviors detected, n_i is the number of detections of a given type of network attack, m is the number of types of intrusion attack, and n is the total size of the test set;
Step 5.2: use the network attack detection model to discover attacks, label the correctly classified data and put them into the training set.
10. The network attack detection method based on a deep belief network and SVM according to claim 7, characterized in that the SVM classifiers specifically include: an SVM classifier that distinguishes normal behavior from attack behavior, and multiple SVM classifiers that identify different attack types.
CN201810832545.7A 2018-07-26 2018-07-26 Network attack detection method based on deep belief network and SVM Active CN109194612B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810832545.7A CN109194612B (en) 2018-07-26 2018-07-26 Network attack detection method based on deep belief network and SVM

Publications (2)

Publication Number Publication Date
CN109194612A (en) 2019-01-11
CN109194612B (en) 2021-05-18

Family

ID=64937508

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810832545.7A Active CN109194612B (en) 2018-07-26 2018-07-26 Network attack detection method based on deep belief network and SVM

Country Status (1)

Country Link
CN (1) CN109194612B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110267964A1 (en) * 2008-12-31 2011-11-03 Telecom Italia S.P.A. Anomaly detection for packet-based networks
CN105956473A (en) * 2016-05-15 2016-09-21 广东技术师范学院 Malicious code detection method based on SDN (Software Defined Networking)
CN106131027A (en) * 2016-07-19 2016-11-16 北京工业大学 A kind of exception flow of network based on software defined network detection system of defense
CN107104951A (en) * 2017-03-29 2017-08-29 国家电网公司 The detection method and device of Attack Source
CN107454039A (en) * 2016-05-31 2017-12-08 北京京东尚科信息技术有限公司 The method of network attack detection system and detection network attack
CN107911346A (en) * 2017-10-31 2018-04-13 天津大学 A kind of intrusion detection method based on extreme learning machine

Cited By (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110149280A (en) * 2019-05-27 2019-08-20 中国科学技术大学 Net flow assorted method and apparatus
CN110149280B (en) * 2019-05-27 2020-08-28 中国科学技术大学 Network traffic classification method and device
CN110266675A (en) * 2019-06-12 2019-09-20 成都积微物联集团股份有限公司 A kind of xss attack automated detection method based on deep learning
CN110636053A (en) * 2019-09-05 2019-12-31 浙江工业大学 Network attack detection method based on local mean decomposition and support vector machine
CN110636053B (en) * 2019-09-05 2021-08-03 浙江工业大学 Network attack detection method based on local mean decomposition and support vector machine
CN110889111A (en) * 2019-10-23 2020-03-17 广东工业大学 Power grid virtual data injection attack detection method based on deep belief network
CN111049828B (en) * 2019-12-13 2021-05-07 国网浙江省电力有限公司信息通信分公司 Network attack detection and response method and system
CN111049828A (en) * 2019-12-13 2020-04-21 国网浙江省电力有限公司信息通信分公司 Network attack detection and response method and system
CN111083151A (en) * 2019-12-23 2020-04-28 深圳供电局有限公司 Attack identification method based on deep belief network and wind power management system
CN111083151B (en) * 2019-12-23 2021-05-25 深圳供电局有限公司 Attack identification method based on deep belief network and wind power management system
CN111144279A (en) * 2019-12-25 2020-05-12 苏州奥易克斯汽车电子有限公司 Method for identifying obstacle in intelligent auxiliary driving
CN113132291B (en) * 2019-12-30 2022-02-18 中国科学院沈阳自动化研究所 Heterogeneous terminal feature generation and identification method based on network traffic at edge side
CN113132291A (en) * 2019-12-30 2021-07-16 中国科学院沈阳自动化研究所 Heterogeneous terminal feature generation and identification method based on network traffic at edge side
CN111343147A (en) * 2020-02-05 2020-06-26 北京中科研究院 Network attack detection device and method based on deep learning
CN111507385A (en) * 2020-04-08 2020-08-07 中国农业科学院农业信息研究所 Extensible network attack behavior classification method
CN111507385B (en) * 2020-04-08 2023-04-28 中国农业科学院农业信息研究所 Extensible network attack behavior classification method
CN112134873A (en) * 2020-09-18 2020-12-25 国网山东省电力公司青岛供电公司 IoT network abnormal flow real-time detection method and system
CN114095260A (en) * 2021-11-22 2022-02-25 广东电网有限责任公司 Method, device and equipment for detecting abnormal flow of power grid and computer medium
CN115189939A (en) * 2022-07-08 2022-10-14 国网甘肃省电力公司信息通信公司 HMM model-based power grid network intrusion detection method and system
CN117688558A (en) * 2024-02-01 2024-03-12 杭州海康威视数字技术股份有限公司 Terminal attack lightweight detection method and device based on microstructure abnormal event
CN117688558B (en) * 2024-02-01 2024-05-07 杭州海康威视数字技术股份有限公司 Terminal attack lightweight detection method and device based on microstructure abnormal event

Also Published As

Publication number Publication date
CN109194612B (en) 2021-05-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant