CN111343147A - Network attack detection device and method based on deep learning - Google Patents


Info

Publication number: CN111343147A
Authority: CN (China)
Prior art keywords: flow, module, probability, reconstruction, known type
Legal status: Granted
Application number: CN202010080797.6A
Other languages: Chinese (zh)
Other versions: CN111343147B (en)
Inventors: 陈双武, 金东�, 杨坚, 张勇东, 刘新民, 王玮
Current assignee: Beijing Zhongke Research Institute; University of Science and Technology of China USTC
Original assignee: Beijing Zhongke Research Institute; University of Science and Technology of China USTC
Application filed by Beijing Zhongke Research Institute and University of Science and Technology of China USTC; priority to CN202010080797.6A; published as CN111343147A; application granted and published as CN111343147B; current legal status: Active.

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
            • H04L 41/14 Network analysis or design
              • H04L 41/142 Network analysis or design using statistical or mathematical methods
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
              • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                • H04L 63/1416 Event detection, e.g. attack signature detection
                • H04L 63/1425 Traffic logging, e.g. anomaly detection
            • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F 18/00 Pattern recognition
            • G06F 18/20 Analysing
              • G06F 18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
                • G06F 18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
              • G06F 18/24 Classification techniques
                • G06F 18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
        • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
          • G06N 3/00 Computing arrangements based on biological models
            • G06N 3/02 Neural networks
              • G06N 3/04 Architecture, e.g. interconnection topology
                • G06N 3/045 Combinations of networks
              • G06N 3/08 Learning methods

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Artificial Intelligence (AREA)
  • Evolutionary Computation (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Mathematical Physics (AREA)
  • Computational Linguistics (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • General Health & Medical Sciences (AREA)
  • Molecular Biology (AREA)
  • Biomedical Technology (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Biophysics (AREA)
  • Evolutionary Biology (AREA)
  • Pure & Applied Mathematics (AREA)
  • Probability & Statistics with Applications (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Analysis (AREA)
  • Algebra (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network attack detection device and method based on deep learning. After extracting more discriminative expression features from the traffic to be tested, the device classifies known traffic, reconstructs the expression features to obtain reconstruction features, and detects unknown attack traffic according to the size of the reconstruction error between the reconstruction features and the expression features, thereby achieving both classification of known traffic and detection of unknown attacks.

Description

Network attack detection device and method based on deep learning
Technical Field
The invention relates to the field of network security, in particular to a network attack detection device and method based on deep learning.
Background
With the rapid development of the internet, new network attacks emerge continually, and attacks aimed at novel network protocols and network system architectures seriously disrupt the normal operation of communication systems. Conventional network security detection devices rely on static attack features (e.g., IP blacklists) or dynamic attack features (e.g., feature strings) to detect attack behavior in the network. Such detection methods depend on known attack signatures, which typically have to be extracted by hand, rely on expertise and experience, require a significant amount of time and manpower, and cannot respond effectively and promptly to unknown attacks.
Network attack detection based on deep learning can extract traffic features automatically and is a novel security detection approach that has been widely researched in recent years. It can be divided into two main families: unsupervised learning and supervised learning. Unsupervised methods can detect unknown network attacks to a certain extent, but cannot classify the known network attacks they detect. Supervised methods model normal traffic and known attack-type traffic as training data, so that when the model detects traffic it can also identify the traffic's type.
In summary, most existing deep-learning-based network attack detection methods cannot both classify known-type traffic (including the normal traffic type and the known attack types) and detect unknown attack traffic, and therefore have certain limitations.
Disclosure of Invention
The invention aims to provide a network attack detection device and method based on deep learning that can classify known-type traffic and detect unknown attack traffic.
The purpose of the invention is achieved by the following technical scheme:
a network attack detection device based on deep learning comprises a deep learning network attack detection module, which in turn comprises a feature extraction module, a known type classification module, a reconstruction module, an extreme value analysis module and a decision module; wherein:
the feature extraction module extracts expression features from the traffic to be detected;
the known type classification module evaluates, from the expression features, the probability that the traffic to be detected is of a certain known type;
the reconstruction module reconstructs the expression features to obtain reconstruction features;
the extreme value analysis module evaluates the probability that the traffic to be detected is an unknown attack according to the reconstruction error between the reconstruction features and the expression features;
and the decision module predicts the type of the traffic to be detected from the probability that it is of a certain known type and the probability that it is an unknown attack.
According to the technical scheme provided by the invention, after more discriminative expression features are extracted from the traffic to be tested, known traffic is classified, the expression features are reconstructed to obtain reconstruction features, and unknown attack traffic is detected according to the size of the reconstruction error between the reconstruction features and the expression features, so that known traffic is classified and unknown attacks are detected.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on the drawings without creative efforts.
Fig. 1 is a schematic diagram of a network attack detection apparatus based on deep learning according to an embodiment of the present invention;
Fig. 2 is a frame diagram of the deep learning network attack detection module according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of the training and testing phases provided by an embodiment of the present invention;
Fig. 4 is a flowchart of a network attack detection method based on deep learning according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.
Traditional network attack detection methods rely on professional knowledge and experience, have low detection accuracy, and cannot respond effectively and promptly to unknown attacks. Existing deep-learning-based methods classify known traffic with high accuracy but detect unknown attacks with low accuracy, and cannot perform both functions, classifying known-type traffic and detecting unknown attack traffic, at the same time, which limits their practical application.
In view of this, embodiments of the present invention provide a network attack detection apparatus based on deep learning. After more discriminative expression features are extracted from the traffic to be tested by the convolutional layers of a convolutional neural network, known traffic is classified by the fully connected layers of the same network, reconstruction features are obtained by an autoencoder, and unknown attack traffic is detected according to the size of the reconstruction error between the reconstruction features and the expression features, thereby achieving both classification of known traffic and detection of unknown attacks. In addition, the invention uses the Weibull distribution to calculate the probability that the detected traffic belongs to an unknown attack, which improves the accuracy of unknown attack detection.
As shown in Fig. 1, the network attack detection apparatus based on deep learning according to an embodiment of the present invention mainly comprises a deep learning network attack detection module; as shown in Fig. 2, the deep learning network attack detection module mainly comprises a feature extraction module, a known type classification module, a reconstruction module, an extreme value analysis module and a decision module; wherein:
the feature extraction module extracts expression features from the traffic to be detected;
the known type classification module evaluates, from the expression features, the probability that the traffic to be detected is of a certain known type;
the reconstruction module reconstructs the expression features to obtain reconstruction features;
the extreme value analysis module evaluates the probability that the traffic to be detected is an unknown attack according to the reconstruction error between the reconstruction features and the expression features;
and the decision module predicts the type of the traffic to be detected from the probability that it is of a certain known type and the probability that it is an unknown attack.
As shown in Fig. 1, the apparatus further comprises a traffic extraction module and a traffic preprocessing module;
the traffic extraction module acquires raw traffic from the network;
the traffic preprocessing module divides the raw traffic into separate flows to be tested according to the five-tuple; the five-tuple comprises the source IP, destination IP, source port, destination port and protocol number;
and the first d bytes of each flow to be tested, as divided by the traffic preprocessing module, are used as the input of the deep learning network attack detection module. Because a convolutional neural network needs all of its inputs to have a uniform size while flows differ in size, in the embodiment of the present invention each flow is represented by its first d bytes; these first d bytes contain all the contents of the five-tuple, and the specific value of d can be set according to the actual situation.
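The five-tuple flow splitting and first-d-byte truncation described above, as an added Python example that is not part of the patent. The packets are constructed IPv4/TCP records built inline (no pcap parsing), and zero-padding of flows shorter than d bytes is an assumption the text does not state.

```python
"""Traffic preprocessing: split raw IPv4 packets into flows by five-tuple and
keep the first d bytes of each flow. Added example, not the patent's code;
packets are constructed inline and zero-padding of short flows is an assumption."""
import struct
from collections import OrderedDict
from typing import List, Optional, Tuple

# (source IP, destination IP, source port, destination port, protocol number)
FiveTuple = Tuple[str, str, int, int, int]


def parse_five_tuple(raw: bytes) -> Optional[FiveTuple]:
    """Read the five-tuple from a raw IPv4 packet (no link-layer header).
    Returns None for anything that is not IPv4 TCP/UDP with a complete header."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = raw[9]                     # protocol number (6 = TCP, 17 = UDP)
    src_ip = ".".join(str(b) for b in raw[12:16])
    dst_ip = ".".join(str(b) for b in raw[16:20])
    if proto not in (6, 17) or len(raw) < ihl + 4:
        return None
    src_port, dst_port = struct.unpack("!HH", raw[ihl:ihl + 4])
    return (src_ip, dst_ip, src_port, dst_port, proto)


def split_flows(packets: List[bytes]) -> "OrderedDict[FiveTuple, bytes]":
    """Group packets by five-tuple, concatenating raw bytes in capture order.
    Headers stay in the byte stream, so the first d bytes of every flow
    contain the five-tuple, as the description requires."""
    flows: "OrderedDict[FiveTuple, bytes]" = OrderedDict()
    for raw in packets:
        key = parse_five_tuple(raw)
        if key is None:
            continue                   # cannot be keyed by five-tuple; skipped
        flows[key] = flows.get(key, b"") + raw
    return flows


def first_d_bytes(flow: bytes, d: int) -> bytes:
    """Uniform-size CNN input: truncate to d bytes, zero-pad if shorter (assumption)."""
    return flow[:d].ljust(d, b"\x00")


def preprocess(packets: List[bytes], d: int) -> List[Tuple[FiveTuple, bytes]]:
    return [(key, first_d_bytes(flow, d)) for key, flow in split_flows(packets).items()]


def make_ipv4_tcp_packet(src_ip: str, dst_ip: str, src_port: int,
                         dst_port: int, payload: bytes) -> bytes:
    """Build a minimal IPv4+TCP packet (checksums left at 0) for the sample below."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


# Constructed sample capture: two flows, the first one spanning two packets.
SAMPLE_PACKETS = [
    make_ipv4_tcp_packet("10.0.0.1", "10.0.0.2", 40000, 80, b"GET / HTTP/1.1\r\n"),
    make_ipv4_tcp_packet("10.0.0.3", "10.0.0.2", 40001, 80, b"GET /index.html HTTP/1.1\r\n"),
    make_ipv4_tcp_packet("10.0.0.1", "10.0.0.2", 40000, 80, b"Host: example\r\n\r\n"),
]

if __name__ == "__main__":
    for key, data in preprocess(SAMPLE_PACKETS, d=64):
        print(key, len(data), data[:20].hex())
```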
In the embodiment of the present invention, the deep learning network attack detection module needs to be trained, and as shown in Fig. 3 the training phase mainly comprises the following three parts:
1. Training the parameters of the feature extraction module and the known type classification module.
As shown in fig. 2, the feature extraction module and the known type classification module are respectively implemented by a convolutional layer and a fully connected layer of a convolutional neural network.
The training set (containing only the normal traffic type and known attack types) can be modeled as $(x, y) = \{(x_1, y_1), (x_2, y_2), \dots, (x_N, y_N)\}$. The input of the feature extraction module is $x_i \in \mathbb{R}^d$, the first d bytes of the i-th flow; $y_i \in \{1, 2, \dots, K\}$ is the label corresponding to $x_i$; N is the number of training samples and K is the number of types.
The feature extraction module outputs the discriminative expression feature $z_i$, from which the known type classification module obtains a normalized output vector [equation image], where [equation image] denotes the probability that $x_i$ belongs to known type j; $j = 1, 2, \dots, K$ is the index of a known type. Known types include the normal traffic type and the various known attack types.
It can be understood that, in order to distinguish the types, the convolutional neural network is trained on the raw input x to obtain a more discriminative expression feature; the expression feature z is obtained by a functional transformation of the raw input x, $z = F(x)$, and the training process is precisely the search for the optimal form of the function F.
The feature extraction module and the known type classification module can be modeled as a function [equation image] $x \to z$ and a function [equation image] respectively; it is obvious that [equation image] can be expressed as [equation image].
The parameters of the feature extraction module and of the known type classification module are trained simultaneously by stochastic gradient descent, with the cross-entropy loss function shown in the following formula:
[equation image]
In the above formula, M is the number of training samples per batch, that is, the N training samples are divided into several batches of M samples each; [equation image] is the one-hot encoding of the label $y_i$, a vector with exactly one element equal to 1 and all other elements 0, where the position of the 1 indicates the true type of the flow; and (j) denotes the index, i.e. [equation image](j) is the j-th element of [equation image].
2. Training the parameters of the reconstruction module.
In the embodiment of the invention, the reconstruction module is implemented by an autoencoder. For each input $x_i$, the trained feature extraction module yields the corresponding expression feature [equation image]. The reconstruction module uses the expression feature $z_i$ to generate the reconstruction feature [equation image], and can be expressed as a function [equation image].
In the embodiment of the invention, the parameters of the reconstruction module are trained by stochastic gradient descent, with the squared-error loss function shown in the following formula:
[equation image]
In the above formula, M has the same meaning as in the cross-entropy loss above.
3. Training the parameters of the extreme value fitting module.
The reconstruction module reconstructs the expression features of unknown traffic worse than those of known traffic, that is, the reconstruction error of unknown attack traffic is larger than that of known traffic.
The extreme value fitting module evaluates the probability that the traffic to be tested is an unknown attack based on the Weibull distribution, which is a probability distribution model from extreme value theory; its probability distribution function is as follows:
[equation image]
When training the parameters of the extreme value fitting module, the reconstruction errors $e = (e_1, e_2, \dots, e_N)$ of all known flows are first calculated according to the following formula:
[equation image]
All reconstruction errors are sorted from small to large, and η of them (η < N; η is a hyper-parameter, generally η = 0.1N) are selected from the top of the sorted sequence; these reconstruction errors are used to analyze the boundary between unknown attacks and known types.
For these η reconstruction errors, the parameters (m, τ, σ) are obtained by the maximum likelihood method, where m (m > 0), τ (τ < x) and σ (σ > 0) are the shape, location and scale parameters respectively.
For the traffic to be tested, the reconstruction error e' is substituted into the $P_{EVT}(x)$ equation; the result $P_{EVT}(e')$ is the probability that the traffic to be tested is an unknown attack, and the larger the reconstruction error e', the larger $P_{EVT}(e')$.
After training is complete, any traffic x' to be detected can be classified by the deep learning network attack detection module according to the method introduced above. The traffic to be detected may be normal traffic, known attack traffic or unknown attack traffic. The first d bytes of the traffic to be detected are input into the trained deep learning network attack detection module, and the feature extraction module outputs the corresponding expression feature z'. On one hand, the known type classification module uses the expression feature z' to output a normalized output vector [equation image], $y' \in \{1, 2, \dots, K\}$, where [equation image] contains the probability that the traffic to be detected belongs to each category; on the other hand, the reconstruction module uses the expression feature z' to obtain the reconstruction feature [equation image]. The extreme value module obtains $P_{EVT}(e')$ from the reconstruction error e' between the expression feature z' and the reconstruction feature [equation image]. Finally, the decision module obtains the final predicted type from [equation image] and $P_{EVT}(e')$.
As shown in Fig. 3, the decision process of the decision module can be expressed as follows:
1) The probability that the traffic to be tested is of a known type is recorded as [equation image]; the calculation is expressed as:
[equation image]
[equation image]
The first expression selects the known type $y^*$ whose index j corresponds to the maximum probability, j being the index of a known type; the second expression keeps the probability that the traffic to be tested is of the known type $y^*$, and [equation image] reflects how likely it is that the traffic to be tested belongs to type $y^*$.
2) Using the probabilities [equation image] and $P_{EVT}(e')$, update the probability $p_u$ that the traffic to be tested belongs to an unknown attack:
[equation image]
3) Decide the type of the traffic to be tested:
[equation image]
[equation image]
where $y^*$ denotes a known type, α is a hyper-parameter, and [equation image] is the final predicted type: if [equation image], then [equation image] is known traffic of type $y^*$; if [equation image], then [equation image] is an unknown attack.
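The extreme value fitting (part 3 of training) and the decision process above, together with the testing stage of the worked example further below, as an added Python example that is not the patent's code. It assumes that the η errors fitted are the η largest (the tail), that $P_{EVT}$ is the standard Weibull CDF with the location τ fixed at 0 so that only m and σ are estimated, and that the $p_u$ update and the α comparison in the code are stand-ins for the patent's equations, which the page does not reproduce.

```python
"""Extreme value fitting and decision following the patent's description:
fit a Weibull to eta reconstruction errors of known flows, map a new flow's
reconstruction error e' to P_EVT(e'), and decide known type y* vs unknown
(label K+1). Added example, not the patent's code. Assumptions: the eta errors
used are the eta largest (the tail); P_EVT is the standard Weibull CDF with
location tau fixed at 0 (so only m and sigma are fitted); the p_u update and
the alpha rule stand in for the patent's equations, which are not on the page."""
import math
from typing import List, Tuple


def select_tail(errors: List[float], eta: int) -> List[float]:
    """Sort errors from small to large and keep the eta largest (assumption)."""
    if not 0 < eta < len(errors):
        raise ValueError("eta must satisfy 0 < eta < N")
    return sorted(errors)[-eta:]


def _profile_loglik(m: float, x: List[float]) -> float:
    """Weibull log-likelihood in the shape m, with the scale at its MLE for that m."""
    n = len(x)
    mean_pow = sum(v ** m for v in x) / n
    return n * math.log(m) - n * math.log(mean_pow) + (m - 1) * sum(math.log(v) for v in x) - n


def fit_weibull(tail: List[float], tau: float = 0.0) -> Tuple[float, float, float]:
    """Maximum-likelihood (m, tau, sigma) with tau fixed; golden-section search on m."""
    x = [v - tau for v in tail]
    if min(x) <= 0:
        raise ValueError("location tau must lie below every error")
    lo, hi = 0.05, 50.0
    phi = (math.sqrt(5) - 1) / 2
    a, b = hi - phi * (hi - lo), lo + phi * (hi - lo)
    fa, fb = _profile_loglik(a, x), _profile_loglik(b, x)
    for _ in range(120):
        if fa > fb:                    # maximum lies in [lo, b]
            hi, b, fb = b, a, fa
            a = hi - phi * (hi - lo)
            fa = _profile_loglik(a, x)
        else:                          # maximum lies in [a, hi]
            lo, a, fa = a, b, fb
            b = lo + phi * (hi - lo)
            fb = _profile_loglik(b, x)
    m = (lo + hi) / 2
    sigma = (sum(v ** m for v in x) / len(x)) ** (1 / m)
    return m, tau, sigma


def p_evt(e: float, m: float, tau: float, sigma: float) -> float:
    """Weibull CDF: probability that reconstruction error e marks an unknown attack."""
    if e <= tau:
        return 0.0
    return 1.0 - math.exp(-(((e - tau) / sigma) ** m))


def decide(p_hat: List[float], e: float, params: Tuple[float, float, float],
           alpha: float) -> Tuple[int, float, float]:
    """Return (predicted label, p_hat_y*, p_u). Labels 1..K are known types and
    K+1 is the unknown-attack label (the page's example uses K = 10, 11 = unknown)."""
    k = len(p_hat)
    y_star = max(range(k), key=lambda j: p_hat[j]) + 1   # argmax over known types
    p_star = p_hat[y_star - 1]
    p_u = p_evt(e, *params) * (1.0 - p_star)              # assumed update of p_u
    if p_u > alpha * p_star:                              # assumed decision rule
        return k + 1, p_star, p_u
    return y_star, p_star, p_u


# Constructed reconstruction errors of N = 50 known training flows.
KNOWN_ERRORS = [0.5 + 0.04 * i for i in range(50)]


def run_demo() -> Tuple[Tuple[float, float, float], int, int]:
    eta = int(0.1 * len(KNOWN_ERRORS))                   # eta = 0.1 N, as in the text
    params = fit_weibull(select_tail(KNOWN_ERRORS, eta))
    known, _, _ = decide([0.05, 0.90, 0.05], 1.0, params, alpha=0.5)   # small error
    unknown, _, _ = decide([0.50, 0.30, 0.20], 4.0, params, alpha=0.5) # large error
    return params, known, unknown


if __name__ == "__main__":
    print(run_demo())
```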
For ease of understanding, the following description is made with reference to examples.
As shown in Table 1, the data set contains known traffic types and unknown attack types, where the known traffic types include the normal traffic type and known attack types.
[Table 1 image not reproduced]
TABLE 1 Data set
1. Data set preprocessing
The training set consists of 80% of the known-type traffic, and the test set consists of the remaining 20% of the known-type traffic plus all unknown attack types. As shown in Table 1, the traffic types are labeled and there are 10 known types, so in this solution K = 10; since unknown attacks must be detectable during testing, the label value of the unknown type is set to 11.
2. Training stage.
1) Train on the training data set to obtain the parameters of the feature extraction module and the known type classification module;
2) train the parameters of the reconstruction module on the training data set;
3) using the training data set as input, calculate the reconstruction errors $e = (e_1, e_2, \dots, e_N)$ of all training samples, sort them from small to large, and take η reconstruction errors to fit the parameters of the extreme value module.
3. Testing stage.
1) For each flow under test, the known type classification module predicts the known type $y^*$ to which it belongs and outputs the probability that this prediction is correct, [equation image];
2) the extreme value module outputs $P_{EVT}(e')$, and the probability of belonging to an unknown attack is calculated as
[equation image]
[equation image]
the size of the hyper-parameter α is adjusted according to the test results;
3) compare $p_u$ and [equation image]: if [equation image], the flow under test is of known type $y^*$; otherwise it is an unknown attack type.
Another embodiment of the present invention further provides a network attack detection method based on deep learning, which can be implemented with the apparatus of the foregoing embodiment and, as shown in Fig. 4, mainly comprises the following steps:
extracting expression features from the traffic to be detected;
estimating, from the expression features, the probability that the traffic to be detected is of a certain known type;
reconstructing the expression features to obtain reconstruction features;
estimating the probability that the traffic to be detected is an unknown attack according to the reconstruction error between the reconstruction features and the expression features;
and predicting the type of the traffic to be detected from the probability that it is of a certain known type and the probability that it is an unknown attack.
Further, the method further comprises:
acquiring raw traffic from the network;
dividing the raw traffic into separate flows to be tested according to the five-tuple; the five-tuple comprises the source IP, destination IP, source port, destination port and protocol number;
and using the first d bytes of each divided flow to be tested as the input for extracting expression features.
Further, extracting expression features and estimating from them the probability that the traffic to be detected is of a certain known type are implemented by the convolutional layers and the fully connected layers of a convolutional neural network respectively; the convolutional layers serve as the feature extraction module and the fully connected layers as the known type classification module;
the training samples are $(x, y) = \{(x_1, y_1), (x_2, y_2), \dots, (x_N, y_N)\}$; the input of the feature extraction module is $x_i \in \mathbb{R}^d$, the first d bytes of the i-th flow; $y_i \in \{1, 2, \dots, K\}$ is the label corresponding to $x_i$; N is the number of training samples and K is the number of types;
the feature extraction module outputs the expression feature $z_i$, from which the known type classification module obtains a normalized output vector [equation image], where [equation image] denotes the probability that $x_i$ belongs to known type j, $j = 1, 2, \dots, K$; known types include the normal traffic type and the various known attack types;
the parameters of the feature extraction module and of the known type classification module are trained simultaneously by stochastic gradient descent, with the cross-entropy loss function shown in the following formula:
[equation image]
in the above formula, M is the number of training samples per batch, that is, the N training samples are divided into several batches of M samples each; [equation image] is the one-hot encoding of the label $y_i$, a vector with exactly one element equal to 1 and all other elements 0, where the position of the 1 indicates the true type of the flow; and (j) denotes the index, i.e. [equation image](j) is the j-th element of [equation image].
Further, the reconstruction of the expression features is implemented by a reconstruction module composed of an autoencoder; the reconstruction module uses the expression feature $z_i$ to generate the reconstruction feature [equation image]. The parameters of the reconstruction module are trained by stochastic gradient descent, with the squared-error loss function shown in the following formula:
[equation image]
in the above formula, M has the same meaning as in the cross-entropy loss above;
estimating the probability that the traffic to be tested is an unknown attack from the reconstruction error between the reconstruction feature and the expression feature is implemented by an extreme value fitting module, which estimates this probability based on the Weibull distribution, a probability distribution model from extreme value theory, whose probability distribution function is as follows:
[equation image]
when training the parameters of the extreme value fitting module, the reconstruction errors $e = (e_1, e_2, \dots, e_N)$ of all known flows are first calculated according to the following formula:
[equation image]
all reconstruction errors are sorted from small to large, and η reconstruction errors at the top of the sorted sequence are selected;
for these η reconstruction errors, the parameters (m, τ, σ) are obtained by the maximum likelihood method, where m, τ and σ are the shape, location and scale parameters respectively;
for the traffic to be tested, the reconstruction error e' is substituted into the $P_{EVT}(x)$ equation; the result $P_{EVT}(e')$ is the probability that the traffic to be tested is an unknown attack, and the larger the reconstruction error e', the larger $P_{EVT}(e')$.
Further, predicting the type of the traffic to be tested from the probability that it is of a certain known type and the probability that it is an unknown attack comprises:
recording the probability that the traffic to be tested is of a known type as [equation image] and the probability that it is an unknown attack as $P_{EVT}(e')$;
using the probabilities [equation image] and $P_{EVT}(e')$ to update the probability $p_u$ that the traffic to be tested belongs to an unknown attack:
[equation image]
and deciding the type of the traffic to be tested:
[equation image]
[equation image]
where $y^*$ denotes a known type and α is a hyper-parameter.
Through the above description of the embodiments, it is clear to those skilled in the art that the above embodiments can be implemented by software, and can also be implemented by software plus a necessary general hardware platform. With this understanding, the technical solutions of the embodiments can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which can be a CD-ROM, a usb disk, a removable hard disk, etc.), and includes several instructions for enabling a computer device (which can be a personal computer, a server, or a network device, etc.) to execute the methods according to the embodiments of the present invention.
It will be clear to those skilled in the art that, for convenience and simplicity of description, the foregoing division of the functional modules is merely used as an example, and in practical applications, the above function distribution may be performed by different functional modules according to needs, that is, the internal structure of the system is divided into different functional modules to perform all or part of the above described functions.
The above description is only for the preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A network attack detection device based on deep learning is characterized by comprising: a deep learning network attack detection module, the deep learning network attack detection module comprising: the system comprises a feature extraction module, a known type classification module, a reconstruction module, an extreme value analysis module and a decision module; wherein:
the feature extraction module is used for extracting expression features from the flow to be detected;
the known type classification module is used for evaluating the probability that the flow to be detected is of a certain known type according to the expression characteristics;
the reconstruction module is used for reconstructing the expression characteristics to obtain reconstruction characteristics;
the extreme value analysis module is used for evaluating the probability that the flow to be detected is unknown attack according to the reconstruction error between the reconstruction characteristic and the expression characteristic;
and the decision module is used for predicting the type of the flow to be detected according to the probability that the flow to be detected is of a certain known type and the probability that the flow to be detected is of unknown attack.
2. The deep learning-based network attack detection device according to claim 1, wherein the device further comprises: the flow extraction module and the flow preprocessing module;
the flow extraction module is used for acquiring original flow from a network;
the flow preprocessing module is used for dividing the original flow into different flows to be tested according to quintuple; the quintuple comprises: source IP, destination IP, source port, destination port and protocol number;
and the first d bytes of each flow to be tested, which are divided by the flow preprocessing module, are used as the input of the deep learning network attack detection module.
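Claim 2's flow preprocessing as an added example in Python (not the patent's own code): raw IPv4 packets are keyed by the 5-tuple and the first d bytes of each flow become the model input. The packet builder, the addresses and the payloads are constructed sample data; taking transport payload only, rather than whole packets, is an assumption explained in the comments.

```python
import socket
import struct
from collections import OrderedDict

IPPROTO_TCP, IPPROTO_UDP = 6, 17


def make_packet(src, dst, proto, sport, dport, payload):
    """Build a minimal IPv4 + TCP/UDP packet. Only used to construct sample input;
    checksums are left at zero because nothing here verifies them."""
    if proto == IPPROTO_TCP:
        # 20-byte TCP header: data offset 5 words, flags PSH|ACK, window 8192
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    elif proto == IPPROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:
        raise ValueError("only TCP and UDP are constructed here")
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + l4 + payload


def parse_packet(raw):
    """Return ((src, dst, sport, dport, proto), transport payload) for an IPv4 TCP or
    UDP packet, or None for anything else (non-IPv4, truncated, other protocols)."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    total = struct.unpack("!H", raw[2:4])[0]
    if ihl < 20 or total < ihl or total > len(raw):
        return None
    raw = raw[:total]  # drop link-layer padding beyond the IP total length
    proto = raw[9]
    src, dst = socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20])
    l4 = raw[ihl:]
    if proto == IPPROTO_TCP and len(l4) >= 20:
        sport, dport = struct.unpack("!HH", l4[:4])
        off = (l4[12] >> 4) * 4
        if off < 20 or off > len(l4):
            return None
        payload = l4[off:]
    elif proto == IPPROTO_UDP and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        payload = l4[8:]
    else:
        return None
    return (src, dst, sport, dport, proto), payload


def build_flows(packets, d):
    """Group packets by 5-tuple in arrival order and keep the first d transport-payload
    bytes of each flow, zero-padded to length d, as a tuple of ints in 0..255.
    Headers are deliberately excluded (an assumption): keeping IP addresses and ports
    in the model input lets a classifier memorise the capture's hosts instead of
    learning the attack. Flows are unidirectional, as the claim's 5-tuple keys them."""
    flows = OrderedDict()
    for raw in packets:
        parsed = parse_packet(raw)
        if parsed is None:
            continue
        key, payload = parsed
        buf = flows.setdefault(key, bytearray())
        if len(buf) < d:
            buf.extend(payload[:d - len(buf)])
    return {k: tuple(v) + (0,) * (d - len(v)) for k, v in flows.items()}


# Constructed sample traffic: one HTTP request flow (two packets), its reply flow and
# one UDP flow; addresses and payloads are made up for the example.
SAMPLE_PACKETS = [
    make_packet("10.0.0.5", "10.0.0.9", IPPROTO_TCP, 40001, 80,
                b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    make_packet("10.0.0.9", "10.0.0.5", IPPROTO_TCP, 80, 40001, b"HTTP/1.1 200 OK\r\n"),
    make_packet("10.0.0.5", "10.0.0.9", IPPROTO_TCP, 40001, 80, b"GET /a HTTP/1.1\r\n"),
    make_packet("10.0.0.7", "10.0.0.1", IPPROTO_UDP, 5353, 53, b"\x12\x34\x01\x00"),
]

if __name__ == "__main__":
    for key, vec in build_flows(SAMPLE_PACKETS, 16).items():
        print(key, bytes(vec))
```

Because the claim keys flows on the raw 5-tuple, request and reply land in separate flows (the sample's HTTP request and its 200 OK are two keys); implementations that want one sample per session normalise the tuple so both directions map to the same key, and long-lived flows need a timeout or packet cap so the first d bytes are emitted without waiting for the flow to end.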
3. The deep learning-based network attack detection device according to claim 1, wherein the feature extraction module and the known type classification module are realized by the convolutional layer and the fully connected layer of a convolutional neural network, respectively;
the training samples are (x, y) = {(x_1, y_1), (x_2, y_2), …, (x_N, y_N)}; the input of the feature extraction module, x_i ∈ R^d, is the first d bytes of the i-th flow, and y_i ∈ {1, 2, …, K} is the label corresponding to x_i, where N is the number of training samples and K is the number of types;
the expression feature z_i output by the feature extraction module is passed through the known type classification module to obtain the normalized output vector
Figure FDA0002380243640000011
where
Figure FDA0002380243640000012
is the probability that x_i belongs to the known type j; j = 1, 2, …, K is the sequence number of a known type; the known types include the normal traffic type and the various known attack types;
the parameters of the feature extraction module and of the known type classification module are trained simultaneously by stochastic gradient descent, with the cross-entropy loss function shown below:
Figure FDA0002380243640000021
in the above formula, M is the batch size: the N training samples are divided into several batches of M training samples each;
Figure FDA0002380243640000025
is the one-hot encoding of the label y_i, and
Figure FDA0002380243640000026
is its j-th element.
4. The deep learning-based network attack detection apparatus according to claim 1,
the reconstruction module consists of an autoencoder and uses the expression feature z_i to generate the reconstruction feature
Figure FDA0002380243640000027
the parameters of the reconstruction module are trained by stochastic gradient descent, with the squared error loss function shown below:
Figure FDA0002380243640000022
in the above formula, M is the batch size;
the extreme value fitting module evaluates the probability that the flow to be measured is an unknown attack based on the Weibull distribution, a probability distribution model that obeys extreme value theory, whose distribution function is:
Figure FDA0002380243640000023
when the parameters of the extreme value fitting module are trained, the reconstruction errors e = (e_1, e_2, …, e_N) of all known flows are first calculated by the following formula:
Figure FDA0002380243640000024
all reconstruction errors are sorted in ascending order and the η reconstruction errors at the front of the ordering are selected;
for these η reconstruction errors, the parameters (m, τ, σ) are obtained by the maximum likelihood method, where m, τ and σ are the shape, location and scale parameters respectively;
for the flow to be measured, its reconstruction error e' is substituted into the P_EVT(x) equation; the result P_EVT(e') is the probability that the flow to be measured is an unknown attack, and the larger the reconstruction error e', the larger P_EVT(e').
5. The device according to claim 1, wherein the predicting the type of traffic to be tested according to the probability that the traffic to be tested is a known type and the probability that the traffic to be tested is an unknown attack comprises:
the probability that the flow to be measured is of a known type is denoted as
Figure FDA0002380243640000028
the probability that the flow to be measured is an unknown attack is denoted as P_EVT(e');
using the probabilities
Figure FDA0002380243640000029
and P_EVT(e'), the probability p_u that the traffic to be tested belongs to an unknown attack is calculated and updated:
Figure FDA0002380243640000031
the type of the flow to be measured is then decided as
Figure FDA0002380243640000035
Figure FDA0002380243640000032
where y* denotes a known type and α is a hyperparameter.
6. A network attack detection method based on deep learning is characterized by comprising the following steps:
extracting expression characteristics from the flow to be detected;
estimating the probability that the flow to be detected is of a certain known type according to the expression characteristics;
reconstructing the expression characteristics to obtain reconstructed characteristics;
estimating the probability of unknown attack of the flow to be detected according to the reconstruction error between the reconstruction characteristic and the expression characteristic;
and predicting the type of the flow to be detected according to the probability that the flow to be detected is of a certain known type and the probability that the flow to be detected is of unknown attack.
7. The method for detecting network attacks based on deep learning of claim 6, wherein the method further comprises:
acquiring original flow from a network;
dividing the original flow into different flows to be tested according to quintuple; the quintuple comprises: source IP, destination IP, source port, destination port and protocol number;
and taking the divided first d bytes of each flow to be tested as input to extract expression characteristics.
8. The deep learning-based network attack detection method according to claim 6, wherein
the expression features are extracted, and the probability that the flow to be detected is of a certain known type is evaluated from them, by the convolutional layer and the fully connected layer of a convolutional neural network respectively; the convolutional layer serves as the feature extraction module and the fully connected layer as the known type classification module;
the training samples are (x, y) = {(x_1, y_1), (x_2, y_2), …, (x_N, y_N)}; the input of the feature extraction module, x_i ∈ R^d, is the first d bytes of the i-th flow, and y_i ∈ {1, 2, …, K} is the label corresponding to x_i, where N is the number of training samples and K is the number of types;
the expression feature z_i output by the feature extraction module is passed through the known type classification module to obtain the normalized output vector
Figure FDA0002380243640000033
where
Figure FDA0002380243640000034
is the probability that x_i belongs to the known type j; j = 1, 2, …, K; the known types include the normal traffic type and the various known attack types;
the parameters of the feature extraction module and of the known type classification module are trained simultaneously by stochastic gradient descent, with the cross-entropy loss function shown below:
Figure FDA0002380243640000041
in the above formula, M is the batch size: the N training samples are divided into several batches of M training samples each;
Figure FDA0002380243640000046
is the one-hot encoding of the label y_i, and
Figure FDA0002380243640000047
is its j-th element.
9. The deep learning-based network attack detection method according to claim 6, wherein
reconstructing the expression feature is performed by a reconstruction module, which consists of an autoencoder and uses the expression feature z_i to generate the reconstruction feature
Figure FDA0002380243640000048
the parameters of the reconstruction module are trained by stochastic gradient descent, with the squared error loss function shown below:
Figure FDA0002380243640000042
in the above formula, M is the batch size;
estimating the probability that the flow to be measured is an unknown attack from the reconstruction error between the reconstruction feature and the expression feature is performed by an extreme value fitting module, which evaluates this probability based on the Weibull distribution, a probability distribution model that obeys extreme value theory, whose distribution function is:
Figure FDA0002380243640000043
when the parameters of the extreme value fitting module are trained, the reconstruction errors e = (e_1, e_2, …, e_N) of all known flows are first calculated by the following formula:
Figure FDA0002380243640000044
all reconstruction errors are sorted in ascending order and the η reconstruction errors at the front of the ordering are selected;
for these η reconstruction errors, the parameters (m, τ, σ) are obtained by the maximum likelihood method, where m, τ and σ are the shape, location and scale parameters respectively;
for the flow to be measured, its reconstruction error e' is substituted into the P_EVT(x) equation; the result P_EVT(e') is the probability that the flow to be measured is an unknown attack, and the larger the reconstruction error e', the larger P_EVT(e').
10. The method as claimed in claim 6, wherein predicting the type of traffic to be detected according to the probability that the traffic to be detected is of a known type and the probability that the traffic to be detected is of an unknown attack comprises:
the probability that the flow to be measured is of a known type is denoted as
Figure FDA0002380243640000053
the probability that the flow to be measured is an unknown attack is denoted as P_EVT(e');
using the probabilities
Figure FDA0002380243640000054
and P_EVT(e'), the probability p_u that the traffic to be tested belongs to an unknown attack is calculated and updated:
Figure FDA0002380243640000051
the type of the flow to be measured is then decided as
Figure FDA0002380243640000055
Figure FDA0002380243640000052
where y* denotes a known type and α is a hyperparameter.
CN202010080797.6A 2020-02-05 2020-02-05 Network attack detection device and method based on deep learning Active CN111343147B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010080797.6A CN111343147B (en) 2020-02-05 2020-02-05 Network attack detection device and method based on deep learning

Publications (2)

Publication Number Publication Date
CN111343147A true CN111343147A (en) 2020-06-26
CN111343147B CN111343147B (en) 2020-12-11

Family

ID=71186782

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010080797.6A Active CN111343147B (en) 2020-02-05 2020-02-05 Network attack detection device and method based on deep learning

Country Status (1)

Country Link
CN (1) CN111343147B (en)

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018015080A1 (en) * 2016-07-19 2018-01-25 Siemens Healthcare Gmbh Medical image segmentation with a multi-task neural network system
CN108881196A (en) * 2018-06-07 2018-11-23 中国民航大学 The semi-supervised intrusion detection method of model is generated based on depth
CN109194612A (en) * 2018-07-26 2019-01-11 北京计算机技术及应用研究所 A kind of network attack detecting method based on depth confidence network and SVM
CN109831392A (en) * 2019-03-04 2019-05-31 中国科学技术大学 Semi-supervised net flow assorted method
CN110691100A (en) * 2019-10-28 2020-01-14 中国科学技术大学 Hierarchical network attack identification and unknown attack detection method based on deep learning
CN110602653A (en) * 2019-10-30 2019-12-20 中国科学技术大学 Pre-caching method based on track prediction

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113259388A (en) * 2021-06-22 2021-08-13 贝壳找房(北京)科技有限公司 Network flow abnormity detection method, electronic equipment and readable storage medium
CN113434684A (en) * 2021-07-01 2021-09-24 北京中科研究院 Rumor detection method, system, equipment and storage medium for self-supervision learning
CN113612786A (en) * 2021-08-09 2021-11-05 上海交通大学宁波人工智能研究院 Intrusion detection system and method for vehicle bus
CN114301629A (en) * 2021-11-26 2022-04-08 北京六方云信息技术有限公司 IP detection method, device, terminal equipment and storage medium
CN116633705A (en) * 2023-07-26 2023-08-22 山东省计算中心(国家超级计算济南中心) Industrial control system abnormality detection method and system based on composite automatic encoder
CN116633705B (en) * 2023-07-26 2023-10-13 山东省计算中心(国家超级计算济南中心) Industrial control system abnormality detection method and system based on composite automatic encoder

Also Published As

Publication number Publication date
CN111343147B (en) 2020-12-11

Similar Documents

Publication Publication Date Title
CN111343147B (en) Network attack detection device and method based on deep learning
CN111314331B (en) Unknown network attack detection method based on conditional variation self-encoder
CN113792825B (en) Fault classification model training method and device for electricity information acquisition equipment
CN108737406B (en) Method and system for detecting abnormal flow data
CN111626336B (en) Subway fault data classification method based on unbalanced data set
CN110633725B (en) Method and device for training classification model and classification method and device
CN111460250B (en) Image data cleaning method, image data cleaning device, image data cleaning medium, and electronic apparatus
CN110928764A (en) Automated mobile application crowdsourcing test report evaluation method and computer storage medium
CN111368920A (en) Quantum twin neural network-based binary classification method and face recognition method thereof
CN110851176B (en) Clone code detection method capable of automatically constructing and utilizing pseudo-clone corpus
CN107577605A (en) A kind of feature clustering system of selection of software-oriented failure prediction
CN113516228B (en) Network anomaly detection method based on deep neural network
CN112199670B (en) Log monitoring method for improving IFOREST (entry face detection sequence) to conduct abnormity detection based on deep learning
CN111582315B (en) Sample data processing method and device and electronic equipment
Shoohi et al. DCGAN for Handling Imbalanced Malaria Dataset based on Over-Sampling Technique and using CNN.
CN113837266B (en) Software defect prediction method based on feature extraction and Stacking ensemble learning
CN112035345A (en) Mixed depth defect prediction method based on code segment analysis
CN114139931A (en) Enterprise data evaluation method and device, computer equipment and storage medium
CN111863135B (en) False positive structure variation filtering method, storage medium and computing device
CN114139624A (en) Method for mining time series data similarity information based on integrated model
CN109977400B (en) Verification processing method and device, computer storage medium and terminal
CN111737993A (en) Method for extracting health state of equipment from fault defect text of power distribution network equipment
CN113889274B (en) Method and device for constructing risk prediction model of autism spectrum disorder
CN113569957A (en) Object type identification method and device of business object and storage medium
CN113239075A (en) Construction data self-checking method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant