CN111343182B - Abnormal flow detection method based on gray level graph - Google Patents

Publication number: CN111343182B
Authority: CN (China)
Application number: CN202010120011.9A
Other languages: Chinese (zh)
Other versions: CN111343182A (en)
Inventors: 王彩洪, 孙健, 胡健龙, 赵书武
Current Assignee: University of Electronic Science and Technology of China
Original Assignee: University of Electronic Science and Technology of China
Legal status: Expired - Fee Related
Prior art keywords: gray, network, image, flow, target

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods

Abstract

The invention discloses an abnormal flow detection method based on a gray-scale map, comprising the following steps: S1: visualize the raw network traffic by converting it into a gray-scale map; S2: extract features from the gray-scale map; S3: on the Apache Spark framework, train on the gray-scale map features with a distributed extreme learning machine, output the weight matrix β, obtain the training parameters, and complete abnormal flow detection on the gray-scale map. The method effectively solves the problem of abnormal flow detection in a variety of network environments. Visualizing the network traffic removes the difficulty of extracting features from raw traffic by turning it into image feature extraction, which makes the training result more accurate. The invention effectively solves the problem of anomaly detection for the high-speed, massive network traffic of the big-data era and suits real modern network environments.

Description

Abnormal flow detection method based on gray level graph
Technical Field
The invention belongs to the technical field of network detection, and particularly relates to an abnormal flow detection method based on a gray-scale map.
Background
In recent years, as internet technology has developed and internet use has become more widespread, the frequency and intensity of network attacks have kept increasing and the network environment has deteriorated. A network attack targets the hardware, software and data of a network system by exploiting network vulnerabilities and security defects. In terms of their effect on information, attacks can be classified as passive or active. Active attacks can tamper with data streams or create spurious data streams. Passive attacks usually include eavesdropping, traffic analysis and breaking weakly encrypted data streams. Intrusion detection systems were proposed to defend against these attacks and improve the network environment. Traditional intrusion detection systems suffer from slow system setup, complex feature extraction and high resource cost. Most critically, most features can only be extracted after a flow has been monitored for a long time and in full, which makes real-time monitoring difficult. In addition, given ever-larger networks and an endless stream of unknown attacks, it is impractical to manually collect enough labelled data to train an intrusion detection system to detect intrusions accurately. For these reasons, the invention provides an abnormal flow detection method based on a gray-scale map.
Disclosure of Invention
The invention aims to solve the problem of network intrusion detection and provides an abnormal flow detection method based on a gray-scale map.
The technical scheme of the invention is an abnormal flow detection method based on a gray-scale map, comprising the following steps:
S1: visualize the raw network traffic by converting it into a gray-scale map;
S2: extract features from the gray-scale map using fuzziness;
S3: on the Apache Spark framework, train on the gray-scale map features with a distributed extreme learning machine, output the weight matrix β, obtain the training parameters, and complete abnormal flow detection on the gray-scale map.
The beneficial effects of the invention are as follows: the method effectively solves the problem of abnormal flow detection in a variety of network environments. Visualizing the network traffic removes the difficulty of extracting features from raw traffic by turning it into image feature extraction, which makes the training result more accurate. In addition, by using the Apache Spark framework together with a distributed extreme learning machine, the detection method effectively solves the problem of anomaly detection for the high-speed, massive network traffic of the big-data era and suits real modern network environments. The invention also replaces a complex, hard-to-converge deep neural network with a simple, fast neural network, which fits today's high-speed, massive traffic environments and makes the detection method simpler and faster.
Further, in step S1, the visualization processing is applied to the first 10 KB of the raw traffic.
The beneficial effects of this further scheme are as follows: in a real network, flow sizes are neither fixed nor uniform. For flows of long duration and large data volume, the invention converts only the first 10 KB of the flow as it arrives. For flows of short duration and small data volume, the captured data is replicated so that the converted data ends up close to 10 KB. Handling different flow sizes in different ways makes the visualization of the traffic more accurate.
Further, step S1 includes the following sub-steps:
S11: select the CICIDS2017 data set as the background traffic for abnormal flow detection;
S12: split the pcap files of the CICIDS2017 data set using the PcapPlusPlus tool;
S13: batch the split pcap files in order of their time and size;
S14: convert the batched pcap files into gray-scale maps to complete the visualization of the raw network traffic.
The beneficial effects of this further scheme are as follows: network traffic is binary data, and visualizing it removes the difficulty of extracting features from raw traffic, so the detection result is more accurate.
Further, step S2 includes the following sub-steps:
S21: extract an image region carrying important information in the gray-scale map as the sample feature object of the gray-scale map, scan the gray-scale map to obtain a target image region, and extract the target feature object of the gray-scale map;
S22: establish a sample fuzzy set $X = \{x\}$ and a target fuzzy set $Y = \{y_1, y_2, \ldots, y_n\}$ of the gray-scale map from the sample feature object and the target feature object of the gray-scale map;
S23: from the sample fuzzy set $X = \{x\}$ and the target fuzzy set $Y = \{y_1, y_2, \ldots, y_n\}$, describe the feature fuzzy similarity relation of the gray-scale map, which is:
Figure BDA0002392669200000031
where $j = 1, 2, \ldots, n$, $n$ is the number of ordered pairs $(x, y_j)$,
Figure BDA0002392669200000032
is the relation value of the ordered pair $(x, y_j)$, and
Figure BDA0002392669200000033
is a membership function;
S24: determine the similarity set $R_\alpha$ of the sample feature object and the target feature object from the feature fuzzy similarity relation of the gray-scale map, computed as:
$R_\alpha = \{(x, y_j) \mid \mu_R(x, y_j) \ge \alpha\}$
where $\mu_R$ is the feature fuzzy similarity relation of the gray-scale map and $\alpha$ is the similarity between the sample feature object and the target feature object, with $\alpha = 1$;
S25: extract the image-pixel center point of the target feature object in the similarity set $R_\alpha$;
S26: mark the image-pixel center point of the target feature object to complete feature extraction from the gray-scale map.
The beneficial effects of this further scheme are as follows: image feature extraction uses fuzziness in place of traditional image feature extraction methods, so resource usage is low and the feature extraction result is more accurate.
Further, step S3 includes the following sub-steps:
S31: using a distributed extreme learning machine, set the number of hidden-layer neurons of the network to L and randomly initialize the input weights W and biases b of the hidden-layer neurons;
S32: calculate the hidden-layer neuron output matrix H of the network, computed as:
Figure BDA0002392669200000041
where the network contains L hidden-layer neurons, $W_i$ is the input weight of the i-th hidden-layer neuron, $b_i$ is the bias of the i-th hidden-layer neuron, $g(\cdot)$ is the activation function, $i = 1, 2, \ldots, L$, the quantity indexed by $j$ is the extracted feature of the j-th target feature object, $j = 1, 2, \ldots, N$, and the network has N target feature objects;
S33: calculate the expected output matrix T of the network based on the hidden-layer neuron output matrix H, computed as:
Figure BDA0002392669200000042
where $t_i$ is the output vector of the i-th target feature object;
S34: calculate the output weight matrix β of the network from the hidden-layer neuron output matrix H and the expected output matrix T, computed as:
$\beta = (H^{T}H)^{-1}H^{T}T$
where H is the hidden-layer neuron output matrix and T is the expected output matrix;
S35: screen the output weight matrix β to obtain the training parameters.
The beneficial effects of this further scheme are as follows: a simple single-layer network is trained on the network traffic; it converges quickly and suits high-speed, massive network traffic environments, which makes the detection method faster. The distributed extreme learning machine also offers good generalization and fast learning: once the number of hidden-layer neurons is set and the input weights and biases are randomly initialized, the corresponding output weights are obtained without any adjustment during training.
Further, in step S3, abnormal flow detection is performed with the model built from the training parameters.
The beneficial effects of this further scheme are as follows: the process of obtaining the training parameters is the process of building the abnormal flow detection model, and abnormal flow detection can be completed quickly with this model.
Drawings
FIG. 1 is a flow chart of the abnormal flow detection method based on a gray-scale map;
FIG. 2 is a flow chart of step S1;
FIG. 3 is a flow chart of step S2;
FIG. 4 is a flow chart of step S3;
FIG. 5 is an example diagram of network intrusions.
Detailed Description
The embodiments of the present invention will be further described with reference to the accompanying drawings.
As shown in FIG. 1, the invention provides an abnormal flow detection method based on a gray-scale map, comprising the following steps:
S1: visualize the raw network traffic by converting it into a gray-scale map;
S2: extract features from the gray-scale map using fuzziness;
S3: on the Apache Spark framework, train on the gray-scale map features with a distributed extreme learning machine, output the weight matrix β, obtain the training parameters, and complete abnormal flow detection on the gray-scale map.
In the embodiment of the invention, as shown in FIG. 1, in step S1 the visualization processing is applied to the first 10 KB of the raw traffic.
In a real network, flow sizes are neither fixed nor uniform. For flows of long duration and large data volume, the invention converts only the first 10 KB of the flow as it arrives. For flows of short duration and small data volume, the captured data is replicated so that the converted data ends up close to 10 KB. Handling different flow sizes in different ways makes the visualization of the traffic more accurate.
In the embodiment of the invention, as shown in FIG. 2, step S1 includes the following sub-steps:
S11: select the CICIDS2017 data set as the background traffic for abnormal flow detection;
S12: split the pcap files of the CICIDS2017 data set using the PcapPlusPlus tool;
S13: batch the split pcap files in order of their time and size;
S14: convert the batched pcap files into gray-scale maps to complete the visualization of the raw network traffic.
Network traffic is binary data, and visualizing it removes the difficulty of extracting features from raw traffic, so the detection result is more accurate.
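An added sketch of step S1 (not code from the patent): it reads packets from a classic pcap capture, keeps the first 10 KB or replicates a short flow up to that size, and maps each byte to one gray pixel. The 128-pixel image width, trimming the last replicated copy to exactly 10 KB, and the sample captures are assumptions made for the example.

```python
import struct

TARGET_BYTES = 10 * 1024          # "first 10 KB" of a flow, per step S1
WIDTH = 128                       # assumption: image width is not given on the page
PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}


def pcap_packets(blob):
    """Yield raw packet bytes from a classic (microsecond) libpcap capture."""
    if len(blob) < 24 or blob[:4] not in PCAP_MAGIC:
        raise ValueError("not a classic pcap capture")
    endian = PCAP_MAGIC[blob[:4]]
    offset = 24                                   # skip the global header
    while offset + 16 <= len(blob):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", blob, offset)
        offset += 16
        if offset + incl_len > len(blob):
            break                                 # truncated final record
        yield blob[offset:offset + incl_len]
        offset += incl_len


def flow_bytes(blob, limit=TARGET_BYTES):
    """Concatenate packet bytes in capture order, stopping once `limit` is reached."""
    out = bytearray()
    for packet in pcap_packets(blob):
        out += packet
        if len(out) >= limit:
            break
    return bytes(out)


def normalise_length(flow, target=TARGET_BYTES):
    """Long flows keep only their first `target` bytes; short flows are replicated."""
    if not flow:
        raise ValueError("empty flow: nothing to visualise")
    if len(flow) >= target:
        return flow[:target]
    copies = -(-target // len(flow))              # ceiling division
    return (flow * copies)[:target]               # assumption: trim the last copy


def to_gray_rows(flow, width=WIDTH):
    """Map each byte to one pixel (0 = black, 255 = white), row by row."""
    data = normalise_length(flow)
    return [list(data[i:i + width]) for i in range(0, len(data), width)]


def to_pgm(rows):
    """Serialise the pixel rows as a binary PGM (P5) image."""
    header = "P5\n{} {}\n255\n".format(len(rows[0]), len(rows)).encode("ascii")
    return header + bytes(pixel for row in rows for pixel in row)


def build_pcap(packets):
    """Build a constructed little-endian capture (link type 1) for the demo."""
    blob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, packet in enumerate(packets):
        blob += struct.pack("<IIII", n, 0, len(packet), len(packet)) + packet
    return blob


# Constructed sample captures, not taken from CICIDS2017.
SHORT_PCAP = build_pcap([bytes([v]) * 60 for v in (0x10, 0x80, 0xF0)])
LONG_PCAP = build_pcap([bytes([i]) * 1000 for i in range(20)])

if __name__ == "__main__":
    for name, capture in (("short", SHORT_PCAP), ("long", LONG_PCAP)):
        rows = to_gray_rows(flow_bytes(capture))
        with open(name + ".pgm", "wb") as handle:
            handle.write(to_pgm(rows))
        print(name, len(rows), "x", len(rows[0]))
```

The resulting `.pgm` files open in most image viewers, which makes it easy to compare how a replicated short flow and a truncated long flow look side by side.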
In the embodiment of the invention, as shown in FIG. 3, step S2 includes the following sub-steps:
S21: extract an image region carrying important information in the gray-scale map as the sample feature object of the gray-scale map, scan the gray-scale map to obtain a target image region, and extract the target feature object of the gray-scale map;
S22: establish a sample fuzzy set $X = \{x\}$ and a target fuzzy set $Y = \{y_1, y_2, \ldots, y_n\}$ of the gray-scale map from the sample feature object and the target feature object of the gray-scale map;
S23: from the sample fuzzy set $X = \{x\}$ and the target fuzzy set $Y = \{y_1, y_2, \ldots, y_n\}$, describe the feature fuzzy similarity relation of the gray-scale map, which is:
Figure BDA0002392669200000061
where $j = 1, 2, \ldots, n$, $n$ is the number of ordered pairs $(x, y_j)$,
Figure BDA0002392669200000071
is the relation value of the ordered pair $(x, y_j)$, and
Figure BDA0002392669200000072
is a membership function;
S24: determine the similarity set $R_\alpha$ of the sample feature object and the target feature object from the feature fuzzy similarity relation of the gray-scale map, computed as:
$R_\alpha = \{(x, y_j) \mid \mu_R(x, y_j) \ge \alpha\}$
where $\mu_R$ is the feature fuzzy similarity relation of the gray-scale map and $\alpha$ is the similarity between the sample feature object and the target feature object, with $\alpha = 1$;
S25: extract the image-pixel center point of the target feature object in the similarity set $R_\alpha$;
S26: mark the image-pixel center point of the target feature object to complete feature extraction from the gray-scale map.
In the invention, what counts as important information can be decided according to subjective needs. Image feature extraction uses fuzziness in place of traditional image feature extraction methods, so resource usage is low and the feature extraction result is more accurate.
In the embodiment of the invention, as shown in FIG. 4, step S3 includes the following sub-steps:
S31: using a distributed extreme learning machine, set the number of hidden-layer neurons of the network to L and randomly initialize the input weights W and biases b of the hidden-layer neurons;
S32: calculate the hidden-layer neuron output matrix H of the network, computed as:
Figure BDA0002392669200000073
where the network contains L hidden-layer neurons, $W_i$ is the input weight of the i-th hidden-layer neuron, $b_i$ is the bias of the i-th hidden-layer neuron, $g(\cdot)$ is the activation function, $i = 1, 2, \ldots, L$, the quantity indexed by $j$ is the extracted feature of the j-th target feature object, $j = 1, 2, \ldots, N$, and the network has N target feature objects;
S33: calculate the expected output matrix T of the network based on the hidden-layer neuron output matrix H, computed as:
Figure BDA0002392669200000081
where $t_i$ is the output vector of the i-th target feature object;
S34: calculate the output weight matrix β of the network from the hidden-layer neuron output matrix H and the expected output matrix T, computed as:
$\beta = (H^{T}H)^{-1}H^{T}T$
where H is the hidden-layer neuron output matrix and T is the expected output matrix;
S35: screen the output weight matrix β to obtain the training parameters.
In the invention, a simple single-layer network is trained on the network traffic; it converges quickly and suits high-speed, massive network traffic environments, which makes the detection method faster. The distributed extreme learning machine also offers good generalization and fast learning: once the number of hidden-layer neurons is set and the input weights and biases are randomly initialized, the corresponding output weights are obtained without any adjustment during training.
In the embodiment of the invention, as shown in FIG. 1, in step S3 abnormal flow detection is performed with the model built from the training parameters.
In the invention, the process of obtaining the training parameters is the process of building the abnormal flow detection model, and abnormal flow detection can be completed quickly with this model.
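An added sketch of steps S31 to S34 and of classifying with the resulting model (not code from the patent). The feature symbol x, the sigmoid activation, the sample vectors, and summing H^T H and H^T T per data partition are assumptions; the page names Apache Spark but does not spell out how the work is split.

```python
import math
import random

# Constructed two-feature samples (not from the page): 0 = normal, 1 = abnormal.
SAMPLES = [([0.0, 0.0], 0), ([0.1, 0.0], 0), ([0.0, 0.2], 0), ([0.1, 0.1], 0),
           ([1.0, 1.0], 1), ([0.9, 1.0], 1), ([1.0, 0.8], 1), ([0.9, 0.9], 1)]


def one_hot(label, classes=2):
    """Row of the expected output matrix T for one sample."""
    return [1.0 if k == label else 0.0 for k in range(classes)]


def init_hidden(L, d, seed=0):
    """S31: random input weights W (L x d) and biases b (length L), never trained."""
    rng = random.Random(seed)
    W = [[rng.uniform(-1.0, 1.0) for _ in range(d)] for _ in range(L)]
    b = [rng.uniform(-1.0, 1.0) for _ in range(L)]
    return W, b


def hidden_row(x, W, b):
    """S32: one row of H, g(W_i . x + b_i) for i = 1..L, with g = sigmoid."""
    return [1.0 / (1.0 + math.exp(-(sum(w * v for w, v in zip(Wi, x)) + bi)))
            for Wi, bi in zip(W, b)]


def partial_sums(X, T, W, b):
    """H^T H (L x L) and H^T T (L x m) contributed by one partition of samples."""
    L, m = len(W), len(T[0])
    HtH = [[0.0] * L for _ in range(L)]
    HtT = [[0.0] * m for _ in range(L)]
    for x, t in zip(X, T):
        h = hidden_row(x, W, b)
        for i in range(L):
            for k in range(L):
                HtH[i][k] += h[i] * h[k]
            for k in range(m):
                HtT[i][k] += h[i] * t[k]
    return HtH, HtT


def mat_add(A, B):
    return [[p + q for p, q in zip(ra, rb)] for ra, rb in zip(A, B)]


def solve(A, B):
    """Solve A X = B by Gauss-Jordan elimination with partial pivoting."""
    n = len(A)
    M = [ra[:] + rb[:] for ra, rb in zip(A, B)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        if abs(M[p][c]) < 1e-12:
            raise ValueError("H^T H is singular: too few or redundant samples for L")
        M[c], M[p] = M[p], M[c]
        M[c] = [v / M[c][c] for v in M[c]]
        for r in range(n):
            if r != c:
                f = M[r][c]
                M[r] = [vr - f * vc for vr, vc in zip(M[r], M[c])]
    return [row[n:] for row in M]


def train(partitions, W, b):
    """S34: beta = (H^T H)^-1 H^T T, both products summed over the partitions."""
    HtH, HtT = partial_sums(partitions[0][0], partitions[0][1], W, b)
    for X, T in partitions[1:]:
        P, Q = partial_sums(X, T, W, b)
        HtH, HtT = mat_add(HtH, P), mat_add(HtT, Q)
    return solve(HtH, HtT)


def predict(x, W, b, beta):
    """Class index with the largest output h(x) . beta."""
    h = hidden_row(x, W, b)
    scores = [sum(hi * row[k] for hi, row in zip(h, beta)) for k in range(len(beta[0]))]
    return scores.index(max(scores))


if __name__ == "__main__":
    W, b = init_hidden(L=3, d=2, seed=7)
    X = [x for x, _ in SAMPLES]
    T = [one_hot(y) for _, y in SAMPLES]
    beta = train([(X[:4], T[:4]), (X[4:], T[4:])], W, b)   # two partitions
    print([predict(x, W, b, beta) for x in X])
```

Because the plain inverse in S34 fails when H^T H is singular, `solve` raises instead of returning unstable weights; that happens, for example, when there are fewer samples than hidden-layer neurons.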
In the embodiment of the invention, FIG. 5 shows example images of network attacks detected with the network intrusion detection method of the invention; the attacks are, in sequence, DoS, DDoS, PortScan, FTP-Patator and SSH-Patator. In real network attacks, not every DoS, DDoS, PortScan, FTP-Patator or SSH-Patator attack looks like FIG. 5; the example images in FIG. 5 show only one gray-scale representation of these attacks.
The working principle and process of the invention are as follows: the abnormal flow detection system is built on processing of the raw network traffic and uses a novel method to characterize and analyze that traffic. First, because network traffic is entirely binary data, it is converted into gray-scale images and abnormal traffic is detected by image processing. Second, gray-scale image features are extracted based on fuzziness, which turns feature extraction from network traffic into feature extraction from images. Then multiple sub-extreme-learning-machine classifiers are trained on the Apache Spark framework to detect network traffic, and the model is built from the process of solving for the training parameter β, completing abnormal flow detection.
The beneficial effects of the invention are as follows: the method effectively solves the problem of abnormal flow detection in a variety of network environments. Visualizing the network traffic removes the difficulty of extracting features from raw traffic by turning it into image feature extraction, which makes the training result more accurate. In addition, by using the Apache Spark framework together with a distributed extreme learning machine, the detection method effectively solves the problem of anomaly detection for the high-speed, massive network traffic of the big-data era and suits real modern network environments. The invention also replaces a complex, hard-to-converge deep neural network with a simple, fast neural network, which fits today's high-speed, massive traffic environments and makes the detection method simpler and faster.
Those of ordinary skill in the art will appreciate that the embodiments described here are intended to help the reader understand the principles of the invention, and that the scope of protection of the invention is not limited to these specific statements and embodiments. Those skilled in the art can make various other specific variations and combinations based on the teachings of the invention without departing from its spirit, and these variations and combinations remain within the scope of the invention.

Claims (5)

1. An abnormal flow detection method based on a gray-scale map, characterized by comprising the following steps:
S1: visualize the raw network traffic by converting it into a gray-scale map;
S2: extract features from the gray-scale map using fuzziness;
step S2 includes the following sub-steps:
S21: extract an image region carrying important information in the gray-scale map as the sample feature object of the gray-scale map, scan the gray-scale map to obtain a target image region, and extract the target feature object of the gray-scale map;
S22: establish a sample fuzzy set $X = \{x\}$ and a target fuzzy set $Y = \{y_1, y_2, \ldots, y_n\}$ of the gray-scale map from the sample feature object and the target feature object of the gray-scale map;
S23: from the sample fuzzy set $X = \{x\}$ and the target fuzzy set $Y = \{y_1, y_2, \ldots, y_n\}$, describe the feature fuzzy similarity relation of the gray-scale map, which is:
Figure FDA0003132805020000011
where $j = 1, 2, \ldots, n$, $n$ is the number of ordered pairs $(x, y_j)$,
Figure FDA0003132805020000012
is the relation value of the ordered pair $(x, y_j)$, and
Figure FDA0003132805020000013
is a membership function;
S24: determine the similarity set $R_\alpha$ of the sample feature object and the target feature object from the feature fuzzy similarity relation of the gray-scale map, computed as:
$R_\alpha = \{(x, y_j) \mid \mu_R(x, y_j) \ge \alpha\}$
where $\mu_R$ is the feature fuzzy similarity relation of the gray-scale map and $\alpha$ is the similarity between the sample feature object and the target feature object;
S25: extract the image-pixel center point of the target feature object in the similarity set $R_\alpha$;
S26: mark the image-pixel center point of the target feature object to complete feature extraction from the gray-scale map;
S3: on the Apache Spark framework, train on the gray-scale map features with a distributed extreme learning machine, output the weight matrix β, obtain the training parameters, and complete abnormal flow detection on the gray-scale map.
2. The abnormal flow detection method based on a gray-scale map according to claim 1, wherein in step S1 the visualization processing is applied to the first 10 KB of the raw traffic.
3. The abnormal flow detection method based on a gray-scale map according to claim 1, wherein step S1 includes the following sub-steps:
S11: select the CICIDS2017 data set as the background traffic for abnormal flow detection;
S12: split the pcap files of the CICIDS2017 data set using the PcapPlusPlus tool;
S13: batch the split pcap files in order of their time and size;
S14: convert the batched pcap files into gray-scale maps to complete the visualization of the raw network traffic.
4. The abnormal flow detection method based on a gray-scale map according to claim 1, wherein step S3 includes the following sub-steps:
S31: using a distributed extreme learning machine, set the number of hidden-layer neurons of the network to L and randomly initialize the input weights W and biases b of the hidden-layer neurons;
S32: calculate the hidden-layer neuron output matrix H of the network, computed as:
Figure FDA0003132805020000021
where the network contains L hidden-layer neurons, $W_i$ is the input weight of the i-th hidden-layer neuron, $b_i$ is the bias of the i-th hidden-layer neuron, $g(\cdot)$ is the activation function, $i = 1, 2, \ldots, L$, the quantity indexed by $j$ is the extracted feature of the j-th target feature object, $j = 1, 2, \ldots, N$, and the network has N target feature objects;
S33: calculate the expected output matrix T of the network based on the hidden-layer neuron output matrix H, computed as:
Figure FDA0003132805020000031
where $t_i$ is the output vector of the i-th target feature object;
S34: calculate the output weight matrix β of the network from the hidden-layer neuron output matrix H and the expected output matrix T, computed as:
$\beta = (H^{T}H)^{-1}H^{T}T$
where H is the hidden-layer neuron output matrix and T is the expected output matrix;
S35: screen the output weight matrix β to obtain the training parameters.
5. The abnormal flow detection method based on a gray-scale map according to claim 1, wherein in step S3 abnormal flow detection is performed with the model built from the training parameters.
Application CN202010120011.9A, filed 2020-02-26 (priority date 2020-02-26): Abnormal flow detection method based on gray level graph. Status: Expired - Fee Related. Granted as CN111343182B (en).

Publications (2)

Publication Number   Publication Date
CN111343182A         2020-06-26
CN111343182B         2021-08-10

Family ID: 71187927

Legal Events

Code   Title
PB01   Publication
SE01   Entry into force of request for substantive examination
GR01   Patent grant
CF01   Termination of patent right due to non-payment of annual fee

Granted publication date: 20210810