CN111988340A - Small sample DDoS attack detection method based on deep migration learning - Google Patents
- Publication number
- CN111988340A (CN202010943146.5A)
- Authority
- CN
- China
- Prior art keywords
- network
- migration
- ddos attack
- neural network
- sample
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
Description
Technical field
The invention relates to the field of DDoS (Distributed Denial of Service) attack detection, and in particular to a small-sample DDoS attack detection method based on deep transfer learning.
Background
A DDoS attack generally refers to a distributed denial-of-service attack, in which a large number of controlled zombie devices send frequent requests to the target so that its resources are exhausted and the server eventually crashes. Although the means and cost of maintaining network security keep increasing, DDoS attack methods are also evolving, and their damage to the network ecosystem is growing. On the one hand, the peak traffic of traditional congestion-based DDoS attacks grows year by year; on the other hand, new DDoS attacks are no longer satisfied with high-cost, low-yield flooding: attackers frequently change DDoS attack characteristics or use small-sample attacks to evade traditional detection techniques, including Deep Packet Inspection (DPI). For example, the SYN Flood attack is the main DDoS technique; however, as the Internet underground economy has become platform-based, the launch vehicle of SYN Flood attacks has shifted from massive numbers of zombie machines to packet-sending machines, which has changed the characteristics of the attack. Besides flooding attacks, a large number of protocol-based attack methods have appeared in DDoS attacks, such as HttpFlood, UDP Flood and TCP Flood attacks.
Existing DDoS attack detection techniques are of two kinds: misuse-based detection and anomaly-based detection. Misuse-based detection, also called rule-based detection, has high detection accuracy and a low false detection rate for known attacks, but its disadvantage is that the rules have to be written by people and it cannot effectively detect 0day attacks. Anomaly-based detection is a means of detecting unknown DDoS attacks; it can detect 0day attacks, but it has a certain false alarm rate and relies too heavily on features extracted from expert experience.
In recent years, researchers have used the good end-to-end properties of deep learning to detect DDoS attacks as data volumes grow. However, new DDoS attacks have few labelled data samples, which degrades the detection performance of deep learning methods that depend on labelled data. The invention therefore proposes a small-sample DDoS attack detection method based on deep transfer learning, which both exploits the end-to-end advantage of deep learning and overcomes the degradation of detection performance, and is of great value to research on small-sample DDoS attack detection techniques.
Summary of the invention
To address the problem that new DDoS attacks have few labelled samples and that detection based on deep learning methods therefore suffers degraded performance, the invention proposes a small-sample DDoS attack detection method based on deep transfer learning. The specific technical scheme is as follows.
It comprises the following steps:
Select the network packets of a DDoS attack with sufficient labelled samples as the source domain, and train m base neural networks that meet the performance standard on the source domain to form a neural network cluster;
Select the sample data space of a small-sample DDoS attack as the target domain;
Run a transferability comparison experiment with the neural network cluster in the target domain, then calculate the transferable performance value of each base neural network N_i, i∈[1,m], m≥2;
Compare the transferable performance values, select the network N_max with the largest transferable performance value, and run a transfer experiment in the target domain to obtain the transfer network N_T;
Fine-tune the parameters of the transfer network N_T using the fine-tuning technique;
Train the transfer network N_T on the target domain;
Use the transfer network N_T to detect new small-sample DDoS attacks and obtain the detection performance value.
Further, a base neural network meets the performance standard if it reaches the relevant performance threshold, which is set to 95%; the calculation formula of the performance threshold is as follows:
where F1 denotes the performance threshold; Pr denotes the precision of base neural network N_i on the target detection task; Re denotes the recall of base neural network N_i on the target detection task.
Further, the transferable performance value of a base neural network N_i, i∈[1,m], m≥2, in the target domain is calculated as follows:
where the result is the transferable performance value of base neural network N_i transferred to the target domain; F1_j denotes the F1 performance value obtained after j epochs of training, and w_j denotes the weight assigned to the performance value obtained in each training; Pr_j denotes the precision after j epochs of training, and Re_j denotes the recall after j epochs of training; E denotes the last epoch of training.
Further, the specific operation of the transfer experiment is:
The parameters contained in the first l layers of the network N_max are assigned to the first l layers of the transfer network N_T, where the remaining symbols denote the total number of layers of the transfer network N_T and the total number of layers of the network N_max.
Further, fine-tuning the parameters of the transfer network N_T using the fine-tuning technique is specifically: the parameters of the first l layers of the transfer network N_T are fine-tuned with a learning rate 1 to 2 orders of magnitude lower than the normal learning rate, and the parameters of the remaining layers are updated at the normal learning rate; the normal learning rate is set to 0.01.
Preferably, the network packets of a SYN-type DDoS attack are selected as the source domain and the LDAP-type DDoS attack sample data space as the target domain; the base neural network N_i that works best has 5 neural network layers in total, 800 neurons per layer, and a number of transferred layers l of 3.
Further, the base neural network N_i has 5 to 8 neural network layers in total, 100 to 800 neurons per layer, and a transfer depth of 1 to 4 layers.
The invention also provides a small-sample DDoS attack detection device, comprising:
one or more processors;
a memory for storing one or more programs;
when the one or more programs are executed by the one or more processors, the one or more processors implement the small-sample DDoS attack detection method described above.
In another aspect, the invention also provides a computer storage medium on which computer program instructions are stored; when executed by a processor, the computer program instructions implement the small-sample DDoS attack detection method described above.
Compared with the prior art, the beneficial effects of the invention are:
Using deep transfer learning, a DDoS attack detection network trained with sufficient labelled samples is applied to small-sample DDoS attack detection, and the fine-tuning technique is used to fine-tune its parameters, so that the transferred network makes better use of source-domain knowledge to detect new small-sample attacks. Compared with the conventional approach of detecting DDoS attacks with deep learning alone, experiments show that the invention substantially improves the performance degradation caused by the scarcity of labelled samples for new DDoS attacks. In addition, the invention performs detection directly on network packets, so the detection granularity is fine and the identification accuracy is high.
Description of drawings
To illustrate the technical solutions in the embodiments of the invention more clearly, the drawings used in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort, wherein:
Figure 1 is a flowchart of the small-sample DDoS attack detection method based on deep transfer learning proposed by the invention;
Figure 2 is a schematic diagram of deep transfer of a base neural network;
Figure 3 is a schematic comparison of the transferable performance of different neural network clusters in the target domain, as calculated in the simulation experiment;
Figure 4 is a schematic comparison of the small-sample DDoS attack detection performance of the transfer network combined with the fine-tuning technique, as calculated in the simulation experiment.
Detailed description
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them.
In the invention, "sufficient labelled samples" means that the features of the labelled sample data are evenly distributed and the data volume is large, enough to let the constructed neural network cluster complete a sufficient number of training rounds (usually 20 epochs) and to make the performance of the cluster change little over the last few epochs. A small sample is the opposite: the amount of labelled sample data is usually small, so the sample features are unevenly distributed and the neural network cluster cannot be trained adequately. N_i, i∈[1,m], m≥2, denotes a neural network trained on the source domain, that is, a base neural network that reaches the performance threshold; N_max denotes the network with the largest transferable performance value in the transferability comparison experiment; N_T denotes the network obtained by transferring N_max in the transfer experiment.
The embodiments of the invention are described in detail below with reference to the drawings.
Figure 1 is a flowchart of the small-sample DDoS attack detection method based on deep transfer learning provided by the invention. The specific steps are:
Step 1: Select a representative DDoS attack with sufficient labelled samples as the source domain, and build and train m base neural networks that meet the performance standard on the source domain to form a neural network cluster.
In a specific embodiment, the SYN-type DDoS attack can be selected as the source domain, because this type is representative of DDoS attacks, appeared early and is highly damaging to networks, and has sufficient labelled samples, which makes it very suitable as source-domain data. Each base neural network N_i, i∈[1,m], m≥2, that meets the performance standard is a base neural network trained on the source domain. The objective function of the base neural network N_i can be expressed by the following formula:
In the formula above, the objective function is that of the base neural network N_i; parameters_l denotes the parameter set of layer l of the base neural network; h_l denotes the l-th hidden layer of the base neural network; L denotes the total number of layers of the base neural network; x denotes the training data input to the base neural network; σ(·) denotes the activation function used by the base neural network. The two formulas above mean that the input sample x is multiplied by the weights of the first layer of the base neural network, passed through the activation function, and output as the input to the second layer. Once the input has been propagated to the last layer, the objective function value is obtained through the softmax(·) function.
In general, the most common performance indicators of a base neural network are precision and recall on the target detection task: precision is how many of the identified results are correct, and recall is how many of the correct results were identified. When the sample distribution is uneven, however, the two indicators may contradict each other. To evaluate detection performance comprehensively, the invention uses the performance threshold F1, which is related to precision and recall, as the performance criterion for the neural network cluster; for example, the performance threshold F1 is set to 90%, whether a network's detection capability is qualified is judged by whether it reaches the performance threshold F1, and networks whose detection capability is not up to standard are discarded. In the most preferred embodiment of the invention, the performance threshold F1 is set to 95%. The performance threshold F1 can be calculated with the following formula:
where F1 denotes the performance threshold; Pr denotes the precision of the neural network on the target detection task; Re denotes the recall of the neural network on the target detection task. TP is the number of positive samples predicted as positive; FP is the number of negative samples predicted as positive (false alarms); FN is the number of positive samples predicted as negative. Because different base neural network structures transfer with different results, several base neural networks can be built in the source domain to form a neural network cluster from which the transfer experiment can choose.
Step 2: Select the sample data space of the small-sample DDoS attack as the target domain, run the transferability comparison experiment with the neural network cluster in the target domain, and calculate the transferable performance values.
The transferability comparison experiment is as follows: each base neural network N_i of the neural network cluster trained on the source domain is transferred to the target domain. Specifically, the transfer can be understood as assigning the weight values of the trained base neural network N_i to a new network. For example, transferring with a base neural network N_i, i∈[1,m] (a network trained on the source domain) means fixing the parameters contained in the first L-1 layers of N_i and letting only the final output layer be updated. In the transferability comparison experiment of the invention, all parameters of the base neural network N_i, i∈[1,m], except those of the output layer need to be fixed. To compare quantitatively the transfer effect of different base neural networks in the target domain, we then calculate the transferable performance value of each base neural network N_i, because the transferable performance value comprehensively represents the transfer effect of a network in the target domain; the larger the transferable performance value, the better the transfer effect. The transferable performance value of the base neural network N_i is calculated with the following formula:
where the result is the transferable performance value of base neural network N_i transferred to the target domain. F1_j denotes the performance value after j epochs of training, and w_j denotes a weight assigned to each performance value. Pr_j denotes the precision after j epochs of training, Re_j denotes the recall after j epochs of training, and E denotes the last epoch of training.
Step 3: Select the network N_max with the largest transferable performance value on the target domain, and transfer the network N_max in the target domain to obtain the transfer network N_T.
After the transferability comparison experiment, in order to select from the neural network cluster the network N_max with the best transferable performance value on the target domain, the invention designs a parameter that quantifies transferability, namely the transferable performance value; in the end, selecting the network N_max with the largest transferable performance value is all that is needed to pick out the best-performing network on the target domain.
Then the transfer experiment is run with the network N_max in the target domain to obtain the transfer network N_T; the transfer formula is:
where the two parameter symbols denote the k-th layer parameters of the network N_max and the k-th layer parameters of the network N_T, respectively.
Step 4: Fine-tune the parameters of the transfer network N_T using the fine-tuning technique, that is, update the parameters of the first l layers of the transfer network N_T with a small learning rate; then train the transfer network N_T on the target domain.
Fine-tuning the parameters of the transfer network N_T with the fine-tuning technique is expressed by the formula:
where the parameter symbol denotes the parameter set of the k-th layer of the network N_T, and lr′ denotes the learning rate set for fine-tuning. In the invention this learning rate is usually 1 to 2 orders of magnitude lower than the normal learning rate, and the normal learning rate is usually set to 0.01. This both preserves the knowledge carried over by the transfer and makes the transferred network N_T better adapted to the target domain.
Training the transfer network N_T on the target domain gives the performance values of the first and the last training of N_T; the specific formula is:
where the symbols denote, respectively, the performance value of the transfer network N_T at the i-th training (E denotes the last training), the precision of the transfer network N_T at the i-th training, and the recall of the transfer network N_T at the i-th training.
Comparing the performance values after the first training shows how quickly the transfer network N_T starts up, and comparing the performance values after the last training shows its final performance.
Step 5: Use the trained transfer network N_T to detect new small-sample DDoS attacks and obtain the detection performance value.
For small-sample DDoS detection, the performance values at each training round are compared between plain deep learning and deep transfer learning. We can see that deep transfer learning improves the initial performance of the network and gives better final detection performance, which is confirmed by the results of the final transfer experiment of the invention.
Please refer to Figure 2, which illustrates the four ways of transferring from the source domain to the target domain in deep transfer learning: freezing network parameters, fine-tuning network parameters, initializing network parameters, and fine-tuning the network structure. It also shows the two ways in which the fine-tuning technique is applied: one fine-tunes the parameters of the transferred network, the other fine-tunes its structure. In transfer learning, if the neural network trained on the old task (source domain) is applied unchanged to the new task (target domain), without altering the parameters trained on the network's neurons, this is freezing network parameters, shown as the black dots of the transfer network in Figure 2. If a smaller learning rate is used so that the parameters on the neurons can be updated for the new task, this is fine-tuning network parameters (one kind of fine-tuning technique), shown as the grey part of the transfer network in Figure 2. If the neuron parameters are initialized completely at random and the parameters the network learned on the old task are not used, this is initializing network parameters, shown as the white dots of the transfer network in Figure 2. If the final output of the new task differs from that of the old task, for example the old task is a three-class problem and the new task is a four-class problem, the network structure has to be fine-tuned (the other kind of fine-tuning technique), shown as the dashed dots of the transfer network in Figure 2. In the invention, both the source domain and the target domain perform binary classification for DDoS attack detection, so the structure of the transfer network does not need fine-tuning, and the invention transfers by fine-tuning the parameters of the transfer network.
请参阅图3、图4,图3是仿真实验中计算的神经网络簇在四个目标域下的可迁移性能对比示意图;图4是仿真实验中计算的迁移网络结合fine-tuning技术对小样本DDoS攻击检测性能示意图。Please refer to Figure 3 and Figure 4. Figure 3 is a schematic diagram of the migration performance comparison of the neural network cluster calculated in the simulation experiment under four target domains; Figure 4 is the migration network calculated in the simulation experiment combined with fine-tuning technology. DDoS attack detection performance diagram.
The simulation experiment system is configured as follows: the operating system is 64-bit Ubuntu 16.04 with 64 GB of memory, the software framework is PyTorch, and the GPU accelerator is an Nvidia RTX 2080 Ti. The basic parameters of the simulation experiment are set as follows: the training batch size is 500 and the loss function is the cross-entropy loss. The optimizer is the stochastic gradient descent optimizer built into PyTorch. The training learning rate is set to 0.01, and the learning rate during fine-tuning is set to 0.001. 80% of the data in the dataset is used as the training set and the rest as the validation set. In the source domain, the dataset consists of SYN-type DDoS attacks; in the target domain, the dataset consists of LDAP-type DDoS attacks.
Please refer to Figure 3 again. Figure 3 shows the detection performance obtained when 16 basic neural networks are first trained on SYN-type DDoS attack detection in the source domain and the first N-1 layers of each network (all layers except the output layer) are then transferred to a small-sample DDoS attack in the target domain. LDAP-type DDoS attacks were chosen as the target-domain data in this experiment because this type of DDoS attack appeared relatively recently and little labeled sample data exists for it, which meets the small-sample requirement. In Figure 3, the abscissa is the number of epochs for which the basic neural network has been trained, and the ordinate is the performance score of the network after training for the current epoch. Figure 3 shows the training performance of the 16 basic neural networks in the target domain. H5, H6, H7 and H8 denote neural networks with a total of 5, 6, 7 and 8 layers, respectively. W100, W200, W400 and W800 denote four neural networks with different numbers of neurons per layer: 100, 200, 400 and 800, respectively. From Figure 3 we can see that, in the LDAP-type DDoS attack target domain, the neural network with 5 layers and 800 neurons per layer has the best transferability; that is, the W800H5 network has the highest transferability value, and its final detection performance value is also the best.
Please refer to Figure 4 again. It shows the training results of transferring different numbers of layers of the W800H5 transfer network, with and without fine-tuning, after the amount of LDAP-type DDoS attack sample data has been reduced by a factor of 10. The ordinate is the DDoS attack detection performance value, and the abscissa x indicates that the first l layers of the W800H5 network, the network with the best transferability, are transferred. Each abscissa point in the figure (except point 0) carries 10 circular points and 10 triangular points. The 10 circular points are the performance values of 10 epochs of training after transferring the first l layers of the W800H5 network without fine-tuning, and the 10 triangular points are the same case with the fine-tuning technique added. To avoid overlap, the circular and triangular points are offset to the left and right, respectively. Comparing Figure 4 with the W800H5 performance curve in Figure 3, we can see that when the number of DDoS attack training samples is reduced, the detection performance of all networks drops to varying degrees. This matches what is seen in practice, where DDoS detection accuracy is low when few attack samples are available. For the network in which the parameters of all layers are randomly initialized, the final detection performance drops from 96.8% to 75%. The triangular points in Figure 4 show that, with the fine-tuning technique, network performance on the target domain is in every case better than that of the transfer network without fine-tuning. The highest detection performance, 85.8%, is reached when the number of transferred layers l is 3, and the performance when l is 4 is improved by 81.4% compared with the case before fine-tuning. Therefore, by using the deep transfer network method combined with the fine-tuning technique, the present invention can better mitigate the deterioration in detection performance caused by an insufficient number of samples of a new attack.
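The layer-transfer procedure described above can be sketched in PyTorch as follows. This is an added example, not code from the patent: it copies the first l layers of a source-trained network into a target network and compares Figure 2's "freeze" and "fine-tune" modes. The batch size (500), SGD, cross-entropy loss and the 0.01 / 0.001 learning rates come from the text; the ReLU activation, the feature count, training the non-transferred layers at 0.01, and the constructed data are assumptions.

```python
import torch
import torch.nn as nn

def make_mlp(n_features, width, depth, n_classes=2):
    """Fully connected net with `depth` layers in total, output layer included
    (the page's H5..H8), and `width` neurons per hidden layer (W100..W800).
    ReLU is an assumption; the page does not name the activation."""
    layers, in_dim = [], n_features
    for _ in range(depth - 1):
        layers += [nn.Linear(in_dim, width), nn.ReLU()]
        in_dim = width
    layers.append(nn.Linear(in_dim, n_classes))
    return nn.Sequential(*layers)

def linear_layers(net):
    return [m for m in net if isinstance(m, nn.Linear)]

def transfer(source, target, l, mode="finetune", base_lr=0.01, ft_lr=0.001):
    """Copy the first `l` layers of `source` into `target` and build the SGD
    optimizer. mode="finetune": copied layers train at ft_lr.
    mode="freeze": copied layers are excluded from training.
    The remaining layers keep their random initialisation and train at base_lr."""
    src, tgt = linear_layers(source), linear_layers(target)
    if len(src) != len(tgt) or not 0 <= l <= len(src) - 1:
        raise ValueError("l must be in 0..N-1; the output layer is never transferred")
    if mode not in ("finetune", "freeze"):
        raise ValueError("mode must be 'finetune' or 'freeze'")
    moved, fresh = [], []
    for i, (s, t) in enumerate(zip(src, tgt)):
        if i < l:
            t.load_state_dict(s.state_dict())
            if mode == "freeze":
                for p in t.parameters():
                    p.requires_grad_(False)
            else:
                moved += list(t.parameters())
        else:
            fresh += list(t.parameters())
    groups = [{"params": fresh, "lr": base_lr}]
    if moved:
        groups.append({"params": moved, "lr": ft_lr})
    return torch.optim.SGD(groups, lr=base_lr)

def train_epoch(net, opt, x, y, batch_size=500):
    """One epoch of mini-batch SGD with cross-entropy loss."""
    loss_fn = nn.CrossEntropyLoss()
    net.train()
    perm = torch.randperm(len(x))
    for i in range(0, len(x), batch_size):
        idx = perm[i:i + batch_size]
        opt.zero_grad()
        loss_fn(net(x[idx]), y[idx]).backward()
        opt.step()

def accuracy(net, x, y):
    net.eval()
    with torch.no_grad():
        return (net(x).argmax(dim=1) == y).float().mean().item()

def constructed_domain(n, n_features, shift, seed):
    """Constructed stand-in for labelled traffic features (not real data):
    label 1 when a domain-specific linear score is positive."""
    g = torch.Generator().manual_seed(seed)
    x = torch.randn(n, n_features, generator=g)
    w = torch.ones(n_features)
    w[: n_features // 4] += shift
    return x, (x @ w > 0).long()

if __name__ == "__main__":
    torch.manual_seed(0)
    F = 20                                          # assumed feature count
    xs, ys = constructed_domain(20000, F, 0.0, 1)   # large source domain
    xt, yt = constructed_domain(1000, F, 1.5, 2)    # small target domain
    cut = int(0.8 * len(xt))                        # 80% train / 20% validation
    source = make_mlp(F, 800, 5)                    # W800H5
    src_opt = torch.optim.SGD(source.parameters(), lr=0.01)
    for _ in range(10):
        train_epoch(source, src_opt, xs, ys)
    for l in range(5):
        for mode in ("freeze", "finetune"):
            net = make_mlp(F, 800, 5)
            opt = transfer(source, net, l, mode)
            for _ in range(10):
                train_epoch(net, opt, xt[:cut], yt[:cut])
            print(l, mode, round(accuracy(net, xt[cut:], yt[cut:]), 3))
```

Running the script prints one validation accuracy per (l, mode) pair on the constructed data; those numbers illustrate the mechanics only and are not comparable to the percentages reported for Figure 4.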
An example device implementing embodiments of the present invention may include one or more central processing units (CPUs), which can perform various appropriate actions and processing according to computer program instructions stored in read-only memory (ROM) or loaded from a storage unit into random access memory (RAM). The RAM can also store the various programs and data required for the operation of the device. The CPU, ROM and RAM are connected to one another through a bus. An input/output (I/O) interface is also connected to the bus.
Multiple components in the device are connected to the I/O interface, including: an input unit, such as a keyboard or mouse; an output unit, such as various types of displays and speakers; a storage unit, such as a magnetic disk or optical disk; and a communication unit, such as a network card, modem or wireless communication transceiver. The communication unit allows the device to exchange information and data with other devices through a computer network such as the Internet and/or various telecommunication networks.
The methods described above may be performed, for example, by the processing unit of the device. For example, in some embodiments, a method may be implemented as a computer software program tangibly embodied in a machine-readable medium, such as a storage unit. In some embodiments, part or all of the computer program may be loaded and/or installed onto the device via the ROM and/or the communication unit. When the computer program is loaded into RAM and executed by the CPU, one or more actions of the methods described above may be performed.
However, those skilled in the art will understand that the steps of the method are not limited to the order shown in the figures and described above; they may be performed in any other reasonable order, or in parallel. In addition, the device need not include all of the components described above; it may include only those components necessary to perform the functions described in the present invention, and these components may be connected in various ways. For example, where the device is a portable device such as a mobile phone, it may have a structure different from that described above.
With the scheme of the present invention, a DDoS attack detection network trained with sufficient labeled samples is applied to small-sample DDoS attack detection, and its parameters are fine-tuned with the fine-tuning technique, so that the transfer network makes better use of source-domain knowledge to detect new small-sample attacks. Compared with conventional methods that detect DDoS attacks using deep learning, experiments show that the present invention substantially mitigates the performance deterioration caused by the scarcity of labeled samples in the detection of new DDoS attacks. In addition, the present invention inspects network packets directly, so its detection granularity is fine and its identification accuracy is high.
The present invention may be a method, apparatus, system and/or computer program product. The computer program product may include a computer-readable storage medium carrying computer-readable program instructions for carrying out various aspects of the present invention.
A computer-readable storage medium may be a tangible device that can hold and store instructions for use by an instruction execution device. The computer-readable storage medium may be, for example, but is not limited to, an electrical storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of computer-readable storage media include: a portable computer disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), static random access memory (SRAM), portable compact disc read-only memory (CD-ROM), a digital versatile disc (DVD), a memory stick, a floppy disk, a mechanically encoded device such as a punch card or raised structures in a groove with instructions stored thereon, and any suitable combination of the foregoing. A computer-readable storage medium, as used herein, is not to be construed as a transient signal per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission medium (for example, light pulses through a fiber-optic cable), or electrical signals transmitted through a wire.
The computer-readable program instructions described herein may be downloaded from a computer-readable storage medium to respective computing/processing devices, or to an external computer or external storage device over a network such as the Internet, a local area network, a wide area network and/or a wireless network. The network may include copper transmission cables, optical fiber transmission, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. A network adapter card or network interface in each computing/processing device receives computer-readable program instructions from the network and forwards them for storage in a computer-readable storage medium within the respective computing/processing device.
The computer program instructions for carrying out the operations of the present invention may be assembly instructions, instruction set architecture (ISA) instructions, machine instructions, machine-dependent instructions, microcode, firmware instructions, state-setting data, or source code or object code written in any combination of one or more programming languages, including object-oriented programming languages such as Smalltalk and C++, and conventional procedural programming languages such as the "C" language or similar programming languages. The computer-readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on a remote computer or server. Where a remote computer is involved, the remote computer may be connected to the user's computer through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider). In some embodiments, an electronic circuit, such as a programmable logic circuit, a field-programmable gate array (FPGA) or a programmable logic array (PLA), is personalized using state information of the computer-readable program instructions; the electronic circuit can execute the computer-readable program instructions, thereby implementing various aspects of the present invention.
These computer-readable program instructions may be provided to a processing unit of a general-purpose computer, special-purpose computer or other programmable data processing apparatus to produce a machine, such that the instructions, when executed by the processing unit of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in one or more blocks of the flowcharts and/or block diagrams. These computer-readable program instructions may also be stored in a computer-readable storage medium; the instructions cause a computer, programmable data processing apparatus and/or other devices to operate in a specific manner, so that the computer-readable medium storing the instructions comprises an article of manufacture that includes instructions implementing various aspects of the functions/acts specified in one or more blocks of the flowcharts and/or block diagrams.
The computer-readable program instructions may also be loaded onto a computer, other programmable data processing apparatus or other device, causing a series of operational steps to be performed on the computer, other programmable data processing apparatus or other device to produce a computer-implemented process, such that the instructions executing on the computer, other programmable data processing apparatus or other device implement the functions/acts specified in one or more blocks of the flowcharts and/or block diagrams.
The embodiments of the present invention described above do not limit the scope of protection of the present invention. Any modifications, equivalent replacements and improvements made within the spirit and principles of the present invention shall fall within the scope of protection of the claims of the present invention.
Claims (9)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010943146.5A CN111988340B (en) | 2020-09-09 | 2020-09-09 | Small sample DDoS attack detection method based on deep transfer learning |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111988340A true CN111988340A (en) | 2020-11-24 |
CN111988340B CN111988340B (en) | 2022-04-29 |
Family
ID=73450425
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010943146.5A Active CN111988340B (en) | 2020-09-09 | 2020-09-09 | Small sample DDoS attack detection method based on deep transfer learning |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111988340B (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113900817A (en) * | 2021-10-15 | 2022-01-07 | 广州电力通信网络有限公司 | Mirror image root server processing terminal processing method based on IPV6 energy industry |
CN114428960A (en) * | 2022-01-24 | 2022-05-03 | 东华大学 | ARP attack detection method based on single-source domain expansion and prior parameter migration |
CN114549476A (en) * | 2022-02-24 | 2022-05-27 | 上海可明科技有限公司 | A transfer learning target detection method for lipstick quality inspection |
CN114978720A (en) * | 2022-05-26 | 2022-08-30 | 沈阳理工大学 | An intelligent detection method for visual representation of distributed denial of service attacks |
CN116109627A (en) * | 2023-04-10 | 2023-05-12 | 广东省科技基础条件平台中心 | Defect detection method, device and medium based on migration learning and small sample learning |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20180152475A1 (en) * | 2016-11-30 | 2018-05-31 | Foundation Of Soongsil University-Industry Cooperation | Ddos attack detection system based on svm-som combination and method thereof |
CN110224987A (en) * | 2019-05-08 | 2019-09-10 | 西安电子科技大学 | The construction method of Internet Intrusion Detection Model based on transfer learning, detection system |
CN110401675A (en) * | 2019-08-20 | 2019-11-01 | 绍兴文理学院 | An Uncertain DDoS Attack Defense Method in Sensing Cloud Environment |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113900817A (en) * | 2021-10-15 | 2022-01-07 | 广州电力通信网络有限公司 | Mirror image root server processing terminal processing method based on IPV6 energy industry |
CN113900817B (en) * | 2021-10-15 | 2022-09-13 | 广州电力通信网络有限公司 | Mirror image root server processing terminal processing method based on IPV6 energy industry |
CN114428960A (en) * | 2022-01-24 | 2022-05-03 | 东华大学 | ARP attack detection method based on single-source domain expansion and prior parameter migration |
CN114428960B (en) * | 2022-01-24 | 2024-04-30 | 东华大学 | ARP attack detection method based on single source field expansion and priori parameter migration |
CN114549476A (en) * | 2022-02-24 | 2022-05-27 | 上海可明科技有限公司 | A transfer learning target detection method for lipstick quality inspection |
CN114978720A (en) * | 2022-05-26 | 2022-08-30 | 沈阳理工大学 | An intelligent detection method for visual representation of distributed denial of service attacks |
CN116109627A (en) * | 2023-04-10 | 2023-05-12 | 广东省科技基础条件平台中心 | Defect detection method, device and medium based on migration learning and small sample learning |
Also Published As
Publication number | Publication date |
---|---|
CN111988340B (en) | 2022-04-29 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||