CN111988340A - Small sample DDoS attack detection method based on deep migration learning - Google Patents

Publication number
CN111988340A
Authority
CN
China
Prior art keywords
network
migration
ddos attack
neural network
sample
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010943146.5A
Other languages
Chinese (zh)
Other versions
CN111988340B (en)
Inventor
王会梅
何佳伟
刘建
鲜明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
National University of Defense Technology
Original Assignee
National University of Defense Technology

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods

Abstract

The invention provides a small sample DDoS attack detection method based on deep migration learning. The method comprises the following steps: selecting a sample data space of DDoS attacks with sufficient labeled samples as a source domain
Figure DDA0002674356250000011
training, in the source domain
Figure DDA0002674356250000012
a neural network cluster
Figure DDA0002674356250000013
selecting a sample data space of small sample DDoS attacks as a target domain
Figure DDA0002674356250000014
taking the neural network cluster
Figure DDA0002674356250000015
and, in the target domain
Figure DDA0002674356250000016
performing a migratability comparison experiment; calculating the migratability values and selecting the network $N_{max}$ with the highest migratability value; migrating it in the target domain
Figure DDA0002674356250000017
to obtain a migration network $N_T$; fine-tuning the parameters with the fine-tuning technique; and using the migration network $N_T$ in the target domain
Figure DDA0002674356250000018
to detect new small sample DDoS attacks. By means of deep migration learning, the invention migrates the parameters of a DDoS attack detection network that has sufficient labeled samples to small sample DDoS attack detection and fine-tunes them with the fine-tuning technique, so that the migration network makes better use of source domain knowledge to detect novel small sample attacks, which mitigates the performance deterioration caused by the scarcity of labeled samples in novel DDoS attack detection.

Description

Small sample DDoS attack detection method based on deep migration learning
Technical Field
The invention relates to the field of DDoS (Distributed Denial of Service) attack detection, in particular to a small sample DDoS attack detection method based on deep migration learning.
Background
DDoS attacks, that is, distributed denial of service attacks, rely on a large number of controlled zombie devices that send frequent requests to the attack target until the target's resources are completely consumed and the server finally crashes. Although the means of, and spending on, maintaining network security keep increasing, DDoS attack methods keep evolving and their destructiveness to the network ecosystem keeps growing. On one hand, the peak traffic of traditional congestion-based DDoS attacks rises year by year; on the other hand, new DDoS attacks are no longer limited to high-cost, low-yield flooding: attackers evade traditional detection techniques, including Deep Packet Inspection (DPI), by frequently changing the attack characteristics or by using small sample attack modes. For example, SYN Flood is the main DDoS attack method, but as the underground industry of the internet has moved onto platforms, the launching carrier of SYN Flood attacks has changed from massive numbers of zombie machines to packet-sending machines, which changes the attack characteristics. Besides flooding attacks, DDoS attacks also include a great number of protocol-based attack means such as HTTP Flood, UDP Flood and TCP Flood attacks.
Existing DDoS attack detection techniques fall into two types: misuse-based detection and anomaly-based detection. Misuse-based detection, also called rule-based detection, has high detection accuracy and a low false detection rate for known attacks, but its rules have to be written by people and it cannot effectively detect 0-day attacks. Anomaly-based detection can detect unknown DDoS attacks, including 0-day attacks, but it has a certain false alarm rate and relies excessively on features extracted from expert experience.
In recent years, researchers have used the good end-to-end characteristics of deep learning to detect DDoS attacks in ever-growing volumes of data. However, novel DDoS attacks have few labeled samples, so the detection performance of deep learning methods, which depend on labeled data, deteriorates. The invention therefore provides a small sample DDoS attack detection method based on deep transfer learning, which both uses the end-to-end advantage of deep learning and overcomes the deterioration of detection performance, and is very valuable for research on small sample DDoS attack detection techniques.
Disclosure of Invention
Aiming at the problems that the novel DDoS attack detection has few labeled samples and the performance is deteriorated when the detection is carried out based on a deep learning method, the invention provides a small sample DDoS attack detection method based on deep transfer learning, and the specific technical scheme is as follows:
comprises the following steps:
selecting the network messages of a DDoS attack with sufficient labeled samples as the source domain
Figure BDA0002674356230000021
and, in the source domain
Figure BDA0002674356230000022
training m basic neural networks whose performance reaches the standard, to form a neural network cluster
Figure BDA0002674356230000023
Selecting a sample data space of small sample DDoS attack as a target domain
Figure BDA0002674356230000031
taking the neural network cluster
Figure BDA0002674356230000032
and, in the target domain
Figure BDA0002674356230000033
carrying out migratability comparison experiments, and then calculating the migratability value of each basic neural network $N_i$, $i \in [1, m]$, $m \geq 2$;
comparing the migratability values, selecting the network $N_{max}$ with the largest migratability value and, in the target domain
Figure BDA0002674356230000034
carrying out a migration experiment to obtain a migration network $N_T$;
fine-tuning the parameters of the migration network $N_T$ with the fine-tuning technique;
in the target domain
Figure BDA0002674356230000035
training the migration network $N_T$;
using said migration network $N_T$ to carry out new small sample DDoS attack detection and obtain the detection performance value.
Further, the criterion that the performance of the basic neural network reaches the standard is whether a related performance threshold is reached, and the performance threshold is set to 95%; the calculation formula of the performance threshold is as follows:
Figure BDA0002674356230000036
wherein F1 represents the performance threshold; Pr denotes the precision of the basic neural network $N_i$ in detecting the target task; Re denotes the recall of the basic neural network $N_i$ in detecting the target task.
Further, for a basic neural network $N_i$, $i \in [1, m]$, $m \geq 2$, in the target domain
Figure BDA0002674356230000037
the migratability value is calculated by the formulas:
Figure BDA0002674356230000038
Figure BDA0002674356230000039
wherein
Figure BDA00026743562300000310
represents the migratability value of the basic neural network $N_i$ migrated to the target domain
Figure BDA00026743562300000311
$F1_j$ denotes the F1 performance value obtained after j epochs of training; $w_j$ represents the weight assigned to the performance value obtained in each training; $Pr_j$ indicates the precision after j epochs of training; $Re_j$ represents the recall after j epochs of training; E represents the last epoch of training.
Further, the specific operation of the migration experiment is as follows:
the parameters contained in the first l layers of the network $N_{max}$ are assigned to the first l layers of the migration network $N_T$, where
Figure BDA0002674356230000041
Wherein
Figure BDA0002674356230000042
represents the total number of layers of the migration network $N_T$, and
Figure BDA0002674356230000043
represents the total number of layers of the network $N_{max}$.
Further, fine-tuning the parameters of the migration network $N_T$ with the fine-tuning technique is specifically as follows: the parameters of the first l layers of the migration network $N_T$ are fine-tuned with a learning rate 1 to 2 orders of magnitude lower than the normal learning rate, the parameters of the other layers are updated at the normal learning rate, and the normal learning rate is set to 0.01.
Preferably, the network messages of the SYN type DDoS attack are selected as the source domain
Figure BDA0002674356230000044
and the sample data space of the LDAP type DDoS attack as the target domain
Figure BDA0002674356230000045
For the most effective basic neural network $N_i$, the total number of layers is 5, the number of neurons in each layer is 800, and the number of migration layers l is 3.
Further, the total number of layers of the basic neural network $N_i$ is 5 to 8, the number of neurons in each layer is 100 to 800, and the migration depth is 1 to 4.
The invention also provides a small sample DDoS attack detection device, which comprises:
one or more processors;
a memory for storing one or more programs;
when the one or more programs are executed by the one or more processors, the one or more processors are enabled to implement the small sample DDoS attack detection method described above.
In another aspect, the present invention further provides a computer storage medium, where computer program instructions are stored, and when the computer program instructions are executed by a processor, the method for detecting a small-sample DDoS attack is implemented.
Compared with the prior art, the invention has the beneficial effects that:
by utilizing deep migration learning, the DDoS attack detection network with sufficient marked samples is applied to small sample DDoS attack detection, and fine-tuning of parameters is carried out by combining with a fine-tuning technology, so that the migrated network can better utilize source domain knowledge to detect novel small sample attacks. Compared with the conventional method for detecting the DDoS attack by utilizing the deep learning technology, experiments prove that the method can well solve the problem of performance deterioration caused by few labeled samples in the novel DDoS attack detection. In addition, the invention directly detects the network message, has fine detection granularity and high identification accuracy.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings used in the description of the embodiments will be briefly introduced below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without inventive efforts, wherein:
fig. 1 is a flowchart of a small sample DDoS attack detection method based on deep migration learning according to the present invention;
FIG. 2 is a schematic diagram of deep migration of an underlying neural network;
FIG. 3 is a schematic diagram illustrating comparison of migratable performance of different neural network clusters in a target domain calculated in a simulation experiment;
fig. 4 is a schematic diagram illustrating comparison of performance of detecting small sample DDoS attacks by combining a migration network calculated in a simulation experiment with a fine-tuning technology.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments.
In the invention, "sufficient labeled samples" means that the features of the labeled data are uniformly distributed and the data volume is large, so that the constructed neural network cluster can be trained for enough epochs (usually 20) and its performance changes little over the last several epochs. Small samples are the opposite: the amount of labeled sample data is generally small, so the sample feature distribution is uneven and the neural network cluster cannot be trained sufficiently. $N_i$, $i \in [1, m]$, $m \geq 2$, denotes a well-trained neural network on the source domain, that is, a basic neural network that reaches the performance threshold; $N_{max}$ denotes the network with the largest migratability value in the migratability comparison experiment; $N_T$ denotes the migration network obtained by migrating $N_{max}$.
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
Fig. 1 is a flowchart of a small-sample DDoS attack detection method based on deep migration learning according to the present invention. The method comprises the following specific steps:
Step 1: select a representative DDoS attack with sufficient labeled samples as the source domain
Figure BDA0002674356230000061
In the source domain
Figure BDA0002674356230000062
m basic neural networks whose performance reaches the standard are constructed and trained to form a neural network cluster
Figure BDA0002674356230000063
In particular embodiments, a SYN type DDoS attack may be selected as the source domain
Figure BDA0002674356230000064
This type is representative of DDoS attacks, appeared early and is highly harmful to networks, and its labeled samples are sufficient, so it is well suited as source domain data. Each basic neural network $N_i$, $i \in [1, m]$, $m \geq 2$, whose performance reaches the standard represents a well-trained basic neural network on the source domain. The basic neural network $N_i$ can be represented by the following equations:
Figure BDA0002674356230000071
Figure BDA0002674356230000072
In the above formulas,
Figure BDA0002674356230000073
represents the objective function of the basic neural network $N_i$; $parameters_l$ represents the parameter set of layer l of the basic neural network; $h_l$ represents the l-th hidden layer of the basic neural network; L represents the total number of layers of the basic neural network; x represents the training data input to the basic neural network; σ(·) represents the activation function used by the basic neural network. The two expressions above state that the input sample x is multiplied by the weights of the first layer of the basic neural network and passed through the activation function, and the result is the input of the second layer. When the input has finally been propagated to the last layer, the objective function value is obtained through the softmax(·) function.
In general, the most common performance indexes of a basic neural network are the precision and recall of target task detection, where precision (the accuracy rate) is how many of the identified results are correct, and recall is how many of the correct results were identified. With unevenly distributed samples, however, the two indexes can contradict each other. To evaluate detection performance comprehensively, the invention uses a performance threshold F1, which relates precision and recall, as the performance evaluation index of the neural network cluster
Figure BDA0002674356230000074
If the performance threshold F1 is set to 90%, whether the detection capability of a network is qualified is determined by whether it reaches the performance threshold F1, and networks whose detection capability does not meet the standard are discarded. In the most preferred embodiment of the invention, the performance threshold F1 is set to 95%. F1 can be calculated with the following formulas:
Figure BDA0002674356230000081
Figure BDA0002674356230000082
Figure BDA0002674356230000083
wherein F1 represents a performance threshold; pr represents the accuracy rate of the neural network in the target task detection; re represents the recall rate of the neural network in the detection of the target task. TP represents the prediction of the positive class as the number of the positive classes; FP represents the false positive of predicting a negative class as a positive class number; FN denotes predicting a positive class as a negative class number. Because the migration effects of different basic neural network structures are different, the migration effect can be different in the source domain
Figure BDA0002674356230000084
A plurality of basic neural networks are constructed to form a neural network cluster for selection of migration experiments.
Step 2: select the sample data space of a small sample DDoS attack as the target domain
Figure BDA0002674356230000085
take the neural network cluster
Figure BDA0002674356230000086
and, in the target domain
Figure BDA0002674356230000087
carry out a migratability comparison experiment and calculate the migratability values.
In the migratability comparison experiment, after training in the source domain
Figure BDA0002674356230000088
the neural network cluster
Figure BDA0002674356230000089
has each of its basic neural networks $N_i$ migrated to the target domain
Figure BDA00026743562300000810
Specifically, migration can be understood as assigning the weights of the trained basic neural network $N_i$ to a new network. For example, consider migrating the basic neural network $N_i$, $i \in [1, m]$, which was trained on the source domain
Figure BDA00026743562300000811
In that case the parameters contained in the first L-1 layers of $N_i$ are fixed and only the last output layer is allowed to update. The migratability comparison experiment of the invention requires fixing all parameters of the basic neural network $N_i$, $i \in [1, m]$, except those of the output layer, i.e.
Figure BDA00026743562300000812
To quantitatively compare the different basic neural networks in the target domain
Figure BDA00026743562300000813
we then calculate, for each basic neural network $N_i$, its migratability value
Figure BDA0002674356230000091
because the migratability value comprehensively indicates the migration effect of a network in the target domain
Figure BDA0002674356230000092
The larger the migratability value, the better the migration effect. The migratability value of the basic neural network $N_i$
Figure BDA0002674356230000093
is calculated using the following formulas:
Figure BDA0002674356230000094
Figure BDA0002674356230000095
wherein
Figure BDA0002674356230000096
represents the migratability value of the basic neural network $N_i$ migrated to the target domain
Figure BDA0002674356230000097
$F1_j$ represents the performance value after j epochs of training, and $w_j$ represents the weight assigned to each performance value. $Pr_j$ indicates the precision after j epochs of training, $Re_j$ indicates the recall after j epochs of training, and E represents the last epoch of training.
Step 3: in the target domain
Figure BDA0002674356230000098
select the network whose migratability value
Figure BDA0002674356230000099
is largest, $N_{max}$, and migrate $N_{max}$ in the target domain
Figure BDA00026743562300000910
to obtain the migration network $N_T$.
After the migratability comparison experiment, in order to select from the neural network cluster
Figure BDA00026743562300000911
the network with the best migratability in the target domain
Figure BDA00026743562300000912
namely $N_{max}$, the invention designs a parameter that quantifies migratability
Figure BDA00026743562300000913
that is, the migratability value. Finally, it is only necessary to select the network $N_{max}$ whose migratability value
Figure BDA00026743562300000914
Figure BDA00026743562300000915
is largest in order to screen out, for the target domain
Figure BDA00026743562300000916
the network with the best performance.
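The selection in Steps 1 to 3 can be written as a short routine. The following is an added example, not code from the patent: it applies the F1 gate on the source domain, scores each remaining network by a weighted average of its per-epoch F1 on the target domain, and picks $N_{max}$. Assumptions: precision, recall and F1 use the standard definitions over TP, FP and FN; the epoch weights are supplied by the caller because the weight formula is not reproduced on this page; all counts are constructed, and the network names only borrow the W/H naming of the simulation section.

```python
"""Steps 1-3 as a selection routine (added example; all counts are constructed)."""


def precision_recall_f1(tp, fp, fn):
    """Pr, Re and F1 from confusion counts; 0.0 instead of dividing by zero."""
    pr = tp / (tp + fp) if tp + fp else 0.0
    re = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * pr * re / (pr + re) if pr + re else 0.0
    return pr, re, f1


def migratability(target_epochs, weights):
    """Weighted average of the per-epoch F1 values measured on the target domain.

    target_epochs: [(tp, fp, fn), ...] for epochs 1..E of the comparison
    experiment (all layers fixed except the output layer).
    weights: w_1..w_E. ASSUMPTION: chosen by the caller and normalised here.
    """
    if not weights or len(target_epochs) != len(weights):
        raise ValueError("need exactly one weight per epoch")
    if min(weights) < 0 or sum(weights) == 0:
        raise ValueError("weights must be non-negative and not all zero")
    f1s = [precision_recall_f1(*counts)[2] for counts in target_epochs]
    return sum(w * f for w, f in zip(weights, f1s)) / sum(weights)


def select_n_max(cluster, weights, f1_threshold=0.95):
    """Return (name of N_max, {name: migratability}) over the qualified networks."""
    scores = {}
    for name, runs in cluster.items():
        # Step 1 gate: discard networks whose source-domain F1 misses the threshold.
        if precision_recall_f1(*runs["source"])[2] < f1_threshold:
            continue
        # Step 2: score the migration of this network to the target domain.
        scores[name] = migratability(runs["target_epochs"], weights)
    if len(scores) < 2:
        raise ValueError("the comparison needs m >= 2 qualified networks")
    # Step 3: N_max is the network with the largest migratability value.
    return max(scores, key=scores.get), scores


# Constructed sample results: (TP, FP, FN) on the source domain after training,
# and per epoch on the target domain during the comparison experiment.
CLUSTER = {
    "W800H5": {"source": (970, 20, 30),
               "target_epochs": [(80, 20, 20), (90, 10, 10), (95, 5, 5)]},
    "W100H8": {"source": (960, 30, 40),
               "target_epochs": [(60, 40, 40), (70, 30, 30), (90, 10, 10)]},
    # Predicts no positives in epoch 1: F1 is 0.0 there, not a ZeroDivisionError.
    "W400H7": {"source": (980, 10, 10),
               "target_epochs": [(0, 0, 100), (50, 10, 50), (90, 10, 10)]},
    # Best target numbers, but source F1 = 0.90 < 0.95, so it never competes.
    "W200H6": {"source": (900, 100, 100),
               "target_epochs": [(99, 1, 1), (99, 1, 1), (99, 1, 1)]},
}
WEIGHTS = [1, 2, 3]  # ASSUMPTION: later epochs count more

if __name__ == "__main__":
    best, scores = select_n_max(CLUSTER, WEIGHTS)
    for name, value in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{name}: migratability {value:.4f}")
    print("N_max =", best)
```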
Then the network $N_{max}$ is migrated in the target domain
Figure BDA00026743562300000917
in a migration experiment to obtain the migration network $N_T$. The migration formula is:
Figure BDA00026743562300000918
wherein
Figure BDA00026743562300000919
represents the k-th layer parameters of the network $N_{max}$, and
Figure BDA00026743562300000920
represents the k-th layer parameters of the network $N_T$.
Step 4: fine-tune the migration network $N_T$ with the fine-tuning technique, i.e. update the parameters of the first l layers of $N_T$ with a small learning rate; then, in the target domain
Figure BDA00026743562300000921
train the migration network $N_T$.
The formula for fine-tuning the parameters of the migration network $N_T$ is expressed as:
Figure BDA0002674356230000101
wherein
Figure BDA0002674356230000102
represents the parameter set of the k-th layer of the network $N_T$; lr' represents the learning rate set for fine-tuning, which in the invention is generally 1 to 2 orders of magnitude lower than the normal learning rate, the normal learning rate generally being set to 0.01. This not only retains the knowledge carried over by the migration, but also makes the migrated network $N_T$ better adapted to the target domain
Figure BDA0002674356230000103
In the target domain
Figure BDA0002674356230000104
the migration network $N_T$ is trained to obtain the performance values of its first and last training
Figure BDA0002674356230000105
The specific formula is expressed as:
Figure BDA0002674356230000106
wherein
Figure BDA0002674356230000107
represents the performance value of the migration network $N_T$ at the i-th training, and E represents the last training;
Figure BDA0002674356230000108
represents the precision of the migration network $N_T$ at the i-th training;
Figure BDA0002674356230000109
represents the recall of the migration network $N_T$ at the i-th training.
Comparing the performance values after the first training shows how quickly the migration network $N_T$ starts up, and comparing the performance values after the last training shows the final performance of the migration network $N_T$.
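The migration and fine-tuning of Steps 3 and 4 come down to two operations: copy the first l layers of $N_{max}$ into $N_T$, then update those layers with lr' while the remaining layers use the normal learning rate. The following is an added example, not code from the patent, written in dependency-free Python rather than the PyTorch used in the experiments. Assumptions: a toy fully connected network with sigmoid hidden layers, per-sample SGD, constructed data and layer sizes, re-initialisation of the layers that are not migrated, and the 0.01 / 0.001 learning rates quoted on the page.

```python
import copy
import math
import random


def init_net(sizes, rng):
    """One (W, b) pair per layer; W[j][i] links input i to unit j."""
    return [([[rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_out)],
             [0.0] * n_out) for n_in, n_out in zip(sizes, sizes[1:])]


def forward(net, x):
    """Activations of every layer: sigmoid hidden layers, softmax output."""
    acts = [x]
    for k, (W, b) in enumerate(net):
        z = [sum(w * a for w, a in zip(row, acts[-1])) + bj for row, bj in zip(W, b)]
        if k < len(net) - 1:
            acts.append([1.0 / (1.0 + math.exp(-v)) for v in z])
        else:
            e = [math.exp(v - max(z)) for v in z]
            acts.append([v / sum(e) for v in e])
    return acts


def loss(net, x, y):
    """Cross-entropy of one sample; y is the class index (0 benign, 1 attack)."""
    return -math.log(forward(net, x)[-1][y])


def gradients(net, x, y):
    """Backpropagation of the cross-entropy loss: one (dW, db) pair per layer."""
    acts = forward(net, x)
    delta = [p - (1.0 if j == y else 0.0) for j, p in enumerate(acts[-1])]
    grads = [None] * len(net)
    for k in range(len(net) - 1, -1, -1):
        grads[k] = ([[d * a for a in acts[k]] for d in delta], list(delta))
        if k > 0:  # push the error back through layer k and the sigmoid below it
            W = net[k][0]
            back = [sum(W[j][i] * delta[j] for j in range(len(delta)))
                    for i in range(len(acts[k]))]
            delta = [g * a * (1.0 - a) for g, a in zip(back, acts[k])]
    return grads


def sgd_step(net, x, y, lrs):
    """One in-place SGD update with a separate learning rate for every layer."""
    for (W, b), (dW, db), lr in zip(net, gradients(net, x, y), lrs):
        for j, row in enumerate(W):
            b[j] -= lr * db[j]
            for i in range(len(row)):
                row[i] -= lr * dW[j][i]


def transfer(n_max, l, rng):
    """Build N_T: first l layers copied from N_max, the others re-initialised."""
    if not 1 <= l < len(n_max):  # this example always re-trains the output layer
        raise ValueError("l must be between 1 and the layer count minus one")
    sizes = [len(n_max[0][0][0])] + [len(W) for W, _ in n_max]
    n_t = init_net(sizes, rng)
    n_t[:l] = copy.deepcopy(n_max[:l])
    return n_t


def layer_lrs(depth, l, lr=0.01, lr_ft=0.001):
    """lr' for the l transferred layers, lr for the rest; lr_ft=0.0 freezes them."""
    return [lr_ft if k < l else lr for k in range(depth)]


def train(net, data, lrs, epochs):
    """Per-sample SGD over the data; returns the mean loss after each epoch."""
    history = []
    for _ in range(epochs):
        for x, y in data:
            sgd_step(net, x, y, lrs)
        history.append(sum(loss(net, x, y) for x, y in data) / len(data))
    return history


def toy_domain(rng, n, offset):
    """Constructed stand-in for labelled packets: 4 features, label 1 = attack."""
    data = []
    for _ in range(n):
        y = rng.randrange(2)
        data.append(([0.8 * y + 0.2 * rng.random(), rng.random(), offset, rng.random()], y))
    return data


if __name__ == "__main__":
    rng = random.Random(7)
    n_max = init_net([4, 8, 8, 8, 2], rng)      # toy sizes, not the page's W800H5
    train(n_max, toy_domain(rng, 200, 0.0), layer_lrs(4, 0), 20)  # source domain
    target = toy_domain(rng, 20, 0.5)           # few labelled target samples
    n_t = transfer(n_max, 3, rng)
    print("fine-tuned N_T loss per epoch:", train(n_t, target, layer_lrs(4, 3), 10))
```

Passing `lr_ft=0.0` to `layer_lrs` reproduces the frozen-parameter setting of the migratability comparison experiment, in which only the layers that were not migrated are updated.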
Step 5: use the trained migration network $N_T$ to carry out new small sample DDoS attack detection and obtain the detection performance value.
For small sample DDoS detection, the per-training performance values of the pure deep learning technique are compared with those of the deep migration technique, which combines it with the migration learning technique. Deep migration learning improves the initial performance of the network and gives better final detection performance, which is verified in the final migration experiment results of the invention.
Referring to fig. 2, fig. 2 illustrates the 4 ways of migrating from the source domain to the target domain in deep migration learning: freezing network parameters, fine-tuning network parameters, initializing network parameters, and fine-tuning the network structure. It also shows the two modes of the fine-tuning technique: one fine-tunes the parameters of the migrated network; the other fine-tunes the structure of the migrated network. In migration learning, if the neural network trained on the old task (source domain) is applied to the new task (target domain) without changing the parameters trained on the network neurons, the network parameters are frozen, for example the black dots of the migration network in fig. 2. If the parameters on the neurons can be updated for the new task with a smaller learning rate, the network parameters are fine-tuned (one kind of fine-tuning technique), for example the grey part of the migration network in fig. 2. If the neuron parameters are initialized completely at random and the parameters the network trained in the old task are not used, the network parameters are initialized, for example the white dots of the migration network in fig. 2. If the final output of the new task differs from that of the old task, e.g. the old task is a three-class problem and the new task is a four-class problem, the network structure needs to be fine-tuned (the other kind of fine-tuning technique), for example the dotted circle portion of the migration network in fig. 2. In the invention, the source domain
Figure BDA0002674356230000111
and the target domain
Figure BDA0002674356230000112
are both two-class DDoS attack detection problems, and the network structure of the migration network does not need to be fine-tuned, so migration uses the parameter fine-tuning mode of the fine-tuning technique.
Referring to fig. 3 and 4, fig. 3 is a schematic diagram illustrating comparison of migratable performance of a neural network cluster in four target domains calculated in a simulation experiment; fig. 4 is a schematic diagram of performance of detecting a small-sample DDoS attack by a migration network combined with a fine-tuning technology calculated in a simulation experiment.
The simulation experiment system is configured as follows: the operating system is Ubuntu 16.04 64-bit with 64 GB memory, the software framework is PyTorch, and the GPU accelerator is an Nvidia RTX 2080 Ti. The basic parameter settings of the simulation experiment are as follows: the training batch size is 500 and the loss function is the cross entropy loss function. The optimizer is the stochastic gradient descent optimizer built into PyTorch. The training learning rate is set to 0.01, and the learning rate during fine-tuning is set to 0.001. 80% of the data in the data set is the training data set and the remainder is the validation data set. In the source domain
Figure BDA0002674356230000121
the data set is the SYN type DDoS attack; in the target domain
Figure BDA0002674356230000122
the data set is the LDAP type DDoS attack.
Referring to fig. 3 again, fig. 3 shows the detection performance obtained when 16 basic neural networks, after being trained to detect the SYN type DDoS attack in the source domain, have their first N-1 layers (all except the output layer) migrated to the small sample DDoS attack in the target domain. In the experiment, the LDAP DDoS attack is selected as the target domain data: this attack appeared later, so the amount of labeled sample data is small and meets the small sample requirement. In fig. 3, the abscissa is the number of training epochs of the basic neural network, and the ordinate is the performance score of the network after the current epoch. Fig. 3 shows the training performance of the 16 basic neural networks in the target domain. H5, H6, H7 and H8 indicate that the total number of layers of the neural network is 5, 6, 7 and 8, respectively. W100, W200, W400 and W800 indicate 100, 200, 400 and 800 neurons per layer, respectively. Fig. 3 shows that, in the LDAP type DDoS attack target domain, the neural network with 5 layers and 800 neurons per layer has the best migratability; that is, the W800H5 type network has the highest migratability value and the best final detection performance value.
Referring again to fig. 4, it shows the training effect of migrating different numbers of layers of the W800H5 type network, with and without fine-tuning, after the sample data size of the LDAP type DDoS attack is reduced by 10 times. The ordinate is the performance value of DDoS attack detection, and the abscissa is the number l of leading layers migrated from the W800H5 type network, the network with the best migratability; every abscissa point of the graph (except point 0) carries 10 circular points and 10 triangular points. The 10 circular points are the performance values of 10 epochs of training after migrating the first l layers of the W800H5 type network without fine-tuning, while the 10 triangular points are the same case with the fine-tuning technique added. To avoid overlap, the circular points and the triangular points are offset to the left and right, respectively. Comparing fig. 4 with the performance curve of W800H5 in fig. 3 shows that the detection performance of all networks degrades to different degrees when the number of DDoS attack training samples is reduced. This is consistent with the low accuracy of DDoS detection when few attack samples are available in real situations. For a network with all layer parameters randomly initialized, the final detection performance drops from 96.8% to 75%. The triangular points in fig. 4 show that, with the fine-tuning technique, the network performance on the target domain is better than that of a migration network without fine-tuning. Furthermore, the maximum detection performance of 85.8% is reached with l = 3 migration layers, while with l = 4 migration layers the performance improves by 81.4% compared with that without fine-tuning. The deep migration network method combined with the fine-tuning technique can therefore better remedy the detection performance deterioration caused by the insufficient sample size of new attacks.
An example device implementing embodiments of the invention may include one or more Central Processing Units (CPUs) that may perform various appropriate actions and processes according to computer program instructions stored in a Read Only Memory (ROM) or loaded from a storage unit into a Random Access Memory (RAM). In the RAM, various programs and data required for the operation of the device can also be stored. The CPU, ROM, and RAM are connected to each other via a bus. An input/output (I/O) interface is also connected to the bus.
A plurality of components in the device are connected to the I/O interface, including: an input unit such as a keyboard, a mouse, etc.; an output unit such as various types of displays, speakers, and the like; storage units such as magnetic disks, optical disks, and the like; and a communication unit such as a network card, modem, wireless communication transceiver, etc. The communication unit allows the device to exchange information/data with other devices via a computer network such as the internet and/or various telecommunication networks.
The above described method may for example be performed by a processing unit of a device. For example, in some embodiments, the methods may be implemented as a computer software program tangibly embodied on a machine-readable medium, such as a storage unit. In some embodiments, part or all of the computer program may be loaded and/or installed onto the device via ROM and/or the communication unit. When the computer program is loaded into RAM and executed by a CPU, it may perform one or more of the actions of the method described above.
However, it will be appreciated by a person skilled in the art that the execution of the steps of the method is not limited to the order shown in the figures and described above, but may be executed in any other reasonable order or may be executed in parallel. In addition, the device does not necessarily include all the components described above, it may include only some of the components necessary to perform the functions described in the present invention, and the connection manner of the components may also be varied. For example, in the case where the device is a portable device such as a cellular phone, it may have a different structure than that described above.
With the scheme of the invention, a DDoS attack detection network trained with sufficient labeled samples is applied to small-sample DDoS attack detection, and the fine-tuning technique is used to fine-tune its parameters, so that the migration network can better use the source domain knowledge to detect novel small-sample attacks. Compared with conventional methods that detect DDoS attacks using deep learning, experiments prove that the method effectively solves the performance deterioration caused by the scarcity of labeled samples in the detection of novel DDoS attacks. In addition, the invention inspects network messages directly, giving fine detection granularity and high identification accuracy.
The present invention may be methods, apparatus, systems and/or computer program products. The computer program product may include a computer-readable storage medium having computer-readable program instructions embodied therein for carrying out aspects of the present invention.
The computer readable storage medium may be a tangible device that can hold and store the instructions for use by the instruction execution device. The computer readable storage medium may be, for example, but not limited to, an electronic memory device, a magnetic memory device, an optical memory device, an electromagnetic memory device, a semiconductor memory device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a Static Random Access Memory (SRAM), a portable compact disc read-only memory (CD-ROM), a Digital Versatile Disc (DVD), a memory stick, a floppy disk, a mechanical coding device, such as punch cards or in-groove projection structures having instructions stored thereon, and any suitable combination of the foregoing. Computer-readable storage media as used herein is not to be construed as transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission medium (e.g., optical pulses through a fiber optic cable), or electrical signals transmitted through electrical wires.
The computer-readable program instructions described herein may be downloaded from a computer-readable storage medium to a respective computing/processing device, or to an external computer or external storage device via a network, such as the internet, a local area network, a wide area network, and/or a wireless network. The network may include copper transmission cables, fiber optic transmission, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. The network adapter card or network interface in each computing/processing device receives computer-readable program instructions from the network and forwards the computer-readable program instructions for storage in a computer-readable storage medium in the respective computing/processing device.
The computer program instructions for carrying out operations of the present invention may be assembler instructions, Instruction Set Architecture (ISA) instructions, machine-related instructions, microcode, firmware instructions, state setting data, or source or object code written in any combination of one or more programming languages, including an object oriented programming language such as Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The computer-readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider). In some embodiments, aspects of the present invention are implemented by personalizing an electronic circuit, such as a programmable logic circuit, a Field Programmable Gate Array (FPGA), or a Programmable Logic Array (PLA), with state information of computer-readable program instructions, which can execute the computer-readable program instructions.
These computer-readable program instructions may be provided to a processing unit of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processing unit of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer-readable program instructions may also be stored in a computer-readable storage medium that can direct a computer, programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer-readable medium storing the instructions comprises an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer, other programmable apparatus or other devices implement the functions/acts specified in the flowchart and/or block diagram block or blocks.
The above-described embodiments of the present invention should not be construed as limiting the scope of the present invention, and any modifications, equivalents, improvements, etc. made within the spirit and principle of the present invention should be included in the scope of the claims of the present invention.

Claims (9)

1. A small-sample DDoS attack detection method based on deep migration learning, characterized by comprising the following steps:
selecting network messages of a DDoS attack with sufficient labeled samples as the source domain
Figure FDA0002674356220000011
in the source domain
Figure FDA0002674356220000012
training m basic neural networks whose performance reaches the standard, to form a neural network cluster
Figure FDA0002674356220000013
selecting the sample data space of a small-sample DDoS attack as the target domain
Figure FDA0002674356220000014
for the neural network cluster
Figure FDA0002674356220000015
in the target domain
Figure FDA0002674356220000016
carrying out migratability comparison experiments, and then calculating the migratability performance value of each basic neural network N_i, i ∈ [1, m], m ≥ 2;
comparing the migratability performance values, selecting the network N_max with the largest migratability performance value, and in the target domain
Figure FDA0002674356220000017
carrying out a migration experiment to obtain a migration network N_T;
performing parameter fine-tuning on the migration network N_T using the fine-tuning technique;
in the target domain
Figure FDA0002674356220000018
training the migration network N_T;
using the migration network N_T to carry out detection of new small-sample DDoS attacks and obtain the detection performance value.
2. The small-sample DDoS attack detection method based on deep migration learning of claim 1, characterized in that: the criterion for whether the performance of a basic neural network reaches the standard is whether the relevant performance threshold is reached, and the performance threshold is set to 95%; the calculation formula of the performance threshold is as follows:
Figure FDA0002674356220000019
wherein F1 represents the performance threshold; Pr denotes the accuracy of the basic neural network N_i in target task detection; Re denotes the recall rate of the basic neural network N_i in target task detection.
3. The small-sample DDoS attack detection method based on deep migration learning of claim 2, characterized in that: the migratability performance value of the basic neural network N_i, i ∈ [1, m], m ≥ 2, in the target domain
Figure FDA0002674356220000021
is calculated as follows:
Figure FDA0002674356220000022
Figure FDA0002674356220000023
wherein
Figure FDA0002674356220000024
represents the migratability performance value of the basic neural network N_i migrated to the target domain
Figure FDA0002674356220000025
F1_j denotes the F1 performance value obtained after j epochs of training, and w_j denotes the weight assigned to the performance value obtained by each training; Pr_j denotes the accuracy after j epochs of training, and Re_j denotes the recall rate after j epochs of training; e denotes the last training epoch.
4. The small-sample DDoS attack detection method based on deep migration learning of claim 3, characterized in that: the specific operation of the migration experiment is as follows:
the parameters contained in the first l layers of the network N_max are assigned to the first l layers of the migration network N_T, where
Figure FDA0002674356220000026
wherein
Figure FDA0002674356220000027
represents the total number of layers of the migration network N_T, and
Figure FDA0002674356220000028
represents the total number of layers of the network N_max.
5. The small-sample DDoS attack detection method based on deep migration learning of claim 4, characterized in that: the parameter fine-tuning of the migration network N_T using the fine-tuning technique is specifically as follows: the parameters of the first l layers of the migration network N_T are fine-tuned with a learning rate 1-2 orders of magnitude lower than the normal learning rate, the parameters of the other layers are updated at the normal learning rate, and the normal learning rate is set to 0.01.
6. The small-sample DDoS attack detection method based on deep migration learning of claim 5, characterized in that: network messages of the SYN-type DDoS attack are selected as the source domain
Figure FDA0002674356220000029
the sample data space of the LDAP-type DDoS attack is selected as the target domain
Figure FDA0002674356220000031
the basic neural network with the best application effect has a total of 5 neural network layers and 800 neurons per layer, and the number l of migration layers is 3.
7. The small-sample DDoS attack detection method based on deep migration learning of claim 5, characterized in that: the basic neural network N_i has a total of 5-8 neural network layers, each layer has 100-800 neurons, and the migration depth is 1-4.
8. A small-sample DDoS attack detection device, characterized by comprising:
one or more processors;
a memory for storing one or more programs;
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the small-sample DDoS attack detection method of any one of claims 1-7.
9. A computer storage medium having computer program instructions stored thereon which, when executed by a processor, implement the small-sample DDoS attack detection method of any one of claims 1-7.
CN202010943146.5A 2020-09-09 2020-09-09 Small sample DDoS attack detection method based on deep migration learning Active CN111988340B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010943146.5A CN111988340B (en) 2020-09-09 2020-09-09 Small sample DDoS attack detection method based on deep migration learning

Publications (2)

Publication Number Publication Date
CN111988340A (en) 2020-11-24
CN111988340B (en) 2022-04-29

Family

ID=73450425

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010943146.5A Active CN111988340B (en) 2020-09-09 2020-09-09 Small sample DDoS attack detection method based on deep migration learning

Country Status (1)

Country Link
CN (1) CN111988340B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180152475A1 (en) * 2016-11-30 2018-05-31 Foundation Of Soongsil University-Industry Cooperation Ddos attack detection system based on svm-som combination and method thereof
CN110224987A (en) * 2019-05-08 2019-09-10 西安电子科技大学 The construction method of Internet Intrusion Detection Model based on transfer learning, detection system
CN110401675A (en) * 2019-08-20 2019-11-01 绍兴文理学院 Uncertain ddos attack defence method under a kind of sensing cloud environment

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113900817A (en) * 2021-10-15 2022-01-07 广州电力通信网络有限公司 Mirror image root server processing terminal processing method based on IPV6 energy industry
CN113900817B (en) * 2021-10-15 2022-09-13 广州电力通信网络有限公司 Mirror image root server processing terminal processing method based on IPV6 energy industry
CN114428960A (en) * 2022-01-24 2022-05-03 东华大学 ARP attack detection method based on single-source domain expansion and prior parameter migration
CN114428960B (en) * 2022-01-24 2024-04-30 东华大学 ARP attack detection method based on single source field expansion and priori parameter migration
CN114978720A (en) * 2022-05-26 2022-08-30 沈阳理工大学 Intelligent detection method for visual representation of distributed denial of service attack
CN116109627A (en) * 2023-04-10 2023-05-12 广东省科技基础条件平台中心 Defect detection method, device and medium based on migration learning and small sample learning

Also Published As

Publication number Publication date
CN111988340B (en) 2022-04-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant