CN112417446A - Software defined network anomaly detection architecture - Google Patents
Software defined network anomaly detection architecture Download PDFInfo
- Publication number
- CN112417446A CN112417446A CN202011460949.1A CN202011460949A CN112417446A CN 112417446 A CN112417446 A CN 112417446A CN 202011460949 A CN202011460949 A CN 202011460949A CN 112417446 A CN112417446 A CN 112417446A
- Authority
- CN
- China
- Prior art keywords
- layer
- data
- flow
- model
- cnn
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/045—Combinations of networks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- Software Systems (AREA)
- General Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Health & Medical Sciences (AREA)
- Biomedical Technology (AREA)
- Data Mining & Analysis (AREA)
- Evolutionary Computation (AREA)
- Biophysics (AREA)
- Molecular Biology (AREA)
- Computing Systems (AREA)
- Computational Linguistics (AREA)
- Artificial Intelligence (AREA)
- Mathematical Physics (AREA)
- Life Sciences & Earth Sciences (AREA)
- Health & Medical Sciences (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention relates to the technical field of network completion, in particular to a software defined network anomaly detection framework with better detection effect, which comprises a data acquisition module, a Software Defined Network (SDN), a data transmission module and an anomaly detection module; the data acquisition module acquires flow; the SDN separates a control plane from a data forwarding plane in the SDN network; the data transmission module is mainly used for classifying the flow, finding abnormal flow and acquiring an abnormal detection report; the anomaly detection module is mainly used for carrying out feature extraction and flow classification on the acquired flow; the invention combines the bidirectional gating recursion unit and the convolutional neural network, constructs the software defined network anomaly detection system structure, and continuously optimizes the software defined network anomaly detection system structure, thereby ensuring the network safety as much as possible and improving the reliability of the detection system structure.
Description
Technical Field
The invention relates to the technical field of network completion, in particular to a software defined network anomaly detection framework.
Background
With the increasing popularity of the internet, the degree of informatization is also increasing. In addition, the number of internet users is also rapidly increasing, and more convenient lives can be sought through the internet. Since people's lives depend on the network greatly, the traditional network architecture cannot meet the current network traffic demand. In addition, some abnormal situations may be encountered, such as web attacks, pop-up advertising windows, network outages during online transactions, etc. Once a problem occurs, not only the user experience is affected, but also more serious loss is caused, and even the safety of individuals or countries is threatened. Particularly, in the network information era, the higher the network scale and complexity is, the more common and diversified the abnormal phenomenon of network traffic will be, and how to effectively detect the abnormal situation becomes a hot problem.
Network anomaly detection is a classification process that separates network traffic into normal traffic and abnormal traffic. This process needs to be performed without affecting the normal operation of the user. Once abnormal traffic is detected, it needs to react immediately to ensure a better user experience. The traditional abnormal detection method mainly distinguishes by setting a threshold value, and once the flow is lower than the threshold value, the flow is considered to be normal flow; otherwise, it is determined to be abnormal. Although this approach is simple and low cost, performance is still poor in current and future increasingly complex network environments. The occurrence of the machine learning technology provides an algorithm with higher performance for anomaly detection to a certain extent, particularly the deep learning technology overcomes the defect that the traditional machine learning needs to manually set a related value, and realizes automatic extraction, but the prior art still has the problem that anomaly cannot be effectively detected due to the scale and complexity of a network.
Disclosure of Invention
In view of the above disadvantages, the present invention aims to provide a software-defined network anomaly detection architecture, in which a deep learning technique is used in an anomaly detection module to assist in anomaly classification, and a bidirectional gating recursion unit BGRU and a convolutional neural network CNN technique are combined to improve the performance of a detection architecture.
The technical scheme adopted by the invention for solving the technical problems is as follows:
a software defined network anomaly detection architecture comprises a data acquisition module, a Software Defined Network (SDN), a data transmission module and an anomaly detection module; the data acquisition module is mainly used for acquiring flow; the SDN mainly separates a control plane from a data forwarding plane in the SDN, controls the whole network resource through the control plane and sends an instruction to the data forwarding plane to complete data forwarding, and provides a telescopic and dynamic system structure for the detection work of an abnormality detection module; the data transmission module is mainly used for classifying the flow, finding abnormal flow, acquiring an abnormal detection report, updating the abnormal flow under the condition of not influencing a client and ensuring that the normal flow can be continuously diffused; the anomaly detection module is mainly used for carrying out feature extraction and flow classification on the collected flow.
Further, the data forwarding plane acquires flow information of the data acquisition module through an OpenFlow protocol, then transmits the information to a controller of the control layer to extract features, and finally transmits the information back to the anomaly detection module.
Further, the SDN comprises an application layer, a control layer, and an infrastructure layer; the infrastructure layer forwards the flow in the switch by using the network equipment, collects flow state information and feeds the flow state information back to an upper control layer through an interface; after the information reaches the control layer, the controller at the control layer arranges and processes state information and network resources, interacts with the upper application layer, and realizes control of network exchange through an interface for application programs and deployment of various services, such as cloud computing, intrusion detection systems, intrusion prevention systems, security monitoring and load balancing.
Because the convolutional neural network CNN has higher classification capability, the accuracy of abnormal flow classification can be improved by adding the CNN into the abnormal detection module; in addition, the network traffic anomaly is dynamic, and needs relatively quick response time, so that the time step needs to be considered, and the SDN anomaly detection system structure is optimized by combining the bidirectional gating recursion units BGRU and CNN, and the monitoring precision is improved. The detection model of the abnormality detection module adopts a BGRU-CNN model, and the BGRU-CNN model comprises an input layer, a BGRU layer, a CNN layer and a classifier; the input layer is used for inputting data information; the BGRU layer is mainly used for controlling input data through an update gate and a reset gate to realize time sequence characteristic extraction of flow; the CNN layer mainly extracts the characteristics of the information flow; the classifier is used for classifying the characteristic value information obtained by the CNN.
Specifically, the BGRU model in the BGRU layer is constructed by embedding a gated cyclic unit GRU into a bidirectional cyclic neural network so as to capture information in both positive and negative directions; the GRU comprises an updating gate and a resetting gate, and a gate control mechanism is used for controlling input and information needing to be stored so as to predict at the current time step; the update gate mainly defines the amount of memory previously saved to the current time step, and the reset gate combines the new information with the previous information; the two gating vectors determine which information can be used as the output of the GRU, and the information can be stored in the sequence for a long time, so that the information cannot be eliminated along with the time, and cannot be deleted because of being irrelevant to prediction; the bidirectional recurrent neural network can process information more flexibly by adding a hidden layer for passing information from back to front, and the hidden state of the bidirectional recurrent neural network at each time step depends on subsequences before and after the time step (including the input of the current time step).
Furthermore, the CNN layer selects subdata from the input information, then extracts local features of the subdata, the local features form feature values of all data, and the CNN layer structurally comprises a plurality of convolution layers, a pooling layer and a full-connection layer; the convolution layer is mainly used for local sensing and weight sharing, namely upper layer features are extracted to carry out convolution operation with convolution kernels, so that features after convolution are obtained, the smaller the convolution kernels are, the more complex the model is, and the more comprehensive the extracted feature information is; the pooling layer is used for sampling operations, typically using maximum pooling or average pooling, before which the number of extracted features does not change; the full-connection layer is used for integrating the features after the convolution for many times, then normalization is carried out, a probability is output for various classification conditions, and the classifier classifies the features according to the probability obtained by the full-connection layer. Compared with other networks, the network has the greatest advantages that under the condition that the network depth is the same, the parameters are fewer, and the data are easier to train; meanwhile, as long as the data set is large enough, the precision of the method can be greatly improved.
On this basis, three modules of the SDN network need to be tested, and the detection process is as follows:
s1: preprocessing data; the method comprises the steps of carrying out data conversion on original data, and then carrying out standardization and normalization; because the collected data may have different measurement scales, directly inputting the model increases the processing difficulty, and therefore the data needs to be preprocessed and standardized;
s2, dividing a data set generated after data preprocessing into a training set and a testing set;
s3, inputting the training set into a BGRU-CNN model and a continuous optimization model, and achieving an optimal state through learning training;
and S4, inputting the test set into the BGRU-CNN model, and verifying the detection effect.
When the CNN layer obtains the characteristic value information, classifying the characteristic value information by using a Softmax function, wherein the formula (1) is as follows:
wherein z is the output of the previous layer, Softmax is the input, the dimension is C, S is the probability that the prediction object belongs to the second CCC class, and e is the base number of the natural logarithm function in mathematics.
The performance of the model is then verified by accuracy a, accuracy P, recall R, F1 scores, and the confusion matrix values. The first four indices can be expressed by formula (2), formula (3), formula (4), and formula (5):
in the formula: TP, namely True Positive represents the model to judge the correct attack packet quantity; TN, namely True Negative represents the number of normal data packets judged to be correct by the model; FP, namely False Positive, represents the number of normal data packets which are judged by the model to be wrong; FN, namely False Negative represents the number of attack packets which are judged by the model to be wrong; f1 is scored as the average value of the accuracy and the recall ratio and is used for accurately evaluating the model; the confusion matrix matches the model classification results with the actual situation.
The invention has the technical effects that:
compared with the prior art, the software defined network anomaly detection architecture combines the bidirectional gating recursion unit BGRU and the convolutional neural network CNN to construct a software defined network SDN anomaly detection architecture, and is optimized continuously, network safety is guaranteed as far as possible, and reliability of the detection architecture is improved. The result shows that the network architecture provided by the invention can greatly improve the detection precision, the performance of the network architecture is different due to different CNN layer numbers, when a double-layer CNN structure is selected, the performance of the network architecture is the best in all algorithm models, particularly, the precision of BGRU-CNN-2 reaches 98.7%, and the effectiveness of the method is verified. Under deep learning, the BGRU-CNN model is used for exploring and optimizing SDN abnormity detection, and the method has important significance for future information transmission safety and improvement of network service quality.
Drawings
FIG. 1 is a schematic diagram of the overall architecture of the present invention;
FIG. 2 is a schematic diagram of a Software Defined Network (SDN) architecture of the present invention;
FIG. 3 is a schematic diagram of the BGRU-CNN model architecture of the present invention;
FIG. 4 is a schematic diagram of the CNN architecture of the convolutional neural network of the present invention;
FIG. 5 is a schematic diagram of the anomaly detection process of the present invention;
FIG. 6 is a comparison of accuracy for each algorithm model of the present invention;
FIG. 7 is a graph comparing recall rates of various algorithm models of the present invention;
FIG. 8 is a comparison graph of the overall performance evaluation of the algorithm models of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention are clearly and completely described below with reference to the drawings of the specification.
Example 1:
as shown in fig. 1, the software defined network anomaly detection architecture according to this embodiment includes a data acquisition module, a software defined network SDN, a data transmission module, and an anomaly detection module; the data acquisition module is mainly used for acquiring flow; the SDN mainly separates a control plane from a data forwarding plane in the SDN, controls the whole network resource through the control plane and sends an instruction to the data forwarding plane to complete data forwarding, and provides a telescopic and dynamic system structure for the detection work of an abnormality detection module; the data transmission module is mainly used for classifying the flow, finding abnormal flow, acquiring an abnormal detection report, updating the abnormal flow under the condition of not influencing a client and ensuring that the normal flow can be continuously diffused; the anomaly detection module is mainly used for carrying out feature extraction and flow classification on the collected flow.
Specifically, the data forwarding plane acquires flow information of the data acquisition module through an OpenFlow protocol, then transmits the information to a controller of the control layer to extract features, and finally transmits the information back to the anomaly detection module.
As shown in fig. 2, the SDN includes an application layer, a control layer, and an infrastructure layer; the infrastructure layer forwards the flow in the switch by using the network equipment, collects flow state information and feeds the flow state information back to an upper control layer through an Application Program Interface (API); after the information reaches the control layer, the controller at the control layer arranges and processes state information and network resources, interacts with the upper application layer, and realizes control of network exchange through an interface for application programs and deployment of various services, such as cloud computing, intrusion detection systems, intrusion prevention systems, security monitoring and load balancing.
Because the convolutional neural network CNN has higher classification capability, the accuracy of abnormal flow classification can be improved by adding the CNN into the abnormal detection module; in addition, the network traffic anomaly is dynamic, and needs relatively quick response time, so that the time step needs to be considered, and the SDN anomaly detection system structure is optimized by combining the bidirectional gating recursion units BGRU and CNN, and the monitoring precision is improved. As shown in fig. 3, the detection model of the abnormality detection module adopts a BGRU-CNN model, which includes an input layer, a BGRU layer, a CNN layer, and a classifier; the input layer is used for inputting data information; the BGRU layer is mainly used for controlling input data through an update gate and a reset gate to realize time sequence characteristic extraction of flow; the CNN layer mainly extracts the characteristics of the information flow; the classifier is used for classifying the characteristic value information obtained by the CNN.
The construction of the BGRU model in the BGRU layer is to embed a gate control cycle unit GRU into a bidirectional cyclic neural network so as to capture information in both positive and negative directions; the GRU comprises an updating gate and a resetting gate, and a gate control mechanism is used for controlling input and information needing to be stored so as to predict at the current time step; the update gate mainly defines the amount of memory previously saved to the current time step, and the reset gate combines the new information with the previous information; the two gating vectors determine which information can be used as the output of the GRU, and the information can be stored in the sequence for a long time, so that the information cannot be eliminated along with the time, and cannot be deleted because of being irrelevant to prediction; the bidirectional recurrent neural network can process information more flexibly by adding a hidden layer for passing information from back to front, and the hidden state of the bidirectional recurrent neural network at each time step depends on subsequences before and after the time step (including the input of the current time step).
As shown in fig. 3 and 4, the CNN layer selects sub-data from the input information, and then extracts local features thereof, where a plurality of local features form feature values of all data, and the structure thereof includes a plurality of convolution layers, a pooling layer, and a full connection layer; in fig. 4, C1 and C3 represent convolutional layers, which are mainly used for local sensing and weight sharing, that is, upper layer features are extracted to perform convolution operation with convolution kernels, so as to obtain convolved features, and the smaller the convolution kernels are, the more complex the model is, and the more comprehensive the extracted feature information is; s2 and S4 are pooling layers, which are used for sampling operations, typically using maximum pooling or average pooling, before which the number of extracted features does not change; the fully-connected layer is used for integrating the features after multiple convolutions, then normalization is carried out, a probability is output for various classification conditions, the classifier is used for classifying according to the probability obtained by the fully-connected layer, and NN in figure 4 represents an output layer and represents output data of the network. Compared with other networks, the network has the greatest advantages that under the condition that the network depth is the same, the parameters are fewer, and the data are easier to train; meanwhile, as long as the data set is large enough, the precision of the method can be greatly improved.
On this basis, three modules of the SDN network need to be tested, as shown in fig. 5, the anomaly detection process is as follows:
s1: preprocessing data; the method comprises the steps of carrying out data conversion on original data, and then carrying out standardization and normalization; because the collected data may have different measurement scales, directly inputting the model increases the processing difficulty, and therefore the data needs to be preprocessed and standardized;
s2, dividing a data set generated after data preprocessing into a training set and a testing set;
s3, inputting the training set into a BGRU-CNN model and a continuous optimization model, and achieving an optimal state through learning training;
and S4, inputting the test set into the BGRU-CNN model, and verifying the detection effect.
When the CNN layer obtains the characteristic value information, classifying the characteristic value information by using a Softmax function, wherein the formula (1) is as follows:
wherein z is the output of the previous layer, Softmax is the input, the dimension is C, S is the probability that the prediction object belongs to the second CCC class, and e is the base number of the natural logarithm function in mathematics.
The performance of the model is then verified by accuracy a, accuracy P, recall R, F1 scores, and the confusion matrix values. The first four indices can be expressed by formula (2), formula (3), formula (4), and formula (5):
in the formula: TP (true Positive) represents the number of attack packets judged by the model correctly; TN (TN negative) represents the number of normal data packets judged by the model to be correct; FP (false positive) represents the number of normal data packets which are judged by the model to be wrong; FN (false negative) represents the number of attack packets which are judged by the model to be wrong; f1 is scored as the average value of the accuracy and the recall ratio and is used for accurately evaluating the model; the confusion matrix is mainly used for matching the model classification result with the actual situation.
The software-defined network anomaly detection architecture of the embodiment is trained and tested on a Windows 10 system with Intel (R) i5-7500, 3.40GHz and 8GB memories, and the learning rate is set to 0.00001. In addition, optimization is carried out by using an optimizer such as SGD, Adam, RMSProp, Adadelta and the like.
Using KDD99 and the KSL-KDD dataset for analysis, the following different algorithmic models were compared: only a BGRU layer; one layer, two layers and three layers of CNN, a BGRU-CNN-1 structure (single-layer CNN), a BGRU-CNN-2 structure (two-layer CNN) and a BGRU-CNN-3 structure (three-layer CNN). When the accuracy, precision, recall rate and F1 score of the data set are evaluated, the accuracy of KDD99 and KSL-KDD data sets are found to reach more than 97%; the accuracy rate reaches more than 99.4 percent, the recall rate is 96.69 percent and 97.31 percent respectively, and the F1 score is 0.9804 and 0.9856 respectively. Thus, while each time the data sets are trained, the results will be different, the two data sets will yield better results when using the BGRU-CNN model. In addition, the overall performance index of KSL-KDD is slightly superior to that of KDD. Thus, the present embodiment uses the KSL-KDD dataset to accomplish subsequent work.
After passing through the Soft-max classifier, the data set can be classified into 5 types: normal, DOS, U2R, R2L, Probe. When the BGRU-CNN model is used for analysis, 5 different abnormal conditions are compared, and the comparison result is as follows:
the accuracy is analyzed, the obtained result is shown in FIG. 6, and as can be seen from FIG. 6, the accuracy of BGRU-CNN-2 is obviously superior to that of other models, and the accuracy of Normal, DOS and Probe is higher than that of other two models; by comparing BGRU-CNN-1, BGRU-CNN-2 and BGRU-CNN-3, more CNN convolution layers are not necessarily helpful for obtaining better results, and the results show that the accuracy of BGRU-CNN-3 is lower than that of BGRU-CNN-2, and the performance of the model after mixing BGRU and CNN is obviously better than that of the model using BGRU and CNN independently;
the recall ratio is analyzed, the result is shown in fig. 7, and as can be seen from fig. 7, the recall ratio of the BGRU-CNN-2 reaches the maximum value in Normal, DOS, U2R and Probe categories, and the recall ratio of the BGRU-CNN hybrid model is higher than that of the simple algorithm.
The algorithm model is tested and evaluated on a test set, the overall performance of the algorithm model is evaluated, and the obtained result is shown in fig. 8, and the result of the structural evaluation of fig. 8 shows that the performance of the BGRU-CNN hybrid algorithm model is superior to that of the simple algorithm model, wherein the BGRU-CNN-2 is superior to the BGRU-CNN-1 and BGRU-CNN-3 models; of all simple algorithms, the two-layer CNN algorithm model is superior to the other algorithms. Therefore, the double-layered CNN structure can exhibit a good classification effect. When combined with BGRU, the test works best in all algorithm models.
In summary, a better effect can be obtained by selecting an appropriate number of CNN layers. In addition, the performance of combining the BGRU and CNN algorithms is obviously superior to that of other algorithms. The BGRU-CNN hybrid algorithm can better perform anomaly detection, the effectiveness of the hybrid algorithm is proved, and the algorithm model is applied to SDN anomaly detection, so that the service quality of network flow is improved.
In the application process, the SDN can rapidly deploy various networks, adapt to different network requirements and meet the updating of service requirements; the SDN can manage the whole network in a centralized way, the global situation is focused, and the change of the whole network environment is controllable; the SDN system structure can realize dynamic programming and configuration, and automatically distribute and process service requests, thereby reducing error rate and optimizing service availability and reliability.
The above embodiments are only specific examples of the present invention, and the protection scope of the present invention includes but is not limited to the product forms and styles of the above embodiments, and any suitable changes or modifications made by those skilled in the art according to the claims of the present invention shall fall within the protection scope of the present invention.
Claims (8)
1. A software-defined network anomaly detection architecture, characterized by: the system comprises a data acquisition module, a Software Defined Network (SDN), a data transmission module and an abnormality detection module; the data acquisition module acquires flow; the SDN separates a control plane from a data forwarding plane in the SDN, controls the whole network resource through the control plane and sends an instruction to the data forwarding plane to complete data forwarding, and provides a telescopic and dynamic system structure for the detection work of an abnormality detection module; the data transmission module classifies the flow, finds abnormal flow, obtains an abnormal detection report, and updates the abnormal flow under the condition of not influencing customers; and the anomaly detection module is used for carrying out feature extraction and flow classification on the acquired flow.
2. The software defined network anomaly detection architecture of claim 1, wherein: the SDN comprises an application layer, a control layer and an infrastructure layer; the infrastructure layer forwards the flow in the switch by using the network equipment, collects flow state information and feeds the flow state information back to an upper control layer through an interface; after the information reaches the control layer, the controller at the control layer will arrange and process the state information and network resources, interact with the upper application layer, and implement the control of network exchange through the interface for the application program and deployment of various services.
3. The software defined network anomaly detection architecture of claim 2, wherein: the data forwarding plane acquires flow information of the data acquisition module through an OpenFlow protocol, then transmits the information to the controller of the control layer to extract characteristics, and finally transmits the information back to the anomaly detection module.
4. The software defined network anomaly detection architecture of any one of claims 1-3, wherein: the detection model of the abnormality detection module adopts a BGRU-CNN model, and the BGRU-CNN model comprises an input layer, a BGRU layer, a CNN layer and a classifier; the input layer is used for inputting data information; the BGRU layer controls input data through an update gate and a reset gate to realize time sequence characteristic extraction of flow; the CNN layer extracts the characteristics of the information flow; the classifier is used for classifying the characteristic value information obtained by the CNN.
5. The software defined network anomaly detection architecture of claim 4, wherein: the CNN layer comprises a plurality of convolution layers, a pooling layer and a full-connection layer; the convolution layer is used for local sensing and weight sharing, namely upper layer features and convolution kernels are extracted for convolution operation, and therefore features after convolution are obtained; the pooling layer is used for sampling operation; the full-connection layer is used for integrating the features after the convolution for multiple times, then normalizing the features and outputting a probability for various classification conditions; and the classifier classifies according to the probability obtained by the full connection layer.
6. The software defined network anomaly detection architecture of claim 5, wherein: when the CNN layer obtains the characteristic value information, classifying the characteristic value information by using a Softmax function, wherein the formula (1) is as follows:
wherein z is the output of the previous layer, Softmax is the input, the dimension is C, S is the probability that the prediction object belongs to the second CCC class, and e is the base number of the natural logarithm function in mathematics.
7. The software defined network anomaly detection architecture of claim 4, 5 or 6, wherein: three modules of the SDN network are tested, and the detection process is as follows:
s1: preprocessing data; the method comprises the steps of carrying out data conversion on original data, and then carrying out standardization and normalization;
s2, dividing a data set generated after data preprocessing into a training set and a testing set;
s3, inputting the training set into a BGRU-CNN model and a continuous optimization model, and achieving an optimal state through learning training;
and S4, inputting the test set into the BGRU-CNN model, and verifying the detection effect.
8. The software defined network anomaly detection architecture of claim 7, wherein: verifying the performance of the model through the accuracy A, the accuracy P, the recall R, F1 score and the confusion matrix value; the first four indices can be expressed by formula (2), formula (3), formula (4), and formula (5):
in the formula: TP, namely True Positive represents the model to judge the correct attack packet quantity; TN, namely True Negative represents the number of normal data packets judged to be correct by the model; FP, namely False Positive, represents the number of normal data packets which are judged by the model to be wrong; FN, namely False Negative represents the number of attack packets which are judged by the model to be wrong; f1 is scored as the average value of the accuracy and the recall ratio and is used for accurately evaluating the model; the confusion matrix matches the model classification results with the actual situation.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011460949.1A CN112417446A (en) | 2020-12-12 | 2020-12-12 | Software defined network anomaly detection architecture |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011460949.1A CN112417446A (en) | 2020-12-12 | 2020-12-12 | Software defined network anomaly detection architecture |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN112417446A true CN112417446A (en) | 2021-02-26 |
Family
ID=74775643
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011460949.1A Pending CN112417446A (en) | 2020-12-12 | 2020-12-12 | Software defined network anomaly detection architecture |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112417446A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113240098A (en) * | 2021-06-16 | 2021-08-10 | 湖北工业大学 | Fault prediction method and device based on hybrid gated neural network and storage medium |
| CN114675999A (en) * | 2022-03-25 | 2022-06-28 | 苏州浪潮智能科技有限公司 | Data recovery method, data recovery device, electronic device, and storage medium |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107885999A (en) * | 2017-11-08 | 2018-04-06 | 华中科技大学 | A kind of leak detection method and system based on deep learning |
| CN109376242A (en) * | 2018-10-18 | 2019-02-22 | 西安工程大学 | Text classification algorithm based on Recognition with Recurrent Neural Network variant and convolutional neural networks |
| CN109981691A (en) * | 2019-04-30 | 2019-07-05 | 山东工商学院 | A kind of real-time ddos attack detection system and method towards SDN controller |
| CN110784481A (en) * | 2019-11-04 | 2020-02-11 | 重庆邮电大学 | DDoS detection method and system based on neural network in SDN network |
-
2020
- 2020-12-12 CN CN202011460949.1A patent/CN112417446A/en active Pending
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107885999A (en) * | 2017-11-08 | 2018-04-06 | 华中科技大学 | A kind of leak detection method and system based on deep learning |
| CN109376242A (en) * | 2018-10-18 | 2019-02-22 | 西安工程大学 | Text classification algorithm based on Recognition with Recurrent Neural Network variant and convolutional neural networks |
| CN109981691A (en) * | 2019-04-30 | 2019-07-05 | 山东工商学院 | A kind of real-time ddos attack detection system and method towards SDN controller |
| CN110784481A (en) * | 2019-11-04 | 2020-02-11 | 重庆邮电大学 | DDoS detection method and system based on neural network in SDN network |
Non-Patent Citations (1)
| Title |
|---|
| 周枫等: ""基于BGRU池的卷积神经网络文本分类模型"", 《计算机科学》 * |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113240098A (en) * | 2021-06-16 | 2021-08-10 | 湖北工业大学 | Fault prediction method and device based on hybrid gated neural network and storage medium |
| CN114675999A (en) * | 2022-03-25 | 2022-06-28 | 苏州浪潮智能科技有限公司 | Data recovery method, data recovery device, electronic device, and storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108520357B (en) | Method and device for judging line loss abnormality reason and server | |
| KR102522005B1 (en) | Apparatus for VNF Anomaly Detection based on Machine Learning for Virtual Network Management and a method thereof | |
| CN109298993B (en) | Method and device for detecting fault and computer readable storage medium | |
| WO2019214309A1 (en) | Model test method and device | |
| CN109034194B (en) | Transaction fraud behavior deep detection method based on feature differentiation | |
| CN107426741B (en) | Wireless sensor network fault diagnosis method based on immune mechanism | |
| CN106845526B (en) | A kind of relevant parameter Fault Classification based on the analysis of big data Fusion of Clustering | |
| JP7116103B2 (en) | Method, Apparatus, and Device for Predicting Optical Module Failure | |
| CN109639734B (en) | Abnormal flow detection method with computing resource adaptivity | |
| EP3475911A1 (en) | Life insurance system with fully automated underwriting process for real-time underwriting and risk adjustment, and corresponding method thereof | |
| CN111191720B (en) | Service scene identification method and device and electronic equipment | |
| WO2022199185A1 (en) | User operation inspection method and program product | |
| CN115237717A (en) | Micro-service abnormity detection method and system | |
| CN108683564A (en) | A kind of network (WSN) emulation system credibility evaluation method based on Multidimensional decision-making attribute | |
| CN112783682A (en) | Abnormal automatic repairing method based on cloud mobile phone service | |
| CN113408548A (en) | Transformer abnormal data detection method and device, computer equipment and storage medium | |
| CN108319672A (en) | Mobile terminal malicious information filtering method and system based on cloud computing | |
| CN111726351B (en) | Bagging-improved GRU parallel network flow abnormity detection method | |
| CN110808995B (en) | Safety protection method and device | |
| CN111970151A (en) | Flow fault positioning method and system for virtual and container network | |
| JP2007243459A (en) | Traffic state extracting apparatus and method, and computer program | |
| CN105516206A (en) | Network intrusion detection method and system based on partial least squares | |
| US11677613B2 (en) | Root-cause analysis and automated remediation for Wi-Fi authentication failures | |
| CN112417446A (en) | Software defined network anomaly detection architecture | |
| CN113343123A (en) | Training method and detection method for generating confrontation multiple relation graph network |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20210226 |
|
| RJ01 | Rejection of invention patent application after publication |