CN113098910A - Network intrusion detection method and system based on space-time granularity and three-width learning - Google Patents

Abstract

The invention relates to a network intrusion detection method and a system based on space-time granularity and three-width learning. The method comprises the following steps: step S1, collecting flow data from the network data flow, and constructing three characteristic data sets of time granularity, space granularity and data content after space-time granularity division; step S2, inputting the obtained three granularity characteristics into a three-width learning system; step S3, extracting high-dimensional features of each granularity by using a basic unit width learning model, wherein the high-dimensional features mainly comprise mapping features of feature nodes and enhanced nodes; step S4, connecting the three granularity characteristics in parallel to serve as the final extracted total characteristic; step S5, solving a global optimal solution by using a ridge regression generalized inverse algorithm to obtain a weight matrix, and storing the weight matrix; and step S6, inputting the data to be detected into the trained three-width learning model to obtain a classification result. The invention combines the incidence relation between the time-space multidimensional data and detects the network data flow through the granularity fusion of the three-width learning, thereby improving the detection precision.

Description

Network intrusion detection method and system based on space-time granularity and three-width learning

Technical Field

The invention relates to the field of intrusion detection and machine learning, in particular to a network intrusion detection method and a network intrusion detection system based on space-time granularity and three-width learning.

Background

The influence of the internet is continuously increasing and network services are widely used. The user size and economic benefits of online entertainment, online travel and online education have increased dramatically compared to the past. Meanwhile, countless network devices and application programs and explosive network data make the network environment become more and more complex, and great hidden danger is brought to network security. Network criminals are increasingly sophisticated in preempting the benefits of internet openness and are pushing attacks at an alarming rate. Therefore, network security has become an important issue that must be solved in the information-based construction of all departments. Network traffic data contains a large amount of time, space, load and statistics. Data analysis from different granularities may provide different contributions to anomaly detection and analysis results. For anomalous attacks of different protocols or services, anomalies may only be reflected in data related to several protocols or services, while other data is normal. Putting all data together for analysis can affect the judgment of the model on abnormal phenomena. Therefore, it is necessary to extract data features from different temporal and spatial granularities.

Disclosure of Invention

The invention aims to provide a network intrusion detection method based on space-time granularity and three-width learning, which combines the incidence relation among space-time multidimensional data and detects network data streams through granularity fusion, thereby improving the precision of a plurality of detection indexes.

In order to achieve the purpose, the technical scheme of the invention is as follows: a network intrusion detection method based on space-time granularity and three-width learning comprises the following steps:

step S1, collecting flow data from the network data flow, dividing according to the space-time granularity, and constructing three characteristic data sets of time granularity, space granularity and data content;

step S2, improving the BLS to be expanded to a three-width learning structure, and inputting three granularity characteristics;

step S3, extracting high-dimensional features of each granularity respectively by using a width learning basic unit, wherein the high-dimensional features comprise feature node mapping features and enhanced node mapping features;

step S4, connecting the three granularity characteristics in parallel to be used as the final extracted total characteristics;

step S5, solving a global optimal solution by using a ridge regression generalized inverse algorithm to obtain a weight matrix, and storing the weight matrix;

and step S6, inputting the data to be detected into the trained three-width learning model to obtain a classification result.

In an embodiment of the present invention, in step S2, the three-width learning structure is a three-width learning model with BLS as a basic unit, and the three-width learning structure is composed of three BLS units and is used for handling fusion problems with different granularities.

In an embodiment of the present invention, the step S3 specifically includes: assuming that Z and H represent the feature node and the enhancement node, respectively, and subscripts T, S and D represent the temporal granularity, the spatial granularity, and the data content, respectively, the feature expression for the temporal granularity is A_T＝[Z_T|H_T]The characteristic expression of the spatial granularity is A_S＝[Z_S|H_S]The characteristic expression of the data content is A_D＝[Z_D|H_D]。

In an embodiment of the present invention, the step S4 specifically includes: assuming that the number of input samples of the three-width learning model is N, the number of feature nodes is N, the number of enhancement nodes is m, mapping the three granularity features to the same sample space, and extracting the total feature of F^N×3(n+m)＝[A_T ^N×(n+m)|A_S ^N×(n+m)|A_D ^N×(n+m)]。

In an embodiment of the present invention, the feature nodes and the enhanced nodes representing the time granularity may be represented as:

and

representsThe feature nodes and enhancement nodes of spatial granularity may be represented as:

and

the feature nodes and enhancement nodes representing data content may be represented as:

and

wherein z is_i＝δ(X·W_ei+β_ei)，

h_j＝ξ(Zⁿ·W_hj+β_hj)，z_iRepresents the ith characteristic node, h_jRepresenting the jth enhancement node, X being given input data, W_eiRandom initialization using He initialization method, and W_hjAfter He initialization, orthogonal normalization is carried out, beta_eiAnd beta_hjRandom initialization, δ and ξ represent the activation functions.

In an embodiment of the present invention, the step S5 specifically includes: the weight matrix W can be expressed as: w^3(n+m)＝[F^{N ×3(n+m)}]⁺Y, to avoid overfitting, W can be calculated by a ridge regression formula, such that the matrix is nonsingular, the formula being as follows:

W^3(n+m)＝[(F^N×3(n+m))^TF^N×3(n+m)+CI]^-1(F^N×3(n+m))^TY

where Y is the sample label matrix, C is a normal number, and I is an identity matrix, F^N×3(n+m)Is the total feature extracted in step S4.

The invention also provides a network intrusion detection system based on space-time granularity and three-width learning, which comprises a flow data acquisition module, a space-time granularity division module and a three-width learning module;

the flow data acquisition module is used for acquiring flow data from a network data stream;

the space-time granularity division module is used for dividing the acquired flow data according to the space-time granularity and constructing three characteristic data sets of the time granularity, the space granularity and the data content;

the three-width learning module obtains the trained three-width learning model by constructing a three-width learning model based on three BLS as basic units and training three characteristic data sets, and further realizes the classification detection of data to be detected.

Compared with the prior art, the invention has the following beneficial effects: the invention combines the incidence relation between the time-space multidimensional data, detects the network data flow through granularity fusion, and remarkably improves the detection precision compared with a typical width learning algorithm.

Drawings

FIG. 1 is a schematic flow chart of a method according to an embodiment of the present invention.

FIG. 2 is a schematic diagram of spatiotemporal granularity data partitioning according to an embodiment of the present invention.

Fig. 3 is a three-width learning configuration diagram of an embodiment of the present invention.

Fig. 4 is a three-width dimensional model of an embodiment of the invention.

FIG. 5 is a three-width learning two-class detection performance analysis (UNSW-NB15 dataset) of an embodiment of the present invention.

FIG. 6 is a three-width learning two-class detection performance analysis (CIC-IDS2017 dataset) of an embodiment of the present invention.

FIG. 7 is a three-width learning multi-class detection performance analysis (UNSW-NB15 dataset) of an embodiment of the present invention.

FIG. 8 is a three-width learning multi-class detection performance analysis (CIC-IDS2017 dataset) of an embodiment of the present invention.

Detailed Description

The technical scheme of the invention is specifically explained below with reference to the accompanying drawings.

The invention provides a network intrusion detection method based on space-time granularity and three-width learning, which comprises the steps of preprocessing public UNSW-NB15 and CIC-IDS2017 data sets; then, dividing the data into three characteristic data sets, namely time granularity, space granularity and data content; retraining a three-wide learning system (TBLS) to correctly combine the relationship between the spatio-temporal granularities; and finally, carrying out anomaly detection on the real-time flow by adopting a trained three-width anomaly flow detection model. As shown in fig. 1, the method specifically comprises the following steps:

step (1): collecting network flow and preprocessing the network flow;

converting attribute values of the protocol feature, the service feature and the status feature into numerical values for the UNSW-NB15 dataset; for CIC-IDS2017 data set, the data set of the day of Wednesday is selected, and redundant and abnormal feature items are removed, such as: fwd Header Length, Flow Packets/s, and Flow Packets/s.

Step (2): and (3) dividing space-time granularity data:

as shown in fig. 2, for the corresponding meaning of each feature item in the data set, the features belonging to the space-time granularity are extracted, the features belonging to the space granularity are extracted, and the rest are used as the data content;

and (3): learning in three widths;

as shown in fig. 3 and 4, a width learning system (BLS) is modified and expanded to three-width learning, and three granularity features are input; respectively extracting high-dimensional features of each granularity by using a width learning unit, wherein the high-dimensional features mainly comprise feature node mapping features and enhanced node mapping features; connecting three granularity characteristics in parallel to serve as the total characteristics extracted finally; and solving a global optimal solution by using a ridge regression generalized inverse algorithm to obtain a weight matrix, and storing the weight matrix.

Preferably, in this embodiment, the three-width learning structure specifically includes: the three-width learning structure is a three-width learning model taking BLS as a basic unit, mainly comprises three BLS units and is used for processing fusion problems with different granularities.

Preferably, in this embodiment, the feature extraction of each granularity is specifically: assuming that Z and H represent the feature node and the enhancement node, respectively, and subscripts T, S and D represent temporal granularity, spatial granularity, and data content, the feature expression for temporal granularity is A_T＝[Z_T|H_T]The characteristic expression of the spatial granularity is A_S＝[Z_S|H_S]The characteristic expression of the data content is A_D＝[Z_D|H_D]。

Preferably, in this embodiment, the final characteristics are specifically: assuming that the number of input samples of the three-width model is N, the number of feature nodes is N, the number of enhancement nodes is m, mapping the three granularity features to the same sample space, and extracting the total feature as F^N×3(n+m)＝[A_T ^N×(n+m)|A_S ^N×(n+m)|A_D ^N×(n+m)]。

Preferably, in this embodiment, the feature node and the enhanced node representing the time granularity may be respectively represented as:

and

similarly, the spatial granularity and data content may be expressed as:

and

and

wherein z is_i＝δ(X·W_ei+β_ei)，

h_j＝ξ(Zⁿ·W_hj+β_hj)，z_iRepresents the ith characteristic node, h_jRepresenting the jth enhancement node, X being given input data, W_eiRandom initialization using He initialization method, and W_hjAfter He initialization, orthogonal normalization is carried out, beta_eiAnd beta_hjRandom initialization, δ and ξ represent the activation functions.

Preferably, in this embodiment, the weight matrix W is: w^3(n+m)＝[F^N×3(n+m)]⁺Y, to avoid overfitting, W can be calculated by a ridge regression formula, making the matrix non-singular, the formula being: w^3(n+m)＝[(F^N×3(n+m))^TF^N×3(n+m)+CI]^-1(F^N×3(n+m))^TY, where Y is the sample label matrix, C is a normal number, and I is an identity matrix.

And (4): testing flow data;

and performing the same data preprocessing and granularity division on the flow data to be tested, ensuring the characteristic dimension same as that of the training data set, and then transmitting the characteristic dimension into the trained three-width model for detection.

Preferably, in the simulation experiment process of the embodiment, the training set and the test set provided by the UNSW-NB15 data set are adopted; for CIC-IDS2017(Wed.) data set, 20% of training set and 80% of test set were used. All experiments were performed using an Intel Xeon CPU with 2.60GHz and 16GB RAM, Python 3.7 running on a Ubuntu LTS 16.04-64 bit operating system. In addition, to ensure the reliability of the experimental data, the average value and the standard deviation of 20 runs are taken as the final experimental result. Fig. 5 and 6 are detection results of the two classifications, and it can be found that in the two data sets, each evaluation index of the three-width learning is optimal and different, and compared with the typical width learning, the standard deviation is smaller, and the value representing the three-width learning is closer to the average value, i.e. the data is more accurate. Fig. 7 and 8 show the multi-classification detection results, and all the evaluation indexes are optimal, which illustrates that the multi-classification accuracy can be improved well by the three-width learning model.

The above description is only a preferred embodiment of the present invention, and all equivalent changes and modifications made in accordance with the claims of the present invention should be covered by the present invention.

Claims (7)

1. A network intrusion detection method based on space-time granularity and three-width learning is characterized by comprising the following steps:

step S1, collecting flow data from the network data flow, dividing according to the space-time granularity, and constructing three characteristic data sets of time granularity, space granularity and data content;

step S2, improving the BLS to be expanded to a three-width learning structure, and inputting three granularity characteristics;

step S3, extracting high-dimensional features of each granularity respectively by using a width learning basic unit, wherein the high-dimensional features comprise feature node mapping features and enhanced node mapping features;

step S4, connecting the three granularity characteristics in parallel to be used as the final extracted total characteristics;

step S5, solving a global optimal solution by using a ridge regression generalized inverse algorithm to obtain a weight matrix, and storing the weight matrix;

and step S6, inputting the data to be detected into the trained three-width learning model to obtain a classification result.

2. The method of claim 1, wherein in step S2, the three-width learning structure is a three-width learning model with BLS as basic unit, and the three-width learning structure is composed of three BLS units and is used for handling fusion problems with different granularities.

3. The method for detecting network intrusion based on spatio-temporal granularity and three-width learning according to claim 1, wherein the step S3 specifically comprises: let Z and H denote the feature node and the enhancement node, respectively, and subscripts T, S and D denote temporal granularity, space, respectivelyGranularity and data content, the characteristic expression of the time granularity is A_T＝[Z_T|H_T]The characteristic expression of the spatial granularity is A_S＝[Z_S|H_S]The characteristic expression of the data content is A_D＝[Z_D|H_D]。

4. The method for detecting network intrusion based on spatio-temporal granularity and three-width learning according to claim 3, wherein the step S4 specifically comprises: assuming that the number of input samples of the three-width learning model is N, the number of feature nodes is N, the number of enhancement nodes is m, mapping the three granularity features to the same sample space, and extracting the total feature of F^N×3(n+m)＝[A_T ^N×(n+m)|A_S ^N×(n+m)|A_D ^N×(n+m)]。

5. The method of claim 4, wherein the feature nodes and the enhanced nodes representing the time granularity are respectively expressed as:

and

the feature nodes and enhancement nodes representing spatial granularity may be represented as:

and

the feature nodes and enhancement nodes representing data content may be represented as:

and

wherein z is_i＝δ(X·W_ei+β_ei)，

h_j＝ξ(Zⁿ·W_hj+β_hj)，z_iRepresents the ith characteristic node, h_jRepresenting the jth enhancement node, X being given input data, W_eiRandom initialization using He initialization method, and W_hjAfter He initialization, orthogonal normalization is carried out, beta_eiAnd beta_hjRandom initialization, δ and ξ represent the activation functions.

6. The method for detecting network intrusion based on spatio-temporal granularity and three-width learning according to claim 1, wherein the step S5 specifically comprises: the weight matrix W can be expressed as: w^3(n+m)＝[F^N×3(n+m)]⁺Y, to avoid overfitting, W can be calculated by a ridge regression formula, such that the matrix is nonsingular, the formula being as follows:

W^3(n+m)＝[(F^N×3(n+m))^TF^N×3(n+m)+CI]^-1(F^N×3(n+m))^TY

where Y is the sample label matrix, C is a normal number, and I is an identity matrix, F^N×3(n+m)Is the total feature extracted in step S4.

7. A network intrusion detection system based on space-time granularity and three-width learning is characterized by comprising a flow data acquisition module, a space-time granularity division module and a three-width learning module;

the flow data acquisition module is used for acquiring flow data from a network data stream;

the space-time granularity division module is used for dividing the acquired flow data according to the space-time granularity and constructing three characteristic data sets of the time granularity, the space granularity and the data content;

the three-width learning module obtains the trained three-width learning model by constructing a three-width learning model based on three BLS as basic units and training three characteristic data sets, and further realizes the classification detection of data to be detected.

Images