CN113572783A - Network intrusion detection method based on attack sharing loss and deep neural network - Google Patents
Network intrusion detection method based on attack sharing loss and deep neural network Download PDFInfo
- Publication number
- CN113572783A CN113572783A CN202110869744.7A CN202110869744A CN113572783A CN 113572783 A CN113572783 A CN 113572783A CN 202110869744 A CN202110869744 A CN 202110869744A CN 113572783 A CN113572783 A CN 113572783A
- Authority
- CN
- China
- Prior art keywords
- network
- attack
- layer
- deep neural
- neural network
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/045—Combinations of networks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
Abstract
The invention discloses a network intrusion detection method based on an attack-sharing loss and a deep neural network, comprising the following steps. S1: collect data of a plurality of network attack types, input the data into the constructed deep neural network, and output a predicted value for each network attack type. S2: construct an attack-sharing loss function from the predicted value of each network attack type, classify the network attack types with the attack-sharing loss function, and take the resulting attack type as the intrusion detection result. S3: update the deep neural network by gradient optimization according to the network attack data, and proceed to the next round of network intrusion detection. The invention targets intrusion detection across diverse networks and achieves high detection accuracy; the attack-sharing loss function is defined to address the class imbalance problem, and an Adam optimizer that adaptively updates the learning rate accelerates model training.
Description
Technical Field
The invention belongs to the technical field of network monitoring, and particularly relates to a network intrusion detection method based on attack sharing loss and a deep neural network.
Background
Cyber attacks pose a serious threat to computer system security and expose digital assets to significant risk. There is a strong need for an effective intrusion detection system that can identify intrusion attacks with high accuracy. Classifying intrusion events is challenging because of the wide variety of attacks. Furthermore, in a normal network environment most connections are initiated by benign behavior, so the class imbalance problem in intrusion detection biases the classifier toward the majority (benign) class and leaves many attack events undetected. Traditional signature-based intrusion detection relies heavily on a signature database constructed by security experts and therefore cannot detect new attacks. Various data mining and machine learning models, such as decision trees, Support Vector Machines (SVMs), and graph mining algorithms, have also been used to discover anomalies in network monitoring data, but they are ill-suited to representing intrusion detection classification functions with many complex variations. Deep learning, which avoids the manual feature extraction required by conventional machine learning models, can handle complex input-output mappings, yet existing applications only extract inherent or generic features from the data and do not exploit its capacity to learn complex classification functions.
Disclosure of Invention
The invention aims to solve the problem that, in practice, network connection instances follow a long-tailed class distribution and the different types of intrusion attacks are unevenly represented, and provides a network intrusion detection method based on an attack-sharing loss and a deep neural network.
The technical scheme of the invention is as follows: a network intrusion detection method based on attack sharing loss and a deep neural network comprises the following steps:
s1: collecting data of a plurality of network attack types, inputting the data into the constructed deep neural network, and outputting a predicted value for each network attack type;
s2: constructing an attack-sharing loss function from the predicted value of each network attack type, classifying the network attack types with the attack-sharing loss function, and taking the resulting attack type as the intrusion detection result;
s3: updating the deep neural network by gradient optimization according to the network attack data, and proceeding to the next round of network intrusion detection.
Further, in step S1, the deep neural network includes an input layer, a plurality of hidden layers, and an output layer, which are connected in sequence;
in step S1, the specific method for outputting the predicted value of each network attack type is as follows: the network attack data are fed through the input layer into the hidden layers in sequence, where weights and bias vectors are applied by the hidden-layer neurons to obtain feature values of the data; the output layer then applies its activation function and computes the predicted value of each network attack type.
Further, in the hidden layers of the deep neural network, the output h_i^(l) of the i-th neuron of the l-th hidden layer is calculated as:

h_i^(l) = g(W_i^(l) · h^(l-1) + b_i^(l))

wherein g(·) represents the rectified linear unit activation function, g(x) = max{0, x}; W_i^(l) represents the i-th row of the weight matrix connecting the (l-1)-th hidden layer and the l-th hidden layer; and b_i^(l) represents the corresponding component of the bias vector of the l-th hidden layer;

the sparse output of the (l-1)-th hidden layer is obtained by dropout as:

h^(l-1) = h^(l-1) * r

where r denotes a mask vector composed of Bernoulli random variables and h^(l-1) denotes the output of the (l-1)-th hidden layer.
Further, the output layer of the deep neural network comprises c activation units, where c represents the number of classes;

the predicted value ŷ_j that a network attack data sample belongs to the j-th class of network attack is calculated as:

ŷ_j = softmax(z)_j = exp(z_j) / Σ_{k=1}^{c} exp(z_k)

where softmax(·) represents the activation function, exp(·) represents the exponential function, z_j represents the j-th component of the linear activation vector z of the output layer, and z_k its k-th component.
Further, in step S2, the attack-sharing loss function J_AS is expressed as:

J_AS(θ) = J_CE(θ) − (λ/N) · Σ_{i=1}^{N} I(y^(i) ≠ 1) · log( Σ_{j=2}^{c} ŷ_j^(i) )

wherein J_CE represents the cross-entropy loss, N represents the number of training samples, λ(·) represents the control parameter function, I(·) represents the indicator function, ŷ_j^(i) represents the predicted value that the i-th sample belongs to the j-th class of network attack, c represents the number of classes, and log(·) represents the logarithmic function.
Further, step S3 includes the following sub-steps:
s31: computing a stochastic gradient g in a deep neural networktThe calculation formula is as follows:
wherein, thetat-1Denotes the t-1 th parameter vector, J (theta)t-1) Representing a vector theta with respect to a parametert-1The loss value of (d);
s32: according to a random gradient gtUpdating the first moment s used to store the random gradienttAnd a second moment r for storing the mean of the exponential decay of the squared gradienttThe update formula is as follows:
st=ρ1st-1+(1-ρ1)gt
where ρ is1Representing a hyperparameter in a first moment, st-1First order matrix, p, representing the t-1 st random gradient2Representing a hyperparameter in a second moment, rt-1Represents the t-1 th mask vector;
s33: according to a first moment stAnd second moment rtUpdating the parameter vector thetatAnd finishing gradient updating, wherein the updating formula is as follows:
where ξ denotes the step size, δ denotes the stability factor, θt-1Representing the t-1 th parameter vector.
The invention has the following beneficial effects: it targets intrusion detection across diverse networks and achieves high detection accuracy; the attack-sharing loss function is defined to address the class imbalance problem, and an Adam optimizer that adaptively updates the learning rate accelerates model training.
Drawings
FIG. 1 is a flow chart of a method of network intrusion detection;
FIG. 2 is a block diagram of a deep neural network;
fig. 3 is a flow chart of a training method.
Detailed Description
The embodiments of the present invention will be further described with reference to the accompanying drawings.
As shown in fig. 1, the present invention provides a network intrusion detection method based on attack sharing loss and deep neural network, comprising the following steps:
s1: collecting data of a plurality of network attack types, inputting the data into the constructed deep neural network, and outputting a predicted value for each network attack type;
s2: constructing an attack-sharing loss function from the predicted value of each network attack type, classifying the network attack types with the attack-sharing loss function, and taking the resulting attack type as the intrusion detection result;
s3: updating the deep neural network by gradient optimization according to the network attack data, and proceeding to the next round of network intrusion detection.
In the embodiment of the present invention, as shown in fig. 2, in step S1, the deep neural network includes an input layer, a plurality of hidden layers, and an output layer, which are connected in sequence;
in step S1, the specific method for outputting the predicted value of each network attack type is as follows: the network attack data are fed through the input layer into the hidden layers in sequence, where weights and bias vectors are applied by the hidden-layer neurons to obtain feature values of the data; the output layer then applies its activation function and computes the predicted value of each network attack type.
The input layer of the deep neural network consists of d units, each unit representing an input element. Specifically, each input data point is represented as (x, y), where x is the feature set and y is the label.
In an embodiment of the invention, in the hidden layers of the deep neural network, the output h_i^(l) of the i-th neuron of the l-th hidden layer is calculated as:

h_i^(l) = g(W_i^(l) · h^(l-1) + b_i^(l))

wherein g(·) represents the rectified linear unit activation function, g(x) = max{0, x}; W_i^(l) represents the i-th row of the weight matrix connecting the (l-1)-th hidden layer and the l-th hidden layer; and b_i^(l) represents the corresponding component of the bias vector of the l-th hidden layer;

the sparse output of the (l-1)-th hidden layer is obtained by dropout as:

h^(l-1) = h^(l-1) * r

where r denotes a mask vector composed of Bernoulli random variables and h^(l-1) denotes the output of the (l-1)-th hidden layer.
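The per-layer computation above can be sketched in NumPy as follows. This is a minimal illustration only; the function name, the array shapes, and the placement of the dropout mask are assumptions of this sketch, not the patent's implementation.

```python
import numpy as np

def hidden_layer_forward(h_prev, W, b, keep_prob=1.0, rng=None):
    """One hidden layer: ReLU(W @ h_prev + b), optionally applying a
    Bernoulli dropout mask r to the incoming activations h_prev."""
    if rng is None:
        rng = np.random.default_rng(0)
    if keep_prob < 1.0:
        r = rng.binomial(1, keep_prob, size=h_prev.shape)  # mask vector r
        h_prev = h_prev * r
    z = W @ h_prev + b           # linear activation of the layer
    return np.maximum(0.0, z)    # g(x) = max{0, x}

# toy check: 3 inputs -> 2 hidden units, no dropout
h0 = np.array([1.0, -2.0, 0.5])
W1 = np.array([[0.2, 0.1, -0.3],
               [0.4, -0.5, 0.6]])
b1 = np.array([0.1, -0.2])
h1 = hidden_layer_forward(h0, W1, b1)
print(h1)  # the negative pre-activation is clipped to 0, giving [0, 1.5]
```

Stacking several such calls, each feeding the previous layer's output forward, reproduces the multi-hidden-layer structure described above.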
In an embodiment of the present invention, the output layer of the deep neural network comprises c activation units, where c represents the number of classes;

the predicted value ŷ_j that a network attack data sample belongs to the j-th class of network attack is calculated as:

ŷ_j = softmax(z)_j = exp(z_j) / Σ_{k=1}^{c} exp(z_k)

where softmax(·) represents the activation function, exp(·) represents the exponential function, z_j represents the j-th component of the linear activation vector z of the output layer, and z_k its k-th component.
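The softmax computation at the output layer can be sketched as follows (a minimal illustration; the max-subtraction for numerical stability is an implementation detail added here, not stated in the patent):

```python
import numpy as np

def softmax(z):
    """exp(z_j) / sum_k exp(z_k), shifted by max(z) for numerical stability."""
    e = np.exp(z - z.max())
    return e / e.sum()

z = np.array([2.0, 1.0, 0.1])  # linear activations of the c output units
y_hat = softmax(z)
print(y_hat.sum())  # the predicted values form a probability distribution, summing to 1
```

The class with the largest linear activation receives the largest predicted value, which is taken as the detected attack type.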
In the embodiment of the present invention, in step S2, the attack-sharing loss function J_AS is expressed as:

J_AS(θ) = J_CE(θ) − (λ/N) · Σ_{i=1}^{N} I(y^(i) ≠ 1) · log( Σ_{j=2}^{c} ŷ_j^(i) )

wherein J_CE represents the cross-entropy loss, N represents the number of training samples, λ(·) represents the control parameter function, I(·) represents the indicator function, ŷ_j^(i) represents the predicted value that the i-th sample belongs to the j-th class of network attack, c represents the number of classes, and log(·) represents the logarithmic function.
For any instance (x^(i), y^(i)), if it is a benign event then y^(i) = 1; otherwise y^(i) ∈ {2, ..., c}.
Most modern neural networks use the cross-entropy loss J_CE to describe the difference between the ground-truth labels and the model predictions. Specifically, the J_CE loss is calculated as follows:

J_CE(θ) = −(1/N) · Σ_{i=1}^{N} Σ_{j=1}^{c} I(y^(i) = j) · log p(y^(i) = j | x^(i); θ)

where θ is composed of the weight matrices between successive layers of the neural network, the training samples follow the empirical data distribution p_data of the training set, p(y^(i) | x^(i); θ) is the probability with which the neural network classifies input x^(i) correctly, N is the number of training samples, c is the number of classes, and I(y^(i) = j) is an indicator function.

The parameter θ of the network is optimized to minimize J_CE(θ), so that the desired classification accuracy is obtained.
One drawback of the cross-entropy loss function is that it does not take the type of misclassification into account and therefore penalizes all classification errors equally. An intrusion detection system faces two types of misclassification: first, intrusion misclassification, in which an intrusion attack is misclassified as a benign event; second, attack misclassification, in which a class-A intrusion attack (e.g., a denial-of-service attack) is wrongly classified as a class-B intrusion attack (e.g., a probe attack).

In practice, intrusion misclassification should be penalized more heavily than attack misclassification: an attack misclassification still raises an alarm to the information technology security team and allows further inspection of the event, whereas an intrusion misclassification lets the attack event bypass the security check entirely and cause potentially serious damage. The attack-sharing loss is designed precisely to impose such differentiated penalties on the different types of misclassification.
Thus, the second step builds the attack-sharing loss function by improving the basic cross-entropy loss function. For any instance (x^(i), y^(i)), if it is a benign event then y^(i) = 1; otherwise y^(i) ∈ {2, ..., c}. The invention designs the attack-sharing loss function J_AS with an additional regularization term that penalizes intrusion misclassification, i.e., confusion between the benign label and the attack labels.

In the attack-sharing loss, the loss term carries this additional regularization penalty. When the control parameter λ is small, J_AS behaves like the vanilla cross-entropy loss; when λ is large, J_AS approaches an objective function for the binary classification problem of benign versus attack, so that the penalty on the benign label is reduced while the penalty on mislabeling an attack as benign is increased, which addresses the class imbalance problem.
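A loss with the behavior just described can be sketched as cross-entropy plus a λ-weighted regularizer that extra-penalizes probability mass placed on the benign class for true attack samples. The function name, the benign class index 0, and the exact regularizer form are assumptions of this sketch for illustration; with λ = 0 it reduces to the plain cross-entropy.

```python
import numpy as np

def attack_sharing_loss(y_hat, y, lam):
    """Sketch of an attack-sharing-style loss J_AS = J_CE + lam * J_reg.
    y_hat: (N, c) predicted class probabilities; y: (N,) labels, 0 = benign.
    J_reg rewards the total probability mass on the attack classes
    (1 - y_hat[:, 0]) for samples whose true label is an attack."""
    N = y_hat.shape[0]
    eps = 1e-12  # guard against log(0)
    j_ce = -np.mean(np.log(y_hat[np.arange(N), y] + eps))        # cross-entropy
    is_attack = (y != 0)                                         # I(y != benign)
    j_reg = -np.mean(is_attack * np.log(1.0 - y_hat[:, 0] + eps))
    return j_ce + lam * j_reg

# with lam = 0 the loss reduces to plain cross-entropy
y_hat = np.array([[0.7, 0.2, 0.1],
                  [0.3, 0.6, 0.1]])
y = np.array([0, 1])
print(attack_sharing_loss(y_hat, y, 0.0))
print(attack_sharing_loss(y_hat, y, 2.0))  # larger: the attack sample keeps 0.3 mass on benign
```

Increasing λ shifts the penalty toward benign/attack confusion, pushing the decision boundary toward the attack classes as the description states.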
In the embodiment of the present invention, step S3 includes the following sub-steps:
s31: computing a stochastic gradient g in a deep neural networktThe calculation formula is as follows:
wherein, thetat-1Denotes the t-1 th parameter vector, J (theta)t-1) Representing a vector theta with respect to a parametert-1The loss value of (d);
s32: according to a random gradient gtUpdating the first moment s used to store the random gradienttAnd a second moment r for storing the mean of the exponential decay of the squared gradienttThe update formula is as follows:
st=ρ1st-1+(1-ρ1)gt
where ρ is1Representing a hyperparameter in a first moment, st-1First order matrix, p, representing the t-1 st random gradient2Representing a hyperparameter in a second moment, rt-1Represents the t-1 th mask vector;
ρ1,ρ2e (0,1) is a hyperparameter that determines decay rate;
s33: according to a first moment stAnd second moment rtUpdate the parameter thetatAnd finishing gradient updating, wherein the updating formula is as follows:
where ξ denotes the step size, δ denotes the stability factor, θt-1Representing the t-1 th parameter vector.
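The sub-steps S31-S33 can be sketched as a single Adam update applied in a loop. This is a minimal illustration with the standard bias correction; the function name, the toy quadratic objective, and the default hyperparameter values are assumptions of this sketch.

```python
import numpy as np

def adam_step(theta, grad, s, r, t, xi=0.001, rho1=0.9, rho2=0.999, delta=1e-8):
    """One Adam update: decaying averages of the gradient (s, first moment)
    and squared gradient (r, second moment), bias-corrected, then a scaled step."""
    s = rho1 * s + (1 - rho1) * grad              # first-moment update (S32)
    r = rho2 * r + (1 - rho2) * grad * grad       # second-moment update (S32)
    s_hat = s / (1 - rho1 ** t)                   # bias correction
    r_hat = r / (1 - rho2 ** t)
    theta = theta - xi * s_hat / (np.sqrt(r_hat) + delta)  # parameter update (S33)
    return theta, s, r

# minimize J(theta) = theta^2, whose gradient is 2 * theta (stands in for S31)
theta, s, r = np.array([1.0]), np.zeros(1), np.zeros(1)
for t in range(1, 501):
    theta, s, r = adam_step(theta, 2 * theta, s, r, t, xi=0.05)
print(theta)  # approaches the minimizer 0
```

Because the step is normalized by the square root of the second moment, flat directions of the loss surface receive proportionally larger updates, which is the acceleration property the description relies on.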
By the above formulas, larger update steps are taken along the more gently sloped directions of the parameter space, which contributes to faster convergence than SGD; another attractive property of the Adam optimizer is that it is robust to the choice of hyperparameters.
In deep learning, the most widely used optimization algorithm is stochastic gradient descent (SGD). In each round it estimates the gradient from a small batch of samples and updates the parameters. Although simple, SGD converges slowly, especially near saddle points (points where one dimension slopes up and another slopes down) and in flat regions (regions where the gradient stays consistently small). Saddle points and flat regions are widespread because of the complexity of intrusion detection classification boundaries.
In the third step, gradient optimization, an Adam optimizer that adaptively updates the learning rate is adopted to accelerate the learning process. Two variables, s and r, store the exponentially decaying averages of the historical gradients and squared gradients, respectively. Initially s = 0 and r = 0; in the t-th round of forward and backward propagation, a mini-batch of m samples is drawn from the training set and the stochastic gradient is computed.
The attack-sharing deep network training process is completed through these three steps, as shown in fig. 3: the hidden layers of the network extract features from the data, the features are passed through Softmax to produce outputs, the attack-sharing loss is computed against the data labels, and finally the Adam optimizer updates the gradients, completing one batch of the iterative training process.
In an embodiment of the invention, the tests use three datasets: KDD99, CICIDS17 and CICIDS18. In the KDD99 dataset, each connection record is described by 41 features and 1 label; the features cover three kinds of information: basic connection information (e.g., duration, protocol type (tcp, udp, icmp), number of erroneous segments, number of urgent packets), content information (e.g., number of failed login attempts, number of shell prompts, number of operations on access-control files) and traffic information (e.g., number of connections to the host in the last two seconds, proportion of connections with synchronization errors). Attacks in the dataset fall into 4 types: denial of service, probing, U2R (an ordinary user illegally obtains root access to the system) and R2L (a remote attacker exploits certain vulnerabilities to obtain local access to the host). The CICIDS17 dataset contains 2.83 million network connection instances, each described by 81 features, with attack types including denial of service, penetration and brute-force attacks. The CICIDS18 dataset contains 6.3 million network connection instances, each with 77 features, with attack types including denial of service, infiltration and botnets. To evaluate the class imbalance level of each dataset, we also report a class imbalance metric Ω_imb on the training set, defined as:

Ω_imb = (1/2) · Σ_{i=1}^{c} | n_i / n − 1/c |

where n denotes the number of instances in the dataset and n_i denotes the number of instances belonging to class i. Ω_imb measures the minimum fraction of data samples that would have to be reassigned across classes to form an overall balanced, evenly distributed dataset; larger Ω_imb values indicate a higher level of class imbalance.
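Read as the minimum fraction of samples that must be reassigned to balance all classes, the imbalance metric can be computed from per-class counts as follows (a sketch; the helper name and the total-variation form are this description's interpretation):

```python
import numpy as np

def imbalance_metric(counts):
    """Omega_imb as interpreted here: half the sum of absolute deviations of
    each class's share n_i/n from the uniform share 1/c, i.e. the minimum
    fraction of samples to reassign to make the classes evenly distributed."""
    counts = np.asarray(counts, dtype=float)
    n, c = counts.sum(), len(counts)
    return 0.5 * np.abs(counts / n - 1.0 / c).sum()

print(imbalance_metric([50, 50]))    # perfectly balanced: 0.0
print(imbalance_metric([98, 1, 1]))  # heavily skewed toward one (benign) class
```

The value lies in [0, 1): 0 means every class is equally represented, and values near 1 mean almost all samples sit in one class, the regime the attack-sharing loss is designed for.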
On the KDD99 dataset, the classification accuracy of the invention and the baseline approaches was derived. The invention produced the highest CBA among the test results, which shows that it is effective in detecting intrusion attack events in imbalanced datasets. KNN, DT and MLP+CE focus only on the majority classes and produce unsatisfactory performance on the minority classes; for example, KNN and DT fail to capture any U2R or R2L attack instances. In contrast, the cost-sensitive classifier assigns too much cost to the U2R and R2L classes because they are extremely under-represented; this makes the classifier overly biased toward these classes and degrades its performance on the KDD99 dataset. Oversampling and undersampling mitigate the side effects of the class imbalance problem, but the improvement is not comparable to that achieved by the invention.
On the CICIDS17 dataset, the accuracy of all classifiers was tested. Except for brute-force attacks, the invention produces similar and satisfactory precision and recall on every class, and yields the best CBA among all classifiers. Brute-force attack instances account for only around 0.5% of the dataset, and although the attack-sharing loss function is intended to move the decision boundary closer to the attack classes, it helps little for this class. KNN and MLP+CE perform close to the invention; further investigation showed that most attack instances appear in both the training set and the test set. DT simply labels every test case as a benign connection; similarly, CNN recognizes almost every connection as a DoS attack, and the cost-sensitive classifier focuses only on the benign and DoS classes, so the CBA of these three baselines is naturally lower.
On the CICIDS18 dataset, the accuracy of the invention was compared with the baselines. The invention achieves the second-best performance in handling the class imbalance problem, demonstrating the effectiveness of the attack-sharing loss function. No baseline method produced a CBA above 30%; likewise, the cost-sensitive baseline devotes all of its attention to the least-represented classes.
The working principle and process of the invention are as follows: deep learning is used to extract features and learn the classification boundary, and a new loss function, the attack-sharing loss, is designed to eliminate the bias toward the majority (benign) class by moving the decision boundary toward the attack classes. Specifically, first, a deep feedforward network is constructed to learn the complex patterns of benign communication and malicious connections from the training data; to accelerate learning on big data, a new optimization algorithm dynamically adjusts the learning rate by tracking exponentially decaying averages of the first and second moments of past gradients. Second, to address the class imbalance problem in intrusion detection, the attack-sharing loss is designed for the deep feedforward network; it applies differentiated penalties to the different types of misclassification, so that intrusion misclassification is penalized more heavily than attack misclassification.
The invention has the following beneficial effects: it targets intrusion detection across diverse networks and achieves high detection accuracy; the attack-sharing loss function is defined to address the class imbalance problem, and an Adam optimizer that adaptively updates the learning rate accelerates model training.
It will be appreciated by those of ordinary skill in the art that the embodiments of the network intrusion detection method based on attack sharing loss and deep neural networks described herein are intended to assist the reader in understanding the principles of the present invention, and it is to be understood that the scope of the invention is not limited to such specific statements and embodiments. Those skilled in the art can make various other specific changes and combinations based on the teachings of the present invention without departing from the spirit of the invention, and these changes and combinations are within the scope of the invention.
Claims (6)
1. A network intrusion detection method based on attack sharing loss and a deep neural network is characterized by comprising the following steps:
s1: collecting data of a plurality of network attack types, inputting the data into the constructed deep neural network, and outputting a predicted value for each network attack type;
s2: constructing an attack-sharing loss function from the predicted value of each network attack type, classifying the network attack types with the attack-sharing loss function, and taking the resulting attack type as the intrusion detection result;
s3: updating the deep neural network by gradient optimization according to the network attack data, and proceeding to the next round of network intrusion detection.
2. The method for detecting network intrusion based on attack sharing loss and deep neural network of claim 1, wherein in step S1, the deep neural network comprises an input layer, a plurality of hidden layers and an output layer which are connected in sequence;
in step S1, the specific method for outputting the predicted value of each network attack type is as follows: the network attack data are fed through the input layer into the hidden layers in sequence, where weights and bias vectors are applied by the hidden-layer neurons to obtain feature values of the data; the output layer then applies its activation function and computes the predicted value of each network attack type.
3. The method of claim 2, wherein, among the hidden layers of the deep neural network, the output h_i^(l) of the i-th hidden layer neuron in the l-th hidden layer is calculated as:

h_i^(l) = g(W_i^(l) · h^(l-1) + b_i^(l))

wherein g(·) represents the rectified linear unit activation function, g(x) = max{0, x}; W_i^(l) represents the i-th row of the weight matrix connecting the (l-1)-th hidden layer and the l-th hidden layer; and b_i^(l) represents the bias vector of the l-th hidden layer;

the sparse output h^(l-1) of the (l-1)-th hidden layer is calculated as:

h^(l-1) = h^(l-1) * r

where r denotes a mask vector composed of Bernoulli random variables and h^(l-1) denotes the output of the (l-1)-th hidden layer.
4. The method according to claim 2, wherein the output layer of the deep neural network comprises c activation units, where c represents the number of classes;

the predicted value ŷ_j that a network attack data sample belongs to the j-th class of network attack is calculated as:

ŷ_j = softmax(z)_j = exp(z_j) / Σ_{k=1}^{c} exp(z_k)

wherein softmax(·) represents the activation function, exp(·) represents the exponential function, z_j represents the j-th component of the linear activation vector z of the output layer, and z_k its k-th component.
5. The method for detecting network intrusion based on attack-sharing loss and deep neural network of claim 1, wherein in step S2 the attack-sharing loss function J_AS is expressed as:

J_AS(θ) = J_CE(θ) − (λ/N) · Σ_{i=1}^{N} I(y^(i) ≠ 1) · log( Σ_{j=2}^{c} ŷ_j^(i) )

wherein J_CE represents the cross-entropy loss, N represents the number of training samples, λ(·) represents the control parameter function, I(·) represents the indicator function, ŷ_j^(i) represents the predicted value that the i-th sample belongs to the j-th class of network attack, c represents the number of classes, and log(·) represents the logarithmic function.
6. The method for detecting network intrusion based on attack sharing loss and deep neural network of claim 1, wherein the step S3 includes the following sub-steps:
s31: computing a stochastic gradient g in a deep neural networktThe calculation formula is as follows:
wherein, thetat-1Denotes the t-1 th parameter vector, J (theta)t-1) Representing a vector theta with respect to a parametert-1The loss value of (d);
S32: according to the stochastic gradient g_t, update the first moment s_t, which stores the gradient, and the second moment r_t, which stores the exponentially decaying average of the squared gradient, as follows:

s_t = ρ1 · s_{t-1} + (1 − ρ1) · g_t

r_t = ρ2 · r_{t-1} + (1 − ρ2) · g_t ⊙ g_t

where ρ1 represents the hyperparameter of the first moment, s_{t-1} represents the first moment at step t-1, ρ2 represents the hyperparameter of the second moment, and r_{t-1} represents the second moment at step t-1;
S33: according to the first moment s_t and the second moment r_t, update the parameter vector θ_t to complete the gradient update:

θ_t = θ_{t-1} − ξ · s_t / (√r_t + δ)

where ξ denotes the step size, δ denotes the stability factor, and θ_{t-1} denotes the parameter vector at step t-1.
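Steps S31–S33 follow the structure of the Adam optimiser. A minimal sketch, assuming standard Adam bias correction of the moments (not spelled out in this excerpt) and illustrative hyperparameter values; the toy objective J(θ) = θ² stands in for the network loss:

```python
import numpy as np

def adam_step(theta, grad, s, r, t, rho1=0.9, rho2=0.999, xi=1e-3, delta=1e-8):
    """One update of S31-S33: accumulate moments s_t and r_t, then step theta."""
    s = rho1 * s + (1 - rho1) * grad            # first moment (S32)
    r = rho2 * r + (1 - rho2) * grad * grad     # second moment (S32)
    s_hat = s / (1 - rho1 ** t)                 # bias correction (assumption)
    r_hat = r / (1 - rho2 ** t)
    theta = theta - xi * s_hat / (np.sqrt(r_hat) + delta)  # update (S33)
    return theta, s, r

# Toy objective J(theta) = theta^2, so g_t = 2 * theta
theta = np.array([1.0])
s = np.zeros(1)
r = np.zeros(1)
for t in range(1, 501):
    theta, s, r = adam_step(theta, 2 * theta, s, r, t)
```

Because the normalised step size is roughly ξ per iteration, θ moves steadily toward the minimum at zero.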
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110869744.7A CN113572783A (en) | 2021-07-30 | 2021-07-30 | Network intrusion detection method based on attack sharing loss and deep neural network |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113572783A true CN113572783A (en) | 2021-10-29 |
Family
ID=78169324
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110869744.7A Pending CN113572783A (en) | 2021-07-30 | 2021-07-30 | Network intrusion detection method based on attack sharing loss and deep neural network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113572783A (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20200106788A1 (en) * | 2018-01-23 | 2020-04-02 | Hangzhou Dianzi University | Method for detecting malicious attacks based on deep learning in traffic cyber physical system |
CN112491854A (en) * | 2020-11-19 | 2021-03-12 | 郑州迪维勒普科技有限公司 | Multi-azimuth security intrusion detection method and system based on FCNN |
Non-Patent Citations (1)
Title |
---|
BOXIANG DONG: "Cyber Intrusion Detection by Using Deep Neural Networks with Attack-sharing Loss", arXiv *
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109670302B (en) | SVM-based classification method for false data injection attacks | |
CN111598179B (en) | Power monitoring system user abnormal behavior analysis method, storage medium and equipment | |
Jia et al. | Network intrusion detection based on IE-DBN model | |
Anil et al. | A hybrid method based on genetic algorithm, self-organised feature map, and support vector machine for better network anomaly detection | |
CN114139155A (en) | Malicious software detection model and generation method of enhanced countermeasure sample thereof | |
Musa et al. | A review on intrusion detection system using machine learning techniques | |
Almarshdi et al. | Hybrid Deep Learning Based Attack Detection for Imbalanced Data Classification. | |
Borisenko et al. | Intrusion detection using multilayer perceptron and neural networks with long short-term memory | |
Zhang et al. | An improved LSTM network intrusion detection method | |
CN116633682B (en) | Intelligent identification method and system based on security product risk threat | |
Sandhya et al. | Enhancing the Performance of an Intrusion Detection System Using Spider Monkey Optimization in IoT. | |
Habib et al. | Performance evaluation of machine learning models for distributed denial of service attack detection using improved feature selection and hyper‐parameter optimization techniques | |
Huynh et al. | On the performance of intrusion detection systems with hidden multilayer neural network using DSD training | |
Yang et al. | Dualnet: Locate then detect effective payload with deep attention network | |
CN116996272A (en) | Network security situation prediction method based on improved sparrow search algorithm | |
CN113572783A (en) | Network intrusion detection method based on attack sharing loss and deep neural network | |
Dong et al. | Cyber intrusion detection by using deep neural networks with attack-sharing loss | |
Gohari et al. | DEEP LEARNING-BASED INTRUSION DETECTION SYSTEMS: A COMPREHENSIVE SURVEY OF FOUR MAIN FIELDS OF CYBER SECURITY. | |
Papadopoulos | Thornewill von Essen | |
Vibhute et al. | Deep learning-based network anomaly detection and classification in an imbalanced cloud environment | |
Mohammed | Hybrid CNN-SMOTE-BGMM deep learning framework for network intrusion detection using unbalanced dataset | |
Vibhute et al. | An LSTM‐based novel near‐real‐time multiclass network intrusion detection system for complex cloud environments | |
Babu et al. | Improved Monarchy Butterfly Optimization Algorithm (IMBO): Intrusion Detection Using Mapreduce Framework Based Optimized ANU-Net. | |
Farahnakian et al. | Anomaly-based intrusion detection using deep neural networks | |
Zenden et al. | On the Resilience of Machine Learning-Based IDS for Automotive Networks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | | Application publication date: 20211029