CN113746813B - Network attack detection system and method based on two-stage learning model - Google Patents
Network attack detection system and method based on two-stage learning model
- Publication number: CN113746813B (application CN202110938301.9A, published as CN202110938301A)
- Authority: CN (China)
- Prior art keywords: network, network data, feature, model, data set
- Legal status: Active (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00—Network architectures or network communication protocols for network security > H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic > H04L63/1416—Event detection, e.g. attack signature detection
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F18/00—Pattern recognition > G06F18/20—Analysing > G06F18/21—Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation > G06F18/214—Generating training patterns; Bootstrap methods, e.g. bagging or boosting
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS > G06N3/00—Computing arrangements based on biological models > G06N3/02—Neural networks > G06N3/04—Architecture, e.g. interconnection topology > G06N3/045—Combinations of networks
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS > G06N3/00—Computing arrangements based on biological models > G06N3/02—Neural networks > G06N3/08—Learning methods
Abstract
The invention discloses a network attack detection system and a network attack detection method based on a two-stage learning model. The method comprises the following steps: step 1: evaluating feature combinations with the feature subset of the network data set treated as an indivisible unit, so as to reduce the feature dimension of the network data set; step 2: using the reduced network data set as training data and building a real-time network attack detection model with deep learning. This two-stage network attack detection scheme fully accounts for the combined effect of features in high-risk network data, meets the accuracy and timeliness requirements of network attack detection, and combines feature selection, evolutionary search and a deep learning model to improve the recognition accuracy of network attack detection and shorten model training time.
Description
Technical Field
The invention belongs to the technical field of network attack detection, and particularly relates to a two-stage detection system and a two-stage detection method for network attack data preprocessing and network attack data identification.
Background
Effective network attack detection in the era in which everything is interconnected is one of the key problems of the big data environment, and in recent years various recognition methods based on deep neural networks have been widely applied in network attack detection systems. Compared with traditional machine learning methods, deep neural network models achieve higher detection precision. The most critical factor affecting any network attack detection model is its use of the high-dimensional data features of network attacks, so the primary task in extracting valuable information from large-scale, high-dimensional network attack data is to find the key features of that data.
As the scale of data in the network domain keeps growing, the large volumes of data present in networks also contain a great deal of redundant, useless and noisy data, which seriously degrades the performance and speed of the learning algorithms used for network attack detection. Excessive data volume is only one of the problems in analysing network attacks; with high-dimensional data the 'curse of dimensionality' arises even when the data volume is small. A large number of data features seriously reduces the recognition efficiency of a network attack detection method and makes the structure of the detection model complex. Although deep learning has raised the recognition accuracy of network attack detection to a high level, recognition efficiency drops because a deep learning model is more complex than a traditional machine learning detection model.
Dimensionality reduction therefore has to be applied to high-dimensional network data, and an efficient real-time network attack detection method built on the reduced feature subset. In feature dimension reduction, different evaluation approaches have their own advantages: distance-based evaluation is fast, information-theoretic methods are robust against noisy data sets, consistency-based evaluation gives interpretable results, and so on; but the feature subset of network attack data generally lacks an overall measure that treats the subset as a unit. At the same time, existing deep learning models for network attack detection are usually assumed to be strong enough learners that no feature preprocessing is performed, so model training takes too long and deploying the detection model and system becomes harder.
In 2016 the inventors of the present application published, in Computer Research and Development, a feature selection method based on an associated information entropy measure. It searches the feature set using associated information entropy, fully considers the multivariate relationships among the different features of a feature subset, and evaluates the feature subset as a whole, as an independent element. Verification on several commonly used benchmark data sets together with traditional machine learning classification models showed good improvements in training time and classification precision. However, that method was not analysed in combination with a deep learning model, so how to build network attack detection for ultra-high-dimensional network data remains an urgent problem.
Disclosure of Invention
To address the problems of the prior art, the invention provides a network attack detection system and method based on a two-stage learning model, so as to verify the performance advantages of combining a feature selection technique based on the combined effect of features with a deep learning model in network attack detection. In the first stage, the feature subset of the network data set is treated as an indivisible unit for evaluating feature combinations, so as to reduce the feature dimension of the network data set; in the second stage, the reduced network data set is used as training data and a real-time network attack detection model is built with deep learning. Together they form a complete, general detection scheme that combines low-order evaluation of the combined effect of network data features with high-order deep feature combination extraction.
Based on this, the invention adopts the following technical scheme:
A network attack detection method based on a two-stage learning model is carried out according to the following steps:
Stage 1: feature dimension reduction of the network data set. In this stage the feature subset of the network data set is treated as an indivisible unit for evaluating feature combinations, so as to reduce the feature dimension of the network data set; the specific steps are as follows:
Step 1.1, preprocess the mass network data. First, remove data examples whose missing features exceed the feature-missing threshold as a primary screening; then delete low-information features such as sequence numbers and timestamps from the screened network data set; finally, map the non-numerical features of the network data set to binary vectors by one-hot encoding;
Step 1.2, construct the feature subset evaluation function of the network data set. A measurable multivariate network intrusion detection analysis model $F$ is built from the mutual information (MI) between the network data features and the network attack types.
Here the raw values of the n-dimensional network data samples are not used as input; instead the mutual information $I_{ij}$ between each feature dimension and each network attack class is computed and used as input, where $I(f_i, C_j) = H(f_i) + H(C_j) - H(f_i, C_j)$ is the mutual information between the i-th feature and the j-th class, $H$ is the information entropy of a variable, and $H(f_i, C_j) = -\sum p(f_i, C_j) \log_2 p(f_i, C_j)$ is the joint entropy. After centering and normalizing the matrix $F$ to obtain $P$, the correlation matrix $Rel$ is computed as $R = P^{T} P$. From the eigenvalues $\lambda$ of $Rel$ the associated information entropy $H_{Rel}$ is then obtained. Using only the associated information entropy would bias the system towards features that carry little information themselves (a system that contains no information naturally contains no redundant information either), so the average mutual information, representing the average amount of useful information within the system, is introduced as well. The final evaluation function is obtained by weighting the two so that $H_{Rel}$ and the average mutual information are maximized; $k_1$ and $k_2$ are non-negative constants that control how strongly the associated information entropy and the average mutual information influence the selected features.
Step 1.3, determine the feature subset with a Binary Particle Swarm Optimization (BPSO) evolutionary search strategy. A particle h is a bit string of 0s and 1s that maps onto the n-dimensional feature vector; a feature is selected when its corresponding bit is 1. In binary particle swarm optimization every particle moves through the solution space of feature subsets and records its own best solution (Pbest) and the swarm's best solution (Gbest) to update its position. Pbest is the position with the best fitness value that the individual particle has visited so far, and Gbest is the position with the best fitness among all positions visited by all particles of the swarm. In the particle update, c1 and c2 are learning factors, ω is an inertia factor, and each particle h has a velocity and a position in generation t. The BPSO algorithm maps the continuous velocity values to 0 or 1 through a Sigmoid function, so the position of a particle is likewise represented as a binary vector of 0s and 1s. This process is repeated, with a limit on the number of generations and on the convergence of the optimum, until the final network data feature subset is determined.
Stage 2: deep-model network attack detection based on the network data feature subset. The reduced network data set is used as training data, and a real-time network attack detection model is built with deep learning; the specific steps are as follows:
Step 2.1, train the deep network attack detection model. After the first stage the optimal feature subset of the network data is obtained and used as the input of the second-stage deep learning model. The invention adopts Deep Belief Networks (DBN). The network feature subset data enters through an input layer X, is processed by hidden layers H and is finally output through an output layer Y. Pre-training maps the same feature vector into different feature spaces so as to retain more feature information; fine-tuning then trains the whole network in a supervised manner to obtain the classifier. The activation function of the output layer is set to a linear function and that of the hidden-layer neurons to a Sigmoid function. The number of layers and the number of neurons per layer are set according to the scale of the network feature subset data; to ensure timeliness of testing, the invention uses a 7-layer network with neuron counts [50, 40, 35, 30, 26, 22, 22].
Step 2.2, real-time detection with the deep network attack detection model. The detection system first collects network data, reduces it according to the feature preprocessing and the optimal feature subset, feeds the result into the trained deep learning model, and the model outputs the network attack type or the current attack-free state.
Step 2.3, offline optimization of the system model. Real-time monitoring data of network attack detection are manually rechecked; when the number of misdetected examples exceeds a set threshold δ, the erroneous examples are manually corrected and labelled, all incremental network data are merged with the original network data, and the first and second stages are run again to optimize the network attack detection system model offline.
The invention also discloses a network attack detection system based on the two-stage learning model, which comprises the following modules:
Feature dimension reduction module of the network data set: this module treats the feature subset of the network data set as an indivisible unit for evaluating feature combinations, so as to reduce the feature dimension of the network data set; it comprises the following sub-modules:
Preprocessing module for mass network data: preprocesses the mass network data. First, remove data examples whose missing features exceed the feature-missing threshold as a primary screening; then delete low-information features such as sequence numbers and timestamps from the screened network data set; finally, map the non-numerical features of the network data set to binary vectors by one-hot encoding;
Feature subset evaluation function construction module of the network data set: constructs the feature subset evaluation function of the network data set. A measurable multivariate network intrusion detection analysis model $F$ is built from the mutual information (MI) between the network data features and the network attack types.
Here the raw values of the n-dimensional network data samples are not used as input; instead the mutual information $I_{ij}$ between each feature dimension and each network attack class is computed and used as input, where $I(f_i, C_j) = H(f_i) + H(C_j) - H(f_i, C_j)$ is the mutual information between the i-th feature and the j-th class and $H(f_i, C_j) = -\sum p(f_i, C_j) \log_2 p(f_i, C_j)$ is the joint entropy. After centering and normalizing the matrix $F$ to obtain $P$, the correlation matrix $Rel$ is computed as $R = P^{T} P$. From the eigenvalues $\lambda$ of $Rel$ the associated information entropy $H_{Rel}$ is then obtained. Using only the associated information entropy would bias the system towards features that carry little information themselves (a system that contains no information naturally contains no redundant information either), so the average mutual information, representing the average amount of useful information within the system, is introduced as well. The final evaluation function is obtained by weighting the two so that $H_{Rel}$ and the average mutual information are maximized; $k_1$ and $k_2$ are non-negative constants that control how strongly the associated information entropy and the average mutual information influence the selected features.
Feature subset determination module using a binary particle swarm evolutionary search strategy: determines the feature subset with a Binary Particle Swarm Optimization (BPSO) evolutionary search strategy. A particle h is a bit string of 0s and 1s that maps onto the n-dimensional feature vector; a feature is selected when its corresponding bit is 1. In binary particle swarm optimization every particle moves through the solution space of feature subsets and records its own best solution (Pbest) and the swarm's best solution (Gbest) to update its position. Pbest is the position with the best fitness value that the individual particle has visited so far, and Gbest is the position with the best fitness among all positions visited by all particles of the swarm. In the particle update, the BPSO algorithm maps the continuous velocity values to 0 or 1 through a Sigmoid function, so the position of a particle is likewise represented as a binary vector of 0s and 1s. This process is repeated, with a limit on the number of generations and on the convergence of the optimum, until the final network data feature subset is determined.
Deep-model network attack detection module: performs deep-model network attack detection based on the network data feature subset. The reduced network data set is used as training data, and a real-time network attack detection model is built with deep learning; it comprises the following sub-modules:
Deep network attack detection model training module: trains the deep network attack detection model. After the feature dimension reduction module of the network data set has finished, the optimal feature subset of the network data is obtained and used as the input of the deep learning model of the deep-model network attack detection module. The invention adopts Deep Belief Networks (DBN). The network feature subset data enters through an input layer X, is processed by hidden layers H and is finally output through an output layer Y. Pre-training maps the same feature vector into different feature spaces so as to retain more feature information; fine-tuning then trains the whole network in a supervised manner to obtain the classifier. The activation function of the output layer is set to a linear function and that of the hidden-layer neurons to a Sigmoid function. The number of layers and the number of neurons per layer are set according to the scale of the network feature subset data; to ensure timeliness of testing, the invention uses a 7-layer network with neuron counts [50, 40, 35, 30, 26, 22, 22].
Real-time detection module of the deep network attack detection model: performs real-time detection with the deep network attack detection model. The detection system first collects network data, reduces it according to the feature preprocessing and the optimal feature subset, feeds the result into the trained deep learning model, and the model outputs the network attack type or the current attack-free state.
Offline model optimization module: optimizes the system model offline. Real-time monitoring data of network attack detection are manually rechecked; when the number of misdetected examples exceeds a set threshold δ, the erroneous examples are manually corrected and labelled, all incremental network data are merged with the original network data, and the feature dimension reduction module of the network data set and the deep-model network attack detection module are run again to optimize the network attack detection system model offline.
This two-stage network attack detection system fully accounts for the combined effect of features in high-risk network data and, to meet the accuracy and timeliness requirements of network attack detection, combines feature selection, evolutionary search and a deep learning model so as to improve the recognition accuracy of network attack detection and shorten model training time.
Compared with the prior art, the invention has the following beneficial effects:
1. Associated information entropy is introduced, and the correlation between network features and attack categories, both linear and nonlinear, is taken into account; in a multi-base high-dimensional space the method greatly reduces the size of the multivariate network attack detection model.
2. To avoid the bias towards low-information features that using the associated information entropy alone would cause (a system that contains no information naturally contains no redundant information either), average mutual information is introduced to represent the average amount of useful information within the system.
3. The choice of deep learning model is not restricted to one specific model; Deep Belief Networks (DBN), Stacked Auto-Encoders (SAE), Recurrent Neural Networks (RNN), Elman networks and other deep learning models can be used.
Drawings
Fig. 1 is a schematic flow chart of a network attack detection method of a two-stage learning model.
Fig. 2 is a comparison graph of the recognition accuracy of the network attack detection system of the two-stage learning model and the single-stage network attack learning model in three network data sets. CMI-DL is an example of the system of the invention, and DBN is an example of a single-stage network attack learning model.
Fig. 3 is a comparison graph (in seconds) of real-time detection time of the network attack detection system of the two-stage learning model and the learning model of the single-stage network attack learning model in different network data sets. CMI-DL is an example of the system of the invention, and DBN is an example of a single-stage network attack learning model.
Fig. 4 is a block diagram of a network attack detection system of a two-stage learning model.
Detailed Description
The preferred embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
Example 1
As shown in Fig. 1, the network attack detection method based on the two-stage learning model of this embodiment is carried out according to the following steps:
Stage 1: feature dimension reduction of the network data set. In this stage the feature subset of the network data set is treated as an indivisible unit for evaluating feature combinations, so as to reduce the feature dimension of the network data set; the specific steps are as follows:
Step 1.1, preprocess the mass network data. First, perform a primary screening of data examples whose missing features exceed the feature-missing threshold; then delete low-information features such as sequence numbers and timestamps from the screened network data set; finally, map the non-numerical features of the network data set to binary vectors by one-hot encoding;
Step 1.2, construct the feature subset evaluation function of the network data set. A measurable multivariate network intrusion detection analysis model $F$ is built from the mutual information (MI) between the network data features and the network attack types.
Here the raw values of the n-dimensional network data samples are not used as input; instead the mutual information $I_{ij}$ between each feature dimension and each network attack class is computed and used as input, where $I(f_i, C_j) = H(f_i) + H(C_j) - H(f_i, C_j)$ is the mutual information between the i-th feature and the j-th class and $H(f_i, C_j) = -\sum p(f_i, C_j) \log_2 p(f_i, C_j)$ is the joint entropy. After centering and normalizing the matrix $F$ to obtain $P$, the correlation matrix $Rel$ is computed as $R = P^{T} P$. From the eigenvalues $\lambda$ of $Rel$ the associated information entropy $H_{Rel}$ is then obtained. Using only the associated information entropy would bias the system towards features that carry little information themselves (a system that contains no information naturally contains no redundant information either), so the average mutual information, representing the average amount of useful information within the system, is introduced as well. The final evaluation function is obtained by weighting the two so that $H_{Rel}$ and the average mutual information are maximized; $k_1$ and $k_2$ are non-negative constants that control how strongly the associated information entropy and the average mutual information influence the selected features.
Step 1.3, determine the feature subset with a Binary Particle Swarm Optimization (BPSO) evolutionary search strategy. A particle h is a bit string of 0s and 1s that maps onto the n-dimensional feature vector; a feature is selected when its corresponding bit is 1. In the binary particle swarm algorithm every particle moves through the solution space of feature subsets and records its own best solution (Pbest) and the swarm's best solution (Gbest) to update its position. Pbest is the position with the best fitness value that the individual particle has visited so far, and Gbest is the position with the best fitness among all positions visited by all particles of the swarm. In the particle update, the BPSO algorithm maps the continuous velocity values to 0 or 1 through a Sigmoid function, so the position of a particle is likewise represented as a binary vector of 0s and 1s. This process is repeated, with a limit on the number of generations and on the convergence of the optimum, until the final network data feature subset is determined.
Stage 2: deep-model network attack detection based on the network data feature subset. The reduced network data set is used as training data, and a real-time network attack detection model is built with deep learning; the specific steps are as follows:
Step 2.1, train the deep network attack detection model. After the first stage the optimal feature subset of the network data is obtained and used as the input of the second-stage deep learning model. The invention adopts Deep Belief Networks (DBN). The network feature subset data enters through an input layer X, is processed by hidden layers H and is finally output through an output layer Y. Pre-training maps the same feature vector into different feature spaces so as to retain more feature information; fine-tuning then trains the whole network in a supervised manner to obtain the classifier. The activation function of the output layer is set to a linear function and that of the hidden-layer neurons to a Sigmoid function. The number of layers and the number of neurons per layer are set according to the scale of the network feature subset data; to ensure timeliness of testing, the invention uses a 7-layer network with neuron counts [50, 40, 35, 30, 26, 22, 22].
Step 2.2, real-time detection with the deep network attack detection model. The detection system first collects network data, reduces it according to the feature preprocessing and the optimal feature subset, feeds the result into the trained deep learning model, and the model outputs the network attack type or the current attack-free state.
Step 2.3, offline optimization of the system model. Real-time monitoring data of network attack detection are manually rechecked; when the number of misdetected examples exceeds a set threshold δ, the erroneous examples are manually corrected and labelled, all incremental network data are merged with the original network data, and the first and second stages are run again to optimize the network attack detection system model offline.
Example 2
As shown in Fig. 4, the network attack detection system based on the two-stage learning model of this embodiment comprises the following modules:
Feature dimension reduction module of the network data set: this module treats the feature subset of the network data set as an indivisible unit for evaluating feature combinations, so as to reduce the feature dimension of the network data set; it comprises the following sub-modules:
Preprocessing module for mass network data: preprocesses the mass network data. First, remove data examples whose missing features exceed the feature-missing threshold as a primary screening; then delete low-information features such as sequence numbers and timestamps from the screened network data set; finally, map the non-numerical features of the network data set to binary vectors by one-hot encoding;
Feature subset evaluation function construction module of the network data set: constructs the feature subset evaluation function of the network data set. A measurable multivariate network intrusion detection analysis model $F$ is built from the mutual information (MI) between the network data features and the network attack types.
Here the raw values of the n-dimensional network data samples are not used as input; instead the mutual information $I_{ij}$ between each feature dimension and each network attack class is computed and used as input, where $I(f_i, C_j) = H(f_i) + H(C_j) - H(f_i, C_j)$ is the mutual information between the i-th feature and the j-th class and $H(f_i, C_j) = -\sum p(f_i, C_j) \log_2 p(f_i, C_j)$ is the joint entropy. After centering and normalizing the matrix $F$ to obtain $P$, the correlation matrix $Rel$ is computed as $R = P^{T} P$. From the eigenvalues $\lambda$ of $Rel$ the associated information entropy $H_{Rel}$ is then obtained. Using only the associated information entropy would bias the system towards features that carry little information themselves (a system that contains no information naturally contains no redundant information either), so the average mutual information, representing the average amount of useful information within the system, is introduced as well. The final evaluation function is obtained by weighting the two so that $H_{Rel}$ and the average mutual information are maximized; $k_1$ and $k_2$ are non-negative constants that control how strongly the associated information entropy and the average mutual information influence the selected features.
Feature subset determination module using a binary particle swarm evolutionary search strategy: determines the feature subset with a Binary Particle Swarm Optimization (BPSO) evolutionary search strategy. A particle h is a bit string of 0s and 1s that maps onto the n-dimensional feature vector; a feature is selected when its corresponding bit is 1. In binary particle swarm optimization every particle moves through the solution space of feature subsets and records its own best solution (Pbest) and the swarm's best solution (Gbest) to update its position. Pbest is the position with the best fitness value that the individual particle has visited so far, and Gbest is the position with the best fitness among all positions visited by all particles of the swarm. In the particle update, the BPSO algorithm maps the continuous velocity values to 0 or 1 through a Sigmoid function, so the position of a particle is likewise represented as a binary vector of 0s and 1s. This process is repeated, with a limit on the number of generations and on the convergence of the optimum, until the final network data feature subset is determined.
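As an added example, not the patent's own code, the following pure-Python sketch implements stage 1 as described in steps 1.2 and 1.3 above (and in the two modules just described): the mutual-information matrix F, the correlation-matrix evaluation function, and the BPSO search over bit-string feature subsets with a generation limit and a convergence limit. The function names, the one-vs-rest encoding of each class C_j, the column layout of P, and the entropy-of-eigenvalue-spectrum form of H_Rel are assumptions, since the page does not state them.

```python
# Added example, not the patent's code: stage 1 (steps 1.2 and 1.3) in pure Python.
import math
import random

def entropy(values):
    """Shannon entropy H in bits of a discrete sequence."""
    n, counts = len(values), {}
    for v in values:
        counts[v] = counts.get(v, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def mutual_info(xs, ys):
    """I(f_i, C_j) = H(f_i) + H(C_j) - H(f_i, C_j), the formula of step 1.2."""
    return entropy(xs) + entropy(ys) - entropy(list(zip(xs, ys)))

def mi_matrix(rows, n_classes):
    """F[i][j] = I(f_i, C_j) for rows of (feature list, label).
    Assumption: class j is encoded as a one-vs-rest indicator (not stated on the page)."""
    feats = [[r[0][i] for r in rows] for i in range(len(rows[0][0]))]
    labels = [r[1] for r in rows]
    return [[mutual_info(f, [1 if c == j else 0 for c in labels])
             for j in range(n_classes)] for f in feats]

def sym_eigenvalues(a, sweeps=30):
    """Eigenvalues of a symmetric matrix by cyclic Jacobi rotations (no numpy needed)."""
    a, n = [row[:] for row in a], len(a)
    for _ in range(sweeps):
        for p in range(n - 1):
            for q in range(p + 1, n):
                if abs(a[p][q]) < 1e-14:  # already annihilated; also avoids division by zero
                    continue
                theta = (a[q][q] - a[p][p]) / (2 * a[p][q])
                t = (1 if theta >= 0 else -1) / (abs(theta) + math.sqrt(theta * theta + 1))
                c = 1 / math.sqrt(t * t + 1)
                s = t * c
                for k in range(n):  # A <- A J: rotate columns p and q
                    akp, akq = a[k][p], a[k][q]
                    a[k][p], a[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):  # A <- J^T A: rotate rows p and q
                    apk, aqk = a[p][k], a[q][k]
                    a[p][k], a[q][k] = c * apk - s * aqk, s * apk + c * aqk
    return [a[i][i] for i in range(n)]

def evaluate_subset(mi, mask, k1=1.0, k2=1.0):
    """Evaluation function k1*H_Rel + k2*avg_MI for the subset selected by mask.
    Assumptions: each selected feature's MI row is a column of P (centred, unit length),
    R = P^T P, and H_Rel is the entropy of R's eigenvalues normalised to sum 1."""
    sel = [i for i, bit in enumerate(mask) if bit]
    if not sel:
        return float("-inf")  # an empty subset is never a valid solution
    m, k = len(mi[0]), len(sel)
    cols = []
    for i in sel:
        col = [v - sum(mi[i]) / m for v in mi[i]]
        norm = math.sqrt(sum(v * v for v in col))
        cols.append([v / norm for v in col] if norm > 0 else col)  # all-zero MI row stays zero
    r = [[sum(cols[x][t] * cols[y][t] for t in range(m)) for y in range(k)] for x in range(k)]
    lam = sym_eigenvalues(r)
    total = sum(lam)
    h_rel = -sum(l / total * math.log2(l / total) for l in lam if l > 1e-12) if total > 1e-12 else 0.0
    avg_mi = sum(mi[i][j] for i in sel for j in range(m)) / (k * m)
    return k1 * h_rel + k2 * avg_mi

def bpso(fitness, n_bits, n_particles=20, generations=40, w=0.9, c1=2.0, c2=2.0,
         vmax=4.0, patience=10, seed=0):
    """Binary PSO of step 1.3: bit-string particles, Pbest/Gbest updates, Sigmoid
    mapping of velocity to bits, a generation limit and a convergence (stall) limit."""
    rng = random.Random(seed)
    pos = [[rng.randrange(2) for _ in range(n_bits)] for _ in range(n_particles)]
    vel = [[rng.uniform(-1, 1) for _ in range(n_bits)] for _ in range(n_particles)]
    pbest, pbest_fit = [p[:] for p in pos], [fitness(p) for p in pos]
    g = max(range(n_particles), key=lambda i: pbest_fit[i])
    gbest, gbest_fit, stall = pbest[g][:], pbest_fit[g], 0
    for _ in range(generations):
        improved = False
        for h in range(n_particles):
            for d in range(n_bits):
                v = (w * vel[h][d] + c1 * rng.random() * (pbest[h][d] - pos[h][d])
                     + c2 * rng.random() * (gbest[d] - pos[h][d]))
                vel[h][d] = max(-vmax, min(vmax, v))
                pos[h][d] = 1 if rng.random() < 1 / (1 + math.exp(-vel[h][d])) else 0
            fit = fitness(pos[h])
            if fit > pbest_fit[h]:
                pbest[h], pbest_fit[h] = pos[h][:], fit
                if fit > gbest_fit:
                    gbest, gbest_fit, improved = pos[h][:], fit, True
        stall = 0 if improved else stall + 1
        if stall >= patience:  # Gbest has converged: stop before the generation limit
            break
    return gbest, gbest_fit

def select_features(rows, n_classes, seed=0):
    """Stage 1 end to end: MI matrix, then BPSO over the evaluation function."""
    mi = mi_matrix(rows, n_classes)
    mask, score = bpso(lambda mk: evaluate_subset(mi, mk), len(mi), seed=seed)
    return [i for i, bit in enumerate(mask) if bit], score
```

On a constructed MI matrix, a duplicate of an already selected feature lowers H_Rel (a repeated column makes R rank-deficient) and a zero-information feature lowers the average MI, so both are rejected by the evaluation function.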
The deep model network attack detection module: network attack detection with a deep model on the basis of the network data feature subset. The reduced network data set is used as training data, and a real-time network attack detection model is built with deep learning technology. The module comprises the following sub-modules:
The deep network attack detection model training module trains the deep network attack detection model. After the feature dimension reduction module for the network data set has finished, the optimal feature subset of the network data is obtained and used as the input of the deep learning model in the deep model network attack detection module. The invention adopts a Deep Belief Network (DBN). The feature subset data enter through an input layer X, are computed through hidden layers H, and are finally output through an output layer Y. Pre-training maps the same feature vector into different feature spaces so that more feature information is retained; fine-tuning then trains the whole network in a supervised manner to obtain a classifier. The activation function of the output layer is set to a linear function and that of the hidden layer neurons to a Sigmoid function. The number of layers and the number of neurons per layer are set according to the size of the network feature subset data; to ensure timely detection, the invention uses a 7-layer network with neuron counts [50, 40, 35, 30, 26, 22, 22].
The real-time detection module of the deep network attack detection model performs real-time detection with the trained model. The detection system first collects network data, reduces it according to the feature preprocessing and the optimal feature subset, and feeds the result into the trained deep learning network model, which outputs the network attack type or reports that no attack is currently present.
The offline model optimization module optimises the system model offline. The real-time monitoring data of the network attack detection are manually re-checked; when the number of detected errors exceeds a set threshold δ, the erroneous instances are manually corrected and relabelled, all incremental network data are merged with the original network data, and the merged data are fed back through the feature dimension reduction module and the deep model network attack detection module to optimise the network attack detection system model offline.
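The real-time detection and offline optimisation modules above, together with the preprocessing that the claims describe in step 1.1, as an added worked example in Python (this is not code from the patent): records are screened against the feature-missing threshold, low-information features are dropped, non-numeric features are one-hot encoded, each incoming record is reduced to the selected feature subset and scored, and analyst-corrected errors are accumulated until they exceed δ, at which point the increment is merged with the original data for retraining. Assumptions not fixed by the page: `None` marks a missing value, "low information" is read as fewer than two distinct observed values, a missing numeric value is imputed as 0.0, the sample flow records and their field names are constructed, and a threshold rule on the constructed `pkt_rate` field stands in for the trained DBN.

```python
"""Added example, not the patent's own code: the detection-time pipeline
around a trained model, with the error-feedback loop for offline retraining.
The rule model stands in for the trained DBN."""

# Constructed flow summaries (not real captures). "label" is the target; the
# other fields are candidate features.  None marks a missing value.
SAMPLE_RECORDS = [
    {"proto": "tcp", "pkt_rate": 12.0, "bytes": 840, "version": 4, "label": "normal"},
    {"proto": "udp", "pkt_rate": 4300.0, "bytes": 120, "version": 4, "label": "dos"},
    {"proto": "tcp", "pkt_rate": 9.5, "bytes": 2210, "version": 4, "label": "normal"},
    {"proto": "udp", "pkt_rate": 3.0, "bytes": None, "version": 4, "label": "normal"},
    {"proto": None, "pkt_rate": None, "bytes": None, "version": 4, "label": "normal"},
]


def fit_columns(records, missing_threshold=0.25, min_distinct=2, label="label"):
    """Step 1.1 on the training set.  Returns the kept records and the column
    spec: (field, None) for a numeric column, (field, value) for a one-hot
    column.  'Low information' is taken as fewer than min_distinct observed
    values (an assumed criterion)."""
    fields = sorted({k for r in records for k in r if k != label})
    kept = [r for r in records
            if sum(r.get(k) is None for k in fields) / len(fields) <= missing_threshold]
    columns = []
    for k in fields:
        values = {r[k] for r in kept if r.get(k) is not None}
        if len(values) < min_distinct:
            continue
        if all(isinstance(v, (int, float)) and not isinstance(v, bool) for v in values):
            columns.append((k, None))
        else:
            columns.extend((k, v) for v in sorted(values))
    return kept, columns


def column_names(columns):
    return [k if v is None else f"{k}={v}" for k, v in columns]


def encode(record, columns):
    """Map one record onto the fitted columns.  A missing numeric value becomes
    0.0 (assumed imputation); a missing categorical value sets no bit."""
    row = []
    for k, v in columns:
        x = record.get(k)
        row.append((0.0 if x is None else float(x)) if v is None
                   else (1.0 if x == v else 0.0))
    return row


def rule_model(reduced):
    """Stand-in for the trained DBN; expects the reduced vector [pkt_rate, proto=udp]."""
    return "dos" if reduced[0] > 1000.0 else "normal"


class Detector:
    """Real-time detection (step 2.2) plus the error-feedback loop (step 2.3)."""

    def __init__(self, model, columns, selected, delta):
        self.model, self.columns, self.delta = model, columns, delta
        names = column_names(columns)
        self.keep = [i for i, n in enumerate(names) if n in selected]  # keeps column order
        self.increment = []  # analyst-corrected records awaiting retraining

    def reduce(self, record):
        """Preprocess one record and keep only the optimal feature subset."""
        row = encode(record, self.columns)
        return [row[i] for i in self.keep]

    def detect(self, record):
        return self.model(self.reduce(record))

    def review(self, record, predicted, truth):
        """Manual re-check: a wrong verdict is relabelled with the analyst's truth
        and stored; returns True once more than delta errors have accumulated,
        i.e. offline optimisation is due."""
        if predicted != truth:
            self.increment.append(dict(record, label=truth))
        return len(self.increment) > self.delta

    def retraining_set(self, original):
        """Merge the increment with the original data and reset the counter; the
        result is what re-enters feature reduction and model training."""
        merged = list(original) + self.increment
        self.increment = []
        return merged


if __name__ == "__main__":
    kept, columns = fit_columns(SAMPLE_RECORDS)
    det = Detector(rule_model, columns, {"pkt_rate", "proto=udp"}, delta=1)
    for r in kept:
        print(r["label"], "->", det.detect(r))
```

The column spec is fitted once on the training set and reused unchanged at detection time, so a record seen live is encoded exactly as the training rows were; the constant `version` field disappears as low-information and the record with three of four features missing is dropped by the threshold screen.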
The above embodiments are merely illustrative of the technical ideas and features of the present invention, and the purpose thereof is to enable those skilled in the art to understand the contents of the present invention and implement the present invention, and not to limit the protection scope of the present invention. All equivalent changes and modifications made according to the spirit of the present invention should be covered within the protection scope of the present invention.
Claims (4)
1. A network attack detection method based on a two-stage learning model is characterized by comprising the following steps:
step 1: evaluating the feature combination by taking the feature subset of the network data set as an indivisible unit to realize feature dimension reduction of the network data set;
step 2: the reduced network data set is used as training data, and a deep network attack detection model is realized by utilizing a deep learning technology;
the step 1 is as follows:
step 1.1, preprocessing the mass network data: first, data instances exceeding the feature-missing threshold are removed in a preliminary screening; then features with low information content are deleted from the screened network data set; finally, non-numeric features in the network data set are one-hot encoded into binary vectors;
step 1.2, constructing a feature subset evaluation function for the network data set: a measurable multivariate network intrusion detection analysis model F is constructed from the mutual information between the network data features and the network attack types;
wherein the concrete values of the network data samples with n-dimensional features are not used as input; instead, the mutual information $I_{ij}$ of each network data feature dimension with each network attack category is computed and used as input, $I(f_i, C_j) = H(f_i) + H(C_j) - H(f_i, C_j)$ denoting the mutual information of the i-th network data feature and the j-th network attack category, where $H(f_i, C_j) = -\sum p(f_i, C_j)\,\log_2 p(f_i, C_j)$; after the matrix F is centred and normalised, the correlation matrix Rel is computed as $R = P^{T} P$; from it the associated information entropy $H_{Rel}$ and a second associated entropy are calculated; the average mutual information, which represents the average amount of useful information, is introduced; the final evaluation function is obtained by weighting the maximisation of $H_{Rel}$ and the second associated entropy against the average mutual information, where $k_1$ and $k_2$ are non-negative constants controlling the influence of the associated information entropy and the average mutual information on the selected features (the formulas for the two associated entropies, the average mutual information and the evaluation function do not survive on this page);
step 1.3, determining a feature subset of the network data set by using a binary particle swarm evolutionary search strategy; a particle h is a bit string of 0s and 1s that maps onto the n feature dimensions, a feature dimension being selected when its corresponding bit is 1; in the binary particle swarm algorithm each particle moves in the solution space of feature subsets of the network data set and records its own optimal solution Pbest and the group optimal solution Gbest to update its own position; the own optimal solution is the position with the optimal fitness value that the individual particle has visited, and the group optimal solution is the position with the optimal fitness among all positions visited by all particles in the whole swarm; the particle update is as follows (the update formulas do not survive on this page): $c_1$ and $c_2$ are learning factors, $\omega$ is the inertia factor, a velocity term represents the velocity of the h-th particle in the t-th generation and a position term represents the position of the h-th particle in the t-th generation; the binary particle swarm algorithm converts the continuous velocity value into a binary value of 0 or 1 through a Sigmoid function, so that the particle position is likewise represented by a binary vector of 0s and 1s; the process of updating the own optimal solution Pbest and the group optimal solution Gbest is repeated, with limits on the number of evolutionary generations and on the convergence of the optimum of the binary particle swarm evolutionary search, until the final feature subset of the network data set is determined.
2. The network attack detection method based on the two-stage learning model as claimed in claim 1, wherein step 2 is as follows:
step 2.1, training the deep network attack detection model: after step 1 is finished, the optimal feature subset of the network data is obtained and used as the input of the deep learning network model of step 2; the feature subset data of the network data set enter through an input layer X, are computed through hidden layers H, and are finally output through an output layer Y; pre-training maps the same feature vector into different feature spaces so that more feature information is retained; fine-tuning trains the whole network in a supervised manner to obtain a classifier; the output layer activation function of the deep learning network model is set to a linear function and the hidden layer neuron activation function to a Sigmoid function; the number of neuron layers and the number of neurons per layer are set according to the size of the feature subset data of the network data set;
step 2.2, real-time detection with the deep network attack detection model: the detection model first collects network data, reduces it according to the feature preprocessing and the optimal feature subset of the network data, inputs the result into the trained deep learning network model, and obtains the network attack type or the current no-attack state;
step 2.3, offline model optimisation: the real-time monitoring data of the network attack detection are manually re-checked; when the number of detected errors exceeds a set threshold δ, the erroneous instances are manually corrected and relabelled, all incremental network data are merged with the original network data, and step 1 and step 2 are re-entered to optimise the deep network attack detection model offline.
3. A network attack detection system based on a two-stage learning model is characterized by comprising the following modules:
a feature dimension reduction module of the network data set: evaluating the feature combination by taking the feature subset of the network data set as an indivisible unit to realize feature dimension reduction of the network data set;
the deep model network attack detection module: the network data set reduced by the feature dimension reduction module of the network data set is used as training data, and a deep network attack detection model is realised with deep learning technology;
the characteristic dimension reduction module of the network data set specifically comprises the following sub-modules:
the preprocessing module of the mass network data: preprocessing the mass network data; first, data instances exceeding the feature-missing threshold are removed in a preliminary screening; then features with low information content are deleted from the screened network data set; finally, non-numeric features in the network data set are one-hot encoded into binary vectors;
a feature subset evaluation function construction module of the network data set: constructing a feature subset evaluation function for the network data set; a measurable multivariate network intrusion detection analysis model F is constructed from the mutual information between the network data features and the network attack types;
wherein the concrete values of the network data samples with n-dimensional features are not used as input; instead, the mutual information $I_{ij}$ of each network data feature dimension with each network attack category is computed and used as input, $I(f_i, C_j) = H(f_i) + H(C_j) - H(f_i, C_j)$ denoting the mutual information of the i-th network data feature and the j-th network attack category, where $H(f_i, C_j) = -\sum p(f_i, C_j)\,\log_2 p(f_i, C_j)$; after the matrix F is centred and normalised, the correlation matrix Rel is computed as $R = P^{T} P$; from it the associated information entropy $H_{Rel}$ and a second associated entropy are calculated; the average mutual information, which represents the average amount of useful information, is introduced; the final evaluation function is obtained by weighting the maximisation of $H_{Rel}$ and the second associated entropy against the average mutual information, where $k_1$ and $k_2$ are non-negative constants controlling the influence of the associated information entropy and the average mutual information on the selected features (the formulas for the two associated entropies, the average mutual information and the evaluation function do not survive on this page);
a feature subset determination module of the network data set using a binary particle swarm evolutionary search strategy: determining a feature subset of the network data set by using a binary particle swarm evolutionary search strategy; a particle h is a bit string of 0s and 1s that maps onto the n feature dimensions, a feature dimension being selected when its corresponding bit is 1; in the binary particle swarm algorithm each particle moves in the solution space of feature subsets of the network data set and records its own optimal solution Pbest and the group optimal solution Gbest to update its own position; the own optimal solution is the position with the optimal fitness value that the individual particle has visited, and the group optimal solution is the position with the optimal fitness among all positions visited by all particles in the whole swarm; the particle update is as follows (the update formulas do not survive on this page): $c_1$ and $c_2$ are learning factors, $\omega$ is the inertia factor, a velocity term represents the velocity of the h-th particle in the t-th generation and a position term represents the position of the h-th particle in the t-th generation; the binary particle swarm algorithm converts the continuous velocity value into a binary value of 0 or 1 through a Sigmoid function, so that the particle position is likewise represented by a binary vector of 0s and 1s; the process of updating the own optimal solution Pbest and the group optimal solution Gbest is repeated, with limits on the number of evolutionary generations and on the convergence of the optimum of the binary particle swarm evolutionary search, until the final feature subset of the network data set is determined.
4. The network attack detection system based on the two-stage learning model as claimed in claim 3, wherein the deep model network attack detection module specifically comprises the following sub-modules:
the deep network attack detection model training module: training the deep network attack detection model; after the reduction by the feature dimension reduction module of the network data set is finished, the optimal feature subset of the network data is obtained and used as the input of the deep learning network model; the feature subset data of the network data set enter through an input layer X, are computed through hidden layers H, and are finally output through an output layer Y; pre-training maps the same feature vector into different feature spaces so that more feature information is retained; fine-tuning trains the whole network in a supervised manner to obtain a classifier; the output layer activation function of the deep learning network model is set to a linear function and the hidden layer neuron activation function to a Sigmoid function; the number of neuron layers and the number of neurons per layer are set according to the size of the feature subset data of the network data set;
the real-time detection module of the deep network attack detection model: real-time detection with the deep network attack detection model; the detection model first collects network data, reduces it according to the feature preprocessing and the optimal feature subset of the network data, inputs the result into the trained deep learning network model, and obtains the network attack type or the current no-attack state;
an offline model optimization module: optimising the model offline; the real-time monitoring data of the network attack detection are manually re-checked; when the number of detected errors exceeds a set threshold δ, the erroneous instances are manually corrected and relabelled, all incremental network data are merged with the original network data, and the feature dimension reduction module of the network data set and the deep model network attack detection module are re-entered to optimise the deep network attack detection model offline.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110938301.9A CN113746813B (en) | 2021-08-16 | 2021-08-16 | Network attack detection system and method based on two-stage learning model |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110938301.9A CN113746813B (en) | 2021-08-16 | 2021-08-16 | Network attack detection system and method based on two-stage learning model |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113746813A CN113746813A (en) | 2021-12-03 |
CN113746813B true CN113746813B (en) | 2022-05-10 |
Family
ID=78731273
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110938301.9A Active CN113746813B (en) | 2021-08-16 | 2021-08-16 | Network attack detection system and method based on two-stage learning model |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113746813B (en) |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104361393B (en) * | 2014-09-06 | 2018-02-27 | 华北电力大学 | Data prediction method based on a neural network model improved by a particle swarm optimization algorithm |
CN108040073A (en) * | 2018-01-23 | 2018-05-15 | 杭州电子科技大学 | Malicious attack detection method based on deep learning in a cyber-physical traffic system |
CN110619292B (en) * | 2019-08-31 | 2021-05-11 | 浙江工业大学 | Adversarial defense method based on binary particle swarm channel optimization |
CN110889111A (en) * | 2019-10-23 | 2020-03-17 | 广东工业大学 | Power grid false data injection attack detection method based on a deep belief network |
CN111404911B (en) * | 2020-03-11 | 2022-10-14 | 国网新疆电力有限公司电力科学研究院 | Network attack detection method and device, and electronic equipment |
Also Published As
Publication number | Publication date |
---|---|
CN113746813A (en) | 2021-12-03 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN115618296B (en) | Dam monitoring time sequence data anomaly detection method based on graph attention network | |
CN113723010B (en) | Bridge damage early warning method based on LSTM temperature-displacement correlation model | |
CN112087442B (en) | Time sequence related network intrusion detection method based on attention mechanism | |
CN112733447B (en) | Underwater sound source positioning method and system based on domain adaptive network | |
CN113806746A (en) | Malicious code detection method based on improved CNN network | |
CN116448419A (en) | Zero sample bearing fault diagnosis method based on depth model high-dimensional parameter multi-target efficient optimization | |
CN112949821B (en) | Network security situation awareness method based on dual-attention mechanism | |
CN111598179A (en) | Power monitoring system user abnormal behavior analysis method, storage medium and equipment | |
CN112464996A (en) | Intelligent power grid intrusion detection method based on LSTM-XGboost | |
CN115811440B (en) | Real-time flow detection method based on network situation awareness | |
CN111709577B (en) | RUL prediction method based on long-range correlation GAN-LSTM | |
CN115456044A (en) | Equipment health state assessment method based on knowledge graph multi-set pooling | |
CN113887694A (en) | Click rate estimation model based on characteristic representation under attention mechanism | |
CN116894180B (en) | Product manufacturing quality prediction method based on different composition attention network | |
CN115438897A (en) | Industrial process product quality prediction method based on BLSTM neural network | |
CN114299305A (en) | Salient object detection algorithm for aggregating dense and attention multi-scale features | |
CN113746813B (en) | Network attack detection system and method based on two-stage learning model | |
CN113033898A (en) | Electrical load prediction method and system based on K-means clustering and BI-LSTM neural network | |
CN112528554A (en) | Data fusion method and system suitable for multi-launch multi-source rocket test data | |
CN111310974A (en) | Short-term water demand prediction method based on GA-ELM | |
CN116720095A (en) | Electrical characteristic signal clustering method for optimizing fuzzy C-means based on genetic algorithm | |
CN115600134A (en) | Bearing transfer learning fault diagnosis method based on domain dynamic impedance self-adaption | |
CN114841778A (en) | Commodity recommendation method based on dynamic graph neural network | |
CN110728292A (en) | Self-adaptive feature selection algorithm under multi-task joint optimization | |
Jin et al. | Research on multi-sensor information fusion algorithm of fan detection robot based on improved BP neural network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||