CN113746813B - Network attack detection system and method based on two-stage learning model - Google Patents


Info

Publication number
CN113746813B
Authority
CN
China
Prior art keywords
network
network data
feature
model
data set
Prior art date
Legal status
Active
Application number
CN202110938301.9A
Other languages
Chinese (zh)
Other versions
CN113746813A (en)
Inventor
滕旭阳
张云啸
何美霖
毕美华
仇兆炀
Current Assignee
Hangzhou Dianzi University
Original Assignee
Hangzhou Dianzi University
Priority date
Filing date
Publication date
Application filed by Hangzhou Dianzi University
Priority to CN202110938301.9A
Publication of CN113746813A
Application granted
Publication of CN113746813B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 18/00 Pattern recognition
    • G06F 18/20 Analysing
    • G06F 18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F 18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 3/00 Computing arrangements based on biological models
    • G06N 3/02 Neural networks
    • G06N 3/04 Architecture, e.g. interconnection topology
    • G06N 3/045 Combinations of networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 3/00 Computing arrangements based on biological models
    • G06N 3/02 Neural networks
    • G06N 3/08 Learning methods

Abstract

The invention discloses a network attack detection system and method based on a two-stage learning model, wherein the method comprises the following steps. Step 1: evaluating feature combinations with the feature subset of the network data set treated as an indivisible unit, so as to realize feature dimension reduction of the network data set. Step 2: taking the reduced network data set as training data and realizing a real-time network attack detection model by means of deep learning. This two-stage network attack detection scheme fully considers the feature combination effect of high-risk network data, guarantees the accuracy and timeliness required in network attack detection, and combines feature selection, evolutionary search and a deep learning model to improve the identification accuracy of network attack detection and shorten the model training time.

Description

Network attack detection system and method based on two-stage learning model
Technical Field
The invention belongs to the technical field of network attack detection, and particularly relates to a two-stage detection system and a two-stage detection method for network attack data preprocessing and network attack data identification.
Background
How to effectively realize network attack detection in the era of universal interconnection is one of the key problems of the big data environment, and in recent years various identification methods based on deep neural networks have been widely applied to network attack detection systems. Compared with traditional machine learning methods, deep neural network models can achieve higher detection precision. The most critical factor influencing the various network attack detection models is how the data features of high-dimensional network attacks are used, so the primary basic task in extracting valuable information from large-scale, high-dimensional network attack data is to find the key features of the network attack data.
With the continuous expansion of data scale in the network field, a large amount of redundant, useless and noisy data is also generated within the large-scale data present in the network, and this data seriously affects the performance and speed of the learning algorithms used for network attack detection. Excessive data volume is only one of the problems in analysing network attacks; when facing high-dimensional data, the 'curse of dimensionality' arises even if the data volume is small. A large number of data features seriously affects the identification efficiency of network attack detection methods and makes the structure of the detection model complex. Although the advent of deep learning has raised the recognition accuracy of network attack detection to a higher level, recognition efficiency is reduced because deep learning models are more complex than traditional machine learning models for network attack detection.
Dimensionality reduction therefore needs to be performed on high-dimensional network data, and an efficient real-time network attack detection method constructed on the reduced feature subset. In feature dimension reduction, different evaluation modes have their own advantages: distance-based evaluation is faster to compute, information-theoretic methods are robust against noisy data sets, consistency-based evaluation gives good interpretability of the data, and so on; but an overall measure that takes the feature subset of network attack data as a unit is generally lacking. Meanwhile, existing deep learning models for network attack detection are usually assumed to have strong learning capability and no feature preprocessing is performed, so model training time is too long and the difficulty of deploying the network attack detection model and system increases.
In 2016, the inventors of the present application published in the journal Computer Research and Development a feature selection method based on an associated information entropy measure, which uses the associated information entropy to search the feature set, fully considers the multivariate relationships among the different features in a feature subset, and can evaluate the feature subset as a whole, treating it as an independent element. Verification on several common benchmark data sets combined with traditional machine learning classification models showed good improvements in training time and classification precision. However, that method was not combined with a deep learning model for performance analysis, so how to form network attack detection for ultra-high-dimensional network data remains an urgent problem to be solved.
Disclosure of Invention
Aiming at the problems in the prior art, the invention provides a network attack detection system and method based on a two-stage learning model, so as to verify the performance advantages of a feature selection technology based on a combined effect and a deep learning model in network attack detection. In the invention, in the first stage, the feature subset of the network data set is used as an indivisible unit to evaluate the feature combination, so as to realize the feature dimension reduction of the network data set; and in the second stage, the reduced network data set is used as training data, and a deep learning technology is utilized to realize a network attack real-time detection model, so that a complete general detection technical scheme combining low-order feature combination effect evaluation and high-order deep feature combination extraction of the network data is formed.
Based on this, the invention adopts the following technical scheme:
a network attack detection method based on a two-stage learning model is carried out according to the following steps:
stage 1: a feature dimension reduction of the network data set; in the stage, the feature subset of the network data set is used as an indivisible unit to evaluate feature combination, so as to realize feature dimension reduction of the network data set; the method comprises the following specific steps:
Step 1.1, preprocessing of mass network data. First, data instances whose proportion of missing features exceeds a threshold are removed in an initial screening; then low-information features such as sequence numbers and timestamps are deleted from the initially screened network data set; finally, the non-numerical features in the network data set are mapped by one-hot encoding into binary vectors;
Step 1.2, constructing the feature subset evaluation function of the network data set. A measurable multivariate network intrusion detection analysis model F is constructed from the Mutual Information (MI) between the network data features and the network attack types.
Figure BDA0003213724350000021
Here the concrete values of the network data samples with n-dimensional features are not used as input; instead the mutual information $I_{ij}$ between each feature dimension and each network attack class is computed and used as input, where $I(f_i, C_j) = H(f_i) + H(C_j) - H(f_i, C_j)$ is the mutual information of the i-th feature and the j-th class, H is the information entropy of a variable, and $H(f_i, C_j) = -\sum p(f_i, C_j)\log_2 p(f_i, C_j)$. After centering and normalizing the matrix F to obtain P, the correlation matrix Rel is computed as $R = P^T P$. Then, from the eigenvalues $\lambda$,
Figure BDA0003213724350000022
And
Figure BDA0003213724350000023
the associated information entropy $H_{Rel}$ is obtained, together with
Figure BDA0003213724350000024
To avoid the tendency, when only the associated information entropy is used, to select features that themselves carry little information (a system that contains no information naturally contains no redundant information either), the average mutual information is also introduced,
Figure BDA0003213724350000025
Representing the average useful information size within the system,
Figure BDA0003213724350000026
Based on maximizing $H_{Rel}$ and
Figure BDA0003213724350000027
the two are weighted to obtain the final evaluation function
Figure BDA0003213724350000028
Figure BDA0003213724350000029
$k_1$ and $k_2$ are non-negative constants that control the magnitude of the influence of the associated information entropy and of the average mutual information on the selected features.
Step 1.3, determining the feature subset with a Binary Particle Swarm Optimization (BPSO) evolutionary search strategy. A particle h is a bit string of 0s and 1s that maps onto the n-dimensional feature space; a feature is selected when its corresponding bit is 1. In binary particle swarm optimization each particle moves in the solution space of feature subsets, recording its own best solution (Pbest) and the swarm's best solution (Gbest) to update its position. Pbest is the position with the best fitness value that the individual particle has visited so far, and Gbest is the position with the best fitness among all positions visited by all particles in the swarm. The particle update is as follows:
Figure BDA0003213724350000031
Figure BDA0003213724350000032
where $c_1$ and $c_2$ are learning factors, $\omega$ is the inertia factor,
Figure BDA0003213724350000033
is the velocity of the h-th particle in the t-th generation, and
Figure BDA0003213724350000034
is the position of the h-th particle in the t-th generation. The BPSO algorithm converts the continuous velocity values into 0/1 bits through the Sigmoid function, so the position of a particle is likewise a binary 0/1 vector. This process is repeated, with limits on the number of evolutionary generations and on convergence of the optimum applied to the BPSO search, until the final network data feature subset is determined.
Stage 2: deep model network attack detection based on the network data feature subset; the reduced network data set is used as training data and a real-time network attack detection model is realized with deep learning; the specific steps are as follows:
Step 2.1, training the deep network attack detection model. After the first stage, the optimal feature subset of the network data is obtained and used as the input of the second-stage deep learning model. The invention adopts Deep Belief Networks (DBN). The network feature subset data enters through an input layer X, is computed by hidden layers H and is finally output by an output layer Y. Pre-training maps the same feature vector into different feature spaces so as to preserve more feature information; fine-tuning then trains the whole network in a supervised manner to obtain a classifier. The activation function of the output layer is linear and that of the hidden-layer neurons is the Sigmoid function. The number of layers and the number of neurons per layer are set according to the data scale of the network feature subset; to ensure timeliness of testing, the invention uses a 7-layer network with neuron counts [50, 40, 35, 30, 26, 22, 22].
Step 2.2, real-time detection with the deep network attack detection model. The detection system first collects network data, reduces it according to the feature preprocessing and the optimal feature subset, and inputs it into the trained deep learning model, which outputs the network attack type or the current attack-free state.
Step 2.3, offline optimization of the system model. Manual re-checking is performed on the real-time monitoring data of network attack detection; when the number of detected erroneous instances exceeds a set threshold δ, the erroneous instances are manually corrected and labelled, all incremental network data is merged with the original network data, and the first and second stages are re-entered to optimize the network attack detection system model offline.
The invention also discloses a network attack detection system based on the two-stage learning model, which comprises the following modules:
a feature dimension reduction module of the network data set: the module evaluates the feature combination by taking the feature subset of the network data set as an indivisible unit to realize the feature dimension reduction of the network data set; the method specifically comprises the following sub-modules:
The preprocessing module for mass network data: preprocesses mass network data. First, data instances whose proportion of missing features exceeds a threshold are removed in an initial screening; then low-information features such as sequence numbers and timestamps are deleted from the initially screened network data set; finally, the non-numerical features in the network data set are mapped by one-hot encoding into binary vectors;
The feature subset evaluation function construction module of the network data set: constructs the feature subset evaluation function of the network data set. A measurable multivariate network intrusion detection analysis model F is constructed from the Mutual Information (MI) between the network data features and the network attack types.
Figure BDA0003213724350000041
Here the concrete values of the network data samples with n-dimensional features are not used as input; instead the mutual information $I_{ij}$ between each feature dimension and each network attack class is computed and used as input, where $I(f_i, C_j) = H(f_i) + H(C_j) - H(f_i, C_j)$ is the mutual information of the i-th feature and the j-th class, and $H(f_i, C_j) = -\sum p(f_i, C_j)\log_2 p(f_i, C_j)$. After centering and normalizing the matrix F to obtain P, the correlation matrix Rel is computed as $R = P^T P$. Then, from
Figure BDA0003213724350000042
And
Figure BDA0003213724350000043
the associated information entropy $H_{Rel}$ is calculated, together with
Figure BDA0003213724350000044
To avoid the tendency, when only the associated information entropy is used, to select features that themselves carry little information (a system that contains no information naturally contains no redundant information either), the average mutual information is also introduced,
Figure BDA0003213724350000045
Representing the average useful information size within the system,
Figure BDA0003213724350000046
Based on maximizing $H_{Rel}$ and
Figure BDA0003213724350000047
the two are weighted to obtain the final evaluation function
Figure BDA0003213724350000048
$k_1$ and $k_2$ are non-negative constants that control the magnitude of the influence of the associated information entropy and of the average mutual information on the selected features.
The feature subset determination module using a binary particle swarm evolutionary search strategy: determines the feature subset with a Binary Particle Swarm Optimization (BPSO) evolutionary search strategy. A particle h is a bit string of 0s and 1s that maps onto the n-dimensional feature space; a feature is selected when its corresponding bit is 1. In binary particle swarm optimization each particle moves in the solution space of feature subsets, recording its own best solution (Pbest) and the swarm's best solution (Gbest) to update its position. Pbest is the position with the best fitness value that the individual particle has visited so far, and Gbest is the position with the best fitness among all positions visited by all particles in the swarm. The particle update is as follows:
Figure BDA0003213724350000049
Figure BDA00032137243500000410
The BPSO algorithm converts the continuous velocity values into 0/1 bits through the Sigmoid function, so the position of a particle is likewise a binary 0/1 vector. This process is repeated, with limits on the number of evolutionary generations and on convergence of the optimum applied to the BPSO search, until the final network data feature subset is determined.
The deep model network attack detection module: performs deep model network attack detection based on the network data feature subset; the reduced network data set is used as training data and a real-time network attack detection model is realized with deep learning; it specifically comprises the following sub-modules:
The deep network attack detection model training module: trains the deep network attack detection model. After the feature dimension reduction module of the network data set has finished, the optimal feature subset of the network data is obtained and used as the input of the deep learning model of the deep model network attack detection module. The invention adopts Deep Belief Networks (DBN). The network feature subset data enters through an input layer X, is computed by hidden layers H and is finally output by an output layer Y. Pre-training maps the same feature vector into different feature spaces so as to preserve more feature information; fine-tuning then trains the whole network in a supervised manner to obtain a classifier. The activation function of the output layer is linear and that of the hidden-layer neurons is the Sigmoid function. The number of layers and the number of neurons per layer are set according to the data scale of the network feature subset; to ensure timeliness of testing, the invention uses a 7-layer network with neuron counts [50, 40, 35, 30, 26, 22, 22].
The real-time detection module of the deep network attack detection model: performs real-time detection with the deep network attack detection model. The detection system first collects network data, reduces it according to the feature preprocessing and the optimal feature subset, and inputs it into the trained deep learning model, which outputs the network attack type or the current attack-free state.
The offline model optimization module: optimizes the system model offline. Manual re-checking is performed on the real-time monitoring data of network attack detection; when the number of detected erroneous instances exceeds a set threshold δ, the erroneous instances are manually corrected and labelled, all incremental network data is merged with the original network data, and the feature dimension reduction module and the deep model network attack detection module are re-entered to optimize the network attack detection system model offline.
The two-stage network attack detection system fully considers the feature combination effect of high-risk network data and, aiming at the accuracy and timeliness required in network attack detection, combines feature selection, evolutionary search and a deep learning model so as to improve the identification accuracy of network attack detection and shorten the model training time.
Compared with the prior art, the invention has the following beneficial effects:
1. The associated information entropy is introduced, and the correlation between network features and attack categories, both linear and nonlinear, is considered; in a multi-base high-dimensional space this greatly reduces the size of the multivariate network attack detection model.
2. To avoid the tendency, when only the associated information entropy is used, to select features with little information (a system that contains no information naturally contains no redundant information either), the average mutual information is introduced to represent the average useful information within the system.
3. The choice of deep learning model is not limited to a specific model; Deep Belief Networks (DBN), Stacked Autoencoders (SAE), Recurrent Neural Networks (RNN), Elman networks and other deep learning models can be selected.
Drawings
Fig. 1 is a schematic flow chart of a network attack detection method of a two-stage learning model.
Fig. 2 is a comparison graph of the recognition accuracy of the network attack detection system of the two-stage learning model and the single-stage network attack learning model in three network data sets. CMI-DL is an example of the system of the invention, and DBN is an example of a single-stage network attack learning model.
Fig. 3 is a comparison graph (in seconds) of real-time detection time of the network attack detection system of the two-stage learning model and the learning model of the single-stage network attack learning model in different network data sets. CMI-DL is an example of the system of the invention, and DBN is an example of a single-stage network attack learning model.
Fig. 4 is a block diagram of a network attack detection system of a two-stage learning model.
Detailed Description
The preferred embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
Example 1
As shown in fig. 1, the network attack detection method based on the two-stage learning model according to the present embodiment is performed according to the following steps:
stage 1: a feature dimension reduction of the network data set; in the stage, the feature subset of the network data set is used as an indivisible unit to evaluate feature combination, so as to realize feature dimension reduction of the network data set; the method comprises the following specific steps:
Step 1.1, preprocessing of mass network data. First, an initial screening removes data instances whose proportion of missing features exceeds a threshold; then low-information features such as sequence numbers and timestamps are deleted from the initially screened network data set; finally, the non-numerical features in the network data set are mapped by one-hot encoding into binary vectors;
Step 1.2, constructing the feature subset evaluation function of the network data set. A measurable multivariate network intrusion detection analysis model F is constructed from the Mutual Information (MI) between the network data features and the network attack types.
Figure BDA0003213724350000061
Here the concrete values of the network data samples with n-dimensional features are not used as input; instead the mutual information $I_{ij}$ between each feature dimension and each network attack class is computed and used as input, where $I(f_i, C_j) = H(f_i) + H(C_j) - H(f_i, C_j)$ is the mutual information of the i-th feature and the j-th class, and $H(f_i, C_j) = -\sum p(f_i, C_j)\log_2 p(f_i, C_j)$. After centering and normalizing the matrix F to obtain P, the correlation matrix Rel is computed as $R = P^T P$. Then, from
Figure BDA0003213724350000062
And
Figure BDA0003213724350000063
the associated information entropy $H_{Rel}$ is calculated, together with
Figure BDA0003213724350000064
To avoid the tendency, when only the associated information entropy is used, to select features that themselves carry little information (a system that contains no information naturally contains no redundant information either), the average mutual information is also introduced,
Figure BDA0003213724350000065
Representing the average useful information size within the system,
Figure BDA0003213724350000066
Based on maximizing $H_{Rel}$ and
Figure BDA0003213724350000067
the two are weighted to obtain the final evaluation function
Figure BDA0003213724350000068
$k_1$ and $k_2$ are non-negative constants that control the magnitude of the influence of the associated information entropy and of the average mutual information on the selected features.
Step 1.3, determining the feature subset with a Binary Particle Swarm Optimization (BPSO) evolutionary search strategy. A particle h is a bit string of 0s and 1s that maps onto the n-dimensional feature space; a feature is selected when its corresponding bit is 1. In the binary particle swarm algorithm each particle moves in the solution space of feature subsets, recording its own best solution (Pbest) and the swarm's best solution (Gbest) to update its position. Pbest is the position with the best fitness value that the individual particle has visited so far, and Gbest is the position with the best fitness among all positions visited by all particles in the swarm. The particle update is as follows:
Figure BDA0003213724350000071
Figure BDA0003213724350000072
The BPSO algorithm converts the continuous velocity values into 0/1 bits through the Sigmoid function, so the position of a particle is likewise a binary 0/1 vector. This process is repeated, with limits on the number of evolutionary generations and on convergence of the optimum applied to the BPSO search, until the final network data feature subset is determined.
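The BPSO search of step 1.3 (described identically in the Disclosure and in Example 2), as an added example that is not the patent's own code: each bit of a particle selects one feature, the velocity follows the update rule above and is passed through the Sigmoid function to re-sample the bit, and Pbest and Gbest are tracked per particle and per swarm. The step 1.2 evaluation function is replaced by a constructed stand-in fitness with a known set of informative feature indices; the velocity clip `vmax` and the `patience` rule are assumed forms of the generation and convergence limits the text mentions.

```python
import math
import random


def sigmoid(v):
    """Maps a continuous velocity to the probability that the bit becomes 1."""
    return 1.0 / (1.0 + math.exp(-v))


def update_velocity(v, x, pbest, gbest, r1, r2, c1=2.0, c2=2.0, omega=0.9, vmax=4.0):
    """v_{t+1} = omega*v_t + c1*r1*(Pbest - x) + c2*r2*(Gbest - x), clipped to [-vmax, vmax].
    The clip is common BPSO practice (assumption, not stated on the page); it keeps
    sigmoid(v) away from exactly 0 or 1 so bits can still flip late in the search."""
    new_v = omega * v + c1 * r1 * (pbest - x) + c2 * r2 * (gbest - x)
    return max(-vmax, min(vmax, new_v))


def update_position(v, rnd):
    """x_{t+1} = 1 if rnd < sigmoid(v_{t+1}) else 0; a 1 bit selects that feature."""
    return 1 if rnd < sigmoid(v) else 0


def bpso(fitness, n_features, swarm_size=20, generations=60, patience=15, seed=0, **kw):
    """Maximise `fitness` over bit strings. Returns (gbest_bits, gbest_fitness, history),
    where history[g] is the Gbest fitness after generation g. Stops after `generations`
    or once Gbest has not improved for `patience` generations (convergence limit)."""
    rng = random.Random(seed)
    pos = [[rng.randint(0, 1) for _ in range(n_features)] for _ in range(swarm_size)]
    vel = [[0.0] * n_features for _ in range(swarm_size)]
    pbest = [p[:] for p in pos]
    pbest_fit = [fitness(p) for p in pos]
    g = max(range(swarm_size), key=lambda i: pbest_fit[i])
    gbest, gbest_fit = pbest[g][:], pbest_fit[g]
    history, stale = [gbest_fit], 0
    for _ in range(generations):
        improved = False
        for i in range(swarm_size):
            for d in range(n_features):
                vel[i][d] = update_velocity(vel[i][d], pos[i][d], pbest[i][d], gbest[d],
                                            rng.random(), rng.random(), **kw)
                pos[i][d] = update_position(vel[i][d], rng.random())
            fit = fitness(pos[i])
            if fit > pbest_fit[i]:            # individual best (Pbest)
                pbest[i], pbest_fit[i] = pos[i][:], fit
                if fit > gbest_fit:           # swarm best (Gbest)
                    gbest, gbest_fit, improved = pos[i][:], fit, True
        history.append(gbest_fit)
        stale = 0 if improved else stale + 1
        if stale >= patience:
            break
    return gbest, gbest_fit, history


# Constructed stand-in for the step 1.2 evaluation function: of 12 features, the
# indices below are "informative" (+1 each); every other selected feature costs 0.6.
INFORMATIVE = {0, 3, 5, 9}


def toy_fitness(bits):
    chosen = {i for i, b in enumerate(bits) if b}
    return len(chosen & INFORMATIVE) - 0.6 * len(chosen - INFORMATIVE)


if __name__ == "__main__":
    best, fit, hist = bpso(toy_fitness, 12)
    print("selected:", [i for i, b in enumerate(best) if b],
          "fitness:", fit, "generations run:", len(hist) - 1)
```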
Stage 2: deep model network attack detection based on the network data feature subset; the reduced network data set is used as training data and a real-time network attack detection model is realized with deep learning; the specific steps are as follows:
Step 2.1, training the deep network attack detection model. After the first stage, the optimal feature subset of the network data is obtained and used as the input of the second-stage deep learning model. The invention adopts Deep Belief Networks (DBN). The network feature subset data enters through an input layer X, is computed by hidden layers H and is finally output by an output layer Y. Pre-training maps the same feature vector into different feature spaces so as to preserve more feature information; fine-tuning then trains the whole network in a supervised manner to obtain a classifier. The activation function of the output layer is linear and that of the hidden-layer neurons is the Sigmoid function. The number of layers and the number of neurons per layer are set according to the data scale of the network feature subset; to ensure timeliness of testing, the invention uses a 7-layer network with neuron counts [50, 40, 35, 30, 26, 22, 22].
Step 2.2, real-time detection with the deep network attack detection model. The detection system first collects network data, reduces it according to the feature preprocessing and the optimal feature subset, and inputs it into the trained deep learning model, which outputs the network attack type or the current attack-free state.
Step 2.3, offline optimization of the system model. Manual re-checking is performed on the real-time monitoring data of network attack detection; when the number of detected erroneous instances exceeds a set threshold δ, the erroneous instances are manually corrected and labelled, all incremental network data is merged with the original network data, and the first and second stages are re-entered to optimize the network attack detection system model offline.
Example 2
As shown in fig. 4, the network attack detection system based on the two-stage learning model of the present embodiment includes the following modules:
a feature dimension reduction module of the network data set: the module evaluates the feature combination by taking the feature subset of the network data set as an indivisible unit to realize the feature dimension reduction of the network data set; the method specifically comprises the following sub-modules:
The preprocessing module for mass network data: preprocesses mass network data. First, data instances whose proportion of missing features exceeds a threshold are removed in an initial screening; then low-information features such as sequence numbers and timestamps are deleted from the initially screened network data set; finally, the non-numerical features in the network data set are mapped by one-hot encoding into binary vectors;
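The preprocessing of step 1.1 (also given in the Disclosure and in Example 1), as an added example that is not the patent's own code: a missing-value threshold on records, removal of the sequence-number and timestamp fields, and one-hot mapping of non-numeric fields to binary vectors. The record fields, the 0.0 fill for residual missing numeric values, and the fit/transform split (so the detection path of step 2.2 reuses the training-time vocabulary) are assumptions.

```python
LOW_INFO_FIELDS = {"seq_no", "timestamp"}  # the low-information fields the text names

# Constructed sample records; None marks a missing value. Record 3 is missing
# 4 of its 7 fields and is meant to be removed by the row threshold.
RECORDS = [
    {"seq_no": 1, "timestamp": 1620000000, "proto": "tcp", "service": "http",
     "flag": "SF", "src_bytes": 181, "dst_bytes": 5450},
    {"seq_no": 2, "timestamp": 1620000001, "proto": "udp", "service": "dns",
     "flag": "SF", "src_bytes": 105, "dst_bytes": 146},
    {"seq_no": 3, "timestamp": 1620000002, "proto": "tcp", "service": None,
     "flag": None, "src_bytes": None, "dst_bytes": None},
    {"seq_no": 4, "timestamp": 1620000003, "proto": "icmp", "service": "eco_i",
     "flag": "SF", "src_bytes": 8, "dst_bytes": 0},
]


def drop_sparse_records(records, missing_threshold):
    """Initial screening: drop records whose share of missing fields exceeds the threshold."""
    return [r for r in records
            if sum(v is None for v in r.values()) / len(r) <= missing_threshold]


def drop_low_info_fields(records, fields=LOW_INFO_FIELDS):
    """Remove low-information fields such as sequence numbers and timestamps."""
    return [{k: v for k, v in r.items() if k not in fields} for r in records]


def fit_encoder(records):
    """Learn the field order and, for each non-numeric field, its sorted category list
    from training data, so later records are mapped with the same vocabulary (assumption)."""
    fields = sorted({k for r in records for k in r})
    categories = {}
    for f in fields:
        values = [r[f] for r in records if r.get(f) is not None]
        if any(isinstance(v, str) for v in values):
            categories[f] = sorted(set(map(str, values)))
    return {"fields": fields, "categories": categories}


def transform(records, encoder):
    """One-hot map non-numeric fields to binary vectors; numeric fields pass through.
    Returns (column_names, rows). A category unseen in training becomes an all-zero
    group and a residual missing numeric value becomes 0.0 (both assumptions)."""
    names, rows = [], []
    for f in encoder["fields"]:
        cats = encoder["categories"].get(f)
        names += [f"{f}={c}" for c in cats] if cats else [f]
    for r in records:
        row = []
        for f in encoder["fields"]:
            v, cats = r.get(f), encoder["categories"].get(f)
            if cats:
                row += [1 if v is not None and str(v) == c else 0 for c in cats]
            else:
                row.append(float(v) if v is not None else 0.0)
        rows.append(row)
    return names, rows


def preprocess(records, missing_threshold=0.25):
    """Step 1.1 on training data: row threshold -> field removal -> one-hot encoding."""
    kept = drop_low_info_fields(drop_sparse_records(records, missing_threshold))
    encoder = fit_encoder(kept)
    names, rows = transform(kept, encoder)
    return names, rows, encoder


if __name__ == "__main__":
    names, rows, enc = preprocess(RECORDS)
    print(names)
    for row in rows:
        print(row)
```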
A feature subset evaluation function construction module of the network data set: constructs the feature subset evaluation function of the network data set. A measurable multivariate network intrusion detection analysis model F is built from the mutual information (MI) between the network data features and the network attack types.
Figure BDA0003213724350000081
Here the raw values of the network data samples with n-dimensional features are not used as input; instead the mutual information $I_{ij}$ between each network data feature dimension and each network attack category is computed and used as input, where $I(f_i, C_j) = H(f_i) + H(C_j) - H(f_i, C_j)$ is the mutual information between the i-th feature dimension and the j-th class and $H(f_i, C_j) = -\sum p(f_i, C_j)\log_2 p(f_i, C_j)$ is their joint entropy. After centering and normalizing the matrix F, the correlation matrix Rel is calculated from $R = P^{T} P$. Then, by
Figure BDA0003213724350000082
And
Figure BDA0003213724350000083
the associated information entropy $H_{Rel}$ is calculated, and
Figure BDA0003213724350000084
Using only the associated information entropy would bias the search toward features carrying little information (a subset that contains no information naturally contains no redundant information either), so the average mutual information is introduced,
Figure BDA0003213724350000085
which represents the average amount of useful information in the system,
Figure BDA0003213724350000086
Based on maximizing $H_{Rel}$ and
Figure BDA0003213724350000087
a weighted combination gives the final evaluation function
Figure BDA0003213724350000088
$k_1$ and $k_2$ are non-negative constants that control how strongly the associated information entropy and the average mutual information influence the selected features.
A module for determining the feature subset with a binary particle swarm evolutionary search strategy: the feature subset is determined using a Binary Particle Swarm Optimization (BPSO) evolutionary search. A particle h is a bit string of 0s and 1s that maps the n-dimensional feature set; the corresponding feature is selected when its bit is 1. In BPSO each particle moves through the solution space of feature subsets and records its own best solution (Pbest) and the swarm's best solution (Gbest) to update its position. Pbest is the position with the best fitness value among those the individual particle has visited; Gbest is the position with the best fitness among those visited by all particles in the swarm. The particle update is as follows:
Figure BDA0003213724350000089
Figure BDA00032137243500000810
The BPSO algorithm converts the continuous velocity values into a binary vector of 0s and 1s through the Sigmoid function, so the particle position is also represented as a binary vector. This process is repeated, with limits on the number of evolutionary generations and on convergence of the best solution, until the final network data feature subset is determined.
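The evaluation function construction and the BPSO search above, as one added Python example (not the patent's code). The mutual-information matrix follows the definition I(f_i, C_j) = H(f_i) + H(C_j) - H(f_i, C_j) given above, with C_j taken as the one-vs-rest indicator of class j. The exact expressions for the associated information entropy H_Rel and the average mutual information appear on the page only as images, so H_Rel is assumed here to be the eigenvalue entropy of the correlation matrix R = P^T P, and the average mutual information is taken as the mean of the selected rows of F. The particle update uses the standard BPSO equations with the inertia factor ω and the learning factors c1, c2 named above; the velocity clamp, swarm size and generation limit are assumed values, and the dataset is constructed.

```python
"""Feature-subset evaluation function and BPSO search (added example, not the
patent's code). F[i, j] = I(f_i, C_j) follows the patent's definition; the
form of H_Rel is ASSUMED (eigenvalue entropy of R = P^T P) because the page
only shows it as an image. The dataset below is constructed."""
import math
import random
import numpy as np

def entropy(*columns):
    """Joint Shannon entropy in bits of one or more discrete columns."""
    counts = {}
    for row in zip(*columns):
        counts[row] = counts.get(row, 0) + 1
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def mutual_information(f, c):
    """I(f, C) = H(f) + H(C) - H(f, C)."""
    return entropy(f) + entropy(c) - entropy(f, c)

def mi_matrix(X, y, n_classes):
    """F[i, j] = I(f_i, C_j), with C_j the one-vs-rest indicator of class j."""
    F = np.zeros((len(X[0]), n_classes))
    for j in range(n_classes):
        cj = [1 if label == j else 0 for label in y]
        for i in range(F.shape[0]):
            F[i, j] = mutual_information([row[i] for row in X], cj)
    return F

def correlation_entropy(R):
    """ASSUMED H_Rel: -sum (lam/k) log_k (lam/k) over the eigenvalues of the
    k x k correlation matrix R. 1.0 = uncorrelated (no redundancy),
    0.0 = all selected features perfectly correlated."""
    k = R.shape[0]
    if k < 2:
        return 0.0
    p = np.clip(np.linalg.eigvalsh(R), 0.0, None) / k
    return float(-sum(pi * math.log(pi, k) for pi in p if pi > 1e-12))

def evaluate(F, subset, k1=1.0, k2=1.0):
    """J = k1 * H_Rel + k2 * average MI for a 0/1 bit-string feature subset."""
    idx = [i for i, bit in enumerate(subset) if bit]
    if not idx:
        return -1.0                              # empty subset: worst fitness
    sub = F[idx, :]                              # one row per selected feature
    P = sub.T - sub.T.mean(axis=0)               # center each feature's MI profile
    P = P / (P.std(axis=0) + 1e-12)              # normalize (guard constant profiles)
    R = P.T @ P / P.shape[0]                     # correlation matrix of the subset
    return k1 * correlation_entropy(R) + k2 * float(sub.mean())

def sigmoid(v):
    return 1.0 / (1.0 + math.exp(-v))

def bpso_select(F, n_particles=10, generations=30, w=0.8, c1=1.5, c2=1.5,
                v_max=4.0, seed=0):
    """Binary PSO: v = w*v + c1*r1*(Pbest - x) + c2*r2*(Gbest - x); each bit is
    set to 1 with probability Sigmoid(v) (Kennedy and Eberhart's BPSO)."""
    rng = random.Random(seed)
    n = F.shape[0]
    pos = [[rng.randint(0, 1) for _ in range(n)] for _ in range(n_particles)]
    pos[0] = [1] * n                             # one particle starts with all features
    vel = [[0.0] * n for _ in range(n_particles)]
    pbest = [p[:] for p in pos]
    pbest_fit = [evaluate(F, p) for p in pos]
    g = max(range(n_particles), key=lambda i: pbest_fit[i])
    gbest, gbest_fit = pbest[g][:], pbest_fit[g]
    for _ in range(generations):                 # generation limit = stop criterion
        for h in range(n_particles):
            for d in range(n):
                r1, r2 = rng.random(), rng.random()
                v = (w * vel[h][d] + c1 * r1 * (pbest[h][d] - pos[h][d])
                     + c2 * r2 * (gbest[d] - pos[h][d]))
                vel[h][d] = max(-v_max, min(v_max, v))
                pos[h][d] = 1 if rng.random() < sigmoid(vel[h][d]) else 0
            fit = evaluate(F, pos[h])
            if fit > pbest_fit[h]:
                pbest[h], pbest_fit[h] = pos[h][:], fit
                if fit > gbest_fit:
                    gbest, gbest_fit = pos[h][:], fit
    return gbest, gbest_fit

def make_dataset(n_samples=300, seed=1):
    """Constructed discrete data: 3 classes, 6 features. f0 and f1 carry class
    information, f2 duplicates f0 (redundant), f3-f5 are noise."""
    rng = random.Random(seed)
    X, y = [], []
    for _ in range(n_samples):
        label = rng.randrange(3)
        f0 = label if rng.random() < 0.9 else rng.randrange(3)
        f1 = (label + 1) % 3 if rng.random() < 0.8 else rng.randrange(3)
        X.append([f0, f1, f0, rng.randrange(3), rng.randrange(3), rng.randrange(3)])
        y.append(label)
    return X, y

if __name__ == "__main__":
    X, y = make_dataset()
    subset, fit = bpso_select(mi_matrix(X, y, 3))
    print("selected:", [i for i, b in enumerate(subset) if b], "J =", round(fit, 3))
```

The two terms pull in opposite directions, which is the point the text makes: the entropy term alone is maximized by any set of mutually uncorrelated features, noise included, while the average-MI term alone is indifferent to a duplicated feature (f2 carries exactly the MI of f0). The weights k1, k2 set the trade-off, and the velocity clamp keeps Sigmoid(v) away from 0 and 1 so bits can still flip late in the search.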
A deep model network attack detection module: detects network attacks with the deep model based on the network data feature subset; the reduced network data set is used as training data and a real-time network attack detection model is built with deep learning; it specifically comprises the following sub-modules:
A deep network attack detection model training module: trains the deep network attack detection model. When the feature dimension reduction module of the network data set has finished, the optimal feature subset of the network data is obtained and used as the input of the deep learning model of the deep model network attack detection module. The invention adopts a Deep Belief Network (DBN). The network feature subset data enters through the input layer X, is transformed by the hidden layers H, and is finally output by the output layer Y. Pre-training maps the same feature vector into different feature spaces so that more feature information is retained; fine-tuning then trains the whole network in a supervised manner to obtain a classifier. The activation function of the output layer is set to a linear function, and the activation function of the hidden-layer neurons is set to the Sigmoid function. The number of layers and the number of neurons per layer are set according to the scale of the network feature subset data; to keep detection timely, the invention uses a 7-layer network with neuron counts [50, 40, 35, 30, 26, 22, 22].
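The DBN of step 2.1 and of the training module above, as an added Python example (not the patent's code): greedy layer-wise RBM pre-training followed by supervised fine-tuning of the whole stack with Sigmoid hidden layers and a linear output layer. The patent's 7-layer sizes [50,40,35,30,26,22,22] are replaced by a two-layer stack so the example runs in seconds; the contrastive-divergence training rule, the learning rates, epoch counts, weight initialization and the input data are all assumptions.

```python
"""Deep Belief Network for the second stage (added example, not the patent's
code): greedy layer-wise RBM pre-training with CD-1, then supervised
fine-tuning of the whole stack with Sigmoid hidden layers and a linear output
layer. The patent's hidden sizes are [50,40,35,30,26,22,22]; a small stack and
constructed data are used here."""
import numpy as np

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

def train_rbm(V, n_hidden, rng, epochs=30, lr=0.1):
    """Contrastive-divergence (CD-1) training of one RBM on visible rows V in [0,1].
    Returns weights W (n_vis x n_hidden) and the hidden bias b (assumed rule)."""
    n, n_vis = V.shape
    W = rng.normal(0.0, 0.5, (n_vis, n_hidden))                  # assumed init scale
    b, a = np.zeros(n_hidden), np.zeros(n_vis)
    for _ in range(epochs):
        h0 = sigmoid(V @ W + b)                                  # positive phase
        h_sample = (rng.random(h0.shape) < h0).astype(float)     # one Gibbs step
        v1 = sigmoid(h_sample @ W.T + a)                         # reconstruction
        h1 = sigmoid(v1 @ W + b)                                 # negative phase
        W += lr * (V.T @ h0 - v1.T @ h1) / n
        b += lr * (h0 - h1).mean(axis=0)
        a += lr * (V - v1).mean(axis=0)
    return W, b

def pretrain(X, hidden_sizes, rng):
    """Greedy stacking: each RBM is trained on the previous layer's hidden activations."""
    layers, H = [], X
    for size in hidden_sizes:
        W, b = train_rbm(H, size, rng)
        layers.append([W, b])
        H = sigmoid(H @ W + b)
    return layers

def forward(layers, W_out, b_out, X):
    """Returns all layer activations and the linear output-layer values."""
    acts = [X]
    for W, b in layers:
        acts.append(sigmoid(acts[-1] @ W + b))
    return acts, acts[-1] @ W_out + b_out

def fine_tune(layers, X, Y, rng, epochs=2000, lr=0.5):
    """Supervised backprop through the whole stack; MSE against one-hot targets.
    Hidden weights are updated in place, starting from the pre-trained values."""
    W_out = rng.normal(0.0, 0.1, (layers[-1][0].shape[1], Y.shape[1]))
    b_out = np.zeros(Y.shape[1])
    for _ in range(epochs):
        acts, out = forward(layers, W_out, b_out, X)
        delta = (out - Y) / X.shape[0]                           # linear output: dL/dout
        grad_W_out, grad_b_out = acts[-1].T @ delta, delta.sum(axis=0)
        delta = delta @ W_out.T
        for k in range(len(layers) - 1, -1, -1):
            delta = delta * acts[k + 1] * (1.0 - acts[k + 1])    # Sigmoid derivative
            W, b = layers[k]
            grad_W, grad_b = acts[k].T @ delta, delta.sum(axis=0)
            delta = delta @ W.T                                  # before W changes
            W -= lr * grad_W
            b -= lr * grad_b
        W_out -= lr * grad_W_out
        b_out -= lr * grad_b_out
    return W_out, b_out

class DBNDetector:
    """Pre-train, fine-tune, then predict the attack class (0 = no attack)."""
    def __init__(self, hidden_sizes, seed=0):
        self.hidden_sizes = hidden_sizes
        self.rng = np.random.default_rng(seed)

    def fit(self, X, y, n_classes):
        Y = np.eye(n_classes)[y]                                 # one-hot targets
        self.layers = pretrain(X, self.hidden_sizes, self.rng)
        self.W_out, self.b_out = fine_tune(self.layers, X, Y, self.rng)
        return self

    def predict(self, X):
        return forward(self.layers, self.W_out, self.b_out, X)[1].argmax(axis=1)

    def layer_shapes(self):
        return [W.shape for W, _ in self.layers] + [self.W_out.shape]

def make_data(n=400, n_features=6, seed=1):
    """Constructed binary (one-hot style) feature vectors: classes 1 and 2 are two
    attack types decided by the first two features, class 0 is no attack."""
    rng = np.random.default_rng(seed)
    X = (rng.random((n, n_features)) > 0.5).astype(float)
    y = np.where(X[:, 0] == 1.0, 1, np.where(X[:, 1] == 1.0, 2, 0))
    return X, y

if __name__ == "__main__":
    X, y = make_data()
    detector = DBNDetector([8, 6]).fit(X, y, 3)
    print("layer shapes:", detector.layer_shapes())
    print("training accuracy:", float((detector.predict(X) == y).mean()))
```

At detection time (step 2.2) the same preprocessing and the same selected feature subset have to be applied before calling `predict`; otherwise the input width and the feature order no longer match what the first RBM was trained on, and the model will still return a class index, just a meaningless one.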
A real-time detection module of the deep network attack detection model: performs real-time detection with the deep network attack detection model. The detection system first collects network data, reduces it according to the feature preprocessing and the optimal feature subset, and feeds the reduced data into the trained deep learning model, which outputs the network attack type or the current no-attack state.
An offline model optimization module: optimizes the system model offline. The real-time monitoring output of the attack detector is manually re-checked; when the number of detected error instances exceeds a set threshold δ, the error instances are manually corrected and relabelled, all incremental network data are merged with the original network data, and the feature dimension reduction module of the network data set and the deep model network attack detection module are re-entered to optimize the network attack detection system model offline.
The above embodiments are merely illustrative of the technical ideas and features of the present invention, and the purpose thereof is to enable those skilled in the art to understand the contents of the present invention and implement the present invention, and not to limit the protection scope of the present invention. All equivalent changes and modifications made according to the spirit of the present invention should be covered within the protection scope of the present invention.

Claims (4)

1. A network attack detection method based on a two-stage learning model is characterized by comprising the following steps:
step 1: evaluating feature combinations with a feature subset of the network data set taken as an indivisible unit, so as to reduce the feature dimension of the network data set;
step 2: using the reduced network data set as training data and realizing a deep network attack detection model by means of a deep learning technique;
the step 1 is as follows:
step 1.1, preprocessing the mass network data; first, data instances whose number of missing features exceeds the missing-feature threshold are removed in a preliminary screening, then features with low information content are deleted from the screened network data set, and finally non-numerical features in the network data set are mapped by one-hot coding to binary vectors;
step 1.2, constructing the feature subset evaluation function of the network data set; a measurable multivariate network intrusion detection analysis model F is constructed from the mutual information between the network data features and the network attack types;
Figure FDA0003545056590000011
wherein the raw values of the network data samples with n-dimensional features are not used as input; instead the mutual information $I_{ij}$ between each network data feature dimension and each network attack category is computed and used as input, where $I(f_i, C_j) = H(f_i) + H(C_j) - H(f_i, C_j)$ is the mutual information between the i-th network data feature dimension and the j-th network attack category and $H(f_i, C_j) = -\sum p(f_i, C_j)\log_2 p(f_i, C_j)$; after centering and normalizing the matrix F, the incidence matrix Rel is calculated from $R = P^{T} P$; then by
Figure FDA0003545056590000012
And
Figure FDA00035450565900000112
the associated information entropy $H_{Rel}$ is calculated, and
Figure FDA0003545056590000013
introducing average mutual information
Figure FDA0003545056590000014
which represents the average amount of useful information,
Figure FDA0003545056590000015
based on maximizing $H_{Rel}$ and
Figure FDA0003545056590000016
weighting to obtain final evaluation function
Figure FDA0003545056590000017
$k_1$ and $k_2$ are non-negative constants used to control the influence of the associated information entropy and the average mutual information on the selected features;
step 1.3, determining the feature subset of the network data set by using a binary particle swarm evolutionary search strategy; the particle h is a bit string of 0s and 1s and is a mapping of the n-dimensional features, a feature dimension being selected when its corresponding bit is 1; in the binary particle swarm algorithm each particle moves in the solution space of feature subsets of the network data set and records its self optimal solution Pbest and the group optimal solution Gbest to update its own position; the self optimal solution is the position with the optimal fitness value among those the individual has searched, and the group optimal solution is the position with the optimal fitness among the positions experienced by all particles in the whole particle swarm; the particle update is as follows:
Figure FDA0003545056590000018
Figure FDA0003545056590000019
wherein $c_1$ and $c_2$ are learning factors, $\omega$ is the inertia factor,
Figure FDA00035450565900000110
denotes the velocity of the h-th particle in the t-th generation,
Figure FDA00035450565900000111
denotes the position of the h-th particle in the t-th generation; the binary particle swarm algorithm converts the continuous velocity value into a binary vector of 0s and 1s through the Sigmoid function, so the particle position is also represented by a binary vector of 0s and 1s; the process of updating the self optimal solution Pbest and the group optimal solution Gbest is repeated, with limits on the number of evolutionary generations and on convergence of the optimum of the binary particle swarm evolutionary search, until the feature subset of the final network data set is determined.
2. The network attack detection method based on the two-stage learning model as claimed in claim 1, wherein: the step 2 is as follows:
step 2.1, training the deep network attack detection model; after step 1 is finished, the optimal feature subset of the network data is obtained and used as the input of the deep learning network model of step 2; the feature subset data of the network data set enters through an input layer X, is computed by hidden layers H and is finally output by an output layer Y; the same feature vector is mapped into different feature spaces by pre-training so as to retain more feature information; the whole network is trained in a supervised manner by fine-tuning to obtain a classifier; the activation function of the output layer of the deep learning network model is set to a linear function and the activation function of the hidden-layer neurons is set to the Sigmoid function; the number of neuron layers and the number of neurons in each layer are set according to the scale of the feature subset data of the network data set;
step 2.2, real-time detection with the deep network attack detection model; the detection model first collects network data, reduces it according to the feature preprocessing and the optimal feature subset of the network data, inputs the reduced data into the trained deep learning network model, and obtains the network attack type or the current no-attack state;
step 2.3, offline model optimization; manual re-checking is carried out on the real-time monitoring data of the network attack detection, and when the number of detected error instances exceeds a set threshold δ, the error instances are manually corrected and relabelled, all incremental network data are merged with the original network data, and steps 1 and 2 are re-entered to optimize the deep network attack detection model offline.
3. A network attack detection system based on a two-stage learning model is characterized by comprising the following modules:
a feature dimension reduction module of the network data set: evaluating feature combinations with a feature subset of the network data set taken as an indivisible unit, so as to reduce the feature dimension of the network data set;
the depth model network attack detection module: the method comprises the steps that a network data set reduced by a feature dimension reduction module of the network data set is used as training data, and a deep network attack detection model is realized by utilizing a deep learning technology;
the characteristic dimension reduction module of the network data set specifically comprises the following sub-modules:
a preprocessing module for the mass network data: preprocessing the mass network data; first, data instances whose number of missing features exceeds the missing-feature threshold are removed in a preliminary screening, then features with low information content are deleted from the screened network data set, and finally non-numerical features in the network data set are mapped by one-hot coding to binary vectors;
a feature subset evaluation function construction module of the network data set: constructing the feature subset evaluation function of the network data set; a measurable multivariate network intrusion detection analysis model F is constructed from the mutual information between the network data features and the network attack types;
Figure FDA0003545056590000031
wherein the raw values of the network data samples with n-dimensional features are not used as input; instead the mutual information $I_{ij}$ between each network data feature dimension and each network attack category is computed and used as input, where $I(f_i, C_j) = H(f_i) + H(C_j) - H(f_i, C_j)$ is the mutual information between the i-th network data feature dimension and the j-th network attack category and $H(f_i, C_j) = -\sum p(f_i, C_j)\log_2 p(f_i, C_j)$; after centering and normalizing the matrix F, the incidence matrix Rel is calculated from $R = P^{T} P$; then by
Figure FDA0003545056590000032
And
Figure FDA0003545056590000033
the associated information entropy $H_{Rel}$ is calculated, and
Figure FDA0003545056590000034
introducing average mutual information
Figure FDA0003545056590000035
which represents the average amount of useful information,
Figure FDA0003545056590000036
based on maximizing $H_{Rel}$ and
Figure FDA0003545056590000037
weighting to obtain final evaluation function
Figure FDA0003545056590000038
$k_1$ and $k_2$ are non-negative constants used to control the influence of the associated information entropy and the average mutual information on the selected features;
a module for determining the feature subset of the network data set by using a binary particle swarm evolutionary search strategy: determining the feature subset of the network data set by using a binary particle swarm evolutionary search strategy; the particle h is a bit string of 0s and 1s and is a mapping of the n-dimensional features, a feature dimension being selected when its corresponding bit is 1; in the binary particle swarm algorithm each particle moves in the solution space of feature subsets of the network data set and records its self optimal solution Pbest and the group optimal solution Gbest to update its own position; the self optimal solution is the position with the optimal fitness value among those the individual has searched, and the group optimal solution is the position with the optimal fitness among the positions experienced by all particles in the whole particle swarm; the particle update is as follows:
Figure FDA0003545056590000039
Figure FDA00035450565900000310
Figure FDA00035450565900000311
wherein $c_1$ and $c_2$ are learning factors, $\omega$ is the inertia factor,
Figure FDA00035450565900000312
denotes the velocity of the h-th particle in the t-th generation,
Figure FDA00035450565900000313
denotes the position of the h-th particle in the t-th generation; the binary particle swarm algorithm converts the continuous velocity value into a binary vector of 0s and 1s through the Sigmoid function, so the particle position is also represented by a binary vector of 0s and 1s; the process of updating the self optimal solution Pbest and the group optimal solution Gbest is repeated, with limits on the number of evolutionary generations and on convergence of the optimum of the binary particle swarm evolutionary search, until the feature subset of the final network data set is determined.
4. The network attack detection system based on the two-stage learning model as claimed in claim 3, wherein: the deep model network attack detection module specifically comprises the following sub-modules:
a deep network attack detection model training module: training the deep network attack detection model; after the reduction by the feature dimension reduction module of the network data set is finished, the optimal feature subset of the network data is obtained and used as the input of the deep learning network model; the feature subset data of the network data set enters through an input layer X, is computed by hidden layers H and is finally output by an output layer Y; the same feature vector is mapped into different feature spaces by pre-training so as to retain more feature information; the whole network is trained in a supervised manner by fine-tuning to obtain a classifier; the activation function of the output layer of the deep learning network model is set to a linear function and the activation function of the hidden-layer neurons is set to the Sigmoid function; the number of neuron layers and the number of neurons in each layer are set according to the scale of the feature subset data of the network data set;
the real-time detection module of the deep network attack detection model comprises: real-time detection of a deep network attack detection model; the detection model firstly collects network data, reduces the network data according to the feature preprocessing and the optimal feature subset of the network data, inputs the data into the trained deep learning network model, and obtains the network attack type or the current attack-free state;
an offline model optimization module: optimizing an offline model; and carrying out manual rechecking according to real-time monitoring data of network attack detection, carrying out manual error correction marking on the error example when the detected error example exceeds a limited threshold delta, fusing all network incremental data and original network data, and reentering a characteristic dimension reduction module and a depth model network attack detection module of a network data set to carry out offline optimization of a depth network attack detection model.
CN202110938301.9A 2021-08-16 2021-08-16 Network attack detection system and method based on two-stage learning model Active CN113746813B (en)

Publications (2)

Publication Number Publication Date
CN113746813A CN113746813A (en) 2021-12-03
CN113746813B true CN113746813B (en) 2022-05-10

Family

ID=78731273



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant