CN114257517B - Method for generating training set for detecting state of network node - Google Patents


Info

Publication number: CN114257517B
Application number: CN202111382366.6A
Authority: CN (China)
Prior art keywords: network, samples, abnormal, node, state
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN114257517A (en)
Inventors: 梁志民, 孟绪颖, 王淼, 张玉军
Current assignee: Institute of Computing Technology of CAS (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Institute of Computing Technology of CAS
Events: application filed by Institute of Computing Technology of CAS; priority to CN202111382366.6A; publication of CN114257517A; application granted; publication of CN114257517B; legal status active; anticipated expiration

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/12Discovery or management of network topologies
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/10Pre-processing; Data cleansing
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/21Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/24Classification techniques
    • G06F18/241Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G06F18/2415Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on parametric or probabilistic models, e.g. based on likelihood ratio or false acceptance rate versus a false rejection rate
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14Network analysis or design
    • H04L41/145Network analysis or design involving simulating, designing, planning or modelling of a network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/28Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00Routing or path finding of packets in data switching networks
    • H04L45/02Topology update or discovery
    • H04L45/04Interdomain routing, e.g. hierarchical routing
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic

Abstract

The invention provides a method for generating a training set for detecting the state of a network node, comprising the following steps: constructing a plurality of network structures that differ from each other in network scale and/or network topology; performing state simulation based on the IS-IS routing protocol on each constructed network structure, wherein various abnormal states are simulated in a preset time period by various means of causing an anomaly, and normal states are simulated in the other time periods; and obtaining the data packets collected from the corresponding network nodes while each state is simulated, constructing a plurality of samples and their labels based on a specified time window, and thereby obtaining a training set, wherein the input features of a sample comprise basic features and statistical features, and the label indicates whether the state of the network node corresponding to the sample is abnormal. A node anomaly detection model trained on the training set obtained according to the invention achieves a markedly better detection effect.

Description

Method for generating training set for detecting state of network node
Technical Field
The present invention relates to the field of intra-domain routing protocol security, and in particular to a method of generating a training set for detecting the state of network nodes.
Background
The IS-IS routing protocol is a routing protocol used within a backbone network domain and is one of the interior gateway protocols widely deployed by operators. It has a layered structure, reliable flooding, verification and authentication, and other security mechanisms that protect the protocol while it operates.
However, the IS-IS routing protocol still has vulnerabilities in its design. For the IS-IS routing protocol, abnormal routing behaviour mainly includes: Partial Sequence Number Packet (PSNP) request attacks, Remaining Time 0 attacks, sequence-number-plus-one attacks, invalid route injection attacks, maximum sequence number attacks, misconfiguration, and the like. These anomalies consume the computational resources of routing nodes, or produce false links, routing loops and so on, which degrades normal forwarding; in severe cases they can bring a router down, which can be exploited to interfere with normal network routing and thereby affect the user experience or even cause property damage. It is therefore necessary to mine the abnormal behaviour of intra-domain routing thoroughly and to design a detection mechanism for it specifically, so as to remedy the vulnerability of the routing system and improve the reliability of the network environment.
At present, methods for detecting abnormal behaviour of intra-domain routing protocols, in particular the IS-IS routing protocol, have limitations. For example, the routing table can be obtained by periodically sniffing a routing node in order to analyse the node state and network information, but this risks exposing key routing information, and the open interface makes the router easy to attack; alternatively, external protocols such as the Internet Control Message Protocol (ICMP) and the Simple Network Management Protocol (SNMP) can be used to count link duration and interface traffic in order to infer the operating state of the routing system, but this adds the overhead of configuring extra protocols and places a considerable load on network performance.
Protocol data packets in the network can also be collected and the distribution of abnormal features learned with a machine learning method. Although this approach is simpler and more efficient than those above, it does not build network structures of different network scales or different network topologies, so the data packets produced by the various means of causing anomalies cannot be collected fully, enough samples of enough types cannot be obtained, the abnormal features the model can learn are limited, and the detection range of the model is limited; moreover, only basic features are considered, and no basic and statistical features tailored to a network structure running the IS-IS routing protocol are designed, so the model's detection is not accurate enough.
Therefore, it is highly desirable to obtain a model with a better detection effect for the IS-IS routing protocol by obtaining a training set that is diverse, sufficient and accurately labelled.
Disclosure of Invention
It is therefore an object of the present invention to overcome the above-mentioned drawbacks of the prior art and to provide a method for generating a training set for detecting the status of a network node.
The purpose of the invention is realized by the following technical scheme:
according to a first aspect of the present invention, there is provided a method of generating a training set for detecting a state of a network node, comprising:
constructing a plurality of network structures which are different from each other in terms of network scale and/or network topology; performing state simulation based on an IS-IS routing protocol according to each constructed network structure, wherein various abnormal states are simulated in a preset time period by various means for causing abnormality, and normal states are simulated in other time periods; the method comprises the steps of obtaining data packets collected from corresponding network nodes during simulation of each state, constructing a plurality of samples and labels thereof based on a specified time window, and obtaining a training set, wherein input features of the samples comprise basic features and statistical features, and the labels indicate whether the state of the network nodes corresponding to the samples is abnormal or not.
In some embodiments of the present invention, the step of simulating various abnormal states over a preset time period by a plurality of means of causing an anomaly comprises:
simulating a configuration-error state by various means of misconfiguring the network; and
simulating the state of a network node under attack by various means of attacking the network node.
In some embodiments of the invention, the input features of a sample are generated as basic features and statistical features from the data packets within the specified time window, comprising:
parsing the data packets to obtain the configuration information and message information of the specified time window;
extracting features from the configuration information and the message information to obtain the basic features of the network configuration and of each type of message;
computing statistics of the message information according to specified statistical items to obtain the statistical features of the key fields of each type of message; and
splicing the configuration features, the basic features of each type of message and the statistical features of the key fields of each type of message to obtain the input features.
In some embodiments of the invention, the basic features of the network configuration include: the total number of network nodes and the total number of links;
the basic features of each type of message include: the number of heartbeat messages of each level, the number of link state messages, the number of complete sequence number protocol data messages and the number of partial sequence number protocol data messages;
the statistical features of the key fields of each type of message include: the variance and range of the sequence number field of the link state messages, the number of maximum sequence number fields, the number of each sequence number field, the total number of links recorded, the total number of link state messages whose remaining time field is 0, the variance and range of the sequence number field of the partial sequence number protocol data messages, and the number of distinct maximum transmission unit values across all heartbeat messages.
In some embodiments of the present invention, the method for generating a training set further comprises performing label washing on the plurality of samples, including screening out samples labeled as normal that may be mislabeled.
In some embodiments of the invention, label washing the plurality of samples with a reference model comprises:
obtaining a plurality of samples, including a positive sample with a normal label and a negative sample with an abnormal label;
and performing multiple rounds of iteration of the reference model over the plurality of samples: after each round, obtaining the anomaly probability values of the plurality of samples, updating the parameters of the reference model based on a first total loss calculated from the anomaly probability values and the sample labels, and cleaning wrong labels of the positive samples based on the anomaly probability values and a dynamic threshold, until the standard deviation of the anomaly probability values of all positive samples obtained in the round is smaller than a preset threshold, at which point updating stops and the training set is obtained.
In some embodiments of the present invention, the step of washing the error label of the positive sample based on the anomaly probability value and the dynamic threshold comprises:
screening out a positive sample with the abnormal probability value higher than the corresponding dynamic threshold value according to the comparison result of the abnormal probability value and the dynamic threshold value;
and re-labeling the label of the positive sample with the anomaly probability value higher than the dynamic threshold as the anomaly.
In some embodiments of the present invention, the dynamic threshold changes as the number of iterations increases and the number of wrongly labelled samples among the plurality of samples decreases, and is calculated as follows:

$$\varphi = \mu + \eta\sigma,$$

where $\varphi$ is the dynamic threshold, $\eta \ge 0$,

$$\mu = \frac{1}{N}\sum_{i=1}^{N} P_i$$

is the mean of the anomaly probability values of the positive samples in the current round,

$$\sigma = \sqrt{\frac{1}{N}\sum_{i=1}^{N}\left(P_i - \mu\right)^2}$$

is their standard deviation, $P_i$ is the anomaly probability value of the $i$-th positive sample in the current round, and $N$ is the total number of positive samples in the current round.
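The label-washing loop described above (reference model, dynamic threshold φ = μ + ησ, relabelling, stop when the positives' standard deviation falls below a preset threshold), as an added worked example that is not code from the patent. It assumes a pure-Python logistic regression as the reference model and constructed two-feature samples; a real pipeline would feed the spliced feature vectors of Step S3.

```python
import math

# Constructed time-window samples (not from the patent): each feature vector is
# (scaled LSP sequence-number variance, scaled count of LSPs with Remaining
# Lifetime 0); label 0 = normal ("positive" in the patent's wording), 1 = abnormal.
SAMPLES = [
    ([0.05, 0.00], 0), ([0.10, 0.00], 0), ([0.08, 0.10], 0),
    ([0.12, 0.05], 0), ([0.03, 0.00], 0), ([0.07, 0.02], 0),
    ([0.90, 0.80], 1), ([0.85, 0.90], 1), ([0.95, 0.70], 1), ([0.80, 0.85], 1),
    ([0.88, 0.82], 0),  # captured during an attack but labelled normal: the error to wash out
]


def dynamic_threshold(probs, eta):
    """phi = mu + eta*sigma over the anomaly probabilities of this round's positives."""
    n = len(probs)
    mu = sum(probs) / n
    sigma = math.sqrt(sum((p - mu) ** 2 for p in probs) / n)
    return mu, sigma, mu + eta * sigma


def wash_round(samples, probs, eta, tol):
    """One cleaning round: relabel positives whose probability exceeds phi.

    Returns (samples, sigma, flipped_indices); if sigma is already below tol the
    stopping condition is met and nothing is relabelled."""
    pos_probs = [p for (_, y), p in zip(samples, probs) if y == 0]
    if not pos_probs:
        return samples, 0.0, []
    mu, sigma, phi = dynamic_threshold(pos_probs, eta)
    if sigma < tol:
        return samples, sigma, []
    cleaned, flipped = [], []
    for i, ((x, y), p) in enumerate(zip(samples, probs)):
        if y == 0 and p > phi:
            cleaned.append((x, 1))   # label reversed: normal -> abnormal
            flipped.append(i)
        else:
            cleaned.append((x, y))
    return cleaned, sigma, flipped


class LogisticReference:
    """Minimal logistic-regression reference model trained by gradient descent
    (assumed here; the patent only names logistic regression as the reference model)."""

    def __init__(self, dim):
        self.w = [0.0] * dim
        self.b = 0.0

    def prob(self, x):
        z = sum(wi * xi for wi, xi in zip(self.w, x)) + self.b
        return 1.0 / (1.0 + math.exp(-z))

    def fit(self, samples, lr=1.0, epochs=2000):
        n = len(samples)
        for _ in range(epochs):
            gw, gb = [0.0] * len(self.w), 0.0
            for x, y in samples:
                err = self.prob(x) - y  # gradient of the log loss w.r.t. z
                for j, xj in enumerate(x):
                    gw[j] += err * xj
                gb += err
            self.w = [wj - lr * g / n for wj, g in zip(self.w, gw)]
            self.b -= lr * gb / n
        return self


def label_wash(samples, eta=1.0, tol=0.05, max_rounds=10):
    """Alternate reference-model training and threshold cleaning until the
    positives' probability spread drops below tol. Returns (cleaned samples,
    list of flipped indices per round)."""
    model = LogisticReference(len(samples[0][0]))
    history = []
    for _ in range(max_rounds):
        model.fit(samples)  # continue training on the current labels
        probs = [model.prob(x) for x, _ in samples]
        samples, sigma, flipped = wash_round(samples, probs, eta, tol)
        history.append(flipped)
        if sigma < tol:
            break
    return samples, history


if __name__ == "__main__":
    cleaned, rounds = label_wash(SAMPLES)
    for r, flips in enumerate(rounds, 1):
        print(f"round {r}: relabelled sample indices {flips}")
```

With η = 1 the threshold is one standard deviation above the mean, so a single mislabelled attack-window sample stands out against a tight cluster of genuine normals; the tol check before relabelling is what keeps later rounds from flipping ordinary normals once the spread has collapsed.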
According to a second aspect of the present invention, there is provided a training method for a node anomaly detection model, including iteratively training the node anomaly detection model until the model converges in the following manner:
judging whether the state of a corresponding network node is abnormal or not according to the input characteristics by utilizing a training set training node abnormality detection model obtained by the method of the first aspect of the invention, and obtaining the abnormality probability value of each sample;
calculating a second total loss by using the abnormal probability values of all the samples and the corresponding sample labels;
updating the node anomaly detection model parameters based on the second total loss to obtain a trained node anomaly detection model.
According to a third aspect of the present invention, there is provided a method for detecting network node abnormality, including:
acquiring input features extracted from corresponding network nodes in a detected network, wherein the input features are constructed from all data packets sniffed by the network nodes according to a time period and comprise basic features and statistical features;
and judging whether the state of the corresponding network node is abnormal or not by using the node abnormality detection model obtained by the training method according to the second aspect of the invention according to the input characteristics to obtain a detection result.
According to a fourth aspect of the present invention there is provided a computer readable storage medium having embodied thereon a computer program executable by a processor to perform the steps of the methods of the first, second and third aspects of the present invention.
According to a fifth aspect of the present invention, there is provided an electronic apparatus comprising: one or more processors; and a memory, wherein the memory is to store one or more executable instructions; the one or more processors are configured to implement the steps of the methods in the first, second and third aspects via execution of the one or more executable instructions.
Compared with the prior art, the invention has the advantages that:
1. In the method for generating the training set, a plurality of network structures with different network scales and/or network topologies are constructed, various abnormal states and normal states are simulated in preset time periods by various means of causing anomalies, the data packets produced while simulating each state are obtained, and sufficient, rich samples are generated from those packets. This improves the diversity of the samples in the training set, and a node anomaly detection model trained on this training set has a greatly improved detection range and detection effect.
2. The method for generating the training set simulates various abnormal states in a preset time period by various means of causing anomalies, simulates normal states, analyses the data packets acquired in the normal and abnormal states, and designs statistical features in a targeted manner, namely the network configuration within the specified time window, the basic features of each type of message and the statistical features of the key fields of each type of message, so that the range and effect of the node anomaly detection model in detecting abnormal behaviour of network nodes are improved.
3. The method performs label cleaning on the samples: a reference model evaluates the anomaly probability value of each sample in a self-training manner, samples labelled as normal that may be mislabelled are screened out by combining this with Cantelli's inequality, their labels are reversed and updated, and the process is repeated until all samples that may carry wrong labels have been processed, giving a high-quality training set with more accurate labels. The detection effect of the node anomaly detection model trained on it improves correspondingly, and a large drop in detection effect caused by samples polluted with wrong labels is avoided.
Drawings
Embodiments of the invention are further described below with reference to the accompanying drawings, in which:
FIG. 1 is a flow chart of a method of generating a training set according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a network structure constructed using simulation of a network simulator in accordance with an embodiment of the present invention;
FIG. 3 is a flowchart of a method for training a node anomaly detection model according to an embodiment of the present invention;
fig. 4 is a flowchart of a method for detecting network node anomaly according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be further described in detail by embodiments with reference to the accompanying drawings. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
As mentioned in the background section, the node detection model obtained by conventional technical means is not built on network structures of different network scales or different network topologies, cannot collect the data packets produced when anomalies are caused by multiple means, and cannot acquire enough sample data, so the abnormal features the model can learn are limited and its detection range is limited; moreover, only basic features are considered, and no basic and statistical features tailored to a network structure running the IS-IS routing protocol are designed, so the model's detection is not accurate enough.
To address the shortcomings of existing methods, the invention constructs a plurality of network structures with different network scales and different network topologies and performs state simulation based on the IS-IS routing protocol in each of them. For example, by attacking a certain network node, the abnormal state of that node while under attack is simulated, the data packets are collected, their features are parsed and extracted, and the input features and label of each sample are constructed according to the specified time window, yielding a plurality of samples. A sample's label is marked abnormal when an abnormal state is being simulated and normal when a normal state is being simulated; because the samples are drawn from a variety of network structures and from the data packets acquired while simulating various abnormal and normal states of network nodes within them, the resulting samples are rich and diverse.
Furthermore, the invention also cleans the labels of the plurality of samples, screening out and correcting samples that may be mislabelled to obtain a training set with more accurate labels. The node anomaly detection model trained on this training set detects whether the state of a network node is abnormal more effectively, and a large drop in the model's detection effect caused by label errors is avoided.
According to an embodiment of the invention, when the labels of the samples in the training set are cleaned, a reference model is adopted to clean the labels of the samples in the training set, the reference model adopts a logistic regression classification model, and the node anomaly detection model trained by using the training set after label cleaning can adopt machine learning models such as a logistic regression classification model, a Support Vector Machine (SVM) or an extreme gradient boost (XGboost) model.
Based on the above research, according to an embodiment of the present invention, a method for generating a training set for detecting a state of a network node is provided, so as to obtain the training set, referring to fig. 1, the method includes steps S1, S2, S3, and S4, and for better understanding of the present invention, each step is described in detail below with reference to a specific embodiment.
Step S1: a plurality of network architectures are constructed that differ from each other in terms of network size and/or network topology.
According to an embodiment of the present invention, the plurality of network structures may be constructed with a network simulator (for example, the Graphical Network Simulator (GNS3) platform or the Mininet platform). First, a number of network nodes (also called virtual routers) are generated at random with the simulator, each network node corresponding to a virtual port number, and connections with other network nodes are established based on the IS-IS routing protocol to form a network structure. The number of randomly generated network nodes is kept between 3 and 50, so network structures of different scales are formed within that range; in addition, different network topologies can be formed depending on how the nodes are connected, such as a grid topology shaped like the Chinese character 田 or 目, or an irregularly shaped topology.
Referring to fig. 2, a plurality of network structures with different topologies or node counts are generated with the Graphical Network Simulator (GNS3). To ensure the diversity of the sample data, the network scale parameters are first chosen at random; for example, the total number of network nodes chosen here is 13 and the total number of links is 15. The 13 network nodes are simulated on the GNS3 platform to construct a network structure with 15 links in total. One network node in the structure is selected as the virtual host node (Node 1-1), on which a routing software suite is installed and run so that the host has an IS-IS routing protocol stack, data transmission over the network based on the IS-IS routing protocol is realised, and connections are established to each network node. Each network node other than the virtual host node corresponds to a virtual port number, for example 5000, 5001, 5002, 5003, 5004, 5005, 5006, 5007, 5008, 5009, 5010 and 5011.
Step S2: and performing state simulation based on the IS-IS routing protocol according to each constructed network structure, wherein various abnormal states are simulated in a preset time period by various means for inducing abnormality, and normal states are simulated in the rest time periods.
According to one embodiment of the present invention, various abnormal conditions are simulated over a predetermined period of time by a variety of means for causing an abnormality, including:
Simulation mode 1 simulates configuration-error states by various means of misconfiguring the network, such as an adjacency failure caused by a misconfigured field parameter between network nodes (for example the System ID or Level parameter of the IS-IS routing protocol), or a disconnection in the network.
Simulation mode 2 simulates the state of a network node under attack by various means of attacking network nodes: a certain network node in the corresponding network structure is used as the attacking router, it attacks the other network nodes by various means, and the various abnormal states arising after the attack are simulated. Referring to fig. 3, the virtual host node (Node 1-1) in the network structure is used as the attacking router, which attacks the other network nodes by various means, and the resulting abnormal states are simulated, for example: (1) a partial sequence number protocol data message (PSNP) request attack, so that the other network nodes keep replying to the requests and consume computing resources; (2) a Remaining Time 0 attack, in which the attacker tampers with the remaining time of a specific link in a specific link state message (LSP message), setting it to 0, and floods the link again, so that the other nodes consider the link's remaining lifetime to be 0 and delete the routing table entry; (3) a sequence-number-plus-one attack, in which the attacker tampers with the sequence number of a specific link in a specific LSP message, increments it by one or more, and floods it again, so that the victim node's counter-attack mechanism is triggered and consumes computing resources; (4) an invalid route injection attack, in which the attacker constructs false link information with a complex topology and numerous network nodes and injects it into the network nodes, consuming their computing resources; and (5) a maximum sequence number attack, in which the attacker tampers with the sequence number of a specific link in a specific LSP message, setting it to the maximum value 0xFFFFFFFF, and floods the link again, so that the target network node triggers its premature-ageing mechanism and goes down briefly, among other abnormal states.
According to one embodiment of the invention, simulating a normal state in the remaining time periods comprises:
Simulation mode 3 simulates the normal state by carrying out normal data transmission between the network nodes of the network structure.
And step S3: the method comprises the steps of obtaining data packets collected from corresponding network nodes during simulation of each state, constructing a plurality of samples and labels thereof based on a specified time window, and obtaining a training set, wherein input features of the samples comprise basic features and statistical features, and the labels indicate whether the state of the network nodes corresponding to the samples is abnormal or not.
According to an embodiment of the present invention, when the simulation mode 1, the simulation mode 2, or the simulation mode 3 is implemented in a corresponding network structure, a packet capturing tool (such as a Wireshark or tcpdump image) integrated by a GNS3 platform or a Mininet platform is used to acquire data packets corresponding to all ports of a corresponding network node, and the data packets are dumped into a pcap format file.
According to an embodiment of the present invention, a plurality of samples and their labels are constructed based on a specified time window (for example, 10). The input features of a sample, i.e. the basic features and statistical features, are generated from the data packets within the specified time window, which further comprises:
parsing the data packets to obtain the configuration information and message information of the specified time window;
extracting features from the configuration information and message information to obtain the basic features of the network configuration and of each type of message. The basic features of the network configuration comprise the total number of network nodes and the total number of links; the basic features of each type of message comprise the number of Hello PDUs (heartbeat messages) of each level, the number of link state PDUs (LSPs), the number of complete sequence number PDUs (CSNPs) and the number of partial sequence number PDUs (PSNPs);
computing statistics of the message information according to the specified statistical items to obtain the statistical features of the key fields of each type of message. These comprise: the variance and range of the LSP sequence number field, the number of LSPs carrying the maximum sequence number, the number of distinct sequence number values, the total number of recorded links, the number of LSPs whose Remaining Lifetime field is 0, the variance and range of the sequence number field in PSNPs, and the number of distinct maximum transmission unit (MTU) values in all Hello PDUs. The invention adds statistical features specific to the abnormal behaviour of the IS-IS routing protocol: under a sequence number attack, for example, the attacker keeps sending LSPs whose sequence number has been increased by one or more, so statistical features such as the variance of the LSP sequence numbers and the number of distinct LSP sequence numbers help detect the abnormal state of a network node more accurately;
concatenating the basic features of the network configuration, the basic features of each type of message and the statistical features of the key fields of each type of message to obtain the input features of the sample. For example, the input features in a certain time window are <13,15,1,0,0,3,0,0,0,15,0,0,0,0,0>, corresponding to the features listed in table 1 below.
Table 1: Feature summary table (the table image is not reproduced in this extraction)
Taking the variance of the LSP Entry sequence number field of PSNPs in the table above as an example, it is obtained as follows (the variance or range of the other sequence number fields is obtained in the same way):
suppose 100 PSNPs are received in the corresponding time window; each PSNP carries several LSP Entry fields, and each LSP Entry has an LSP-ID field such as 0000.0000.0001.00-00 or 0000.0000.0010.00-01. Assuming there are 12 distinct LSP-IDs, the LSP Entries are divided into 12 groups by LSP-ID, the variance of the sequence number field is calculated within each group, and the maximum of the 12 values is taken as the variance of the LSP Entry sequence number field of these PSNPs.
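The feature extraction described above (the per-PDU-type counts plus the per-LSP-ID variance and range of sequence numbers), as an added example that is not part of the patent; the PDU records, their dictionary layout, and the reading of "total number of recorded links" as the count of IS-neighbour entries carried by all LSPs in the window are assumptions.

```python
"""Basic and statistical features of one IS-IS capture window (added example).

The PDU records below are constructed by hand; in practice they would be
parsed out of the pcap file with a dissector such as scapy or pyshark."""
from collections import Counter, defaultdict

MAX_SEQ = 0xFFFFFFFF  # largest LSP sequence number


def variance(values):
    # population variance of a list of sequence numbers
    mu = sum(values) / len(values)
    return sum((v - mu) ** 2 for v in values) / len(values)


def grouped_seq_stats(pairs):
    """pairs: (lsp_id, seq) tuples seen in the window.

    Group by LSP-ID, compute the variance and range of the sequence numbers
    inside each group, and return the maximum of each over all groups."""
    groups = defaultdict(list)
    for lsp_id, seq in pairs:
        groups[lsp_id].append(seq)
    if not groups:
        return 0.0, 0
    var = max(variance(seqs) for seqs in groups.values())
    rng = max(max(seqs) - min(seqs) for seqs in groups.values())
    return var, rng


def extract_features(window, n_nodes, n_links):
    """window: list of dicts, one per PDU captured on the node's ports.

    Returns the basic features (network configuration and PDU counts) and the
    statistical features of the key fields as a dict."""
    hellos = [p for p in window if p["type"] == "HELLO"]
    lsps = [p for p in window if p["type"] == "LSP"]
    csnps = [p for p in window if p["type"] == "CSNP"]
    psnps = [p for p in window if p["type"] == "PSNP"]
    hello_levels = Counter(h["level"] for h in hellos)
    lsp_pairs = [(l["lsp_id"], l["seq"]) for l in lsps]
    psnp_pairs = [(e["lsp_id"], e["seq"]) for p in psnps for e in p["entries"]]
    lsp_var, lsp_rng = grouped_seq_stats(lsp_pairs)
    psnp_var, psnp_rng = grouped_seq_stats(psnp_pairs)
    return {
        "nodes": n_nodes, "links": n_links,
        "hello_l1": hello_levels[1], "hello_l2": hello_levels[2],
        "lsp": len(lsps), "csnp": len(csnps), "psnp": len(psnps),
        "lsp_seq_var": lsp_var, "lsp_seq_range": lsp_rng,
        "lsp_max_seq": sum(1 for l in lsps if l["seq"] == MAX_SEQ),
        "lsp_distinct_seq": len({l["seq"] for l in lsps}),
        # assumption: "recorded links" = IS-neighbour entries over all LSPs
        "lsp_links": sum(len(l["neighbors"]) for l in lsps),
        "lsp_lifetime_zero": sum(1 for l in lsps if l["remaining_lifetime"] == 0),
        "psnp_seq_var": psnp_var, "psnp_seq_range": psnp_rng,
        "hello_mtu_values": len({h["mtu"] for h in hellos}),
    }


# Constructed capture window (not real traffic): the LSP of node 0001 is
# flooded four times with its sequence number bumped by one each time, the
# pattern the description attributes to a sequence number attack, and one
# copy of node 0002's LSP carries Remaining Lifetime 0.
ID1, ID2 = "0000.0000.0001.00-00", "0000.0000.0002.00-00"
SAMPLE_WINDOW = (
    [{"type": "HELLO", "level": 1, "mtu": 1497} for _ in range(2)]
    + [{"type": "HELLO", "level": 2, "mtu": 1497}]
    + [{"type": "LSP", "lsp_id": ID1, "seq": s, "remaining_lifetime": 1200,
        "neighbors": ["0002", "0003"]} for s in (0x10, 0x11, 0x12, 0x13)]
    + [{"type": "LSP", "lsp_id": ID2, "seq": 5, "remaining_lifetime": 1200,
        "neighbors": ["0001"]},
       {"type": "LSP", "lsp_id": ID2, "seq": 5, "remaining_lifetime": 0,
        "neighbors": ["0001"]}]
    + [{"type": "CSNP"}]
    + [{"type": "PSNP", "entries": [{"lsp_id": ID1, "seq": 0x10},
                                    {"lsp_id": ID2, "seq": 5}]},
       {"type": "PSNP", "entries": [{"lsp_id": ID1, "seq": 0x12}]}]
)


def sample_features():
    # 3 nodes and 2 links are the constructed topology of the sample window
    return extract_features(SAMPLE_WINDOW, n_nodes=3, n_links=2)


if __name__ == "__main__":
    for name, value in sample_features().items():
        print(f"{name:>18}: {value}")
```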
Step S4: performing label washing on the plurality of samples, which comprises screening out the possibly mislabeled samples among the samples labeled as normal.
According to one embodiment of the invention, after a possibly mislabeled sample has been screened out, its label can be reversed, i.e. the original normal label is re-labeled as abnormal, or the sample can be rejected. A training set with more accurate labels is thereby obtained.
According to one embodiment of the invention, label washing of the plurality of samples using a reference model comprises:
obtaining the plurality of samples, including positive samples labeled normal and negative samples labeled abnormal;
performing multiple rounds of iteration of the reference model with the plurality of samples: after each round, the anomaly probability values of the samples are obtained, the parameters of the reference model are updated based on a first total loss calculated from the anomaly probability values and the sample labels, and the wrong labels among the positive samples are cleaned based on the anomaly probability values and a dynamic threshold; when the standard deviation of the anomaly probability values of all positive samples in a round is smaller than a preset threshold, updating stops and the labeled training set is obtained.
According to one embodiment of the invention, the reference model is a logistic regression classification model. It is trained with the current plurality of samples, each comprising a label and input features, and the anomaly probability values of all positive samples are obtained from the input features of the samples, where the anomaly probability value of a sample can be calculated as:
$P(y=1 \mid x_i) = \dfrac{1}{1 + e^{-(w^{\top} x_i + b)}}$ (1);
where w is the weight parameter of the reference model, b is the bias parameter of the reference model, $P(y=1 \mid x_i)$ is the anomaly probability value of the i-th sample, i.e. the probability that it is abnormal, and $x_i$ is the input feature vector of the i-th sample.
The first total loss can be calculated with a cross-entropy loss function, as follows:
$\mathcal{L}_1 = -\dfrac{1}{N}\sum_{i=1}^{N}\bigl[y_i \log P(y=1 \mid x_i) + (1-y_i)\log\bigl(1 - P(y=1 \mid x_i)\bigr)\bigr]$ (2);
where N is the total number of samples, $y_i$ is the current label of sample i, and $x_i$ is the input feature vector of the i-th sample. The parameters of the reference model are updated by gradient descent based on the first total loss.
Because the number of data packets obtained in the normal state is large and the states of the network nodes are complex and changeable, the samples formed from the normal-state data packets and labeled as normal are likely to contain some that are labeled wrongly. In the data packets obtained in the abnormal states, by contrast, the effect of the attack can be observed clearly, so the labels of the abnormal samples are usually accurate. Therefore only the wrong labels among the positive samples need to be cleaned.
According to one embodiment of the present invention, the error label of the positive sample is cleaned based on the abnormal probability value and the dynamic threshold, further comprising the following steps:
screening out a positive sample with the abnormal probability value higher than the dynamic threshold value according to the comparison result of the abnormal probability value and the dynamic threshold value;
and re-labeling the label of the positive sample with the anomaly probability value higher than the dynamic threshold as the anomaly.
According to an embodiment of the invention, the dynamic threshold changes dynamically as the number of iterations increases and the number of wrongly labeled samples among the plurality of samples decreases. The dynamic threshold is derived from Cantelli's inequality: with this threshold the upper bound on false positives of the abnormal label is $1/(1+\eta^2)$, i.e. the probability that a truly normal sample is wrongly re-labeled as abnormal is less than $1/(1+\eta^2)$. The dynamic threshold is therefore calculated as follows:
$\phi = \mu + \eta\sigma$ (3);
where $\phi$ is the dynamic threshold, $\eta \ge 0$,
$\mu = \dfrac{1}{N}\sum_{i=1}^{N} P_i$
is the mean of the anomaly probability values of the current round's positive samples,
$\sigma = \sqrt{\dfrac{1}{N}\sum_{i=1}^{N}(P_i - \mu)^2}$
is their standard deviation, $P_i$ is the anomaly probability value of the i-th positive sample in the current round, and N is the total number of positive samples in the current round. A dynamic threshold calculated in this way screens the possibly mislabeled samples out of the samples labeled normal more accurately, and so avoids re-labeling truly normal samples as abnormal.
According to one embodiment of the invention, a list list_P of the anomaly probability values of all positive samples is obtained. If |list_P| = 11976, the mean μ = 0.1124, the standard deviation σ = 0.006865 and η = 100, then the positive samples with anomaly probability value greater than 0.1124 + 100 × 0.006865 = 0.7989 are re-labeled as abnormal; the total number of negative samples becomes 12176 and the total number of positive samples 11845. The logistic regression classification model is retrained with the new label data and a new list list_P of the anomaly probability values of all positive samples is computed, with |list_P| = 11845, mean μ = 0.10914 and standard deviation σ = 0.005143, so the positive samples with anomaly probability value greater than 0.10914 + 100 × 0.005143 = 0.62344 are re-labeled as abnormal. This process is repeated until the standard deviation of the anomaly probability values P is less than the preset threshold (0.005). The final total number of negative samples is 12679 and the total number of positive samples is 11342.
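The label-washing loop of this embodiment (equations (1) to (3) and the worked numbers above), as an added example that is not the patent's code: a small pure-Python logistic regression stands in for the reference model, and the constructed sample set, η = 2, the stop threshold 0.05 and retraining from scratch each round are assumptions.

```python
"""Label washing with the Cantelli-style dynamic threshold (added example).

The reference model is a pure-Python logistic regression; the sample set,
eta and the stop threshold are constructed assumptions, not the patent's."""
import math


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def predict(w, b, x):
    # Equation (1): anomaly probability P(y=1|x) for one feature vector x
    return sigmoid(sum(wj * xj for wj, xj in zip(w, x)) + b)


def train_logreg(X, y, lr=0.5, epochs=3000):
    """Fit w, b by batch gradient descent on the cross-entropy loss (eq. (2))."""
    n, d = len(X), len(X[0])
    w, b = [0.0] * d, 0.0
    for _ in range(epochs):
        grad_w, grad_b = [0.0] * d, 0.0
        for x, yi in zip(X, y):
            err = predict(w, b, x) - yi  # d(loss)/d(logit) for this sample
            for j in range(d):
                grad_w[j] += err * x[j]
            grad_b += err
        w = [wj - lr * gj / n for wj, gj in zip(w, grad_w)]
        b -= lr * grad_b / n
    return w, b


def mean_std(values):
    # population mean and standard deviation, as in the mu / sigma definitions
    mu = sum(values) / len(values)
    sigma = math.sqrt(sum((v - mu) ** 2 for v in values) / len(values))
    return mu, sigma


def dynamic_threshold(probs, eta):
    """Equation (3): phi = mu + eta * sigma over this round's positive samples.

    By Cantelli's inequality a truly normal sample exceeds phi with
    probability at most 1 / (1 + eta^2)."""
    mu, sigma = mean_std(probs)
    return mu + eta * sigma


def wash_labels(X, y, eta=2.0, sigma_stop=0.05, max_rounds=10):
    """Iteratively relabel suspicious positives (label 0) as abnormal (label 1).

    Each round retrains the reference model on the current labels, scores the
    positives and stops once the spread sigma of their anomaly probabilities
    is below sigma_stop; otherwise positives scoring above phi are flipped.
    Returns (cleaned labels, indices flipped, rounds run)."""
    y = list(y)
    flipped = []
    for rnd in range(1, max_rounds + 1):
        w, b = train_logreg(X, y)
        pos = [i for i, yi in enumerate(y) if yi == 0]
        if not pos:
            return y, flipped, rnd
        probs = [predict(w, b, X[i]) for i in pos]
        _, sigma = mean_std(probs)
        if sigma < sigma_stop:
            return y, flipped, rnd
        phi = dynamic_threshold(probs, eta)
        for i, p in zip(pos, probs):
            if p > phi:
                y[i] = 1
                flipped.append(i)
    return y, flipped, max_rounds


# Constructed sample set (one feature per sample, e.g. a normalised LSP
# sequence-number variance). Indices 0-17 are genuine normal samples, 18 and
# 19 are attack-like samples mislabelled as normal, 20-39 are labelled abnormal.
SAMPLE_X = ([[i / 100] for i in range(18)] + [[0.90], [0.95]]
            + [[0.80 + i / 100] for i in range(20)])
SAMPLE_Y = [0] * 20 + [1] * 20


def wash_sample():
    return wash_labels(SAMPLE_X, SAMPLE_Y)


if __name__ == "__main__":
    labels, flipped, rounds = wash_sample()
    print(f"rounds={rounds} relabelled={flipped} "
          f"negatives={sum(labels)} positives={len(labels) - sum(labels)}")
```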
The training set obtained by this method is based on data packets captured while simulating various network node states in a plurality of network structures; sufficiently many and varied samples are generated from these data packets, and label washing yields a high-quality training set with more accurate labels, so training the node anomaly detection model with this training set greatly improves the model's detection range and detection effect.
According to an embodiment of the present invention, a training method for a node anomaly detection model using a training set obtained by the method for generating a training set is also provided. It comprises iterative training according to the following steps until the model converges, see fig. 3, comprising steps a1, a2 and a3:
step a1: train the node anomaly detection model with the training set obtained by the method for generating a training set according to the invention, judging from the input features whether the state of the corresponding network node is abnormal and obtaining the anomaly probability value of each sample.
According to an embodiment of the present invention, the node anomaly detection model may use the same logistic regression classification model as the reference model, or may use a logistic regression classification model different from the reference model. The anomaly probability value of each sample is obtained based on the corresponding logistic regression classification model, and the computation of the anomaly probability value is the same as the above equation (1).
And a2, calculating a second total loss by using the abnormal probability values of all the samples and the corresponding sample labels.
According to an embodiment of the present invention, the second total loss may be calculated with a cross-entropy loss function, as follows:
$\mathcal{L}_2 = -\dfrac{1}{N}\sum_{i=1}^{N}\bigl[y'_i \log P(y=1 \mid x_i) + (1-y'_i)\log\bigl(1 - P(y=1 \mid x_i)\bigr)\bigr]$ (4);
where N is the total number of samples, $y'_i$ is the label of sample i after label washing, and $x_i$ is the input feature vector of the i-th sample.
And a3, updating the node anomaly detection model parameters based on the second total loss to obtain a trained node anomaly detection model.
According to one embodiment of the invention, the parameters of the node anomaly detection model are updated by a gradient descent method based on the second total loss until the second total loss is within a preset threshold or the node anomaly detection model reaches a preset iteration turn, and the updating is stopped.
Since the node anomaly detection model obtained with the above training set and training method detects the abnormal state of network nodes with good effect, according to one embodiment of the invention a node anomaly detection method using the node anomaly detection model obtained in the invention is provided; the method is shown in fig. 4 and comprises steps b1 and b2:
step b1: the method comprises the steps of obtaining input features extracted from corresponding network nodes in a detected network, wherein the input features are constructed from all data packets sniffed by the network nodes according to a time period, and the input features comprise basic features and statistical features.
Step b2: the node anomaly detection model obtained by the training method of the node anomaly detection model judges whether the state of the corresponding network node is abnormal according to the input characteristics to obtain a detection result.
In order to correct the abnormal state of the network node, the abnormal state of the corresponding network node needs to be further analyzed, and the node abnormality detection method may further include step b3: and when the detection result shows that the state of the corresponding network node is abnormal, performing abnormal report.
To verify the node anomaly detection model trained on the training set, the model was tested with a test set: the trained model detects the acquired data packets, and the final test results are good in every respect, as follows:
precision: 0.9547, recall: 0.9764, harmonic mean of precision and recall (F1): 0.9654, classification accuracy: 0.9603.
it should be noted that, although the steps are described in a specific order, the steps are not necessarily performed in the specific order, and in fact, some of the steps may be performed concurrently or even in a changed order as long as the required functions are achieved.
The present invention may be a system, method and/or computer program product. The computer program product may include a computer-readable storage medium having computer-readable program instructions embodied therewith for causing a processor to implement various aspects of the present invention.
The computer readable storage medium may be a tangible device that retains and stores instructions for use by an instruction execution device. The computer readable storage medium may include, for example, but is not limited to, an electronic memory device, a magnetic memory device, an optical memory device, an electromagnetic memory device, a semiconductor memory device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a Static Random Access Memory (SRAM), a portable compact disc read-only memory (CD-ROM), a Digital Versatile Disc (DVD), a memory stick, a floppy disk, a mechanical coding device, such as punch cards or in-groove projection structures having instructions stored thereon, and any suitable combination of the foregoing.
Having described embodiments of the present invention, the foregoing description is intended to be exemplary, not exhaustive, and not limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein is chosen in order to best explain the principles of the embodiments, the practical application, or improvements made to the technology in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

Claims (11)

1. A method of generating a training set for detecting a state of a network node, comprising:
constructing a plurality of network structures so that the network structures are different from each other in terms of network scale and/or network topology;
performing state simulation based on an IS-IS routing protocol according to each constructed network structure, wherein various abnormal states are simulated in a preset time period by various means for causing abnormality, and normal states are simulated in other time periods;
acquiring data packets acquired from corresponding network nodes during simulation of each state, constructing a plurality of samples and labels thereof based on a specified time window, and acquiring a training set, wherein input features of the samples comprise basic features and statistical features, and the labels indicate whether the state of the network nodes corresponding to the samples is abnormal or not;
the basic characteristics comprise basic characteristics of network configuration and basic characteristics of various messages, and the statistical characteristics comprise statistical characteristics of key fields of various messages;
the basic features of the network configuration include: the total number of network nodes and the total number of links;
the basic features of each type of message include: the quantity of heartbeat messages of different levels, the quantity of link state messages, the quantity of full time sequence protocol data messages and the quantity of partial time sequence data messages;
the statistical characteristics of the key fields of various messages include: the variance and range of the sequence number field of the link state message, the number of the maximum sequence number field, the number of each sequence number field, the total number of the recorded links, the total number of the link state messages with the remaining time field of 0, the variance and range of the sequence number field of part of the time sequence data messages, and the number of different maximum transmission unit values in all the heartbeat messages.
2. The method of claim 1, wherein said step of simulating various abnormal conditions over a predetermined period of time by a plurality of means for inducing an abnormality comprises:
simulating a configuration error state by various network configuration error means; and
the state of the network node is simulated by various means of attacking the network node.
3. The method of claim 1, wherein the step of generating the base features and statistical features based on the data packets within the specified time window from the input features of the samples comprises:
analyzing the data packet to obtain configuration information and message information of a specified time window;
extracting the characteristics of the configuration information and the message information to obtain the network configuration and the basic characteristics of various messages;
counting the characteristics of various message information according to the specified counting items to obtain the counting characteristics of the key fields of various messages;
and splicing the basic characteristics of network configuration, the basic characteristics of the various messages and the statistical characteristics of the key fields of the various messages to obtain the input characteristics.
4. The method of any one of claims 1 to 3, further comprising performing label washing on the plurality of samples, including screening out samples that are labeled as normal for possible mislabeling.
5. The method of claim 4, wherein label washing the plurality of specimens using the reference model comprises:
obtaining a plurality of samples, including a positive sample with a normal label and a negative sample with an abnormal label;
and performing multiple rounds of iteration on the reference model by using a plurality of samples, obtaining abnormal probability values of the plurality of samples after each round of iteration is finished, updating parameters of the reference model based on the abnormal probability values and first total loss calculated by the sample labels, cleaning error labels of the positive samples based on the abnormal probability values and the dynamic threshold value until standard deviation obtained by the round based on the abnormal probability values of all the positive samples is smaller than a preset threshold value, stopping updating and obtaining a training set.
6. The method of claim 5, wherein the step of washing false tags of positive samples based on anomaly probability values and dynamic thresholds comprises:
screening out a positive sample with the abnormal probability value higher than the dynamic threshold value according to the comparison result of the abnormal probability value and the dynamic threshold value;
and re-labeling the label of the positive sample with the anomaly probability value higher than the dynamic threshold as the anomaly.
7. The method of claim 5, wherein the dynamic threshold dynamically changes as the number of iterations increases and the number of error labeled samples in the plurality of samples decreases, wherein the dynamic threshold is calculated as follows:
φ=μ+ησ,
wherein $\phi$ is the dynamic threshold, $\eta \ge 0$,
$\mu = \dfrac{1}{N}\sum_{i=1}^{N} P_i$
is the mean of the anomaly probability values of the current round's positive samples,
$\sigma = \sqrt{\dfrac{1}{N}\sum_{i=1}^{N}(P_i - \mu)^2}$
is the standard deviation, $P_i$ is the anomaly probability value of the i-th positive sample of the current round, and N is the total number of positive samples of the current round.
8. A training method of a node anomaly detection model is characterized by comprising the following steps of carrying out iterative training on the node anomaly detection model until the model converges:
training a node abnormality detection model by using a training set obtained according to any one of claims 1 to 7, judging whether the state of a corresponding network node is abnormal according to input characteristics, and obtaining an abnormality probability value of each sample;
calculating a second total loss by using the abnormal probability values of all the samples and the corresponding sample labels;
updating the node anomaly detection model parameters based on the second total loss to obtain a trained node anomaly detection model.
9. A method for detecting network node abnormity is characterized by comprising the following steps:
acquiring input features extracted from corresponding network nodes in a detected network, wherein the input features are constructed from all data packets sniffed by the network nodes according to a time period, and the input features comprise basic features and statistical features;
and judging whether the state of the corresponding network node is abnormal or not according to the input characteristics by using the node abnormality detection model obtained by the training method according to claim 8 to obtain a detection result.
10. A computer-readable storage medium, having embodied thereon a computer program, the computer program being executable by a processor to perform the steps of the method of any one of claims 1 to 9.
11. An electronic device, comprising:
one or more processors; and
a memory, wherein the memory is to store one or more executable instructions;
the one or more processors are configured to implement the steps of the method of any one of claims 1-9 via execution of the one or more executable instructions.
CN202111382366.6A 2021-11-22 2021-11-22 Method for generating training set for detecting state of network node Active CN114257517B (en)

Publications (2)

Publication Number Publication Date
CN114257517A CN114257517A (en) 2022-03-29
CN114257517B true CN114257517B (en) 2022-11-29


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant