CN114710325A - Method, device, equipment and storage medium for constructing network intrusion detection model - Google Patents


Info

Publication number: CN114710325A
Authority: CN (China)
Prior art keywords: feature map, simulation, intrusion detection, network intrusion, initial
Legal status: Granted
Application number: CN202210263547.5A
Other languages: Chinese (zh)
Other versions: CN114710325B (en)
Inventors: 杜翠凤, 蒋仕宝
Current assignees: Guangzhou Jiesai Communication Planning And Design Institute Co ltd; Jiangxi Military Civilian Integration Research Institute; CETC Potevio Science and Technology Co Ltd
Original assignees: Guangzhou Jiesai Communication Planning And Design Institute Co ltd; GCI Science and Technology Co Ltd
Events:
Application filed by Guangzhou Jiesai Communication Planning And Design Institute Co ltd and GCI Science and Technology Co Ltd
Priority to CN202210263547.5A
Publication of CN114710325A
Application granted
Publication of CN114710325B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
            • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                • H04L63/1416 Event detection, e.g. attack signature detection
        • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
        • H04L41/14 Network analysis or design
            • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
        • H04L41/16 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Artificial Intelligence (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Databases & Information Systems (AREA)
  • Evolutionary Computation (AREA)
  • Medical Informatics (AREA)
  • Software Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method, a device, equipment and a storage medium for constructing a network intrusion detection model, wherein the method comprises the following steps: acquiring a first traffic data set of network intrusion detection, wherein the first traffic data set comprises traffic timing data for a plurality of consecutive sampling periods; preprocessing the first traffic data set to obtain a second traffic data set; performing feature extraction on the second traffic data set through EfficientNet to obtain an initial feature map; synthesizing a plurality of simulation feature maps based on a domain randomization method and the initial feature map to form a simulation feature map set; and training a pre-constructed deep learning model through the initial feature map and the simulation feature map set to obtain a network intrusion detection model. By adopting the embodiment of the invention, the accuracy of detecting network attacks for which only a small data volume is available can be improved.

Description

Method, device, equipment and storage medium for constructing network intrusion detection model
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method and an apparatus for constructing a network intrusion detection model, a terminal device, and a computer-readable storage medium.
Background
In recent years, with the rapid development of internet technology and the changing network environment, network security has received public attention. Existing machine-learning-based network intrusion detection methods mainly judge whether a network is under attack from the traffic data in the network, and such machine learning relies on a large amount of labelled traffic data. However, intrusion data is scarce within network traffic detection data, so existing network intrusion detection models perform poorly on network attacks for which only a small data volume is available.
Disclosure of Invention
Embodiments of the present invention provide a method and an apparatus for constructing a network intrusion detection model, a terminal device, and a computer-readable storage medium, which can improve accuracy of detecting a network attack with a small data volume.
The embodiment of the invention provides a method for constructing a network intrusion detection model, which comprises the following steps:
acquiring a first traffic data set of network intrusion detection; wherein the first traffic data set comprises traffic timing data for a plurality of consecutive sampling periods;
preprocessing the first traffic data set to obtain a second traffic data set;
performing feature extraction on the second traffic data set through EfficientNet to obtain an initial feature map;
synthesizing a plurality of simulation feature maps based on a domain randomization method and the initial feature map to form a simulation feature map set;
and training a pre-constructed deep learning model through the initial feature map and the simulation feature map set to obtain a network intrusion detection model.
As an improvement of the above, the method further comprises:
acquiring flow time sequence data acquired in real time by network intrusion detection;
and updating the model parameters of the network intrusion detection model through an incremental learning method and the flow time sequence data acquired in real time to obtain the updated network intrusion detection model.
As an improvement of the above scheme, the preprocessing is performed on the first traffic data set to obtain a second traffic data set, and specifically:
starting from the traffic timing data of the nth sampling period, integrating the traffic timing data of each sampling period with the traffic timing data of the n-1 sampling periods preceding it to obtain the second traffic data set; wherein n is greater than 1.
As an improvement of the above solution, the synthesizing a plurality of simulated feature maps based on the domain randomization method and the initial feature map to form a simulated feature map set includes:
extracting the characteristics of the initial characteristic diagram based on a domain randomization method, abstracting semantic information of the initial characteristic diagram into variable parameters, and synthesizing a plurality of simulation characteristic diagrams based on the variable parameters;
calculating the similarity of each simulation feature map and the initial feature map;
and screening out the simulation feature graphs similar to the initial feature graph according to the similarity of each simulation feature graph and the initial feature graph to form a simulation feature graph set.
As an improvement of the above solution, the calculating the similarity between each simulated feature map and the initial feature map includes:
extracting feature vectors of each simulation feature map and the initial feature map;
calculating the cosine value of the included angle between the feature vector of each simulated feature map and the feature vector of the initial feature map;
and taking the cosine value of the included angle corresponding to each simulation feature map as the similarity of each simulation feature map and the initial feature map.
As an improvement of the above solution, the step of screening out a simulation feature map similar to the initial feature map according to the similarity between each simulation feature map and the initial feature map to form a simulation feature map set specifically includes:
judging whether the similarity of each simulation feature map and the initial feature map is greater than a preset threshold, judging that the simulation feature maps are similar to the initial feature map when the similarity corresponding to the simulation feature maps is greater than the preset threshold, and screening the simulation feature maps to form a simulation feature map set.
As an improvement of the scheme, the value range of the preset threshold is 0.5-1.
Accordingly, another embodiment of the present invention provides a device for constructing a network intrusion detection model, including:
the data acquisition module is used for acquiring a first traffic data set of network intrusion detection; wherein the first traffic data set comprises traffic timing data for a plurality of consecutive sampling periods;
the data preprocessing module is used for preprocessing the first traffic data set to obtain a second traffic data set;
the characteristic extraction module is used for extracting the characteristics of the second traffic data set through EfficientNet to obtain an initial characteristic diagram;
the data simulation module is used for synthesizing a plurality of simulation feature maps based on a domain randomization method and the initial feature map to form a simulation feature map set;
and the model construction module is used for training a pre-constructed deep learning model through the initial feature map and the simulation feature map set to obtain a network intrusion detection model.
Another embodiment of the present invention provides a terminal device, which includes a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor, and when the processor executes the computer program, the processor implements the method for constructing the network intrusion detection model according to any one of the above items.
Another embodiment of the present invention provides a computer-readable storage medium, where the computer-readable storage medium includes a stored computer program, where when the computer program runs, the apparatus where the computer-readable storage medium is located is controlled to execute the method for constructing a network intrusion detection model as described in any one of the above.
Compared with the prior art, the method, the device, the equipment and the storage medium for constructing the network intrusion detection model disclosed by the embodiment of the invention have the following beneficial effects:
firstly, a first traffic data set of network intrusion detection is acquired, wherein the first traffic data set comprises traffic timing data for a plurality of consecutive sampling periods; secondly, the first traffic data set is preprocessed to obtain a second traffic data set; feature extraction is performed on the second traffic data set through EfficientNet to obtain an initial feature map; then, a plurality of simulation feature maps are synthesized based on a domain randomization method and the initial feature map to form a simulation feature map set; and finally, a pre-constructed deep learning model is trained through the initial feature map and the simulation feature map set to obtain a network intrusion detection model. On one hand, the features of the first traffic data set are extracted through EfficientNet, so that the deep learning model can learn the features of the detected traffic timing data; on the other hand, on the basis of the initial feature map, a large number of simulation feature maps are synthesized through a domain randomization method that combines the distribution characteristics and semantic features of the samples, so that a large number of training samples can be generated from a small amount of traffic timing data. This addresses the scarcity of intrusion data in existing network traffic detection data and improves the accuracy of detecting network attacks for which only a small data volume is available.
Drawings
Fig. 1 is a schematic flowchart of a method for constructing a network intrusion detection model according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of incremental learning provided by an embodiment of the present invention;
FIG. 3 is a flow chart of a domain randomization method for generating a simulation feature map according to an embodiment of the present invention;
fig. 4 is a block diagram of a device for constructing a network intrusion detection model according to an embodiment of the present invention;
fig. 5 is a block diagram of a terminal device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1, fig. 1 is a schematic flowchart of a method for constructing a network intrusion detection model according to an embodiment of the present invention.
The method for constructing the network intrusion detection model provided by the embodiment of the invention comprises the following steps:
s11, acquiring a first traffic data set of network intrusion detection; wherein the first traffic data set comprises traffic timing data for a plurality of consecutive sampling periods;
s12, preprocessing the first flow data set to obtain a second flow data set;
s13, performing feature extraction on the second traffic data set through EfficientNet to obtain an initial feature map;
s14, synthesizing a plurality of simulation feature maps based on a domain randomization method and the initial feature maps to form a simulation feature map set;
and S15, training a pre-constructed deep learning model through the initial feature map and the simulation feature map set to obtain a network intrusion detection model.
In particular, the first traffic data set comprises in particular traffic timing data for a plurality of consecutive sampling periods of a plurality of data sources.
Referring to fig. 2, fig. 2 is a schematic flowchart of incremental learning according to an embodiment of the present invention.
As an optional embodiment, the method further comprises:
acquiring flow time sequence data acquired in real time by network intrusion detection;
and updating the model parameters of the network intrusion detection model through an incremental learning method and the flow time sequence data acquired in real time to obtain the updated network intrusion detection model.
Illustratively, assume that one of the parameters learned by the trained deep learning model (i.e., the network intrusion detection model) is 5, and that learning the traffic timing data acquired in real time through incremental learning gives 4 for the same parameter. If the weight assigned to the value 5 from the trained deep learning model is defined as 0.9 and the weight assigned to the incrementally learned value 4 as 0.1, the final parameter is updated to 5 × 0.9 + 4 × 0.1 = 4.9.
The network intrusion detection model can be understood as a deep neural network that takes a feature map as input and outputs a label of 1 or 0. The invention obtains the network intrusion detection model through deep learning training and then applies the parameter adjustments produced by incremental learning to the model parameters, forming a continuously updated model. For example: the network intrusion detection model updated at time t is used to detect the traffic data at time t+1 and obtain the detection result for time t+1; then, at time t+2, the model from time t is not used unchanged, but is first updated with the traffic data of time t+1 before training on/detecting the traffic data at time t+2, and this iteration is repeated.
It can be understood that, since the manner of network intrusion and the approach of network attacks may change greatly over time, the model must be updated by dynamic training, that is, by the incremental learning method. In the invention, on one hand, incremental learning retains the knowledge the deep learning model learned from the initial feature map and the simulation feature maps; on the other hand, the traffic timing data collected in real time is learned and the learned content is used to update the network intrusion detection model, which improves the model's capacity to analyse new data and learn new knowledge.
It should be noted that, in the incremental learning process, the processing of the traffic timing data collected in real time may follow the relevant contents of steps S12, S13, and S14, which is not limited herein.
In some preferred embodiments, the preprocessing is performed on the first traffic data set to obtain a second traffic data set, specifically:
starting from the traffic timing data of the nth sampling period, integrating the traffic timing data of each sampling period with the traffic timing data of the n-1 sampling periods preceding it to obtain the second traffic data set; wherein n is greater than 1.
It should be noted that there are many data acquisition methods for network intrusion detection, and the common data acquisition methods include: 1. intrusion Detection Systems (IDS); 2. a network security monitoring system; 3. open source host intrusion detection systems (OSSEC for short), and the like. Each acquisition mode has corresponding event sequence data, and the event sequence data acquired by a certain data acquisition mode is represented as:
[Formula image BDA0003551731280000061 not reproduced on the page]
where x(t) is the measured value at time t and T is the length of the time series; it can be understood that each sampling period acquires a time series of length T. In actual operation there are m data acquisition modes, i.e. m data sources, so m × T traffic values are detected in one sampling period. Let X_{m×T} denote the traffic timing data detected in one sampling period, and let X_{ij} denote the traffic value in the ith row and jth column of X. Taking n equal to 3 as an example, the traffic timing data of the 1st, 2nd and 3rd sampling periods are integrated to form a network traffic space-time representation with a "wider time dimension", so that the timing matrix becomes "m × T × 3". Considering data processability, T = m is taken, that is, the sampling frequency of the data is adjusted so that the series length T of each of the m data sources equals m. The traffic timing data of a single sampling period then becomes an "m × m × 3" timing matrix.
It should be understood that, in addition to the above-mentioned manner, the first traffic data set may be preprocessed in other ways to obtain the second traffic data set. For example, starting from the 1st sampling period, the traffic timing data of each sampling period may be integrated with the traffic timing data of the n-1 sampling periods immediately following it; or, starting from the 2nd sampling period, the traffic timing data of each sampling period may be integrated with the traffic timing data of the two adjacent sampling periods, one before and one after it, to obtain the second traffic data set.
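The integration step described above, as an added example that is not part of the patent: per-period m × T matrices are stacked into m × T × n tensors for the three window placements the description mentions (n-1 periods before, n-1 periods after, or one on each side). The sample periods, the channel order (oldest period first) and the function names are constructed assumptions.

```python
import random
from typing import List, Sequence

# One sampling period: an m x T matrix, one row per data source (IDS, network
# security monitor, OSSEC, ...) and one column per time step of the series.
Matrix = List[List[float]]
# One integrated period: an m x T x n tensor; channel c holds the c-th period
# of the window, oldest period first.
Tensor = List[List[List[float]]]


def _check_shape(periods: Sequence[Matrix]) -> None:
    """Every period must be a non-empty m x T matrix of the same shape."""
    if not periods or not periods[0] or not periods[0][0]:
        raise ValueError("need at least one non-empty m x T period")
    m, t = len(periods[0]), len(periods[0][0])
    for p in periods:
        if len(p) != m or any(len(row) != t for row in p):
            raise ValueError("all sampling periods must have the same m x T shape")


def _stack(window: Sequence[Matrix]) -> Tensor:
    """Stack a window of n period matrices into one m x T x n tensor."""
    m, t = len(window[0]), len(window[0][0])
    return [[[window[c][i][j] for c in range(len(window))]
             for j in range(t)] for i in range(m)]


def integrate_periods(periods: Sequence[Matrix], n: int,
                      mode: str = "previous") -> List[Tensor]:
    """Build the second traffic data set from per-period m x T matrices.

    mode "previous": from the n-th period on, each period is joined with the
                     n-1 periods before it (the patent's primary variant).
    mode "next":     from the 1st period on, each period is joined with the
                     n-1 periods after it.
    mode "centered": each period is joined with (n-1)/2 periods on either side
                     (n must be odd; n = 3 gives one before and one after).
    Every mode yields len(periods) - n + 1 tensors of shape m x T x n.
    """
    if n < 2:
        raise ValueError("n must be greater than 1")
    _check_shape(periods)
    count = len(periods)
    if count < n:
        raise ValueError("need at least n sampling periods")
    if mode == "previous":
        windows = [periods[k - n + 1:k + 1] for k in range(n - 1, count)]
    elif mode == "next":
        windows = [periods[k:k + n] for k in range(0, count - n + 1)]
    elif mode == "centered":
        if n % 2 == 0:
            raise ValueError("centered mode needs an odd n")
        half = n // 2
        windows = [periods[k - half:k + half + 1] for k in range(half, count - half)]
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return [_stack(w) for w in windows]


def tensor_shape(tensor: Tensor) -> tuple:
    """Return (m, T, n) of an integrated tensor."""
    return len(tensor), len(tensor[0]), len(tensor[0][0])


def make_sample_periods(num_periods: int, m: int, seed: int = 0) -> List[Matrix]:
    """Constructed sample data: num_periods periods of m sources x T = m steps,
    matching the T = m choice in the description. Values are random counts."""
    rng = random.Random(seed)
    return [[[float(rng.randint(0, 1000)) for _ in range(m)] for _ in range(m)]
            for _ in range(num_periods)]


if __name__ == "__main__":
    sample = make_sample_periods(num_periods=5, m=4)
    for mode in ("previous", "next", "centered"):
        out = integrate_periods(sample, n=3, mode=mode)
        print(mode, len(out), "tensors of shape", tensor_shape(out[0]))
```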
Preferably, in step S13, feature extraction is performed on the second traffic data set through EfficientNet-B0 to obtain an initial feature map.
In this embodiment, the invention preprocesses the first traffic data set by data integration to obtain a second traffic data set, and processes the second traffic data set through EfficientNet-B0 to obtain an initial feature map. This feature map differs from traditional CNN feature extraction in three respects: 1. the network depth is increased through data integration, so that the initial feature map captures richer and more complex features; 2. the wider network enables the initial feature map to capture features of finer granularity; 3. the higher-resolution data input gives the initial feature map features of finer granularity. It can be appreciated that, since the acquisition frequency of many acquisition devices is low, low-frequency acquisition data tends to yield lower feature extraction accuracy. The initial feature map obtained in this way has multi-scale, time-spanning and fine-grained characteristics.
Referring to fig. 3, fig. 3 is a schematic flowchart of a domain randomization method for generating a simulation feature map according to an embodiment of the present invention.
In some preferred embodiments, the synthesizing a plurality of simulated feature maps based on the domain randomization method and the initial feature map to form a simulated feature atlas includes:
extracting the characteristics of the initial characteristic diagram based on a domain randomization method, abstracting semantic information of the initial characteristic diagram into variable parameters, and synthesizing a plurality of simulation characteristic diagrams based on the variable parameters;
calculating the similarity of each simulation feature map and the initial feature map;
and screening out the simulation feature graphs similar to the initial feature graph according to the similarity of each simulation feature graph and the initial feature graph to form a simulation feature graph set.
Preferably, the variable parameters include: based on the number of connections of the same destination address, the number of connections with SYN errors, the number of connections with REJ errors, the number of connections with the same service, the number of connections with different services, and the number of connections with different hosts.
In the invention, the structural information of the feature map is taken into account and 6 different connection rules are designed: the number of connections to the same destination address, the number of connections with SYN errors, the number of connections with REJ errors, the number of connections to the same service, the number of connections to different services, and the number of connections to different hosts. Randomizing only these 6 kinds of connection counts reduces the computation caused by randomization while ensuring the diversity of the synthesized simulation feature maps. These 6 connection rules are the variable parameters, and by randomizing these 6 parameters a large number of simulation feature maps can be synthesized.
In a specific embodiment, the calculating the similarity between each simulated feature map and the initial feature map includes:
extracting feature vectors of each simulation feature map and the initial feature map;
calculating the cosine value of the included angle between the feature vector of each simulated feature map and the feature vector of the initial feature map;
and taking the cosine value of the included angle corresponding to each simulation feature map as the similarity of each simulation feature map and the initial feature map.
It can be understood that due to the lack of label information, the quality of the network intrusion detection model cannot be quantified, and therefore, in order to prevent the influence of complete randomization on the algorithm precision, the training set is screened by combining the similarity of the initial feature map and the simulation feature map. Specifically, the similarity of the two characteristic graphs is measured by using the cosine value of the included angle.
Specifically, an included angle cosine value cos θ between the feature vector of each simulated feature map and the feature vector of the initial feature map is calculated according to the following formula:
[Formula image BDA0003551731280000091 not reproduced on the page]
wherein a is the feature vector of the initial feature map, b is the feature vector of the simulation feature map, cos is the cosine function, and θ is the included angle between the feature vector a and the feature vector b.
Note that the feature vector a of the k-dimensional initial feature map is (x11, x12, …, x1k) and the feature vector b of the k-dimensional simulation feature map is (y11, y12, …, y1k), where x1k and y1k are respectively the data of the variable parameters corresponding to the initial feature map and the simulation feature map.
Further, the step of screening out a simulation feature map similar to the initial feature map according to the similarity between each simulation feature map and the initial feature map to form a simulation feature map set specifically includes:
judging whether the similarity of each simulation feature map and the initial feature map is greater than a preset threshold, judging that the simulation feature maps are similar to the initial feature map when the similarity corresponding to the simulation feature maps is greater than the preset threshold, and screening the simulation feature maps to form a simulation feature map set.
Specifically, the value range of the preset threshold is 0.5-1.
Preferably, the preset threshold is 0.8.
It can be understood that the invention screens the synthesized simulation characteristic diagram through the similarity, and can prevent the influence of complete randomization on the algorithm precision of the network intrusion detection model.
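The domain randomization and similarity screening described above, as an added example that is not part of the patent: the six connection-count parameters of an initial feature vector are randomized to synthesize candidate vectors, each candidate is scored by the cosine of its angle with the initial vector, and only candidates scoring above the preset threshold (0.8 by default) form the simulation set. The uniform scaling used to randomize each parameter, the sample vectors and the function names are constructed assumptions; the patent does not state its randomization distribution.

```python
import math
import random
from typing import List, Sequence, Tuple

# The six variable parameters named in the description, in a fixed order.
VARIABLE_PARAMETERS = (
    "same_destination_address_connections",
    "syn_error_connections",
    "rej_error_connections",
    "same_service_connections",
    "different_service_connections",
    "different_host_connections",
)

Vector = List[float]


def cosine_similarity(a: Sequence[float], b: Sequence[float]) -> float:
    """cos(theta) between feature vectors a and b.

    An all-zero vector has no direction, so it is scored 0.0 (dissimilar)
    instead of dividing by zero.
    """
    if len(a) != len(b):
        raise ValueError("feature vectors must have the same dimension")
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    if norm_a == 0.0 or norm_b == 0.0:
        return 0.0
    return dot / (norm_a * norm_b)


def synthesize_feature_vectors(initial: Sequence[float], count: int,
                               rng: random.Random, spread: float = 0.5) -> List[Vector]:
    """Domain randomization over the six connection counts.

    Assumption (not from the patent): each parameter is scaled by a factor drawn
    uniformly from [1 - spread, 1 + spread] and rounded back to a non-negative
    connection count, so every candidate stays a plausible feature vector.
    """
    if len(initial) != len(VARIABLE_PARAMETERS):
        raise ValueError("expected one value per variable parameter")
    candidates = []
    for _ in range(count):
        candidates.append([max(0.0, float(round(x * rng.uniform(1 - spread, 1 + spread))))
                           for x in initial])
    return candidates


def screen_feature_vectors(initial: Sequence[float], candidates: Sequence[Vector],
                           threshold: float = 0.8) -> List[Tuple[Vector, float]]:
    """Keep candidates whose similarity to the initial vector exceeds the threshold.

    The description restricts the preset threshold to the range 0.5-1 and prefers 0.8;
    the comparison is strictly greater-than, as stated in the screening step.
    """
    if not 0.5 <= threshold <= 1.0:
        raise ValueError("threshold must lie in the range 0.5-1")
    kept = []
    for candidate in candidates:
        similarity = cosine_similarity(initial, candidate)
        if similarity > threshold:
            kept.append((candidate, similarity))
    return kept


def build_simulation_set(initial: Sequence[float], count: int,
                         threshold: float = 0.8, seed: int = 0) -> List[Tuple[Vector, float]]:
    """Synthesize `count` candidates from `initial` and screen them by similarity."""
    rng = random.Random(seed)
    return screen_feature_vectors(initial, synthesize_feature_vectors(initial, count, rng), threshold)


if __name__ == "__main__":
    # Constructed initial feature vector: counts for the six parameters above.
    initial_vector = [10.0, 2.0, 1.0, 8.0, 3.0, 2.0]
    simulation_set = build_simulation_set(initial_vector, count=200)
    print(f"{len(simulation_set)} of 200 candidates kept at threshold 0.8")
    for vector, similarity in simulation_set[:3]:
        print(vector, f"cos theta = {similarity:.3f}")
```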
Fig. 4 is a block diagram of a device for constructing a network intrusion detection model according to an embodiment of the present invention.
The device for constructing the network intrusion detection model provided by the embodiment of the invention comprises the following components:
a data acquisition module 21, configured to acquire a first traffic data set for network intrusion detection; wherein the first traffic data set comprises traffic timing data for a plurality of consecutive sampling periods;
a data preprocessing module 22, configured to preprocess the first traffic data set to obtain a second traffic data set;
the feature extraction module 23 is configured to perform feature extraction on the second traffic data set through EfficientNet to obtain an initial feature map;
a data simulation module 24, configured to synthesize a plurality of simulation feature maps based on a domain randomization method and the initial feature map to form a simulation feature map set;
and the model construction module 25 is configured to train a pre-constructed deep learning model through the initial feature map and the simulation feature map set to obtain a network intrusion detection model.
As an improvement of the above, the apparatus further comprises: a parameter update module 26;
the data acquisition module 21 is further configured to acquire flow time sequence data acquired in real time by network intrusion detection;
and the parameter updating module 26 is configured to update the model parameters of the network intrusion detection model through an incremental learning method and the flow time sequence data acquired in real time, so as to obtain an updated network intrusion detection model.
As one optional implementation, the data preprocessing module 22 is specifically configured to:
starting from the traffic timing data of the nth sampling period, integrating the traffic timing data of each sampling period with the traffic timing data of the n-1 sampling periods preceding it to obtain the second traffic data set; wherein n is greater than 1.
Preferably, the data simulation module 24 includes:
a randomization unit, configured to extract features of the initial feature map based on a domain randomization method, abstract semantic information of the initial feature map into variable parameters, and synthesize a plurality of simulation feature maps based on the variable parameters;
the data operation unit is used for calculating the similarity between each simulation feature map and the initial feature map;
and the data screening unit is used for screening out simulation feature maps similar to the initial feature map according to the similarity between each simulation feature map and the initial feature map to form a simulation feature map set.
As one optional implementation, the data operation unit is specifically configured to:
extracting feature vectors of each simulation feature map and the initial feature map;
calculating the cosine value of the included angle between the feature vector of each simulation feature map and the feature vector of the initial feature map;
and taking the cosine value of the included angle corresponding to each simulation feature map as the similarity of each simulation feature map and the initial feature map.
As one preferred embodiment, the data screening unit is specifically configured to:
judging whether the similarity of each simulation feature map and the initial feature map is larger than a preset threshold value, judging that the simulation feature maps are similar to the initial feature map when the similarity corresponding to the simulation feature maps is larger than the preset threshold value, and screening the simulation feature maps to form a simulation feature map set.
Preferably, the value range of the preset threshold in the data screening unit is 0.5-1.
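An added example, not from the patent or its applicants, of the three units of the data simulation module described above (randomization, similarity calculation and screening; also claims 4 to 7) in Python with NumPy. The patent does not specify which variable parameters the domain randomization uses, nor how a feature vector is extracted from a feature map; the per-channel gain/offset/noise parametrization, flattening as feature-vector extraction, the channels x height x width layout and the sample values are all assumptions of this example.

```python
import numpy as np

# Constructed sample "initial feature map" standing in for an EfficientNet
# output; assumed layout is channels x height x width. Values are made up.
INITIAL_FEATURE_MAP = np.array([
    [[0.9, 0.1], [0.4, 0.8]],
    [[0.2, 0.7], [0.6, 0.3]],
])


def synthesize_feature_maps(initial_map, count, rng=None,
                            gain_range=(0.8, 1.2), offset_std=0.05, noise_std=0.1):
    """Domain randomization with an assumed, simple parametrization: the
    semantic content of the initial map is kept and only a per-channel gain,
    a per-channel offset and element-wise noise are treated as the variable
    parameters, each sampled at random for every synthesized map."""
    rng = np.random.default_rng() if rng is None else rng
    base = np.asarray(initial_map, dtype=float)
    channels = base.shape[0]
    synthesized = []
    for _ in range(count):
        gain = rng.uniform(gain_range[0], gain_range[1], size=(channels, 1, 1))
        offset = rng.normal(0.0, offset_std, size=(channels, 1, 1))
        noise = rng.normal(0.0, noise_std, size=base.shape)
        synthesized.append(gain * base + offset + noise)
    return synthesized


def feature_vector(feature_map):
    """Feature-vector extraction; flattening the whole map is an assumption,
    the patent does not fix how the vector is obtained."""
    return np.asarray(feature_map, dtype=float).ravel()


def cosine_similarity(feature_map_a, feature_map_b):
    """Cosine of the angle between the two feature vectors (claim 5)."""
    a, b = feature_vector(feature_map_a), feature_vector(feature_map_b)
    denom = np.linalg.norm(a) * np.linalg.norm(b)
    if denom == 0.0:
        return 0.0  # an all-zero map has no direction to compare against
    return float(np.dot(a, b) / denom)


def screen_feature_maps(initial_map, simulated_maps, threshold=0.9):
    """Keep only the maps whose similarity exceeds the preset threshold
    (claims 6 and 7: the threshold lies in the range 0.5-1).
    Returns (kept_maps, similarities_of_all_candidates)."""
    if not 0.5 <= threshold <= 1.0:
        raise ValueError("preset threshold must lie in the range 0.5-1")
    kept, scores = [], []
    for sim_map in simulated_maps:
        score = cosine_similarity(sim_map, initial_map)
        scores.append(score)
        if score > threshold:
            kept.append(sim_map)
    return kept, scores


if __name__ == "__main__":
    rng = np.random.default_rng(seed=7)
    candidates = synthesize_feature_maps(INITIAL_FEATURE_MAP, count=20, rng=rng)
    kept, scores = screen_feature_maps(INITIAL_FEATURE_MAP, candidates, threshold=0.9)
    print(f"kept {len(kept)} of {len(candidates)} synthesized feature maps")
    print("similarities:", np.round(scores, 3))
```

The threshold sets the trade-off the 0.5-1 range expresses: close to 1 the screening keeps only near-duplicates of the initial map and the synthesized training set adds little variety, while close to 0.5 it admits maps whose randomized parameters have moved them well away from the original, at the risk of training on samples that no longer represent the captured traffic.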
It should be noted that, for the specific description and the beneficial effects related to each embodiment of the apparatus for constructing a network intrusion detection model in this embodiment, reference may be made to the specific description and the beneficial effects related to each embodiment of the method for constructing a network intrusion detection model, which are not described herein again.
Fig. 5 is a block diagram of a terminal device according to an embodiment of the present invention.
The terminal device provided by the embodiment of the present invention includes a processor 10, a memory 20, and a computer program stored in the memory 20 and configured to be executed by the processor 10, where the processor 10 implements the method for constructing the network intrusion detection model according to any one of the above embodiments when executing the computer program.
The processor 10, when executing the computer program, implements the steps in the above-mentioned embodiment of the method for constructing the network intrusion detection model, for example, all the steps of the method for constructing the network intrusion detection model shown in fig. 1. Alternatively, the processor 10, when executing the computer program, implements the functions of each module/unit in the embodiment of the apparatus for constructing a network intrusion detection model, for example, the functions of each module of the apparatus for constructing a network intrusion detection model shown in fig. 4.
Illustratively, the computer program may be partitioned into one or more modules that are stored in the memory 20 and executed by the processor 10 to implement the present invention. The one or more modules may be a series of computer program instruction segments capable of performing certain functions, which are used to describe the execution of the computer program in the terminal device.
The terminal device can be a desktop computer, a notebook, a palm computer, a cloud server or another computing device. The terminal device may include, but is not limited to, a processor 10 and a memory 20. It will be appreciated by those skilled in the art that the schematic diagram is merely an example of a terminal device and does not constitute a limitation of a terminal device, which may include more or fewer components than those shown, combine certain components, or have different components; for example, the terminal device may also include input/output devices, network access devices, buses, etc.
The processor 10 may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like; the processor 10 is the control center of the terminal device and connects the various parts of the whole terminal device through various interfaces and lines.
The memory 20 can be used for storing the computer programs and/or modules, and the processor 10 implements various functions of the terminal device by running or executing the computer programs and/or modules stored in the memory 20 and calling data stored in the memory 20. The memory 20 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function, and the like; the storage data area may store data created according to the use of the terminal device, and the like. In addition, the memory may include high speed random access memory, and may also include non-volatile memory, such as a hard disk, a memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), at least one magnetic disk storage device, a Flash memory device, or other volatile solid state storage device.
If the integrated module/unit of the terminal device is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on such understanding, all or part of the flow of the method according to the embodiments of the present invention may also be implemented by a computer program, which may be stored in a computer-readable storage medium and which, when executed by a processor, implements the steps of the method embodiments. The computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer-readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a USB disk, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a read-only memory (ROM), a random access memory (RAM), an electrical carrier wave signal, a telecommunications signal, a software distribution medium, and the like.
It should be noted that the above-described device embodiments are merely illustrative, where the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. In addition, in the drawings of the embodiment of the apparatus provided by the present invention, the connection relationship between the modules indicates that there is a communication connection between them, and may be specifically implemented as one or more communication buses or signal lines. One of ordinary skill in the art can understand and implement it without inventive effort.
Accordingly, an embodiment of the present invention further provides a computer-readable storage medium, where the computer-readable storage medium includes a stored computer program; when the computer program runs, the apparatus on which the computer readable storage medium is located is controlled to execute the method for constructing a network intrusion detection model according to any of the embodiments.
To sum up, according to the method, the apparatus, the terminal device and the computer-readable storage medium for constructing a network intrusion detection model provided by the embodiments of the present invention, a first traffic data set for network intrusion detection is first obtained, where the first traffic data set comprises traffic time series data for a plurality of consecutive sampling periods; secondly, the first traffic data set is preprocessed to obtain a second traffic data set; feature extraction is performed on the second traffic data set through EfficientNet to obtain an initial feature map; then, a plurality of simulation feature maps are synthesized based on a domain randomization method and the initial feature map to form a simulation feature map set; and finally, a pre-constructed deep learning model is trained through the initial feature map and the simulation feature map set to obtain a network intrusion detection model. On the one hand, the features of the first traffic data set are extracted through EfficientNet, so that the deep learning model can learn the features of the detected traffic time series data; on the other hand, starting from the initial feature map, the invention synthesizes a large number of simulation feature maps by combining the distribution characteristics and semantic features of the samples through a domain randomization method, thereby generating a large amount of training sample data from a small amount of traffic time series data. This addresses the lack of intrusion samples in existing network traffic detection data and thus improves the reliability of the network intrusion detection model and the accuracy of detecting network attacks when only a small amount of data is available.
While the foregoing is directed to the preferred embodiment of the present invention, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention.

Claims (10)

1. A method for constructing a network intrusion detection model is characterized by comprising the following steps:
acquiring a first traffic data set of network intrusion detection; wherein the first traffic data set comprises traffic timing data for a plurality of consecutive sampling periods;
preprocessing the first traffic data set to obtain a second traffic data set;
performing feature extraction on the second traffic data set through EfficientNet to obtain an initial feature map;
synthesizing a plurality of simulation feature maps based on a domain randomization method and the initial feature map to form a simulation feature map set;
and training a pre-constructed deep learning model through the initial feature map and the simulation feature map set to obtain a network intrusion detection model.
2. The method of constructing a network intrusion detection model according to claim 1, wherein the method further comprises:
acquiring flow time sequence data acquired in real time by network intrusion detection;
and updating the model parameters of the network intrusion detection model through an incremental learning method and the flow time sequence data acquired in real time to obtain the updated network intrusion detection model.
3. The method for constructing a network intrusion detection model according to claim 1, wherein the preprocessing the first traffic data set to obtain a second traffic data set specifically comprises:
starting from the traffic time series data of the n-th sampling period, integrating the traffic time series data of each sampling period with the traffic time series data of the n-1 sampling periods preceding it, to obtain a second traffic data set; wherein n is greater than 1.
4. The method of constructing a network intrusion detection model according to claim 1, wherein the synthesizing a plurality of simulated feature maps based on a domain randomization method and the initial feature map to form a simulated feature map set comprises:
extracting features of the initial feature map based on a domain randomization method, abstracting the semantic information of the initial feature map into variable parameters, and synthesizing a plurality of simulation feature maps from the variable parameters;
calculating the similarity of each simulation feature map and the initial feature map;
and screening out the simulation feature graphs similar to the initial feature graph according to the similarity of each simulation feature graph and the initial feature graph to form a simulation feature graph set.
5. The method of constructing a network intrusion detection model according to claim 4, wherein the calculating the similarity between each simulated feature map and the initial feature map comprises:
extracting feature vectors of each simulation feature map and the initial feature map;
calculating the cosine of the angle between the feature vector of each simulation feature map and the feature vector of the initial feature map;
and taking the cosine of the angle corresponding to each simulation feature map as the similarity between that simulation feature map and the initial feature map.
6. The method for constructing a network intrusion detection model according to claim 4, wherein the simulation feature maps similar to the initial feature map are screened out according to the similarity between each simulation feature map and the initial feature map to form a simulation feature map set, specifically:
judging whether the similarity between each simulation feature map and the initial feature map is greater than a preset threshold; when the similarity corresponding to a simulation feature map is greater than the preset threshold, judging that simulation feature map to be similar to the initial feature map, and screening out the simulation feature maps so judged to form a simulation feature map set.
7. The method of claim 6, wherein the value range of the preset threshold is 0.5 to 1.
8. An apparatus for constructing a network intrusion detection model, comprising:
the data acquisition module is used for acquiring a first traffic data set of network intrusion detection; wherein the first traffic data set comprises traffic timing data for a plurality of consecutive sampling periods;
the data preprocessing module is used for preprocessing the first traffic data set to obtain a second traffic data set;
the feature extraction module is used for performing feature extraction on the second traffic data set through EfficientNet to obtain an initial feature map;
the data simulation module is used for synthesizing a plurality of simulation feature maps based on a domain randomization method and the initial feature map to form a simulation feature map set;
and the model construction module is used for training a pre-constructed deep learning model through the initial feature map and the simulation feature map set to obtain a network intrusion detection model.
9. A terminal device comprising a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor, the processor implementing the method of constructing a network intrusion detection model according to any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, comprising a stored computer program, wherein the computer program, when executed, controls an apparatus in which the computer-readable storage medium is located to perform the method for constructing the network intrusion detection model according to any one of claims 1 to 7.
CN202210263547.5A 2022-03-17 2022-03-17 Method, device, equipment and storage medium for constructing network intrusion detection model Active CN114710325B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210263547.5A CN114710325B (en) 2022-03-17 2022-03-17 Method, device, equipment and storage medium for constructing network intrusion detection model

Publications (2)

Publication Number Publication Date
CN114710325A true CN114710325A (en) 2022-07-05
CN114710325B CN114710325B (en) 2023-09-15

Family

ID=82168368

Country Status (1)

Country Link
CN (1) CN114710325B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108347430A (en) * 2018-01-05 2018-07-31 国网山东省电力公司济宁供电公司 Network invasion monitoring based on deep learning and vulnerability scanning method and device
US20190050567A1 (en) * 2017-08-10 2019-02-14 AO Kaspersky Lab System and method of managing computing resources for detection of malicious files based on machine learning model
CN111553381A (en) * 2020-03-23 2020-08-18 北京邮电大学 Network intrusion detection method and device based on multiple network models and electronic equipment
CN112653675A (en) * 2020-12-12 2021-04-13 海南师范大学 Intelligent intrusion detection method and device based on deep learning
US20210193175A1 (en) * 2019-12-18 2021-06-24 Lg Electronics Inc. Training data generating method for training filled pause detecting model and device therefor
CN113192175A (en) * 2021-04-14 2021-07-30 武汉联影智融医疗科技有限公司 Model training method and device, computer equipment and readable storage medium
CN113989583A (en) * 2021-09-03 2022-01-28 中电积至(海南)信息技术有限公司 Method and system for detecting malicious traffic of internet

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
陈曦;姜亚光;李建彬;闫靖晨;刘曙元;李坤昌;: "Real-time anomalous traffic detection method for the S7 protocol based on the SIMI model", Application of Electronic Technique, no. 08, pages 101 - 106 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116527329A (en) * 2023-04-12 2023-08-01 广东工贸职业技术学院 Intrusion detection method and system based on machine learning
CN116527329B (en) * 2023-04-12 2023-11-17 广东工贸职业技术学院 Intrusion detection method and system based on machine learning

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: No.95, Yingbin Avenue, Huadu District, Guangzhou, Guangdong 510000
Patentee after: CLP Science and Technology Co.,Ltd.
Patentee after: GUANGZHOU JIESAI COMMUNICATION PLANNING AND DESIGN INSTITUTE Co.,Ltd.
Address before: 510310 No. 381 middle Xingang Road, Guangzhou, Guangdong, Haizhuqu District
Patentee before: GCI SCIENCE & TECHNOLOGY Co.,Ltd.
Patentee before: GUANGZHOU JIESAI COMMUNICATION PLANNING AND DESIGN INSTITUTE Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20231016
Address after: No.95, Yingbin Avenue, Huadu District, Guangzhou, Guangdong 510000
Patentee after: CLP Science and Technology Co.,Ltd.
Patentee after: GUANGZHOU JIESAI COMMUNICATION PLANNING AND DESIGN INSTITUTE Co.,Ltd.
Patentee after: Jiangxi military civilian integration Research Institute
Address before: No.95, Yingbin Avenue, Huadu District, Guangzhou, Guangdong 510000
Patentee before: CLP Science and Technology Co.,Ltd.
Patentee before: GUANGZHOU JIESAI COMMUNICATION PLANNING AND DESIGN INSTITUTE Co.,Ltd.