Disclosure of Invention
The embodiment of the invention provides a method, a device, terminal equipment and a computer readable storage medium for constructing a network intrusion detection model, which can improve the accuracy of detecting network attacks with a smaller amount of data.
The embodiment of the invention provides a method for constructing a network intrusion detection model, which comprises the following steps:
acquiring a first traffic data set of network intrusion detection; wherein the first traffic data set comprises traffic timing data for a plurality of consecutive sampling periods;
preprocessing the first flow data set to obtain a second flow data set;
extracting features of the second flow data set through EfficientNet to obtain an initial feature map;
synthesizing a plurality of simulation feature maps based on a domain randomization method and the initial feature map to form a simulation feature map set;
training a pre-constructed deep learning model through the initial feature map and the simulation feature map set to obtain a network intrusion detection model.
As an improvement of the above solution, the method further includes:
acquiring flow time sequence data acquired in real time by network intrusion detection;
and updating the model parameters of the network intrusion detection model through an incremental learning method and the flow time sequence data acquired in real time to obtain an updated network intrusion detection model.
As an improvement of the above solution, the preprocessing the first flow data set to obtain a second flow data set specifically includes:
starting from the flow time sequence data of the n-th sampling period, integrating the flow time sequence data of each sampling period with the flow time sequence data of the n-1 sampling periods preceding it to obtain a second flow data set; wherein n is greater than 1.
As an improvement of the above solution, the synthesizing a plurality of simulated feature maps based on the domain randomization method and the initial feature map to construct a simulated feature map set includes:
extracting features of the initial feature map based on a domain randomization method, abstracting semantic information of the initial feature map into variable parameters, and synthesizing a plurality of simulation feature maps based on the variable parameters;
calculating the similarity between each simulation feature map and the initial feature map;
and screening out the simulation feature maps similar to the initial feature map according to the similarity between each simulation feature map and the initial feature map to form a simulation feature map set.
As an improvement of the above solution, the calculating the similarity between each of the simulated feature maps and the initial feature map includes:
extracting feature vectors of each simulation feature map and each initial feature map;
calculating an included angle cosine value of the feature vector of each simulation feature map and the feature vector of the initial feature map;
and taking the cosine value of the included angle corresponding to each simulation feature map as the similarity between each simulation feature map and the initial feature map.
As an improvement of the above solution, the screening out of simulated feature maps similar to the initial feature map according to the similarity between each simulated feature map and the initial feature map, so as to form a simulated feature map set, specifically includes:
judging whether the similarity between each simulation feature map and the initial feature map is larger than a preset threshold; when the similarity between a simulation feature map and the initial feature map is larger than the preset threshold, judging that the simulation feature map is similar to the initial feature map, and screening out such simulation feature maps to form a simulation feature map set.
As an improvement of the scheme, the value range of the preset threshold value is 0.5-1.
Correspondingly, another embodiment of the present invention provides a device for constructing a network intrusion detection model, including:
the data acquisition module is used for acquiring a first flow data set for network intrusion detection; wherein the first traffic data set comprises traffic timing data for a plurality of consecutive sampling periods;
the data preprocessing module is used for preprocessing the first flow data set to obtain a second flow data set;
the feature extraction module is used for carrying out feature extraction on the second flow data set through the EfficientNet to obtain an initial feature map;
the data simulation module is used for synthesizing a plurality of simulation feature maps based on a domain randomization method and the initial feature map so as to form a simulation feature map set;
and the model construction module is used for training a pre-constructed deep learning model through the initial feature map and the simulation feature map set to obtain a network intrusion detection model.
Another embodiment of the present invention provides a terminal device, including a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor, where the processor implements the method for constructing a network intrusion detection model according to any one of the above.
Another embodiment of the present invention provides a computer readable storage medium, where the computer readable storage medium includes a stored computer program, where when the computer program runs, the device where the computer readable storage medium is controlled to execute the method for constructing the network intrusion detection model according to any one of the foregoing.
Compared with the prior art, the method, the device, the equipment and the storage medium for constructing the network intrusion detection model disclosed by the embodiment of the invention have the following beneficial effects:
firstly, acquiring a first flow data set of network intrusion detection; wherein the first traffic data set comprises traffic timing data for a plurality of consecutive sampling periods; secondly, preprocessing the first flow data set to obtain a second flow data set; extracting features of the second flow data set through EfficientNet to obtain an initial feature map; then, synthesizing a plurality of simulation feature maps based on a domain randomization method and the initial feature map to form a simulation feature map set; and finally, training a pre-constructed deep learning model through the initial feature map and the simulation feature map set to obtain a network intrusion detection model. On one hand, features of the first flow data set are extracted by the EfficientNet, so that the deep learning model can learn the features of the detected flow time sequence data; on the other hand, on the basis of the initial feature map, a large number of simulation feature maps are synthesized by combining the distribution characteristics and semantic features of the samples through a domain randomization method, so that a large number of training samples can be generated from a small amount of flow time sequence data. This solves the problem of the lack of intrusion data in existing network flow detection data and improves the accuracy of detecting network attacks with a small amount of data.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Referring to fig. 1, fig. 1 is a flow chart of a method for constructing a network intrusion detection model according to an embodiment of the present invention.
The method for constructing the network intrusion detection model provided by the embodiment of the invention comprises the following steps:
s11, acquiring a first flow data set of network intrusion detection; wherein the first traffic data set comprises traffic timing data for a plurality of consecutive sampling periods;
s12, preprocessing the first flow data set to obtain a second flow data set;
s13, extracting features of the second flow data set through the EfficientNet to obtain an initial feature map;
s14, synthesizing a plurality of simulation feature maps based on a domain randomization method and the initial feature map to form a simulation feature map set;
and S15, training a pre-constructed deep learning model through the initial feature map and the simulation feature map set to obtain a network intrusion detection model.
In particular, the first traffic data set comprises traffic timing data of a plurality of consecutive sampling periods of a plurality of data sources.
Referring to fig. 2, fig. 2 is a schematic flow chart of incremental learning according to an embodiment of the present invention.
As one of the alternative embodiments, the method further comprises:
acquiring flow time sequence data acquired in real time by network intrusion detection;
and updating the model parameters of the network intrusion detection model through an incremental learning method and the flow time sequence data acquired in real time to obtain an updated network intrusion detection model.
For example, assuming that a certain parameter learned by the trained deep learning model (i.e., the network intrusion detection model) is 5, the flow time series data acquired in real time is learned by incremental learning, the learned parameter is 4, the weight occupied by the parameter 5 defining the trained deep learning model is 0.9, the weight occupied by the parameter 4 of incremental learning is 0.1, and the final parameter is updated to 5×0.9+4×0.1=4.9.
The network intrusion detection model can be understood as a deep neural network model that takes a feature map as input and outputs a label of 1 or 0. According to the invention, the network intrusion detection model is obtained through training in a deep learning mode, and the parameter results of the incremental learning adjustment are added to adjust the model parameters of the network intrusion detection model, so that a continuously updated model is formed. For example: the updated network intrusion detection model held at time t is used to detect the flow data at time t+1 and obtain the detection result at time t+1; the model at time t+1 is then updated with the traffic data at time t+1 and this updated model, rather than a separately trained model, is used for training/detecting on the traffic data at time t+2, and the iteration is repeated in this way.
It will be appreciated that since the network intrusion patterns and the means of network attack will vary greatly over time, it is necessary to train the model update dynamically, i.e. to update the model using incremental learning. In the invention, incremental learning keeps knowledge learned by a deep learning model through an initial feature map and a simulation feature map on one hand; on the other hand, the network intrusion detection model is updated by learning flow time sequence data acquired in real time and adopting the learned content, so that the capability of the network intrusion detection model for analyzing new data and learning new knowledge is improved.
It should be noted that, in the incremental learning process, the processing process of the flow time series data collected in real time may refer to the relevant content of steps S12, S13, and S14, which is not limited herein.
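The weighted parameter update and the rolling "detect at t+1, then update" iteration described above, as an added example that is not the patent's own code. The linear-score detector used here is a stand-in assumption (the patent's model is a deep network); the weights 0.9 and 0.1 are those given in the text.

```python
from typing import List, Sequence, Tuple

Params = List[float]


def blend_parameters(trained: Sequence[float], learned: Sequence[float], w_trained: float = 0.9) -> Params:
    """Weighted update from the text: final = trained * w_trained + learned * (1 - w_trained).
    For the single-parameter case in the text (5 and 4) this gives 5*0.9 + 4*0.1 = 4.9."""
    if len(trained) != len(learned):
        raise ValueError("parameter vectors must have the same length")
    if not 0.0 <= w_trained <= 1.0:
        raise ValueError("weight must lie in [0, 1]")
    w_learned = 1.0 - w_trained
    return [p * w_trained + q * w_learned for p, q in zip(trained, learned)]


def detect(params: Sequence[float], features: Sequence[float]) -> int:
    """Stand-in detector (assumption): label 1 (intrusion) when the linear score is positive, else 0."""
    return 1 if sum(p * x for p, x in zip(params, features)) > 0 else 0


def rolling_update(params: Params,
                   stream: Sequence[Tuple[Sequence[float], Sequence[float]]],
                   w_trained: float = 0.9) -> List[Tuple[int, int, Params]]:
    """Iterate the scheme in the text: the model held at time t labels the traffic of t+1,
    is then updated with the parameters learned from that same traffic, and the result is
    the model for t+2. Each stream element is (features at t+1, parameters learned by
    incremental learning from the real-time data at t+1). Returns, per step, the time step,
    the label produced, and the parameters that produced it."""
    history = []
    current = list(params)
    for step, (features, learned) in enumerate(stream, start=1):
        label = detect(current, features)                      # model_t applied to traffic at t+1
        history.append((step, label, current))
        current = blend_parameters(current, learned, w_trained)  # becomes model_{t+1}
    return history


def retained_weight(w_trained: float, updates: int) -> float:
    """Share of the originally trained parameters still present after a number of updates
    (0.9 per update means the original knowledge decays geometrically, not abruptly)."""
    return w_trained ** updates


if __name__ == "__main__":
    # Constructed stream: two periods of (features, incrementally learned parameters).
    stream = [([1.0, -2.0], [4.0, 1.0]), ([3.0, 1.0], [3.0, 0.0])]
    for step, label, used in rolling_update([5.0, 1.0], stream):
        print(f"t+{step}: label={label} using params={[round(v, 3) for v in used]}")
    print("original knowledge retained after 10 updates:", round(retained_weight(0.9, 10), 3))
```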
In some preferred embodiments, the preprocessing the first flow data set to obtain a second flow data set, specifically:
starting from the flow time sequence data of the n-th sampling period, integrating the flow time sequence data of each sampling period with the flow time sequence data of the n-1 sampling periods preceding it to obtain a second flow data set; wherein n is greater than 1.
It should be noted that there are many data acquisition modes for network intrusion detection; common ones include: 1. an intrusion detection system (IDS); 2. a network security monitoring system; 3. an open source host intrusion detection system (OSSEC); and the like. Each acquisition mode yields corresponding event sequence data, and the event sequence data acquired by a given data acquisition mode is expressed as:
where x(t) denotes the measurement at time t, and T denotes the length of the time series; it is understood that each sampling period requires the acquisition of a time series of length T. Since m data acquisition modes, namely m data sources, exist in actual operation, m×T flow data values can be detected in one sampling period; the flow time series data detected in one sampling period is denoted by X_{m×T}, and the flow data in the i-th row and j-th column of X is denoted x_{ij}. To make X_{m×T} better suited to the EfficientNet network, taking n = 3 as an example, the flow time sequence data of the 1st, 2nd and 3rd sampling periods are integrated to form a network flow time-space representation with a wider time dimension, so the time sequence matrix becomes m×T×3; considering the processability of the data, T is made equal to m by adjusting the sampling frequency of the m data sources. The traffic timing data for a single sampling period then becomes an m×m×3 timing matrix.
It will be appreciated that, in addition to the above manner, the preprocessing of the first traffic data set to obtain the second traffic data set may also be performed by, starting from the traffic time series data of the 1st sampling period, integrating the traffic time series data of each sampling period with that of the n-1 sampling periods following it. Alternatively, starting from the flow time sequence data of the 2nd sampling period, the flow time sequence data of each sampling period may be integrated with that of its two adjacent sampling periods to obtain the second flow data set.
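The three integration variants just described (preceding n-1 periods, following n-1 periods, and the two adjacent periods), as an added example that is not the patent's own code. Each sampling period is assumed to be an m×T matrix (m data sources, T time steps, T = m in the sample data), and each window becomes an m×T×n tensor; the anchor index shows which period a window is attributed to, which is what separates the causal "preceding" variant from the other two.

```python
from typing import List, Tuple

Matrix = List[List[float]]            # one sampling period: m rows (data sources) x T columns (time steps)
Tensor = List[List[List[float]]]      # one window: m x T x n, indexed [row][col][channel]


def integrate_periods(periods: List[Matrix], n: int, mode: str = "preceding") -> List[Tuple[int, Tensor]]:
    """Stack n consecutive sampling periods into m x T x n tensors.

    Returns (anchor, tensor) pairs, where anchor is the index of the period the window
    is attributed to:
      mode="preceding": from the n-th period on, each period plus the n-1 before it (causal,
                        usable on live traffic because no future period is needed)
      mode="following": from the 1st period on, each period plus the n-1 after it
      mode="centered":  from the 2nd period on, each period plus its two neighbours (n is 3)
    """
    if n < 2:
        raise ValueError("n must be greater than 1")
    if mode == "centered":
        n = 3
    m, t = len(periods[0]), len(periods[0][0])
    for p in periods:
        if len(p) != m or any(len(row) != t for row in p):
            raise ValueError("every period must be an m x T matrix of the same shape")
    offsets = {"preceding": n - 1, "following": 0, "centered": 1}
    if mode not in offsets:
        raise ValueError(f"unknown mode {mode!r}")
    windows = []
    for start in range(len(periods) - n + 1):
        group = periods[start:start + n]
        # channel c of the window is period start+c; cell [i][j] gathers x_ij across the n periods
        tensor = [[[group[c][i][j] for c in range(n)] for j in range(t)] for i in range(m)]
        windows.append((start + offsets[mode], tensor))
    return windows


def tensor_shape(tensor: Tensor) -> Tuple[int, int, int]:
    """(m, T, n) of a window tensor."""
    return len(tensor), len(tensor[0]), len(tensor[0][0])


def make_periods(m: int, t: int, count: int) -> List[Matrix]:
    """Constructed sample data: period k, source i, time step j -> k*100 + i*10 + j."""
    return [[[k * 100 + i * 10 + j for j in range(t)] for i in range(m)] for k in range(count)]


if __name__ == "__main__":
    periods = make_periods(4, 4, 5)          # T == m == 4, five consecutive sampling periods
    for mode in ("preceding", "following", "centered"):
        wins = integrate_periods(periods, 3, mode)
        print(mode, "anchors:", [a for a, _ in wins], "window shape:", tensor_shape(wins[0][1]))
```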
Preferably, in step S13, feature extraction is performed on the second traffic data set by the EfficientNet-B0, resulting in an initial feature map.
In this embodiment, the present invention preprocesses the first traffic data set by means of data integration to obtain a second traffic data set, and processes the second traffic data set with EfficientNet-B0 to obtain an initial feature map. This feature map differs from traditional CNN feature extraction in three respects: 1. the network depth is increased by the data integration, so that the initial feature map obtains richer and more complex features; 2. a wider network captures finer-grained features in the initial feature map; 3. the higher-resolution data input gives the initial feature map finer-grained features. It will be appreciated that, since the acquisition frequency of many acquisition devices is low, low-frequency acquisition data tends to result in lower feature extraction accuracy. The initial feature map obtained in this manner has the characteristics of multiple scales, time span and fine granularity.
Referring to fig. 3, fig. 3 is a flow chart illustrating a domain randomization method for generating a simulation feature map according to an embodiment of the present invention.
In some preferred embodiments, the synthesizing a plurality of simulated feature maps based on the domain randomization method and the initial feature map to form a simulated feature map set includes:
extracting features of the initial feature map based on a domain randomization method, abstracting semantic information of the initial feature map into variable parameters, and synthesizing a plurality of simulation feature maps based on the variable parameters;
calculating the similarity between each simulation feature map and the initial feature map;
and screening out the simulation feature maps similar to the initial feature map according to the similarity between each simulation feature map and the initial feature map to form a simulation feature map set.
Preferably, the variable parameter includes: the number of connections based on the same destination address, the number of connections with SYN errors, the number of connections with REJ errors, the number of connections to establish the same service, the number of connections to establish different services, the number of connections to connect different hosts.
The invention designs 6 different connection rules by considering the structural information of the feature map, namely the number of connections based on the same destination address, the number of connections with SYN errors, the number of connections with REJ errors, the number of connections establishing the same service, the number of connections establishing different services and the number of connections to different hosts. Randomizing these 6 types of connection ensures the diversity of the synthesized simulation feature maps while reducing the amount of computation caused by randomization. The 6 different connection rules are the variable parameters, and by randomizing these 6 parameters a large number of simulation feature maps can be synthesized.
In a specific embodiment, said calculating the similarity between each of said simulated feature maps and said initial feature map includes:
extracting feature vectors of each simulation feature map and each initial feature map;
calculating an included angle cosine value of the feature vector of each simulation feature map and the feature vector of the initial feature map;
and taking the cosine value of the included angle corresponding to each simulation feature map as the similarity between each simulation feature map and the initial feature map.
It can be understood that, due to the lack of label information, the quality of the network intrusion detection model cannot be quantified directly, so in order to prevent complete randomization from affecting algorithm accuracy, the training set is screened using the similarity between the initial feature map and each simulation feature map. Specifically, the invention measures the similarity of two feature maps by the cosine of the angle between their feature vectors.
Specifically, an included angle cosine value cos θ of the feature vector of each simulation feature map and the feature vector of the initial feature map is calculated according to the following formula:
wherein a is the feature vector of the initial feature map, b is the feature vector of the simulated feature map, cos is the cosine function, and θ is the angle between the feature vector a and the feature vector b.
Note that the feature vector of the k-dimensional initial feature map is a = (x_{11}, x_{12}, …, x_{1k}) and the feature vector of the k-dimensional simulation feature map is b = (y_{11}, y_{12}, …, y_{1k}), where x_{1k} and y_{1k} are the values of the variable parameters corresponding to the initial feature map and the simulation feature map respectively.
Further, according to the similarity between each simulation feature map and the initial feature map, screening out simulation feature maps similar to the initial feature map to form a simulation feature map set, which specifically includes:
judging whether the similarity between each simulation feature map and the initial feature map is larger than a preset threshold; when the similarity between a simulation feature map and the initial feature map is larger than the preset threshold, judging that the simulation feature map is similar to the initial feature map, and screening out such simulation feature maps to form a simulation feature map set.
Specifically, the value range of the preset threshold is 0.5-1.
Preferably, the preset threshold is 0.8.
It can be understood that the invention screens the synthesized simulation feature map through the similarity, and can prevent the influence of complete randomization on the algorithm precision of the network intrusion detection model.
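The synthesis and screening steps above (randomizing the six connection-rule parameters, computing cos θ between the feature vectors a and b, and keeping only maps whose similarity exceeds the preset threshold of 0.8), as an added example that is not the patent's own code. The parameter names, the uniform randomization range and the sample initial feature map are this example's own assumptions; the patent does not fix how the parameters are randomized.

```python
import math
import random
from typing import Dict, List, Tuple

# This example's labels for the six variable parameters (connection rules) named in the text.
PARAMS = [
    "same_dst_addr",   # number of connections based on the same destination address
    "syn_error",       # number of connections with SYN errors
    "rej_error",       # number of connections with REJ errors
    "same_service",    # number of connections establishing the same service
    "diff_service",    # number of connections establishing different services
    "diff_host",       # number of connections to different hosts
]

FeatureMap = Dict[str, float]


def to_vector(fm: FeatureMap) -> List[float]:
    """Feature vector a = (x_11, ..., x_1k) or b = (y_11, ..., y_1k): the k = 6 parameter values in fixed order."""
    return [float(fm[k]) for k in PARAMS]


def cosine_similarity(a: List[float], b: List[float]) -> float:
    """cos(theta) = a.b / (|a| |b|); returns 0.0 when either vector is all zeros."""
    if len(a) != len(b):
        raise ValueError("vectors must have the same dimension")
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    if norm_a == 0.0 or norm_b == 0.0:
        return 0.0
    return dot / (norm_a * norm_b)


def synthesize(initial: FeatureMap, count: int, rng: random.Random) -> List[FeatureMap]:
    """Domain randomization over the six parameters (assumed scheme): each value is re-drawn
    independently and uniformly in [0, 2 * initial value]."""
    return [{k: rng.uniform(0.0, 2.0 * initial[k]) for k in PARAMS} for _ in range(count)]


def screen(initial: FeatureMap, candidates: List[FeatureMap],
           threshold: float = 0.8) -> List[Tuple[FeatureMap, float]]:
    """Keep only candidates whose similarity with the initial map is strictly larger than the
    preset threshold (0.5-1 per the text). Note that cosine similarity is scale-invariant: a
    candidate that is the initial map multiplied by a constant always passes."""
    if not 0.5 <= threshold <= 1.0:
        raise ValueError("preset threshold must lie in 0.5-1")
    a = to_vector(initial)
    kept = []
    for cand in candidates:
        sim = cosine_similarity(a, to_vector(cand))
        if sim > threshold:
            kept.append((cand, sim))
    return kept


def build_simulation_set(initial: FeatureMap, count: int, seed: int = 7,
                         threshold: float = 0.8) -> List[FeatureMap]:
    """Synthesize `count` maps from the initial map and return the screened simulation set."""
    rng = random.Random(seed)
    return [fm for fm, _ in screen(initial, synthesize(initial, count, rng), threshold)]


# Constructed initial feature map for one sampling window (values are illustrative).
INITIAL: FeatureMap = {"same_dst_addr": 10, "syn_error": 2, "rej_error": 1,
                       "same_service": 8, "diff_service": 2, "diff_host": 3}

if __name__ == "__main__":
    sim_set = build_simulation_set(INITIAL, count=1000)
    print(f"kept {len(sim_set)} of 1000 synthesized maps at threshold 0.8")
```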
Referring to fig. 4, a block diagram of a device for constructing a network intrusion detection model according to an embodiment of the present invention is shown.
The device for constructing the network intrusion detection model provided by the embodiment of the invention comprises the following components:
a data acquisition module 21, configured to acquire a first traffic data set for network intrusion detection; wherein the first traffic data set comprises traffic timing data for a plurality of consecutive sampling periods;
a data preprocessing module 22, configured to preprocess the first traffic data set to obtain a second traffic data set;
a feature extraction module 23, configured to perform feature extraction on the second traffic data set through the EfficientNet, so as to obtain an initial feature map;
a data simulation module 24 for synthesizing a plurality of simulated feature maps based on a domain randomization method and the initial feature map to construct a simulated feature map set;
the model construction module 25 is configured to train a pre-constructed deep learning model through the initial feature map and the simulated feature map set, so as to obtain a network intrusion detection model.
As an improvement of the above solution, the apparatus further comprises: a parameter update module 26;
the data acquisition module 21 is further configured to acquire flow time sequence data acquired in real time by network intrusion detection;
the parameter updating module 26 is configured to update the model parameters of the network intrusion detection model by using the incremental learning method and the flow time sequence data acquired in real time, so as to obtain an updated network intrusion detection model.
As one of the alternative embodiments, the data preprocessing module 22 is specifically configured to:
starting from the flow time sequence data of the n-th sampling period, integrating the flow time sequence data of each sampling period with the flow time sequence data of the n-1 sampling periods preceding it to obtain a second flow data set; wherein n is greater than 1.
Preferably, the data simulation module 24 includes:
the randomizing unit is used for extracting the characteristics of the initial characteristic diagram based on a domain randomizing method, abstracting semantic information of the initial characteristic diagram into variable parameters, and synthesizing a plurality of simulation characteristic diagrams based on the variable parameters;
the data operation unit is used for calculating the similarity between each simulation feature map and the initial feature map;
and the data screening unit is used for screening out the simulation feature maps similar to the initial feature map according to the similarity between each simulation feature map and the initial feature map to form a simulation feature map set.
As one of the optional embodiments, the data operation unit is specifically configured to:
extracting feature vectors of each simulation feature map and each initial feature map;
calculating an included angle cosine value of the feature vector of each simulation feature map and the feature vector of the initial feature map;
and taking the cosine value of the included angle corresponding to each simulation feature map as the similarity between each simulation feature map and the initial feature map.
As one of the preferred embodiments, the data screening unit is specifically configured to:
judging whether the similarity between each simulation feature map and the initial feature map is larger than a preset threshold; when the similarity between a simulation feature map and the initial feature map is larger than the preset threshold, judging that the simulation feature map is similar to the initial feature map, and screening out such simulation feature maps to form a simulation feature map set.
Preferably, the value range of the preset threshold value in the data screening unit is 0.5-1.
It should be noted that, the relevant detailed description and the beneficial effects of each embodiment of the device for constructing a network intrusion detection model in this embodiment may refer to the relevant detailed description and the beneficial effects of each embodiment of the method for constructing a network intrusion detection model described above, which are not described herein again.
Referring to fig. 5, a block diagram of a terminal device according to an embodiment of the present invention is provided.
The terminal device provided by the embodiment of the invention comprises a processor 10, a memory 20 and a computer program stored in the memory 20 and configured to be executed by the processor 10, wherein the method for constructing the network intrusion detection model according to any one of the embodiments is realized when the processor 10 executes the computer program.
The steps of the above embodiment of the method for constructing a network intrusion detection model, for example, all the steps of the method for constructing a network intrusion detection model shown in fig. 1, are implemented when the processor 10 executes the computer program. Alternatively, the processor 10 may implement the functions of each module/unit in the embodiment of the apparatus for constructing a network intrusion detection model, for example, the functions of each module of the apparatus for constructing a network intrusion detection model shown in fig. 4, when executing the computer program.
Illustratively, the computer program may be partitioned into one or more modules that are stored in the memory 20 and executed by the processor 10 to perform the present invention. The one or more modules may be a series of computer program instruction segments capable of performing specific functions for describing the execution of the computer program in the terminal device.
The terminal equipment can be computing equipment such as a desktop computer, a notebook computer, a palm computer, a cloud server and the like. The terminal device may include, but is not limited to, a processor 10, a memory 20. It will be appreciated by those skilled in the art that the schematic diagram is merely an example of a terminal device and does not constitute a limitation of the terminal device, and may include more or less components than illustrated, or may combine certain components, or different components, e.g., the terminal device may further include an input-output device, a network access device, a bus, etc.
The processor 10 may be a central processing unit (Central Processing Unit, CPU), but may also be other general purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), field programmable gate arrays (Field-Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or the like. The general purpose processor may be a microprocessor or the processor may be any conventional processor or the like, and the processor 10 is the control center of the terminal device, and connects the various parts of the entire terminal device using various interfaces and lines.
The memory 20 may be used to store the computer program and/or module, and the processor 10 implements various functions of the terminal device by running or executing the computer program and/or module stored in the memory 20 and invoking data stored in the memory 20. The memory 20 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function, and the like; the storage data area may store data created according to the use of the terminal device, etc. In addition, the memory may include high-speed random access memory, and may also include non-volatile memory, such as a hard disk, memory, plug-in hard disk, smart Media Card (SMC), secure Digital (SD) Card, flash Card (Flash Card), at least one disk storage device, flash memory device, or other volatile solid-state storage device.
Wherein the terminal device integrated modules/units may be stored in a computer readable storage medium if implemented in the form of software functional units and sold or used as stand alone products. Based on such understanding, the present invention may implement all or part of the flow of the method of the above embodiment, or may be implemented by a computer program to instruct related hardware, where the computer program may be stored in a computer readable storage medium, and when the computer program is executed by a processor, the computer program may implement the steps of each of the method embodiments described above. Wherein the computer program comprises computer program code which may be in source code form, object code form, executable file or some intermediate form etc. The computer readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a U disk, a removable hard disk, a magnetic disk, an optical disk, a computer Memory, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), an electrical carrier signal, a telecommunications signal, a software distribution medium, and so forth.
It should be noted that the above-described apparatus embodiments are merely illustrative, and the units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. In addition, in the drawings of the embodiment of the device provided by the invention, the connection relation between the modules represents that the modules have communication connection, and can be specifically implemented as one or more communication buses or signal lines. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
Accordingly, embodiments of the present invention also provide a computer-readable storage medium including a stored computer program; the computer program controls the device where the computer readable storage medium is located to execute the method for constructing the network intrusion detection model according to any one of the above embodiments when running.
In summary, the method, apparatus, terminal device and computer readable storage medium for constructing a network intrusion detection model provided by the embodiments of the present invention first acquire a first traffic data set of network intrusion detection; wherein the first traffic data set comprises traffic timing data for a plurality of consecutive sampling periods; secondly, preprocess the first flow data set to obtain a second flow data set; extract features of the second flow data set through EfficientNet to obtain an initial feature map; then synthesize a plurality of simulation feature maps based on a domain randomization method and the initial feature map to form a simulation feature map set; and finally train a pre-constructed deep learning model through the initial feature map and the simulation feature map set to obtain a network intrusion detection model. On one hand, the method extracts the features of the first flow data set through the EfficientNet, so that the deep learning model can learn the features of the detected flow time sequence data; on the other hand, the invention synthesizes a large number of simulation feature maps on the basis of the initial feature map by combining the distribution characteristics and semantic features of the samples through a domain randomization method, thereby generating a large number of training samples from a small amount of flow time sequence data, solving the problem of the lack of intrusion data in existing network flow detection data, and improving the reliability of the network intrusion detection model and the accuracy of detecting network attacks with a smaller amount of data.
While the foregoing is directed to the preferred embodiments of the present invention, it will be appreciated by those skilled in the art that changes and modifications may be made without departing from the principles of the invention, such changes and modifications are also intended to be within the scope of the invention.