CN114710325B - Method, device, equipment and storage medium for constructing network intrusion detection model - Google Patents


Info

Publication number
CN114710325B
CN114710325B
Authority
CN
China
Prior art keywords
feature map
simulation
intrusion detection
network intrusion
initial
Prior art date
Legal status (as listed by Google Patents; not a legal conclusion)
Active
Application number
CN202210263547.5A
Other languages
Chinese (zh)
Other versions
CN114710325A (en)
Inventor
杜翠凤
蒋仕宝
Current Assignee (as listed by Google Patents; may be inaccurate)
Guangzhou Jiesai Communication Planning And Design Institute Co ltd
Jiangxi Military Civilian Integration Research Institute
CETC Potevio Science and Technology Co Ltd
Original Assignee
Guangzhou Jiesai Communication Planning And Design Institute Co ltd
GCI Science and Technology Co Ltd
Priority date (as listed by Google Patents; not a legal conclusion)
Filing date
Publication date
Application filed by Guangzhou Jiesai Communication Planning And Design Institute Co ltd and GCI Science and Technology Co Ltd
Priority to CN202210263547.5A
Publication of CN114710325A
Application granted
Publication of CN114710325B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/14 Network analysis or design
    • H04L 41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L 41/16 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, using machine learning or artificial intelligence

Abstract

The invention discloses a method, a device, equipment and a storage medium for constructing a network intrusion detection model. The method comprises the following steps: acquiring a first traffic data set for network intrusion detection, wherein the first traffic data set comprises traffic time series data for a plurality of consecutive sampling periods; preprocessing the first traffic data set to obtain a second traffic data set; extracting features of the second traffic data set through EfficientNet to obtain an initial feature map; synthesizing a plurality of simulation feature maps based on a domain randomization method and the initial feature map to form a simulation feature map set; and training a pre-constructed deep learning model with the initial feature map and the simulation feature map set to obtain a network intrusion detection model. The embodiment of the invention can improve the accuracy of detecting network attacks for which only a small amount of data is available.

Description

Method, device, equipment and storage medium for constructing network intrusion detection model
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method and apparatus for constructing a network intrusion detection model, a terminal device, and a computer readable storage medium.
Background
In recent years, with the rapid development of internet technology and changes in the network environment, network security problems have attracted public attention. Existing network intrusion detection methods based on machine learning mainly judge whether the network is under attack from the traffic data in the network, and they rely on a large amount of labelled traffic data for machine learning. However, because intrusion data is scarce in network traffic detection data, existing network intrusion detection models detect network attacks with small data volumes poorly.
Disclosure of Invention
The embodiment of the invention provides a method, a device, terminal equipment and a computer readable storage medium for constructing a network intrusion detection model, which can improve the accuracy of detecting network attacks with smaller data quantity.
The embodiment of the invention provides a method for constructing a network intrusion detection model, which comprises the following steps:
acquiring a first traffic data set of network intrusion detection; wherein the first traffic data set comprises traffic timing data for a plurality of consecutive sampling periods;
preprocessing the first flow data set to obtain a second flow data set;
extracting features of the second flow data set through EfficientNet to obtain an initial feature map;
synthesizing a plurality of simulation feature maps based on a domain randomization method and the initial feature map to form a simulation feature map set;
training a pre-constructed deep learning model through the initial feature map and the simulation feature map set to obtain a network intrusion detection model.
As an improvement of the above solution, the method further includes:
acquiring flow time sequence data acquired in real time by network intrusion detection;
and updating the model parameters of the network intrusion detection model through an incremental learning method and the flow time sequence data acquired in real time to obtain an updated network intrusion detection model.
As an improvement of the above solution, the preprocessing the first flow data set to obtain a second flow data set specifically includes:
starting from the traffic time series data of the nth sampling period, integrating the traffic time series data of each sampling period with the traffic time series data of the n-1 sampling periods preceding it, to obtain a second traffic data set; wherein n is greater than 1.
As an improvement of the above solution, the synthesizing a plurality of simulated feature maps based on the domain randomization method and the initial feature map to construct a simulated feature map set includes:
extracting features of the initial feature map based on a domain randomization method, abstracting semantic information of the initial feature map into variable parameters, and synthesizing a plurality of simulation feature maps based on the variable parameters;
calculating the similarity between each simulation feature map and the initial feature map;
and screening out the simulation feature images similar to the initial feature images according to the similarity between each simulation feature image and the initial feature images to form a simulation feature image set.
As an improvement of the above solution, the calculating the similarity between each of the simulated feature maps and the initial feature map includes:
extracting feature vectors of each simulation feature map and each initial feature map;
calculating an included angle cosine value of the feature vector of each simulation feature map and the feature vector of the initial feature map;
and taking the cosine value of the included angle corresponding to each simulation feature map as the similarity between each simulation feature map and the initial feature map.
As an improvement of the above solution, the method includes screening out a simulated feature map similar to the initial feature map according to the similarity between each simulated feature map and the initial feature map, so as to form a simulated feature map set, specifically:
judging whether the similarity between each simulation feature map and the initial feature map is larger than a preset threshold; when the similarity between a simulation feature map and the initial feature map is larger than the preset threshold, judging that the simulation feature map is similar to the initial feature map and selecting it, the selected simulation feature maps forming the simulation feature map set.
As an improvement of the above solution, the value range of the preset threshold is 0.5 to 1.
Correspondingly, another embodiment of the present invention provides a device for constructing a network intrusion detection model, including:
the data acquisition module is used for acquiring a first flow data set for network intrusion detection; wherein the first traffic data set comprises traffic timing data for a plurality of consecutive sampling periods;
the data preprocessing module is used for preprocessing the first flow data set to obtain a second flow data set;
the feature extraction module is used for carrying out feature extraction on the second flow data set through the EfficientNet to obtain an initial feature map;
the data simulation module is used for synthesizing a plurality of simulation feature maps based on a domain randomization method and the initial feature map so as to form a simulation feature map set;
and the model construction module is used for training a pre-constructed deep learning model through the initial feature map and the simulation feature map set to obtain a network intrusion detection model.
Another embodiment of the present invention provides a terminal device, including a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor, where the processor implements the method for constructing a network intrusion detection model according to any one of the above.
Another embodiment of the present invention provides a computer readable storage medium, where the computer readable storage medium includes a stored computer program, and where, when the computer program runs, the device in which the computer readable storage medium is located is controlled to execute the method for constructing the network intrusion detection model according to any one of the foregoing.
Compared with the prior art, the method, the device, the equipment and the storage medium for constructing the network intrusion detection model disclosed by the embodiment of the invention have the following beneficial effects:
firstly, a first traffic data set for network intrusion detection is acquired, wherein the first traffic data set comprises traffic time series data for a plurality of consecutive sampling periods; secondly, the first traffic data set is preprocessed to obtain a second traffic data set; features of the second traffic data set are extracted through EfficientNet to obtain an initial feature map; then, a plurality of simulation feature maps are synthesized based on a domain randomization method and the initial feature map to form a simulation feature map set; and finally, a pre-constructed deep learning model is trained with the initial feature map and the simulation feature map set to obtain a network intrusion detection model. On the one hand, features of the first traffic data set are extracted by EfficientNet, so that the deep learning model can learn the features of the detected traffic time series data; on the other hand, on the basis of the initial feature map, a large number of simulation feature maps are synthesized by a domain randomization method that combines the distribution characteristics and semantic features of the samples, so that a large number of training samples can be generated from a small amount of traffic time series data. This addresses the lack of intrusion data in existing network traffic detection data and improves the accuracy of detecting network attacks for which only a small amount of data is available.
Drawings
Fig. 1 is a flow chart of a method for constructing a network intrusion detection model according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of incremental learning according to an embodiment of the present invention;
FIG. 3 is a schematic flow chart of generating a simulation feature map by using a domain randomization method according to an embodiment of the present invention;
FIG. 4 is a block diagram of a device for constructing a network intrusion detection model according to an embodiment of the present invention;
fig. 5 is a block diagram of a terminal device according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Referring to fig. 1, fig. 1 is a flow chart of a method for constructing a network intrusion detection model according to an embodiment of the present invention.
The method for constructing the network intrusion detection model provided by the embodiment of the invention comprises the following steps:
s11, acquiring a first flow data set of network intrusion detection; wherein the first traffic data set comprises traffic timing data for a plurality of consecutive sampling periods;
s12, preprocessing the first flow data set to obtain a second flow data set;
s13, extracting features of the second flow data set through the EfficientNet to obtain an initial feature map;
S14, synthesizing a plurality of simulation feature maps based on a domain randomization method and the initial feature map to form a simulation feature map set;
and S15, training a pre-constructed deep learning model through the initial feature map and the simulation feature map set to obtain a network intrusion detection model.
In particular, the first traffic data set comprises traffic timing data of a plurality of consecutive sampling periods of a plurality of data sources.
Referring to fig. 2, fig. 2 is a schematic flow chart of incremental learning according to an embodiment of the present invention.
As one of the alternative embodiments, the method further comprises:
acquiring flow time sequence data acquired in real time by network intrusion detection;
and updating the model parameters of the network intrusion detection model through an incremental learning method and the flow time sequence data acquired in real time to obtain an updated network intrusion detection model.
For example, assume that a certain parameter learned by the trained deep learning model (i.e., the network intrusion detection model) is 5, and that the value of the same parameter learned by incremental learning from the traffic time series data acquired in real time is 4. If the weight assigned to the trained model's parameter 5 is 0.9 and the weight assigned to the incrementally learned parameter 4 is 0.1, the final parameter is updated to 5×0.9+4×0.1=4.9.
The network intrusion detection model can be understood as a deep neural network model whose input is a feature map and whose output is a label of 1 or 0. In the invention, the network intrusion detection model is obtained by training in a deep learning manner, and the parameter results adjusted by incremental learning are added in to adjust the model parameters of the network intrusion detection model, so that a continuously updated model is formed. For example: an updated network intrusion detection model is available at time t and is used to detect the traffic data at time t+1, giving the detection result for time t+1; then, rather than using a separate model for time t+2, the network intrusion detection model of time t+1 is updated with the traffic data at time t+2 and used to train on and detect the traffic data at time t+2, and the iteration repeats in this way.
It will be appreciated that since the network intrusion patterns and the means of network attack will vary greatly over time, it is necessary to train the model update dynamically, i.e. to update the model using incremental learning. In the invention, incremental learning keeps knowledge learned by a deep learning model through an initial feature map and a simulation feature map on one hand; on the other hand, the network intrusion detection model is updated by learning flow time sequence data acquired in real time and adopting the learned content, so that the capability of the network intrusion detection model for analyzing new data and learning new knowledge is improved.
It should be noted that, in the incremental learning process, the processing process of the flow time series data collected in real time may refer to the relevant content of steps S12, S13, and S14, which is not limited herein.
In some preferred embodiments, the preprocessing the first flow data set to obtain a second flow data set, specifically:
starting from the traffic time series data of the nth sampling period, integrating the traffic time series data of each sampling period with the traffic time series data of the n-1 sampling periods preceding it, to obtain a second traffic data set; wherein n is greater than 1.
It should be noted that there are many data acquisition modes for network intrusion detection; common ones include: 1. an intrusion detection system (IDS for short); 2. a network security monitoring system; 3. an open source host intrusion detection system (OSSEC for short); and the like. Each acquisition mode yields its own event sequence data, and the event sequence data acquired by a given data acquisition mode is expressed as:
where x(t) denotes the measurement at time t and T denotes the length of the time series; that is, each sampling period requires the acquisition of a time series of length T. Since m data acquisition modes, i.e. m data sources, exist in actual operation, m×T traffic values can be detected in one sampling period. The traffic time series data detected in one sampling period is denoted by $X_{m\times T}$, and the traffic value in the i-th row and j-th column of X is denoted by $x_{ij}$. To make $X_{m\times T}$ better suited to the EfficientNet network, taking n = 3 as an example, the traffic time series data of the 1st, 2nd and 3rd sampling periods are integrated to form a network traffic time-space representation with a wider time dimension, so the time series matrix becomes m×T×3. For ease of processing, T is made equal to m (the number of data sources) by adjusting the sampling frequency of the data, so the traffic time series data of a single sampling period becomes an m×m×3 time series matrix.
It will be appreciated that, in addition to the manner described above, the first traffic data set may also be preprocessed into the second traffic data set by integrating, starting from the traffic time series data of the 1st sampling period, the traffic time series data of each sampling period with that of the n-1 sampling periods following it. Alternatively, starting from the traffic time series data of the 2nd sampling period, the traffic time series data of each sampling period may be integrated with that of its two adjacent sampling periods to obtain the second traffic data set.
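The integration step S12 as an added worked example (not code from the patent): each sampling period is an m×T matrix, and every period from the nth onward is stacked with the n-1 periods before it into an m×T×n tensor. The block also assumes one concrete way of "adjusting the sampling frequency" so that T equals m (block-averaging T/m consecutive samples), which the patent does not specify; the function and variable names are mine.

```python
"""Step S12 preprocessing: stack n consecutive sampling periods into an
m x T x n tensor and, optionally, resample T down to m so the result is
m x m x n (the m x m x 3 matrix the patent describes for n = 3)."""
from typing import List, Sequence, Tuple

Matrix = List[List[float]]            # m rows (data sources) x T columns (samples)
Tensor = List[List[List[float]]]      # m x T x n, indexed [source][sample][slot]


def check_shape(periods: Sequence[Matrix]) -> Tuple[int, int]:
    """Return (m, T) after verifying every period is the same m x T matrix."""
    m, T = len(periods[0]), len(periods[0][0])
    for p in periods:
        if len(p) != m or any(len(row) != T for row in p):
            raise ValueError("every sampling period must be an m x T matrix")
    return m, T


def downsample_to_square(x: Matrix) -> Matrix:
    """Assumed way of 'adjusting the sampling frequency' so that T == m:
    average T // m consecutive samples per row (T must be a multiple of m)."""
    m, T = len(x), len(x[0])
    if T % m:
        raise ValueError("T must be a multiple of m for block averaging")
    k = T // m
    return [[sum(row[j * k:(j + 1) * k]) / k for j in range(m)] for row in x]


def stack_window(window: Sequence[Matrix]) -> Tensor:
    """Turn n matrices of shape m x T into one m x T x n tensor."""
    m, T = len(window[0]), len(window[0][0])
    return [[[mat[i][j] for mat in window] for j in range(T)] for i in range(m)]


def integrate_periods(periods: Sequence[Matrix], n: int, square: bool = False) -> List[Tensor]:
    """Starting from the n-th period, join each period with the n-1 periods before it.

    With N periods this yields N-n+1 tensors; the first n-1 periods have no full
    history and are dropped. square=True downsamples each period so that T == m.
    """
    if n <= 1:
        raise ValueError("n must be greater than 1")
    check_shape(periods)
    if len(periods) < n:
        raise ValueError("need at least n sampling periods")
    if square:
        periods = [downsample_to_square(p) for p in periods]
    return [stack_window(periods[k - n + 1:k + 1]) for k in range(n - 1, len(periods))]


# Constructed sample input: m = 2 data sources, T = 4 samples per period, 5 periods.
SAMPLE_PERIODS: List[Matrix] = [
    [[float(10 * p + j) for j in range(4)], [float(100 * p + j) for j in range(4)]]
    for p in range(5)
]

if __name__ == "__main__":
    out = integrate_periods(SAMPLE_PERIODS, n=3, square=True)
    print(len(out), "windows; first window shape:",
          len(out[0]), "x", len(out[0][0]), "x", len(out[0][0][0]))
```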
Preferably, in step S13, feature extraction is performed on the second traffic data set by the EfficientNet-B0, resulting in an initial feature map.
In this embodiment, the invention preprocesses the first traffic data set by data integration to obtain a second traffic data set, and processes the second traffic data set with EfficientNet-B0 to obtain an initial feature map. This feature map differs from traditional CNN feature extraction in three respects: 1. the network depth is increased by data integration, so that the initial feature map captures richer and more complex features; 2. a wider network captures finer-grained features in the initial feature map; 3. higher-resolution data input gives the initial feature map finer-grained features. It will be appreciated that, since the acquisition frequency of many acquisition devices is low, low-frequency acquisition data tends to yield lower feature extraction accuracy. The initial feature map obtained in this way has multi-scale, time-span and fine-grained characteristics.
Referring to fig. 3, fig. 3 is a flow chart illustrating a domain randomization method for generating a simulation feature map according to an embodiment of the present invention.
In some preferred embodiments, the synthesizing a plurality of simulated feature maps based on the domain randomization method and the initial feature map to form a simulated feature map set includes:
extracting features of the initial feature map based on a domain randomization method, abstracting semantic information of the initial feature map into variable parameters, and synthesizing a plurality of simulation feature maps based on the variable parameters;
calculating the similarity between each simulation feature map and the initial feature map;
and screening out the simulation feature images similar to the initial feature images according to the similarity between each simulation feature image and the initial feature images to form a simulation feature image set.
Preferably, the variable parameters include: the number of connections to the same destination address, the number of connections with SYN errors, the number of connections with REJ errors, the number of connections establishing the same service, the number of connections establishing different services, and the number of connections to different hosts.
Taking the structural information of the feature map into account, the invention designs 6 different connection rules, namely the number of connections to the same destination address, the number of connections with SYN errors, the number of connections with REJ errors, the number of connections establishing the same service, the number of connections establishing different services, and the number of connections to different hosts. Randomizing these 6 connection types ensures the diversity of the synthesized simulation feature maps while limiting the computation that randomization incurs. The 6 connection rules are the variable parameters, and by randomizing these 6 parameters a large number of simulation feature maps can be synthesized.
In a specific embodiment, said calculating the similarity between each of said simulated feature images and said initial feature image includes:
extracting feature vectors of each simulation feature map and each initial feature map;
calculating an included angle cosine value of the feature vector of each simulation feature map and the feature vector of the initial feature map;
and taking the cosine value of the included angle corresponding to each simulation feature map as the similarity between each simulation feature map and the initial feature map.
It can be understood that, due to the lack of tag information, the quality of the network intrusion detection model effect cannot be quantified, so that in order to prevent the influence of complete randomization on algorithm accuracy, the training set is screened by combining the similarity of the initial feature map and the simulation feature map. Specifically, the similarity of two feature maps is measured by adopting an included angle cosine value in the invention.
Specifically, an included angle cosine value cos θ of the feature vector of each simulation feature map and the feature vector of the initial feature map is calculated according to the following formula:
wherein a is the feature vector of the initial feature map, b is the feature vector of the simulated feature map, cos is the cosine function, and θ is the angle between the feature vector a and the feature vector b.
Note that the feature vector of the k-dimensional initial feature map is $a = (x_{11}, x_{12}, \dots, x_{1k})$ and the feature vector of the k-dimensional simulation feature map is $b = (y_{11}, y_{12}, \dots, y_{1k})$, where $x_{1k}$ and $y_{1k}$ are the values of the variable parameters corresponding to the initial feature map and the simulation feature map, respectively.
Further, according to the similarity between each simulation feature map and the initial feature map, screening out simulation feature maps similar to the initial feature map to form a simulation feature map set, which specifically includes:
judging whether the similarity between each simulation feature map and the initial feature map is larger than a preset threshold; when the similarity between a simulation feature map and the initial feature map is larger than the preset threshold, judging that the simulation feature map is similar to the initial feature map and selecting it, the selected simulation feature maps forming the simulation feature map set.
Specifically, the value range of the preset threshold is 0.5 to 1.
Preferably, the preset threshold is 0.8.
It can be understood that the invention screens the synthesized simulation feature map through the similarity, and can prevent the influence of complete randomization on the algorithm precision of the network intrusion detection model.
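The synthesis-and-screening loop of step S14 as an added worked example (not code from the patent): the six connection-statistic parameters form the feature vector, each simulation feature map is scored against the initial map with the cosine of the angle between the two vectors, and only maps scoring above the threshold (0.8 in the preferred embodiment) are kept. The patent does not fix how the parameters are randomized, so the per-parameter random scaling in `randomize` is an assumption, as are all names and the sample values.

```python
"""Step S14: synthesize simulation feature maps by randomizing the six
variable parameters, score each against the initial feature map with the
cosine of the angle between their feature vectors, and keep only those whose
similarity exceeds the preset threshold."""
import math
import random
from typing import Dict, List, Sequence

# The six variable parameters named in the patent, in a fixed order so that a
# feature vector is simply the tuple of their values (k = 6).
VARIABLE_PARAMETERS = (
    "same_dst_connections",
    "syn_error_connections",
    "rej_error_connections",
    "same_service_connections",
    "diff_service_connections",
    "diff_host_connections",
)


def to_vector(params: Dict[str, float]) -> List[float]:
    """Order the parameter values as a k-dimensional feature vector."""
    return [float(params[name]) for name in VARIABLE_PARAMETERS]


def cosine_similarity(a: Sequence[float], b: Sequence[float]) -> float:
    """cos(theta) = (a . b) / (|a| |b|); defined as 0.0 if either vector is all zeros."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    if norm_a == 0.0 or norm_b == 0.0:
        return 0.0
    return dot / (norm_a * norm_b)


def randomize(params: Dict[str, float], rng: random.Random,
              spread: float = 0.5) -> Dict[str, float]:
    """Assumed randomization rule: scale each parameter independently by a
    factor drawn from [1 - spread, 1 + spread]; counts never go negative."""
    return {name: max(0.0, value * rng.uniform(1.0 - spread, 1.0 + spread))
            for name, value in params.items()}


def synthesize_and_screen(initial: Dict[str, float], count: int,
                          threshold: float = 0.8, seed: int = 0) -> List[Dict[str, float]]:
    """Generate `count` simulation feature maps and keep those whose cosine
    similarity to the initial map is larger than `threshold`."""
    if not 0.5 <= threshold <= 1.0:
        raise ValueError("threshold must lie in the patent's range 0.5 to 1")
    rng = random.Random(seed)          # seeded so a run is reproducible
    a = to_vector(initial)
    kept: List[Dict[str, float]] = []
    for _ in range(count):
        candidate = randomize(initial, rng)
        if cosine_similarity(a, to_vector(candidate)) > threshold:
            kept.append(candidate)
    return kept


# Constructed initial feature map: connection statistics for one sampling window.
INITIAL_FEATURE_MAP: Dict[str, float] = {
    "same_dst_connections": 120.0,
    "syn_error_connections": 95.0,
    "rej_error_connections": 4.0,
    "same_service_connections": 110.0,
    "diff_service_connections": 6.0,
    "diff_host_connections": 2.0,
}

if __name__ == "__main__":
    kept = synthesize_and_screen(INITIAL_FEATURE_MAP, count=200)
    print(f"kept {len(kept)} of 200 simulation feature maps above threshold 0.8")
```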
Referring to fig. 4, a block diagram of a device for constructing a network intrusion detection model according to an embodiment of the present invention is shown.
The device for constructing the network intrusion detection model provided by the embodiment of the invention comprises the following components:
a data acquisition module 21, configured to acquire a first traffic data set for network intrusion detection; wherein the first traffic data set comprises traffic timing data for a plurality of consecutive sampling periods;
a data preprocessing module 22, configured to preprocess the first traffic data set to obtain a second traffic data set;
a feature extraction module 23, configured to perform feature extraction on the second traffic data set through EfficientNet, so as to obtain an initial feature map;
a data simulation module 24 for synthesizing a plurality of simulated feature maps based on a domain randomization method and the initial feature map to construct a simulated feature map set;
the model construction module 25 is configured to train a pre-constructed deep learning model through the initial feature map and the simulated feature map set, so as to obtain a network intrusion detection model.
As an improvement of the above solution, the apparatus further comprises: a parameter update module 26;
the data acquisition module 21 is further configured to acquire flow time sequence data acquired in real time by network intrusion detection;
the parameter updating module 26 is configured to update the model parameters of the network intrusion detection model by using the incremental learning method and the flow time sequence data acquired in real time, so as to obtain an updated network intrusion detection model.
As one of the alternative embodiments, the data preprocessing module 22 is specifically configured to:
starting from the traffic time series data of the nth sampling period, integrating the traffic time series data of each sampling period with the traffic time series data of the n-1 sampling periods preceding it, to obtain a second traffic data set; wherein n is greater than 1.
Preferably, the data simulation module 24 includes:
the randomizing unit is used for extracting the characteristics of the initial characteristic diagram based on a domain randomizing method, abstracting semantic information of the initial characteristic diagram into variable parameters, and synthesizing a plurality of simulation characteristic diagrams based on the variable parameters;
the data operation unit is used for calculating the similarity between each simulation feature map and the initial feature map;
and the data screening unit is used for screening out the simulation feature images similar to the initial feature images according to the similarity between each simulation feature image and the initial feature images to form a simulation feature image set.
As one of the optional embodiments, the data operation unit is specifically configured to:
extracting feature vectors of each simulation feature map and each initial feature map;
calculating an included angle cosine value of the feature vector of each simulation feature map and the feature vector of the initial feature map;
and taking the cosine value of the included angle corresponding to each simulation feature map as the similarity between each simulation feature map and the initial feature map.
As one of the preferred embodiments, the data screening unit is specifically configured to:
judging whether the similarity between each simulation feature map and the initial feature map is larger than a preset threshold; when the similarity between a simulation feature map and the initial feature map is larger than the preset threshold, judging that the simulation feature map is similar to the initial feature map and selecting it, the selected simulation feature maps forming the simulation feature map set.
Preferably, the value range of the preset threshold in the data screening unit is 0.5 to 1.
It should be noted that, the relevant detailed description and the beneficial effects of each embodiment of the device for constructing a network intrusion detection model in this embodiment may refer to the relevant detailed description and the beneficial effects of each embodiment of the method for constructing a network intrusion detection model described above, which are not described herein again.
Referring to fig. 5, a block diagram of a terminal device according to an embodiment of the present invention is provided.
The terminal device provided by the embodiment of the invention comprises a processor 10, a memory 20 and a computer program stored in the memory 20 and configured to be executed by the processor 10, wherein the method for constructing the network intrusion detection model according to any one of the embodiments is realized when the processor 10 executes the computer program.
The steps of the above embodiment of the method for constructing a network intrusion detection model, for example, all the steps of the method for constructing a network intrusion detection model shown in fig. 1, are implemented when the processor 10 executes the computer program. Alternatively, the processor 10 may implement the functions of each module/unit in the embodiment of the apparatus for constructing a network intrusion detection model, for example, the functions of each module of the apparatus for constructing a network intrusion detection model shown in fig. 4, when executing the computer program.
Illustratively, the computer program may be partitioned into one or more modules that are stored in the memory 20 and executed by the processor 10 to perform the present invention. The one or more modules may be a series of computer program instruction segments capable of performing specific functions for describing the execution of the computer program in the terminal device.
The terminal device can be computing equipment such as a desktop computer, a notebook computer, a palm computer, a cloud server and the like. The terminal device may include, but is not limited to, a processor 10 and a memory 20. It will be appreciated by those skilled in the art that the schematic diagram is merely an example of a terminal device and does not constitute a limitation of the terminal device, which may include more or fewer components than illustrated, may combine certain components, or may have different components; e.g., the terminal device may further include an input-output device, a network access device, a bus, etc.
The processor 10 may be a central processing unit (Central Processing Unit, CPU), but may also be other general purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), field programmable gate arrays (Field-Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or the like. The general purpose processor may be a microprocessor or the processor may be any conventional processor or the like, and the processor 10 is the control center of the terminal device, and connects the various parts of the entire terminal device using various interfaces and lines.
The memory 20 may be used to store the computer program and/or module, and the processor 10 implements various functions of the terminal device by running or executing the computer program and/or module stored in the memory 20 and invoking data stored in the memory 20. The memory 20 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function, and the like; the storage data area may store data created according to the use of the terminal device, etc. In addition, the memory may include high-speed random access memory, and may also include non-volatile memory, such as a hard disk, memory, plug-in hard disk, Smart Media Card (SMC), Secure Digital (SD) card, flash card, at least one disk storage device, flash memory device, or other volatile solid-state storage device.
The integrated modules/units of the terminal device may be stored in a computer readable storage medium if implemented in the form of software functional units and sold or used as stand-alone products. Based on such understanding, the present invention may implement all or part of the flow of the method of the above embodiment by means of a computer program that instructs related hardware, where the computer program may be stored in a computer readable storage medium, and when the computer program is executed by a processor, it may implement the steps of each of the method embodiments described above. The computer program comprises computer program code, which may be in source code form, object code form, an executable file or some intermediate form, etc. The computer readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a Read-Only Memory (ROM), a Random Access Memory (RAM), an electrical carrier signal, a telecommunications signal, a software distribution medium, and so forth.
It should be noted that the above-described apparatus embodiments are merely illustrative, and the units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. In addition, in the drawings of the embodiment of the device provided by the invention, the connection relation between the modules represents that the modules have communication connection, and can be specifically implemented as one or more communication buses or signal lines. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
Accordingly, embodiments of the present invention also provide a computer-readable storage medium including a stored computer program; the computer program controls the device where the computer readable storage medium is located to execute the method for constructing the network intrusion detection model according to any one of the above embodiments when running.
In summary, the method, apparatus, terminal device and computer readable storage medium for constructing a network intrusion detection model provided by the embodiments of the present invention first acquire a first traffic data set for network intrusion detection, wherein the first traffic data set comprises traffic timing data for a plurality of consecutive sampling periods; secondly, preprocess the first traffic data set to obtain a second traffic data set; extract features of the second traffic data set through EfficientNet to obtain an initial feature map; then synthesize a plurality of simulation feature maps based on a domain randomization method and the initial feature map to form a simulation feature map set; and finally train a pre-constructed deep learning model through the initial feature map and the simulation feature map set to obtain a network intrusion detection model. On one hand, the method extracts the features of the first traffic data set through EfficientNet, so that the deep learning model can learn the characteristics of the detected traffic time sequence data; on the other hand, the invention synthesizes a large number of simulation feature maps by a domain randomization method on the basis of the initial feature map, combining the distribution characteristics and semantic features of the samples, thereby generating a large amount of training sample data from a small amount of traffic time sequence data. This addresses the lack of intrusion samples in existing network traffic detection data and improves the reliability of the network intrusion detection model and the accuracy of network attack detection when the amount of detection data is small.
While the foregoing is directed to the preferred embodiments of the present invention, it will be appreciated by those skilled in the art that changes and modifications may be made without departing from the principles of the invention, and such changes and modifications are also intended to be within the scope of the invention.

Claims (9)

1. The method for constructing the network intrusion detection model is characterized by comprising the following steps of:
acquiring a first traffic data set of network intrusion detection; wherein the first traffic data set comprises traffic timing data for a plurality of consecutive sampling periods;
preprocessing the first flow data set to obtain a second flow data set;
extracting features of the second flow data set through EfficientNet to obtain an initial feature map;
synthesizing a plurality of simulated feature maps based on a domain randomization method and the initial feature map to form a simulated feature map set, wherein the synthesizing the plurality of simulated feature maps based on the domain randomization method and the initial feature map to form the simulated feature map set comprises: extracting features of the initial feature map based on a domain randomization method, abstracting semantic information of the initial feature map into variable parameters, synthesizing a plurality of simulation feature maps based on the variable parameters, calculating the similarity between each simulation feature map and the initial feature map, and screening out simulation feature maps similar to the initial feature map according to the similarity between each simulation feature map and the initial feature map to form a simulation feature map set;
training a pre-constructed deep learning model through the initial feature map and the simulation feature map set to obtain a network intrusion detection model.
2. The method for constructing a network intrusion detection model according to claim 1, wherein the method further comprises:
acquiring flow time sequence data acquired in real time by network intrusion detection;
and updating the model parameters of the network intrusion detection model through an incremental learning method and the flow time sequence data acquired in real time to obtain an updated network intrusion detection model.
3. The method for constructing a network intrusion detection model according to claim 1, wherein the preprocessing the first traffic data set to obtain a second traffic data set comprises:
starting from the flow time sequence data of the nth sampling period, integrating the flow time sequence data of each sampling period with the flow time sequence data of the n-1 sampling periods preceding it to obtain a second flow data set; wherein n is greater than 1.
4. The method for constructing a network intrusion detection model according to claim 1, wherein said calculating a similarity between each of said simulated feature maps and said initial feature map comprises:
extracting feature vectors of each simulation feature map and of the initial feature map;
calculating an included angle cosine value of the feature vector of each simulation feature map and the feature vector of the initial feature map;
and taking the cosine value of the included angle corresponding to each simulation feature map as the similarity between each simulation feature map and the initial feature map.
5. The method for constructing a network intrusion detection model according to claim 1, wherein the step of screening out the simulation feature graphs similar to the initial feature graphs according to the similarity between each simulation feature graph and the initial feature graph to form a simulation feature graph set comprises the following steps:
judging whether the similarity between each simulation feature map and the initial feature map is larger than a preset threshold, judging that a simulation feature map is similar to the initial feature map when the similarity between that simulation feature map and the initial feature map is larger than the preset threshold, and screening out the similar simulation feature maps to form a simulation feature map set.
6. The method for constructing a network intrusion detection model according to claim 5, wherein the preset threshold value is in a range of 0.5-1.
7. A device for constructing a network intrusion detection model, comprising:
the data acquisition module is used for acquiring a first flow data set for network intrusion detection; wherein the first traffic data set comprises traffic timing data for a plurality of consecutive sampling periods;
the data preprocessing module is used for preprocessing the first flow data set to obtain a second flow data set;
the feature extraction module is used for carrying out feature extraction on the second flow data set through the EfficientNet to obtain an initial feature map;
the data simulation module is configured to synthesize a plurality of simulation feature graphs based on a domain randomization method and the initial feature graphs to form a simulation feature graph set, where the synthesizing the plurality of simulation feature graphs based on the domain randomization method and the initial feature graphs to form the simulation feature graph set includes: extracting features of the initial feature map based on a domain randomization method, abstracting semantic information of the initial feature map into variable parameters, synthesizing a plurality of simulation feature maps based on the variable parameters, calculating the similarity between each simulation feature map and the initial feature map, and screening out simulation feature maps similar to the initial feature map according to the similarity between each simulation feature map and the initial feature map to form a simulation feature map set;
and the model construction module is used for training a pre-constructed deep learning model through the initial feature map and the simulation feature map set to obtain a network intrusion detection model.
8. A terminal device comprising a processor, a memory and a computer program stored in the memory and configured to be executed by the processor, the processor implementing the method of constructing a network intrusion detection model according to any one of claims 1 to 6 when executing the computer program.
9. A computer readable storage medium, characterized in that the computer readable storage medium comprises a stored computer program, wherein the computer program when run controls a device in which the computer readable storage medium is located to execute the method for constructing the network intrusion detection model according to any one of claims 1 to 6.
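The preprocessing step of claim 3 as an added example (not the patent's own code): the first traffic data set is a sequence of per-period records, and from the nth period onward each period is concatenated with the n-1 periods before it. The record layout [packet count, byte count, flow count] and the sample periods are constructed for illustration; the patent does not fix the fields.

```python
"""Sliding-window integration of per-period traffic records (added example for claim 3).

Each sampling period is represented as a list of traffic statistics, assumed
here to be [packet count, byte count, flow count]; the sample data is constructed.
"""
from typing import Sequence

Period = Sequence[float]


def integrate_periods(first_set: Sequence[Period], n: int) -> list[list[float]]:
    """Build the second traffic data set from the first.

    Starting from the n-th sampling period, each period's statistics are
    concatenated with those of the n-1 periods preceding it, so every record
    covers n consecutive periods. The first n-1 periods lack a full history and
    yield no record; if fewer than n periods exist the result is empty.
    """
    if n <= 1:
        raise ValueError("n must be greater than 1")
    second_set: list[list[float]] = []
    # `end` is the 1-based index of the most recent period in the window.
    for end in range(n, len(first_set) + 1):
        window = first_set[end - n:end]
        second_set.append([value for period in window for value in period])
    return second_set


# Constructed first traffic data set: six consecutive sampling periods.
FIRST_SET = [
    [120.0, 48000.0, 15.0],
    [118.0, 47200.0, 14.0],
    [121.0, 48400.0, 15.0],
    [950.0, 61000.0, 880.0],   # a period with a burst of short flows
    [123.0, 49200.0, 16.0],
    [119.0, 47600.0, 14.0],
]

if __name__ == "__main__":
    for record in integrate_periods(FIRST_SET, 3):
        print(record)
```

With n = 3 the six constructed periods yield four records of nine values each; the burst period appears in three of them, which is what lets a downstream feature extractor see the change against its immediate history rather than in isolation.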
CN202210263547.5A 2022-03-17 2022-03-17 Method, device, equipment and storage medium for constructing network intrusion detection model Active CN114710325B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210263547.5A CN114710325B (en) 2022-03-17 2022-03-17 Method, device, equipment and storage medium for constructing network intrusion detection model

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210263547.5A CN114710325B (en) 2022-03-17 2022-03-17 Method, device, equipment and storage medium for constructing network intrusion detection model

Publications (2)

Publication Number Publication Date
CN114710325A CN114710325A (en) 2022-07-05
CN114710325B true CN114710325B (en) 2023-09-15

Family

ID=82168368

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210263547.5A Active CN114710325B (en) 2022-03-17 2022-03-17 Method, device, equipment and storage medium for constructing network intrusion detection model

Country Status (1)

Country Link
CN (1) CN114710325B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116527329B (en) * 2023-04-12 2023-11-17 广东工贸职业技术学院 Intrusion detection method and system based on machine learning

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108347430A (en) * 2018-01-05 2018-07-31 国网山东省电力公司济宁供电公司 Network invasion monitoring based on deep learning and vulnerability scanning method and device
CN111553381A (en) * 2020-03-23 2020-08-18 北京邮电大学 Network intrusion detection method and device based on multiple network models and electronic equipment
CN112653675A (en) * 2020-12-12 2021-04-13 海南师范大学 Intelligent intrusion detection method and device based on deep learning
CN113192175A (en) * 2021-04-14 2021-07-30 武汉联影智融医疗科技有限公司 Model training method and device, computer equipment and readable storage medium
CN113989583A (en) * 2021-09-03 2022-01-28 中电积至(海南)信息技术有限公司 Method and system for detecting malicious traffic of internet

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
RU2659737C1 (en) * 2017-08-10 2018-07-03 Акционерное общество "Лаборатория Касперского" System and method of managing computing resources for detecting malicious files
KR20210078133A (en) * 2019-12-18 2021-06-28 엘지전자 주식회사 Training data generating method for training filled pause detecting model and device therefor

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
陈曦; 姜亚光; 李建彬; 闫靖晨; 刘曙元; 李坤昌. Real-time abnormal traffic detection method for the S7 protocol based on the SIMI model. Application of Electronic Technique, 2020(08), pp. 101-106. *

Also Published As

Publication number Publication date
CN114710325A (en) 2022-07-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: No.95, Yingbin Avenue, Huadu District, Guangzhou, Guangdong 510000

Patentee after: CLP Science and Technology Co.,Ltd.

Patentee after: GUANGZHOU JIESAI COMMUNICATION PLANNING AND DESIGN INSTITUTE Co.,Ltd.

Address before: 510310 No. 381 middle Xingang Road, Guangzhou, Guangdong, Haizhuqu District

Patentee before: GCI SCIENCE & TECHNOLOGY Co.,Ltd.

Patentee before: GUANGZHOU JIESAI COMMUNICATION PLANNING AND DESIGN INSTITUTE Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20231016

Address after: No.95, Yingbin Avenue, Huadu District, Guangzhou, Guangdong 510000

Patentee after: CLP Science and Technology Co.,Ltd.

Patentee after: GUANGZHOU JIESAI COMMUNICATION PLANNING AND DESIGN INSTITUTE Co.,Ltd.

Patentee after: Jiangxi military civilian integration Research Institute

Address before: No.95, Yingbin Avenue, Huadu District, Guangzhou, Guangdong 510000

Patentee before: CLP Science and Technology Co.,Ltd.

Patentee before: GUANGZHOU JIESAI COMMUNICATION PLANNING AND DESIGN INSTITUTE Co.,Ltd.