CN114785605A - Method, device and equipment for determining network anomaly detection model and storage medium


Info

Publication number: CN114785605A
Authority: CN (China)
Prior art keywords: parameters, submodel, model, client, determining
Legal status: Granted, Active (the legal status is an assumption and is not a legal conclusion)
Application number: CN202210462739.9A
Other languages: Chinese (zh)
Other versions: CN114785605B (en)
Inventors: 郭耀光, 边学伟, 陈晓珍, 石啸, 方皓达
Current Assignee: China Telecom Corp Ltd (the listed assignees may be inaccurate)
Original Assignee: China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd
Priority to CN202210462739.9A
Publication of CN114785605A
Application granted
Publication of CN114785605B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

The disclosure provides a method, a device, equipment and a storage medium for determining a network anomaly detection model. The method is applied to a first client and comprises the following steps: receiving an aggregation model parameter sent by a server; the aggregation model parameter is determined by the server according to the current parameters of the network anomaly detection model of the first client and the network anomaly detection model of the second client; determining an update parameter of the network anomaly detection model of the first client according to the aggregation model parameter and the current parameter of the network anomaly detection model of the first client; and sending the update parameter of the network anomaly detection model of the first client to the server so that the server updates the aggregation model parameter. The method can avoid the data silo (data island) problem while ensuring data privacy and data security, and can improve the generalization capability on heterogeneous data.

Description

Method, device and equipment for determining network anomaly detection model and storage medium
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a method and an apparatus for determining a network anomaly detection model, an electronic device, and a storage medium.
Background
With the continuous development of machine learning and deep learning algorithm technologies, it is possible to introduce the machine learning and deep learning algorithm technologies into the field of network anomaly detection.
In the related art, a network model is usually trained using local data, and a network model obtained in this way suffers from the data silo (data island) problem.
It is to be noted that the information disclosed in the above background section is only for enhancement of understanding of the background of the present disclosure, and thus may include information that does not constitute prior art known to those of ordinary skill in the art.
Disclosure of Invention
The invention aims to provide a method, a device, electronic equipment and a storage medium for determining a network anomaly detection model, which can avoid the data silo (data island) problem while ensuring data privacy and data security, and can improve the generalization capability on heterogeneous data.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows, or in part will be obvious from the description, or may be learned by practice of the disclosure.
The embodiment of the disclosure provides a method for determining a network anomaly detection model, which is applied to a first client. The method comprises the following steps: receiving an aggregation model parameter sent by a server; the aggregation model parameter is determined by the server according to the current parameters of the respective network anomaly detection models of the first client and at least one second client; determining an update parameter of the network anomaly detection model of the first client according to the aggregation model parameter and the current parameter of the network anomaly detection model of the first client; and sending the update parameter of the network anomaly detection model of the first client to the server so that the server updates the aggregation model parameter.
In an exemplary embodiment, before receiving the aggregation model parameters sent by the server, the method further includes: determining initialization parameters of a first submodel and a second submodel in the network anomaly detection model of the first client; the input layer of the first submodel is used for inputting the network traffic data of the first client, the output layer of the first submodel is connected with the second submodel, and the second submodel is used for outputting the anomaly category label of the network traffic data.
In an exemplary embodiment, determining the update parameters of the network anomaly detection model of the first client according to the aggregation model parameters and the current parameters of the network anomaly detection model of the first client includes: determining the update parameters of the first submodel according to the aggregation model parameters, the current parameters of the first submodel and the current parameters of the second submodel; and determining the update parameters of the second submodel according to the aggregation model parameters and the current parameters of the second submodel. Sending the update parameters of the network anomaly detection model of the first client to the server includes: sending the update parameters of the first submodel to the server.
In an exemplary embodiment, determining the update parameters of the first submodel according to the aggregation model parameters, the current parameters of the first submodel and the current parameters of the second submodel comprises: determining a current loss function of the first submodel according to the aggregation model parameters and the current parameters of the second submodel; determining a current descent gradient of the first submodel according to the current loss function of the first submodel, the current parameters of the first submodel and a first learning rate; and determining the update parameters of the first submodel according to the current descent gradient of the first submodel. Determining the update parameters of the second submodel according to the aggregation model parameters and the current parameters of the second submodel comprises: determining a current loss function of the second submodel according to the aggregation model parameters and the current parameters of the second submodel; determining a current descent gradient of the second submodel according to the current loss function of the second submodel, the current parameters of the second submodel and a second learning rate; and determining the update parameters of the second submodel according to the current descent gradient of the second submodel.
In an exemplary embodiment, determining the initialization parameters of the first submodel in the network anomaly detection model of the first client comprises: acquiring a network traffic data training set; encoding the network traffic data training set through the first submodel to obtain a feature vector; decoding the feature vector to obtain a restored data set; and adjusting the encoder parameters of the first submodel according to the relative error between the restored data set and the network traffic data training set until the relative error converges to a minimum value, and determining the currently adjusted encoder parameters as the initialization parameters of the first submodel.
In an exemplary embodiment, encoding the network traffic data training set through the first submodel to obtain a feature vector includes: performing first encoding processing on the network traffic data training set based on the attention encoder parameters of the first submodel to obtain a first feature vector; and performing second encoding processing on the first feature vector based on the auto-encoder parameters of the first submodel to obtain a second feature vector. Decoding the feature vector to obtain a restored data set includes: performing first decoding processing on the second feature vector through an auto-decoder to obtain a third feature vector; and performing second decoding processing on the third feature vector through an attention decoder to obtain the restored data set.
The embodiment of the disclosure provides a network anomaly detection method, which is applied to a first client. The method comprises the following steps: acquiring real-time network traffic data; and detecting abnormal traffic data in the real-time network traffic data based on the network anomaly detection model determined by any one of the above methods.
The embodiment of the present disclosure provides a device for determining a network anomaly detection model, including: a receiving module, used for receiving the aggregation model parameters sent by the server, where the aggregation model parameters are determined by the server according to the current parameters of the network anomaly detection model of the first client and the network anomaly detection model of the second client; a determining module, used for determining the update parameters of the network anomaly detection model of the first client according to the aggregation model parameters and the current parameters of the network anomaly detection model of the first client; and a sending module, used for sending the update parameters of the network anomaly detection model of the first client to the server so that the server updates the aggregation model parameters.
An embodiment of the present disclosure provides an electronic device, including: at least one processor; and a storage device used for storing at least one program, where, when the at least one program is executed by the at least one processor, the at least one processor implements any one of the above methods for determining a network anomaly detection model.
The disclosed embodiment provides a computer-readable storage medium on which a computer program is stored, wherein the computer program, when executed by a processor, implements any one of the above methods for determining a network anomaly detection model.
According to the method for determining the network anomaly detection model, the server can determine the aggregation model parameters according to the current parameters of the respective network anomaly detection models of the first client and the at least one second client, and send the aggregation model parameters to the first client; the first client can determine the update parameters of its network anomaly detection model according to the aggregation model parameters and the current parameters of the network anomaly detection model of the first client; and the first client sends the update parameters of the network anomaly detection model to the server so that the server updates the aggregation model parameters. Because the aggregation model parameters are determined according to the current parameters of the respective network anomaly detection models of the first client and the at least one second client, the first client, when updating the parameters of its own network anomaly detection model, draws on the data of the other clients through the aggregation model parameters; the data silo (data island) problem is avoided while data privacy and data security are ensured, and the generalization capability on heterogeneous data can be improved. In addition, using the network anomaly detection model obtained by the method for network anomaly detection can improve the accuracy of network anomaly detection and reduce the false alarm rate.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure. It should be apparent that the drawings in the following description are merely examples of the disclosure and that other drawings may be derived by those of ordinary skill in the art without inventive effort.
Fig. 1 shows a schematic diagram of an exemplary system architecture to which the determination method of the network anomaly detection model of the embodiment of the present disclosure can be applied.
Fig. 2 is a flow chart illustrating a method of determining a network anomaly detection model according to an exemplary embodiment.
Fig. 3 is a schematic diagram illustrating a structure of a network anomaly detection model of each client according to an example.
FIG. 4 is a schematic diagram illustrating a first sub-model training process according to an example.
Fig. 5 is a flow chart illustrating a method of network anomaly detection according to an exemplary embodiment.
FIG. 6 is an overall block diagram illustrating a network anomaly detection method according to an exemplary embodiment.
Fig. 7 is a block diagram illustrating a network anomaly detection model determination apparatus according to an exemplary embodiment.
Fig. 8 is a schematic structural diagram of an electronic device according to an example embodiment.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
Furthermore, the drawings are merely schematic illustrations of the present disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus their repetitive description will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor terminal devices and/or microcontroller terminal devices.
In addition, in the description of the present disclosure, "a plurality" means at least two, e.g., two, three, etc., unless explicitly specified otherwise. The terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature.
Fig. 1 shows a schematic diagram of an exemplary system architecture to which the determination method of the network anomaly detection model of the embodiment of the present disclosure can be applied.
Referring to fig. 1, the system architecture may include a server side (also referred to as a cloud side), a client side 1, a client side 2, … …, and a client side n, where n is an integer greater than 2.
In the embodiment of the disclosure, clients 1 to n may each receive the aggregation model parameter ps_t sent by the server, where the aggregation model parameter is determined according to the current parameters [Figure BDA0003620910100000051] of the respective network anomaly detection models of clients 1 to n, t represents the current time, i represents the index of the client, and i is an integer greater than or equal to 1 and less than or equal to n.
In the embodiment of the present disclosure, client 1 may determine the update parameters [Figure BDA0003620910100000053] of the network anomaly detection model of client 1 according to the aggregation model parameter ps_t and the current parameters [Figure BDA0003620910100000052] of the network anomaly detection model of client 1. Client 2 may determine the update parameters [Figure BDA0003620910100000055] of the network anomaly detection model of client 2 according to the aggregation model parameter ps_t and the current parameters [Figure BDA0003620910100000054] of the network anomaly detection model of client 2. By analogy, client n may determine the update parameters [Figure BDA0003620910100000062] of the network anomaly detection model of client n according to the aggregation model parameter ps_t and the current parameters [Figure BDA0003620910100000061] of the network anomaly detection model of client n.
In the embodiment of the present disclosure, clients 1 to n may each send the update parameters [Figure BDA0003620910100000063] of their respective network anomaly detection models to the server.
In the embodiment of the disclosure, the server may update its aggregation model parameters according to the update parameters [Figure BDA0003620910100000064] of the respective network anomaly detection models of clients 1 to n, obtaining the updated aggregation model parameters ps_{t+1}.
In the embodiment of the disclosure, the server sends the updated aggregation model parameters ps_{t+1} to clients 1 to n, so that clients 1 to n update the current parameters [Figure BDA0003620910100000065] of their respective network anomaly detection models according to the updated aggregation model parameters ps_{t+1}.
In the embodiment of the disclosure, data interaction between the client and the server is performed through a personalized federated learning method, and the data exchanged can be encrypted with Paillier (a homomorphic encryption algorithm) during the interaction, so that data security is ensured.
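The Paillier-protected parameter exchange mentioned above can be illustrated as follows. This is an added example, not code from the patent: it assumes the server combines client parameters by plain averaging, that the clients share one Paillier key pair the server never holds, and it uses toy-sized primes, constructed sample parameters and hypothetical function names.

```python
import math
import secrets

# Toy primes (two Mersenne primes) so the example runs instantly.
# Assumption for illustration only: a real deployment needs a modulus of
# at least 2048 bits generated by a vetted cryptographic library.
P, Q = 2**31 - 1, 2**61 - 1
SCALE = 10**6  # fixed-point scale: Paillier encrypts integers, not floats


def keygen(p=P, q=Q):
    """Return (public modulus n, private key (lam, mu)), using g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    mu = pow(lam, -1, n)  # modular inverse (Python 3.8+)
    return n, (lam, mu)


def encrypt(n, m):
    """Encrypt integer m (negative values allowed) under public modulus n."""
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1  # fresh randomness per ciphertext
        if math.gcd(r, n) == 1:
            break
    # With g = n + 1, g^m mod n^2 equals 1 + m*n mod n^2.
    return (1 + (m % n) * n) * pow(r, n, n2) % n2


def decrypt(n, priv, c):
    """Decrypt c and map the result back to a signed integer."""
    lam, mu = priv
    u = pow(c, lam, n * n)
    m = (u - 1) // n * mu % n
    return m - n if m > n // 2 else m


def client_encrypt_params(n, params):
    """Client side: fixed-point encode and encrypt each model parameter."""
    return [encrypt(n, round(x * SCALE)) for x in params]


def server_aggregate(n, encrypted_updates):
    """Server side: multiplying ciphertexts adds the hidden plaintexts.

    The server needs only the public modulus n and never sees a parameter.
    """
    n2 = n * n
    agg = [1] * len(encrypted_updates[0])  # 1 is a ciphertext of 0
    for update in encrypted_updates:
        if len(update) != len(agg):
            raise ValueError("parameter vectors differ in length")
        agg = [a * c % n2 for a, c in zip(agg, update)]
    return agg


def client_decrypt_average(n, priv, agg, num_clients):
    """Client side: decrypt the encrypted sum and divide to get the mean."""
    return [decrypt(n, priv, c) / (SCALE * num_clients) for c in agg]


# Constructed sample: shared-submodel parameters of three clients.
SAMPLE_CLIENT_PARAMS = [
    [0.25, -1.5, 0.75],
    [0.75, 0.5, -0.25],
    [0.5, 0.25, 0.25],
]


def run_round(client_params=SAMPLE_CLIENT_PARAMS):
    """One aggregation round; returns the averaged parameters."""
    n, priv = keygen()
    uploads = [client_encrypt_params(n, p) for p in client_params]
    agg = server_aggregate(n, uploads)
    return client_decrypt_average(n, priv, agg, len(client_params))


if __name__ == "__main__":
    print(run_round())
```
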
It should be understood that the client side and the server side in fig. 1 are only illustrative, and any number of client sides and server sides can be provided according to actual needs.
It should be noted that the above application scenarios are only illustrated for the convenience of understanding the spirit and principles of the present disclosure, and the embodiments of the present disclosure are not limited in any way in this respect. Rather, embodiments of the present disclosure may be applied to any scenario where applicable.
Hereinafter, each step of the determination method of the network anomaly detection model in the exemplary embodiment of the present disclosure will be described in more detail with reference to the drawings and the embodiments.
Fig. 2 is a flow chart illustrating a method of determining a network anomaly detection model according to an exemplary embodiment. The method provided in the embodiment of the present disclosure may be applied to a first client, where the first client may be any one of the clients in the embodiment of fig. 1, and in the following example, the client 1 in the embodiment of fig. 1 is taken as a first client, and the clients 2 to n are taken as second clients for example, but the present disclosure is not limited thereto.
As shown in fig. 2, a method for determining a network anomaly detection model provided by an embodiment of the present disclosure may include the following steps.
In step S202, receiving an aggregation model parameter sent by a server; the aggregation model parameters are determined by the server side according to current parameters of respective network anomaly detection models of the first client side and the at least one second client side.
In the embodiment of the present disclosure, client 1 may receive the aggregation model parameter ps_t sent by the server; the aggregation model parameter ps_t is determined by the server according to the current parameters [Figure BDA0003620910100000071] of the respective network anomaly detection models of client 1 and clients 2 to n.
In the embodiment of the present disclosure, the aggregation model parameter of the server may be a parameter of an aggregation model of the server, and the aggregation model of the server may be a neural network model or a mathematical model, and is used to aggregate parameters in a network anomaly detection model of each client.
The network anomaly detection model may be a model of each client for detecting network traffic data to obtain an anomaly class label, which may be a neural network model.
In an exemplary embodiment, before receiving the aggregation model parameters sent by the server, the method may further include: determining initialization parameters of a first submodel and a second submodel in the network anomaly detection model of the first client; the input layer of the first submodel is used for inputting the network traffic data of the first client, the output layer of the first submodel is connected with the second submodel, and the second submodel is used for outputting the anomaly category label of the network traffic data.
Fig. 3 is a schematic diagram illustrating a structure of a network anomaly detection model of each client according to an example.
In the embodiment of the present disclosure, the network anomaly detection model of each client may include a first submodel and a second submodel; the first submodel may be a first neural network model, which may also be referred to as a local sharing model (PS Net, Part Share Net); the second submodel may be a second neural network model, also referred to as a head model.
Referring to fig. 3, for example, the network anomaly detection model of client 1 may include a local sharing model 11 and a head model 12, the network anomaly detection model of client 2 may include a local sharing model 21 and a head model 22, and so on, and the network anomaly detection model of client n may include a local sharing model 31 and a head model 32.
In the embodiment of the present disclosure, the input layer of the local sharing model 11 of the network anomaly detection model of client 1 is used to input the network traffic data of client 1, the output layer of the local sharing model 11 is connected to the head model 12, and the head model 12 may output an anomaly category label of the network traffic data.
In the embodiment of the present disclosure, the anomaly category label may include normal traffic and abnormal traffic.
In the embodiment of the present disclosure, before receiving the aggregation model parameter sent by the server, each client determines the initialization parameter of the first submodel and the initialization parameter of the second submodel in the network anomaly detection model of each client.
In the embodiment of the present disclosure, the initialization parameters of the first submodel and the second submodel may be configured in advance.
In an exemplary embodiment, the initialization parameters of the first submodel in the network anomaly detection model of the first client may be determined by: acquiring a network traffic data training set; encoding the network traffic data training set through the first submodel to obtain a feature vector; decoding the feature vector to obtain a restored data set; and adjusting the encoder parameters of the first submodel according to the relative error between the restored data set and the network traffic data training set until the relative error converges to the minimum value, and determining the currently adjusted encoder parameters as the initialization parameters of the first submodel.
In the embodiment of the present disclosure, taking the network anomaly detection model of client 1 as an example, a network traffic data training set may be obtained and input to the local sharing model 11, which encodes the network traffic data training set to obtain a feature vector; the feature vector is then decoded to obtain a restored data set of the network traffic data training set, the encoder parameters of the local sharing model 11 are adjusted according to the relative error between the restored data set and the network traffic data training set until the relative error converges to a minimum value, and the currently adjusted encoder parameters are determined as the initialization parameters of the local sharing model 11.
The relative error between the above-mentioned restored data set and the network traffic data training set can be determined by the RMSE (Root Mean Squared Error) loss function:
Figure BDA0003620910100000081
where x_i represents the data in the network traffic training set, [Figure BDA0003620910100000082] represents the data in the restored data set, and m represents the number of data.
In an exemplary embodiment, encoding the network traffic data training set through the first submodel to obtain the feature vector includes: performing first encoding processing on the network traffic data training set based on the attention encoder parameters of the first submodel to obtain a first feature vector; and performing second encoding processing on the first feature vector based on the auto-encoder parameters of the first submodel to obtain a second feature vector. Decoding the feature vector to obtain the restored data set includes: performing first decoding processing on the second feature vector through an auto-decoder to obtain a third feature vector; and performing second decoding processing on the third feature vector through an attention decoder to obtain the restored data set.
In an embodiment of the present disclosure, the first submodel may include an attention encoder (also referred to as a Transformer-Encoder) and an auto-encoder (AE-Encoder). In the training process of the first submodel, the feature vectors output by the first submodel can be restored through an auto-decoder (AE-Decoder) and an attention decoder (also called a Transformer-Decoder) to train the first submodel. After the first submodel is trained (model convergence), in practical application, referring to fig. 3, the network traffic data is processed by the attention encoder and the auto-encoder in the first submodel, and the data output by the first submodel is input into the second submodel to output the anomaly category label of the network traffic data.
FIG. 4 is a schematic diagram illustrating a first sub-model training process according to an example.
Referring to FIG. 4, data x_i in the network traffic training set may be input to the Transformer-Encoder 401 for a first encoding process to obtain a first feature vector t_i; the first feature vector t_i is reduced in dimension by an encoder hidden layer (Encoder-hidden) 402 to obtain a vector e_i; the auto-encoder 403 performs a second encoding process on the vector e_i to obtain a second feature vector a_i (which may correspond to the hidden vector (latent) 404 in FIG. 4); the auto-decoder 405 performs a first decoding process on the second feature vector a_i to obtain a third feature vector d_i; the third feature vector d_i is raised in dimension by an encoder hidden layer (Encoder-hidden) 406 and then subjected to a second decoding process by the Transformer-Decoder 407, resulting in a restored data set
Figure BDA0003620910100000091
In the embodiment of the present disclosure, the network structure shown in fig. 4 is trained in an unsupervised manner, and after the model converges, the encoder portion in fig. 4 (including the Transformer-Encoder and the AE-Encoder) is used as the first submodel.
In the embodiment of the present disclosure, before processing the network traffic training set, the network traffic training set may be preprocessed.
Specifically, the data preprocessing process may include the following. Where the intrusion detection data set includes symbolic feature data, such as TCP (Transmission Control Protocol), UDP (User Datagram Protocol) and ICMP (Internet Control Message Protocol), which the model has difficulty processing directly, one-hot encoding may be applied to such data. For the category label, the normal traffic data in the data set may be labeled as 0, and the abnormal traffic data may be labeled as 1; the training data set labeled with the category label may be used in the training process for the second submodel.
Specifically, the data preprocessing process may further include: normalizing the numerical data in two or more data sets. Numerical standardization through Z-score uniformly converts data of different magnitudes to the same magnitude, which addresses the large dimensional differences between different feature data.
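The preprocessing steps above, together with the RMSE reconstruction error, as an added Python example that is not code from the patent. The field names (`duration`, `src_bytes`, `urgent`), the label strings and the sample records are constructed for illustration, and `rmse` uses the standard definition because the formula image is not recoverable from this page. The example also covers two cases a deployment meets: a protocol value not seen in training, and a numeric field with zero variance.

```python
import math

PROTOCOLS = ("tcp", "udp", "icmp")              # symbolic values named in the text
NUMERIC = ("duration", "src_bytes", "urgent")   # hypothetical numeric fields

# Constructed flow records; field names and values are illustrative only.
TRAIN = [
    {"protocol": "tcp",  "duration": 2, "src_bytes": 1000, "urgent": 0, "label": "normal"},
    {"protocol": "udp",  "duration": 4, "src_bytes": 3000, "urgent": 0, "label": "normal"},
    {"protocol": "icmp", "duration": 6, "src_bytes": 5000, "urgent": 0, "label": "attack"},
]


def one_hot_protocol(value):
    """One-hot encode a protocol; unseen values become all zeros instead of failing."""
    v = str(value).strip().lower()
    return [1.0 if v == p else 0.0 for p in PROTOCOLS]


def fit_zscore(rows):
    """Compute per-field (mean, std) on the training rows only."""
    stats = {}
    for key in NUMERIC:
        vals = [float(r[key]) for r in rows]
        mean = sum(vals) / len(vals)
        std = math.sqrt(sum((v - mean) ** 2 for v in vals) / len(vals))
        stats[key] = (mean, std if std > 0 else 1.0)   # constant field scales to 0
    return stats


def transform(row, stats):
    """Build the model input: one-hot protocol followed by Z-scored numeric fields."""
    vec = one_hot_protocol(row["protocol"])
    for key in NUMERIC:
        mean, std = stats[key]
        vec.append((float(row[key]) - mean) / std)
    return vec


def encode_label(label):
    """Normal traffic is labeled 0, abnormal traffic 1."""
    return 0 if label == "normal" else 1


def preprocess(rows):
    """Fit the scaler on the training rows and return features, labels and statistics."""
    stats = fit_zscore(rows)
    X = [transform(r, stats) for r in rows]
    y = [encode_label(r["label"]) for r in rows]
    return X, y, stats


def rmse(original, restored):
    """Root mean squared error between original data and its reconstruction."""
    m = len(original)
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(original, restored)) / m)


if __name__ == "__main__":
    X, y, stats = preprocess(TRAIN)
    # Real-time record with a protocol that was absent from training (constructed).
    live = {"protocol": "GRE", "duration": 4, "src_bytes": 3000, "urgent": 0}
    print(X[0], y, transform(live, stats))
```

The statistics returned by `preprocess` are reused for real-time records, so live traffic is scaled exactly as the training data was.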
In step S204, according to the aggregation model parameter and the current parameter of the network anomaly detection model of the first client, an update parameter of the network anomaly detection model of the first client is determined.
In the embodiment of the present disclosure, client 1 may, according to the aggregation model parameter ps_t sent by the server and the current parameters of the network anomaly detection model of client 1
Figure BDA0003620910100000101
determine the update parameters of the network anomaly detection model of client 1
Figure BDA0003620910100000102
Client 2 may, according to the aggregation model parameter ps_t and the current parameters of the network anomaly detection model of client 2
Figure BDA0003620910100000103
determine the update parameters of the network anomaly detection model of client 2
Figure BDA0003620910100000104
By analogy, client n may, according to the aggregation model parameter ps_t and the current parameters of the network anomaly detection model of client n
Figure BDA0003620910100000105
determine the update parameters of the network anomaly detection model of client n
Figure BDA0003620910100000106
In an exemplary embodiment, the current parameter of the network anomaly detection model may be a current parameter of a first sub-model in the network anomaly detection model.
In an exemplary embodiment, an update parameter of the first submodel may be determined from the aggregation model parameter, the current parameter of the first submodel, and the current parameter of the second submodel; and an update parameter of the second submodel may be determined according to the aggregation model parameter and the current parameter of the second submodel.
In an exemplary embodiment, the update parameters of the first submodel may be determined by the following steps: determining a current loss function of the first submodel according to the aggregation model parameter and the current parameter of the second submodel; determining the current descending gradient of the first submodel according to the current loss function of the first submodel, the current parameters of the first submodel and the first learning rate; and determining the update parameters of the first submodel according to the current descending gradient of the first submodel.
With reference to fig. 3, assume that the number of clients is n, the participation rate is r, and the learning rate is α. According to the aggregation model parameter ps_t corresponding to time t and the current parameters of the second submodel
Figure BDA0003620910100000107
(
Figure BDA0003620910100000108
represents the current parameters of the second submodel of the i-th client at time t), a current loss function of the first submodel is determined
Figure BDA0003620910100000109
According to the current loss function of the first submodel, the current parameters of the first submodel
Figure BDA00036209101000001010
and a first learning rate α, a current descending gradient of the first submodel is determined (SGD in formula (2)); and the update parameters of the first submodel are determined according to the current descending gradient of the first submodel
Figure BDA00036209101000001011
Specifically, formula (2) can be referred to:
Figure BDA00036209101000001012
In an exemplary embodiment, the update parameters of the second submodel may be determined by: determining a current loss function of the second submodel according to the aggregation model parameter and the current parameter of the second submodel; determining the current descending gradient of the second submodel according to the current loss function of the second submodel and the current parameters of the second submodel; and determining the update parameters of the second submodel according to the current descending gradient of the second submodel.
In the embodiment of the disclosure, according to the aggregation model parameter ps_t corresponding to time t and the current parameters of the second submodel
Figure BDA0003620910100000111
a current loss function of the second submodel is determined
Figure BDA0003620910100000112
A current descending gradient of the second submodel (SGD in formula (3)) is determined according to the current loss function of the second submodel, the current parameters of the second submodel and a second learning rate α (the second learning rate and the first learning rate may be the same or different); the update parameters of the second submodel are determined according to the current descending gradient of the second submodel
Figure BDA0003620910100000113
Specifically, formula (3) can be referred to:
Figure BDA0003620910100000114
In the embodiment of the present disclosure, the local user of a client may adopt different loss functions according to different traffic data distributions, which is not limited by the present disclosure.
In step S206, the update parameters of the network anomaly detection model of the first client are sent to the server, so that the server updates the aggregation model parameters.
With reference to fig. 1 and fig. 3, in the embodiment of the present disclosure, clients 1 to n may respectively send the update parameters of their network anomaly detection models to the server
Figure BDA0003620910100000115
The server may, according to the update parameters of the respective network anomaly detection models of clients 1 to n
Figure BDA0003620910100000116
update the aggregation model parameters of the server to obtain updated aggregation model parameters ps_{t+1}.
For example, the server side may update the aggregation model parameters according to the following formula:
Figure BDA0003620910100000117
In the embodiment of the present disclosure, the server may send the updated aggregation model parameters ps_{t+1} to clients 1 to n respectively, so that clients 1 to n update the current parameters of their respective network anomaly detection models according to the updated aggregation model parameters ps_{t+1}
Figure BDA0003620910100000118
In an exemplary embodiment, in the case that the current parameter of the network anomaly detection model is the current parameter of a first sub-model in the network anomaly detection model, the client may send the update parameter of the first sub-model to the server.
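One training round of steps S204 and S206, as an added Python example that is not code from the patent: each client starts from ps_t, trains both submodels on its own data, and uploads only the first-submodel parameters. Formulas (2) to (4) are not recoverable from this page, so the binary cross-entropy loss, the plain gradient steps and the unweighted mean in `aggregate` are assumptions, as are all names, the linear stand-ins for the two submodels and the constructed data.

```python
import math
import random


def sigmoid(v):
    return 1.0 / (1.0 + math.exp(-v))


def dot(a, b):
    return sum(ai * bi for ai, bi in zip(a, b))


class Client:
    """First submodel w is shared via the server; second submodel (h, b) stays local."""

    def __init__(self, data, dim):
        self.data = data              # constructed (features, label) pairs
        self.w = [0.0] * dim          # first submodel (stand-in for the encoder)
        self.h, self.b = 1.0, 0.0     # second submodel (stand-in for the classifier)

    def loss(self):
        """Mean binary cross-entropy of the local model on the local data."""
        total = 0.0
        for x, y in self.data:
            p = sigmoid(self.h * dot(self.w, x) + self.b)
            p = min(max(p, 1e-12), 1.0 - 1e-12)
            total -= y * math.log(p) + (1 - y) * math.log(1.0 - p)
        return total / len(self.data)

    def local_update(self, ps_t, lr, steps):
        """Start from the aggregate ps_t, train both submodels, return only w."""
        self.w = list(ps_t)
        n = len(self.data)
        for _ in range(steps):
            gw, gh, gb = [0.0] * len(self.w), 0.0, 0.0
            for x, y in self.data:
                z = dot(self.w, x)
                err = sigmoid(self.h * z + self.b) - y   # dLoss/dlogit
                gw = [g + err * self.h * xi for g, xi in zip(gw, x)]
                gh += err * z
                gb += err
            self.w = [wi - lr * g / n for wi, g in zip(self.w, gw)]
            self.h -= lr * gh / n
            self.b -= lr * gb / n
        return list(self.w)           # upload: no traffic data, no classifier head


def aggregate(uploads):
    """Server side: unweighted mean of the uploaded first-submodel parameters."""
    k = len(uploads)
    return [sum(col) / k for col in zip(*uploads)]


def run_round(ps_t, clients, r, lr, steps, rng):
    """One round with participation rate r; returns (ps_{t+1}, uploads)."""
    k = max(1, round(r * len(clients)))
    chosen = rng.sample(clients, k)
    uploads = [c.local_update(ps_t, lr, steps) for c in chosen]
    return aggregate(uploads), uploads


def train(clients, dim, rounds=20, r=1.0, lr=0.2, steps=5, seed=0):
    rng = random.Random(seed)
    ps = [0.0] * dim
    for _ in range(rounds):
        ps, _ = run_round(ps, clients, r, lr, steps, rng)
    for c in clients:                 # server sends ps_{t+1} back to every client
        c.w = list(ps)
    return ps


def make_clients():
    """Two clients with differently distributed, constructed traffic features."""
    a = [([1.0, 0.2], 1), ([0.9, 0.1], 1), ([-1.0, -0.3], 0), ([-0.8, 0.0], 0)]
    b = [([0.7, 1.0], 1), ([1.2, 0.8], 1), ([-0.9, -1.1], 0), ([-1.1, -0.7], 0)]
    return [Client(a, 2), Client(b, 2)]


if __name__ == "__main__":
    clients = make_clients()
    ps = train(clients, dim=2)
    print("aggregate:", ps)
    print("local heads:", [(c.h, c.b) for c in clients])
    print("local losses:", [c.loss() for c in clients])
```

Everything the server receives is the return value of `local_update`, which makes the upload the single place to audit what leaves a client.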
In the embodiment of the present disclosure, with reference to fig. 1 and fig. 3, when a new client (for example, client n+1) is added, the new client may send the current parameters of its network anomaly detection model to the server. The server may determine the update parameters of the network anomaly detection model according to the current parameters of the respective network anomaly detection models of clients 1 to n+1, and send the determined update parameters to each of clients 1 to n+1, which then update their respective network anomaly detection models according to the update parameters. Therefore, the method provided by the embodiment of the disclosure can quickly support a newly added client (e.g., client n+1), and can improve the scalability of the whole system and its robustness to heterogeneous data while handling massive data and preserving data privacy.
According to the method for determining the network anomaly detection model provided by the embodiment of the disclosure, the server can determine the aggregation model parameters according to the current parameters of the respective network anomaly detection models of the first client and the at least one second client, and send the aggregation model parameters to the first client; the first client can determine the update parameters of its network anomaly detection model according to the aggregation model parameters and the current parameters of that model; and the first client sends the update parameters of the network anomaly detection model to the server so that the server updates the aggregation model parameters. Because the aggregation model parameters are determined according to the current parameters of the respective network anomaly detection models of the first client and the at least one second client, the first client incorporates the data of other clients when it updates the parameters of its own network anomaly detection model. The problem of data islands is thus avoided while data privacy and data security are ensured, and the generalization capability on heterogeneous data can be improved. In addition, using the network anomaly detection model obtained by this method for network anomaly detection can improve the accuracy of network anomaly detection and reduce the false alarm rate.
Fig. 5 is a flow chart illustrating a method of network anomaly detection according to an exemplary embodiment. The method provided by the embodiment of the present disclosure may be applied to a first client, where the first client may be any one of the clients in the embodiment of fig. 1, for example, but the present disclosure is not limited thereto.
As shown in fig. 5, a network anomaly detection method provided in the embodiments of the present disclosure may include the following steps.
In step S502, real-time network traffic data is acquired.
In the embodiment of the present disclosure, taking the client 1 as an example, after the network anomaly detection model of the client 1 is trained, in practical application, the client 1 may obtain real-time network traffic data and input the real-time network traffic data into the trained network anomaly detection model.
In step S504, abnormal traffic data in the real-time network traffic data is detected based on the network abnormality detection model.
The network anomaly detection model can be obtained by using the determination method of the network anomaly detection model.
In the embodiment of the present disclosure, referring to fig. 3, taking the client 1 as an example, the network anomaly detection model of the client 1 may include a first sub-model 11 and a second sub-model 12, and may input the real-time network traffic data into the trained first sub-model 11 for feature extraction, and then input the extracted real-time network traffic data into the second sub-model 12, and output an anomaly category label corresponding to the real-time network traffic data, that is, whether the real-time network traffic data is normal or abnormal, thereby detecting the anomalous traffic data from the real-time network traffic data and determining whether a network intrusion behavior exists in the system running in real time.
According to the network anomaly detection method provided by the embodiment of the disclosure, the network anomaly detection model obtained by the method is used for network anomaly detection, so that the accuracy rate of network anomaly detection can be improved, and the false alarm rate can be reduced.
Fig. 6 is an overall block diagram illustrating a network anomaly detection method according to an exemplary embodiment.
Referring to fig. 6, in the embodiment of the present disclosure, data from different places, for example, data of local A, local B, and local C (which may also be referred to as client A, client B, and client C), may be obtained respectively and preprocessed by a data preprocessing module 601. The model training module 602 trains a local sharing model on the preprocessed data, and after the local sharing model converges, the model is uploaded to a cloud parameter aggregation module 603 of the cloud (also called the server) for parameter aggregation. After parameter aggregation is completed, the parameters of the aggregation model are issued to local A, local B and local C respectively. Local A, local B and local C each use their own local data to add some personalized shallow classifiers on top of the local sharing model for model retraining (which local A, local B and local C may choose according to their users' different requirements), obtaining an A personalized model, a B personalized model and a C personalized model; these models exchange gradients and parameters with the aggregation model on the cloud side, so that the models improve one another. After the model is trained, whether a network intrusion behavior exists in the system running in real time can be judged according to the obtained network anomaly detection model.
It should also be understood that the above description is intended only to assist those skilled in the art in better understanding the embodiments of the present disclosure, and is not intended to limit the scope of the embodiments of the present disclosure. Various equivalent modifications or changes will be apparent to those skilled in the art in light of the above examples given, for example, some steps in the above methods may not be necessary or some steps may be added newly. Or a combination of any two or more of the above embodiments. Such modifications, variations, or combinations are also within the scope of the embodiments of the present disclosure.
It should also be understood that the foregoing descriptions of the embodiments of the present disclosure have been provided with an emphasis on differences between the various embodiments, and the same or similar components that are not mentioned may be referenced with each other and will not be repeated here for the sake of brevity.
It should also be understood that the sequence numbers of the above processes do not imply any order of execution, and the order of execution of the processes should be determined by their functions and inherent logic, and should not limit the implementation process of the embodiments of the present disclosure.
It is also to be understood that, in the various embodiments of the present disclosure, unless otherwise specified or logically conflicting, the terminology and/or descriptions of the various embodiments are consistent and may be referenced with each other, and the technical features of the various embodiments may be combined to form a new embodiment according to their inherent logical relationships.
An example of the method for determining the network anomaly detection model provided by the present disclosure is described in detail above. It is understood that, in order to realize the above functions, the computer device comprises hardware structures and/or software modules for performing the respective functions. Those of skill in the art will readily appreciate that the present disclosure is capable of being implemented in hardware or a combination of hardware and computer software for performing the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein. Whether a function is performed as hardware or as computer software driving hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present disclosure.
The following are embodiments of the disclosed apparatus that may be used to perform embodiments of the disclosed methods. For details not disclosed in the embodiments of the apparatus of the present disclosure, refer to the embodiments of the method of the present disclosure.
Fig. 7 is a block diagram illustrating a network anomaly detection model determination apparatus according to an exemplary embodiment.
As shown in fig. 7, the apparatus 700 for determining a network anomaly detection model may include: a receiving module 702, a determining module 704, and a sending module 706.
The receiving module 702 is configured to receive aggregation model parameters sent by a server; the aggregation model parameter is determined by the server according to the current parameters of the network anomaly detection model of the first client and the network anomaly detection model of the second client; the determining module 704 is configured to determine, according to the aggregation model parameter and a current parameter of the network anomaly detection model of the first client, an update parameter of the network anomaly detection model of the first client; the sending module 706 is configured to send the update parameter of the network anomaly detection model of the first client to the server, so that the server updates the aggregation model parameter.
In an exemplary embodiment, the determining module 704 is further configured to determine initialization parameters of a first sub-model and a second sub-model in the network anomaly detection model of the first client; the input layer of the first submodel is used for inputting the network traffic data of the first client, the output layer of the first submodel is connected with the second submodel, and the second submodel is used for outputting the abnormal category label of the network traffic data.
In an exemplary embodiment, the determining module 704 is further configured to determine an update parameter of the first submodel according to the aggregation model parameter, the current parameter of the first submodel and the current parameter of the second submodel; and to determine the update parameters of the second submodel according to the aggregation model parameter and the current parameters of the second submodel. Sending the update parameters of the network anomaly detection model of the first client to the server includes: sending the update parameters of the first submodel to the server.
In an exemplary embodiment, the determining module 704 is further configured to determine a current loss function of the first submodel according to the aggregation model parameters and current parameters of the second submodel; determining a current descending gradient of the first submodel according to the current loss function of the first submodel, the current parameters of the first submodel and a first learning rate; determining an updating parameter of the first submodel according to the current descending gradient of the first submodel; wherein the determining module 704 is further configured to determine a current loss function of the second submodel according to the aggregation model parameter and the current parameter of the second submodel; determining the current descending gradient of the second submodel according to the current loss function of the second submodel, the current parameters of the second submodel and a second learning rate; and determining the updating parameters of the second submodel according to the current descending gradient of the second submodel.
In an exemplary embodiment, the determining module 704 is further configured to obtain a training set of network traffic data; encode the network traffic data training set through the first submodel to obtain a feature vector; decode the feature vector to obtain a restored data set; and adjust the encoder parameters of the first submodel according to the relative error between the restored data set and the network traffic data training set until the relative error converges to a minimum value, and determine the currently adjusted encoder parameters as the initialization parameters of the first submodel.
In an exemplary embodiment, the determining module 704 is further configured to perform a first encoding process on the network traffic data training set based on the attention encoder parameter of the first sub-model, so as to obtain a first feature vector; performing second coding processing on the first feature vector based on the automatic coder parameters of the first sub-model to obtain a second feature vector; the determining module 704 is further configured to perform a first decoding process on the second feature vector through an automatic decoder to obtain a third feature vector; and performing second decoding processing on the third feature vector through an attention decoder to obtain the restored data set.
The embodiment of the present disclosure further provides a network anomaly detection apparatus, applied to a first client, including: a data acquisition module for acquiring real-time network traffic data; and a data detection module for detecting abnormal traffic data in the real-time network traffic data based on the network anomaly detection model determined by any of the above methods.
It is noted that the block diagrams shown in the above figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor terminal devices and/or microcontroller terminal devices.
Fig. 8 is a schematic structural diagram of an electronic device according to an example embodiment. It should be noted that the electronic device shown in fig. 8 is only an example, and should not bring any limitation to the functions and the application scope of the embodiment of the present disclosure.
As shown in fig. 8, the electronic apparatus 800 includes a Central Processing Unit (CPU)801 that can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)802 or a program loaded from a storage section 808 into a Random Access Memory (RAM) 803. In the RAM803, various programs and data necessary for the operation of the electronic apparatus 800 are also stored. The CPU 801, ROM 802, and RAM803 are connected to each other via a bus 804. An input/output (I/O) interface 805 is also connected to bus 804.
The following components are connected to the I/O interface 805: an input portion 806 including a keyboard, a mouse, and the like; an output section 807 including components such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and a speaker; a storage portion 808 including a hard disk and the like; and a communication section 809 including a network interface card such as a LAN card, a modem, or the like. The communication section 809 performs communication processing via a network such as the internet. A drive 810 is also connected to the I/O interface 805 as needed. A removable medium 811 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 810 as necessary, so that the computer program read out therefrom is mounted on the storage section 808 as necessary.
In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 809 and/or installed from the removable medium 811. The above-described functions defined in the system of the present disclosure are performed when the computer program is executed by the Central Processing Unit (CPU) 801.
It should be noted that the computer readable medium shown in the present disclosure may be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, terminal device, or apparatus, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, terminal device, or apparatus. In contrast, in the present disclosure, a computer-readable signal medium may include a propagated data signal with computer-readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, terminal device, or apparatus. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present disclosure may be implemented by software or hardware. The described units may also be provided in a processor, and may be described as: a processor includes a transmitting unit, an obtaining unit, a determining unit, and a first processing unit. The names of these units do not in some cases constitute a limitation to the unit itself, and for example, the sending unit may also be described as a "unit sending a picture acquisition request to a connected server".
As another aspect, the present disclosure also provides a computer-readable storage medium, which may be included in the electronic device described in the above embodiments; or may exist separately without being assembled into the electronic device. The computer-readable storage medium carries one or more programs that, when executed by one of the electronic devices, cause the electronic device to implement the method as described in the embodiments below. For example, the electronic device may implement the steps shown in fig. 2.
According to an aspect of the present disclosure, there is provided a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to perform the method provided in the various alternative implementations of the embodiments described above.
It is to be understood that any number of elements in the drawings of the present disclosure are by way of example and not by way of limitation, and any nomenclature is used for differentiation only and not by way of limitation.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This disclosure is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice in the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It will be understood that the present disclosure is not limited to the precise arrangements that have been described above and shown in the drawings, and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.

Claims (10)

1. A method for determining a network anomaly detection model, applied to a first client, the method comprising the following steps:
receiving an aggregation model parameter sent by a server; the aggregation model parameters are determined by the server side according to current parameters of respective network anomaly detection models of the first client side and the at least one second client side;
determining an updating parameter of the network anomaly detection model of the first client according to the aggregation model parameter and the current parameter of the network anomaly detection model of the first client;
and sending the update parameters of the network anomaly detection model of the first client to the server so that the server updates the aggregation model parameters.
2. The method according to claim 1, wherein before receiving the server-side transmitted aggregation model parameters, the method further comprises:
determining initialization parameters of a first submodel and a second submodel in a network anomaly detection model of the first client; the input layer of the first submodel is used for inputting the network traffic data of the first client, the output layer of the first submodel is connected with the second submodel, and the second submodel is used for outputting the abnormal category label of the network traffic data.
3. The method of claim 2, wherein determining the updated parameters of the network anomaly detection model of the first client according to the aggregated model parameters and the current parameters of the network anomaly detection model of the first client comprises:
determining an updating parameter of the first submodel according to the aggregation model parameter, the current parameter of the first submodel and the current parameter of the second submodel; and
determining an updating parameter of the second submodel according to the aggregation model parameter and the current parameter of the second submodel;
sending the update parameters of the network anomaly detection model of the first client to the server, wherein the update parameters comprise:
and sending the update parameters of the first submodel to the server side.
4. The method of claim 3, wherein determining updated parameters for the first sub-model from the aggregated model parameters, the current parameters for the first sub-model, and the current parameters for the second sub-model comprises:
determining a current loss function of the first sub-model according to the aggregation model parameter and the current parameter of the second sub-model;
determining a current descending gradient of the first submodel according to a current loss function of the first submodel, current parameters of the first submodel and a first learning rate; and
determining an updating parameter of the first submodel according to the current descending gradient of the first submodel;
determining an update parameter of the second submodel according to the aggregation model parameter and the current parameter of the second submodel, wherein the determining the update parameter of the second submodel comprises:
determining a current loss function of the second submodel according to the aggregation model parameter and the current parameter of the second submodel;
determining the current descending gradient of the second submodel according to the current loss function of the second submodel, the current parameters of the second submodel and a second learning rate;
and determining the updating parameters of the second submodel according to the current descending gradient of the second submodel.
5. The method of claim 2, wherein determining initialization parameters for a first sub-model in the network anomaly detection model for the first client comprises:
acquiring a network traffic data training set;
coding the network traffic data training set through the first submodel to obtain a feature vector;
decoding the feature vector to obtain a restored data set;
and adjusting the encoder parameters of the first submodel according to the relative error between the restored data set and the network traffic data training set until the relative error converges to a minimum value, and determining the currently adjusted encoder parameters as the initialization parameters of the first submodel.
6. The method of claim 5, wherein encoding the training set of network traffic data by the first submodel to obtain a feature vector comprises:
performing first coding processing on the network traffic data training set based on the attention encoder parameters of the first submodel to obtain a first feature vector;
performing second coding processing on the first feature vector based on the automatic encoder parameters of the first submodel to obtain a second feature vector;
decoding the feature vector to obtain a restored data set, including:
performing first decoding processing on the second feature vector through an automatic decoder to obtain a third feature vector;
and performing second decoding processing on the third feature vector through an attention decoder to obtain the restored data set.
7. A network anomaly detection method is applied to a first client, and comprises the following steps:
acquiring real-time network traffic data;
detecting anomalous traffic data in the real-time network traffic data based on a network anomaly detection model determined according to the method of any of claims 1-6.
8. An apparatus for determining a network anomaly detection model, comprising:
the receiving module is used for receiving the aggregation model parameters sent by the server side; the aggregation model parameters are determined by the server side according to current parameters of respective network anomaly detection models of a first client and at least one second client;
the determining module is used for determining the updating parameters of the network anomaly detection model of the first client according to the aggregation model parameters and the current parameters of the network anomaly detection model of the first client;
and the sending module is used for sending the update parameters of the network anomaly detection model of the first client to the server so that the server updates the aggregation model parameters.
9. An electronic device, comprising:
at least one processor;
storage means for storing at least one program which, when executed by the at least one processor, causes the at least one processor to carry out the method of any one of claims 1 to 7.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1 to 7.
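The round described in claims 1 to 4, as an added sketch that is not code from the patent: each client starts from the aggregated first-submodel parameters, steps both submodels with separate learning rates, and uploads only the first submodel. The linear encoder, logistic head, mean aggregation, sample data and all names are assumptions made for illustration.

```python
import math

def sigmoid(s):
    return 1.0 / (1.0 + math.exp(-s))

class Client:
    """One participant: private traffic features plus a private second submodel."""
    def __init__(self, data, lr1=0.5, lr2=0.1):
        self.data = data               # constructed (feature_vector, label) pairs; 1 = anomalous
        self.head = [1.0, 0.0]         # second submodel (v, b): assumed logistic head, stays local
        self.lr1, self.lr2 = lr1, lr2  # first / second learning rate (claim 4)

    def loss(self, w):
        """Mean cross-entropy of encoder w combined with this client's local head."""
        v, b = self.head
        total = 0.0
        for x, y in self.data:
            p = sigmoid(v * sum(wi * xi for wi, xi in zip(w, x)) + b)
            total -= math.log(p) if y else math.log(1.0 - p)
        return total / len(self.data)

    def local_update(self, agg_w):
        """Start from the aggregated encoder and take one gradient step per submodel."""
        v, b = self.head
        gw, gv, gb = [0.0] * len(agg_w), 0.0, 0.0
        for x, y in self.data:
            z = sum(wi * xi for wi, xi in zip(agg_w, x))
            d = sigmoid(v * z + b) - y           # derivative of the loss w.r.t. the logit
            gw = [g + d * v * xi for g, xi in zip(gw, x)]
            gv, gb = gv + d * z, gb + d
        n = len(self.data)
        self.head = [v - self.lr2 * gv / n, b - self.lr2 * gb / n]
        return [wi - self.lr1 * g / n for wi, g in zip(agg_w, gw)]  # only this is uploaded

def aggregate(updates):
    """Server side (assumed rule): element-wise mean of the uploaded encoder parameters."""
    return [sum(col) / len(updates) for col in zip(*updates)]

def run_rounds(clients, agg_w, rounds):
    for _ in range(rounds):
        agg_w = aggregate([c.local_update(agg_w) for c in clients])
    return agg_w

def make_clients():
    """Two clients with constructed two-feature samples."""
    first = Client([([1.0, 0.0], 1), ([0.0, 1.0], 0)])
    second = Client([([0.9, 0.1], 1), ([0.2, 0.8], 0)])
    return [first, second]
```

Because the head parameters never appear in what `local_update` returns, the server only ever sees the shared feature extractor, which is the split claim 3 describes.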
CN202210462739.9A 2022-04-28 2022-04-28 Determination method, device, equipment and storage medium of network anomaly detection model Active CN114785605B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210462739.9A CN114785605B (en) 2022-04-28 2022-04-28 Determination method, device, equipment and storage medium of network anomaly detection model

Publications (2)

Publication Number Publication Date
CN114785605A true CN114785605A (en) 2022-07-22
CN114785605B CN114785605B (en) 2023-12-12

Family

ID=82435943

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210462739.9A Active CN114785605B (en) 2022-04-28 2022-04-28 Determination method, device, equipment and storage medium of network anomaly detection model

Country Status (1)

Country Link
CN (1) CN114785605B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112906903A (en) * 2021-01-11 2021-06-04 北京源堡科技有限公司 Network security risk prediction method and device, storage medium and computer equipment
WO2021184836A1 (en) * 2020-03-20 2021-09-23 深圳前海微众银行股份有限公司 Method and apparatus for training recognition model, device, and readable storage medium
CN113469234A (en) * 2021-06-24 2021-10-01 成都卓拙科技有限公司 Network flow abnormity detection method based on model-free federal meta-learning
CN113962402A (en) * 2021-10-29 2022-01-21 中国工商银行股份有限公司 Federal learning defense method and device, computer equipment and computer storage medium
CN114358912A (en) * 2021-11-17 2022-04-15 北京交通大学 Risk weight fusion anomaly detection method based on federal learning

Also Published As

Publication number Publication date
CN114785605B (en) 2023-12-12

Similar Documents

Publication Publication Date Title
CN108427939B (en) Model generation method and device
CN109583332B (en) Face recognition method, face recognition system, medium, and electronic device
CN111046027B (en) Missing value filling method and device for time series data
CN108108743B (en) Abnormal user identification method and device for identifying abnormal user
CN110659657B (en) Method and device for training model
CN108111399B (en) Message processing method, device, terminal and storage medium
WO2019245006A1 (en) Detecting device and detecting method
CN111915480A (en) Method, apparatus, device and computer readable medium for generating feature extraction network
CN114612688B (en) Countermeasure sample generation method, model training method, processing method and electronic equipment
CN113627536A (en) Model training method, video classification method, device, equipment and storage medium
CN114785605B (en) Determination method, device, equipment and storage medium of network anomaly detection model
CN115934484B (en) Diffusion model data enhancement-based anomaly detection method, storage medium and apparatus
CN115205089B (en) Image encryption method, training method and device of network model and electronic equipment
CN114237962B (en) Alarm root cause judging method, model training method, device, equipment and medium
CN115953849A (en) Training method of in-vivo detection model, in-vivo detection method and system
CN111062468B (en) Training method and system for generating network, and image generation method and device
CN114611143A (en) Data decryption sharing method, device, equipment and medium
CN110490245B (en) Identity verification model training method and device, storage medium and electronic equipment
CN113961962A (en) Model training method and system based on privacy protection and computer equipment
CN112989501B (en) Balance car safety evaluation method and device and terminal equipment
CN115941357B (en) Industrial safety-based flow log detection method and device and electronic equipment
WO2023207360A1 (en) Image segmentation method and apparatus, electronic device, and storage medium
CN114612689B (en) Countermeasure sample generation method, model training method, processing method and electronic equipment
CN115988100B (en) Gateway management method for intelligent perception of Internet of things of equipment based on multi-protocol self-adaption
CN113705594B (en) Image identification method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant