CN114785605B - Determination method, device, equipment and storage medium of network anomaly detection model - Google Patents


Publication number: CN114785605B
Authority: CN (China)
Prior art keywords: model, sub, parameters, current, client
Legal status: Active
Application number: CN202210462739.9A
Other languages: Chinese (zh)
Other versions: CN114785605A (en)
Inventors: 郭耀光, 边学伟, 陈晓珍, 石啸, 方皓达
Current Assignee: China Telecom Corp Ltd
Original Assignee: China Telecom Corp Ltd

Classifications

    • H04L63/1416: Network security; detecting or protecting against malicious traffic by monitoring network traffic; event detection, e.g. attack signature detection
    • G06F18/214: Pattern recognition; generating training patterns; bootstrap methods, e.g. bagging or boosting
    • G06N3/08: Neural networks; learning methods
    • H04L41/145: Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L63/1425: Network security; detecting or protecting against malicious traffic by monitoring network traffic; traffic logging, e.g. anomaly detection
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The disclosure provides a method, a device, equipment and a storage medium for determining a network anomaly detection model. The method is applied to a first client and comprises the following steps: receiving aggregation model parameters sent by a server, where the aggregation model parameters are determined by the server according to the current parameters of the network anomaly detection models of the first client and at least one second client; determining updated parameters of the network anomaly detection model of the first client according to the aggregation model parameters and the current parameters of the network anomaly detection model of the first client; and sending the updated parameters of the network anomaly detection model of the first client to the server so that the server updates the aggregation model parameters. The method avoids the data island problem while ensuring data privacy and data security, and can improve generalization capability on heterogeneous data.

Description

Determination method, device, equipment and storage medium of network anomaly detection model
Technical Field
The disclosure relates to the field of computer technology, and in particular, to a method and device for determining a network anomaly detection model, an electronic device and a storage medium.
Background
With the continuous development of machine learning and deep learning algorithms, introducing them into the field of network anomaly detection has become possible.
In the related art, a network model is usually trained by using local data, and thus the obtained network model has a data island problem.
It should be noted that the information disclosed in the above background section is only for enhancing understanding of the background of the present disclosure and thus may include information that does not constitute prior art known to those of ordinary skill in the art.
Disclosure of Invention
The invention aims to provide a method, a device, electronic equipment and a storage medium for determining a network anomaly detection model, which can avoid the problem of data island under the condition of ensuring data privacy and data safety and can improve the generalization capability of heterogeneous data.
Other features and advantages of the present disclosure will be apparent from the following detailed description, or may be learned in part by the practice of the disclosure.
The embodiment of the disclosure provides a method for determining a network anomaly detection model, which is applied to a first client, and comprises the following steps: receiving an aggregation model parameter sent by a server side; the aggregation model parameters are determined by the server according to the current parameters of the network anomaly detection models of the first client and the at least one second client; determining updated parameters of the network anomaly detection model of the first client according to the aggregation model parameters and the current parameters of the network anomaly detection model of the first client; and sending the updated parameters of the network anomaly detection model of the first client to the server so as to enable the server to update the aggregated model parameters.
In an exemplary embodiment, before receiving the aggregation model parameters sent by the server side, the method further includes: determining initialization parameters of a first sub-model and a second sub-model in a network anomaly detection model of the first client; the input layer of the first sub-model is used for inputting network traffic data of the first client, the output layer of the first sub-model is connected with the second sub-model, and the second sub-model is used for outputting abnormal class labels of the network traffic data.
In an exemplary embodiment, determining the updated parameters of the network anomaly detection model of the first client according to the aggregated model parameters and the current parameters of the network anomaly detection model of the first client comprises: determining updated parameters of the first sub-model according to the aggregate model parameters, the current parameters of the first sub-model and the current parameters of the second sub-model; determining updating parameters of the second sub-model according to the aggregation model parameters and the current parameters of the second sub-model; the sending, to the server, the updated parameters of the network anomaly detection model of the first client includes: and sending the updated parameters of the first sub-model to the server side.
In an exemplary embodiment, determining updated parameters of the first sub-model based on the aggregate model parameters, current parameters of the first sub-model, and current parameters of the second sub-model comprises: determining a current loss function of the first sub-model according to the aggregation model parameters and the current parameters of the second sub-model; determining a current gradient of descent of the first sub-model according to the current loss function of the first sub-model, the current parameter of the first sub-model and a first learning rate; determining updating parameters of the first sub-model according to the current descending gradient of the first sub-model; wherein determining updated parameters of the second sub-model based on the aggregate model parameters and current parameters of the second sub-model comprises: determining a current loss function of the second sub-model according to the aggregation model parameters and the current parameters of the second sub-model; determining a current gradient of descent of the second sub-model according to the current loss function of the second sub-model, the current parameter of the second sub-model and a second learning rate; and determining updating parameters of the second sub-model according to the current descending gradient of the second sub-model.
In an exemplary embodiment, determining initialization parameters of a first sub-model in a network anomaly detection model of the first client comprises: acquiring a network traffic data training set; encoding the network flow data training set through the first sub-model to obtain a feature vector; decoding the feature vector to obtain a restored data set; and adjusting the encoder parameters of the first sub-model according to the relative error between the restored data set and the network flow data training set until the relative error converges to the minimum value, and determining the encoder parameters obtained by current adjustment as the initialization parameters of the first sub-model.
In an exemplary embodiment, the encoding processing is performed on the network traffic data training set through the first sub-model to obtain a feature vector, which includes: performing first coding processing on the network flow data training set based on the attention coder parameters of the first sub-model to obtain a first feature vector; performing second coding processing on the first feature vector based on the automatic encoder parameters of the first sub-model to obtain a second feature vector; the decoding processing is carried out on the feature vector to obtain a restored data set, which comprises the following steps: performing first decoding processing on the second feature vector through an automatic decoder to obtain a third feature vector; and performing second decoding processing on the third feature vector through an attention decoder to obtain the restored data set.
The embodiment of the disclosure provides a network anomaly detection method applied to a first client, the method comprising: acquiring real-time network traffic data; and detecting abnormal flow data in the real-time network flow data based on the network abnormal detection model determined by any one of the methods.
The embodiment of the disclosure provides a determining device of a network anomaly detection model, comprising: the receiving module is used for receiving the aggregation model parameters sent by the server side; the aggregation model parameters are determined by the server according to the current parameters of the network anomaly detection models of the first client and the at least one second client; the determining module is used for determining updated parameters of the network anomaly detection model of the first client according to the aggregation model parameters and the current parameters of the network anomaly detection model of the first client; and the sending module is used for sending the updated parameters of the network anomaly detection model of the first client to the server side so as to enable the server side to update the aggregated model parameters.
An embodiment of the present disclosure provides an electronic device, including: at least one processor; and a storage device for storing at least one program, where the at least one program, when executed by the at least one processor, causes the at least one processor to implement any of the above methods for determining a network anomaly detection model.
The embodiment of the disclosure provides a computer readable storage medium having a computer program stored thereon, wherein the computer program when executed by a processor implements any one of the above methods for determining a network anomaly detection model.
According to the method for determining the network anomaly detection model, the server side can determine the aggregation model parameters according to the current parameters of the network anomaly detection models of the first client side and the at least one second client side, and send the aggregation model parameters to the first client side, and the first client side can determine the update parameters of the network anomaly detection model according to the aggregation model parameters and the current parameters of the network anomaly detection model of the first client side; the first client sends the updated parameters of the network anomaly detection model to the server so that the server updates the aggregated model parameters; because the aggregation model parameters are determined according to the current parameters of the network anomaly detection model of each of the first client and the at least one second client, when the first client updates the parameters of the network anomaly detection model, the data of other clients are combined, the problem of data island is avoided under the condition of ensuring the data privacy and the data safety, and the generalization capability of heterogeneous data can be improved; in addition, the network anomaly detection model obtained by the method is used for detecting the network anomalies, so that the accuracy of the network anomaly detection can be improved, and the false alarm rate can be reduced.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and together with the description, serve to explain the principles of the disclosure. It will be apparent to those of ordinary skill in the art that the drawings in the following description are merely examples of the disclosure and that other drawings may be derived from them without undue effort.
Fig. 1 shows a schematic diagram of an exemplary system architecture to which a determination method of a network anomaly detection model of an embodiment of the present disclosure may be applied.
Fig. 2 is a flow chart illustrating a method of determining a network anomaly detection model, according to an example embodiment.
Fig. 3 is a schematic diagram showing the structure of a network anomaly detection model of each client according to an example.
FIG. 4 is a schematic diagram illustrating a first sub-model training process, according to one example.
Fig. 5 is a flowchart illustrating a method of network anomaly detection, according to an example embodiment.
Fig. 6 is an overall frame diagram illustrating a network anomaly detection method according to an exemplary embodiment.
Fig. 7 is a block diagram of a determination apparatus of a network anomaly detection model according to an exemplary embodiment.
Fig. 8 is a schematic diagram of an electronic device according to an exemplary embodiment.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. However, the exemplary embodiments may be embodied in many forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
Furthermore, the drawings are merely schematic illustrations of the present disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus a repetitive description thereof will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in software or in one or more hardware modules or integrated circuits or in different networks and/or processor terminals and/or microcontroller terminals.
Furthermore, in the description of the present disclosure, the meaning of "a plurality" is at least two, such as two, three, etc., unless specifically defined otherwise. The terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include one or more such feature.
Fig. 1 shows a schematic diagram of an exemplary system architecture to which a determination method of a network anomaly detection model of an embodiment of the present disclosure may be applied.
Referring to fig. 1, the system architecture may include a server side (also referred to as a cloud), a client 1, a client 2, ..., and a client n, where n is an integer greater than 2.
In the embodiment of the disclosure, the clients 1 to n may each receive the aggregate model parameters $ps_t$ sent by the server, where the aggregate model parameters are determined according to the current parameters of the network anomaly detection model of each of the clients 1 to n, t represents the current moment, i represents the label of the client, and i is an integer greater than or equal to 1 and less than or equal to n.
In the embodiment of the disclosure, client 1 may determine the update parameters of the network anomaly detection model of client 1 based on the aggregate model parameters $ps_t$ and the current parameters of the network anomaly detection model of client 1; client 2 may determine the update parameters of the network anomaly detection model of client 2 based on the aggregate model parameters $ps_t$ and the current parameters of the network anomaly detection model of client 2. By analogy, client n may determine the update parameters of the network anomaly detection model of client n based on the aggregate model parameters $ps_t$ and the current parameters of the network anomaly detection model of client n.
In the embodiment of the disclosure, the clients 1 to n may each send the updated parameters of their respective network anomaly detection models to the server.
In the embodiment of the disclosure, the server may update the aggregation model parameters of the server according to the updated parameters of the network anomaly detection model of each of the clients 1 to n, to obtain updated aggregation model parameters $ps_{t+1}$.
In the embodiment of the disclosure, the server sends the updated aggregation model parameters $ps_{t+1}$ to the clients 1 to n respectively, so that the clients 1 to n can update the current parameters of their respective network anomaly detection models according to the updated aggregation model parameters $ps_{t+1}$.
In the embodiment of the disclosure, data interaction between the client and the server is performed by a personalized federated learning method, and Paillier (a homomorphic encryption algorithm) can be adopted to encrypt the exchanged data so as to ensure data security.
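As an added illustration (not code from the patent), the sketch below shows how one Paillier-protected round could work: each client encrypts its first sub-model parameters, the server multiplies ciphertexts to add the hidden plaintexts, and the clients decrypt the sum and average it. It assumes plain averaging as the aggregation rule, a key pair shared by the clients and not held by the server, fixed-point encoding of the parameters, and constructed toy primes that are far too small for real use.

```python
import math
import secrets

# Constructed toy primes (two Mersenne primes). Real deployments need a
# modulus of at least 2048 bits generated from random primes.
TOY_P = 2**61 - 1
TOY_Q = 2**89 - 1
SCALE = 10**6  # fixed-point scale for float parameters (assumption)


def keygen(p=TOY_P, q=TOY_Q):
    """Return (n, (lam, mu)) using the common g = n + 1 simplification."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(n, phi) != 1:
        raise ValueError("unsuitable primes for Paillier")
    lam = phi // math.gcd(p - 1, q - 1)  # lcm(p - 1, q - 1)
    mu = pow(lam, -1, n)                 # inverse of L(g^lam mod n^2) = lam mod n
    return n, (lam, mu)


def encrypt(n, m):
    """Encrypt integer m (reduced mod n) with fresh randomness r."""
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    # With g = n + 1, g^m mod n^2 equals 1 + m*n.
    return ((1 + (m % n) * n) % n2) * pow(r, n, n2) % n2


def decrypt(n, priv, c):
    """Decrypt to a signed integer in (-n/2, n/2]."""
    lam, mu = priv
    u = pow(c, lam, n * n)
    m = ((u - 1) // n) * mu % n
    return m - n if m > n // 2 else m


def add_encrypted(n, c1, c2):
    """Homomorphic addition: multiplying ciphertexts adds plaintexts."""
    return c1 * c2 % (n * n)


def client_upload(n, ps_params):
    """Client side: encrypt only the first sub-model (PS Net) parameters.
    The second sub-model (head) parameters stay on the client."""
    return [encrypt(n, round(w * SCALE)) for w in ps_params]


def server_aggregate(n, uploads):
    """Server side: element-wise encrypted sum. The server never decrypts."""
    total = list(uploads[0])
    for vec in uploads[1:]:
        if len(vec) != len(total):
            raise ValueError("parameter vectors differ in length")
        total = [add_encrypted(n, a, b) for a, b in zip(total, vec)]
    return total


def client_decrypt_average(n, priv, enc_sum, num_clients):
    """Client side: decrypt the sum and divide by the number of clients."""
    return [decrypt(n, priv, c) / SCALE / num_clients for c in enc_sum]


def run_round(client_params):
    """One aggregation round over constructed client parameter vectors."""
    n, priv = keygen()
    uploads = [client_upload(n, p) for p in client_params]
    enc_sum = server_aggregate(n, uploads)
    return client_decrypt_average(n, priv, enc_sum, len(client_params))


# Constructed sample: first sub-model parameters of three clients.
CLIENT_PS_PARAMS = [[0.5, -1.25, 2.0], [1.5, 0.25, -2.0], [1.0, 1.0, 3.0]]

if __name__ == "__main__":
    print(run_round(CLIENT_PS_PARAMS))
```

The sum of the fixed-point values must stay below n/2 in absolute value, otherwise the signed decoding wraps around.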
It should be understood that the clients and servers in fig. 1 are merely illustrative, and any number of clients and servers may be provided as desired.
It should be noted that the above application scenario is only shown for the convenience of understanding the spirit and principles of the present disclosure, and the embodiments of the present disclosure are not limited in any way in this respect. Rather, embodiments of the present disclosure may be applied to any scenario where applicable.
Hereinafter, each step of the determination method of the network anomaly detection model in the exemplary embodiment of the present disclosure will be described in more detail with reference to the accompanying drawings and embodiments.
Fig. 2 is a flow chart illustrating a method of determining a network anomaly detection model, according to an example embodiment. The method provided in the embodiment of the present disclosure may be applied to a first client, where the first client may be, for example, any one of the clients in the embodiment of fig. 1, and in the following illustration, the client 1 in the embodiment of fig. 1 is taken as a first client, and the clients 2 to n are taken as second clients, which are not limited thereto.
As shown in fig. 2, the method for determining a network anomaly detection model provided by an embodiment of the disclosure may include the following steps.
In step S202, an aggregation model parameter sent by a server is received; the aggregation model parameters are determined by the server according to the current parameters of the network anomaly detection model of each of the first client and the at least one second client.
In the embodiment of the present disclosure, the client 1 may receive the aggregate model parameters $ps_t$ sent by the server; the aggregate model parameters $ps_t$ are determined by the server according to the current parameters of the network anomaly detection models of the client 1 and the clients 2 to n.
In the embodiment of the disclosure, the aggregation model parameters of the server may be parameters of an aggregation model of the server, and the aggregation model of the server may be a neural network model or a mathematical model, which is used for aggregating parameters in a network anomaly detection model of each client.
The network anomaly detection model may be a model for detecting network traffic data of each client to obtain anomaly class labels, and may be a neural network model.
In an exemplary embodiment, before receiving the aggregation model parameters sent by the server side, the method may further include: determining initialization parameters of a first sub-model and a second sub-model in a network anomaly detection model of a first client; the input layer of the first sub-model is used for inputting network traffic data of the first client, the output layer of the first sub-model is connected with the second sub-model, and the second sub-model is used for outputting abnormal class labels of the network traffic data.
Fig. 3 is a schematic diagram showing the structure of a network anomaly detection model of each client according to an example.
In the embodiment of the disclosure, the network anomaly detection model of each client may include a first sub-model and a second sub-model; the first sub-model may be a first neural network model, which may also be referred to as a local sharing model (PS Net); the second sub-model may be a second neural network model, which may also be referred to as a head model.
Referring to fig. 3, for example, the network anomaly detection model of the client 1 may include a local sharing model 11 and a head model 12, the network anomaly detection model of the client 2 may include a local sharing model 21 and a head model 22, and the network anomaly detection model of the client n may include a local sharing model 31 and a head model 32.
In the embodiment of the disclosure, the input layer of the local sharing model 11 of the network anomaly detection model of the client 1 is used for inputting network traffic data of the client 1, the output layer of the local sharing model 11 is connected with the head model 12, and the head model 12 can output anomaly class labels of the network traffic data.
In the embodiment of the disclosure, the abnormal category label may include normal traffic and abnormal traffic.
In the embodiment of the disclosure, before receiving the aggregate model parameters sent by the server, each client determines initialization parameters of a first sub-model and a second sub-model in the network anomaly detection model of each client.
In the embodiment of the disclosure, the initialization parameters of the first sub-model and the second sub-model may be preconfigured.
In an exemplary embodiment, the initialization parameters of the first sub-model in the network anomaly detection model of the first client may be determined by: acquiring a network traffic data training set; encoding the network traffic data training set through a first sub-model to obtain a feature vector; decoding the feature vector to obtain a restored data set; and adjusting the encoder parameters of the first sub-model according to the relative error between the restored data set and the network flow data training set until the relative error converges to the minimum value, and determining the encoder parameters obtained by current adjustment as the initialization parameters of the first sub-model.
Taking a network anomaly detection model of a client 1 as an example, the disclosed embodiment can acquire a network traffic data training set, input the network traffic data training set into a local sharing model 11, and encode the network traffic data training set through the local sharing model 11 to obtain feature vectors; and then decoding the feature vector to obtain a restored data set of the network flow data training set, and adjusting the encoder parameters of the local sharing model 11 according to the relative error between the restored data set and the network flow data training set until the relative error converges to the minimum value, and determining the encoder parameters obtained by current adjustment as the initialization parameters of the local sharing model 11.
The relative error between the restored data set and the network traffic data training set described above may be determined by the RMSE (Root Mean Squared Error) loss function:
wherein $x_i$ represents the data in the network traffic training set, represents the data in the restored data set, and m represents the number of data.
In an exemplary embodiment, encoding the training set of network traffic data through a first sub-model to obtain a feature vector includes: performing first coding processing on the network flow data training set based on the attention coder parameters of the first sub-model to obtain a first feature vector; performing second coding processing on the first feature vector based on the automatic encoder parameters of the first sub-model to obtain a second feature vector; the decoding processing is carried out on the feature vector to obtain a restored data set, which comprises the following steps: performing first decoding processing on the second feature vector through an automatic decoder to obtain a third feature vector; and performing second decoding processing on the third feature vector through the attention decoder to obtain a restored data set.
In embodiments of the present disclosure, the first sub-model may include an attention encoder (also referred to as a Transformer-Encoder) and an automatic encoder (AE-Encoder); during the training of the first sub-model, the feature vectors output by the first sub-model may be restored by an automatic decoder (AE-Decoder) and an attention decoder (also referred to as a Transformer-Decoder) to train the first sub-model; after the training of the first sub-model is completed (model convergence), in practical application, referring to fig. 3, the attention encoder and the automatic encoder in the first sub-model process the network traffic data, and the data output by the first sub-model is input into the second sub-model to output an abnormal class label of the network traffic data.
FIG. 4 is a schematic diagram illustrating a first sub-model training process, according to one example.
Referring to fig. 4, data $x_i$ in the network traffic training set may be input to the Transformer-Encoder 401 for the first encoding processing to obtain a first feature vector $t_i$; the first feature vector $t_i$ undergoes vector dimension reduction by the Encoder-hidden layer (Encoder-hidden) 402 to obtain a vector $e_i$; the auto encoder 403 performs the second encoding processing on the vector $e_i$ to obtain a second feature vector $a_i$ (which may correspond to the hidden vector (latent) 404 in fig. 4); the auto decoder 405 performs the first decoding processing on the second feature vector $a_i$ to obtain a third feature vector $d_i$; the third feature vector $d_i$ undergoes vector dimension raising by the Encoder-hidden layer (Encoder-hidden) 406 and the second decoding processing by the Transformer-Decoder 407 to obtain a restored data set.
In the embodiment of the disclosure, the network structure shown in fig. 4 is trained in an unsupervised manner, and after the model converges, the encoder part in fig. 4 (including the Transformer-Encoder and the AE-Encoder) is taken as the first sub-model.
In the disclosed embodiments, the network traffic training set may be preprocessed prior to processing it.
Specifically, the data preprocessing process may include the following. Where the intrusion detection dataset contains symbolic feature data, such as TCP (Transmission Control Protocol), UDP (User Datagram Protocol) and ICMP (Internet Control Message Protocol), which the model has difficulty processing directly, such data can be encoded with one-hot encoding. For category labels, normal traffic data in the dataset may be marked as 0 and abnormal traffic data as 1; the training data set with these class labels may be used in the training process of the second sub-model.
Specifically, the data preprocessing process may further include normalizing the numerical data in two or more data sets. The numerical data is normalized through the Z-score, so that data of different orders of magnitude are uniformly converted to the same order of magnitude, which addresses the problem of large differences in scale between different feature data.
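The preprocessing described above can be sketched as follows. This is an added example, not code from the patent; the field names (`protocol`, `duration`, `src_bytes`, `label`) and the records are constructed for illustration. It also covers two cases the text does not mention: a protocol value not seen during fitting, and a numeric column with zero variance.

```python
# Added example: one-hot encoding plus Z-score normalization for flow records.
# Field names and sample records are constructed, not taken from the patent.
import math

SYMBOLIC = ["protocol"]
NUMERIC = ["duration", "src_bytes"]

TRAIN = [  # constructed training records
    {"protocol": "tcp", "duration": 2.0, "src_bytes": 100, "label": "normal"},
    {"protocol": "udp", "duration": 4.0, "src_bytes": 300, "label": "normal"},
    {"protocol": "icmp", "duration": 6.0, "src_bytes": 500, "label": "attack"},
    {"protocol": "tcp", "duration": 8.0, "src_bytes": 700, "label": "attack"},
]


def fit(records):
    """Learn category lists and per-column mean/std from the training set only."""
    stats = {"cats": {}, "mean": {}, "std": {}}
    for col in SYMBOLIC:
        stats["cats"][col] = sorted({r[col] for r in records})
    for col in NUMERIC:
        vals = [float(r[col]) for r in records]
        mean = sum(vals) / len(vals)
        var = sum((v - mean) ** 2 for v in vals) / len(vals)  # population variance
        stats["mean"][col] = mean
        stats["std"][col] = math.sqrt(var)
    return stats


def transform(record, stats):
    """Return (feature_vector, label); label is 0 normal, 1 abnormal, None if absent."""
    vec = []
    for col in SYMBOLIC:
        # A value unseen at fit time becomes an all-zero block instead of raising,
        # so live traffic with a new protocol cannot crash the detector.
        vec.extend(1.0 if record[col] == c else 0.0 for c in stats["cats"][col])
    for col in NUMERIC:
        std = stats["std"][col]
        centred = float(record[col]) - stats["mean"][col]
        # A constant training column has std 0; emit 0.0 rather than divide by zero.
        vec.append(centred / std if std > 0 else 0.0)
    label = None
    if "label" in record:
        label = 0 if record["label"] == "normal" else 1
    return vec, label


if __name__ == "__main__":
    s = fit(TRAIN)
    for rec in TRAIN:
        print(transform(rec, s))
```

The statistics are fitted once on the training set and reused unchanged for real-time traffic, so the same record always maps to the same vector.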
In step S204, the updated parameters of the network anomaly detection model of the first client are determined according to the aggregate model parameters and the current parameters of the network anomaly detection model of the first client.
In the embodiment of the present disclosure, client 1 may determine the update parameters of the network anomaly detection model of client 1 according to the aggregate model parameters $ps_t$ sent by the server side and the current parameters of the network anomaly detection model of client 1; client 2 may determine the update parameters of the network anomaly detection model of client 2 according to the aggregate model parameters $ps_t$ and the current parameters of the network anomaly detection model of client 2. By analogy, client n may determine the update parameters of the network anomaly detection model of client n according to the aggregate model parameters $ps_t$ and the current parameters of the network anomaly detection model of client n.
In an exemplary embodiment, the current parameters of the network anomaly detection model may be current parameters of a first sub-model in the network anomaly detection model.
In an exemplary embodiment, the updated parameters of the first sub-model may be determined from the aggregated model parameters, the current parameters of the first sub-model, and the current parameters of the second sub-model; and the updated parameters of the second sub-model may be determined according to the aggregate model parameters and the current parameters of the second sub-model.
In an exemplary embodiment, the update parameters of the first sub-model may be determined by steps comprising: determining a current loss function of the first sub-model according to the aggregation model parameters and the current parameters of the second sub-model; determining a current descent gradient of the first sub-model according to the current loss function of the first sub-model, the current parameters of the first sub-model and the first learning rate; and determining the update parameters of the first sub-model according to the current descent gradient of the first sub-model.
With reference to fig. 3, assume that the number of clients is n, the participation rate is r, and the learning rate is α. The current loss function of the first sub-model is determined according to the aggregation model parameters $ps_t$ corresponding to time t and the current parameters of the second sub-model (the current parameters of the second sub-model of the i-th client at time t); the current descent gradient of the first sub-model (SGD in formula (2)) is determined according to the current loss function of the first sub-model, the current parameters of the first sub-model and a first learning rate α; and the updated parameters of the first sub-model are determined based on the current descent gradient of the first sub-model. For details, reference can be made to formula (2):
In an exemplary embodiment, the update parameters of the second sub-model may be determined by: determining a current loss function of the second sub-model according to the aggregate model parameters and the current parameters of the second sub-model; determining the current descent gradient of the second sub-model according to the current loss function of the second sub-model and the current parameters of the second sub-model; and determining the update parameters of the second sub-model according to the current descent gradient of the second sub-model.
In the embodiment of the disclosure, the current loss function of the second sub-model is determined according to the aggregation model parameters $ps_t$ corresponding to time t and the current parameters of the second sub-model; the current descent gradient of the second sub-model (SGD in formula (3)) is determined according to the current loss function of the second sub-model, the current parameters of the second sub-model and a second learning rate α (the second learning rate and the first learning rate may be the same or different); and the update parameters of the second sub-model are determined based on the current descent gradient of the second sub-model. For details, reference can be made to formula (3):
In the embodiment of the present disclosure, a local user of a client may use different loss functions according to different traffic data distributions, which is not limited in the present disclosure.
In step S206, the update parameters of the network anomaly detection model of the first client are sent to the server side, so that the server side updates the aggregation model parameters.
With reference to fig. 1 and fig. 3, in an embodiment of the disclosure, client 1 to client n may each send the update parameters of their respective network anomaly detection models to the server side. The server side can update its aggregation model parameters according to the update parameters of the network anomaly detection models of client 1 to client n, obtaining updated aggregation model parameters $ps_{t+1}$.
For example, the server side may update the aggregate model parameters according to the following formula:
In the embodiment of the disclosure, the server side may send the updated aggregate model parameters $ps_{t+1}$ to clients 1 to n respectively, so that clients 1 to n can update the current parameters of their respective network anomaly detection models according to the updated aggregation model parameters $ps_{t+1}$.
In an exemplary embodiment, in the case where the current parameter of the network anomaly detection model is the current parameter of the first sub-model in the network anomaly detection model, the client may send the updated parameter of the first sub-model to the server side.
In the embodiment of the disclosure, referring to fig. 1 and fig. 3, when a new client (e.g., client n+1) is added, the new client may send the current parameters of its network anomaly detection model to the server side; the server side may determine the update parameters of the network anomaly detection model according to the current parameters of the network anomaly detection models of clients 1 to n+1, and send the determined update parameters to each of clients 1 to n+1, and each of clients 1 to n+1 updates its own network anomaly detection model according to the update parameters. Therefore, when a new client (for example, client n+1) is added, the method provided by the embodiment of the disclosure can support it rapidly, and the expandability of the whole system and its robustness to heterogeneous data can be improved while handling massive data and guaranteeing data privacy.
According to the method for determining the network anomaly detection model, the server side can determine the aggregation model parameters according to the current parameters of the network anomaly detection models of the first client and the at least one second client, and send the aggregation model parameters to the first client; the first client can determine the update parameters of its network anomaly detection model according to the aggregation model parameters and the current parameters of its network anomaly detection model, and send those update parameters to the server side so that the server side updates the aggregation model parameters. Because the aggregation model parameters are determined from the current parameters of the network anomaly detection models of the first client and the at least one second client, the first client incorporates the data of other clients when it updates the parameters of its network anomaly detection model; this avoids the data-island problem while ensuring data privacy and data security, and can improve generalization to heterogeneous data. In addition, using the network anomaly detection model obtained by this method to detect network anomalies can improve detection accuracy and reduce the false alarm rate.
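The round described in steps S204 to S206 can be sketched as below. This is an added example, not the patent's own code: formulas (2) and (3) and the server-side formula are not reproduced on this page, so full-batch gradient steps on binary cross-entropy, a tanh feature layer, element-wise mean aggregation, the shape and finiteness check on uploads, and the two-feature samples are all assumptions.

```python
# Added example: shared first sub-model, local second sub-model, one server.
# Assumptions (not from the patent text): gradient steps on binary cross-entropy,
# tanh feature layer, mean aggregation, upload validation, constructed samples.
import math
import random


def sigmoid(z):
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    e = math.exp(z)
    return e / (1.0 + e)


class Client:
    def __init__(self, samples, hidden, seed):
        rng = random.Random(seed)
        dim = len(samples[0][0])
        self.samples = samples  # local traffic data never leaves the client
        self.shared = [[rng.uniform(-0.5, 0.5) for _ in range(dim)]
                       for _ in range(hidden)]          # first sub-model
        self.head = [rng.uniform(-0.5, 0.5) for _ in range(hidden)]  # second
        self.bias = 0.0

    def _forward(self, shared, x):
        h = [math.tanh(sum(w * v for w, v in zip(row, x))) for row in shared]
        p = sigmoid(sum(a * b for a, b in zip(self.head, h)) + self.bias)
        return h, p

    def loss(self, shared):
        total = 0.0
        for x, y in self.samples:
            _, p = self._forward(shared, x)
            p = min(max(p, 1e-12), 1.0 - 1e-12)
            total -= y * math.log(p) + (1 - y) * math.log(1.0 - p)
        return total / len(self.samples)

    def local_update(self, ps_t, lr_first, lr_second):
        """Evaluate the loss at (ps_t, current head), step both sub-models,
        and return only the first sub-model's parameters for upload."""
        n = len(self.samples)
        g_shared = [[0.0] * len(row) for row in ps_t]
        g_head = [0.0] * len(self.head)
        g_bias = 0.0
        for x, y in self.samples:
            h, p = self._forward(ps_t, x)
            err = (p - y) / n
            g_bias += err
            for j, hj in enumerate(h):
                g_head[j] += err * hj
                back = err * self.head[j] * (1.0 - hj * hj)
                for k, xk in enumerate(x):
                    g_shared[j][k] += back * xk
        self.shared = [[w - lr_first * g for w, g in zip(wr, gr)]
                       for wr, gr in zip(ps_t, g_shared)]
        self.head = [v - lr_second * g for v, g in zip(self.head, g_head)]
        self.bias -= lr_second * g_bias
        return self.shared


def aggregate(updates):
    """Server side: validate every upload, then take the element-wise mean."""
    rows, cols = len(updates[0]), len(updates[0][0])
    for u in updates:
        if len(u) != rows or any(len(r) != cols for r in u):
            raise ValueError("update shape mismatch")
        if not all(math.isfinite(w) for r in u for w in r):
            raise ValueError("non-finite parameter in update")
    return [[sum(u[j][k] for u in updates) / len(updates)
             for k in range(cols)] for j in range(rows)]


def make_samples(seed, normal_centre, abnormal_centre, n=20):
    """Constructed data: label 0 = normal, 1 = abnormal."""
    rng = random.Random(seed)
    out = []
    for i in range(n):
        label = i % 2
        cx, cy = abnormal_centre if label else normal_centre
        out.append(([cx + rng.gauss(0, 0.3), cy + rng.gauss(0, 0.3)], label))
    return out


def run(rounds=200, lr_first=0.1, lr_second=0.1):
    clients = [
        Client(make_samples(1, (-1.0, -1.0), (1.0, 1.0)), hidden=2, seed=11),
        Client(make_samples(2, (-1.0, 0.5), (1.0, -0.5)), hidden=2, seed=12),
    ]
    ps = aggregate([c.shared for c in clients])
    before = sum(c.loss(ps) for c in clients)
    for _ in range(rounds):
        ps = aggregate([c.local_update(ps, lr_first, lr_second) for c in clients])
    after = sum(c.loss(ps) for c in clients)
    return clients, ps, before, after


if __name__ == "__main__":
    print("summed local loss before/after: %.3f %.3f" % run()[2:])
```

A newly added client only has to appear in the list passed to `aggregate`; its second sub-model parameters stay local like those of every other client.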
Fig. 5 is a flowchart illustrating a method of network anomaly detection, according to an example embodiment. The method provided by the embodiment of the present disclosure may be applied to the first client, where the first client may be, for example, any one of the clients in the embodiment of fig. 1, but the present disclosure is not limited thereto.
As shown in fig. 5, the network anomaly detection method provided by the embodiment of the present disclosure may include the following steps.
In step S502, real-time network traffic data is acquired.
In the embodiment of the disclosure, taking the client 1 as an example, after the network anomaly detection model of the client 1 is trained, in practical application, the client 1 may acquire real-time network traffic data and input the real-time network traffic data into the trained network anomaly detection model.
In step S504, abnormal traffic data in the real-time network traffic data is detected based on the network abnormality detection model.
The network anomaly detection model may be obtained by using the determination method of the network anomaly detection model.
In this disclosure, referring to fig. 3, taking the client 1 as an example, the network anomaly detection model of the client 1 may include a first sub-model 11 and a second sub-model 12, and real-time network traffic data may be input into the trained first sub-model 11 to perform feature extraction, and then input into the second sub-model 12, and an anomaly type tag corresponding to the real-time network traffic data is output, that is, whether the real-time network traffic data is normal or abnormal, so as to detect the abnormal traffic data from the real-time network traffic data, and determine whether a network intrusion behavior exists in the system running in real time.
According to the network anomaly detection method provided by the embodiment of the disclosure, the network anomaly detection is performed by using the network anomaly detection model obtained by the method, so that the accuracy of network anomaly detection can be improved, and the false alarm rate can be reduced.
Fig. 6 is an overall frame diagram illustrating a network anomaly detection method according to an exemplary embodiment.
Referring to fig. 6, in the embodiment of the present disclosure, data in different places, for example data in local A, local B, and local C (which may also be referred to as client A, client B, and client C), may be acquired respectively, and each is preprocessed by a data preprocessing module 601. A local sharing model is trained by the model training module 602; once the local sharing model converges, it is uploaded to the cloud parameter aggregation module 603 of the cloud (also called the server side) for parameter aggregation. After parameter aggregation is completed, the aggregation model parameters are issued to local A, local B, and local C respectively. Each of them uses its own local data to add a partially personalized shallow classifier on top of the local sharing model and retrains the model (the model can be selected according to the different requirements of users) to obtain an A personalized model, a B personalized model, and a C personalized model; at the same time, gradients and parameters are exchanged with the aggregation model on the cloud side, so that the models improve one another. After the model is trained, whether network intrusion behavior exists in the system running in real time can be judged according to the obtained network anomaly detection model.
It should also be understood that the above is only intended to assist those skilled in the art in better understanding the embodiments of the present disclosure, and is not intended to limit the scope of the embodiments of the present disclosure. It will be apparent to those skilled in the art from the foregoing examples that various equivalent modifications or variations can be made; for example, some steps of the methods described above may not be necessary, some steps may be newly added, or any two or more of the above may be combined. Such modifications, variations, or combinations thereof are also within the scope of the embodiments of the present disclosure.
It should also be understood that the foregoing description of the embodiments of the present disclosure focuses on highlighting differences between the various embodiments and that the same or similar elements not mentioned may be referred to each other and are not repeated here for brevity.
It should also be understood that the sequence numbers of the above processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic thereof, and should not constitute any limitation on the implementation process of the embodiments of the present disclosure.
It is also to be understood that in the various embodiments of the disclosure, terms and/or descriptions of the various embodiments are consistent and may be referenced to one another in the absence of a particular explanation or logic conflict, and that the features of the various embodiments may be combined to form new embodiments in accordance with their inherent logic relationships.
Examples of the method for determining the network anomaly detection model provided by the present disclosure are described in detail above. It will be appreciated that the computer device, in order to carry out the functions described above, comprises corresponding hardware structures and/or software modules that perform the respective functions. Those of skill in the art will readily appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is implemented as hardware or computer software driven hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present disclosure.
The following are device embodiments of the present disclosure that may be used to perform method embodiments of the present disclosure. For details not disclosed in the embodiments of the apparatus of the present disclosure, please refer to the embodiments of the method of the present disclosure.
Fig. 7 is a block diagram of a determination apparatus of a network anomaly detection model according to an exemplary embodiment.
As shown in fig. 7, the determining apparatus 700 of the network anomaly detection model may include: a receiving module 702, a determining module 704 and a transmitting module 706.
The receiving module 702 is configured to receive an aggregation model parameter sent by a server; the aggregation model parameters are determined by the server according to the current parameters of the network anomaly detection models of the first client and the at least one second client; the determining module 704 is configured to determine, according to the aggregate model parameter and a current parameter of the network anomaly detection model of the first client, an update parameter of the network anomaly detection model of the first client; the sending module 706 is configured to send, to the server, an update parameter of the network anomaly detection model of the first client, so that the server updates the aggregate model parameter.
In an exemplary embodiment, the determining module 704 is further configured to determine initialization parameters of a first sub-model and a second sub-model in the network anomaly detection model of the first client; the input layer of the first sub-model is used for inputting network traffic data of the first client, the output layer of the first sub-model is connected with the second sub-model, and the second sub-model is used for outputting abnormal class labels of the network traffic data.
In an exemplary embodiment, the determining module 704 is further configured to determine updated parameters of the first sub-model according to the aggregate model parameters, current parameters of the first sub-model, and current parameters of the second sub-model; determining updating parameters of the second sub-model according to the aggregation model parameters and the current parameters of the second sub-model; the sending, to the server, the updated parameters of the network anomaly detection model of the first client includes: and sending the updated parameters of the first sub-model to the server side.
In an exemplary embodiment, the determining module 704 is further configured to determine a current loss function of the first sub-model according to the aggregate model parameter and a current parameter of the second sub-model; determining a current gradient of descent of the first sub-model according to the current loss function of the first sub-model, the current parameter of the first sub-model and a first learning rate; determining updating parameters of the first sub-model according to the current descending gradient of the first sub-model; wherein the determining module 704 is further configured to determine a current loss function of the second sub-model according to the aggregate model parameter and the current parameter of the second sub-model; determining a current gradient of descent of the second sub-model according to the current loss function of the second sub-model, the current parameter of the second sub-model and a second learning rate; and determining updating parameters of the second sub-model according to the current descending gradient of the second sub-model.
In an exemplary embodiment, the determining module 704 is further configured to obtain a training set of network traffic data; encoding the network flow data training set through the first sub-model to obtain a feature vector; decoding the feature vector to obtain a restored data set; and adjusting the encoder parameters of the first sub-model according to the relative error between the restored data set and the network flow data training set until the relative error converges to the minimum value, and determining the encoder parameters obtained by current adjustment as the initialization parameters of the first sub-model.
In an exemplary embodiment, the determining module 704 is further configured to perform a first encoding process on the network traffic data training set based on the attention encoder parameter of the first sub-model, to obtain a first feature vector; performing second coding processing on the first feature vector based on the automatic encoder parameters of the first sub-model to obtain a second feature vector; the determining module 704 is further configured to perform a first decoding process on the second feature vector through an automatic decoder, so as to obtain a third feature vector; and performing second decoding processing on the third feature vector through an attention decoder to obtain the restored data set.
The embodiment of the disclosure also provides a network anomaly detection device, which is applied to a first client and comprises: the data acquisition module is used for acquiring real-time network flow data; and the data detection module is used for detecting abnormal flow data in the real-time network flow data based on the network abnormal detection model determined by any one of the methods.
It should be noted that the block diagrams shown in the above figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in software or in one or more hardware modules or integrated circuits or in different networks and/or processor terminals and/or microcontroller terminals.
Fig. 8 is a schematic diagram of an electronic device according to an exemplary embodiment. It should be noted that the electronic device shown in fig. 8 is only an example, and should not impose any limitation on the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 8, the electronic device 800 includes a Central Processing Unit (CPU) 801 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 802 or a program loaded from a storage section 808 into a Random Access Memory (RAM) 803. In the RAM 803, various programs and data required for the operation of the electronic device 800 are also stored. The CPU 801, ROM 802, and RAM 803 are connected to each other by a bus 804. An input/output (I/O) interface 805 is also connected to the bus 804.
The following components are connected to the I/O interface 805: an input portion 806 including a keyboard, mouse, etc.; an output portion 807 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and a speaker; a storage section 808 including a hard disk or the like; and a communication section 809 including a network interface card such as a LAN card, a modem, or the like. The communication section 809 performs communication processing via a network such as the internet. The drive 810 is also connected to the I/O interface 805 as needed. A removable medium 811 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 810 as needed so that a computer program read out therefrom is mounted into the storage section 808 as needed.
In particular, according to embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flowcharts. In such an embodiment, the computer program may be downloaded and installed from a network via the communication section 809, and/or installed from the removable media 811. The above-described functions defined in the system of the present disclosure are performed when the computer program is executed by a Central Processing Unit (CPU) 801.
It should be noted that the computer readable medium shown in the present disclosure may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, terminal device, or apparatus, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, terminal device, or apparatus. In the present disclosure, however, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, terminal device, or apparatus. 
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units involved in the embodiments of the present disclosure may be implemented by means of software, or may be implemented by means of hardware. The described units may also be provided in a processor, for example, described as: a processor includes a transmitting unit, an acquiring unit, a determining unit, and a first processing unit. The names of these units do not constitute a limitation on the unit itself in some cases, and for example, the transmitting unit may also be described as "a unit that transmits a picture acquisition request to a connected server".
As another aspect, the present disclosure also provides a computer-readable storage medium that may be included in the electronic device described in the above embodiments; or may exist alone without being incorporated into the electronic device. The computer-readable storage medium carries one or more programs which, when executed by the electronic device, cause the electronic device to implement the methods described in the embodiments below. For example, the electronic device may implement the steps shown in fig. 2.
According to one aspect of the present disclosure, there is provided a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the computer device performs the methods provided in the various alternative implementations of the above-described embodiments.
It should be understood that any number of elements in the drawings of the present disclosure are for illustration and not limitation, and that any naming is used for distinction only and not for limitation.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This disclosure is intended to cover any variations, uses, or adaptations of the disclosure following the general principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It is to be understood that the present disclosure is not limited to the precise arrangements and instrumentalities shown in the drawings, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.

Claims (8)

1. A method for determining a network anomaly detection model, applied to a first client, the method comprising:
determining initialization parameters of a first sub-model and a second sub-model in a network anomaly detection model of the first client; the input layer of the first sub-model is used for inputting network traffic data of the first client, the output layer of the first sub-model is connected with the second sub-model, and the second sub-model is used for outputting abnormal class labels of the network traffic data;
receiving an aggregation model parameter sent by a server side; the aggregation model parameters are determined by the server according to the current parameters of the network anomaly detection models of the first client and the at least one second client;
determining updated parameters of the first sub-model according to the aggregate model parameters, the current parameters of the first sub-model and the current parameters of the second sub-model;
determining updated parameters of the second sub-model according to the aggregate model parameters and the current parameters of the second sub-model;
sending the update parameters of the first sub-model to the server side so that the server side updates the aggregation model parameters;
wherein determining updated parameters of the first sub-model based on the aggregate model parameters, the current parameters of the first sub-model, and the current parameters of the second sub-model comprises:
determining a current loss function of the first sub-model according to the aggregation model parameters and the current parameters of the second sub-model;
determining a current gradient of descent of the first sub-model according to the current loss function of the first sub-model, the current parameter of the first sub-model and a first learning rate; and
determining the updating parameters of the first sub-model according to the current descending gradient of the first sub-model.
2. The method of claim 1, wherein determining updated parameters for the second sub-model based on the aggregate model parameters and current parameters for the second sub-model comprises:
determining a current loss function of the second sub-model according to the aggregation model parameters and the current parameters of the second sub-model;
determining a current gradient of descent of the second sub-model according to the current loss function of the second sub-model, the current parameter of the second sub-model and a second learning rate;
and determining updating parameters of the second sub-model according to the current descending gradient of the second sub-model.
3. The method of claim 1, wherein determining initialization parameters for a first sub-model in a network anomaly detection model for the first client comprises:
acquiring a network traffic data training set;
encoding the network flow data training set through the first sub-model to obtain a feature vector;
decoding the feature vector to obtain a restored data set;
and adjusting the encoder parameters of the first sub-model according to the relative error between the restored data set and the network flow data training set until the relative error converges to the minimum value, and determining the encoder parameters obtained by current adjustment as the initialization parameters of the first sub-model.
4. A method according to claim 3, wherein encoding the training set of network traffic data by the first sub-model to obtain feature vectors comprises:
performing first coding processing on the network flow data training set based on the attention coder parameters of the first sub-model to obtain a first feature vector;
performing second coding processing on the first feature vector based on the automatic encoder parameters of the first sub-model to obtain a second feature vector;
and wherein decoding the feature vector to obtain a restored data set comprises:
performing first decoding processing on the second feature vector through an automatic decoder to obtain a third feature vector;
and performing second decoding processing on the third feature vector through an attention decoder to obtain the restored data set.
5. A method for detecting network anomalies, applied to a first client, comprising:
acquiring real-time network traffic data;
detecting abnormal traffic data in the real-time network traffic data based on a network anomaly detection model determined according to the method of any one of claims 1-4.
6. A determination apparatus for a network anomaly detection model, comprising:
the determining module is used for determining initialization parameters of a first sub-model and a second sub-model in the network anomaly detection model of the first client; the input layer of the first sub-model is used for inputting network traffic data of the first client, the output layer of the first sub-model is connected with the second sub-model, and the second sub-model is used for outputting abnormal class labels of the network traffic data;
the receiving module is used for receiving the aggregation model parameters sent by the server side; the aggregation model parameters are determined by the server according to the current parameters of the network anomaly detection model of each of the first client and the at least one second client;
the determining module is further configured to determine an update parameter of the first sub-model according to the aggregate model parameter, the current parameter of the first sub-model, and the current parameter of the second sub-model; determining updated parameters of the second sub-model according to the aggregate model parameters and the current parameters of the second sub-model;
the sending module is used for sending the update parameters of the first sub-model to the server side so as to enable the server side to update the aggregation model parameters;
wherein the determining module is configured to: determine a current loss function of the first sub-model according to the aggregation model parameters and the current parameters of the second sub-model; determine a current gradient of descent of the first sub-model according to the current loss function of the first sub-model, the current parameter of the first sub-model and a first learning rate; and determine the updating parameters of the first sub-model according to the current descending gradient of the first sub-model.
7. An electronic device, comprising:
at least one processor;
storage means for storing at least one program which, when executed by the at least one processor, causes the at least one processor to implement the method of any one of claims 1 to 5.
8. A computer readable storage medium, on which a computer program is stored, which computer program, when being executed by a processor, implements the method according to any one of claims 1 to 5.
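The client-side round recited in claims 1 and 2, as an added example that is not part of the patent: both sub-models are updated with their own learning rates, and only the first sub-model's parameters are uploaded while the classifier head stays on the client. The linear encoder, logistic head, cross-entropy loss, element-wise mean aggregation, the choice to evaluate the gradient at the aggregate encoder and apply it to the client's current encoder, and all function names are assumptions; the claims do not fix any of them.

```python
import math

def sigmoid(v):
    return 1.0 / (1.0 + math.exp(-v))

def loss_and_grads(theta, head, X, y):
    """Cross-entropy of head(encoder(x)) and its gradients w.r.t. both sub-models."""
    a, b = head
    n = len(X)
    loss, g_theta, g_a, g_b = 0.0, [0.0] * len(theta), 0.0, 0.0
    for x, label in zip(X, y):
        z = sum(t * xi for t, xi in zip(theta, x))   # first sub-model (assumed linear encoder)
        p = sigmoid(a * z + b)                       # second sub-model (assumed logistic head)
        loss -= (label * math.log(p) + (1 - label) * math.log(1 - p)) / n
        err = (p - label) / n
        g_theta = [g + err * a * xi for g, xi in zip(g_theta, x)]
        g_a += err * z
        g_b += err
    return loss, g_theta, (g_a, g_b)

def client_round(theta_agg, theta_cur, head_cur, X, y, lr1=0.5, lr2=0.1):
    """One client round; returns (upload, new_theta, new_head)."""
    # Assumption: both losses are evaluated at the aggregate encoder with the local head.
    _, g_theta, g_head = loss_and_grads(theta_agg, head_cur, X, y)
    new_theta = [t - lr1 * g for t, g in zip(theta_cur, g_theta)]    # first learning rate
    new_head = tuple(h - lr2 * g for h, g in zip(head_cur, g_head))  # second learning rate
    upload = list(new_theta)   # only first sub-model parameters leave the client
    return upload, new_theta, new_head

def server_aggregate(uploads):
    """Assumed aggregation rule: element-wise mean of the clients' encoder parameters."""
    return [sum(col) / len(uploads) for col in zip(*uploads)]

# Constructed sample: [normalised packet rate, normalised mean packet size], 1 = anomalous
X = [(0.1, 0.2), (0.2, 0.1), (0.9, 0.8), (0.8, 0.9)]
Y = [0, 0, 1, 1]

if __name__ == "__main__":
    theta, head = [0.5, 0.5], (1.0, 0.0)
    upload, theta, head = client_round(theta, theta, head, X, Y)
    print(upload, head, server_aggregate([upload, [0.5, 0.5]]))
```

Because the head parameters never appear in the upload, the server only ever aggregates the shared feature extractor, and each client keeps a classifier fitted to its own traffic.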
CN202210462739.9A 2022-04-28 2022-04-28 Determination method, device, equipment and storage medium of network anomaly detection model Active CN114785605B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210462739.9A CN114785605B (en) 2022-04-28 2022-04-28 Determination method, device, equipment and storage medium of network anomaly detection model

Publications (2)

Publication Number Publication Date
CN114785605A CN114785605A (en) 2022-07-22
CN114785605B CN114785605B (en) 2023-12-12

Family

ID=82435943

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210462739.9A Active CN114785605B (en) 2022-04-28 2022-04-28 Determination method, device, equipment and storage medium of network anomaly detection model

Country Status (1)

Country Link
CN (1) CN114785605B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112906903A (en) * 2021-01-11 2021-06-04 北京源堡科技有限公司 Network security risk prediction method and device, storage medium and computer equipment
WO2021184836A1 (en) * 2020-03-20 2021-09-23 深圳前海微众银行股份有限公司 Method and apparatus for training recognition model, device, and readable storage medium
CN113469234A (en) * 2021-06-24 2021-10-01 成都卓拙科技有限公司 Network flow abnormity detection method based on model-free federal meta-learning
CN113962402A (en) * 2021-10-29 2022-01-21 中国工商银行股份有限公司 Federal learning defense method and device, computer equipment and computer storage medium
CN114358912A (en) * 2021-11-17 2022-04-15 北京交通大学 Risk weight fusion anomaly detection method based on federal learning

Also Published As

Publication number Publication date
CN114785605A (en) 2022-07-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant