CN115242544B - Network security situation awareness method and system based on improved Res2net - Google Patents

Publication number
CN115242544B
Authority
CN
China
Prior art keywords
data
layer
res2net
global
feature map
Prior art date
Legal status
Active
Application number
CN202210935115.4A
Other languages
Chinese (zh)
Other versions
CN115242544A (en
Inventor
赵冬梅
宿梦月
吴亚星
孙明伟
Current Assignee
Hebei Normal University
Original Assignee
Hebei Normal University
Priority date
Filing date
Publication date
Application filed by Hebei Normal University
Priority to CN202210935115.4A
Publication of CN115242544A
Application granted
Publication of CN115242544B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00: Computing arrangements based on biological models
    • G06N3/02: Neural networks
    • G06N3/08: Learning methods
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14: Network analysis or design
    • H04L41/145: Network analysis or design involving simulating, designing, planning or modelling of a network
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00: Arrangements for monitoring or testing data switching networks
    • H04L43/04: Processing captured monitoring data, e.g. for logfile generation
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00: Arrangements for monitoring or testing data switching networks
    • H04L43/08: Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876: Network utilisation, e.g. volume of load or congestion level
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention relates to a network security situation awareness method and system based on an improved Res2net. The method comprises: acquiring network traffic data and preprocessing it; introducing a first global-local feature extraction module between the first layer and the second layer of a Res2net model, and a second global-local feature extraction module between the second layer and the third layer of the Res2net model, to obtain an improved Res2net model; and inputting the preprocessed network traffic data into the improved Res2net model for feature classification, and analyzing the network security situation according to the classification results. The improved Res2net model extracts deep spatio-temporal features from the network traffic data, which can improve the accuracy of network security situation awareness.

Description

Network security situation awareness method and system based on improved Res2net

Technical field

The invention relates to the technical field of network security situation awareness, and in particular to a network security situation awareness method and system based on an improved Res2net.

Background

With the rapid development of 5G technology and the Internet, and the continuing turbulence of the international situation, network security threats emerge one after another. Network data is large in volume, varied in format and high in feature dimension, and its features are related in complex nonlinear ways, all of which places higher demands on network security situation awareness technology. In early research, most scholars used traditional network security situation awareness methods, analyzing the network situation with mathematical models, probability statistics and similar techniques. Faced with high-volume, high-dimensional data, however, these traditional methods run slowly and have poor classification robustness. The present invention therefore proposes a network security situation awareness method and system based on an improved Res2net.

Summary of the invention

The purpose of the invention is to provide a network security situation awareness method and system based on an improved Res2net. The improved Res2net model can extract deep spatio-temporal features from network traffic data and can improve the accuracy of network security situation awareness.

To achieve the above purpose, the invention provides the following scheme:

A network security situation awareness method based on an improved Res2net, comprising:

acquiring network traffic data and preprocessing the network traffic data;

introducing a first global-local feature extraction module between the first layer and the second layer of a Res2net model, and introducing a second global-local feature extraction module between the second layer and the third layer of the Res2net model, to obtain an improved Res2net model; the first global-local feature extraction module and the second global-local feature extraction module are both used to extract deep spatio-temporal features from the network traffic data;

training the improved Res2net model with the preprocessed network traffic data to obtain a trained model, and using the trained model to perform network security situation awareness on the network traffic data under test.

A network security situation awareness system based on an improved Res2net, comprising:

a data processing module, configured to acquire network traffic data and preprocess the network traffic data;

a model construction module, configured to introduce a first global-local feature extraction module between the first layer and the second layer of a Res2net model, and to introduce a second global-local feature extraction module between the second layer and the third layer of the Res2net model, to obtain an improved Res2net model; the first global-local feature extraction module and the second global-local feature extraction module are both used to extract deep spatio-temporal features from the network traffic data;

a network security situation awareness module, configured to train the improved Res2net model with the preprocessed network traffic data to obtain a trained model, and to use the trained model to perform network security situation awareness on the network traffic data under test.

According to the specific embodiments provided by the invention, the invention discloses the following technical effects:

The invention relates to a network security situation awareness method and system based on an improved Res2net, comprising: acquiring network traffic data and preprocessing the network traffic data; introducing a first global-local feature extraction module between the first layer and the second layer of a Res2net model, and introducing a second global-local feature extraction module between the second layer and the third layer of the Res2net model, to obtain an improved Res2net model; and inputting the preprocessed network traffic data into the improved Res2net model to obtain the network security situation awareness result. Extracting deep spatio-temporal features from the network traffic data with the improved Res2net model can improve the accuracy of network security situation awareness.

Description of drawings

In order to explain the technical solutions in the embodiments of the invention or in the prior art more clearly, the drawings needed in the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.

Fig. 1 is a flowchart of the network security situation awareness method based on improved Res2net provided by Embodiment 1 of the invention;

Fig. 2 is a structural diagram of the improved Res2net model provided by Embodiment 1 of the invention;

Fig. 3 is a structural diagram of the global-local feature extraction module provided by Embodiment 1 of the invention;

Fig. 4 is a structural diagram of the residual module provided by Embodiment 1 of the invention;

Fig. 5 is a training flowchart of the improved Res2net model provided by Embodiment 1 of the invention;

Fig. 6 is a block diagram of the network security situation awareness system based on improved Res2net provided by Embodiment 2 of the invention.

Detailed description

The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the invention without creative effort fall within the protection scope of the invention.

The purpose of the invention is to provide a network security situation awareness method and system based on an improved Res2net. Working from the temporal and spatial perspectives, an improved Res2net model is constructed to mine feature correlation information in the time and space dimensions and to extract classification features that are higher-level, more expressive and representative of their categories, thereby improving the accuracy and robustness of network security situation awareness.

In order to make the above purposes, features and advantages of the invention easier to understand, the invention is described in further detail below with reference to the drawings and specific embodiments.

Embodiment 1

As shown in Fig. 1, this embodiment provides a network security situation awareness method based on an improved Res2net, comprising:

S1: Acquire network traffic data and preprocess the network traffic data. In this embodiment the UNSW-NB15 dataset is processed; the processing operations include deleting and filling blank values, data normalization, one-hot encoding of character-type features, and data slicing.

Specifically, step S1 comprises:

S11: Clean the network traffic data and remove the data rows in which the proportion of blank values is higher than a preset value; for example, the three columns ct_flw_http_mthd, is_ftp_login and ct_ftp_cmd contain many blank values, which affects the classification result. Meaningless columns in the dataset such as srcip, sport, dstip and dsport are deleted.

S12: Standardize the numerical data in the cleaned data;

S13: Perform one-hot encoding on the character-type data in the standardized data;

S14: Slice the one-hot encoded data to obtain multiple data slices; each data slice includes N feature variables.

Step S14 specifically comprises:

Setting the sliding-window hyperparameter T; T may be set to 4 or to any other value.

Moving the sliding window by a preset step (which may be set to 1 or any other value) to split the one-hot encoded data into multiple data slices (each of size T×N); for example:

Figure BDA0003783184290000041

where X denotes the preprocessed network traffic data; X_t denotes the t-th data slice; t = 1, 2, ..., T; n = 1, 2, ..., N.

Taking T = 4, a step of 1 and N = 199 feature variables as an example, data slices of size 4×199 are obtained.

Adjusting the dimensions of each data slice to obtain an adjusted data slice; specifically, each slice is converted to a tensor of size (1×T×N). The data format of the adjusted data slice suits the improved Res2net model, that is, the adjusted data slice is the data tensor required by the improved Res2net model (deep learning framework).
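Steps S11 to S14 as an added example in plain Python; this is not code from the patent. The sample rows are constructed, the columns proto, dur and sbytes are chosen for illustration, and z-score standardization, mean imputation of remaining numeric blanks and the 0.5 blank-ratio threshold are assumptions the patent leaves open.

```python
import math

DROP_COLS = {"srcip", "sport", "dstip", "dsport"}  # columns S11 deletes
BLANK = ("", None)

def clean(rows, max_blank_ratio=0.5):
    """S11: drop the identifier columns, then rows whose blank ratio exceeds the preset value."""
    kept = []
    for row in rows:
        row = {k: v for k, v in row.items() if k not in DROP_COLS}
        blank_ratio = sum(v in BLANK for v in row.values()) / len(row)
        if blank_ratio <= max_blank_ratio:
            kept.append(row)
    return kept

def fit_encoder(rows):
    """Learn per-column mean/std (S12) and category vocabularies (S13)."""
    spec = []
    for col in rows[0]:
        values = [r[col] for r in rows if r[col] not in BLANK]
        if not values:
            continue  # column is blank everywhere: nothing to encode
        if all(isinstance(v, (int, float)) for v in values):
            mean = sum(values) / len(values)
            std = math.sqrt(sum((v - mean) ** 2 for v in values) / len(values))
            spec.append((col, "num", (mean, std or 1.0)))
        else:
            spec.append((col, "cat", sorted(set(map(str, values)))))
    return spec

def transform(row, spec):
    """Turn one cleaned row into a flat vector of N feature variables."""
    vec = []
    for col, kind, param in spec:
        v = row[col]
        if kind == "num":
            mean, std = param
            # A blank becomes 0.0, i.e. the column mean after z-scoring (assumption).
            vec.append(0.0 if v in BLANK else (v - mean) / std)
        else:
            # One-hot; a blank or unseen category encodes as all zeros.
            vec.extend(1.0 if str(v) == cat else 0.0 for cat in param)
    return vec

def slice_windows(matrix, T=4, stride=1):
    """S14: slide a T-row window over the records; each slice is a 1 x T x N tensor."""
    return [[[list(r) for r in matrix[s:s + T]]]
            for s in range(0, len(matrix) - T + 1, stride)]

def preprocess(rows, T=4, stride=1, max_blank_ratio=0.5):
    rows = clean(rows, max_blank_ratio)
    spec = fit_encoder(rows)
    return slice_windows([transform(r, spec) for r in rows], T, stride)

# Constructed sample records in capture order (values are made up).
_COLS = ("srcip", "sport", "dstip", "dsport", "proto", "dur", "sbytes", "ct_ftp_cmd")
SAMPLE = [dict(zip(_COLS, r)) for r in [
    ("10.0.0.1", 1390, "10.0.0.9", 53, "udp", 0.001, 132, 0),
    ("10.0.0.2", 4455, "10.0.0.9", 80, "tcp", 0.450, 1024, ""),
    ("10.0.0.3", 2211, "10.0.0.9", 21, "tcp", 1.200, 640, 1),
    ("10.0.0.4", 3300, "10.0.0.9", 53, "udp", "", "", ""),  # 3 of 4 kept fields blank
    ("10.0.0.5", 5123, "10.0.0.9", 80, "tcp", 0.300, 2048, 0),
    ("10.0.0.6", 6001, "10.0.0.9", 53, "udp", 0.002, 146, 0),
    ("10.0.0.7", 7002, "10.0.0.9", 21, "tcp", 2.000, 512, 1),
]]

if __name__ == "__main__":
    slices = preprocess(SAMPLE)
    print(len(slices), "slices of shape",
          (len(slices[0]), len(slices[0][0]), len(slices[0][0][0])))
```

When a train/test split is used, call `fit_encoder` on the training rows only and reuse the resulting spec for the test traffic, so that test statistics do not leak into the features.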

S2: Introduce a first global-local feature extraction module GLM1 between the first layer Layer1 and the second layer Layer2 of the Res2net model, and introduce a second global-local feature extraction module GLM2 between the second layer Layer2 and the third layer Layer3 of the Res2net model, to obtain the improved Res2net model. As shown in Fig. 2, the network security situation awareness model is built on the Res2Net model as the base model; the key point is that two global-local feature extraction modules are introduced into the traditional Res2Net structure. Each layer of the Res2net model contains a fixed number of residual modules, whose structure is shown in Fig. 3. The Res2net model contains four layers in total; the proposed global-local feature extraction modules are connected in series, one between the first and second layers and one between the second and third layers.

The first global-local feature extraction module GLM1 and the second global-local feature extraction module GLM2 are both used to extract deep spatio-temporal features from the network traffic data. Specifically, as shown in Fig. 4, the first global-local feature extraction module GLM1 includes a global branch unit, a local branch unit, a feature merging operation layer and a first convolutional layer Conv1; the second global-local feature extraction module GLM2 has the same structure as the first global-local feature extraction module GLM1;

The global branch unit includes a second convolutional layer Conv2, a vertical pooling layer, a horizontal pooling layer and a Hadamard product operation layer;

The input of the second convolutional layer Conv2 is connected to the output of the first layer Layer1 or of the second layer Layer2, and the output of the second convolutional layer Conv2 is connected to the input of the vertical pooling layer and the input of the horizontal pooling layer; the output of the vertical pooling layer and the output of the horizontal pooling layer are connected to the Hadamard product operation layer;

The local branch unit includes a third convolutional layer Conv3 and a fourth convolutional layer Conv4 connected in series;

The input of the third convolutional layer Conv3 is connected to the output of the first layer Layer1 or of the second layer Layer2; the output of the fourth convolutional layer Conv4 and the output of the Hadamard product operation layer are both connected to the feature merging operation layer; the output of the feature merging operation layer is connected to the input of the second layer Layer2 or the input of the third layer Layer3.

When building the improved Res2net model, a convolutional layer + normalization layer + activation function layer is also placed before the model. The convolution kernel size is 1×1 and the number of output channels is 16; this expands the input feature map to 16 channels so that it better matches the Res2net network model.

S3: Train the improved Res2net model with the preprocessed network traffic data to obtain a trained model, and use the trained model to perform network security situation awareness on the network traffic data under test.

In step S3, using the trained model to perform network security situation awareness on the network traffic data under test specifically comprises:

(1) Input the network traffic data under test into the first layer Layer1 of the trained model for processing, to obtain a first feature map;

(2) Input the first feature map into the first global-local feature extraction module GLM1 for feature extraction, to obtain a second feature map.

As shown in Fig. 4, inputting the first feature map into the first global-local feature extraction module GLM1 for feature extraction to obtain the second feature map specifically comprises:

Inputting the first feature map into the second convolutional layer Conv2 for dimensionality reduction;

Passing the feature map after this first dimensionality reduction through the vertical pooling layer and the horizontal pooling layer for vertical strip pooling (global extraction of the feature-variable information contained in each column of the feature map) and horizontal strip pooling (global extraction of the temporal feature information contained in each row of the feature map), to obtain a first branch feature map and a second branch feature map;

Performing a Hadamard product operation on the first branch feature map and the second branch feature map in the Hadamard product operation layer, to obtain the feature map output by the global branch;

Passing the first feature map through the third convolutional layer Conv3 for dimensionality reduction, and passing the feature map after this second dimensionality reduction through the fourth convolutional layer Conv4 for local feature extraction, to obtain the feature map output by the local branch;

Merging the feature map output by the global branch and the feature map output by the local branch in the feature merging operation layer, and then performing dimensionality reduction through the first convolutional layer Conv1, to obtain the second feature map.

(3) Input the second feature map into the second layer Layer2 for processing and then into the second global-local feature extraction module GLM2 for feature extraction, to obtain a third feature map;

(4) Pass the third feature map through the third layer Layer3 and the fourth layer Layer4 of the Res2net model in turn, then input it into the fully connected layer (FCLayer) and the Softmax layer in turn for feature classification, and analyze the network security situation according to the classification results.
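The data flow through one global-local module, as described for GLM1 in step (2), as an added plain-Python example that is not the patent's code. Average pooling, broadcasting the two pooled strips back to H×W before the Hadamard product, a depthwise 3×3 kernel for Conv4, channel concatenation as the merge, and all weights and inputs are assumptions; the patent does not specify them.

```python
def conv1x1(x, weights):
    """1x1 convolution on a C x H x W map; weights[o][i] mixes input channel i into output o."""
    H, W = len(x[0]), len(x[0][0])
    return [[[sum(w * x[i][r][c] for i, w in enumerate(w_out)) for c in range(W)]
             for r in range(H)] for w_out in weights]

def conv3x3_same(x, kernel):
    """Depthwise 3x3 convolution with zero padding, so H x W is preserved (assumption)."""
    H, W = len(x[0]), len(x[0][0])

    def at(ch, r, c):
        return ch[r][c] if 0 <= r < H and 0 <= c < W else 0.0

    return [[[sum(kernel[i][j] * at(ch, r + i - 1, c + j - 1)
                  for i in range(3) for j in range(3))
              for c in range(W)] for r in range(H)] for ch in x]

def strip_pool_vertical(x):
    """Average every column over the rows: C x H x W -> C x 1 x W."""
    return [[[sum(col) / len(col) for col in zip(*ch)]] for ch in x]

def strip_pool_horizontal(x):
    """Average every row over the columns: C x H x W -> C x H x 1."""
    return [[[sum(row) / len(row)] for row in ch] for ch in x]

def hadamard_broadcast(v, h):
    """Expand C x 1 x W and C x H x 1 to C x H x W and multiply element-wise."""
    return [[[h_row[0] * v_val for v_val in v_ch[0]] for h_row in h_ch]
            for v_ch, h_ch in zip(v, h)]

def glm(x, w_conv2, w_conv3, k_conv4, w_conv1):
    """Forward pass of one global-local module on a C x H x W feature map."""
    # Global branch: Conv2, then both strip poolings, then the Hadamard product.
    g = conv1x1(x, w_conv2)
    global_out = hadamard_broadcast(strip_pool_vertical(g), strip_pool_horizontal(g))
    # Local branch: Conv3 (reduction) followed by Conv4 (local feature extraction).
    local_out = conv3x3_same(conv1x1(x, w_conv3), k_conv4)
    # Merge by channel concatenation (assumption), then Conv1 reduces the channels again.
    return conv1x1(global_out + local_out, w_conv1)

def demo():
    # Constructed 2-channel map: H = 2 rows (time steps), W = 3 columns (feature variables).
    x = [[[1, 2, 3], [4, 5, 6]],
         [[0, 1, 0], [1, 0, 1]]]
    ones = [[1, 1, 1]] * 3
    return glm(x, w_conv2=[[1, 0]], w_conv3=[[0, 1]], k_conv4=ones, w_conv1=[[1, 1]])

if __name__ == "__main__":
    for row in demo()[0]:
        print(row)
```

The output keeps the input's H×W size, which is what lets the module sit in series between Layer1 and Layer2 (or Layer2 and Layer3) without changing the spatial shape the next layer receives.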

In step S3, as shown in Fig. 5, when the improved Res2net model (the neural network model in Fig. 5) is trained with the preprocessed network traffic data, the preprocessed network traffic data is divided into a training set and a test set. The training set is input into the improved Res2net model for training, and parameters such as the optimizer, loss function, learning rate and batch size are set. In this embodiment the optimizer is Adam, the loss function is the cross-entropy loss, the learning rate is 0.0001 and the batch size is 512; these settings can be adjusted as required and are not limited here. The parameters of the improved Res2net model are then trained. After training is complete, the test set is input into the trained model to analyze and evaluate the network security situation.

In this embodiment, the constructed global-local feature extraction module can effectively extract feature information in both the time and space dimensions of the data: it mines the spatial feature information of the data in depth while effectively retaining its temporal feature information. Compared with existing hybrid models that use a CNN to extract spatial features and an LSTM to extract temporal features, it is simpler and more efficient. It can also replace the LSTM temporal feature extraction process with a purely convolutional network, which effectively improves the accuracy and robustness of the model.

Embodiment 2

As shown in Fig. 6, this embodiment provides a network security situation awareness system based on an improved Res2net, comprising:

a data processing module M1, configured to acquire network traffic data and preprocess the network traffic data;

The data processing module M1 specifically includes:

a cleaning submodule M11, configured to clean the network traffic data and remove the data rows in which the proportion of blank values is higher than a preset value;

a standardization submodule M12, configured to standardize the numerical data in the cleaned data;

an encoding submodule M13, configured to perform one-hot encoding on the character-type data in the standardized data;

a slicing submodule M14, configured to slice the one-hot encoded data to obtain multiple data slices; each data slice includes N feature variables.

The slicing submodule M14 specifically includes:

a hyperparameter setting unit, configured to set the sliding-window hyperparameter T;

a splitting unit, configured to move the sliding window by a preset step and split the one-hot encoded data into multiple data slices;

a dimension adjustment unit, configured to adjust the dimensions of each data slice to obtain an adjusted data slice; the adjusted data slice is the data tensor required by the improved Res2net model.

a model construction module M2, configured to introduce a first global-local feature extraction module GLM1 between the first layer Layer1 and the second layer Layer2 of the Res2net model, and to introduce a second global-local feature extraction module GLM2 between the second layer Layer2 and the third layer Layer3 of the Res2net model, to obtain the improved Res2net model;

a network security situation awareness module M3, configured to train the improved Res2net model with the preprocessed network traffic data to obtain a trained model, and to use the trained model to perform network security situation awareness on the network traffic data under test.

The network security situation awareness module M3 specifically includes:

a first feature map acquisition submodule, configured to input the network traffic data under test into the first layer Layer1 of the trained model for processing, to obtain a first feature map;

a second feature map acquisition submodule, configured to input the first feature map into the first global-local feature extraction module GLM1 for feature extraction, to obtain a second feature map;

a third feature map acquisition submodule, configured to input the second feature map into the second layer Layer2 for processing and then into the first global-local feature extraction module GLM2 for feature extraction, to obtain a third feature map;

a network security situation awareness submodule, configured to pass the third feature map through the third layer Layer3 and the fourth layer Layer4 of the Res2net model in turn, then input it into the fully connected layer and the Softmax layer in turn for feature classification, and analyze the network security situation according to the classification results.

As the system disclosed in this embodiment corresponds to the method disclosed in the embodiment, its description is relatively brief; for related details, refer to the description of the method.

Specific examples are used herein to explain the principle and implementation of the invention. The description of the above embodiments is only intended to help in understanding the method of the invention and its core idea; at the same time, a person of ordinary skill in the art may, following the idea of the invention, make changes to the specific implementation and the scope of application. In summary, the contents of this specification should not be construed as limiting the invention.

Claims (6)

1. A network security situation awareness method based on an improved Res2net, comprising:
acquiring network traffic data and preprocessing the network traffic data;
introducing a first global-local feature extraction module between a first layer and a second layer of a Res2net model, and introducing a second global-local feature extraction module between the second layer and a third layer of the Res2net model, to obtain an improved Res2net model; the first global-local feature extraction module and the second global-local feature extraction module are both used for extracting deep spatio-temporal features in the network traffic data;
training the improved Res2net model by using the preprocessed network traffic data to obtain a trained model, and performing network security situation awareness on the network traffic data to be tested by using the trained model;
the preprocessing of the network traffic data specifically includes:
cleaning the network traffic data, and removing data rows in which the proportion of blank values is higher than a preset value;
standardizing the numerical data in the cleaned data;
performing a one-hot encoding operation on the character-type data in the standardized data;
slicing the one-hot-encoded data to obtain a plurality of data slices; each data slice comprises N feature variables;
slicing the one-hot-encoded data to obtain a plurality of data slices comprises the following steps:
setting a sliding-window hyperparameter T;
moving a sliding window by a preset step length, and dividing the one-hot-encoded data into a plurality of data slices;
performing dimension adjustment on each data slice to obtain adjusted data slices; the adjusted data slice is the data tensor required by the improved Res2net model.
2. The method of claim 1, wherein the first global-local feature extraction module comprises a global branch unit, a local branch unit, a feature merging operation layer, and a first convolution layer; the second global-local feature extraction module has the same structure as the first global-local feature extraction module;
the global branch unit comprises a second convolution layer, a longitudinal pooling layer, a transverse pooling layer and a Hadamard product operation layer;
the input end of the second convolution layer is connected with the output end of the first layer or the second layer, and the output end of the second convolution layer is connected with the input end of the longitudinal pooling layer and the input end of the transverse pooling layer; the output end of the longitudinal pooling layer and the output end of the transverse pooling layer are connected with the Hadamard product operation layer;
the local branch unit comprises a third convolution layer and a fourth convolution layer which are connected in series;
the input end of the third convolution layer is connected with the output end of the first layer or the second layer, and the output end of the fourth convolution layer and the output end of the Hadamard product operation layer are both connected with the feature merging operation layer; and the output end of the feature merging operation layer is connected with the input end of the second layer or the input end of the third layer.
3. The method according to claim 2, wherein performing network security situation awareness on the network traffic data to be tested by using the trained model specifically includes:
inputting the network traffic data to be tested into the first layer of the trained model for processing to obtain a first feature map;
inputting the first feature map to the first global-local feature extraction module for feature extraction to obtain a second feature map;
inputting the second feature map to the second layer for processing, and then inputting it to the second global-local feature extraction module for feature extraction to obtain a third feature map;
and passing the third feature map through the third layer and a fourth layer of the Res2net model in sequence, then inputting it to a fully connected layer and a Softmax layer in sequence to perform feature classification, and analyzing the network security situation according to the classification results.
4. The method according to claim 3, wherein inputting the first feature map into the first global-local feature extraction module for feature extraction to obtain a second feature map specifically includes:
inputting the first feature map to the second convolution layer for a first dimension reduction;
performing longitudinal strip pooling and transverse strip pooling on the feature map subjected to the first dimension reduction through the longitudinal pooling layer and the transverse pooling layer, respectively, to obtain a first branch feature map and a second branch feature map;
performing a Hadamard product operation on the first branch feature map and the second branch feature map through the Hadamard product operation layer to obtain the feature map output by the global branch;
performing a second dimension reduction on the first feature map through the third convolution layer, and performing local feature extraction on the feature map subjected to the second dimension reduction through the fourth convolution layer to obtain the feature map output by the local branch;
and merging the feature map output by the global branch with the feature map output by the local branch through the feature merging operation layer, and then performing dimension reduction through the first convolution layer to obtain the second feature map.
5. A network security situation awareness system based on an improved Res2net, comprising:
a data processing module, used for acquiring network traffic data and preprocessing the network traffic data;
the data processing module specifically comprises:
a cleaning submodule, used for cleaning the network traffic data and removing data rows in which the proportion of blank values is higher than a preset value;
a standardization submodule, used for standardizing the numerical data in the cleaned data;
an encoding submodule, used for performing a one-hot encoding operation on the character-type data in the standardized data;
a slicing submodule, used for slicing the one-hot-encoded data to obtain a plurality of data slices; each data slice comprises N feature variables;
the slicing submodule specifically comprises:
a hyperparameter setting unit, used for setting a sliding-window hyperparameter T;
a splitting unit, used for moving a sliding window by a preset step length and splitting the one-hot-encoded data into a plurality of data slices;
a dimension adjustment unit, used for performing dimension adjustment on each data slice to obtain adjusted data slices; the adjusted data slice is the data tensor required by the improved Res2net model;
a model construction module, used for introducing a first global-local feature extraction module between a first layer and a second layer of the Res2net model, and introducing a second global-local feature extraction module between the second layer and a third layer of the Res2net model, to obtain an improved Res2net model; the first global-local feature extraction module and the second global-local feature extraction module are both used for extracting deep spatio-temporal features in the network traffic data;
a network security situation awareness module, used for training the improved Res2net model by using the preprocessed network traffic data to obtain a trained model, and performing network security situation awareness on the network traffic data to be tested by using the trained model.
6. The system of claim 5, wherein the network security situation awareness module specifically comprises:
a first feature map acquisition submodule, used for inputting the network traffic data to be tested into the first layer of the trained model for processing to obtain a first feature map;
a second feature map acquisition submodule, used for inputting the first feature map to the first global-local feature extraction module for feature extraction to obtain a second feature map;
a third feature map acquisition submodule, used for inputting the second feature map into the second layer for processing and then into the second global-local feature extraction module for feature extraction to obtain a third feature map;
and a network security situation awareness submodule, used for passing the third feature map through the third layer and the fourth layer of the Res2net model in sequence, then inputting it to the fully connected layer and the Softmax layer in sequence for feature classification, and analyzing the network security situation according to the classification results.
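The preprocessing chain recited in claims 1 and 5 (cleaning, standardization, one-hot encoding, sliding-window slicing, dimension adjustment) can be traced on a small input with the following added example, which is not code from the patent. The column names, the sample rows, z-score as the standardization method, mapping surviving blanks to 0.0, the leading channel axis, and the default threshold, T and step values are all assumptions made for illustration.

```python
import statistics

NUMERIC = ["duration", "src_bytes"]   # constructed column names
CATEGORICAL = ["proto"]
ROWS = [  # constructed sample flows; None marks a blank value
    {"duration": 1.0, "src_bytes": 100.0, "proto": "tcp"},
    {"duration": 3.0, "src_bytes": 300.0, "proto": "udp"},
    {"duration": None, "src_bytes": None, "proto": "tcp"},   # 2/3 blank
    {"duration": 5.0, "src_bytes": None, "proto": "tcp"},    # 1/3 blank
    {"duration": 3.0, "src_bytes": 200.0, "proto": "icmp"},
    {"duration": 3.0, "src_bytes": 300.0, "proto": "udp"},
]

def clean(rows, max_blank_ratio):
    """Remove rows whose proportion of blank values exceeds the preset value."""
    return [r for r in rows
            if sum(v is None for v in r.values()) / len(r) <= max_blank_ratio]

def standardize(rows):
    """Z-score numeric columns (assumed method); surviving blanks map to 0.0."""
    out = [dict(r) for r in rows]
    for col in NUMERIC:
        seen = [r[col] for r in rows if r[col] is not None] or [0.0]
        mean, std = statistics.fmean(seen), statistics.pstdev(seen)
        for r in out:
            blank = r[col] is None or std == 0
            r[col] = 0.0 if blank else (r[col] - mean) / std
    return out

def one_hot(rows):
    """Expand character-type columns into 0/1 indicators; rows become N-vectors."""
    vocab = {c: sorted({r[c] for r in rows if r[c] is not None})
             for c in CATEGORICAL}
    return [[r[c] for c in NUMERIC]
            + [float(r[c] == v) for c in CATEGORICAL for v in vocab[c]]
            for r in rows]

def slice_windows(vectors, T, step):
    """Slide a T-row window by `step`; wrap each slice as a 1 x T x N tensor."""
    return [[vectors[i:i + T]] for i in range(0, len(vectors) - T + 1, step)]

def preprocess(rows, max_blank_ratio=0.5, T=3, step=1):
    cleaned = clean(rows, max_blank_ratio)
    return slice_windows(one_hot(standardize(cleaned)), T, step)

if __name__ == "__main__":
    for t in preprocess(ROWS):
        print(len(t), len(t[0]), len(t[0][0]))   # channel, T, N
```

In a deployed pipeline the mean, standard deviation and category vocabulary would be computed on the training data and reused for the traffic under test, so that N stays the same width the trained model expects.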
CN202210935115.4A 2022-08-05 2022-08-05 Network security situation awareness method and system based on improved Res2net Active CN115242544B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210935115.4A CN115242544B (en) 2022-08-05 2022-08-05 Network security situation awareness method and system based on improved Res2net


Publications (2)

Publication Number Publication Date
CN115242544A CN115242544A (en) 2022-10-25
CN115242544B true CN115242544B (en) 2023-05-30

Family

ID=83678868


Country Status (1)

Country Link
CN (1) CN115242544B (en)



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant