CN115277258B - Network attack detection method and system based on temporal-spatial feature fusion - Google Patents


Info

Publication number: CN115277258B
Authority: CN (China)
Prior art keywords: data set, network, data, node, detected
Legal status: Active
Application number: CN202211180250.9A
Other languages: Chinese (zh)
Other versions: CN115277258A
Inventors: 郑伟发, 肖岩军, 尤扬, 程培宇, 蔡梓涛, 谢少群
Current assignee: Guangdong University of Business Studies; Nsfocus Technologies Group Co Ltd
Original assignee: Guangdong University of Business Studies; Nsfocus Technologies Group Co Ltd
Application filed by Guangdong University of Business Studies and Nsfocus Technologies Group Co Ltd (priority to CN202211180250.9A; published as CN115277258A, granted as CN115277258B).

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/16 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence


Abstract

The invention relates to a network attack detection method and system based on temporal-spatial feature fusion. The method comprises the following steps: network traffic data to be detected is preprocessed and used as the input of a trained GCN-BiGRU neural network model; a GCN neural network module extracts the spatial features of the network traffic data; a BiGRU neural network module extracts its temporal features; and a feature fusion module fuses the temporal and spatial features to obtain a classification label for the network traffic data to be detected. The system comprises an acquisition module, a preprocessing module and an analysis module. By extracting the spatial and temporal features of the network traffic data and fusing them, the invention detects network attacks from the combined temporal-spatial characteristics and thereby effectively improves the reliability of the algorithm.

Description

Network attack detection method and system based on temporal-spatial feature fusion
Technical Field
The invention relates to the field of network security, in particular to a network attack detection method and system based on space-time feature fusion.
Background
With the development of information technology, network security is receiving more and more attention. In recent years, as attack patterns keep changing, network attacks are developing in new and more intelligent directions. However, conventional network attack detection methods usually analyze only the time sequence, do not combine spatial and temporal analysis, and depend heavily on manual feature selection, so they produce a large number of false positives or missed detections; their accuracy needs to be improved, and they are not sufficient to cope with complex network attack patterns.
GCN (Graph Convolutional Network) provides a method for extracting features from graph data. It is currently common to apply a GCN to extract graph-data features for node classification, graph classification, edge prediction (link prediction), and for obtaining an embedded representation of a graph (graph embedding).
BiGRU (Bidirectional Gated Recurrent Unit) is a classical Recurrent Neural Network (RNN) variant that is commonly used to address the gradient problems of long-term memory and back-propagation.
Disclosure of Invention
The invention aims to overcome at least one deficiency of the prior art and provides a network attack detection method and system based on temporal-spatial feature fusion.
The technical scheme adopted by the invention is as follows:
in a first aspect, a network attack detection method based on spatio-temporal feature fusion is provided, which includes:
acquiring network flow data as a sample set, and preprocessing the network flow data to obtain a preprocessed sample set;
presetting classification labels, wherein the classification labels comprise a normal flow label, a victim flow label and an attack flow label;
labeling the preprocessed sample set according to preset classification labels to obtain a corresponding classification label set;
constructing a GCN-BiGRU neural network model, wherein the GCN-BiGRU neural network model comprises a GCN neural network module, a BiGRU neural network module and a characteristic fusion module for performing characteristic fusion on the outputs of the GCN neural network module and the BiGRU neural network module; training and testing the GCN-BiGRU neural network model by utilizing the preprocessed sample set and the corresponding classification label set to obtain a final GCN-BiGRU neural network model;
preprocessing network traffic data to be detected to serve as the input of a final GCN-BiGRU neural network model, extracting the spatial characteristics of the network traffic data to be detected through a GCN neural network module, extracting the time characteristics of the network traffic data to be detected through a BiGRU neural network module, and performing characteristic fusion on the time characteristics and the spatial characteristics in a characteristic fusion module to obtain a classification label of the network traffic data to be detected.
According to the invention, the GCN-BiGRU neural network model is constructed by combining the GCN neural network model and the BiGRU neural network model, the spatial and temporal features of the network traffic data are extracted, and the features are fused, so that the accuracy of network attack detection with the GCN-BiGRU neural network model is higher than that of detection with the GCN neural network model alone or with the BiGRU neural network model alone, and the accuracy of the network attack detection algorithm is effectively improved.
Further, the acquiring network traffic data as a sample set and preprocessing the sample set to obtain a preprocessed sample set specifically includes:
acquiring network flow data as a sample set, and initializing the sample set to form an initialized data set;
acquiring a node data set and an edge data set according to the initialization data set;
carrying out normalization processing and coding processing according to the initialization data set, and constructing an edge feature data set according to the node data set, the edge data set and the normalized and coded data;
and/or,
preprocessing network traffic data to be detected, specifically comprising:
initializing network traffic data to be detected to form a corresponding data set to be detected;
acquiring a corresponding node data set and a corresponding edge data set according to the corresponding data set to be detected;
and carrying out normalization processing and coding processing according to the corresponding data set to be detected, and constructing an edge characteristic data set corresponding to the data set to be detected according to the node data set, the edge data set and the normalized and coded data corresponding to the data set to be detected.
Preprocessing the network traffic data is an indispensable step before analyzing it: it extracts the data accurately and adjusts its format, so that high-quality data meeting standards such as accuracy, completeness and conciseness is obtained, the required data can be extracted more precisely and fed into the corresponding neural network model for analysis, and the data better serves the analysis.
Further, initializing the sample set to form an initialized data set, and initializing the network traffic data to be detected to form a corresponding data set to be detected, which are all implemented by adopting the following steps:
initializing network traffic data to form an initialization data set RawDataSet, wherein the initialization data set RawDataSet comprises: the time the connection was first seen Date first seen, Duration, protocol type Proto, source node address Src IP Addr, destination node address Dst IP Addr, source node port Src Pt, destination node port Dst Pt, packet number Packets, byte number Bytes, data flow count, identifier Flags, and service type Tos;
acquiring a node data set and an edge data set according to an initialization data set or a data set to be detected, specifically comprising:
traversing the initialization data set RawDataSet, extracting a source node address Src IP Addr and a source node port Src Pt of each record, and generating a source network node dictionary SrcDict according to the principle of 'Src = Src IP Addr + Src Pt', wherein the source network node dictionary SrcDict comprises two fields of SrcID and Src;
traversing the initialized data set RawDataSet, extracting a destination node address Dst IP Addr and a destination node port Dst Pt of each record, and generating a destination network node dictionary DstDict according to the principle of 'Dst = Dst IP Addr + Dst Pt', wherein the destination network node dictionary DstDict comprises two fields of DstID and Dst;
newly building a node data set NodeSet and an edge data set EdgeSet;
traversing the initialized data set RawDataSet, looking up a source network node dictionary SrcDict and a destination network node dictionary DstDict, and inserting 'Src IP Addr + Src Pt' in the initialized data set RawDataSet into the node data set NodeSet at the SrcID and Src corresponding to the source network node dictionary SrcDict;
inserting 'Dst IP Addr + Dst Pt' in the initialization data set RawDataSet into the node data set NodeSet at DstID and Dst corresponding to the destination network node dictionary DstDict;
and inserting the SrcID corresponding to the source network node dictionary SrcDict and the DstID corresponding to the destination network node dictionary DstDict into the edge data set EdgeSet respectively as the starting point and the end point of the edge.
SrcID and DstID ensure that the IDs in the source network node dictionary SrcDict and the destination network node dictionary DstDict are globally unique. The resulting node data set NodeSet and edge data set EdgeSet serve as the basis for the network node graph constructed subsequently, which is input into the GCN neural network module to extract spatial features.
Further, the method for constructing the edge feature data set corresponding to the sample set and/or the data set to be detected includes:
carrying out normalization processing on the Duration, packet number Packets, byte number Bytes and data flow count in the initialized data set RawDataSet;
encoding the protocol type Proto, identifier Flags and service type Tos in the initialization data set RawDataSet;
traversing the initialization data set RawDataSet, taking the SrcID corresponding to 'Src IP Addr + Src Pt' in SrcDict as the starting point of an edge, taking the DstID corresponding to 'Dst IP Addr + Dst Pt' in DstDict as the end point of the edge, and combining the normalized data and the encoded data as the feature data of the edge to form an edge feature data set EdftSet.
Further, labeling the preprocessed sample set according to preset classification labels to obtain a corresponding classification label set, specifically comprising:
labeling the sample set according to a preset classification label to obtain label labeling information;
carrying out numerical value coding on label marking information corresponding to the sample set;
traversing the initialization data set RawDataSet, taking the SrcID corresponding to 'Src IP Addr + Src Pt' in SrcDict as the starting point, taking the DstID corresponding to 'Dst IP Addr + Dst Pt' in DstDict as the end point, and combining the numerical coding of the label information corresponding to the sample set as edge classification label data to form a classification label set LabelSet.
More specifically, the network traffic data has three classification label types, namely the normal traffic label normal, the victim traffic label victim and the attack traffic label attacker. The classification label type is coded; the coding rule can be that the normal traffic label normal is coded as 0, the victim traffic label victim as 1 and the attack traffic label attacker as 2, so that the coded classification label is converted from text data to numerical data.
Further, training and testing the GCN-BiGRU neural network model by using the preprocessed network traffic data and the corresponding classification label set to obtain the trained GCN-BiGRU neural network model, which specifically comprises the following steps:
associating a node data set NodeSet, an edge data set EdgeSet, an edge characteristic data set EdftSet and a classification label data set LabelSet corresponding to the sample set through SrcID and DstID;
combining a node data set NodeSet, an edge data set EdgeSet, an edge feature data set EdftSet and a classification label set LabelSet corresponding to a part of network traffic data in a sample set into a training set, and respectively naming the training set as a training node data set TrainNodeSet, a training edge data set TrainEdgeSet, a training edge feature data set TrainEdftSet and a training classification label set TrainLabelSet;
forming a test set by a node data set NodeSet, an edge data set EdgeSet, an edge characteristic data set EdftSet and a classification label set LabelSet corresponding to the network traffic data of the rest part in the sample set, and respectively naming the test set as a test node data set TestNodeSet, a test edge data set TestEdgeSet, a test edge characteristic data set TestEdftSet and a test classification label set TestLabelSet;
a training process, wherein the training node data set TrainNodeSet and the training edge data set TrainEdgeSet are used as the input of the GCN neural network module, the training edge feature data set TrainEdftSet is used as the input of the BiGRU neural network module, the training classification label set TrainLabelSet together with the output of the GCN neural network module and the output of the BiGRU neural network module is used as the input of the feature fusion module, and the GCN-BiGRU neural network model is trained to obtain a trained network;
and in the testing process, the testing node data set TestNodeSet, the testing edge data set TestEdgeSet, the testing edge characteristic data set TestEdftSet and the testing classification label set TestLabelSet are input into the trained GCN-BiGRU neural network model for testing, and the final network model is obtained.
The GCN-BiGRU neural network model is trained with the training set and the training result is verified with the test set; the GCN-BiGRU neural network model that passes the test is the trained model and can be used for formal network security detection. Using a trained neural network model for network security detection can improve the accuracy and reliability of attack discovery compared with manual detection.
Further, extracting the spatial characteristics of the network traffic data to be detected through a GCN neural network module specifically includes:
acquiring network nodes for constructing a network node graph according to a node data set corresponding to the to-be-detected network traffic data, acquiring edges for constructing the network node graph according to an edge data set corresponding to the to-be-detected network traffic data, and constructing the network node graph according to the acquired network nodes and edges;
acquiring neighbor nodes of the network nodes according to the network node graph, and calculating an adjacency matrix of the network node graph according to the neighbor nodes; acquiring the number of edges associated with the network nodes according to the network node graph, and defining the number as the degree of the network nodes;
calculating a degree matrix of the network node graph according to the degree of the network node;
and obtaining a feature matrix of the network node graph according to the adjacency matrix and the degree matrix of the network node graph, wherein the feature matrix is used as the spatial feature of the network traffic data to be detected.
More specifically, because of the connections and data transmission between network nodes, a network node graph is constructed in the spatial dimension. It is a non-Euclidean data structure: the nodes are arranged irregularly and different nodes have different numbers of neighbor nodes. The GCN neural network can effectively analyze the neighbor nodes within a small neighborhood of network nodes and is therefore suitable for extracting the spatial features of the network nodes.
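To make the spatial-feature step concrete, the following added example (not code from the patent) builds the adjacency matrix, node degrees and degree matrix from a constructed NodeSet/EdgeSet and derives a feature matrix from them; since the page does not give the formula, the standard symmetric-normalised GCN propagation is assumed, with the learned weight matrix left out and repeated connections collapsed into a single 0/1 adjacency entry.

```python
"""Spatial feature step of the GCN module, as a worked example: NodeSet/EdgeSet
-> adjacency matrix A -> node degrees and degree matrix D -> feature matrix by
symmetric-normalised propagation D~^-1/2 (A+I) D~^-1/2 X. Pure Python, no numpy."""

import math

# Constructed toy graph. Node IDs are what NodeSet would hold; edges are
# (SrcID, DstID) pairs as EdgeSet would hold them. The last edge is a repeated
# connection between the same pair, which the 0/1 adjacency collapses (assumed).
NODE_IDS = [0, 1, 2, 3, 4]
EDGE_SET = [(0, 1), (0, 2), (1, 2), (3, 4), (3, 4)]
# One constructed feature row per node, in NODE_IDS order (any fixed-width
# numeric node features, e.g. aggregated per-node statistics, would do).
NODE_FEATURES = [[1.0, 0.0], [0.0, 1.0], [1.0, 1.0], [0.0, 0.0], [1.0, 0.0]]


def adjacency_matrix(node_ids, edge_set):
    """Undirected 0/1 adjacency: an edge makes both endpoints neighbours of each
    other regardless of traffic direction; self-connections are ignored."""
    idx = {nid: i for i, nid in enumerate(node_ids)}
    n = len(node_ids)
    a = [[0] * n for _ in range(n)]
    for s, d in edge_set:
        i, j = idx[s], idx[d]
        if i != j:
            a[i][j] = a[j][i] = 1
    return a


def neighbours(a, i):
    """Neighbour positions of node i, read off row i of A."""
    return [j for j, v in enumerate(a[i]) if v]


def degrees(a):
    """Degree of each node = number of edges incident to it (row sum of A)."""
    return [sum(row) for row in a]


def degree_matrix(a):
    """Diagonal degree matrix D built from the node degrees."""
    deg = degrees(a)
    return [[deg[i] if i == j else 0 for j in range(len(a))] for i in range(len(a))]


def gcn_propagate(a, x):
    """Feature matrix from A and D. The page only says the spatial feature is
    derived from the adjacency and degree matrices; the standard GCN form
    H = D~^-1/2 (A+I) D~^-1/2 X is assumed (self-loop added so every node keeps
    its own features, D~ the degree matrix of A+I, learned weights omitted)."""
    n, f = len(a), len(x[0])
    a_hat = [[a[i][j] + (1 if i == j else 0) for j in range(n)] for i in range(n)]
    inv_sqrt = [1.0 / math.sqrt(sum(row)) for row in a_hat]  # every row sum >= 1
    out = [[0.0] * f for _ in range(n)]
    for i in range(n):
        for j in range(n):
            if a_hat[i][j]:
                w = inv_sqrt[i] * inv_sqrt[j]
                for k in range(f):
                    out[i][k] += w * x[j][k]
    return out


def spatial_features(node_ids, edge_set, x):
    """End-to-end: graph -> A -> D (returned for inspection) -> feature matrix."""
    a = adjacency_matrix(node_ids, edge_set)
    return a, degree_matrix(a), gcn_propagate(a, x)


if __name__ == "__main__":
    a, d, h = spatial_features(NODE_IDS, EDGE_SET, NODE_FEATURES)
    print("degrees:", degrees(a))
    for nid, row in zip(NODE_IDS, h):
        print(nid, [round(v, 3) for v in row])
```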
Further, extracting the time characteristics of the network traffic data to be detected through the BiGRU neural network module specifically includes:
acquiring a network flow time sequence according to a side feature data set of the network flow data to be detected;
the BiGRU neural network is composed of two unidirectional GRUs in opposite directions, the forward GRU is used for capturing the characteristics of the next moment, the reverse GRU is used for capturing the characteristics of the previous moment, and the two GRUs simultaneously process the input of a network flow time sequence to jointly obtain the output of the current moment;
and according to the output of the current moment, obtaining a time characteristic vector of the network traffic data containing the historical information through an activation function, and using the time characteristic vector as the time characteristic of the network traffic data to be detected.
More specifically, the connections and data transmission between network nodes form a traffic time sequence, and adjacent moments in this sequence are strongly correlated. A unidirectional GRU model can only acquire the features of the forward direction in time, whereas the network attack recognition task requires the model to fully learn the features of both the preceding and the following moments and to extract long-distance temporal dependencies; therefore the BiGRU neural network, which captures the features of the preceding and following moments in both directions, is used to extract the temporal features of the network nodes.
Further, the feature fusion of the network traffic data includes a feature fusion step, in which the spatial feature O_GCN output by the GCN neural network and the temporal feature O_BiGRU output by the BiGRU neural network are fused to obtain a fusion feature matrix E:
[Fusion formula for E: present on the page only as an image, not reproduced here]
where n is the network traffic data volume;
and the obtained fusion feature matrix E is processed through an activation function to obtain the classification label of the network traffic data.
The fused feature matrix E absorbs the features of network traffic data space and time, and has rich key feature information, so that the GCN-BiGRU neural network model can be helped to make more accurate detection.
In a second aspect, a network attack detection system based on spatiotemporal feature fusion is provided, which includes:
the acquisition module is used for acquiring network traffic data as a sample set and acquiring the network traffic data to be detected;
the system comprises a preprocessing module, a classification module and a processing module, wherein the preprocessing module is used for preprocessing a sample set to obtain a preprocessed sample set and a corresponding classification label set, and the classification labels comprise a normal flow label, a victim flow label and an attack flow label; the system is used for preprocessing the network traffic data to be detected;
the model building module is used for building a GCN-BiGRU neural network model, and the GCN-BiGRU neural network model comprises a GCN neural network module, a BiGRU neural network module and a feature fusion module for performing feature fusion on the outputs of the GCN neural network module and the BiGRU neural network module; training and testing the GCN-BiGRU neural network model by utilizing the preprocessed sample set and the corresponding classification label set to obtain a final GCN-BiGRU neural network model;
the detection module is used for inputting the preprocessed network traffic data to be detected into the final GCN-BiGRU neural network model, extracting the spatial features of the network traffic data to be detected through the GCN neural network module, extracting the temporal features of the network traffic data to be detected through the BiGRU neural network module, and fusing the temporal and spatial features in the feature fusion module to obtain the classification label of the network traffic data to be detected.
Compared with the prior art, the invention has the beneficial effects that:
(1) The GCN neural network is used for extracting the spatial features of the network traffic data, and the neighbor nodes can be effectively analyzed within a small neighborhood of network nodes;
(2) The BiGRU neural network is used for extracting the time characteristics of the network traffic data, so that the characteristics of the upper moment and the lower moment can be captured in two directions;
(3) The GCN-BiGRU neural network model is constructed to extract the spatial characteristics and the time characteristics of the network flow data, and the characteristics are fused, so that the network security detection is performed, the accuracy is higher than that of a GCN neural network model or a BiGRU neural network model which is used alone, and the accuracy of a detection algorithm of network attack is effectively improved.
Drawings
FIG. 1 is a flowchart of the method steps of example 1 of the present invention.
Fig. 2 is a diagram of a GCN network node according to embodiment 1 of the present invention.
Fig. 3 is a structural diagram of a GRU unit model in embodiment 1 of the present invention.
FIG. 4 is a graph comparing experimental results of the GCN-BiGRU neural network model, the GCN neural network model alone and the BiGRU neural network model alone in example 1 of the present invention.
Fig. 5 is a system diagram of embodiment 2 of the present invention.
Detailed Description
The drawings are only for purposes of illustration and are not to be construed as limiting the invention. For a better understanding of the following embodiments, certain features of the drawings may be omitted, enlarged or reduced, and do not represent the size of an actual product; it will be understood by those skilled in the art that certain well-known structures in the drawings and descriptions thereof may be omitted.
Example 1
As shown in fig. 1, the present embodiment provides a network attack detection method based on spatio-temporal feature fusion, including:
s1, acquiring network flow data as a sample set, and preprocessing the sample set to obtain a preprocessed sample set;
s2, presetting classification labels, wherein the classification labels comprise a normal flow label, a victim flow label and an attack flow label;
s3, labeling the preprocessed sample set according to preset classification labels to obtain a corresponding classification label set;
s4, constructing a GCN-BiGRU neural network model, wherein the GCN-BiGRU neural network model comprises a GCN neural network module, a BiGRU neural network module and a characteristic fusion module for performing characteristic fusion on the outputs of the GCN neural network module and the BiGRU neural network module;
s5, training and testing the GCN-BiGRU neural network model by utilizing the preprocessed sample set and the corresponding classification label set to obtain a final GCN-BiGRU neural network model;
s6, preprocessing the network traffic data to be detected to serve as the input of a final GCN-BiGRU neural network model, extracting the spatial characteristics of the network traffic data to be detected through a GCN neural network module, extracting the time characteristics of the network traffic data to be detected through a BiGRU neural network module, and performing characteristic fusion on the time characteristics and the spatial characteristics in a characteristic fusion module to obtain the classification label of the network traffic data to be detected.
Illustratively, the network traffic data sample set used in this embodiment is the CIDDS-01 (Coburg Intrusion Detection Data Sets) public data set. The CIDDS-01 data set was captured in a simulated enterprise environment over four weeks, and the acquired network traffic includes attack behaviors such as SSH brute force attacks, DoS and port scanning, so the GCN-BiGRU neural network model of the present invention can be trained effectively on it.
In this embodiment, the step S1 of obtaining network traffic data as a sample set, and preprocessing the sample set to obtain a preprocessed sample set specifically includes:
s101, acquiring network traffic data as a sample set, and initializing the sample set to form an initialized data set;
s102, acquiring a node data set and an edge data set according to the initialization data set;
s103, normalization processing and coding processing are carried out according to the initialization data set, and an edge feature data set is constructed according to the node data set, the edge data set and the normalized and coded data.
In this embodiment, S101, initializing the sample set to form an initialized data set, is implemented as follows: the network traffic data in the sample set is initialized to form an initialization data set RawDataSet corresponding to the sample set, wherein the initialization data set RawDataSet comprises: the time the connection was first seen Date first seen, Duration, protocol type Proto, source node address Src IP Addr, destination node address Dst IP Addr, source node port Src Pt, destination node port Dst Pt, packet number Packets, byte number Bytes, data flow count, identifier Flags and service type Tos. Specifically, these 12 network traffic fields are extracted from the CIDDS-01 (Coburg Intrusion Detection Data Sets) public data set.
In this embodiment S102, the acquiring a node data set and an edge data set according to an initialization data set specifically includes:
traversing an initialization data set RawDataSet corresponding to the sample set, extracting a source node address Src IP Addr and a source node port Src Pt of each record, and generating a source network node dictionary SrcDict according to the principle that 'Src = Src IP Addr + Src Pt', wherein the source network node dictionary SrcDict comprises two fields of SrcID and Src;
traversing the initialized data set RawDataSet, extracting a destination node address Dst IP Addr and a destination node port Dst Pt of each record, and generating a destination network node dictionary DstDict according to the principle of 'Dst = Dst IP Addr + Dst Pt', wherein the destination network node dictionary DstDict comprises two fields of DstID and Dst;
a node data set NodeSet and an edge data set EdgeSet corresponding to the sample set are newly established;
traversing the initialized data set RawDataSet corresponding to the sample set, looking up the source network node dictionary SrcDict and the destination network node dictionary DstDict, and inserting 'Src IP Addr + Src Pt' of the initialized data set RawDataSet corresponding to the sample set into the node data set NodeSet at the SrcID and Src corresponding to the source network node dictionary SrcDict; inserting 'Dst IP Addr + Dst Pt' of the initialization data set RawDataSet corresponding to the sample set into the node data set NodeSet corresponding to the sample set at the DstID and Dst corresponding to the destination network node dictionary DstDict; and inserting the SrcID corresponding to the source network node dictionary SrcDict and the DstID corresponding to the destination network node dictionary DstDict into the edge data set EdgeSet corresponding to the sample set as the starting point and the end point of the edge, respectively.
In this embodiment S103, the method for constructing the edge feature data set corresponding to the sample set includes:
carrying out normalization processing on the Duration, packet number Packets, byte number Bytes and data flow count in the initialized data set RawDataSet corresponding to the sample set;
encoding the protocol type Proto, identifier Flags and service type Tos in the initialized data set RawDataSet corresponding to the sample set, where the encoding can be realized by one-hot encoding;
traversing the initialized data set RawDataSet corresponding to the sample set, taking the SrcID corresponding to 'Src IP Addr + Src Pt' in SrcDict as the starting point of the edge, taking the DstID corresponding to 'Dst IP Addr + Dst Pt' in DstDict as the end point of the edge, and combining the normalized data and the encoded data as the feature data of the edge to form an edge feature data set EdftSet.
In this embodiment S3, labeling the preprocessed sample set according to the preset classification label to obtain a corresponding classification label set specifically includes:
labeling the sample set according to a preset classification label to obtain label labeling information;
carrying out numerical value coding on label marking information corresponding to the sample set;
traversing the initialization data set RawDataSet, taking the SrcID corresponding to 'Src IP Addr + Src Pt' in SrcDict as the starting point, taking the DstID corresponding to 'Dst IP Addr + Dst Pt' in DstDict as the end point, and combining the numerical coding information corresponding to the label marking information of the sample set as the edge classification label data to form a classification label set LabelSet.
Exemplarily, the normalization process is described taking the connection time Duration as an example: the initialization data set RawDataSet corresponding to the sample set is traversed to find the maximum value D_max and the minimum value D_min of Duration; the current Duration value
[formula image]
is then normalized to obtain the normalized Duration
[formula image]
The present embodiment may use the sklearn tool of the Python language to perform One-Hot encoding on the protocol type Proto, identifier Flags and service type Tos in the initialization data set RawDataSet.
The network traffic data in this embodiment has three classification tag types: a normal traffic tag normal, a victim traffic tag victim, and an attack traffic tag attack. The label marking information is then coded; the coding rule can be that the normal traffic tag normal is coded as 0, the victim traffic tag victim is coded as 1, and the attack traffic tag attack is coded as 2.
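As an added example (not the patent's own code), the preprocessing steps above carried out in pure Python on a few constructed flow records: SrcDict and DstDict, NodeSet and EdgeSet, the min-max normalized and one-hot encoded EdftSet, and the LabelSet with the 0/1/2 coding. The shared node-id counter, the ':' key separator and the field name Flows are assumptions.

```python
"""Added example (not the patent's code): graph-structured preprocessing of
flow records following the RawDataSet -> SrcDict/DstDict -> NodeSet/EdgeSet
-> EdftSet/LabelSet steps described above, in pure Python (no sklearn)."""

# Constructed RawDataSet (not real traffic). Field names follow the patent's
# list; "Flows" stands for its "data flow" field and "label" is the analyst's
# class. Flags strings imitate nfdump-style TCP flag notation.
RAW_DATA_SET = [
    {"Date first seen": "2022-09-01 10:00:00", "Duration": 0.5, "Proto": "TCP",
     "Src IP Addr": "10.0.0.5", "Src Pt": 51000, "Dst IP Addr": "10.0.0.9",
     "Dst Pt": 80, "Packets": 10, "Bytes": 1200, "Flows": 1, "Flags": ".AP.SF",
     "Tos": 0, "label": "normal"},
    {"Date first seen": "2022-09-01 10:00:01", "Duration": 2.0, "Proto": "TCP",
     "Src IP Addr": "10.0.0.5", "Src Pt": 51001, "Dst IP Addr": "10.0.0.9",
     "Dst Pt": 443, "Packets": 40, "Bytes": 36000, "Flows": 1, "Flags": ".AP.SF",
     "Tos": 0, "label": "normal"},
    {"Date first seen": "2022-09-01 10:00:02", "Duration": 0.0, "Proto": "TCP",
     "Src IP Addr": "192.0.2.7", "Src Pt": 40000, "Dst IP Addr": "10.0.0.9",
     "Dst Pt": 22, "Packets": 1, "Bytes": 60, "Flows": 1, "Flags": "....S.",
     "Tos": 0, "label": "attack"},
    {"Date first seen": "2022-09-01 10:00:02", "Duration": 0.0, "Proto": "TCP",
     "Src IP Addr": "10.0.0.9", "Src Pt": 22, "Dst IP Addr": "192.0.2.7",
     "Dst Pt": 40000, "Packets": 1, "Bytes": 40, "Flows": 1, "Flags": ".A..S.",
     "Tos": 0, "label": "victim"},
    {"Date first seen": "2022-09-01 10:00:03", "Duration": 0.1, "Proto": "UDP",
     "Src IP Addr": "10.0.0.5", "Src Pt": 53000, "Dst IP Addr": "10.0.0.1",
     "Dst Pt": 53, "Packets": 2, "Bytes": 180, "Flows": 1, "Flags": "......",
     "Tos": 16, "label": "normal"},
]

NUMERIC_FIELDS = ("Duration", "Packets", "Bytes", "Flows")  # min-max normalized
CATEGORICAL_FIELDS = ("Proto", "Flags", "Tos")              # one-hot encoded
LABEL_CODES = {"normal": 0, "victim": 1, "attack": 2}       # the page's coding rule


def endpoint_key(ip, port):
    """'Src = Src IP Addr + Src Pt' style key; the ':' separator is our choice."""
    return f"{ip}:{port}"


def build_node_dicts(raw):
    """Return (SrcDict, DstDict), each mapping endpoint key -> node id.
    Assumption: ids come from one shared counter, so an endpoint seen as both
    source and destination becomes a single graph node with a single id."""
    ids, src_dict, dst_dict = {}, {}, {}
    for rec in raw:  # first traversal: source endpoints
        key = endpoint_key(rec["Src IP Addr"], rec["Src Pt"])
        src_dict[key] = ids.setdefault(key, len(ids))
    for rec in raw:  # second traversal: destination endpoints
        key = endpoint_key(rec["Dst IP Addr"], rec["Dst Pt"])
        dst_dict[key] = ids.setdefault(key, len(ids))
    return src_dict, dst_dict


def build_node_and_edge_sets(raw, src_dict, dst_dict):
    """NodeSet: sorted (id, key) pairs; EdgeSet: one (SrcID, DstID) per record."""
    node_set = sorted(set((i, k) for k, i in src_dict.items())
                      | set((i, k) for k, i in dst_dict.items()))
    edge_set = [(src_dict[endpoint_key(r["Src IP Addr"], r["Src Pt"])],
                 dst_dict[endpoint_key(r["Dst IP Addr"], r["Dst Pt"])])
                for r in raw]
    return node_set, edge_set


def min_max(values):
    """Min-max normalization (D - D_min) / (D_max - D_min); a constant column
    (max == min) maps to 0.0 instead of dividing by zero."""
    lo, hi = min(values), max(values)
    return [0.0 if hi == lo else (v - lo) / (hi - lo) for v in values]


def one_hot(values):
    """One-hot encode a categorical column; categories are sorted by str."""
    cats = sorted(set(values), key=str)
    return [[1.0 if v == c else 0.0 for c in cats] for v in values]


def build_edft_set(raw, src_dict, dst_dict):
    """EdftSet: (SrcID, DstID, feature vector) per record, the vector being the
    normalized numeric columns followed by the one-hot columns."""
    numeric = [min_max([r[f] for r in raw]) for f in NUMERIC_FIELDS]
    encoded = [one_hot([r[f] for r in raw]) for f in CATEGORICAL_FIELDS]
    _, edge_set = build_node_and_edge_sets(raw, src_dict, dst_dict)
    edft_set = []
    for i, (src_id, dst_id) in enumerate(edge_set):
        vec = [col[i] for col in numeric]
        for enc in encoded:
            vec.extend(enc[i])
        edft_set.append((src_id, dst_id, vec))
    return edft_set


def build_label_set(raw, src_dict, dst_dict):
    """LabelSet: (SrcID, DstID, numeric label code) per record."""
    _, edge_set = build_node_and_edge_sets(raw, src_dict, dst_dict)
    return [(s, d, LABEL_CODES[r["label"]]) for (s, d), r in zip(edge_set, raw)]
```

With these five records the graph has 8 nodes and 5 edges, and each edge carries a 12-dimensional feature vector (4 normalized numeric columns plus 2 + 4 + 2 one-hot columns).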
In this embodiment S5, training and testing the GCN-BiGRU neural network model by using the preprocessed network traffic data and the corresponding classification label set to obtain the trained GCN-BiGRU neural network model, specifically including:
associating the node data set NodeSet, the edge data set EdgeSet, the edge characteristic data set EdftSet and the classification label data set LabelSet corresponding to the sample set through SrcID and DstID;
combining a node data set NodeSet, an edge data set EdgeSet, an edge feature data set EdftSet and a classification label set LabelSet corresponding to a part of network traffic data in a sample set into a training set, and respectively naming the training set as a training node data set TrainNodeSet, a training edge data set TrainEdgeSet, a training edge feature data set TrainEdftSet and a training classification label set TrainLabelSet;
forming a test set by a node data set NodeSet, an edge data set EdgeSet, an edge characteristic data set EdftSet and a classification label set LabelSet corresponding to the rest network traffic data in the sample set, and respectively naming the test set as a test node data set TestNodeSet, a test edge data set TestEdgeSet, a test edge characteristic data set TestEdftSet and a test classification label set TestLabelSet;
a training process, wherein the training node data set TrainNodeSet and the training edge data set TrainEdgeSet are used as the input of the GCN neural network module, the training edge feature data set TrainEdftSet is used as the input of the BiGRU neural network module, the training classification label set TrainLabelSet, the output of the GCN neural network module and the output of the BiGRU neural network module are used as the input of the feature fusion module, and the GCN-BiGRU neural network model is trained to obtain a trained network;
and in the testing process, the testing node data set TestNodeSet, the testing edge data set TestEdgeSet, the testing edge characteristic data set TestEdftSet and the testing classification label set TestLabelSet are input into the trained GCN-BiGRU neural network model for testing, and the final network model is obtained.
Illustratively, a node data set NodeSet, an edge data set EdgeSet, an edge feature data set EdftSet and a category label set LabelSet corresponding to 80% of network traffic data constitute a training set, and a node data set NodeSet, an edge data set EdgeSet, an edge feature data set EdftSet and a category label set LabelSet corresponding to the remaining 20% of network traffic data constitute a test set.
Specifically, the step S6 of preprocessing the network traffic data to be detected includes:
s601, initializing the network traffic data to be detected to form a corresponding data set to be detected;
s602, acquiring a corresponding node data set and a corresponding side data set according to a corresponding data set to be detected;
s603, normalization processing and coding processing are carried out according to the corresponding data set to be detected, and an edge characteristic data set corresponding to the data set to be detected is constructed according to the node data set, the edge data set and the normalized and coded data corresponding to the data set to be detected.
In step S601, initializing the network traffic data to be detected to form a corresponding data set to be detected, which specifically includes:
initializing the network traffic data to be detected to form an initialized data set RawDataSet corresponding to the network traffic data to be detected, wherein the information included in this initialized data set RawDataSet is the same as the information included in the initialized data set corresponding to the sample set, and both include: the time the connection was first seen Date first seen, Duration, protocol type Proto, source node address Src IP Addr, destination node address Dst IP Addr, source node port Src Pt, destination node port Dst Pt, number of Packets, byte number Bytes, data flow, identifier Flags, and service type Tos.
In this embodiment S6, extracting spatial features of the network traffic data to be detected through a GCN neural network module in the GCN-BiGRU neural network model specifically includes:
s6021, acquiring a network node for constructing a network node graph according to a node data set corresponding to-be-detected network flow data, acquiring an edge for constructing the network node graph according to an edge data set corresponding to-be-detected network flow data, and constructing the network node graph according to the acquired network node and the edge;
s6022, acquiring neighbor nodes of the network nodes according to the network node graph, and calculating an adjacency matrix of the network node graph according to the neighbor nodes;
s6023, acquiring the number of edges associated with the network nodes according to the network node graph, and defining the number as the degree of the network nodes;
s6024, calculating a degree matrix of the network node graph according to the degree of the network node;
and S6025, obtaining a characteristic matrix of the network node map according to the adjacency matrix and the degree matrix of the network node map, and taking the characteristic matrix as a spatial characteristic of the to-be-detected network flow data.
As shown in fig. 2, assume that the set of neighbor nodes of network node v_a is
[formula image]
where P represents the set of edges in the network node graph; if network node v_a is a neighbor of network node v_b, then v_b is also a neighbor of v_a. The degree d(v_a) of network node v_a denotes the number of edges associated with the node. The degree matrix D is a diagonal matrix whose diagonal elements are the degrees of the network nodes; in the undirected graph let the degree of v_a be d(v_a) = |N(v_a)|, a = 1, ..., n, where n is the number of network nodes in the network node graph, so the degree matrix of the network node graph is:
[formula image]
A is the adjacency matrix of the network node graph,
[formula image]
and the entry A_ab for network nodes v_a and v_b is:
[formula image]
X is the feature matrix,
[formula image]
where n is the number of network nodes in the network node graph and k is the feature dimension. The input of layer L+1 of the GCN neural network is the feature matrix X^L output by layer L together with the adjacency matrix A, and its output is the updated feature matrix X^(L+1). The feature matrix of layer L+1 is therefore:
[formula image]
where L denotes the Lth graph convolution layer,
[formula image]
(I is the identity matrix of the network node graph),
[formula image]
is the degree matrix of the matrix
[formula image]
and
[formula image]
is a normalization of the adjacency matrix A used as an approximate graph convolution filter; W^L is the weight matrix of the Lth layer, obtained through neural network training; and the function
[formula image]
is the activation function.
Exemplarily, in this embodiment V is generated from the training node data set TrainNodeSet, which has 165080 network nodes, so V is a row vector of dimension 165080, that is, z = 165080; from the training edge data set TrainEdgeSet,
[formula image]
is generated with 400000 edges, that is, m = 400000; the adjacency matrix A is generated according to the adjacency matrix definition,
[formula image]
and the feature matrix at initialization, L = 0,
[formula image]
is obtained. X^0 is generated from the test edge feature data set TestEdftSet; the normalized features in TestEdftSet have 40 features, i.e. the feature dimension is k = 40, so that
[formula image]
W^L is the result of neural network model training.
In this embodiment a ReLU activation function is used, and to improve calculation efficiency the GCN neural network module uses two graph convolution layers, i.e. L = 1. After the two graph convolution layers, the output is fed into a linear connection layer, which extracts higher-order features and at the same time reduces the feature dimension from k = 40 to k = 5; the output result is denoted O_GCN and is sent to the feature fusion module for feature fusion with the output result of the BiGRU network. Illustratively, the linear connection layer is created using torch.
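An added example, not the patent's code, of the spatial feature extraction in pure Python: adjacency and degree matrices from a constructed EdgeSet, then the propagation rule with self-loops, symmetric normalization and ReLU that the description above outlines. The exact normalization is assumed to be the standard GCN form, since the page's formula is an image.

```python
"""Added example (not the patent's code): GCN propagation over a graph built
from an EdgeSet, in pure Python. It assumes the standard form the description
above outlines: add self-loops (A + I), take that matrix's degree matrix,
normalize symmetrically, multiply by X^L and W^L, then apply ReLU."""
import math

# Constructed EdgeSet of (SrcID, DstID) pairs over n = 5 nodes; nodes 3 and 4
# form a component of their own. Not real traffic.
EDGE_SET = [(0, 1), (1, 2), (2, 0), (3, 4)]


def adjacency_matrix(edge_set, n):
    """A[a][b] = 1 if (v_a, v_b) is an edge; symmetric, as in the undirected graph."""
    A = [[0.0] * n for _ in range(n)]
    for a, b in edge_set:
        A[a][b] = A[b][a] = 1.0
    return A


def degree_matrix(A):
    """Diagonal matrix whose entry d(v_a) is the number of edges at v_a."""
    n = len(A)
    return [[sum(A[a]) if a == b else 0.0 for b in range(n)] for a in range(n)]


def matmul(P, Q):
    """Plain (rows x inner) * (inner x cols) product on lists of lists."""
    return [[sum(p * q for p, q in zip(row, col)) for col in zip(*Q)] for row in P]


def normalized_adjacency(A):
    """D~^{-1/2} (A + I) D~^{-1/2}. The self-loops guarantee every degree is
    at least 1, so an isolated node never causes a division by zero."""
    n = len(A)
    A_tilde = [[A[i][j] + (1.0 if i == j else 0.0) for j in range(n)] for i in range(n)]
    D_tilde = degree_matrix(A_tilde)
    inv_sqrt = [1.0 / math.sqrt(D_tilde[i][i]) for i in range(n)]
    return [[inv_sqrt[i] * A_tilde[i][j] * inv_sqrt[j] for j in range(n)]
            for i in range(n)]


def gcn_layer(A_hat, X, W):
    """X^{L+1} = ReLU(A_hat X^L W^L)."""
    return [[max(0.0, z) for z in row] for row in matmul(matmul(A_hat, X), W)]


def gcn_forward(edge_set, X, weights):
    """Run the graph convolution layers in sequence (the page uses two) and
    return the final node feature matrix, i.e. the spatial feature."""
    A_hat = normalized_adjacency(adjacency_matrix(edge_set, len(X)))
    for W in weights:
        X = gcn_layer(A_hat, X, W)
    return X


if __name__ == "__main__":
    X0 = [[1.0, 0.0], [0.0, 1.0], [1.0, 1.0], [2.0, 0.0], [0.0, 2.0]]  # n=5, k=2
    W = [[1.0, 0.0], [0.0, 1.0]]  # constructed identity weights (untrained)
    for row in gcn_forward(EDGE_SET, X0, [W, W]):
        print([round(v, 3) for v in row])
```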
In this embodiment S6, extracting, by using the BiGRU neural network module in the GCN-BiGRU neural network model, the time characteristic of the network traffic data to be detected specifically includes:
s6031, acquiring a network traffic time sequence according to the edge feature data set corresponding to the to-be-detected network traffic data;
s6032, the BiGRU neural network is composed of two unidirectional GRUs in opposite directions, the forward GRU is used for capturing characteristics of the next moment, the reverse GRU is used for capturing characteristics of the previous moment, and the two GRUs simultaneously process input of a network flow time sequence to jointly obtain output of the current moment;
and S6033, obtaining a time characteristic vector of the network traffic data containing the historical information through an activation function according to the output of the current moment, and using the time characteristic vector as the time characteristic of the network traffic data.
In this embodiment, a Sigmoid function is selected as the activation function; the hidden state at time t is input and a feature vector containing the historical information is output.
Specifically, in the step S4, in the process of training and testing the GCN-BiGRU neural network model, the processing procedures of the GCN neural network module and the BiGRU neural network module may be implemented with reference to S6021-S6025 and S6031-S6033.
For example, in this embodiment the training edge feature data set TrainEdftSet is used as the training data of the BiGRU, where each record of the edge feature data set is an edge feature and the feature vector of each record is the feature vector at time t
[formula image]
so the input network traffic feature vector dimension is k = 40. The bidirectional parameter of the PyTorch nn GRU is set to true, the number of GRU layers is set to 1, and the initial input dimension is k = 40; the calculation yields the output result of the BiGRU neural network with feature dimension q = 5,
[formula image]
and h_t. Let the output result be
[formula image]
which is sent to the feature fusion layer for feature fusion with the output result of the GCN neural network.
In this embodiment S4 and S6, the feature fusion of the network traffic data includes a feature fusion step, and the feature fusion is completed by the feature fusion step on the network traffic data in the sample set and the network traffic data to be detected, where the feature fusion step is:
s6041, the spatial feature O_GCN output by the GCN neural network and the temporal feature O_BiGRU output by the BiGRU neural network are fused to obtain the fusion feature matrix
[formula image]
where n is the network traffic data volume;
and S6042, carrying out normalization processing on the obtained fusion characteristic matrix E to obtain a classification label of the network traffic data.
The feature matrix E of this embodiment is obtained by splicing (concatenation) using the cat function in PyTorch, so that it absorbs both the spatial and the temporal features and carries rich key feature information, which helps the model make more accurate predictions; the fused feature matrix E is then input into a softmax function, which outputs the classification label of the network traffic data.
The present embodiment also uses a cross entropy loss function and optimizes the GCN-BiGRU neural network model by iteratively computing the loss value and applying stochastic gradient descent, so that the value of the loss function converges to a minimum. Considering the complexity of the model and to avoid overfitting during training, the present embodiment uses an L2 regularization term to constrain the parameters, so the final loss function of the model is:
Figure 379156DEST_PATH_IMAGE024
where m is the data volume of the training set, y_i is the classification label of the ith network traffic record of the training set,
[formula image]
is the predicted probability of the ith network traffic record of the training set,
[formula image]
is the L2 regularization term, and
[formula image]
is the set of all parameters of the model.
The software environment used in this example was Python 3.8 and PyTorch 1.8, and the experimental hardware was an Intel(R) Core(TM) i7-9750H, an NVIDIA GeForce GTX1650 and 16G RAM. An Adam optimizer is adopted to train the GCN-BiGRU neural network model, with an Adam learning rate of 0.1, 100 epochs, and the Sigmoid function as the activation function.
The embodiment adopts the classification Accuracy (Accuracy), precision (Precision), recall (Recall) and comprehensive evaluation index (F-Measure) to judge the classification effect of the model. Let TP denote the number of samples correctly identified as the attack class, FP denote the number of samples incorrectly identified as the attack class, TN denote the number of samples correctly identified as the normal class, and FN denote the number of samples incorrectly identified as the normal class.
Precision represents the proportion of actual attack-class records among the network data classified into the attack class; its calculation formula is:
Precision = TP / (TP + FP)
Recall represents the proportion of attack-class data classified into the attack class among all attack-class data; its calculation formula is:
Recall = TP / (TP + FN)
F-Measure is a weighted average of Precision and Recall, used to combine the two scores, and its calculation formula is:
[formula image]
where the parameter
[formula image]
adjusts the relative weight of precision and recall; when it is set to
[formula image]
the F-Measure is the F1 score.
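An added example (not the patent's code) of the fusion, classification, loss and evaluation steps above in pure Python: E = [O_GCN | O_BiGRU], a linear map and softmax to the three labels, cross entropy with an L2 term, and Precision, Recall and F1 for the attack class from TP/FP/FN. The constructed module outputs and weights, and the plain lam weighting of the L2 term, are assumptions.

```python
"""Added example (not the patent's code): the fusion step E = [O_GCN | O_BiGRU]
(the torch.cat concatenation), a linear map to the three classes with softmax,
the cross-entropy + L2 loss, and Precision/Recall/F1 for the attack class with
the TP/FP/FN definitions above, all in pure Python. Weighting the L2 term by a
plain factor lam (no 1/2) is our choice; the patent's formula is an image."""
import math

ATTACK = 2  # label code from the page's coding rule (normal 0, victim 1, attack 2)

# Constructed module outputs for n = 4 flows: O_GCN is n x k (k = 5) and
# O_BiGRU is n x q (q = 5), matching the dimensions the description gives.
O_GCN = [[2.0, 0, 0, 0, 0], [0, 0, 2.0, 0, 0], [0, 1.0, 0, 0, 0], [0.5, 0, 1.0, 0, 0]]
O_BIGRU = [[1.0, 0, 0, 0, 0], [0, 0, 1.0, 0, 0], [0, 0, 2.0, 0, 0], [1.0, 1.0, 0, 0, 0]]
LABELS = [0, 2, 1, 2]
# Constructed (untrained) 10 x 3 weight matrix: logit c = E[c] + E[5 + c].
W = [[1.0 if i in (c, 5 + c) else 0.0 for c in range(3)] for i in range(10)]
B = [0.0, 0.0, 0.0]


def fuse(o_gcn, o_bigru):
    """Row-wise concatenation: E has n rows and k + q columns."""
    assert len(o_gcn) == len(o_bigru), "both modules must emit one row per flow"
    return [list(g) + list(h) for g, h in zip(o_gcn, o_bigru)]


def softmax(z):
    """Numerically stable softmax: subtract the max before exponentiating."""
    m = max(z)
    exps = [math.exp(v - m) for v in z]
    s = sum(exps)
    return [e / s for e in exps]


def predict_proba(E, W, b):
    """softmax(E W + b) for every fused row."""
    return [softmax([sum(e * W[i][c] for i, e in enumerate(row)) + b[c]
                     for c in range(len(b))]) for row in E]


def predict_labels(probs):
    """Argmax over the class probabilities (first index wins on ties)."""
    return [max(range(len(p)), key=lambda c: p[c]) for p in probs]


def cross_entropy_l2(probs, labels, params, lam):
    """-(1/m) sum_i log p_i[y_i] + lam * sum(theta^2) over all parameters."""
    m = len(labels)
    ce = -sum(math.log(max(p[y], 1e-12)) for p, y in zip(probs, labels)) / m
    return ce + lam * sum(t * t for t in params)


def attack_class_metrics(y_true, y_pred, attack=ATTACK):
    """Precision, Recall and F1 for the attack class, treating every other
    prediction as the negative class; returns 0.0 where a denominator is zero."""
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == attack and p == attack)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t != attack and p == attack)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == attack and p != attack)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return precision, recall, f1


def run(o_gcn=O_GCN, o_bigru=O_BIGRU, labels=LABELS, W=W, b=B, lam=0.1):
    """Fuse, classify, score the loss and evaluate; returns (preds, loss, metrics)."""
    E = fuse(o_gcn, o_bigru)
    probs = predict_proba(E, W, b)
    preds = predict_labels(probs)
    params = [w for row in W for w in row] + list(b)
    loss = cross_entropy_l2(probs, labels, params, lam)
    return preds, loss, attack_class_metrics(labels, preds)
```

With the constructed rows, the third flow (a victim) is misclassified as attack and the fourth (an attack) as normal, so the attack class scores Precision = Recall = F1 = 0.5.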
The experimental result is shown in fig. 4, where normal represents normal network traffic, victim represents victim traffic, and attack represents attack traffic; it can be seen that the accuracy of the GCN-BiGRU neural network model is higher than that of the GCN neural network model alone or the BiGRU neural network model alone.
Example 2
As shown in fig. 5, the present embodiment provides a network attack detection system based on spatiotemporal feature fusion, including:
the acquisition module 101 is configured to acquire network traffic data as a sample set and acquire network traffic data to be detected, and specifically includes:
forming an initialization data set RawDataSet, the initialization data set RawDataSet comprising: the time the connection was first seen Date first seen, Duration, protocol type Proto, source node address Src IP Addr, destination node address Dst IP Addr, source node port Src Pt, destination node port Dst Pt, packet number Packets, byte number Bytes, data flow, identifier Flags, and service type Tos;
the preprocessing module 102 is configured to preprocess a sample set to obtain a preprocessed sample set and a corresponding classification tag set, where the classification tags include a normal traffic tag, a victim traffic tag, and an attack traffic tag; the system is used for preprocessing the network traffic data to be detected;
the model building module 103 is used for building a GCN-BiGRU neural network model, and the GCN-BiGRU neural network model comprises a GCN neural network module, a BiGRU neural network module and a feature fusion module for performing feature fusion on the outputs of the GCN neural network module and the BiGRU neural network module; and training and testing the GCN-BiGRU neural network model by utilizing the preprocessed sample set and the corresponding classification label set to obtain the final GCN-BiGRU neural network model.
The detection module 104 is configured to use the preprocessed network traffic data to be detected as an input of a final GCN-BiGRU neural network model, extract a spatial feature of the network traffic data to be detected through the GCN neural network model, extract a temporal feature of the network traffic data to be detected through the BiGRU neural network model, and perform feature fusion on the temporal feature and the spatial feature in the feature fusion module to obtain a classification tag of the network traffic data to be detected.
It should be understood that the above-mentioned embodiments of the present invention are only examples for clearly illustrating the technical solutions of the present invention, and are not intended to limit the specific embodiments of the present invention. Any modification, equivalent replacement, and improvement made within the spirit and principle of the claims of the present invention should be included in the protection scope of the claims of the present invention.

Claims (7)

1. A network attack detection method based on space-time feature fusion is characterized by comprising the following steps:
acquiring network flow data as a sample set, and preprocessing the sample set to obtain a preprocessed sample set;
presetting classification labels, wherein the classification labels comprise a normal flow label, a victim flow label and an attack flow label;
labeling the preprocessed sample set according to preset classification labels to obtain a corresponding classification label set;
constructing a GCN-BiGRU neural network model, wherein the GCN-BiGRU neural network model comprises a GCN neural network module, a BiGRU neural network module and a feature fusion module for performing feature fusion on the outputs of the GCN neural network module and the BiGRU neural network module;
training and testing the GCN-BiGRU neural network model by utilizing the preprocessed sample set and the corresponding classification label set to obtain a final GCN-BiGRU neural network model;
preprocessing network flow data to be detected to serve as the input of a final GCN-BiGRU neural network model, extracting the spatial characteristics of the network flow data to be detected through a GCN neural network module, extracting the time characteristics of the network flow data to be detected through a BiGRU neural network module, and performing characteristic fusion on the time characteristics and the spatial characteristics in a characteristic fusion module to obtain a classification label of the network flow data to be detected;
acquiring network traffic data as a sample set, and preprocessing the sample set to obtain a preprocessed sample set, specifically comprising:
acquiring network flow data as a sample set, and initializing the sample set to form an initialized data set;
acquiring a node data set and an edge data set according to the initialization data set;
carrying out normalization processing and coding processing according to the initialization data set, and constructing an edge feature data set according to the node data set, the edge data set and the normalized and coded data;
and/or,
preprocessing network traffic data to be detected, specifically comprising:
initializing network traffic data to be detected to form a corresponding data set to be detected;
acquiring a corresponding node data set and a corresponding edge data set according to a corresponding data set to be detected;
carrying out normalization processing and coding processing according to the corresponding data set to be detected, and constructing an edge characteristic data set corresponding to the data set to be detected according to the node data set, the edge data set and the normalized and coded data corresponding to the data set to be detected;
the method comprises the following steps of initializing a sample set to form an initialized data set, and initializing network traffic data to be detected to form a corresponding data set to be detected, wherein the steps are as follows:
initializing network traffic data to form an initialization data set RawDataSet, wherein the initialization data set RawDataSet comprises: the time the connection was first seen Date first seen, Duration, protocol type Proto, source node address Src IP Addr, destination node address Dst IP Addr, source node port Src Pt, destination node port Dst Pt, packet number Packets, byte number Bytes, data flow, identifier Flags, and service type Tos;
acquiring a node data set and an edge data set according to the initialization data set or the data set to be detected, which specifically comprises the following steps:
traversing the initialization data set RawDataSet, extracting a source node address Src IP Addr and a source node port Src Pt of each record, and generating a source network node dictionary SrcDict according to the principle of 'Src = Src IP Addr + Src Pt', wherein the source network node dictionary SrcDict comprises two fields of SrcID and Src;
traversing the initialized data set RawDataSet, extracting a destination node address Dst IP Addr and a destination node port Dst Pt of each record, and generating a destination network node dictionary DstDict according to the principle of 'Dst = Dst IP Addr + Dst Pt', wherein the destination network node dictionary DstDict comprises two fields of DstID and Dst;
newly building a node data set NodeSet and an edge data set EdgeSet;
traversing the initialization data set RawDataSet, looking up the source network node dictionary SrcDict and the destination network node dictionary DstDict, inserting 'Src IP Addr + Src Pt' of the initialization data set RawDataSet into the node data set NodeSet at the SrcID and Src corresponding to the source network node dictionary SrcDict, and inserting 'Dst IP Addr + Dst Pt' of the initialization data set RawDataSet into the node data set NodeSet at the DstID and Dst corresponding to the destination network node dictionary DstDict;
inserting an edge data set EdgeSet by respectively taking the SrcID corresponding to the source network node dictionary SrcDict and the DstID corresponding to the destination network node dictionary DstDict as a starting point and an end point of an edge;
extracting the spatial characteristics of the network traffic data to be detected through a GCN neural network module, which specifically comprises the following steps:
acquiring network nodes for constructing a network node graph according to a node data set corresponding to the to-be-detected network flow data, acquiring edges for constructing the network node graph according to an edge data set corresponding to the to-be-detected network flow data, and constructing the network node graph according to the acquired network nodes and edges;
acquiring neighbor nodes of the network nodes according to the network node graph, and calculating an adjacency matrix of the network node graph according to the neighbor nodes;
acquiring the number of edges associated with the network nodes according to the network node graph, and defining the number as the degree of the network nodes;
calculating a degree matrix of the network node graph according to the degree of the network nodes;
and obtaining a characteristic matrix of the network node map according to the adjacency matrix and the degree matrix of the network node map, wherein the characteristic matrix is used as the spatial characteristic of the network traffic data to be detected.
2. The method for detecting the network attack based on the spatio-temporal feature fusion according to claim 1, wherein the method for constructing the edge feature data set corresponding to the sample set and/or the data set to be detected comprises the following steps:
carrying out normalization processing on Duration, the number of Packets, the number of Bytes Bytes and the data flow in the initialized data set RawDataSet;
encoding a protocol type Proto, an identifier Flags and a service type Tos in an initialization data set RawDataSet;
traversing the initialization data set RawDataSet, taking the SrcID corresponding to 'Src IP Addr + Src Pt' in SrcDict as the starting point of an edge, taking the DstID corresponding to 'Dst IP Addr + Dst Pt' in DstDict as the end point of the edge, and combining the normalized data and the encoded data as the feature data of the edge to form an edge feature data set EdftSet.
3. The method for detecting network attack based on spatio-temporal feature fusion according to claim 2, wherein labeling the preprocessed sample set according to a preset classification label to obtain a corresponding classification label set specifically comprises:
labeling the sample set according to a preset classification label to obtain label labeling information;
carrying out numerical value coding on label marking information corresponding to the sample set;
traversing the initialization data set RawDataSet, taking the SrcID corresponding to 'Src IP Addr + Src Pt' in SrcDict as the starting point, taking the DstID corresponding to 'Dst IP Addr + Dst Pt' in DstDict as the end point, and combining the numerical coding information corresponding to the label marking information of the sample set as the edge classification label data to form a classification label set LabelSet.
4. The method for detecting cyber attack based on spatio-temporal feature fusion according to claim 3, wherein the trained GCN-BiGRU neural network model is obtained by training and testing the GCN-BiGRU neural network model by using the preprocessed cyber traffic data and the corresponding classification label set, which specifically comprises:
associating a node data set NodeSet, an edge data set EdgeSet, an edge characteristic data set EdftSet and a classification label set LabelSet corresponding to the sample set through SrcID and DstID;
a node data set NodeSet, an edge data set EdgeSet, an edge characteristic data set EdftSet and a classification label set LabelSet corresponding to a part of network traffic data in a sample set form a training set which is named as a training node data set TrainNodeSet, a training edge data set TrainEdgeSet, a training edge characteristic data set TrainEdftSet and a training classification label set TrainLabelSet respectively;
forming a test set by a node data set NodeSet, an edge data set EdgeSet, an edge characteristic data set EdftSet and a classification label set LabelSet corresponding to the network traffic data of the rest part in the sample set, and respectively naming the test set as a test node data set TestNodeSet, a test edge data set TestEdgeSet, a test edge characteristic data set TestEdftSet and a test classification label set TestLabelSet;
in the training process, a training node data set TrainNodeSet and a training side data set TrainEdgeSet are used as the input of a GCN neural network module, a training side feature data set TrainEdftSet is used as the input of a BiGRU neural network module, a training classification label set TrainLabelSet, the output of the GCN neural network module and the output of the BiGRU neural network module are used as the input of a feature fusion module, and the GCN-BiGRU neural network model is trained to obtain a trained network;
and in the testing process, inputting the testing node data set TestNodeSet, the testing edge data set TestEdgeSet, the testing edge characteristic data set TestEdftSet and the testing classification label set TestLabelSet into the trained GCN-BiGRU neural network model for testing to obtain a final network model.
5. The method for detecting network attacks based on spatio-temporal feature fusion according to claim 1, wherein extracting the temporal features of the network traffic data to be detected through the BiGRU neural network module specifically comprises:
acquiring a network traffic time sequence from the edge feature data set of the network traffic data to be detected;
the BiGRU neural network consists of two unidirectional GRUs running in opposite directions: the forward GRU reads the network traffic time sequence from the earliest moment onward and carries the features of the preceding moments, the reverse GRU reads it backward and carries the features of the following moments; the two GRUs process the same input sequence in parallel and their hidden states are combined to give the output of the current moment;
obtaining, from the output of the current moment and through an activation function, a temporal feature vector of the network traffic data that contains the historical information, and using this temporal feature vector as the temporal feature of the network traffic data to be detected.
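The two-direction data flow described in this claim, written out as an added pure-Python example (not the patent's code, and not a trained model): a GRU cell with seeded random weights, a forward and a reverse pass over a constructed edge-feature sequence, concatenation of the two hidden states per moment, and a tanh activation on the result (the choice of tanh is an assumption; the claim names no particular activation). The check a practitioner wants is in forward_half_depends_only_on_past: altering a later record leaves the forward half of the output at moment t unchanged and changes only the reverse half, which is exactly why the concatenated vector carries both history and future context.

```python
import math
import random


def _matvec(m, v):
    return [sum(w * x for w, x in zip(row, v)) for row in m]


class GRUCell:
    """One unidirectional GRU (Cho et al. formulation):
       r = sigmoid(W_r x + U_r h),   z = sigmoid(W_z x + U_z h)
       h~ = tanh(W_h x + U_h (r * h)), h' = (1 - z) * h + z * h~
    Weights are seeded random numbers: the example shows the data flow, not a trained model."""

    def __init__(self, in_dim, hid_dim, seed):
        rng = random.Random(seed)

        def mat(rows, cols):
            return [[rng.uniform(-0.5, 0.5) for _ in range(cols)] for _ in range(rows)]

        self.hid = hid_dim
        self.w = {g: mat(hid_dim, in_dim) for g in "rzh"}   # input weights per gate
        self.u = {g: mat(hid_dim, hid_dim) for g in "rzh"}  # recurrent weights per gate

    def step(self, x, h):
        r = [1 / (1 + math.exp(-(a + b))) for a, b in zip(_matvec(self.w["r"], x), _matvec(self.u["r"], h))]
        z = [1 / (1 + math.exp(-(a + b))) for a, b in zip(_matvec(self.w["z"], x), _matvec(self.u["z"], h))]
        rh = [ri * hi for ri, hi in zip(r, h)]
        h_tilde = [math.tanh(a + b) for a, b in zip(_matvec(self.w["h"], x), _matvec(self.u["h"], rh))]
        return [(1 - zi) * hi + zi * ht for zi, hi, ht in zip(z, h, h_tilde)]

    def run(self, seq):
        h, outs = [0.0] * self.hid, []
        for x in seq:
            h = self.step(x, h)
            outs.append(h)
        return outs


def bigru(seq, fwd, bwd):
    """Forward GRU reads moments 1..T, reverse GRU reads T..1; the output at moment t is
    the concatenation [h_fwd(t) ; h_bwd(t)] of the two hidden states."""
    f = fwd.run(seq)
    b = bwd.run(seq[::-1])[::-1]          # put the reverse pass back into time order
    return [hf + hb for hf, hb in zip(f, b)]


def temporal_features(seq, fwd, bwd):
    """Temporal feature vector per record: tanh (an assumption) of the BiGRU output."""
    return [[math.tanh(v) for v in out] for out in bigru(seq, fwd, bwd)]


# Constructed edge-feature time sequence: four flows, each already normalised to
# (duration, packets, bytes). The values are made up for this example.
EDFT_SEQUENCE = [[0.00, 0.0, 0.17], [0.01, 0.33, 0.43], [1.00, 1.0, 1.00], [0.00, 0.0, 0.00]]
HID = 4
FWD, BWD = GRUCell(3, HID, seed=1), GRUCell(3, HID, seed=2)


def forward_half_depends_only_on_past(seq, t):
    """Alter record t+1 and compare the output at moment t: the forward half must be
    identical (it saw only records 0..t) while the reverse half must change (it saw t..T)."""
    altered = [list(x) for x in seq]
    altered[t + 1] = [1.0 - v for v in altered[t + 1]]
    before, after = bigru(seq, FWD, BWD)[t], bigru(altered, FWD, BWD)[t]
    return before[:HID] == after[:HID] and before[HID:] != after[HID:]


if __name__ == "__main__":
    for t, vec in enumerate(temporal_features(EDFT_SEQUENCE, FWD, BWD)):
        print(t, [round(v, 3) for v in vec])
    print("forward half ignores later records:", forward_half_depends_only_on_past(EDFT_SEQUENCE, 1))
```

The example uses plain lists so it runs with no framework installed; a real deployment would use a library GRU with learned weights, but the ordering property checked above holds regardless of the weights, and is the reason a detector that must run online (no future flows available) can only use the forward half.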
6. The method for detecting network attacks based on spatio-temporal feature fusion as claimed in claim 5, wherein the feature fusion of the network traffic data comprises a feature fusion step, the feature fusion step being: fusing the spatial feature $O_{GCN}$ output by the GCN neural network and the temporal feature $O_{BiGRU}$ output by the BiGRU neural network to obtain a fusion feature matrix $E$,
[equation image not reproduced on this page: the definition of the fusion feature matrix $E$ in terms of $O_{GCN}$ and $O_{BiGRU}$]
wherein $n$ is the number of network traffic records;
and processing the obtained fusion feature matrix $E$ through an activation function to obtain the classification label of the network traffic data.
7. A network attack detection system based on spatio-temporal feature fusion, comprising:
an acquisition module for acquiring network traffic data as a sample set and for acquiring the network traffic data to be detected;
a preprocessing module for preprocessing the sample set to obtain a preprocessed sample set and a corresponding classification label set, the classification labels comprising a normal traffic label, a victim traffic label and an attack traffic label, and for preprocessing the network traffic data to be detected;
wherein preprocessing the sample set to obtain the preprocessed sample set specifically comprises:
acquiring network traffic data as the sample set and initializing the sample set to form an initialization data set;
acquiring a node data set and an edge data set from the initialization data set;
performing normalization and encoding on the initialization data set, and constructing an edge feature data set from the node data set, the edge data set and the normalized and encoded data;
and/or
preprocessing the network traffic data to be detected specifically comprises:
initializing the network traffic data to be detected to form a corresponding data set to be detected;
acquiring a corresponding node data set and a corresponding edge data set from the data set to be detected;
performing normalization and encoding on the data set to be detected, and constructing the edge feature data set corresponding to the data set to be detected from its node data set, its edge data set and the normalized and encoded data;
wherein initializing the sample set to form the initialization data set, and initializing the network traffic data to be detected to form the corresponding data set to be detected, specifically comprise:
initializing the network traffic data to form an initialization data set RawDataSet, each record of which comprises: the time the connection was first seen, Date first seen; the Duration; the protocol type Proto; the source node address Src IP Addr; the destination node address Dst IP Addr; the source node port Src Pt; the destination node port Dst Pt; the number of packets Packets; the number of bytes Bytes; the number of flows Flows; the flags Flags; and the service type Tos;
wherein acquiring the node data set and the edge data set from the initialization data set or from the data set to be detected specifically comprises:
traversing the initialization data set RawDataSet, extracting the source node address Src IP Addr and source node port Src Pt of each record, and generating a source network node dictionary SrcDict according to the rule 'Src = Src IP Addr + Src Pt', the source network node dictionary SrcDict having two fields, SrcID and Src;
traversing the initialization data set RawDataSet, extracting the destination node address Dst IP Addr and destination node port Dst Pt of each record, and generating a destination network node dictionary DstDict according to the rule 'Dst = Dst IP Addr + Dst Pt', the destination network node dictionary DstDict having two fields, DstID and Dst;
creating a new node data set NodeSet and a new edge data set EdgeSet;
traversing the initialization data set RawDataSet, looking up the source network node dictionary SrcDict and the destination network node dictionary DstDict, inserting each record's 'Src IP Addr + Src Pt' into the node data set NodeSet under the SrcID and Src found in SrcDict, and inserting each record's 'Dst IP Addr + Dst Pt' into the node data set NodeSet under the DstID and Dst found in DstDict;
inserting into the edge data set EdgeSet an edge whose start point is the SrcID found in the source network node dictionary SrcDict and whose end point is the DstID found in the destination network node dictionary DstDict;
a model building module for building a GCN-BiGRU neural network model comprising a GCN neural network module, a BiGRU neural network module and a feature fusion module that fuses the outputs of the GCN neural network module and the BiGRU neural network module, and for training and testing the GCN-BiGRU neural network model with the preprocessed sample set and the corresponding classification label set to obtain a final GCN-BiGRU neural network model;
a detection module for inputting the preprocessed network traffic data to be detected into the final GCN-BiGRU neural network model, extracting the spatial features of the network traffic data to be detected through the GCN neural network module, extracting the temporal features of the network traffic data to be detected through the BiGRU neural network module, and fusing the temporal features and the spatial features in the feature fusion module to obtain the classification label of the network traffic data to be detected;
wherein extracting the spatial features of the network traffic data to be detected through the GCN neural network module specifically comprises:
acquiring the network nodes of a network node graph from the node data set corresponding to the network traffic data to be detected, acquiring the edges of the network node graph from the edge data set corresponding to the network traffic data to be detected, and constructing the network node graph from the acquired network nodes and edges;
acquiring the neighbor nodes of each network node from the network node graph, and computing the adjacency matrix of the network node graph from the neighbor nodes;
acquiring the number of edges associated with each network node from the network node graph, and defining that number as the degree of the network node;
computing the degree matrix of the network node graph from the degrees of the network nodes;
and obtaining the feature matrix of the network node graph from the adjacency matrix and the degree matrix of the network node graph, the feature matrix serving as the spatial feature of the network traffic data to be detected.
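The node-dictionary, node-set and edge-set construction of claim 7 together with the adjacency, degree and feature matrices of the GCN module, carried through on constructed flow records as an added Python example (not the patent's code). The twelve columns the claim lists (Date first seen through Tos) are the CIDDS-001 flow-record layout, and the records below are made up in that layout. Beyond what the claim states, the example assumes: SrcDict and DstDict share one node ID space so that an edge (SrcID, DstID) indexes a single adjacency matrix; the graph is undirected; the edge features are min-max normalised Duration, Packets and Bytes plus a one-hot of Proto; and the "feature matrix obtained from the adjacency and degree matrix" is the symmetric normalisation D^-1/2 (A+I) D^-1/2 of a standard GCN layer (Kipf and Welling).

```python
from math import sqrt

# Constructed flow records in the column order the claim lists (Date first seen, Duration,
# Proto, Src IP Addr, Src Pt, Dst IP Addr, Dst Pt, Packets, Bytes, Flows, Flags, Tos).
RAW_DATA_SET = [
    ("2017-03-15 00:01:16", 0.000, "TCP", "192.168.100.5", 445, "192.168.220.16", 50001, 1, 108, 1, ".AP...", 0),
    ("2017-03-15 00:01:16", 0.012, "TCP", "192.168.220.16", 50001, "192.168.100.5", 445, 2, 174, 1, ".AP...", 0),
    ("2017-03-15 00:01:20", 1.540, "UDP", "192.168.220.15", 53120, "192.168.100.3", 53, 4, 320, 1, "......", 0),
    ("2017-03-15 00:01:21", 0.003, "TCP", "192.168.220.16", 50002, "192.168.100.5", 445, 1, 66, 1, "....S.", 0),
]
DURATION, PROTO, SRC_IP, SRC_PT, DST_IP, DST_PT, PACKETS, BYTES = 1, 2, 3, 4, 5, 6, 7, 8


def build_graph(records):
    """Return (SrcDict, DstDict, NodeSet, EdgeSet). Node key is 'IP Addr + Pt' as in the
    claim. Assumption of this example: SrcDict and DstDict map into ONE node ID space
    (the index into NodeSet), so an edge (SrcID, DstID) addresses a single matrix."""
    node_set, node_id = [], {}
    src_dict, dst_dict, edge_set = {}, {}, []
    for rec in records:
        src = f"{rec[SRC_IP]}:{rec[SRC_PT]}"
        dst = f"{rec[DST_IP]}:{rec[DST_PT]}"
        for key in (src, dst):
            if key not in node_id:
                node_id[key] = len(node_set)
                node_set.append(key)
        src_dict[src] = node_id[src]
        dst_dict[dst] = node_id[dst]
        edge_set.append((node_id[src], node_id[dst]))   # (start point, end point)
    return src_dict, dst_dict, node_set, edge_set


def edge_features(records):
    """EdftSet: min-max normalised numeric columns plus a one-hot protocol code per edge."""
    numeric = (DURATION, PACKETS, BYTES)
    lo = {c: min(r[c] for r in records) for c in numeric}
    hi = {c: max(r[c] for r in records) for c in numeric}
    protos = sorted({r[PROTO] for r in records})
    feats = []
    for r in records:
        # a constant column (lo == hi) would divide by zero; it carries no information, so map it to 0.0
        row = [(r[c] - lo[c]) / (hi[c] - lo[c]) if hi[c] > lo[c] else 0.0 for c in numeric]
        row += [1.0 if r[PROTO] == p else 0.0 for p in protos]
        feats.append(row)
    return feats


def adjacency_matrix(n, edge_set):
    """Symmetric 0/1 adjacency: two nodes are neighbours if any flow joins them
    (assumes an undirected graph; the claim does not say either way)."""
    adj = [[0.0] * n for _ in range(n)]
    for s, d in edge_set:
        if s != d:
            adj[s][d] = adj[d][s] = 1.0
    return adj


def degree_matrix(adj):
    """Diagonal D with D[i][i] = number of edges associated with node i."""
    n = len(adj)
    return [[sum(adj[i]) if i == j else 0.0 for j in range(n)] for i in range(n)]


def normalized_adjacency(adj):
    """D^-1/2 (A + I) D^-1/2 with D recomputed after adding self-loops: the propagation
    matrix of a standard GCN layer (an assumption; the claim only says the feature matrix
    is derived from the adjacency and degree matrices)."""
    n = len(adj)
    a_hat = [[adj[i][j] + (1.0 if i == j else 0.0) for j in range(n)] for i in range(n)]
    d_inv_sqrt = [1.0 / sqrt(sum(row)) for row in a_hat]   # self-loop guarantees degree >= 1
    return [[d_inv_sqrt[i] * a_hat[i][j] * d_inv_sqrt[j] for j in range(n)] for i in range(n)]


if __name__ == "__main__":
    src_dict, dst_dict, node_set, edge_set = build_graph(RAW_DATA_SET)
    adj = adjacency_matrix(len(node_set), edge_set)
    print("NodeSet:", node_set)
    print("EdgeSet:", edge_set)
    print("degrees:", [int(degree_matrix(adj)[i][i]) for i in range(len(node_set))])
    print("EdftSet:", edge_features(RAW_DATA_SET))
```

Two things worth noticing on even this tiny input. Because the node key is IP plus port, the same host 192.168.220.16 appears as two unrelated nodes (ports 50001 and 50002); on real traffic every ephemeral client port becomes a fresh node, the graph grows with the number of flows rather than the number of hosts, and a scanner cycling source ports looks like many low-degree nodes instead of one busy one. And the min-max normalisation is computed over the whole set, so the statistics used at detection time must be the ones saved from the training sample set, otherwise a single huge flow in the data to be detected rescales every other record.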
CN202211180250.9A 2022-09-27 2022-09-27 Network attack detection method and system based on temporal-spatial feature fusion Active CN115277258B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211180250.9A CN115277258B (en) 2022-09-27 2022-09-27 Network attack detection method and system based on temporal-spatial feature fusion

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211180250.9A CN115277258B (en) 2022-09-27 2022-09-27 Network attack detection method and system based on temporal-spatial feature fusion

Publications (2)

Publication Number Publication Date
CN115277258A CN115277258A (en) 2022-11-01
CN115277258B true CN115277258B (en) 2022-12-20

Family

ID=83757553

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211180250.9A Active CN115277258B (en) 2022-09-27 2022-09-27 Network attack detection method and system based on temporal-spatial feature fusion

Country Status (1)

Country Link
CN (1) CN115277258B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115664860B (en) * 2022-12-26 2023-03-31 广东财经大学 Network security threat assessment method and system
CN117714193A (en) * 2023-12-28 2024-03-15 中国电子技术标准化研究院 Diagnostic method, diagnostic device, electronic equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112839034A (en) * 2020-12-29 2021-05-25 湖北大学 Network intrusion detection method based on CNN-GRU hierarchical neural network
CN114760098A (en) * 2022-03-16 2022-07-15 南京邮电大学 CNN-GRU-based power grid false data injection detection method and device
CN114944939A (en) * 2022-04-26 2022-08-26 武汉大学 Network attack situation prediction model construction method, device, equipment and storage medium
CN115086029A (en) * 2022-06-15 2022-09-20 河海大学 Network intrusion detection method based on two-channel space-time feature fusion

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
AU2018101513A4 (en) * 2018-10-11 2018-11-15 Hui, Bo Mr Comprehensive Stock Prediction GRU Model: Emotional Index and Volatility Based
CN112350899B (en) * 2021-01-07 2021-04-06 南京信息工程大学 Network flow prediction method based on graph convolution network fusion multi-feature input
CN113518063B (en) * 2021-03-01 2022-11-22 广东工业大学 Network intrusion detection method and system based on data enhancement and BilSTM
CN114553475A (en) * 2022-01-10 2022-05-27 国网浙江省电力有限公司杭州供电公司 Network attack detection method based on network flow attribute directed topology
CN114978613B (en) * 2022-04-29 2023-06-02 南京信息工程大学 Network intrusion detection method based on data enhancement and self-supervision feature enhancement

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Network anomaly detection and traffic classification based on spatio-temporal graph neural networks; Su Yongcai; China Master's Theses Full-text Database, Information Science and Technology, I139-49; 2022-06-15; Chapters 2 to 5 of the main text *

Also Published As

Publication number Publication date
CN115277258A (en) 2022-11-01

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant