CN116016289A - Mobile terminal-based data center detection method - Google Patents
- Publication number
- CN116016289A; CN202310289270.8A
- Authority
- CN
- China
- Prior art keywords
- convolution
- convolution layer
- mobile terminal
- layer
- data
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a mobile terminal-based data center detection method, which comprises the following steps: setting a mirror port in the foundation switch, and mirroring at least one port of the foundation switch to at least one mobile terminal to capture traffic data of the at least one mobile terminal; preprocessing the traffic data of the mobile terminal; establishing a traffic anomaly identification network model based on a convolutional neural network, inputting the preprocessed traffic data into the traffic anomaly identification network model, performing iterative training, stopping training when the identification accuracy meets a preset value or the loss value reaches its minimum, and outputting an identification result; responding according to the identification result, and triggering an early warning mechanism if the identification result is intrusion traffic. The invention reduces the number of model parameters, while the residual blocks address the vanishing-gradient problem and accelerate model training, so that anomalies in massive traffic data can be monitored rapidly and accurately.
Description
Technical Field
The invention relates to the technical field of mobile terminals, in particular to a mobile terminal-based data center detection method.
Background
With the development of mobile communication technology, people increasingly use the data services of mobile terminals to obtain information, but malicious software and mobile phone viruses affect the health of the mobile internet. The key to solving this problem is the study of network traffic monitoring technology, so network traffic monitoring technology, and traffic monitoring technology applicable to mobile terminals in the mobile internet environment, are widely discussed by scholars and industry at home and abroad.
Traffic monitoring in traditional networks is mainly realized by technologies such as traffic mirroring, machine-learning-based traffic monitoring and hardware-probe-based distributed monitoring, but there are fewer technical means for monitoring mobile terminal traffic data in a mobile internet environment. Monitoring of mobile terminal traffic data is mainly realized by technologies such as port-number classification based on a network server and feature matching. These can monitor the data in real time when the data volume is small, but the resources they occupy grow as the data volume increases, and anomalies in the data become difficult to monitor rapidly and accurately.
Disclosure of Invention
The present invention has been made in view of the above-described problems occurring in the prior art.
Therefore, the invention provides a mobile terminal-based data center detection method, which can solve the problem that the abnormal condition of data is difficult to monitor rapidly and accurately when the data volume is large.
In order to solve the above technical problems, the invention provides the following technical scheme: a mobile terminal-based data center detection method, comprising the following steps: setting a mirror port in the foundation switch, and mirroring at least one port of the foundation switch to at least one mobile terminal to capture traffic data of the at least one mobile terminal; preprocessing the traffic data; establishing a traffic anomaly identification network model based on a convolutional neural network, inputting the preprocessed traffic data into the traffic anomaly identification network model, performing iterative training, stopping training when the identification accuracy meets a preset value or the loss value reaches its minimum, and outputting an identification result; responding according to the identification result, and triggering an early warning mechanism if the identification result is intrusion traffic.
As a preferred scheme of the mobile terminal-based data center detection method of the present invention, the mirror port includes: setting the mirrored-traffic egress port in configuration mode, and modifying the egress port configuration so that different mirrored ports correspond to different traffic, including received traffic, sent traffic and bidirectional traffic, thereby creating a many-to-many mirror port.
As a preferred scheme of the mobile terminal-based data center detection method of the present invention, the preprocessing comprises: dividing the traffic data of the mobile terminal into a plurality of data blocks S_n according to the attributes of the traffic data, and labeling them as intrusion traffic or non-intrusion traffic according to the actual situation, wherein n is the number of attributes of the traffic data of the mobile terminal; replacing the source IP address and the target IP address of the data block S_n with random IP numbers; setting a preset length; if the length of the data block S_n is greater than the preset length, cutting off the front section of the data block S_n so that the length of the rear section is consistent with the preset length; if the length of the data block S_n is smaller than the preset length, padding 0 in front of the data block S_n so that its length is consistent with the preset length.
As a preferred scheme of the mobile terminal-based data center detection method of the present invention, the preprocessing comprises: dividing the traffic data of the mobile terminal into a plurality of data blocks S_n according to the attributes of the traffic data, and labeling them as intrusion traffic or non-intrusion traffic according to the actual situation, wherein n is the number of attributes of the traffic data of the mobile terminal; replacing the MAC address and the IP address in each data block S_n with random IP numbers, and cleaning up duplicate data blocks; setting a preset length of m bytes and cutting the data block S_n according to the preset length; if the length of the data block S_n is shorter than the preset length, padding 1 after the data block S_n.
As a preferred scheme of the mobile terminal-based data center detection method of the present invention, the traffic anomaly identification network model that is established comprises a first convolution layer, a second convolution layer, a first residual block, a second residual block, a third convolution layer, a pooling layer and a fully connected layer; a ReLU6 activation function is adopted between the first convolution layer and the second convolution layer, a ReLU6 activation function is adopted between the second convolution layer and the first residual block, a Leaky ReLU activation function is adopted between the first residual block and the second residual block, a Leaky ReLU activation function is adopted between the second residual block and the third convolution layer, and a hard-Sigmoid activation function is adopted between the third convolution layer and the pooling layer.
As a preferred scheme of the mobile terminal-based data center detection method of the present invention, the method further comprises: the first convolution layer is a PW convolution, the convolution kernel is 1*1, and the dimension-raising coefficient is set to 6; the second convolution layer is a DW convolution, and the convolution kernel is 3*3; the third convolution layer is a PW convolution, the convolution kernel is 1*1, and the dimension-reduction coefficient is set to 6; the pooling layer adopts average pooling, and the pooling window is 7*7.
As a preferred scheme of the mobile terminal-based data center detection method of the present invention, the first and second residual blocks include: the stride of the first residual block is 1, and the first residual block comprises a first input layer, a fourth convolution layer, a fifth convolution layer, a sixth convolution layer, a first output layer and a Shortcut structure, the input and the output being added together through the Shortcut structure; the fourth convolution layer is a PW convolution, and the convolution kernel is 1*1; the fifth convolution layer is a DW convolution, the convolution kernel is 3*3, and a ReLU6 activation function is adopted between the fourth convolution layer and the fifth convolution layer; the sixth convolution layer is a PW convolution, the convolution kernel is 1*1, a ReLU6 activation function is adopted between the fifth convolution layer and the sixth convolution layer, and a hard-Sigmoid activation function is adopted between the sixth convolution layer and the first output layer; the stride of the second residual block is 2, and the second residual block comprises a second input layer, a seventh convolution layer, an eighth convolution layer, a ninth convolution layer and a second output layer; the seventh convolution layer is a PW convolution, and the convolution kernel is 1*1; the eighth convolution layer is a DW convolution, the convolution kernel is 3*3, and a ReLU6 activation function is adopted between the seventh convolution layer and the eighth convolution layer; the ninth convolution layer is a PW convolution, the convolution kernel is 1*1, a ReLU6 activation function is adopted between the eighth convolution layer and the ninth convolution layer, and a hard-Sigmoid activation function is adopted between the ninth convolution layer and the second output layer.
As a preferred scheme of the mobile terminal-based data center detection method of the present invention, the iterative training includes: inputting 40% of the preprocessed traffic data into the traffic anomaly identification network model, training by stochastic gradient descent, and freezing the first convolution layer, the second convolution layer, the third convolution layer, the pooling layer and the fully connected layer when the number of training times reaches 50; training the first residual block and the second residual block with the remaining 60% of the preprocessed traffic data, and stopping training when the identification accuracy reaches a preset value or the loss value reaches its minimum.
As a preferred scheme of the mobile terminal-based data center detection method of the present invention, the method comprises: the loss value includes: setting a learning rate, and constructing a loss function based on the cross entropy function:
wherein Loss is the loss value, for the expected output value of the traffic anomaly identification network model, Y is the actual output value of the traffic anomaly identification network model, γ is the learning rate, L_ls is the multi-class cross-entropy function, and N is the weight of the traffic anomaly identification network model.
As a preferred scheme of the mobile terminal-based data center detection method of the present invention, the early warning mechanism comprises: notifying a network administrator to cut off the network carrying the intrusion traffic, and applying port filtering and blacklist settings to the intrusion traffic.
The invention has the following beneficial effects: a traffic anomaly identification network model is established based on a convolutional neural network; combining PW convolution and DW convolution reduces the number of parameters and the resources occupied, while the residual blocks address the vanishing-gradient problem and accelerate model training, so that anomalies in massive traffic data can be monitored rapidly and accurately.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art. Wherein:
fig. 1 is a schematic diagram of traffic data cutting and filling of a mobile terminal according to a first embodiment of the present invention.
Detailed Description
So that the manner in which the above recited objects, features and advantages of the present invention can be understood in detail, a more particular description of the invention, briefly summarized above, may be had by reference to the embodiments, some of which are illustrated in the appended drawings. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, but the present invention may be practiced in other ways other than those described herein, and persons skilled in the art will readily appreciate that the present invention is not limited to the specific embodiments disclosed below.
Further, reference herein to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic can be included in at least one implementation of the invention. The appearances of the phrase "in one embodiment" in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments.
While the embodiments of the present invention have been illustrated and described in detail in the drawings, the cross-sectional view of the device structure is not to scale in the general sense for ease of illustration, and the drawings are merely exemplary and should not be construed as limiting the scope of the invention. In addition, the three-dimensional dimensions of length, width and depth should be included in actual fabrication.
Also in the description of the present invention, it should be noted that the orientation or positional relationship indicated by the terms "upper, lower, inner and outer", etc. are based on the orientation or positional relationship shown in the drawings, are merely for convenience of describing the present invention and simplifying the description, and do not indicate or imply that the apparatus or elements referred to must have a specific orientation, be constructed and operated in a specific orientation, and thus should not be construed as limiting the present invention. Furthermore, the terms "first, second, or third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
The terms "mounted, connected, and coupled" should be construed broadly in this disclosure unless otherwise specifically indicated and defined, such as: can be fixed connection, detachable connection or integral connection; it may also be a mechanical connection, an electrical connection, or a direct connection, or may be indirectly connected through an intermediate medium, or may be a communication between two elements. The specific meaning of the above terms in the present invention will be understood in specific cases by those of ordinary skill in the art.
Example 1
Referring to fig. 1, a first embodiment of the present invention provides a mobile terminal-based data center detection method, including:
S1: Setting a mirror port in the foundation switch, and mirroring at least one port of the foundation switch to at least one mobile terminal so as to capture the traffic data of the at least one mobile terminal.
The mirrored-traffic egress port is set in configuration mode, and the egress port configuration is modified so that different mirrored ports correspond to different traffic, including received traffic, sent traffic and bidirectional traffic, thereby creating a many-to-many mirror port.
S2: Preprocessing the traffic data.
The traffic data of the mobile terminal is divided into a plurality of data blocks S_n according to the attributes of the traffic data, and the blocks are labeled as intrusion traffic or non-intrusion traffic according to the actual situation, wherein n is the number of attributes of the traffic data of the mobile terminal; the attributes of the traffic data are, for example, source host IP address, destination IP address, source port number, destination port number, IP protocol, direction of data flow, packet size, packet time interval, number of secondary links, etc.
The source IP address and the target IP address of the data block S_n are replaced with random IP numbers.
As shown in fig. 1, a preset length is set to k bytes (dotted line in fig. 1), and the data block S_n is assumed to be i bytes (solid line in fig. 1). If the length of the data block S_n is greater than the preset length, the front section of the data block S_n is cut off so that the length of the rear section is consistent with the preset length; if the length of the data block S_n is smaller than the preset length, 0 is padded in front of the data block S_n so that its length is consistent with the preset length.
S3: Establishing a traffic anomaly identification network model based on the convolutional neural network, inputting the preprocessed traffic data into the traffic anomaly identification network model, performing iterative training, stopping training when the identification accuracy meets a preset value or the loss value reaches its minimum, and outputting an identification result.
The traffic anomaly identification network model comprises a first convolution layer, a second convolution layer, a first residual block, a second residual block, a third convolution layer, a pooling layer and a fully connected layer; a ReLU6 activation function is adopted between the first convolution layer and the second convolution layer, a ReLU6 activation function is adopted between the second convolution layer and the first residual block, a Leaky ReLU activation function is adopted between the first residual block and the second residual block, a Leaky ReLU activation function is adopted between the second residual block and the third convolution layer, and a hard-Sigmoid activation function is adopted between the third convolution layer and the pooling layer.
Specifically, the ReLU6 activation function is:
y=ReLU6(x)=min(max(x,0),6)
where x is the input and y is the output.
The first convolution layer is a PW (Point-wise) convolution, the convolution kernel is 1*1, and the dimension-raising coefficient is set to 6; the second convolution layer is a DW (Depth-wise) convolution, and the convolution kernel is 3*3; the third convolution layer is a PW convolution, the convolution kernel is 1*1, and the dimension-reduction coefficient is set to 6; the pooling layer adopts average pooling, and the pooling window is 7*7.
The stride of the first residual block is 1, and the first residual block comprises a first input layer, a fourth convolution layer, a fifth convolution layer, a sixth convolution layer, a first output layer and a Shortcut structure, the input and the output being added together through the Shortcut structure; the fourth convolution layer is a PW convolution, and the convolution kernel is 1*1; the fifth convolution layer is a DW convolution, the convolution kernel is 3*3, and a ReLU6 activation function is adopted between the fourth convolution layer and the fifth convolution layer; the sixth convolution layer is a PW convolution, the convolution kernel is 1*1, a ReLU6 activation function is adopted between the fifth convolution layer and the sixth convolution layer, and a hard-Sigmoid activation function is adopted between the sixth convolution layer and the first output layer.
The stride of the second residual block is 2, and the second residual block comprises a second input layer, a seventh convolution layer, an eighth convolution layer, a ninth convolution layer and a second output layer; the seventh convolution layer is a PW convolution, and the convolution kernel is 1*1; the eighth convolution layer is a DW convolution, the convolution kernel is 3*3, and a ReLU6 activation function is adopted between the seventh convolution layer and the eighth convolution layer; the ninth convolution layer is a PW convolution, the convolution kernel is 1*1, a ReLU6 activation function is adopted between the eighth convolution layer and the ninth convolution layer, and a hard-Sigmoid activation function is adopted between the ninth convolution layer and the second output layer.
A traditional convolutional neural network generally uses a 3*3 DW convolution for feature extraction and then a 1*1 convolution to expand the channels, but many empty convolution kernels appear during training. To solve this problem, the invention adds a 1*1 PW convolution before the 3*3 DW convolution to reduce the dimension, so that the DW convolution can extract features better. Further, the residual blocks compress the features, and the third convolution layer (namely the 1*1 PW convolution) reduces the dimension. Meanwhile, ReLU is replaced by a linear ReLU6 activation function and a Leaky ReLU activation function, and finally the identification result is output through the average pooling layer and the fully connected layer, so that information loss is greatly reduced.
Since the activation function can effectively increase nonlinearity in a high-dimensional space, but destroy characteristics in a low-dimensional space, the main functions of the third convolution layer, the sixth convolution layer and the ninth convolution layer are dimension reduction, and nonlinear activation functions, such as hard-Sigmoid activation functions, are preferably used after dimension reduction.
Further, in order to improve the identification accuracy of the traffic anomaly identification network model, the model must be trained iteratively. Specifically, 40% of the preprocessed traffic data is input into the traffic anomaly identification network model and training is performed by stochastic gradient descent; when the number of training times reaches 50, the first convolution layer, the second convolution layer, the third convolution layer, the pooling layer and the fully connected layer are frozen.
The first residual block and the second residual block are then trained with the remaining 60% of the preprocessed traffic data, and training stops when the identification accuracy reaches a preset value.
Alternatively, training stops when the loss value of the traffic anomaly identification network model reaches its minimum; a learning rate is set and a loss function is constructed based on the cross entropy function:
wherein Loss is the loss value, for the expected output value of the traffic anomaly identification network model, Y is the actual output value of the traffic anomaly identification network model, γ is the learning rate, which is set to 0.01, L_ls is the multi-class cross-entropy function, and N is the weight of the traffic anomaly identification network model.
The captured traffic data of the mobile terminal can be input directly into the trained anomaly identification network model for identification, and the identification result is output directly.
S4: responding according to the identification result, and triggering an early warning mechanism if the identification result is the intrusion flow.
A response is made according to the identification result: if the identification result is intrusion traffic, a network administrator is notified to cut off the network carrying the intrusion traffic, and port filtering and blacklist settings are applied to the intrusion traffic.
Example 2
The present embodiment differs from the first embodiment in that it provides another method for preprocessing the traffic data of a mobile terminal, comprising:
S1: Dividing the traffic data of the mobile terminal into a plurality of data blocks S_n according to the attributes of the traffic data, and labeling them as intrusion traffic or non-intrusion traffic according to the actual situation, wherein n is the number of attributes of the traffic data of the mobile terminal.
The attributes of the traffic data are, for example, source host IP address, destination IP address, source port number, destination port number, IP protocol, direction of data flow, packet size, packet time interval, number of secondary links, etc.
S2: Replacing the MAC address and the IP address in each data block S_n with randomly generated addresses, and cleaning up duplicate data blocks.
S3: Setting the preset length to m bytes and cutting the data block S_n according to the preset length; if the length of the data block S_n is shorter than the preset length, padding 1 after the data block S_n.
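The two preprocessing variants of Example 1 and Example 2, written out as an added example (not code from the patent). It assumes each data block is an Ethernet II frame carrying IPv4, that Example 2 keeps the first m bytes when cutting and pads with the byte 0x01; all function names, the constructed sample frames and the checksum recomputation are illustrative additions.

```python
import random
import socket
import struct

ETH_LEN, IP_MIN = 14, 20  # Ethernet II header and minimal IPv4 header sizes


def ip_checksum(header: bytes) -> int:
    """RFC 1071 checksum of an IPv4 header; returns 0 for a header that is valid."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def anonymize(frame: bytes, rng: random.Random, scrub_mac: bool) -> bytes:
    """Overwrite source/destination IPv4 (and optionally MAC) addresses with random bytes."""
    buf = bytearray(frame)
    if scrub_mac and len(buf) >= ETH_LEN:
        buf[0:12] = bytes(rng.getrandbits(8) for _ in range(12))
    # Frames that are not IPv4-over-Ethernet are passed through unchanged (assumption).
    if len(buf) >= ETH_LEN + IP_MIN and buf[12:14] == b"\x08\x00":
        ihl = (buf[ETH_LEN] & 0x0F) * 4
        if IP_MIN <= ihl <= len(buf) - ETH_LEN:
            buf[ETH_LEN + 12:ETH_LEN + 20] = bytes(rng.getrandbits(8) for _ in range(8))
            # Added step, not in the patent text: recompute the header checksum so the
            # stale value neither looks corrupt nor leaks the sum of the old addresses.
            buf[ETH_LEN + 10:ETH_LEN + 12] = b"\x00\x00"
            csum = ip_checksum(bytes(buf[ETH_LEN:ETH_LEN + ihl]))
            struct.pack_into("!H", buf, ETH_LEN + 10, csum)
    return bytes(buf)


def fit_front(block: bytes, k: int) -> bytes:
    """Example 1: cut off the front so the rear k bytes remain; pad 0x00 in front."""
    return block[-k:] if len(block) >= k else b"\x00" * (k - len(block)) + block


def fit_back(block: bytes, m: int) -> bytes:
    """Example 2: cut to m bytes (first m kept, an assumption); pad 0x01 at the end."""
    return block[:m] if len(block) >= m else block + b"\x01" * (m - len(block))


def preprocess(samples, length: int, variant: int, seed=None):
    """samples: iterable of (frame, label). Returns fixed-length (block, label) pairs."""
    if length <= 0 or variant not in (1, 2):
        raise ValueError("length must be positive and variant must be 1 or 2")
    rng = random.Random(seed)  # seed only for a reproducible demonstration
    out, seen = [], set()
    for frame, label in samples:
        if variant == 2:
            # Duplicates are dropped before randomisation: once every copy gets its
            # own random addresses, identical blocks no longer compare equal.
            if frame in seen:
                continue
            seen.add(frame)
        block = anonymize(frame, rng, scrub_mac=(variant == 2))
        block = fit_front(block, length) if variant == 1 else fit_back(block, length)
        out.append((block, label))
    return out


def make_frame(src: str, dst: str, payload: bytes) -> bytes:
    """Build a constructed Ethernet II + IPv4 frame (protocol 253 = experimental)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_MIN + len(payload), 0, 0, 64, 253, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return bytes.fromhex("020000000001020000000002") + b"\x08\x00" + ip + payload


# Constructed sample data: documentation addresses, made-up payloads and labels.
SAMPLES = [
    (make_frame("192.0.2.10", "198.51.100.7", b"A" * 40), "normal"),
    (make_frame("192.0.2.10", "198.51.100.7", b"A" * 40), "normal"),  # duplicate
    (make_frame("192.0.2.66", "198.51.100.7", b"B" * 4), "intrusion"),
]

if __name__ == "__main__":
    for variant in (1, 2):
        for block, label in preprocess(SAMPLES, 64, variant, seed=1):
            print(variant, label, len(block), block.hex())
```

With a preset length of 64 bytes, the 74-byte frames are cut and the 38-byte frame is padded, so both variants produce equal-length model inputs while the labels stay attached to their blocks.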
It should be noted that the above embodiments are only for illustrating the technical solution of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that the technical solution of the present invention may be modified or substituted without departing from the spirit and scope of the technical solution of the present invention, which is intended to be covered in the scope of the claims of the present invention.
Claims (10)
1. The data center detection method based on the mobile terminal is characterized by comprising the following steps of:
setting a mirror port in the foundation switch, and mirroring at least one port of the foundation switch to at least one mobile terminal to capture traffic data of the at least one mobile terminal;
preprocessing the traffic data of the mobile terminal;
establishing a traffic anomaly identification network model based on a convolutional neural network, inputting the preprocessed traffic data into the traffic anomaly identification network model, performing iterative training, stopping training when the identification accuracy meets a preset value or the loss value reaches its minimum, and outputting an identification result;
responding according to the identification result, and triggering an early warning mechanism if the identification result is intrusion traffic.
2. The mobile terminal based data center detection method of claim 1, wherein the mirror port comprises:
setting the mirrored-traffic egress port in configuration mode, and modifying the egress port configuration so that different mirrored ports correspond to different traffic, including received traffic, sent traffic and bidirectional traffic, thereby creating a many-to-many mirror port.
3. The mobile terminal based data center detection method of claim 2, wherein the preprocessing comprises:
dividing the traffic data of the mobile terminal into a plurality of data blocks S_n according to the attributes of the traffic data, and labeling them as intrusion traffic or non-intrusion traffic according to the actual situation, wherein n is the number of attributes of the traffic data of the mobile terminal;
replacing the source IP address and the target IP address of the data block S_n with random IP numbers;
setting a preset length; if the length of the data block S_n is greater than the preset length, cutting off the front section of the data block S_n so that the length of the rear section is consistent with the preset length; if the length of the data block S_n is smaller than the preset length, padding 0 in front of the data block S_n so that its length is consistent with the preset length.
4. The mobile terminal based data center detection method of claim 2, wherein the preprocessing comprises:
dividing the traffic data of the mobile terminal into a plurality of data blocks S_n according to the attributes of the traffic data, and labeling them as intrusion traffic or non-intrusion traffic according to the actual situation, wherein n is the number of attributes of the traffic data of the mobile terminal;
replacing the MAC address and the IP address in each data block S_n with random IP numbers, and cleaning up duplicate data blocks;
setting a preset length of m bytes and cutting the data block S_n according to the preset length; if the length of the data block S_n is shorter than the preset length, padding 1 after the data block S_n.
5. The mobile terminal based data center detection method of claim 3 or 4, wherein the traffic anomaly identification network model that is established includes a first convolution layer, a second convolution layer, a first residual block, a second residual block, a third convolution layer, a pooling layer, and a fully connected layer;
a ReLU6 activation function is adopted between the first convolution layer and the second convolution layer, a ReLU6 activation function is adopted between the second convolution layer and the first residual block, a Leaky ReLU activation function is adopted between the first residual block and the second residual block, a Leaky ReLU activation function is adopted between the second residual block and the third convolution layer, and a hard-Sigmoid activation function is adopted between the third convolution layer and the pooling layer.
6. The mobile terminal-based data center detection method of claim 5, further comprising:
the first convolution layer is a PW convolution, the convolution kernel is 1×1, and the dimension-raising coefficient is set to 6; the second convolution layer is a DW convolution, and the convolution kernel is 3×3; the third convolution layer is a PW convolution, the convolution kernel is 1×1, and the dimension reduction coefficient is set to 6; the pooling layer adopts average pooling, and the pooling window is 7×7.
7. The mobile terminal based data center detection method of claim 6, wherein the first residual block and the second residual block comprise:
the stride of the first residual block is 1, and the first residual block comprises a first input layer, a fourth convolution layer, a fifth convolution layer, a sixth convolution layer, a first output layer and a shortcut structure, the input and the output being superimposed through the shortcut structure; the fourth convolution layer is a PW convolution, and the convolution kernel is 1×1; the fifth convolution layer is a DW convolution, the convolution kernel is 3×3, and a ReLU6 activation function is adopted between the fourth convolution layer and the fifth convolution layer; the sixth convolution layer is a PW convolution, the convolution kernel is 1×1, a ReLU6 activation function is adopted between the fifth convolution layer and the sixth convolution layer, and a hard-Sigmoid activation function is adopted between the sixth convolution layer and the first output layer;
the stride of the second residual block is 2, and the second residual block comprises a second input layer, a seventh convolution layer, an eighth convolution layer, a ninth convolution layer and a second output layer; the seventh convolution layer is a PW convolution, and the convolution kernel is 1×1; the eighth convolution layer is a DW convolution, the convolution kernel is 3×3, and a ReLU6 activation function is adopted between the seventh convolution layer and the eighth convolution layer; the ninth convolution layer is a PW convolution, the convolution kernel is 1×1, a ReLU6 activation function is adopted between the eighth convolution layer and the ninth convolution layer, and a hard-Sigmoid activation function is adopted between the ninth convolution layer and the second output layer.
8. The mobile terminal based data center detection method of claim 7, wherein the iterative training comprises:
inputting 40% of the preprocessed traffic data into the traffic anomaly identification network model, training by a stochastic gradient descent method, and freezing the first convolution layer, the second convolution layer, the third convolution layer, the pooling layer and the fully connected layer when the number of training iterations reaches 50;
training the first residual block and the second residual block by using the remaining 60% of the preprocessed traffic data, and stopping training when the identification precision reaches a preset value or the loss value reaches the minimum value.
9. The mobile terminal based data center detection method of claim 8, wherein the loss value comprises:
setting a learning rate, and constructing a loss function based on the cross entropy function:
wherein Loss is the loss value, for the expected output value of the traffic anomaly identification network model, Y is the actual output value of the traffic anomaly identification network model, γ is the learning rate, L_ls is the multi-class cross entropy function, and N is the weight of the traffic anomaly identification network model.
10. The mobile terminal-based data center detection method of claim 1, wherein the early warning mechanism comprises:
notifying a network manager to cut off the network carrying the intrusion traffic, and performing port filtering and blacklist setting on the intrusion traffic.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310289270.8A CN116016289A (en) | 2023-03-23 | 2023-03-23 | Mobile terminal-based data center detection method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116016289A true CN116016289A (en) | 2023-04-25 |
Family
ID=86035804
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310289270.8A Withdrawn CN116016289A (en) | 2023-03-23 | 2023-03-23 | Mobile terminal-based data center detection method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116016289A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
WW01 | Invention patent application withdrawn after publication | ||
Application publication date: 20230425 |