CN116366319A - Method and system for detecting network security - Google Patents

Method and system for detecting network security

Info

Publication number
CN116366319A
Authority
CN
China
Prior art keywords
network
training
model
neural network
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310280503.8A
Other languages
Chinese (zh)
Inventor
吕爱妮
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Anqing Lugeni Network Technology Co ltd
Original Assignee
Anqing Lugeni Network Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Anqing Lugeni Network Technology Co ltd
Priority to CN202310280503.8A
Publication of CN116366319A
Legal status: Pending (current)

Classifications

    • H04L 63/1425: Network architectures or network communication protocols for network security; detecting or protecting against malicious traffic by monitoring network traffic; traffic logging, e.g. anomaly detection
    • H04L 41/142: Arrangements for maintenance, administration or management of data switching networks; network analysis or design using statistical or mathematical methods
    • H04L 41/147: Network analysis or design for predicting network behaviour
    • H04L 41/16: Arrangements for maintenance, administration or management of data switching networks using machine learning or artificial intelligence
    • H04L 63/1441: Countermeasures against malicious traffic
    • Y02D 30/50: Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mathematical Analysis (AREA)
  • Pure & Applied Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Physics (AREA)
  • Probability & Statistics with Applications (AREA)
  • Algebra (AREA)
  • Artificial Intelligence (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Databases & Information Systems (AREA)
  • Evolutionary Computation (AREA)
  • Medical Informatics (AREA)
  • Software Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the application discloses a method and a system for detecting network security, which relate to the technical field of network security and comprise the following steps: step S1, obtaining network traffic data in an NIDS; step S2, screening out of the network traffic data a public network traffic data set that has suffered attack events, training on it, and taking the trained public network traffic data set as the training set; step S3, constructing a network model that combines a convolutional neural network, a recurrent neural network, a deep belief network and a probabilistic neural network; step S4, guiding the network model to learn by using a loss function; step S5, completing the training of the network model; and step S6, detecting network security by using the trained network model. According to the method and the device, the false alarm rate for abnormal network traffic can be effectively reduced, a more accurate prediction of network security events can be obtained, and problems such as information redundancy and long training time in intrusion detection can be alleviated.

Description

Method and system for detecting network security
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a method and system for detecting network security.
Background
Today network security has become one of the most important problems in cyberspace, with a tremendous impact on all kinds of critical infrastructure. Traditional security relies on the static control of security devices deployed at specific edges or nodes, such as firewalls, intrusion detection systems and intrusion prevention systems, which monitor network security according to predefined rules. However, this passive defence approach is not sufficiently effective at protecting systems and defending against new network security threats such as advanced persistent threats (APT) and zero-day attacks. In addition, network threats can occur anytime and anywhere, and diversified attack entry points, advanced intrusion patterns and system attack tools reduce the cost of mounting an attack. To maximise the security of core system assets, there is an urgent need to develop innovative and intelligent defence approaches that address diverse and persistent threats. A new network security defence and protection system should acquire historical and current security state data and make intelligent decisions that adapt to security management and control.
With the growing importance of network security and artificial intelligence in recent years, research on intrusion detection systems (IDS) is actively studying how to draw on the advantages of deep learning. Network intrusion detection systems (NIDS) were created to defend effectively against various types of network attacks and to keep the network system operating normally. Currently, an NIDS identifies malicious attack behaviour mainly by analysing the network traffic at critical network nodes. In the past few years, deep learning has made significant progress in solving artificial intelligence problems in application scenarios such as speech and image recognition, object detection and semantic translation. Many studies have shown that deep learning can outperform traditional methods in anomaly detection, classification and prediction. However, IDS performance depends heavily on feature design, and anomaly-based IDS have a high false positive rate and do not perform well in practice.
In order to solve the above problems, the present invention provides a method and a system for detecting network security, which can effectively reduce the false alarm rate of abnormal network traffic, and obtain a network security event prediction effect with higher accuracy.
Disclosure of Invention
The embodiment of the application provides a method for detecting network security.
In order to achieve the above purpose, the embodiments of the present application adopt the following technical solutions:
in a first aspect, a method of detecting network security is provided, the method comprising the steps of:
step S1, obtaining network traffic data in an NIDS;
step S2, screening out of the network traffic data a public network traffic data set that has suffered attack events, training on it, and taking the trained public network traffic data set as the training set;
step S3, constructing a network model, wherein the network model combines a convolutional neural network, a recurrent neural network, a deep belief network and a probabilistic neural network, and the convolutional neural network, the recurrent neural network, the deep belief network and the probabilistic neural network are connected in sequence;
step S4, guiding the network model to learn by using a loss function;
and step S5, presetting the relevant hyperparameters, optimising the network parameter weights by iterating continuously so that the loss value decays, until the iteration count equals the maximum number of iterations, at which point training on the training set stops and training of the network model is complete.
In one possible embodiment, step S1 includes:
acquiring the network traffic data in the NIDS using the libpcap development library.
In one possible implementation, step S2 includes:
constructing the public network traffic data set, by data preprocessing, into a time series containing a plurality of consecutive traffic data items, where each training sample consists of two time series of adjacent time stamps.
In one possible implementation, step S3 includes:
first, performing time-series preprocessing on the network traffic data in the NIDS and learning temporal features with the recurrent neural network;
then, learning the spatial features of the network traffic with the deep belief network;
and then classifying the resulting low-dimensional data with the probabilistic neural network.
In one possible implementation, step S4 includes:
guiding the network model to learn with a classification loss function and a localization regression loss function.
In one possible implementation, step S5 includes:
using the trained network model to predict the network traffic time series at the subsequent time stamp.
In one possible implementation, step S6 includes:
classifying the security events of the network traffic time series with the trained network model so as to estimate the occurrence probability of network security events in the next time period, thereby detecting network security.
In a second aspect, the present invention further provides a system for detecting network security, including an acquisition unit, a model construction unit, a model training unit and a processing unit, where:
the acquisition unit is configured to acquire the network traffic data in the NIDS, screen out of the network traffic data a public network traffic data set that has suffered attack events, train on it, and take the trained public network traffic data set as the training set;
the model construction unit is configured to construct a network model, wherein the network model combines a convolutional neural network, a recurrent neural network, a deep belief network and a probabilistic neural network, and the convolutional neural network, the recurrent neural network, the deep belief network and the probabilistic neural network are connected in sequence;
the model training unit is configured to guide the network model to learn by using a loss function, and to preset the relevant hyperparameters, optimise the network parameter weights by iterating continuously so that the loss value decays, until the iteration count equals the maximum number of iterations, at which point training on the training set stops and training of the network model is complete;
and the processing unit is configured to detect network security by using the trained network model.
In a third aspect, the present invention also provides an electronic device comprising a processor and a memory, the processor implementing the system for detecting network security according to the second aspect.
In a fourth aspect, the present invention also provides a computer-readable storage medium comprising instructions; when the instructions are executed on the electronic device of the third aspect, the electronic device is caused to perform the method of the first aspect.
Drawings
Fig. 1 is a schematic structural diagram of a network model in a method and a system for detecting network security according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of a system in a method and a system for detecting network security according to an embodiment of the present application;
the invention provides a method and a system for detecting network security, which can effectively reduce the false alarm rate of abnormal network traffic and obtain the network security event prediction effect with higher accuracy.
The invention predicts and identifies the current network flow, and realizes the network flow abnormality prediction function of real-time automatic monitoring NIDS. The method can also solve the problems of redundant information, long training time, easy sinking into local optimum and the like in intrusion detection.
Detailed Description
It should be noted that the terms "first," "second," and the like in the embodiments of the present application are used for distinguishing between the same type of feature, and not to be construed as indicating a relative importance, quantity, order, or the like.
The terms "exemplary" or "such as" and the like, as used in connection with embodiments of the present application, are intended to be exemplary, or descriptive. Any embodiment or design described herein as "exemplary" or "for example" should not be construed as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "such as" is intended to present related concepts in a concrete fashion.
The terms "coupled" and "connected" in connection with embodiments of the present application are to be construed broadly, and may refer, for example, to a physical direct connection, or to an indirect connection via electronic devices, such as, for example, a connection via electrical resistance, inductance, capacitance, or other electronic devices.
Example 1:
As shown in FIG. 1, a deep belief network (DBN) is a neural network used in machine learning that can be applied to both unsupervised and supervised learning. A DBN is a generative probabilistic model: in contrast to a neural network trained as a conventional discriminative model, the generative model establishes a joint distribution between the observed data and the labels. By training the weights between its neurons, the whole network can be made to generate the training data with maximum probability.
Probabilistic neural networks (PNNs) belong to the class of supervised network classifiers.
In this embodiment, a network model is constructed that combines a recurrent neural network, a deep belief network and a probabilistic neural network. The network traffic data in the NIDS are first preprocessed into time series, and temporal features are learned using a recurrent neural network (LSTM). The spatial features of the network traffic are then learned using a deep belief network; the deep belief network has non-linear learning capability and can extract the essential features from the raw data, and the number of hidden nodes in each of its layers is optimised with a particle swarm optimisation algorithm. The resulting low-dimensional data are classified with a probabilistic neural network (PNN). The network model trained through the preceding steps is used to predict the network traffic time series at the subsequent time stamp, and finally the trained network model classifies the security events in order to estimate the occurrence probability of network security events in the next time period.
According to the method for detecting network security, the libpcap development library is first used to acquire the network traffic data in the NIDS. Before the convolutional neural network, the network traffic data are converted into an image-like representation so that the convolutional neural network's strength in extracting spatial features from image data can be used for spatial feature training and security event identification, which addresses the high false alarm rate for abnormal network traffic in the NIDS. Then, building on the recurrent neural network's suitability for training on time series, network traffic prediction is treated as a time-series prediction problem for temporal feature training and traffic trend prediction, which makes traffic prediction by the NIDS feasible. Finally, the convolutional neural network, recurrent neural network, deep belief network and probabilistic neural network are combined to predict and identify the current network traffic, realising real-time, automatic monitoring and prediction of network traffic anomalies in the NIDS. The method can also alleviate problems such as redundant information, long training time and a tendency to become trapped in local optima in intrusion detection.
Example 2:
This embodiment further optimises embodiment 1. Data acquisition is the basis of intrusion detection: the data acquisition module has to monitor network packets, perform IP reassembly, perform TCP/UDP protocol analysis and analyse application-layer protocol data streams. The effectiveness of intrusion detection depends to a large extent on the reliability and correctness of the information collected. In a network-based intrusion detection system, the data acquisition module has to monitor the network traffic of a given network segment or host of the protected network and, after preprocessing, obtain state and behaviour information about network, system, user and application activity. Data acquisition must be performed at several key points in the network. The NIDS uses all traffic on the network segment as its data source; in an Ethernet environment it captures the packets on the monitored segment by placing the network interface card in promiscuous mode. Network data acquisition exploits the broadcast nature of shared-medium Ethernet: frames are delivered to every station on the segment, but during normal operation an application only receives packets whose destination is its own host, and all other packets are discarded. To collect all data flowing through the segment, the network card must first be put into promiscuous mode so that it accepts frames whose destination MAC address is not its own; the data link layer is then accessed directly, the relevant data are intercepted, and the application filters them, so that all data flowing through the network card can be monitored. On a switched Ethernet, where the switch forwards unicast frames only to the port of their destination, promiscuous mode alone is not enough: the capture interface must be attached to a mirror (SPAN) port or a network tap to see the segment's traffic. To improve efficiency, packet filtering should be implemented in the system kernel, and packet capture should be developed using libpcap.
libpcap is an implementation-independent packet capture library for accessing the data link layer. It wraps the packet capture mechanism provided by the operating system, the BPF filtering mechanism implemented at the kernel level and a number of interface functions, and its C function interface can be used to develop any system that needs to capture the packets passing through a network interface. The library offers a consistent programming interface across platforms, so a program written against libpcap can be used unchanged on any platform on which libpcap is installed. libpcap captures the data frames on the network; those frames then require protocol analysis.
The protocol analysis process is as follows: first, packets on the monitored subnet are obtained from the network according to predefined filtering rules; then the TCP/IP stack is processed from the bottom up, mainly IP reassembly and TCP/UDP-layer protocol processing; and finally application-layer protocol analysis is performed.
Other portions of this embodiment are the same as those of embodiment 1, and thus will not be described in detail.
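The capture-to-protocol-analysis path described in this embodiment, as an added example that is not part of the patent and not the applicant's code: it stands in for the libpcap callback by feeding constructed Ethernet frames (built inline, addresses and payload invented for the test) through the bottom-up walk the text describes, Ethernet, then IPv4 with fragment reassembly, then TCP/UDP with the remainder handed up as application data. The overlapping-fragment check is an added practitioner caveat, since overlapping fragments are a classic NIDS evasion; the capture itself (promiscuous mode plus a kernel BPF rule) cannot run offline and is only noted in the module comment.

```python
"""Bottom-up protocol analysis for an NIDS acquisition module (added example, not patent code).
In production the frames arrive in a libpcap callback after pcap_open_live(dev, snaplen, 1, ...)
with promiscuous mode on and a kernel BPF rule set via pcap_compile/pcap_setfilter."""
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17

def parse_ethernet(frame: bytes) -> dict:
    """Ethernet II: 6-byte dst, 6-byte src, 2-byte EtherType, then payload."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype, "payload": frame[14:]}

def parse_ipv4(packet: bytes) -> dict:
    """Fixed IPv4 header; identification, flags and offset drive fragment reassembly."""
    (vihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if vihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (vihl & 0x0F) * 4
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "id": ident,
            "proto": proto, "more_fragments": bool(flags_frag & 0x2000),
            "frag_offset": (flags_frag & 0x1FFF) * 8,      # offset field is in 8-byte units
            "payload": packet[ihl:total_len]}

class Ipv4Reassembler:
    """Collect fragments per (src, dst, id, proto); emit the datagram once it is complete."""
    def __init__(self):
        self._frags = defaultdict(dict)   # key -> {fragment offset: payload bytes}
        self._total = {}                  # key -> datagram length, known once the last fragment is seen

    def feed(self, ip: dict):
        if not ip["more_fragments"] and ip["frag_offset"] == 0:
            return ip["payload"]          # unfragmented: pass straight through
        key = (ip["src"], ip["dst"], ip["id"], ip["proto"])
        self._frags[key][ip["frag_offset"]] = ip["payload"]
        if not ip["more_fragments"]:
            self._total[key] = ip["frag_offset"] + len(ip["payload"])
        if key not in self._total:
            return None                   # last fragment not seen yet
        buf = b""
        for off in sorted(self._frags[key]):
            if off > len(buf):
                return None               # hole: wait for the missing fragment
            if off < len(buf):            # overlapping fragments: classic NIDS evasion, refuse
                raise ValueError(f"overlapping fragment in datagram {key}")
            buf += self._frags[key][off]
        if len(buf) != self._total[key]:
            return None
        del self._frags[key], self._total[key]
        return buf

def parse_transport(proto: int, datagram: bytes) -> dict:
    """TCP/UDP header split; everything after the header is application-layer data."""
    if proto == PROTO_TCP:
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", datagram[:14])
        return {"proto": "tcp", "sport": sport, "dport": dport, "flags": off_flags & 0x01FF,
                "data": datagram[(off_flags >> 12) * 4:]}
    if proto == PROTO_UDP:
        sport, dport, length, _csum = struct.unpack("!HHHH", datagram[:8])
        return {"proto": "udp", "sport": sport, "dport": dport, "data": datagram[8:length]}
    return {"proto": str(proto), "data": datagram}

def analyze(frames, reassembler: Ipv4Reassembler) -> list:
    """Frame -> IPv4 -> reassembly -> TCP/UDP -> application data, bottom-up as the text describes."""
    results = []
    for frame in frames:
        eth = parse_ethernet(frame)
        if eth["ethertype"] != ETHERTYPE_IPV4:
            continue                      # predefined filter rule: IPv4 only
        ip = parse_ipv4(eth["payload"])
        datagram = reassembler.feed(ip)
        if datagram is not None:
            results.append({"src": ip["src"], "dst": ip["dst"], **parse_transport(ip["proto"], datagram)})
    return results

def build_frame(src, dst, ident, proto, payload, frag_offset=0, more=False) -> bytes:
    """Constructed test frame (checksums left zero; a production parser validates them)."""
    flags_frag = (0x2000 if more else 0) | (frag_offset // 8)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag, 64, proto, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + payload

# Constructed sample: one UDP datagram (port 53 -> 53, 12-byte payload) split into two fragments
# that arrive out of order, followed by an unfragmented TCP SYN to port 22.
UDP_DATAGRAM = struct.pack("!HHHH", 53, 53, 20, 0) + b"query-12345!"
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.9", 0x1234, PROTO_UDP, UDP_DATAGRAM[8:], frag_offset=8),
    build_frame("10.0.0.5", "10.0.0.9", 0x1234, PROTO_UDP, UDP_DATAGRAM[:8], frag_offset=0, more=True),
    build_frame("10.0.0.7", "10.0.0.9", 0x0001, PROTO_TCP,
                struct.pack("!HHIIHHHH", 40000, 22, 1, 0, (5 << 12) | 0x002, 65535, 0, 0)),
]

def demo() -> list:
    """Run the pipeline over the constructed frames; returns the two decoded records."""
    return analyze(SAMPLE_FRAMES, Ipv4Reassembler())
```

The reassembler only releases a datagram once every byte from offset 0 to the end announced by the last fragment is present, which is why the second (final) fragment arriving first yields nothing until the first one lands. Refusing overlapping fragments rather than silently preferring the first or last copy is deliberate: different operating systems resolve overlaps differently, and an attacker who knows the target's policy can make the NIDS and the host see different payloads.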
Example 3:
This embodiment further optimises embodiment 1 or 2 and is used to predict the occurrence probability of typical abnormal attack events from the network traffic signal by training on a large-scale public network traffic data set from an NIDS that has suffered typical attack events.
Example 4:
This embodiment further optimises any one of embodiments 1 to 3. The LSTM neural network adds LSTM units as a hidden layer to the original RNN for learning temporal features from the sequence of network packet vectors.
In the time-series preprocessing of the NIDS network traffic data, a time series is an ordered sequence of values of some variable taken at equal time intervals; it exhibits autocorrelation and timeliness. Sequence prediction exploits these properties: the training model retains its learning results in chronological order and sorts them, so that the future behaviour and occurrence probability of the data stream can be estimated from a set of time series.
The NIDS network traffic data set is structured by data preprocessing into a time series containing a plurality of consecutive traffic data items, with each training sample consisting of two time series of adjacent time stamps. The constructed LSTM neural network model yields a time-series predictor capable of predicting the next time stamp. This prediction method can be used to predict the network traffic data of the next time stamp from the observation of real-time NIDS traffic.
Other portions of this embodiment are the same as any of embodiments 1 to 3 described above, and thus will not be described again.
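The adjacent-window sample construction of this embodiment, the next-time-stamp prediction it describes, and the PNN classification stage of Example 1 (step S6, the occurrence probability of a security event in the next time period), as one added example that is not the patent's code: per-second connection counts are constructed inline, windows of adjacent time stamps are cut from them, a linear extrapolation stands in for the LSTM predictor of the next time stamp, three hand-made window statistics stand in for the LSTM/DBN feature chain, and a Specht-style probabilistic neural network (one Gaussian pattern unit per training exemplar, one summation unit per class, single-pass training) turns the forecast window into P(attack in the next window). The window length, kernel width, split time and the burst shape are assumptions, not values from the patent.

```python
"""Adjacent-window samples, next-window forecast and a PNN classifier (added example)."""
import math

WINDOW = 4   # seconds per time series window; assumed, the patent fixes no length

def synthetic_flow_series():
    """Constructed per-second new-connection counts for 60 s with two SYN-flood ramps.
    Label 1 marks an attack second. Not real capture data."""
    series, labels = [], []
    for t in range(60):
        burst = next((s for s in (20, 48) if s <= t < s + 8), None)
        if burst is None:
            series.append(8 + t % 5); labels.append(0)
        else:
            series.append(250 + 10 * (t - burst)); labels.append(1)
    return series, labels

def window_features(w):
    """Stand-in for the LSTM/DBN feature extractor: mean, peak and trend of one window."""
    return [sum(w) / len(w), max(w), w[-1] - w[0]]

def forecast_next_window(prev):
    """Stand-in for the LSTM time-series predictor: extrapolate the window's slope."""
    slope = (prev[-1] - prev[0]) / (len(prev) - 1)
    return [prev[-1] + slope * k for k in range(1, len(prev) + 1)]

def labelled_windows(series, labels, t_max, window=WINDOW):
    """All windows ending before t_max; a window is class 1 if any second in it is an attack."""
    return [(window_features(series[t:t + window]), int(any(labels[t:t + window])))
            for t in range(0, t_max - window + 1)]

def fit_scaler(X):
    """Per-feature z-score statistics (population std, floored to avoid division by zero)."""
    n, d = len(X), len(X[0])
    mean = [sum(x[j] for x in X) / n for j in range(d)]
    std = [max(1e-9, math.sqrt(sum((x[j] - mean[j]) ** 2 for x in X) / n)) for j in range(d)]
    return mean, std

def scale(x, mean, std):
    return [(v - m) / s for v, m, s in zip(x, mean, std)]

def _logsumexp(vals):
    m = max(vals)
    return m + math.log(sum(math.exp(v - m) for v in vals))

class PNN:
    """Probabilistic neural network: one Gaussian pattern unit per training exemplar,
    one summation unit per class, output = normalised class densities (Bayes posterior
    with equal priors). Training is a single pass; sigma is the only hyperparameter."""
    def __init__(self, sigma=0.5):
        self.sigma = sigma
        self.patterns = {}          # class label -> list of standardised exemplars

    def fit(self, X, y):
        for x, c in zip(X, y):
            self.patterns.setdefault(c, []).append(x)
        return self

    def predict_proba(self, x):
        # log domain: an input far from every exemplar must not underflow to 0/0
        log_score = {}
        for c, pts in self.patterns.items():
            kernels = [-sum((a - b) ** 2 for a, b in zip(x, p)) / (2 * self.sigma ** 2) for p in pts]
            log_score[c] = _logsumexp(kernels) - math.log(len(pts))
        z = _logsumexp(list(log_score.values()))
        return {c: math.exp(v - z) for c, v in log_score.items()}

def attack_probabilities(split_time=40, window=WINDOW):
    """Train on windows before split_time (chronological split: the later burst never
    leaks into training), then for each later t forecast window t+1 from window t and
    return {t: (P(attack in next window), true label of that window)}."""
    series, labels = synthetic_flow_series()
    train = labelled_windows(series, labels, split_time, window)
    mean, std = fit_scaler([f for f, _ in train])
    model = PNN(sigma=0.5).fit([scale(f, mean, std) for f, _ in train], [c for _, c in train])
    out = {}
    for t in range(split_time, len(series) - 2 * window + 1):
        forecast = forecast_next_window(series[t:t + window])
        p_attack = model.predict_proba(scale(window_features(forecast), mean, std)).get(1, 0.0)
        truth = int(any(labels[t + window:t + 2 * window]))
        out[t] = (round(p_attack, 4), truth)
    return out
```

Two points the block makes that the text does not: the split must be chronological, because shuffling windows across time would put the second burst into training and inflate the measured accuracy; and the naive slope extrapolation is the weak link. Deep inside the second burst (t=50) and deep in normal traffic (t=40) the PNN is confident and right, but at the tail of the burst (t=52) the extrapolation keeps ramping while the real traffic returns to baseline, so the model predicts an attack that does not come. Learning when a burst ends is precisely what the LSTM in the patent's chain is meant to capture, and it is the case to test a trained predictor on.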
Example 5:
This embodiment further optimises any one of embodiments 1 to 4 and, as shown in fig. 2, further provides a system for detecting network security, including an acquisition unit, a model construction unit, a model training unit and a processing unit, where: the acquisition unit is configured to acquire the network traffic data in the NIDS, screen out of the network traffic data a public network traffic data set that has suffered attack events, train on it, and take the trained public network traffic data set as the training set; the model construction unit is configured to construct a network model, wherein the network model combines a recurrent neural network, a deep belief network and a probabilistic neural network, and the recurrent neural network, the deep belief network and the probabilistic neural network are connected in sequence; the model training unit is configured to guide the network model to learn by using a loss function, and to preset the relevant hyperparameters, optimise the network parameter weights by iterating continuously so that the loss value decays, until the iteration count equals the maximum number of iterations, at which point training on the training set stops and training of the network model is complete; and the processing unit is configured to detect network security by using the trained network model.
Other portions of this embodiment are the same as any of embodiments 1 to 4 described above, and thus will not be described again.
Example 6:
The invention also provides an electronic device comprising a processor and a memory, the processor implementing the system for detecting network security described in the embodiments above.
Example 7:
the present invention also provides a computer-readable storage medium comprising instructions; when the instructions are executed on the electronic device described in the above embodiment, the electronic device is caused to perform the method described in the above embodiment. In the alternative, the computer readable storage medium may be a memory.
The processor referred to in the embodiments of the present application may be a chip, for example a field-programmable gate array (FPGA), an application-specific integrated circuit (ASIC), a system on a chip (SoC), a central processing unit (CPU), a network processor (NP), a digital signal processor (DSP), a microcontroller unit (MCU), a programmable logic device (PLD) or another integrated chip.
The memory to which the embodiments of the present application relate may be volatile memory or non-volatile memory, or may include both. The non-volatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM) or a flash memory, among others. The volatile memory may be random access memory (RAM), which acts as an external cache. By way of example and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM) and direct rambus RAM (DRRAM). It should be noted that the memory of the systems and methods described herein is intended to comprise, without being limited to, these and any other suitable types of memory.
It should be understood that, in various embodiments of the present application, the sequence numbers of the foregoing processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic thereof, and should not constitute any limitation on the implementation process of the embodiments of the present application.
Those of ordinary skill in the art will appreciate that the various illustrative modules and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It will be clearly understood by those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described system, apparatus and module may refer to corresponding procedures in the foregoing method embodiments, which are not repeated herein.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices, and methods may be implemented in other ways. For example, the above-described device embodiments are merely illustrative, e.g., the division of the modules is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple modules or components may be combined or integrated into another device, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interface, indirect coupling or communication connection of devices or modules, electrical, mechanical, or other form.
The modules described as separate components may or may not be physically separate, and components shown as modules may or may not be physically separate, i.e., may be located in one device, or may be distributed over multiple devices. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional module in each embodiment of the present application may be integrated in one device, or each module may exist alone physically, or two or more modules may be integrated in one device.
In the above embodiments, the invention may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented using a software program, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in accordance with embodiments of the present application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (e.g. coaxial cable, optical fibre, digital subscriber line (DSL)) or wireless means (e.g. infrared, radio, microwave). The computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more such media. The usable medium may be a magnetic medium (e.g. floppy disk, hard disk, magnetic tape), an optical medium (e.g. DVD) or a semiconductor medium (e.g. solid state disk (SSD)), among others.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A method for detecting network security, comprising the steps of:
step S1, obtaining network traffic data in the NIDS;
step S2, screening, from the network traffic data, a public network traffic data set that has suffered attack events, training on it, and taking the trained public network traffic data set as the training set;
step S3, constructing a network model, wherein the network model combines a convolutional neural network, a recurrent neural network, a deep belief network and a probabilistic neural network, and the convolutional neural network, the recurrent neural network, the deep belief network and the probabilistic neural network are connected in sequence;
step S4, guiding the network model to learn by using a loss function;
step S5, presetting the relevant hyperparameters, and optimizing the network parameter weights by iteratively decaying the loss value until the number of iterations equals the maximum number of iterations, then stopping training on the training set and finishing training of the network model;
and step S6, detecting network security by using the trained network model.
2. The method for detecting network security according to claim 1, wherein the step S1 includes:
the network traffic data in the NIDS is acquired using the libpcap development package.
3. The method for detecting network security according to claim 1, wherein the step S2 includes:
the public network traffic data set is constructed, by data preprocessing, into a time series containing a plurality of consecutive traffic data, and each training sample consists of two time series at adjacent time stamps.
4. The method for detecting network security according to claim 1, wherein the step S3 includes:
firstly, performing time-series preprocessing on the network traffic data in the NIDS, and learning temporal features with the recurrent neural network;
then learning the spatial features of the network traffic with the deep belief network;
and then classifying the low-dimensional data with the probabilistic neural network.
5. The method for detecting network security according to claim 1, wherein the step S4 includes:
guiding the network model to learn by adopting a category loss function and a localization regression loss function.
6. The method for detecting network security according to claim 1, wherein the step S5 includes:
the trained network model is used to predict the network traffic time series at the subsequent time stamp.
7. The method for detecting network security according to claim 1, wherein the step S6 includes:
classifying the security events of the network traffic time series with the trained network model, so as to estimate the occurrence probability of network security events in the next time period and thereby detect network security.
8. A system for detecting network security, comprising an acquisition unit, a model construction unit, a model training unit and a processing unit, wherein:
the acquisition unit is used for acquiring network traffic data in the NIDS, screening, from the network traffic data, a public network traffic data set that has suffered attack events, training on it, and taking the trained public network traffic data set as the training set;
the model construction unit is used for constructing a network model, wherein the network model combines a convolutional neural network, a recurrent neural network, a deep belief network and a probabilistic neural network, and the convolutional neural network, the recurrent neural network, the deep belief network and the probabilistic neural network are connected in sequence;
the model training unit is used for guiding the network model to learn by using a loss function, and for presetting the relevant hyperparameters and optimizing the network parameter weights by iteratively decaying the loss value until the number of iterations equals the maximum number of iterations, then stopping training on the training set and finishing training of the network model;
and the processing unit is used for detecting network security by using the trained network model.
9. An electronic device comprising a processor and a memory; the processor comprises the system for intelligent monitoring based on image recognition as claimed in claim 8.
10. A computer-readable storage medium, the computer-readable storage medium comprising instructions; the instructions, when run on an electronic device as claimed in claim 9, cause the electronic device to perform the method as claimed in any one of claims 1-7.
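The following is an added illustration, not code from the patent or its applicant: it builds the adjacent-time-stamp training samples of claim 3 from per-interval traffic features and runs the probabilistic neural network (PNN) decision stage that claims 4 and 7 place at the end of the pipeline, returning the estimated probability of an attack event in the next period. The feature vectors, labels and the kernel width SIGMA are constructed assumptions; the CNN, RNN and DBN stages that precede the PNN in the patent are not modelled.

```python
"""Added example (not the patent's code): claim-3 sample construction plus the PNN
decision stage of claims 4 and 7; features, labels and SIGMA are constructed."""
import math
from typing import Dict, List, Sequence, Tuple

# Constructed per-interval features: (packets, kilobytes, distinct destination ports).
# Label 1 marks an interval in which an attack event was observed, 0 otherwise.
FLOW_FEATURES: List[Sequence[float]] = [
    (12, 1.5, 2), (10, 1.2, 2), (11, 1.4, 3), (13, 1.6, 2),
    (90, 0.9, 40), (120, 1.1, 55), (95, 0.8, 48), (110, 1.0, 51),
]
LABELS: List[int] = [0, 0, 0, 0, 1, 1, 1, 1]
SIGMA = 10.0  # Parzen-window width (assumed; tune it on standardised real features)


def make_samples(series, labels) -> List[Tuple[List[float], int]]:
    """Claim 3: one sample per pair of adjacent time stamps (t, t+1). The input is
    both feature vectors concatenated; the target is the label of the later one."""
    return [(list(series[t]) + list(series[t + 1]), labels[t + 1])
            for t in range(len(series) - 1)]


def _kernel(x: Sequence[float], centre: Sequence[float]) -> float:
    """Gaussian kernel on the squared Euclidean distance between two patterns."""
    d2 = sum((a - b) ** 2 for a, b in zip(x, centre))
    return math.exp(-d2 / (2.0 * SIGMA ** 2))


def pnn_posterior(samples, x: Sequence[float]) -> Dict[int, float]:
    """PNN: the summation layer averages one kernel per training pattern for each
    class; the output layer normalises those class densities into posteriors."""
    per_class: Dict[int, List[float]] = {}
    for pattern, label in samples:
        per_class.setdefault(label, []).append(_kernel(x, pattern))
    density = {c: sum(ks) / len(ks) for c, ks in per_class.items()}
    total = sum(density.values()) or 1e-300  # all kernels underflowed: avoid /0
    return {c: v / total for c, v in density.items()}


def attack_probability(prev: Sequence[float], curr: Sequence[float]) -> float:
    """Claim 7: from the two most recent adjacent intervals, estimate the
    probability that the next period contains an attack event (class 1)."""
    samples = make_samples(FLOW_FEATURES, LABELS)
    return pnn_posterior(samples, list(prev) + list(curr)).get(1, 0.0)


if __name__ == "__main__":
    print("quiet traffic:", round(attack_probability((12, 1.5, 2), (11, 1.4, 2)), 4))
    print("scan-like    :", round(attack_probability((100, 1.0, 45), (105, 0.9, 50)), 4))
```

With real NIDS features the columns must be standardised before the Euclidean kernel is meaningful, otherwise the byte counts dominate the distance.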
CN202310280503.8A 2023-03-22 2023-03-22 Method and system for detecting network security Pending CN116366319A (en)
Publications (1)

Publication Number Publication Date
CN116366319A true CN116366319A (en) 2023-06-30
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20230630