CN116827666A - Malicious network traffic detection method based on graph attention network - Google Patents


Info

Publication number: CN116827666A
Authority: CN (China)
Prior art keywords: network traffic, network, graph, malicious, information
Legal status: Pending
Application number: CN202310950685.5A
Other languages: Chinese (zh)
Inventors: 蔡赛华, 赵文军, 陈锦富, 吕天翔, 唐晗, 张子康
Current assignee: Jiangsu University
Original assignee: Jiangsu University
Application filed by Jiangsu University; priority to CN202310950685.5A; published as CN116827666A; legal status pending.

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a malicious network traffic detection method based on a graph attention network. The method comprises the following steps: step 1, constructing a graph structure of the relations between flow nodes from the address information of the network flows, and extracting features from the constructed network flow graph structure with a graph convolutional neural network; step 2, using a self-attention mechanism to screen the network traffic feature vectors and obtain the associated node features of greater importance; and step 3, classifying the screened association features with a decision tree classifier to detect malicious network traffic.

Description

Malicious network traffic detection method based on graph attention network
Technical Field
The invention belongs to the field of network traffic detection, and relates to a malicious network traffic detection method based on a graph attention network.
Background
With advances in technology and the development of the internet, the role of networks has evolved from initially delivering mail and browsing web pages to today's real-time communications, online gaming, edge computing and so on. While making people's lives convenient, the network increases the amount of traffic it generates at a geometric rate. Cisco's annual internet report shows that the mobile data traffic generated in 2022 exceeded 1 Zettabyte. However, as the number of internet users and the volume of network traffic grow, malicious attacks and network intrusions also show an increasing trend, and some attackers carry out hidden attacks that evade detection by disguising intrusion traffic as normal traffic, which makes it harder for traditional detection methods to identify malicious traffic. Faced with such huge traffic volumes and growing attack activity, intrusion detection protects cyberspace by identifying the attack behaviours that cause anomalies in network traffic data, and has become an important research direction in network security. Efficient detection of malicious network traffic is therefore of great significance.
In recent years, with the rapid development of deep learning, it has also been widely applied to vulnerability detection. Compared with traditional machine learning, deep learning can automatically extract high-level features from structured data, which reduces the feature-extraction workload; in addition, the abstract feature representations it extracts automatically generalise better than hand-crafted features. To exploit the relationships in network traffic data, researchers detect malicious network traffic with graph neural networks (Graph Neural Networks, GNN), which can handle edge-to-edge and node-to-node relationships. GNNs form a graph topology from the edge relationships between each data sample and the other samples. For the relationships among network flow nodes, researchers proposed graph convolutional networks by generalising the convolution operation to graphs. With the rapid development of deep learning in malicious network traffic detection, convolutional neural networks have also been tried for intrusion detection.
However, the existing GNN-based malicious network traffic detection methods use only the traffic's own information and ignore the association features among flows, so the extracted traffic features are incomplete and the recognition accuracy of the resulting detection model suffers; moreover, these methods usually employ fixed neighbour aggregation policies and lack fine-grained node-relationship modelling, which reduces performance on network traffic correlation features. The invention therefore proposes a malicious network traffic detection method based on a graph attention network (Graph ATtention with Decision Tree, GAT-DT). GAT-DT first uses a graph neural network to form a graph topology from the irregular graph association data of the network, that is, the edge relationships between each data sample and the other samples, and then uses an attention mechanism to screen the more important association information, which solves the problem of information overload. Extensive comparative experiments show that the proposed method achieves higher detection performance and identifies different types of malicious network traffic more accurately.
Disclosure of Invention
The invention aims to solve the problem of information overload, obtain higher detection performance and more accurately identify different types of malicious network traffic. Therefore, the invention provides a malicious network traffic detection method based on a graph attention network.
The present invention achieves the above technical object by the following means.
A malicious network traffic detection method based on a graph attention network, comprising:
step 1, constructing a graph structure by using address information of network traffic and relationships among traffic nodes, and extracting features of the constructed network traffic graph topological structure information by using a graph convolution neural network;
step 2, using a self-attention mechanism to perform feature screening on the network traffic vector to obtain relevant node features with stronger importance;
and step 3, classifying the filtered association features by using a decision tree classifier to realize detection of malicious network traffic.
In a first aspect, the specific steps of the step 1 are as follows:
step 1.1, constructing a preprocessed network flow table to obtain a flow topology graph: taking the source IP address as the start point and the destination IP address as the end point, the different nodes are connected, each distinct IP node is numbered, and the topology of the network is constructed;
step 1.2, learning the association relations to obtain the feature information of the different nodes, their neighbour nodes and edges, and thereby expressing the graph association relations of the network traffic. At the same time, by sharing the structural information of the same network node, the features of each node with respect to all its neighbour nodes are obtained through multi-layer convolution, yielding the spatial structural features of the network traffic.
In a second aspect, the specific steps of the step 2 are as follows:
step 2.1, computing attention coefficients for the different related inputs in a fully connected layer through the self-attention mechanism, so as to obtain the relevance of the different network flow inputs;
step 2.2, focusing attention on local network flow information, giving low weights to irrelevant features and retaining the important flow vector features, so as to remove redundancy from the network flow features and obtain the key network flow features.
In a third aspect, the specific steps of the step 3 are as follows:
step 3.1, classifying the network traffic by applying a Decision Tree (DT) to the network traffic feature vectors obtained by the feature screening;
step 3.2, inputting the screened network traffic correlation features, computing the loss value during training with a cross-entropy loss function, and adjusting the model according to the loss value to obtain the model's training parameters, so as to detect malicious network traffic.
Existing GNN-based malicious network traffic detection methods use only the traffic's own information features and ignore the related features among flows, so the extracted traffic features are incomplete; they also lack sophisticated node-relationship modelling and typically use fixed neighbour aggregation policies, which degrades performance when handling traffic-related features. Compared with the prior art, the invention has the following beneficial effects:
1. The proposed graph attention network model adds a self-attention mechanism to the graph convolutional neural network model. With limited resources it screens out the more important feature information from a large amount of node data, solving the problem of information overload, improving the efficiency of model processing and enabling the constructed network to detect malicious traffic in the graph topology more accurately.
2. To address the large and complex network flow feature vectors obtained after feature screening, the method relies on a decision tree algorithm, which has a small computational cost, easily convertible classification rules, high accuracy and strong generalisation. The screened network flow association features are taken as the input of the decision tree algorithm, the loss value during training is computed with a cross-entropy loss function, the model is trained with a strategy of selecting the better loss value, and the model's training parameters (for example a random seed of 42, 30 iterations, an initial learning rate of 0.01, a weight decay of 0.0005 and 16 hidden units) are obtained, thereby improving the detection efficiency for malicious network traffic.
Drawings
Fig. 1 is a flow chart of detection based on the GAT-DT model.
Fig. 2 is the overall flow chart of the malicious network traffic detection method based on a graph attention network.
Fig. 3 gives information on the malicious network traffic data set USTC-TFC2016 used in the experimental part of the invention.
Fig. 4 gives information on the encrypted mixed data set Stratosphere used in the experimental part of the invention.
Fig. 5 compares the accuracy, precision, recall and F1 values on the USTC-TFC2016 data set of the GAT-DT model with the graph convolutional neural network based detection model GCN-ETA, the K-nearest-neighbour based detection model KNN and the gradient boosted decision tree based ensemble detection model XGBoost.
Fig. 6 compares the accuracy, precision, recall and F1 values of the GAT-DT model and the GCN-ETA, KNN and XGBoost models on the Stratosphere data set.
Fig. 7 is a box plot comparison of the accuracy (Accuracy) of the GAT-DT model and the GCN-ETA, KNN and XGBoost models on the two data sets.
Fig. 8 is a box plot comparison of the precision (Precision) of the GAT-DT model and the GCN-ETA, KNN and XGBoost models on the two data sets.
Fig. 9 is a box plot comparison of the recall (Recall) of the GAT-DT model and the GCN-ETA, KNN and XGBoost models on the two data sets.
Fig. 10 is a box plot comparison of the F1 value (F1-measure) of the GAT-DT model and the GCN-ETA, KNN and XGBoost models on the two data sets.
Detailed Description
The invention is further described in connection with the accompanying drawings and the embodiments, it being noted that the described embodiments are only intended to facilitate an understanding of the invention and are not intended to limit the invention in any way.
To counter malicious network traffic, the invention provides a malicious network traffic detection method based on a graph attention network that effectively identifies malicious attack behaviour. The invention provides a complete malicious network traffic detection framework, and extensive experiments demonstrate the feasibility and effectiveness of the method.
As shown in Fig. 1, the malicious network traffic detection method based on a graph attention network of the present invention comprises:
Step 201 constructs a graph structure from the address information of the network traffic and the relationships between traffic nodes, and then extracts features from the constructed traffic graph topology with a graph convolutional neural network.
In the embodiment of the invention a graph topology is constructed for the network traffic. Association relations of varying strength exist between flows, and neglecting them loses a large number of hidden features among nodes and lowers detection efficiency. A graph relation structure of the network traffic is therefore constructed, and the associated feature information of the different nodes, their neighbour nodes and edges is obtained, yielding the spatial structural features of the network traffic.
Step 2011, constructing a network flow table after preprocessing operation to obtain a flow topological graph, connecting different nodes by taking a source IP address as a starting point and a destination IP address as an end point, numbering each different IP node, and constructing a network topological structure;
step 2012, learning the association relation among nodes of the network traffic to obtain the characteristic information of different nodes and the neighbor nodes and edges thereof, and realizing the graph association relation expression of the network traffic; by sharing the structural information of the same network node, the characteristics of each node to each global neighbor node are obtained under the effect of multi-layer convolution, and the spatial structural characteristics of the network traffic are further obtained.
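Steps 2011 and 2012 as an added worked example in pure Python (not the patent's code): a constructed flow table is turned into an IP-node topology, and node features are then propagated with a two-layer, symmetrically normalised graph convolution. The identity weight matrix and ReLU are my simplifications so the numbers can be followed by hand.

```python
# Added example (not the patent's code): step 2011 builds the flow topology from a
# flow table; step 2012 propagates node features over it with a two-layer,
# symmetrically normalised graph convolution (identity weights, ReLU), pure Python.

# Constructed flow table: (source IP, destination IP, [scaled bytes, scaled packets]).
FLOWS = [
    ("10.0.0.1", "10.0.0.2", [1.0, 0.5]),
    ("10.0.0.2", "10.0.0.3", [0.2, 0.1]),
    ("10.0.0.1", "10.0.0.3", [0.8, 0.4]),
    ("10.0.0.4", "10.0.0.1", [0.0, 1.0]),
]


def build_graph(flows):
    """Step 2011: number every distinct IP, connect src -> dst, attach flow features.

    Returns (ip_index, adjacency sets, node feature rows). Edges are stored in both
    directions so the convolution aggregates over all neighbours of a node; a node's
    initial feature is the sum of the features of the flows it takes part in.
    """
    ip_index = {}
    for src, dst, _ in flows:
        for ip in (src, dst):
            ip_index.setdefault(ip, len(ip_index))
    n, dim = len(ip_index), len(flows[0][2])
    adj = [set() for _ in range(n)]
    feats = [[0.0] * dim for _ in range(n)]
    for src, dst, f in flows:
        s, d = ip_index[src], ip_index[dst]
        adj[s].add(d)
        adj[d].add(s)
        for k in range(dim):
            feats[s][k] += f[k]
            feats[d][k] += f[k]
    return ip_index, adj, feats


def gcn_layer(adj, feats):
    """One graph convolution: h_i' = ReLU(sum over j in N(i) + {i} of h_j / sqrt(d_i d_j)).

    d_i counts the self loop, i.e. the usual GCN normalisation D^-1/2 (A + I) D^-1/2.
    """
    deg = [len(nbrs) + 1 for nbrs in adj]
    out = []
    for i, nbrs in enumerate(adj):
        acc = [x / deg[i] for x in feats[i]]  # self-loop term, 1/sqrt(d_i * d_i)
        for j in nbrs:
            norm = (deg[i] * deg[j]) ** 0.5
            acc = [a + x / norm for a, x in zip(acc, feats[j])]
        out.append([max(0.0, a) for a in acc])
    return out


def spatial_features(flows, layers=2):
    """Step 2012: after `layers` convolutions each node carries information from
    neighbours up to `layers` hops away, i.e. the spatial structure of the traffic."""
    ip_index, adj, feats = build_graph(flows)
    h = feats
    for _ in range(layers):
        h = gcn_layer(adj, h)
    return ip_index, h


if __name__ == "__main__":
    index, h = spatial_features(FLOWS)
    for ip, i in index.items():
        print(ip, [round(v, 4) for v in h[i]])
```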
Step 202 uses a self-attention mechanism to screen the characteristic vector of the network traffic, and obtains the relevant node characteristic with stronger importance.
Step 2021 uses a self-attention mechanism to focus "attention" on local traffic information that causes network traffic to be determined to be malicious, and filters out some unimportant network traffic features, thereby performing a redundancy elimination operation on the network traffic features, and finally obtaining key features of the network traffic.
The process of weighting the network traffic features with the attention mechanism comprises the following steps:
(1) The N feature vectors H obtained from the graph neural network are input into the self-attention model, and the network flow features are concatenated by the input layer to form the network flow feature matrix I:
$I = [h_1, h_2, \ldots, h_n]$
where $h_n$ denotes the feature sequence consisting of the feature vectors.
(2) The feature matrix I is fed into the embedding layer, which maps it into three different spaces to obtain the required matrices Q, K and V, where $W_Q$, $W_K$ and $W_V$ are randomly initialised projection matrices:
$Q = W_Q I$
$K = W_K I$
$V = W_V I$
(3) Once the three spatial matrices are obtained, the similarity between each query vector $q_i$ and each of the other network traffic vectors is computed, giving the association score $\mathrm{Score}_i$ for each vector. The similarity measure used in the invention is the dot product: the products of $q_i$ with the key vectors $k_i$ are computed and summed to obtain $\mathrm{Score}_i$. Finally, the $\mathrm{Score}_i$ are concatenated to obtain the weight matrix A of I:
$A = [\mathrm{Score}_1, \mathrm{Score}_2, \mathrm{Score}_3]$
(4) A is normalised with the Softmax activation function to obtain the normalised similarity matrix A', which reduces the computational difficulty:
$A'_i = \dfrac{e^{S_i}}{\sum_j e^{S_j}}$
where $S_i$, $S_j$ and j denote the association score of vector i, the association score of vector j and the sequence number j, respectively.
(5) The key-value matrix V is weighted and summed with the normalised weight matrix A', giving the attention output matrix O for each input vector:
$O = V A'$
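Steps (1) to (5) as an added worked example in pure Python (not the patent's code). Vectors are stored row-wise, so O = A'V here is the transposed form of O = VA' above; the projections W_Q, W_K, W_V are random with a fixed seed, and the screening rule in screen_features (keep the nodes that receive the most attention) is my assumption of one way to realise step 2.2, not something the description specifies.

```python
# Added example (not the patent's code): self-attention weighting of steps (1)-(5)
# in pure Python, row-major. The screening rule at the end is an assumption.
import math
import random


def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]


def softmax(row):
    m = max(row)  # subtracting the max keeps exp() stable; the result is unchanged
    e = [math.exp(s - m) for s in row]
    z = sum(e)
    return [v / z for v in e]


def self_attention(H, d_k, seed=42):
    """Return (A', O): the normalised weight matrix and the attention output.

    Step (2): Q = H W_Q, K = H W_K, V = H W_V (random projections, d x d_k).
    Step (3): Score_ij = q_i . k_j, the dot-product similarity of vector i to j.
    Step (4): A' = Softmax(Score) row by row.
    Step (5): O = A' V, a weighted sum of value vectors for each input vector.
    """
    rng = random.Random(seed)
    d = len(H[0])
    w_q = [[rng.uniform(-1, 1) for _ in range(d_k)] for _ in range(d)]
    w_k = [[rng.uniform(-1, 1) for _ in range(d_k)] for _ in range(d)]
    w_v = [[rng.uniform(-1, 1) for _ in range(d_k)] for _ in range(d)]
    Q, K, V = matmul(H, w_q), matmul(H, w_k), matmul(H, w_v)
    scores = [[sum(q * k for q, k in zip(q_i, k_j)) for k_j in K] for q_i in Q]
    A_norm = [softmax(row) for row in scores]
    return A_norm, matmul(A_norm, V)


def screen_features(A_norm, keep):
    """Assumed step 2.2 rule: importance of node j = total attention it receives
    (column sum of A'); return the indices of the `keep` most important nodes."""
    n = len(A_norm)
    importance = [sum(A_norm[i][j] for i in range(n)) for j in range(n)]
    order = sorted(range(n), key=lambda j: -importance[j])
    return sorted(order[:keep])


# Constructed node features as produced by the graph convolution: 4 nodes x 3 features.
H = [
    [0.9, 0.1, 0.4],
    [0.2, 0.8, 0.3],
    [0.9, 0.1, 0.5],
    [0.0, 0.0, 1.0],
]

if __name__ == "__main__":
    A_norm, O = self_attention(H, d_k=2)
    print("A':", [[round(a, 3) for a in row] for row in A_norm])
    print("O:", [[round(v, 3) for v in row] for row in O])
    print("kept nodes:", screen_features(A_norm, keep=2))
```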
Step 203 classifies the filtered association features by using a decision tree classifier to realize detection of malicious network traffic.
Step 2031 classifies the network traffic feature vectors obtained by the feature screening, using a Decision Tree (DT) to classify the network traffic.
Step 2032 inputs the screened network traffic correlation features, computes the loss value during training with a cross-entropy loss function, and adjusts the model according to the loss value to obtain the model's training parameters.
A Decision Tree (DT) is a tree-structured model that maps the attributes of an object to its label: an internal node represents a feature attribute of the network traffic, and a leaf node represents a classification label of the network traffic. Compared with other classification models, a decision tree has a relatively small computational cost, easily convertible classification rules, high accuracy and strong generalisation, so a decision tree algorithm is chosen to classify the network traffic. The decision tree classification stage comprises the following steps:
(1) The network traffic correlation features obtained by the screening in step 2031 are input; the loss value during training is computed with a cross-entropy loss function, a threshold is predefined, and the optimal loss value below the threshold is selected during the repeated training computations to obtain the model's training parameters (random seed 42, 30 iterations, initial learning rate 0.01, weight decay 0.0005 and 16 hidden units). The loss function Loss is as follows, where $p_i$ is the predicted probability vector of the classification result and $y_i$ is the label class of the actual sample:
$\mathrm{Loss} = -\sum_i y_i \log p_i$
Finally, the corresponding parameters are updated by back-propagating the derivative.
(2) The Gini coefficient Gini(D) is used as the feature selection function. It measures the classification result on the network traffic data set: the smaller the Gini coefficient, the higher the purity of the data set. Here k is the number of data classes in the network traffic and $p_i$ is the probability that a sample belongs to class i:
$\mathrm{Gini}(D) = 1 - \sum_{i=1}^{k} p_i^2$
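The decision tree stage as an added worked example in pure Python (not the patent's code): Gini(D) drives the choice of split attribute and threshold, leaves hold class probabilities, and the cross-entropy loss is evaluated on those leaf probabilities. The flow feature rows are constructed; the threshold-based loss selection of step (1) is not reproduced.

```python
# Added example (not the patent's code): decision tree classification with
# Gini(D) = 1 - sum_i p_i^2 as the feature-selection function and the cross-entropy
# loss Loss = -sum_i y_i log p_i evaluated on the tree's leaf probabilities.
import math
from collections import Counter


def gini(labels):
    """Gini(D) over a list of class labels; 0 means a pure set."""
    n = len(labels)
    if n == 0:
        return 0.0
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())


def best_split(X, y):
    """Pick (feature, threshold) with the lowest weighted Gini of the two children."""
    best = (None, None, float("inf"))
    for f in range(len(X[0])):
        for t in sorted({row[f] for row in X}):
            left = [y[i] for i, row in enumerate(X) if row[f] <= t]
            right = [y[i] for i, row in enumerate(X) if row[f] > t]
            if not left or not right:
                continue
            g = (len(left) * gini(left) + len(right) * gini(right)) / len(y)
            if g < best[2]:
                best = (f, t, g)
    return best


def build_tree(X, y, depth=0, max_depth=3):
    """Internal nodes test one traffic attribute; leaves hold class probabilities."""
    f, t, _ = best_split(X, y)
    if gini(y) == 0.0 or depth == max_depth or f is None:
        return {"probs": {c: k / len(y) for c, k in Counter(y).items()}}
    left = [i for i, row in enumerate(X) if row[f] <= t]
    right = [i for i, row in enumerate(X) if row[f] > t]
    return {
        "feature": f, "threshold": t,
        "left": build_tree([X[i] for i in left], [y[i] for i in left], depth + 1, max_depth),
        "right": build_tree([X[i] for i in right], [y[i] for i in right], depth + 1, max_depth),
    }


def predict_proba(tree, x):
    """Walk from the root to a leaf and return its class probability table."""
    while "probs" not in tree:
        tree = tree["left"] if x[tree["feature"]] <= tree["threshold"] else tree["right"]
    return tree["probs"]


def cross_entropy(tree, X, y, eps=1e-12):
    """Mean of -log p(true class): y_i is one-hot, so only the true-class term survives."""
    total = 0.0
    for x, label in zip(X, y):
        p = max(predict_proba(tree, x).get(label, 0.0), eps)  # eps avoids log(0)
        total -= math.log(p)
    return total / len(y)


# Constructed screened flow features: [packets per flow, fraction of outbound bytes].
X_TRAIN = [[5, 0.1], [7, 0.2], [6, 0.15], [50, 0.9], [60, 0.8], [55, 0.95]]
Y_TRAIN = [0, 0, 0, 1, 1, 1]  # 0 = benign, 1 = malicious

if __name__ == "__main__":
    tree = build_tree(X_TRAIN, Y_TRAIN)
    print("root split: feature", tree["feature"], "<=", tree["threshold"])
    print("training loss:", cross_entropy(tree, X_TRAIN, Y_TRAIN))
    print("new flow [8, 0.3]:", predict_proba(tree, [8, 0.3]))
```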
Step 2033, inputting the obtained network traffic map data with the association relationship into a neural network model for training, thereby obtaining a final malicious network traffic detection model.
The invention mainly detects malicious network traffic, and its effect is tested on the network traffic data set USTC-TFC2016 and the encrypted network traffic data set Stratosphere. Figures 3 and 4 show the distribution of the data sets used in the experiments. The USTC-TFC2016 traffic data set comprises ten malicious and ten normal network traffic classes collected from 2011 to 2015; the files in the data set are in pcap format and the traffic types are labelled. The Stratosphere traffic data set comprises a series of network traffic data such as Zeus, botnet traffic and so on.
To verify the detection effect of the malicious network traffic detection method GAT-DT based on the graph attention network, three different methods, GCN-ETA, KNN and XGBoost, are compared experimentally on the two network traffic data sets; the results are shown in Figs. 5 and 6. From Figs. 5 and 6, the detection accuracy (accuracy), precision (precision), recall (recall) and F1-measure of the GAT-DT model of the invention are higher than those of the GCN-ETA, KNN and XGBoost models. The results show not only that the attention mechanism learns the association feature information in the network traffic better, but also that combining the decision tree algorithm with the GAT model is very effective for detecting malicious network traffic. Beyond the detection effect, the experiments also test the detection stability of the four models; the results are shown in Figs. 7, 8, 9 and 10. From the results in Figs. 7-10, the malicious network traffic detection method GAT-DT based on the graph attention network provided by the invention has better stability.

Claims (4)

1. The malicious network traffic detection method based on the graph attention network is characterized by comprising the following steps of:
step 1, constructing a graph structure by using address information of network traffic and relationships among traffic nodes, and extracting features of the constructed network traffic graph topological structure information by using a graph convolution neural network;
step 2, using a self-attention mechanism to perform feature screening on the network traffic vector to obtain relevant node features with stronger importance;
and step 3, classifying the filtered association features by using a decision tree classifier to realize detection of malicious network traffic.
2. A method according to claim 1, wherein the specific implementation of step 1 comprises the steps of:
step 1.1, constructing a network flow table after preprocessing operation to obtain a flow topological graph, connecting different nodes by taking a source IP address as a starting point and a destination IP address as an end point, numbering each different IP node, and constructing a network topological structure;
step 1.2, learning the association relation among nodes of the network traffic to obtain the characteristic information of different nodes and neighbor nodes and edges thereof, and realizing the graph association relation expression of the network traffic; by sharing the structural information of the same network node, the characteristics of each node to each global neighbor node are obtained under the effect of multi-layer convolution, and the spatial structural characteristics of the network traffic are further obtained.
3. The method according to claim 1, wherein the implementation of step 2 comprises the steps of:
the self-attention mechanism is used for focusing attention on local network traffic information and screening out partial unimportant information, so that redundancy removal operation is carried out on the network traffic characteristics, and key network traffic characteristics are obtained.
4. The method according to claim 1, wherein the implementation of step 3 comprises the steps of:
taking the network flow feature vectors obtained by feature screening as the input of a Decision Tree algorithm (Decision Tree, abbreviated DT), computing the loss value during training with a cross-entropy loss function, predefining a threshold, selecting the optimal loss value below the threshold during the repeated training computations, training the model, and obtaining the model's training parameters (a random seed of 42, 30 iterations, an initial learning rate of 0.01, a weight decay of 0.0005 and 16 hidden units), so as to detect malicious network traffic.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310950685.5A CN116827666A (en) 2023-07-31 2023-07-31 Malicious network traffic detection method based on graph attention network


Publications (1)

Publication Number Publication Date
CN116827666A (en) 2023-09-29


Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117579324A (en) * 2023-11-14 2024-02-20 湖北华中电力科技开发有限责任公司 Intrusion detection method based on gating time convolution network and graph



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination