CN116827666A - Malicious network traffic detection method based on graph attention network - Google Patents
- Publication number: CN116827666A (application CN202310950685.5A)
- Authority: CN (China)
- Legal status: Pending
Abstract
The invention provides a malicious network traffic detection method based on a graph attention network. The method comprises the following steps: step 1, constructing a graph structure of the relations between flow nodes from the address information of the network flows, and extracting features from the constructed network-flow graph structure with a graph convolutional neural network; step 2, using a self-attention mechanism to screen the network traffic feature vectors and obtain the relevant node features of higher importance; and step 3, classifying the screened association features with a decision tree classifier to detect malicious network traffic.
Description
Technical Field
The invention belongs to the field of network traffic detection, and relates to a malicious network traffic detection method based on a graph attention network.
Background
With advances in technology and the development of the internet, the role of networks has evolved from delivering mail and browsing web pages to today's real-time communication, online gaming, edge computing and so on. While making people's lives more convenient, the network generates traffic at a geometrically growing rate. Cisco's annual internet reports show that the mobile data traffic generated in 2022 exceeded 1 zettabyte. However, as the number of internet users and the volume of network traffic data grow, malicious attacks and network intrusions also show an increasing trend, and some attackers evade detection by disguising intrusion traffic as normal traffic, which makes it harder for traditional detection methods to identify malicious traffic. Faced with such huge traffic volumes and increasing attack behaviours, intrusion detection protects cyberspace by identifying the attack behaviours that cause anomalies in network traffic data, and has become an important research direction in network security. Efficient detection of malicious network traffic is therefore of great significance.
In recent years, with the rapid development of deep learning, deep learning has also been widely applied to leak detection. Compared with traditional machine learning methods, deep learning can automatically extract high-level features from structured data, reducing the feature engineering workload. In addition, the abstract feature representations extracted automatically by deep learning generalise better than manually extracted features. To exploit the relevance between network traffic samples, scholars detect malicious network traffic with graph neural networks (Graph Neural Networks, GNN), which can handle edge-to-edge and point-to-point relationships. GNNs form a graph topology from the edge relationships between each data sample and the other samples. For the relevance among network flow nodes, scholars proposed the graph convolutional network by generalising the convolution operation to graphs. With the rapid adoption of deep learning in malicious network traffic detection, convolutional neural networks have also been tried for intrusion detection.
However, existing graph-neural-network-based malicious traffic detection methods use only the traffic's own information and ignore the association characteristics between traffic samples, so the extracted traffic features are incomplete, which in turn limits the recognition accuracy of the detection model; furthermore, these methods usually employ fixed neighbour aggregation policies and lack fine-grained modelling of node relationships, which reduces their performance on traffic correlation features. On this basis, the invention provides a malicious network traffic detection method based on a graph attention network (Graph ATtention with Decision Tree, GAT-DT). GAT-DT first uses a graph neural network to form a graph topology from the irregular graph association data, that is, the association relations between each data sample and the other samples, and then uses an attention mechanism to screen the more important association information, thereby solving the problem of information overload. A large number of comparison experiments show that the method obtains higher detection performance and identifies different types of malicious network traffic more accurately.
Disclosure of Invention
The invention aims to solve the problem of information overload, obtain higher detection performance and more accurately identify different types of malicious network traffic. Therefore, the invention provides a malicious network traffic detection method based on a graph attention network.
The present invention achieves the above technical object by the following means.
A malicious network traffic detection method based on a graph attention network, comprising:
step 1, constructing a graph structure by using address information of network traffic and relationships among traffic nodes, and extracting features of the constructed network traffic graph topological structure information by using a graph convolution neural network;
step 2, using a self-attention mechanism to perform feature screening on the network traffic vector to obtain relevant node features with stronger importance;
and step 3, classifying the filtered association features by using a decision tree classifier to realize detection of malicious network traffic.
In a first aspect, the specific steps of the step 1 are as follows:
step 1.1, constructing a preprocessed network flow table to obtain a flow topological graph, connecting different nodes by taking a source IP address as a starting point and a destination IP address as an end point, numbering each different IP node, and constructing a topological structure of a network;
and step 1.2, learning association relations to obtain characteristic information of different nodes, neighbor nodes and edges of the nodes, and realizing graph association relation expression of network traffic. Meanwhile, by sharing the structural information of the same network node, the characteristics of each node to all the neighbor nodes are obtained under the effect of multi-layer convolution, and further the spatial structural characteristics of the network traffic are obtained.
In a second aspect, the specific steps of the step 2 are as follows:
step 2.1, performing Attention coefficient calculation on different relevant inputs in a full-connection layer through a self-Attention mechanism, so as to obtain the relevance of different network flow inputs;
and step 2.2, focusing attention on local network flow information, giving low weight to irrelevant features, and reserving important flow vector features, so as to perform redundancy elimination operation on the network flow features and acquire key network flow features.
In a third aspect, the specific steps of the step 3 are as follows:
step 3.1, classifying the network traffic by selecting a Decision Tree (DT) for the feature vector of the network traffic obtained by the feature screening;
and step 3.2, inputting the correlation characteristics of the network traffic obtained by screening, calculating a loss value in the network traffic training process through a cross entropy loss function, and adjusting the model according to the loss value to obtain training parameters of the model so as to detect malicious network traffic.
Existing graph-neural-network-based malicious traffic detection methods use only the traffic's own information and ignore the related characteristics between traffic samples, so the extracted traffic features are incomplete; they also lack sophisticated node relationship modelling and typically use fixed neighbour aggregation policies, which degrades performance on traffic-related features. Compared with the prior art, the invention has the following beneficial effects:
1. the proposed graph attention network model adds a self-attention mechanism into the graph convolution neural network model, utilizes limited resources to screen out more important characteristic information from a large amount of node data, solves the problem of information overload, improves the efficiency of model processing, and enables a constructed network to detect malicious network traffic in a graph topological structure more accurately.
2. Because the network flow feature vectors obtained after feature screening are large and complex, the method relies on a decision tree algorithm, which has a small computational cost, easily convertible classification rules, high accuracy and strong generalisation: it takes the screened network flow association features as the input of the decision tree algorithm, calculates the loss value during training with a cross entropy loss function, trains the model by keeping the better loss value and obtains the training parameters of the model (random seed 42, 30 iterations, initial learning rate 0.01, weight decay 0.0005 and 16 hidden units), thereby improving the detection efficiency for malicious network flows.
Drawings
FIG. 1 is a flow chart of detection based on the GAT-DT model.
Fig. 2 is a general flow chart of a malicious network traffic detection method based on a graph attention network.
Fig. 3 is information of a malicious network traffic data set USTC-TFC2016 used in the experimental link of the present invention.
FIG. 4 is a plot of the information of the encrypted hybrid dataset Stratosphere used in the experimental procedure of the present invention.
FIG. 5 is a comparison of accuracy, precision, recall and F1 values of a GAT-DT model and a graph convolution neural network-based detection model GCN-ETA, a K nearest neighbor algorithm-based detection model KNN, and a gradient boost decision tree algorithm-based integrated learning detection model XGBoost on a USTC-TFC2016 data set.
FIG. 6 is a comparison of accuracy, precision, recall and F1 values on the Stratosphere dataset for the GAT-DT model and the GCN-ETA, KNN, XGBoost model.
FIG. 7 is a box plot comparison of Accuracy (Accuracy) of the GAT-DT model and the GCN-ETA, KNN, XGBoost model over two data sets.
FIG. 8 is a box plot comparison of accuracy (Precision) of the GAT-DT model and the GCN-ETA, KNN, XGBoost model over two data sets.
FIG. 9 is a box plot comparison of Recall (Recall) on two datasets for the GAT-DT model and the GCN-ETA, KNN, XGBoost model.
FIG. 10 is a box plot comparison of the F1 value (F1-measure) of the GAT-DT model and the GCN-ETA, KNN, XGBoost model over two data sets.
Detailed Description
The invention is further described in connection with the accompanying drawings and the embodiments, it being noted that the described embodiments are only intended to facilitate an understanding of the invention and are not intended to limit the invention in any way.
Aiming at malicious network traffic, the invention provides a malicious network traffic detection method based on a graph attention network so as to effectively identify malicious network attack behaviors. The invention provides a perfect malicious network flow detection framework, and full experiments are carried out, so that the feasibility and effectiveness of the method are proved.
As shown in fig. 1, the malicious network traffic detection method based on a graph attention network of the present invention includes:
step 201 constructs a graph structure by using address information of network traffic and relationships between traffic nodes, and then performs feature extraction on the constructed network traffic graph topology structure information by using a graph convolution neural network.
In the embodiment of the invention, a graph topology is constructed for the network traffic: some degree of association exists between traffic samples, and neglecting it loses a large number of hidden features among nodes and lowers detection efficiency. Therefore, a graph relation structure of the network traffic is constructed, and the associated characteristic information of different nodes, their neighbor nodes and edges is obtained, so that the spatial structure characteristic of the network traffic is obtained.
Step 2011, constructing a network flow table after preprocessing operation to obtain a flow topological graph, connecting different nodes by taking a source IP address as a starting point and a destination IP address as an end point, numbering each different IP node, and constructing a network topological structure;
step 2012, learning the association relation among nodes of the network traffic to obtain the characteristic information of different nodes and the neighbor nodes and edges thereof, and realizing the graph association relation expression of the network traffic; by sharing the structural information of the same network node, the characteristics of each node to each global neighbor node are obtained under the effect of multi-layer convolution, and the spatial structural characteristics of the network traffic are further obtained.
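As an added example (not code from the patent), the following pure-Python snippet builds the flow topology of steps 2011 and 2012 from a constructed flow table, numbering each IP node and connecting source to destination, and then runs a weight-free mean neighbour aggregation as a stand-in for the multi-layer graph convolution; the per-flow feature vector and the choice of initial node features are assumptions.

```python
# Added example: flow graph construction (step 2011) plus neighbour aggregation
# (step 2012) in pure Python. Not the patent's code.
from collections import defaultdict

# Constructed sample flow table: (src_ip, dst_ip, per-flow feature vector).
# Feature vector is [packets, bytes/100, duration_s]; values are made up.
FLOWS = [
    ("10.0.0.1", "10.0.0.2", [10.0, 12.0, 1.0]),
    ("10.0.0.1", "10.0.0.3", [8.0, 9.0, 0.5]),
    ("10.0.0.2", "10.0.0.3", [3.0, 2.0, 0.2]),
    ("10.0.0.4", "10.0.0.1", [50.0, 1.0, 30.0]),
]


def build_flow_graph(flows):
    """Number each distinct IP (node id = order of first appearance) and
    connect source -> destination as directed edges, as in step 2011."""
    node_id = {}
    edges = []
    for src, dst, _ in flows:
        for ip in (src, dst):
            if ip not in node_id:
                node_id[ip] = len(node_id)
        edges.append((node_id[src], node_id[dst]))
    return node_id, edges


def node_features(flows, node_id):
    """Initial node feature = mean of the feature vectors of the flows the
    node takes part in (an assumption; the patent does not fix this choice)."""
    dim = len(flows[0][2])
    sums = [[0.0] * dim for _ in node_id]
    counts = [0] * len(node_id)
    for src, dst, feat in flows:
        for n in (node_id[src], node_id[dst]):
            counts[n] += 1
            for k in range(dim):
                sums[n][k] += feat[k]
    return [[s / c for s in sums[n]] for n, c in enumerate(counts)]


def aggregate(features, edges, layers=1):
    """Mean aggregation over the undirected neighbourhood (self included),
    repeated `layers` times: a weight-free stand-in for multi-layer graph
    convolution. Each extra layer lets a node see one hop further."""
    n = len(features)
    neigh = defaultdict(set)
    for u, v in edges:
        neigh[u].add(v)
        neigh[v].add(u)
    h = [list(f) for f in features]
    for _ in range(layers):
        new_h = []
        for i in range(n):
            group = [h[i]] + [h[j] for j in sorted(neigh[i])]
            new_h.append([sum(vec[k] for vec in group) / len(group)
                          for k in range(len(h[i]))])
        h = new_h
    return h


if __name__ == "__main__":
    ids, es = build_flow_graph(FLOWS)
    print(ids, es)
    print(aggregate(node_features(FLOWS, ids), es, layers=2))
```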
Step 202 uses a self-attention mechanism to screen the characteristic vector of the network traffic, and obtains the relevant node characteristic with stronger importance.
Step 2021 uses a self-attention mechanism to focus "attention" on local traffic information that causes network traffic to be determined to be malicious, and filters out some unimportant network traffic features, thereby performing a redundancy elimination operation on the network traffic features, and finally obtaining key features of the network traffic.
The process of weighting the characteristics of the network traffic by using the attention mechanism comprises the following steps:
(1) The N feature vectors H produced by the graph neural network are input to a self-attention model, and the network flow features are concatenated by the input layer into the network flow feature matrix I:
$I = [h_1, h_2, \dots, h_n]$
where $h_n$ denotes the n-th feature vector and I is the feature sequence composed of these vectors.
(2) The feature matrix I is input to the embedding layer, which maps it into three different spaces to obtain the required matrices Q, K and V, where $W_Q$, $W_K$ and $W_V$ are randomly initialised projection matrices:
$Q = W_Q I$, $K = W_K I$, $V = W_V I$
(3) With the three matrices obtained, the similarity between each query vector $q_i$ and each of the different network traffic vectors is calculated, giving the contact score $\mathrm{Score}_i$ between vectors. The similarity measure adopted in the invention is the dot product: the products of $q_i$ with the key vectors $k_i$ are computed and summed to obtain $\mathrm{Score}_i$. Finally the scores are concatenated into the weight relation matrix A of I:
$A = [\mathrm{Score}_1, \mathrm{Score}_2, \mathrm{Score}_3]$
(4) A is normalised with the Softmax activation function to obtain the normalised similarity matrix A', which reduces the computational difficulty. Here $S_i$, $S_j$ and j denote the contact score of vector i, the contact score of vector j, and the sequence number j, respectively.
(5) The key-value matrix V is weighted and summed with the normalised weight matrix A' to compute the attention output matrix O for each input vector:
$O = V A'$
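The weighting process of (1) to (5), as an added example written here rather than taken from the patent: standard dot-product self-attention in pure Python (row-vector convention, so Q = I·W_Q and O = A'·V), followed by a screening step that keeps the inputs receiving the most attention; the sample matrix I, the fixed W_Q, W_K, W_V values and the top-k screening rule are assumptions.

```python
# Added example: dot-product self-attention over network flow feature vectors,
# then screening by received attention. Not the patent's code.
import math

# Constructed sample: three feature vectors (rows of I) of dimension 2, and
# identity projections standing in for the randomly initialised W_Q/W_K/W_V.
I_SAMPLE = [[1.0, 0.0], [0.0, 1.0], [1.0, 1.0]]
W_EYE = [[1.0, 0.0], [0.0, 1.0]]


def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b)))
             for j in range(len(b[0]))] for i in range(len(a))]


def transpose(m):
    return [list(col) for col in zip(*m)]


def softmax(row):
    """Numerically stable softmax of one score row (step 4)."""
    m = max(row)
    e = [math.exp(x - m) for x in row]
    s = sum(e)
    return [x / s for x in e]


def self_attention(I, W_Q, W_K, W_V):
    """I: n feature vectors as rows. Returns (A', O) where
    Q = I W_Q, K = I W_K, V = I W_V            (step 2, row-vector form)
    Score[i][j] = q_i . k_j                    (step 3, dot product)
    A' = row-wise softmax of Score             (step 4)
    O = A' V                                   (step 5, weighted sum of V)."""
    Q = matmul(I, W_Q)
    K = matmul(I, W_K)
    V = matmul(I, W_V)
    scores = matmul(Q, transpose(K))
    A_norm = [softmax(row) for row in scores]
    O = matmul(A_norm, V)
    return A_norm, O


def screen_by_attention(A_norm, O, keep):
    """Rank the n inputs by the total attention they receive (column sums of
    A') and keep the `keep` most attended outputs: the redundancy-elimination
    step of 2.2. Returns the kept indices in rank order and their output rows."""
    n = len(A_norm)
    received = [sum(A_norm[i][j] for i in range(n)) for j in range(n)]
    order = sorted(range(n), key=lambda j: received[j], reverse=True)[:keep]
    return order, [O[j] for j in order]


if __name__ == "__main__":
    A_prime, out = self_attention(I_SAMPLE, W_EYE, W_EYE, W_EYE)
    print(screen_by_attention(A_prime, out, keep=1))
```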
Step 203 classifies the filtered association features by using a decision tree classifier to realize detection of malicious network traffic.
Step 2031 classifies the network traffic feature vectors obtained by feature screening with a Decision Tree (DT).
Step 2032, inputting the correlation characteristics of the network traffic obtained by screening, calculating a loss value in the network traffic training process through a cross entropy loss function, and adjusting the model according to the loss value to obtain training parameters of the model.
The Decision Tree (DT) is a tree-structured model that maps the attributes of an object to its label: an internal node represents a feature attribute of the network traffic and a leaf node represents its classification label. Compared with other classification models, the decision tree has a relatively small computational cost, easily convertible classification rules, high accuracy and strong generalisation, so a decision tree algorithm is selected to classify the network traffic. The decision tree classification stage comprises the following steps:
(1) The network traffic association features obtained by the screening of step 2031 are input, the loss value during training is computed with a cross entropy loss function, a threshold is predefined, and the optimal loss value below the threshold is selected during repeated training to obtain the training parameters of the model (random seed 42, 30 iterations, initial learning rate 0.01, weight decay 0.0005 and 16 hidden units). In the loss function Loss, $p_i$ is the predicted probability vector and $y_i$ the true class label of the sample. Finally the corresponding parameters are updated by backpropagation of the gradient.
(2) The Gini coefficient Gini(D) is used as the feature selection function. It measures the classification result of the network traffic data set: the smaller the Gini coefficient, the higher the purity of the data set. Here K is the number of data classes in the network traffic and $p_i$ is the probability that a sample belongs to class i.
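An added example, not the patent's code, of the Gini-based feature selection of the decision-tree stage: Gini(D) = 1 - Σ p_i², the search for the split (feature, threshold) that minimises the weighted Gini of the two children, and a small recursive tree built from it; the screened feature vectors and labels are constructed values.

```python
# Added example: Gini impurity, best-split search and a minimal decision tree
# over screened traffic features. Not the patent's code.
from collections import Counter

# Constructed screened feature vectors: (features, label), 1 = malicious.
# Feature 0 is an attention-derived score, feature 1 a flow size; made up.
SAMPLES = [
    ([0.9, 20.0], 1), ([0.8, 25.0], 1), ([0.85, 5.0], 1),
    ([0.1, 22.0], 0), ([0.2, 4.0], 0), ([0.15, 30.0], 0),
]


def gini(labels):
    """Gini(D) = 1 - sum_i p_i^2 over the class probabilities p_i of D."""
    n = len(labels)
    if n == 0:
        return 0.0
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())


def split_gini(samples, feature, threshold):
    """Weighted Gini of the two children produced by x[feature] <= threshold."""
    left = [y for x, y in samples if x[feature] <= threshold]
    right = [y for x, y in samples if x[feature] > threshold]
    n = len(samples)
    return (len(left) / n) * gini(left) + (len(right) / n) * gini(right)


def best_split(samples):
    """Return (feature, threshold, gini_after) minimising the weighted Gini,
    or None when no feature varies. Candidate thresholds are midpoints
    between consecutive distinct values of each feature."""
    best = None
    for f in range(len(samples[0][0])):
        vals = sorted({x[f] for x, _ in samples})
        for a, b in zip(vals, vals[1:]):
            t = (a + b) / 2
            g = split_gini(samples, f, t)
            if best is None or g < best[2]:
                best = (f, t, g)
    return best


def grow_tree(samples, max_depth=3):
    """Split recursively until a node is pure, gains nothing, or max_depth is
    reached; leaves carry the majority label (the classification label)."""
    labels = [y for _, y in samples]
    majority = Counter(labels).most_common(1)[0][0]
    if gini(labels) == 0.0 or max_depth == 0:
        return {"label": majority}
    split = best_split(samples)
    if split is None or split[2] >= gini(labels):
        return {"label": majority}
    f, t, _ = split
    left = [s for s in samples if s[0][f] <= t]
    right = [s for s in samples if s[0][f] > t]
    return {"feature": f, "threshold": t,
            "left": grow_tree(left, max_depth - 1),
            "right": grow_tree(right, max_depth - 1)}


def predict(tree, x):
    """Walk from the root to a leaf and return its label."""
    while "label" not in tree:
        branch = "left" if x[tree["feature"]] <= tree["threshold"] else "right"
        tree = tree[branch]
    return tree["label"]


if __name__ == "__main__":
    t = grow_tree(SAMPLES)
    print(t, predict(t, [0.95, 10.0]))
```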
Step 2033, inputting the obtained network traffic map data with the association relationship into a neural network model for training, thereby obtaining a final malicious network traffic detection model.
The invention mainly detects malicious network traffic, and uses a network traffic data set USTC-TFC2016 and an encrypted network traffic data set Stratosphere to perform effect test. Figures 3 and 4 show the distribution of data sets used for the experiments. The USTC-TFC2016 flow data set comprises ten malicious network flows and ten normal network flows which are collected from 2011 to 2015, wherein the file format in the data set is pcap and the flow types are marked; the Stratosphere traffic dataset comprises a series of network traffic data such as Zeus, botnet, etc.
In order to verify the detection effect of the malicious network traffic detection method GAT-DT based on the graph attention network, three other methods, GCN-ETA, KNN and XGBoost, are compared experimentally on the two network traffic data sets, with results shown in figs. 5 and 6. As figs. 5 and 6 show, the detection accuracy, precision, recall and F1-measure of the GAT-DT model of the invention are higher than those of the GCN-ETA, KNN and XGBoost models. The experimental results prove not only that the attention mechanism learns the associated characteristic information in the network traffic better, but also that combining the decision tree algorithm with the GAT model is very effective for detecting malicious network traffic. Besides the detection effect, the experiment also tests the detection stability of the four models; the results are shown in figs. 7, 8, 9 and 10. From figs. 7-10 it can be seen that the GAT-DT method provided by the invention also has better stability.
Claims (4)
1. The malicious network traffic detection method based on the graph attention network is characterized by comprising the following steps of:
step 1, constructing a graph structure by using address information of network traffic and relationships among traffic nodes, and extracting features of the constructed network traffic graph topological structure information by using a graph convolution neural network;
step 2, using a self-attention mechanism to perform feature screening on the network traffic vector to obtain relevant node features with stronger importance;
and step 3, classifying the filtered association features by using a decision tree classifier to realize detection of malicious network traffic.
2. A method according to claim 1, wherein the specific implementation of step 1 comprises the steps of:
step 1.1, constructing a network flow table after preprocessing operation to obtain a flow topological graph, connecting different nodes by taking a source IP address as a starting point and a destination IP address as an end point, numbering each different IP node, and constructing a network topological structure;
step 1.2, learning the association relation among nodes of the network traffic to obtain the characteristic information of different nodes and neighbor nodes and edges thereof, and realizing the graph association relation expression of the network traffic; by sharing the structural information of the same network node, the characteristics of each node to each global neighbor node are obtained under the effect of multi-layer convolution, and the spatial structural characteristics of the network traffic are further obtained.
3. The method according to claim 1, wherein the implementation of step 2 comprises the steps of:
the self-attention mechanism is used for focusing attention on local network traffic information and screening out partial unimportant information, so that redundancy removal operation is carried out on the network traffic characteristics, and key network traffic characteristics are obtained.
4. The method according to claim 1, wherein the implementation of step 3 comprises the steps of:
the network flow feature vectors obtained by feature screening are taken as the input of a decision tree algorithm (Decision Tree, abbreviated DT); the loss value in training is calculated with a cross entropy loss function, a threshold is predefined, the optimal loss value smaller than the threshold is selected during repeated training, the model is trained, and its training parameters are obtained: a random seed of 42, 30 iterations, an initial learning rate of 0.01, a weight decay of 0.0005 and 16 hidden units; the trained model is then used to detect malicious network traffic.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310950685.5A CN116827666A (en) | 2023-07-31 | 2023-07-31 | Malicious network traffic detection method based on graph attention network |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116827666A true CN116827666A (en) | 2023-09-29 |
Family
ID=88143028
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117579324A (en) * | 2023-11-14 | 2024-02-20 | 湖北华中电力科技开发有限责任公司 | Intrusion detection method based on gating time convolution network and graph |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||