CN117113262A - Network traffic identification method and system - Google Patents


Info

Publication number
CN117113262A
Authority
CN
China
Prior art keywords
network traffic
time sequence
sequence
network
vector
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202311367868.0A
Other languages
Chinese (zh)
Other versions
CN117113262B (en
Inventor
梁永通
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Zhongke Network Core Technology Co ltd
Original Assignee
Beijing Zhongke Network Core Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Zhongke Network Core Technology Co ltd filed Critical Beijing Zhongke Network Core Technology Co ltd
Priority to CN202311367868.0A priority Critical patent/CN117113262B/en
Publication of CN117113262A publication Critical patent/CN117113262A/en
Application granted granted Critical
Publication of CN117113262B publication Critical patent/CN117113262B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/243 Classification techniques relating to the number of classes
    • G06F18/2433 Single-class perspective, e.g. one-against-all classification; Novelty detection; Outlier detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/044 Recurrent networks, e.g. Hopfield networks
    • G06N3/0442 Recurrent networks, e.g. Hopfield networks characterised by memory or gating, e.g. long short-term memory [LSTM] or gated recurrent units [GRU]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • G06N3/092 Reinforcement learning

Abstract

The application discloses a network traffic identification method and a system thereof. The method acquires network traffic values at a plurality of preset time points in a preset time period; arranges the network traffic values of the plurality of preset time points into a network traffic time sequence input vector according to the time dimension; performs image conversion on the network traffic time sequence input vector to obtain a sequence of network traffic local time sequence images; extracts network traffic time sequence features from the sequence of network traffic local time sequence images; and determines whether the network traffic is abnormal based on the network traffic time sequence features. In this way, network traffic anomalies can be accurately identified, and abnormal fluctuation of the network traffic value in a short time is avoided.

Description

Network traffic identification method and system
Technical Field
The application relates to the technical field of intelligent network traffic identification, in particular to a network traffic identification method and a system thereof.
Background
Network traffic anomaly detection is an important research direction in the field of network security. It aims to discover attack behavior or fault phenomena in the network in time and to ensure the normal operation of the network. Traditional network traffic anomaly detection methods are mainly based on statistics or machine learning theory, and judge anomalies using statistical features or manually extracted features of the network traffic.
However, these methods have several problems: first, they have difficulty capturing the time sequence characteristics of network traffic and ignore how the traffic changes in the time dimension; second, they have difficulty adapting to the diversity of network traffic and cannot effectively process network traffic of different types or from different scenarios.
Thus, an optimized solution is desired.
Disclosure of Invention
The embodiment of the application provides a network traffic identification method and a system thereof. The method acquires network traffic values at a plurality of preset time points in a preset time period; arranges the network traffic values of the plurality of preset time points into a network traffic time sequence input vector according to the time dimension; performs image conversion on the network traffic time sequence input vector to obtain a sequence of network traffic local time sequence images; extracts network traffic time sequence features from the sequence of network traffic local time sequence images; and determines whether the network traffic is abnormal based on the network traffic time sequence features. In this way, network traffic anomalies can be accurately identified, and abnormal fluctuation of the network traffic value in a short time is avoided.
The embodiment of the application also provides a network traffic identification method, which comprises the following steps:
acquiring network traffic values at a plurality of preset time points in a preset time period;
arranging the network traffic values of the plurality of preset time points into a network traffic time sequence input vector according to the time dimension;
performing image conversion on the network traffic time sequence input vector to obtain a sequence of network traffic local time sequence images;
extracting network traffic time sequence features from the sequence of network traffic local time sequence images; and
determining whether the network traffic is abnormal based on the network traffic time sequence features.
The embodiment of the application also provides a network traffic identification system, which comprises:
a network traffic value acquisition module, used for acquiring network traffic values at a plurality of preset time points in a preset time period;
a vector arrangement module, used for arranging the network traffic values of the plurality of preset time points into a network traffic time sequence input vector according to the time dimension;
an image conversion module, used for performing image conversion on the network traffic time sequence input vector to obtain a sequence of network traffic local time sequence images;
a time sequence feature extraction module, used for extracting network traffic time sequence features from the sequence of network traffic local time sequence images; and
a network traffic determining module, used for determining whether the network traffic is abnormal based on the network traffic time sequence features.
Drawings
In order to illustrate the embodiments of the application or the technical solutions in the prior art more clearly, the drawings required by the embodiments or by the description of the prior art are briefly described below. The drawings in the following description show only some embodiments of the application, and a person skilled in the art may obtain other drawings from them without inventive effort. In the drawings:
Fig. 1 is a flowchart of a network traffic identification method according to an embodiment of the present application.
Fig. 2 is a schematic diagram of a system architecture of a network traffic identification method according to an embodiment of the present application.
Fig. 3 is a block diagram of a network traffic identification system according to an embodiment of the present application.
Fig. 4 is an application scenario diagram of a network traffic identification method provided in an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the embodiments of the present application will be described in further detail with reference to the accompanying drawings. The exemplary embodiments of the present application and their descriptions herein are for the purpose of explaining the present application, but are not to be construed as limiting the application.
Unless defined otherwise, all technical and scientific terms used in the embodiments of the application have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used in the present application is for the purpose of describing particular embodiments only and is not intended to limit the scope of the present application.
In describing embodiments of the present application, unless otherwise indicated and limited thereto, the term "connected" should be construed broadly, for example, it may be an electrical connection, or may be a communication between two elements, or may be a direct connection, or may be an indirect connection via an intermediate medium, and it will be understood by those skilled in the art that the specific meaning of the term may be interpreted according to circumstances.
It should be noted that the terms "first/second/third" in the embodiments of the present application merely distinguish similar objects and do not represent a specific order of those objects. Where allowed, "first/second/third" may be interchanged in a specific order or sequence, such that the embodiments of the application described herein may be practiced in sequences other than those illustrated or described herein.
Network traffic anomaly detection is a technique for monitoring and identifying abnormal traffic in a network. Its aim is to detect attacks, faults or abnormal events in the network so that corresponding measures can be taken in time to protect the security and normal operation of the network. Network traffic anomaly detection is important because malicious attackers may use abnormal traffic to conduct network attacks, such as distributed denial of service (DDoS) attacks, intrusion behavior, malware propagation, and the like. In addition, network failures or abnormal events may also cause problems such as network performance degradation, service interruption, or data leakage. Thus, timely discovery and identification of network traffic anomalies is critical to network security and normal operation.
Conventional network traffic anomaly detection methods are generally based on statistical or machine learning principles that analyze statistical or manually extracted features of network traffic data to determine if anomalies are present. Common features include bandwidth of traffic, number of packets, packet size, protocol distribution, etc. By comparing with normal traffic behavior, the anomaly detection algorithm can identify traffic patterns that do not match normal behavior.
In recent years, with the development of deep learning and artificial intelligence, a method based on deep learning has also made remarkable progress in network traffic anomaly detection. The deep learning model may learn complex patterns and feature representations in the network traffic data to more accurately detect abnormal traffic. For example, the time-ordered network traffic data may be modeled and analyzed using a Convolutional Neural Network (CNN) or a Recurrent Neural Network (RNN) or the like model.
Benefits of network traffic anomaly detection include: the method can discover the attack, fault or abnormal event in the network early, so as to take corresponding measures to protect the safety and normal operation of the network. By detecting and identifying abnormal traffic, the security of the network may be enhanced, reducing potential threats and risks. The abnormal traffic can be found and processed in time, so that the loss caused by the problems of network service interruption, data leakage and the like can be reduced. The network flow anomaly detection technology can automatically monitor the network flow, and reduce the burden of manual monitoring and analysis.
However, the conventional network traffic anomaly detection method has some limitations in capturing the timing characteristics of network traffic and adapting to the diversity of network traffic. First, conventional methods are based mainly on statistical or machine learning theory, typically using fixed feature extraction methods and model structures. This approach often fails to adequately capture the law of change in the time dimension of network traffic. Network traffic often has significant periodic, trending, seasonal, etc. characteristics, and conventional approaches often fail to handle these changes effectively. For example, in a DDoS attack, an attacker may adjust the attack strength and frequency such that network traffic exhibits a significant pattern of variation over time. The conventional method often cannot accurately capture the time sequence characteristic, so that the problem of missing report or false report is caused.
Second, conventional approaches also present challenges in accommodating the diversity of network traffic. The type and characteristics of network traffic may vary widely from network environment to network environment and scenario to scenario. For example, there may be significant differences between the network traffic inside the enterprise and the network traffic of the cloud service provider, and different types of attack may also result in different network traffic patterns. The traditional method is difficult to adapt to the diversity, and cannot accurately detect the abnormality of the network traffic in different types or different scenes.
In response to these problems, methods incorporating intelligent algorithms have been proposed in recent years to improve the accuracy and adaptability of network traffic anomaly detection. These methods mainly include studies of the following aspects:
Deep learning. The deep learning model has strong expressive power and self-adaptability, and can learn complex patterns and time sequence characteristics in network traffic data. For example, using a recurrent neural network (RNN) or a long short-term memory (LSTM) network may effectively capture the timing dependencies of network traffic, thereby improving the accuracy of anomaly detection.
Graph neural networks. The graph neural network is a deep learning model capable of processing graph data. Network traffic data can be represented as a graph structure and anomalies detected using the graph neural network, which can better capture the topological structure and time sequence relations of the network traffic and is suitable for complex network environments and scenarios.
Reinforcement learning. Reinforcement learning is a machine learning method that learns optimal strategies by interacting with the environment. In network traffic anomaly detection, the anomaly detection problem can be regarded as a reinforcement learning problem, and the optimal anomaly detection strategy is learned by interaction with the environment, so that the method can adapt to the diversity of network traffic and has a certain self-adaptability and generalization capability.
Transfer learning. Transfer learning is a machine learning method that transfers learned knowledge to a new task. In network traffic anomaly detection, pre-training can be performed using existing network traffic data and models, and the learned knowledge is then migrated to a new network environment and scenario.
The method can effectively improve the accuracy and adaptability of network traffic anomaly detection by combining an intelligent algorithm, can better capture the time sequence characteristic of the network traffic and adapt to the diversity of the network traffic, improves the anomaly detection effect, and provides more reliable guarantee for network security.
In one embodiment of the present application, Fig. 1 is a flowchart of a network traffic identification method provided in the embodiment of the present application. Fig. 2 is a schematic diagram of a system architecture of a network traffic identification method according to an embodiment of the present application. As shown in Fig. 1 and Fig. 2, a network traffic identification method according to an embodiment of the present application includes:
step 110, acquiring network traffic values at a plurality of preset time points in a preset time period;
step 120, arranging the network traffic values of the plurality of preset time points into a network traffic time sequence input vector according to the time dimension;
step 130, performing image conversion on the network traffic time sequence input vector to obtain a sequence of network traffic local time sequence images;
step 140, extracting network traffic time sequence features from the sequence of network traffic local time sequence images; and
step 150, determining whether the network traffic is abnormal based on the network traffic time sequence features.
In step 110, the selected time points should sufficiently represent how the network traffic changes; different time periods such as peak periods, off-peak periods, working days and weekends can be selected. Acquiring network traffic values at multiple time points provides more comprehensive data and makes subsequent analysis more accurate.
In step 120, the order in the time dimension must be correct, that is, the values are arranged chronologically. Arranging the network traffic values into a time sequence input vector according to the time dimension preserves how the network traffic changes over time and provides ordered data for subsequent analysis.
In step 130, a suitable image conversion method is selected, for example converting the time series data into pixel values or color intensities of an image. Converting the network traffic time sequence input vector into an image sequence displays the time sequence characteristics of the network traffic more intuitively, which facilitates subsequent feature extraction and analysis.
In step 140, an appropriate feature extraction method is selected, for example a convolutional neural network, a recurrent neural network, or a time-frequency analysis method. Extracting the time sequence features of the network traffic captures its key patterns of change and helps to distinguish normal traffic from abnormal traffic.
In step 150, a suitable anomaly detection model is built, for example using supervised or unsupervised learning methods. By detecting anomalies through the time sequence features of the network traffic, whether the network traffic is abnormal can be accurately judged, and corresponding security measures can be taken in time.
To address the above technical problems, the technical concept of the application is to capture the time sequence characteristics of the network traffic by combining an intelligent algorithm, so as to accurately identify network traffic anomalies. It should be appreciated that the occurrence of abnormal traffic may result in a dramatic increase or decrease in network traffic values over a short period of time. Such abnormal fluctuations may be caused by network attacks, large-scale data transmission, or other abnormal situations. At the same time, such abnormal fluctuations may also be reflected in the timing characteristics of the network traffic.
Based on this, in the technical scheme of the application, firstly, network flow values of a plurality of preset time points in a preset time period are obtained; and arranging the network traffic values at the plurality of preset time points into a network traffic time sequence input vector according to a time dimension so as to better represent the dynamic evolution process of the network traffic.
Then, image conversion is performed on the network traffic time sequence input vector to obtain a sequence of network traffic local time sequence images. Converting the time sequence vector representation of the network traffic into image form adapts better to the diversity of network traffic and takes the local correlation of the network traffic into account. That is, with image data, the timing characteristics of network traffic over different time spans can be captured.
In a specific example of the present application, performing image conversion on the network traffic time sequence input vector to obtain the sequence of network traffic local time sequence images includes: performing vector segmentation on the network traffic time sequence input vector to obtain a sequence of network traffic local time sequence input vectors; and passing the sequence of network traffic local time sequence input vectors through a vector-image format converter to obtain the sequence of network traffic local time sequence images.
Further, passing the sequence of network traffic local time sequence input vectors through the vector-image format converter to obtain the sequence of network traffic local time sequence images includes: performing vector segmentation on the sequence of network traffic local time sequence input vectors to obtain a sequence of network traffic local input sub-vectors; arranging the sequence of network traffic local input sub-vectors into a network traffic local time sequence input matrix; and normalizing the network traffic local time sequence input matrix to obtain the sequence of network traffic local time sequence images, wherein the value at each position in the sequence of network traffic local time sequence images lies in the range 0-255.
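The conversion described above, written out as an added example (not code from the patent). The window length, row length, the dropping of a trailing partial window, the choice of min-max scaling as the normalization, and the optional fixed bounds are all assumptions; the traffic values are constructed sample data.

```python
from typing import List, Optional, Sequence, Tuple

Image = List[List[int]]  # one local time sequence image, pixel values 0..255


def split_windows(vector: Sequence[float], window_len: int) -> List[List[float]]:
    """Cut the time-ordered traffic vector into consecutive local vectors.

    A trailing partial window is dropped (assumption: the page does not
    say how a remainder is handled).
    """
    if window_len <= 0:
        raise ValueError("window_len must be positive")
    count = len(vector) // window_len
    return [list(vector[i * window_len:(i + 1) * window_len]) for i in range(count)]


def to_matrix(local_vector: Sequence[float], row_len: int) -> List[List[float]]:
    """Split one local vector into sub-vectors and stack them as matrix rows."""
    if row_len <= 0 or len(local_vector) % row_len:
        raise ValueError("local vector length must be a multiple of row_len")
    return [list(local_vector[i:i + row_len])
            for i in range(0, len(local_vector), row_len)]


def normalise(matrix: List[List[float]],
              bounds: Optional[Tuple[float, float]] = None) -> Image:
    """Min-max scale a matrix into 0..255.

    bounds=None uses the matrix's own min and max (per-image normalization).
    Fixed bounds, e.g. taken from a training baseline (assumption), keep the
    absolute traffic level visible; values outside them are clamped.
    A matrix with no spread maps to all zeros instead of dividing by zero.
    """
    flat = [v for row in matrix for v in row]
    lo, hi = bounds if bounds is not None else (min(flat), max(flat))
    span = hi - lo
    if span <= 0:
        return [[0] * len(row) for row in matrix]
    return [[max(0, min(255, round(255 * (v - lo) / span))) for v in row]
            for row in matrix]


def vector_to_images(vector: Sequence[float], window_len: int, row_len: int,
                     bounds: Optional[Tuple[float, float]] = None) -> List[Image]:
    """Traffic vector -> local vectors -> matrices -> 0..255 images."""
    return [normalise(to_matrix(window, row_len), bounds)
            for window in split_windows(vector, window_len)]


def pixel_range(image: Image) -> Tuple[int, int]:
    """Smallest and largest pixel value in one image."""
    flat = [p for row in image for p in row]
    return min(flat), max(flat)


# Constructed sample: 32 traffic readings (Mbit/s), a quiet window followed
# by a window containing a short burst.
BASELINE = [100, 102, 98, 101, 99, 103, 100, 97,
            101, 100, 102, 99, 98, 100, 101, 103]
BURST = [100, 101, 99, 100, 450, 900, 880, 910,
         905, 890, 400, 102, 100, 99, 101, 100]
SAMPLE = BASELINE + BURST

if __name__ == "__main__":
    for label, bounds in (("per-image", None), ("fixed bounds", (97, 910))):
        images = vector_to_images(SAMPLE, window_len=16, row_len=4, bounds=bounds)
        print(label, [pixel_range(img) for img in images])
    # A sustained flat flood and a flat baseline give the same per-image result.
    print(vector_to_images([900] * 16, 16, 4) == vector_to_images([100] * 16, 16, 4))
```

With per-image normalization the quiet window is stretched to full contrast and a flat sustained flood is indistinguishable from a flat baseline, so the absolute traffic level has to reach the classifier some other way, for example through fixed bounds as in the second call.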
The sequence of the network traffic time sequence input vector is divided into a sequence of local time sequence input vectors, so that the time sequence characteristics of the network traffic can be subdivided into smaller time windows. Thus, short-term changes and fluctuations of network traffic can be captured more accurately, thereby improving the accuracy of anomaly detection. Through the sequence of the local time sequence input vector, the dynamic change condition of the network traffic can be better observed, and the abnormal behavior hidden in the fine fluctuation can be found.
The sequence of network traffic local time sequence input vectors is converted into the sequence of network traffic local time sequence images through a vector-image format converter, and time sequence characteristics can be expressed in the form of images. The image has visual characteristics, and the time sequence change condition of the network flow can be displayed more intuitively. By observing the sequence of the local time sequence images of the network traffic, the abnormal mode, the abnormal fluctuation or the abnormal trend can be more easily found, so that the effect of abnormality detection is improved.
The network traffic is segmented into a sequence of local time sequence input vectors, and the sequence is converted into an image sequence through a vector-image format converter, so that the adaptability of the anomaly detection method to network traffic in different types or different scenes can be enhanced. Different types of network traffic may have different timing characteristics and patterns of variation, which may be better captured and represented by converting the network traffic into a sequence of images, thereby enabling the anomaly detection method to operate effectively in different types or different scenarios.
The network traffic time sequence input vector is segmented into a sequence of local time sequence input vectors, and that sequence is converted into the sequence of network traffic local time sequence images through a vector-image format converter, so that the accuracy and the adaptability of network traffic anomaly detection can be improved. The method can capture the time sequence characteristics at a finer granularity, enhance the visual representation of the time sequence characteristics, and improve the adaptability of the anomaly detection method to network traffic of different types or in different scenarios, thereby better ensuring the secure operation of the network.
Then, the sequence of network traffic local time sequence images is passed through a network traffic time sequence feature extractor based on a three-dimensional convolutional neural network model to obtain a network traffic time sequence feature map. That is, the network traffic time sequence features in the sequence of network traffic local time sequence images are extracted.
In a specific embodiment of the present application, extracting the network traffic timing feature in the sequence of the network traffic local timing images includes: and the sequence of the network traffic local time sequence images passes through a network traffic time sequence feature extractor based on a three-dimensional convolutional neural network model to obtain the network traffic time sequence feature map.
A three-dimensional convolutional neural network (3D CNN) may consider both temporal and spatial information in a sequence of time-sequential images. By performing three-dimensional convolution operation on the local time sequence image sequence of the network flow, the time-space relationship between different time points and different positions can be captured, so that the time sequence characteristics of the network flow, including the time sequence change mode, the time sequence associated region and the like, can be more comprehensively understood, and the accuracy of anomaly detection is improved. The feature extractor based on the three-dimensional convolutional neural network can learn complex features in the network traffic time sequence image. Network traffic data often contains rich timing patterns and variation rules, and conventional feature extraction methods often have difficulty capturing these complex features. The three-dimensional convolutional neural network-based feature extractor can automatically learn abstract features in the network traffic time sequence image through multi-layer convolution and pooling operation, so that the time sequence features of the network traffic are better represented.
The network traffic timing feature diagram may be viewed as an abstract and compressed representation of a sequence of local timing images of network traffic. By using a feature extractor based on a three-dimensional convolutional neural network, the original local time-series image sequence can be converted into a lower-dimensional time-series feature map. Therefore, the dimension of the features can be reduced, the complexity of the data is reduced, and meanwhile, the important time sequence features are reserved, so that the efficiency and the instantaneity of anomaly detection are improved. The generalization capability of the anomaly detection method can be enhanced by extracting a time sequence feature map of the network traffic based on a feature extractor of the three-dimensional convolutional neural network. The time sequence characteristic diagram can better represent the time sequence mode and the change rule of the network traffic, is not influenced by specific network environments and scenes, so that the anomaly detection method can be suitable for the network traffic in different types and different scenes, and has wider applicability.
Passing the sequence of network traffic local time sequence images through the network traffic time sequence feature extractor based on the three-dimensional convolutional neural network model to obtain the network traffic time sequence feature map captures the spatio-temporal relationship, extracts complex features, reduces the feature dimension and enhances the generalization capability of the anomaly detection method. This helps to improve the accuracy, efficiency and adaptability of network traffic anomaly detection and provides a more reliable guarantee for network security.
Further, the network traffic time sequence feature map is passed through a channel attention layer to obtain a channel-salient network traffic time sequence feature map. Here, the channel attention layer is introduced to make the channel feature distribution of the network traffic time sequence feature map salient, so as to further improve the expressive capability of the network traffic time sequence features. Specifically, the channel attention layer can adaptively adjust the importance of different channels, highlight key information, and suppress noise and redundant information. Then, the channel-salient network traffic time sequence feature map is passed through a classifier to obtain a classification result, wherein the classification result is used for indicating whether the network traffic is abnormal.
In a specific embodiment of the present application, determining whether the network traffic is abnormal based on the network traffic time sequence features includes: passing the network traffic time sequence feature map through a channel attention layer to obtain a channel-salient network traffic time sequence feature map; and passing the channel-salient network traffic time sequence feature map through a classifier to obtain a classification result, wherein the classification result is used for indicating whether the network traffic is abnormal.
Passing the network traffic time sequence feature map through the channel attention layer to obtain the channel-salient network traffic time sequence feature map includes: inputting the network traffic time sequence feature map into a plurality of convolution layers of the channel attention layer to obtain a convolution feature map; calculating the global average value of each feature matrix of the convolution feature map along the channel dimension to obtain a channel feature vector; inputting the channel feature vector into a Sigmoid activation function to obtain a channel attention weight vector; and weighting each feature matrix of the convolution feature map along the channel dimension, taking the feature value at each position in the channel attention weight vector as the weight, to obtain the channel-salient network traffic time sequence feature map.
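The last three operations of the channel attention layer described above (global average per channel, Sigmoid, channel-wise weighting), as an added example that is not code from the patent. The convolution feature map is assumed to be already computed and is given as constructed sample values in a [channel][row][column] layout; the function names are hypothetical.

```python
import math
from typing import List, Tuple

FeatureMap = List[List[List[float]]]  # [channel][row][column]


def sigmoid(x: float) -> float:
    """Logistic function, written so large |x| cannot overflow exp()."""
    if x >= 0:
        return 1.0 / (1.0 + math.exp(-x))
    e = math.exp(x)
    return e / (1.0 + e)


def channel_attention(conv_features: FeatureMap) -> Tuple[List[float], FeatureMap]:
    """Return (channel attention weight vector, channel-weighted feature map).

    1. global average of each channel's feature matrix -> channel feature vector
    2. Sigmoid of that vector                          -> attention weights
    3. every value of channel c multiplied by weight c -> weighted feature map
    """
    if not conv_features:
        raise ValueError("feature map has no channels")
    weights: List[float] = []
    for channel in conv_features:
        values = [v for row in channel for v in row]
        if not values:
            raise ValueError("empty feature matrix")
        weights.append(sigmoid(sum(values) / len(values)))
    weighted = [[[w * v for v in row] for row in channel]
                for w, channel in zip(weights, conv_features)]
    return weights, weighted


# Constructed sample: three 2x2 channels standing in for the output of the
# attention layer's convolution layers.
CONV_FEATURES: FeatureMap = [
    [[0.0, 0.0], [0.0, 0.0]],      # silent channel, mean 0
    [[6.0, 8.0], [7.0, 7.0]],      # strongly activated channel, mean 7
    [[-3.0, -1.0], [-2.0, -2.0]],  # negative response, mean -2
]

if __name__ == "__main__":
    w, out = channel_attention(CONV_FEATURES)
    print([round(x, 4) for x in w])
    # Because the Sigmoid is applied directly to the channel mean, any channel
    # whose mean is >= 0 (always the case after a ReLU) gets a weight >= 0.5:
    # such channels are ranked against each other but never scaled below half.
```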
The channel attention layer may adaptively learn the importance weights of each channel in the network traffic timing feature map. By weighting each channel, important characteristic channels can be highlighted, unimportant characteristic channels are restrained, the expression capability of the network traffic time sequence characteristics is improved, the abnormality detection is focused on the important time sequence characteristics, and the accuracy of the abnormality detection is improved. The channel-salient network traffic timing sequence feature diagram can better capture key features of network traffic and reduce interference of irrelevant features. By strengthening the important characteristic channel, the perception capability of the anomaly detection method on key information in network traffic can be improved, so that the robustness of anomaly detection is enhanced, the anomaly detection method can be better adapted to network traffic in different types and different scenes, and the anomaly detection method has stronger generalization capability.
Network traffic can be classified into normal and abnormal categories by inputting the channel-salified network traffic timing feature diagram into a classifier. The classifier can learn patterns and features in the network traffic timing feature map and map them to corresponding classification results. Therefore, whether the network traffic is abnormal or not can be judged, and the abnormal classification result can be used for timely finding and responding to the network security event, so that the early warning and responding capability of the network security can be improved.
The network flow time sequence feature diagram is processed through the channel attention layer to obtain the channel-salified network flow time sequence feature diagram, and is input into the classifier to obtain the classification result, so that the important feature channel can be enhanced, the robustness of anomaly detection is enhanced, the anomaly classification of the network flow is realized, the accuracy, the robustness and the practicability of the anomaly detection of the network flow are improved, and more reliable guarantee is provided for network safety.
In one embodiment of the present application, the network traffic identification method further includes a training step: training the vector-image format converter, the network flow time sequence feature extractor based on the three-dimensional convolutional neural network model, the channel attention layer and the classifier; wherein the training step comprises: acquiring training data, wherein the training data comprises training network flow values at a plurality of preset time points in a preset time period and a true value of whether the network flow is abnormal or not; arranging the training network flow values of the plurality of preset time points into training network flow time sequence input vectors according to the time dimension; vector segmentation is carried out on the training network flow time sequence input vector so as to obtain a sequence of training network flow local time sequence input vector; passing the sequence of training network traffic local time sequence input vectors through the vector-image format converter to obtain a sequence of training network traffic local time sequence images; passing the sequence of training network traffic local time sequence images through the network traffic time sequence feature extractor based on the three-dimensional convolutional neural network model to obtain a training network traffic time sequence feature map; the training network flow time sequence feature diagram passes through the channel attention layer to obtain a training channel saliency network flow time sequence feature diagram; performing feature distribution optimization on the training channel saliency network flow time sequence feature map to obtain an optimized channel saliency network flow time sequence feature map; the optimized channel saliency network flow time sequence feature diagram passes through a classifier to obtain a classification loss function value; and training the vector-image format converter, the three-dimensional convolutional neural network model-based network traffic timing feature extractor, the channel attention layer, and the classifier with the classification loss function values.
In the technical scheme of the application, for the training network traffic timing input vector, vector segmentation yields a local time domain-based distribution within the global time domain, and vector-image format conversion further yields a sub-division time domain-based distribution within each local time domain. After the network traffic timing feature extractor based on the three-dimensional convolutional neural network model, each feature matrix of the training network traffic timing feature map therefore expresses the sub-division time domain timing correlation features of the network traffic values, and the feature matrices follow the local time domain timing correlation within the global time domain. After the channel attention layer, the overall time domain timing distribution within the local time domain is further strengthened, giving the training channel-salient network traffic timing feature map. At the same time, however, the training channel-salient network traffic timing feature map as a whole may be unbalanced in how it expresses the local time domain timing correlation of the training network traffic values within the global time domain. The applicant of the present application further finds that this imbalance is largely related to the feature expression scale, that is, the timing correlation feature expression scale in the local time domain space division dimension of each feature matrix, and the local time domain timing correlation scale within the global time domain in the channel dimension between the feature matrices. For example, it may be understood that the more unbalanced the distribution of the feature values in each dimension is relative to the corresponding scale distribution, the more unbalanced the overall expression of the feature map is.
Therefore, when the training channel-salient network traffic timing feature map is passed through the classifier, the convergence of the classifier's probability density distribution domain is affected, which in turn affects the accuracy of the obtained classification result.
Thus, it is preferable to emphasize the respective feature matrices of the network traffic timing feature map for the training channels, e.g. denoted asProbability of feature scale constraintsRate density convergence optimization, expressed as: performing probability density convergence optimization of feature scale constraint on each feature matrix of the training channel saliency network flow time sequence feature map by using the following optimization formula; wherein, the optimization formula is:
wherein,is the channel number of the training channel saliency network flow time sequence characteristic diagram,/for the training channel saliency network flow time sequence characteristic diagram>Is the feature matrix of each training channel saliency network flow time sequence feature diagram>Global feature mean,/, of>Is->Component feature vector, < >>Representing feature vector +.>Square of the two norms of +.>Is each feature matrix of training channel saliency network flow time sequence feature diagramIs the dimension of (i.e. width multiplied by height) and +.>Representing a feature matrix->Is the square of the Frobenius norm, < >>Is the feature matrix of each training channel saliency network flow time sequence feature diagram, < >>Representing feature vector +.>Weight coefficient of>Is the weight coefficient of the training channel saliency network flow time sequence characteristic diagram.
Here, the probability density convergence optimization of the feature scale constraint can perform correlation constraint of a multi-level distribution structure on the feature probability density distribution in the high-dimensional feature space based on the feature scale through a tail distribution strengthening mechanism of a quasi-standard cauchy distribution type, so that the probability density distribution of the high-dimensional features with different scales is uniformly unfolded in the whole probability density space, and probability density convergence heterogeneity caused by feature scale deviation is compensated. Thus, during the training process, the weight is givenWeighting the feature vectors along the channel and weighting them with the weights +.>Highlighting each feature matrix of the network traffic timing feature map for the training channel>Weighting is carried out, so that the predetermined probability density division of the optimized channel saliency network flow time sequence characteristic diagram in the classifier can be improvedThe convergence of the distribution domain, thereby improving the accuracy of the obtained classification result.
In summary, the network traffic identification method according to the embodiment of the present application has been described. It uses an intelligent algorithm to capture the timing features of network traffic so as to identify network traffic anomalies accurately. It should be appreciated that abnormal traffic may cause network traffic values to increase or decrease dramatically over a short period of time. Such abnormal fluctuations may be caused by network attacks, large-scale data transmission, or other abnormal situations.
Fig. 3 is a block diagram of a network traffic identification system according to an embodiment of the present application. As shown in fig. 3, the network traffic identification system 200 includes: a network flow value obtaining module 210, configured to obtain network flow values at a plurality of predetermined time points within a predetermined period of time; a vector arrangement module 220, configured to arrange the network traffic values at the plurality of predetermined time points into a network traffic timing input vector according to a time dimension; the image conversion module 230 is configured to perform image conversion on the network traffic timing input vector to obtain a sequence of local timing images of network traffic; a timing feature extraction module 240, configured to extract a network traffic timing feature in the sequence of the network traffic local timing images; and a network traffic determining module 250 configured to determine whether there is an anomaly in the network traffic based on the network traffic timing characteristics.
In the network traffic identification system, the image conversion module includes: the vector segmentation unit is used for carrying out vector segmentation on the network traffic time sequence input vector so as to obtain a sequence of network traffic local time sequence input vector; and a vector-image format conversion unit, configured to pass the sequence of network traffic local time sequence input vectors through a vector-image format converter to obtain the sequence of network traffic local time sequence images.
In the network traffic identification system, the vector-image format conversion unit includes: the local vector segmentation subunit is used for carrying out vector segmentation on the sequence of the network traffic local time sequence input vectors so as to obtain the sequence of the network traffic local input sub-vectors; a matrixing subunit, configured to arrange the sequence of local network traffic input subvectors into a local network traffic timing input matrix; the normalization subunit is used for performing normalization processing on the network traffic local time sequence input matrix to obtain a sequence of the network traffic local time sequence image; wherein the range of values for each position in the sequence of network traffic local time sequence images is 0-255.
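The conversion chain described above (vector segmentation, sub-vector segmentation, matrix arrangement, normalization to 0-255), as an added sketch that is not code from the patent. The text visible here does not state the normalization formula, so min-max scaling is an assumption, as are the names `traffic_to_images`, `local_len`, `row_len` and `scale` and the constructed `SAMPLE` values; the `scale` switch shows how per-image scaling discards absolute traffic volume while one shared scale keeps it.

```python
def split(vec, size):
    """Cut vec into consecutive chunks of `size`; a ragged tail is an error."""
    if size <= 0 or len(vec) % size != 0:
        raise ValueError(f"cannot cut {len(vec)} values into chunks of {size}")
    return [list(vec[i:i + size]) for i in range(0, len(vec), size)]


def to_image(matrix, lo, hi):
    """Min-max scale (assumed scheme) to integer pixel values in 0..255."""
    span = hi - lo
    if span == 0:
        # A perfectly flat window has no contrast; map it to an all-zero image.
        return [[0] * len(row) for row in matrix]
    return [[round(255 * (v - lo) / span) for v in row] for row in matrix]


def traffic_to_images(values, local_len, row_len, scale="local"):
    """values: traffic values ordered by time (the timing input vector).
    local_len: length of each local timing input vector.
    row_len: length of each sub-vector, i.e. the image width.
    scale: "local" normalizes each image on its own min/max,
           "global" uses the min/max of the whole input vector."""
    if not values:
        raise ValueError("empty traffic vector")
    if scale not in ("local", "global"):
        raise ValueError("scale must be 'local' or 'global'")
    local_vectors = split(values, local_len)               # vector segmentation
    matrices = [split(v, row_len) for v in local_vectors]  # sub-vectors -> matrix
    if scale == "global":
        lo, hi = min(values), max(values)
        return [to_image(m, lo, hi) for m in matrices]
    return [to_image(m, min(map(min, m)), max(map(max, m))) for m in matrices]


# Constructed sample: 16 baseline readings, then the same shape at 10x volume.
SAMPLE = [100 + i for i in range(16)] + [10 * (100 + i) for i in range(16)]

if __name__ == "__main__":
    for mode in ("local", "global"):
        first, second = traffic_to_images(SAMPLE, 16, 4, scale=mode)
        print(mode, "baseline image:", first)
        print(mode, "10x image:     ", second)
```

With per-image scaling the baseline window and the tenfold window produce identical images, so a classifier fed those images sees only the shape of the traffic inside each window, not its level.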
It will be appreciated by those skilled in the art that the specific operation of the respective steps in the above-described network traffic identification system has been described in detail in the above description of the network traffic identification method with reference to fig. 1 to 2, and thus, repetitive descriptions thereof will be omitted.
As described above, the network traffic identification system 200 according to the embodiment of the present application may be implemented in various terminal devices, such as a server or the like for network traffic identification. In one example, the network traffic identification system 200 according to embodiments of the present application may be integrated into the terminal device as a software module and/or hardware module. For example, the network traffic identification system 200 may be a software module in the operating system of the terminal device or may be an application developed for the terminal device; of course, the network traffic identification system 200 could equally be one of a number of hardware modules of the terminal device.
Alternatively, in another example, the network traffic identification system 200 and the terminal device may be separate devices, and the network traffic identification system 200 may be connected to the terminal device through a wired and/or wireless network and transmit the interaction information in an agreed data format.
Fig. 4 is an application scenario diagram of a network traffic identification method provided in an embodiment of the present application. As shown in fig. 4, in the application scenario, first, network flow values (e.g., C as illustrated in fig. 4) at a plurality of predetermined time points within a predetermined period of time are acquired; the acquired network traffic values are then input to a server (e.g., S as illustrated in fig. 4) that is deployed with a network traffic identification algorithm, wherein the server is capable of processing the network traffic values based on the network traffic identification algorithm to determine whether there is an anomaly in the network traffic.
The foregoing description of the embodiments has been provided for the purpose of illustrating the general principles of the application. It is not meant to limit the scope of the application or to limit the application to the particular embodiments, and any modifications, equivalents, improvements, etc. that fall within the spirit and principles of the application are intended to be included within the scope of the application.

Claims (10)

1. A method for identifying network traffic, comprising:
acquiring network flow values at a plurality of preset time points in a preset time period;
arranging the network traffic values of the plurality of preset time points into network traffic time sequence input vectors according to a time dimension;
performing image conversion on the network traffic time sequence input vector to obtain a sequence of network traffic local time sequence images;
extracting network traffic time sequence characteristics in the sequence of the network traffic local time sequence images; and
determining whether the network traffic is abnormal or not based on the time sequence characteristics of the network traffic.
2. The network traffic identification method of claim 1, wherein image converting the network traffic timing input vector to obtain a sequence of network traffic local timing images comprises:
vector segmentation is carried out on the network traffic time sequence input vector so as to obtain a sequence of network traffic local time sequence input vectors; and
passing the sequence of network traffic local time sequence input vectors through a vector-image format converter to obtain the sequence of network traffic local time sequence images.
3. The network traffic identification method of claim 2, wherein passing the sequence of network traffic local time series input vectors through a vector-to-image format converter to obtain the sequence of network traffic local time series images comprises:
vector segmentation is carried out on the sequence of the network traffic local time sequence input vectors to obtain a sequence of network traffic local input sub-vectors;
arranging the sequence of the local network traffic input sub-vectors into a local network traffic time sequence input matrix; and
normalizing the network traffic local time sequence input matrix to obtain a sequence of the network traffic local time sequence images; wherein the range of values for each position in the sequence of network traffic local time sequence images is 0-255.
4. A network traffic identification method according to claim 3, wherein extracting network traffic timing features in the sequence of network traffic local timing images comprises:
passing the sequence of the network traffic local time sequence images through a network traffic time sequence feature extractor based on a three-dimensional convolutional neural network model to obtain a network traffic time sequence feature map.
5. The network traffic identification method of claim 4, wherein determining whether there is an anomaly in network traffic based on the network traffic timing characteristics comprises:
the network flow time sequence characteristic diagram passes through a channel attention layer to obtain a channel-salified network flow time sequence characteristic diagram; and
passing the channel-salified network traffic time sequence characteristic diagram through a classifier to obtain a classification result, wherein the classification result is used for indicating whether the network traffic is abnormal or not.
6. The network traffic identification method of claim 5, wherein passing the network traffic timing profile through a channel attention layer to obtain a channel-salient network traffic timing profile comprises:
inputting the network flow time sequence characteristic diagram into a plurality of convolution layers of the channel attention layer to obtain a convolution characteristic diagram;
calculating the global average value of each feature matrix of the convolution feature diagram along the channel dimension to obtain a channel feature vector;
inputting the channel feature vector into a Sigmoid activation function to obtain a channel attention weight vector; and
respectively weighting each characteristic matrix of the convolution characteristic diagram along the channel dimension by taking the characteristic value of each position in the channel attention weight vector as a weight to obtain the channel saliency network flow time sequence characteristic diagram.
7. The network traffic identification method of claim 6, further comprising the training step of: training the vector-image format converter, the network flow time sequence feature extractor based on the three-dimensional convolutional neural network model, the channel attention layer and the classifier;
wherein the training step comprises:
acquiring training data, wherein the training data comprises training network flow values at a plurality of preset time points in a preset time period and a true value of whether the network flow is abnormal or not;
arranging the training network flow values of the plurality of preset time points into training network flow time sequence input vectors according to the time dimension;
vector segmentation is carried out on the training network flow time sequence input vector so as to obtain a sequence of training network flow local time sequence input vector;
passing the sequence of training network traffic local time sequence input vectors through the vector-image format converter to obtain a sequence of training network traffic local time sequence images;
passing the sequence of training network traffic local time sequence images through the network traffic time sequence feature extractor based on the three-dimensional convolutional neural network model to obtain a training network traffic time sequence feature map;
the training network flow time sequence feature diagram passes through the channel attention layer to obtain a training channel saliency network flow time sequence feature diagram;
performing feature distribution optimization on the training channel saliency network flow time sequence feature map to obtain an optimized channel saliency network flow time sequence feature map;
the optimized channel saliency network flow time sequence feature diagram passes through a classifier to obtain a classification loss function value; and
training the vector-image format converter, the three-dimensional convolutional neural network model-based network traffic timing feature extractor, the channel attention layer, and the classifier with the classification loss function values.
8. A network traffic identification system, comprising:
the network flow value acquisition module is used for acquiring network flow values of a plurality of preset time points in a preset time period;
the vector arrangement module is used for arranging the network traffic values of the plurality of preset time points into network traffic time sequence input vectors according to the time dimension;
the image conversion module is used for carrying out image conversion on the network traffic time sequence input vector so as to obtain a sequence of network traffic local time sequence images;
the time sequence feature extraction module is used for extracting the time sequence features of the network traffic in the sequence of the local time sequence images of the network traffic; and
the network traffic determining module is used for determining whether the network traffic is abnormal or not based on the network traffic time sequence characteristics.
9. The network traffic identification system of claim 8, wherein the image conversion module comprises:
the vector segmentation unit is used for carrying out vector segmentation on the network traffic time sequence input vector so as to obtain a sequence of network traffic local time sequence input vector; and
the vector-image format conversion unit is used for enabling the sequence of the network traffic local time sequence input vectors to pass through a vector-image format converter so as to obtain the sequence of the network traffic local time sequence images.
10. The network traffic identification system of claim 9, wherein the vector-image format conversion unit comprises:
the local vector segmentation subunit is used for carrying out vector segmentation on the sequence of the network traffic local time sequence input vectors so as to obtain the sequence of the network traffic local input sub-vectors;
a matrixing subunit, configured to arrange the sequence of local network traffic input subvectors into a local network traffic timing input matrix; and
the normalization subunit is used for carrying out normalization processing on the local time sequence input matrix of the network traffic to obtain a sequence of the local time sequence image of the network traffic; wherein the range of values for each position in the sequence of network traffic local time sequence images is 0-255.
CN202311367868.0A 2023-10-23 2023-10-23 Network traffic identification method and system Active CN117113262B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311367868.0A CN117113262B (en) 2023-10-23 2023-10-23 Network traffic identification method and system

Publications (2)

Publication Number Publication Date
CN117113262A true CN117113262A (en) 2023-11-24
CN117113262B CN117113262B (en) 2024-02-02

Family

ID=88813204

Country Status (1)

Country Link
CN (1) CN117113262B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111428789A (en) * 2020-03-25 2020-07-17 广东技术师范大学 Network traffic anomaly detection method based on deep learning
CN112367334A (en) * 2020-11-23 2021-02-12 中国科学院信息工程研究所 Network traffic identification method and device, electronic equipment and storage medium
CN114118622A (en) * 2021-12-08 2022-03-01 北京北大软件工程股份有限公司 Data trend prediction method and system based on time series
CN114615093A (en) * 2022-05-11 2022-06-10 南京信息工程大学 Anonymous network traffic identification method and device based on traffic reconstruction and inheritance learning
US20220269258A1 (en) * 2020-09-15 2022-08-25 Zhejiang University Method for anomaly classification of industrial control system communication network
CN116545944A (en) * 2023-05-30 2023-08-04 广东技术师范大学 Network traffic classification method and system
CN116781430A (en) * 2023-08-24 2023-09-19 克拉玛依市燃气有限责任公司 Network information security system and method for gas pipe network

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
ZHOU TIANQI: "A twin support vector regression algorithm for network flow prediction", INTERNATIONAL JOURNAL OF DIGITAL CONTENT TECHNOLOGY AND ITS APPLICATIONS, vol. 7, no. 5, pages 788 - 794 *
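WANG Bao'an (王宝安): "Research on the application of an information-structure-based support vector machine binary classification algorithm in network anomaly detection", Journal of Changchun Education Institute (长春教育学院学报), vol. 29, no. 15, pages 65 - 66 *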

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117319090A (en) * 2023-11-28 2023-12-29 江苏云网数智信息技术有限公司 Intelligent network safety protection system
CN117575485A (en) * 2024-01-12 2024-02-20 深圳比特耐特信息技术股份有限公司 Intelligent scheduling method, system and storage medium based on visualization
CN117575485B (en) * 2024-01-12 2024-05-03 深圳比特耐特信息技术股份有限公司 Intelligent scheduling method, system and storage medium based on visualization

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant