CN117176433A - Abnormal behavior detection system and method for network data - Google Patents

Publication number
CN117176433A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311155130.8A
Other languages
Chinese (zh)
Inventor
张敏捷
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Deqing Jiaxin Network Technology Co ltd
Original Assignee
Deqing Jiaxin Network Technology Co ltd

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The application relates to the technical field of intelligent production, and particularly discloses a system and a method for detecting abnormal behaviors of network data.

Description

Abnormal behavior detection system and method for network data
Technical Field
The application relates to the technical field of intelligent detection, in particular to a system and a method for detecting abnormal behaviors of network data.
Background
With the development of networks and information technologies, especially the wide popularization and application of the internet, the importance of information security is also continuously increasing. In recent years, the security problems faced by network information systems have become more complex and security threats have grown rapidly. In particular, network intrusions have become more serious: an unauthorized person or organization penetrates the computer system or network of another person or organization through the network in order to acquire, modify, or destroy data. Network intruders often use various techniques and tools to find weaknesses in the system, such as vulnerabilities, password cracking, and social engineering, in order to gain illegal access rights. The resulting security problems, such as system damage, information leakage, data damage, and illegal control, pose a great threat to the development of the network. To ensure network security, various network security technologies have evolved.
Network intruders may generate abnormal network traffic during the intrusion process. This may include a large number of data transfers, very frequent connection attempts, a large number of unauthorized data transfers, etc. These abnormal traffic patterns may not be consistent with normal network communication patterns and may be used to detect potential intrusion behavior.
Therefore, a system and method for detecting abnormal behavior of network data are desired that use a deep-learning-based deep neural network model as a feature extractor to perform multi-source data encoding on the traffic data and log files generated by a network security system, so as to fully mine their internal hidden information and associated features and thereby detect whether network intrusion behavior exists.
Disclosure of Invention
The present application has been made to solve the above-mentioned technical problems. Embodiments of the application provide a system and a method for detecting abnormal behavior of network data. Traffic data and log files are first acquired from a network server. A deep-learning-based deep neural network model is then used as a feature extractor to perform multi-source data encoding on the traffic data and log files generated by the network security system, so as to fully mine their internal hidden information and associated features. The mined features are passed through a classifier to obtain a classification result indicating whether network intrusion behavior exists, thereby improving the management and control capability of network data security.
According to an aspect of the present application, there is provided an abnormal behavior detection system of network data, including:
the scanning data acquisition module is used for acquiring flow data and log files collected from the network server;
the time sequence coding module is used for arranging the network flow data into a flow input vector according to the time dimension and then obtaining a flow feature vector through a time sequence encoder comprising a one-dimensional convolution layer;
the context coding module is used for passing the log file through a context encoder comprising an embedding layer to obtain a one-dimensional feature vector;
the one-dimensional association coding module is used for passing the one-dimensional feature vector through the multi-scale neighborhood feature extraction module to obtain a multi-scale neighborhood feature vector;
the feature vector fusion module is used for fusing the flow feature vector and the multi-scale neighborhood feature vector to obtain a classification feature matrix;
the optimizing module is used for performing low-dimensional density domain mapping on the classification feature matrix to obtain an optimized classification feature matrix;
and the classification result generation module is used for passing the optimized classification feature matrix through a classifier to obtain a classification result, wherein the classification result indicates whether potential network intrusion behavior exists.
In the above system for detecting abnormal behavior of network data, the timing encoding module includes: an input vector construction unit, configured to arrange the network traffic data at the plurality of predetermined time points into input vectors according to the time dimension; a full-connection encoding unit, configured to perform full-connection encoding on the input vector by using the full-connection layer of the timing encoder to extract the high-dimensional implicit features of the feature values at each position in the input vector, wherein the formula is as follows:
wherein X is the input vector, Y is the output vector, W is the weight matrix, B is the bias vector, and the operator in the formula represents matrix multiplication; and a one-dimensional convolution encoding unit, configured to perform one-dimensional convolution encoding on the input vector by using the one-dimensional convolution layer of the timing encoder to extract the high-dimensional implicit association features among the feature values at each position in the input vector, wherein the formula is as follows:
wherein a is the width of the convolution kernel in the X direction, F is the convolution kernel parameter vector, G is the local vector matrix calculated by the convolution kernel function, w is the size of the convolution kernel, X represents the input vector, and Cov(X) represents one-dimensional convolution encoding of the input vector.
In the above system for detecting abnormal behavior of network data, the context encoding module includes: a word segmentation unit, configured to perform word segmentation on the log file to obtain a word sequence; a word embedding unit, configured to input each word in the word sequence into the embedding layer of the context encoder, so that the embedding layer converts each word into a word embedding vector to obtain a word embedding vector sequence; a context semantic understanding unit, configured to input the sequence of word embedding vectors into the transformer-based BERT model of the context encoder to obtain a plurality of word semantic feature vectors; and a cascading unit, configured to cascade the plurality of word semantic feature vectors to obtain the one-dimensional feature vector.
In the above system for detecting abnormal behavior of network data, the one-dimensional association coding module includes: a first neighborhood scale encoding unit, configured to input the one-dimensional feature vector into a first convolution layer of the multi-scale neighborhood feature extraction module, wherein the first convolution layer performs one-dimensional convolution encoding on the one-dimensional feature vector using a one-dimensional convolution kernel having a first length to obtain a first-scale neighborhood associated feature vector; a second neighborhood scale encoding unit, configured to input the one-dimensional feature vector into a second convolution layer of the multi-scale neighborhood feature extraction module, wherein the second convolution layer performs one-dimensional convolution encoding on the one-dimensional feature vector using a one-dimensional convolution kernel having a second length to obtain a second-scale neighborhood associated feature vector; and a multi-scale cascading unit, configured to cascade the first-scale neighborhood associated feature vector and the second-scale neighborhood associated feature vector to obtain the multi-scale neighborhood associated feature vector.
In the above system for detecting abnormal behavior of network data, the feature vector fusion module is configured to jointly encode the flow feature vector and the multi-scale neighborhood feature vector to generate the classification feature matrix according to the following formula:
wherein M represents the classification feature matrix, V1 represents the flow feature vector, V2 represents the multi-scale neighborhood feature vector, the transposed term represents the transpose of the multi-scale neighborhood feature vector, and the operator represents vector multiplication.
In the above system for detecting abnormal behavior of network data, the optimizing module includes: a feature expansion unit, configured to perform feature expansion processing on each row vector of the classification feature matrix to obtain a plurality of classification local feature vectors; a feature domain density value unit, configured to calculate, for each classification local feature vector among the plurality of classification local feature vectors, its feature domain density value, wherein the feature domain density value of a classification local feature vector is the reciprocal of the minimum of the distance values between that vector and the other classification local feature vectors, and each distance value is the Euclidean distance between that vector and another classification local feature vector; a Sigmoid activation unit, configured to arrange the feature domain density values of the classification local feature vectors into a feature domain density input vector and pass it through a Sigmoid activation function to obtain a feature domain density mapping feature vector; and a matrix multiplication unit, configured to matrix-multiply the feature domain density mapping feature vector with each of the plurality of classification local feature vectors, so as to map each of them into the high-dimensional feature space in which the feature domain density mapping feature vector is located and thereby obtain the optimized classification feature matrix.
In the above system for detecting abnormal behavior of network data, the classification result generating module includes: the full-connection coding unit is used for carrying out full-connection coding on the optimized classification characteristic matrix by using a full-connection layer of the classifier so as to obtain a full-connection coding characteristic matrix; the probability obtaining unit is used for obtaining a first probability of attributing to the existence of network intrusion and a second probability of attributing to the absence of network intrusion through a Softmax classification function of the classifier; and a classification result determining unit configured to determine the classification result based on a comparison between the first probability and the second probability.
According to another aspect of the present application, there is provided a method for detecting abnormal behavior of network data, including:
acquiring flow data and log files collected from a network server;
arranging the network flow data into a flow input vector according to the time dimension, and then passing it through a time sequence encoder comprising a one-dimensional convolution layer to obtain a flow feature vector;
passing the log file through a context encoder comprising an embedding layer to obtain a one-dimensional feature vector;
passing the one-dimensional feature vector through a multi-scale neighborhood feature extraction module to obtain a multi-scale neighborhood feature vector;
fusing the flow feature vector and the multi-scale neighborhood feature vector to obtain a classification feature matrix;
performing low-dimensional density domain mapping on the classification feature matrix to obtain an optimized classification feature matrix;
and passing the optimized classification feature matrix through a classifier to obtain a classification result, wherein the classification result indicates whether potential network intrusion behavior exists.
In the above method for detecting abnormal behavior of network data, the step of arranging the network traffic data into a traffic input vector according to the time dimension and then obtaining a traffic feature vector through a timing encoder comprising a one-dimensional convolution layer includes: arranging the network traffic data at the plurality of predetermined time points into input vectors according to the time dimension; performing full-connection encoding on the input vector by using the full-connection layer of the timing encoder to extract the high-dimensional implicit features of the feature values at each position in the input vector, wherein the formula is as follows:
wherein X is the input vector, Y is the output vector, W is the weight matrix, B is the bias vector, and the operator in the formula represents matrix multiplication; and performing one-dimensional convolution encoding on the input vector by using the one-dimensional convolution layer of the timing encoder to extract the high-dimensional implicit association features among the feature values at each position in the input vector, wherein the formula is as follows:
wherein a is the width of the convolution kernel in the X direction, F is the convolution kernel parameter vector, G is the local vector matrix calculated by the convolution kernel function, w is the size of the convolution kernel, X represents the input vector, and Cov(X) represents one-dimensional convolution encoding of the input vector.
In the above method for detecting abnormal behavior of network data, the step of passing the log file through a context encoder comprising an embedding layer to obtain a one-dimensional feature vector includes: performing word segmentation on the log file to obtain a word sequence; inputting each word in the word sequence into the embedding layer of the context encoder, so that the embedding layer converts each word into a word embedding vector to obtain a word embedding vector sequence; inputting the sequence of word embedding vectors into the transformer-based BERT model of the context encoder to obtain a plurality of word semantic feature vectors; and cascading the plurality of word semantic feature vectors to obtain the one-dimensional feature vector.
Compared with the prior art, the abnormal behavior detection system and method for network data first acquire traffic data and log files from a network server. A deep-learning-based deep neural network model is then used as a feature extractor to perform multi-source data encoding on the traffic data and log files generated by the network security system, so as to fully mine their internal hidden information and associated features. The mined features are passed through a classifier to obtain a classification result indicating whether network intrusion behavior exists, so that the management and control capability of network data security is improved.
Drawings
The above and other objects, features and advantages of the present application will become more apparent from the following more detailed description of embodiments of the present application with reference to the attached drawings. The accompanying drawings provide a further understanding of the embodiments of the application, are incorporated in and constitute a part of this specification, and serve to explain the application together with its embodiments; they do not constitute a limitation of the application. In the drawings, like reference numerals generally refer to like parts or steps.
Fig. 1 is a block diagram schematically illustrating an abnormal behavior detection system for network data according to an embodiment of the present application.
Fig. 2 is a block diagram of a timing encoding module in a system for detecting abnormal behavior of network data according to an embodiment of the present application.
Fig. 3 is a block diagram of a context encoding module in a system for detecting abnormal behavior of network data according to an embodiment of the present application.
Fig. 4 is a block diagram of a one-dimensional association coding module in the abnormal behavior detection system of network data according to an embodiment of the present application.
Fig. 5 is a flowchart of a method for detecting abnormal behavior of network data according to an embodiment of the present application.
Fig. 6 is a schematic diagram of an architecture of a method for detecting abnormal behavior of network data according to an embodiment of the present application.
Detailed Description
Hereinafter, exemplary embodiments according to the present application will be described in detail with reference to the accompanying drawings. It should be apparent that the described embodiments are only some embodiments of the present application and not all embodiments of the present application, and it should be understood that the present application is not limited by the example embodiments described herein.
Summary of the application
As described above, the security problems faced by current network information systems are increasingly complex, and network intrusion in particular is increasingly serious; the resulting security problems, such as system damage, information leakage, data damage, and illegal control, pose a great threat to the development of the network. Therefore, a system and method for detecting abnormal behavior of network data are desired that use a deep-learning-based deep neural network model as a feature extractor to perform multi-source data encoding on the traffic data and log files generated by a network security system, so as to fully mine their internal implicit information and associated features.
At present, deep learning and neural networks have been widely used in the fields of computer vision, natural language processing, speech signal processing, and the like. In addition, deep learning and neural networks have also shown levels approaching and even exceeding humans in the fields of image classification, object detection, semantic segmentation, text translation, and the like.
The development of deep learning and neural networks provides new solutions and schemes for abnormal behavior detection of network data. Those of ordinary skill in the art will appreciate that deep learning based deep neural network models can be tuned by appropriate training strategies, such as by gradient descent back-propagation algorithms, to enable modeling complex nonlinear associations between things, which is obviously suitable for modeling and building complex mappings between traffic data and log files.
Specifically, in the technical scheme of the application, firstly, the flow data and the log file collected from the network server are obtained. By analyzing and processing the traffic data, abnormal network behavior can be found, such as a large number of unauthorized connection attempts, abnormal data traffic, illegal protocol use, etc. Web servers typically log various operations and events, including user login, file access, system configuration changes, and the like. By analyzing these log files, abnormal operational behavior, such as abnormal login attempts, unauthorized file access, abnormal system configuration changes, etc., may be detected. Comprehensively analyzing the traffic data and log files can provide a more comprehensive view to help identify potential network intrusion behavior. The traffic data may reveal abnormal patterns and characteristics of network traffic, while the log file may provide contextual information of system operation and events, and by acquiring and analyzing these data, an integrated network intrusion detection system may be constructed, thereby identifying and preventing potential network intrusion behavior, protecting the security and reliability of the network.
Then, the network traffic data is arranged into a traffic input vector according to the time dimension and passed through a timing encoder comprising a one-dimensional convolution layer to obtain a traffic feature vector. That is, high-dimensional implicit features of the traffic data in the time dimension are extracted using a timing encoder comprising a one-dimensional convolution layer. By training the timing encoder, it can learn the patterns and characteristics of normal network traffic. The one-dimensional convolution layer can effectively capture local and global patterns in the traffic data, so that the difference between normal traffic and abnormal traffic can be identified. By comparing the traffic feature vector to the pattern of normal traffic, potential network intrusion behavior can be detected.
The log file is then passed through a context encoder comprising an embedding layer to obtain a one-dimensional feature vector. It will be appreciated that log files are often high-dimensional and contain a large amount of textual information, including event descriptions, error information, time stamps, etc. By using an embedding layer, this text can be converted to a continuous vector representation, mapping the high-dimensional textual data into a low-dimensional continuous vector space. The embedding layer can learn useful features in the text data: when the text sequences in the log file are input into the embedding layer, similarity and correlation between words can be captured, which helps to better understand the events and information in the log file and encode them into a one-dimensional feature vector.
Meanwhile, the one-dimensional feature vector is passed through a multi-scale neighborhood feature extraction module to obtain a multi-scale neighborhood feature vector. It should be appreciated that, because the one-dimensional feature vector is generated by a transformer-based context encoder, it has the advantage of capturing long-range dependent semantic information but is relatively weak at extracting local semantic association features. Therefore, the multi-scale neighborhood feature extraction module, which comprises a plurality of one-dimensional convolution layers, is further used to perform multi-scale one-dimensional convolution encoding on the one-dimensional feature vector so as to extract local semantic association information at different scales, namely high-dimensional implicit association information between partial data items in the system log and partial data items in the vulnerability data. Specifically, multi-scale neighborhood feature extraction expands the receptive field of the model so that it can consider information at different scales simultaneously, capturing the diversity and richness of the features at each scale. Neighborhood features of different scales may provide different levels of information, such as local detail and global structure. By fusing the features of multiple scales, a more comprehensive and richer feature expression can be obtained, and the feature expression capability is improved.
Further, the flow characteristic vector and the multi-scale neighborhood characteristic vector are fused to obtain a classification characteristic matrix. It should be understood that the fusion flow feature vector and the multi-scale neighborhood feature vector can comprehensively utilize different information contained in the flow feature vector and the multi-scale neighborhood feature vector, enrich feature representation, integrate different information sources and improve the performance of classification tasks. By fusing them into the classification feature matrix, more comprehensive and representative feature information can be provided, which is helpful for better detecting whether potential network intrusion behavior exists.
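The multi-scale neighborhood extraction and fusion steps described above, as an added Python example that is not code from the patent. The kernel lengths (3 and 5), the kernel weights, the ReLU activation, the first-difference stand-in for the trained timing encoder, the outer-product reading of the fusion formula, and the sample data are all assumptions.

```python
"""Added illustration: two-scale 1-D convolution over a log feature vector,
cascaded and fused with a traffic feature vector. All weights, kernel sizes
and sample values are constructed assumptions, not values from the patent."""


def conv1d(x, kernel, bias=0.0):
    """Valid-mode 1-D convolution as used in deep-learning layers
    (a sliding dot product), followed by ReLU (the activation is assumed)."""
    k = len(kernel)
    if k == 0 or len(x) < k:
        raise ValueError("input must be at least as long as the kernel")
    out = []
    for i in range(len(x) - k + 1):
        acc = bias + sum(x[i + j] * kernel[j] for j in range(k))
        out.append(max(0.0, acc))
    return out


def multi_scale_neighborhood(x, kernel_short, kernel_long):
    """Run two convolution layers with different kernel lengths over the same
    one-dimensional feature vector and cascade (concatenate) their outputs."""
    if len(kernel_short) == len(kernel_long):
        raise ValueError("the two scales need different kernel lengths")
    return conv1d(x, kernel_short) + conv1d(x, kernel_long)


def fuse(v1, v2):
    """Assumed fusion: outer product v1 * v2^T, which yields a
    len(v1) x len(v2) classification feature matrix."""
    return [[a * b for b in v2] for a in v1]


def build_classification_matrix(traffic, log_features):
    """Traffic branch, log branch, then fusion."""
    # Stand-in for the trained timing encoder: a first-difference kernel
    # that responds to sudden increases in per-interval traffic.
    v1 = conv1d([float(t) for t in traffic], [-1.0, 1.0])
    # Short window (3 positions) and longer window (5 positions) over the
    # one-dimensional log feature vector; averaging kernels are hypothetical.
    v2 = multi_scale_neighborhood(log_features, [1 / 3] * 3, [0.2] * 5)
    return v1, v2, fuse(v1, v2)


# Constructed sample input: connection counts per time interval, and a
# one-dimensional log feature vector such as a context encoder might emit.
TRAFFIC = [10, 12, 11, 13, 90, 95, 12]
LOG_FEATURES = [0.1, 0.2, 0.1, 0.9, 0.8, 0.9, 0.1, 0.2]

if __name__ == "__main__":
    v1, v2, m = build_classification_matrix(TRAFFIC, LOG_FEATURES)
    print("traffic feature vector:", v1)
    print("multi-scale neighborhood feature vector:", [round(v, 3) for v in v2])
    print("classification feature matrix shape:", len(m), "x", len(m[0]))
```
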
In particular, considering that a classification feature matrix is typically composed of a plurality of features, each feature may have a high dimension. By low-dimensional density domain mapping, high-dimensional features can be mapped to a low-dimensional space, thereby reducing the dimensions of the features. This helps reduce computational complexity, reduces storage space, and may better visualize and understand the data. Meanwhile, in the classification feature matrix, there may be some noise or outliers, which may interfere with the performance of the classification algorithm. By low-dimensional density domain mapping, we can map noisy data points to low-density regions, filtering out this noise. This helps to improve the robustness and accuracy of the classification algorithm. Moreover, the method of low-dimensional density domain mapping can maintain the distribution structure of data and maintain the local relation among data points as much as possible. This means that in a low dimensional space, similar data points remain a closer distance and dissimilar data points remain a farther distance. This helps preserve important features of the data while reducing the impact of irrelevant features on the classification results. By low-dimensional density domain mapping of the classification feature matrix, a more compact and optimized feature representation can be obtained, which helps to improve the performance and effectiveness of the classification algorithm.
Specifically, performing low-dimensional density domain mapping on the classification feature matrix to obtain an optimized classification feature matrix includes: performing feature expansion processing on each row vector of the classification feature matrix to obtain a plurality of classification local feature vectors; calculating, for each classification local feature vector among the plurality of classification local feature vectors, its feature domain density value, wherein the feature domain density value of a classification local feature vector is the reciprocal of the minimum of the distance values between that vector and the other classification local feature vectors, and each distance value is the Euclidean distance between that vector and another classification local feature vector; arranging the feature domain density values of the classification local feature vectors into a feature domain density input vector and passing it through a Sigmoid activation function to obtain a feature domain density mapping feature vector; and matrix-multiplying the feature domain density mapping feature vector with each of the plurality of classification local feature vectors, so as to map each of them into the high-dimensional feature space in which the feature domain density mapping feature vector is located and thereby obtain the optimized classification feature matrix.
In the technical scheme of the application, the classification feature matrix is a set of features, one per row vector. To improve intra-class consistency among the classification local features of the classification feature matrix and to strengthen inter-class heterogeneity among them, a low-dimensional feature homography mapping domain (namely, the feature domain density mapping feature vector) is constructed from the feature distribution characteristics among the global classification local features of the classification feature matrix by calculating the feature domain density values of the classification local feature vectors. The feature domain density mapping feature vector is then matrix-multiplied with each of the plurality of classification local feature vectors, mapping each of them into the high-dimensional feature space in which the feature domain density mapping feature vector is located, to obtain the optimized classification feature matrix. That is, the classification local features of the classification feature matrix are mapped from the high-dimensional feature space to the low-dimensional density domain to realize data dimension reduction and clustering, so that the dimension of the data is reduced while its distribution structure is not destroyed.
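The density domain mapping steps described above, as an added Python example that is not code from the patent. It assumes each row of the classification feature matrix is one classification local feature vector and reads the final matrix multiplication as scaling each row by its Sigmoid-mapped density; the `eps` guard for duplicate rows and the sample matrices are also assumptions.

```python
"""Added illustration of the density-domain mapping: nearest-neighbour
density per row, Sigmoid mapping, then row re-weighting. The row-scaling
reading of the final multiplication and the eps guard are assumptions."""
import math


def euclidean(a, b):
    """Euclidean distance between two equal-length vectors."""
    if len(a) != len(b):
        raise ValueError("vectors must have the same length")
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def feature_domain_density(rows, eps=1e-9):
    """Density of a row = reciprocal of the distance to its nearest other row.

    Two identical rows have distance 0, which would divide by zero, so the
    minimum distance is clamped to eps (an added safeguard)."""
    if len(rows) < 2:
        raise ValueError("need at least two local feature vectors")
    densities = []
    for i, row in enumerate(rows):
        nearest = min(euclidean(row, other)
                      for j, other in enumerate(rows) if j != i)
        densities.append(1.0 / max(nearest, eps))
    return densities


def sigmoid(z):
    """Numerically stable logistic function."""
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    e = math.exp(z)
    return e / (1.0 + e)


def density_domain_mapping(matrix, eps=1e-9):
    """Return (densities, Sigmoid weights, re-weighted matrix)."""
    densities = feature_domain_density(matrix, eps)
    weights = [sigmoid(d) for d in densities]
    optimized = [[w * v for v in row] for w, row in zip(weights, matrix)]
    return densities, weights, optimized


# Constructed sample: three rows that sit close together and one isolated row.
SAMPLE_MATRIX = [
    [1.0, 1.0],
    [1.0, 1.5],
    [1.5, 1.0],
    [9.0, 9.0],
]

# Constructed sample with two identical rows, exercising the eps guard.
DUPLICATE_MATRIX = [
    [1.0, 2.0],
    [1.0, 2.0],
    [5.0, 5.0],
]

if __name__ == "__main__":
    dens, wts, opt = density_domain_mapping(SAMPLE_MATRIX)
    for row, d, w, o in zip(SAMPLE_MATRIX, dens, wts, opt):
        print(row, "density=%.4f" % d, "weight=%.4f" % w,
              "->", [round(v, 3) for v in o])
```

Because every density value is positive, the Sigmoid output lies in (0.5, 1], so under this reading an isolated row is damped to roughly half its magnitude rather than removed.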
And finally, the optimized classification feature matrix passes through a classifier to obtain a classification result, wherein the classification result is used for indicating whether potential network intrusion behaviors exist or not. It should be understood that whether potential network intrusion behavior exists can be judged by passing the optimized classification feature matrix through the classifier to obtain a classification result, so that an automatic intrusion detection and early warning system is realized, and the security and response capability of the network are improved. The classification results may provide useful information and decision support to help network security teams take timely action to cope with potential network intrusion behavior.
Having described the basic principles of the present application, various non-limiting embodiments of the present application will now be described in detail with reference to the accompanying drawings.
Exemplary System
Fig. 1 illustrates a block diagram schematic of a system for abnormal behavior detection of network data according to an embodiment of the present application. As shown in fig. 1, the abnormal behavior detection system 100 of network data according to an embodiment of the present application includes: a scan data acquisition module 110 for acquiring flow data and log files acquired from a web server; the time sequence encoding module 120 is configured to arrange the network traffic data into a traffic input vector according to a time dimension, and then obtain a traffic feature vector through a time sequence encoder including a one-dimensional convolution layer; a context encoding module 130, configured to pass the log file through a context encoder including an embedded layer to obtain a one-dimensional feature vector; the one-dimensional association encoding module 140 is configured to pass the one-dimensional feature vector through a multi-scale neighborhood feature extraction module to obtain a multi-scale neighborhood feature vector; the feature vector fusion module 150 is configured to fuse the flow feature vector and the multi-scale neighborhood feature vector to obtain a classification feature matrix; an optimization module 160, configured to perform low-dimensional density domain mapping on the classification feature matrix to obtain an optimized classification feature matrix; the classification result generating module 170 is configured to pass the optimized classification feature matrix through a classifier to obtain a classification result, where the classification result is used to indicate whether a potential network intrusion behavior exists.
In an embodiment of the present application, the scan data collection module 110 is configured to obtain the traffic data and the log file collected from the web server. It should be appreciated that through analysis and processing of the traffic data, abnormal network behavior may be discovered, such as a large number of unauthorized connection attempts, abnormal amounts of data transmission, illegal protocol use, etc. Web servers typically log various operations and events, including user login, file access, system configuration changes, and the like. By analyzing these log files, abnormal operational behavior, such as abnormal login attempts, unauthorized file access, abnormal system configuration changes, etc., may be detected. Comprehensively analyzing the traffic data and log files can provide a more comprehensive view to help identify potential network intrusion behavior. The traffic data may reveal abnormal patterns and characteristics of network traffic, while the log file may provide contextual information of system operation and events, and by acquiring and analyzing these data, an integrated network intrusion detection system may be constructed, thereby identifying and preventing potential network intrusion behavior, protecting the security and reliability of the network.
In the embodiment of the present application, the timing encoding module 120 is configured to arrange the network traffic data into a traffic input vector according to a time dimension, and then obtain a traffic feature vector through a timing encoder including a one-dimensional convolution layer. That is, high-dimensional implicit features of the traffic data in the time dimension are extracted using a timing encoder comprising a one-dimensional convolutional layer. It should be appreciated that by training the timing encoder, it is possible to learn the patterns and characteristics of normal network traffic. The one-dimensional convolution layer can effectively capture a local mode and a global mode in the flow data, so that the difference between normal flow and abnormal flow can be identified. By comparing the traffic feature vector to the pattern of normal traffic, potential network intrusion behavior can be detected.
In one embodiment of the present application, fig. 2 illustrates a block diagram of a timing encoding module in a system for detecting abnormal behavior of network data according to an embodiment of the present application. As shown in fig. 2, in the abnormal behavior detection system 100 of network data, the timing encoding module 120 includes: an input vector construction unit 121, configured to arrange the network traffic data at the plurality of predetermined time points into input vectors according to time dimensions, respectively; a full connection coding unit 122, for performing full-connection coding on the input vector by using a full-connection layer of the time sequence coder to extract high-dimensional implicit characteristics of characteristic values of all positions in the input vector, wherein the formula is as follows: wherein X is the input vector, Y is the output vector, W is the weight matrix, B is the bias vector, and the operator in the formula represents a matrix multiplication; a one-dimensional convolutional encoding unit 123, configured to perform one-dimensional convolutional encoding on the input vector using a one-dimensional convolutional layer of a timing encoder to extract high-dimensional implicit correlation features of correlations between feature values of respective positions in the input vector, where the formula is:
wherein a is the width of a convolution kernel in the X direction, F is a convolution kernel parameter vector, G is a local vector matrix calculated by a convolution kernel function, w is the size of the convolution kernel, X represents an input vector, and Cov(X) represents one-dimensional convolution encoding of the input vector.
In an embodiment of the present application, the context encoding module 130 is configured to pass the log file through a context encoder including an embedded layer to obtain a one-dimensional feature vector. It will be appreciated that log files are often high-dimensional and contain a large amount of textual information, including event descriptions, error information, time stamps, etc. By using an embedded layer, this information can be converted to a continuous vector representation, and the high-dimensional textual data can be mapped into a low-dimensional continuous vector space. The embedded layer can learn useful features in the text data: when the text sequences in the log file are input into the embedded layer, similarity and correlation between words can be captured, which helps to better understand the events and information in the log file and to encode them into one-dimensional feature vectors.
In one embodiment of the present application, FIG. 3 illustrates a block diagram of a context encoding module in a network data abnormal behavior detection system according to an embodiment of the present application. As shown in fig. 3, in the abnormal behavior detection system 100 of network data, the context encoding module 130 includes: a word segmentation unit 131, configured to perform word segmentation processing on the log file to obtain a word sequence; a word embedding unit 132, configured to input each word in the word sequence into an embedding layer of the context encoder, respectively, so that the embedding layer converts each word into a word embedding vector to obtain a word embedding vector sequence; a context semantic understanding unit 133 for inputting the sequence of word embedding vectors into a Transformer-based BERT model of the context encoder to obtain a plurality of word sense feature vectors; a concatenation unit 134, configured to concatenate the plurality of word sense feature vectors to obtain the one-dimensional feature vector.
In the embodiment of the present application, the one-dimensional association encoding module 140 is configured to pass the one-dimensional feature vector through the multi-scale neighborhood feature extraction module to obtain a multi-scale neighborhood feature vector. It should be appreciated that the one-dimensional feature vector, because it is generated by a Transformer-based context encoder, has the advantage of capturing long-range dependent semantic information but performs relatively weakly in the extraction of local semantic-related features. Therefore, the multi-scale neighborhood feature extraction module comprising a plurality of one-dimensional convolution layers is further used for carrying out multi-scale one-dimensional convolution encoding on the one-dimensional feature vectors so as to extract local semantic association information of different scales, namely high-dimensional implicit association information between partial data items in the system log and partial data items in the vulnerability data. Specifically, multi-scale neighborhood feature extraction can expand the receptive field of the model so that it considers information on different scales simultaneously, and the diversity and richness of the features can thereby be captured on different scales. Neighborhood features of different scales may provide different levels of information, such as local detail and global structure. By fusing the characteristics of multiple scales, more comprehensive and richer characteristic expression can be obtained, and the characteristic expression capability is improved.
In one embodiment of the present application, fig. 4 illustrates a block diagram of a one-dimensional association encoding module in a system for detecting abnormal behavior of network data according to an embodiment of the present application. As shown in fig. 4, in the abnormal behavior detection system 100 of network data, a one-dimensional association coding module 140 includes: a first neighborhood scale encoding unit 141, configured to input the one-dimensional feature vector into a first convolution layer of the multi-scale neighborhood feature extraction module, where the first convolution layer performs one-dimensional convolution encoding on the one-dimensional feature vector by using a one-dimensional convolution kernel having a first length to obtain a first-scale neighborhood associated feature vector; a second neighborhood scale encoding unit 142, configured to input the one-dimensional feature vector into a second convolution layer of the multi-scale neighborhood feature extraction module, where the second convolution layer performs one-dimensional convolution encoding on the one-dimensional feature vector by using a one-dimensional convolution kernel having a second length to obtain a second-scale neighborhood associated feature vector; and the multi-scale cascading unit 143 is configured to cascade the first-scale neighborhood associated feature vector and the second-scale neighborhood associated feature vector to obtain the multi-scale neighborhood associated feature vector.
In the embodiment of the present application, the feature vector fusion module 150 is configured to fuse the flow feature vector and the multi-scale neighborhood feature vector to obtain a classification feature matrix. It should be understood that fusing the flow feature vector and the multi-scale neighborhood feature vector makes comprehensive use of the different information the two vectors contain, enriches the feature representation, integrates different information sources and improves the performance of classification tasks. By fusing them into the classification feature matrix, more comprehensive and representative feature information can be provided, which is helpful for better detecting whether potential network intrusion behavior exists. Specifically, the method comprises the following steps: jointly encoding the flow feature vector and the multi-scale neighborhood feature vector to generate the classification feature matrix according to the following formula;
wherein, the formula is:
wherein the operator in the formula represents vector multiplication, M represents the classification feature matrix, V1 represents the flow feature vector, V2 represents the multi-scale neighborhood feature vector, and the transposed term represents the transpose of the multi-scale neighborhood feature vector.
In the embodiment of the present application, the optimization module 160 is configured to perform low-dimensional density domain mapping on the classification feature matrix to obtain an optimized classification feature matrix. It should be appreciated that considering that a classification feature matrix is typically made up of a plurality of features, each feature may have a high dimension. By low-dimensional density domain mapping, high-dimensional features can be mapped to a low-dimensional space, thereby reducing the dimensions of the features. This helps reduce computational complexity, reduces storage space, and may better visualize and understand the data. Meanwhile, in the classification feature matrix, there may be some noise or outliers, which may interfere with the performance of the classification algorithm. By low-dimensional density domain mapping, we can map noisy data points to low-density regions, filtering out this noise. This helps to improve the robustness and accuracy of the classification algorithm. Moreover, the method of low-dimensional density domain mapping can maintain the distribution structure of data and maintain the local relation among data points as much as possible. This means that in a low dimensional space, similar data points remain a closer distance and dissimilar data points remain a farther distance. This helps preserve important features of the data while reducing the impact of irrelevant features on the classification results. By low-dimensional density domain mapping of the classification feature matrix, a more compact and optimized feature representation can be obtained, which helps to improve the performance and effectiveness of the classification algorithm.
In one embodiment of the present application, the optimization module 160 includes: a feature expansion unit, configured to perform feature expansion processing on each row vector of the classification feature matrix to obtain a plurality of classification local feature vectors; a feature domain density value unit, configured to calculate, for each classification local feature vector of the plurality of classification local feature vectors, its feature domain density value, wherein the feature domain density value of each classification local feature vector is the reciprocal of the minimum of the distance values between that classification local feature vector and the other classification local feature vectors, and each distance value is the Euclidean distance between that classification local feature vector and another of the classification local feature vectors; a Sigmoid activation unit, configured to arrange the feature domain density values of the classification local feature vectors into a feature domain density input vector and obtain the feature domain density mapping feature vector through a Sigmoid activation function; and a matrix multiplication unit, configured to matrix-multiply the feature domain density mapping feature vector with each of the plurality of classification local feature vectors, mapping them into the high-dimensional feature space where the feature domain density mapping feature vector is located, so as to obtain the optimized classification feature matrix.
Specifically, the classification feature matrix is a feature set of its row vectors. To improve intra-class consistency among the classification local features of the classification feature matrix and to strengthen inter-class heterogeneity among them, a low-dimensional feature homography mapping domain (i.e., the feature domain density mapping feature vector) is constructed from the feature distribution characteristics among the global classification local features of the classification feature matrix by calculating the feature domain density value of each classification local feature vector. The feature domain density mapping feature vector is then matrix-multiplied with each of the plurality of classification local feature vectors, mapping them into the high-dimensional feature space where the feature domain density mapping feature vector is located, so as to obtain the optimized classification feature matrix. That is, each classification local feature of the classification feature matrix is mapped from the high-dimensional feature space to the low-dimensional density domain to realize data reduction and clustering, so that the distribution structure of the data is not destroyed while the dimension and noise of the data are reduced.
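The following Python sketch is an added example, not code from the patent: it runs the multi-scale cascade (units 141 to 143), the fusion step (module 150) and the density mapping (module 160) on constructed vectors. It assumes that fusion is the outer product of V1 with the transpose of V2 (the formula itself is not reproduced on this page) and that the "matrix multiplication" of the density mapping vector with the row vectors scales row i by its own Sigmoid-activated density; the `eps` guard for identical rows is also an addition.

```python
import math


def conv1d(x, kernel):
    """Valid-mode one-dimensional convolution (cross-correlation form)."""
    k = len(kernel)
    if k == 0 or k > len(x):
        raise ValueError("kernel length must be between 1 and len(x)")
    return [sum(x[i + j] * kernel[j] for j in range(k))
            for i in range(len(x) - k + 1)]


def multi_scale_neighborhood(x, first_kernel, second_kernel):
    """Units 141-143: encode x with two kernel lengths, then cascade."""
    return conv1d(x, first_kernel) + conv1d(x, second_kernel)


def fuse(v1, v2):
    """Module 150. ASSUMPTION: outer product of V1 with the transpose of V2."""
    return [[a * b for b in v2] for a in v1]


def euclidean(a, b):
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))


def feature_domain_density(rows, eps=1e-9):
    """Reciprocal of each row's minimum Euclidean distance to any other row.

    eps is an added guard (not in the patent text): two identical rows have
    distance 0, and the reciprocal would otherwise divide by zero.
    """
    if len(rows) < 2:
        raise ValueError("need at least two row vectors")
    densities = []
    for i, row in enumerate(rows):
        nearest = min(euclidean(row, other)
                      for j, other in enumerate(rows) if j != i)
        densities.append(1.0 / max(nearest, eps))
    return densities


def sigmoid(z):
    # Densities are always positive, so exp(-z) cannot overflow here.
    return 1.0 / (1.0 + math.exp(-z))


def density_map(matrix, eps=1e-9):
    """Module 160. ASSUMPTION: row i is scaled by sigmoid(density_i)."""
    weights = [sigmoid(d) for d in feature_domain_density(matrix, eps)]
    optimized = [[w * v for v in row] for w, row in zip(weights, matrix)]
    return weights, optimized


def demo():
    # Constructed inputs, not real telemetry.
    traffic_features = [1.0, 1.0, 2.0, 8.0]    # stands in for V1
    log_vector = [0.0, 1.0, 0.0, 1.0, 0.0]     # stands in for the encoder output
    v2 = multi_scale_neighborhood(log_vector, [1.0, 1.0], [1.0, 1.0, 1.0])
    return density_map(fuse(traffic_features, v2))


if __name__ == "__main__":
    for weight, row in zip(*demo()):
        print(round(weight, 4), [round(v, 3) for v in row])
```

Because every density value is positive, each Sigmoid output lies between 0.5 and 1, so under this reading an isolated row is attenuated by at most a factor of two relative to a densely clustered one.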
In the embodiment of the present application, the classification result generating module 170 is configured to pass the optimized classification feature matrix through a classifier to obtain a classification result, where the classification result is used to indicate whether a potential network intrusion behavior exists. It should be understood that whether potential network intrusion behavior exists can be judged by passing the optimized classification feature matrix through the classifier to obtain a classification result, so that an automatic intrusion detection and early warning system is realized, and the security and response capability of the network are improved. The classification results may provide useful information and decision support to help network security teams take timely action to cope with potential network intrusion behavior. Specifically, the method comprises the following steps: the full-connection coding unit is used for carrying out full-connection coding on the optimized classification characteristic matrix by using a full-connection layer of the classifier so as to obtain a full-connection coding characteristic matrix; the probability obtaining unit is used for obtaining a first probability of attributing to the existence of network intrusion and a second probability of attributing to the absence of network intrusion through a Softmax classification function of the classifier; and a classification result determining unit configured to determine the classification result based on a comparison between the first probability and the second probability.
In summary, according to the system and method for detecting abnormal behavior of network data according to the embodiments of the present application, firstly, flow data and log files are obtained from a network server, then, a deep neural network model based on deep learning is used as a feature extractor to perform multi-source data encoding on the flow data and log files generated by a network security system so as to fully mine internal implicit information and associated features thereof, and the mined features are represented by a classifier so as to obtain a classification result for indicating whether network intrusion behavior exists, so as to improve the management and control capability of network data security.
As described above, the abnormal behavior detection system 100 of network data according to the embodiment of the present application may be implemented in various terminal devices, for example, a server or the like of the abnormal behavior detection system of network data. In one example, the abnormal behavior detection system 100 of network data may be integrated into the terminal device as one software module and/or hardware module. For example, the abnormal behavior detection system 100 of the network data may be a software module in the operating system of the terminal device, or may be an application developed for the terminal device; of course, the abnormal behavior detection system 100 of the network data may also be one of a plurality of hardware modules of the terminal device.
Alternatively, in another example, the abnormal behavior detection system 100 of network data and the terminal device may be separate devices, and the abnormal behavior detection system 100 of network data may be connected to the terminal device through a wired and/or wireless network and transmit interactive information in an agreed data format.
Exemplary method
Fig. 5 is a flowchart of a method for detecting abnormal behavior of network data according to an embodiment of the present application. As shown in fig. 5, the method for detecting abnormal behavior of network data according to an embodiment of the present application includes: S110, acquiring flow data and log files acquired from a network server; S120, arranging the network flow data into flow input vectors according to time dimension, and then obtaining flow characteristic vectors through a time sequence encoder comprising a one-dimensional convolution layer; S130, passing the log file through a context encoder comprising an embedded layer to obtain a one-dimensional feature vector; S140, the one-dimensional feature vector passes through a multi-scale neighborhood feature extraction module to obtain a multi-scale neighborhood feature vector; S150, fusing the flow characteristic vector and the multi-scale neighborhood characteristic vector to obtain a classification feature matrix; S160, performing low-dimensional density domain mapping on the classification feature matrix to obtain an optimized classification feature matrix; and S170, the optimized classification feature matrix passes through a classifier to obtain a classification result, wherein the classification result is used for indicating whether potential network intrusion behaviors exist or not.
Fig. 6 is a schematic diagram of an architecture of a method for detecting abnormal behavior of network data according to an embodiment of the present application. As shown in fig. 6, in the embodiment of the present application, first, traffic data and log files collected from a web server are acquired. Secondly, the network flow data are arranged into flow input vectors according to the time dimension, and the flow feature vector is then obtained through a time sequence encoder comprising a one-dimensional convolution layer. The log file is then passed through a context encoder comprising an embedded layer to obtain a one-dimensional feature vector. Then, the flow feature vector and the multi-scale neighborhood feature vector are fused to obtain a classification feature matrix. Next, low-dimensional density domain mapping is performed on the classification feature matrix to obtain an optimized classification feature matrix. Finally, the optimized classification feature matrix is passed through a classifier to obtain a classification result, wherein the classification result is used for indicating whether potential network intrusion behaviors exist or not.
In one embodiment of the present application, the step of arranging the network traffic data into traffic input vectors according to time dimension and then obtaining traffic feature vectors through a time sequence encoder comprising a one-dimensional convolution layer comprises the following steps: respectively arranging the network flow data of the plurality of preset time points into input vectors according to the time dimension; performing full-connection coding on the input vector by using a full-connection layer of the time sequence coder to extract high-dimensional implicit characteristics of characteristic values of all positions in the input vector, wherein the formula is as follows: wherein X is the input vector, Y is the output vector, W is the weight matrix, B is the bias vector, and the operator in the formula represents a matrix multiplication; and performing one-dimensional convolution encoding on the input vector by using a one-dimensional convolution layer of a time sequence encoder to extract associated high-dimensional implicit association features among feature values of each position in the input vector, wherein the formula is as follows:
wherein a is the width of a convolution kernel in the X direction, F is a convolution kernel parameter vector, G is a local vector matrix calculated by a convolution kernel function, w is the size of the convolution kernel, X represents an input vector, and Cov(X) represents one-dimensional convolution encoding of the input vector.
In one embodiment of the present application, passing the log file through a context encoder comprising an embedded layer to obtain a one-dimensional feature vector comprises: performing word segmentation processing on the log file to obtain a word sequence; respectively inputting each word in the word sequence into an embedding layer of the context encoder so that the embedding layer converts each word into a word embedding vector to obtain a word embedding vector sequence; inputting the sequence of word embedding vectors into a Transformer-based BERT model of the context encoder to obtain a plurality of word sense feature vectors; and cascading the plurality of word sense feature vectors to obtain the one-dimensional feature vector.
Here, it will be understood by those skilled in the art that the specific operations of the respective steps in the above-described abnormal behavior detection method of network data have been described in detail in the above description of the abnormal behavior detection system of network data with reference to fig. 1 to 4, and thus, repetitive descriptions thereof will be omitted.

Claims (10)

1. An abnormal behavior detection system for network data, comprising:
the scanning data acquisition module is used for acquiring flow data and log files acquired from the network server;
the time sequence coding module is used for arranging the network flow data into flow input vectors according to time dimensions and then obtaining flow characteristic vectors through a time sequence coder comprising a one-dimensional convolution layer;
the context coding module is used for enabling the log file to pass through a context coder comprising an embedded layer to obtain a one-dimensional feature vector;
the one-dimensional association coding module is used for enabling the one-dimensional feature vector to pass through the multi-scale neighborhood feature extraction module to obtain a multi-scale neighborhood feature vector;
the feature vector fusion module is used for fusing the flow feature vector and the multi-scale neighborhood feature vector to obtain a classification feature matrix;
the optimizing module is used for carrying out low-dimensional density domain mapping on the classification characteristic matrix to obtain an optimized classification characteristic matrix;
and the classification result generation module is used for enabling the optimized classification characteristic matrix to pass through a classifier to obtain a classification result, wherein the classification result is used for indicating whether potential network intrusion behaviors exist or not.
2. The system for detecting abnormal behavior of network data according to claim 1, wherein the timing encoding module comprises:
an input vector construction unit, configured to arrange the network traffic data at the plurality of predetermined time points into input vectors according to time dimensions, respectively;
the full-connection coding unit is used for carrying out full-connection coding on the input vector by using a full-connection layer of the time sequence coder according to the following formula to extract high-dimensional implicit characteristics of characteristic values of all positions in the input vector, wherein the formula is as follows: wherein X is the input vector, Y is the output vector, W is the weight matrix, B is the bias vector, and the operator in the formula represents a matrix multiplication;
the one-dimensional convolution coding unit is used for carrying out one-dimensional convolution coding on the input vector by using a one-dimensional convolution layer of the timing encoder to extract associated high-dimensional implicit association features among feature values of each position in the input vector, wherein the formula is as follows:
wherein a is the width of a convolution kernel in the X direction, F is a convolution kernel parameter vector, G is a local vector matrix calculated by a convolution kernel function, w is the size of the convolution kernel, X represents an input vector, and Cov(X) represents one-dimensional convolution encoding of the input vector.
3. The system for detecting abnormal behavior of network data according to claim 2, wherein said context encoding module comprises:
the word segmentation unit is used for carrying out word segmentation processing on the log file to obtain a word sequence;
a word embedding unit, configured to input each word in the word sequence into an embedding layer of the context encoder, so that the embedding layer converts each word into a word embedding vector to obtain a word embedding vector sequence;
a context semantic understanding unit for inputting the sequence of word embedding vectors into a Transformer-based BERT model of the context encoder to obtain a plurality of word semantic feature vectors;
and the cascading unit is used for cascading the plurality of word sense feature vectors to obtain the one-dimensional feature vector.
4. The system for detecting abnormal behavior of network data according to claim 3, wherein said one-dimensional correlation encoding module comprises:
the first neighborhood scale coding unit is used for inputting the one-dimensional feature vector into a first convolution layer of the multi-scale neighborhood feature extraction module, wherein the first convolution layer performs one-dimensional convolution coding on the one-dimensional feature vector by using a one-dimensional convolution kernel with a first length to obtain a first scale neighborhood associated feature vector;
a second neighborhood scale encoding unit, configured to input the one-dimensional feature vector into a second convolution layer of the multi-scale neighborhood feature extraction module, where the second convolution layer performs one-dimensional convolution encoding on the one-dimensional feature vector by using a one-dimensional convolution kernel having a second length to obtain a second scale neighborhood associated feature vector;
and the multi-scale cascading unit is used for cascading the first scale neighborhood associated feature vector and the second scale neighborhood associated feature vector to obtain the multi-scale neighborhood associated feature vector.
5. The system for detecting abnormal behavior of network data according to claim 4, wherein the feature vector fusion module comprises: jointly encoding the flow feature vector and the multi-scale neighborhood feature vector to generate the classification feature matrix according to the following formula;
wherein, the formula is:
wherein the operator in the formula represents vector multiplication, M represents the classification feature matrix, V1 represents the flow feature vector, V2 represents the multi-scale neighborhood feature vector, and the transposed term represents the transpose of the multi-scale neighborhood feature vector.
6. The system for detecting abnormal behavior of network data according to claim 5, wherein the optimizing module comprises:
a feature expansion unit, configured to perform feature expansion on each row vector of the classification feature matrix to obtain a plurality of classification local feature vectors;
a feature domain density value unit, configured to calculate, for each classification local feature vector among the plurality of classification local feature vectors, its feature domain density value, where the feature domain density value of a classification local feature vector is the reciprocal of the minimum of the distance values between that vector and the other classification local feature vectors, and each distance value is the Euclidean distance between that vector and one of the other classification local feature vectors;
a Sigmoid activation unit, configured to arrange the feature domain density values of the classification local feature vectors into a feature domain density input vector and pass it through a Sigmoid activation function to obtain a feature domain density mapping feature vector;
and a matrix multiplication unit, configured to matrix-multiply the feature domain density mapping feature vector with each of the plurality of classification local feature vectors, so as to map each of them into the high-dimensional feature space where the feature domain density mapping feature vector is located and thereby obtain the optimized classification feature matrix.
7. The abnormal behavior detection system of network data according to claim 6, wherein the classification result generation module comprises:
a fully-connected encoding unit, configured to perform fully-connected encoding on the optimized classification feature matrix by using a fully-connected layer of the classifier to obtain a fully-connected encoded feature matrix;
a probability obtaining unit, configured to obtain, through a Softmax classification function of the classifier, a first probability that network intrusion exists and a second probability that network intrusion does not exist;
and a classification result determining unit configured to determine the classification result based on a comparison between the first probability and the second probability.
8. A method for detecting abnormal behavior of network data, comprising:
acquiring network flow data and log files collected from a network server;
arranging the network flow data into a flow input vector according to the time dimension, and then passing it through a time sequence encoder comprising a one-dimensional convolution layer to obtain a flow feature vector;
passing the log file through a context encoder comprising an embedding layer to obtain a one-dimensional feature vector;
passing the one-dimensional feature vector through a multi-scale neighborhood feature extraction module to obtain a multi-scale neighborhood feature vector;
fusing the flow feature vector and the multi-scale neighborhood feature vector to obtain a classification feature matrix;
performing low-dimensional density domain mapping on the classification feature matrix to obtain an optimized classification feature matrix;
and passing the optimized classification feature matrix through a classifier to obtain a classification result, wherein the classification result is used for indicating whether potential network intrusion behavior exists.
9. The method for detecting abnormal behavior of network data according to claim 8, wherein arranging the network flow data into the flow input vector according to the time dimension and then passing it through the time sequence encoder comprising a one-dimensional convolution layer to obtain the flow feature vector comprises:
respectively arranging the network flow data of the plurality of preset time points into input vectors according to the time dimension;
and performing full-connection coding on the input vector by using a full-connection layer of the time sequence coder to extract high-dimensional implicit characteristics of characteristic values of all positions in the input vector, wherein the formula is as follows:wherein X is the input vector, Y is the output vector, W is the weight matrix, B is the bias vector, +.>Representing a matrix multiplication;
performing one-dimensional convolution encoding on the input vector by using a one-dimensional convolution layer of a time sequence encoder to extract associated high-dimensional implicit association features among feature values of each position in the input vector, wherein the formula is as follows:
wherein a is the width of a convolution kernel in the X direction, F is a convolution kernel parameter vector, G is a local vector matrix calculated by a convolution kernel function, w is the size of the convolution kernel, X represents an input vector, and Cov (X) represents one-dimensional convolution encoding of the input vector.
10. The method for detecting abnormal behavior of network data according to claim 9, wherein passing the log file through a context encoder comprising an embedding layer to obtain a one-dimensional feature vector comprises:
performing word segmentation on the log file to obtain a word sequence;
respectively inputting each word in the word sequence into the embedding layer of the context encoder, which converts each word into a word embedding vector, to obtain a word embedding vector sequence;
inputting the word embedding vector sequence into a Transformer-based BERT model of the context encoder to obtain a plurality of word sense feature vectors;
and cascading the plurality of word sense feature vectors to obtain the one-dimensional feature vector.
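The fusion of claim 5 and the feature domain density mapping of claim 6, worked through in plain Python as an added example (not code from the patent or its applicant). It assumes the fusion is an outer product, that the final "matrix multiplication" scales each row by its own Sigmoid-mapped density, and that zero distance means infinite density; the sample vectors are constructed.

```python
import math

def fuse(v1, v2):
    # Claim 5 read as an outer product: M[i][j] = v1[i] * v2[j] (assumption,
    # the claim's formula is not reproduced on the page).
    return [[a * b for b in v2] for a in v1]

def density_values(rows):
    # Claim 6: the density of a row is the reciprocal of the smallest
    # Euclidean distance from that row to any other row.
    values = []
    for i, row in enumerate(rows):
        d_min = min((math.dist(row, other)
                     for j, other in enumerate(rows) if j != i),
                    default=math.inf)  # a lone row has no neighbour: density 0
        # Identical rows give d_min == 0; the claim does not define this
        # case, so it is treated here as infinite density (assumption).
        values.append(math.inf if d_min == 0.0 else 1.0 / d_min)
    return values

def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))

def optimize(matrix):
    # Assumption: the multiplication is diag(weights) @ M, so each row is
    # scaled by its own Sigmoid-mapped density value.
    weights = [sigmoid(d) for d in density_values(matrix)]
    scaled = [[w * x for x in row] for w, row in zip(weights, matrix)]
    return weights, scaled

# Constructed sample vectors, not data from the patent.
V1 = [1.0, 2.0, 4.0]   # stands in for the flow feature vector
V2 = [3.0, 4.0]        # stands in for the multi-scale neighborhood vector
M = fuse(V1, V2)       # rows: [3, 4], [6, 8], [12, 16]
WEIGHTS, M_OPT = optimize(M)
```

Under the outer-product reading every row of M is a scalar multiple of V2, so row distances depend only on the gaps between V1 entries scaled by the norm of V2, and two equal V1 entries produce the zero-distance case the claim leaves undefined.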
CN202311155130.8A 2023-09-07 2023-09-07 Abnormal behavior detection system and method for network data Pending CN117176433A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311155130.8A CN117176433A (en) 2023-09-07 2023-09-07 Abnormal behavior detection system and method for network data

Publications (1)

Publication Number Publication Date
CN117176433A true CN117176433A (en) 2023-12-05

Family

ID=88937157

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311155130.8A Pending CN117176433A (en) 2023-09-07 2023-09-07 Abnormal behavior detection system and method for network data

Country Status (1)

Country Link
CN (1) CN117176433A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117574135A (en) * 2024-01-16 2024-02-20 国网浙江省电力有限公司丽水供电公司 Power grid attack event detection method, device, equipment and storage medium
CN117574135B (en) * 2024-01-16 2024-03-26 国网浙江省电力有限公司丽水供电公司 Power grid attack event detection method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication