TW202135507A - Unsupervised malicious flow detecting system and method capable of classifying normal flow rate or abnormal flow rate by only inspecting the first few bytes of the first few packets in each flow - Google Patents

Abstract

The invention provides an unsupervised malicious flow detecting system and method. A pre-processing module is used to classify the received original packets according to the flow to which the original packets belong, and then the first few bytes of the first few packets in the same flow are selected to be input to a convolutional neural network model for performing at least one convolution and dimension reduction sampling so as to screen out features of the packets. Furthermore, an autoencoder is used to learn and classify the features of the packets so as to establish at least one type of normal flow rate, and determine whether the flow rate of the flow detected at present is abnormal or not according to the type of normal flow rate. Therefore, the normal flow rate or abnormal flow rate can be classified by only inspecting the first few bytes of the first few packets in each flow without having to inspect the complete flow, so that the system efficiency can be increased, and the abnormal flow rate can be stopped as soon as possible.

Description

Unsupervised malicious flow detection system and method

The present invention relates to a technology for detecting malicious network traffic, in particular to an unsupervised malicious traffic detection system and method.

In the face of various network threats, there are probably two main detection methods for intrusion detection systems: Signature-based Detection is the method of judging by comparing specific fragments in the traffic with data in the malicious traffic database. Although the false positive rate of this method is low, it will lose the ability to judge in the face of unknown attack traffic, and because of the need to extract features, the performance of real-time detection systems is poor. The other is Anomaly-based Detection, which can detect unknown types of intrusions, but has a high false alarm rate. .

Today's anomaly detection systems are mostly classified into the following four classification methods: port-based, deep packets inspection based, traffic statistics (statistical), and traffic behavior mode (behavioral). From the point of view of machine thinking, the first two belong to the rule-based approach that uses defined rules to identify traffic (Rule-based approach) that requires comparison of data to determine, but has a certain computational cost and cannot determine encrypted traffic. The latter two belong to the category of machine learning, and use the extracted features to classify traffic. Although it breaks through the rule-based shortcomings, the feature extraction will have a great impact on the results. In addition, there are also deep learning architectures that use autoencoders for feature learning and dimensionality reduction, and train for different inputs to detect whether IoT devices are sending out malicious traffic. Use connection features as input to filter important features. It has a high accuracy rate, but the quality of the features has a greater impact on the results, and because the input data needs to be extracted from the original connection, the performance of real-time detection is reduced, and it is easy to get from the same type. The address information finds out the packet relevance and affects privacy.

In view of this, the present invention proposes an unsupervised malicious traffic detection system and method, which uses the weight training in the convolutional neural network model of deep learning to achieve the functions of automatic feature extraction and selection, so as to effectively solve the above-mentioned problems. The problems, specific structure and implementation methods will be detailed below:

The main purpose of the present invention is to provide an unsupervised malicious traffic detection system and method. It only needs to check the first few bytes of the first few packets in each connection to determine whether the network traffic is normal or abnormal. For classification, there is no need to view the complete connection, so the traffic under inspection can be greatly reduced, system performance can be improved, and abnormal traffic can be blocked early.

Another object of the present invention is to provide an unsupervised malicious traffic detection system and method, which uses a convolutional neural network to automatically learn features from original packets, and then uses an autoencoder to establish a pattern of normal traffic based on these features , So it is quite easy to deploy and adjust, and can achieve high accuracy.

Another object of the present invention is to provide an unsupervised malicious traffic detection system and method, which is used to distinguish between normal and abnormal traffic. The threshold set is based on the mean square error (MSELoss) distribution of the normal traffic in the autoencoder. And can carry out grading warning according to the difference of different mean square error.

To achieve the above objective, the present invention provides an unsupervised malicious traffic detection system, including: a preprocessing module, which classifies the received plural original packets according to the connection to which they belong, and then takes the first plural of the same connection Then extract the first multiple bytes of the packets; a convolutional neural network model, the signal is connected to the preprocessing module, and the bytes are used as input for at least one convolution and dimensionality reduction sampling , And then filter out the characteristics of the packets; and an autoencoder, the signal is connected to the convolutional neural network model, to learn and classify the characteristics of the packets, establish at least one type of normal traffic, and use the The type of normal traffic is classified as to whether the traffic of the connection currently being checked is abnormal.

According to an embodiment of the present invention, the convolutional neural network model includes a convolutional layer and a pooling layer. The convolutional layer uses the bytes as input to perform convolution to obtain a feature image. The pooling layer At least one feature is sampled on the feature image in a dimensionality reduction manner.

According to an embodiment of the present invention, the preprocessing module determines whether the original packets are the same connection based on the source IP address, source port, destination IP address, destination port, and transport layer protocol of the original packets.

In addition, the preprocessing module deletes errors and duplicate traffic, and randomizes the source IP address, MAC address and other information of the packets.

According to an embodiment of the present invention, the bytes include a header field of the packets and part of the packet content.

According to an embodiment of the present invention, the autoencoder is an unsupervised binary classifier, which classifies the connection traffic as normal or abnormal.

According to an embodiment of the present invention, a cross-entropy loss (CrossEntropyLoss) of the convolutional neural network model plus a mean square error (MSELoss) of the autoencoder can obtain a loss function.

According to an embodiment of the present invention, the automatic encoder has a threshold, and the threshold is calculated by referring to the distribution of the mean square error obtained from the automatic encoder with reference to the normal flow.

According to an embodiment of the present invention, the convolutional neural network model further includes a fully connected layer (Dense Layer), which includes a plurality of neurons corresponding to the number of a header field of the packet.

The present invention also provides an unsupervised malicious traffic detection method, including the following steps: using a preprocessing module to classify the received plural original packets according to the connection (flow) to which they belong, and then select the previous ones in the same connection. Multiple packets, and then extract the first multiple bytes of the packets; input the same bytes into a convolutional neural network model, perform at least one convolution and dimensionality reduction sampling, and then filter out the characteristics of the packets ; And using an auto-encoder to learn and classify the characteristics of the packets, establish at least one normal traffic type, and use the normal traffic type to classify whether the current connection traffic is abnormal.

The present invention provides an unsupervised malicious traffic detection system and method. It first uses a convolutional neural network to automatically learn the traffic characteristics of each device from an original packet, and only inspects a small part of the header and content of the original packet to learn The latter data is output to an unsupervised deep learning model (autoencoder), which is trained to establish a pattern of normal traffic, and based on this, it is determined whether the traffic under inspection is abnormal. Since the latest defense systems for various attacks still mostly rely on pre-defined characteristics of complete network traffic, these characteristics are defined manually, and it is too late to block malicious traffic after extracting the traffic characteristics. However, the present invention only inspects the first few bytes of the first few packets of each connection, so the inspected traffic can be greatly reduced, abnormal traffic can be detected quickly, and abnormal traffic can be detected early and blocked.

Please refer to Figure 1, which is a block diagram of the unsupervised malicious traffic detection system of the present invention. Please also refer to Figure 2, which is a flowchart of the unsupervised malicious traffic detection method of the present invention.

The unsupervised malicious traffic detection system of the present invention includes a preprocessing module 10, a convolutional neural network (Convolutional Neural Network, CNN) 12, and an autoencoder (Autoencoder) 14, wherein the convolutional neural network The signal of the model 12 is connected to the preprocessing module 10, and the signal of the autoencoder 14 is connected to the convolutional neural network model 12. The autoencoder 14 in the present invention is an unsupervised deep learning model.

When the original packet is received, as described in step S10, the preprocessing module 10 classifies the received original packet. The original packets belonging to the same flow are classified together, and then the packets in the same flow The first plurality of packets, and then the first plurality of bytes of the packets are extracted; then in step S12, these bytes are used as the input of the convolutional neural network model 12, which is performed in the convolutional neural network model 12. After at least one convolution and dimensionality reduction sampling, the characteristics of the packets are filtered out; as described in step S14, the autoencoder 14 is used to learn and classify the characteristics of the packets to establish at least one type of normal traffic, Finally, it is determined whether the current flow of the connection under inspection is abnormal according to the normal flow type, as described in step S16.

The detailed flow of each component in each step is detailed below.

Preprocessing module 10 :

The preprocessing module 10 judges whether it is the same connection based on the source IP address, source port, destination IP address, destination port, and transport layer protocol of the original packet, and after removing errors and duplicate traffic, it has input The original packets are classified according to their connection; then, since only a few malicious traffic in the experiment are attacked, and in reality, most attacks will forge the source IP. In order to ensure the credibility of the system, the present invention is particularly Randomize the fixed identity information (such as source IP address, MAC address, etc.) of malicious traffic. Finally, the size and number of packets in each connection will be tested to strike a balance between accuracy and real-time.

Convolutional neural network model 12 :

Convolutional neural network is a deep neural network. It is most commonly used to analyze visual images. The color, texture, light source, size, etc. in the image are used as a neural network (neural network) by means of a convolution layer. ) Input features. Compared with the general multi-layer perceptron, the biggest feature is the local perception and weight sharing. The filter extracts the local features of the image, and allows each area of the image to share this Filter, which can improve the original neural network to pull the image into In the case of 1×N vector, the input data loses the problem of local relevance, so it is often used in the image recognition field with strong local relations.

The basic idea of convolutional neural network is simple and intuitive. It uses a diversified image database as training image, and uses millions of neural network parameters (a group of parameters with specific functions we call model) to the network. The output end is passed, the target and prediction errors are calculated at the output end, and the weight value of the neural network is continuously updated through back-propagation, so that the convolutional neural network can solve the problem of a large amount of data. For high-variability, large-scale and high-dimensional image recognition, it has great application and research value. The network architecture often includes single or multiple convolution layers and pooling layers (subsampling). And connect the fully-connected layer (original neural network) at the output end.

……..(1) 其中，k為過濾器之代號；W^k 為第k個過濾器的向量權重；b_k 為第k個過濾器的偏移量；x_ij 為基於第k個過濾器之大小下於原始影像的位置(i,j)中，各像素之數值；而h^k _ij 為基於第k個過濾器的向量權重與基於第k個過濾器之大小下於原始影像的位置(i,j)中像素之數值進行點積後，所輸出之新的像素值。The architecture diagram of the convolutional neural network model 12 is shown in Figure 1. The operation of the first convolutional layer 122 is to convolve with the original image through each filter, and then a feature image can be obtained. And the depth of the feature image will be equal to the number of filters, and the equation is as follows (1):

……..(1) where k is the code name of the filter; W ^k is the vector weight _{of the k-th filter; b k} is the offset of the k-th filter; x _ij is based on the k-th filter The size of is the value of each pixel in the position (i, j) of the original image; and h ^k _ij is the vector weight based on the k-th filter and the position of the original image based on the size of the k-th filter ( The new pixel value output after dot product of the pixel value in i, j).

The operation of the second pooling layer 124 is similar to signal processing, and feature sampling in a dimensionality reduction manner. Assume that Maxpooling is taken as an example. As shown in Figure 2, an image with 16 pixels is divided into four blocks, and the four pixels in each block take the maximum value. For example, the block in the upper left corner is 1,1,5,6, the maximum value is 6, and so on, the maximum pooled image can be obtained with four pixels including 6, 8, 3, and 4.

……(2) 其上述之參數n^w _i 為第w個全連接層下，第i個神經元之輸出值；k為全連接層中神經元之數量；ω^w _ji 為第w個全連接層中，對於第j個特徵參數所對應之第i個神經元的向量權重；b^w 為第w個全連接層中之偏移量；而x_j 為第j張圖片之輸入的特徵向量。The third fully-connected layer 126 operates like a fully-connected layer in a general neural network. It passes the original image through several layers of convolutional layer 122 and pooling layer 124, and then the selected important images are doubled with neurons. The dot product between vectors, the equation is as follows (2):

……(2) The above-mentioned parameter n ^w _i is the output value of the i-th neuron under the w-th fully connected layer; k is the number of neurons in the fully-connected layer; ω ^w _ji is the w-th fully connected layer In the layer, the vector weight of the i-th neuron corresponding to the j-th feature parameter; b ^w is the offset in the w-th fully connected layer; and x _j is the input feature vector of the j-th picture.

第四層輸出層128之運作為經過全連接層126後欲輸出之預測結果，其方程式如下式(3)： ……….(3) 其中，參數o_c 為c類別之預測輸出結果；l為輸入之神經元數量；ω_ic 為c類別之神經元中，對於第i個神經元之權重值；b為輸出層之偏移量；而n_i 為欲輸入之第i個神經元。

The operation of the fourth output layer 128 is the prediction result to be output after the fully connected layer 126, and its equation is as follows (3): ... (3) where the parameter o _c is the prediction output result of category c; Is the number of input neurons; ω _ic is the weight value of the i-th neuron in the neuron of category c; b is the offset of the output layer; and n _i is the i-th neuron to be input.

As described above, the convolutional neural network model 12 used in the present invention uses the method of classifying two-dimensional image data to classify the original packets of network traffic, but it can also be used in a one-dimensional manner. In this case, a one-dimensional convolution The neural network model takes the header field of the original packet as input, so the kernel size of the passer of the convolutional layer 124 is set to 6, which is the Mac with the largest width field in the header field Address setting).

Auto encoder 14 :

The autoencoder is a neural network training process by reconstructing the input, and its fully connected layer vector has the effect of dimensionality reduction and noise reduction. The characteristic is that the encoder will establish a fully connected layer (or multiple fully connected layers) containing the low-dimensional vector of the meaning of the input data. In addition, there is a decoder that reconstructs the input data from the low-dimensional vectors of the fully connected layer. Through the training of the neural network, the autoencoder will obtain a low-dimensional vector representing the input data in the fully connected layer, which can help retain important information to achieve data classification, visualization, storage, compression, noise reduction... etc. , Is an unsupervised learning mode, only need to input data, no label input data.

The autoencoder 14 in the present invention is an unsupervised binary classifier, used to classify the connected traffic as normal or abnormal, and classify the fully connected layer (layer 5) in the above-mentioned one-dimensional convolutional neural network The autoencoder 14 is added to learn the features extracted from the convolutional neural network model 12, which can be used to train all normal traffic patterns.

When the autoencoder 14 completes the training of the normal traffic pattern and finally tests the original traffic, it will classify the traffic based on a test set balanced with normal and malicious data and a mean square error (MSELoss) output from the autoencoder, and Since the threshold is calculated based on the normal flow rate, it can be used as a warning for different mean square error differences. The detailed architecture parameter design is shown in Table 1: Number of layers Type Filter/neuron Stride Padding 1 1D-ConV+Relu+ batch standardization 32 (core size=6) 1 5 2 Max pooling Core size = 2 2 - 3 1D-ConV+Relu+ batch standardization 64 (core size=6) 1 5 4 Max pooling Core size = 2 2 - 5 Fully connected layer (Dense) + batch standardization 1024 - - 6 Fully connected layer (Dense) + batch standardization 25 - - 7 Fully connected layer (Dense) 10 - - 8 Fully connected layer (Dense) 512 - - 9 Fully connected layer (Dense) 256 - - 10 Fully connected layer (Dense) 512 - - 11 Fully connected layer (Dense) 1024 - - Table 1 In the above table 1, the 6th and 7th layers are the layers designed to calculate the cross-entropy loss (CrossEntropyLoss) of the convolutional neural network, and the previous layer of the 8th layer is the 5th layer.

The visualization results of the mean square error of T-SNE dimensionality reduction are shown in Figures 6A to 6C. Figure 6A is a normal traffic distribution map, Figure 6B is a malicious traffic distribution map, and Figure 6C is a normal and malicious traffic distribution. Common distribution map, where the dimensionality reduction data is the feature extraction output distribution of the convolutional neural network model.

In particular, the present invention further optimizes the mean square error (MSELoss, the original loss function of the autoencoder) of the autoencoder 14, which combines the cross-entropy loss of one of the convolutional neural network models 12 with the autoencoder The mean square error of the device 14 is used as a loss function of the overall architecture of the present invention. In addition, the present invention also provides the following optimization procedures: 1. Optimize the size of each packet and the number of packets in the connection, find the input data that can be processed in the shortest time with the least data, and a suitable combination of data with a certain accuracy; 2. Batch normalization between all convolutional neural network layers is due to the deep learning architecture of the present invention with more layers. The addition of batch normalization between each layer can make the parameter distribution relatively stable, accelerate the learning efficiency, and also alleviate Vanishing gradients and over-learning (Overfitting); 3. When extracting features from the convolutional neural network model, an additional layer of 25 neurons is added to the dense layer (Dense Layer), which includes plural neurons that match the number of header fields in the packet, but due to The header field is mainly used as the input data, so an additional layer of 25 neurons is added to refer to the permutation and combination of various features. Each combination of features has the opportunity to affect the classification result. The present invention can avoid missing important The feature combination of is used for classification, which greatly improves the classification result; 4. All fully connected layers are designed with layer-by-layer greedy pre-training. The layer-by-layer greedy pre-training design can also alleviate the problems of gradient disappearance and over-learning in the deep architecture, and it can better initialize the parameters of each layer; 5. Finally, when detecting an attack, the mean square error distribution generated by the training set of the autoencoder (ie, normal traffic) is used, and the maximum value is compared with the average value of the maximum 1% data to determine the threshold. If the difference between the maximum value and the maximum 1% data average exceeds three times the standard deviation of the mean square error distribution, the maximum 1% data average value will be used as the threshold; otherwise, the maximum value will be the detection valve value.

Experiment with the system and method of the present invention. The normal flow data of USTC-TFC2016 is used as the input training data. After preprocessing, the input data is 10 types of normal flow. The test data is to balance the normal flow of USTC-TFC2016 and Mirai. The test set of malicious DDoS data is shown in Tables 2 and 3: Training set type quantity BitTorrent 6000 Facetime 6000 FTP 6000 Gmail 6000 MySQL 6000 Outlook 6000 Skype 6000 SMB 6000 Weibo 6000 WorldofWarcraft 6000 Table II Test set type quantity BitTorrent 2398 Facetime 2398 FTP 2399 Gmail 2399 MySQL 2399 Outlook 2399 Skype 2399 SMB 2399 Weibo 2399 WorldofWarcraft 2399 ACK Flood 5997 SYN Flood 5997 UDP Flood 5997 HTTP Flood 5997 Table Three

The input data is processed with different packet sizes and number of packets in the connection, and the results of the respective tests are as follows: Number of packets Packet size ( bytes ) 40 50 60 70 80 2 99.96% 99.59% 100.00% 100.00% 99.98% 3 99.89% 100.00% 100.00% 100.00% 100.00% 4 99.85% 100.00% 100.00% 100.00% 100.00% 5 99.55% 99.39% 99.99% 98.49% 98.86% Table Four

It can be seen from Table 4 above that when the data in the header field of the packet is obtained (TCP generally has 54 bytes, UDP generally has 42 bytes), this unsupervised classification architecture has a 99.6% accuracy rate Above, when each packet takes 50 bytes and each connection takes two packets, the effect of complete classification can be achieved. It can be seen from the experiment that the present invention only needs to capture a few packets in a connection to detect malicious connections.

Figure 7 is a histogram of the mean square error distribution of the test set in the experiment of the present invention, in which the dashed line is the threshold set by the classification. From the figure, we can clearly see the difference between the mean square error between normal traffic and Mirai DDoS (test set traffic). This figure shows the architecture result of 50 bytes for each packet and two packets for each connection. The horizontal axis is the value of the mean square error, and the vertical axis is the number of data in the unit interval.

In summary, an unsupervised malicious traffic detection system and method provided by the present invention uses convolutional neural networks to automatically learn features from original packets, and then uses an autoencoder to establish a pattern of normal traffic based on these features. Therefore, it is quite easy to deploy and adjust, and can achieve high accuracy. In addition, the present invention only needs to view the first few bytes of the first few packets in each connection. Although only a small number of packets and a few bytes in it are checked, it can classify whether the network traffic is normal or abnormal. , It is not necessary to check the complete connection, so it can greatly reduce the traffic under inspection, improve system performance, and block abnormal traffic early.

Only the above are only preferred embodiments of the present invention and are not used to limit the scope of implementation of the present invention. Therefore, all equivalent changes or modifications made in accordance with the characteristics and spirit of the application scope of the present invention should be included in the patent application scope of the present invention.

10: preprocessing module 12: Convolutional Neural Network Model 122: Convolutional layer 124: Pooling layer 126: Fully connected layer 128: output layer 14: Auto encoder

Figure 1 is a block diagram of the unsupervised malicious traffic detection system of the present invention. Figure 2 is a flowchart of the unsupervised malicious traffic detection method of the present invention. Figure 3 is a schematic diagram of the architecture of the convolutional neural network model Figure 4 is a schematic diagram of maximum pooling in the convolutional neural network model. Figure 5 is a schematic diagram of a one-dimensional convolutional neural network model combined with an automatic encoder in the unsupervised malicious traffic detection method of the present invention. Figure 6A is a distribution of normal traffic, Figure 6B is a distribution of malicious traffic, and Figure 6C is a common distribution of normal and malicious traffic. Figure 7 is a histogram of the mean square error distribution of the test set of the experiment conducted by the present invention.

10: preprocessing module

12: Convolutional Neural Network Model

122: Convolutional layer

124: Pooling layer

126: Fully connected layer

128: output layer

14: Auto encoder

Claims (18)

An unsupervised malicious traffic detection system, including: A preprocessing module, after classifying the received plural original packets according to the flow to which they belong, taking the first plural packets in the same connection, and then extracting the first plural bytes of the packets; A convolutional neural network model, the signal is connected to the preprocessing module, convolution and dimensionality reduction sampling are performed at least once with the bytes as input, and then the characteristics of the packets are filtered out; and An autoencoder, the signal is connected to the convolutional neural network model, learns and classifies the characteristics of the packets, establishes at least one normal traffic type, and classifies the currently viewed by the at least one normal traffic type Whether the connection traffic is abnormal. The unsupervised malicious traffic detection system according to claim 1, wherein the convolutional neural network model includes a convolutional layer and a pooling layer, and the convolutional layer uses the bytes as input for convolution, A feature image is obtained, and the pooling layer performs at least one feature sampling on the feature image in a dimensionality reduction manner. The unsupervised malicious traffic detection system described in claim 1, wherein the preprocessing module judges whether the original packets are based on the source IP address, source port, destination IP address, destination port, and transport layer protocol of the original packets For the same connection. The unsupervised malicious traffic detection system described in claim 3, wherein the preprocessing module deletes errors and duplicate traffic, and randomizes the source IP address, MAC address and other information of the packets. The unsupervised malicious traffic detection system according to claim 1, wherein the bytes include a header field of the packets and part of the packet content. The unsupervised malicious traffic detection system according to claim 1, wherein the autoencoder is an unsupervised binary classifier to classify the connection traffic as normal or abnormal. The unsupervised malicious traffic detection system according to claim 1, wherein a cross-entropy loss (CrossEntropyLoss) of the convolutional neural network model plus a mean square error (MSELoss) of the autoencoder can obtain a loss function. The unsupervised malicious traffic detection system according to claim 7, wherein the autoencoder has a threshold, and the calculation method of the threshold is the distribution of the mean square error obtained from the autoencoder with reference to the normal flow. The unsupervised malicious traffic detection system according to claim 1, wherein the convolutional neural network model further includes a fully connected layer (Dense Layer), including the number of header fields corresponding to the packet The plural neurons. An unsupervised malicious traffic detection method includes the following steps: After using a preprocessing module to classify the received plural original packets according to the connection (flow) to which they belong, take the first plural packets in the same connection, and then extract the first plural bytes of the packets; Input these bytes into a convolutional neural network model, perform convolution and dimensionality reduction sampling at least once, and then filter out the characteristics of the packets; and Use an auto-encoder to learn and classify the characteristics of the packets, establish at least one normal traffic type, and use the normal traffic type to classify whether the current connection traffic is abnormal or not. The unsupervised malicious traffic detection method according to claim 10, wherein the convolutional neural network model includes a convolutional layer and a pooling layer, and the convolutional layer uses the bytes as input for convolution, A feature image is obtained, and the pooling layer performs at least one feature sampling on the feature image in a dimensionality reduction manner. The unsupervised malicious traffic detection method described in claim 10, wherein the preprocessing module determines whether the original packets are based on the source IP address, source port, destination IP address, destination port, and transport layer protocol of the original packets For the same connection. In the unsupervised malicious traffic detection method described in claim 12, the preprocessing module deletes errors and duplicate traffic, and randomizes the source IP address, MAC address and other information of the packets. The unsupervised malicious traffic detection method according to claim 10, wherein the bytes include a header field of the packets and part of the packet content. The unsupervised malicious traffic detection method according to claim 10, wherein the autoencoder is an unsupervised binary classifier to classify the connection traffic as normal or abnormal. The unsupervised malicious traffic detection method according to claim 10, wherein a cross-entropy loss (CrossEntropyLoss) of the convolutional neural network model plus a mean square error (MSELoss) of the autoencoder can obtain a loss function. The unsupervised malicious traffic detection method according to claim 16, wherein the autoencoder has a threshold, and the threshold is calculated by referring to the distribution of the mean square error obtained from the autoencoder with reference to normal traffic. The unsupervised malicious traffic detection method according to claim 10, wherein the convolutional neural network model further includes a fully connected layer (Dense Layer), including the number of header fields corresponding to the packet The plural neurons.

Images