WO2022011977A1 - Network anomaly detection method and system, terminal and storage medium - Google Patents


Info

Publication number
WO2022011977A1
Authority
WO
WIPO (PCT)
Prior art keywords
network traffic
network
hidden state
artificial
gram
Prior art date
Application number
PCT/CN2020/138820
Other languages
French (fr)
Chinese (zh)
Inventor
叶可江
林鹏
须成忠
Original Assignee
中国科学院深圳先进技术研究院

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1416 Event detection, e.g. attack signature detection

Definitions

  • the present application belongs to the technical field of network security, and in particular, relates to a network abnormality detection method, system, terminal and storage medium.
  • network anomaly detection techniques can be divided into two categories:
  • Signature-based detection: its principle is to analyze known abnormal traffic, extract specific string patterns from it, and build a database of abnormal-traffic fingerprints on that basis. When new traffic is observed it is compared against the fingerprints in the database one by one; once a fingerprint of malicious traffic matches, the current traffic is judged abnormal.
  • Fingerprint-based detection is a relatively mature method with high accuracy, but it requires experienced experts to extract the fingerprints and long-term maintenance of the fingerprint database; as abnormal traffic grows, the increasingly bloated database inevitably slows down detection. Moreover, the method can only recognize known attacks and cannot cope with unknown new attacks, such as exploitation of 0-day vulnerabilities.
  • Anomaly-based detection is the current mainstream research direction for anomaly detection systems (ADS).
  • The core idea of this method is to build a trusted activity model of legitimate user behaviour and then use the model to compute the probability that new behaviour conforms to legitimate behaviour; the lower the score, the more likely the behaviour is anomalous.
  • The models are typically built with mathematical statistics, data mining and machine learning. This approach can detect unknown network traffic, but building an effective model with both a low false-positive rate and a low false-negative rate has always been a challenge.
  • the present application provides a network anomaly detection method, system, terminal and storage medium, aiming to solve one of the above-mentioned technical problems in the prior art at least to a certain extent.
  • a network anomaly detection method comprising the following steps:
  • the technical solutions adopted in the embodiments of the present application further include: before the vector conversion of the network traffic data with the n-gram model, the method further includes:
  • the network traffic is divided into m groups according to the five-tuple <source IP, destination IP, source port, destination port, transport protocol>, and each group represents one bidirectional communication flow;
  • the vector transformation of network traffic by using the n-gram model includes:
  • a corresponding d-dimensional vector is set for each element of the 1-gram, 2-gram and 3-gram hash byte tables;
  • the technical solutions adopted in the embodiments of the present application further include: using a long short-term memory network and a bidirectional gated recurrent unit to perform spatiotemporal feature extraction on the vector matrix of the network traffic and obtain the hidden state of the network traffic includes:
  • spatiotemporal feature extraction is performed on the first hidden states h1 of the m*p network traffic data packets respectively, to obtain the second hidden state h2 of each network traffic data packet.
  • the technical solutions adopted in the embodiments of the present application further include: performing a one-dimensional convolution operation on the vector matrices of the m*p network traffic data packets respectively includes:
  • the technical solution adopted in the embodiment of the present application further includes: the step of extracting the spatiotemporal features of the first hidden states h1 of the m*p network traffic data packets respectively includes:
  • the technical solutions adopted in the embodiments of the present application further include: extracting the artificial features of the network traffic by using an artificial feature extractor further includes:
  • Each network flow in the network traffic is represented as a flow vector of size 1*80, each column representing one feature value.
  • the technical solution adopted in the embodiment of the present application further includes: performing spatiotemporal feature extraction on the artificial feature, and obtaining the hidden state of the artificial feature includes:
  • a network anomaly detection system comprising:
  • Vector conversion module used to perform vector conversion on network traffic by using the n-gram model to obtain a vector matrix of the network traffic;
  • the first spatiotemporal feature extraction module used for extracting spatiotemporal features from the vector matrix of the network traffic by using a long short-term memory network and a bidirectional gated recurrent unit to obtain the hidden state of the network traffic;
  • Artificial feature extraction module for extracting the artificial features of the network traffic through an artificial feature extractor
  • the second spatiotemporal feature extraction module used for performing spatiotemporal feature extraction on the artificial feature to obtain the hidden state of the artificial feature;
  • Network traffic prediction module used to concatenate the hidden state of the network traffic with the hidden state of the artificial feature, input the result into the deep neural network to classify and predict the network traffic, and determine whether the network traffic is abnormal according to the prediction result.
  • a terminal includes a processor and a memory coupled to the processor, wherein,
  • the memory stores program instructions for implementing the network anomaly detection method
  • the processor is configured to execute the program instructions stored in the memory to control network anomaly detection.
  • a storage medium storing program instructions executable by a processor, where the program instructions are used to execute the network abnormality detection method.
  • the beneficial effects of the embodiments of the present application are: the network anomaly detection method, system, terminal and storage medium establish a combination table of network traffic using the n-gram model, learn a vector representation in a low-dimensional space for each combination, and build the model from fused features, that is, a deep neural network learns the intrinsic feature representation of network traffic on top of artificially designed features. This represents network traffic better and raises the upper bound of the model's prediction effect.
  • the embodiment of the present application uses one-dimensional convolution, bidirectional LSTM, bidirectional GRU and attention mechanism, which can better reflect the internal implicit relationship of data, so as to better learn the feature representation of network traffic, which can achieve better classification effect.
  • FIG. 1 is a flowchart of a network abnormality detection method according to an embodiment of the present application.
  • FIG. 2 is a schematic diagram of an original network traffic conversion method according to an embodiment of the present application.
  • FIG. 3 is a flow chart of the vector conversion of network traffic data packets in standard input form using the n-gram model according to an embodiment of the present application;
  • FIG. 4 is a flow chart of performing a one-dimensional convolution operation on a vector matrix of each network traffic data packet according to an embodiment of the present application
  • FIG. 6 is a schematic structural diagram of a network anomaly detection system according to an embodiment of the present application.
  • FIG. 7 is a schematic structural diagram of a terminal according to an embodiment of the present application.
  • FIG. 8 is a schematic structural diagram of a storage medium according to an embodiment of the present application.
  • the embodiment of the present application uses the n-gram model to establish a combination table of network traffic, and learns a vector representation in a low-dimensional space for each combination, and each network data packet is processed by the n-gram model. After splitting and vector transformation, it is sent to a deep neural network to learn the vector space representation of network traffic and extract spatiotemporal features. At the same time, in order to supplement the hidden features that the neural network may not learn, the embodiment of the present application further improves the detection effect of the model by adding artificially designed feature representations.
  • FIG. 1 is a flowchart of a network abnormality detection method according to an embodiment of the present application.
  • the network anomaly detection method according to the embodiment of the present application includes the following steps:
  • S1 Collect raw network traffic, and execute S2 and S6 at the same time;
  • the network traffic collection method is specifically: using a network traffic capture tool such as Wireshark or tcpdump to capture network traffic data packets, and saving the captured packets as a pcap file.
  • Figure 2 is a schematic diagram of the original network traffic conversion method, which specifically includes:
  • S21 Divide the original network traffic into m groups according to the five-tuple <source IP, destination IP, source port, destination port, transport protocol>, each group representing one bidirectional communication flow; the value of m can be set according to the actual application;
  • S22 Take the first p data packets of each group to obtain m*p data packets; if a group has fewer than p packets, pad the group so that it reaches p packets; the value of p can be set according to the actual application;
  • S3 Use the n-gram model to perform vector transformation on the network traffic data packets in the form of standard input, and obtain the vector matrix of each network traffic data packet;
  • FIG. 3 is a flow chart of vector conversion of network traffic data packets in the form of standard input using the n-gram model, which specifically includes:
  • FIG. 4 is a flow chart of performing a one-dimensional convolution operation on the vector matrix of each network traffic data packet, which specifically includes:
  • S42 Perform a row-direction one-dimensional convolution operation on the i-th (0 < i ≤ p) network traffic data packet; each convolution kernel yields one feature map, so a total of 3r feature maps are obtained;
  • S43 Perform a max-pooling operation on each of the 3r feature maps to obtain 3r values, and concatenate the 3r values to obtain the first hidden state hi1 of the i-th network traffic data packet.
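An added example (not code from the patent) of S42/S43 in pure Python: a row-direction one-dimensional convolution slides each kernel down a packet's vector matrix, every feature map is max-pooled to a single value, and the values are concatenated into the 3r-long first hidden state hi1. Assumptions not stated in the patent: the "3r feature maps" are read as r kernels at each of three kernel heights, the weights are seeded random values rather than trained ones, a ReLU follows each convolution, and a packet matrix shorter than a kernel is zero-padded instead of rejected.

```python
import random


def make_kernels(heights, r, width, seed=0):
    """r random kernels for each height in `heights` (assumption: the patent's
    '3r feature maps' = r kernels at each of three heights). Each kernel spans the
    full row width, so it slides in the row direction only."""
    rng = random.Random(seed)
    kernels = []
    for k in heights:
        for _ in range(r):
            weights = [[rng.uniform(-0.5, 0.5) for _ in range(width)] for _ in range(k)]
            kernels.append((weights, rng.uniform(-0.1, 0.1)))
    return kernels


def feature_map(matrix, weights, bias):
    """One row-direction 1-D convolution (plus ReLU) of `matrix` with one kernel.
    Edge case: a packet with fewer rows than the kernel height is padded with
    zero rows so that at least one output position exists."""
    k, width = len(weights), len(matrix[0])
    rows = matrix + [[0.0] * width] * max(0, k - len(matrix))
    fmap = []
    for i in range(len(rows) - k + 1):
        s = bias
        for j in range(k):
            s += sum(a * b for a, b in zip(rows[i + j], weights[j]))
        fmap.append(max(0.0, s))  # ReLU (assumption)
    return fmap


def first_hidden_state(matrix, kernels):
    """S43: max-pool every feature map to one value and concatenate -> h_i1 (len 3r)."""
    return [max(feature_map(matrix, w, b)) for w, b in kernels]


if __name__ == "__main__":
    # Constructed toy packet matrix: 6 byte positions, each a 4-wide embedding row.
    rng = random.Random(1)
    packet_matrix = [[rng.uniform(-1, 1) for _ in range(4)] for _ in range(6)]
    kernels = make_kernels(heights=(2, 3, 4), r=5, width=4)   # 3r = 15 feature maps
    h1 = first_hidden_state(packet_matrix, kernels)
    print(len(h1), "values in h_i1")
```

With trained weights the kernel heights act like n-gram windows over byte positions, and the max-pool keeps only the strongest activation per kernel, which is why a packet's position-dependent content (e.g. a header field at a fixed offset) survives the truncation to q bytes while its exact length does not.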
  • S5 Perform spatiotemporal feature extraction on the first hidden states h1 of the m*p network traffic data packets respectively to obtain the second hidden state h2 of each network traffic data packet, and execute S9;
  • the two-way LSTM structure, the two-way GRU structure and the attention mechanism are used to extract the spatiotemporal features of the network traffic data packets, as shown in Figure 5, which is a flowchart of the spatiotemporal feature extraction, which specifically includes:
  • S51 Send the first hidden state hi1 of the i-th network traffic data packet into a bidirectional long short-term memory network (Bi-LSTM) to learn the first hidden state si1 of each time step;
  • S52 Send all the first hidden states si1 to a bidirectional gated recurrent unit (Bi-GRU) to learn the second hidden state hi2 of each time step;
  • S6 perform artificial feature extraction on the original network traffic through an artificial feature extractor to obtain an artificial feature representation of the original network traffic
  • the manual feature extraction of the original network traffic specifically includes: using the traffic feature extraction tool CICFlowMeter to extract 80 manually designed network traffic features from the pcap file, and representing each network flow in the original traffic as a 1*80 traffic vector in which each column is one feature value.
  • the conversion method of artificial feature representation is specifically:
  • each network flow vector is combined with its previous w-1 network flow vectors to obtain a flow vector representation with a size of w*80.
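An added example (not code from the patent or from CICFlowMeter) of the windowing step: parse a CICFlowMeter-style CSV, order the flows by timestamp, keep only the numeric feature columns, and combine each flow vector with its previous w-1 vectors into a w*F matrix. The CSV below is constructed with a handful of columns (real CICFlowMeter output has 80-plus columns, and its Flow ID, Src IP, Dst IP, Timestamp and Label columns are not features); front-padding the first flows with zero rows is an assumption, since the patent does not say how flows with fewer than w-1 predecessors are filled.

```python
import csv
import io

# Constructed CICFlowMeter-style records (column subset and values made up for this example).
SAMPLE_CSV = """Flow ID,Timestamp,Flow Duration,Tot Fwd Pkts,Tot Bwd Pkts,TotLen Fwd Pkts,Label
10.0.0.5-93.184.216.34-40001-80-6,2020-03-01 10:00:02,1200,3,2,180,BENIGN
10.0.0.7-10.0.0.1-5353-53-17,2020-03-01 10:00:01,40,1,1,60,BENIGN
10.0.0.5-93.184.216.34-40002-80-6,2020-03-01 10:00:03,9000,50,1,3000,DoS
"""

# Columns that identify or label a flow but are not feature values.
NON_NUMERIC = {"Flow ID", "Src IP", "Dst IP", "Timestamp", "Label"}


def load_flow_vectors(text):
    """Parse the CSV, sort flows by timestamp (the window must follow time order,
    not file order) and keep only the numeric columns, giving one 1*F vector per
    flow (F = 80 for real CICFlowMeter output). Returns (columns, vectors, labels)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    rows.sort(key=lambda r: r["Timestamp"])
    cols = [c for c in rows[0].keys() if c not in NON_NUMERIC]
    vectors = [[float(r[c]) for c in cols] for r in rows]
    labels = [r["Label"] for r in rows]
    return cols, vectors, labels


def flow_windows(vectors, w):
    """Combine each flow vector with its previous w-1 vectors into a w*F matrix
    (oldest row first). Flows with fewer than w-1 predecessors are front-padded
    with zero rows (assumption) so that every flow yields exactly one window."""
    if not vectors:
        return []
    zero = [0.0] * len(vectors[0])
    padded = [zero] * (w - 1) + vectors
    return [padded[i:i + w] for i in range(len(vectors))]


if __name__ == "__main__":
    cols, vecs, labels = load_flow_vectors(SAMPLE_CSV)
    for win, label in zip(flow_windows(vecs, w=3), labels):
        print(label, win)
```

The label of a window is the label of its last (current) flow; the preceding rows only provide context. When building training sets this way, keep the sort key and the padding rule identical between training and inference, otherwise the first rows of every capture are represented differently in the two phases.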
  • the bidirectional LSTM structure, bidirectional GRU structure and attention mechanism are used to perform spatiotemporal feature extraction on the artificial feature data packets and obtain the hidden state h'2 of each traffic vector; the extraction process is the same as that producing the second hidden state h2 of the network traffic data packets and will not be repeated here.
  • S9 Concatenate the second hidden state h2 of the network traffic data packet with the hidden state h'2 of the traffic vector to obtain the final third hidden state h3, input h3 into the deep neural network for classification prediction of the network traffic, and determine from the prediction result whether the network traffic data is abnormal;
  • the network anomaly detection method of the embodiment of the present application builds the model from fused features, that is, a deep neural network learns the intrinsic feature representation of network traffic on top of artificially designed features, so that network traffic is represented better and the upper bound of the model's prediction effect is raised.
  • the embodiment of this application proposes a new byte-combination embedding method, which learns vector representations of the 1-grams, 2-grams and 3-grams of network traffic and concatenates them horizontally, so as to represent network traffic better.
  • the embodiment of this application uses one-dimensional convolution, bidirectional LSTM, bidirectional GRU and attention mechanism, which can better reflect the internal implicit relationship of data, so as to better learn the feature representation of network traffic, so as to achieve better classification effect.
  • FIG. 6 is a schematic structural diagram of a network anomaly detection system according to an embodiment of the present application.
  • the network anomaly detection system of the embodiment of the present application includes:
  • Traffic collection module used to collect original network traffic; in the embodiment of the present application, the collection method is specifically: using Wireshark, tcpdump or other network traffic capture tools to capture network traffic data packets, and saving the captured packets as a pcap file.
  • Traffic conversion module used to convert the original network traffic into network traffic data packets in the form of standard input; the traffic conversion method specifically includes:
  • the original network traffic is divided into m groups according to the five-tuple <source IP, destination IP, source port, destination port, transport protocol>, and each group represents one bidirectional communication flow; the value of m can be set according to the actual application.
  • Vector conversion module It is used to perform vector conversion on network traffic data packets in the form of standard input by using the n-gram model to obtain a vector matrix of each network traffic data packet; wherein, the vector conversion methods specifically include:
  • Convolution calculation module used to perform a one-dimensional convolution operation on the vector matrix of each of the m*p network traffic data packets to obtain its first hidden state h1; the embodiment of the present application uses one-dimensional convolution to scan the vector matrix of a packet vertically (along its rows) and compresses the result with max pooling. Specifically:
  • each convolution kernel yields one feature map, so a total of 3r feature maps are obtained;
  • First spatiotemporal feature extraction module used to perform spatiotemporal feature extraction on the first hidden states h1 of the m*p network traffic data packets respectively, to obtain the second hidden state h2 of each network traffic data packet; the embodiment of the present application uses the bidirectional LSTM structure, the bidirectional GRU structure and the attention mechanism to extract the spatiotemporal features of the packets, including:
  • Manual feature extraction module used to perform manual feature extraction on the original network traffic through an artificial feature extractor to obtain the artificial feature representation of the original traffic; specifically, the traffic feature extraction tool CICFlowMeter extracts 80 hand-designed network traffic features from the pcap file, and each network flow in the original traffic is represented as a 1*80 traffic vector in which each column is one feature value.
  • Artificial feature conversion module It is used to convert the artificial feature representation of the original network traffic into an artificial feature data packet in the form of standard input; wherein, the conversion method of the artificial feature representation is specifically:
  • each network flow vector is combined with its previous w-1 network flow vectors to obtain a flow vector representation with a size of w*80.
  • the second spatiotemporal feature extraction module is used to extract spatiotemporal features from the artificial feature data packets in standard input form and obtain the hidden state h'2 of each traffic vector; the extraction process is the same as that producing the second hidden state h2 of the network traffic data packets and will not be repeated here.
  • FIG. 7 is a schematic structural diagram of a terminal according to an embodiment of the present application.
  • the terminal 50 includes a processor 51 and a memory 52 coupled to the processor 51 .
  • the memory 52 stores program instructions for implementing the above-mentioned network abnormality detection method.
  • the processor 51 is configured to execute program instructions stored in the memory 52 to control network anomaly detection.
  • the processor 51 may also be referred to as a CPU (Central Processing Unit, central processing unit).
  • the processor 51 may be an integrated circuit chip with signal processing capability.
  • the processor 51 may also be a general-purpose processor, digital signal processor (DSP), application-specific integrated circuit (ASIC), field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic device, or discrete hardware component.
  • a general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
  • FIG. 8 is a schematic structural diagram of a storage medium according to an embodiment of the present application.
  • the storage medium of this embodiment of the present application stores a program file 61 capable of implementing all the above methods; the program file 61 may be stored in the storage medium in the form of a software product and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) or a processor to execute all or part of the steps of the methods of the various embodiments of the present invention.
  • the aforementioned storage medium includes media that can store program code, such as a USB flash drive, removable hard disk, read-only memory (ROM), random access memory (RAM), magnetic disk or optical disk, or terminal equipment such as computers, servers, mobile phones and tablets.


Abstract

The present application relates to a network anomaly detection method and system, a terminal and a storage medium. The method comprises: performing vector conversion on network traffic using an n-gram model to obtain a vector matrix of the network traffic; performing spatiotemporal feature extraction on the vector matrix using a long short-term memory network and a bidirectional gated recurrent unit to obtain a hidden state of the network traffic; extracting an artificial feature of the network traffic with an artificial feature extractor and performing spatiotemporal feature extraction on the artificial feature to obtain a hidden state of the artificial feature; and concatenating the hidden state of the network traffic with the hidden state of the artificial feature, inputting the result into a deep neural network for classification and prediction of the network traffic, and determining from the prediction result whether the network traffic is anomalous. In the present application a fused feature is used to build the model, which represents network traffic better, raises the upper limit of the model's prediction effect, and achieves a better classification effect.

Description

A network anomaly detection method, system, terminal and storage medium
Technical field
The present application belongs to the technical field of network security, and in particular relates to a network anomaly detection method, system, terminal and storage medium.
Background
According to the 45th Statistical Report on Internet Development in China by the China Internet Network Information Center (CNNIC), as of March 2020 the number of Internet users in China exceeded 900 million and Internet penetration reached 64.5%. With the rapid development of network technology, however, network security incidents have emerged one after another. According to the Sangfor Technology report, malware was very active in 2019, with virus infections, ransomware and network attacks appearing continuously. Current network security threats are severe; if abnormal network traffic can be identified and intercepted in the early stage of an intrusion, the occurrence of intrusion events can be effectively reduced and the stability of information systems increased. Network anomaly detection systems are used to solve exactly this problem: their purpose is to identify traffic that does not conform to normal behaviour patterns.
Currently, network anomaly detection techniques can be divided into two categories:
1. Signature-based detection: its principle is to analyze known abnormal traffic, extract specific string patterns from it, and build a database of abnormal-traffic fingerprints on that basis. When new traffic is observed it is compared against the fingerprints in the database one by one; once a fingerprint of malicious traffic matches, the current traffic is judged abnormal. Signature-based detection is a relatively mature method with high accuracy, but it requires experienced experts to extract the fingerprints and long-term maintenance of the fingerprint database; as abnormal traffic grows, the increasingly bloated database inevitably slows down detection. Moreover, the method can only recognize known attacks and cannot cope with unknown new attacks, such as exploitation of 0-day vulnerabilities.
2. Anomaly-based detection: this is the current mainstream research direction for anomaly detection systems (ADS). Its core idea is to build a trusted activity model of legitimate user behaviour and then use the model to compute the probability that new behaviour conforms to legitimate behaviour; the lower the score, the more likely the behaviour is anomalous. The models are typically built with mathematical statistics, data mining and machine learning. This approach can detect unknown network traffic, but building an effective model with both a low false-positive rate and a low false-negative rate has always been a challenge.
There is a large body of research on anomaly-based detection. However, to train a classifier with machine learning and similar methods, the network traffic must first be converted into a set of vector representations, and this step is currently often done by hand. Most research is based on manually designed traffic feature datasets, so the quality of the feature design determines the upper limit of the classifier. Some work attempts to model the raw data directly, but the traffic embedding used is mostly byte-level one-hot encoding, which has shortcomings and cannot capture the internal implicit relationships of the data well.
SUMMARY OF THE INVENTION
The present application provides a network anomaly detection method, system, terminal and storage medium, aiming to solve, at least to a certain extent, one of the above technical problems in the prior art.
To solve the above problems, the present application provides the following technical solutions:
A network anomaly detection method, comprising the following steps:
using an n-gram model to perform vector conversion on network traffic, obtaining a vector matrix of the network traffic;
using a long short-term memory network and a bidirectional gated recurrent unit to perform spatiotemporal feature extraction on the vector matrix of the network traffic, obtaining the hidden state of the network traffic;
extracting artificial features of the network traffic with an artificial feature extractor, and performing spatiotemporal feature extraction on the artificial features, obtaining the hidden state of the artificial features;
concatenating the hidden state of the network traffic with the hidden state of the artificial features, inputting the result into a deep neural network for classification prediction of the network traffic, and determining from the prediction result whether the network traffic is abnormal.
The technical solution adopted in the embodiments of the present application further includes: before the vector conversion of the network traffic data with the n-gram model, the method further includes:
converting the network traffic into network traffic data packets in standard input form; specifically:
dividing the network traffic into m groups according to the five-tuple <source IP, destination IP, source port, destination port, transport protocol>, each group representing one bidirectional communication flow;
taking the first p data packets of each group, obtaining m*p data packets;
taking the first q bytes of each data packet, obtaining m*p*q bytes;
concatenating the first q bytes of the first p packets of the m groups into an m*p*q tensor.
The technical solution adopted in the embodiments of the present application further includes: the vector conversion of network traffic with the n-gram model includes:
setting a 1-gram hash byte table of length 256, a 2-gram hash byte table of length l1 and a 3-gram hash byte table of length l2;
mapping each 2-gram and 3-gram byte combination into the 2-gram hash byte table and the 3-gram hash byte table respectively, where combinations that map to the same position share one embedding;
setting a corresponding d-dimensional vector for each element of the 1-gram, 2-gram and 3-gram hash byte tables;
passing the q bytes of the m*p*q tensor through the 1-gram, 2-gram and 3-gram hash byte tables respectively for vector conversion, obtaining v1, v2 and v3, and concatenating v1, v2 and v3 into a tensor of output dimension m*p*n*3d, where n = p + p/2 + p/3.
The technical solution adopted by the embodiments of the present application further includes: performing spatiotemporal feature extraction on the vector matrix of the network traffic using a long short-term memory network and a bidirectional gated recurrent unit, to obtain the hidden state of the network traffic, includes:
performing a one-dimensional convolution operation on the vector matrix of each of the m*p network traffic data packets, to obtain a first hidden state h_1 of each network traffic data packet;
performing spatiotemporal feature extraction on the first hidden state h_1 of each of the m*p network traffic data packets, to obtain a second hidden state h_2 of each network traffic data packet.
The technical solution adopted by the embodiments of the present application further includes: performing a one-dimensional convolution operation on the vector matrix of each of the m*p network traffic data packets includes:
setting convolution kernels of sizes 3*3d, 4*3d and 5*3d respectively, with r kernels of each size, for a total of 3r convolution kernels;
performing a row-direction one-dimensional convolution operation on the i-th (0<i≤p) network traffic data packet, to obtain 3r feature maps;
performing a max pooling operation on each of the 3r feature maps to obtain 3r values, and concatenating the 3r values to obtain the first hidden state h_i1 of the i-th network traffic data packet.
The technical solution adopted by the embodiments of the present application further includes: performing spatiotemporal feature extraction on the first hidden state h_1 of each of the m*p network traffic data packets includes:
feeding the first hidden state h_i1 of the i-th network traffic data packet into a bidirectional long short-term memory network, to learn a first hidden state s_i1 for every time step;
feeding all the first hidden states s_i1 into a bidirectional gated recurrent unit, to learn a second hidden state h_i2 for every time step;
calculating an attention weight for every time step from the second hidden state h_i2: e_i = tanh(W h_i2 + b),
[equation image PCTCN2020138820-appb-000001, not reproduced on this page]
performing a weighted sum over all second hidden states h_i2, to obtain the second hidden state of the i-th network traffic data packet: h_2 = Σ_i α_i * h_i2.
The technical solution adopted by the embodiments of the present application further includes: extracting the artificial features of the network traffic with an artificial feature extractor further includes:
extracting 80 hand-designed network traffic features from the network traffic using a traffic feature extraction tool;
representing each network flow in the network traffic as a flow vector of size 1*80, each column representing one feature value.
The technical solution adopted by the embodiments of the present application further includes: performing spatiotemporal feature extraction on the artificial features to obtain the hidden state of the artificial features includes:
converting the artificial features of the network traffic into artificial feature data packets in a standard input form;
performing spatiotemporal feature extraction on the artificial feature data packets in the standard input form, to obtain a hidden state h'_2 of each flow vector.
Another technical solution adopted by the embodiments of the present application is a network anomaly detection system, comprising:
a vector conversion module, configured to perform vector conversion on network traffic using an n-gram model, to obtain a vector matrix of the network traffic;
a first spatiotemporal feature extraction module, configured to perform spatiotemporal feature extraction on the vector matrix of the network traffic using a long short-term memory network and a bidirectional gated recurrent unit, to obtain a hidden state of the network traffic;
an artificial feature extraction module, configured to extract artificial features of the network traffic with an artificial feature extractor;
a second spatiotemporal feature extraction module, configured to perform spatiotemporal feature extraction on the artificial features, to obtain a hidden state of the artificial features;
a network traffic prediction module, configured to concatenate the hidden state of the network traffic with the hidden state of the artificial features, feed the result into a deep neural network for classification prediction of the network traffic, and determine from the prediction result whether the network traffic is abnormal.
A further technical solution adopted by the embodiments of the present application is a terminal, the terminal comprising a processor and a memory coupled to the processor, wherein
the memory stores program instructions for implementing the network anomaly detection method; and
the processor is configured to execute the program instructions stored in the memory to control network anomaly detection.
A further technical solution adopted by the embodiments of the present application is a storage medium storing program instructions executable by a processor, the program instructions being used to execute the network anomaly detection method.
Compared with the prior art, the beneficial effects of the embodiments of the present application are as follows. The network anomaly detection method, system, terminal and storage medium of the embodiments build a combination table of network traffic using the n-gram model, learn a vector representation in a low-dimensional space for each combination, and model the traffic with fused features, that is, a deep neural network learns the intrinsic feature representation of the network traffic on top of the hand-designed features. This represents the network traffic better and raises the upper bound of the model's prediction performance. At the same time, the embodiments use one-dimensional convolution, a bidirectional LSTM, a bidirectional GRU and an attention mechanism, which better reflect the internal implicit relationships in the data, so that the feature representation of the network traffic is learned better and a better classification result is achieved.
Description of drawings
FIG. 1 is a flowchart of the network anomaly detection method according to an embodiment of the present application;
FIG. 2 is a schematic diagram of the raw network traffic conversion according to an embodiment of the present application;
FIG. 3 is a flowchart of the vector conversion of network traffic data packets in standard input form using the n-gram model according to an embodiment of the present application;
FIG. 4 is a flowchart of the one-dimensional convolution operation on the vector matrix of each network traffic data packet according to an embodiment of the present application;
FIG. 5 is a flowchart of the spatiotemporal feature extraction according to an embodiment of the present application;
FIG. 6 is a schematic structural diagram of the network anomaly detection system according to an embodiment of the present application;
FIG. 7 is a schematic structural diagram of the terminal according to an embodiment of the present application;
FIG. 8 is a schematic structural diagram of the storage medium according to an embodiment of the present application.
Detailed description
In order to make the purpose, technical solutions and advantages of the present application clearer, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein serve only to explain the present application and do not limit it.
To overcome the deficiencies of the prior art, the embodiments of the present application use the n-gram model to build a combination table of network traffic and learn a vector representation in a low-dimensional space for each combination. Each network data packet is split by the n-gram model and converted into vectors, then fed into a deep neural network that learns the vector space representation of the network traffic and extracts spatiotemporal features. At the same time, to supplement implicit features that the neural network may fail to learn, the embodiments add hand-designed feature representations, further improving the detection performance of the model.
Specifically, please refer to FIG. 1, which is a flowchart of the network anomaly detection method according to an embodiment of the present application. The network anomaly detection method of the embodiment includes the following steps:
S1: collect raw network traffic, and execute S2 and S6 at the same time;
In this embodiment, the network traffic is collected as follows: network traffic packets are captured with a packet capture tool such as Wireshark or tcpdump, and the captured packets are saved as a pcap file.
S2: convert the raw network traffic into network traffic data packets in a standard input form;
For this step, please also refer to FIG. 2, a schematic diagram of the raw network traffic conversion, which specifically includes:
S21: divide the raw network traffic into m groups according to the five-tuple <source IP, destination IP, source port, destination port, transport protocol>, each group representing one bidirectional communication flow; the value of m can be set according to the actual application;
S22: take the first p data packets of each group, to obtain m*p data packets; if a group contains fewer than p data packets, the group is padded to p data packets; the value of p can be set according to the actual application;
S23: take the first q bytes of each data packet, to obtain m*p*q bytes; if a data packet contains fewer than q bytes, the packet is padded with 0x00 bytes up to q bytes; the value of q can be set according to the actual application;
S24: concatenate the first q bytes of the first p data packets of the m groups, to form an m*p*q tensor.
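The standardisation of steps S21 to S24, as an added example that is not the applicants' code. Packets are constructed tuples (src_ip, dst_ip, src_port, dst_port, proto, raw_bytes) rather than a parsed pcap; two assumptions the page leaves open are that a group with fewer than p packets is padded with all-zero packets and that fewer than m flows are padded with all-zero groups.

```python
"""Steps S21-S24: raw packets -> m x p x q byte tensor (added example)."""


def flow_key(pkt):
    """Canonical five-tuple so that both directions of a conversation land
    in the same group (S21 calls each group a bidirectional flow).
    The two endpoints are sorted, so A->B and B->A give the same key."""
    src_ip, dst_ip, sport, dport, proto, _payload = pkt
    a = (src_ip, sport)
    b = (dst_ip, dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return (lo[0], hi[0], lo[1], hi[1], proto)


def group_flows(packets, m):
    """S21: split packets into the first m bidirectional flows seen.
    Returns an insertion-ordered dict: flow key -> list of payloads."""
    groups = {}
    for pkt in packets:
        key = flow_key(pkt)
        if key not in groups:
            if len(groups) == m:
                continue            # only the first m flows are kept
            groups[key] = []
        groups[key].append(pkt[5])
    return groups


def standardize(packets, m, p, q):
    """S22-S24: first p packets per flow, first q bytes per packet,
    0x00 padding where data is short; result is an m x p x q nested list."""
    groups = group_flows(packets, m)
    tensor = []
    for payloads in groups.values():
        rows = []
        for raw in payloads[:p]:                      # S22: first p packets
            head = raw[:q]                            # S23: first q bytes
            rows.append(list(head) + [0] * (q - len(head)))  # pad with 0x00
        while len(rows) < p:                          # S22: pad short groups
            rows.append([0] * q)                      # (assumed all-zero packet)
        tensor.append(rows)
    while len(tensor) < m:                            # assumed: pad missing flows
        tensor.append([[0] * q for _ in range(p)])
    return tensor


# Constructed sample traffic: one TLS-looking exchange in both directions
# and one DNS-looking packet.  Values are illustrative, not captured data.
SAMPLE_PACKETS = [
    ("10.0.0.1", "10.0.0.2", 40000, 443, "tcp", b"\x16\x03\x01\x02"),
    ("10.0.0.2", "10.0.0.1", 443, 40000, "tcp", b"\x16\x03"),
    ("10.0.0.1", "10.0.0.3", 40001, 53, "udp", b"\xaa\xbb\xcc\xdd\xee"),
]

if __name__ == "__main__":
    print(standardize(SAMPLE_PACKETS, m=2, p=2, q=3))
```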
S3: perform vector conversion on the network traffic data packets in standard input form using the n-gram model, to obtain a vector matrix for each network traffic data packet;
For this step, please also refer to FIG. 3, a flowchart of the vector conversion of network traffic data packets in standard input form using the n-gram model, which specifically includes:
S31: set a 1-gram hash byte table of length 256, a 2-gram hash byte table of length l_1 and a 3-gram hash byte table of length l_2;
S32: map each 2-gram and 3-gram byte combination into the 2-gram hash byte table and the 3-gram hash byte table respectively, where combinations mapped to the same position share one embedding representation;
S33: assign a corresponding d-dimensional vector to each element of the 1-gram, 2-gram and 3-gram byte tables, the values of the d-dimensional vectors being randomly initialised;
S34: convert the q bytes of the m*p*q tensor into vectors through the 1-gram, 2-gram and 3-gram byte tables respectively, to obtain v_1, v_2 and v_3, and concatenate v_1, v_2 and v_3 to obtain a tensor with output dimension m*p*n*3d, where n=p+p/2+p/3.
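The byte-combination embedding of steps S31 to S34, as an added example that is not the applicants' code. It assumes the 2-gram and 3-gram tables are indexed by a hash of the byte combination modulo the table length (the page only says "hash byte table"), and that grams are taken with a sliding window at every byte position with the packet tail padded by 0x00, so each of the q bytes gets one 3d vector [v_1 | v_2 | v_3]; the page's own sequence length n is not reproduced.

```python
"""Steps S31-S34: hashed 1/2/3-gram byte embedding of a packet (added example)."""
import random
import zlib


class NGramEmbedder:
    def __init__(self, d, l1, l2, seed=0):
        rng = random.Random(seed)
        self.d = d
        self.l1, self.l2 = l1, l2
        # S31/S33: one randomly initialised d-dimensional vector per entry;
        # the 1-gram table has exactly 256 entries, one per byte value
        self.table1 = [[rng.uniform(-1, 1) for _ in range(d)] for _ in range(256)]
        self.table2 = [[rng.uniform(-1, 1) for _ in range(d)] for _ in range(l1)]
        self.table3 = [[rng.uniform(-1, 1) for _ in range(d)] for _ in range(l2)]

    @staticmethod
    def _bucket(gram, size):
        # S32 (assumed hash): CRC32 of the byte combination modulo the table
        # length; combinations landing on the same index share one embedding
        return zlib.crc32(bytes(gram)) % size

    def slot(self, gram):
        """Table index used for a 1-, 2- or 3-byte combination."""
        if len(gram) == 1:
            return gram[0]
        if len(gram) == 2:
            return self._bucket(gram, self.l1)
        return self._bucket(gram, self.l2)

    def embed(self, packet, q):
        """S34: q x 3d matrix for one packet.  Bytes beyond q are dropped,
        shorter packets are padded with 0x00 (as in S23)."""
        head = list(packet[:q])
        data = head + [0] * (q - len(head))
        padded = data + [0, 0]          # lets the 2/3-gram window run to the end
        rows = []
        for i in range(q):
            v1 = self.table1[data[i]]
            v2 = self.table2[self.slot(padded[i:i + 2])]
            v3 = self.table3[self.slot(padded[i:i + 3])]
            rows.append(v1 + v2 + v3)   # horizontal concatenation -> 3d values
        return rows


if __name__ == "__main__":
    emb = NGramEmbedder(d=4, l1=1024, l2=4096)
    for row in emb.embed(b"\x16\x03\x01\x02", q=4):
        print([round(x, 3) for x in row])
```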
S4: perform a one-dimensional convolution operation on the vector matrix of each of the m*p network traffic data packets, to obtain a first hidden state h_1 of each network traffic data packet;
In this step, the vector matrix of each network traffic data packet is scanned vertically with a one-dimensional convolution, and the data is compressed with max pooling. FIG. 4 is a flowchart of the one-dimensional convolution operation on the vector matrix of each network traffic data packet, which specifically includes:
S41: set three kinds of convolution kernels with sizes 3*3d, 4*3d and 5*3d respectively, with r kernels of each kind, so that the total number of convolution kernels is 3r;
S42: perform a row-direction one-dimensional convolution operation on the i-th (0<i≤p) network traffic data packet; each convolution kernel yields one feature map, giving 3r feature maps in total;
S43: perform a max pooling operation on each of the 3r feature maps to obtain 3r values, and concatenate the 3r values to obtain the first hidden state h_i1 of the i-th network traffic data packet.
S5: perform spatiotemporal feature extraction on the first hidden state h_1 of each of the m*p network traffic data packets, to obtain a second hidden state h_2 of each network traffic data packet, and execute S9;
In this step, a bidirectional LSTM, a bidirectional GRU and an attention mechanism are used to extract spatiotemporal features from the network traffic data packets. FIG. 5 is a flowchart of the spatiotemporal feature extraction, which specifically includes:
S51: feed the first hidden state h_i1 of the i-th network traffic data packet into a bidirectional long short-term memory network (Bi-LSTM), to learn a first hidden state s_i1 for every time step;
S52: feed all the first hidden states s_i1 into a bidirectional gated recurrent unit (Bi-GRU), to learn a second hidden state h_i2 for every time step;
S53: calculate an attention weight for every time step from the second hidden state h_i2: e_i = tanh(W h_i2 + b),
[equation image PCTCN2020138820-appb-000002, not reproduced on this page]
S54: perform a weighted sum over all second hidden states h_i2, to obtain the second hidden state of the i-th network traffic data packet: h_2 = Σ_i α_i * h_i2.
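The attention pooling of steps S53 and S54, as an added example that is not the applicants' code. The Bi-LSTM and Bi-GRU of S51 and S52 are not implemented; the per-time-step states h_i2 are constructed directly. Since the page's α_i formula survives only as an image, the weights are assumed to be a softmax over the scores e_i = tanh(W h_i2 + b), with W a single row vector and b a scalar.

```python
"""Steps S53-S54: attention-weighted sum over hidden states (added example)."""
import math


def scores(states, W, b):
    """S53: e_i = tanh(W . h_i2 + b) for each time step i."""
    return [math.tanh(sum(w * x for w, x in zip(W, h)) + b) for h in states]


def softmax(values):
    """Assumed normalisation of the scores into attention weights alpha_i.
    The maximum is subtracted first so large scores cannot overflow exp()."""
    m = max(values)
    exps = [math.exp(v - m) for v in values]
    total = sum(exps)
    return [e / total for e in exps]


def attention_pool(states, W, b):
    """S54: h_2 = sum_i alpha_i * h_i2.  Returns (h_2, alpha) so the weights
    can be inspected, e.g. to see which packet positions drove a verdict."""
    alpha = softmax(scores(states, W, b))
    dim = len(states[0])
    h2 = [sum(a * h[j] for a, h in zip(alpha, states)) for j in range(dim)]
    return h2, alpha


if __name__ == "__main__":
    # constructed sequence of three 2-dimensional hidden states
    seq = [[1.0, 0.0], [0.0, 1.0], [0.5, 0.5]]
    h2, alpha = attention_pool(seq, W=[2.0, -1.0], b=0.0)
    print("alpha", [round(a, 3) for a in alpha], "h2", [round(x, 3) for x in h2])
```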
S6: extract artificial features from the raw network traffic with an artificial feature extractor, to obtain an artificial feature representation of the raw network traffic;
In this step, the artificial feature extraction specifically includes: using the traffic feature extraction tool CICFlowMeter to extract 80 hand-designed network traffic features from the pcap file, and representing each network flow of the raw network traffic as a flow vector of size 1*80, each column representing one feature value.
S7: convert the artificial feature representation of the raw network traffic into artificial feature data packets in a standard input form;
In this step, the artificial feature representation is converted as follows:
First, each feature of each network flow in the raw network traffic is normalised separately, mapping the attribute values into the range 0-1:
[equation image PCTCN2020138820-appb-000003, not reproduced on this page]
Then, a window length w is set, and each network flow vector is combined with the w-1 network flow vectors preceding it, to obtain a flow vector representation of size w*80.
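The conversion of step S7, as an added example that is not the applicants' code. The constructed sample uses 3 features instead of the page's 80. Two assumptions, since the normalisation formula survives only as an image: a feature whose maximum equals its minimum is mapped to 0.0 rather than dividing by zero, and the first w-1 flows, which have fewer than w-1 predecessors, are padded with all-zero rows at the front so that every flow yields a full w x F window.

```python
"""Step S7: min-max normalisation and sliding window over flow vectors
(added example)."""


def minmax_normalize(flows):
    """Per-feature (column-wise) scaling of every value into [0, 1].
    A constant column would divide by zero; it is mapped to 0.0 (assumed)."""
    n_feat = len(flows[0])
    lo = [min(f[j] for f in flows) for j in range(n_feat)]
    hi = [max(f[j] for f in flows) for j in range(n_feat)]
    out = []
    for f in flows:
        out.append([(f[j] - lo[j]) / (hi[j] - lo[j]) if hi[j] != lo[j] else 0.0
                    for j in range(n_feat)])
    return out


def window_flows(flows, w):
    """Combine each flow vector with its previous w-1 vectors -> w x F.
    The front is padded with w-1 zero rows (assumed) so the first flows
    still produce a full window."""
    n_feat = len(flows[0])
    seq = [[0.0] * n_feat for _ in range(w - 1)] + flows
    return [seq[i:i + w] for i in range(len(flows))]


def build_artificial_inputs(flows, w):
    """Full S7 conversion: normalise, then window."""
    return window_flows(minmax_normalize(flows), w)


# Constructed flow vectors with 3 features each (e.g. duration, a constant
# column, and packet count); not CICFlowMeter output.
SAMPLE_FLOWS = [[10, 0, 5], [20, 0, 5], [30, 0, 15]]

if __name__ == "__main__":
    for win in build_artificial_inputs(SAMPLE_FLOWS, w=2):
        print(win)
```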
S8: perform spatiotemporal feature extraction on the artificial feature data packets in standard input form, to obtain a hidden state h'_2 of each flow vector;
In this step, a bidirectional LSTM, a bidirectional GRU and an attention mechanism are used to extract spatiotemporal features from the artificial feature data packets. The extraction of the hidden state h'_2 of a flow vector follows the same procedure as the extraction of the second hidden state h_2 of the network traffic data, and is not repeated here.
Step 900: concatenate the second hidden state h_2 of the network traffic data packet with the hidden state h'_2 of the flow vector, to obtain the final third hidden state h_3; feed the third hidden state h_3 into a deep neural network for classification prediction of the network traffic, and determine from the prediction result whether the network traffic data is abnormal;
In this step, after h_3 is fed into the deep neural network, the output prediction values for the different classes of network traffic are first calculated: u = W h_3 + b; Softmax classification is then applied to the prediction value u to obtain the predicted label of the network traffic:
[equation image PCTCN2020138820-appb-000004, not reproduced on this page]
[equation image PCTCN2020138820-appb-000005, not reproduced on this page]
Based on the above, the network anomaly detection method of the embodiments of the present application models the traffic with fused features, that is, a deep neural network learns the intrinsic feature representation of the network traffic on top of the hand-designed features, which represents the network traffic better and raises the upper bound of the model's prediction performance. At the same time, the embodiments propose a new byte-combination embedding method that learns 1-gram, 2-gram and 3-gram vector representations of the network traffic and concatenates them horizontally, representing the network traffic better. In addition, the embodiments use one-dimensional convolution, a bidirectional LSTM, a bidirectional GRU and an attention mechanism, which better reflect the internal implicit relationships in the data, so that the feature representation of the network traffic is learned better and a better classification result is achieved.
Please refer to FIG. 6, a schematic structural diagram of the network anomaly detection system according to an embodiment of the present application. The network anomaly detection system of the embodiment includes:
a traffic collection module, configured to collect raw network traffic; in this embodiment, network traffic packets are captured with a packet capture tool such as Wireshark or tcpdump, and the captured packets are saved as a pcap file;
a traffic conversion module, configured to convert the raw network traffic into network traffic data packets in a standard input form, the conversion specifically including:
dividing the raw network traffic into m groups according to the five-tuple <source IP, destination IP, source port, destination port, transport protocol>, each group representing one bidirectional communication flow, where the value of m can be set according to the actual application;
taking the first p data packets of each group, to obtain m*p data packets, where a group containing fewer than p data packets is padded to p data packets, and the value of p can be set according to the actual application;
taking the first q bytes of each data packet, to obtain m*p*q bytes, where a data packet containing fewer than q bytes is padded with 0x00 bytes up to q bytes, and the value of q can be set according to the actual application;
concatenating the first q bytes of the first p data packets of the m groups, to form an m*p*q tensor.
a vector conversion module, configured to perform vector conversion on the network traffic data packets in standard input form using the n-gram model, to obtain a vector matrix for each network traffic data packet, the vector conversion specifically including:
setting a 1-gram hash byte table of length 256, a 2-gram hash byte table of length l_1 and a 3-gram hash byte table of length l_2;
mapping each 2-gram and 3-gram byte combination into the 2-gram hash byte table and the 3-gram hash byte table respectively, where combinations mapped to the same position share one embedding representation;
assigning a corresponding d-dimensional vector to each element of the 1-gram, 2-gram and 3-gram byte tables, the values of the d-dimensional vectors being randomly initialised;
converting the q bytes of the m*p*q tensor into vectors through the 1-gram, 2-gram and 3-gram byte tables respectively, to obtain v_1, v_2 and v_3, and concatenating v_1, v_2 and v_3 to obtain a tensor with output dimension m*p*n*3d, where n=p+p/2+p/3.
a convolution calculation module, configured to perform a one-dimensional convolution operation on the vector matrix of each of the m*p network traffic data packets, to obtain a first hidden state h_1 of each network traffic data packet; in this embodiment the vector matrix of each network traffic data packet is scanned vertically with a one-dimensional convolution and the data is compressed with max pooling, specifically including:
setting three kinds of convolution kernels with sizes 3*3d, 4*3d and 5*3d respectively, with r kernels of each kind, so that the total number of convolution kernels is 3r;
performing a row-direction one-dimensional convolution operation on the i-th (0<i≤p) network traffic data packet, each convolution kernel yielding one feature map, giving 3r feature maps in total;
performing a max pooling operation on each of the 3r feature maps to obtain 3r values, and concatenating the 3r values to obtain the first hidden state h_i1 of the i-th network traffic data packet.
a first spatiotemporal feature extraction module, configured to perform spatiotemporal feature extraction on the first hidden state h_1 of each of the m*p network traffic data packets, to obtain a second hidden state h_2 of each network traffic data packet; in this embodiment a bidirectional LSTM, a bidirectional GRU and an attention mechanism are used to extract the spatiotemporal features of the network traffic data packets, specifically including:
feeding the first hidden state h_i1 of the i-th network traffic data packet into a bidirectional long short-term memory network (Bi-LSTM), to learn a first hidden state s_i1 for every time step;
feeding all the first hidden states s_i1 into a bidirectional gated recurrent unit (Bi-GRU), to learn a second hidden state h_i2 for every time step;
calculating an attention weight for every time step from the second hidden state h_i2: e_i = tanh(W h_i2 + b),
[equation image PCTCN2020138820-appb-000006, not reproduced on this page]
performing a weighted sum over all second hidden states h_i2, to obtain the second hidden state of the i-th network traffic data packet: h_2 = Σ_i α_i * h_i2.
an artificial feature extraction module, configured to extract artificial features from the raw network traffic with an artificial feature extractor, to obtain an artificial feature representation of the raw network traffic; the extraction specifically includes using the traffic feature extraction tool CICFlowMeter to extract 80 hand-designed network traffic features from the pcap file, and representing each network flow of the raw network traffic as a flow vector of size 1*80, each column representing one feature value;
an artificial feature conversion module, configured to convert the artificial feature representation of the raw network traffic into artificial feature data packets in a standard input form, the conversion being as follows:
First, each feature of each network flow in the raw network traffic is normalised separately, mapping the attribute values into the range 0-1:
[equation image PCTCN2020138820-appb-000007, not reproduced on this page]
Then, a window length w is set, and each network flow vector is combined with the w-1 network flow vectors preceding it, to obtain a flow vector representation of size w*80.
第二时空特征提取模块:用于将标准输入形式的人工特征数据包进行时空特征提取,得到每条流量向量的隐状态h′ 2;其中,流量向量的隐状态h′ 2与网络流量数据的第二隐状态h 2的时空特征提取过程相同,此处将不再赘述。 The second spatiotemporal feature extraction module is used to extract spatiotemporal features from the artificial feature data packets in the form of standard input, and obtain the hidden state h′ 2 of each traffic vector; wherein, the hidden state h′ 2 of the traffic vector and the network traffic data The spatiotemporal feature extraction process of the second hidden state h 2 is the same, which will not be repeated here.
Network traffic prediction module: concatenates the second hidden state h2 of the network traffic data packets with the hidden state h′2 of the flow vectors to obtain the final third hidden state h3, feeds h3 into a deep neural network for classification prediction of the network traffic, and decides from the prediction result whether the network traffic is anomalous. After h3 is fed into the deep neural network, the output prediction values for the different traffic classes are first computed as u = W h3 + b; Softmax classification is then applied to u to obtain the predicted label of the network traffic:
Figure PCTCN2020138820-appb-000008
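The prediction module above, worked as an added example in plain Python (this is not the patent's code). It first forms h2 by the attention pooling that claim 6 specifies for the per-time-step states (e_i = tanh(W h_i2 + b), a Softmax over the scores, a weighted sum of the h_i2), then concatenates h2 with h′2 into h3 and applies u = W h3 + b followed by Softmax. All weight matrices and hidden states are constructed constants; the scoring vector v that reduces each e_i to a scalar, and the two-class label set (0 = normal, 1 = anomalous), are assumptions, because the patent's α formula is only available as an image.

```python
"""Attention pooling into h2, concatenation with h'2 into h3, and the
u = W h3 + b plus Softmax head.  Added example, not the patent's code; all
weights and states are constructed, and the scoring vector v and the label
set are assumptions."""
import math
from typing import List, Tuple

Vector = List[float]
Matrix = List[List[float]]


def matvec(W: Matrix, x: Vector, b: Vector) -> Vector:
    """Compute W x + b for a row-major matrix W."""
    return [sum(w_ij * x_j for w_ij, x_j in zip(row, x)) + b_i
            for row, b_i in zip(W, b)]


def softmax(u: Vector) -> Vector:
    """Numerically stable Softmax: subtract the maximum before exponentiating."""
    m = max(u)
    exps = [math.exp(z - m) for z in u]
    total = sum(exps)
    return [e / total for e in exps]


def attention_pool(states: List[Vector], W_att: Matrix, b_att: Vector,
                   v: Vector) -> Tuple[Vector, Vector]:
    """h2 = sum_i alpha_i * h_i2, with e_i = tanh(W h_i2 + b) and alpha = softmax(score).
    The scalar score of step i is v . e_i (assumed reduction)."""
    scores = []
    for h in states:
        e = [math.tanh(z) for z in matvec(W_att, h, b_att)]
        scores.append(sum(v_k * e_k for v_k, e_k in zip(v, e)))
    alpha = softmax(scores)
    dim = len(states[0])
    h2 = [sum(a * h[k] for a, h in zip(alpha, states)) for k in range(dim)]
    return h2, alpha


def predict(h2: Vector, h2_art: Vector, W_out: Matrix,
            b_out: Vector) -> Tuple[int, Vector]:
    """Concatenate h2 and h'2 into h3, compute u = W h3 + b, Softmax, argmax."""
    h3 = h2 + h2_art
    u = matvec(W_out, h3, b_out)
    probs = softmax(u)
    label = max(range(len(probs)), key=probs.__getitem__)
    return label, probs


def demo() -> Tuple[int, Vector, Vector]:
    """Run the head on constructed inputs: three 2-dimensional time-step states."""
    states = [[1.0, 0.0], [0.0, 1.0], [0.5, 0.5]]
    W_att, b_att, v = [[1.0, 0.0], [0.0, 1.0]], [0.0, 0.0], [1.0, 1.0]
    h2, alpha = attention_pool(states, W_att, b_att, v)
    h2_art = [2.0, 3.0]                      # constructed hidden state h'2 of the flow vector
    W_out = [[1.0, 1.0, 0.0, 0.0],           # 2 classes x 4 dimensions of h3
             [0.0, 0.0, 1.0, 1.0]]
    label, probs = predict(h2, h2_art, W_out, [0.0, 0.0])
    return label, probs, alpha


if __name__ == "__main__":
    print(demo())
```

With these constants the third time step receives the largest attention weight and the head assigns label 1; in a real deployment W, b and the class set come from training, and the Softmax probability is what an operator would threshold when deciding whether a flow is worth an alert.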
Refer to FIG. 7, a schematic structural diagram of a terminal according to an embodiment of the present application. The terminal 50 includes a processor 51 and a memory 52 coupled to the processor 51.
The memory 52 stores program instructions for implementing the network anomaly detection method described above.
The processor 51 is configured to execute the program instructions stored in the memory 52 to control network anomaly detection.
The processor 51 may also be called a CPU (Central Processing Unit). The processor 51 may be an integrated circuit chip with signal processing capability. The processor 51 may also be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
Refer to FIG. 8, a schematic structural diagram of a storage medium according to an embodiment of the present application. The storage medium of this embodiment stores a program file 61 capable of implementing all of the methods above. The program file 61 may be stored in the storage medium in the form of a software product and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) or a processor to execute all or part of the steps of the methods of the embodiments of the present invention. The storage medium includes any medium capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk, or a terminal device such as a computer, server, mobile phone or tablet.
The above description of the disclosed embodiments enables a person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present application. Therefore, the present application is not to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (11)

  1. A network anomaly detection method, comprising the following steps:
    performing vector transformation on network traffic using an n-gram model to obtain a vector matrix of the network traffic;
    performing spatiotemporal feature extraction on the vector matrix of the network traffic using a long short-term memory network and a bidirectional gated recurrent unit to obtain a hidden state of the network traffic;
    extracting artificial features of the network traffic with an artificial feature extractor, and performing spatiotemporal feature extraction on the artificial features to obtain a hidden state of the artificial features;
    concatenating the hidden state of the network traffic with the hidden state of the artificial features, feeding the result into a deep neural network for classification prediction of the network traffic, and determining from the prediction result whether the network traffic is anomalous.
  2. The network anomaly detection method according to claim 1, wherein before performing vector transformation on the network traffic data using the n-gram model, the method further comprises:
    converting the network traffic into network traffic data packets in a standard input form, specifically:
    dividing the network traffic into m groups according to the five-tuple <source IP, destination IP, source port, destination port, transport protocol>, each group representing one bidirectional communication flow;
    taking the first p data packets of each group to obtain m*p data packets;
    taking the first q bytes of each data packet to obtain m*p*q bytes;
    concatenating the first q bytes of the first p data packets of the m groups to form an m*p*q tensor.
  3. The network anomaly detection method according to claim 2, wherein performing vector transformation on the network traffic using the n-gram model comprises:
    setting a 1-gram hash byte table of length 256, a 2-gram hash byte table of length l1 and a 3-gram hash byte table of length l2;
    mapping each 2-gram and 3-gram byte combination into the 2-gram hash byte table and the 3-gram hash byte table respectively, combinations mapped to the same position sharing one embedding representation;
    assigning a corresponding d-dimensional vector to each element of the 1-gram, 2-gram and 3-gram hash byte tables;
    passing the q bytes of the m*p*q tensor through the 1-gram, 2-gram and 3-gram hash byte tables respectively to obtain v1, v2, v3, and concatenating v1, v2, v3 to obtain a tensor of output dimension m*p*n*3d, where n = p + p/2 + p/3.
  4. The network anomaly detection method according to claim 3, wherein performing spatiotemporal feature extraction on the vector matrix of the network traffic using a long short-term memory network and a bidirectional gated recurrent unit to obtain the hidden state of the network traffic comprises:
    performing a one-dimensional convolution on the vector matrix of each of the m*p network traffic data packets to obtain the first hidden state h1 of each network traffic data packet;
    performing spatiotemporal feature extraction on the first hidden state h1 of each of the m*p network traffic data packets to obtain the second hidden state h2 of each network traffic data packet.
  5. The network anomaly detection method according to claim 4, wherein performing a one-dimensional convolution on the vector matrix of each of the m*p network traffic data packets comprises:
    setting convolution kernels of sizes 3*3d, 4*3d and 5*3d, with r kernels of each size and 3r kernels in total;
    performing a row-wise one-dimensional convolution on the i-th (0<i≤p) network traffic data packet to obtain 3r feature maps;
    applying max pooling to each of the 3r feature maps to obtain 3r values, and concatenating the 3r values to obtain the first hidden state h_i1 of the i-th network traffic data packet.
  6. The network anomaly detection method according to claim 5, wherein performing spatiotemporal feature extraction on the first hidden state h1 of each of the m*p network traffic data packets comprises:
    feeding the first hidden state h_i1 of the i-th network traffic data packet into a bidirectional long short-term memory network to learn the first hidden state s_i1 of each time step;
    feeding all first hidden states s_i1 into a bidirectional gated recurrent unit to learn the second hidden state h_i2 of each time step;
    computing the attention weight of each time step from the second hidden state h_i2: e_i = tanh(W h_i2 + b),
    Figure PCTCN2020138820-appb-100001
    computing a weighted sum of all second hidden states h_i2 to obtain the second hidden state of the i-th network traffic data packet: h2 = Σ_i α_i * h_i2.
  7. The network anomaly detection method according to claim 1, wherein extracting the artificial features of the network traffic with an artificial feature extractor further comprises:
    extracting 80 hand-designed network traffic features from the network traffic with a traffic feature extraction tool;
    representing each network flow in the network traffic as a flow vector of size 1*80, each column representing one feature value.
  8. The network anomaly detection method according to claim 7, wherein performing spatiotemporal feature extraction on the artificial features to obtain the hidden state of the artificial features comprises:
    converting the artificial features of the network traffic into artificial feature data packets in the standard input form;
    performing spatiotemporal feature extraction on the artificial feature data packets in the standard input form to obtain the hidden state h′2 of each flow vector.
  9. A network anomaly detection system, comprising:
    a vector conversion module, configured to perform vector transformation on network traffic using an n-gram model to obtain a vector matrix of the network traffic;
    a first spatiotemporal feature extraction module, configured to perform spatiotemporal feature extraction on the vector matrix of the network traffic using a long short-term memory network and a bidirectional gated recurrent unit to obtain a hidden state of the network traffic;
    an artificial feature extraction module, configured to extract artificial features of the network traffic with an artificial feature extractor;
    a second spatiotemporal feature extraction module, configured to perform spatiotemporal feature extraction on the artificial features to obtain a hidden state of the artificial features;
    a network traffic prediction module, configured to concatenate the hidden state of the network traffic with the hidden state of the artificial features, feed the result into a deep neural network for classification prediction of the network traffic, and determine from the prediction result whether the network traffic is anomalous.
  10. A terminal, comprising a processor and a memory coupled to the processor, wherein
    the memory stores program instructions for implementing the network anomaly detection method according to any one of claims 1-8; and
    the processor is configured to execute the program instructions stored in the memory to control network anomaly detection.
  11. A storage medium storing processor-executable program instructions, the program instructions being used to execute the network anomaly detection method according to any one of claims 1 to 8.
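Claims 2 and 3 worked end to end as an added example in plain Python (this is not the patent's code): constructed packets are grouped into bidirectional flows by a direction-independent five-tuple key, each flow is cut to its first p packets and each packet to its first q bytes, and every byte, 2-gram and 3-gram is then mapped through hashed embedding tables so that n-grams landing in the same bucket share one vector. The hash function (32-bit FNV-1a), zero padding of short flows and packets, the constructed embedding tables and the reading of n as q + q/2 + q/3 non-overlapping n-grams stacked row-wise with width d are all assumptions of this example; the patent's own statement of the output dimension is left as it stands in the claim.

```python
"""Five-tuple flow grouping into an m*p*q byte tensor (claim 2) and hashed
1/2/3-gram embedding lookup (claim 3).  Added example, not the patent's code.
Assumptions: FNV-1a as the hash, zero padding, constructed embedding tables,
non-overlapping 2-grams and 3-grams stacked row-wise after the 1-gram rows."""
from typing import Dict, List, Tuple

FiveTuple = Tuple[str, str, int, int, str]
Table = List[List[float]]


def flow_key(src: str, dst: str, sport: int, dport: int, proto: str) -> FiveTuple:
    """Five-tuple key made direction-independent, so both directions of one
    conversation fall into the same bidirectional flow group."""
    a, b = (src, sport), (dst, dport)
    if a > b:
        a, b = b, a
    return (a[0], b[0], a[1], b[1], proto)


def build_byte_tensor(packets: List[Tuple[FiveTuple, bytes]], p: int,
                      q: int) -> List[List[List[int]]]:
    """Group packets by five-tuple, keep the first p packets per group and the
    first q bytes per packet, giving an m*p*q tensor of byte values.
    Short flows and short packets are zero padded (assumption)."""
    groups: Dict[FiveTuple, List[bytes]] = {}
    for key, payload in packets:
        groups.setdefault(key, []).append(payload)
    tensor = []
    for pkts in groups.values():                          # first-seen flow order
        head = pkts[:p] + [b""] * (p - min(p, len(pkts)))
        tensor.append([list(pk[:q]) + [0] * (q - min(q, len(pk))) for pk in head])
    return tensor


def fnv1a(data: bytes) -> int:
    """32-bit FNV-1a; the patent does not name its hash, so this is assumed."""
    h = 0x811C9DC5
    for byte in data:
        h = ((h ^ byte) * 0x01000193) & 0xFFFFFFFF
    return h


def make_tables(l1: int, l2: int, d: int) -> Tuple[Table, Table, Table]:
    """Constructed, deterministic d-dimensional vectors for every entry of the
    1-gram table (length 256), the 2-gram table (length l1) and the 3-gram table (length l2)."""
    def table(length: int, seed: int) -> Table:
        return [[((seed + 31 * r + 7 * k) % 97) / 97.0 for k in range(d)]
                for r in range(length)]
    return table(256, 1), table(l1, 2), table(l2, 3)


def embed_packet(byte_row: List[int], tables: Tuple[Table, Table, Table]) -> Table:
    """Look up v1 (one row per byte), v2 (one row per non-overlapping 2-gram) and
    v3 (one row per non-overlapping 3-gram) and stack them row-wise.  Different
    n-grams hashed to the same bucket share one embedding vector."""
    t1, t2, t3 = tables
    q = len(byte_row)
    v1 = [t1[b] for b in byte_row]
    v2 = [t2[fnv1a(bytes(byte_row[i:i + 2])) % len(t2)] for i in range(0, q - 1, 2)]
    v3 = [t3[fnv1a(bytes(byte_row[i:i + 3])) % len(t3)] for i in range(0, q - 2, 3)]
    return v1 + v2 + v3


def embed_tensor(tensor: List[List[List[int]]],
                 tables: Tuple[Table, Table, Table]) -> List[List[Table]]:
    """Apply embed_packet to every packet of the m*p*q tensor."""
    return [[embed_packet(row, tables) for row in flow] for flow in tensor]


def constructed_packets() -> List[Tuple[FiveTuple, bytes]]:
    """Constructed sample: one TCP conversation seen in both directions and one UDP flow."""
    http = flow_key("10.0.0.1", "10.0.0.2", 40000, 80, "tcp")
    http_reverse = flow_key("10.0.0.2", "10.0.0.1", 80, 40000, "tcp")
    dns = flow_key("10.0.0.1", "10.0.0.3", 40001, 53, "udp")
    return [
        (http, b"GET / HTTP/1.1\r\n"),
        (http_reverse, b"HTTP/1.1 200 OK\r\n"),
        (dns, b"\x12\x34\x01\x00"),
        (http, b"Host: example.test\r\n"),
    ]


if __name__ == "__main__":
    T = build_byte_tensor(constructed_packets(), p=3, q=6)
    E = embed_tensor(T, make_tables(l1=64, l2=128, d=4))
    print(len(E), len(E[0]), len(E[0][0]), len(E[0][0][0]))   # m, p, n, d
```

The reverse-direction packet is placed in the same group as the request because the key sorts the two endpoints, which is what makes each group a bidirectional flow; and the hashed 2-gram and 3-gram tables are what keep the embedding size bounded (l1 and l2 rows rather than 65536 and 16777216) at the cost of collisions, which the claim accepts by letting colliding n-grams share one vector.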
PCT/CN2020/138820 2020-07-15 2020-12-24 Network anomaly detection method and system, terminal and storage medium WO2022011977A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010680957.0 2020-07-15
CN202010680957.0A CN111885035B (en) 2020-07-15 2020-07-15 Network anomaly detection method, system, terminal and storage medium

Publications (1)

Publication Number Publication Date
WO2022011977A1 true WO2022011977A1 (en) 2022-01-20

Family

ID=73154474

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/138820 WO2022011977A1 (en) 2020-07-15 2020-12-24 Network anomaly detection method and system, terminal and storage medium

Country Status (2)

Country Link
CN (1) CN111885035B (en)
WO (1) WO2022011977A1 (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114640502A (en) * 2022-02-17 2022-06-17 南京航空航天大学 Android malicious software detection method and detection system based on traffic fingerprint and graph data characteristics
CN115021987A (en) * 2022-05-24 2022-09-06 桂林电子科技大学 Internet of things intrusion detection method based on ARN
CN115348215A (en) * 2022-07-25 2022-11-15 南京信息工程大学 Encrypted network flow classification method based on space-time attention mechanism
CN116208506A (en) * 2023-02-01 2023-06-02 哈尔滨工业大学 Encryption traffic website identification method based on space-time correlation website fingerprint
CN116471196A (en) * 2023-06-19 2023-07-21 宏景科技股份有限公司 Operation and maintenance monitoring network maintenance method, system and equipment
CN116894115A (en) * 2023-06-12 2023-10-17 国网湖北省电力有限公司经济技术研究院 Automatic archiving method for power grid infrastructure files
CN117278262A (en) * 2023-09-13 2023-12-22 武汉卓讯互动信息科技有限公司 DDOS safety defense system based on deep neural network
CN117375893A (en) * 2023-09-22 2024-01-09 南京中新赛克科技有限责任公司 Industrial Internet cross-domain access request potential risk judging method and system based on r-GRU network

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112671600A (en) * 2020-12-09 2021-04-16 中国科学院深圳先进技术研究院 Network flow feature extraction method, network flow abnormity detection method and related device
CN113556317B (en) * 2021-06-07 2022-10-11 中国科学院信息工程研究所 Abnormal flow detection method and device based on network flow structural feature fusion
CN114915496B (en) * 2022-07-11 2023-01-10 广州番禺职业技术学院 Network intrusion detection method and device based on time weight and deep neural network
CN115511890B (en) * 2022-11-23 2023-04-07 深圳市吉斯凯达智慧科技有限公司 Analysis system for large-flow data of special-shaped network interface

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150205826A1 (en) * 2013-03-11 2015-07-23 International Business Machines Corporation Caching of deep structures for efficient parsing
CN106951783A (en) * 2017-03-31 2017-07-14 国家电网公司 A kind of Method for Masquerade Intrusion Detection and device based on deep neural network
CN108173708A (en) * 2017-12-18 2018-06-15 北京天融信网络安全技术有限公司 Anomalous traffic detection method, device and storage medium based on incremental learning
CN110851782A (en) * 2019-11-12 2020-02-28 南京邮电大学 Network flow prediction method based on lightweight spatiotemporal deep learning model

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109241738A (en) * 2018-07-09 2019-01-18 四川大学 It is a kind of that software detection technology is extorted based on deep learning
CN111382439A (en) * 2020-03-28 2020-07-07 玉溪师范学院 Malicious software detection method based on multi-mode deep learning

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
QIU YUAN;CHANG XIANGMAO;QIU QIAN;PENG CHENG;SU SHANTING: "Stream Data Anomaly Detection Method Based on Long Short-Term Memory Network and Sliding Window", JOURNAL OF COMPUTER APPLICATIONS, vol. 40, no. 5, 3 December 2019 (2019-12-03), pages 1335 - 1339, XP055886935, ISSN: 1001-9081, DOI: 10.11772/j.issn.1001-9081.2019111970 *

Also Published As

Publication number Publication date
CN111885035B (en) 2022-02-22
CN111885035A (en) 2020-11-03

Legal Events

Date Code Title Description
NENP Non-entry into the national phase; Ref country code: DE
122 Ep: pct application non-entry in european phase; Ref document number: 20944954; Country of ref document: EP; Kind code of ref document: A1
121 Ep: the epo has been informed by wipo that ep was designated in this application; Ref document number: 20944954; Country of ref document: EP; Kind code of ref document: A1
122 Ep: pct application non-entry in european phase; Ref document number: 20944954; Country of ref document: EP; Kind code of ref document: A1
32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established; Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 04.07.2023)
122 Ep: pct application non-entry in european phase; Ref document number: 20944954; Country of ref document: EP; Kind code of ref document: A1