WO2022011977A1 - Network anomaly detection method and system, terminal and storage medium - Google Patents
- Publication number: WO2022011977A1 (PCT application PCT/CN2020/138820)
- Authority: WO (WIPO, PCT)
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
            - H04L63/1425—Traffic logging, e.g. anomaly detection
            - H04L63/1416—Event detection, e.g. attack signature detection
Definitions
- The present application belongs to the technical field of network security, and in particular relates to a network anomaly detection method, system, terminal and storage medium.
- Network anomaly detection techniques can be divided into two categories:
- Signature-based detection. Its principle is to analyze known abnormal traffic data, extract specific string patterns from it, and build a fingerprint database of abnormal traffic on that basis. When new network traffic arrives, it is compared with the fingerprints in the database one by one; once a fingerprint of malicious traffic matches, the current traffic is determined to be abnormal.
- Fingerprint-based detection is a relatively mature method with high accuracy, but it requires experienced experts to extract fingerprints and long-term maintenance of the fingerprint database. As more and more abnormal traffic is catalogued, the database becomes increasingly bloated, which inevitably slows network anomaly detection. Moreover, this method can only identify known malicious attacks and cannot deal with unknown new attacks, such as detection of 0-day vulnerability exploitation.
- Anomaly-based detection is the current mainstream research direction of ADS.
- The core idea of this method is to establish a trusted activity model of legitimate user behavior, and then use the model to compute the probability that new behavior conforms to legitimate behavior; the lower the score, the more likely the behavior is abnormal.
- The models are often built using knowledge from mathematical statistics, data mining and machine learning. This method can detect unknown network traffic, but building an effective model with both a low false-positive rate and a low false-negative rate has always been a challenge.
- The present application provides a network anomaly detection method, system, terminal and storage medium, aiming to solve at least one of the above technical problems in the prior art, at least to a certain extent.
- A network anomaly detection method comprising the following steps:
- The technical solutions adopted in the embodiments of the present application further include: before the vector transformation of the network traffic data using the n-gram model, the method further includes:
- The network traffic is divided into m groups according to the five-tuple <source IP, destination IP, source port, destination port, transmission protocol>, and each group represents a bidirectional communication flow;
- The vector transformation of the network traffic using the n-gram model includes:
- A corresponding d-dimensional vector is set for each element of the 1-gram, 2-gram and 3-gram hash byte tables;
- The technical solutions adopted in the embodiments of the present application further include: using a long short-term memory network and a bidirectional gated recurrent unit to perform spatiotemporal feature extraction on the vector matrix of the network traffic, obtaining the hidden state of the network traffic, includes:
- Spatiotemporal feature extraction is performed on the first hidden states h_1 of the m*p network traffic data packets, respectively, to obtain the second hidden state h_2 of each network traffic data packet.
- The technical solutions adopted in the embodiments of the present application further include: performing a one-dimensional convolution operation on the vector matrices of the m*p network traffic data packets respectively includes:
- The technical solution adopted in the embodiment of the present application further includes: the step of extracting the spatiotemporal features of the first hidden states h_1 of the m*p network traffic data packets respectively includes:
- The technical solutions adopted in the embodiments of the present application further include: extracting the artificial features of the network traffic using an artificial feature extractor further includes:
- Each network flow in the network traffic is represented as a flow vector of size 1*80, and each column represents a feature value.
- The technical solution adopted in the embodiment of the present application further includes: performing spatiotemporal feature extraction on the artificial features and obtaining the hidden state of the artificial features includes:
- A network anomaly detection system comprising:
- Vector conversion module: used to perform vector conversion on network traffic using the n-gram model to obtain a vector matrix of the network traffic;
- First spatiotemporal feature extraction module: used to extract spatiotemporal features from the vector matrix of the network traffic using a long short-term memory network and a bidirectional gated recurrent unit, to obtain the hidden state of the network traffic;
- Artificial feature extraction module: used to extract the artificial features of the network traffic through an artificial feature extractor;
- Second spatiotemporal feature extraction module: used to perform spatiotemporal feature extraction on the artificial features to obtain the hidden state of the artificial features;
- Network traffic prediction module: used to splice the hidden state of the network traffic with the hidden state of the artificial features, input the result to a deep neural network to classify and predict the network traffic, and determine whether the network traffic is abnormal according to the prediction result.
- A terminal includes a processor and a memory coupled to the processor, wherein:
- the memory stores program instructions for implementing the network anomaly detection method;
- the processor is configured to execute the program instructions stored in the memory to control network anomaly detection.
- A storage medium storing program instructions executable by a processor, where the program instructions are used to execute the network anomaly detection method.
- The beneficial effects of the embodiments of the present application are: the network anomaly detection method, system, terminal and storage medium of the embodiments establish a combination table of network traffic using the n-gram model, learn a vector representation in a low-dimensional space for each combination, and model with fused features, that is, use a deep neural network to learn the intrinsic feature representation of network traffic on the basis of artificially designed features. This represents network traffic better and raises the upper bound of the model's prediction performance.
- The embodiment of the present application uses one-dimensional convolution, bidirectional LSTM, bidirectional GRU and an attention mechanism, which better capture the implicit internal relationships in the data, so as to learn a better feature representation of network traffic and achieve a better classification effect.
- FIG. 1 is a flowchart of a network anomaly detection method according to an embodiment of the present application.
- FIG. 2 is a schematic diagram of an original network traffic conversion method according to an embodiment of the present application.
- FIG. 3 is a flowchart of vector conversion of network traffic data packets in standard input form using the n-gram model according to an embodiment of the present application.
- FIG. 4 is a flowchart of performing a one-dimensional convolution operation on the vector matrix of each network traffic data packet according to an embodiment of the present application.
- FIG. 6 is a schematic structural diagram of a network anomaly detection system according to an embodiment of the present application.
- FIG. 7 is a schematic structural diagram of a terminal according to an embodiment of the present application.
- FIG. 8 is a schematic structural diagram of a storage medium according to an embodiment of the present application.
- The embodiment of the present application uses the n-gram model to establish a combination table of network traffic and learns a vector representation in a low-dimensional space for each combination. Each network data packet is split and vector-transformed by the n-gram model and then sent to a deep neural network to learn the vector space representation of network traffic and extract spatiotemporal features. At the same time, in order to supplement hidden features that the neural network may not learn, the embodiment further improves the detection effect of the model by adding artificially designed feature representations.
- FIG. 1 is a flowchart of a network anomaly detection method according to an embodiment of the present application.
- The network anomaly detection method according to the embodiment of the present application includes the following steps:
- S1: Collect raw network traffic, and execute S2 and S6 at the same time;
- The network traffic collection method is specifically: using a network traffic capture tool such as Wireshark or TCPdump to capture network traffic data packets, and saving the captured network traffic data packets as a pcap file.
- FIG. 2 is a schematic diagram of the original network traffic conversion method, which specifically includes:
- S21: Divide the original network traffic into m groups according to the five-tuple <source IP, destination IP, source port, destination port, transmission protocol>, each group representing a bidirectional communication flow; the value of m can be set according to the actual application;
- S22: Take the first p data packets in each group to obtain m*p data packets; if a group has fewer than p data packets, pad the group so that it reaches p data packets; the value of p can be set according to the actual application;
- S3: Use the n-gram model to perform vector transformation on the network traffic data packets in standard input form, and obtain the vector matrix of each network traffic data packet;
- FIG. 3 is a flowchart of vector conversion of network traffic data packets in standard input form using the n-gram model, which specifically includes:
- FIG. 4 is a flowchart of performing a one-dimensional convolution operation on the vector matrix of each network traffic data packet, which specifically includes:
- S42: Perform a row-direction one-dimensional convolution operation on the i-th (0 < i ≤ p) network traffic data packet; each convolution kernel yields one feature map, so a total of 3r feature maps are obtained;
- S43: Perform max pooling on each of the 3r feature maps to obtain 3r values, and splice the 3r values to obtain the first hidden state h_i1 of the i-th network traffic data packet.
- S5: Perform spatiotemporal feature extraction on the first hidden states h_1 of the m*p network traffic data packets, respectively, to obtain the second hidden state h_2 of each network traffic data packet, and execute S9;
- The bidirectional LSTM structure, the bidirectional GRU structure and the attention mechanism are used to extract the spatiotemporal features of the network traffic data packets, as shown in FIG. 5, which is a flowchart of the spatiotemporal feature extraction and specifically includes:
- S51: Send the first hidden state h_i1 of the i-th network traffic data packet into a bidirectional long short-term memory network (Bi-LSTM) to learn the first hidden state s_i1 of each time step;
- S52: Send all the first hidden states s_i1 into a bidirectional gated recurrent unit (Bi-GRU) to learn the second hidden state h_i2 of each time step;
- S6: Perform artificial feature extraction on the original network traffic through an artificial feature extractor to obtain an artificial feature representation of the original network traffic;
- The manual feature extraction method for the original network traffic specifically includes: using the traffic feature extraction tool CICFlowMeter to extract 80 manually designed network traffic features from the pcap file, and representing each network flow in the original network traffic as a 1*80 traffic vector in which each column represents a feature value.
- The conversion method of the artificial feature representation is specifically:
- Each network flow vector is combined with its previous w-1 network flow vectors to obtain a flow vector representation of size w*80.
- The bidirectional LSTM structure, the bidirectional GRU structure and the attention mechanism are used to perform spatiotemporal feature extraction on the artificial feature data packets; the extraction process for the hidden state h′_2 of the flow vector is the same as that for the second hidden state h_2 of the network traffic data packet and will not be repeated here.
- S9: Splice the second hidden state h_2 of the network traffic data packet and the hidden state h′_2 of the traffic vector to obtain the final third hidden state h_3, and input the third hidden state h_3 into the deep neural network for classification prediction of the network traffic; determine whether the network traffic data is abnormal according to the prediction result;
- The network anomaly detection method of the embodiment of the present application models with fused features, that is, it uses a deep neural network to learn the intrinsic feature representation of network traffic on the basis of artificially designed features, so that network traffic is represented better and the upper bound of the model's prediction performance is raised.
- The embodiment of this application proposes a new byte combination embedding method, which learns the vector representations of 1-grams, 2-grams and 3-grams of network traffic and splices them horizontally, so as to represent network traffic better.
- The embodiment of this application uses one-dimensional convolution, bidirectional LSTM, bidirectional GRU and an attention mechanism, which better capture the implicit internal relationships in the data, so as to learn a better feature representation of network traffic and achieve a better classification effect.
- FIG. 6 is a schematic structural diagram of a network anomaly detection system according to an embodiment of the present application.
- The network anomaly detection system of the embodiment of the present application includes:
- Traffic collection module: used to collect original network traffic; in the embodiment of the present application, the network traffic collection method is specifically: using Wireshark, TCPdump or other network traffic capture tools to capture network traffic data packets, and saving the captured network traffic data packets as a pcap file.
- Traffic conversion module: used to convert the original network traffic into network traffic data packets in standard input form; the traffic conversion method specifically includes:
- The original network traffic is divided into m groups according to the five-tuple <source IP, destination IP, source port, destination port, transmission protocol>, each group representing a bidirectional communication flow; the value of m can be set according to the actual application.
- Vector conversion module: used to perform vector conversion on the network traffic data packets in standard input form using the n-gram model to obtain a vector matrix of each network traffic data packet; the vector conversion method specifically includes:
- Convolution calculation module: used to perform a one-dimensional convolution operation on the vector matrix of each of the m*p network traffic data packets to obtain the first hidden state h_1 of each network traffic data packet; the embodiment of the present application uses one-dimensional convolution to compute a vertical scan of the vector matrix of the network traffic packets and compresses the data using max pooling. Specifically, it includes:
- Each convolution kernel yields one feature map, and a total of 3r feature maps are obtained;
- First spatiotemporal feature extraction module: used to perform spatiotemporal feature extraction on the first hidden states h_1 of the m*p network traffic data packets, respectively, to obtain the second hidden state h_2 of each network traffic data packet; the embodiment of the present application uses the bidirectional LSTM structure, the bidirectional GRU structure and the attention mechanism to extract the spatiotemporal features of the network traffic data packets, including:
- Manual feature extraction module: used to perform manual feature extraction on the original network traffic through an artificial feature extractor to obtain the artificial feature representation of the original network traffic; the manual feature extraction method specifically includes: using the traffic feature extraction tool CICFlowMeter to extract 80 hand-designed network traffic features from the pcap file, and representing each network flow in the original network traffic as a traffic vector of size 1*80 in which each column represents a feature value.
- Artificial feature conversion module: used to convert the artificial feature representation of the original network traffic into artificial feature data packets in standard input form; the conversion method of the artificial feature representation is specifically:
- Each network flow vector is combined with its previous w-1 network flow vectors to obtain a flow vector representation of size w*80.
- Second spatiotemporal feature extraction module: used to extract spatiotemporal features from the artificial feature data packets in standard input form and obtain the hidden state h′_2 of each traffic vector; the spatiotemporal feature extraction process for the hidden state h′_2 of the traffic vector is the same as that for the second hidden state h_2 of the network traffic data packet and will not be repeated here.
- FIG. 7 is a schematic structural diagram of a terminal according to an embodiment of the present application.
- The terminal 50 includes a processor 51 and a memory 52 coupled to the processor 51.
- The memory 52 stores program instructions for implementing the above-mentioned network anomaly detection method.
- The processor 51 is configured to execute the program instructions stored in the memory 52 to control network anomaly detection.
- The processor 51 may also be referred to as a CPU (Central Processing Unit).
- The processor 51 may be an integrated circuit chip with signal processing capability.
- The processor 51 may also be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
- A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
- FIG. 8 is a schematic structural diagram of a storage medium according to an embodiment of the present application.
- The storage medium of this embodiment of the present application stores a program file 61 capable of implementing all the above methods. The program file 61 may be stored in the above-mentioned storage medium in the form of a software product, and includes several instructions that cause a computer device (which may be a personal computer, a server, or a network device, etc.) or a processor to execute all or part of the steps of the methods of the various embodiments of the present invention.
- The aforementioned storage medium includes: a USB flash drive, removable hard disk, read-only memory (ROM), random access memory (RAM), magnetic disk or optical disk and other media that can store program code, or terminal equipment such as computers, servers, mobile phones and tablets.
Claims (11)
- 一种网络异常检测方法,其特征在于,包括以下步骤:A network anomaly detection method, comprising the following steps:采用n-gram模型对网络流量进行向量转换,得到所述网络流量的向量矩阵;Use n-gram model to perform vector transformation on network traffic to obtain a vector matrix of the network traffic;采用长短时记忆网络及双向门控循环单元对所述网络流量的向量矩阵进行时空特征提取,得到所述网络流量的隐状态;Using a long-short-term memory network and a two-way gated cyclic unit to perform spatiotemporal feature extraction on the vector matrix of the network traffic to obtain the hidden state of the network traffic;通过人工特征提取器提取所述网络流量的人工特征,并对所述人工特征进行时空特征提取,得到所述人工特征的隐状态;Extract the artificial features of the network traffic through an artificial feature extractor, and perform spatiotemporal feature extraction on the artificial features to obtain the hidden state of the artificial features;将所述网络流量的隐状态与所述人工特征的隐状态进行拼接后,输入深度神经网络进行所述网络流量的分类预测,根据所述预测结果判定所述网络流量是否异常。After splicing the hidden state of the network traffic with the hidden state of the artificial feature, input the deep neural network to perform classification prediction of the network traffic, and determine whether the network traffic is abnormal according to the prediction result.
- 根据权利要求1所述的网络异常检测方法,其特征在于,所述采用n-gram模型对网络流量数据进行向量转换前还包括:The network anomaly detection method according to claim 1, wherein before the vector transformation is performed on the network traffic data by using the n-gram model, the method further comprises:将所述网络流量转换成标准输入形式的网络流量数据包;具体为:Convert the network traffic into network traffic data packets in the form of standard input; specifically:将所述网络流量按照五元组<源IP,目标IP,源端口,目标端口,传输协议>分成m个组,每一组代表一个双向通信流;The network traffic is divided into m groups according to the five-tuple <source IP, destination IP, source port, destination port, transmission protocol>, and each group represents a bidirectional communication flow;取每个组中的前p个数据包,得到m*p个数据包;Take the first p packets in each group to get m*p packets;取每个数据包的前q个字节,得到m*p*q个字节;Take the first q bytes of each data packet to get m*p*q bytes;将m个组中前p个数据包的前q字节进行拼接,形成一个m*p*q的张量。Concatenate the first q bytes of the first p packets in m groups to form a m*p*q tensor.
- 根据权利要求2所述的网络异常检测方法,其特征在于,所述采用n-gram模型对网络流量进行向量转换包括:The network anomaly detection method according to claim 2, wherein the vector transformation of the network traffic using the n-gram model comprises:设置长度为256的1-gram哈希字节表,并设置长度为l 1的2-gram哈希字节表和长度为l 2的3-gram哈希字节表; Set length of 256 bytes of the 1-gram hash table, and set the length l 2-gram hash table and the byte length of 1 l 3-gram Hash Table 2 bytes;将每个2-gram和3-gram的字节组合分别映射到2-gram哈希字节表和3-gram哈希字节表中,相同位置的组合使用共享的嵌入表示;Map each 2-gram and 3-gram byte combination to a 2-gram hash byte table and a 3-gram hash byte table, respectively, and the combination in the same position is represented by a shared embedding;对所述1-gram、2-gram、3gram哈希字节表中的每项元素分别设置一个对应的d维向量;A corresponding d-dimensional vector is respectively set to each element in the 1-gram, 2-gram, and 3gram hash byte tables;将所述m*p*q的张量中的q个字节分别经过所述1-gram、2-gram、3gram哈希字节表进行向量转换,得到v 1,v 1,v 3,并将v 1,v 1,v 3进行拼接,得到输出维度为m*p*n*3d的张量,其中n=p+p/2+p/3。 The q bytes in the tensor of m*p*q are converted into vectors through the 1-gram, 2-gram, and 3gram hash byte tables, respectively, to obtain v 1 , v 1 , v 3 , and convert v 1 , v 1 , v 3 are spliced to obtain a tensor with an output dimension of m*p*n*3d, where n=p+p/2+p/3.
- 根据权利要求3所述的网络异常检测方法,其特征在于,所述采用长短时记忆网络及双向门控循环单元对所述网络流量的向量矩阵进行时空特征提取,得到所述网络流量的隐状态包括:The network anomaly detection method according to claim 3, characterized in that, using a long-short-term memory network and a bidirectional gated loop unit to perform spatiotemporal feature extraction on the vector matrix of the network traffic to obtain a hidden state of the network traffic include:对所述m*p个网络流量数据包的向量矩阵分别进行一维卷积操作,得到各个网络流量数据包的第一隐状态h 1; Performing a one-dimensional convolution operation on the vector matrix of the m*p network traffic data packets, respectively, to obtain the first hidden state h 1 of each network traffic data packet;对所述m*p个网络流量数据包的第一隐状态h 1分别进行时空特征提取,得到各个网络流量数据包的第二隐状态h 2。 The spatiotemporal feature extraction is performed on the first hidden states h 1 of the m*p network traffic data packets, respectively, to obtain the second hidden states h 2 of each network traffic data packet.
- 根据权利要求4所述的网络异常检测方法,其特征在于,所述对所述m*p个网络流量数据包的向量矩阵分别进行一维卷积操作包括:The network anomaly detection method according to claim 4, wherein the performing a one-dimensional convolution operation on the vector matrix of the m*p network traffic data packets respectively comprises:分别设置尺寸为3*3d、4*3d和5*3d的卷积核,每种卷积核使用的数量为r,所述卷积核总数为3r;Set convolution kernels with sizes of 3*3d, 4*3d and 5*3d respectively, the number of each convolution kernel used is r, and the total number of the convolution kernels is 3r;对第i个(0<i≤p)网络流量数据包进行行方向的一维卷积操作,得到3r个特征图;Perform a one-dimensional convolution operation in the row direction on the i-th (0<i≤p) network traffic data packet to obtain 3r feature maps;对所述3r个特征图分别进行最大池化操作,得到3r个值,将所述3r个值进行拼接,得到第i个网络流量数据包的第一隐状态h i1。 Perform a maximum pooling operation on the 3r feature maps respectively to obtain 3r values, and splicing the 3r values to obtain the first hidden state h i1 of the i-th network traffic data packet.
- 根据权利要求5所述的网络异常检测方法,其特征在于,所述对所述m*p个网络流量数据包的第一隐状态h 1分别进行时空特征提取包括: The network anomaly detection method according to claim 5, wherein the step of extracting spatiotemporal features for the first hidden states h 1 of the m*p network traffic data packets respectively comprises:将第i个网络流量数据包的第一隐状态h i1送进双向的长短时记忆网络中学习每一个时间步的第一隐状态s i1; Send the first hidden state h i1 of the i-th network traffic data packet into the bidirectional long-short-term memory network to learn the first hidden state s i1 of each time step;将所有的第一隐状态s i1送进双向门控循环单元学习每一个时间步的第二隐状态h i2; Send all the first hidden states s i1 to the bidirectional gated recurrent unit to learn the second hidden states h i2 of each time step;根据第二隐状态h i2计算每一个时间步的注意力权重:e i=tanh(Wh i2+b), Calculate the attention weight of each time step according to the second hidden state h i2 : e i =tanh(Wh i2 +b),对所有第二隐状态h i2进行加权求和,得到第i个网络流量数据包的第二隐状态:h 2=∑ iα i*h i2。 Perform weighted summation on all the second hidden states h i2 to obtain the second hidden state of the i-th network traffic data packet: h 2 =∑ i α i *h i2 .
- The network anomaly detection method according to claim 1, wherein extracting the artificial features of the network traffic by the artificial feature extractor further comprises:
  - extracting 80 hand-designed network traffic features from the network traffic using a traffic feature extraction tool;
  - representing each network flow in the network traffic as a traffic vector of size 1*80, in which each column represents one feature value.
- The network anomaly detection method according to claim 7, wherein performing spatiotemporal feature extraction on the artificial features to obtain the hidden state of the artificial features comprises:
  - converting the artificial features of the network traffic into artificial feature data packets in a standard input form;
  - performing spatiotemporal feature extraction on the artificial feature data packets in the standard input form to obtain the hidden state h'_2 of each traffic vector.
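Claims 7 and 8 rely on an unnamed traffic feature extraction tool that turns each flow into a fixed-width row of hand-designed features and then packs those rows into a "standard input form". The block below is an added example written for this page, not the patent's code and not that tool: it groups constructed packet records into bidirectional flows, computes a small set of flow features of the kind such tools produce, and pads the rows into a fixed block. The packet record layout, the feature list (far fewer than the 80 the claim names) and the block shape used for the standard input form are all assumptions of the example.

```python
import statistics
from collections import defaultdict

# Constructed packet records, not captured traffic:
# (timestamp_s, src_ip, src_port, dst_ip, dst_port, proto, length_bytes)
PACKETS = [
    (0.000, "10.0.0.5", 51000, "93.184.216.34", 443, "tcp", 74),
    (0.012, "93.184.216.34", 443, "10.0.0.5", 51000, "tcp", 74),
    (0.013, "10.0.0.5", 51000, "93.184.216.34", 443, "tcp", 66),
    (0.020, "10.0.0.5", 51000, "93.184.216.34", 443, "tcp", 583),
    (0.045, "93.184.216.34", 443, "10.0.0.5", 51000, "tcp", 1514),
    (0.046, "93.184.216.34", 443, "10.0.0.5", 51000, "tcp", 1514),
    (1.500, "10.0.0.7", 40000, "10.0.0.1", 53, "udp", 71),  # single-packet flow
]

# Feature columns of this example (the claim's tool produces 80)
FEATURE_NAMES = ["duration", "fwd_pkts", "bwd_pkts", "fwd_bytes", "bwd_bytes",
                 "mean_len", "mean_iat", "std_iat", "down_up_ratio"]


def flow_key(pkt):
    """Bidirectional 5-tuple: both directions of a conversation map to one key."""
    _, sip, sport, dip, dport, proto = pkt[:6]
    a, b = (sip, sport), (dip, dport)
    return (proto,) + (a + b if a <= b else b + a)


def group_flows(packets):
    """Group packets by flow key in timestamp order; the first packet seen
    defines the forward direction of its flow."""
    flows = defaultdict(list)
    for pkt in sorted(packets, key=lambda p: p[0]):
        flows[flow_key(pkt)].append(pkt)
    return flows


def flow_features(pkts):
    """One fixed-width feature row per flow (claim 7's 1*80 row, narrower here).
    A single-packet flow has no inter-arrival times, so those features are 0.0
    instead of raising on an empty list."""
    fwd_src = (pkts[0][1], pkts[0][2])
    fwd = [p for p in pkts if (p[1], p[2]) == fwd_src]
    bwd = [p for p in pkts if (p[1], p[2]) != fwd_src]
    ts = [p[0] for p in pkts]
    iats = [later - earlier for earlier, later in zip(ts, ts[1:])]
    fwd_bytes = sum(p[6] for p in fwd)
    bwd_bytes = sum(p[6] for p in bwd)
    return [
        ts[-1] - ts[0],
        len(fwd), len(bwd),
        fwd_bytes, bwd_bytes,
        statistics.fmean([p[6] for p in pkts]),
        statistics.fmean(iats) if iats else 0.0,
        statistics.pstdev(iats) if len(iats) > 1 else 0.0,
        bwd_bytes / fwd_bytes if fwd_bytes else 0.0,
    ]


def to_standard_input(vectors, m):
    """Claim 8's 'standard input form' is not spelled out on the page; this
    example assumes a block of exactly m rows, zero-padded or truncated."""
    width = len(FEATURE_NAMES)
    rows = [list(v) for v in vectors[:m]]
    rows += [[0.0] * width for _ in range(m - len(rows))]
    return rows


def extract(packets, m=4):
    """Packets -> per-flow feature rows -> fixed m x width block."""
    flows = group_flows(packets)
    vectors = [flow_features(p) for p in flows.values()]
    assert all(len(v) == len(FEATURE_NAMES) for v in vectors), "ragged feature rows"
    return vectors, to_standard_input(vectors, m)


if __name__ == "__main__":
    vectors, block = extract(PACKETS)
    for name, value in zip(FEATURE_NAMES, vectors[0]):
        print(f"{name:>14}: {value}")
    print(len(block), "x", len(block[0]))
```

The two checks a practitioner wants here are the ones the code enforces: every row has the same width before anything is stacked into a matrix, and degenerate flows (one packet, zero forward bytes) produce finite values rather than exceptions or division-by-zero, since a detector that crashes on a lone DNS query is trivially evadable.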
- A network anomaly detection system, characterized in that it comprises:
  - a vector conversion module, configured to perform vector conversion on network traffic using an n-gram model to obtain a vector matrix of the network traffic;
  - a first spatiotemporal feature extraction module, configured to perform spatiotemporal feature extraction on the vector matrix of the network traffic using a long short-term memory network and a bidirectional gated recurrent unit to obtain the hidden state of the network traffic;
  - an artificial feature extraction module, configured to extract artificial features of the network traffic by means of an artificial feature extractor;
  - a second spatiotemporal feature extraction module, configured to perform spatiotemporal feature extraction on the artificial features to obtain the hidden state of the artificial features;
  - a network traffic prediction module, configured to concatenate the hidden state of the network traffic with the hidden state of the artificial features, input the result into a deep neural network for classification prediction of the network traffic, and determine whether the network traffic is abnormal according to the prediction result.
- A terminal, characterized in that the terminal comprises a processor and a memory coupled to the processor, wherein the memory stores program instructions for implementing the network anomaly detection method according to any one of claims 1 to 8, and the processor is configured to execute the program instructions stored in the memory to control network anomaly detection.
- A storage medium, characterized in that it stores program instructions executable by a processor, the program instructions being used to execute the network anomaly detection method according to any one of claims 1 to 8.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010680957.0 | 2020-07-15 | ||
CN202010680957.0A CN111885035B (en) | 2020-07-15 | 2020-07-15 | Network anomaly detection method, system, terminal and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022011977A1 true WO2022011977A1 (en) | 2022-01-20 |
Family
ID=73154474
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2020/138820 WO2022011977A1 (en) | 2020-07-15 | 2020-12-24 | Network anomaly detection method and system, terminal and storage medium |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN111885035B (en) |
WO (1) | WO2022011977A1 (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112671600A (en) * | 2020-12-09 | 2021-04-16 | 中国科学院深圳先进技术研究院 | Network flow feature extraction method, network flow abnormity detection method and related device |
CN113556317B (en) * | 2021-06-07 | 2022-10-11 | 中国科学院信息工程研究所 | Abnormal flow detection method and device based on network flow structural feature fusion |
CN114915496B (en) * | 2022-07-11 | 2023-01-10 | 广州番禺职业技术学院 | Network intrusion detection method and device based on time weight and deep neural network |
CN115511890B (en) * | 2022-11-23 | 2023-04-07 | 深圳市吉斯凯达智慧科技有限公司 | Analysis system for large-flow data of special-shaped network interface |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109241738A (en) * | 2018-07-09 | 2019-01-18 | 四川大学 | It is a kind of that software detection technology is extorted based on deep learning |
CN111382439A (en) * | 2020-03-28 | 2020-07-07 | 玉溪师范学院 | Malicious software detection method based on multi-mode deep learning |
2020
- 2020-07-15 CN CN202010680957.0A patent/CN111885035B/en active Active
- 2020-12-24 WO PCT/CN2020/138820 patent/WO2022011977A1/en active Application Filing
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20150205826A1 (en) * | 2013-03-11 | 2015-07-23 | International Business Machines Corporation | Caching of deep structures for efficient parsing |
CN106951783A (en) * | 2017-03-31 | 2017-07-14 | 国家电网公司 | A kind of Method for Masquerade Intrusion Detection and device based on deep neural network |
CN108173708A (en) * | 2017-12-18 | 2018-06-15 | 北京天融信网络安全技术有限公司 | Anomalous traffic detection method, device and storage medium based on incremental learning |
CN110851782A (en) * | 2019-11-12 | 2020-02-28 | 南京邮电大学 | Network flow prediction method based on lightweight spatiotemporal deep learning model |
Non-Patent Citations (1)
Title |
---|
QIU YUAN;CHANG XIANGMAO;QIU QIAN;PENG CHENG;SU SHANTING: "Stream Data Anomaly Detection Method Based on Long Short-Term Memory Network and Sliding Window", JOURNAL OF COMPUTER APPLICATIONS, vol. 40, no. 5, 3 December 2019 (2019-12-03), pages 1335 - 1339, XP055886935, ISSN: 1001-9081, DOI: 10.11772/j.issn.1001-9081.2019111970 * |
Cited By (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114640502A (en) * | 2022-02-17 | 2022-06-17 | 南京航空航天大学 | Android malicious software detection method and detection system based on traffic fingerprint and graph data characteristics |
CN115021987A (en) * | 2022-05-24 | 2022-09-06 | 桂林电子科技大学 | Internet of things intrusion detection method based on ARN |
CN115021987B (en) * | 2022-05-24 | 2024-04-05 | 桂林电子科技大学 | ARN-based Internet of things intrusion detection method |
CN115348215B (en) * | 2022-07-25 | 2023-11-24 | 南京信息工程大学 | Encryption network traffic classification method based on space-time attention mechanism |
CN115348215A (en) * | 2022-07-25 | 2022-11-15 | 南京信息工程大学 | Encrypted network flow classification method based on space-time attention mechanism |
CN116208506A (en) * | 2023-02-01 | 2023-06-02 | 哈尔滨工业大学 | Encryption traffic website identification method based on space-time correlation website fingerprint |
CN116208506B (en) * | 2023-02-01 | 2023-07-21 | 哈尔滨工业大学 | Encryption traffic website identification method based on space-time correlation website fingerprint |
CN116894115A (en) * | 2023-06-12 | 2023-10-17 | 国网湖北省电力有限公司经济技术研究院 | Automatic archiving method for power grid infrastructure files |
CN116894115B (en) * | 2023-06-12 | 2024-05-24 | 国网湖北省电力有限公司经济技术研究院 | Automatic archiving method for power grid infrastructure files |
CN116471196B (en) * | 2023-06-19 | 2023-10-20 | 宏景科技股份有限公司 | Operation and maintenance monitoring network maintenance method, system and equipment |
CN116471196A (en) * | 2023-06-19 | 2023-07-21 | 宏景科技股份有限公司 | Operation and maintenance monitoring network maintenance method, system and equipment |
CN117278262A (en) * | 2023-09-13 | 2023-12-22 | 武汉卓讯互动信息科技有限公司 | DDOS safety defense system based on deep neural network |
CN117278262B (en) * | 2023-09-13 | 2024-03-22 | 武汉卓讯互动信息科技有限公司 | DDOS safety defense system based on deep neural network |
CN117375893A (en) * | 2023-09-22 | 2024-01-09 | 南京中新赛克科技有限责任公司 | Industrial Internet cross-domain access request potential risk judging method and system based on r-GRU network |
CN117375893B (en) * | 2023-09-22 | 2024-05-24 | 南京中新赛克科技有限责任公司 | Industrial Internet cross-domain access request potential risk judging method and system based on r-GRU network |
Also Published As
Publication number | Publication date |
---|---|
CN111885035B (en) | 2022-02-22 |
CN111885035A (en) | 2020-11-03 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2022011977A1 (en) | Network anomaly detection method and system, terminal and storage medium | |
US11334764B2 (en) | Real-time detection method and apparatus for DGA domain name | |
Zhang et al. | Network intrusion detection: Based on deep hierarchical network and original flow data | |
WO2021088372A1 (en) | Neural network-based ddos detection method and system in sdn network | |
CN109063745B (en) | Network equipment type identification method and system based on decision tree | |
CN111107102A (en) | Real-time network flow abnormity detection method based on big data | |
CN111131260B (en) | Mass network malicious domain name identification and classification method and system | |
CN112235288B (en) | NDN network intrusion detection method based on GAN | |
He et al. | Deep‐Feature‐Based Autoencoder Network for Few‐Shot Malicious Traffic Detection | |
CN108282460B (en) | Evidence chain generation method and device for network security event | |
Lu et al. | An efficient communication intrusion detection scheme in AMI combining feature dimensionality reduction and improved LSTM | |
Qin et al. | Deep learning based anomaly detection scheme in software-defined networking | |
CN111600876B (en) | Slow denial of service attack detection method based on MFOPA algorithm | |
CN113364787A (en) | Botnet flow detection method based on parallel neural network | |
CN112804253A (en) | Network flow classification detection method, system and storage medium | |
CN112261063A (en) | Network malicious traffic detection method combined with deep hierarchical network | |
CN116150688A (en) | Lightweight Internet of things equipment identification method and device in smart home | |
CN112733954A (en) | Abnormal traffic detection method based on generation countermeasure network | |
Yujie et al. | End-to-end android malware classification based on pure traffic images | |
CN113946823A (en) | SQL injection detection method and device based on URL baseline deviation analysis | |
CN116708431A (en) | Government information security and resource sharing system based on big data | |
CN113382003B (en) | RTSP mixed intrusion detection method based on two-stage filter | |
CN115473734A (en) | Remote code execution attack detection method based on single classification and federal learning | |
CN113542222B (en) | Zero-day multi-step threat identification method based on dual-domain VAE | |
CN115712857A (en) | Abnormal flow detection method, equipment and medium |
Legal Events
Date | Code | Title | Description
---|---|---|---
| NENP | Non-entry into the national phase | Ref country code: DE
| 122 | Ep: pct application non-entry in european phase | Ref document number: 20944954; Country of ref document: EP; Kind code of ref document: A1
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 20944954; Country of ref document: EP; Kind code of ref document: A1
| 122 | Ep: pct application non-entry in european phase | Ref document number: 20944954; Country of ref document: EP; Kind code of ref document: A1
| 32PN | Ep: public notification in the ep bulletin as address of the addressee cannot be established | Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 04.07.2023)
| 122 | Ep: pct application non-entry in european phase | Ref document number: 20944954; Country of ref document: EP; Kind code of ref document: A1