CN109194612B - Network attack detection method based on deep belief network and SVM - Google Patents


Info

Publication number: CN109194612B
Authority: CN (China)
Prior art keywords: network, network attack, data, training, layer
Legal status: Active (the listed legal status is an assumption and is not a legal conclusion)
Application number: CN201810832545.7A
Other languages: Chinese (zh)
Other versions: CN109194612A (en)
Inventors: 唐舸轩, 石波, 赵磊, 吴朝雄
Current Assignee: Beijing Institute of Computer Technology and Applications (the listed assignees may be inaccurate)
Original Assignee: Beijing Institute of Computer Technology and Applications
Application filed by: Beijing Institute of Computer Technology and Applications
Application events: priority to CN201810832545.7A; publication of CN109194612A; application granted; publication of CN109194612B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network attack detection method based on a deep belief network and an SVM, wherein the method comprises the following steps: step 1: constructing a network attack behavior feature vector; step 2: determining a model training set and a test set, labeling the data, distinguishing normal behavior from attack behavior, and classifying the attack behavior; step 3: constructing a deep belief network model, training it layer by layer, extracting network attack behavior features, calculating the error until convergence, and fine-tuning the weights of the model to obtain a feature vector; step 4: taking the extracted feature vectors as input parameters, selecting a suitable SVM classifier for training, classifying the network attack behaviors, and constructing a network attack detection model; step 5: constructing a network attack behavior analysis model, testing the accuracy of the model with the test set, calculating the accuracy, the false alarm rate and the missed-report rate, and optimizing the model by using the identified network attack behavior as training data.

Description

Network attack detection method based on deep belief network and SVM
Technical Field
The invention belongs to the technical field of network security, and provides a network attack detection method based on a deep belief network and an SVM.
Background
Networks play an increasingly important role in people's lives, countries pay more and more attention to network security, and cyberspace is gradually becoming a new arena of competition among the world's major powers. Attack behavior in cyberspace occurs quickly, spreads widely and is strongly bursty, and it is accompanied by a large volume of events and data, which brings a new challenge to the discovery of network attack behavior.
Network attack behavior detection needs to acquire a large amount of data, so the dimensionality of the feature vector becomes too high; when a classification model is trained on it, the accuracy drops and the detection of network attack behavior fails. Extracting network attack behavior features by manual means is limited, generalizes poorly and is not universal, and generally gives good results only on data sets with similar patterns. Therefore, the feature data is extracted with a deep learning method, and attack behavior in cyberspace is dynamically detected and discovered with a classification model, which makes up for the shortcomings of the traditional methods: their limitations, weak generalization and poor universality. Features extracted by the deep learning method classify better and help improve the accuracy of model identification.
The deep belief network (DBN, Deep Belief Nets), a representative of unsupervised learning among deep neural networks, can obtain a good learning effect under the condition of lacking a large number of unlabeled training sets. Support vector machines (SVMs), a commonly used classification model, also exhibit many good characteristics in nonlinear, high-dimensional pattern recognition. Therefore, the invention mainly uses these two algorithms to construct a network attack behavior detection model.
(I) Deep belief network:
A deep belief network is formed by stacking several restricted Boltzmann machines (RBMs). Each hidden layer in the deep belief network is a restricted Boltzmann machine, and the structure of the network deepens layer by layer as RBM layers are added. The RBM training algorithm is therefore used for the weight pre-training of the deep belief network. A feedback neural network is added at the final output layer of the deep belief network; the output layer compares the training data with the label data, and the network is fine-tuned with the back-propagation (BP) algorithm.
In the unsupervised weight pre-training of a DBN, one problem to be solved is this: once the input data has been passed from the visible-layer neurons to give the hidden-layer neuron states, how to reconstruct the input data from those hidden-layer states while keeping the error between the original input data and the reconstructed input data as small as possible. In the wake-sleep algorithm, the model learns recognition weights, with which the input data at the visible-layer neurons yields the hidden-layer neuron states. It then learns generative weights, with which the visible-layer input is reconstructed from the hidden-layer neurons. Meanwhile, the recognition weights and the generative weights are adjusted continuously to reduce the error produced when the data is reconstructed.
(II) Support vector machine:
A support vector machine (SVM) is a supervised learning model, mainly used for analyzing data, recognizing patterns, and performing classification analysis and regression analysis on the data. The standard support vector machine is a non-probabilistic linear classifier, that is, for each particular input it predicts one of two known classes. Given a training set in which each training sample is labeled as belonging to one of two classes, the support vector machine algorithm suits either-or ("black or white") problems and is therefore commonly used to solve two-class problems.
Disclosure of Invention
The invention aims to provide a network attack detection method based on a deep belief network and an SVM (support vector machine), which is used for solving the problems in the prior art.
The invention relates to a network attack detection method based on a deep belief network and an SVM, wherein the method comprises the following steps: step 1: constructing a network attack behavior feature vector; step 2: determining a model training set and a test set, labeling the data, distinguishing normal behavior from attack behavior, and classifying the attack behavior; step 3: constructing a deep belief network model, training it layer by layer, extracting network attack behavior features, calculating the error until convergence, and fine-tuning the weights of the model to obtain a feature vector; step 4: taking the extracted feature vectors as input parameters, selecting a suitable SVM classifier for training, classifying the network attack behaviors, and constructing a network attack detection model; step 5: constructing a network attack behavior analysis model, testing the accuracy of the model with the test set, calculating the accuracy, the false alarm rate and the missed-report rate, and optimizing the model by using the identified network attack behavior as training data.
According to an embodiment of the network attack detection method based on the deep belief network and the SVM, step 1 comprises the following: the network attack behavior feature attributes are a group of quantitative analysis data describing the current network attack; the feature data collected from the sensors forms a one-dimensional vector, giving the network attack behavior feature vector. For the i-th network attack behavior, the feature vector collected within time t is denoted $V_i(t)$: $V_i(t) = \{a_1, a_2, a_3, \ldots, a_n\}$, where $a_n$ is the value of the n-th attribute of the i-th network attack behavior at time t.
According to an embodiment of the network attack detection method based on the deep belief network and the SVM, in step 1, if the attack is performed on the Windows operating system, the collected feature data includes system file deletion, system file renaming, system file creation, temporary file creation, file execution, file modification, registry key deletion, service deletion, execution mode change, registration operation, service registration, BHO entry addition, process creation, process termination, process search, DLL code injection, thread creation, port opening, port binding, network connection establishment, network connection disconnection, data transmission, data reception, source IP, destination IP, source port, destination port, URL type, content type, behavior action type, number of network traffic packets, and packet length.
According to an embodiment of the network attack detection method based on the deep belief network and the SVM, step 2 specifically includes: step 2.1: dividing the collected feature vectors $V_i(t)$ into two parts, labeled and unlabeled, $\{S_1, S_2\}$; labeled data means data for which the kind of attack can be specified, and the labeled data $S_2$ is: $V_i(t) \in \{P_1, P_2, P_3, \ldots, P_n\}$, where $P_n$ indicates that the i-th network attack event belongs to the n-th network attack; the rest of the data is the unlabeled data $S_1$; step 2.2: creating Training Set = $S_1 + S_{21}$, where $S_1$ is the unlabeled training data and $S_{21}$ is labeled data: a% of the labeled data is selected from $S_2$ and applied to the weight fine-tuning process of the BP feedback algorithm, so $S_{21} = a\% \cdot S_2$; step 2.3: constructing Test Set = $S_{22}$; the test set is used for testing the model identification accuracy and consists entirely of labeled data, the remaining data of $S_2$ being taken as $S_{22}$; step 2.4: normalizing the data of the training set and the test set so that $S_1, S_2 \in (0,1)$.
According to an embodiment of the network attack detection method based on the deep belief network and the SVM, a% is 30%.
According to an embodiment of the network attack detection method based on the deep belief network and the SVM, the step 3 comprises the following steps:
step 3.1: constructing the deep belief network model structure:
using a network model formed by 3 hidden layers and training each RBM layer in turn, namely $RBM_1$, $RBM_2$ and $RBM_3$; wherein v is an output layer neuron, $h_n$ is the n-th hidden layer, and W is the weight;
step 3.2: training the first RBM layer with the Training Set and calculating the state of each neuron, wherein each neuron has two states, activated or inhibited:
Figure BDA0001743836070000051
wherein Pstate is the state of the neuron, and α is the probability threshold that decides whether the neuron is activated. In a deep belief network, the threshold α is generated randomly from the uniform distribution on (0,1). Calculating the hidden-layer neuron activation probability:
Figure BDA0001743836070000052
calculating the visible-layer neuron activation probability:
Figure BDA0001743836070000053
wherein
Figure BDA0001743836070000054
$W_{ij}$ is the connection weight between neuron i and neuron j, $b_j$ is the bias of visible-layer neuron j, and $c_i$ is the bias of hidden-layer neuron i;
updating the weights, the visible-layer neuron biases and the hidden-layer neuron biases according to the activation probabilities of the visible-layer and hidden-layer neurons:
Figure BDA0001743836070000055
Figure BDA0001743836070000056
$c_i = c_i + p(h_i = 1 \mid v^0) - p(h_i = 1 \mid v^k)$;
wherein $v_j^k$ is the value of the j-th neuron at the k-th iteration. Calculating the error of this RBM layer's training:
Figure BDA0001743836070000057
when delta v is smaller than a certain threshold, the training of the RBM layer is considered to have converged; otherwise step 3.2 is carried out again and the training of the RBM layer continues;
step 3.3: taking the output data of the $RBM_1$ layer as the input data of the next RBM layer, and then training according to step 3.2 until the training of all RBM layers is completed;
step 3.4: fine-tuning the weights using the $S_{21}$ data in the Training Set. The adjustment of the weights comprises two parts, the adjustment of the output layer weights and the adjustment of the hidden layer weights. The output layer weights directly influence the output result of the deep belief network, so the first step is to adjust the output layer weights:
$w_{ji} = w_{ji} - \eta x_{ji} y_i (1 - y_i)(y_i - d_i)$;
wherein $w_{ji}$ is the output layer weight, $x_{ji}$ is the input value of an output layer neuron, $y_i$ is the output result of an output layer neuron, $d_i$ is the desired output result, and $\eta$ is the learning rate;
adjusting the weights of the hidden-layer neurons includes:
Figure BDA0001743836070000061
wherein $W_{kj}$ is a hidden layer weight, $y'_j$ is the output result of the hidden-layer neurons, and $x_{kj}$ is the input to the hidden-layer neurons.
According to an embodiment of the network attack detection method based on the deep belief network and the SVM, the number of RBM layers is three.
According to an embodiment of the network attack detection method based on the deep belief network and the SVM, step 4 comprises the following steps: step 4.1: taking the network attack feature vector obtained after dimensionality reduction and feature extraction as the input parameter and passing it into a first SVM classifier; step 4.2: selecting different SVM classifiers to distinguish different network attack behaviors.
According to an embodiment of the network attack detection method based on the deep belief network and the SVM, step 5 comprises the following steps:
step 5.1: calculating the identification accuracy rate C of the network attack detection model:
Figure BDA0001743836070000062
wherein $N_{normal}$ indicates the number of detected normal behaviors, $n_i$ represents the number of detected network attacks of a certain type, m represents the number of types of intrusion attacks, and n represents the total number of records in the test set;
step 5.2: using the network attack detection model to discover network attack behaviors, labeling the correctly classified data and putting it into the training set.
According to an embodiment of the network attack detection method based on the deep belief network and the SVM, the SVM classifiers specifically comprise: one SVM classifier for distinguishing normal behavior from network attack behavior, and several SVM classifiers for identifying different attack types.
In conclusion, the invention provides a network attack analysis method based on a deep belief network and an SVM, aimed at the problem that identification accuracy drops when the dimensionality of the feature vector is too high during network attack detection. The deep belief network reduces the dimensionality of the original high-dimensional network attack behavior feature data and learns to extract a network attack behavior feature vector with stronger expressive power, higher universality and better classification effect, and an SVM (support vector machine) classifies and identifies that feature vector.
Drawings
FIG. 1 is a flow chart of a network attack detection method based on a deep belief network and an SVM;
FIG. 2 is a diagram illustrating a deep belief network model architecture;
FIG. 3 is a diagram illustrating the processing of an SVM classifier.
Detailed Description
In order to make the objects, contents, and advantages of the present invention clearer, the following detailed description of the embodiments of the present invention will be made in conjunction with the accompanying drawings and examples.
Fig. 1 is a flowchart of the network attack detection method based on a deep belief network and an SVM. As shown in Fig. 1, the network attack detection method based on the deep belief network and the SVM of the present invention includes the following steps:
step 1: constructing a network attack behavior feature vector;
step 2: determining a model training set and a test set, labeling the data, distinguishing normal behavior from attack behavior, and classifying the attack behavior;
step 3: constructing a deep belief network model, training it layer by layer, extracting network attack behavior features, and calculating the error until convergence;
step 4: after dimensionality reduction and feature extraction by the deep belief network, taking the learned network attack behavior feature vector as the input parameter, selecting a suitable SVM kernel function for training, and classifying the network attack behavior;
step 5: constructing a network attack behavior analysis model, testing the model accuracy with the test set, and calculating the accuracy, the false alarm rate and the missed-report rate. The successfully identified network attack behavior is used as training data, so the model is continuously optimized and its accuracy improves.
As shown in Fig. 1, the network attack detection method based on the deep belief network and the SVM specifically includes:
Step 1: constructing a network attack behavior feature vector, comprising:
The network attack behavior feature attributes are a group of quantitative analysis data describing the current network attack; the feature data collected from the sensors forms a one-dimensional vector, giving the network attack behavior feature vector. For example, for an attack on a Windows operating system, the feature data that can be collected as attributes includes system file deletion, system file renaming, system file creation, temporary file creation, file execution, file modification, registry key deletion, service deletion, execution mode change, registration operation, service registration, BHO item addition, process creation, process termination, process search, DLL code injection, thread creation, port opening, port binding, network connection establishment, network connection disconnection, data sending, data receiving, source IP, destination IP, source port, destination port, URL type, content type, behavior action type, the number of network traffic packets, the packet length, and the like.
For the i-th network attack behavior, the feature vector collected within time t is denoted $V_i(t)$:
$V_i(t) = \{a_1, a_2, a_3, \ldots, a_n\}$;
where $a_n$ is the value of the n-th attribute of the i-th network attack behavior at time t.
Step 2: determining a model training set and a test set, labeling the data, distinguishing normal behavior from attack behavior, and manually classifying the attack behavior, comprising the following steps:
Step 2.1: dividing the collected feature vectors $V_i(t)$ into two parts, labeled and unlabeled, $\{S_1, S_2\}$. Labeled data means data for which the kind of attack can be specified; the labeled data $S_2$ is:
$V_i(t) \in \{P_1, P_2, P_3, \ldots, P_n\}$;
where $P_n$ indicates that the i-th network attack event belongs to the n-th network attack; the rest of the data is the unlabeled data $S_1$.
Step 2.2: creating Training Set = $S_1 + S_{21}$, where $S_1$ is the unlabeled training data, which can be applied to the weight pre-training process of the deep belief network, and $S_{21}$ is labeled data: 30% of the labeled data is selected from $S_2$ and applied to the weight fine-tuning process of the BP feedback algorithm, so $S_{21} = 0.3 \cdot S_2$.
Step 2.3: constructing Test Set = $S_{22}$. The test set is used for testing the model identification accuracy; because the accuracy, the false alarm rate and the missed-report rate need to be calculated, the test set must consist entirely of labeled data, and the remaining data of $S_2$ is taken as $S_{22}$.
Step 2.4: normalizing the data of the training set and the test set so that:
$S_1, S_2 \in (0,1)$.
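Steps 2.1 to 2.4 as an added Python example (not code from the patent): it splits records into S1, S21 and S22 and min-max scales them into the open interval (0, 1). Selecting the 30% per label, fitting the scaling bounds on the training set only, and the three sample attributes are assumptions of this example; the records are constructed.

```python
import random

EPS = 1e-6  # keeps scaled values strictly inside the open interval (0, 1)

def split_sets(records, a_percent=30, seed=0):
    """records: list of (feature_vector, label); label None means unlabeled.
    Returns (S1, S21, S22). The a% is taken per label (assumption) so that
    every class appears in both the fine-tuning data and the test set."""
    rng = random.Random(seed)
    s1 = [r for r in records if r[1] is None]
    by_label = {}
    for r in records:
        if r[1] is not None:
            by_label.setdefault(r[1], []).append(r)
    s21, s22 = [], []
    for label in sorted(by_label):
        rows = by_label[label][:]
        rng.shuffle(rows)  # avoid a selection biased by collection order
        cut = round(len(rows) * a_percent / 100)
        s21 += rows[:cut]
        s22 += rows[cut:]
    return s1, s21, s22

def fit_minmax(vectors):
    """Per-attribute (min, max) bounds."""
    return [(min(col), max(col)) for col in zip(*vectors)]

def scale(vector, bounds):
    out = []
    for x, (lo, hi) in zip(vector, bounds):
        if hi == lo:
            out.append(0.5)  # constant attribute: carries no information
            continue
        z = (x - lo) / (hi - lo)
        out.append(min(1.0 - EPS, max(EPS, z)))  # clamp values outside the fitted range
    return out

def build_sets(records, a_percent=30, seed=0):
    """Returns (training set S1 + S21, test set S22, bounds), all scaled."""
    s1, s21, s22 = split_sets(records, a_percent, seed)
    train = s1 + s21
    # Bounds come from the training set only, so the test set stays unseen.
    bounds = fit_minmax([v for v, _ in train])
    norm = lambda rows: [(scale(v, bounds), y) for v, y in rows]
    return norm(train), norm(s22), bounds

def constructed_records():
    """Constructed sample: [packet count, packet length, DLL-injection flag]."""
    rows = []
    for k in range(10):
        rows.append(([20 + k, 500 + 10 * k, 0], "normal"))
        rows.append(([900 + 5 * k, 60 + k, 0], "P1"))
        rows.append(([30 + k, 400 + 5 * k, 1], "P2"))
    for k in range(5):
        rows.append(([100 + 50 * k, 300 + 20 * k, k % 2], None))
    return rows
```
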
Step 3: constructing a deep belief network model, training it layer by layer, extracting network attack behavior features, calculating the error until convergence, and then fine-tuning the weights of the model to obtain the feature vector out, comprising the following steps:
Fig. 2 is a schematic structural diagram of the deep belief network model. As shown in Fig. 2, step 3.1: constructing the deep belief network model structure:
For example, a network model composed of 3 hidden layers is used, and each RBM layer ($RBM_1$, $RBM_2$, $RBM_3$) is trained in turn. Here v is an output layer neuron, $h_n$ is the n-th hidden layer, and W is the weight.
Step 3.2: training $RBM_1$ with the Training Set. Calculating the state of each neuron, wherein each neuron has two states, activated or inhibited:
Figure BDA0001743836070000091
where Pstate is the state of the neuron, and α is the probability threshold that decides whether the neuron is activated. In a deep belief network, the threshold α is generated randomly from the uniform distribution on (0, 1). Calculating the hidden-layer neuron activation probability:
Figure BDA0001743836070000101
calculating the visible-layer neuron activation probability:
Figure BDA0001743836070000102
where
Figure BDA0001743836070000103
$W_{ij}$ is the connection weight between neuron i and neuron j, $b_j$ is the bias of visible-layer neuron j, and $c_i$ is the bias of hidden-layer neuron i.
Updating the weights, the visible-layer neuron biases and the hidden-layer neuron biases according to the activation probabilities of the visible-layer and hidden-layer neurons:
Figure BDA0001743836070000104
Figure BDA0001743836070000105
$c_i = c_i + p(h_i = 1 \mid v^0) - p(h_i = 1 \mid v^k)$;
where $v_j^k$ is the value of the j-th neuron at the k-th iteration. Finally, the error of this RBM layer's training is calculated:
Figure BDA0001743836070000106
When delta v is smaller than a certain threshold, the training of this RBM layer is considered to have converged; otherwise step 3.2 is carried out again and the training of $RBM_1$ continues.
Step 3.3: taking the output data of the $RBM_1$ layer as the input data of the second RBM layer and training the $RBM_2$ layer according to step 3.2; when its error value meets the requirement, training $RBM_3$ according to step 3.2, which completes the training of all RBM layers.
Step 3.4: fine-tuning the weights using the $S_{21}$ data in the Training Set. The adjustment of the weights comprises two parts, the adjustment of the output layer weights and the adjustment of the hidden layer weights. The output layer weights directly influence the output result of the deep belief network, so the first step is to adjust the output layer weights:
$w_{ji} = w_{ji} - \eta x_{ji} y_i (1 - y_i)(y_i - d_i)$;
where $w_{ji}$ is the output layer weight, $x_{ji}$ is the input value of an output layer neuron, $y_i$ is the output result of an output layer neuron, $d_i$ is the desired output result, and $\eta$ is the learning rate;
The weights between the hidden-layer neurons affect the output of the whole deep belief network indirectly, so their adjustment is related to the adjustment of the neurons in the previous layer: the residual of the previous layer's adjustment needs to be calculated and accumulated onto this layer. The second step is to adjust the weights of the hidden-layer neurons:
Figure BDA0001743836070000111
where $W_{kj}$ is a hidden layer weight, $y'_j$ is the output result of the hidden-layer neurons, and $x_{kj}$ is the input to the hidden-layer neurons.
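The layer-wise pre-training of steps 3.2 and 3.3 and the output-layer rule of step 3.4, as an added Python example that is not the patent's own code. The equations that survive on this page only as figure references are filled in with the standard contrastive-divergence (CD-k) form and a sigmoid activation, which is an assumption; the learning rate on the RBM updates, the layer sizes (4, 3, 2) and the constructed sample vectors are also assumptions, and the hidden-layer fine-tuning rule is left out because its formula is not reproduced here.

```python
import math
import random

def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))

class RBM:
    def __init__(self, n_visible, n_hidden, rng):
        self.rng = rng
        # W[i][j]: weight between hidden neuron i and visible neuron j
        self.W = [[rng.gauss(0, 0.1) for _ in range(n_visible)] for _ in range(n_hidden)]
        self.b = [0.0] * n_visible  # visible-layer biases b_j
        self.c = [0.0] * n_hidden   # hidden-layer biases c_i

    def p_hidden(self, v):
        return [sigmoid(c + sum(w * x for w, x in zip(row, v)))
                for row, c in zip(self.W, self.c)]

    def p_visible(self, h):
        return [sigmoid(b + sum(row[j] * hi for row, hi in zip(self.W, h)))
                for j, b in enumerate(self.b)]

    def state(self, probs):
        # Assumed state rule: activated when the probability exceeds a
        # threshold alpha drawn from the uniform distribution on (0, 1).
        return [1.0 if p > self.rng.random() else 0.0 for p in probs]

    def cd_update(self, v0, lr, k=1):
        ph0 = self.p_hidden(v0)
        h = self.state(ph0)
        for _ in range(k):               # k Gibbs steps give v^k
            vk = self.p_visible(h)
            phk = self.p_hidden(vk)
            h = self.state(phk)
        for i, row in enumerate(self.W):
            for j in range(len(row)):
                row[j] += lr * (ph0[i] * v0[j] - phk[i] * vk[j])
            self.c[i] += lr * (ph0[i] - phk[i])  # the page's c_i rule, scaled by lr
        for j in range(len(self.b)):
            self.b[j] += lr * (v0[j] - vk[j])

    def error(self, data):
        """Mean squared reconstruction error, used as the convergence test."""
        total = 0.0
        for v in data:
            r = self.p_visible(self.p_hidden(v))
            total += sum((a - x) ** 2 for a, x in zip(r, v)) / len(v)
        return total / len(data)

    def train(self, data, lr=0.1, tol=0.005, max_epochs=300):
        before = self.error(data)
        for _ in range(max_epochs):
            for v in data:
                self.cd_update(v, lr)
            if self.error(data) < tol:   # converged: stop training this layer
                break
        return before, self.error(data)

def train_dbn(data, hidden_sizes=(4, 3, 2), seed=7):
    rng = random.Random(seed)
    layers, errors, x = [], [], data
    for n_hidden in hidden_sizes:
        rbm = RBM(len(x[0]), n_hidden, rng)
        errors.append(rbm.train(x))
        layers.append(rbm)
        x = [rbm.p_hidden(v) for v in x]  # step 3.3: output feeds the next RBM
    return layers, errors

def extract(layers, v):
    """Reduced feature vector: activations of the last hidden layer."""
    for rbm in layers:
        v = rbm.p_hidden(v)
    return v

def output(w, x):
    return sigmoid(sum(wj * xj for wj, xj in zip(w, x + [1.0])))

def fine_tune_output(features, targets, eta=0.5, epochs=500):
    """Output-layer rule of step 3.4 for one output neuron; last weight is a bias."""
    w = [0.0] * (len(features[0]) + 1)
    for _ in range(epochs):
        for x, d in zip(features, targets):
            y = output(w, x)
            w = [wj - eta * xj * y * (1 - y) * (y - d) for wj, xj in zip(w, x + [1.0])]
    return w

# Constructed, already normalized behaviour vectors (two behaviour profiles).
SAMPLES = [
    [0.9, 0.8, 0.9, 0.1, 0.2, 0.1], [0.8, 0.9, 0.9, 0.2, 0.1, 0.1],
    [0.9, 0.9, 0.8, 0.1, 0.1, 0.2], [0.1, 0.2, 0.1, 0.9, 0.8, 0.9],
    [0.2, 0.1, 0.1, 0.8, 0.9, 0.9], [0.1, 0.1, 0.2, 0.9, 0.9, 0.8],
]
```
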
Step 4: taking the feature vector out extracted in step 3 as the input parameter, selecting a suitable SVM kernel function for training, and classifying the network attack behaviors, so as to construct a network attack detection model, comprising the following steps:
Fig. 3 is a schematic diagram illustrating the processing of the SVM classifiers. As shown in Fig. 3, step 4.1: taking the network attack feature vector obtained after dimensionality reduction and feature extraction as the input parameter and passing it into a first SVM classifier.
The first SVM classifier mainly distinguishes normal behavior from network attack behavior. Confirmed normal behavior is re-labeled, and the labeled normal behavior can be used as training set data for repeated training, which improves the accuracy of the model.
Step 4.2: for the attack behaviors distinguished by the first SVM classifier, selecting different kernel functions to distinguish the different network attack behaviors. For example, $SVM_2$ identifies attack type $P_1$, $SVM_3$ identifies attack type $P_2$, and so on, until the last classifier $SVM_n$ identifies attack type $P_n$ and completes the identification of the attack type. An attack that still cannot be identified with the last classifier $SVM_n$ is determined to be of unknown attack type, and whether it is a novel network attack that is not in the attack type set is judged manually.
Step 5: determining the network attack detection model, testing its accuracy with the test set, and calculating the accuracy. The successfully identified network attack behavior is used as training data, so the model is continuously optimized and its accuracy improves.
Step 5.1: the accuracy rate is an important index for evaluating the classification of network attack behavior, so the identification accuracy rate C of the network attack detection model is calculated:
Figure BDA0001743836070000121
where $N_{normal}$ indicates the number of detected normal behaviors, $n_i$ indicates the number of detected network attacks of a certain type, m indicates the number of types of intrusion attacks, and n indicates the total number of records in the test set.
Step 5.2: using the network attack detection model to discover network attack behaviors, labeling the correctly classified data and putting it into the training set, thereby improving the accuracy of model identification.
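The classifier cascade of step 4 and the evaluation of step 5.1, as an added Python example (not the patent's code). Assumptions: a linear SVM trained by hinge-loss stochastic gradient descent stands in for the unspecified kernel SVM, each stage SVM is trained one-against-the-rest on attack samples, C is taken as (N_normal + sum of n_i) / n over correctly identified records because the formula image is missing, and the false alarm and missed-report rates use their usual definitions; the 2-D feature points are constructed.

```python
def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def train_linear_svm(X, y, lr=0.05, lam=1e-3, epochs=2000):
    """Hinge-loss SGD with an L2 penalty; y values are -1 or +1. Returns (w, b)."""
    w, b = [0.0] * len(X[0]), 0.0
    for _ in range(epochs):
        for xi, yi in zip(X, y):
            violated = yi * (dot(w, xi) + b) < 1     # inside the margin or misclassified
            w = [wj * (1 - lr * lam) for wj in w]    # L2 shrinkage
            if violated:
                w = [wj + lr * yi * xj for wj, xj in zip(w, xi)]
                b += lr * yi
    return w, b

def fit(X, positives):
    """Train one binary SVM; positives is a list of booleans."""
    w, b = train_linear_svm(X, [1 if p else -1 for p in positives])
    return lambda x: dot(w, x) + b > 0

def build_cascade(X, labels, attack_types):
    svm1 = fit(X, [l != "normal" for l in labels])   # SVM_1: normal vs attack
    attacks = [(x, l) for x, l in zip(X, labels) if l != "normal"]
    ax = [x for x, _ in attacks]
    # SVM_2 ... SVM_n: one stage per attack type, trained on attack samples only
    stages = [(p, fit(ax, [l == p for _, l in attacks])) for p in attack_types]
    return svm1, stages

def classify(x, svm1, stages):
    if not svm1(x):
        return "normal"
    for name, svm_k in stages:   # stages are tried in order
        if svm_k(x):
            return name
    return "unknown"             # rejected by every stage: queue for manual review

def evaluate(pairs):
    """pairs: (true_label, predicted_label). Returns (C, false alarm rate, missed-report rate)."""
    n = len(pairs)
    correct = sum(1 for t, p in pairs if t == p)     # N_normal + sum of n_i
    normals = [p for t, p in pairs if t == "normal"]
    attacks = [p for t, p in pairs if t != "normal"]
    false_alarm = sum(1 for p in normals if p != "normal") / len(normals)
    missed = sum(1 for p in attacks if p == "normal") / len(attacks)
    return correct / n, false_alarm, missed

def constructed_training_set():
    """Constructed 2-D feature points: four points around each class centre."""
    centers = {"normal": (0.15, 0.15), "P1": (0.85, 0.15),
               "P2": (0.15, 0.85), "P3": (0.85, 0.85)}
    X, labels = [], []
    for label, (cx, cy) in centers.items():
        for dx in (-0.05, 0.05):
            for dy in (-0.05, 0.05):
                X.append([cx + dx, cy + dy])
                labels.append(label)
    return X, labels
```

Step 5.2 feeds model-labeled records back into training; the figures returned by `evaluate` only stay meaningful if the test set S22 is kept out of that loop.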
In conclusion, the invention provides a network attack analysis method based on a deep belief network and an SVM, aimed at the problem that identification accuracy drops when the dimensionality of the feature vector is too high during network attack detection. The deep belief network reduces the dimensionality of the original high-dimensional network attack behavior feature data and learns to extract a network attack behavior feature vector with stronger expressive power, higher universality and better classification effect, and an SVM (support vector machine) classifies and identifies that feature vector.
The above description is only a preferred embodiment of the present invention. It should be noted that those skilled in the art can make several modifications and variations without departing from the technical principle of the present invention, and these modifications and variations should also be regarded as falling within the protection scope of the present invention.

Claims (9)

1. A network attack detection method based on a deep belief network and an SVM, characterized by comprising the following steps:
step 1: constructing a network attack behavior feature vector;
step 2: determining a model training set and a test set, labeling the data, distinguishing normal behavior from attack behavior, and classifying the attack behavior;
step 3: constructing a deep belief network model, training it layer by layer, extracting network attack behavior features, calculating the error until convergence, and fine-tuning the weights of the model to obtain a feature vector;
step 4: taking the extracted feature vectors as input parameters, selecting a suitable SVM classifier for training, classifying the network attack behaviors, and constructing a network attack detection model;
step 5: constructing a network attack behavior analysis model, testing the accuracy of the model with the test set, calculating the accuracy, the false alarm rate and the missed report rate, and using the identified network attack behaviors as training data for optimization;
wherein step 4 comprises the following steps:
step 4.1: taking the network attack feature vector obtained after dimensionality reduction and feature extraction as an input parameter, and passing it to a first SVM classifier;
step 4.2: selecting different SVM classifiers to distinguish different network attack behaviors.
2. The network attack detection method based on the deep belief network and the SVM as claimed in claim 1, wherein the step 1 comprises:
the network attack behavior feature attributes serve as a group of quantitative analysis data describing the current network attack; the feature data collected from the sensors form a one-dimensional vector, giving the network attack behavior feature vector;
for the i-th network attack behavior, the feature vector collected at time t is denoted $V_i(t)$:
$V_i(t)=\{a_1,a_2,a_3,\dots,a_n\}$;
wherein $a_n$ is the value of the n-th attribute of the i-th network attack behavior at time t.
3. The network attack detection method based on the deep belief network and the SVM as claimed in claim 1, wherein in step 1, if the attack targets a Windows operating system, the collected feature data include system file deletion, system file renaming, system file creation, temporary file creation, file execution, file modification, registry key deletion, service deletion, execution mode change, registration operation, service registration, BHO entry addition, process creation, process termination, process search, DLL code injection, thread creation, port opening, port binding, network connection establishment, network connection disconnection, data transmission, data reception, source IP, destination IP, source port, destination port, URL type, content type, behavior action type, network traffic packet amount and packet length.
4. The network attack detection method based on the deep belief network and the SVM as claimed in claim 1, wherein the step 2 specifically comprises:
step 2.1: dividing the collected feature vectors $V_i(t)$ into an unlabeled part $S_1$ and a labeled part $S_2$; labeled data means data for which the kind of attack can be specified, and the labeled data $S_2$ is:
$V_i(t)\in\{P_1,P_2,P_3,\dots,P_n\}$;
wherein $P_n$ indicates that the i-th network attack event belongs to the n-th network attack; the rest of the data is the unlabeled data $S_1$;
step 2.2: creating Training Set $= S_1 + S_{21}$, wherein $S_1$ is unlabeled training data and $S_{21}$ is labeled data; a% of the labeled data is selected from $S_2$ for the weight fine-tuning process of the BP feedback algorithm, so $S_{21} = a\% \cdot S_2$;
step 2.3: constructing Test Set $= S_{22}$; the test set is used to test the model identification accuracy and consists entirely of labeled data; the rest of the data in $S_2$ is taken as $S_{22}$;
step 2.4: normalizing the data of the training set and the test set so that:
$S_1, S_2 \in (0,1)$.
5. The network attack detection method based on the deep belief network and the SVM of claim 4, wherein a% is 30%.
6. The network attack detection method based on the deep belief network and the SVM as claimed in claim 1, wherein the step 3 comprises:
step 3.1: constructing a deep belief network model structure:
using a network model formed of 3 hidden layers and training each RBM layer in turn, including $RBM_1$, $RBM_2$ and $RBM_3$; wherein v is an output layer neuron, $h_n$ is the n-th hidden layer, and W is the weight;
step 3.2: training a first RBM layer by using a Training Set, and calculating the state of each neuron, wherein each neuron has two states of activation or inhibition:
Figure FDA0002991993250000031
wherein Pstate is the state of the neuron, and α is the probability threshold that decides whether the neuron is activated; in a deep belief network, the threshold α is randomly generated from a uniform distribution on (0,1);
calculating the hidden neuron activation probability:
Figure FDA0002991993250000032
calculating the visible neuron activation probability:
Figure FDA0002991993250000033
wherein
Figure FDA0002991993250000034
$W_{ij}$ is the connection weight of neuron i and neuron j, $b_j$ is the bias of visible-layer neuron j, and $c_i$ is the bias of hidden-layer neuron i;
updating the weight, the visible-layer neuron bias and the hidden-layer neuron bias according to the activation probabilities of the visible-layer and hidden-layer neurons:
Figure FDA0002991993250000035
Figure FDA0002991993250000036
$c_i = c_i + p(h_i=1\mid v^0) - p(h_i=1\mid v^k)$;
wherein $v_j^k$ is the value of the j-th neuron at the k-th iteration;
calculating the error of the RBM layer training:
Figure FDA0002991993250000041
when $\Delta v$ is smaller than a certain threshold, the RBM layer training is considered to have converged; otherwise step 3.2 is carried out again and training of the RBM layer continues;
step 3.3: taking the output data of the $RBM_1$ layer as the input data of the next RBM layer, and then training according to step 3.2 until the training of all RBM layers is completed;
step 3.4: using the $S_{21}$ data in the Training Set to fine-tune the weights; the weight adjustment comprises two parts, adjustment of the output layer weights and adjustment of the hidden layer weights; the output layer weights directly influence the output result of the deep belief network, so the first step is to adjust the output layer weights:
$w_{ji} = w_{ji} - \eta\, x_{ji}\, y_i (1-y_i)(y_i-d_i)$;
wherein $w_{ji}$ is the output layer weight, $x_{ji}$ is the input value of an output layer neuron, $y_i$ is the output result of the output layer neuron, $d_i$ is the desired output result, and $\eta$ is the learning rate;
adjusting weights for hidden layer neurons includes:
Figure FDA0002991993250000042
wherein $W_{kj}$ is a hidden layer weight, $y'_j$ is the output result of a hidden layer neuron, and $x_{kj}$ is the input to the hidden layer neuron.
7. The network attack detection method based on the deep belief network and the SVM of claim 6, wherein the number of RBM layers is three.
8. The network attack detection method based on the deep belief network and the SVM as claimed in claim 1, wherein the step 5 comprises:
step 5.1: calculating the identification accuracy rate C of the network attack detection model:
Figure FDA0002991993250000043
wherein $N_{normal}$ indicates the number of detected normal behaviors, $n_i$ represents the number of detected network attacks of a given type, m represents the number of types of intrusion attacks, and n represents the total size of the test set;
step 5.2: using the network attack detection model to discover network attack behaviors, labeling the correctly classified data and putting the data into the training set.
9. The network attack detection method based on the deep belief network and the SVM as claimed in claim 7, wherein the SVM classifier specifically comprises: an SVM classifier for distinguishing normal behaviors from network attack behaviors, and a plurality of SVM classifiers for identifying different attack types.
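Steps 3.2 and 3.3 of claim 6 as an added Python example (not code from the patent): one RBM layer is trained with a single Gibbs step per update, then layers are stacked so that each layer's output feeds the next. The sigmoid activation, the weight and visible-bias updates, the learning rate `lr`, and the use of mean reconstruction error in place of Δv are assumptions, because the page's equations for them survive only as figure placeholders; `DATA` is constructed.

```python
import math
import random
# Constructed sample: six binary behaviour flags per event, two behaviour patterns.
DATA = [[1.0, 1.0, 1.0, 0.0, 0.0, 0.0]] * 3 + [[0.0, 0.0, 0.0, 1.0, 1.0, 1.0]] * 3

def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))

def hidden_probs(v, W, c):
    # p(h_i = 1 | v); the sigmoid form is the standard RBM one (assumption)
    return [sigmoid(c[i] + sum(w * x for w, x in zip(W[i], v))) for i in range(len(c))]

def visible_probs(h, W, b):
    return [sigmoid(b[j] + sum(W[i][j] * h[i] for i in range(len(h)))) for j in range(len(b))]

def sample(probs, rng):
    # state rule of step 3.2: a neuron is active when its probability exceeds alpha ~ U(0,1)
    return [1.0 if p > rng.random() else 0.0 for p in probs]

def recon_error(data, W, b, c):
    # mean absolute reconstruction error, standing in for the page's delta v (assumption)
    recs = [visible_probs(hidden_probs(v, W, c), W, b) for v in data]
    return sum(abs(x - y) for v, r in zip(data, recs) for x, y in zip(v, r)) / (len(data) * len(data[0]))

def train_rbm(data, n_hidden, lr=0.1, tol=0.05, max_epochs=2000, seed=7):
    rng = random.Random(seed)
    n_vis = len(data[0])
    W = [[rng.uniform(-0.1, 0.1) for _ in range(n_vis)] for _ in range(n_hidden)]
    b, c = [0.0] * n_vis, [0.0] * n_hidden
    for _ in range(max_epochs):
        for v0 in data:
            ph0 = hidden_probs(v0, W, c)
            vk = sample(visible_probs(sample(ph0, rng), W, b), rng)  # k = 1 Gibbs step
            phk = hidden_probs(vk, W, c)
            for i in range(n_hidden):
                c[i] += lr * (ph0[i] - phk[i])  # the page's c_i update, scaled by lr
                for j in range(n_vis):
                    W[i][j] += lr * (ph0[i] * v0[j] - phk[i] * vk[j])
            for j in range(n_vis):
                b[j] += lr * (v0[j] - vk[j])
        if recon_error(data, W, b, c) < tol:  # step 3.2 stopping rule
            break
    return W, b, c

def train_dbn(data, layer_sizes):
    for n_hidden in layer_sizes:  # step 3.3: each layer's output feeds the next RBM
        W, _, c = train_rbm(data, n_hidden)
        data = [hidden_probs(v, W, c) for v in data]
    return data
```

The vectors returned by `train_dbn` are the reduced features that step 4 would pass to the SVM stage; the supervised fine-tuning of step 3.4 is not included here.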
CN201810832545.7A 2018-07-26 2018-07-26 Network attack detection method based on deep belief network and SVM Active CN109194612B (en)

Publications (2)

Publication Number Publication Date
CN109194612A (en) 2019-01-11
CN109194612B (en) 2021-05-18

Family

ID=64937508

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant