CN113206824A - Dynamic network abnormal attack detection method and device, electronic equipment and storage medium - Google Patents

Info

Publication number
CN113206824A
Authority
CN
China
Prior art keywords
abnormal attack
attack detection
abnormal
network
label
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110308731.2A
Other languages
Chinese (zh)
Other versions
CN113206824B (en)
Inventor
郭亚星
谭清耀
刘易
胡彦杰
韩言妮
谭倩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Institute of Information Engineering of CAS
Priority to CN202110308731.2A
Publication of CN113206824A
Application granted
Publication of CN113206824B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G06F18/2411 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on the proximity to a decision surface, e.g. support vector machines
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00 Machine learning
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/08 Learning methods

Abstract

The invention provides a method and a device for detecting abnormal attacks in a dynamic network, an electronic device, and a storage medium. The method comprises: constructing a network attribute feature vector based on crawled network traffic log data; inputting the network attribute feature vector into an abnormal attack detection model, and outputting a corresponding abnormal attack detection result. The abnormal attack detection model is trained on sample first network attribute feature vectors and corresponding first abnormal attack labels, and a classifier is constructed using a combined classifier algorithm during training of the abnormal attack detection model. The method, device, electronic device and storage medium provided by the invention improve the accuracy of network abnormal attack detection.

Description

Dynamic network abnormal attack detection method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of network attack detection technologies, and in particular, to a method and an apparatus for detecting a dynamic network abnormal attack, an electronic device, and a storage medium.
Background
With the increasing complexity and scale of modern systems, manual detection methods have become impractical. Most current anomaly detection models are built from a data set generated by normal behaviors, so that normal and abnormal behaviors are distinguished within a large amount of network data and a specific attack mode is identified among the abnormal behaviors. This can essentially be regarded as a classification problem, and early work usually adopted traditional machine learning algorithms such as naive Bayes, support vector machines, K-nearest neighbor and other standard machine learning models. With the rapid increase of network traffic, it is difficult to find a suitable method for processing a large amount of data when prior knowledge is insufficient. The combined classifier method, which has gradually become popular in the field of machine learning, provides a new research direction for such problems, and more and more researchers have begun to perform anomaly detection by constructing different combined classifiers.
Furthermore, standard machine learning usually assumes that the data source is clean, i.e. that features and labels are set correctly. In practice the collected data may be unreliable, since inadvertent annotation errors or malicious data transformations can introduce noise; in particular, learning from data with label noise can significantly reduce classification accuracy.
In past models, the anomaly classifier usually adopts a single classifier algorithm, which may be biased and therefore have low accuracy.
Therefore, how to avoid the biased results and low accuracy caused by relying on a single classifier in prior-art machine-learning-based dynamic network abnormal attack detection methods remains a problem to be solved by those skilled in the art.
Disclosure of Invention
The invention provides a dynamic network abnormal attack detection method and device, an electronic device and a storage medium, which address the low accuracy of prior-art machine-learning-based dynamic network abnormal attack detection methods, where relying on a single classifier biases the result. By using a combined classifier to balance the bias of any single classifier during training of the abnormal attack detection model, the accuracy of the detection result is improved.
The invention provides a dynamic network abnormal attack detection method, which comprises the following steps:
constructing a network attribute feature vector based on the crawled network traffic log data;
inputting the network attribute feature vector into an abnormal attack detection model, and outputting a corresponding abnormal attack detection result;
the abnormal attack detection model is obtained by training based on a sample first network attribute feature vector and a corresponding first abnormal attack label, and a classifier is constructed by using a combined classifier algorithm in the training process of the abnormal attack detection model.
According to the method for detecting the dynamic network abnormal attack, the first sample network attribute feature vector and the corresponding first abnormal attack label are the output obtained by inputting, into a label cleaning model, the sample network attribute feature vector determined from the crawled original network traffic log data together with the corresponding second abnormal attack label;
the label cleaning model is trained on samples constructed from second sample network attribute feature vectors with added noisy abnormal attack labels, together with the corresponding real labels.
According to the dynamic network abnormal attack detection method provided by the invention, a multilayer perceptron algorithm is adopted in the label cleaning model training process.
According to the method for detecting the dynamic network abnormal attack, the multilayer perceptron algorithm is adopted in the label cleaning model training process, and the method specifically comprises the following steps:
performing label noise filtering on sample label data input in the current round by using the middle label cleaning model obtained in the previous round of training to obtain clean sample label data;
adding the clean sample label data into the sample label data used in the previous round of training, and training again to update the middle label cleaning model.
According to the dynamic network anomaly attack detection method provided by the invention, the combined classifier comprises at least two of the following classifiers:
a K-nearest-neighbor classifier, a decision tree classifier, and a support vector machine classifier.
According to the method for detecting the abnormal attack of the dynamic network, provided by the invention, the abnormal attack detection result is determined by the following formula:
Figure BDA0002988830070000031
i = 0 or 1
where, when i = 0,
Figure BDA0002988830070000032
is the probability, output by the kth classifier in the combined classifier, that the detection result is no abnormal attack, and
Figure BDA0002988830070000033
is the probability that the abnormal attack detection result is no abnormal attack; when i = 1,
Figure BDA0002988830070000034
is the probability, output by the kth classifier in the combined classifier, that the detection result is an abnormal attack, and
Figure BDA0002988830070000035
is the probability that the abnormal attack detection result is an abnormal attack; $\alpha_k$ is the weight coefficient of the kth classifier in the combined classifier, and $N$ is the number of classifiers in the combined classifier.
According to the method for detecting the abnormal attack of the dynamic network provided by the invention, $\alpha_k = 1/N$.
The invention also provides a dynamic network abnormal attack detection device, which comprises:
the crawling unit is used for constructing a network attribute feature vector based on the crawled network traffic log data;
the detection unit is used for inputting the crawled network flow log data into the abnormal attack detection model and outputting a corresponding abnormal attack detection result;
the abnormal attack detection model is obtained by training based on first sample network flow log data and a corresponding first abnormal attack label, and a classifier is constructed by using a combined classifier algorithm in the training process of the abnormal attack detection model.
The present invention also provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and capable of running on the processor, wherein the processor implements the steps of the dynamic network anomaly attack detection method as described in any one of the above when executing the program.
The present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the dynamic network anomaly attack detection method as described in any one of the above.
According to the method, device, electronic device and storage medium for detecting dynamic network abnormal attacks provided by the invention, a network attribute feature vector is constructed based on crawled network traffic log data; the network attribute feature vector is input into an abnormal attack detection model, and a corresponding abnormal attack detection result is output; the abnormal attack detection model is trained on sample first network attribute feature vectors and corresponding first abnormal attack labels, and a classifier is constructed using a combined classifier algorithm during training of the abnormal attack detection model. Because a combined classifier is used in training the abnormal attack detection model, the invention solves the problem that the model used in traditional network abnormal attack detection is a neural network trained on the basis of a single classifier, which makes the model biased and its accuracy low. The method, device, electronic device and storage medium provided by the invention therefore improve the accuracy of network abnormal attack detection.
Drawings
In order to more clearly illustrate the technical solutions of the present invention or the prior art, the drawings needed for the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
FIG. 1 is a schematic flow chart of a dynamic network anomaly attack detection method provided by the present invention;
FIG. 2 is a diagram illustrating exemplary values of a vote classifier provided in the present invention;
FIG. 3 is a schematic structural diagram of a dynamic network anomaly attack detection apparatus provided in the present invention;
FIG. 4 is a comparative schematic diagram of the effect of experimental validation of initial samples on model accuracy provided by the present invention;
FIG. 5 is a schematic diagram showing the comparison of model accuracy rates at 30% noise in experimental verification provided by the present invention;
FIG. 6 is a diagram of the accuracy of an initial sample 6000 under different noises according to experimental verification provided by the present invention;
FIG. 7 is a schematic physical structure diagram of an electronic device provided in the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The dynamic network abnormal attack detection method based on machine learning in the prior art generally has the problem of low accuracy due to the fact that a result has bias caused by the fact that a used classifier is too single. A dynamic network anomaly attack detection method according to the present invention is described below with reference to fig. 1. Fig. 1 is a schematic flow chart of a dynamic network anomaly attack detection method provided by the present invention, and as shown in fig. 1, the method includes:
Step 110, constructing a network attribute feature vector based on the crawled network traffic log data.
Specifically, network traffic log data are crawled from the network area of the internet that needs to be monitored. The network traffic log data are all data packets captured within a preset time period; the corresponding packet attribute features are extracted from the captured packets and combined into a network attribute feature vector, which contains multiple attribute features of the network area. For example, aggregated recent traffic from the packet's source host (IP), aggregated recent traffic from the packet's source host (IP + MAC), and aggregated recent traffic from the packet's source host (IP) to the packet's destination host are common packet attribute features that help determine whether a packet carries abnormal attack information. Generally, the more network attribute features the vector includes, the more accurately it can be determined whether a packet is an abnormal attack; however, the larger the dimension of the vector, the larger the amount of computation. The choice of packet attribute features therefore has to balance computation against detection accuracy when the network attribute feature vector is constructed.
Step 120, inputting the network attribute feature vector into an abnormal attack detection model, and outputting a corresponding abnormal attack detection result;
the abnormal attack detection model is obtained by training based on a sample first network attribute feature vector and a corresponding first abnormal attack label, and a classifier is constructed by using a combined classifier algorithm in the training process of the abnormal attack detection model.
Specifically, the constructed network attribute feature vector is input into the abnormal attack detection model, and a corresponding abnormal attack detection result is output. The detection result falls into two types: an abnormal attack is detected, or no abnormal attack is detected. In a finer-grained case, when an abnormal attack is detected, the abnormal attack type can also be output, for example an ACK attack, a SCAN attack, a SYN attack, or a COMBO attack. The output can therefore be either a coarse result (abnormal attack or no abnormal attack) or a fine result that further classifies the abnormal attack by type, which is not specifically limited herein. The abnormal attack detection model is trained on sample first network attribute feature vectors and corresponding first abnormal attack labels; that is, the model is a detection tool trained by machine learning. A large number of sample first network attribute feature vectors and corresponding first abnormal attack labels are used for training, and the parameters of the abnormal attack detection model are continuously corrected and optimized until they reach a good effect, meaning that the output of the model is almost consistent with the label values; the criterion can be that the number of training iterations reaches a preset value or that the loss function falls below a preset value.
The sample first network attribute feature vectors and corresponding first abnormal attack labels used for training the abnormal attack detection model are usually obtained as follows: a large number of sample first network attribute feature vectors are constructed from network attribute features extracted from the crawled network traffic log data of the network area to be monitored, and the corresponding first abnormal attack labels are obtained by manually labeling the feature vectors or by processing them with other high-accuracy abnormal attack detection tools, which is not specifically limited herein. The neural network structure used in training the abnormal attack detection model is also specified: a combined classifier is selected, which avoids the bias in classification results of a traditional single classifier and thereby improves the accuracy of classification.
The method for detecting the dynamic network abnormal attack comprises the steps of constructing a network attribute feature vector based on crawled network flow log data; inputting the network attribute feature vector into an abnormal attack detection model, and outputting a corresponding abnormal attack detection result; the abnormal attack detection model is obtained by training based on a sample first network attribute feature vector and a corresponding first abnormal attack label, and a classifier is constructed by using a combined classifier algorithm in the training process of the abnormal attack detection model. Because the combined classifier is used in the training process of the abnormal attack detection model, the problem that the model used in the traditional network abnormal attack detection is the neural network training constructed based on a single classifier, so that the model has bias and low accuracy is solved, and the accuracy of the network abnormal attack detection is improved. Therefore, the method provided by the invention realizes the improvement of the accuracy of the network abnormal attack detection.
Based on the above embodiment, in the method, the first sample network attribute feature vector and the corresponding first abnormal attack label are the output obtained by inputting, into a label cleaning model, a sample network attribute feature vector determined from the crawled original network traffic log data together with a corresponding second abnormal attack label;
the label cleaning model is trained on samples constructed from second sample network attribute feature vectors with added noisy abnormal attack labels, together with the corresponding real labels.
Specifically, the training data for the abnormal attack detection model (the first sample network attribute feature vectors and corresponding first abnormal attack labels) are obtained by label cleaning applied to sample network attribute feature vectors constructed from network attribute features of the extracted original network traffic log data, together with corresponding second abnormal attack labels determined in a preset manner. The preset manner may be manual labeling, or processing the sample network attribute feature vectors with an existing abnormal attack detection tool, and is not specifically limited here. Because the preset manner cannot guarantee the accuracy of the labels, label cleaning is needed to correct samples with wrong labels. The cleaning is further specified to be performed by a label cleaning model, which is a label cleaning tool obtained by machine learning, trained on a training set of a large number of samples and corresponding noisy labels.
The training data of the label cleaning model consist of second sample network attribute feature vectors and manually labeled noisy abnormal attack labels; further, the training data set of the label cleaning model is constructed as follows:
First, a large amount of network traffic log data of the network area to be monitored on the Internet is crawled, network attribute features are extracted from the log data, and a large number of second sample network attribute feature vectors are constructed. An abnormal attack label is determined for each second sample network attribute feature vector; this may be done by manual labeling or with an existing abnormal attack detection tool, and is not specifically limited. The labels so obtained are taken to be accurate by default, and the second sample network attribute feature vectors with their accurate abnormal attack labels are used as a clean training data set. Noise is then added uniformly to the clean training data set so that 0-90% of the sample labels are changed into wrong labels, where each wrong label is selected with equal probability from all categories other than the accurate label; the label noise level of the training data set is controlled by a preset proportion, giving a noisy training data set. For example, for any second sample network attribute feature vector $A_i$ in the clean training data set, the corresponding accurate abnormal attack label is $T_i^j$, $i = 1, 2, \dots, M$, where $M$ is the number of second sample network attribute feature vectors in the clean training data set. If $j > 1$, $j$ denotes the $(j-1)$th abnormal attack type; otherwise $j$ denotes no abnormal attack; $j = 1, 2, \dots, Q+1$, where $Q$ is the number of abnormal attack types.
Uniform label noise is added as follows: for the accurate abnormal attack label $T_i^j$, a wrong label $T_i^s$ is picked at random, with equal probability, from the other $Q$ abnormal attack detection results besides the $j$th, with $s \neq j$ and $s \in [1, Q+1]$, and attached to the corresponding second sample network attribute feature vector $A_i$ as a sample in the noisy training data set. The $i$th sample in the noisy training data set is therefore $[A_i, T_i^s]$, and its corresponding label is $T_i^j$. During training, the label cleaning model continuously outputs an evaluation of whether the noisy label, represented by the last feature dimension of the sample, is accurate; the evaluation is compared with the real label to compute the value of the loss function, which is fed back to adjust the parameters of the neural network being optimized in the label cleaning model, until the evaluation output by the model is almost consistent with the real label, which completes the training.
In the traditional abnormal attack detection method, whether a sample for training an abnormal attack detection model and a corresponding label are real, accurate and free of noise is not considered, but when a training data set for training the abnormal attack detection model is constructed by the label cleaning model provided by the invention, the originally constructed sample and the label are subjected to label cleaning by using the label cleaning model, so that a more accurate and real training data set for training the abnormal attack detection model is obtained.
Based on any one of the above embodiments, in the method, a multilayer perceptron algorithm is adopted in the label cleaning model training process.
Specifically, when the label cleaning model is trained, a multilayer perceptron algorithm is used and the label cleaning model is continuously updated: training data for the label cleaning model arrive in batches, each batch is input into the label cleaning model obtained from the previous round of updating for label cleaning, and the cleaned samples and label data are added to the previous round's training data to retrain and update the label cleaning model.
Based on any one of the above embodiments, in the method, the multi-layer perceptron algorithm is adopted in the label cleaning model training process, and specifically includes:
performing label noise filtering on sample label data input in the current round by using the middle label cleaning model obtained in the previous round of training to obtain clean sample label data;
adding the clean sample label data into the sample label data used in the previous round of training, and training again to update the middle label cleaning model.
Specifically, a label cleaning model is continuously updated by using a multilayer perceptron algorithm, noise data are filtered from the training data of the arriving batch, and clean and accurate samples and label data are screened out and used for training a subsequent abnormal attack detection model. The specific algorithm is described by the following steps:
step 1: the original data is read.
Step 2: the raw data is divided into a training set D and a test set P.
Step 3: in order to explore the influence of different levels of label noise on an abnormal attack detection model, the label noise level of a training set is controlled by a uniform label noise method (0-90% of sample labels of the training set are changed into wrong labels, wherein the labels are selected from all categories except real labels with equal probability), and a training set D (S) containing noise is obtained.
Step 4: Initialize $i = 0$. When $i = 0$, select $S_0$ samples from the training set $D$ as the initial sample set $D_0$ ($|D_0| = S_0$); train the label quality evaluator $L: \mathbb{R}^f \to q \in \{0, 1\}$ on $D_0$ (each sample has $f$ features and belongs to a class $q$, where $q \in \{0, 1\}$), obtaining the label quality evaluator model $L_0$.
Step 5: Let $i = i + 1$. When $i \neq 0$, select $N$ samples $d_{1,i}, d_{2,i}, \dots, d_{N,i}$ from the training set $D$ as the batch sample set $D_i$. The label quality evaluator model $S_{i-1}$ evaluates the label of each sample $d_{j,i}$ in the batch sample set $D_i$; if
Figure BDA0002988830070000101
the label is judged incorrect and the sample is discarded; if instead
Figure BDA0002988830070000102
the clean-label samples are merged to form the sample set
Figure BDA0002988830070000103
Step 6: If $i < (S - S_0)/N$, $D_0$,
Figure BDA0002988830070000104
are used to retrain the label quality evaluator, obtaining the label quality evaluator model $S_i$, and the procedure loops back to Step 5; if $i \ge (S - S_0)/N$,
Figure BDA0002988830070000105
is used to train the anomaly classifier $C: \mathbb{R}^f \to k \in \{0, 1, \dots, K\}$ (each sample has $f$ features and belongs to a class $k$, where $k \in \{0, 1, \dots, K\}$), obtaining the anomaly classifier model $C_i$. The test set P is predicted with the anomaly classifier model $C_i$, the prediction accuracy is calculated, and the procedure ends.
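The batch-wise loop of Steps 3 to 6, as an added example that is not code from the patent. It assumes a nearest-centroid classifier in place of the multilayer perceptron evaluator, constructed two-feature data, a clean initial set D_0, and, because the page's discard criterion sits in a formula that is not reproduced here, that a sample is discarded when the evaluator's prediction disagrees with its given label; all names are hypothetical.

```python
import random

def make_samples(rng, n):
    """Constructed data: class 0 clusters near (0, 0), class 1 near (3, 3).
    Each sample is (features, given_label, true_label)."""
    out = []
    for _ in range(n):
        q = rng.randint(0, 1)
        x = (rng.gauss(3.0 * q, 0.7), rng.gauss(3.0 * q, 0.7))
        out.append((x, q, q))
    return out

def add_uniform_label_noise(rng, samples, rate, classes=(0, 1)):
    """Step 3: give exactly `rate` of the samples a wrong label, drawn with
    equal probability from every class except the true one."""
    flipped = set(rng.sample(range(len(samples)), round(rate * len(samples))))
    noisy = []
    for idx, (x, given, true) in enumerate(samples):
        if idx in flipped:
            given = rng.choice([c for c in classes if c != true])
        noisy.append((x, given, true))
    return noisy

class CentroidEvaluator:
    """Stand-in label quality evaluator (assumption: the page trains an MLP)."""

    def fit(self, samples):
        sums = {}
        for x, given, _ in samples:
            s = sums.setdefault(given, [0.0, 0.0, 0])
            s[0] += x[0]
            s[1] += x[1]
            s[2] += 1
        self.centroids = {q: (s[0] / s[2], s[1] / s[2]) for q, s in sums.items()}
        return self

    def predict(self, x):
        def dist2(q):
            cx, cy = self.centroids[q]
            return (x[0] - cx) ** 2 + (x[1] - cy) ** 2
        return min(self.centroids, key=dist2)

def clean_label_stream(initial, stream, batch_size):
    """Steps 4-6: train on D_0, then for each arriving batch D_i keep only the
    samples whose given label the previous-round evaluator agrees with
    (assumed criterion), merge them into the training data and retrain."""
    kept = list(initial)
    evaluator = CentroidEvaluator().fit(kept)
    discarded = 0
    for start in range(0, len(stream), batch_size):
        batch = stream[start:start + batch_size]
        clean = [s for s in batch if evaluator.predict(s[0]) == s[1]]
        discarded += len(batch) - len(clean)
        kept.extend(clean)
        evaluator = CentroidEvaluator().fit(kept)
    return kept, discarded, evaluator

def wrong_label_rate(samples):
    """Fraction of samples whose given label differs from the true label."""
    return sum(1 for _, given, true in samples if given != true) / len(samples)

def run_demo(noise_rate=0.30, seed=7):
    rng = random.Random(seed)
    initial = make_samples(rng, 100)  # D_0, assumed clean
    stream = add_uniform_label_noise(rng, make_samples(rng, 600), noise_rate)
    kept, discarded, _ = clean_label_stream(initial, stream, batch_size=100)
    return {
        "stream_wrong_rate": wrong_label_rate(stream),
        "kept_wrong_rate": wrong_label_rate(kept),
        "discarded": discarded,
        "kept": len(kept),
    }

if __name__ == "__main__":
    print(run_demo())
```

Because every round trusts the evaluator from the round before, the quality of D_0 bounds everything downstream, which is the initial-sample dependence the experiments on this page measure.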
Based on any embodiment, in the method, the combined classifier includes at least two of the following classifiers:
a K-nearest-neighbor classifier, a decision tree classifier, and a support vector machine classifier.
Specifically, because a small amount of label noise remains in the samples even after label quality has been evaluated with the multilayer perceptron algorithm before the abnormal attack detection model is trained, a combined classifier model is used for anomaly classification when training the abnormal attack detection model. As for the combination method, given the time complexity of the Stacking algorithm and the sensitivity of the Boosting algorithm to noise, a voting classifier is chosen, with soft voting as the decision rule (in soft voting, generally, the probabilities that all models assign to a sample belonging to a given class are averaged, and the class with the highest average is taken as the final prediction). In addition, the base classifiers are chosen for diversity as well as accuracy. Fig. 2 is a schematic diagram illustrating exemplary values of a voting classifier provided by the present invention. As shown in Fig. 2, if the combined classifier includes three types of base classifiers, the three machine learning algorithms K-nearest-neighbor (KNN), decision tree (CART) and support vector machine (SVM) are adopted as base classifiers and the final result is computed by soft voting. Because the three base classifiers rest on different classification principles, the diversity of the combined classifier is enhanced, and it has good complementarity and accuracy.
Based on any of the above embodiments, in the method, the abnormal attack detection result is determined by the following formula:
Figure BDA0002988830070000111
$i = 0$ or $1$
where, when $i = 0$,
Figure BDA0002988830070000112
is the probability, output by the $k$-th classifier in the combined classifier, that the detection result is no abnormal attack, and
Figure BDA0002988830070000113
is the probability that the abnormal attack detection result is no abnormal attack; when $i = 1$,
Figure BDA0002988830070000114
is the probability, output by the $k$-th classifier in the combined classifier, that the detection result is an abnormal attack, and
Figure BDA0002988830070000115
is the probability that the abnormal attack detection result is an abnormal attack; $\alpha_k$ is the weight coefficient of the $k$-th classifier in the combined classifier, and $N$ is the number of classifiers in the combined classifier.
Specifically, 11 classes of abnormal attack detection results are defined here: 10 classes of abnormal attacks and 1 class with no abnormal attack (also called benign), so the output is expressed as the probabilities of the various classes. Because a combined classifier is used, any classifier k outputs a probability of abnormal attack and a probability of no abnormal attack, and the final result must take the outputs of all the classifiers into account. The most common way of doing so is the weighting method of soft decision: each classifier's output probability for an abnormal attack result is scaled by its weight coefficient, which is determined at initial setup, and the scaled values of all the classifiers for the same abnormal attack result are summed to give the final result. $\alpha_k$ is set in positive correlation with the degree of deviation of the $k$-th base classifier in the combined classifier.
In the method according to any of the above embodiments, $\alpha_k = 1/N$.
Specifically, the most unbiased and simplest way to set the weight coefficients is averaging.
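The weighted soft decision described above, as an added example that is not code from the patent: each classifier's class probabilities are scaled by its weight and summed per class, with the averaging weights 1/N as the default. The function names, the sample probabilities and the requirement that the weights sum to 1 are assumptions made for this sketch; a hard majority vote is included only for comparison.

```python
from collections import Counter

def soft_vote(prob_rows, weights=None):
    """Weighted soft vote. prob_rows[k][i] is the probability that classifier k
    assigns to class i. Returns (winning_class, combined_probabilities)."""
    n = len(prob_rows)
    if n == 0:
        raise ValueError("need at least one classifier")
    if weights is None:
        weights = [1.0 / n] * n  # averaging: alpha_k = 1/N
    # Assumption of this sketch: weights are non-negative and sum to 1,
    # so the combined scores are still probabilities.
    if len(weights) != n or min(weights) < 0 or abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("weights must be non-negative, one per classifier, summing to 1")
    n_classes = len(prob_rows[0])
    for row in prob_rows:
        if len(row) != n_classes or min(row) < 0 or abs(sum(row) - 1.0) > 1e-6:
            raise ValueError("each classifier must output one probability distribution")
    combined = [
        sum(w * row[i] for w, row in zip(weights, prob_rows))
        for i in range(n_classes)
    ]
    winner = max(range(n_classes), key=lambda i: combined[i])
    return winner, combined

def hard_vote(prob_rows):
    """Majority vote over each classifier's own top class, for comparison."""
    tops = [max(range(len(row)), key=lambda i: row[i]) for row in prob_rows]
    return Counter(tops).most_common(1)[0][0]

# Constructed outputs for one flow; class 0 = no abnormal attack, 1 = abnormal attack.
SAMPLE = [
    [0.55, 0.45],  # KNN: weakly "no attack"
    [0.60, 0.40],  # CART: weakly "no attack"
    [0.05, 0.95],  # SVM: strongly "attack"
]

if __name__ == "__main__":
    print("hard vote:", hard_vote(SAMPLE))
    print("soft vote, alpha_k = 1/N:", soft_vote(SAMPLE))
    print("soft vote, weights 0.45/0.45/0.10:", soft_vote(SAMPLE, [0.45, 0.45, 0.10]))
```

On this constructed input two of the three classifiers lean towards "no attack", yet the averaged probabilities favour "attack"; shifting weight away from the confident classifier reverses the decision.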
The following describes the dynamic network abnormal attack detection device provided by the present invention, and the dynamic network abnormal attack detection device described below and the dynamic network abnormal attack detection method described above can be referred to in correspondence.
Fig. 3 is a schematic structural diagram of the dynamic network anomaly attack detection apparatus provided by the present invention, as shown in fig. 3, including a crawling unit 310 and a detection unit 320, wherein,
the crawling unit 310 is configured to construct a network attribute feature vector based on the crawled network traffic log data;
the detecting unit 320 is configured to input the crawled network traffic log data into an abnormal attack detection model, and output a corresponding abnormal attack detection result;
the abnormal attack detection model is obtained by training based on first sample network flow log data and a corresponding first abnormal attack label, and a classifier is constructed by using a combined classifier algorithm in the training process of the abnormal attack detection model.
The dynamic network abnormal attack detection device provided by the invention constructs a network attribute feature vector from the crawled network traffic log data, inputs the network attribute feature vector into an abnormal attack detection model, and outputs a corresponding abnormal attack detection result; the abnormal attack detection model is obtained by training on a first sample network attribute feature vector and a corresponding first abnormal attack label, and a classifier is constructed with a combined classifier algorithm during training of the abnormal attack detection model. Because a combined classifier is used in training the abnormal attack detection model, this overcomes the problem that the models used in traditional network abnormal attack detection are neural networks trained on a single classifier, which makes them biased and inaccurate. The device provided by the invention therefore improves the accuracy of network abnormal attack detection.
Based on the above embodiment, in the apparatus, the first sample network attribute feature vector and the corresponding first abnormal attack label are the output obtained by inputting a sample network attribute feature vector, determined from the crawled original network traffic log data, and the corresponding second abnormal attack label into a label cleaning model;
the label cleaning model is obtained by training on samples constructed from a second sample network attribute feature vector and a noise-added abnormal attack label, together with the corresponding real label.
Based on the above embodiment, in the device, a multi-layer perceptron algorithm is adopted in the label cleaning model training process.
Based on the above embodiment, in the apparatus, the multilayer perceptron algorithm is adopted in the label cleaning model training process, and specifically includes:
performing label noise filtering on the sample label data input in the current round by using the intermediate label cleaning model obtained in the previous round of training, to obtain clean sample label data;
adding the clean sample label data to the sample label data used in the previous round of training, and training again to update the intermediate label cleaning model.
Based on the above embodiment, in the apparatus, the combined classifier includes at least two of the following classifiers:
a K-nearest-neighbor classifier, a decision tree classifier, and a support vector machine classifier.
Based on the above embodiment, in the apparatus, the abnormal attack detection result is determined by the following formula:
Figure BDA0002988830070000131
$i = 0$ or $1$
where, when $i = 0$,
Figure BDA0002988830070000132
is the probability, output by the $k$-th classifier in the combined classifier, that the detection result is no abnormal attack, and
Figure BDA0002988830070000141
is the probability that the abnormal attack detection result is no abnormal attack; when $i = 1$,
Figure BDA0002988830070000142
is the probability, output by the $k$-th classifier in the combined classifier, that the detection result is an abnormal attack, and
Figure BDA0002988830070000143
is the probability that the abnormal attack detection result is an abnormal attack; $\alpha_k$ is the weight coefficient of the $k$-th classifier in the combined classifier, and $N$ is the number of classifiers in the combined classifier.
Based on the above embodiment, in the device, $\alpha_k = 1/N$.
Based on the above embodiment, an experiment is provided to verify the effect of the abnormal attack detection provided by the present invention.
The verification of the MCRAD anomaly detection model algorithm uses a real data set as the experimental data set throughout; the data set was collected from an Ecobee thermostat Internet-of-Things device infected by 10 kinds of malicious attacks launched by the Mirai and Bashlite software in real life by y. Table 1 is the data set attribute information table and Table 2 is the data set category information table. As shown in Tables 1 and 2, the data set has 115 attributes and includes 10 attack types and 1 "benign" type, and the number of samples of each type is balanced.
TABLE 1 data set Attribute information
Figure BDA0002988830070000144
Figure BDA0002988830070000151
TABLE 2 data set Category information
Figure BDA0002988830070000152
Table 3 description of the data set
Figure BDA0002988830070000153
Table 3 is a data set description table, and in the experiment, the number of initial clean data instances of the thermostat device data set was changed from 1000 to 6000, and after a plurality of experiments, the classification accuracy was measured after all batches of data arrived, and finally the data set size was determined as shown in table 3.
Before the experiment begins, the data are processed and noise of different levels is added. Each experiment is repeated 10 times, and the average anomaly detection accuracy is used as the evaluation index. The MCRAD model is compared with the RAD model and the optimal sample selection (OptSel) model: the RAD model screens out the clean samples in all batches with a multilayer perceptron algorithm and trains an anomaly classifier, which uses a K-nearest-neighbor algorithm, to calculate the anomaly detection accuracy; the optimal sample selection (OptSel) model simulates an unknown agent that perfectly distinguishes the clean samples in all batches, trains an anomaly classifier, and calculates the anomaly detection accuracy with a combined classifier algorithm.
(1) Fig. 4 is a schematic diagram comparing the effect of the initial sample on model accuracy in the experimental verification provided by the present invention. With the initial sample set to 6000 and noise at 30%, the MCRAD model always maintains an accuracy of about 98%. The experiment then varies the number of initial clean data instances of the thermostat device data set from 1000 to 7000 and measures the classification accuracy after all batches of data have arrived, giving the result shown in Fig. 4.
Fig. 4 shows that with 2000 initial samples the MCRAD model has an accuracy of about 97%, 2% higher than the RAD model, and that with 6000 and 7000 initial samples its accuracy is close to that of the OptSel model without noise. The combined classifier therefore has stronger error recovery capability and stability than a single classifier, and depends less on the initial sample than the RAD model.
(2) Fig. 5 is a schematic diagram showing comparison of model accuracy rates under experimental verification of 30% noise provided by the present invention, where 30% noise is set, an initial sample is set to 6000, a data batch is set to 300, and the RAD and MCRAD models are reproduced under the same setting, so as to obtain the result of fig. 5.
The accuracy of the RAD model improves gradually until it stabilizes, finally reaching about 96%. As more "clean" data arrives, the MCRAD model converges quickly and its accuracy stays at about 98%, so the MCRAD model with the combined classifier is more stable, more accurate and more usable than the RAD model. In addition, the accuracy of the MCRAD model is higher than that of the combined classifier, which shows that the two-layer architecture plays an important role in improving the accuracy of the combined classifier.
(3) On this basis, Fig. 6 is a schematic diagram of accuracy under different noise levels with 6000 initial samples in the experimental verification provided by the present invention. In the experiment the initial sample is set to 6000 and the anomaly classification of the models is examined under different noise levels. Label noise of 0-90% is applied to the RAD and MCRAD models, giving the results shown in Fig. 6.
As shown in Fig. 6, with 6000 initial samples the MCRAD model still performs well at different noise levels and approaches the OptSel model when the noise is below 40%; in terms of accuracy and usability, the MCRAD model is more stable and better than the RAD model.
Compared with the prior art, the method has the advantages that the combined classifier algorithm is used in the abnormal classifier module, and the influence of noise on the initial sample and the influence of classification accuracy are reduced. Experiments prove that the dependence of the MCRAD model on the initial sample number is weaker than that of the RAD model without the combined classifier, and the model is more stable. Under different noise levels, the MCRAD model is obviously superior to the RAD model, and the advantages of the combined classifier are reflected. The MCRAD model combines the advantages of the RAD framework and the combined classifier, and has obvious advantages in effectiveness and usability.
Fig. 7 is a schematic physical structure diagram of an electronic device provided in the present invention, and as shown in fig. 7, the electronic device may include: a processor (processor)710, a communication Interface (Communications Interface)720, a memory (memory)730, and a communication bus 740, wherein the processor 710, the communication Interface 720, and the memory 730 communicate with each other via the communication bus 740. Processor 710 may invoke logic instructions in memory 730 to perform a dynamic network anomaly attack detection method comprising: constructing a network attribute feature vector based on the crawled network traffic log data; inputting the network attribute feature vector into an abnormal attack detection model, and outputting a corresponding abnormal attack detection result; the abnormal attack detection model is obtained by training based on a sample first network attribute feature vector and a corresponding first abnormal attack label, and a classifier is constructed by using a combined classifier algorithm in the training process of the abnormal attack detection model.
In addition, the logic instructions in the memory 730 can be implemented in the form of software functional units and stored in a computer readable storage medium when the software functional units are sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
In another aspect, the present invention also provides a computer program product, which includes a computer program stored on a non-transitory computer-readable storage medium, the computer program including program instructions, when the program instructions are executed by a computer, the computer being capable of executing the dynamic network anomaly attack detection method provided by the above methods, the method including: constructing a network attribute feature vector based on the crawled network traffic log data; inputting the network attribute feature vector into an abnormal attack detection model, and outputting a corresponding abnormal attack detection result; the abnormal attack detection model is obtained by training based on a sample first network attribute feature vector and a corresponding first abnormal attack label, and a classifier is constructed by using a combined classifier algorithm in the training process of the abnormal attack detection model.
In yet another aspect, the present invention also provides a non-transitory computer-readable storage medium, on which a computer program is stored, the computer program being implemented by a processor to execute the dynamic network anomaly attack detection method provided by the above methods, the method including: constructing a network attribute feature vector based on the crawled network traffic log data; inputting the network attribute feature vector into an abnormal attack detection model, and outputting a corresponding abnormal attack detection result; the abnormal attack detection model is obtained by training based on a sample first network attribute feature vector and a corresponding first abnormal attack label, and a classifier is constructed by using a combined classifier algorithm in the training process of the abnormal attack detection model.
The above-described server embodiments are only illustrative, and the units described as separate components may or may not be physically separate, and components displayed as units may or may not be physical units, may be located in one place, or may be distributed on multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A dynamic network abnormal attack detection method is characterized by comprising the following steps:
constructing a network attribute feature vector based on the crawled network traffic log data;
inputting the network attribute feature vector into an abnormal attack detection model, and outputting a corresponding abnormal attack detection result;
the abnormal attack detection model is obtained by training on a first sample network attribute feature vector and a corresponding first abnormal attack label, and a classifier is constructed by using a combined classifier algorithm in the training process of the abnormal attack detection model.
2. The method according to claim 1, wherein the first sample network attribute feature vector and the corresponding first abnormal attack label are the output obtained by inputting a sample network attribute feature vector, determined from the crawled original network traffic log data, and the corresponding second abnormal attack label into a label cleaning model;
the label cleaning model is obtained by training on samples constructed from a second sample network attribute feature vector and a noise-added abnormal attack label, together with the corresponding real label.
3. The method for detecting the dynamic network abnormal attack as claimed in claim 2, wherein a multi-layer perceptron algorithm is adopted in the label cleaning model training process.
4. The method for detecting the abnormal attack on the dynamic network according to claim 3, wherein a multi-layer perceptron algorithm is adopted in the training process of the label cleaning model, and the method specifically comprises the following steps:
performing label noise filtering on the sample label data input in the current round by using the intermediate label cleaning model obtained in the previous round of training, to obtain clean sample label data;
adding the clean sample label data to the sample label data used in the previous round of training, and training again to update the intermediate label cleaning model.
5. The dynamic network anomaly attack detection method according to any one of claims 1-4, wherein the combined classifier comprises at least two of the following classifiers:
a K-nearest-neighbor classifier, a decision tree classifier, and a support vector machine classifier.
6. The dynamic network abnormal attack detection method according to any one of claims 1-4, wherein the abnormal attack detection result is determined by the following formula:
Figure FDA0002988830060000021
$i = 0$ or $1$
where, when $i = 0$,
Figure FDA0002988830060000022
is the probability, output by the $k$-th classifier in the combined classifier, that the detection result is no abnormal attack, and
Figure FDA0002988830060000023
is the probability that the abnormal attack detection result is no abnormal attack; when $i = 1$,
Figure FDA0002988830060000024
is the probability, output by the $k$-th classifier in the combined classifier, that the detection result is an abnormal attack, and
Figure FDA0002988830060000025
is the probability that the abnormal attack detection result is an abnormal attack; $\alpha_k$ is the weight coefficient of the $k$-th classifier in the combined classifier, and $N$ is the number of classifiers in the combined classifier.
7. The dynamic network anomaly attack detection method according to claim 6, wherein $\alpha_k = 1/N$.
8. A dynamic network anomaly attack detection apparatus, comprising:
the crawling unit is used for constructing a network attribute feature vector based on the crawled network traffic log data;
the detection unit is used for inputting the crawled network flow log data into the abnormal attack detection model and outputting a corresponding abnormal attack detection result;
the abnormal attack detection model is obtained by training based on first sample network flow log data and a corresponding first abnormal attack label, and a classifier is constructed by using a combined classifier algorithm in the training process of the abnormal attack detection model.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the dynamic network anomaly attack detection method according to any one of claims 1 to 7 when executing the program.
10. A non-transitory computer readable storage medium, having stored thereon a computer program, which, when being executed by a processor, implements the steps of the dynamic network anomaly attack detection method according to any one of claims 1 to 7.
CN202110308731.2A 2021-03-23 2021-03-23 Dynamic network abnormal attack detection method and device, electronic equipment and storage medium Active CN113206824B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110308731.2A CN113206824B (en) 2021-03-23 2021-03-23 Dynamic network abnormal attack detection method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN113206824A true CN113206824A (en) 2021-08-03
CN113206824B CN113206824B (en) 2022-06-24

Family

ID=77025605

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110308731.2A Active CN113206824B (en) 2021-03-23 2021-03-23 Dynamic network abnormal attack detection method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113206824B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant