CN116866089A - Network flow detection method and device based on twin capsule network - Google Patents


Publication number
CN116866089A
Authority
CN
China
Prior art keywords
network
capsule
capsule network
capsules
similarity
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202311132870.XA
Other languages
Chinese (zh)
Other versions
CN116866089B (en)
Inventor
林凯瀚
韩伟红
贾焰
顾钊铨
李树栋
梅阳阳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Peng Cheng Laboratory
Original Assignee
Peng Cheng Laboratory
Application filed by Peng Cheng Laboratory
Priority to CN202311132870.XA
Publication of CN116866089A
Application granted
Publication of CN116866089B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/02 Capturing of monitoring data
    • H04L43/028 Capturing of monitoring data by filtering
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/04 Processing captured monitoring data, e.g. for logfile generation
    • H04L43/045 Processing captured monitoring data, e.g. for logfile generation for graphical visualisation of monitoring data
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/306 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting packet switched data communications, e.g. Web, Internet or IMS communications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Abstract

The application discloses a network flow detection method and a device based on a twin capsule network, wherein the method comprises the following steps: acquiring flow data, and performing imaging processing on the flow data to obtain gray scale image information; inputting gray map information into a preset twin capsule network to obtain a distance value between the gray map information and a class center feature of the twin capsule network, wherein the twin capsule network comprises a plurality of capsule networks with the same structure, a loss function of the capsule network is determined by a triplet loss function and a center loss function, and a similarity matrix between capsules in the capsule network is determined by a vector dot product of the capsules; and obtaining a detection result according to the distance value. The loss function of the capsule network is improved, so that the twin capsule network can better distinguish the similarity among samples, the feature extraction efficiency of the twin capsule network is improved through a similarity matrix, and the detection efficiency and the accuracy of network flow are ensured.

Description

Network flow detection method and device based on twin capsule network
Technical Field
The application relates to the technical field of flow detection, in particular to a network flow detection method and device based on a twin capsule network.
Background
In recent years, with the rapid development of internet technology, network attacks have become a problem that cannot be ignored. Attackers target network systems by various means, such as exploits, Trojans, and distributed denial of service (DDoS) attacks, posing a great threat to network security. Research into network traffic detection techniques is therefore critical to maintaining cyberspace security.
Currently, network attack traffic detection technology has achieved some results and is mainly divided into feature-based methods and deep learning-based methods. Feature-based methods extract selected features by analyzing data such as network traffic and event logs, and use a machine learning algorithm to classify those features in order to judge whether the network is under attack. Because they are simple to apply and quick to respond, these methods are widely used in fields such as enterprise network security and e-government. However, attack techniques now change continuously and new attack characteristics are often quickly covered or hidden, so feature-based methods must keep updating their feature sets to maintain detection quality. In addition, constructing a feature set has strict theoretical requirements and needs complex reasoning and calculation. As a result, existing feature-based detection methods generalize poorly, are costly to keep updated, and have limited detection accuracy in a constantly changing network environment.
Disclosure of Invention
In order to solve the problems, the application aims to provide a network flow detection method and device based on a twin capsule network and a storage medium thereof, which improve the feature extraction efficiency of the twin capsule network and ensure the detection efficiency and accuracy of the network flow.
The application solves the problems by adopting the following technical scheme:
In a first aspect, an embodiment of the present application provides a network traffic detection method based on a twin capsule network, where the method includes: acquiring flow data, and performing imaging processing on the flow data to obtain gray scale image information; inputting the gray map information into a preset twin capsule network to obtain a distance value between the gray map information and a class center feature of the twin capsule network, wherein the twin capsule network comprises a plurality of capsule networks with the same structure, a loss function of the capsule network is determined by a triplet loss function and a center loss function, and a similarity matrix among capsules in the capsule network is determined by a vector dot product of the capsules; and obtaining a detection result according to the distance value.
In a second aspect, an embodiment of the present application provides a network traffic detection device based on a twin capsule network, including: the acquisition module is used for acquiring flow data and carrying out imaging processing on the flow data to obtain gray scale image information; the calculation module is used for inputting the gray map information into a preset twin capsule network to obtain a distance value between the gray map information and a class center feature of the twin capsule network, wherein the twin capsule network comprises a plurality of capsule networks with the same structure, a loss function of the capsule network is determined by a triplet loss function and a center loss function, and a similarity matrix among capsules in the capsule network is determined by a vector dot product of the capsules; and the detection module is used for obtaining a detection result according to the distance value.
In a third aspect, an embodiment of the present application provides an electronic device, including: the system comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor realizes the network traffic detection method based on the twin capsule network when executing the computer program.
In a fourth aspect, an embodiment of the present application provides a computer readable storage medium storing a computer program which, when executed by a processor, implements the network traffic detection method based on a twin capsule network as described above.
According to the embodiment of the application, the gray scale image information is obtained by acquiring the flow data and performing imaging processing on the flow data; inputting gray map information into a preset twin capsule network to obtain a distance value between the gray map information and a class center feature of the twin capsule network, wherein the twin capsule network comprises a plurality of capsule networks with the same structure, a loss function of the capsule network is determined by a triplet loss function and a center loss function, and a similarity matrix between capsules in the capsule network is determined by a vector dot product of the capsules; and obtaining a detection result according to the distance value. The loss function of the capsule network is improved, so that the twin capsule network can better distinguish the similarity among samples, the feature extraction efficiency of the twin capsule network is improved through a similarity matrix, and the detection efficiency and the accuracy of network flow are ensured.
Additional aspects and advantages of the application will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the application.
Drawings
FIG. 1 is a flowchart of a network traffic detection method based on a twin capsule network according to an embodiment of the present application;
FIG. 2 is a flowchart of step S1000 in FIG. 1;
FIG. 3 is a flowchart of step S2000 in FIG. 1;
FIG. 4 is a flowchart of step S2300 in FIG. 3;
FIG. 5 is a flowchart of step S2330 in FIG. 4;
FIG. 6 is a flowchart of another embodiment of step S2000 in FIG. 1;
FIG. 7 is a block diagram of the twin capsule network in step S2000 of FIG. 1;
FIG. 8 is a flowchart of a network traffic detection method based on a twin capsule network according to another embodiment of the present application;
FIG. 9 is a block diagram of a network traffic detection device based on a twin capsule network according to an embodiment of the present application;
FIG. 10 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
Embodiments of the present application are described in detail below, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to like or similar elements or elements having like or similar functions throughout. The embodiments described below by referring to the drawings are illustrative only and are not to be construed as limiting the application.
In the description of the present application, it should be understood that references to orientation descriptions such as upper, lower, front, rear, left, right, etc. are based on the orientation or positional relationship shown in the drawings, are merely for convenience of description of the present application and to simplify the description, and do not indicate or imply that the apparatus or elements referred to must have a particular orientation, be constructed and operated in a particular orientation, and thus should not be construed as limiting the present application.
In the description of the present application, "several" means one or more and "a plurality" means two or more; "greater than", "less than", "exceeding" and the like are understood to exclude the stated number, while "above", "below", "within" and the like are understood to include it. The terms "first" and "second" are used only to distinguish technical features and should not be construed as indicating or implying relative importance, the number of the technical features indicated, or their order of precedence.
In the description of the present application, unless explicitly defined otherwise, terms such as arrangement, installation, connection, etc. should be construed broadly and the specific meaning of the terms in the present application can be reasonably determined by a person skilled in the art in combination with the specific contents of the technical scheme.
The network traffic detection method and device based on the twin capsule network in the embodiments of the application are model learning methods based on the capsule network. A capsule network is built on a new structure, the capsule, and by combining it with existing convolutional neural networks (Convolutional Neural Networks, CNN) achieves very strong performance on some image classification data. A capsule is a vector formed by replacing the individual neurons of the original neural network with a group of neurons that are wrapped together. Thus, each layer of a capsule network contains a plurality of capsule base units, which interact with the capsules in the layer above.
The deep learning-based method, on the other hand, constructs a deep neural network model, trains it on a large amount of data so that it automatically learns the characteristics of the network data, and then classifies the network data with a classifier. Compared with feature-based methods, deep learning-based methods have stronger generalization capability and adaptability and can automatically identify new attack characteristics, thanks to the efficient learning capability of deep neural networks. Among deep learning-based methods, models such as CNN and the recurrent neural network (Recurrent Neural Network, RNN) are widely applied and achieve good detection results.
However, although existing network traffic detection methods based on deep learning have achieved good results, these methods still have some drawbacks. For example, the deep convolutional neural network model has a large parameter amount and is slow in processing real-time data. And the recurrent neural network model is easy to have gradient disappearance or explosion problems during training, and the performance of the model is influenced. In addition, in a real network environment, the network traffic detection has the problem of sample imbalance, namely the normal traffic scale is far larger than the scale of attack traffic, so that the trained model has higher false alarm rate.
Based on the above, the embodiment of the application provides a network flow detection method and a device based on a twin capsule network, which obtain gray scale image information by acquiring flow data and performing imaging processing on the flow data; inputting gray map information into a preset twin capsule network to obtain a distance value between the gray map information and a class center feature of the twin capsule network, wherein the twin capsule network comprises a plurality of capsule networks with the same structure, a loss function of the capsule network is determined by a triplet loss function and a center loss function, and a similarity matrix between capsules in the capsule network is determined by a vector dot product of the capsules; and obtaining a detection result according to the distance value. The loss function of the capsule network is improved, so that the twin capsule network can better distinguish the similarity among samples, the feature extraction efficiency of the twin capsule network is improved through a similarity matrix, and the detection efficiency and the accuracy of network flow are ensured.
Referring to fig. 1, fig. 1 shows a flow of a network flow detection method based on a twin capsule network according to an embodiment of the present application. As shown in fig. 1, the network traffic detection method based on the twin capsule network according to the embodiment of the application includes the following steps:
Step S1000, acquiring flow data, and performing imaging processing on the flow data to obtain gray scale image information.
It is understood that because DDoS attacks often use legitimate-looking data requests and add puppet machines, they are among the most difficult network attacks to defend against. DDoS attacks mainly exploit the internet protocol and a fundamental property of the internet, namely that data packets are delivered from any source to any destination without discrimination. Conventional network devices and perimeter security technologies, such as firewalls, intrusion detection systems (Intrusion Detection Systems, IDS), rate limiting and access limiting, do not provide very effective protection against DDoS attacks, and a new architecture and technology is needed to resist complex DDoS attacks. Therefore, obtaining traffic data and quickly classifying it can effectively improve a network's defensive performance under attack and help ensure network security.
It can be understood that in order to improve the learning and analysis efficiency of the learning model, the acquired flow data needs to be subjected to imaging processing, so that the flow data is converted into gray scale map information which can be directly processed by the twin capsule network.
Referring to fig. 2, fig. 2 is a schematic diagram illustrating a specific implementation procedure of another embodiment of the step S1000. As shown in fig. 2, step S1000 includes at least the following steps:
Step S1100, acquiring flow data through honeypot capture or packet capture software.
It can be appreciated that the prior art offers various ways of obtaining traffic data. A honeypot is in effect an information collection system: vulnerabilities are deliberately exposed in a system or network to induce attackers to attack it. This reveals how the attacker operates and which techniques are used, and the collected data and attack patterns are then analyzed to strengthen one's own defenses. Honeypot capture is therefore an active defense technique. By simulating one or more easily attacked vulnerabilities or defects, it lures attackers into launching attacks so that attack traffic and samples can be collected, attack methods analyzed, network threats discovered and threat characteristics extracted. It is a process of offense and defense played against the attacker.
It will be appreciated that packet capture software is software that intercepts network packets so their contents can be viewed. Because it can capture all internet protocol (Internet Protocol, IP) messages during data communication and unpack and analyze them layer by layer, packet capture software has long been a common troubleshooting tool in traditional fixed-network data communication maintenance. In practice there are many common packet capture tools, such as Wireshark, Sniffer Pro, snoop and tcpdump.
Step S1200, performing segmentation processing on the flow data to obtain segmented flow data.
It will be appreciated that network traffic is typically divided into different flows, which are distinguished by their five-tuple (source IP, source port, destination IP, destination port, transport layer protocol). To segment the traffic and identify the end of a flow, the embodiment of the application sets the time threshold to 90 seconds: if no new data packet appears in the time sequence for 90 seconds, the flow is considered to have ended.
Step S1300, cleaning the cut flow data to obtain preprocessed flow data.
It will be appreciated that in real-world network environments, training data and test data often come from different network environments, so their IP addresses and media access control (Media Access Control, MAC) addresses cannot be relied on for classification, and this information needs to be cleaned out of the traffic data. During the cleaning process, there may be network flows whose IP and MAC addresses differ but whose upper layers contain the same data, which results in duplicate samples. To avoid the influence of duplicate samples on model training, the embodiment of the application deduplicates the samples. In addition, the embodiment of the application fixes the data size after the flow splitting and cleaning operations to 784 bytes: if the length is greater than 784 bytes the data is truncated, and 0x00 is used for padding.
Step S1400, converting the preprocessing flow data with fixed length into pixel point data.
It can be understood that after the preprocessed flow data with fixed length and format is obtained, each 8-bit byte of the preprocessed flow data is converted into a decimal pixel value according to the following formula:
where the symbols in the formula denote the corresponding 8 bits of the preprocessed traffic data.
Step S1500, gray scale image information is obtained according to the pixel point data.
It will be appreciated that with the pixel data obtained by the above steps, the 784 bytes of data can be converted into a 28 x 28 gray scale image. Because a 28 x 28 image yields relatively few features, embodiments of the present application reconstruct 9 consecutive 28 x 28 images into an 84 x 84 image.
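The splitting, cleaning and imaging steps S1200 to S1500 can be sketched as follows. This is an added example, not code from the patent: the packet tuples are constructed sample data, flows are treated as unidirectional, and the row-major 3 x 3 tiling of the nine images is an assumption, since the page does not state the layout.

```python
FLOW_TIMEOUT = 90.0   # seconds without a new packet that end a flow (page value)
FLOW_BYTES = 784      # fixed sample length in bytes (page value)
SIDE = 28             # 784 bytes -> one 28 x 28 image
GRID = 3              # 9 consecutive images -> 3 x 3 grid = 84 x 84


def split_flows(packets):
    """S1200: group time-sorted packets by five-tuple, cutting on idle timeout.

    Each packet is (ts, src_ip, src_port, dst_ip, dst_port, proto, payload).
    Returns a list of (five_tuple, concatenated_payload_bytes).
    """
    open_flows = {}            # five-tuple -> [last_seen_ts, bytearray]
    finished = []
    for ts, sip, sport, dip, dport, proto, payload in packets:
        key = (sip, sport, dip, dport, proto)
        state = open_flows.get(key)
        if state is not None and ts - state[0] >= FLOW_TIMEOUT:
            finished.append((key, bytes(state[1])))   # ended by 90 s of silence
            state = None
        if state is None:
            state = open_flows[key] = [ts, bytearray()]
        state[0] = ts
        state[1] += payload
    finished.extend((k, bytes(s[1])) for k, s in open_flows.items())
    return finished


def clean(flows):
    """S1300: ignore the addresses and drop flows whose upper-layer bytes repeat."""
    seen = {}
    for _five_tuple, data in flows:
        seen.setdefault(data, None)    # dict preserves first-seen order
    return list(seen)


def fix_length(data):
    """Fix every sample to 784 bytes: truncate, padding with 0x00."""
    return data[:FLOW_BYTES].ljust(FLOW_BYTES, b"\x00")


def to_image(sample):
    """S1400-S1500: each 8-bit byte becomes one pixel value 0..255."""
    if len(sample) != FLOW_BYTES:
        raise ValueError("sample must be exactly 784 bytes")
    return [list(sample[r * SIDE:(r + 1) * SIDE]) for r in range(SIDE)]


def tile_images(images):
    """Combine 9 consecutive 28x28 images into one 84x84 image (row-major, assumed)."""
    if len(images) != GRID * GRID:
        raise ValueError("exactly 9 images are required")
    big = []
    for block_row in range(GRID):
        for r in range(SIDE):
            row = []
            for block_col in range(GRID):
                row.extend(images[block_row * GRID + block_col][r])
            big.append(row)
    return big


def flows_to_images(packets):
    """Full pipeline: packets -> unique fixed-length flows -> 28x28 images."""
    return [to_image(fix_length(d)) for d in clean(split_flows(packets))]


def _pkt(ts, sport, payload, sip="192.0.2.10"):
    # Constructed sample packet; addresses come from documentation ranges.
    return (ts, sip, sport, "198.51.100.5", 80, "TCP", payload)


REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_PACKETS = [
    _pkt(0.0, 40000, REQUEST[:16]),
    _pkt(1.0, 40000, REQUEST[16:]),
    _pkt(2.0, 40001, b"\x16\x03\x01" + bytes(range(256)) * 4),  # longer than 784
    _pkt(3.0, 50000, REQUEST, sip="192.0.2.77"),   # other host, same upper-layer data
    _pkt(200.0, 40000, REQUEST),                   # same five-tuple after 199 s idle
]

if __name__ == "__main__":
    images = flows_to_images(SAMPLE_PACKETS)
    print(len(split_flows(SAMPLE_PACKETS)), "flows,", len(images), "unique images")
```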
Specifically, in the training stage of the learning model, the embodiment of the present application uses the USTC-TFC2016 data set as basic data. The data set includes 10 types of attack traffic data and 10 types of normal traffic data, and the data processing during training is consistent with the traffic data processing procedure in the above steps, so it is not described again here.
Step S2000, inputting gray map information into a preset twin capsule network to obtain a distance value between the gray map information and a class center feature of the twin capsule network, wherein the twin capsule network comprises a plurality of capsule networks with the same structure, a loss function of the capsule network is determined by a triplet loss function and a center loss function, and a similarity matrix among capsules in the capsule network is determined by a vector dot product of the capsules.
It can be understood that a twin (Siamese) neural network is formed by joining two sub-networks with the same structure and shared weights. Typical sub-networks include CNN and Long Short-Term Memory (LSTM) networks, which are used to extract features of the input samples. When two samples are input, the sub-networks map each sample to a feature vector, the Euclidean distance between the two feature vectors is calculated to represent the difference between them, and this distance is used to fit the similarity difference of the input images, with the result stored as the similarity. The essence of the twin network is to calculate the similarity between samples and to determine the category of the sample to be classified according to that similarity. The embodiment of the application uses the Euclidean distance to measure the similarity between samples, and the specific formula is as follows:
where x, y represent two different vectors.
It will be appreciated that the sub-networks of the twin network are structurally identical and share weights, which ensures that features extracted from an input sample pair lie in the same distribution domain. A twin network takes pairs of samples as input and outputs the probability that they are similar. Compared with a traditional neural network, the twin network performs better when only a small number of samples is available, can learn a similarity measure over features from the existing categories, and can accurately judge very similar samples. The twin network also generalizes well: samples of unknown classes can be compared and distinguished against a sample library. Therefore, the embodiment of the application uses the twin network to extract features from the imaged flow data. To give the model better feature extraction capability while reducing its number of parameters, the embodiment of the application uses a capsule network as the sub-network.
Referring to fig. 3, fig. 3 is a schematic diagram illustrating a specific implementation procedure of another embodiment of the step S2000. As shown in fig. 3, step S2000 includes at least the following steps:
Step S2100, the triplet loss function is determined by a reference sample, a positive sample and a negative sample in the training samples of the capsule network, where the reference sample is generated by the training samples of the capsule network, and the positive sample and the negative sample are generated by a preset training set.
It can be understood that the flow data is converted into gray scale images by the data processing above. The data to be detected is input into the twin capsule network and compared, by traversal, with the positive and negative samples in the sample library; the Euclidean distance is calculated, the similarity prediction is made according to the sample with the maximum similarity, and the prediction result is output. To make the model more discriminative and to speed up its convergence, the loss function of the twin capsule network is improved here: the embodiment of the application replaces the cross entropy loss with a loss function that combines the triplet loss and the center loss. To better distinguish the similarity among samples and better fit the model, the embodiment of the application uses a triplet loss function, which introduces a margin parameter to reduce the distance between samples of the same category and increase the distance between samples of different categories. Specifically, the triplet loss function is shown in the following formula:
wherein a represents a reference sample, P is a positive sample, and N is a negative sample. Thus, the triplet loss function can continuously optimize the model according to the relative distance between samples.
Step S2200, the center loss function is determined by the output characteristics of the training samples in the capsule network and the corresponding class center characteristics.
It can be understood that in order to comprehensively consider the absolute distance between samples, the application adds the center loss on the basis of the triplet loss, and solves the problem of unstable convergence of the triplet loss. Specifically, the center loss function is shown as follows:
where the symbols denote, in order, the number of input samples, the output feature of an individual sample from the capsule network, and that sample's corresponding class center feature.
In practical application, a weight value is set for the center loss function, and the triplet loss function and the center loss function obtained in the above steps are combined by weighted summation to obtain the loss function of the capsule network in the embodiment of the application. The specific formula is as follows:
Specifically, in the embodiment of the present application, the weight value of the center loss function is set to 0.0005.
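The combined loss of steps S2100 and S2200, together with the distance-to-class-center decision it trains for, can be sketched as follows. This is an added example, not the patent's code: because the formulas did not survive on this page, the common textbook forms are assumed (triplet loss max(d(a,p) - d(a,n) + margin, 0) with unsquared Euclidean distance, center loss as half the summed squared distance to the class center, class centers as per-class means), the margin value of 1.0 is an assumption, and the feature vectors are constructed.

```python
import math

MARGIN = 1.0            # assumed value; the page names the margin but gives no number
LAMBDA_CENTER = 0.0005  # weight of the center loss (page value)


def euclidean(x, y):
    """Euclidean distance between two feature vectors."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(x, y)))


def triplet_loss(anchor, positive, negative, margin=MARGIN):
    """Pull the positive closer than the negative by at least `margin`."""
    return max(euclidean(anchor, positive) - euclidean(anchor, negative) + margin, 0.0)


def class_centers(features, labels):
    """Per-class mean feature vector (assumed definition of the class center)."""
    sums, counts = {}, {}
    for f, y in zip(features, labels):
        acc = sums.setdefault(y, [0.0] * len(f))
        for i, v in enumerate(f):
            acc[i] += v
        counts[y] = counts.get(y, 0) + 1
    return {y: tuple(v / counts[y] for v in acc) for y, acc in sums.items()}


def center_loss(features, labels, centers):
    """Half the summed squared distance of each feature to its own class center."""
    return 0.5 * sum(euclidean(f, centers[y]) ** 2 for f, y in zip(features, labels))


def total_loss(triplets, features, labels, centers, lam=LAMBDA_CENTER):
    """Weighted sum: mean triplet loss over the batch plus lam * center loss."""
    l_tri = sum(triplet_loss(a, p, n) for a, p, n in triplets) / len(triplets)
    return l_tri + lam * center_loss(features, labels, centers)


def classify(feature, centers):
    """Detection step: return (label, distance) of the nearest class center."""
    dist, label = min((euclidean(feature, c), y) for y, c in centers.items())
    return label, dist


# Constructed 2-D embeddings standing in for capsule network outputs.
FEATURES = [(0.0, 0.0), (2.0, 0.0), (10.0, 10.0), (10.0, 12.0)]
LABELS = ["benign", "benign", "attack", "attack"]
CENTERS = class_centers(FEATURES, LABELS)
TRIPLETS = [(FEATURES[0], FEATURES[1], FEATURES[2])]  # (anchor, positive, negative)

if __name__ == "__main__":
    print("centers:", CENTERS)
    print("loss:", total_loss(TRIPLETS, FEATURES, LABELS, CENTERS))
    print("verdict:", classify((9.0, 11.0), CENTERS))
```

With a well-separated triplet the triplet term is already zero, so only the small center term remains; swapping the positive and negative makes the triplet term dominate.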
Step S2300, the similarity matrix between the capsules in the capsule network is determined by the vector dot product of the capsules.
It can be understood that, unlike the complex image content in other computer vision tasks, network traffic data carries less information, and the gray scale image obtained by converting the traffic data is more concise, so the dynamic routing process of the capsule network can be optimized to suit network traffic detection better. Specifically, the method uses an attention score to replace the coupling coefficient of the original iterative loop, which simplifies the routing mechanism of the capsule graph. The attention score captures the global information of the capsule layer, and adjusting the weights improves feature extraction efficiency. The embodiment of the application uses graph attention for feature processing and obtains only the position features of the capsules when selecting features.
Referring to fig. 4, fig. 4 is a schematic diagram illustrating a specific implementation procedure of another embodiment of the step S2300. As shown in fig. 4, step S2300 includes at least the steps of:
Step S2310, carrying out channel convolution on the gray map information to obtain a primary capsule.
It will be appreciated that the primary capsules are obtained by channel convolution of the gray-scale image information input to the capsule network. Obtaining the primary capsules by channel convolution is prior art and is not described in detail here.
Step S2320, performing linear transformation on the primary capsule to obtain a prediction capsule.
It can be understood that the predicted capsule in the capsule map network is then obtained by linear transformation, and the specific process is as follows:
wherein the terms denote the weights of the linear transformation, the primary capsule, and the prediction capsule. The transformation matrix encodes important spatial and other relationships between the low-level features and the high-level features. Applying a linear transformation to the primary capsule effectively increases the dimension of the prediction capsule, increases the amount of information in the acquired features, and provides more reference for feature selection.
And step S2330, obtaining the similarity between the prediction capsules according to the vector dot product result of the prediction capsules.
It can be understood that in the computer vision task, the capsules extract different position features respectively, and the embodiment of the application acquires the similarity between the capsules by dot-product attention. Capsules related to important information are highlighted by assigning different weights according to the importance of the information contained in adjacent pixel points. The specific process is as follows:
wherein the two operands are vector prediction capsules of the same layer. The vector dot product accurately represents the degree of similarity between different positions of the image, and the weights are assigned according to the importance of the features.
Step S2340, obtaining a similarity matrix between the prediction capsules according to the similarity.
It can be understood that, after the similarity between the prediction capsules is obtained by the above steps, the similarities are filtered and integrated into a similarity matrix between the prediction capsules, in order to reduce the influence of noise features and improve the accuracy of the similarity.
Referring to fig. 5, fig. 5 is a schematic diagram illustrating a specific implementation procedure of another embodiment of the step S2340. As shown in fig. 5, step S2340 includes at least the following steps:
Step S2341, inputting the similarity into a similarity matrix when the similarity between the prediction capsules is greater than 0.
It will be appreciated that when the similarity between the prediction capsules is greater than 0, the similarity between the prediction capsules can be considered to have a reference meaning, and the similarity can be input into the similarity matrix.
In step S2342, when the similarity between the prediction capsules is less than or equal to 0, the similarity value is set to 0 and then input into the similarity matrix.
It is understood that, in order to reduce the influence of noise characteristics, setting the partial weight to 0 can improve the detection efficiency and speed. Specifically, when the similarity between the prediction capsules is 0 or less, the similarity value is 0. Thus, the specific calculation of the attention score matrix between the predictive capsules is shown in the following formula:
At the same time, the sum of the elements of each row of the attention score matrix can be obtained. The specific formula is as follows:
The row sums form an n×n diagonal matrix D. Then, following the Laplacian eigenmap approach, the layer-wise feature propagation operator of the capsule network is obtained, and clustering yields the high-level capsules. The specific formula is as follows:
wherein the input term denotes the prediction capsules.
Finally, the output is limited to be within the interval of [0,1] by adopting a compression function, and the value of the output capsule is obtained as shown in the following formula:
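The routing steps S2330 to S2342 and the final compression step can be traced in a short added example (not code from the patent), starting from prediction capsules. The propagation operator D^{-1/2} A D^{-1/2} and the standard capsule squash function used here are assumptions, as are all function names and the constructed capsule vectors; the clustering into high-level capsules is not modelled.

```python
import math


def dot(a, b):
    """Vector dot product."""
    return sum(x * y for x, y in zip(a, b))


def attention_scores(pred):
    """Attention score matrix between prediction capsules.

    Entry (i, j) is the dot product of capsules i and j; values
    less than or equal to 0 are stored as 0 (steps S2341 / S2342).
    """
    n = len(pred)
    return [[max(0.0, dot(pred[i], pred[j])) for j in range(n)]
            for i in range(n)]


def row_sums(scores):
    """Diagonal of D: the sum of each row of the score matrix."""
    return [sum(row) for row in scores]


def propagate(scores, pred):
    """Apply the assumed operator D^{-1/2} A D^{-1/2} to the capsules.

    A row whose sum is 0 (an all-zero capsule) gets weight 0 rather
    than a division by zero.
    """
    inv_sqrt = [1.0 / math.sqrt(d) if d > 0 else 0.0
                for d in row_sums(scores)]
    n, dim = len(pred), len(pred[0])
    out = []
    for i in range(n):
        acc = [0.0] * dim
        for j in range(n):
            w = inv_sqrt[i] * scores[i][j] * inv_sqrt[j]
            if w:
                for k in range(dim):
                    acc[k] += w * pred[j][k]
        out.append(acc)
    return out


def squash(v):
    """Assumed standard squash: |v|^2 / (1 + |v|^2) * v / |v|.

    Keeps the direction and maps the length into [0, 1).
    """
    sq = dot(v, v)
    if sq == 0:
        return [0.0] * len(v)
    scale = sq / (1.0 + sq) / math.sqrt(sq)
    return [scale * x for x in v]


def route(pred):
    """Score, propagate, then squash every capsule."""
    scores = attention_scores(pred)
    return [squash(s) for s in propagate(scores, pred)]


# Constructed prediction capsules: two similar ones, one pointing the
# opposite way (negative similarity), and one all-zero capsule.
CAPSULES = [[1.0, 0.0], [0.8, 0.6], [-1.0, 0.0], [0.0, 0.0]]

if __name__ == "__main__":
    for row in attention_scores(CAPSULES):
        print([round(x, 3) for x in row])
    for cap in route(CAPSULES):
        print([round(x, 3) for x in cap], round(math.sqrt(dot(cap, cap)), 3))
```

The opposing capsule receives zero weight from the first two, so it only attends to itself and is not mixed into their output.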
Referring to fig. 6, fig. 6 is a schematic diagram illustrating a specific implementation procedure of another embodiment of the step S2000. As shown in fig. 6, step S2000 further includes at least the following steps:
Step S2400, inputting training samples of the capsule network into the conditional generative adversarial network to generate attack samples.
It will be appreciated that embodiments of the present application generate new sample data through a conditional generative adversarial network (Conditional Adversarial Nets, cGAN). Specifically, the preprocessed USTC-TFC2016 data set is divided, minority-class network traffic samples are generated through cGAN, and the generated samples are input into a trained twin capsule network; the parameters of the cGAN are then dynamically adjusted according to the output result, and finally attack samples with a confidence greater than a confidence threshold are generated. Specifically, the confidence threshold is set to 0.9.
And step 2500, combining the attack samples into training samples, and performing iterative training on the capsule network.
It can be appreciated that combining attack samples into training samples iteratively trains the capsule network, preserving the optimal model. In particular, in the dynamic parameter adjustment of the capsule network, the generator is first fixed, the game objective function is then calculated from the output result, the accuracy of the discriminator D is maximized, and the parameters of the discriminator are adjusted by the adaptive moment estimation optimizer. Finally, an optimized discriminator D′ is obtained and fixed, and the generator is optimized in the same way. Specifically, the game objective function of cGAN is shown in the following formula:
wherein the terms denote the cost function; the random noise and the raw data from the training set, respectively, together with their corresponding distributions; the entropy of those distributions after passing through the discriminator; and the category label that is expected to be generated.
Step S3000, obtaining a detection result according to the distance value.
It can be understood that after the distance value between the gray map information and the class center feature of the twinning capsule network is obtained, whether the flow data belongs to attack flow data can be judged according to the classification closest to the gray map information, and the detection result of the flow data is output. In practical application, the detection result of outputting the flow data according to the distance value belongs to the prior art, and will not be described here again.
Referring to fig. 7, fig. 7 shows a structure diagram of the twinning capsule network in the above step S2000. As shown in fig. 7, the flow data is converted into a gray image after data processing, namely the data to be measured, the data is input into a twin capsule network, traversal is performed on the data and positive and negative samples in a sample library to calculate the euclidean distance, and finally, a similarity prediction is made according to the sample with the maximum similarity, and a prediction result is output.
Referring to fig. 8, fig. 8 is a flowchart illustrating a network traffic detection method based on a twin capsule network according to another embodiment of the present application. As shown in fig. 8, the twin capsule network performs preprocessing on the data of the training set and performs division processing on the data set. Meanwhile, the capsule network is trained through the attack sample generated in the step S2400, so that the accuracy and training efficiency of the capsule network model are improved.
Referring to fig. 9, fig. 9 is a schematic structural diagram of a network traffic detection device 400 based on a twin capsule network according to an embodiment of the present application, where the following modules in the network traffic detection device based on a twin capsule network are involved in the whole flow of the network traffic detection method based on a twin capsule network according to the embodiment of the present application: an acquisition module 410, a calculation module 420, and a detection module 430.
The acquiring module 410 is configured to acquire flow data, and perform imaging processing on the flow data to obtain gray scale map information;
the calculation module 420 is configured to input the gray map information to a preset twin capsule network to obtain a distance value between the gray map information and a class center feature of the twin capsule network, where the twin capsule network includes a plurality of capsule networks with the same structure, a loss function of the capsule network is determined by a triplet loss function and a center loss function, and a similarity matrix between capsules in the capsule network is determined by a vector dot product of the capsules;
the detection module 430 is configured to obtain a detection result according to the distance value.
It should be noted that, because the content of information interaction and execution process between modules of the above apparatus is based on the same concept as the method embodiment of the present application, specific functions and technical effects thereof may be found in the method embodiment section, and will not be described herein again.
Fig. 10 shows an electronic device 500 provided by an embodiment of the application. The electronic device 500 includes, but is not limited to:
a memory 501 for storing a program;
the processor 502 is configured to execute the program stored in the memory 501, and when the processor 502 executes the program stored in the memory 501, the processor 502 is configured to execute the network traffic detection method based on the twin capsule network described above.
The processor 502 and the memory 501 may be connected by a bus or other means.
The memory 501 is used as a non-transitory computer readable storage medium for storing non-transitory software programs and non-transitory computer executable programs, such as the network traffic detection method based on a twinning capsule network described in any embodiment of the application. The processor 502 implements the network traffic detection method based on the twin capsule network described above by running non-transitory software programs and instructions stored in the memory 501.
The memory 501 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, at least one application program required for a function; the storage data area may store and execute the network traffic detection method based on the twin capsule network. In addition, memory 501 may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some implementations, memory 501 may optionally include memory located remotely from processor 502, which may be connected to processor 502 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The non-transitory software programs and instructions required to implement the network traffic detection method based on a twinning capsule network described above are stored in the memory 501, which when executed by the one or more processors 502, perform the network traffic detection method based on a twinning capsule network provided by any embodiment of the present application.
The embodiment of the application also provides a storage medium which stores computer executable instructions for executing the network traffic detection method based on the twin capsule network.
In an embodiment, the storage medium stores computer executable instructions that are executed by one or more control processors 502, for example, by one of the processors 502 in the electronic device 500, so that the one or more processors 502 perform the network traffic detection method based on the twinning capsule network according to any embodiment of the present application.
The embodiments described above are merely illustrative, wherein the units described as separate components may or may not be physically separate, i.e. may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
Those of ordinary skill in the art will appreciate that all or some of the steps, systems, and methods disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes both volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as known to those skilled in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. Furthermore, as is well known to those of ordinary skill in the art, communication media typically include computer readable instructions, data structures, program modules, or other data in a modulated data signal, such as a carrier wave or other transport mechanism, and may include any information delivery media.

Claims (10)

1. The network flow detection method based on the twin capsule network is characterized by comprising the following steps of:
acquiring flow data, and performing imaging processing on the flow data to obtain gray scale image information;
inputting the gray map information into a preset twin capsule network to obtain a distance value between the gray map information and a class center feature of the twin capsule network, wherein the twin capsule network comprises a plurality of capsule networks with the same structure, a loss function of the capsule network is determined by a triplet loss function and a center loss function, and a similarity matrix among capsules in the capsule network is determined by a vector dot product of the capsules;
and obtaining a detection result according to the distance value.
2. The network traffic detection method based on a twinning capsule network of claim 1, wherein the acquiring traffic data comprises:
acquiring the flow data through honeypot capture or packet capture software;
performing segmentation processing on the flow data to obtain segmented flow data;
and cleaning the segmentation flow data to obtain preprocessed flow data.
3. The network traffic detection method based on the twinning capsule network according to claim 2, wherein the imaging the traffic data to obtain gray scale map information includes:
converting the preprocessing flow data with fixed length into pixel point data;
and obtaining the gray scale image information according to the pixel point data.
4. The network traffic detection method based on a twinning capsule network of claim 1, wherein the triplet loss function is determined by a reference sample, a positive sample and a negative sample of the capsule network, wherein the reference sample is generated by a training sample of the capsule network, and the positive sample and the negative sample are generated by a preset training set; the center loss function is determined by the output features of the training samples in the capsule network and the corresponding class center features.
5. The network traffic detection method based on a twinning capsule network of claim 1, wherein the similarity matrix between capsules within the capsule network is determined by a vector dot product of the capsules, comprising:
carrying out channel convolution on the gray map information to obtain a primary capsule;
performing linear transformation on the primary capsules to obtain prediction capsules;
obtaining the similarity between the prediction capsules according to the vector dot product result of the prediction capsules;
and obtaining a similarity matrix between the prediction capsules according to the similarity.
6. The network traffic detection method based on a twinning capsule network according to claim 5, wherein the obtaining the similarity matrix between the prediction capsules according to the similarity comprises:
inputting the similarity into the similarity matrix under the condition that the similarity between the prediction capsules is larger than 0;
and under the condition that the similarity between the prediction capsules is smaller than or equal to 0, setting the similarity value to 0 and then inputting it into the similarity matrix.
7. The network traffic detection method based on a twinning capsule network according to claim 1, wherein the inputting the gray map information into a preset twinning capsule network further comprises:
inputting training samples of the capsule network into a conditional generative adversarial network to generate attack samples;
and combining the attack samples into the training samples, and performing iterative training on the capsule network.
8. A network traffic detection device based on a twinning capsule network, comprising:
the acquisition module is used for acquiring flow data and carrying out imaging processing on the flow data to obtain gray scale image information;
the calculation module is used for inputting the gray map information into a preset twin capsule network to obtain a distance value between the gray map information and a class center feature of the twin capsule network, wherein the twin capsule network comprises a plurality of capsule networks with the same structure, a loss function of the capsule network is determined by a triplet loss function and a center loss function, and a similarity matrix among capsules in the capsule network is determined by a vector dot product of the capsules;
and the detection module is used for obtaining a detection result according to the distance value.
9. An electronic device, comprising: a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the network traffic detection method based on a twinning capsule network according to any one of claims 1 to 7 when the computer program is executed.
10. A computer readable storage medium, characterized in that a computer program is stored, which, when being executed by a processor, implements the network traffic detection method based on a twinning capsule network according to any one of claims 1 to 7.
CN202311132870.XA 2023-09-05 2023-09-05 Network flow detection method and device based on twin capsule network Active CN116866089B (en)

Publications (2)

Publication Number Publication Date
CN116866089A (en) 2023-10-10
CN116866089B (en) 2024-01-30
