CN117081831A - Network intrusion detection method and system based on data generation and attention mechanism - Google Patents
Network intrusion detection method and system based on data generation and attention mechanism Download PDFInfo
- Publication number
- CN117081831A CN117081831A CN202311150569.1A CN202311150569A CN117081831A CN 117081831 A CN117081831 A CN 117081831A CN 202311150569 A CN202311150569 A CN 202311150569A CN 117081831 A CN117081831 A CN 117081831A
- Authority
- CN
- China
- Prior art keywords
- network
- data set
- samples
- intrusion detection
- network traffic
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 56
- 230000007246 mechanism Effects 0.000 title claims abstract description 25
- 238000012549 training Methods 0.000 claims abstract description 58
- 238000007781 pre-processing Methods 0.000 claims abstract description 15
- 238000004422 calculation algorithm Methods 0.000 claims abstract description 7
- 238000011156 evaluation Methods 0.000 claims abstract description 7
- 238000003062 neural network model Methods 0.000 claims abstract description 7
- 238000005457 optimization Methods 0.000 claims abstract description 7
- 238000000034 method Methods 0.000 claims description 43
- 230000006870 function Effects 0.000 claims description 40
- 238000012545 processing Methods 0.000 claims description 15
- 238000013528 artificial neural network Methods 0.000 claims description 9
- 230000008569 process Effects 0.000 claims description 9
- 238000012360 testing method Methods 0.000 claims description 9
- ORILYTVJVMAKLC-UHFFFAOYSA-N Adamantane Natural products C1C(C2)CC3CC1CC2C3 ORILYTVJVMAKLC-UHFFFAOYSA-N 0.000 claims description 7
- 230000004913 activation Effects 0.000 claims description 6
- 238000013527 convolutional neural network Methods 0.000 claims description 6
- 230000004927 fusion Effects 0.000 claims description 3
- 230000002123 temporal effect Effects 0.000 claims 1
- 230000002159 abnormal effect Effects 0.000 description 7
- 238000010586 diagram Methods 0.000 description 4
- 238000002474 experimental method Methods 0.000 description 3
- 238000007637 random forest analysis Methods 0.000 description 3
- 238000002679 ablation Methods 0.000 description 2
- 230000008485 antagonism Effects 0.000 description 2
- 230000006399 behavior Effects 0.000 description 2
- 230000002457 bidirectional effect Effects 0.000 description 2
- 238000004364 calculation method Methods 0.000 description 2
- 238000013145 classification model Methods 0.000 description 2
- 238000004590 computer program Methods 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 238000010801 machine learning Methods 0.000 description 2
- 239000000463 material Substances 0.000 description 2
- 238000010606 normalization Methods 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 238000011176 pooling Methods 0.000 description 2
- 238000011160 research Methods 0.000 description 2
- 241001091575 Echeveria Species 0.000 description 1
- 238000003491 array Methods 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- FFBHFFJDDLITSX-UHFFFAOYSA-N benzyl N-[2-hydroxy-4-(3-oxomorpholin-4-yl)phenyl]carbamate Chemical compound OC1=C(NC(=O)OCC2=CC=CC=C2)C=CC(=C1)N1CCOCC1=O FFBHFFJDDLITSX-UHFFFAOYSA-N 0.000 description 1
- 230000000903 blocking effect Effects 0.000 description 1
- 238000003066 decision tree Methods 0.000 description 1
- 238000013135 deep learning Methods 0.000 description 1
- 230000007812 deficiency Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000007477 logistic regression Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 210000002569 neuron Anatomy 0.000 description 1
- 239000013307 optical fiber Substances 0.000 description 1
- 230000008520 organization Effects 0.000 description 1
- 230000000717 retained effect Effects 0.000 description 1
- 238000005070 sampling Methods 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 238000012795 verification Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/21—Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
- G06F18/214—Generating training patterns; Bootstrap methods, e.g. bagging or boosting
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/044—Recurrent networks, e.g. Hopfield networks
- G06N3/0442—Recurrent networks, e.g. Hopfield networks characterised by memory or gating, e.g. long short-term memory [LSTM] or gated recurrent units [GRU]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/0464—Convolutional networks [CNN, ConvNet]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/0475—Generative networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- Data Mining & Analysis (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Evolutionary Computation (AREA)
- Life Sciences & Earth Sciences (AREA)
- Artificial Intelligence (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- Biophysics (AREA)
- Mathematical Physics (AREA)
- Computational Linguistics (AREA)
- Health & Medical Sciences (AREA)
- Software Systems (AREA)
- General Health & Medical Sciences (AREA)
- Molecular Biology (AREA)
- Biomedical Technology (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Bioinformatics & Cheminformatics (AREA)
- Bioinformatics & Computational Biology (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Evolutionary Biology (AREA)
- Computer Hardware Design (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a network intrusion detection method and a system based on a data generation and attention mechanism, which relate to the technical field of networks and comprise the following steps: receiving a network traffic data set, and preprocessing the network traffic data set to obtain a preprocessed network traffic data set; inputting minority attack class samples in the attack class samples into a pre-established ECGAN model to obtain minority attack class samples of a preset type and a preset number, and merging the minority attack class samples with the network traffic samples to obtain a final training data set; inputting the final training data set into a pre-established neural network model to obtain high-dimensional space-time flow characteristics, and inputting the high-dimensional space-time flow characteristics into a preset classification network to obtain a classification result; and training a pre-established network intrusion detection model by taking a loss function as an evaluation standard and an optimization algorithm as an optimizer in combination with the classification result to obtain a trained network intrusion detection model, thereby realizing a network intrusion detection function.
Description
Technical Field
The invention relates to the technical field of networks, in particular to a network intrusion detection method and system based on a data generation and attention mechanism.
Background
With the rapid development of technologies such as 4G, 5G, internet of things and cloud computing, great convenience is brought to life of people, but network security problems with increased network attack events are brought along, and great threat and challenges are brought to social security. For example, in month 4 of 2020, the echeveria organization initiates a network attack on the subject of covd-19 against the chinese healthcare industry and institutions to steal related secrets of the chinese healthcare industry. Therefore, timely detection and blocking of network attacks is critical to network security. The network intrusion detection is used as an important component of network security, can actively detect abnormal traffic data possibly existing in a network, identify network attacks, provide real-time network protection and has important research significance.
In recent years, the traditional machine learning method is widely applied to the field of network intrusion detection, but the traditional shallow machine learning cannot automatically learn features, needs to manually extract features, has poor detection performance when facing high-dimensional large-scale network data traffic, and cannot meet the requirements of a novel network environment. And the deep learning can learn the characteristics autonomously, so that the intrusion detection performance is better. In addition, because of unbalance of flow data distribution in a real network environment, normal flow behavior is far higher than abnormal flow behavior, and detection performance of abnormal samples is poor based on a model trained by a data set with unbalanced data types. Aiming at the data class imbalance problem, the traditional methods solve the class imbalance problem by utilizing undersampling, oversampling, mixed sampling and other technologies, but the methods have the risks of overfitting and losing useful information.
The existing network intrusion detection research is singly aimed at the problem of poor performance of a classification model or the problem of unbalanced classification of network traffic data, but the two problems are not combined to be processed, and the generalization capability of the model is insufficient, so that unknown network attacks cannot be effectively detected.
Disclosure of Invention
To solve the above-mentioned deficiencies of the prior art, an object of the present invention is to provide a method and a system for network intrusion detection based on data generation and attention mechanisms.
The aim of the invention can be achieved by the following technical scheme: a network intrusion detection method based on data generation and attention mechanism includes the following steps:
the method comprises the steps of receiving a network traffic data set, and preprocessing the network traffic data set to obtain a preprocessed network traffic data set, wherein a network traffic sample is arranged in the preprocessed network traffic data set, and comprises a normal traffic sample and an attack sample;
inputting minority attack class samples in the attack class samples into a pre-established ECGAN model to obtain minority attack class samples of a preset type and a preset number, and combining the obtained minority attack class samples of the preset type and the preset number with the network traffic samples to obtain a final training data set;
inputting the final training data set into a pre-established CNN-BiLSTM-Attention neural network model to obtain high-dimensional space-time flow characteristics, and inputting the high-dimensional space-time flow characteristics into a preset classification network to obtain a classification result;
and combining the classification result, training a pre-established network intrusion detection model by taking a loss function Binary crossentropy as an evaluation standard and an optimization algorithm Adam as an optimizer to obtain a trained network intrusion detection model, thereby realizing the function of network intrusion detection.
Preferably, the process of preprocessing the network traffic data set includes:
standardizing and outlier processing are carried out on the network traffic data set: converting the symbol features into digital feature representations by single-hot encoding; and carrying out Min-Max Scaling on the network flow data set subjected to standardization and outlier processing to normalize the value to between 0 and 1.
Preferably, the network traffic data set includes a training data set and a test data set, wherein the network traffic samples in the training data set and the test data set include normal traffic samples and attack class samples, and the minority class attack class samples in the attack class samples are input into the pre-established ECGAN model, and are adopted as minority class attack class samples in the training data set.
Preferably, the feature types included in the network traffic data set are numerical features and symbolic features, the network traffic data set is subjected to standardization processing, and the symbolic features are converted into numerical feature representations based on a single-hot coding method:
based on the Min-Max Scaling method, the normalized network flow data set is normalized according to the following formula:
wherein x is the data corresponding to one of the numerical characteristics in the network flow data set, x max For maximum value in the data corresponding to the numerical characteristic, x min Is the minimum value, x in the corresponding data of the numerical characteristic * And representing the normalized numerical characteristic corresponding data.
Preferably, the ECGAN model includes a generator G, a discriminator D, and a classifier C.
Preferably, the loss function of the discriminator is defined as:
L D (x,z)=BCE(D(x),1)+BCE(D(G(z)),0)
wherein BCE is binary cross entropy, D is discriminator, G is generator, x is true mark data, z is a random vector;
the loss function of the generator is defined as:
L G (z)=BCE(D(G(z)),1)
for the generator, only the predictor of the discriminator needs to be input and tag 1 indicates that the predictor is correct;
for a classifier, the loss function is defined as:
L C (x,y,z)=CE(C(x),y)+λCE(C(G(z)),argmax(C(G(z)))>t)
where y is the pseudo tag, λ is the unsupervised loss weight (antagonism weight), CE is the cross entropy loss, C is the classifier, and t is the pseudo tag threshold.
Preferably, the process of inputting the minority attack class samples in the attack class samples into the pre-established ECGAN model to obtain the minority attack class samples with the preset type and the preset number is as follows:
adopting a generator G, a discriminator D and a classifier C to perform iterative training of preset times on the ECGAN network model, and storing network parameters corresponding to the minimum value of the loss function in iteration as optimal data to generate the network model;
and generating data of minority attack class samples in the attack class samples by using the optimal data generation network model to obtain minority attack class samples of a preset type and a preset number.
Preferably, the one-dimensional numerical value characteristics of the network traffic samples in the final training data set are converted into two-dimensional numerical value characteristics and input into a CNN neural network, the spatial characteristics of the network traffic samples are extracted, then the spatial characteristics of the network traffic samples are integrated and input into a BiLSTM network through a full connection layer to extract the time characteristics of the network traffic samples, and finally the extracted high-dimensional space-time traffic characteristics are output;
and inputting the numerical characteristics of the network flow samples in the final training data set into an Attention network, obtaining the time-space fusion characteristics of the network flow samples in the training data set, carrying out Attention weighting, obtaining the output of a weighted result, and finally, carrying out two-class output by using a sigmoid function as an activation function, and outputting the class results respectively corresponding to the network flow data samples.
In a second aspect, to achieve the above object, the present invention discloses a network intrusion detection system based on a data generation and attention mechanism, comprising:
and a data preprocessing module: the method comprises the steps of receiving a network traffic data set, and preprocessing the network traffic data set to obtain a preprocessed network traffic data set, wherein a network traffic sample is arranged in the preprocessed network traffic data set, and comprises a normal traffic sample and an attack sample;
sample processing module: the method comprises the steps of inputting minority attack class samples in attack class samples into a pre-established ECGAN model to obtain minority attack class samples of a preset type and a preset number, and combining the obtained minority attack class samples of the preset type and the preset number with network traffic samples to obtain a final training data set;
and a feature classification module: the method comprises the steps of inputting a final training data set into a pre-established CNN-BiLSTM-Attention neural network model to obtain high-dimensional space-time flow characteristics, and inputting the high-dimensional space-time flow characteristics into a preset classification network to obtain a classification result;
model training module: the method is used for training a pre-established network intrusion detection model by taking a loss function Binary crossentropy as an evaluation standard and an optimization algorithm Adam as an optimizer in combination with the classification result to obtain a trained network intrusion detection model, thereby realizing the function of network intrusion detection.
In another aspect of the present invention, in order to achieve the above object, there is disclosed an apparatus comprising:
one or more processors;
a memory for storing one or more programs;
when executed by one or more of the processors, causes the one or more processors to implement the data generation and attention mechanism based network intrusion detection method as described above.
The invention has the beneficial effects that:
the invention utilizes ECGAN model attack sample to generate data, and also utilizes CNN-BiLSTM-Attention classification model to complete classification judgment task for network traffic, thereby further improving network intrusion detection precision, improving unknown attack detection function and reducing false alarm rate.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described, and it will be obvious to those skilled in the art that other drawings can be obtained according to these drawings without inventive effort;
FIG. 1 is a schematic flow chart of the method of the present invention;
FIG. 2 is a schematic diagram of a network intrusion detection model according to the present invention;
FIG. 3 is a schematic diagram of the training process based on the ECGAN network model according to the present invention;
FIG. 4 is a block diagram of a schematic CNN-BiLSTM-Attention neural network of the present invention;
FIG. 5 is a schematic diagram of the system architecture of the present invention;
FIG. 6 is a verification graph of an ablation experiment of the present invention;
fig. 7 is a graph comparing the present invention with other models.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
As shown in fig. 1, the network intrusion detection method based on the data generation and attention mechanism includes the following steps:
the method comprises the steps of receiving a network traffic data set, and preprocessing the network traffic data set to obtain a preprocessed network traffic data set, wherein a network traffic sample is arranged in the preprocessed network traffic data set, and comprises a normal traffic sample and an attack sample;
the data preprocessing method specifically comprises the following steps: carrying out standardization processing on the network flow data set, namely adopting single-heat coding to convert symbol characteristics into numerical value characteristic representation; min-Max Scaling is performed on the normalized and outlier processed data set to normalize the values to between 0 and 1. Taking a network flow sample in the network flow data set as input, and taking the network flow sample in the preprocessed network flow data set as output, so as to construct a network flow data preprocessing module;
the network flow data set adopted by the embodiment of the invention is a UNSW-NB15 data set, wherein the UNSW-NB15 data set is characterized in that:
the UNSW-NB15 dataset comprises a training dataset and a test dataset. The training data set and the test data set both comprise a plurality of class labels, in the method, only a classification task is needed to be carried out, namely whether the network traffic data sample is normal traffic or abnormal traffic is judged, the abnormal traffic represents that the network traffic data sample is attacked, and the data set labels are replaced. The training set is 175341, the test set is 82332, and the training set comprises 43 features, a multi-class label and a two-class label, wherein the multi-class label has 10 types in total and is respectively in Normal state and 9 attack types.
The feature types contained in the network flow data set are numerical features and symbol features, the network flow data set is subjected to standardized processing, and the symbol features are converted into numerical feature representations based on a single-heat coding method.
The UNSW-NB15 data set comprises 40 numerical characteristics and 3 symbol characteristics, wherein the 3 symbol characteristics are protocol_type characteristics, service characteristics and flag characteristics respectively, 3 symbol characteristics such as protocol_type and the like are converted into 3 numerical characteristics corresponding to the 3 numerical characteristics based on single-hot coding, and the original 43-dimensional network traffic data set is converted into 196-dimensional network traffic data set.
Based on Min-Max Scaling method, carrying out normalization processing on the network flow data set after normalization processing according to a formula:
wherein x is the data corresponding to one of the numerical characteristics in the network flow data set, x max Is the maximum value, x in the data corresponding to the numerical characteristic min Is the minimum value, x in the data corresponding to the numerical characteristic * And representing the data corresponding to the normalized numerical characteristics.
Inputting minority attack class samples in the attack class samples into a pre-established ECGAN model to obtain minority attack class samples of a preset type and a preset number, and combining the obtained minority attack class samples of the preset type and the preset number with the network traffic samples to obtain a final training data set;
in this embodiment, the network traffic data set includes a training data set and a test data set, where the network traffic samples in the training data set and the test data set include attack class samples, and fewer attack class samples of the training data set in the preprocessed network traffic data set are used as inputs.
In this embodiment, as shown in FIG. 3, a minority class attack class sample x in the preprocessed training dataset i Input into the ECGAN model, which consists of three parts: generator G, discriminator D, classifier C. The first stage of each training period trains a generator G and a discriminator D, and the generator G receives random noise and random labels and generates corresponding artificial data and artificial labels. The arbiter D is then trained using the real data and the artificial samples generated by the producer G and updated to better distinguish the real samples from the artificial samples. And training the classifier in the second stage of each training period, converting the real label and the generated label code into a one-hot code form, and calculating the loss of the classifier by using the real data and the artificial sample generated by the generator respectively. ECGAN uses a pseudo-tagging method that assumes tags based on the most likely class of classifier C in its current state. The generated samples and labels are retained only if the model predicts the class of samples with a probability above a certain threshold. The loss function of the discriminator is defined as:
L D (x,z)=BCE(D(x),1)+BCE(D(G(z)),0)
where BCE is binary cross entropy, D is discriminator, G is generator, x is true mark data, and z is a random vector. The loss function of the generator is defined as:
L G (z)=BCE(D(G(z)),1)
for the generator, only the predictor of the discriminator needs to be entered and tag 1 indicates that the predictor is correct. This training generator learns to generate more realistic data. For a classifier, the loss function is defined as:
L C (x,y,z)=CE(C(x),y)+λCE(C(G(z)),argmax(C(G(z)))>t)
where y is the pseudo tag, λ is the unsupervised loss weight (antagonism weight), CE is the cross entropy loss, C is the classifier, and t is the pseudo tag threshold.
Based on input few attack samples and output specific types and number of generated samples, the constructed generator G, the discriminator D and the loss function of the classifier C are adopted to carry out iterative training for the ECGAN network model for preset times, and network parameters corresponding to the minimum value of the loss function in iteration are stored to be used as optimal data to generate the network model.
Loading the obtained optimal data generation network model to generate data of minority attack class samples in the training data set, and generating a preset number of minority attack class samples;
and merging the obtained attack samples with preset types and numbers with the training data set in the network traffic data set subjected to data preprocessing to construct a final training data set.
In one embodiment, the preset number of iterations is 9000 rounds.
Inputting the final training data set into a pre-established CNN-BiLSTM-Attention neural network model to obtain high-dimensional space-time flow characteristics, and inputting the high-dimensional space-time flow characteristics into a preset classification network to obtain a classification result;
and combining the classification result, training a pre-established network intrusion detection model by taking a loss function Binary crossentropy as an evaluation standard and an optimization algorithm Adam as an optimizer to obtain a trained network intrusion detection model, thereby realizing the function of network intrusion detection.
In this embodiment, as shown in fig. 4, converting one-dimensional numerical characteristics of the network traffic samples in the final training dataset into two-dimensional numerical characteristics, inputting the two-dimensional numerical characteristics into the CNN neural network, extracting spatial characteristics of the network traffic samples, integrating the spatial characteristics of the network traffic samples into the BiLSTM network through the full connection layer, extracting time characteristics of the network traffic samples, and finally outputting the extracted high-dimensional space-time traffic characteristics; the CNN neural network consists of an input layer, a two-dimensional convolution layer, a pooling layer, a full-connection layer and an output layer, wherein the deep network with the convolution layer and the pooling layer alternately overlapped can iteratively extract more complex flow space characteristics; the BiLSTM neural network is a bidirectional long-short-term memory neural network, is a special LSTM network, is formed by combining forward LSTM and backward LSTM, and can better capture bidirectional dependency, so that the BiLSTM neural network is applied to extract the time characteristics of network flow samples in the final training data set.
The space-time fusion characteristics extracted by the CNN-BiLSTM network are used as the input of the Attention mechanism, and the calculation process of the Attention mechanism can be divided into two processes: firstly, calculating weight coefficients, and secondly, weighting and summing. In the process 1, similarity calculation is carried out between the value of an input vector Key and a query vector F (Q, K) to obtain an attention score S, and then the attention score S is normalized by a softmax function and is converted into a probability distribution form to obtain a weight coefficient A; in process 2, normalized attention weight A is multiplied by each Value vector and added to get the final attention vector Value. Through the two processes, the AttenionValue for the Query vector can be obtained, so that the targeted attention to the input sequence is realized, finally, a sigmoid function is used as an activation function to perform two-class output, the classification result corresponding to each network traffic data sample is output, and the performance of the provided network intrusion detection model is checked. .
By adopting the network intrusion detection model, quick, efficient and accurate network intrusion detection is realized.
In one embodiment, each model uses an Adam optimizer, the generator G and the arbiter D of the ECGAN network model use wastertein loss functions, the classifier C uses cross entropy loss functions, the drop rate of neurons of the Dropout layer of the ECGAN network model is set to 0.3, the tanh activation function, the CNN layer and the BiLSTM layer in the CNN-BiLSTM-Attention neural network each use a relu function as an activation function, and the output layer uses a sigmoid function as an activation function.
In another aspect, as shown in fig. 5, in order to achieve the above object, the present invention discloses a network intrusion detection system based on a data generation and attention mechanism, comprising:
and a data preprocessing module: the method comprises the steps of receiving a network traffic data set, and preprocessing the network traffic data set to obtain a preprocessed network traffic data set, wherein a network traffic sample is arranged in the preprocessed network traffic data set, and comprises a normal traffic sample and an attack sample;
sample processing module: the method comprises the steps of inputting minority attack class samples in attack class samples into a pre-established ECGAN model to obtain minority attack class samples of a preset type and a preset number, and combining the obtained minority attack class samples of the preset type and the preset number with network traffic samples to obtain a final training data set;
and a feature classification module: the method comprises the steps of inputting a final training data set into a pre-established CNN-BiLSTM-Attention neural network model to obtain high-dimensional space-time flow characteristics, and inputting the high-dimensional space-time flow characteristics into a preset classification network to obtain a classification result;
model training module: the method is used for training a pre-established network intrusion detection model by taking a loss function Binary crossentropy as an evaluation standard and an optimization algorithm Adam as an optimizer in combination with the classification result to obtain a trained network intrusion detection model, thereby realizing the function of network intrusion detection.
In addition, in order to verify the effectiveness of the ECGAN model and the attribute mechanism on network intrusion detection, each model is subjected to an ablation experiment on the UNSW-NB15 data set, and the result is shown in fig. 6, and as can be seen from the graph, the classification prediction performance is better than that of the CNN model and the CNN-BiLSTM model. The accuracy of the CNN-BiLSTM model after the Attention mechanism is added is improved to 90.19 percent. After the artificial abnormal flow sample generated by the ECGAN model is added into the CNN-BiLSTM-Attention model for training, the accuracy of the model is further improved to 92.16%, and experiments prove that the ECGAN model and the Attention mechanism can improve the detection capability of the CNN-BiLSTM model on abnormal flow.
Comparing the model with naive Bayes, logistic regression, decision trees, random forests and other models, the result is shown in FIG. 7, wherein the random forests in the above models relatively perform optimally, and the accuracy of the random forests reaches 86.16%, but is still lower than that of the invention: 92.16%. The CNN-BiLSTM model based on ECGAN model and attribute mechanism has more advantages in network intrusion detection compared with other models.
Based on the same inventive concept, the present invention also provides a computer apparatus comprising: one or more processors, and memory for storing one or more computer programs; the program includes program instructions and the processor is configured to execute the program instructions stored in the memory. The processor may be a central processing unit (Central Processing Unit, CPU), but may also be other general purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application SpecificIntegrated Circuit, ASIC), field-Programmable gate arrays (FPGAs) or other Programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc., which are the computational core and control core of the terminal for implementing one or more instructions, in particular for loading and executing one or more instructions within a computer storage medium to implement the methods described above.
It should be further noted that, based on the same inventive concept, the present invention also provides a computer storage medium having a computer program stored thereon, which when executed by a processor performs the above method. The storage media may take the form of any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electrical, magnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
In the description of the present specification, the descriptions of the terms "one embodiment," "example," "specific example," and the like, mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present disclosure. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
The foregoing has shown and described the basic principles, principal features, and advantages of the present disclosure. It will be understood by those skilled in the art that the present disclosure is not limited to the embodiments described above, which have been described in the foregoing and description merely illustrates the principles of the disclosure, and that various changes and modifications may be made therein without departing from the spirit and scope of the disclosure, which is defined in the appended claims.
Claims (10)
1. A network intrusion detection method based on data generation and attention mechanisms, the method comprising the steps of:
the method comprises the steps of receiving a network traffic data set, and preprocessing the network traffic data set to obtain a preprocessed network traffic data set, wherein a network traffic sample is arranged in the preprocessed network traffic data set, and comprises a normal traffic sample and an attack sample;
inputting minority attack class samples in the attack class samples into a pre-established ECGAN model to obtain minority attack class samples of a preset type and a preset number, and combining the obtained minority attack class samples of the preset type and the preset number with the network traffic samples to obtain a final training data set;
inputting the final training data set into a pre-established CNN-BiLSTM-Attention neural network model to obtain high-dimensional space-time flow characteristics, and inputting the high-dimensional space-time flow characteristics into a preset classification network to obtain a classification result;
and combining the classification result, training a pre-established network intrusion detection model by taking a loss function Binary crossentropy as an evaluation standard and an optimization algorithm Adam as an optimizer to obtain a trained network intrusion detection model, thereby realizing the function of network intrusion detection.
2. The method for data generation and attention mechanism based network intrusion detection according to claim 1, wherein the process of preprocessing the network traffic data set comprises:
standardizing and outlier processing are carried out on the network traffic data set: converting the symbol features into digital feature representations by single-hot encoding; and carrying out Min-Max Scaling on the network flow data set subjected to standardization and outlier processing to normalize the value to between 0 and 1.
3. The method for network intrusion detection based on data generation and attention mechanisms according to claim 2, wherein the network traffic data set comprises a training data set and a test data set, wherein the network traffic samples in the training data set and the test data set comprise normal traffic samples and attack class samples, and wherein the inputting of minority class attack class samples in the attack class samples into the pre-established ECGAN model is performed by using minority class attack class samples in the training data set.
4. A network intrusion detection method according to claim 3 based on data generation and attention mechanisms, wherein the network traffic data sets contain feature types of numerical features and symbolic features, the network traffic data sets are subjected to standardization processing, and the symbolic features are converted into numerical feature representations based on a single-heat coding method:
based on the Min-Max Scaling method, the normalized network flow data set is normalized according to the following formula:
wherein x is the data corresponding to one of the numerical characteristics in the network flow data set, x max For maximum value in the data corresponding to the numerical characteristic, x min Is the minimum value, x in the corresponding data of the numerical characteristic * And representing the normalized numerical characteristic corresponding data.
5. The method of claim 1, wherein the ECGAN model comprises a generator G, a discriminator D, and a classifier C.
6. The data generation and attention mechanism based network intrusion detection method of claim 5, wherein the discriminator's loss function is defined as:
L D (x,z)=BCE(D(x),1)+BCE(D(G(z)),0)
wherein BCE is binary cross entropy, D is discriminator, G is generator, x is true mark data, z is a random vector;
the loss function of the generator is defined as:
L G (z)=BCE(D(G(z)),1)
for the generator, only the predictor of the discriminator needs to be input and tag 1 indicates that the predictor is correct;
for a classifier, the loss function is defined as:
L C (x,y,z)=CE(C(x),y)+λCE(C(G(z)),argmax(C(G(z)))>t)
y is the pseudo tag, λ is the unsupervised loss weight, CE is the cross entropy loss, C is the classifier, and t is the pseudo tag threshold.
7. The network intrusion detection method based on the data generation and attention mechanism according to claim 1, wherein the process of inputting the minority attack class samples in the attack class samples into the pre-established ECGAN model to obtain the minority attack class samples of the preset type and the preset number is as follows:
adopting a generator G, a discriminator D and a classifier C to perform iterative training of preset times on the ECGAN network model, and storing network parameters corresponding to the minimum value of the loss function in iteration as optimal data to generate the network model;
and generating data of minority attack class samples in the attack class samples by using the optimal data generation network model to obtain minority attack class samples of a preset type and a preset number.
8. The network intrusion detection method based on the data generation and attention mechanism according to claim 1, wherein the one-dimensional numerical characteristics of the network traffic samples in the final training dataset are converted into two-dimensional numerical characteristics, the two-dimensional numerical characteristics are input into a CNN neural network, the spatial characteristics of the network traffic samples are extracted, the temporal characteristics of the network traffic samples are extracted by integrating the time characteristics input into the BiLSTM network through a full connection layer, and the extracted high-dimensional space-time traffic characteristics are finally output;
and inputting the numerical characteristics of the network flow samples in the final training data set into an Attention network, obtaining the time-space fusion characteristics of the network flow samples in the training data set, carrying out Attention weighting, obtaining the output of a weighted result, and finally, carrying out two-class output by using a sigmoid function as an activation function, and outputting the class results respectively corresponding to the network flow data samples.
9. A network intrusion detection system based on data generation and attention mechanisms, comprising:
and a data preprocessing module: the method comprises the steps of receiving a network traffic data set, and preprocessing the network traffic data set to obtain a preprocessed network traffic data set, wherein a network traffic sample is arranged in the preprocessed network traffic data set, and comprises a normal traffic sample and an attack sample;
sample processing module: the method comprises the steps of inputting minority attack class samples in attack class samples into a pre-established ECGAN model to obtain minority attack class samples of a preset type and a preset number, and combining the obtained minority attack class samples of the preset type and the preset number with network traffic samples to obtain a final training data set;
and a feature classification module: the method comprises the steps of inputting a final training data set into a pre-established CNN-BiLSTM-Attention neural network model to obtain high-dimensional space-time flow characteristics, and inputting the high-dimensional space-time flow characteristics into a preset classification network to obtain a classification result;
model training module: the method is used for training a pre-established network intrusion detection model by taking a loss function Binary crossentropy as an evaluation standard and an optimization algorithm Adam as an optimizer in combination with the classification result to obtain a trained network intrusion detection model, thereby realizing the function of network intrusion detection.
10. An apparatus, comprising:
one or more processors;
a memory for storing one or more programs;
when executed by one or more of the processors, causes the one or more processors to implement a data generation and attention mechanism based network intrusion detection method according to any one of claims 1 to 8.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311150569.1A CN117081831A (en) | 2023-09-07 | 2023-09-07 | Network intrusion detection method and system based on data generation and attention mechanism |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311150569.1A CN117081831A (en) | 2023-09-07 | 2023-09-07 | Network intrusion detection method and system based on data generation and attention mechanism |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117081831A true CN117081831A (en) | 2023-11-17 |
Family
ID=88715362
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311150569.1A Pending CN117081831A (en) | 2023-09-07 | 2023-09-07 | Network intrusion detection method and system based on data generation and attention mechanism |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117081831A (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117527451A (en) * | 2024-01-08 | 2024-02-06 | 国网江苏省电力有限公司苏州供电分公司 | Network intrusion detection method, device, electronic equipment and storage medium |
| CN117527449A (en) * | 2024-01-05 | 2024-02-06 | 之江实验室 | Intrusion detection method, device, electronic equipment and storage medium |
| CN118137277A (en) * | 2024-05-06 | 2024-06-04 | 南京信息工程大学 | Rapid automatic mode locking method, system and equipment based on deep learning |
-
2023
- 2023-09-07 CN CN202311150569.1A patent/CN117081831A/en active Pending
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117527449A (en) * | 2024-01-05 | 2024-02-06 | 之江实验室 | Intrusion detection method, device, electronic equipment and storage medium |
| CN117527451A (en) * | 2024-01-08 | 2024-02-06 | 国网江苏省电力有限公司苏州供电分公司 | Network intrusion detection method, device, electronic equipment and storage medium |
| CN117527451B (en) * | 2024-01-08 | 2024-04-02 | 国网江苏省电力有限公司苏州供电分公司 | Network intrusion detection method, device, electronic equipment and storage medium |
| CN118137277A (en) * | 2024-05-06 | 2024-06-04 | 南京信息工程大学 | Rapid automatic mode locking method, system and equipment based on deep learning |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Jiang et al. | Network intrusion detection combined hybrid sampling with deep hierarchical network | |
| CN117081831A (en) | Network intrusion detection method and system based on data generation and attention mechanism | |
| Zhang et al. | Self-supervised learning for time series analysis: Taxonomy, progress, and prospects | |
| Chen et al. | An efficient network behavior anomaly detection using a hybrid DBN-LSTM network | |
| Lim et al. | Efficient-prototypicalnet with self knowledge distillation for few-shot learning | |
| Yang et al. | Application of meta-learning in cyberspace security: A survey | |
| CN113595998A (en) | Bi-LSTM-based power grid information system vulnerability attack detection method and device | |
| Ra et al. | DeepAnti-PhishNet: Applying deep neural networks for phishing email detection | |
| Bohani et al. | A comprehensive analysis of supervised learning techniques for electricity theft detection | |
| Huang | Network Intrusion Detection Based on an Improved Long‐Short‐Term Memory Model in Combination with Multiple Spatiotemporal Structures | |
| Ding et al. | Efficient BiSRU combined with feature dimensionality reduction for abnormal traffic detection | |
| Said et al. | AI-based solar energy forecasting for smart grid integration | |
| Chethana et al. | Analysis of Credit Card Fraud Data Using Various Machine Learning Methods | |
| Lu et al. | Self‐supervised domain adaptation for cross‐domain fault diagnosis | |
| Li et al. | Adadebunk: An efficient and reliable deep state space model for adaptive fake news early detection | |
| Huang et al. | SOPA‐GA‐CNN: Synchronous optimisation of parameters and architectures by genetic algorithms with convolutional neural network blocks for securing Industrial Internet‐of‐Things | |
| Ding et al. | A deep learning‐based classification scheme for cyber‐attack detection in power system | |
| Yu et al. | Efficient Classification of Malicious URLs: M-BERT-A Modified BERT Variant for Enhanced Semantic Understanding | |
| Bi et al. | Improved network intrusion classification with attention-assisted bidirectional LSTM and optimized sparse contractive autoencoders | |
| Jiang et al. | PruneFaceDet: Pruning lightweight face detection network by sparsity training | |
| Khetarpal et al. | Power quality disturbance signal segmentation and classification based on modified BI‐LSTM with double attention mechanism | |
| CN113469816A (en) | Digital currency identification method, system and storage medium based on multigroup technology | |
| Zhao et al. | IoT intrusion detection model based on gated recurrent unit and residual network | |
| Patidar et al. | Leveraging LSTM-RNN combined with SVM for Network Intrusion Detection | |
| De Peng et al. | Industrial intrusion detection technology based on one-dimensional multi-scale residual network |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |