CN117527449A - Intrusion detection method, device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN117527449A
Authority
CN
China
Legal status
Pending
Application number
CN202410019107.4A
Other languages
Chinese (zh)
Inventor
查超
张汝云
王之宇
范逸飞
张音捷
白冰
韩孟玲
梁思远
Current Assignee
Zhejiang Lab
Original Assignee
Zhejiang Lab

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 3/00 Computing arrangements based on biological models
    • G06N 3/02 Neural networks
    • G06N 3/04 Architecture, e.g. interconnection topology
    • G06N 3/044 Recurrent networks, e.g. Hopfield networks
    • G06N 3/0442 Recurrent networks, e.g. Hopfield networks characterised by memory or gating, e.g. long short-term memory [LSTM] or gated recurrent units [GRU]
    • G06N 3/045 Combinations of networks
    • G06N 3/0455 Auto-encoder networks; Encoder-decoder networks
    • G06N 3/0464 Convolutional networks [CNN, ConvNet]
    • G06N 3/08 Learning methods
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The specification discloses an intrusion detection method, an intrusion detection device, an electronic device and a storage medium, wherein target characteristics corresponding to target flow data are determined, a coding result of the target characteristics is determined through a coding layer of a detection model obtained through training based on sample characteristics of sample flow data corresponding to known anomaly types in advance, and a target type corresponding to the target characteristics is determined from the preset known anomaly types. And determining the decoding result of the target feature through a decoding layer of the detection model. And finally, determining an abnormal detection result of the target flow data according to the difference between the decoding result and the target characteristic. According to the method, when the target flow belongs to the abnormal type corresponding to the novel network attack behavior, the characteristics of the target flow cannot be accurately restored through the detection model of the encoder-decoder structure, so that the novel network attack behavior can be accurately identified, and the detection efficiency is ensured.

Description

Intrusion detection method, device, electronic equipment and storage medium
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to an intrusion detection method, an intrusion detection device, an electronic device, and a storage medium.
Background
At present, with the development of computer technology, computer networks are increasingly used in people's lives. Therefore, how to secure a computer network has become one of the technical problems to be solved at present.
One common method of protecting computer network security is based on traffic data. Specifically, when the flow data is received, the attribute data corresponding to the flow data is determined. And then inputting the flow data and the corresponding attribute data into a pre-trained detection model to obtain a detection result output by the detection model, so as to judge whether the flow data is abnormal or not according to the detection result. The detection result may be whether or not there is an abnormality in the flow data, or may be a probability that there is an abnormality in the flow data.
However, the current detection model can only determine whether the flow data is abnormal based on the similarity between the flow data and the characteristics of the abnormality type corresponding to the sample flow used in training the detection model. When the flow data corresponds to the novel network attack behavior, the detection model often cannot obtain an accurate detection result.
Based on the above, the present specification provides an intrusion detection method based on passive defense.
Disclosure of Invention
The present disclosure provides an intrusion detection method, apparatus, electronic device, and storage medium, so as to partially solve the foregoing problems in the prior art.
The technical scheme adopted in the specification is as follows:
the present specification provides an intrusion detection method, comprising:
determining target flow data in response to a detection request, and determining target characteristics of the target flow data;
inputting the target features into a coding layer of a pre-trained detection model to obtain a coding result corresponding to the target features output by the coding layer, and determining a target type corresponding to the target features from preset known abnormal types;
inputting the coding result into a decoding layer of the detection model to obtain a decoding result corresponding to the target feature output by the decoding layer; the detection model is obtained by training in advance based on sample characteristics of sample flow data corresponding to known abnormal types respectively;
determining a gap between the decoding result and the target feature, and determining an abnormal detection result of the target flow data according to the gap; wherein the anomaly detection result includes at least one of the target type and an unknown anomaly type.
Optionally, the detection model is trained by the following method:
determining sample flow data, determining the abnormality type corresponding to the sample flow data as a first label of the sample flow data, and determining a sample characteristic of the sample flow data as a second label of the sample flow data;
inputting the sample characteristics into a coding layer of a detection model to be trained, obtaining a sample coding result corresponding to the sample characteristics output by the coding layer, and determining a sample abnormality type corresponding to the sample characteristics;
taking the sample coding result as input, inputting the sample coding result into a decoding layer of the detection model, and obtaining a sample decoding result corresponding to the sample characteristics output by the decoding layer;
and training the detection model according to the difference between the first label and the sample abnormal type and the difference between the second label and the sample decoding result.
Optionally, the detection model is trained by the following method:
determining sample flow data, determining a coding layer which is trained in advance according to the sample flow data and the corresponding abnormality type of the sample flow data, and determining sample characteristics of the sample flow data;
inputting the sample characteristics into the coding layer to obtain sample coding results corresponding to the sample characteristics output by the coding layer;
inputting the sample coding result into a decoding layer to be trained to obtain a sample decoding result output by the decoding layer;
training the decoding layer according to the difference between the sample characteristics and the sample decoding results;
and combining the coding layer and the decoding layer which are trained to obtain a detection model.
Optionally, determining the target feature of the target flow data specifically includes:
determining at least one of a length characteristic of a data packet corresponding to the target flow data, a transmission rate characteristic of the data packet and a transmission time characteristic corresponding to the target flow data as attribute data of the target flow data;
and determining target characteristics according to the attribute data.
Optionally, the attribute data includes discrete attribute and continuous attribute;
according to the attribute data, determining the target characteristics specifically comprises:
for each attribute data of the flow data, if the attribute data belongs to a discrete attribute, performing one-hot encoding on the attribute data to obtain an encoding result, wherein the encoding result is used as the target feature corresponding to the attribute data; if the attribute data belongs to a continuous attribute, normalizing the attribute data to obtain a normalization result, wherein the normalization result is used as the target feature corresponding to the attribute data;
and determining the target characteristics of the flow data according to the target characteristics respectively corresponding to the attribute data.
Optionally, the coding layer comprises a plurality of self-attention coding units;
inputting the target features into a coding layer of a detection model which is trained in advance to obtain a coding result corresponding to the target features output by the coding layer, wherein the coding result comprises the following specific steps:
taking the target characteristics as input, respectively inputting the target characteristics into the respective self-attention coding units in the coding layer to obtain the initial coding results respectively output by the self-attention coding units;
and obtaining the coding result corresponding to the target feature according to the initial coding results.
Optionally, determining an abnormal detection result of the target flow data according to the gap specifically includes:
when the difference is larger than a preset difference threshold, determining that the abnormality detection result of the target flow data is of an unknown abnormality type;
and when the difference is not larger than a preset difference threshold, determining that the abnormal detection result of the target flow data is the target type.
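An added Python illustration of this decision rule, not code from the patent: the neural coding and decoding layers are replaced by a stand-in that maps a feature to the nearest prototype of a known anomaly type and reconstructs that prototype, and the gap measure (mean squared error), the prototype values, the constructed training samples and the threshold calibration are assumptions made here.

```python
"""Encoder-decoder intrusion detection decision: classify into a known anomaly
type via the coding layer, reconstruct via the decoding layer, and compare the
reconstruction gap with a threshold to report an unknown (novel) anomaly type."""
from typing import Dict, List, Tuple

Vector = List[float]

# Constructed prototypes of the known anomaly types (5 normalized attributes).
# Stand-in for a trained coding/decoding layer; values are illustrative only.
KNOWN_TYPES: Dict[str, Vector] = {
    "normal":   [0.20, 0.20, 0.50, 0.10, 0.00],
    "dos":      [0.95, 0.05, 0.02, 0.90, 0.00],
    "portscan": [0.10, 0.10, 0.01, 0.05, 0.95],
}

# Constructed training samples: small deviations around each prototype.
TRAIN_SAMPLES: List[Tuple[Vector, str]] = [
    ([0.22, 0.18, 0.52, 0.12, 0.01], "normal"),
    ([0.17, 0.23, 0.47, 0.09, 0.00], "normal"),
    ([0.93, 0.07, 0.03, 0.88, 0.02], "dos"),
    ([0.97, 0.04, 0.01, 0.92, 0.00], "dos"),
    ([0.12, 0.08, 0.02, 0.06, 0.93], "portscan"),
    ([0.09, 0.11, 0.00, 0.04, 0.97], "portscan"),
]


def _sq_dist(a: Vector, b: Vector) -> float:
    return sum((x - y) ** 2 for x, y in zip(a, b))


def encode(x: Vector) -> Tuple[int, str]:
    """Coding layer stand-in: the coding result is the index of the nearest
    prototype, and the target type is that prototype's known anomaly type."""
    names = list(KNOWN_TYPES)
    idx = min(range(len(names)), key=lambda i: _sq_dist(x, KNOWN_TYPES[names[i]]))
    return idx, names[idx]


def decode(code: int) -> Vector:
    """Decoding layer stand-in: restore the feature from the coding result."""
    return KNOWN_TYPES[list(KNOWN_TYPES)[code]]


def gap(x: Vector, recon: Vector) -> float:
    """Gap between decoding result and target feature (assumption: mean squared error)."""
    return _sq_dist(x, recon) / len(x)


def calibrate_threshold(samples: List[Tuple[Vector, str]], margin: float = 1.5) -> float:
    """Assumption: the preset gap threshold is the largest gap observed on the
    training samples of the known types, scaled by a safety margin."""
    worst = max(gap(x, decode(encode(x)[0])) for x, _ in samples)
    return worst * margin


def detect(x: Vector, threshold: float) -> Dict[str, object]:
    """Report the target type when the decoder restores the feature well, and the
    unknown anomaly type when the gap exceeds the threshold (novel behaviour)."""
    code, target_type = encode(x)
    g = gap(x, decode(code))
    result = "unknown" if g > threshold else target_type
    return {"type": result, "gap": g, "nearest_known": target_type}


if __name__ == "__main__":
    thr = calibrate_threshold(TRAIN_SAMPLES)
    print("threshold:", thr)
    print(detect([0.94, 0.06, 0.02, 0.89, 0.01], thr))   # close to "dos"
    print(detect([0.60, 0.60, 0.60, 0.60, 0.60], thr))   # resembles no known type
```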
The present specification provides an intrusion detection device, the device comprising:
the determining module is used for responding to the detection request, determining target flow data and determining target characteristics of the target flow data;
the coding module is used for inputting the target features into a coding layer of a pre-trained detection model, obtaining a coding result corresponding to the target features output by the coding layer, and determining a target type corresponding to the target features from preset known abnormal types;
the decoding module is used for inputting the coding result into a decoding layer of the detection model to obtain a decoding result corresponding to the target feature output by the decoding layer; the detection model is obtained by training in advance based on sample characteristics of sample flow data corresponding to known abnormal types respectively;
the attack detection module is used for determining the difference between the decoding result and the target characteristic and determining an abnormal detection result of the target flow data according to the difference; wherein the anomaly detection result includes at least one of the target type and an unknown anomaly type.
The present specification provides a computer readable storage medium storing a computer program which, when executed by a processor, implements the intrusion detection method described above.
The present specification provides an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the intrusion detection method described above when executing the program.
The at least one technical scheme adopted in this specification can achieve the following beneficial effects:
in the intrusion detection method provided in the present specification, under the condition of obtaining target flow data, determining a target feature corresponding to the target flow data, determining a coding result of the target feature through a coding layer of a detection model obtained by training based on sample features of sample flow data corresponding to each known anomaly type in advance, and determining a target type corresponding to the target feature from preset known anomaly types. And determining the decoding result of the target feature through a decoding layer of the detection model. And finally, determining an abnormal detection result of the target flow data according to the difference between the decoding result and the target characteristic.
According to the intrusion detection method in the specification, when the target flow belongs to the abnormal type corresponding to the novel network attack behavior, the characteristics of the target flow cannot be accurately restored through the detection model of the coder-decoder structure, so that the novel network attack behavior can be accurately identified, and the detection efficiency is ensured. Meanwhile, when the target flow data belongs to the flow data corresponding to each known abnormality type in history, the method can determine the target type corresponding to the target flow data from the known abnormality types as an abnormality detection result of the target flow data, and further ensure the accuracy and the completeness of the detection result.
Drawings
The accompanying drawings, which are included to provide a further understanding of the specification, illustrate and explain the exemplary embodiments of the present specification and their description, are not intended to limit the specification unduly. In the drawings:
FIG. 1 is a schematic flow chart of an intrusion detection method provided in the present specification;
FIG. 2 is a schematic flow chart of an intrusion detection method provided in the present disclosure;
FIG. 3 is a schematic flow chart of an intrusion detection method provided in the present disclosure;
FIG. 4 is a schematic diagram of an intrusion detection device provided in the present specification;
FIG. 5 is a schematic diagram of the electronic device corresponding to FIG. 1 provided in the present specification.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the present specification more apparent, the technical solutions of the present specification will be clearly and completely described below with reference to specific embodiments of the present specification and corresponding drawings. It will be apparent that the described embodiments are only some, but not all, of the embodiments of the present specification. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are intended to be within the scope of the present disclosure.
The following describes in detail the technical solutions provided by the embodiments of the present specification with reference to the accompanying drawings.
Fig. 1 is a schematic flow chart of an intrusion detection method provided in the present specification, specifically including the following steps:
S100: in response to the detection request, target flow data is determined, and a target characteristic of the target flow data is determined.
At present, whether target flow data is abnormal is determined based on the similarity between the target flow data and the flow data corresponding to each known abnormal type, so an accurate abnormal detection result cannot be obtained when the target flow data corresponds to a novel network attack. Unlike that approach, the present disclosure provides a new intrusion detection method, where, when target traffic data is acquired, a target feature corresponding to the target traffic data is determined, a coding result of the target feature is determined by a coding layer of a detection model trained in advance based on sample features of sample traffic data corresponding to each known anomaly type, and a target type corresponding to the target feature is determined from preset known anomaly types. The decoding result of the target feature is then determined through a decoding layer of the detection model. Finally, the abnormal detection result of the target flow data is determined according to the difference between the decoding result and the target characteristic.
According to the intrusion detection method in the specification, when the target flow belongs to the abnormal type corresponding to the novel network attack behavior, the characteristics of the target flow cannot be accurately restored through the detection model of the coder-decoder structure, so that the novel network attack behavior can be accurately identified, and the detection efficiency is ensured. Meanwhile, when the target flow data belongs to the flow data corresponding to each known abnormality type in history, the method can determine the target type corresponding to the target flow data from the known abnormality types as an abnormality detection result of the target flow data, and further ensure the accuracy and the completeness of the detection result.
Based on the above description of the core idea of the intrusion detection method provided in the present specification, the intrusion detection method provided in the present specification may be executed by a variety of electronic devices such as a server for intrusion detection, a server for anomaly detection, and a terminal for data verification. Such as notebook computers, cell phones, etc. The electronic device for executing the intrusion detection method and the electronic device for training the intrusion detection model may be the same electronic device or different electronic devices, which is not limited in this specification.
The intrusion detection method provided in the present specification will be exemplarily described below using only a server for intrusion detection as an execution subject.
Specifically, the server may receive a detection request including target traffic data. The detection request can be sent directly to the server by the user, or can be automatically generated by the server according to the stored flow data after the preset time is reached. In particular, how the detection request is determined can be set according to needs, and this specification does not limit the detection request.
The server may then parse the detection request to determine target traffic data contained in the detection request. Or, the detection request may only include the identifier of the target flow data, so the server may analyze the detection request, determine the identifier of the target flow data, and determine, according to the identifier, the target flow data corresponding to the identifier from the flow data stored in the server.
Then, the server may determine at least one of a length characteristic of a data packet corresponding to the target traffic data, a transmission rate characteristic of the data packet, and a transmission time characteristic corresponding to the target traffic data as attribute data of the target traffic data.
The length characteristics of the data packets corresponding to the target traffic data may include at least one of indices such as: the total number of forward and reverse packets, the total size of forward and reverse packets, the maximum, minimum, average and standard deviation of the forward and reverse packet sizes, the number of reverse packets per second, the maximum, minimum and average stream length, the standard deviation of the stream length, the average packet size, the average forward and reverse size, and the like.
The transmission rate characteristics of the data packets may include at least one of the stream byte rate, i.e. the number of bytes transmitted per second, the stream packet rate, i.e. the number of packets transmitted per second, and the like.
The transmission time characteristics corresponding to the target flow data may include at least one of indices such as: the flow duration, the average time between two flows, the standard deviation of the time between two flows, the maximum time between two flows, the minimum, total, average and maximum time between two packets sent in the forward or reverse direction, the minimum time between packets sent in the forward or reverse direction, the minimum packet arrival interval, the average, standard deviation, maximum and minimum time a flow is active before becoming idle, the average, standard deviation and minimum time a flow is idle before becoming active, and the like.
Finally, the server may directly use the attribute data as the target feature of the target traffic data. Alternatively, the server may splice the target traffic data and the attribute data as target features of the target traffic data.
It should be noted that the attribute data may further include indices such as the number of times the PSH and URG flags are set in the data packets transmitted in the forward and reverse directions of the data stream (0 for UDP), the number of data packets in the data stream with the SYN, FIN, RST, PUSH, ACK, URG, CWE and ECE flags set, and the download/upload ratio. Since these indices are all common indices used in network traffic analysis, the meaning of each index is not repeated in this specification. The specific index types included in the attribute data can be set as needed, which is not limited in the present specification.
Further, each attribute data of the target traffic data may be a continuous attribute, for example an attribute formed by the lengths of the respective packets included in the traffic data, or a discrete attribute, such as the protocol type of the packets included in the traffic data. Continuous attributes and discrete attributes generally need different processing modes to extract the information they contain.
Then, for each attribute data of the target flow data, if the attribute data is a discrete attribute, the server may perform one-hot encoding on the attribute data to obtain an encoding result corresponding to the attribute data, and use the encoding result as a target feature corresponding to the attribute data.
If the attribute data is continuous data, the server can normalize the attribute data to obtain a normalized result, and the normalized result is used as a target feature corresponding to the attribute data.
Finally, after obtaining the target features corresponding to the attribute data respectively, the server can splice the target features corresponding to the attribute data respectively, and the splicing result is used as the target features corresponding to the target flow data.
One-hot encoding of a discrete attribute maps each category of the attribute into a vector in which exactly one element is 1 and the other elements are 0. The one-hot encoding process is as follows:
it is assumed that the target flow data contains n discrete attributes, and that all discrete attributes have a total of m different categories.
Thus, the server may first mark each category: each different category of attributes is assigned a unique label or index, which may be numbered from 0 to m-1. These markers will be used to create the one-hot encoded vector.
The server may then create a zero vector: for each discrete attribute, a zero vector of length m is created, which will be used to represent the one-hot encoding.
Second, the server may set the corresponding location to 1: the server may set the corresponding position in the zero vector to 1 according to the attribute value corresponding to the attribute data. I.e., the i-th element in the one-hot encoded vector of the category with index i is set to 1 and the other elements are set to 0.
Finally, the server may obtain a representation of the discrete attribute: finally, for each attribute data, the discrete attribute may be represented as a one-hot encoded vector of length m, where only one element is 1 and the other elements are 0.
For continuous attributes, the server may perform max-min normalization on the continuous attribute, which scales the numerical feature to a specified range, typically [0, 1]. The max-min normalization procedure is as follows:
For each continuous attribute of the target traffic data, the server may determine the maximum and minimum values of the attribute: all samples are traversed to find the minimum value and the maximum value of the attribute.
Thereafter, the server may calculate a normalized value for each value of the continuous attribute.
This formula maps the original attribute value into the specified range.
Finally, the server may obtain the representation: each attribute value of the continuous attribute is converted into a normalized value within the range. The server may splice these normalized attribute values as the target feature corresponding to the continuous attribute.
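The one-hot and max-min steps above, carried through as an added Python example (not code from the patent); the attribute names, the constructed sample flow records, and the handling of unseen categories and values outside the training range are assumptions made here, not taken from the specification.

```python
"""Target-feature construction for traffic attribute data: one-hot encoding for
discrete attributes, max-min normalization for continuous ones, then splicing."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample flow records (illustrative attribute names, not the patent's).
SAMPLE_FLOWS = [
    {"protocol": "tcp",  "fwd_pkts": 12, "bwd_pkts": 10, "duration_ms": 350.0},
    {"protocol": "udp",  "fwd_pkts": 3,  "bwd_pkts": 0,  "duration_ms": 20.0},
    {"protocol": "tcp",  "fwd_pkts": 40, "bwd_pkts": 38, "duration_ms": 1200.0},
    {"protocol": "icmp", "fwd_pkts": 1,  "bwd_pkts": 1,  "duration_ms": 5.0},
]
DISCRETE = ["protocol"]
CONTINUOUS = ["fwd_pkts", "bwd_pkts", "duration_ms"]


@dataclass
class FeatureEncoder:
    # category -> unique index 0..m-1 (one-hot step 1)
    category_index: Dict[str, int] = field(default_factory=dict)
    # attribute -> (minimum, maximum) found by traversing all samples
    min_max: Dict[str, Tuple[float, float]] = field(default_factory=dict)

    def fit(self, flows) -> "FeatureEncoder":
        cats = sorted({str(f[a]) for f in flows for a in DISCRETE})
        self.category_index = {c: i for i, c in enumerate(cats)}
        for a in CONTINUOUS:
            vals = [float(f[a]) for f in flows]
            self.min_max[a] = (min(vals), max(vals))
        return self

    def one_hot(self, value) -> List[float]:
        # Zero vector of length m; position i is set to 1 for the category with index i.
        vec = [0.0] * len(self.category_index)
        idx = self.category_index.get(str(value))
        if idx is not None:           # assumption: a category unseen in training stays all-zero
            vec[idx] = 1.0
        return vec

    def normalize(self, attr: str, value) -> float:
        lo, hi = self.min_max[attr]
        if hi == lo:                   # constant attribute: avoid division by zero
            return 0.0
        x = (float(value) - lo) / (hi - lo)
        return min(1.0, max(0.0, x))   # assumption: clamp values outside the training range

    def transform(self, flow) -> List[float]:
        # Splice the per-attribute target features into the flow's target feature.
        parts: List[float] = []
        for a in DISCRETE:
            parts.extend(self.one_hot(flow[a]))
        for a in CONTINUOUS:
            parts.append(self.normalize(a, flow[a]))
        return parts


if __name__ == "__main__":
    enc = FeatureEncoder().fit(SAMPLE_FLOWS)
    for flow in SAMPLE_FLOWS:
        print(flow["protocol"], [round(v, 3) for v in enc.transform(flow)])
```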
In addition, since network attack behavior always tries to masquerade as normal access behavior in order to increase the probability of a successful attack, if the target traffic data is the network traffic corresponding to a novel network attack, the target features of the target traffic data may be similar to those of normal traffic data, with only small differences. Therefore, besides directly splicing the target features corresponding to each attribute data to obtain the target feature, the server may perform self-attention processing on the splicing result, so as to obtain a target feature that better represents the data characteristics of the target traffic data, and take the processed result as the target feature.
Essentially, taking the splicing result as a vector, the server may determine the transposed vector corresponding to that vector, and then determine the product of the vector and its transpose, which is a matrix. The server may then determine, for each value in the matrix, the function value of that product under a tangent function. Finally, the server can determine the target feature according to the function values at the respective positions in the matrix.
S102: inputting the target features into a coding layer of a pre-trained detection model, obtaining a coding result corresponding to the target features output by the coding layer, and determining the target types corresponding to the target features from preset known abnormal types.
In one or more embodiments provided in the present disclosure, as described above, the intrusion detection method may encode and decode the characteristics of the target traffic data based on a detection model obtained by training in advance, and further determine whether the target traffic data is traffic data corresponding to a novel network attack based on a gap between the characteristics and decoding results of the target traffic.
Specifically, the server may take the target feature in step S100 as input, input the target feature into the coding layer of the detection model, and code the target feature through the coding layer in the detection model, to obtain a coding result output by the coding layer.
The coding layer may have a convolutional neural network structure or a recurrent neural network structure; the specific network structure of the coding layer may be set as required and is not limited in this specification.
Further, the coding layer may include a plurality of self-attention coding units, each of which may be used to extract a different type of information.
Then, the server may input the target feature as an input to each self-attention encoding unit in the encoding layer, and obtain an initial encoding result output after the self-attention encoding unit performs self-attention enhancement according to the target feature.
Finally, according to each initial coding result, the server can determine the coding result corresponding to the target feature.
Specifically, the server may perform attention calculations on the input sequence simultaneously by a plurality of self-attention encoding units. Each self-attention encoding unit may learn different attention weights to capture different relationships in the input sequence. Each self-attention encoding unit calculates a weighted sum for each element in the input sequence, representing the correlation of that element with other elements. The multi-head self-attention mechanism can learn multiple information interaction modes in parallel.
Of course, the self-attention coding units may also be arranged in series in the coding layer: the target feature is input to the first self-attention coding unit in the coding layer to obtain its initial coding result, that initial coding result is input to the second self-attention coding unit to obtain the initial coding result output by the second unit, and so on, each unit taking the initial coding result of the previous unit as input, until initial coding results corresponding to each self-attention coding unit in the coding layer are obtained.
And finally, obtaining the coding result of the target feature according to the initial coding results respectively output by the attention coding units.
In addition, the anomaly detection result of the target traffic data may be one of two kinds: a known anomaly type or an unknown anomaly type. Whether the target traffic data is of an unknown anomaly type is determined by whether the decoding layer can accurately restore the encoding result corresponding to the target feature. Which known anomaly type corresponds to the target traffic data, on the other hand, may be determined from the encoding result corresponding to the target feature once that encoding result has been obtained.
Specifically, a plurality of known exception types may be preset in the server, and for each known exception type, the encoding result corresponding to the known exception type may be stored in the server in advance.
Then, after obtaining the coding result corresponding to the target feature, the server may determine the similarity corresponding to the coding result corresponding to the target feature and the coding result corresponding to each known anomaly type.
And finally, from the determined similarities, the server can determine the known anomaly type whose coding result has the highest similarity with the coding result corresponding to the target feature, and take that known anomaly type as the target type corresponding to the target feature.
S104: inputting the coding result into a decoding layer of the detection model to obtain a decoding result corresponding to the target feature output by the decoding layer; the detection model is obtained by training in advance based on sample characteristics of sample flow data corresponding to known anomaly types.
In one or more embodiments provided herein, after obtaining the encoding results, the server may decode the encoding results.
Specifically, the server may input the encoding result of step S102 as an input to a decoding layer of the detection model, and decode the encoding result through the decoding layer in the detection model to obtain a decoding result output by the decoding layer.
The decoding layer may have a convolutional neural network structure or a recurrent neural network structure; the specific network structure of the decoding layer may be set as required and is not limited in this specification.
Of course, the decoding layer may also include a plurality of self-attention decoding units, so that the server may decode the encoding results respectively by the self-attention decoding units to obtain initial decoding results respectively output by the self-attention decoding units. And finally, determining the decoding result of the target feature according to each initial decoding result.
It should be noted that, the dimension of the input data of the decoding layer may be different from the dimension of the input data of the encoding layer, and the number of self-attention decoding units included in the decoding layer may be different from the number of self-attention encoding units included in the encoding layer.
S106: determining a gap between the decoding result and the target feature, and determining an abnormal detection result of the target flow data according to the gap; wherein the anomaly detection result includes at least one of the target type and an unknown anomaly type.
In one or more embodiments provided in the present disclosure, as described above, if the target traffic data is traffic data corresponding to a known anomaly type, the decoding layer, trained in advance on the sample features of the sample traffic data corresponding to each known anomaly type, can accurately restore the encoding result corresponding to the target feature. If the target traffic data is traffic data corresponding to an unknown anomaly type, the gap between the decoding result obtained from the decoding layer and the target feature is larger. Thus, based on the gap, the server can determine the anomaly detection result of the target traffic data.
Specifically, the server may determine a gap between the decoding result and the target feature. To do so, the server may determine a similarity between the decoding result and the target feature and determine the gap based on that similarity. The similarity may be a Euclidean distance, a cosine distance, etc.; its type can be set as needed and is not limited in this specification.
Of course, the server may also determine the gap directly from the decoding result and the target feature, by counting the positions at which the two have different values and determining the gap according to that count.
If the gap is greater than a preset gap threshold, the server may determine that the anomaly detection result of the target traffic data is of an unknown anomaly type. If the gap is not greater than the gap threshold, the server may determine that the anomaly detection result of the target traffic data is a known anomaly type.
Of course, when the gap is not greater than the gap threshold, the server may determine that the anomaly detection result of the target traffic data is a known anomaly type, or may determine that the anomaly detection result of the target traffic data is the target type corresponding to the target feature. The specific content of the anomaly detection result in this case may be set as needed and is not limited in this specification.
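The decision procedure of steps S102 to S106, as an added example that is not the patent's code. The trained coding and decoding layers are stood in for by a fixed orthonormal projection and its transpose, the per-type coding results and the gap threshold are constructed constants, and the gap is the Euclidean distance named above.

```python
import math
from typing import Dict, List, Tuple

Vector = List[float]

# Assumed stand-in for the trained coding layer: the rows are an orthonormal
# basis of the subspace in which the features of the known anomaly types lie.
# The decoding layer is its transpose, so decode(encode(x)) is the orthogonal
# projection of x onto that subspace: features of known types are restored
# almost exactly, features with a component outside it are not.
ENCODER: List[Vector] = [
    [0.5, 0.5, 0.5, 0.5],
    [0.5, -0.5, 0.5, -0.5],
]

# Coding results stored in advance for each known anomaly type (constructed).
KNOWN_TYPE_ENCODINGS: Dict[str, Vector] = {
    "flood": [2.0, 0.0],
    "scan": [0.0, 2.0],
}

GAP_THRESHOLD = 0.5  # preset gap threshold (constructed value)


def dot(a: Vector, b: Vector) -> float:
    return sum(x * y for x, y in zip(a, b))


def encode(target_feature: Vector) -> Vector:
    """Coding layer (S102): project the target feature onto each basis row."""
    return [dot(row, target_feature) for row in ENCODER]


def decode(coding_result: Vector) -> Vector:
    """Decoding layer (S104): map the coding result back into feature space."""
    dim = len(ENCODER[0])
    return [sum(ENCODER[k][i] * coding_result[k] for k in range(len(ENCODER)))
            for i in range(dim)]


def cosine_similarity(a: Vector, b: Vector) -> float:
    na, nb = math.sqrt(dot(a, a)), math.sqrt(dot(b, b))
    return dot(a, b) / (na * nb) if na and nb else 0.0


def euclidean_gap(decoding_result: Vector, target_feature: Vector) -> float:
    """Gap between decoding result and target feature (S106): Euclidean distance."""
    return math.sqrt(sum((d - t) ** 2 for d, t in zip(decoding_result, target_feature)))


def nearest_known_type(coding_result: Vector) -> str:
    """Known anomaly type whose stored coding result is most similar (S102)."""
    return max(KNOWN_TYPE_ENCODINGS,
               key=lambda t: cosine_similarity(coding_result, KNOWN_TYPE_ENCODINGS[t]))


def detect(target_feature: Vector, gap_threshold: float = GAP_THRESHOLD) -> Tuple[str, float]:
    """Return (anomaly detection result, gap) for one target feature."""
    coding_result = encode(target_feature)
    target_type = nearest_known_type(coding_result)
    decoding_result = decode(coding_result)
    gap = euclidean_gap(decoding_result, target_feature)
    if gap > gap_threshold:
        # The decoder could not restore the feature: traffic of an unknown type.
        return "unknown", gap
    return target_type, gap


if __name__ == "__main__":
    # Constructed target features: two resembling known types, one novel.
    for feat in ([1.0, 1.0, 1.0, 1.0], [1.2, -0.8, 1.0, -1.0], [1.0, 1.0, -1.0, -1.0]):
        print(feat, "->", detect(feat))
```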
Based on the intrusion detection method of fig. 1, after acquiring target traffic data, the server determines the target feature corresponding to the target traffic data, determines the coding result of the target feature through the coding layer of a detection model trained in advance on the sample features of sample traffic data corresponding to each known anomaly type, and determines the target type corresponding to the target feature from the preset known anomaly types. It then determines the decoding result of the target feature through the decoding layer of the detection model. Finally, it determines the anomaly detection result of the target traffic data according to the gap between the decoding result and the target feature.
According to the intrusion detection method in this specification, when the target traffic belongs to the anomaly type corresponding to a novel network attack behavior, the features of the target traffic cannot be accurately restored by the detection model with the coder-decoder structure, so the novel network attack behavior can be accurately identified while detection efficiency is ensured. Meanwhile, when the target traffic data belongs to traffic data corresponding to a known anomaly type seen in history, the method can determine the target type corresponding to the target traffic data from the known anomaly types as the anomaly detection result of the target traffic data, which further ensures the accuracy and completeness of the detection result.
In addition, the detection model can be trained by the following method:
specifically, the server may determine sample flow data, and determine an anomaly type corresponding to the sample flow data, as a first label of the sample flow data. The abnormal type corresponding to the sample flow data is one of preset abnormal types.
Then, as described above, the detection model should accurately encode and decode, i.e. restore, the traffic data corresponding to each known anomaly type. Thus, the server may also determine the sample feature of each sample traffic data as a second label of the sample traffic data.
Then, the server can input the sample characteristics into a coding layer of a detection model to be trained to obtain sample coding results corresponding to the sample characteristics output by the coding layer. Meanwhile, the server can determine the sample abnormal type corresponding to the sample characteristic according to the sample coding result of the sample characteristic.
Then, the server can input the sample coding result as input to a decoding layer of the detection model to obtain a sample decoding result corresponding to the sample characteristics output by the decoding layer.
Finally, the server can determine a first loss according to the difference between the first label and the sample anomaly type and the difference between the second label and the sample decoding result, and adjust the model parameters of the detection model with minimizing the first loss as the optimization objective, until a preset iteration termination condition is reached. The iteration termination condition may be that the difference between the sample feature and the sample decoding result is smaller than a preset difference threshold, or that the number of iterations exceeds a preset threshold; the specific content of the iteration termination condition may be set as needed and is not limited in this specification.
Furthermore, because training the coding layer and the decoding layer together is difficult, the server can train the coding layer first and train the decoding layer after the coding layer has been trained.
Specifically, first, the server may determine sample flow data and determine sample characteristics of the sample flow data.
The server may then determine a pre-trained coding layer based on the sample traffic data and its corresponding anomaly type.
Then, the server can input the sample features into the pre-trained coding layer to obtain the sample coding results corresponding to the sample features output by the coding layer, and then input the sample coding results into a decoding layer to be trained to obtain the sample decoding results output by the decoding layer.
Finally, the server may determine a second loss based on a gap between the sample feature and the sample decoding result, and train the decoding layer with the second loss minimized as an optimization objective.
After training is completed, the server may combine the trained coding layer and decoding layer to obtain the detection model.
The coding layer is obtained by training in the following mode:
First, the server may determine sample flow data and determine sample characteristics of the sample flow data.
The server may then determine the anomaly type corresponding to the sample traffic data as a first label of the sample traffic data.
Then, the server can input the sample characteristics as input into a coding layer to be trained to obtain sample coding results corresponding to the sample characteristics output by the coding layer.
Then, the server can determine the sample abnormal type corresponding to the sample characteristic according to the sample coding result and the coding result corresponding to each known abnormal type.
Finally, based on the gap between the sample anomaly type and the first label, the server may determine a third loss and train the coding layer with minimizing the third loss as the optimization objective.
Furthermore, the encoding results corresponding to the known anomaly types can be obtained in the following manner.
Specifically, the server may determine, for each preset anomaly type, sample traffic data corresponding to the anomaly type.
Then, the server inputs the sample traffic data corresponding to each anomaly type into the coding layer of the detection model to obtain the coding result corresponding to each sample traffic data.
Then, the server can cluster the coding results of the respective sample traffic data to obtain a clustering result, and for each cluster in the clustering result, determine the known anomaly type corresponding to that cluster from the anomaly types of the coding results it contains.
Finally, the server can determine the coding result corresponding to each known anomaly type.
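An added example, not the patent's code, of deriving the stored coding result for each known anomaly type from labelled sample encodings as just described. The sample encodings are constructed values assumed to be coding-layer outputs, and k-means initialised from the first sample of each type is the clustering method assumed here, since the page does not specify one.

```python
from collections import Counter
from typing import Dict, List, Tuple

Vector = List[float]

# Constructed coding results of labelled sample traffic (assumed outputs of the
# coding layer); the label is the anomaly type of the corresponding sample.
SAMPLE_ENCODINGS: List[Tuple[str, Vector]] = [
    ("flood", [2.0, 0.1]), ("flood", [1.9, -0.1]), ("flood", [2.1, 0.0]),
    ("scan", [0.1, 2.0]), ("scan", [-0.1, 1.9]), ("scan", [0.0, 2.1]),
    ("probe", [-2.0, 0.0]), ("probe", [-1.9, 0.2]), ("probe", [-2.1, -0.1]),
]


def sq_dist(a: Vector, b: Vector) -> float:
    return sum((x - y) ** 2 for x, y in zip(a, b))


def mean(vectors: List[Vector]) -> Vector:
    return [sum(v[i] for v in vectors) / len(vectors) for i in range(len(vectors[0]))]


def kmeans(points: List[Vector], init: List[Vector],
           max_iters: int = 50) -> Tuple[List[Vector], List[int]]:
    """Plain k-means from given initial centroids; returns (centroids, cluster id per point)."""
    centroids = [c[:] for c in init]
    assign: List[int] = []
    for _ in range(max_iters):
        new_assign = [min(range(len(centroids)), key=lambda k: sq_dist(p, centroids[k]))
                      for p in points]
        if new_assign == assign:
            break  # converged: no point changed cluster
        assign = new_assign
        for k in range(len(centroids)):
            members = [p for p, a in zip(points, assign) if a == k]
            if members:  # an emptied cluster keeps its previous centroid
                centroids[k] = mean(members)
    return centroids, assign


def known_type_encodings(samples: List[Tuple[str, Vector]]) -> Dict[str, Vector]:
    """Cluster the sample encodings, label each cluster by the majority anomaly
    type of its members, and return one stored coding result (the centroid) per type."""
    labels = [label for label, _ in samples]
    points = [vec for _, vec in samples]
    types = list(dict.fromkeys(labels))              # known types, first-seen order
    init = [points[labels.index(t)] for t in types]  # one centroid per known type
    centroids, assign = kmeans(points, init)
    result: Dict[str, Vector] = {}
    best: Dict[str, int] = {}
    for k, centroid in enumerate(centroids):
        member_labels = [lab for lab, a in zip(labels, assign) if a == k]
        if not member_labels:
            continue
        label, count = Counter(member_labels).most_common(1)[0]
        # If two clusters are labelled with the same type, keep the one that
        # holds more samples of that type.
        if count > best.get(label, 0):
            best[label] = count
            result[label] = centroid
    return result


if __name__ == "__main__":
    for anomaly_type, coding_result in known_type_encodings(SAMPLE_ENCODINGS).items():
        print(anomaly_type, [round(x, 3) for x in coding_result])
```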
Based on the same idea, the present disclosure provides a flow diagram of an intrusion detection method, as shown in fig. 2.
Fig. 2 is a flow chart of an intrusion detection method provided in the present specification. The server can first determine target traffic data and the target feature of the target traffic data, then encode the target feature to obtain the encoding result corresponding to the target feature, and then decode the encoding result to obtain a decoding result. When the gap between the decoding result and the target feature is greater than a preset gap threshold, it is determined that the detection model cannot accurately restore the target traffic data, i.e. the target traffic data is traffic data corresponding to an unknown anomaly type.
In addition, the coding layer can comprise a coding sub-layer and a classifying sub-layer, wherein the coding sub-layer is used for coding the sample characteristics and determining sample coding results corresponding to the sample characteristics. The classifying sub-layer is used for classifying sample coding results corresponding to the sample features and determining sample abnormal types corresponding to the sample features.
When the server trains the coding layer, the sample characteristics can be input into the coding sublayers in the coding layer to obtain sample coding results corresponding to the sample characteristics output by the coding sublayers.
Then, the server can input the sample coding result into a classification sub-layer in the coding layer to obtain the sample abnormal type corresponding to the sample characteristic output by the classification sub-layer.
Finally, the server may determine a third loss based on the gap between the sample anomaly type and the first label of the sample traffic data, and train the coding sub-layer and the classification sub-layer with minimizing the third loss as the optimization objective.
Then, after the training of the coding layer is completed, the server inputs the target feature into the coding sub-layer of the coding layer to obtain a coding result corresponding to the target feature output by the coding sub-layer, and inputs the coding result corresponding to the target feature into the classifying sub-layer of the coding layer to obtain an abnormal type corresponding to the target feature output by the classifying sub-layer.
Based on the same idea, the present disclosure provides a flow diagram of an intrusion detection method, as shown in fig. 3.
Fig. 3 is a flow chart of an intrusion detection method provided in the present specification. The server can firstly determine target flow data, determine target characteristics of the target flow data, input the target characteristics into coding sublayers in the coding layers to obtain coding results corresponding to the target characteristics, and then input the target characteristics into classifying sublayers in the coding layers to obtain target types corresponding to the target characteristics.
Then, the server can input the coding result corresponding to the target feature into a decoding layer in the detection model to obtain a decoding result output by the decoding layer.
Finally, the server may determine the anomaly detection result of the target traffic data based on the gap between the decoding result and the target feature. That is, when the gap between the decoding result and the target feature is greater than the gap threshold, the anomaly detection result of the target traffic data is determined to be an unknown anomaly type, and when the gap is not greater than the gap threshold, the anomaly detection result is determined to be the target type.
Based on the same concept, for the intrusion detection method provided in one or more embodiments of the present disclosure, the present disclosure further provides a corresponding intrusion detection device, as shown in fig. 4.
Fig. 4 is a schematic diagram of an intrusion detection device provided in the present specification, specifically including:
the determining module 200 is configured to determine, in response to a detection request, target flow data, and determine a target characteristic of the target flow data.
The encoding module 202 is configured to input the target feature into an encoding layer of a pre-trained detection model, obtain an encoding result corresponding to the target feature output by the encoding layer, and determine a target type corresponding to the target feature from preset known anomaly types.
The decoding module 204 is configured to input the encoding result into a decoding layer of the detection model, and obtain a decoding result corresponding to the target feature output by the decoding layer; the detection model is obtained by training in advance based on sample characteristics of sample flow data corresponding to known anomaly types.
An attack detection module 206, configured to determine a gap between the decoding result and the target feature, and determine an anomaly detection result of the target traffic data according to the gap; wherein the anomaly detection result includes at least one of the target type and an unknown anomaly type.
Optionally, the device further comprises:
the training module 208 is configured to train to obtain the detection model in the following manner: determining sample flow data, determining an abnormal type corresponding to the sample flow data, taking the sample flow data as a first label of the sample flow data, determining a sample characteristic of the sample flow data as a second label of the sample flow data, inputting the sample characteristic into an encoding layer of a detection model to be trained to obtain a sample encoding result corresponding to the sample characteristic output by the encoding layer, determining a sample abnormal type corresponding to the sample characteristic, taking the sample encoding result as an input, inputting the sample encoding result into a decoding layer of the detection model to obtain a sample decoding result corresponding to the sample characteristic output by the decoding layer, and training the detection model according to a difference between the first label and the sample abnormal type and a difference between the second label and the sample decoding result.
Optionally, the training module 208 is configured to train to obtain the detection model in the following manner: determining sample flow data, determining a coding layer which is trained in advance according to the sample flow data and the corresponding abnormal type of the sample flow data, determining sample characteristics of the sample flow data, inputting the sample characteristics into the coding layer to obtain a sample coding result corresponding to the sample characteristics output by the coding layer, inputting the sample coding result into a decoding layer to be trained to obtain a sample decoding result output by the decoding layer, training the decoding layer according to a difference between the sample characteristics and the sample decoding result, and combining the trained coding layer and the decoding layer to obtain a detection model.
Optionally, the encoding module 202 is configured to determine at least one of a length characteristic of a data packet corresponding to the target traffic data, a transmission rate characteristic of the data packet, and a transmission time characteristic corresponding to the target traffic data, as attribute data of the target traffic data; and determining target characteristics according to the attribute data.
Optionally, the encoding module 202 is configured to, for each attribute data of the traffic data: if the attribute data belongs to a discrete attribute, one-hot encode the attribute data to obtain an encoding result as the target feature corresponding to the attribute data; if the attribute data belongs to a continuous attribute, normalize the attribute data to obtain a normalization result as the target feature corresponding to the attribute data; and determine the target feature of the traffic data according to the target feature corresponding to each attribute data, where the attribute data includes discrete attributes and continuous attributes.
Optionally, the encoding module 202 is configured to take the target feature as an input, respectively input the target feature into respective attention encoding units in the encoding layer, obtain respective initial encoding results output by the respective attention encoding units, and obtain an encoding result corresponding to the target feature according to the respective initial encoding results, where the encoding layer includes a plurality of self-attention encoding units.
Optionally, the detecting module 206 is configured to determine that the anomaly detection result of the target traffic data is an unknown anomaly type when the gap is greater than a preset gap threshold, and determine that the anomaly detection result of the target traffic data is the target type when the gap is not greater than the preset gap threshold.
The present specification also provides a computer readable storage medium storing a computer program operable to perform the intrusion detection method provided in fig. 1 described above.
The present specification also provides a schematic structural diagram of the electronic device shown in fig. 5. At the hardware level, the electronic device includes a processor, an internal bus, a network interface, a memory, and a non-volatile storage, as illustrated in fig. 5, although other hardware required by other services may be included. The processor reads the corresponding computer program from the non-volatile memory into the memory and then runs to implement the intrusion detection method described above with respect to fig. 1. Of course, other implementations, such as logic devices or combinations of hardware and software, are not excluded from the present description, that is, the execution subject of the following processing flows is not limited to each logic unit, but may be hardware or logic devices.
In the 1990s, an improvement to a technology could clearly be distinguished as an improvement in hardware (e.g., an improvement to a circuit structure such as a diode, transistor or switch) or in software (an improvement to a method flow). However, with the development of technology, many improvements of current method flows can be regarded as direct improvements of hardware circuit structures. Designers almost always obtain the corresponding hardware circuit structure by programming the improved method flow into a hardware circuit. Therefore, it cannot be said that an improvement of a method flow cannot be realized by a hardware entity module. For example, a programmable logic device (Programmable Logic Device, PLD) (e.g., a field programmable gate array (Field Programmable Gate Array, FPGA)) is an integrated circuit whose logic function is determined by the user's programming of the device. A designer programs to "integrate" a digital system onto a PLD without requiring the chip manufacturer to design and fabricate an application-specific integrated circuit chip. Moreover, nowadays, instead of manually manufacturing integrated circuit chips, such programming is mostly implemented with "logic compiler" software, which is similar to the software compiler used in program development; the source code before compilation is also written in a specific programming language, called a hardware description language (Hardware Description Language, HDL). There is not just one HDL but many kinds, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM and RHDL (Ruby Hardware Description Language); VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog are currently the most commonly used.
It will also be apparent to those skilled in the art that a hardware circuit implementing the logic method flow can be readily obtained by merely slightly programming the method flow into an integrated circuit using several of the hardware description languages described above.
The controller may be implemented in any suitable manner; for example, the controller may take the form of a microprocessor or processor and a computer readable medium storing computer readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a programmable logic controller, or an embedded microcontroller. Examples of controllers include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicon Labs C8051F320; the memory controller may also be implemented as part of the control logic of the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller purely as computer readable program code, it is entirely possible to implement the same functionality by logically programming the method steps so that the controller takes the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers, etc. Such a controller may thus be regarded as a hardware component, and the means included therein for performing various functions may also be regarded as structures within the hardware component. Or even the means for achieving the various functions may be regarded as both software modules implementing the method and structures within the hardware component.
The system, apparatus, module or unit set forth in the above embodiments may be implemented in particular by a computer chip or entity, or by a product having a certain function. One typical implementation is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being functionally divided into various units, respectively. Of course, the functions of each element may be implemented in one or more software and/or hardware elements when implemented in the present specification.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, such as Random Access Memory (RAM), and/or nonvolatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer readable media, including both non-transitory and non-transitory, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static Random Access Memory (SRAM), dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), read Only Memory (ROM), electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by a computing device. Computer-readable media, as defined herein, does not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
It will be appreciated by those skilled in the art that embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, the present specification may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present description can take the form of a computer program product on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
The specification may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media, including memory storage devices.
In this specification, each embodiment is described in a progressive manner: identical and similar parts of the embodiments may be referred to each other, and each embodiment mainly describes its differences from the other embodiments. In particular, since the system embodiments are substantially similar to the method embodiments, their description is relatively brief, and for relevant points reference may be made to the description of the method embodiments.
The foregoing is merely exemplary of the present disclosure and is not intended to limit the disclosure. Various modifications and alterations to this specification will become apparent to those skilled in the art. Any modifications, equivalent substitutions, improvements, or the like, which are within the spirit and principles of the present description, are intended to be included within the scope of the claims of the present description.

Claims (10)

1. An intrusion detection method, the method comprising:
determining target flow data in response to a detection request, and determining target features of the target flow data;
inputting the target features into a coding layer of a pre-trained detection model to obtain a coding result corresponding to the target features output by the coding layer, and determining a target type corresponding to the target features from preset known abnormal types;
inputting the coding result into a decoding layer of the detection model to obtain a decoding result corresponding to the target feature output by the decoding layer; the detection model is obtained by training in advance based on sample characteristics of sample flow data corresponding to known abnormal types respectively;
determining a difference between the decoding result and the target features, and determining an anomaly detection result of the target flow data according to the difference; wherein the anomaly detection result includes at least one of the target type and an unknown anomaly type.
2. The method of claim 1, wherein the detection model is trained by:
determining sample flow data, determining the abnormality type corresponding to the sample flow data as a first label of the sample flow data, and determining sample features of the sample flow data as a second label of the sample flow data;
inputting the sample features into a coding layer of a detection model to be trained, obtaining a sample coding result corresponding to the sample features output by the coding layer, and determining a sample abnormality type corresponding to the sample features;
inputting the sample coding result into a decoding layer of the detection model to obtain a sample decoding result corresponding to the sample features output by the decoding layer;
and training the detection model according to the difference between the first label and the sample abnormality type and the difference between the second label and the sample decoding result.
3. The method of claim 1, wherein the detection model is trained by:
determining sample flow data, determining a coding layer trained in advance according to the sample flow data and the abnormality type corresponding to the sample flow data, and determining sample features of the sample flow data;
inputting the sample features into the coding layer to obtain a sample coding result corresponding to the sample features output by the coding layer;
inputting the sample coding result into a decoding layer to be trained to obtain a sample decoding result output by the decoding layer;
training the decoding layer according to the difference between the sample features and the sample decoding result;
and combining the coding layer and the decoding layer which are trained to obtain a detection model.
4. The method of claim 1, wherein determining the target features of the target flow data comprises:
determining at least one of a length feature of the data packets corresponding to the target flow data, a transmission rate feature of the data packets, and a transmission time feature corresponding to the target flow data as attribute data of the target flow data;
and determining the target features according to the attribute data.
5. The method of claim 4, wherein the attribute data includes discrete attributes and continuous attributes;
and determining the target features according to the attribute data specifically comprises:
for each item of attribute data of the flow data, if the attribute data is a discrete attribute, one-hot encoding the attribute data to obtain an encoding result, which serves as the target feature corresponding to that attribute data; if the attribute data is a continuous attribute, normalizing the attribute data to obtain a normalization result, which serves as the target feature corresponding to that attribute data;
and determining the target features of the flow data according to the target features corresponding to the respective items of attribute data.
6. The method of claim 1, wherein the coding layer comprises a plurality of self-attention coding units;
and inputting the target features into the coding layer of the pre-trained detection model to obtain the coding result corresponding to the target features output by the coding layer specifically comprises:
inputting the target features into each self-attention coding unit of the coding layer to obtain the initial coding result output by each self-attention coding unit;
and obtaining the coding result corresponding to the target features according to the initial coding results.
7. The method of claim 1, wherein determining the anomaly detection result of the target flow data according to the difference comprises:
when the difference is larger than a preset difference threshold, determining that the anomaly detection result of the target flow data is the unknown anomaly type;
and when the difference is not larger than the preset difference threshold, determining that the anomaly detection result of the target flow data is the target type.
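The decision rule of claims 1 and 7 together with the feature preprocessing of claims 4 and 5, as an added example that is not the patent's own code. The trained self-attention coding layer and decoding layer are replaced here by a prototype (vector-quantised) stand-in: encoding yields the distance to each known anomaly type's prototype, the nearest prototype names the target type, decoding returns that prototype, and a reconstruction difference above the preset threshold yields the unknown anomaly type. The attribute schema, the sample flow records, the labels and the threshold value are all constructed.

```python
import math

# Constructed attribute schema (claims 4-5): the protocol is a discrete
# attribute; packet length, packet rate and duration are continuous.
DISCRETE = {"protocol": ["tcp", "udp", "icmp"]}
CONTINUOUS = ["pkt_len", "pkt_rate", "duration"]

class Detector:
    def __init__(self, threshold=0.05):
        self.threshold = threshold  # preset difference threshold (claim 7), constructed
        self.lo = self.hi = None    # min/max of each continuous attribute
        self.prototypes = {}        # known anomaly type -> feature prototype
    def featurize(self, rec):
        """Claim 5: one-hot the discrete attributes, min-max normalise the rest."""
        vec = []
        for name, values in DISCRETE.items():
            vec += [1.0 if rec[name] == v else 0.0 for v in values]
        for i, name in enumerate(CONTINUOUS):
            span = self.hi[i] - self.lo[i]
            vec.append((rec[name] - self.lo[i]) / span if span else 0.0)
        return vec
    def fit(self, records, labels):
        """Learn normalisation ranges and one prototype per known anomaly type."""
        cols = [[r[n] for r in records] for n in CONTINUOUS]
        self.lo, self.hi = [min(c) for c in cols], [max(c) for c in cols]
        feats = [self.featurize(r) for r in records]
        for lab in set(labels):
            members = [f for f, l in zip(feats, labels) if l == lab]
            self.prototypes[lab] = [sum(d) / len(members) for d in zip(*members)]
        return self
    def encode(self, x):
        """Coding result: distance to each prototype; the minimum names the target type."""
        return {lab: math.dist(x, p) for lab, p in self.prototypes.items()}
    def decode(self, code):
        """Decoding result: the prototype of the nearest known type."""
        return self.prototypes[min(code, key=code.get)]
    def detect(self, rec):
        """Claims 1 and 7: target type if the reconstruction difference is small, else unknown."""
        x = self.featurize(rec)
        code = self.encode(x)
        gap = sum((a - b) ** 2 for a, b in zip(self.decode(code), x)) / len(x)
        return ("unknown", gap) if gap > self.threshold else (min(code, key=code.get), gap)

# Constructed sample flow data labelled with two known anomaly types.
SAMPLES = [
    ({"protocol": "udp", "pkt_len": 60, "pkt_rate": 9500, "duration": 1.0}, "flood"),
    ({"protocol": "udp", "pkt_len": 64, "pkt_rate": 9800, "duration": 1.2}, "flood"),
    ({"protocol": "udp", "pkt_len": 62, "pkt_rate": 9200, "duration": 1.4}, "flood"),
    ({"protocol": "tcp", "pkt_len": 40, "pkt_rate": 500, "duration": 0.2}, "scan"),
    ({"protocol": "tcp", "pkt_len": 44, "pkt_rate": 560, "duration": 0.1}, "scan"),
    ({"protocol": "tcp", "pkt_len": 42, "pkt_rate": 520, "duration": 0.3}, "scan"),
]
DETECTOR = Detector().fit([r for r, _ in SAMPLES], [l for _, l in SAMPLES])
```

A record close to the "flood" samples is reported as that target type with a small difference, while a record whose protocol and magnitudes were never seen in training reconstructs poorly and is reported as the unknown anomaly type.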
8. An intrusion detection device, the device comprising:
a determining module, configured to determine target flow data in response to a detection request and to determine target features of the target flow data;
a coding module, configured to input the target features into a coding layer of a pre-trained detection model, obtain a coding result corresponding to the target features output by the coding layer, and determine a target type corresponding to the target features from preset known anomaly types;
a decoding module, configured to input the coding result into a decoding layer of the detection model to obtain a decoding result corresponding to the target features output by the decoding layer; the detection model is obtained by training in advance based on sample features of sample flow data corresponding to the respective known anomaly types;
an attack detection module, configured to determine the difference between the decoding result and the target features and to determine an anomaly detection result of the target flow data according to the difference; wherein the anomaly detection result includes at least one of the target type and an unknown anomaly type.
9. A computer readable storage medium, characterized in that the storage medium stores a computer program which, when executed by a processor, implements the method of any of the preceding claims 1-7.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of any of the preceding claims 1-7 when executing the program.
CN202410019107.4A 2024-01-05 2024-01-05 Intrusion detection method, device, electronic equipment and storage medium Pending CN117527449A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410019107.4A CN117527449A (en) 2024-01-05 2024-01-05 Intrusion detection method, device, electronic equipment and storage medium


Publications (1)

Publication Number Publication Date
CN117527449A true CN117527449A (en) 2024-02-06

Family

ID=89755398


Country Status (1)

Country Link
CN (1) CN117527449A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021151299A1 (en) * 2020-05-29 2021-08-05 平安科技(深圳)有限公司 Artificial intelligence-based data enhancement method, apparatus, electronic device, and medium
CN113364752A (en) * 2021-05-27 2021-09-07 鹏城实验室 Traffic anomaly detection method, detection device and computer-readable storage medium
WO2022040972A1 (en) * 2020-08-24 2022-03-03 深圳大学 Product information visualization processing method and apparatus, and computer device
CN115913643A (en) * 2022-10-19 2023-04-04 麒麟软件有限公司 Network intrusion detection method, system and medium based on adversarial autoencoder
CN116664514A (en) * 2023-05-30 2023-08-29 支付宝(杭州)信息技术有限公司 Data processing method, device and equipment
CN117081831A (en) * 2023-09-07 2023-11-17 南京信息工程大学 Network intrusion detection method and system based on data generation and attention mechanism
CN117093862A (en) * 2023-08-04 2023-11-21 支付宝(杭州)信息技术有限公司 Model training method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination