CN117614703A - Network attack identification methods, devices, storage media and electronic equipment - Google Patents

Info

Publication number
CN117614703A
Authority
CN
China
Prior art keywords
neural network
result
network model
training
deep neural
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311609305.8A
Other languages
Chinese (zh)
Inventor
王小虎
董佳涵
李博文
郭广鑫
李香龙
金童
任天宇
王立永
潘鸣宇
王超
王磊
赵广怀
胡柏吉
蔺子卿
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Electric Power Research Institute Co Ltd CEPRI
State Grid Beijing Electric Power Co Ltd
State Grid Corp of China SGCC
Original Assignee
China Electric Power Research Institute Co Ltd CEPRI
State Grid Beijing Electric Power Co Ltd
State Grid Corp of China SGCC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Electric Power Research Institute Co Ltd CEPRI, State Grid Beijing Electric Power Co Ltd, State Grid Corp of China SGCC filed Critical China Electric Power Research Institute Co Ltd CEPRI
Priority to CN202311609305.8A priority Critical patent/CN117614703A/en
Publication of CN117614703A publication Critical patent/CN117614703A/en
Pending legal-status Critical Current

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/16 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Artificial Intelligence (AREA)
  • Evolutionary Computation (AREA)
  • Physics & Mathematics (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Data Mining & Analysis (AREA)
  • Health & Medical Sciences (AREA)
  • Databases & Information Systems (AREA)
  • Biomedical Technology (AREA)
  • Biophysics (AREA)
  • Computational Linguistics (AREA)
  • Medical Informatics (AREA)
  • General Health & Medical Sciences (AREA)
  • Molecular Biology (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a network attack identification method, a network attack identification device, a storage medium and electronic equipment. The method comprises the following steps: acquiring current network traffic data; and inputting the current network traffic data into a trained deep neural network model for recognition to obtain a recognition result of the current network traffic data, wherein the recognition result represents the attack type corresponding to the current network traffic data. The invention solves the technical problem of low accuracy of network attack detection in the related art.

Description

Network attack identification method and device, storage medium and electronic equipment
Technical Field
The present invention relates to the field of network security, and in particular, to a method and apparatus for identifying a network attack, a storage medium, and an electronic device.
Background
With the popularization of the internet, network attack means become more and more complex. Traditional network security systems rely primarily on rule and signature based methods to detect known attack patterns. However, these methods perform poorly in dealing with complex attacks, resulting in less accurate detection of network attacks.
In view of the above problems, no effective solution has been proposed at present.
Disclosure of Invention
The embodiment of the invention provides a network attack identification method and device, a storage medium and electronic equipment, and aims to at least solve the technical problem of low accuracy of network attack detection in related technologies.
According to an aspect of an embodiment of the present invention, there is provided a network attack identification method, including: acquiring current network traffic data; and inputting the current network traffic data into a trained deep neural network model for recognition to obtain a recognition result of the current network traffic data, wherein the recognition result represents the attack type corresponding to the current network traffic data.
Further, the method further comprises: collecting a sample data set, wherein the sample data set comprises a plurality of network attack types, and the sample data set comprises a training set and a testing set; training the initial neural network model based on the sample data set to obtain a deep neural network model.
Further, training the initial neural network model based on the sample data set to obtain a deep neural network model includes: inputting the training set data into the initial neural network model one by one for prediction to obtain a prediction result corresponding to the training set; acquiring actual sample label information corresponding to the training set, wherein the actual sample label information represents the network attack type corresponding to the sample data; and optimizing and adjusting parameters of the initial neural network model based on the prediction result and the actual sample label information to obtain the deep neural network model.
Further, based on the prediction result and the actual sample label information, optimizing and adjusting parameters of the initial neural network model to obtain a deep neural network model, including: carrying out loss analysis on the actual sample label information and the predicted label information corresponding to the predicted result through a loss function to obtain a loss value; and optimizing and adjusting parameters of the initial neural network model based on the loss value to obtain the deep neural network model.
Further, optimizing and adjusting parameters of the initial neural network model based on the loss value to obtain a deep neural network model includes: judging whether the loss value meets a preset loss threshold; in response to the loss value meeting the preset loss threshold, obtaining the deep neural network model, wherein the deep neural network model represents the model obtained after the parameters of the initial neural network model have been optimized and adjusted; and in response to the loss value not meeting the preset loss threshold, continuing to optimize and adjust the parameters of the initial neural network model.
Further, the method further comprises: and updating the weight information of the initial neural network model through a gradient optimizer, and optimizing and adjusting parameters of the initial neural network model to obtain the deep neural network model.
Further, the method further comprises: acquiring a current training period of the initial neural network model; judging whether the current training period reaches a preset training period; in response to the current training period reaching the preset training period, ending training to obtain the deep neural network model; and in response to the current training period not reaching the preset training period, continuing to train the initial neural network model.
Further, after training the initial neural network model based on the sample data set to obtain the deep neural network model, the method further includes: acquiring a preset evaluation index, wherein the preset evaluation index is used for representing an index for model evaluation; and evaluating the deep neural network model based on a preset evaluation index to obtain the prediction performance of the deep neural network model.
Further, the preset evaluation index at least comprises an accuracy index, and evaluating the deep neural network model based on the preset evaluation index includes: obtaining a true positive result, a true negative result, a false positive result and a false negative result in the prediction result, wherein the true positive result represents positive examples in the training set correctly classified as positive, the true negative result represents negative examples in the training set correctly classified as negative, the false positive result represents negative examples in the training set incorrectly classified as positive, and the false negative result represents positive examples in the training set incorrectly classified as negative; obtaining the sum of the true positive result and the true negative result as a first sum value; obtaining the sum of the true positive result, the true negative result, the false positive result and the false negative result as a second sum value; and obtaining the ratio of the first sum value to the second sum value and taking the ratio as the accuracy index.
Further, the preset evaluation index at least comprises a recall index, and evaluating the deep neural network model based on the preset evaluation index includes: obtaining the sum of the true positive result and the false negative result in the prediction result as a third sum value; and obtaining the ratio of the true positive result to the third sum value and taking the ratio as the recall index.
According to another aspect of the embodiment of the present invention, there is also provided a network attack recognition device, including: an acquisition module for acquiring current network traffic data; and a recognition module for inputting the current network traffic data into the trained deep neural network model for recognition and obtaining a recognition result of the current network traffic data, wherein the recognition result represents the attack type corresponding to the current network traffic data.
According to a third aspect of the embodiments of the present invention, there is further provided a computer readable storage medium, the computer readable storage medium including a stored program, wherein when the program is executed, the device in which the computer readable storage medium is located is controlled to execute the network attack identification method of any one of the above.
According to a fourth aspect of an embodiment of the present invention, there is also provided an electronic device including: a memory storing an executable program; and the processor is used for running the program, wherein the network attack identification method of any one of the above steps is executed when the program runs.
In the embodiment of the invention, current network traffic data is acquired, and the current network traffic data is input into the trained deep neural network model for recognition to obtain a recognition result, wherein the recognition result represents the attack type corresponding to the current network traffic data. Because the current network traffic data is identified by the trained deep neural network model, the attack type corresponding to the traffic can be obtained, which makes it possible to determine a coping strategy for that attack type quickly and accurately and to avoid serious network problems. This achieves the aim of accurately identifying network attacks, achieves the technical effect of improving the accuracy of network attack detection, and thereby solves the technical problem of low accuracy of network attack detection in the related art.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiments of the invention and together with the description serve to explain the invention and do not constitute a limitation on the invention. In the drawings:
FIG. 1 is a flow chart of a network attack identification method according to an embodiment of the present invention;
FIG. 2 is a flow chart of an alternative deep learning based network attack identification method according to an embodiment of the present invention;
FIG. 3 is a flow chart of an alternative data preprocessing in accordance with an embodiment of the present invention;
FIG. 4 is a schematic diagram of a network attack recognition device according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
In accordance with an embodiment of the present invention, there is provided an embodiment of a network attack identification method, it being noted that the steps shown in the flowchart of the figures may be performed in a computer system, such as a set of computer executable instructions, and that, although a logical sequence is shown in the flowchart, in some cases, the steps shown or described may be performed in a different order than what is shown or described herein.
FIG. 1 is a flowchart of a network attack identification method according to an embodiment of the present invention. As shown in FIG. 1, the method includes the following steps:
Step S102, acquiring current network traffic data;
Specifically, the current network traffic data may be used to represent acquired traffic data currently accessing a certain network or a certain system, and generally includes at least information such as the access IP (Internet Protocol) and port number.
Generally, current network traffic data may be acquired in several ways: captured and analyzed with a network monitoring tool, collected by a network device, collected and analyzed with network traffic analysis software, or obtained through an API (Application Programming Interface). These acquisition modes are only examples; the method is not limited to any one of them, and the mode used may be determined by the practical situation.
Step S104, inputting the current network traffic data into the trained deep neural network model for recognition, and obtaining a recognition result of the current network traffic data, wherein the recognition result represents the attack type corresponding to the current network traffic data.
Specifically, the deep neural network model can be used as a model for identifying and predicting the attack mode of the current network traffic data.
The deep neural network has the characteristics of a multi-level structure, end-to-end learning, nonlinear activation function and the like, can automatically learn and represent complex data characteristics through layer-by-layer training and large-scale data optimization, has strong nonlinear fitting and generalization capability, and is widely applied to the fields of image recognition, natural language processing and the like, so that the deep neural network has remarkable advantages in the aspects of processing large-scale data and recognizing network attacks. Compared with the traditional method, the deep neural network has better robustness and adaptability in the aspect of attack detection. In general, the application of the deep neural network in network attack recognition is helpful to enhance the security of the network and improve the detection and coping ability of malicious activities.
Generally, before current network traffic data is input to a trained deep neural network model for recognition, the deep neural network model needs to be trained, and input information is predicted through the trained deep neural network model, so that a recognition result corresponding to the input information can be determined.
Specifically, in the process of identifying the current network traffic data through the trained deep neural network model, input information, namely the current network traffic data, can be received based on an input layer of the deep neural network model, and then the input information is identified through a hidden layer and a Dropout layer of the model, so that a network attack identification type corresponding to the current network traffic data is obtained, and then the network attack identification type is output through an output layer of the model, so that an identification result of the current network traffic data is obtained.
Generally, the attack types described above include, but are not limited to, DDoS (Distributed Denial of Service) attacks, SQL (Structured Query Language) injection, malware propagation, and the like.
FIG. 2 is a flow chart of an alternative deep learning based network attack identification method according to an embodiment of the present invention. As shown in FIG. 2, training the deep neural network model involves loading and preprocessing the data, extracting features, training the deep neural network model, and evaluating performance and optimizing parameters.
In summary, current network traffic data is acquired, and the current network traffic data is input into the trained deep neural network model for recognition to obtain a recognition result, wherein the recognition result represents the attack type corresponding to the current network traffic data. Because the current network traffic data is identified by the trained deep neural network model, the attack type corresponding to the traffic can be obtained, which makes it possible to determine a coping strategy for that attack type quickly and accurately and to avoid serious network problems. This achieves the aim of accurately identifying network attacks, achieves the technical effect of improving the accuracy of network attack detection, and thereby solves the technical problem of low accuracy of network attack detection in the related art.
Optionally, the method further comprises: collecting a sample data set, wherein the sample data set comprises a plurality of network attack types, and the sample data set comprises a training set and a testing set; training the initial neural network model based on the sample data set to obtain a deep neural network model.
In particular, the sample data set described above may be used to represent collected network traffic data including multiple network attack types.
In general, when a sample data set is used for model training, the sample data set needs to be divided: one part of the sample data is used for model training, and the other part is used for testing the trained model, so as to ensure that the prediction capability of the final trained model reaches a high level.
For example, 80% of the data in the sample data set may be assigned to the training set and the remaining 20% to the test set. This is merely an example; the division of the data set is not specifically limited herein and may be determined according to practical situations.
The initial neural network model can be used for representing a preset initialized model, the initial neural network model is trained through the sample data set, a deep neural network model with specific model parameters can be obtained, and further the deep neural network model is used for carrying out subsequent data prediction.
In an alternative embodiment, during the process of constructing the deep neural network model, a sample data set is required to be collected for model training and model testing, and then the initial neural network model is trained based on the sample data set, so as to obtain the deep neural network model.
Specifically, in the process of training the initial neural network model based on the sample data set, the deep neural network model is first initialized, including the cycle number parameter, the learning rate parameter, the momentum parameter and the like. One sample is then randomly selected from the training set as the input of the network, and the model predicts on the input data to obtain a prediction result. At the same time, it is judged whether all samples in the training set have been trained: if so, model training ends; otherwise, the loop iterates until all samples in the training set have been trained.
In addition, the deep neural network model comprises at least the following layers. Input layer: accepts the data after preprocessing and feature extraction. Hidden layers: the model contains two hidden layers, each with 64 neurons; these intermediate layers introduce non-linearity through the ReLU (Rectified Linear Unit) activation function. Dropout layers (a Dropout layer randomly discards part of the neurons during neural network training): a Dropout layer is added after each hidden layer and randomly discards the output of a portion of the neurons, which reduces overfitting of the model to the training data. Output layer: the output layer applies a softmax (normalization) function that converts the raw output values into a probability value for each class.
During training, the Dropout layer randomly discards the output of a portion of the neurons, which makes the model more robust and reduces its dependence on particular neurons; it also reduces the complexity of the model and the risk of overfitting. Dropout layers are typically used between the fully connected layer and the convolutional layer, and the proportion discarded is controlled by setting the drop rate. During the test phase, the Dropout layer is typically turned off and no elements are discarded, to keep the model stable.
The softmax function exponentiates each element of the input vector and normalizes the exponentiated results to obtain an output probability distribution. The relative order of the elements of the input vector is thus preserved while the vector is converted into a probability distribution, which facilitates classification and probability calculation.
Optionally, training the initial neural network model based on the sample data set to obtain a deep neural network model includes: inputting the training set data into the initial neural network model one by one for prediction to obtain a prediction result corresponding to the training set; acquiring actual sample label information corresponding to the training set, wherein the actual sample label information represents the network attack type corresponding to the sample data; and optimizing and adjusting parameters of the initial neural network model based on the prediction result and the actual sample label information to obtain the deep neural network model.
Specifically, the above prediction result may be used to represent a result obtained by predicting the input information through the initial neural network model, and may further be an attack type corresponding to the network traffic data in the predicted training set.
The actual sample label information can be used for representing the attack type actually corresponding to the network traffic data in the training set.
In an alternative embodiment, when training the initial neural network model based on the sample data set to obtain the deep neural network model, the training set data is input into the initial neural network model one by one for prediction, giving a prediction result corresponding to the training set. To correct the accuracy of model training, the prediction result needs to be calibrated: the actual sample label information corresponding to the training set, that is, the attack type actually corresponding to the network traffic data in the training set, is obtained and compared with the attack type predicted by the model for that network traffic data, so that the accuracy of model training can be corrected.
Further, if the comparison shows that the prediction result is consistent with the actual sample label information, model training is accurate; otherwise, if the difference between the prediction result and the actual sample label information is large, model training is not accurate enough and needs to continue.
Therefore, in the process of comparing the prediction result and the actual sample label information, the parameters of the initial neural network model are optimally adjusted, and further the accuracy of model training is calibrated.
In addition, before the training set data is input into the initial neural network model one by one for prediction, it needs to be preprocessed. Generally, after the training set is loaded, data cleaning is performed: the data is checked for missing values and abnormal values, missing values are processed, unnecessary columns are deleted, and abnormal values are processed. The training set data is then preprocessed by one-hot encoding (encoding of categorical variables), normalization, label encoding and the like. Next, feature selection methods such as the chi-square test and mutual information are used to select the most informative features, which reduces the dimensionality of the training set data and completes the feature engineering of the preprocessed data. Finally, the model is trained on the feature-engineered data, that is, a deep neural network is trained with the data after feature extraction, giving the deep neural network model.
One-hot encoding converts the non-numerical categorical features in the training set into numerical data; label encoding encodes the labels in the data set, converting non-numerical class labels into numerical form; feature normalization scales the feature values into the specified range [0, 1].
FIG. 3 is a flow chart of an alternative data preprocessing according to an embodiment of the present invention. As shown in FIG. 3, the data set is loaded first. Data cleaning is then performed: missing values are processed, unnecessary columns are deleted, and abnormal values are processed. The non-numerical categorical features in the data set are one-hot encoded to convert them into numerical data. The labels in the data set are encoded, converting non-numerical labels into numerical form. Feature normalization scales the feature values to the specified range [0, 1]. Finally, data division splits the data set into a training set and a test set.
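The preprocessing flow of FIG. 3 as an added Python example (not code from the patent): clean, one-hot encode, label encode, scale to [0, 1], split 80/20, then reuse the fitted mapping on a live record. The column names, the constructed sample flows, dropping rows with missing or negative values, and clipping or zero-encoding unseen live values are assumptions of this example.

```python
import random

NUMERIC = ["duration", "bytes", "packets"]   # hypothetical column names
CATEGORICAL = ["protocol"]
DROP = ["flow_id"]                           # "unnecessary column" in this example

def _flow(flow_id, protocol, duration, nbytes, packets, label):
    return {"flow_id": flow_id, "protocol": protocol, "duration": duration,
            "bytes": nbytes, "packets": packets, "label": label}

# Constructed sample flows (not real traffic). None marks a missing value.
CONSTRUCTED_FLOWS = [
    _flow(1, "tcp", 0.4, 1200, 10, "benign"),
    _flow(2, "tcp", 1.2, 5400, 40, "benign"),
    _flow(3, "udp", 0.1, 300, 3, "benign"),
    _flow(4, "udp", 0.05, 64000, 900, "ddos"),
    _flow(5, "udp", 0.02, 98000, 1500, "ddos"),
    _flow(6, "tcp", 2.5, 2100, 12, "sql_injection"),
    _flow(7, "tcp", 3.0, 2600, 14, "sql_injection"),
    _flow(8, "tcp", None, 800, 6, "benign"),       # missing value
    _flow(9, "udp", 0.03, -5, 1100, "ddos"),       # abnormal value
    _flow(10, "icmp", 0.01, 72000, 1000, "ddos"),
    _flow(11, "tcp", 0.8, 3100, 20, "benign"),
    _flow(12, "tcp", 2.8, 2300, 13, "sql_injection"),
]

def clean(rows):
    """Delete unnecessary columns; drop rows with missing or negative (abnormal) values."""
    cleaned = []
    for row in rows:
        row = {k: v for k, v in row.items() if k not in DROP}
        if any(v is None for v in row.values()):
            continue
        if any(row[c] < 0 for c in NUMERIC):
            continue
        cleaned.append(row)
    return cleaned

class Preprocessor:
    """Holds the fitted encodings so live traffic is mapped exactly like training data."""
    def fit(self, rows):
        self.categories = {c: sorted({r[c] for r in rows}) for c in CATEGORICAL}
        self.ranges = {c: (min(r[c] for r in rows), max(r[c] for r in rows)) for c in NUMERIC}
        self.labels = sorted({r["label"] for r in rows})
        return self

    def transform_features(self, row):
        vec = []
        for c in NUMERIC:
            lo, hi = self.ranges[c]
            scaled = (row[c] - lo) / (hi - lo) if hi > lo else 0.0
            vec.append(min(1.0, max(0.0, scaled)))  # clip values outside the fitted range
        for c in CATEGORICAL:
            # One-hot encoding; a category never seen during fit becomes all zeros.
            vec.extend(1.0 if row[c] == cat else 0.0 for cat in self.categories[c])
        return vec

    def encode_label(self, label):
        return self.labels.index(label)  # label encoding: class name -> integer

def split(X, y, test_ratio=0.2, seed=0):
    """Shuffle and divide into training and test sets (80/20 by default)."""
    idx = list(range(len(X)))
    random.Random(seed).shuffle(idx)
    n_test = max(1, round(len(idx) * test_ratio))
    test, train = idx[:n_test], idx[n_test:]
    return ([X[i] for i in train], [y[i] for i in train],
            [X[i] for i in test], [y[i] for i in test])

def build_dataset(rows):
    rows = clean(rows)
    pre = Preprocessor().fit(rows)
    X = [pre.transform_features(r) for r in rows]
    y = [pre.encode_label(r["label"]) for r in rows]
    return pre, split(X, y)

if __name__ == "__main__":
    pre, (X_train, y_train, X_test, y_test) = build_dataset(CONSTRUCTED_FLOWS)
    print(len(X_train), "training rows,", len(X_test), "test rows")
    live = {"protocol": "sctp", "duration": 10.0, "bytes": 150, "packets": 5}
    print("live record ->", pre.transform_features(live))
```

Persisting the fitted `Preprocessor` alongside the model matters at recognition time: a live flow encoded with a different category order or scale range is silently misclassified rather than rejected.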
Optionally, based on the prediction result and the actual sample label information, optimizing and adjusting parameters of the initial neural network model to obtain a deep neural network model, including: carrying out loss analysis on the actual sample label information and the predicted label information corresponding to the predicted result through a loss function to obtain a loss value; and optimizing and adjusting parameters of the initial neural network model based on the loss value to obtain the deep neural network model.
Specifically, the loss value described above may be used to represent the result obtained by performing loss analysis on the actual sample label information and the predicted label information corresponding to the prediction result.
Generally, when the actual sample label information is consistent with the predicted label information corresponding to the prediction result, the loss value approaches 0, indicating that model training is accurate; conversely, the larger the difference between the actual sample label information and the predicted label information, the larger the loss value, indicating that model training is inaccurate.
The loss function is a function that measures the difference between the model predicted value and the true value. It is typically used to evaluate the performance of the model and optimize model parameters. Common loss functions include mean square error, cross entropy loss, etc. The loss value is the difference between the model predicted value and the true value calculated by the loss function. The smaller the loss value, the higher the accuracy of model prediction. During the training process, the optimization algorithm adjusts model parameters according to the loss values to minimize the loss values, thereby improving the performance of the model.
In an alternative embodiment, when the parameters of the initial neural network model are optimized and adjusted based on the prediction result and the actual sample label information to obtain the deep neural network model, a loss function is used to perform loss analysis on the actual sample label information and the predicted label information corresponding to the prediction result, yielding a loss value. The loss value reflects the difference between the model's predicted value and the true value, so the parameters of the initial neural network model can be optimized and adjusted based on the loss value to obtain the deep neural network model; that is, during optimization the model parameters are adjusted according to the loss value to improve the training capacity of the model.
Optionally, optimizing and adjusting parameters of the initial neural network model based on the loss value to obtain a deep neural network model, including: judging whether the loss value meets a preset loss threshold value or not; responding to the loss value meeting a preset loss threshold value to obtain a deep neural network model, wherein the deep neural network model is used for representing a model obtained after optimizing and adjusting parameters of the initial neural network model; and responding to the loss value not meeting the preset loss threshold value, and continuing to optimally adjust the parameters of the initial neural network model.
Specifically, the above-mentioned preset loss threshold may be used to indicate a preset loss value interval; in general, the smaller the loss value, the more likely it is to fall within the preset loss threshold interval.
In an alternative embodiment, when the parameters of the initial neural network model are optimized and adjusted based on the loss value to obtain the deep neural network model, the loss value is checked once each time the model parameters are adjusted, that is, it is judged whether the loss value meets the preset loss threshold. If the loss value meets the preset loss threshold, the current loss value is within the preset loss threshold interval, that is, the loss value is small, and the deep neural network model is obtained. Otherwise, if the loss value does not meet the preset loss threshold, the current loss value is not within the preset loss threshold interval, that is, the loss value is large, so the parameters of the initial neural network model continue to be optimized and adjusted until the difference between the adjusted model's training result and the actual value is smaller, which improves the accuracy of model training.
Optionally, the method further comprises: and updating the weight information of the initial neural network model through a gradient optimizer, and optimizing and adjusting parameters of the initial neural network model to obtain the deep neural network model.
Specifically, the gradient optimizer described above may be used to represent a device that optimizes the weight information of an initial neural network model.
Generally, the gradient of the loss function with respect to the model parameters is calculated, and a stochastic gradient descent optimizer is selected to update the weights of the model using the gradient information, so that the model parameters are adjusted accurately and the performance of the model is improved.
The SGD (Stochastic Gradient Descent) optimizer is a commonly used optimization algorithm for training neural network models. Unlike the conventional gradient descent algorithm, SGD updates the model parameters with only one sample per iteration, which can speed up training, especially on large-scale data sets. The SGD optimizer works by iteratively updating the model parameters so that the loss function gradually decreases. In each iteration, SGD updates the model parameters according to the gradient of the current sample and then proceeds to the next sample. This iterative process brings the model parameters closer to the optimal value.
In an alternative embodiment, when the parameters of the initial neural network model are optimized and adjusted to obtain the deep neural network model, the weight information of the initial neural network model can be updated through a gradient optimizer. Each iteration updates the model parameters using only one sample, so that the loss function gradually decreases, and the parameters of the initial neural network model are thereby optimized and adjusted to obtain the deep neural network model.
Optionally, the method further comprises: acquiring a current training period of an initial neural network model; judging whether the current training period reaches a preset training period or not; responding to the current training period reaching a preset training period, and ending training to obtain a deep neural network model; and continuing training the initial neural network model in response to the current training period not reaching the preset training period.
Specifically, the current training period described above may be used to represent the period during which the initial neural network model is currently trained.
The preset training period can be used for representing a preset period in which the initial neural network model needs to be trained.
In an alternative embodiment, when the initial neural network model is trained, it must be ensured that the model has been trained for a sufficient training period, so as to improve the accuracy of model training. Therefore, during model training, the current training period of the initial neural network model is acquired, and it is judged whether the current training period has reached the preset training period. If the current training period has reached the preset training period, the initial neural network model has been trained for long enough, and training ends. Otherwise, if the current training period has not reached the preset training period, the initial neural network model has not yet been trained for long enough and training continues, so that the model is trained a sufficient number of times and the accuracy of model training is improved.
Optionally, after training the initial neural network model based on the sample data set to obtain the deep neural network model, the method further includes: acquiring a preset evaluation index, wherein the preset evaluation index is used for representing an index for model evaluation; and evaluating the deep neural network model based on a preset evaluation index to obtain the prediction performance of the deep neural network model.
Specifically, after training the initial neural network model based on the sample data set to obtain the deep neural network model, performance of the deep neural network model needs to be evaluated. In general, performance assessment can help understand the accuracy and stability of a model. By evaluating the performances of the model on different data sets, whether the model has good generalization capability or not can be judged, namely whether the model performs well on new data or not, which is very important for the model in practical application; secondly, performance assessment can also help to compare the performance between different models, by comparing the performance of different models on the same dataset, the best model can be found, or aspects that need improvement can be found, which is important for selecting the appropriate model and algorithm; in addition, performance evaluation can also help to improve the model, by knowing the behavior of the model under different conditions, weaknesses of the model can be found, and targeted improvement and optimization can be performed, so that a more accurate and stable model can be constructed.
In an alternative embodiment, during performance evaluation a preset evaluation index is obtained first, that is, it is determined which aspects of the deep neural network model's performance are to be evaluated; the deep neural network model is then evaluated based on the preset evaluation index to obtain the prediction performance of the deep neural network model. The prediction performance reflects the performance test result of the deep neural network model in a given aspect, and the deep neural network model can be further improved and optimized based on it.
Optionally, the preset evaluation index at least includes an accuracy index, and evaluating the deep neural network model based on the preset evaluation index includes: obtaining a true positive result, a true negative result, a false positive result and a false negative result in the prediction result, wherein the true positive result is used for representing a result of correctly classifying a positive example in the training set as a positive example, the true negative result is used for representing a result of correctly classifying a negative example in the training set as a negative example, the false positive result is used for representing a result of incorrectly classifying a negative example in the training set as a positive example, and the false negative result is used for representing a result of incorrectly classifying a positive example in the training set as a negative example; obtaining the sum of the true positive result and the true negative result to obtain a first sum value; obtaining the sum of the true positive result, the true negative result, the false positive result and the false negative result to obtain a second sum value; and obtaining the ratio of the first sum value to the second sum value, and taking the ratio result as the accuracy index.
Specifically, the above-described accuracy index may be used to represent an index for performing accuracy evaluation on the deep neural network model.
In an alternative embodiment, when the deep neural network model is evaluated using the accuracy index, the true positive result, the true negative result, the false positive result and the false negative result in the prediction result are obtained, and the accuracy of the model is evaluated from these four results.
Specifically, the sum of the true positive result and the true negative result is obtained to give the first sum value; the sum of the true positive result, the true negative result, the false positive result and the false negative result is obtained to give the second sum value; the ratio of the first sum value to the second sum value is then obtained and taken as the accuracy index. This can be realized through the following formula:
where the true positive result is represented by TP, the true negative result by TN, the false positive result by FP, and the false negative result by FN.
Optionally, the preset evaluation index at least includes a recall index, and evaluating the deep neural network model based on the preset evaluation index includes: obtaining the sum of the true positive result and the false negative result in the prediction result to obtain a third sum value; and obtaining the ratio of the true positive result to the third sum value, and taking the ratio result as the recall index.
Specifically, the recall index described above may be used to represent an index for performing recall evaluation on a deep neural network model.
In general, evaluating the recall rate of a model means evaluating the proportion of true positive examples that the model successfully identifies. In machine learning and data mining, recall is one of the important indicators used to evaluate the performance of classification models. The higher the recall rate, the better the model identifies true positives, i.e., the stronger the coverage of the model.
The recall rate of the model may be evaluated as follows. Collect data with true labels: first, a data set with true labels is collected; the labels may be manually annotated, or the data may have known true values. Predict with the model: the collected data is input into the model, the model makes predictions, and the number of positive examples identified by the model is recorded. Calculate the recall rate: the ratio of the number of true positive examples successfully identified by the model to the number of all true positive examples is calculated to obtain the recall rate of the model. The evaluation result of the recall rate helps in understanding the performance of the model in real scenarios and its ability to recognize real data. In practical applications, the evaluation result of the recall rate can help to select a proper model, optimize model parameters, and formulate an effective application strategy.
In an alternative embodiment, when the deep neural network model is evaluated using the recall index, the sum of the true positive result and the false negative result in the prediction result is obtained to give a third sum value; the ratio of the true positive result to the third sum value is then obtained and taken as the recall index. This can be achieved by the following formula:
where TP represents the true positive result and FN represents the false negative result.
In summary, the accuracy, efficiency and expandability of network attack detection are improved by fully utilizing the deep neural network in deep learning.
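The training and evaluation procedure described above, as an added Python example (not code from the patent): per-sample SGD weight updates, a stop on either the preset loss threshold or the preset training period, and the accuracy and recall indices computed from TP, TN, FP and FN. The small two-layer network, the binary attack/normal labelling, the constructed flows, the choice to stop on whichever condition is met first, and all names are assumptions.

```python
import math
import random

def make_flows(n, seed):
    """Constructed, pre-normalized flows: 3 features in [0, 1]; label 1 = attack."""
    rng = random.Random(seed)
    flows = []
    for _ in range(n):
        y = 1 if rng.random() < 0.5 else 0
        centre = 0.75 if y else 0.25
        flows.append(([min(1.0, max(0.0, rng.gauss(centre, 0.1))) for _ in range(3)], y))
    return flows

class TinyNet:
    """One tanh hidden layer and a sigmoid output; stands in for the deep model."""
    def __init__(self, n_in=3, n_hidden=4, seed=0):
        rng = random.Random(seed)
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b1 = [0.0] * n_hidden
        self.w2 = [rng.uniform(-0.5, 0.5) for _ in range(n_hidden)]
        self.b2 = 0.0

    def forward(self, x):
        h = [math.tanh(sum(w * xi for w, xi in zip(row, x)) + b)
             for row, b in zip(self.w1, self.b1)]
        z = sum(w * hj for w, hj in zip(self.w2, h)) + self.b2
        z = max(-60.0, min(60.0, z))  # keep exp() in range
        return h, 1.0 / (1.0 + math.exp(-z))

    def sgd_step(self, x, y, lr):
        """Update the weights from the gradient of a single sample."""
        h, p = self.forward(x)
        dz = p - y  # d(cross-entropy)/d(pre-sigmoid output)
        for j, hj in enumerate(h):
            dh = dz * self.w2[j] * (1.0 - hj * hj)  # back-propagate before w2 changes
            self.w2[j] -= lr * dz * hj
            self.b1[j] -= lr * dh
            for i, xi in enumerate(x):
                self.w1[j][i] -= lr * dh * xi
        self.b2 -= lr * dz

def cross_entropy(model, data):
    """Mean cross-entropy loss between predicted and actual labels."""
    eps = 1e-12
    total = 0.0
    for x, y in data:
        p = min(1.0 - eps, max(eps, model.forward(x)[1]))
        total -= y * math.log(p) + (1 - y) * math.log(1.0 - p)
    return total / len(data)

def train(model, data, loss_threshold, preset_epochs, lr=0.1, seed=0):
    """Stop when the loss meets the threshold or the preset period is reached."""
    rng = random.Random(seed)
    order = list(data)
    loss = cross_entropy(model, data)
    for epoch in range(1, preset_epochs + 1):
        rng.shuffle(order)
        for x, y in order:  # one sample per parameter update
            model.sgd_step(x, y, lr)
        loss = cross_entropy(model, data)
        if loss <= loss_threshold:
            return {"reason": "loss_threshold", "epochs": epoch, "loss": loss}
    return {"reason": "preset_epochs", "epochs": preset_epochs, "loss": loss}

def confusion(y_true, y_pred):
    tp = sum(t == 1 and p == 1 for t, p in zip(y_true, y_pred))
    tn = sum(t == 0 and p == 0 for t, p in zip(y_true, y_pred))
    fp = sum(t == 0 and p == 1 for t, p in zip(y_true, y_pred))
    fn = sum(t == 1 and p == 0 for t, p in zip(y_true, y_pred))
    return tp, tn, fp, fn

def accuracy(tp, tn, fp, fn):
    second_sum = tp + tn + fp + fn  # first sum (tp + tn) over second sum
    return (tp + tn) / second_sum if second_sum else 0.0

def recall(tp, fn):
    third_sum = tp + fn
    return tp / third_sum if third_sum else 0.0

def evaluate(model, data):
    y_true = [y for _, y in data]
    y_pred = [1 if model.forward(x)[1] >= 0.5 else 0 for x, _ in data]
    tp, tn, fp, fn = confusion(y_true, y_pred)
    return {"accuracy": accuracy(tp, tn, fp, fn), "recall": recall(tp, fn)}

if __name__ == "__main__":
    net = TinyNet()
    print(train(net, make_flows(200, seed=1), loss_threshold=0.1, preset_epochs=200))
    print(evaluate(net, make_flows(100, seed=2)))
```

On traffic where attacks are rare the two indices diverge: a detector that labels 990 normal flows and 10 attack flows all as normal scores `accuracy(0, 990, 0, 10) == 0.99` but `recall(0, 10) == 0.0`, so recall is the index that shows missed attacks.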
Example 2
According to the embodiment of the present invention, a network attack recognition device is further provided, which can execute a network attack recognition method provided in the foregoing embodiment 1, and a specific implementation manner and a preferred application scenario are the same as those of the foregoing embodiment 1, and are not described herein.
Fig. 4 is a schematic diagram of a network attack recognition device according to an embodiment of the present invention. As shown in fig. 4, the apparatus includes:
an obtaining module 402, configured to obtain current network traffic data;
the recognition module 404 is configured to input the current network traffic data to the trained deep neural network model for recognition, and obtain a recognition result of the current network traffic data, where the recognition result is used to characterize an attack type corresponding to the current network traffic data.
Optionally, the apparatus further comprises: the system comprises an acquisition module, a test module and a data processing module, wherein the acquisition module is used for acquiring a sample data set, the sample data set comprises a plurality of network attack types, and the sample data set comprises a training set and a test set; and the training module is used for training the initial neural network model based on the sample data set to obtain the deep neural network model.
Optionally, the training module includes: the prediction module is used for obtaining a prediction result corresponding to the training set by inputting the training set into the initial neural network model one by one for prediction; the tag acquisition module is used for acquiring actual sample tag information corresponding to the training set, wherein the actual sample tag information is used for representing the network attack type corresponding to the sample data; and the optimization module is used for optimizing and adjusting parameters of the initial neural network model based on the prediction result and the actual sample label information to obtain the deep neural network model.
Optionally, the optimizing module includes: the loss analysis module is used for carrying out loss analysis on the actual sample label information and the predicted label information corresponding to the predicted result through a loss function to obtain a loss value; and the parameter adjustment module is used for carrying out optimization adjustment on the parameters of the initial neural network model based on the loss value to obtain the deep neural network model.
Optionally, the parameter adjustment module includes: the judging module is used for judging whether the loss value meets a preset loss threshold value or not; the model obtaining module is used for obtaining a deep neural network model in response to the loss value meeting the preset loss threshold value, wherein the deep neural network model is used for representing a model obtained after the parameters of the initial neural network model are optimized and adjusted; and the optimization adjustment module is used for continuing to optimize and adjust the parameters of the initial neural network model in response to the loss value not meeting the preset loss threshold.
Optionally, the apparatus further comprises: and the weight updating module is used for updating the weight information of the initial neural network model through the gradient optimizer and optimizing and adjusting the parameters of the initial neural network model to obtain the deep neural network model.
Optionally, the apparatus further comprises: the period acquisition module is used for acquiring the current training period of the initial neural network model; the period judging module is used for judging whether the current training period reaches a preset training period or not; the ending module is used for responding to the fact that the current training period reaches a preset training period, and training is ended to obtain a deep neural network model; and the training module is used for continuously training the initial neural network model in response to the current training period not reaching the preset training period.
Optionally, the apparatus further comprises: the index acquisition module is used for acquiring a preset evaluation index, wherein the preset evaluation index is used for representing an index for model evaluation; the model evaluation module is used for evaluating the deep neural network model based on a preset evaluation index to obtain the prediction performance of the deep neural network model.
Optionally, the model evaluation module includes: the device comprises a result acquisition module, a prediction module and a calculation module, wherein the result acquisition module is used for acquiring a true positive result, a true negative result, a false positive result and a false negative result in the prediction result, the true positive result is used for representing the result of correctly classifying a positive example in the training set as a positive example, the true negative result is used for representing the result of correctly classifying a negative example in the training set as a negative example, the false positive result is used for representing the result of incorrectly classifying a negative example in the training set as a positive example, and the false negative result is used for representing the result of incorrectly classifying a positive example in the training set as a negative example; the first summation module is used for obtaining the sum of the true positive result and the true negative result to obtain a first sum value; the second summation module is used for obtaining the sum of the true positive result, the true negative result, the false positive result and the false negative result to obtain a second sum value; the first ratio module is used for obtaining the ratio of the first sum value to the second sum value, and taking the ratio result as an accuracy index.
Optionally, the model evaluation module further comprises: the third summation module is used for obtaining the sum of the true positive result and the false negative result in the prediction result to obtain a third sum value; and the second ratio module is used for obtaining the ratio of the true positive result to the third sum value and taking the ratio result as a recall index.
Example 3
According to an embodiment of the present invention, there is further provided a computer-readable storage medium, where the computer-readable storage medium includes a stored program, and when the program runs, the device in which the computer-readable storage medium is located is controlled to execute the network attack identification method of any one of the above.
Example 4
According to an embodiment of the present invention, there is also provided an electronic device including: a memory storing an executable program; and the processor is used for running the program, wherein the network attack identification method of any one of the above steps is executed when the program runs.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
In the foregoing embodiments of the present invention, each embodiment is described with its own emphasis; for a portion that is not described in detail in one embodiment, reference may be made to the related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed technology content may be implemented in other manners. The above-described embodiments of the apparatus are merely exemplary, and the division of the units, for example, may be a logic function division, and may be implemented in another manner, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interfaces, units or modules, or may be in electrical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied, in essence or in whole or in part, in the form of a software product stored in a storage medium, including instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or other various media capable of storing program code.
The foregoing is merely a preferred embodiment of the present invention. It should be noted that those skilled in the art may make modifications and adaptations without departing from the principles of the present invention, and these are intended to fall within the scope of the present invention.

Claims (13)

1. A network attack identification method, comprising:
acquiring current network flow data;
and inputting the current network flow data into a trained deep neural network model for recognition to obtain a recognition result of the current network flow data, wherein the recognition result is used for representing the attack type corresponding to the current network flow data.
2. The network attack identification method according to claim 1, wherein the method further comprises:
collecting a sample data set, wherein the sample data set comprises a plurality of network attack types, and the sample data set comprises a training set and a testing set;
and training an initial neural network model based on the sample data set to obtain the deep neural network model.
3. The network attack identification method according to claim 2, wherein training an initial neural network model based on the sample data set to obtain the deep neural network model comprises:
inputting the training sets one by one into the initial neural network model for prediction to obtain a prediction result corresponding to the training set;
acquiring actual sample tag information corresponding to the training set, wherein the actual sample tag information is used for representing a network attack type corresponding to sample data;
and optimizing and adjusting parameters of the initial neural network model based on the prediction result and the actual sample label information to obtain the deep neural network model.
4. The network attack recognition method according to claim 3, wherein optimizing and adjusting parameters of the initial neural network model based on the prediction result and the actual sample tag information to obtain the deep neural network model includes:
carrying out loss analysis on the actual sample label information and the predicted label information corresponding to the predicted result through a loss function to obtain a loss value;
and optimizing and adjusting parameters of the initial neural network model based on the loss value to obtain the deep neural network model.
5. The network attack recognition method according to claim 4, wherein optimizing and adjusting parameters of the initial neural network model based on the loss value to obtain the deep neural network model includes:
judging whether the loss value meets a preset loss threshold value or not;
responding to the loss value meeting the preset loss threshold value to obtain the deep neural network model, wherein the deep neural network model is used for representing a model obtained after the parameters of the initial neural network model are optimized and adjusted;
and responding to the loss value not meeting the preset loss threshold value, and continuing to optimally adjust the parameters of the initial neural network model.
6. The network attack identification method according to claim 3, wherein the method further comprises:
and updating the weight information of the initial neural network model through a gradient optimizer, and optimizing and adjusting parameters of the initial neural network model to obtain the deep neural network model.
7. The network attack identification method according to claim 3, wherein the method further comprises:
acquiring a current training period of the initial neural network model;
judging whether the current training period reaches a preset training period or not;
responding to the current training period reaching the preset training period, and ending training to obtain a deep neural network model;
and continuing training the initial neural network model in response to the current training period not reaching the preset training period.
8. The network attack identification method according to claim 3, wherein after training an initial neural network model based on the sample data set to obtain the deep neural network model, the method further comprises:
acquiring a preset evaluation index, wherein the preset evaluation index is used for representing an index for model evaluation;
and evaluating the deep neural network model based on the preset evaluation index to obtain the prediction performance of the deep neural network model.
9. The network attack identification method according to claim 8, wherein the preset evaluation index includes at least an accuracy index, and evaluating the deep neural network model based on the preset evaluation index comprises:
obtaining a true positive result, a true negative result, a false positive result and a false negative result in the prediction result, wherein the true positive result is used for representing a result of correctly classifying a positive example in the training set as a positive example, the true negative result is used for representing a result of correctly classifying a negative example in the training set as a negative example, the false positive result is used for representing a result of incorrectly classifying a negative example in the training set as a positive example, and the false negative result is used for representing a result of incorrectly classifying a positive example in the training set as a negative example;
obtaining the sum of the true positive result and the true negative result to obtain a first sum value;
obtaining the sum of the true positive result, the true negative result, the false positive result and the false negative result to obtain a second sum value;
and obtaining the ratio of the first sum value to the second sum value, and taking the ratio result as the accuracy index.
10. The network attack identification method according to claim 8, wherein the preset evaluation index includes at least a recall index, and evaluating the deep neural network model based on the preset evaluation index comprises:
obtaining the sum of a true positive result and a false negative result in the prediction result to obtain a third sum value;
and obtaining the ratio of the true positive result to the third sum value, and taking the ratio result as the recall index.
11. A network attack recognition device, comprising:
the acquisition module is used for acquiring current network flow data;
the identification module is used for inputting the current network flow data into the trained deep neural network model for identification, and obtaining an identification result of the current network flow data, wherein the identification result is used for representing the attack type corresponding to the current network flow data.
12. A computer-readable storage medium, characterized in that the computer-readable storage medium comprises a stored program, wherein the program, when run, controls a device in which the computer-readable storage medium is located to perform the network attack identification method according to any one of claims 1 to 10.
13. An electronic device, comprising:
a memory storing an executable program;
a processor for running the program, wherein the program when run performs the network attack identification method according to any of claims 1 to 10.
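The accuracy and recall indices of claims 9 and 10, worked per attack class, as an added example that is not part of the patent text. It goes beyond the binary case in the claims by counting each class one-vs-rest; the class labels, the sample predictions and the convention of returning 0.0 for an empty denominator are assumptions.

```python
from collections import Counter

def confusion_counts(y_true, y_pred, positive):
    """One-vs-rest TP, TN, FP, FN counts for a single class label."""
    c = Counter()
    for truth, pred in zip(y_true, y_pred):
        if truth == positive:
            c["TP" if pred == positive else "FN"] += 1
        else:
            c["FP" if pred == positive else "TN"] += 1
    return c["TP"], c["TN"], c["FP"], c["FN"]

def accuracy(tp, tn, fp, fn):
    first_sum = tp + tn              # claim 9: first sum value
    second_sum = tp + tn + fp + fn   # claim 9: second sum value
    # Assumption: an empty evaluation set scores 0.0 rather than raising.
    return first_sum / second_sum if second_sum else 0.0

def recall(tp, fn):
    third_sum = tp + fn              # claim 10: third sum value
    # Assumption: a class with no positive samples scores 0.0.
    return tp / third_sum if third_sum else 0.0

def evaluate(y_true, y_pred):
    """Return {label: {"accuracy": ..., "recall": ...}} for every label seen."""
    if len(y_true) != len(y_pred):
        raise ValueError("label and prediction lists differ in length")
    report = {}
    for label in sorted(set(y_true) | set(y_pred)):
        tp, tn, fp, fn = confusion_counts(y_true, y_pred, label)
        report[label] = {
            "accuracy": accuracy(tp, tn, fp, fn),
            "recall": recall(tp, fn),
        }
    return report

# Constructed sample: 100 flows, heavily imbalanced toward benign traffic.
Y_TRUE = ["benign"] * 90 + ["ddos"] * 6 + ["scan"] * 4
# The hypothetical model misses 1 of 6 ddos flows and 3 of 4 scan flows.
Y_PRED = ["benign"] * 90 + ["ddos"] * 5 + ["benign"] + ["scan"] + ["benign"] * 3

if __name__ == "__main__":
    for label, scores in evaluate(Y_TRUE, Y_PRED).items():
        print(f"{label:7s} accuracy={scores['accuracy']:.2f} "
              f"recall={scores['recall']:.2f}")
```

On imbalanced traffic the accuracy index stays high for a class the model mostly misses, which is why the recall index is reported alongside it.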
CN202311609305.8A 2023-11-28 2023-11-28 Network attack identification methods, devices, storage media and electronic equipment Pending CN117614703A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311609305.8A CN117614703A (en) 2023-11-28 2023-11-28 Network attack identification methods, devices, storage media and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311609305.8A CN117614703A (en) 2023-11-28 2023-11-28 Network attack identification methods, devices, storage media and electronic equipment

Publications (1)

Publication Number Publication Date
CN117614703A true CN117614703A (en) 2024-02-27

Family

ID=89951109

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311609305.8A Pending CN117614703A (en) 2023-11-28 2023-11-28 Network attack identification methods, devices, storage media and electronic equipment

Country Status (1)

Country Link
CN (1) CN117614703A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119232440A (en) * 2024-09-11 2024-12-31 广东电网有限责任公司 A network attack prevention method, device, terminal equipment and storage medium

Similar Documents

Publication Publication Date Title
CN109889538B (en) User abnormal behavior detection method and system
CN108718310A (en) Multi-level attack signatures generation based on deep learning and malicious act recognition methods
CN111030992B (en) Detection method, server and computer readable storage medium
CN112188532A (en) Training method of network anomaly detection model, network detection method and device
CN112738014A (en) Industrial control flow abnormity detection method and system based on convolution time sequence network
CN114218998A (en) Power system abnormal behavior analysis method based on hidden Markov model
CN110162958B (en) Method, apparatus and recording medium for calculating comprehensive credit score of device
CN118282766A (en) Network intrusion detection method, device, storage medium and computer equipment
CN115242431A (en) Industrial Internet of things data anomaly detection method based on random forest and long-short term memory network
CN115987552A (en) Network intrusion detection method based on deep learning
CN116483602A (en) Abnormality detection method, abnormality detection device and computer storage medium
CN119513763A (en) Anomaly detection method and system for Internet of Things cards based on improved K-means algorithm
CN115296837A (en) SSA optimization-based sustainable integrated intrusion detection method
CN112115996B (en) Image data processing method, device, equipment and storage medium
CN116647374B (en) Network flow intrusion detection method based on big data
CN117614703A (en) Network attack identification methods, devices, storage media and electronic equipment
CN110808947A (en) Automatic vulnerability quantitative evaluation method and system
CN115085948A (en) Network security situation assessment method based on improved D-S evidence theory
CN117459247A (en) Webshell detection method and device based on deep learning
CN118351532A (en) Foodborne pathogen detection tools and methods
CN116996313A (en) Method, medium and product for obtaining white flow identification model
CN112598118B (en) Method, device, storage medium and equipment for processing abnormal labeling in supervised learning
CN116977834A (en) Method for identifying internal and external images distributed under open condition
CN116467697A (en) Data association system based on information security network defense
CN117014193A (en) Unknown Web attack detection method based on behavior baseline

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination