
CN119603071A - Network intrusion detection method, device, electronic device and storage medium - Google Patents


Info

Publication number
CN119603071A
Authority
CN
China
Prior art keywords
target
model
network access
access behavior
data
Prior art date
Legal status
Granted
Application number
CN202510113891.XA
Other languages
Chinese (zh)
Other versions
CN119603071B (en)
Inventor
张武超
钱立佩
王旭
孙逢宁
李少博
Current Assignee
Beijing Jianheng Xin'an Technology Co ltd
Original Assignee
Beijing Jianheng Xin'an Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Beijing Jianheng Xin'an Technology Co ltd
Priority to CN202510113891.XA
Publication of CN119603071A
Application granted
Publication of CN119603071B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/044 Recurrent networks, e.g. Hopfield networks
    • G06N3/0442 Recurrent networks, e.g. Hopfield networks characterised by memory or gating, e.g. long short-term memory [LSTM] or gated recurrent units [GRU]
    • G06N3/08 Learning methods


Abstract

The invention provides a network intrusion detection method, a device, electronic equipment and a storage medium, which relate to the technical field of network security and can acquire target network access behavior data to be detected; the method comprises the steps of encoding and decoding target network access behavior data by using an eccentric model to obtain target decoded data, and carrying out network intrusion detection on the target network access behavior data by using an LSTM model according to the target decoded data to obtain a target detection result, wherein the LSTM model and the eccentric model are obtained by combined training. Therefore, the network attack is detected by matching the eccentric model with the LSTM model, the problem of shallow learning limitation is effectively solved, and the detection result is more accurate.

Description

Network intrusion detection method, device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a network intrusion detection method, a device, an electronic device, and a storage medium.
Background
With the continuous development of artificial intelligence technology, deep learning methods have gradually become one of the research hotspots in the field of network security. The long short-term memory neural network (Long Short Term Memory, abbreviated as LSTM) is a special kind of recurrent neural network (Recurrent Neural Network, abbreviated as RNN) and is widely used in many fields because it can model long-term dependencies in sequence data. LSTM is widely adopted in network security, especially for network attack detection, because of its advantages in processing time-series data. By analyzing network traffic data, an LSTM can identify abnormal behavior patterns and thereby help detect potential network attack events.
Specifically, LSTM controls the flow of information through its unique gating mechanism so that the model can remember past data and use this information when appropriate. This feature makes it well suited for handling network attack detection tasks, since many network attacks have some sequence and time dependence. For example, by analyzing network traffic data over a period of time, the LSTM may identify a particular pattern or sequence that an attacker may use, thereby pre-warning of potential security threats in advance.
However, LSTM also presents certain limitations in practical applications. On the one hand, when a new type of attack is encountered, LSTM may not accurately identify these unknown types of attacks due to the lack of samples in the training dataset that correspond to the new type of attack. On the other hand, LSTM may also have difficulty distinguishing normal network activity from malicious attacks for those attacks that vary in surface features, but remain unchanged in deep features.
Disclosure of Invention
The invention aims to provide a network intrusion detection method, a network intrusion detection device, electronic equipment and a storage medium, so as to improve the accuracy of detection results.
In a first aspect, the present invention provides a network intrusion detection method, including:
Acquiring target network access behavior data to be detected;
encoding and decoding the target network access behavior data by using the eccentric model to obtain target decoded data;
And performing network intrusion detection on the target network access behavior data by utilizing an LSTM model according to the target decoded data to obtain a target detection result, wherein the LSTM model and the eccentric model are obtained through joint training.
In an alternative embodiment, after obtaining the target network access behavior data to be detected, the method further includes:
And carrying out vectorization processing on the target network access behavior data to obtain an original target vector.
In an alternative embodiment, encoding and decoding the target network access behavior data by using the eccentric model to obtain target decoded data includes:
And inputting the original target vector obtained by vectorizing the target network access behavior data into the eccentric model, and determining the decoded target vector output by the eccentric model as the target decoded data, wherein the decoded target vector is obtained by encoding and decoding the original target vector with the eccentric model.
In an alternative embodiment, according to the target decoded data, network intrusion detection is performed on the target network access behavior data by using an LSTM model, so as to obtain a target detection result, including:
combining the target decoded data with the target network access behavior data to obtain target combined sequence data;
Inputting the target combined sequence data into the LSTM model to obtain a target detection result output by the LSTM model.
In an alternative embodiment, the method further comprises:
acquiring a plurality of pieces of sample network access behavior data and labels thereof, wherein the labels are used for identifying whether the corresponding network access behavior is a network intrusion behavior or not;
encoding and decoding each sample network access behavior data by utilizing the current eccentric model to be trained to obtain sample decoded data;
according to the decoded data of each sample, performing network intrusion detection on the network access behavior data of the corresponding sample by utilizing the current LSTM model to be trained, and obtaining a sample detection result;
and simultaneously updating parameters of the current eccentric model and the current LSTM model according to the detection result of each sample and the labels of the corresponding sample network access behavior data so as to obtain the trained eccentric model and the trained LSTM model.
In an alternative embodiment, after obtaining the plurality of pieces of sample network access behavior data and the labels thereof, the method further includes:
and carrying out vectorization processing on each piece of sample network access behavior data to obtain an original sample vector.
In a second aspect, the present invention provides a network intrusion detection device, including:
the acquisition module is used for acquiring target network access behavior data to be detected;
the encoding and decoding module is used for encoding and decoding the target network access behavior data by utilizing the eccentric model to obtain target decoded data;
And the detection module is used for carrying out network intrusion detection on the target network access behavior data by utilizing the LSTM model according to the target decoded data to obtain a target detection result, wherein the LSTM model and the eccentric model are obtained through combined training.
In an alternative embodiment, the apparatus further includes a training module configured to:
acquiring a plurality of pieces of sample network access behavior data and labels thereof, wherein the labels are used for identifying whether the corresponding network access behavior is a network intrusion behavior or not;
encoding and decoding each sample network access behavior data by utilizing the current eccentric model to be trained to obtain sample decoded data;
according to the decoded data of each sample, performing network intrusion detection on the network access behavior data of the corresponding sample by utilizing the current LSTM model to be trained, and obtaining a sample detection result;
and simultaneously updating parameters of the current eccentric model and the current LSTM model according to the detection result of each sample and the labels of the corresponding sample network access behavior data so as to obtain the trained eccentric model and the trained LSTM model.
In a third aspect, the present invention provides an electronic device including a memory and a processor, the memory storing a computer program executable on the processor, and the processor implementing the network intrusion detection method according to any one of the foregoing embodiments when the computer program is executed.
In a fourth aspect, the present invention provides a computer readable storage medium having a computer program stored thereon, which when executed by a processor performs the network intrusion detection method according to any one of the preceding embodiments.
The network intrusion detection method, the network intrusion detection device, the electronic equipment and the storage medium can acquire target network access behavior data to be detected, encode and decode the target network access behavior data by utilizing the eccentric model to obtain target decoded data, and perform network intrusion detection on the target network access behavior data by utilizing the LSTM model according to the target decoded data to obtain a target detection result, wherein the LSTM model and the eccentric model are obtained through combined training. Therefore, the network attack is detected by matching the eccentric model with the LSTM model, the problem of shallow learning limitation is effectively solved, and the detection result is more accurate.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are needed in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the present invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flow chart of a network intrusion detection method according to an embodiment of the present invention;
fig. 2 is a data flow diagram of a network intrusion detection method according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of training flow of an LSTM model and an eccentric model according to an embodiment of the present invention;
Fig. 4 is a flow chart of another network intrusion detection method according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a network intrusion detection device according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions of the present invention will be clearly and completely described in connection with the embodiments, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The use of LSTM (Long Short Term Memory, long short-term memory neural network) for network attack detection is one of the means commonly used at present, but LSTM has certain limitations: it may fail to identify a new attack, because no feature of the new attack is present in the training data, and it may fail to identify an attack whose surface features have changed while its deep features are unchanged. Based on this, the network intrusion detection method, device, electronic equipment and storage medium provided by the embodiment of the invention combine the classical LSTM neural network with the eccentric model to detect network intrusion, so that the accuracy of the detection result can be improved.
For the sake of understanding the present embodiment, a detailed description will be given of a network intrusion detection method disclosed in the embodiment of the present invention.
The embodiment of the invention provides a network intrusion detection method which can be executed by electronic equipment with data processing capability. Referring to a flow chart of a network intrusion detection method shown in fig. 1, the method mainly includes steps S110 to S130 as follows:
step S110, obtaining target network access behavior data to be detected.
Network access behavior data for network intrusion detection will be required here as target network access behavior data to be detected. The network access behavior data may include a variety of information such as user identification information, time stamps, URL (Uniform Resource Locator ) of access, HTTP (Hyper Text Transfer Protocol, hypertext transfer protocol) method, browser and operating system information, geographical location information, and download/upload file information, etc.
The user identification information may include an IP address, a device ID, a Cookie ID, etc. for identifying a specific user or device. The timestamp is the point in time at which each network request occurs and helps track the time and frequency of user activity. The URL accessed is a specific address of the web page browsed by the user and may include protocols (e.g., HTTP/HTTPs), domain names, paths, and query parameters. The HTTP method can be a GET, POST and other request modes, and indicates whether the user is acquiring the resource or submitting the data. The browser and operating system information may be information contained in a User-Agent string, such as a browser type, a version number, an operating system platform, etc., and may be used to learn about a technical environment of a User. The geographic location information may be the user's location as inferred based on an IP address or other location technology. The download/upload file information may include details of file transfer size, format, etc., and may be used to monitor bandwidth usage or potential security risks.
And step S120, encoding and decoding the target network access behavior data by using the eccentric model to obtain target decoded data.
The eccentric model can be a traditional deep neural network (Deep Neural Network, DNN for short) network, and the eccentric model has the function of encoding and decoding network access behavior data so as to better extract deep features. The DNN network of the eccentric model may employ an asymmetric encoding-decoding structure.
In order to facilitate calculation of the eccentric model and the LSTM model, after the target network access behavior data to be detected is obtained, the method further comprises the step of vectorizing the target network access behavior data to obtain an original target vector.
It should be noted that the embodiment of the present invention does not limit the specific vectorization method; for example, One-hot encoding or Bag of Words (BoW, the bag-of-words model) may be used, where One-hot encoding yields a One-hot vector and the bag-of-words model yields a bag-of-words vector.
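One way to build the original vector V from a record of the kind listed above, as an added example in Python that is not part of the patent: the feature layout (one-hot HTTP method, bag-of-words over URL path segments and query parameter names, OS flags taken from the User-Agent string, one-hot geographic region, an https flag, hour of day and log-scaled transfer size) is my own choice, the two sample records are constructed, and the vocabulary is fixed from the records it is built on so that every vector has the same width.

```python
from datetime import datetime
from urllib.parse import urlsplit
import numpy as np

# Constructed sample records (not taken from the patent); the fields follow the
# kinds of network access behavior data the description lists.
RECORDS = [
    {"user": "10.0.0.5", "ts": "2024-01-15T08:02:11", "method": "GET",
     "url": "https://shop.example/catalog/items?id=42",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/120", "geo": "DE", "bytes": 1820},
    {"user": "10.0.0.7", "ts": "2024-01-15T03:41:09", "method": "POST",
     "url": "http://shop.example/admin/login?user=x",
     "ua": "python-requests/2.31", "geo": "US", "bytes": 512},
]

METHODS = ["GET", "POST", "PUT", "DELETE"]   # anything else lands in an "other" slot
GEOS = ["US", "DE", "CN"]
OS_KEYS = ["windows", "linux", "android", "iphone", "mac"]


def one_hot(value, choices):
    """One-hot over choices, with a trailing slot for values outside the list."""
    vec = [1.0 if value == c else 0.0 for c in choices]
    vec.append(0.0 if value in choices else 1.0)
    return vec


def url_tokens(record):
    """Bag-of-words tokens: URL path segments and query parameter names."""
    parts = urlsplit(record["url"])
    toks = [seg for seg in parts.path.split("/") if seg]
    toks += [kv.split("=", 1)[0] for kv in parts.query.split("&") if kv]
    return toks


def build_vocab(records):
    """Sorted token vocabulary fixed from the training records."""
    return sorted({t for r in records for t in url_tokens(r)})


def vectorize(record, vocab):
    """Original vector V for one record: [method one-hot | BoW over vocab |
    OS flags from the User-Agent | geo one-hot | https flag | hour/23 | log-size]."""
    bow = [0.0] * len(vocab)
    for t in url_tokens(record):
        if t in vocab:                       # tokens outside the vocabulary are dropped
            bow[vocab.index(t)] += 1.0
    ua = record["ua"].lower()
    os_flags = [1.0 if k in ua else 0.0 for k in OS_KEYS]
    https = 1.0 if urlsplit(record["url"]).scheme == "https" else 0.0
    hour = datetime.fromisoformat(record["ts"]).hour / 23.0
    size = float(np.log1p(record["bytes"]) / np.log1p(1e9))   # 1 GB as the scale
    return np.array(one_hot(record["method"].upper(), METHODS) + bow + os_flags
                    + one_hot(record["geo"], GEOS) + [https, hour, size])


def feature_names(vocab):
    """Column labels in the same order as vectorize(), useful when inspecting V."""
    return (["method=" + m for m in METHODS + ["other"]] + ["url:" + t for t in vocab]
            + ["os:" + k for k in OS_KEYS] + ["geo=" + g for g in GEOS + ["other"]]
            + ["https", "hour", "log_bytes"])


if __name__ == "__main__":
    vocab = build_vocab(RECORDS)
    for name, val in zip(feature_names(vocab), vectorize(RECORDS[1], vocab)):
        print(f"{name:14s} {val:.3f}")
```

The vocabulary must be frozen on the training set and reused unchanged at detection time; otherwise the width of V changes and the trained models cannot consume it, which is also why unseen tokens are dropped rather than appended.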
In some possible embodiments, step S120 may include inputting the original target vector obtained by vectorizing the target network access behavior data into the eccentric model, and determining the decoded target vector output by the eccentric model as the target decoded data, where the decoded target vector is obtained by encoding and decoding the original target vector with the eccentric model.
And step S130, performing network intrusion detection on the target network access behavior data by utilizing an LSTM model according to the target decoded data to obtain a target detection result, wherein the LSTM model and the eccentric model are obtained through joint training.
When the LSTM model is used for detecting network intrusion, not only the target network access behavior data is utilized, but also the target decoded data is combined, so that the problem of shallow learning limitation can be effectively solved. It should be noted that, for the network structures of the LSTM model and the eccentric model, the size, the number of parameters, and the like may be set according to the data amount of the training data set.
In some possible embodiments, the step S130 may include combining the target decoded data and the target network access behavior data to obtain target combined sequence data, and inputting the target combined sequence data into the LSTM model to obtain a target detection result output by the LSTM model.
Optionally, the target decoded data may be a decoded target vector, the target combined sequence data adopts a vector form, and the decoded target vector and an original target vector corresponding to the target network access behavior data may be combined to obtain the target combined sequence vector.
It should be noted that the manner of combining the target decoded data and the target network access behavior data may be set according to actual requirements and is not limited herein; for example, if the original target vector is V and the decoded target vector is Dv, the target combined sequence vector may be [V, Dv] or [Dv, V].
The network intrusion detection method provided by the embodiment of the invention can acquire the target network access behavior data to be detected, encode and decode the target network access behavior data by utilizing the eccentric model to obtain target decoded data, and perform network intrusion detection on the target network access behavior data by utilizing the LSTM model according to the target decoded data to obtain a target detection result, wherein the LSTM model and the eccentric model are obtained by combined training. Therefore, the network attack is detected by matching the eccentric model with the LSTM model, the problem of shallow learning limitation is effectively solved, and the detection result is more accurate.
The embodiment of the invention also provides a combined training method of the eccentric model and the LSTM model, which comprises the steps of obtaining a plurality of pieces of sample network access behavior data and labels thereof, wherein the labels are used for identifying whether corresponding network access behaviors are network intrusion behaviors, utilizing a current eccentric model to be trained to encode and decode each piece of sample network access behavior data to obtain sample decoded data, utilizing the current LSTM model to be trained to conduct network intrusion detection on the corresponding sample network access behavior data according to each piece of sample decoded data to obtain sample detection results, and simultaneously updating parameters of the current eccentric model and the current LSTM model according to each sample detection result and the labels of the corresponding sample network access behavior data to obtain the trained eccentric model and the trained LSTM model.
Optionally, a plurality of pieces of sample network access behavior data can be selected from a pre-constructed training data set to train the eccentric model and the LSTM model, wherein the label of the sample network access behavior data can be 0 or 1,0 indicates that the corresponding network access behavior is not a network intrusion behavior, and 1 indicates that the corresponding network access behavior is a network intrusion behavior.
Optionally, after acquiring the plurality of pieces of sample network access behavior data and the labels thereof, the method further comprises vectorizing each piece of sample network access behavior data to obtain an original sample vector. Based on the method, an original sample vector can be input into a current eccentric model to obtain a decoded sample vector output by the current eccentric model, namely sample decoded data, the decoded sample vector is combined with the original sample vector to obtain a sample combined sequence vector, the sample combined sequence vector is input into a current LSTM model, the current LSTM model outputs a sample detection result, a model loss value is calculated according to the sample detection result and a label, and the current eccentric model and the current LSTM model are reversely updated according to the model loss value.
It should be noted that, the steps not described in detail in the training process may refer to the corresponding content in the foregoing network intrusion detection method, which is not described herein again.
For ease of understanding, the network intrusion detection method described above is further described below.
The embodiment of the invention provides a network intrusion detection method for detecting network attacks by combining an eccentric model with an LSTM model, which can effectively solve the problem of shallow learning limitation and enable the detection result to be more accurate.
The network intrusion detection method provided by the embodiment of the invention is mainly divided into two parts, namely firstly, adding intervention of an eccentric model when training an LSTM model to detect network attack so that the LSTM model can adapt to the existence of the eccentric model, and secondly, adding the eccentric model when using the LSTM model to detect network attack so as to improve the accuracy of detection results.
Referring to a data flow diagram of a network intrusion detection method shown in fig. 2, a network access behavior is vectorized, vectors of the network access behavior are directly given to an eccentric model and an LSTM model, the eccentric model encodes and decodes the vectors of the network access behavior, the vectors encoded and decoded by the eccentric model are given to the LSTM model, and the LSTM model processes the vectors of the network access behavior and the decoded vectors to give a detection result of whether the behavior is the network intrusion behavior.
Referring to a training flow diagram of an LSTM model and an eccentric model shown in fig. 3, the training flow of the LSTM model and the eccentric model is that firstly a training data set is obtained, the training data set comprises a plurality of pieces of network access behavior data and labels thereof, then the data vectorization is carried out on the plurality of pieces of data in the training data set and is output to the eccentric model and the LSTM model, vectors coded and decoded by the eccentric model are output to the LSTM model, the LSTM model outputs a prediction result (i.e. a sample detection result), loss (i.e. loss) calculation is carried out on the prediction result and a real result (i.e. the labels), and model parameters of the eccentric model and the LSTM model are updated reversely at the same time, and finally, when iteration stop conditions are met, training is completed. The iteration stop condition may be set according to actual requirements, for example, the iteration number reaches a preset number of times threshold, or both the eccentric model and the LSTM model converge.
An exemplary training process is as follows:
1. Take n pieces of data from the training dataset (n may be any integer greater than 0, for example a power of 2 such as 2, 4, 8, etc.);
2. Perform vectorization on each of the n pieces of data. Vectorization may be carried out by any method and may produce One-hot vectors or bag-of-words vectors; no particular method is required;
3. Let the vector of the data be V;
   hand V to the eccentric model D for encoding and decoding to obtain Dv;
   combine V and Dv into the sequence data [V, Dv];
   give [V, Dv] as input data to the LSTM model for calculation;
4. Calculate the loss from the prediction result output by the LSTM model and the real result, and update the model parameters of the LSTM model and the eccentric model according to the loss.
For the application of the LSTM model+the eccentric model, referring to a flow chart of another network intrusion detection method shown in fig. 4, in this embodiment, the method for using the combination of the LSTM model and the eccentric model is as follows:
1. Perform data vectorization on the access behavior to be detected to obtain V;
2. Encode and decode V with the eccentric model to obtain Dv;
3. Combine Dv with V into the sequence vector [V, Dv];
4. Pass [V, Dv] to the LSTM model to detect whether a network intrusion has occurred, and judge whether a network intrusion has occurred to complete the detection.
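The inference path (V → eccentric model → [V, Dv] → LSTM → detection result) and the joint training of both models from one loss, as an added example in numpy that is not the patent's code. It assumes a small asymmetric encoder-decoder DNN as the eccentric model (two encoder layers, one decoder layer), treats [V, Dv] as a two-step input sequence to a single-layer LSTM, uses a sigmoid read-out with binary cross-entropy against the 0/1 labels, and replaces back-propagation with a central-difference gradient so that the "update both models at the same time" step stays visible in a few lines; the training vectors and labels are constructed.

```python
import numpy as np

rng = np.random.default_rng(7)
D, LATENT, HIDDEN = 6, 2, 4   # width of V, eccentric bottleneck, LSTM hidden size

# Constructed toy training set (not from the patent): label 1 = intrusion, 0 = benign.
X_TRAIN = np.vstack([rng.normal(0.2, 0.1, (4, D)), rng.normal(0.8, 0.1, (4, D))])
Y_TRAIN = np.array([0, 0, 0, 0, 1, 1, 1, 1], dtype=float)


def sigmoid(x):
    return 1.0 / (1.0 + np.exp(-x))


def init_params():
    """Both models live in one parameter dict so that one loss can update them together."""
    s = lambda *shape: rng.normal(0.0, 0.3, shape)
    return {
        # eccentric model: asymmetric encoder (two layers) / decoder (one layer)
        "enc_W1": s(D, 4), "enc_b1": np.zeros(4),
        "enc_W2": s(4, LATENT), "enc_b2": np.zeros(LATENT),
        "dec_W": s(LATENT, D), "dec_b": np.zeros(D),
        # LSTM cell over the 2-step sequence [V, Dv] plus a sigmoid read-out
        "lstm_W": s(D + HIDDEN, 4 * HIDDEN), "lstm_b": np.zeros(4 * HIDDEN),
        "out_W": s(HIDDEN, 1), "out_b": np.zeros(1),
    }


def eccentric(p, V):
    """Encode V down to LATENT dims and decode back to D dims: returns Dv."""
    h = np.tanh(V @ p["enc_W1"] + p["enc_b1"])
    z = np.tanh(h @ p["enc_W2"] + p["enc_b2"])
    return sigmoid(z @ p["dec_W"] + p["dec_b"])


def combine(V, Dv, order="V,Dv"):
    """Sequence data [V, Dv] (or [Dv, V]); each row is one LSTM time step."""
    return np.stack([V, Dv]) if order == "V,Dv" else np.stack([Dv, V])


def lstm_detect(p, seq):
    """Single-layer LSTM over seq; the final hidden state gives the intrusion score."""
    h, c = np.zeros(HIDDEN), np.zeros(HIDDEN)
    for x in seq:
        gates = np.concatenate([x, h]) @ p["lstm_W"] + p["lstm_b"]
        i, f, o, g = np.split(gates, 4)
        c = sigmoid(f) * c + sigmoid(i) * np.tanh(g)
        h = sigmoid(o) * np.tanh(c)
    return float(sigmoid(h @ p["out_W"] + p["out_b"])[0])


def detect(p, V):
    """Inference path: V -> eccentric -> [V, Dv] -> LSTM -> score in (0, 1)."""
    return lstm_detect(p, combine(V, eccentric(p, V)))


def loss(p, X, y):
    """Mean binary cross-entropy of the LSTM scores against the 0/1 labels."""
    eps = 1e-7
    scores = np.array([detect(p, V) for V in X])
    return float(-np.mean(y * np.log(scores + eps) + (1 - y) * np.log(1 - scores + eps)))


def joint_step(p, X, y, lr=0.1, h=1e-5):
    """One joint update: the gradient of the single detection loss is taken with respect
    to every parameter of BOTH models (central differences, fine at this toy size) and
    all parameters are moved in the same step."""
    grads = {}
    for k, W in p.items():
        g = np.zeros_like(W)
        for idx in np.ndindex(W.shape):
            old = W[idx]
            W[idx] = old + h
            up = loss(p, X, y)
            W[idx] = old - h
            down = loss(p, X, y)
            W[idx] = old
            g[idx] = (up - down) / (2 * h)
        grads[k] = g
    for k in p:
        p[k] -= lr * grads[k]
    return p


def train(steps=10, lr=0.1):
    """Returns (loss before, loss after, trained params)."""
    p = init_params()
    before = loss(p, X_TRAIN, Y_TRAIN)
    for _ in range(steps):
        joint_step(p, X_TRAIN, Y_TRAIN, lr)
    return before, loss(p, X_TRAIN, Y_TRAIN), p


if __name__ == "__main__":
    before, after, p = train()
    print(f"loss {before:.4f} -> {after:.4f}")
    print("score on a benign-like vector:", detect(p, np.full(D, 0.2)))
```

The point the example makes is structural: the eccentric model receives no reconstruction loss of its own; the only gradient it sees comes from the LSTM's detection loss, which is what "updating the parameters of both models at the same time" amounts to, and the same `combine` order used in training must be used at detection time.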
Corresponding to the network intrusion detection method, the embodiment of the invention also provides a network intrusion detection device. Referring to fig. 5, a schematic diagram of a network intrusion detection device, the device includes:
an obtaining module 501, configured to obtain target network access behavior data to be detected;
The encoding and decoding module 502 is configured to encode and decode the target network access behavior data by using the eccentric model, so as to obtain target decoded data;
And the detection module 503 is configured to perform network intrusion detection on the target network access behavior data by using an LSTM model according to the target decoded data, so as to obtain a target detection result, where the LSTM model and the eccentric model are obtained by joint training.
The network intrusion detection device provided by the embodiment of the invention can acquire target network access behavior data to be detected, encode and decode the target network access behavior data by utilizing the eccentric model to obtain target decoded data, and perform network intrusion detection on the target network access behavior data by utilizing the LSTM model according to the target decoded data to obtain a target detection result, wherein the LSTM model and the eccentric model are obtained by combined training. Therefore, the network attack is detected by matching the eccentric model with the LSTM model, the problem of shallow learning limitation is effectively solved, and the detection result is more accurate.
Further, the device further comprises a vectorization module, which is used for vectorizing the target network access behavior data to obtain an original target vector.
Further, the encoding and decoding module 502 is specifically configured to input the original target vector obtained by vectorizing the target network access behavior data into the eccentric model, and to determine the decoded target vector output by the eccentric model as the target decoded data, where the decoded target vector is obtained by encoding and decoding the original target vector with the eccentric model.
Further, the detection module 503 is specifically configured to combine the target decoded data and the target network access behavior data to obtain target combined sequence data, and input the target combined sequence data into the LSTM model to obtain a target detection result output by the LSTM model.
Further, the device further comprises a training module for:
acquiring a plurality of pieces of sample network access behavior data and labels thereof, wherein the labels are used for identifying whether the corresponding network access behavior is a network intrusion behavior or not;
encoding and decoding each sample network access behavior data by utilizing the current eccentric model to be trained to obtain sample decoded data;
according to the decoded data of each sample, performing network intrusion detection on the network access behavior data of the corresponding sample by utilizing the current LSTM model to be trained, and obtaining a sample detection result;
and simultaneously updating parameters of the current eccentric model and the current LSTM model according to the detection result of each sample and the labels of the corresponding sample network access behavior data so as to obtain the trained eccentric model and the trained LSTM model.
Furthermore, the training module is also used for vectorizing each piece of sample network access behavior data to obtain an original sample vector.
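The data flow described for the device and its training module (vectorize the access behavior record, encode and decode it, combine the decoded vector with the original, score the combination, and update both models from one loss) is shown below as an added example. It is not code from the patent or its assignee: the encoder/decoder is a small tanh bottleneck standing in for the "eccentric model", a logistic layer over the combined vector stands in for the LSTM so the example runs without any ML library, and the sample records, field names and scaling constants are all constructed for illustration.

```python
"""Joint training of an encoder/decoder ("eccentric model" stand-in) and a
detector that reads [original vector, decoded vector], as one loss with
gradients flowing into both parts. Pure Python; all data is constructed."""
import math
import random

# Constructed per-client counters such as an access-log aggregator might emit.
# Label 1 = intrusion-like behaviour, 0 = benign (illustrative values only).
SAMPLES = [
    ({"requests_per_min": 12, "distinct_paths": 3, "error_ratio": 0.02, "kb_out": 40}, 0),
    ({"requests_per_min": 25, "distinct_paths": 5, "error_ratio": 0.04, "kb_out": 65}, 0),
    ({"requests_per_min": 8, "distinct_paths": 2, "error_ratio": 0.00, "kb_out": 22}, 0),
    ({"requests_per_min": 30, "distinct_paths": 6, "error_ratio": 0.05, "kb_out": 80}, 0),
    ({"requests_per_min": 900, "distinct_paths": 350, "error_ratio": 0.85, "kb_out": 5}, 1),
    ({"requests_per_min": 640, "distinct_paths": 210, "error_ratio": 0.70, "kb_out": 9}, 1),
    ({"requests_per_min": 980, "distinct_paths": 390, "error_ratio": 0.92, "kb_out": 3}, 1),
    ({"requests_per_min": 510, "distinct_paths": 180, "error_ratio": 0.60, "kb_out": 12}, 1),
]
# Assumed fixed scales so every feature lands in [0, 1].
SCALE = {"requests_per_min": 1000.0, "distinct_paths": 400.0, "error_ratio": 1.0, "kb_out": 100.0}
FIELDS = list(SCALE)

def vectorize(record):
    """Vectorization step: raw record -> original vector."""
    return [min(record[f] / SCALE[f], 1.0) for f in FIELDS]

def matvec(W, v):
    return [sum(w * x for w, x in zip(row, v)) for row in W]

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

class JointDetector:
    def __init__(self, dim=4, bottleneck=2, seed=0):
        rng = random.Random(seed)
        def r():
            return rng.uniform(-0.5, 0.5)
        self.dim = dim
        self.We = [[r() for _ in range(dim)] for _ in range(bottleneck)]  # encoder weights
        self.be = [0.0] * bottleneck
        self.Wd = [[r() for _ in range(bottleneck)] for _ in range(dim)]  # decoder weights
        self.bd = [0.0] * dim
        self.wc = [r() for _ in range(2 * dim)]  # detector weights over [x, x_hat]
        self.bc = 0.0

    def encode_decode(self, x):
        """Eccentric-model stand-in: bottleneck code h and decoded vector x_hat."""
        h = [math.tanh(a + b) for a, b in zip(matvec(self.We, x), self.be)]
        x_hat = [a + b for a, b in zip(matvec(self.Wd, h), self.bd)]
        return h, x_hat

    def detect(self, x):
        """Combine original and decoded vectors, then score the combination."""
        _, x_hat = self.encode_decode(x)
        combined = x + x_hat
        return sigmoid(sum(w * c for w, c in zip(self.wc, combined)) + self.bc)

    def train_step(self, x, y, lr=0.2, lam=0.5):
        """One joint update: classification loss + reconstruction loss,
        gradients applied to detector, decoder and encoder at the same time."""
        h, x_hat = self.encode_decode(x)
        combined = x + x_hat
        p = sigmoid(sum(w * c for w, c in zip(self.wc, combined)) + self.bc)
        pc = min(max(p, 1e-12), 1 - 1e-12)  # clamp so log() stays finite
        loss = -(y * math.log(pc) + (1 - y) * math.log(1 - pc)) \
            + lam * sum((a - b) ** 2 for a, b in zip(x_hat, x)) / self.dim
        dz = p - y
        # The x_hat half of the combined vector carries the detector's gradient
        # back into the decoder, in addition to the reconstruction gradient.
        d_xhat = [dz * self.wc[self.dim + i] + 2 * lam * (x_hat[i] - x[i]) / self.dim
                  for i in range(self.dim)]
        d_h = [sum(self.Wd[i][j] * d_xhat[i] for i in range(self.dim)) for j in range(len(h))]
        d_pre = [g * (1 - hj * hj) for g, hj in zip(d_h, h)]  # through tanh
        for k in range(2 * self.dim):
            self.wc[k] -= lr * dz * combined[k]
        self.bc -= lr * dz
        for i in range(self.dim):
            for j in range(len(h)):
                self.Wd[i][j] -= lr * d_xhat[i] * h[j]
            self.bd[i] -= lr * d_xhat[i]
        for j in range(len(h)):
            for i in range(self.dim):
                self.We[j][i] -= lr * d_pre[j] * x[i]
            self.be[j] -= lr * d_pre[j]
        return loss

def train(samples=SAMPLES, epochs=300):
    """Train both parts jointly; returns the model and the per-epoch mean loss."""
    model = JointDetector()
    data = [(vectorize(r), y) for r, y in samples]
    history = []
    for _ in range(epochs):
        history.append(sum(model.train_step(x, y) for x, y in data) / len(data))
    return model, history

def evaluate(model, samples=SAMPLES):
    """Fraction of samples whose detection result matches the label."""
    preds = [int(model.detect(vectorize(r)) >= 0.5) for r, _ in samples]
    return sum(p == y for p, (_, y) in zip(preds, samples)) / len(samples)
```

The point the example makes is the "simultaneously updating parameters" step: the detector's error term `dz` reaches the decoder through the decoded half of the combined vector, so the encoder/decoder is shaped by the detection objective as well as by reconstruction, rather than being pre-trained separately and frozen.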
The network intrusion detection device provided in this embodiment has the same implementation principle and technical effects as the foregoing network intrusion detection method embodiment; for brevity, where the device embodiment does not mention a detail, reference may be made to the corresponding content of the foregoing method embodiment.
As shown in fig. 6, an electronic device 600 according to an embodiment of the present invention includes a processor 601, a memory 602, and a bus, where the memory 602 stores a computer program that can be run on the processor 601, and when the electronic device 600 is running, the processor 601 communicates with the memory 602 through the bus, and the processor 601 executes the computer program to implement the network intrusion detection method described above.
Specifically, the memory 602 and the processor 601 can be general-purpose memories and processors, which are not particularly limited herein.
The embodiment of the invention also provides a computer readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the network intrusion detection method described in the previous method embodiment is executed. The computer readable storage medium includes various media capable of storing program code, such as a USB flash drive, a portable hard disk, a Read-Only Memory (ROM), a RAM, a magnetic disk or an optical disk.
The term "and/or" merely describes an association relationship between the associated objects and means that three relationships may exist; for example, A and/or B may mean that A exists alone, that A and B exist together, or that B exists alone. In addition, the term "at least one" herein means any one of a plurality or any combination of at least two of a plurality; for example, including at least one of A, B and C may mean including any one or more elements selected from the group consisting of A, B and C.
Any particular values in all examples shown and described herein are to be construed as merely illustrative and not a limitation, and thus other examples of exemplary embodiments may have different values.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In the several embodiments provided by the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The above-described apparatus embodiments are merely illustrative, and the division of the modules is merely a logical function division, and there may be additional divisions when actually implemented, and for example, multiple modules or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some communication interface, indirect coupling or communication connection of devices or modules, electrical, mechanical, or other form.
The modules described as separate components may or may not be physically separate, and components shown as modules may or may not be physical modules, i.e., may be located in one place, or may be distributed over a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional module in each embodiment of the present invention may be integrated into one processing module, or each module may exist alone physically, or two or more modules may be integrated into one module.
It should be noted that the above embodiments are merely for illustrating the technical solution of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the above embodiments, it should be understood by those skilled in the art that the technical solution described in the above embodiments may be modified or some or all of the technical features may be equivalently replaced, and these modifications or substitutions do not make the essence of the corresponding technical solution deviate from the scope of the technical solution of the embodiments of the present invention.

Claims (10)

1. A network intrusion detection method, characterized in that it comprises:
acquiring target network access behavior data to be detected;
encoding and decoding the target network access behavior data by using an eccentric model to obtain target decoded data;
according to the target decoded data, performing network intrusion detection on the target network access behavior data by using an LSTM model to obtain a target detection result; wherein the LSTM model and the eccentric model are obtained by joint training.

2. The method according to claim 1, characterized in that, after acquiring the target network access behavior data to be detected, the method further comprises:
performing vectorization on the target network access behavior data to obtain an original target vector.

3. The method according to claim 1, characterized in that encoding and decoding the target network access behavior data by using the eccentric model to obtain the target decoded data comprises:
inputting the original target vector obtained by vectorizing the target network access behavior data into the eccentric model, and determining the decoded target vector output by the eccentric model as the target decoded data; wherein the decoded target vector is obtained by the eccentric model encoding and decoding the original target vector.

4. The method according to claim 1, characterized in that, according to the target decoded data, performing network intrusion detection on the target network access behavior data by using the LSTM model to obtain the target detection result comprises:
combining the target decoded data and the target network access behavior data to obtain target combined sequence data;
inputting the target combined sequence data into the LSTM model to obtain the target detection result output by the LSTM model.

5. The method according to claim 1, characterized in that the method further comprises:
acquiring a plurality of pieces of sample network access behavior data and labels thereof, the labels being used to identify whether the corresponding network access behavior is a network intrusion behavior;
encoding and decoding each piece of the sample network access behavior data by using the current eccentric model to be trained to obtain sample decoded data;
according to each piece of the sample decoded data, performing network intrusion detection on the corresponding sample network access behavior data by using the current LSTM model to be trained to obtain a sample detection result;
according to each sample detection result and the label of the corresponding sample network access behavior data, updating the parameters of the current eccentric model and the current LSTM model simultaneously to obtain the trained eccentric model and LSTM model.

6. The method according to claim 5, characterized in that, after acquiring the plurality of pieces of sample network access behavior data and their labels, the method further comprises:
performing vectorization on each piece of the sample network access behavior data to obtain an original sample vector.

7. A network intrusion detection device, characterized in that it comprises:
an acquisition module for acquiring target network access behavior data to be detected;
an encoding and decoding module for encoding and decoding the target network access behavior data by using an eccentric model to obtain target decoded data;
a detection module for, according to the target decoded data, performing network intrusion detection on the target network access behavior data by using an LSTM model to obtain a target detection result; wherein the LSTM model and the eccentric model are obtained by joint training.

8. The device according to claim 7, characterized in that the device further comprises a training module for:
acquiring a plurality of pieces of sample network access behavior data and labels thereof, the labels being used to identify whether the corresponding network access behavior is a network intrusion behavior;
encoding and decoding each piece of the sample network access behavior data by using the current eccentric model to be trained to obtain sample decoded data;
according to each piece of the sample decoded data, performing network intrusion detection on the corresponding sample network access behavior data by using the current LSTM model to be trained to obtain a sample detection result;
according to each sample detection result and the label of the corresponding sample network access behavior data, updating the parameters of the current eccentric model and the current LSTM model simultaneously to obtain the trained eccentric model and LSTM model.

9. An electronic device comprising a memory and a processor, the memory storing a computer program that can be run on the processor, characterized in that the processor, when executing the computer program, implements the network intrusion detection method according to any one of claims 1 to 6.

10. A computer-readable storage medium having a computer program stored thereon, characterized in that, when the computer program is run by a processor, the network intrusion detection method according to any one of claims 1 to 6 is executed.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202510113891.XA CN119603071B (en) 2025-01-24 2025-01-24 Network intrusion detection method, device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN119603071A true CN119603071A (en) 2025-03-11
CN119603071B CN119603071B (en) 2025-07-25

Family

ID=94844861

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202510113891.XA Active CN119603071B (en) 2025-01-24 2025-01-24 Network intrusion detection method, device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN119603071B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210089272A1 (en) * 2019-09-25 2021-03-25 Purdue Research Foundation Ternary in-memory accelerator
CN113556319A (en) * 2021-06-11 2021-10-26 杭州电子科技大学 Intrusion detection method based on long-short term memory self-coding classifier under internet of things
CN117411684A (en) * 2023-10-17 2024-01-16 国网新疆电力有限公司营销服务中心(资金集约中心、计量中心) A deep learning-based industrial control network intrusion detection method and system
CN118740513A (en) * 2024-08-05 2024-10-01 国网河南省电力公司信息通信分公司 Network attack identification method based on behavior modeling

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Yu Jijiang: "Design of a Bi-LSTM algorithm for network security intrusion detection", Microcomputer Applications (微型电脑应用), vol. 40, no. 11, 30 November 2024 (2024-11-30), pages 222 - 225 *
Li Zeyu: "Research on lightweight intrusion detection models and algorithms based on deep learning", Master's thesis, 15 November 2023 (2023-11-15), page 2 *

Also Published As

Publication number Publication date
CN119603071B (en) 2025-07-25

Similar Documents

Publication Publication Date Title
Olmezogullari et al. Representation of click-stream datasequences for learning user navigational behavior by using embeddings
CN112019569B (en) Malicious domain name detection method and device and storage medium
CN113343235B (en) Application layer malicious effective load detection method, system, device and medium based on Transformer
CN108259494A (en) A kind of network attack detecting method and device
CN110990273A (en) Clone code detection method and device
CN115328753B (en) Fault prediction method and device, electronic equipment and storage medium
CN112801155B (en) Business big data analysis method based on artificial intelligence and server
CN113779429A (en) Traffic congestion situation prediction method, device, equipment and storage medium
CN113010777B (en) Data pushing method, device, equipment and storage medium
CN118264450B (en) Alarm information processing method, system, equipment and medium
CN112462261B (en) Motor abnormality detection method and device, electronic equipment and storage medium
CN114090769A (en) Entity mining method, entity mining device, computer equipment and storage medium
CN116091276A (en) Long-time sequence prediction method, device, equipment and medium based on deep learning
CN117938455A (en) Attack detection method, apparatus, device and computer readable storage medium
CN119603071B (en) Network intrusion detection method, device, electronic equipment and storage medium
CN114862372B (en) Intelligent education data tamper-proof processing method and system based on block chain
CN117176417A (en) Network traffic abnormality determination method, device, electronic equipment and readable storage medium
CN120146166A (en) Knowledge graph dynamic update method, device, equipment and storage medium
CN110674497B (en) Malicious program similarity calculation method and device
CN114297640B (en) Attack detection method, device, medium and equipment
CN116415251B (en) A vulnerability impact range reasoning method and system based on deep learning
CN118211656A (en) Internet of things data processing method, device and equipment applied to intelligent water affairs
Li et al. Multivariate Short-Term Marine Meteorological Prediction Model
CN115115536A (en) Image processing method, apparatus, electronic device, and computer-readable storage medium
CN114301629A (en) IP detection method, device, terminal device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant