CN112839034B - A Network Intrusion Detection Method Based on CNN-GRU Hierarchical Neural Network - Google Patents

Abstract

The invention relates to a network intrusion detection method based on a CNN-GRU hierarchical neural network, which comprises the following steps: capturing a network flow data packet, namely a data packet to be classified, by Wireshark software; carrying out data packet marking, preprocessing and data cleaning on a data packet to be classified, further analyzing the data packet into decimal data, and converting the decimal data into a 40 × 40 single-channel gray-scale image to obtain a sample complete set; dividing a sample complete set into a training set and a testing set, taking a single-channel gray-scale map matrix as an input vector, and establishing a CNN-GRU hierarchical neural network classification model through the training set; and after the model training is finished, the data of the test set is transmitted into the model, the model predicts the input data according to the parameters obtained by training, and classifies unknown network traffic to judge whether the unknown network traffic is attack traffic. The experimental result shows that the accuracy of the method for classifying the normal flow and the attack flow reaches 99.92%.

Description

A Network Intrusion Detection Method Based on CNN-GRU Hierarchical Neural Network

technical field

The invention relates to the technical field of network security, in particular to a network intrusion detection method based on a CNN-GRU layered neural network.

Background technique

With the rapid development of the Internet, a large number of devices and personnel have joined the Internet environment. At the same time, issues related to the security of network traffic have also increased. Among them, network attackers often paralyze the network according to the loopholes on the Internet, causing immeasurable losses to users. In the past, such attacks have often caused financial losses to businesses, but now include the theft of personal privacy, which has caused great harm to the rights and interests of most network users.

To avoid such problems, we often need to be able to detect attacks by analyzing the traffic data generated by network users. The key challenge is how to effectively identify traffic data with aggressive behavior. Since the traditional method of cracking and decrypting network traffic needs to deploy additional equipment, the cost and deployment difficulty are high. Traditional payload-based methods have been unable to handle today's increasing amounts of encrypted traffic, and traditional machine learning models are often used in machine learning-based network intrusion detection. However, the common problem encountered is that it is difficult to find suitable functions as the reference standard of the network. Machine learning models usually require more quantifiable features as training references, which are not suitable for classification training with unclear features. When using machine learning methods for classification, it further leads to a bottleneck in accuracy, which is difficult to improve.

With the development of chip technology, the computing power of computers has been greatly developed in recent years. At the same time, the development of the Internet has also spawned a large amount of data. In this context, deep learning networks have been widely used, including network intrusion detection. Compared with traditional machine learning methods, deep learning methods can automatically discover the correlation between different traffic information, and assign different weights to features through massive data training. Compared with the method of manually defining features, the features obtained by this method have better applicability and are more suitable for the realization of network intrusion detection systems.

SUMMARY OF THE INVENTION

The purpose of the present invention is: the present invention analyzes the characteristic attributes in the collected network traffic through the CNN-GRU layered neural network, and proposes a network intrusion detection method based on the CNN-GRU layered neural network. According to the actual problems of network intrusion detection, the raw data that can be obtained is collected, and the label data that has been determined is used to extract the complete set of CNN-GRU hierarchical neural network samples. Through feature engineering, the raw data is preprocessed and removed. Invalid content in part of packet. After dividing the full set of samples into training set and test set according to the appropriate ratio, the model is trained, and the validity of the model is verified through the test set, and the CNN-GRU hierarchical neural network classification model is obtained to realize the accurate monitoring of network intrusion behavior.

In order to solve the above problems, the technical scheme adopted in the present invention is:

A network intrusion detection method based on a CNN-GRU layered neural network, characterized in that it comprises the following steps:

(1) Capture network traffic through Wireshark software to obtain network traffic data packets, that is, data packets to be classified;

(2) Data packet marking is performed on the data packets to be classified, and at the same time, the data packets to be classified are preprocessed through feature engineering to remove some invalid contents in the data packets; Cleaning; then parse the data packet into decimal data, and convert the decimal data into a 40*40 single-channel grayscale image; obtain all the image samples required for model training, thereby obtaining the complete set of CNN-GRU hierarchical neural network samples;

(3) Divide the entire sample set into training set and test set according to the appropriate ratio, based on the CNN-GRU hierarchical neural network algorithm, the single-channel grayscale image matrix is used as the input vector, and the CNN-GRU hierarchical neural network classification is established through the training set model, which allows the model to learn how to classify samples;

(4) After the model training is completed, the data of the test set is passed into the model, and the model predicts the input data according to the parameters obtained by training, and classifies the unknown network traffic to determine whether it is attack traffic or what type of attack traffic it is. .

Further, in the network traffic data packet captured in step (1), the content stored in the data packet at this time is binary data.

Further, the specific process of step (2) includes:

(2.1) Mark the data packets to be classified, and mark the normal traffic and attack traffic according to the requirements. If there is a need to classify the attack traffic, it is also necessary to mark the different types of attack traffic. The result of traffic type marking is numerical storage, starting from 0;

(2.2) Preprocess the data packets to be classified through feature engineering, divide the captured network flow according to the source IP address, source port, and destination IP address, and use the SliptCat software to realize the distribution;

(2.3) Clean the data packets in all the flows, remove the MAC source address, MAC destination address, and network protocol type information used in the data packets, extract the first 160 bytes of data from each data packet, and analyze the data. The part of the packet less than 160 bytes is filled with 0;

(2.4) Cleaning each data stream, extracting the first 10 data packets from each data stream, and filling 160 bytes of all 0 data packets in the case of less than 10 data packets in the data stream until 10 data packets;

(2.5) At this time, the data in each stream is 160*10 and a total of 1600 bytes. Convert the data in each byte into decimal to obtain a value ranging from 0 to 255, and convert the 1600-dimensional decimal data into is 40*40 matrix data;

(2.6) Convert the values in the 40*40 matrix data into grayscale, and obtain a single-channel grayscale image with a size of 40*40 corresponding to each matrix, and obtain all the image samples required for model training.

Further, the specific flow of step (3) includes:

(3.1) The data first entered an improved LetNet-5 network, using two convolutional layers and two max-pooling layers to extract the spatial features of the original network traffic data; 32 were used in the first layer of the convolution process 5*5 convolution kernels, and then perform the max pooling operation, the second convolution layer uses 64 3*3 convolution kernels, and then performs the max pooling operation; after each convolution operation, the CNN hidden layer first uses ReLU The activation function is transformed, and then a max pooling operation is used. After processing, the original single-channel 40*40 picture will be transformed into an 8*8 picture with 64 channels; after fully expanding them, a 4096-dimensional vector is obtained and transferred to The output layer of the CNN network, the output layer uses a full-junction layer, and the full-junction layer uses 1600 neurons. This transformation retains the same dimension. After extracting the original data, considering that the fully-connected layer makes some neurons randomly deactivated , to avoid overfitting;

(3.2) The temporal features of the original stream data are then automatically extracted using the GRU network, which uses two layers of units to extract temporal features; each unit of the GRU includes 256 GRU units, and the activation function of each layer is performed using a sigmoid function. Non-linear operations; the last layer of the GRU network uses a fully connected layer, and the number of neurons in the fully connected layer is equal to the number of flow categories;

(3.3) Use the training set to train the network intrusion detection model.

Further, the convolution operation in step (3.1) uses a convolution kernel ω of size f*f to perform sliding convolution on an image of size n*n, and each sliding convolution will generate a new feature; assuming X is the volume The input of the product, b is the bias term, ci is the new feature generated by convolution at the i-th layer, and σr is the activation function ReLU; then, the new feature obtained by the convolution operation is: ci=σr*(ω*Xi +bi), after the convolution operation, the feature map of n*n will generate the feature map of c=(nf+1)*(nf+1); the size is determined by the sliding window of the convolution kernel of size ff; the volume After the product, the feature map c is max-pooled, and the maximum value in the selected window is used as the final feature; the final feature map size is: [(nf+1)*(nf+1)]/2.

Further, the GRU network in step (3.2) obtains two gated states from a transmitted state h ^t -1 and the input x ^t of the current node; where r controls the reset gate, and z is the gate that controls the update control. h ^t-1′ = h ^t-1 Θr After obtaining the gate control signal, first use the reset gate to obtain the subsequent data h ^t-1′ = h ^t-1 Θr, and then connect h ^t-1′ with the input x ^t is spliced, and then a tanh activation function is used to scale the data to the range of -1 to 1. At the same time, two steps of forgetting and memory are performed, and the previously obtained update gate z is used to obtain the final expression: h ^t = (1-z)Θh ^t-1 +zΘh ^′ .

The output of the fully connected layer is input to the softmax regression layer, and the softmax classifier outputs the classification probability of each stream; the label with the highest probability represents the classification result of the hierarchical network on the stream; the loss function used in the model is the mean square loss function, The training optimizer uses AdamOptimizer, which uses adaptive moment estimation for gradient descent.

Further, step (4) also includes: comparing the results predicted by the model with the actual results of the test set, and judging the specific indicators of the model prediction results, and the reference items include accuracy, precision, recall, F1-Measure and convergence speed. .

The beneficial effects of the above technical solutions provided by the present invention at least include: compared with the currently widely used method for network intrusion detection through deep learning, the method has the following advantages:

1. The acquired traffic data comes directly from the transmitted data packets, and the extremely low cost of data acquisition can significantly increase the breadth of data sources;

2. Innovatively convert the one-dimensional data packet data into a two-dimensional image, in this way, the different features in the data packet can be fully combined, and a feature combination that is more conducive to describing the type of data packet is obtained;

3. The GRU network is used to describe the timing relationship between data packets. In view of the fact that only some of the data packets contain attack information among the first 10 data packets in the same stream intercepted, the random before and after correlation of the GRU network describes this from the underlying design. A situation, which more closely describes the situation of packet transmission;

4. After the two networks are combined hierarchically, compared with the traditional machine learning method, the method proposed by the present invention has a significant improvement in accuracy. According to the experimental results, the accuracy of classifying normal traffic and attack traffic is improved. It reaches 99.92%, and the accuracy of classifying normal traffic and attack traffic types reaches 99.77%, which cannot be achieved by traditional methods;

5. The disadvantage of this model compared to traditional machine learning methods or single-network deep learning methods is that the convergence time is longer.

Other features and advantages of the present invention will be set forth in the description which follows, and in part will be apparent from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention may be realized and attained by the structure particularly pointed out in the written description, claims, and drawings.

The technical solutions of the present invention will be further described in detail below through the accompanying drawings and embodiments.

Description of drawings

The accompanying drawings are used to provide a further understanding of the present invention, and constitute a part of the specification, and are used to explain the present invention together with the embodiments of the present invention, and do not constitute a limitation to the present invention. In the attached image:

1 is a model structure diagram of a network intrusion detection method based on a CNN-GRU layered neural network disclosed in an embodiment of the present invention;

Figure 2 is a graphical flow chart of network traffic data.

Detailed ways

Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited by the embodiments set forth herein. Rather, these embodiments are provided so that the present disclosure will be more thoroughly understood, and will fully convey the scope of the present disclosure to those skilled in the art.

As shown in Figure 1, a specific implementation of a network intrusion detection method based on a CNN-GRU hierarchical neural network is as follows:

The network traffic is captured by the Wireshark software to obtain the network traffic data packets, that is, the data packets to be classified, and the content stored in the data packets is binary data at this time.

Mark the data packets to be classified, and mark the normal traffic and attack traffic according to the requirements. If there is a need to classify the attack traffic, you need to mark the different types of attack traffic. The result of traffic type marking is stored in numbers, from 0 starts.

The data packets to be classified are preprocessed through feature engineering, and the captured network flow is divided according to the source IP address, source port and destination IP address, and the flow is realized by using SliptCat software.

Clean the data packets in all flows, remove the MAC source address, MAC destination address, and network protocol type information used in the data packets, and extract the first 160 bytes of data from each data packet. The 160-byte part is filled with 0s.

The selection of 160-byte data takes into account two effects. Choosing a shorter length may make the selected features insufficient to obtain a good feature of the display data package. If the selected data is too long, the training time of the model will be significantly increased. , and selecting longer data will cause too much padding to affect the display of packet characteristics.

Each data stream is cleaned, the first 10 data packets are extracted from each data stream, and if there are less than 10 data packets in the data stream, 160 bytes of all 0 data packets are filled and processed until there are 10 data packets.

The selection of 10 data packets is based on the fact that in most network attacks, there is less network traffic data. In order to better describe this process, it is not appropriate to select too many data packets, otherwise it is very likely that various network attacks will be mixed together. Or mix attack traffic with normal traffic.

At this time, the data in each stream is 160*10 and a total of 1600 bytes. Convert the data in each byte into decimal to obtain a value ranging from 0 to 255, and convert the 1600-dimensional decimal data into 40* 40 matrix data.

Convert the values in the 40*40 matrix data to grayscale to obtain a single-channel grayscale image of size 40*40 corresponding to each matrix, and obtain all the image samples required for model training.

20% of all processed samples are taken as test samples, and the rest are training samples. The training samples are sent to the model for training, so that the model learns how to classify the samples.

The training samples enter the model, which starts with an improved LetNet-5 network, which uses two convolutional layers and two max-pooling layers to extract the spatial features of the original network traffic data, which are used to describe the features contained in each data packet , by converting the data packets into pictures, the features of the data packets that are originally far away are combined together, which makes it easier to learn the feature combination that is beneficial for classification.

The network has two layers. In the first layer of the convolution process, 32 5*5 convolution kernels are used, and then a max pooling operation is performed. The second convolution layer uses 64 3*3 convolution kernels, and then Perform a max pooling operation. After each convolution operation, the CNN hidden layer is first transformed using the ReLU activation function, and then using the max pooling operation, after processing, the original single-channel 40*40 image will be transformed into an 8*8 image with 64 channels. After expanding them sufficiently, a 4096-dimensional vector is obtained and transmitted to the output layer of the CNN network, which uses a full-junction layer with 1600 neurons, this transformation preserves the same dimensionality. After extracting the original data, consider that the fully connected layer deactivates some neurons randomly to avoid overfitting.

The convolution operation uses a convolution kernel ω of size f*f to perform sliding convolution on an image of size n*n, and each sliding convolution generates a new feature. Suppose X is the input of the convolution, b is the bias term, ci is the new feature produced by the convolution at the i-th layer, and σr is the activation function ReLU. Then, the new feature obtained by the convolution operation is: ci=σr*(ω*Xi+bi) After the convolution operation, the feature map of n*n will generate c=(nf+1)*(nf+1) feature map. The size is determined by a sliding window of convolution kernels of size ff. The feature map c is max-pooled after convolution, and the maximum value in the selected window is taken as the final feature. The final feature map size is: [(nf+1)*(nf+1)]/2.

The second layer of the model is a two-layer GRU network used to extract the temporal features of the original network traffic data. This feature is used to describe the relationship between the data packets in the same flow in the order of timestamps, which is in line with the actual process of data packet transmission. , which more comprehensively describes the characteristics of network flows to identify their types.

Each layer of the network contains 256 GRU units and the activation function of each layer uses a sigmoid function for nonlinear operations. The last layer of the GRU network uses a fully connected layer, and the number of neurons in the fully connected layer is equal to the number of flow categories.

The GRU network obtains two gated states with a transmitted state h ^t -1 and the input x ^t of the current node. where r controls the gate for reset and z is the gate for update. h ^t-1′ = h ^t-1 Θr After obtaining the gate control signal, first use the reset gate to obtain the subsequent data h ^t-1′ = h ^t-1 Θr, and then connect h ^t-1′ with the input x ^t is spliced, and then a tanh activation function is used to scale the data to the range of -1 to 1. At the same time, the two steps of forgetting and memory are carried out, and the previously obtained update gate z is used to obtain the final expression: h ^t = (1-z)Θh ^t-1 +zΘh'.

The output of the fully connected layer is input to the softmax regression layer, and the softmax classifier outputs the classification probability of each stream. The label with the highest probability represents the classification result of the hierarchical network on the stream. The loss function used in the model is a mean squared loss function and the training optimizer uses AdamOptimizer which uses adaptive moment estimation for gradient descent.

After the model training is completed, the data of the test set is passed into the model, and the model predicts the input data according to the parameters obtained from the training, and classifies the unknown network traffic to determine whether it is attack traffic or what type of attack traffic it is.

Compare the predicted results of the model with the actual results of the test set, and judge the specific indicators of the predicted results of the model. The reference items are Accuracy, Precision, Recall, F1-Measure and convergence speed ( Convergence speed).

Specific examples:

The model is tested using the CICIDS2017 dataset, which has the advantage of having richer traffic types and relatively new data release time, which is more in line with the actual situation of the current network. This dataset comes from attack scenarios designed by the researchers. All data collected on the first day is normal network traffic. Over the next four days, the network was attacked and traffic information was recorded. The final result is stored in a PCAP file, which includes all traffic marked as normal network traffic and various network attacks. Considering the reliability of the training results, we selected the top ten attack traffic and normal traffic as our training and test sets, ensuring that each type contains at least two thousand traffic data. Given that the labels given in the dataset do not meet the actual needs, we re-add the labels to the traffic data to meet the training requirements. After certain processing, the number and proportion of network flows are shown in the following table:

Table 1: The number and proportion of network traffic

To give more completeness to the testing of the model, we tested the results of the model classifying only normal and attack traffic, and the results of classifying each type of attack traffic, for 20,000 iterations:

Table 2: Model Classification Results

As can be seen from the table, the accuracy of the model's prediction exceeds 99.5% in any classification mode with very high training accuracy.

This example can show that the method can effectively realize the accurate classification of network intrusion detection traffic and realize network intrusion detection.

It is understood that the specific order or hierarchy of steps in the disclosed processes is an example of a sample approach. Based upon design preferences, it is understood that the specific order or hierarchy of steps in the processes may be rearranged without departing from the scope of the present disclosure. The accompanying method claims present elements of the various steps in a sample order, and are not meant to be limited to the specific order or hierarchy presented.

In the foregoing Detailed Description, various features are grouped together in a single embodiment for the purpose of simplifying the disclosure. This method of disclosure should not be construed as reflecting an intention that embodiments of the claimed subject matter require more features than are expressly recited in each claim. Rather, as the following claims reflect, present invention lies in less than all features of a single disclosed embodiment. Thus, the following claims are hereby expressly incorporated into the Detailed Description, with each claim standing on its own as a separate preferred embodiment of this invention.

Those skilled in the art will also appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the embodiments herein may be implemented as electronic hardware, computer software, or combinations thereof. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether this functionality is implemented as hardware or software depends on the specific application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, however, such implementation decisions should not be interpreted as a departure from the scope of the present disclosure.

The steps of a method or algorithm described in connection with the embodiments herein may be directly embodied in hardware, a software module executed by a processor, or a combination thereof. A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, removable disk, CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. Of course, the storage medium can also be an integral part of the processor. The processor and storage medium may reside in an ASIC. The ASIC may be located in the user terminal. Of course, the processor and the storage medium may also exist in the user terminal as discrete components.

For a software implementation, the techniques described in this application may be implemented in modules (eg, procedures, functions, etc.) that perform the functions described in this application. These software codes may be stored in a memory unit and executed by a processor. The memory unit may be implemented within the processor or external to the processor, in which case it is communicatively coupled to the processor via various means, as is known in the art.

The above description includes examples of one or more embodiments. Of course, it is not possible to describe all possible combinations of components or methods in order to describe the above embodiments, but one of ordinary skill in the art will recognize that further combinations and permutations of the various embodiments are possible. Accordingly, the embodiments described herein are intended to cover all such changes, modifications and variations that fall within the scope of the appended claims. Furthermore, with respect to the term "comprising," as used in the specification or claims, the word is encompassed in a manner similar to the term "comprising," as if "comprising," were construed as a conjunction in the claims. Furthermore, any use of the term "or" in the specification of the claims is intended to mean a "non-exclusive or."

Claims (4)

1. a network intrusion detection method based on CNN-GRU layered neural network, is characterized in that, comprises the steps: (1) Capture network traffic through Wireshark software to obtain network traffic data packets, that is, data packets to be classified; (2) Data packet marking is performed on the data packets to be classified, and at the same time, the data packets to be classified are preprocessed through feature engineering to remove some invalid contents in the data packets; Cleaning; then parse the data packet into decimal data, and convert the decimal data into a 40*40 single-channel grayscale image; obtain all the image samples required for model training, thereby obtaining the complete set of CNN-GRU hierarchical neural network samples; (3) Divide the entire sample set into training set and test set according to the appropriate ratio, based on the CNN-GRU hierarchical neural network algorithm, the single-channel grayscale image matrix is used as the input vector, and the CNN-GRU hierarchical neural network classification is established through the training set model, which allows the model to learn how to classify samples; (4) After the model training is completed, the data of the test set is passed into the model, and the model predicts the input data according to the parameters obtained by training, and classifies the unknown network traffic to determine whether it is attack traffic or what type of attack traffic it is. ; The specific process of step (2) includes: (2.1) Mark the data packets to be classified, and mark the normal traffic and attack traffic according to the requirements. If there is a need to classify the attack traffic, it is also necessary to mark the different types of attack traffic. The result of traffic type marking is numerical storage, starting from 0; (2.2) Preprocess the data packets to be classified through feature engineering, divide the captured network flow according to the source IP address, source port, and destination IP address, and use the SliptCat software to realize the distribution; (2.3) Clean the data packets in all the flows, remove the MAC source address, MAC destination address, and network protocol type information used in the data packets, extract the first 160 bytes of data from each data packet, and analyze the data. The part of the packet less than 160 bytes is filled with 0; (2.4) Cleaning each data stream, extracting the first 10 data packets from each data stream, and filling 160 bytes of all 0 data packets in the case of less than 10 data packets in the data stream until 10 data packets; (2.5) At this time, the data in each stream is 160*10 and a total of 1600 bytes. Convert the data in each byte into decimal to obtain a value ranging from 0 to 255, and convert the 1600-dimensional decimal data into is 40*40 matrix data; (2.6) Convert the values in the 40*40 matrix data into grayscale, and obtain a single-channel grayscale image with a size of 40*40 corresponding to each matrix, and obtain all the image samples required for model training; The specific process of step (3) includes: (3.1) The data first entered an improved LetNet-5 network, using two convolutional layers and two max-pooling layers to extract the spatial features of the original network traffic data; 32 were used in the first layer of the convolution process 5*5 convolution kernels, and then perform the max pooling operation, the second convolution layer uses 64 3*3 convolution kernels, and then performs the max pooling operation; after each convolution operation, the CNN hidden layer first uses ReLU The activation function is transformed, and then a max pooling operation is used. After processing, the original single-channel 40*40 picture will be transformed into an 8*8 picture with 64 channels; after fully expanding them, a 4096-dimensional vector is obtained and transferred to The output layer of the CNN network, the output layer uses a full-junction layer, and the full-junction layer uses 1600 neurons. This transformation retains the same dimension. After extracting the original data, considering that the fully-connected layer makes some neurons randomly deactivated , to avoid overfitting; (3.2) The temporal features of the original stream data are then automatically extracted using the GRU network, which uses two-layer units to extract temporal features; each unit of the GRU includes 256 GRU units, and the activation function of each layer is performed using a sigmoid function. Non-linear operations; the last layer of the GRU network uses a fully connected layer, and the number of neurons in the fully connected layer is equal to the number of flow categories; (3.3) Use the training set to train to obtain a network intrusion detection model; The convolution operation in step (3.1) uses a convolution kernel ω of size f*f to perform sliding convolution on an image of size n*n, and each sliding convolution generates a new feature; assuming X is the input of the convolution , b is the bias term, c _i is the new feature generated by convolution at the i-th layer, and σr is the activation function ReLU; then, the new feature obtained by the convolution operation is: c _i =σr*(ω*X _i +b _i ), after the convolution operation, the feature map of n*n will generate the feature map of c=(n-f+1)*(n-f+1); through the convolution kernel of size f*f Sliding window to determine the size; after convolution, maximum pooling is performed on the feature map c, and the maximum value in the selected window is used as the final feature; the final feature map size is: [(n-f+1)*(n- f+1)]/2. 2. a kind of network intrusion detection method based on CNN-GRU layered neural network as claimed in claim 1, is characterized in that, the network traffic data packet that step (1) grabs, in the data packet this time storage content is binary data. 3. a kind of network intrusion detection method based on CNN-GRU layered neural network as claimed in claim 1, is characterized in that, the state h ^t -1 that a GRU network in step (3.2) transmits and current node's Input x ^t to obtain two gated states; where r controls the reset gate, z controls the update gate, h ^t-1′ =h ^t-1 Θr After the gate signal is obtained, first use the reset gate Control to get the following data h ^t-1′ = h ^t-1 Θr, then splicing h ^t-1′ with the input x ^t , and then use a tanh activation function to scale the data to the range of -1～1 Inside, carry out two steps of forgetting and remembering at the same time, use the update gate z obtained previously, obtain the final expression: h ^t = (1-z) Θh ^t-1 +zΘh'; The output of the fully connected layer is input to the softmax regression layer, and the softmax classifier outputs the classification probability of each stream; the label with the highest probability represents the classification result of the hierarchical network on the stream; the loss function used in the model is the mean square loss function, The training optimizer uses AdamOptimizer, which uses adaptive moment estimation for gradient descent. 4. a kind of network intrusion detection method based on CNN-GRU layered neural network as claimed in claim 1, is characterized in that, step (4) also comprises: the result of model prediction and the actual result of test set are compared, The specific indicators for judging the prediction results of the model, the reference items are accuracy, precision, recall, F1-Measure and convergence speed.

Images