Data stream anomaly detection system based on empirical features and convolution neural network

Abstract

The invention discloses a data stream anomaly detection system based on empirical characteristics and convolution neural network. The system includes an empirical feature extraction module, which is used to identify statistical features and header features as features based on artificial experience, which play a more important role in data packet anomaly recognition; a bit stream conversion picture module used to convert the data stream into the form of two-dimensional gray-scale picture, and then through the convolutional neural network perception, the global high-level perception features are extracted; a fusion splicing module used for fusing the above modules as the data stream characteristics and identifying abnormal data streams by using the full connection layer of the neural network; a distillation model module that replaces complex networks in actual deployment; a concept drift fine-tuning module updates the detection model of concept drift; an update experience database module adding new network attacks or hidden attack instructions to the artificial experience database. The invention accurately and efficiently detects abnormal behaviors such as network failure, user misoperation, network attack and the like.

Description

technical field [0001] The invention relates to an information security technology, in particular to a data flow anomaly detection system based on empirical features and a convolutional neural network. Background technique [0002] With the rapid development and wide application of the Internet, incidents such as network attacks and network failures are becoming more and more frequent, and the importance of information security in the cyberspace domain to personal life, economic and social stability, and even national security is increasing day by day. In cyberspace, the vast majority of attacks are based on network data streams, such as DOS and other denial-of-service attacks, Trojan horses, worms, etc.; and abnormal events such as 1.21DNS resolution failure events, network failures will also be reflected in the The state of the network data flow. Therefore, the data flow anomaly detection technology based on observing the pattern of network data flow for anomaly detection...

AI Technical Summary

Problems solved by technology

However, due to network attacks, hackers often hide their attacks, such as using payloads to place attack codes or hiding attack codes in fields that are not commonly used, so non-cooperative active attacks often have a high rate of missed detection

The second is to analyze all the information of the data stream, but the disaster of dimensionality caused by the high-dimensionality of the data stream will cause the accuracy rate of the machine learning method to drop, so we can only adopt the matching method, and the global data processing will also consume a lot of computing resources. , the problem of low time efficiency, does not meet the real-time requirements of data flow anomaly detection

Due to the dynamic nature of network data flow, data drift is prone to occur. In this case, the original model does not conform to the new data distribution. Traditional methods often need to retrain new models, so it is difficult to meet the real-time requirements of data flow anomaly detection.

[0006] A large amount of network data is constantly pouring in, so data flow detection has high requirements for real-time performance, and the existing algorithms for checking all information of network data flow require a large amount of calculation and processing time, making it difficult to deploy on a large scale

Images