
Method for identifying network abnormal behavior based on deep neural network

A deep-neural-network-based technique for recognizing abnormal network behavior, applied in the field of identification. It can solve problems such as failure to find abnormal behavior and abnormal traffic that is small in volume and difficult to locate.

Active Publication Date: 2019-03-08
南京聚铭网络科技有限公司

AI Technical Summary

Problems solved by technology

[0013] 1. Excessive reliance on regular expressions and various single-pattern / multi-pattern matching methods. These patterns are prepared in advance and initialized into the system; once installed, they can only be updated through upgrades. Such systems are therefore powerless against new types of abnormal network behavior, that is, unknown abnormal behavior cannot be discovered;
[0014] 2. Traditional network anomaly identification technologies based on statistical methods are generally more sensitive to DDoS-like attacks, but are not very sensitive to abnormal behaviors such as Trojan horse connections and Trojan horse heartbeats, which leads to the loss of important information;
[0015] 3. Most importantly, most network communication data involving abnormal behaviors such as network penetration is encrypted, so possible problems cannot be detected by relying only on methods such as deep packet inspection, and more deeply hidden problems cannot be found.
Although this invention uses some simple machine learning methods to detect abnormal network behaviors, it mainly uses only data in the dimension of the standard deviation of information entropy, and the method is mainly aimed at detecting distributed denial of service (DDoS) attacks. That is to say, it cannot detect or discover abnormal network behaviors in more complex environments, especially so-called APT (Advanced Persistent Threat) attacks: the methods of such attacks are relatively complex, their traffic is small and well hidden, and they use relatively legitimate ports or services, such as public protocols based on HTTP or HTTPS (because other ports may have been blocked by firewall policies). They are therefore often difficult to locate using only ordinary statistical methods based on network session protocols.


Examples


Embodiment 1

[0109] Example 1: see Figure 1. In the actual implementation, a distributed deployment is adopted (distributed deployment helps accelerate data training). The operating system is CentOS 6.9 (kernel 2.6.32-696) on an Intel 64-bit hardware architecture, the network card uses Intel e1000e, and network packet capture uses the Netmap high-speed packet acquisition architecture, as follows:

[0110] A method for identifying network abnormal behavior based on a deep neural network, said method comprising the following steps:

[0111] Step 1: Standardize the information of each layer and the session information mark of the network-related data packets (only analyze the network based on the Ethernet type);

[0112] Step 2: Filter the relevant network connection session data that needs to be processed;

[0113] Step 3: Perform feature pre-extraction on various protocol data;

[0114] Step 4: Normalize the above characteristic data;

[0115] Step 5:...


Abstract

The invention relates to a method for identifying a network abnormal behavior based on a deep neural network. The method comprises the following steps: step 1: standardizing layer information and session information marks of a network-related data packet; step 2: filtering related network connection session data to be processed; step 3: performing feature pre-extraction on various protocol data; step 4: performing normalization processing on the above feature data; step 5: marking an obtained vector; step 6: deforming a data set to a certain extent; step 7: training the data; and step 8: constructing a deep neural network structure, and generating a neural network description file. By adoption of the scheme, a more comprehensive means is provided for the security audit of network information, thereby providing a strong support for enterprises in the compliance inspection of network security management, information security management and control, and information security management.
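
Steps 1 to 4 of the abstract (session marking, filtering, feature pre-extraction, normalization), sketched as an added example that is not taken from the patent. The four per-session features (packet count, mean length, mean inter-arrival gap, gap jitter), the min-max scaling and the sample packets are assumptions, since the page does not list the features it uses.

```python
import math
from collections import defaultdict

# Constructed sample: (time_s, src_ip, src_port, dst_ip, dst_port, proto, length_bytes)
PACKETS = (
    [(30.0 * i, "10.0.0.5", 49152, "203.0.113.9", 443, "tcp", 120) for i in range(4)]
    + [(120.0, "203.0.113.9", 443, "10.0.0.5", 49152, "tcp", 120)]   # reply direction
    + [(t, "10.0.0.7", 50000, "198.51.100.4", 443, "tcp", n)         # bursty session
       for t, n in [(0.0, 60), (0.1, 1500), (0.3, 1500), (2.0, 400), (9.0, 52)]]
    + [(0.5 * i, "10.0.0.8", 51000, "192.0.2.20", 443, "tcp", 1500) for i in range(4)]
    + [(1.0, "10.0.0.7", 53000, "192.0.2.53", 53, "udp", 80)]        # dropped in step 2
)

def session_key(src, sport, dst, dport, proto):
    """Step 1: one marker per session, identical for both directions."""
    lo, hi = sorted([(src, sport), (dst, dport)])
    return (lo, hi, proto)

def group_sessions(packets, keep_protos=("tcp",)):
    """Steps 1-2: mark packets with their session, keep only selected protocols."""
    sessions = defaultdict(list)
    for ts, src, sport, dst, dport, proto, length in packets:
        if proto in keep_protos:
            sessions[session_key(src, sport, dst, dport, proto)].append((ts, length))
    return sessions

def extract_features(pkts):
    """Step 3: metadata-only features, usable when the payload is encrypted."""
    pkts = sorted(pkts)
    gaps = [b[0] - a[0] for a, b in zip(pkts, pkts[1:])] or [0.0]
    mean_gap = sum(gaps) / len(gaps)
    jitter = math.sqrt(sum((g - mean_gap) ** 2 for g in gaps) / len(gaps))
    mean_len = sum(n for _, n in pkts) / len(pkts)
    return [len(pkts), mean_len, mean_gap, jitter]

def normalize(rows):
    """Step 4: min-max scale each feature column to [0, 1]; constant columns give 0."""
    lo = [min(c) for c in zip(*rows)]
    hi = [max(c) for c in zip(*rows)]
    return [[(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(r, lo, hi)]
            for r in rows]

def build_vectors(packets):
    sessions = group_sessions(packets)
    keys = sorted(sessions)
    return keys, normalize([extract_features(sessions[k]) for k in keys])

if __name__ == "__main__":
    for key, vec in zip(*build_vectors(PACKETS)):
        print(key, [round(v, 3) for v in vec])
```

The periodic low-volume session ends up with the largest normalized gap and zero jitter, a shape that volume-based statistics alone do not separate from ordinary HTTPS traffic.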

Description

Technical field

[0001] The invention relates to an identification method, in particular to a method for identifying abnormal network behavior based on a deep neural network, and belongs to the technical field of deep packet detection.

Background technique

[0002] A neural network abstracts the network of neurons in the human brain from the perspective of information processing, establishes a simple model, and forms different networks according to different connection methods. In engineering and academia, it is often referred to directly as a neural network. A neural network is an operational model consisting of multiple layers and a large number of nodes (or neurons) connected to each other. Each node represents a specific output function, called the activation function (Activation Function). Each connection between two nodes represents a weighting value for the signal passing through the connection, called the weight, which is equivalent to the memory of the artific...


Application Information

IPC(8): H04L12/26, H04L29/06
CPC: H04L43/028, H04L63/1425
Inventor: 陈虎, 唐开达
Owner: 南京聚铭网络科技有限公司