Network abnormal flow detection method, model and system

Abstract

The invention provides a network abnormal flow detection method, model and system based on a residual error gating circulation unit (Re-GRU) and integrated dynamic extreme learning (ELM) optimization. The method comprises the following steps: firstly, establishing a feature optimization method of Fisher Score and a maximum information coefficient; secondly, changing an original GRU candidate hidden state activation function into an unsaturated activation function, and introduing a residual structure into the GRU candidate hidden state, so that the gradient disappearance problem is avoided, the network is more sensitive to gradient change, and the purpose of relieving network degradation is achieved. Then, the model is optimized and designed into a bidirectional residual GRU structure, so that the network flow characteristic extraction performance of the model is more excellent; and finally, a two-step game integrated dynamic ELM network flow detection method is provided, and an overfitting problem is solved by using a full connection layer and a Dropout layer so as to improve the detection precision, and outputting a detection result. According to the method, the experimental simulation model is established, the validity is verified according to the comparison result of different parameters, and compared with a traditional detection method, the method has better detection effect and accuracy when detecting the abnormal traffic of the network.

Description

technical field [0001] The invention belongs to the technical field of the Internet, and relates to a method for monitoring abnormal network traffic, a model, a method and a system for model training. Background technique [0002] With the rapid development of network technology, the network structure is becoming more and more complex, and the risk of network intrusion and abnormal traffic attacks is also increasing. How to identify various network intrusions has become a matter of great concern to people. The continuous increase and increase of network scale, network speed and intrusion types make intrusion detection technology face more and more challenges. Therefore, how to design a network intrusion detection method for complex network environments and future intelligence, while improving the detection accuracy of intrusion detection, reducing the false negative rate, and improving detection performance has become the core issue of concern in related fields. [0003] Ai...

AI Technical Summary

Problems solved by technology

However, ordinary cyclic neural networks will become unstable due to the problems of vanishing gradient (Vanishing Gradient) and gradient explosion (Exploding Gradient), so researchers propose a long short-term memory unit (Long Short Term Memory, LSTM) neural network to improve the above question

Although LSTM is indeed effective, its complicated threshold leads to unsatisfactory detection results, and the detection performance becomes worse and worse as the number of network layers increases

Among the existing methods, the Highway-Networks method can alleviate the degradation problem of the network, but this method will increase the amount of network parameters and time-consuming training

The SRU network that has received much attention in the past two years also includes a structure similar to Highway-Networks. At the same time, SRU discards the time parameters in the recurrent unit, so it can perform deeper network training while running fast, but in complex networks When testing in the environment, the problem of gradient disappearance still occurs

Furthermore, with the intermittent arrival of the data stream, the imbalance degree of the initial sample is difficult to be constant

In the current network traffic sample interval, there will also be severe label imbalance and imbalance deflection. However, it is difficult to guarantee the credibility of new samples by using neighborhood sample resampling and undersampling data processing methods, and new data information may lead to overfitting

Especially for multi-class label classification, decomposing the multi-classification problem into multiple binary classification problems will cause problems such as model redundancy and difficulty in calculation

If the relationship between the model and the data cannot be established, the classifier will be limited to multiple parameter categories, it will be difficult to obtain the optimal weight, and the stability of the model cannot be guaranteed

[0005] There are multiple types of sample labels in complex network traffic, while the traditional Recurrent Neural Network (RNN) is prone to gradient disappearance and network degradation problems during network anomaly detection, resulting in low detection accuracy and high false negative rate

Images