A deep learning-based DDoS attack detection method

By employing deep learning methods and combining SDAE, CNN, and Self-Attention models, this study addresses the high false positive and false negative rates of existing DDoS detection methods when identifying complex DDoS attacks, achieving efficient and accurate detection and classification of DDoS attacks.

CN119945791BActive Publication Date: 2026-06-09XIDIAN UNIV HANGZHOU RES INST +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
XIDIAN UNIV HANGZHOU RES INST
Filing Date
2025-02-17
Publication Date
2026-06-09

Smart Images

  • Figure CN119945791B_ABST
    Figure CN119945791B_ABST
Patent Text Reader

Abstract

This invention belongs to the field of network security technology and discloses a deep learning-based DDoS attack detection method, including S1, data preprocessing, which performs data cleaning, noise reduction, and format standardization on the acquired network traffic data stream to ensure that the data is suitable for subsequent processing; S2, feature selection, which transmits the preprocessed network traffic data to a feature selection module and uses a selective deep autoencoder to extract potential attack features from the network traffic data; S3, attack detection, which transmits the extracted network traffic data features to a DDoS attack detection module and uses a CNN-Self-Attention model to detect whether the network traffic data is DDoS attack traffic and identify its attack type. This invention can extract important characteristics from complex network traffic data, improve detection accuracy, and achieve high accuracy results, making it suitable for current DDoS attack detection systems.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention belongs to the field of network security technology, specifically relating to a DDoS attack detection method based on deep learning. Background Technology

[0002] With the widespread application and rapid development of the Internet of Things (IoT), the scale and complexity of global networks have increased significantly. The surge in network traffic and the exponential increase in the number of connected devices have made network security issues increasingly serious, becoming a focus of attention across all sectors. Distributed Denial-of-Service (DDoS) attacks, as a serious network attack method, are increasingly being used to disrupt normal network operations due to their distributed, coordinated, and large-scale characteristics, posing a significant threat to various network systems and services.

[0003] A DDoS (Distributed Denial of Service) attack is a type of distributed denial-of-service attack, typically launched by a botnet of numerous malicious computers or devices distributed across different geographical locations. The target is usually a network, service, or website. Attackers use massive amounts of fake traffic or requests to prevent the target system from responding to legitimate user requests, causing the target service to become unresponsive or even completely crash. Due to its stealthy attack methods, massive traffic volume, and dispersed sources, DDoS attacks are difficult to defend against, causing incalculable losses to network service security and other related fields.

[0004] DDoS attacks are essentially a bursty, many-to-one communication method, with attack traffic exhibiting distinct temporal and spatial characteristics. Therefore, traditional DDoS detection methods typically focus only on statistical characteristics of traffic over time, failing to adequately consider changes in the overall network state and the potential correlations between interactive communication patterns within the attack traffic. Because they neglect the spatial and temporal variations in network traffic, existing methods often perform poorly in identifying certain complex DDoS attacks, particularly large-scale, distributed attacks, resulting in high false positive and false negative rates.

[0005] Furthermore, traditional DDoS attack classification methods typically classify attacks based on a single dimension of traffic characteristics. However, with the diversification of DDoS attack methods, especially the camouflage of traffic characteristics and changes in attack patterns, many attacks exhibit high similarity in the traffic dimension, making existing classification methods inadequate for handling complex, fine-grained attack classification tasks. As the volume of network data and the number of feature dimensions increase, the computational demands on existing models are also growing, requiring classification methods to ensure high accuracy while also considering computational performance and real-time capabilities. Summary of the Invention

[0006] The purpose of this invention is to provide a deep learning-based DDoS attack detection method to solve the above-mentioned technical problems.

[0007] The technical solution adopted by the present invention to achieve the above objectives is as follows:

[0008] A deep learning-based DDoS attack detection method includes the following steps:

[0009] 1) Preprocess the acquired network traffic data stream;

[0010] 2) Use Selective Deep Autoencoder (SDAE) to extract potential attack features from preprocessed network traffic data;

[0011] 3) Based on the extracted attack features, use a deep learning model to detect whether network traffic data is DDoS attack traffic and identify its attack type.

[0012] Step 1) includes the following steps:

[0013] 1.1) Perform data cleaning on the acquired network traffic data stream;

[0014] 1.2) Perform SMOTE oversampling on the cleaned data stream;

[0015] 1.3) Normalize the oversampled data.

[0016] Step 1.1) specifically refers to:

[0017] Remove irrelevant features that cannot distinguish between attack and normal traffic, as well as samples containing NaN values, infinite values, and null values. The irrelevant features include “Unnamed”, “Flow ID”, “Destination Port”, “Source Port”, “Destination IP”, “Source IP”, and “SimilarHTTP”.

[0018] Step 1.2) specifically refers to:

[0019] Select a minority class of samples from the dataset whose number is less than a threshold. For each minority class sample X, use SMOTE oversampling to calculate its k nearest neighbors in the feature space, and then randomly select a neighbor sample X from the selected k neighbors. n Based on the current sample and its neighbor sample X n A new sample X is generated from the distance between them. new That is, in the original sample X and the neighbor sample X n Random interpolation is used to generate a new minority class sample X. new ,Right now:

[0020] X new =X+θ(X) n -X)

[0021] Where θ is a random number between 0 and 1.

[0022] Step 2) includes the following steps:

[0023] 2.1) Pre-training stage: The pre-processed raw data is input into the encoder part of the autoencoder model to obtain the low-dimensional latent representation of the input data. The decoder of the autoencoder model reconstructs the low-dimensional latent representation to obtain the reconstructed data. The reconstructed data is compared with the original data, the loss is calculated and the model parameters are adjusted accordingly. Then the next round of training is carried out until the training converges.

[0024] 2.2) Feature selection stage: After the encoder is trained in the pre-training stage, a selective layer is added in front of it, and the decoder part is removed to obtain a new deep network model. The selective layer assigns a weight vector to each input feature. The encoder learns a new low-dimensional latent representation of the data based on the selected features, optimizes its similarity with the low-dimensional latent representation in the pre-training stage and the weight of the selective layer. Finally, only the features corresponding to non-zero weights are retained as a subset representing the entire feature space.

[0025] The similarity between the new low-dimensional latent representation and the low-dimensional latent representation in the pre-training stage, as well as the selection of layer weights, are optimized by minimizing an objective function, wherein the objective function is:

[0026]

[0027] Where W≥0 represents the nonnegativity constraint of the weights, θ enc The parameters represent the depth encoder, where γ1>0 represents the coefficient parameter of the L1 regularization term of the encoder layer, and γ2>0 represents the coefficient parameter of the L1 regularization term of the selection layer. f(XW,θ) represents the reconstructed encoding in the encoder network during the pre-training phase. enc ) represents the reconstructed encoding of the depth encoder.

[0028] Step 3) includes the following steps:

[0029] 3.1) Batch normalization is used to normalize the input data;

[0030] 3.2) The normalized output is processed by the first convolutional layer containing eight 1*3 convolutional kernels, and F0 is obtained by linear transformation through the ReLU activation function;

[0031] 3.3) Input F0 into two parallel convolutional layers to obtain F1 and F2, respectively, to extract deeper features from F0 in the horizontal and vertical directions. Then, process the F0 through a max pooling layer to obtain F1. pool1 and F pool2 ;

[0032] 3.4) The outputs of two parallel convolutional layers are concatenated using a depthwise layer, and then processed using a max pooling layer to obtain F. concat ;

[0033] 3.5) After F0 passes through the max pooling layer, it is combined with F concat After deep cascading layers are connected and processed using an average pooling layer, F is obtained. t ;

[0034] 3.6) Using a self-attention mechanism module that integrates convolution operations and self-attention mechanisms to apply F... t Process it;

[0035] 3.6) The output of the self-attention mechanism module is processed sequentially through a dense layer, a softmax layer, and a fully connected layer to obtain the detection results.

[0036] Step 3.3) specifically refers to:

[0037] The first convolutional stream is processed again with an asymmetric convolution kernel after one convolutional layer and then passed through a max pooling layer to obtain deeper features F. pool1 ;

[0038]

[0039] F pool1 =P max (F1)

[0040] in, This indicates the output result after passing through one convolutional layer. These represent the output results processed using two asymmetric convolutional blocks, respectively. F1 represents the result of the first convolutional stream, D represents the depthwise cascaded layer function, and P represents the output of the first convolutional stream. max F represents the max pooling layer. pool1 This represents the result of the first convolutional stream being processed by the max pooling layer;

[0041] The second convolutional stream is processed through two convolutional layers to obtain deeper features F. pool2 :

[0042]

[0043] F pool2 =P max (F2)

[0044] in, This represents the output of the first convolutional layer. F2 represents the output of the second convolutional layer, D represents the result of the second convolutional stream, and P represents the depthwise cascaded layer function. max F represents the max pooling layer. pool2 This represents the result of the second convolutional flow being processed by the max pooling layer.

[0045] A deep learning-based DDoS attack detection system includes:

[0046] The data stream preprocessing module is used to preprocess the acquired network traffic data stream;

[0047] The feature extraction module is used to extract potential attack features from preprocessed network traffic data using a selective deep autoencoder (SDAE).

[0048] The DDoS attack identification module is used to detect whether network traffic data is DDoS attack traffic and identify its attack type based on the extracted attack characteristics using a deep learning model.

[0049] A computer-readable storage medium storing a computer program that, when executed by a processor, implements the deep learning-based DDoS attack detection method.

[0050] The present invention has the following beneficial effects and advantages:

[0051] 1. To address the imbalance problem in existing DDoS detection technologies, this invention employs SMOTE oversampling technology to oversample the fewer sample types, thereby increasing the number of samples and resolving the dataset imbalance problem.

[0052] 2. To address the problem of excessive overhead in existing DDoS detection technology models, this invention uses SDAE for feature selection, autonomously trains to obtain the optimal number of features to select, removes redundant features to reduce data dimensionality, reduces model time complexity, and minimizes overhead.

[0053] 3. To address the issues of information loss or difficulty in capturing global information when dealing with long-distance dependencies, this invention employs a self-attention model to capture global dependencies in the sequence, thus more comprehensively considering the complex global correlation information of various parts of network traffic data.

[0054] 4. To address the difficulty in identifying specific attack patterns, this invention employs a CNN-self-Attention model to capture more comprehensive attack features from both spatial and temporal dimensions, thereby enabling more accurate and flexible identification of different attack patterns. Attached Figure Description

[0055] Figure 1 This is a schematic diagram of a deep learning-based DDoS attack detection method disclosed in an embodiment of the present invention.

[0056] Figure 2 This is an implementation framework diagram of a deep learning-based DDoS attack detection method disclosed in an embodiment of the present invention.

[0057] Figure 3 This is a structural diagram of the SDAE model used in the embodiments of the present invention.

[0058] Figure 4 This is a diagram of the CNN model structure used in the embodiments of the present invention.

[0059] Figure 5 This is a structural diagram of the self-attention mechanism model used in the embodiments of the present invention.

[0060] Figure 6 This is a structural diagram of the CNN-self-Attention model used in the embodiments of the present invention.

[0061] Figure 7 This is a schematic diagram of the CIC-DDoS-2019 dataset confusion matrix according to an embodiment of the present invention. Detailed Implementation

[0062] The present invention will now be described in further detail with reference to the accompanying drawings and embodiments.

[0063] like Figure 1 As shown and as Figure 2As shown, the deep learning-based DDoS attack detection method of this invention first removes redundant features and samples containing outliers from network traffic data through a data preprocessing module. Then, the SMOTE oversampling technique is used to increase the number of attack types with fewer samples. The data is then normalized to make it processable by the deep learning model. The preprocessed dataset is divided into a labeled training set and an unlabeled test set, which are then fed into the model training and detection phases, respectively. In the training phase, the preprocessed training data is used as input to the CNN-Self-Attention deep learning model for training, obtaining prediction results, which are compared with the true labels. The loss is calculated, and the model parameters are adjusted accordingly. The next round of training is then performed until convergence. The trained model parameters are then fed into the model framework in the detection phase. The test data is also preprocessed and entered into the model for classification to obtain predicted labels. Finally, various evaluation metrics are calculated to determine the effectiveness of the intrusion detection system.

[0064] like Figure 3 As shown, the feature selection method based on SDAE of the present invention firstly involves inputting preprocessed data into the encoder part of the model during the pre-training stage to obtain a low-dimensional latent representation of the input data. Then, the decoder reconstructs the low-dimensional latent representation to obtain reconstructed data. The reconstructed data is compared with the original data, the loss is calculated, and the model parameters are adjusted accordingly. The next round of training is then performed until training converges. Next, in the feature selection stage, a selective layer is added before the encoder obtained after the pre-training stage, and the decoder part is removed to obtain a new deep network model. The selective layer assigns a weight vector to each input feature. The encoder learns the low-dimensional latent representation of the data based on the selected features, optimizing its similarity to the low-dimensional latent representation in the pre-training stage and the weights of the selective layer. Finally, only the features corresponding to non-zero weights are retained as a subset representing the entire feature space.

[0065] like Figure 4 As shown, the CNN model used in this invention employs convolution decomposition, decomposing a large convolutional kernel into two asymmetric small convolutional kernels to extract deep features of the data from the horizontal and vertical directions respectively, reducing the amount of matrix multiplication computation, and using a residual network structure to alleviate the gradient vanishing problem.

[0066] like Figure 5 As shown, the Self-Attention model used in this invention integrates convolution operations and self-attention mechanisms. First, convolution operations are used to extract local features. Then, the feature map is divided into three parts: query (q), key (k), and value (v). The feature output is obtained based on the calculation. Then, residual edges are used to fuse the v feature with the self-attention feature to improve the model's backpropagation ability.

[0067] like Figure 6 As shown, the deep learning-based DDoS attack detection method of the present invention first inputs the features selected by SDAE into a CNN model to extract deep spatial features, then inputs them into a Self-Attention model to extract deep temporal features, and finally processes them sequentially through a dense layer, a softmax layer and a fully connected layer to obtain the detection result.

[0068] The method for preprocessing network traffic data in this invention, as well as the CNN-Self-Attention deep learning model, will be explained in detail below.

[0069] The deep learning-based DDoS attack detection method of the present invention includes three steps: Step S1, data preprocessing module, which performs preprocessing operations such as oversampling, data cleaning, noise reduction and format standardization on the acquired network traffic data stream to ensure that the data is suitable for subsequent processing;

[0070] Step S2, Feature Selection: The preprocessed network traffic is transmitted to the feature selection module, and the Selective Deep Autoencoder (SDAE) is used to extract potential attack features from the network traffic data.

[0071] Step S3: The attack detection module transmits the extracted network traffic data features to the DDoS attack detection module, and uses a deep learning model to detect whether the network traffic data is DDoS attack traffic and identify its attack type.

[0072] The specific implementation method of step S1 in the deep learning-based DDoS attack detection method of the present invention is as follows:

[0073] First, remove the seven irrelevant features that cannot distinguish between attack and normal traffic: “Unnamed”, “Flow ID”, “Destination Port”, “Source Port”, “Destination IP”, “Source IP”, and “SimilarHTTP”. Then, clean up the samples in the dataset that contain NaN values, infinite values, and null values.

[0074] Furthermore, the specific method for SMOTE oversampling in step S1 is as follows:

[0075] First, minority class samples are selected from the dataset. Then, for each minority class sample, SMOTE calculates its k nearest neighbors in the feature space. After that, a neighbor is randomly selected from the selected k neighbors, and a new sample is generated based on the distance between the current sample and that neighbor. Then, a new minority class sample is generated by randomly interpolating between the original sample and the neighbor sample.

[0076] Furthermore, the specific calculation method for SMOTE oversampling in step S1 is as follows:

[0077] X new =X+θ(X) n -X)

[0078] Where θ is a random number between 0 and 1, and X n These are neighboring samples.

[0079] Furthermore, the data normalization calculation method in step S1 is as follows:

[0080]

[0081] Among them, X sca X represents the result of data normalization. min X represents the minimum value of the data. max This indicates the maximum value of the data.

[0082] The specific implementation method of step S2 in the deep learning-based DDoS attack detection method of the present invention is as follows:

[0083] The feature selection module includes a pre-training phase and a feature selection phase.

[0084] Pre-training Phase: In this phase, SDAE first trains a deep autoencoder to learn a low-dimensional latent representation of the input data by minimizing the reconstruction error. The encoder part of the autoencoder maps the input data to the latent space, while the decoder is responsible for reconstructing the latent representation back to the original data. The reconstructed data is compared with the original data, the loss is calculated, and the model parameters are adjusted accordingly. The next round of training is then performed until convergence. By optimizing this process, SDAE can obtain a low-dimensional encoding with global representativeness.

[0085] Feature Selection Stage: In the feature selection process, SDAE introduces a custom selection layer. This layer selects the most relevant features by weighting the input features (using a feature-related weight vector). The weights of the selection layer are sparsified using L1 regularization, pushing the weights of redundant features to zero. The encoder learns a low-dimensional latent representation of the data based on the selected features, optimizing its similarity to the low-dimensional latent representation from the pre-training stage and the selection layer weights, i.e., minimizing the following objective function:

[0086]

[0087] Ultimately, only the features corresponding to non-zero weights are retained as a subset representing the entire feature space.

[0088] The specific implementation method of step S3 in the deep learning-based DDoS attack detection method of the present invention is as follows:

[0089] The attack detection module inputs the network traffic features extracted by the feature selection module into the CNN detection model. First, batch normalization is used to normalize the input data. The normalized output is processed by a convolutional layer containing 8 (1*3) convolutional kernels and then linearly transformed by the ReLU activation function to obtain F0.

[0090]

[0091] F0 is fed into two parallel convolutional layers to extract richer features from the horizontal and vertical directions, respectively.

[0092] The first convolutional stream is processed again with an asymmetric convolutional kernel after one layer of convolutional operations to extract deeper features;

[0093]

[0094] F pool1 =P max (F1)

[0095] The second convolutional stream is processed through two convolutional layers to extract deeper features:

[0096]

[0097] F pool2 =P max (F2)

[0098] Then, the outputs of the two parallel convolutional layers are connected through a depth-level layer and processed by a max pooling layer.

[0099] F concat =D(Fpool1 ,F pool2 )

[0100] Subsequently, to prevent gradient vanishing, the output of the first convolutional layer, after being max-pooled, is concatenated with the result of the max-pooling layer through a depthwise concatenation layer and then passed through an average pooling layer P. avg deal with;

[0101] F t =P avg (z)+(X 1×1 (F concat ))

[0102] The result of the average pooling layer is input into the self-attention mechanism module, which integrates convolution operations and the self-attention mechanism. First, convolution operations are used to extract local features. Then, the feature map is divided into three parts: query (q), key (k), and value (v), and the feature output is calculated.

[0103]

[0104] Where Q represents the query vector, K represents the key vector, V represents the value vector, and d represents the value vector. k Represents the dimension of the key vector.

[0105] Finally, the output of the self-attention mechanism module is fed into the dense layer. After the dense layer, the output data is processed by the softmax layer and the fully connected layer to obtain the detection results.

[0106] After training a deep network using network traffic training data, a detection model is obtained. The network traffic test data is preprocessed, and the trained detection model is used for detection, outputting classification results to determine whether the data represents a DDoS attack and identify its specific attack type.

[0107] During the training of the detection model, the cross-entropy loss function is used, and the detection accuracy of the detection model is calculated until the requirements are met to obtain a well-trained detection model.

[0108] This invention uses the CIC-DDoS-2019 dataset compiled by the Canadian Cyber ​​Security Institute to verify the effectiveness of the deep learning-based DDoS attack detection method. Dataset information is shown in Table 1. Model parameter settings are shown in Table 2. Evaluation metrics include confusion matrix, accuracy, precision, recall, and F1 score to measure the algorithm's performance.

[0109] Table 1 Dataset Information:

[0110]

[0111]

[0112] Table 2 Model Parameter Settings:

[0113] parameter value Total number of characteristics 88 Optimizer Adam loss function Binary Cross-Entropy Bath size 128 Epochs 30 Activation function ReLU Learning rate 0.001

[0114] The confusion matrix, also known as the error matrix, is used to evaluate the performance of a classifier by counting the number of observations misclassified and correctly classified. The confusion matrices for the four attack types in the in-vehicle network attack dataset obtained from the experiment are shown below. Figure 7 As shown, the model performs very well in detecting various types of attacks.

[0115] Table 3 shows the performance of the method of the present invention on the CIC-DDoS-2019 dataset.

[0116] Table 3 CIC-DDoS-2019 Performance:

[0117] Model accuracy Accuracy Recall rate F1 score CNN-Self-Attention 99.00% 99.08% 92.22% 95.52%

[0118] The above results demonstrate that the deep learning-based DDoS attack detection method proposed in this invention, based on the multi-dimensional and temporal characteristics of traffic features, achieves high accuracy, precision, recall, and F1-score, and exhibits good performance on different types of attacks on the CIC-DDoS-2019 dataset.

[0119] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, and not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features; and these modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims

1. A deep learning-based DDoS attack detection method, characterized in that, Includes the following steps: 1) Preprocess the acquired network traffic data stream; 2) Use Selective Deep Autoencoder (SDAE) to extract potential attack features from preprocessed network traffic data; 3) Based on the extracted attack features, use a deep learning model to detect whether network traffic data is DDoS attack traffic and identify its attack type; Step 3) includes the following steps: 3.1) Batch normalization is used to normalize the input data; 3.2) The normalized output is processed using a first convolutional layer containing eight 1*3 kernels, and then linearly transformed using the ReLU activation function to obtain the final output. ; 3.3) will The inputs are fed into two parallel convolutional layers to obtain... and From the horizontal and vertical directions respectively Extracting deeper features, followed by processing with a max pooling layer to obtain... and ; 3.4) The outputs of two parallel convolutional layers are concatenated using a depthwise layer, and then processed using a max pooling layer to obtain... ; 3.5) will After the max pooling layer and After deep cascading layers are connected and processed using an average pooling layer, the following is obtained: ; 3.6) Using a self-attention mechanism module that integrates convolution operations and self-attention mechanisms to... Process it; 3.7) The output of the self-attention mechanism module is processed sequentially through a dense layer, a softmax layer, and a fully connected layer to obtain the detection result.

2. The deep learning-based DDoS attack detection method according to claim 1, characterized in that, Step 1) includes the following steps: 1.1) Perform data cleaning on the acquired network traffic data stream; 1.2) Perform cleaning on the data stream. Oversampling; 1.3) Normalize the oversampled data.

3. The deep learning-based DDoS attack detection method according to claim 2, characterized in that, Step 1.1) specifically refers to: Remove irrelevant features that cannot distinguish between attack and normal traffic, as well as samples containing NaN values, infinite values, and null values. The irrelevant features include "Unnamed", "Flow ID", "Destination Port", "Source Port", "Destination IP", "Source IP", and "SimilarHTTP".

4. The deep learning-based DDoS attack detection method according to claim 2, characterized in that, Step 1.2) specifically refers to: Select samples from a certain class whose number is less than a threshold from the dataset, and designate them as the minority class samples. For each minority class sample... ,use Oversampling calculates its nearest neighbor in the feature space A sample of neighbors, and from the selected... Randomly select a neighbor sample from the neighbor samples. Based on the current sample and its neighboring samples A new sample is generated from the distance between them. That is, in the original sample and neighbor samples Random interpolation between values ​​generates a new minority class sample. ,Right now: in, It is a random number between 0 and 1.

5. The deep learning-based DDoS attack detection method according to claim 1, characterized in that, Step 2) includes the following steps: 2.1) Pre-training stage: The pre-processed raw data is input into the encoder part of the autoencoder model to obtain the low-dimensional latent representation of the input data. The decoder of the autoencoder model reconstructs the low-dimensional latent representation to obtain the reconstructed data. The reconstructed data is compared with the original data, the loss is calculated and the model parameters are adjusted accordingly. Then the next round of training is carried out until the training converges. 2.2) Feature selection stage: After the encoder is trained in the pre-training stage, a selective layer is added in front of it, and the decoder part is removed to obtain a new deep network model. The selective layer assigns a weight vector to each input feature. The encoder learns a new low-dimensional latent representation of the data based on the selected features, optimizes its similarity with the low-dimensional latent representation in the pre-training stage and the weight of the selective layer. Finally, only the features corresponding to non-zero weights are retained as a subset representing the entire feature space.

6. The deep learning-based DDoS attack detection method according to claim 5, characterized in that, The similarity between the new low-dimensional latent representation and the low-dimensional latent representation in the pre-training stage, as well as the selection of layer weights, are optimized by minimizing an objective function, wherein the objective function is: in, This represents the nonnegativity constraint of the weights. Parameters representing the depth encoder, The coefficient parameters represent the L1 regularization term of the encoder layer. This represents the coefficient parameters of the L1 regularization term in the selection layer. This represents the reconstructed encoding in the encoder network during the pre-training phase. This represents the reconstructed encoding of the depth encoder.

7. The deep learning-based DDoS attack detection method according to claim 1, characterized in that, Step 3.3) specifically refers to: The first convolutional stream is processed again with an asymmetric convolution kernel after one convolutional operation and then passed through a max pooling layer to obtain deeper features. ; in, This indicates the output result after passing through one convolutional layer. , These represent the output results processed using two asymmetric convolutional blocks. This represents the processing result of the first convolutional stream. This represents a deep cascaded layer function. Indicates the max pooling layer. This represents the result of the first convolutional stream being processed by the max pooling layer; The second convolutional stream is processed through two convolutional layers to obtain deeper features. : in, This represents the output of the first convolutional layer. This represents the output of the second convolutional layer. This represents the processing result of the second convolutional stream. This represents a deep cascaded layer function. Indicates the max pooling layer. This represents the result of the second convolutional flow being processed by the max pooling layer.

8. A deep learning-based DDoS attack detection system, used to implement the deep learning-based DDoS attack detection method described in claim 1, characterized in that, include: The data stream preprocessing module is used to preprocess the acquired network traffic data stream; The feature extraction module is used to extract potential attack features from preprocessed network traffic data using a selective deep autoencoder (SDAE). The DDoS attack identification module is used to detect whether network traffic data is DDoS attack traffic and identify its attack type based on the extracted attack characteristics using a deep learning model.

9. A computer-readable storage medium, characterized in that, The storage medium stores a computer program, which, when executed by a processor, implements a deep learning-based DDoS attack detection method as described in any one of claims 1-7.