A deep learning-based network intrusion detection method and system

By constructing a spatiotemporal matrix and grayscale images, and combining dynamic time warping and K-means clustering, a long short-term memory network model is built. This solves the problem of insufficient adaptability of deep learning network intrusion detection methods to new attacks in dynamic environments, and achieves more efficient intrusion behavior recognition and prediction.

CN120017400BActive Publication Date: 2026-06-09NANJING FORESTRY UNIV

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
NANJING FORESTRY UNIV
Filing Date
2025-03-11
Publication Date
2026-06-09

AI Technical Summary

Technical Problem

Existing deep learning-based network intrusion detection methods are poorly adapted to new attacks in dynamic environments, fail to fully exploit spatiotemporal information and topological features, and fail to effectively utilize the nonlinear relationships and local variation features of time series when identifying mutation points and detecting anomalies.

Method used

Network traffic data is collected using network packet capture tools, a spatiotemporal matrix is ​​constructed and converted into a grayscale image, important topological features are screened and enhanced, the spatiotemporal mapping generation method is used for segmentation and dynamic time warping to calculate DTW distance, and intrusion behavior is predicted by combining K-means clustering and long short-term memory network models, and the network traffic data is stored and analyzed.

Benefits of technology

It improves the accuracy and real-time response capability of network intrusion detection, enhances adaptability to new types of attacks and detection precision, and can more accurately identify potential intrusion behaviors.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN120017400B_ABST
    Figure CN120017400B_ABST
Patent Text Reader

Abstract

The application discloses a network intrusion detection method and system based on deep learning, relates to the technical field of network security, and comprises the following steps: collecting network flow data by using a network packet capturing tool, constructing a space-time matrix by using a mapping matrix construction method, converting the space-time matrix into a gray image, dynamically adjusting by using a dynamic weight adjustment formula, constructing a topological complex, screening important topological features, respectively performing enhancement processing on the important topological features, fusing by using a weighted average method, and generating a fused gray image; segmenting by using a space-time mapping generation method, calculating a DTW (Dynamic Time Warping) distance by using a dynamic time warping calculation, marking a mutation point segment, calculating the evolution fitness of the mutation point segment by using an evolution fitness formula, and identifying an intrusion behavior. The neural biological signal processing technology is combined with the topological data analysis, the processability of data and the identifiable property of features are improved, the evolution fitness formula is used for analyzing the mutation point segment, and the detection precision and the adaptability of the intrusion behavior are enhanced.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of network security technology, and in particular to a network intrusion detection method and system based on deep learning. Background Technology

[0002] With the rapid development of information technology, network security issues are becoming increasingly serious. In particular, the prevention and detection of network intrusion has become one of the core issues in the field of network security. Traditional network intrusion detection methods mostly rely on techniques such as rule matching and packet analysis, which are mainly based on matching and analysis of known attack characteristics. These methods have shown significant shortcomings when facing unknown attacks or rapidly changing attack patterns. Rule matching methods can only identify known attack patterns and have limited detection capabilities for new and variant attacks. Packet analysis-based methods are prone to efficiency bottlenecks when handling large-scale network traffic and are difficult to identify potential intrusion behaviors in real time and effectively. Researchers have gradually begun to introduce technologies such as machine learning and deep learning into the field of network intrusion detection to improve its automation and intelligence, and enhance the system's adaptability and accuracy.

[0003] Existing deep learning applications still face some challenges in network intrusion detection. Current technologies rely on simple network traffic feature extraction and fail to fully explore spatiotemporal information and topological features, resulting in poor adaptability to new attacks in dynamic environments. When dealing with mutation point identification and anomaly detection, existing technologies mostly use traditional distance metrics or static threshold settings, failing to fully utilize the nonlinear relationships and local change features in time series. Summary of the Invention

[0004] In view of the aforementioned existing problems, the present invention is proposed.

[0005] Therefore, this invention provides a network intrusion detection method and system based on deep learning, which solves the problem that existing technologies rely on simple network traffic feature extraction and fail to fully explore spatiotemporal information and topological features, resulting in poor adaptability to new attacks in dynamic environments. Existing technologies mostly use traditional distance metrics or static threshold settings when dealing with mutation point identification and anomaly detection, failing to make full use of nonlinear relationships and local change features in time series.

[0006] To solve the above-mentioned technical problems, the present invention provides the following technical solution:

[0007] In a first aspect, the present invention provides a network intrusion detection method based on deep learning, comprising,

[0008] Network traffic data is collected using network packet capture tools, preprocessed, a spatiotemporal matrix is ​​constructed using the mapping matrix construction method, converted into a grayscale image, dynamically adjusted using a dynamic weight adjustment formula, a topological complex is constructed and important topological features are selected, important topological features are enhanced respectively, and a weighted average method is used for fusion to generate a fused grayscale image.

[0009] The spatiotemporal mapping generation method is used for segmentation, dynamic time warping is used to calculate DTW distance and mark mutation point segments, and the evolutionary fitness formula is used to calculate the evolutionary fitness of mutation point segments and identify intrusion behavior.

[0010] The K-means clustering method is used to cluster the mutation point fragments corresponding to the invasion behavior, and a long short-term memory network model is constructed to predict the invasion behavior at time t.

[0011] Store, collect, and analyze the network traffic data generated.

[0012] As a preferred embodiment of the deep learning-based network intrusion detection method of the present invention, the following steps are included: collecting network traffic data using a network packet capture tool, constructing a spatiotemporal matrix using a mapping matrix construction method, converting it into a grayscale image, dynamically adjusting it using a dynamic weight adjustment formula, constructing a topological complex and screening important topological features, enhancing the important topological features respectively, and fusing them using a weighted average method to generate a fused grayscale image, comprising:

[0013] The network traffic data includes packet size, transmission delay, source port, destination port, transmission time, traffic frequency, and timestamp;

[0014] The preprocessed network traffic data is sorted in chronological order. The mapping matrix construction method is used to map the timestamps corresponding to the preprocessed network traffic data to the rows of the spatiotemporal matrix and the preprocessed network traffic data to the columns of the spatiotemporal matrix to construct the spatiotemporal matrix.

[0015] The spatiotemporal matrix is ​​converted into a grayscale image using a grayscale value mapping formula.

[0016] The neighborhood window is set using the sliding window method. The mean and standard deviation of the neighborhood window are calculated. The local relative contrast of the (x,y)th pixel is calculated using the local relative contrast formula. , where x and y are the row and column indices in the grayscale image, respectively;

[0017] The time window size was set using a time window selection method, the time decay rate was set using an experimental method, and the neural signal intensity at the (x,y)th pixel was calculated using a Gaussian time-weighted activation function. ;

[0018] The constant factor for enhancing intensity was set using statistical analysis. A random search method is used to set the threshold for neural signals. The gray value of the (x,y)th pixel in the grayscale image is dynamically adjusted using a dynamic weight adjustment formula.

[0019] Calculate the grayscale difference between pixels in the adjusted grayscale image and set it as the connection strength. Use statistical analysis to set the connection threshold, mark the connection strength greater than the connection threshold as 1, and mark the connection strength less than or equal to the connection threshold as 0, and construct the adjacency matrix.

[0020] The Rips complex construction method is used to construct the topological complex, and the topological feature extraction method is used to extract the topological features, including connected components and loop structures. The persistence calculation method is used to calculate the persistence of connected components and loop structures respectively, and the persistence screening method is used to screen the important topological features of connected components and loop structures respectively.

[0021] The grayscale image of the important topological features of the connected components is enhanced using the brightness enhancement method, and the grayscale image of the important topological features of the loop structure is enhanced using the normalization enhancement method.

[0022] The weighting coefficients are set using the backpropagation algorithm, and the enhanced gray values ​​are fused using the weighted average method to obtain the fused gray values. The image is then reconstructed using the fused gray values ​​to generate the fused gray image.

[0023] As a preferred embodiment of the deep learning-based network intrusion detection method of the present invention, the preprocessing of network traffic data includes:

[0024] Gaussian filtering was used for noise reduction, interquartile range method was used to identify and delete outlier data, mode imputation method was used to fill in missing data, and network traffic data was normalized.

[0025] As a preferred embodiment of the deep learning-based network intrusion detection method of the present invention, the steps of segmentation using a spatiotemporal mapping generation method, calculating DTW distance and marking mutation point segments using dynamic time warping, and calculating the evolutionary fitness of mutation point segments and identifying intrusion behavior using an evolutionary fitness formula include:

[0026] The spatiotemporal mapping generation method is used to segment the fused grayscale image according to the time dimension and extract spatiotemporal data fragments;

[0027] Network traffic data is collected from the MongoDB database. The spatiotemporal data fragmentation method is used to segment the collected network traffic data from the database according to the timestamp, and database data fragments are extracted.

[0028] The BLAST algorithm is used to locally compare spatiotemporal data segments with database data segments, calculate the similarity score of the time segments, and sort the similarity scores from largest to smallest.

[0029] Dynamic time warping is used to calculate the DTW distance between the data segment corresponding to the maximum similarity score and the other data segments. The percentile method is used to set the outlier threshold, and segments with a DTW distance greater than the outlier threshold are marked as mutation point segments.

[0030] The similarity score between the mutation point fragment and the database data fragment is calculated using the Jaccard similarity coefficient formula, and the evolutionary fitness of the mutation point fragment is calculated using the evolutionary fitness formula.

[0031] Using rules of thumb to set a detection threshold, mutation points with evolutionary fitness greater than the detection threshold are marked as intrusive behaviors.

[0032] As a preferred embodiment of the deep learning-based network intrusion detection method of the present invention, the step of clustering the mutation point fragments corresponding to the intrusion behavior using the K-means clustering method includes:

[0033] Normalize the mutation point fragments corresponding to the intrusion behavior;

[0034] The ROC curve method is used to set the classification threshold, and the elbow rule is used to set the number of clusters K. K load data are randomly selected as initial cluster centers from the normalized mutation point fragments. The Euclidean distance formula is used to calculate the Euclidean distance from the normalized mutation point fragments to the K distance centers. The normalized mutation point fragments are assigned to the nearest cluster centers. After each assignment, the K cluster centers are recalculated. The iteration stops when the calculated number of cluster centers is less than the classification threshold, resulting in K clustered invasion types.

[0035] As a preferred embodiment of the deep learning-based network intrusion detection method of the present invention, the step of constructing a long short-term memory network model to predict intrusion behavior at time t includes:

[0036] Collect labeled historical network traffic data and preprocess it to generate a training set;

[0037] Construct a long short-term memory network model, including an input layer, an LSTM layer, a Dense layer, and an output layer;

[0038] The input layer is formatted as network traffic data;

[0039] The long short-term memory network model was trained using the training set, and the model parameters were iteratively optimized using the loss function and the Adam optimizer.

[0040] The preprocessed network traffic data is fed into the trained Long Short-Term Memory network model to obtain the intrusion behavior at time t.

[0041] The intrusion behaviors include SQL injection, phishing attacks, brute-force attacks, and lateral movement.

[0042] As a preferred embodiment of the deep learning-based network intrusion detection method of the present invention, the storage, collection, and analysis of the generated network traffic data includes:

[0043] All collected network traffic data and analysis data are stored in a central database, and secure access measures are set up. The central database backs up the stored data to the cloud and regularly performs integrity checks on the stored data and backup data. After the checks are completed, integrity check records are generated and synchronously stored in the central database.

[0044] Secondly, this invention provides a deep learning-based network intrusion detection system, comprising:

[0045] The collection and enhancement module is used to collect network traffic data using network packet capture tools, preprocess the network traffic data, construct a spatiotemporal matrix using the mapping matrix construction method, convert it into a grayscale image, dynamically adjust it using the dynamic weight adjustment formula, construct a topological complex and screen important topological features, enhance the important topological features respectively, and fuse them using the weighted average method to generate a fused grayscale image.

[0046] The identification module is used to segment using the spatiotemporal mapping generation method, calculate the DTW distance using dynamic time warping and mark mutation point segments, and calculate the evolutionary fitness of mutation point segments using the evolutionary fitness formula and identify intrusion behavior.

[0047] The clustering prediction module is used to cluster the mutation point fragments corresponding to the invasion behavior using the K-means clustering method, and to build a long short-term memory network model to predict the invasion behavior at time t.

[0048] The storage module is used to store the network traffic data collected and analyzed.

[0049] Thirdly, the present invention provides a computer device including a memory and a processor, wherein the memory stores a computer program, wherein the computer program, when executed by the processor, implements any step of the deep learning-based network intrusion detection method described in the first aspect of the present invention.

[0050] Fourthly, the present invention provides a computer-readable storage medium having a computer program stored thereon, wherein: when the computer program is executed by a processor, it implements any step of the deep learning-based network intrusion detection method described in the first aspect of the present invention.

[0051] The beneficial effects of this invention are as follows: This invention collects network traffic data using network packet capture tools, preprocesses the network traffic data, constructs a spatiotemporal matrix using a mapping matrix construction method, converts it into a grayscale image, dynamically adjusts it using a dynamic weight adjustment formula, constructs a topological complex and filters important topological features, enhances these important topological features, and fuses them using a weighted average method to generate a fused grayscale image. It uses a spatiotemporal mapping generation method for segmentation, calculates the DTW distance using dynamic time warping and marks mutation point segments, calculates the evolutionary fitness of mutation point segments using an evolutionary fitness formula, and identifies intrusion behaviors. It uses the K-means clustering method to cluster mutation point segments corresponding to intrusion behaviors, constructs a long short-term memory network model to predict intrusion behaviors at time t. This improves the detection accuracy and real-time response capability, enhancing the detection precision and adaptability of intrusion behaviors. Attached Figure Description

[0052] To more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the following description of the embodiments will be briefly introduced. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0053] Figure 1 This is a flowchart of the deep learning-based network intrusion detection method in Example 1.

[0054] Figure 2 This is a structural diagram of the deep learning-based network intrusion detection system in Example 1. Detailed Implementation

[0055] To make the above-mentioned objects, features and advantages of the present invention more apparent and understandable, the specific embodiments of the present invention will be described in detail below with reference to the accompanying drawings.

[0056] Many specific details are set forth in the following description in order to provide a full understanding of the invention. However, the invention may also be practiced in other ways different from those described herein, and those skilled in the art can make similar extensions without departing from the spirit of the invention. Therefore, the invention is not limited to the specific embodiments disclosed below.

[0057] Secondly, the term "one embodiment" or "embodiment" as used herein refers to a specific feature, structure, or characteristic that may be included in at least one implementation of the present invention. The phrase "in one embodiment" appearing in different places in this specification does not necessarily refer to the same embodiment, nor is it a single or selective embodiment that is mutually exclusive with other embodiments.

[0058] Example 1, referring to Figure 1 and Figure 2 This is the first embodiment of the present invention, which provides a network intrusion detection method based on deep learning, including the following steps:

[0059] S1. Use a network packet capture tool to collect network traffic data, preprocess the network traffic data, construct a spatiotemporal matrix using the mapping matrix construction method, convert it into a grayscale image, dynamically adjust it using the dynamic weight adjustment formula, construct a topological complex and screen important topological features, enhance the important topological features respectively, and fuse them using the weighted average method to generate a fused grayscale image.

[0060] Specifically, network traffic data is collected using network packet capture tools, a spatiotemporal matrix is ​​constructed using a mapping matrix construction method, and converted into a grayscale image. Dynamic weight adjustment is performed using a dynamic weight adjustment formula to construct a topological complex and filter important topological features. These important topological features are then enhanced, and a weighted average method is used for fusion to generate a fused grayscale image, including:

[0061] The network traffic data includes packet size, transmission delay, source port, destination port, transmission time, traffic frequency, and timestamp;

[0062] The preprocessed network traffic data is sorted in chronological order. The mapping matrix construction method is used to map the timestamps corresponding to the preprocessed network traffic data to the rows of the spatiotemporal matrix and the preprocessed network traffic data to the columns of the spatiotemporal matrix to construct the spatiotemporal matrix.

[0063] The spatiotemporal matrix is ​​converted into a grayscale image using a grayscale value mapping formula.

[0064] The neighborhood window is set using the sliding window method. The mean and standard deviation of the neighborhood window are calculated. The local relative contrast of the (x,y)th pixel is calculated using the local relative contrast formula. Where x and y are the row and column indices in the grayscale image, respectively, the formula is:

[0065] ,

[0066] in Let be the gray value of the (x,y)th pixel in the grayscale image. Let be the mean value of the (x, y)th pixel in the neighborhood window. Let be the standard deviation of the (x,y)th pixel in the neighborhood window. It is a very small constant to avoid division by zero errors;

[0067] The time window size was set using a time window selection method, the time decay rate was set using an experimental method, and the neural signal intensity at the (x,y)th pixel was calculated using a Gaussian time-weighted activation function. The formula is:

[0068] ,

[0069] Where T is the size of the time window. The decay rate at time point t;

[0070] The constant factor for enhancing intensity was set using statistical analysis. A random search method is used to set the threshold for neural signals. The grayscale value of the (x,y)th pixel in the grayscale image is dynamically adjusted using a dynamic weight adjustment formula. The formula is as follows:

[0071] ,

[0072] in Let x be the gray value of the (x, y)th pixel in the adjusted grayscale image;

[0073] Calculate the grayscale difference between pixels in the adjusted grayscale image and set it as the connection strength. Use statistical analysis to set the connection threshold, mark the connection strength greater than the connection threshold as 1, and mark the connection strength less than or equal to the connection threshold as 0, and construct an adjacency matrix to represent the topological structure of pixels in the image.

[0074] The Rips complex construction method is used to construct the topological complex, and the topological feature extraction method is used to extract the topological features, including connected components and loop structures. The persistence calculation method is used to calculate the persistence of connected components and loop structures respectively, and the persistence screening method is used to screen the important topological features of connected components and loop structures respectively.

[0075] The grayscale image for filtering important topological features of connected components is enhanced using a brightness enhancement method, and the grayscale image for filtering important topological features of loop structures is enhanced using a normalization enhancement method. The formulas are as follows:

[0076] ,

[0077] ,

[0078] in Let (x, y) be the grayscale value of the (x, y)th pixel after connected component enhancement. Let (x, y) be the grayscale value of the (x, y)th pixel after enhancement by the ring structure. For the persistence of connected components, It is the maximum value in the durability of connected components. The mean gray value of the ring structure represents the average gray value of all ring structures. is the standard deviation of the gray values ​​of the ring structure, representing the standard deviation of the gray values ​​of all ring structures;

[0079] The backpropagation algorithm is used to set weighting coefficients, and the weighted average method is used to fuse the enhanced gray values ​​to obtain the fused gray values. The image is then reconstructed using the fused gray values ​​to generate the fused gray image. The formula is as follows:

[0080] ,

[0081] in To merge the gray values ​​of the (x,y)th pixel in the image, These are weighting coefficients. Let be the grayscale value of the (x,y)th pixel after all enhancements, including the grayscale value of the (x,y)th pixel after enhancements by connected components and loop structures.

[0082] This invention uses a mapping matrix construction method to construct a spatiotemporal matrix and improves the data processability and feature identifiability through grayscale image conversion technology. The dynamic weight adjustment formula and the construction of topological complexes effectively enhance the ability to extract important features, thereby improving the accuracy and real-time performance of intrusion detection. The topological complex construction method is used to extract the topological features of network traffic, and the persistent computation method is used to filter out important topological features. The image quality is further improved through enhancement processing, enabling the deep learning model to more accurately identify potential network intrusion behaviors.

[0083] By using network packet capture tools to collect information such as packet size, transmission delay, source port, and destination port, a comprehensive understanding of network communication behavior can be achieved. Sorting the data chronologically ensures its temporal order. Converting the spatiotemporal matrix to a grayscale image simplifies data representation, making subsequent image processing and deep learning algorithms more efficient, reducing data complexity, and highlighting key features in network traffic. Combining Gaussian time-weighted activation functions to calculate neural signal intensity simulates neural responses to network traffic changes, effectively identifying sudden anomalies that may indicate intrusion. The construction of topological complexes and the extraction of topological features help extract more representative features from complex data. Persistent computation methods are used to filter features meaningful for intrusion detection, effectively reducing the impact of noise on detection results and improving detection accuracy. Weighted averaging is used to fuse the enhanced grayscale images, generating a fused image that improves the overall quality of image features. This enables intrusion detection algorithms to more accurately identify potential security threats, improving the processing efficiency of network traffic data and the accuracy of intrusion detection.

[0084] Furthermore, the network traffic data undergoes preprocessing, including:

[0085] Gaussian filtering was used for noise reduction, interquartile range method was used to identify and delete outlier data, mode imputation method was used to fill in missing data, and network traffic data was normalized.

[0086] Gaussian filtering smooths the data, reducing interference and providing a more stable data foundation for model training and analysis. By using the interquartile range method, outliers can be automatically detected and removed during data analysis, preventing them from interfering with model training and prediction, improving data stability and model robustness. After filling in missing data, the integrity of the dataset is guaranteed, enabling the model to effectively learn the features of all data and avoiding imbalance problems caused by missing data. Normalization prevents features with large numerical ranges from dominating the model learning process, thereby improving the training speed and accuracy of the model. Data preprocessing methods provide a reliable data foundation for subsequent tasks such as intrusion detection and network traffic analysis, improving the model's prediction accuracy and computational efficiency.

[0087] S2. Use the spatiotemporal mapping generation method for segmentation, use dynamic time warping to calculate DTW distance and mark mutation point segments, use the evolutionary fitness formula to calculate the evolutionary fitness of mutation point segments and identify intrusion behavior;

[0088] Specifically, the spatiotemporal mapping generation method is used for segmentation, dynamic time warping is used to calculate DTW distance and mark mutation point fragments, and the evolutionary fitness formula is used to calculate the evolutionary fitness of mutation point fragments and identify intrusion behavior, including:

[0089] The spatiotemporal mapping generation method is used to segment the fused grayscale image according to the time dimension, and spatiotemporal data fragments are extracted from each row;

[0090] Network traffic data is collected from the MongoDB database. The spatiotemporal data fragmentation method is used to divide the collected network traffic data from the database according to the timestamp, and data fragments are extracted from each row.

[0091] The BLAST algorithm is used to locally compare spatiotemporal data segments with database data segments, calculate the similarity score of the time segments, and sort the similarity scores from largest to smallest.

[0092] Dynamic time warping is used to calculate the DTW distance between the data segment corresponding to the maximum similarity score and the other data segments. The percentile method is used to set the outlier threshold, and segments with a DTW distance greater than the outlier threshold are marked as mutation point segments.

[0093] The similarity score between the mutation point fragment and the database data fragment is calculated using the Jaccard similarity coefficient formula, and the evolutionary fitness of the mutation point fragment is calculated using the evolutionary fitness formula, which is as follows:

[0094] ,

[0095] in The evolutionary fitness of the mutation point fragment w. The similarity score between the mutation point fragment w and the database data fragment z;

[0096] Using rules of thumb to set a detection threshold, mutation points with evolutionary fitness greater than the detection threshold are marked as intrusive behaviors.

[0097] This invention addresses the shortcomings of existing technologies in mutation point identification and dynamic intrusion detection by introducing spatiotemporal data segmentation and dynamic time warping calculation, combined with evolutionary fitness analysis. It segments network traffic data using a spatiotemporal mapping generation method and calculates the similarity of data segments using the Dynamic Time Warping (DTW) algorithm, effectively identifying mutation point segments and thus improving the detection accuracy of intrusion behavior. The use of an evolutionary fitness formula to analyze mutation point segments automatically evaluates and adjusts the detection threshold, further enhancing the model's adaptability and accuracy. This invention not only has significant advantages in capturing spatiotemporal dynamic features but also maintains high computational performance and a low false alarm rate when dealing with large-scale network traffic data, significantly improving the effectiveness of network intrusion detection.

[0098] Using a spatiotemporal mapping generation method to segment grayscale images according to the time dimension can effectively extract the temporal features of network traffic data and structure it into easily processed spatiotemporal data fragments. Using the BLAST algorithm to calculate similarity scores can effectively identify the similarity between historical data and current network traffic, thus providing a basis for intrusion detection. By calculating the DTW distance between the most similar fragment and other fragments, abrupt change fragments that differ significantly from normal behavior patterns can be accurately marked. The introduction of DTW can compensate for the shortcomings of traditional time series analysis methods, especially when dealing with network traffic with inconsistent signal rate changes, enabling more accurate similarity calculations. Jaccard similarity can quickly assess the similarity between data fragments, especially when facing massive amounts of network traffic data, effectively identifying which data fragments have abnormal patterns. The evolutionary fitness formula, by introducing a dynamic fitness evaluation mechanism, can adaptively adjust the detection strategy, gradually identifying the most potentially threatening behavioral fragments, and can identify new intrusion behaviors that are difficult to detect by traditional methods, exhibiting strong universality and adaptability.

[0099] S3. Use the K-means clustering method to cluster the mutation point fragments corresponding to the invasion behavior, and construct a long short-term memory network model to predict the invasion behavior at time t.

[0100] Specifically, the K-means clustering method is used to cluster the mutation point fragments corresponding to the invasion behavior, including:

[0101] Normalize the mutation point fragments corresponding to the intrusion behavior;

[0102] The ROC curve method is used to set the classification threshold, and the elbow rule is used to set the number of clusters K. K load data are randomly selected as initial cluster centers from the normalized mutation point fragments. The Euclidean distance formula is used to calculate the Euclidean distance from the normalized mutation point fragments to the K distance centers. The normalized mutation point fragments are assigned to the nearest cluster centers. After each assignment, the K cluster centers are recalculated. The iteration stops when the calculated number of cluster centers is less than the classification threshold, resulting in K clustered invasion types.

[0103] Normalization eliminates the influence of differences in feature scales, ensuring that each feature has the same weight during clustering. This prevents some features from being over- or under-considered due to large or small values, thus improving the accuracy and stability of the K-means clustering algorithm. The ROC curve method helps select an optimal threshold by comparing the true positive rate and false positive rate under different classification thresholds. A suitable K value ensures the stability and accuracy of the clustering process, avoiding the influence of too many or too few cluster centers. Choosing a suitable K value makes the clustering results more consistent with the distribution of actual data, improving the classification accuracy of intrusion behaviors. Cluster assignment groups similar intrusion behaviors into the same cluster, enhancing the system's ability to identify different intrusion types. By setting a classification threshold, the algorithm can be ensured to converge after an appropriate number of iterations, avoiding computational waste caused by excessive iteration and improving clustering efficiency. Clustering methods can identify potential attack patterns in large-scale network traffic and classify them into different types of intrusion behaviors. They can accurately identify multiple intrusion behavior types, helping to take targeted defensive measures and improving the practicality and effectiveness of intrusion detection.

[0104] Furthermore, a long short-term memory network model is constructed to predict intrusion behavior at time t, including:

[0105] Collect labeled historical network traffic data and preprocess it to generate a training set;

[0106] Construct a long short-term memory network model, including an input layer, an LSTM layer, a Dense layer, and an output layer;

[0107] The input layer is formatted as network traffic data;

[0108] The long short-term memory network model was trained using the training set, and the model parameters were iteratively optimized using the loss function and the Adam optimizer.

[0109] The preprocessed network traffic data is fed into the trained Long Short-Term Memory network model to obtain the intrusion behavior at time t.

[0110] The intrusion behaviors include SQL injection, phishing attacks, brute-force attacks, and lateral movement.

[0111] By collecting and organizing historical data, the accuracy and reliability of training data can be ensured. Data preprocessing can improve the quality of network traffic data and ensure the learning effect of the model during training. The use of LSTM layers can help the model learn long-term dependencies, that is, capture historical patterns in network traffic and use them to predict future intrusion behaviors. By predicting intrusion behaviors, the system can identify potential attack patterns in advance and take corresponding defensive measures, thereby effectively improving network security protection capabilities. The output layer of the LSTM network transforms the prediction results of network traffic data into intrusion behavior categories. The accurate identification of these categories helps the network security system respond in a timely manner. Through continuous training and optimization, the LSTM network can improve its generalization ability in different network environments and adapt to various complex intrusion detection scenarios.

[0112] S4. Store and analyze the network traffic data generated;

[0113] Specifically, the storage, collection, and analysis of network traffic data includes:

[0114] All collected network traffic data and analysis data are stored in a central database, and secure access measures are set up. The central database backs up the stored data to the cloud and regularly performs integrity checks on the stored data and backup data. After the checks are completed, integrity check records are generated and synchronously stored in the central database.

[0115] All data generated by the analysis, including clustering results and intrusion behavior predicted at time t.

[0116] During network security monitoring, real-time acquisition of network traffic and prediction results helps security analysts respond promptly to potential threats and attacks. Secure access measures help protect sensitive information stored in a central database, preventing data leaks or misuse and enhancing system security, especially important when processing sensitive data such as network traffic and intrusion prediction information. Cloud backup has high reliability and can restore data in the event of system failure, natural disasters, or other unforeseen circumstances. Data integrity testing can be achieved through methods such as calculating hash values ​​and checksums to ensure the correctness and consistency of data. Cloud backup and integrity testing provide dual protection for data, enabling rapid recovery and ensuring data integrity in the face of data loss, damage, or tampering. The security and integrity of data also improve the credibility of intrusion detection results and avoid misjudgments caused by data problems.

[0117] This embodiment also provides a deep learning-based network intrusion detection system, including:

[0118] The collection and enhancement module is used to collect network traffic data using network packet capture tools, preprocess the network traffic data, construct a spatiotemporal matrix using the mapping matrix construction method, convert it into a grayscale image, dynamically adjust it using the dynamic weight adjustment formula, construct a topological complex and screen important topological features, enhance the important topological features respectively, and fuse them using the weighted average method to generate a fused grayscale image.

[0119] The identification module is used to segment using the spatiotemporal mapping generation method, calculate the DTW distance using dynamic time warping and mark mutation point segments, and calculate the evolutionary fitness of mutation point segments using the evolutionary fitness formula and identify intrusion behavior.

[0120] The clustering prediction module is used to cluster the mutation point fragments corresponding to the invasion behavior using the K-means clustering method, and to build a long short-term memory network model to predict the invasion behavior at time t.

[0121] The storage module is used to store the network traffic data collected and analyzed.

[0122] This embodiment also provides a computer device applicable to the network intrusion detection method based on deep learning, including: a memory and a processor; the memory is used to store computer-executable instructions, and the processor is used to execute the computer-executable instructions to implement the network intrusion detection method based on deep learning as proposed in the above embodiment.

[0123] The computer device can be a terminal, comprising a processor, memory, communication interface, display screen, and input devices connected via a system bus. The processor provides computing and control capabilities. The memory includes non-volatile storage media and internal memory. The non-volatile storage media stores the operating system and computer programs. The internal memory provides an environment for the operation of the operating system and computer programs stored in the non-volatile storage media. The communication interface is used for wired or wireless communication with external terminals; wireless communication can be achieved through Wi-Fi, carrier networks, NFC (Near Field Communication), or other technologies. The display screen can be an LCD screen or an e-ink screen. The input devices can be a touch layer covering the display screen, buttons, a trackball, or a touchpad on the computer device's casing, or an external keyboard, touchpad, or mouse.

[0124] This embodiment also provides a storage medium storing a computer program that, when executed by a processor, implements the deep learning-based network intrusion detection method proposed in the above embodiments. The storage medium can be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as Static Random Access Memory (SRAM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Erasable Programmable Read Only Memory (EPROM), Programmable Red-Only Memory (PROM), Read-Only Memory (ROM), magnetic storage, flash memory, magnetic disk, or optical disk.

[0125] In summary, this invention collects network traffic data using network packet capture tools, preprocesses the network traffic data, constructs a spatiotemporal matrix using a mapping matrix construction method, converts it into a grayscale image, dynamically adjusts it using a dynamic weight adjustment formula, constructs a topological complex and filters important topological features, enhances these important topological features, and fuses them using a weighted average method to generate a fused grayscale image. It then uses a spatiotemporal mapping generation method for segmentation, calculates the DTW distance using dynamic time warping and marks mutation point segments, calculates the evolutionary fitness of mutation point segments using an evolutionary fitness formula, and identifies intrusion behaviors. Finally, it uses K-means clustering to cluster mutation point segments corresponding to intrusion behaviors, constructs a long short-term memory network model to predict intrusion behaviors at time t. This improves the detection accuracy and real-time response capability, enhancing the detection precision and adaptability of intrusion behaviors.

[0126] It should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention and are not intended to limit it. Although the present invention has been described in detail with reference to preferred embodiments, those skilled in the art should understand that modifications or equivalent substitutions can be made to the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention, and all such modifications or substitutions should be covered within the scope of the claims of the present invention.

Claims

1. A network intrusion detection method based on deep learning, characterized in that: include, Network traffic data is collected using network packet capture tools, preprocessed, a spatiotemporal matrix is ​​constructed using the mapping matrix construction method, converted into a grayscale image, dynamically adjusted using a dynamic weight adjustment formula, a topological complex is constructed and important topological features are selected, important topological features are enhanced respectively, and a weighted average method is used for fusion to generate a fused grayscale image. The spatiotemporal mapping generation method is used for segmentation, dynamic time warping is used to calculate DTW distance and mark mutation point segments, and the evolutionary fitness formula is used to calculate the evolutionary fitness of mutation point segments and identify intrusion behavior. The K-means clustering method is used to cluster the mutation point fragments corresponding to the invasion behavior, and a long short-term memory network model is constructed to predict the invasion behavior at time t. Store, collect, and analyze the network traffic data generated; The process involves collecting network traffic data using a network packet capture tool, constructing a spatiotemporal matrix using a mapping matrix construction method, converting it to a grayscale image, dynamically adjusting it using a dynamic weight adjustment formula, constructing a topological complex and selecting important topological features, enhancing these important features, and then fusing them using a weighted average method to generate a fused grayscale image. This includes: The network traffic data includes packet size, transmission delay, source port, destination port, transmission time, traffic frequency, and timestamp; The preprocessed network traffic data is sorted in chronological order. The mapping matrix construction method is used to map the timestamps corresponding to the preprocessed network traffic data to the rows of the spatiotemporal matrix and the preprocessed network traffic data to the columns of the spatiotemporal matrix to construct the spatiotemporal matrix. The spatiotemporal matrix is ​​converted into a grayscale image using a grayscale value mapping formula. The neighborhood window is set using the sliding window method. The mean and standard deviation of the neighborhood window are calculated. The local relative contrast of the (x,y)th pixel is calculated using the local relative contrast formula. , where x and y are the row and column indices in the grayscale image, respectively; The time window size was set using a time window selection method, the time decay rate was set using an experimental method, and the neural signal intensity at the (x,y)th pixel was calculated using a Gaussian time-weighted activation function. ; The constant factor for enhancing intensity was set using statistical analysis. A random search method is used to set the threshold for neural signals. The gray value of the (x,y)th pixel in the grayscale image is dynamically adjusted using a dynamic weight adjustment formula. Calculate the grayscale difference between pixels in the adjusted grayscale image and set it as the connection strength. Use statistical analysis to set the connection threshold, mark the connection strength greater than the connection threshold as 1, and mark the connection strength less than or equal to the connection threshold as 0, and construct the adjacency matrix. The Rips complex construction method is used to construct the topological complex, and the topological feature extraction method is used to extract the topological features, including connected components and loop structures. The persistence calculation method is used to calculate the persistence of connected components and loop structures respectively, and the persistence screening method is used to screen the important topological features of connected components and loop structures respectively. The grayscale image of the important topological features of the connected components is enhanced using the brightness enhancement method, and the grayscale image of the important topological features of the loop structure is enhanced using the normalization enhancement method. The weighting coefficients are set using the backpropagation algorithm, and the enhanced gray values ​​are fused using the weighted average method to obtain the fused gray values. The image is then reconstructed using the fused gray values ​​to generate the fused gray image. The segmentation process using a spatiotemporal mapping generation method, the calculation of DTW distance using dynamic time warping and the marking of mutation point fragments, and the calculation of the evolutionary fitness of mutation point fragments using an evolutionary fitness formula to identify intrusion behavior include: The spatiotemporal mapping generation method is used to segment the fused grayscale image according to the time dimension and extract spatiotemporal data fragments; Network traffic data is collected from the MongoDB database. The spatiotemporal data fragmentation method is used to segment the collected network traffic data from the database according to the timestamp, and database data fragments are extracted. The BLAST algorithm is used to locally compare spatiotemporal data segments with database data segments, calculate the similarity score of the time segments, and sort the similarity scores from largest to smallest. Dynamic time warping is used to calculate the DTW distance between the data segment corresponding to the maximum similarity score and the other data segments. The percentile method is used to set the outlier threshold, and segments with a DTW distance greater than the outlier threshold are marked as mutation point segments. The similarity score between the mutation point fragment and the database data fragment is calculated using the Jaccard similarity coefficient formula, and the evolutionary fitness of the mutation point fragment is calculated using the evolutionary fitness formula. Using rules of thumb to set a detection threshold, mutation points with evolutionary fitness greater than the detection threshold are marked as intrusive behaviors.

2. The deep learning-based network intrusion detection method as described in claim 1, characterized in that: The method of clustering mutation point fragments corresponding to invasion behavior using K-means clustering includes: Normalize the mutation point fragments corresponding to the intrusion behavior; The ROC curve method is used to set the classification threshold, and the elbow rule is used to set the number of clusters K. K load data are randomly selected as initial cluster centers from the normalized mutation point fragments. The Euclidean distance formula is used to calculate the Euclidean distance from the normalized mutation point fragments to the K distance centers. The normalized mutation point fragments are assigned to the nearest cluster centers. After each assignment, the K cluster centers are recalculated. The iteration stops when the calculated number of cluster centers is less than the judgment threshold, resulting in K clustered invasion types.

3. The deep learning-based network intrusion detection method as described in claim 2, characterized in that: The construction of a long short-term memory network model to predict intrusion behavior at time t includes: Collect labeled historical network traffic data and preprocess it to generate a training set; Construct a long short-term memory network model, including an input layer, an LSTM layer, a Dense layer, and an output layer; The input layer is formatted as network traffic data; The long short-term memory network model was trained using the training set, and the model parameters were iteratively optimized using the loss function and the Adam optimizer. The preprocessed network traffic data is fed into the trained Long Short-Term Memory network model to obtain the intrusion behavior at time t. The intrusion behaviors include SQL injection, phishing attacks, brute-force attacks, and lateral movement.

4. The deep learning-based network intrusion detection method as described in claim 3, characterized in that: The preprocessing of network traffic data includes: Gaussian filtering was used for noise reduction, interquartile range method was used to identify and delete outlier data, mode imputation method was used to fill in missing data, and network traffic data was normalized.

5. The deep learning-based network intrusion detection method as described in claim 4, characterized in that: The network traffic data collected and analyzed includes: All collected network traffic data and analysis data are stored in a central database, and secure access measures are set up. The central database backs up the stored data to the cloud and regularly performs integrity checks on the stored data and backup data. After the checks are completed, integrity check records are generated and synchronously stored in the central database.

6. A deep learning-based network intrusion detection system, based on the deep learning-based network intrusion detection method according to any one of claims 1 to 5, characterized in that: include, The collection and enhancement module is used to collect network traffic data using network packet capture tools, preprocess the network traffic data, construct a spatiotemporal matrix using the mapping matrix construction method, convert it into a grayscale image, dynamically adjust it using the dynamic weight adjustment formula, construct a topological complex and screen important topological features, enhance the important topological features respectively, and fuse them using the weighted average method to generate a fused grayscale image. The identification module is used to segment using the spatiotemporal mapping generation method, calculate the DTW distance using dynamic time warping and mark mutation point segments, and calculate the evolutionary fitness of mutation point segments using the evolutionary fitness formula and identify intrusion behavior. The clustering prediction module is used to cluster the mutation point fragments corresponding to the invasion behavior using the K-means clustering method, and to build a long short-term memory network model to predict the invasion behavior at time t. The storage module is used to store the network traffic data collected and analyzed.

7. A computer device comprising a memory and a processor, wherein the memory stores a computer program, characterized in that: When the processor executes the computer program, it implements the steps of the deep learning-based network intrusion detection method according to any one of claims 1 to 5.

8. A computer-readable storage medium having a computer program stored thereon, characterized in that: When the computer program is executed by the processor, it implements the steps of the deep learning-based network intrusion detection method according to any one of claims 1 to 5.