Network risk identification model training method and device, equipment and readable storage medium
By performing protocol identification and hybrid encoding on raw network traffic data, and combining it with a conditional generative adversarial model for data augmentation, the problems of high false alarm rate and low efficiency in the training of existing network risk identification models are solved, and efficient network risk identification is achieved.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- CHINA MOBILE FINANCIAL TECHNOLOGY CO LTD
- Filing Date
- 2026-03-30
- Publication Date
- 2026-07-10
AI Technical Summary
Existing network risk identification model training methods suffer from high false positive rates and low training efficiency, mainly due to coarse data preprocessing granularity, weak data augmentation targeting, and poor interpretability, resulting in poor dataset quality and affecting training speed and computing costs.
By identifying protocols in raw network traffic data, using hybrid coding to process data of different protocol types, combining conditional generative adversarial models for data augmentation, and training based on feature extraction models to ensure that convolutional kernel parameters are adapted to protocol context, a network risk identification model is constructed.
It achieves semantic-level fine-grained processing, improves the expressive power of the feature extraction module and the generalization performance of the model, significantly reduces the false alarm rate of risk identification, and improves the model training efficiency and the pertinence and effectiveness of data augmentation.
Smart Images

Figure CN122372243A_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of artificial intelligence technology, specifically to a method, apparatus, device, and readable storage medium for training a network risk identification model. Background Technology
[0002] With the rapid development of information technology and the continuous changes in the network environment, the volume of network data has surged, especially in the financial sector where attacks account for a high proportion, providing attackers with more opportunities. Network attack methods are becoming increasingly complex and professional, evolving from traditional viruses and Trojans to advanced threats such as APT attacks and zero-day exploits. End users face multiple risks, including identity theft, privacy breaches, and financial losses. Advanced network risk identification technologies can effectively reduce network attacks and minimize losses for businesses and users. Therefore, research on network risk identification methods is of great significance in fields such as finance.
[0003] Existing methods for identifying network risks typically begin with data preprocessing through cleaning and simple normalization. This is followed by iterative training using deep learning models such as machine learning or convolutional neural networks (CNNs). Finally, the trained weights are used to identify risks in network traffic data. However, this method suffers from coarse-grained data preprocessing, leading to poor dataset quality and a high false positive rate. Furthermore, the network traffic data augmentation provided by this model is weakly targeted and lacks interpretability, thus impacting training speed and increasing computational costs. Summary of the Invention
[0004] This application provides a method, apparatus, device, and readable storage medium for training a network risk identification model, which solves the problems of high false alarm rate and low training efficiency in existing network risk identification model training methods.
[0005] In a first aspect, embodiments of this application provide a method for training a network risk identification model, including:
[0006] The raw network traffic data is subjected to protocol identification to obtain data of at least two protocol types;
[0007] After processing the data of the at least two protocol types according to their respective processing channels, the data is then subjected to hybrid encoding to obtain hybrid encoded feature data.
[0008] Using a conditional generative adversarial model, data augmentation is performed on the hybrid encoded feature data to obtain augmented data;
[0009] Based on the training set, the feature extraction model is trained to obtain the network risk identification model. The training set includes the original network traffic data and the augmented data. The convolution kernel parameters and size of the feature extraction model can be adapted to the protocol context.
[0010] In some embodiments, the method further includes:
[0011] Based on real time-series traffic datasets, a key time-series pattern anchor point library is constructed, which includes multiple time-series attack anchor point patterns with high discriminative power.
[0012] The generative adversarial model is trained based on random noise vectors, condition variables, and anchor patterns selected from the key temporal pattern anchor point library to obtain the conditional generative adversarial model. The condition variables include category labels, text descriptions, or scene constraint information, which are used to guide the generator in the generative adversarial model to generate temporal data under specific scenarios.
[0013] In some embodiments, training the generative adversarial model based on a random noise vector, conditional variables, and anchor patterns selected from the key temporal pattern anchor library to obtain the conditional generative adversarial model includes:
[0014] Based on the random noise vector, condition variables, and anchor patterns selected from the key time series pattern anchor point library, the generator generates complete time series samples.
[0015] Extract the time series sub-segments corresponding to the anchor point pattern from the complete time series sample;
[0016] Calculate the distance between the temporal sub-segment and the anchor point pattern;
[0017] The generator and the discriminator in the generative adversarial model are alternately optimized according to the first loss function until the first termination condition is met, thus obtaining the conditional generative adversarial model.
[0018] The first loss function includes adversarial loss and pattern anchoring loss. The adversarial loss is determined based on the complete time series sample, and the pattern anchoring loss is determined based on the distance between the time series sub-segment and the anchor pattern.
[0019] In some embodiments, training the feature extraction model based on the training set to obtain the network risk identification model includes:
[0020] The training set is input into the feature extraction model, and after passing through the residual convolutional layer, pooling layer and feature fusion pyramid in sequence, the fused feature data is obtained. The training set includes positive sample pairs and negative sample library.
[0021] The fused feature data is subjected to protocol embedding feature extraction, and the extracted feature data is passed through a fully connected layer to obtain the feature vectors of positive samples, negative samples, and anchor samples.
[0022] Based on the feature vector of the negative sample, the feature vector of the anchor sample, and the local density estimate of the negative sample, the local density adaptive weight is calculated.
[0023] Based on the second loss function, the model parameters of the feature extraction model are updated until the second termination condition is met, thus obtaining the network risk identification model.
[0024] The second loss function is determined based on the local density adaptive weights, the feature vectors of the positive samples, the feature vectors of the negative samples, and the feature vectors of the anchor samples.
[0025] In some embodiments, the step of extracting protocol embedding features from the fused feature data includes:
[0026] The fused feature data is then subjected to global average pooling to obtain a global feature vector.
[0027] The target convolutional kernel is determined based on the protocol embedding vector; wherein the protocol embedding vector is generated from the original network traffic data and is used to characterize the semantic information of the protocol context, and the target convolutional kernel is adapted to the protocol context;
[0028] Based on the target convolution kernel, the global feature vector is convolved to obtain feature weights;
[0029] Based on the feature weights and the fused data features, feature extraction is performed to obtain the extracted feature data.
[0030] In some embodiments, determining the target convolutional kernel based on the protocol embedding vector includes:
[0031] A linear transformation is performed on the protocol embedding vector to obtain the original weight information required to generate the convolution kernel;
[0032] The original weight information is reshaped to obtain the first convolutional kernel;
[0033] Using the geometric center of the first convolutional kernel as the origin, a target convolutional kernel adapted to the protocol context is cropped.
[0034] In some embodiments, the method further includes:
[0035] The model parameters in the student model are trained and updated using samples in a three-level memory. The three-level memory includes a core sample library, a hard sample library, and a new protocol sample library. The core sample library stores the latest standardized protocol samples, the hard sample library stores samples that the model predicts incorrectly, and the new protocol sample library stores new protocol samples.
[0036] By using the exponential moving average (EMA), the model parameters in the student model are fused with the model parameters of the network risk identification model to obtain an optimized network risk identification model.
[0037] Secondly, embodiments of this application also provide a network risk identification model training device, comprising:
[0038] The protocol identification module is used to identify the protocol of the raw network traffic data and obtain data of at least two protocol types.
[0039] The first processing module is used to process the data of the at least two protocol types according to their respective processing channels, and then perform mixed encoding processing to obtain the mixed encoded feature data.
[0040] The data augmentation module is used to augment the hybrid encoded feature data using a conditional generative adversarial model to obtain augmented data.
[0041] The model training module is used to train the feature extraction model based on the training set to obtain the network risk identification model. The training set includes the original network traffic data and the augmented data. The convolution kernel parameters and size of the feature extraction model can be adapted to the protocol context.
[0042] Thirdly, embodiments of this application also provide a network risk identification model training device, including a processor and a transceiver, wherein the transceiver receives and transmits data under the control of the processor, and the processor is used to perform the following operations:
[0043] The raw network traffic data is subjected to protocol identification to obtain data of at least two protocol types;
[0044] After processing the data of the at least two protocol types according to their respective processing channels, the data is then subjected to hybrid encoding to obtain hybrid encoded feature data.
[0045] Using a conditional generative adversarial model, data augmentation is performed on the hybrid encoded feature data to obtain augmented data;
[0046] Based on the training set, the feature extraction model is trained to obtain the network risk identification model. The training set includes the original network traffic data and the augmented data. The convolution kernel parameters and size of the feature extraction model can be adapted to the protocol context.
[0047] Fourthly, embodiments of this application also provide a network risk identification model training device, including a memory, a processor, and a computer program stored in the memory and running on it. When the processor executes the program, it implements the network risk identification model training method as described in the first aspect above.
[0048] Fifthly, embodiments of this application also provide a computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the steps in the network risk identification model training method described in the first aspect above.
[0049] In a sixth aspect, embodiments of this application also provide a computer program product, including computer instructions, which, when executed by a processor, implement the steps in the network risk identification model training method described in the first aspect above.
[0050] The above-mentioned technical solution of this application has at least the following beneficial effects:
[0051] In this embodiment, protocol identification is performed on the original network traffic data to obtain data of at least two protocol types. The data of the at least two protocol types are processed according to their respective processing channels, and then subjected to hybrid encoding to obtain hybrid encoded feature data. A conditional generative adversarial model is used to augment the hybrid encoded feature data to obtain augmented data. Based on a training set, a feature extraction model is trained to obtain a network risk identification model. The training set includes the original network traffic data and the augmented data. The convolutional kernel parameters and size of the feature extraction model are adapted to the protocol context. Thus, by identifying the protocol in the original network traffic data and using different processing channels for different protocol types, semantic-level fine-grained processing can be achieved. Hybrid encoding enables efficient unified encoding of high-dimensional sparse features and continuous features, balancing efficiency and information preservation. Using a conditional generative adversarial model for data augmentation improves the relevance and effectiveness of the generated data, thereby improving model training efficiency. Furthermore, the convolutional kernel parameters and size of the feature extraction model are adapted to the protocol context, enabling adaptive extraction of protocol traffic features at an extremely fine granularity, significantly improving the expressive power of the feature extraction module and the model's generalization performance. Attached Figure Description
[0052] Figure 1 This is a flowchart illustrating one of the network risk identification model training methods according to an embodiment of this application;
[0053] Figure 2 A flowchart illustrating the hybrid encoding of an embodiment of this application;
[0054] Figure 3 This is a schematic diagram illustrating the structure of the feature extraction model according to an embodiment of this application;
[0055] Figure 4 A flowchart illustrating the online self-optimization of the model in an embodiment of this application;
[0056] Figure 5 The second schematic flowchart illustrates the network risk identification model training method according to an embodiment of this application;
[0057] Figure 6 A schematic diagram of the modules of the network risk identification model training device according to an embodiment of this application;
[0058] Figure 7 This is a schematic diagram of the hardware structure of the network risk identification model training device according to an embodiment of this application. Detailed Implementation
[0059] The technical solutions of the embodiments of this application will be clearly described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of this application. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.
[0060] The terms "first," "second," etc., used in the specification and claims of this application are used to distinguish similar objects and are not used to describe a specified order or sequence. It should be understood that such use of data can be interchanged where appropriate so that embodiments of this application can be implemented in orders other than those illustrated or described herein, and the objects distinguished by "first" and "second" are generally of the same class, not limited in number; for example, a first object can be one or more. Furthermore, in the specification and claims, "and" indicates at least one of the connected objects, and the character " / " generally indicates that the preceding and following objects are in an "or" relationship.
[0061] Existing network risk identification methods only perform simple normalization of network traffic data during the data preprocessing stage. Although some technical solutions identify protocols, they lack dedicated channels for different protocols and cannot perform protocol-specific operations, thus affecting the detection depth. Furthermore, static encoding strategies are prone to dimensionality explosion or information loss, making them difficult to adapt to dynamic traffic changes. Consequently, these methods result in poor dataset quality, high false positive rates in risk identification, and high human costs for risk processing.
[0062] Moreover, among existing network traffic data augmentation methods, traditional Generative Adversarial Networks (GANs) only learn the overall data distribution. The generation process is random and uncontrollable, making it difficult to ensure that the generated "attack traffic" contains well-defined and critical temporal attack patterns (such as specific time interval sequences of port scanning or burst traffic waveforms of Distributed Denial of Service (DDoS) attacks). This results in weak targeting and poor interpretability of the augmented data, which in turn affects training speed and increases computational costs.
[0063] To address the aforementioned technical problems, this invention provides a method, apparatus, device, and readable storage medium for training a network risk identification model. The method and apparatus are based on the same concept as described in the application. Since the principles underlying the problems solved by the method and apparatus are similar, their implementations can be mutually referenced, and repeated details will not be elaborated further.
[0064] like Figure 1 As shown in the embodiments of this application, a method for training a network risk identification model is provided, which may specifically include:
[0065] Step 101: Perform protocol identification on the raw network traffic data to obtain data of at least two protocol types;
[0066] Among them, a trained supervised learning model (XGBoost) can be used to identify the protocol of the original network traffic data, and finally output the protocol label and confidence level, that is, to determine which protocol type the original network traffic data belongs to, that is, to obtain data of at least two protocol types.
[0067] It should be noted that before performing protocol identification on the raw network traffic data, data cleaning can be performed. Specifically, this involves processing invalid data, identical traffic records, missing and outlier values, and timestamps with different formats. For example, timestamps from different time zones and formats can be unified to Unix timestamps. For incomplete traffic records in the raw network traffic data, if the missing rate is low (<5%) and randomly distributed, missing records can be deleted. Numerical features (such as packet length and traffic size) can be filled using the mean / median.
[0068] Step 102: After processing the data of the at least two protocol types according to their respective processing channels, the data is then mixed and encoded to obtain the mixed-encoded feature data.
[0069] Here, the protocol types for network traffic data include, but are not limited to, Hypertext Transfer Protocol (HTTP), Transmission Control Protocol (TCP), and Domain Name System (DNS).
[0070] For different protocol types, this application uses different processing channels to achieve semantic-level fine-grained processing. Furthermore, through hybrid encoding, it can achieve efficient unified encoding of high-dimensional sparse features and continuous features, balancing efficiency and information preservation.
[0071] Step 103: Using a conditional generative adversarial model, perform data augmentation on the hybrid encoded feature data to obtain augmented data;
[0072] Here, the hybrid encoded feature data can be input into the conditional generative adversarial model for data augmentation, which can effectively increase the proportion of positive samples in the dataset and improve the imbalance between positive and negative samples in the dataset.
[0073] Specifically, this application constructs a key temporal pattern anchor point library, which can accurately indicate which specific, highly discriminative attack "fingerprint" (i.e., anchor point pattern) the conditional generative adversarial model must embody in the output, thereby achieving precise guidance and control of the generation process, ensuring that the generated augmented data necessarily contains predefined, interpretable key attack features, improving the targeting and effectiveness of the generated data, avoiding the "pattern collapse" problem of the conditional generative adversarial model only generating a few simple patterns, and ensuring the diversity of attack patterns.
[0074] Step 104: Based on the training set, train the feature extraction model to obtain the network risk identification model. The training set includes the original network traffic data and the augmented data. The convolution kernel parameters and size of the feature extraction model can be adapted to the protocol context.
[0075] Here, the convolution kernel parameters and size of the feature extraction model can be adapted to the protocol context, which enables the adaptive extraction of protocol traffic features with extremely fine granularity. It is particularly good at handling traffic of protocols with large internal differences and emerging unknown protocols, which significantly improves the expressive power of the feature extraction module and the generalization performance of the model.
[0076] The network risk identification model training method of this application embodiment performs protocol identification on the original network traffic data to obtain data of at least two protocol types; after processing the data of the at least two protocol types according to their respective corresponding processing channels, it undergoes hybrid encoding to obtain hybrid encoded feature data; using a conditional generative adversarial model, it performs data augmentation on the hybrid encoded feature data to obtain augmented data; and based on a training set, it trains a feature extraction model to obtain a network risk identification model, wherein the training set includes the original network traffic data and the augmented data, and the convolution kernel parameters and size of the feature extraction model are compatible with the protocol... The following is an adaptation: By identifying the protocol in the raw network traffic data and using different processing channels for different protocol types, semantic-level fine-grained processing can be achieved. Furthermore, through hybrid encoding, efficient unified encoding of high-dimensional sparse features and continuous features can be achieved, balancing efficiency and information preservation. Data augmentation using a conditional generative adversarial model enhances the relevance and effectiveness of the generated data, thereby improving model training efficiency. Moreover, the convolutional kernel parameters and size of the feature extraction model are adapted to the protocol context, enabling adaptive extraction of protocol traffic features at an extremely fine granular level, significantly improving the expressive power of the feature extraction module and the model's generalization performance.
[0077] As an optional implementation, step 102 above involves processing the data of the at least two protocol types according to their respective processing channels, including:
[0078] For HTTP data, header parsing methods are used to perform chunked transfer decoding, compressed content decompression (gzip / deflate), and cookie sensitive field desensitization.
[0079] For TCP data, stream reassembly and sequence analysis techniques are used, an adaptive window adjustment algorithm is used to optimize the data, and retransmission mode recognition (timeout / fast retransmission) is used to identify timeouts and fast retransmissions.
[0080] For DNS type data, query matching technology is used to perform domain name detection using the Domain Generation Algorithm (DGA), Time-to-Live (TTL) consistency checks, and Domain Name System Security Extensions (DNSSEC) signature verification.
[0081] Here, data from at least two protocol types are processed according to their respective processing channels to obtain their corresponding feature data; then, the feature data corresponding to different protocol types are mixed and encoded. See also Figure 2 The implementation process of hybrid encoding can be explained in detail below.
[0082] 1) Use the feature data output from different processing channels as input features to determine the feature type;
[0083] Here, feature type determination is based on automated rules and statistical algorithms, specifically:
[0084] First, the cardinality of the feature values is calculated. Features with fewer than 1,000 unique values and a high-frequency value ratio of over 90% are identified as high-frequency discrete features. Features with extremely high cardinality and long-tailed distribution are identified as low-frequency discrete features based on information entropy (Entropy > 5.0). For numerical data, the continuity (such as variance and skewness) is detected and confirmed as continuous numerical features through quantile distribution analysis.
[0085] 2) Hybrid encoding, which means using different encoding schemes to encode different features obtained after feature type determination, in order to achieve semantic unity of different data types.
[0086] For high-frequency discrete features, one-hot encoding is used: First, a dictionary is constructed, the frequency of each field value in the training set is counted, and the top-N high-frequency values are retained (e.g., N=1000). Then, rare values that exceed the dictionary (e.g., long-tail low-frequency values, new values not logged in, or invalid or abnormal discrete values generated by malicious injection) are hashed and bucketed to avoid dimensionality explosion.
[0087] For low-frequency discrete features, dynamic embedding encoding is performed based on information entropy: first, a dynamic dictionary is initialized, and then the embedding dimension is dynamically adjusted according to the feature entropy value.
[0088] For continuous numerical features, quantile normalization encoding is used: first, the P2 algorithm is used to estimate quantiles online (without storing the full data), then Winsorization is used to truncate outliers, and finally the normalized values are discretized into integer bins.
[0089] 3) Perform dimensional compression on the encoded data.
[0090] It should be noted that hybrid encoding can achieve efficient unified encoding of high-dimensional sparse features and continuous features, balancing efficiency and information preservation.
[0091] In step 103 above, a conditional generative adversarial model is used to augment the hybrid encoded feature data. That is, a pre-trained conditional generative adversarial model is required. The conditional generative adversarial model can be trained in the following way.
[0092] As an optional implementation, the method of this application also includes:
[0093] Based on real time-series traffic datasets, a key time-series pattern anchor point library is constructed, which includes multiple time-series attack anchor point patterns with high discriminative power.
[0094] Here, highly discriminative time-series attack anchor patterns can be manually extracted or labeled from real time-series traffic datasets to build a key time-series pattern anchor library.
[0095] Optional, highly discriminative timing attack anchor patterns include, but are not limited to, network attack timing segments such as DDoS attacks (e.g., burst traffic waveforms of DDoS attacks) and port scans (e.g., specific time interval sequences of port scans).
[0096] It should be noted that the highly discriminative temporal attack anchor patterns in the key temporal pattern anchor point library serve as conditional control signals during training. They tell the generator in the generative adversarial model which specific attack "fingerprint" (i.e., anchor pattern) must be reproduced. They are also used to calculate the pattern anchoring loss in the subsequent first loss function, comparing the temporal segments generated by the generator with the anchor patterns and penalizing mismatched generation results.
[0097] The generative adversarial model is trained based on random noise vectors, condition variables, and anchor patterns selected from the key temporal pattern anchor point library to obtain the conditional generative adversarial model. The condition variables include category labels, text descriptions, or scene constraint information, which are used to guide the generator in the generative adversarial model to generate temporal data under specific scenarios.
[0098] As an optional implementation, this step may specifically include:
[0099] Based on the random noise vector, condition variables, and anchor patterns selected from the key time series pattern anchor point library, the generator generates complete time series samples.
[0100] Here, the generative adversarial model consists of a generator G and a discriminator D. Specifically, the generator G generates complete time-series samples x. gen It can be represented as: x gen =G(z,c,a k ); where z represents a random noise vector, c represents a condition variable (such as category label, text description, etc.), and a k Indicates the selected anchor point pattern.
[0101] Extract the time series sub-segments corresponding to the anchor point pattern from the complete time series sample;
[0102] Here, the ExtractSegment() function is used to extract the anchor pattern a. k Corresponding time segment x gen_segment For example, if a k If it is a DDoS mode that lasts for 2 seconds, then extract the 2-second segment with the best matching features from the complete time series sample.
[0103] Calculate the distance between the temporal sub-segment and the anchor point pattern;
[0104] Here, the distance between the temporal sub-segment and the anchor pattern can be the Dynamic Time Warping (DTW) distance, Mean Squared Error (MSE), or Cosine Similarity. Wherein, the temporal sub-segment x gen_segment With anchor point pattern a k The distance between them can be represented as Distance(x) gen_segment , a k Distance() is a distance metric function used to calculate the difference between two time segments.
[0105] The generator and the discriminator in the generative adversarial model are alternately optimized according to the first loss function until the first termination condition is met, thus obtaining the conditional generative adversarial model.
[0106] The first loss function includes adversarial loss and pattern anchoring loss. The adversarial loss is determined based on the complete time series sample, and the pattern anchoring loss is determined based on the distance between the time series sub-segment and the anchor pattern.
[0107] Here, the adversarial loss can be expressed as The pattern anchoring loss can be expressed as .in, This indicates that the discriminator D calculates the probability that a fake sample generated by the generator G is a real sample.
[0108] The first loss function L(G) can be expressed as:
[0109]
[0110] Among them, the adversarial loss can constrain the generator to output samples that conform to the distribution of real time-series data, thus ensuring the authenticity of the generated data; the pattern anchoring loss can constrain the generator to accurately reproduce the selected anchor pattern, thus ensuring the controllability and accuracy of the generated content.
[0111] This represents the pattern anchoring loss weight coefficient, used to balance the weight ratio of adversarial loss and pattern anchoring loss, so that the model achieves the optimal balance between realism and anchor point matching, realizing controllable, accurate, and realistic time-series data generation. Here, It was determined using a grid search method.
[0112] In this embodiment, a pattern anchoring loss is added on top of the adversarial loss. This loss term penalizes the difference between the generated fragment and the target anchor pattern (i.e., the selected anchor pattern), forcing the generator to reproduce it accurately.
[0113] It should be understood that alternately optimizing the generator and discriminator according to the first loss function means: fixing the generator G, updating the discriminator D to distinguish between real samples and generated samples; fixing the discriminator D, updating the generator with the first loss function as the objective, and repeating the above steps until the termination condition is met, such as the number of training times reaching a preset number, or the loss value no longer changing (i.e., the model converges).
[0114] It should be noted that before performing step 104, an adaptive confidence threshold can be calculated first; then, the confidence of the samples in the training set can be determined based on the adaptive confidence threshold.
[0115] Specifically, the adaptive confidence threshold a t It is calculated using the following formula:
[0116]
[0117] Where, initial a base =0.9, β=0.1, lowest a base =0.75. The total sample size is the training set, which includes raw network traffic data and augmented data. In supervised learning, the total sample size will contain some labeled samples and some unlabeled samples to reduce manual workload.
[0118] Then, when the real-time traffic confidence level > a t At that time, network traffic data enters the pseudo-label generation stage of multimodal verification; low-confidence samples are diverted to manual review or automatic labeling through the intelligent pre-screening system (anomaly detection + cluster analysis); the real-time traffic confidence is obtained in the above generative adversarial model.
[0119] As an optional implementation, step 104 above, based on the training set, trains the feature extraction model to obtain a network risk identification model, including:
[0120] Step 1041: Input the training set into the feature extraction model, and after passing through the residual convolutional layer, pooling layer and feature fusion pyramid in sequence, obtain the fused feature data. The training set includes positive sample pairs and negative sample library.
[0121] Step 1042: Perform protocol embedding feature extraction on the fused feature data, and pass the extracted feature data through a fully connected layer to obtain the feature vectors of positive samples, negative samples, and anchor samples.
[0122] See Figure 3 The feature extraction model includes residual convolutional layers, pooling layers, feature fusion pyramids, an adaptive feature extraction module (i.e., performing protocol embedding feature extraction steps), and fully connected layers.
[0123] The residual convolutional layer is used to perform preliminary feature extraction on the fused feature data, resulting in feature maps P1 and P2. After pooling, feature map P3 is obtained. The pooling layer can reduce the spatial size of the feature map, reduce the number of network parameters, and extract important features. Then, feature map P3 is input into the feature fusion pyramid. Through the bottom-up fusion path, high-resolution (fine-grained) features are fused into low-resolution features with stronger semantics. Through the top-down fusion path, high-level semantic information is passed to the lower layers, enhancing the discriminative power of detailed features.
[0124] Existing network risk identification models use preset and fixed convolutional kernel sizes and attention weight calculations, which cannot be dynamically adjusted according to the protocol attributes of the input data. This makes them difficult to adapt to complex and ever-changing network environments, affecting inference speed and accuracy. To address this issue, as an optional implementation, step 1042 involves extracting protocol embedding features from the fused feature data, including:
[0125] The fused feature data is then subjected to global average pooling to obtain a global feature vector.
[0126] Here, the fused feature data undergoes Global Average Pooling (GAP), which averages the spatial locations of each feature map in the fused feature data to capture the overall distribution of the feature maps, thus obtaining the global feature vector.
[0127] The target convolutional kernel is determined based on the protocol embedding vector; wherein the protocol embedding vector is generated from the original network traffic data and is used to characterize the semantic information of the protocol context, and the target convolutional kernel is adapted to the protocol context;
[0128] Specifically, the target convolutional kernel, determined based on the protocol embedding vector, dynamically and continuously generates the kernel parameters and size best suited to the current protocol context by utilizing the semantic information contained in the protocol embedding vector. This allows the network to autonomously learn whether, for the current input protocol traffic, it should focus more on local subtle features (k close to 3) or global macroscopic patterns (k close to 9). This enables adaptive extraction of protocol traffic features at an extremely fine granular level, making it particularly adept at handling traffic from protocols with significant internal differences and emerging, unknown protocols, significantly improving the expressive power of the adaptive feature extraction module and the model's generalization performance.
[0129] Based on the target convolution kernel, the global feature vector is convolved to obtain feature weights;
[0130] Based on the feature weights and the fused data features, feature extraction is performed to obtain the extracted feature data.
[0131] In an optional embodiment, feature extraction based on the feature weights and the fused data features may include:
[0132] The feature weights A can be... c Multiply by the fused data features, then use residual connections to perform summation and ReLU to obtain the feature F1;
[0133] in, Input feature (i.e., the fused data features) tensor Relu represents the ReLU activation function.
[0134] Feature F1 is processed by global average pooling and global max pooling to obtain two feature maps; then, a concat operation, convolution, and sigmoid function are performed to obtain the spatial weights A. s Finally, the spatial weights A s Multiply by feature F1, and then output the gated residual.
[0135] After obtaining the extracted feature data, a fully connected layer is used to integrate the extracted feature data into global discriminative features, that is, to obtain the feature vectors of positive samples, negative samples, and anchor samples.
[0136] Step 1043: Based on the feature vector of the negative sample, the feature vector of the anchor sample, and the local density estimate of the negative sample, calculate the local density adaptive weight;
[0137] Step 1044: Based on the second loss function, update the model parameters of the feature extraction model until the second termination condition is met, and obtain the network risk identification model;
[0138] The second loss function is determined based on the local density adaptive weights, the feature vectors of the positive samples, the feature vectors of the negative samples, and the feature vectors of the anchor samples.
[0139] The local density adaptive weights can be calculated using the following formula:
[0140]
[0141] Here, w ik Represents the local density adaptive weights, z i The feature vector representing the anchor sample is used to construct the loss function in this application; z k This represents the feature vector of the negative sample, which should be semantically dissimilar to the anchor sample i. This represents the local density estimate of sample k; a larger value indicates a denser surrounding area. This represents the density factor index, which controls the suppression intensity of samples in low-density regions.
[0142] The second loss function L can be expressed as:
[0143]
[0144] Here, z j represents the feature vector of the positive sample, which should be semantically similar to the anchor sample i; a represents the temperature coefficient.
[0145] It's important to note that difficult-to-negative samples are beneficial, forcing the model to learn more refined features; while false negative samples (potentially noise or rare samples) are harmful, misleading the model's learning. This application introduces local density estimation of samples, dynamically and adaptively reweighting sample pairs. The goal is not simply to give more weight to difficult-to-negative samples, but to intelligently distinguish between "beneficial difficult-to-negative samples" and "harmful false negative samples." High-density regions: Samples are clustered, with semantically ambiguous but unclear concepts. A negative sample similar to the anchor point located in a high-density region is likely a true negative sample. Low-density regions: Samples are sparse, possibly containing labeled noise, rare samples, or class boundaries. A negative sample similar to the anchor point located in a low-density region is highly likely a false negative sample (belonging to the anchor point's category but rare or mislabeled, etc.). This application gives moderate attention to difficult-to-negative samples in high-density regions, while significantly reducing the weight of difficult-to-negative samples in low-density regions, suppressing the contribution of negative sample pairs in low-density regions, while normally utilizing difficult-to-negative samples in high-density regions, making the learning process more robust. This is to avoid learning noise, thereby improving the model's robustness and generalization ability on real and noisy data.
[0146] As an optional implementation, determining the target convolutional kernel based on the protocol embedding vector includes:
[0147] A linear transformation is performed on the protocol embedding vector to obtain the original weight information required to generate the convolution kernel;
[0148] Here, a linear transformation of the protocol embedding vector can be achieved through a linear projection layer.
[0149] The original weight information is reshaped to obtain the first convolutional kernel;
[0150] Specifically, by reshaping the original weight information to readjust the dimensions, a standard 4D convolutional kernel (i.e., the first convolutional kernel) tensor W is formed. p .
[0151] Using the geometric center of the first convolutional kernel as the origin, a target convolutional kernel adapted to the protocol context is cropped.
[0152] Here, the first convolution kernel is the largest convolution kernel W. p Using the geometric center of the first convolutional kernel as the origin, a target convolutional kernel adapted to the protocol context is cropped, i.e., a smaller convolutional kernel of size k×k (floating-point numbers need to be rounded down). It should be noted that after obtaining the target convolutional kernel, convolution processing is performed on the global feature vector based on the target convolutional kernel. To ensure that the output size remains unchanged, padding is set to k / 2.
[0153] Specifically, the first convolution kernel W p It can be calculated using the following formula:
[0154]
[0155] Among them, e p For the protocol embedding vector, b g For the corresponding bias term, W p The initial size of the first generated convolutional kernel tensor is fixed at the maximum possible size. W g For the learnable weight matrix, C out Indicates the number of output channels (number of convolution kernels), C in This indicates the number of input channels (the same as the number of input feature map channels).
[0156] Target convolution kernel That is, a sub-nucleus with an actual size of k×k can be calculated using the following formula:
[0157]
[0158] After obtaining the network risk identification model through the above training process, online self-optimization can be performed in the practical application stage. During online self-optimization, existing technologies use a unified storage structure to store sample data, which cannot adapt to diverse data characteristics. Frequently accessed difficult samples are mixed with low-frequency historical data, leading to low retrieval efficiency for hot data and wasted storage resources. To solve this problem, in an optional implementation, the method of this application further includes:
[0159] The model parameters in the student model are trained and updated using samples in a three-level memory. The three-level memory includes a core sample library, a hard sample library, and a new protocol sample library. The core sample library stores the latest standardized protocol samples, the hard sample library stores samples that the model predicts incorrectly, and the new protocol sample library stores new protocol samples.
[0160] By using the exponential moving average (EMA), the model parameters in the student model are fused with the model parameters of the network risk identification model to obtain an optimized network risk identification model.
[0161] For this implementation method, please refer to Figure 4 The annotation data drives the training of a lightweight student model (3-layer CNN). The pre-trained network risk identification model is used as the teacher model. The model parameters of the teacher model (i.e., the network risk identification model) are progressively updated using exponential moving average (EMA). During online self-optimization, a three-level memory (core samples / difficult samples / new protocol samples) is dynamically maintained. The three-level memory uses a three-level classification storage: Core sample library (capacity 10,000 records): It adopts a FIFO (First-In-First-Out) rolling update strategy to store standardized samples of the most recent and common protocols. When new samples are added, the oldest samples are automatically discarded. Difficult sample library (capacity 5,000 records): It prioritizes storing samples that the model predicted incorrectly (such as false positives / false negatives). The retention strategy is based on the prediction uncertainty weight (the higher the uncertainty, the higher the retention priority). New protocol sample library (capacity 2,000 records): It uses clustering and deduplication storage to retain 2,000 new protocol samples. The three-level storage structure prioritizes the use of limited space to store data that has the greatest impact on model training, solving the resource waste problem caused by "a large amount of space being occupied by low-frequency invalid data" in the unified storage architecture.
[0162] Here, this application uses a multi-dimensional monitoring panel (feature drift, prediction consistency, business violations) to assess model health in real time and trigger a tiered response: in case of anomalies, a precise rollback is performed (only the problematic module is rolled back), and in case of normal operation, a new version is seamlessly deployed, forming an enhanced closed loop of "dynamic threshold - intelligent traffic diversion - gradual update - targeted repair".
[0163] It should be noted that after the model is optimized, the optimized model is used to perform anomaly detection on the data in the test set to obtain the detection results.
[0164] See Figure 5 The following example illustrates the overall implementation process of the method in this application.
[0165] Step 501: Obtain raw network traffic data.
[0166] Step 502: Perform protocol-aware preprocessing on the raw network traffic data.
[0167] That is, after identifying the protocol of the raw network traffic data, the data of different protocol types are processed and mixed and encoded according to their respective processing channels.
[0168] Step 503: Perform data augmentation on the hybrid encoded feature data to obtain augmented data.
[0169] Here, after obtaining the augmented data, an adaptive sample confidence determination is performed on the augmented data and the original network traffic data.
[0170] Step 504: Obtain the training set and test set based on the augmented data and the original network traffic data.
[0171] Step 505: Based on the training set, perform self-supervised pre-training on the feature extraction model to obtain the network risk identification model.
[0172] Step 506: Perform online self-optimization on the network risk identification model to obtain the optimized network risk identification model.
[0173] Step 507: Use the optimized network risk identification model to perform anomaly detection on the data in the test set to obtain the prediction results.
[0174] like Figure 6 As shown in the figure, this application embodiment also provides a network risk identification model training device, including:
[0175] The protocol identification module 601 is used to identify the protocol of the raw network traffic data and obtain data of at least two protocol types.
[0176] The first processing module 602 is used to process the data of the at least two protocol types according to their respective processing channels, and then perform mixed encoding processing to obtain the mixed encoded feature data.
[0177] Data augmentation module 603 is used to augment the hybrid encoded feature data using a conditional generative adversarial model to obtain augmented data;
[0178] The model training module 604 is used to train the feature extraction model based on the training set to obtain the network risk identification model. The training set includes the original network traffic data and the augmented data. The convolution kernel parameters and size of the feature extraction model can be adapted to the protocol context.
[0179] In some embodiments of this application, the apparatus further includes:
[0180] The second processing module is used to construct a key time-series pattern anchor point library based on real time-series traffic datasets. The key time-series anchor point library includes multiple time-series attack anchor point patterns with high discriminative power.
[0181] The third processing module is used to train the generative adversarial model based on random noise vectors, condition variables, and anchor patterns selected from the key temporal pattern anchor point library to obtain the conditional generative adversarial model. The condition variables include category labels, text descriptions, or scene constraint information, which are used to guide the generator in the generative adversarial model to generate temporal data under specific scenarios.
[0182] In some embodiments, the third processing module includes:
[0183] The first processing unit is used to generate complete time series samples through the generator based on random noise vectors, condition variables, and anchor patterns selected from the key time series pattern anchor point library.
[0184] The second processing unit is used to extract the time series sub-segments corresponding to the anchor point pattern from the complete time series sample;
[0185] A calculation unit is used to calculate the distance between the temporal sub-segment and the anchor point pattern;
[0186] The third processing unit is used to alternately optimize the generator and the discriminator in the generative adversarial model according to the first loss function until the first termination condition is met, so as to obtain the conditional generative adversarial model.
[0187] The first loss function includes adversarial loss and pattern anchoring loss. The adversarial loss is determined based on the complete time series sample, and the pattern anchoring loss is determined based on the distance between the time series sub-segment and the anchor pattern.
[0188] In some embodiments, the model training module 604 includes:
[0189] The fourth processing unit is used to input the training set into the feature extraction model, and after passing through the residual convolutional layer, pooling layer and feature fusion pyramid in sequence, the fused feature data is obtained. The training set includes positive sample pairs and negative sample library.
[0190] The fifth processing unit is used to extract protocol embedding features from the fused feature data, and then pass the extracted feature data through a fully connected layer to obtain the feature vectors of positive samples, negative samples, and anchor samples.
[0191] The sixth processing unit is used to calculate the local density adaptive weight based on the feature vector of the negative sample, the feature vector of the anchor sample, and the local density estimate of the negative sample.
[0192] The seventh processing unit is used to update the model parameters of the feature extraction model based on the second loss function until the second termination condition is met, thereby obtaining the network risk identification model.
[0193] The second loss function is determined based on the local density adaptive weights, the feature vectors of the positive samples, the feature vectors of the negative samples, and the feature vectors of the anchor samples.
[0194] In some embodiments, the fifth processing unit is specifically used for:
[0195] The fused feature data is then subjected to global average pooling to obtain a global feature vector.
[0196] The target convolutional kernel is determined based on the protocol embedding vector; wherein the protocol embedding vector is generated from the original network traffic data and is used to characterize the semantic information of the protocol context, and the target convolutional kernel is adapted to the protocol context;
[0197] Based on the target convolution kernel, the global feature vector is convolved to obtain feature weights;
[0198] Based on the feature weights and the fused data features, feature extraction is performed to obtain the extracted feature data.
[0199] In some embodiments, the fifth processing unit is further configured to:
[0200] A linear transformation is performed on the protocol embedding vector to obtain the original weight information required to generate the convolution kernel;
[0201] The original weight information is reshaped to obtain the first convolutional kernel;
[0202] Using the geometric center of the first convolutional kernel as the origin, a target convolutional kernel adapted to the protocol context is cropped.
[0203] In some embodiments, the apparatus of this application further includes:
[0204] The fourth processing module is used to train and update the model parameters in the student model using samples in the three-level memory. The three-level memory includes a core sample library, a hard sample library, and a new protocol sample library. The core sample library stores the latest standardized protocol samples, the hard sample library stores samples that the model predicts incorrectly, and the new protocol sample library stores new protocol samples.
[0205] The fifth processing module is used to fuse the model parameters in the student model with the model parameters in the network risk identification model through the exponential moving average (EMA) to obtain an optimized network risk identification model.
[0206] The network risk identification model training device of this application embodiment performs protocol identification on the original network traffic data to obtain data of at least two protocol types; after processing the data of the at least two protocol types according to their respective corresponding processing channels, it performs hybrid encoding processing to obtain hybrid encoded feature data; using a conditional generative adversarial model, it performs data augmentation on the hybrid encoded feature data to obtain augmented data; based on the training set, it trains a feature extraction model to obtain a network risk identification model, wherein the training set includes the original network traffic data and the augmented data, and the convolution kernel parameters and size of the feature extraction model can be compatible with the protocol... The following is an adaptation: By identifying the protocol in the raw network traffic data and using different processing channels for different protocol types, semantic-level fine-grained processing can be achieved. Furthermore, through hybrid encoding, efficient unified encoding of high-dimensional sparse features and continuous features can be achieved, balancing efficiency and information preservation. Data augmentation using a conditional generative adversarial model enhances the relevance and effectiveness of the generated data, thereby improving model training efficiency. Moreover, the convolutional kernel parameters and size of the feature extraction model are adapted to the protocol context, enabling adaptive extraction of protocol traffic features at an extremely fine granular level, significantly improving the expressive power of the feature extraction module and the model's generalization performance.
[0207] To better achieve the above objectives, such as Figure 7 As shown in the illustration, this application embodiment also provides a network risk identification model training device, including a processor 700 and a transceiver 710. The transceiver 710 receives and transmits data under the control of the processor 700, and the processor 700 is used to perform the following operations:
[0208] The raw network traffic data is subjected to protocol identification to obtain data of at least two protocol types;
[0209] After processing the data of the at least two protocol types according to their respective processing channels, the data is then subjected to hybrid encoding to obtain hybrid encoded feature data.
[0210] Using a conditional generative adversarial model, data augmentation is performed on the hybrid encoded feature data to obtain augmented data;
[0211] Based on the training set, the feature extraction model is trained to obtain the network risk identification model. The training set includes the original network traffic data and the augmented data. The convolution kernel parameters and size of the feature extraction model can be adapted to the protocol context.
[0212] In some embodiments, the processor 700 is further configured to:
[0213] Based on real time-series traffic datasets, a key time-series pattern anchor point library is constructed, which includes multiple time-series attack anchor point patterns with high discriminative power.
[0214] The generative adversarial model is trained based on random noise vectors, condition variables, and anchor patterns selected from the key temporal pattern anchor point library to obtain the conditional generative adversarial model. The condition variables include category labels, text descriptions, or scene constraint information, which are used to guide the generator in the generative adversarial model to generate temporal data under specific scenarios.
[0215] In some embodiments, the processor 700 is further configured to:
[0216] Based on the random noise vector, condition variables, and anchor patterns selected from the key time series pattern anchor point library, the generator generates complete time series samples.
[0217] Extract the time series sub-segments corresponding to the anchor point pattern from the complete time series sample;
[0218] Calculate the distance between the temporal sub-segment and the anchor point pattern;
[0219] The generator and the discriminator in the generative adversarial model are alternately optimized according to the first loss function until the first termination condition is met, thus obtaining the conditional generative adversarial model.
[0220] The first loss function includes adversarial loss and pattern anchoring loss. The adversarial loss is determined based on the complete time series sample, and the pattern anchoring loss is determined based on the distance between the time series sub-segment and the anchor pattern.
[0221] In some embodiments, the processor 700 is further configured to:
[0222] The training set is input into the feature extraction model, and after passing through the residual convolutional layer, pooling layer and feature fusion pyramid in sequence, the fused feature data is obtained. The training set includes positive sample pairs and negative sample library.
[0223] The fused feature data is subjected to protocol embedding feature extraction, and the extracted feature data is passed through a fully connected layer to obtain the feature vectors of positive samples, negative samples, and anchor samples.
[0224] Based on the feature vector of the negative sample, the feature vector of the anchor sample, and the local density estimate of the negative sample, the local density adaptive weight is calculated.
[0225] Based on the second loss function, the model parameters of the feature extraction model are updated until the second termination condition is met, thus obtaining the network risk identification model.
[0226] The second loss function is determined based on the local density adaptive weights, the feature vectors of the positive samples, the feature vectors of the negative samples, and the feature vectors of the anchor samples.
[0227] In some embodiments, the processor 700 is further configured to:
[0228] The fused feature data is then subjected to global average pooling to obtain a global feature vector.
[0229] The target convolutional kernel is determined based on the protocol embedding vector; wherein the protocol embedding vector is generated from the original network traffic data and is used to characterize the semantic information of the protocol context, and the target convolutional kernel is adapted to the protocol context;
[0230] Based on the target convolution kernel, the global feature vector is convolved to obtain feature weights;
[0231] Based on the feature weights and the fused data features, feature extraction is performed to obtain the extracted feature data.
[0232] In some embodiments, the processor 700 is further configured to:
[0233] A linear transformation is performed on the protocol embedding vector to obtain the original weight information required to generate the convolution kernel;
[0234] The original weight information is reshaped to obtain the first convolutional kernel;
[0235] Using the geometric center of the first convolutional kernel as the origin, a target convolutional kernel adapted to the protocol context is cropped.
[0236] In some embodiments, the processor 700 is further configured to:
[0237] The model parameters in the student model are trained and updated using samples in a three-level memory. The three-level memory includes a core sample library, a hard sample library, and a new protocol sample library. The core sample library stores the latest standardized protocol samples, the hard sample library stores samples that the model predicts incorrectly, and the new protocol sample library stores new protocol samples.
[0238] By using the exponential moving average (EMA), the model parameters in the student model are fused with the model parameters of the network risk identification model to obtain an optimized network risk identification model.
[0239] The network risk identification model training device of this application embodiment performs protocol identification on the original network traffic data to obtain data of at least two protocol types; after processing the data of the at least two protocol types according to their respective corresponding processing channels, it performs hybrid encoding processing to obtain hybrid encoded feature data; using a conditional generative adversarial model, it performs data augmentation on the hybrid encoded feature data to obtain augmented data; based on the training set, it trains a feature extraction model to obtain a network risk identification model, wherein the training set includes the original network traffic data and the augmented data, and the convolution kernel parameters and size of the feature extraction model can be compatible with the protocol... The following is an adaptation: By identifying the protocol in the raw network traffic data and using different processing channels for different protocol types, semantic-level fine-grained processing can be achieved. Furthermore, through hybrid encoding, efficient unified encoding of high-dimensional sparse features and continuous features can be achieved, balancing efficiency and information preservation. Data augmentation using a conditional generative adversarial model enhances the relevance and effectiveness of the generated data, thereby improving model training efficiency. Moreover, the convolutional kernel parameters and size of the feature extraction model are adapted to the protocol context, enabling adaptive extraction of protocol traffic features at an extremely fine granular level, significantly improving the expressive power of the feature extraction module and the model's generalization performance.
[0240] This application embodiment also provides a network risk identification model training device, including a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the program, it implements the above-described... Figure 1 The various processes in the network risk identification model training method embodiment shown can achieve the same technical effect, and will not be described again here to avoid repetition.
[0241] This application also provides a computer-readable storage medium storing a computer program thereon, which, when executed by a processor, implements the above-described functionality. Figure 1The various processes in the network risk identification model training method embodiment shown herein achieve the same technical effect, and will not be described again here to avoid repetition. The computer-readable storage medium mentioned herein includes, for example, read-only memory (ROM), random access memory (RAM), magnetic disk, or optical disk.
[0242] This application also provides a computer program product, including computer instructions, which, when executed by a processor, implement the above-described functionality. Figure 1 The steps in the training method for the network risk identification model are shown.
[0243] Those skilled in the art will understand that embodiments of this application can be provided as methods, systems, or computer program products. Therefore, this application can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, this application can take the form of a computer program product embodied on one or more computer-readable storage media (including, but not limited to, disk storage and optical storage) containing computer-usable program code.
[0244] This application is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of this application. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, generate instructions for implementing the flowchart... Figure 1 A device for one or more processes and / or the functions specified in one or more boxes.
[0245] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce a paper article including an instruction means, the instruction means being implemented in a process Figure 1 One or more processes and / or boxes Figure 1 The function specified in one or more boxes.
[0246] These computer program instructions can also be loaded onto a computer or other programmable data processing equipment, causing the computer or other programmable equipment to perform a series of operational steps to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable equipment for implementing the process. Figure 1One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.
[0247] The above description represents the preferred embodiments of the present invention. It should be noted that those skilled in the art can make various improvements and modifications without departing from the principles of the present invention, and these improvements and modifications should also be considered within the scope of protection of the present invention.
Claims
1. A method for training a network risk identification model, characterized in that, include: The raw network traffic data is subjected to protocol identification to obtain data of at least two protocol types; After processing the data of the at least two protocol types according to their respective processing channels, the data is then subjected to hybrid encoding to obtain hybrid encoded feature data. Using a conditional generative adversarial model, data augmentation is performed on the hybrid encoded feature data to obtain augmented data; Based on the training set, the feature extraction model is trained to obtain the network risk identification model. The training set includes the original network traffic data and the augmented data. The convolution kernel parameters and size of the feature extraction model can be adapted to the protocol context.
2. The method according to claim 1, characterized in that, The method further includes: Based on real time-series traffic datasets, a key time-series pattern anchor point library is constructed, which includes multiple time-series attack anchor point patterns with high discriminative power. The generative adversarial model is trained based on random noise vectors, condition variables, and anchor patterns selected from the key temporal pattern anchor point library to obtain the conditional generative adversarial model. The condition variables include category labels, text descriptions, or scene constraint information, which are used to guide the generator in the generative adversarial model to generate temporal data under specific scenarios.
3. The method according to claim 2, characterized in that, The conditional generative adversarial model is obtained by training the generative adversarial model based on random noise vectors, conditional variables, and anchor patterns selected from the key temporal pattern anchor point library, including: Based on the random noise vector, condition variables, and anchor patterns selected from the key time series pattern anchor point library, the generator generates complete time series samples. Extract the time series sub-segments corresponding to the anchor point pattern from the complete time series sample; Calculate the distance between the temporal sub-segment and the anchor point pattern; The generator and the discriminator in the generative adversarial model are alternately optimized according to the first loss function until the first termination condition is met, thus obtaining the conditional generative adversarial model. The first loss function includes adversarial loss and pattern anchoring loss. The adversarial loss is determined based on the complete time series sample, and the pattern anchoring loss is determined based on the distance between the time series sub-segment and the anchor pattern.
4. The method according to claim 1, characterized in that, The process of training the feature extraction model based on the training set to obtain the network risk identification model includes: The training set is input into the feature extraction model, and after passing through the residual convolutional layer, pooling layer and feature fusion pyramid in sequence, the fused feature data is obtained. The training set includes positive sample pairs and negative sample library. The fused feature data is subjected to protocol embedding feature extraction, and the extracted feature data is passed through a fully connected layer to obtain the feature vectors of positive samples, negative samples, and anchor samples. Based on the feature vector of the negative sample, the feature vector of the anchor sample, and the local density estimate of the negative sample, the local density adaptive weight is calculated. Based on the second loss function, the model parameters of the feature extraction model are updated until the second termination condition is met, thus obtaining the network risk identification model. The second loss function is determined based on the local density adaptive weights, the feature vectors of the positive samples, the feature vectors of the negative samples, and the feature vectors of the anchor samples.
5. The method according to claim 4, characterized in that, The step of extracting protocol embedding features from the fused feature data includes: The fused feature data is then subjected to global average pooling to obtain a global feature vector. The target convolutional kernel is determined based on the protocol embedding vector; wherein the protocol embedding vector is generated from the original network traffic data and is used to characterize the semantic information of the protocol context, and the target convolutional kernel is adapted to the protocol context; Based on the target convolution kernel, the global feature vector is convolved to obtain feature weights; Based on the feature weights and the fused data features, feature extraction is performed to obtain the extracted feature data.
6. The method according to claim 5, characterized in that, Determining the target convolutional kernel based on the protocol embedding vector includes: A linear transformation is performed on the protocol embedding vector to obtain the original weight information required to generate the convolution kernel; The original weight information is reshaped to obtain the first convolutional kernel; Using the geometric center of the first convolutional kernel as the origin, a target convolutional kernel adapted to the protocol context is cropped.
7. The method according to claim 1, characterized in that, The method further includes: The model parameters in the student model are trained and updated using samples in a three-level memory. The three-level memory includes a core sample library, a hard sample library, and a new protocol sample library. The core sample library stores the latest standardized protocol samples, the hard sample library stores samples that the model predicts incorrectly, and the new protocol sample library stores new protocol samples. By using the exponential moving average (EMA), the model parameters in the student model are fused with the model parameters of the network risk identification model to obtain an optimized network risk identification model.
8. A network risk identification model training device, characterized in that, include: The protocol identification module is used to identify the protocol of the raw network traffic data and obtain data of at least two protocol types. The first processing module is used to process the data of the at least two protocol types according to their respective processing channels, and then perform mixed encoding processing to obtain the mixed encoded feature data. The data augmentation module is used to augment the hybrid encoded feature data using a conditional generative adversarial model to obtain augmented data. The model training module is used to train the feature extraction model based on the training set to obtain the network risk identification model. The training set includes the original network traffic data and the augmented data. The convolution kernel parameters and size of the feature extraction model can be adapted to the protocol context.
9. A network risk identification model training device, characterized in that, Includes a processor and a transceiver, the transceiver receiving and sending data under the control of the processor, the processor being used to perform the following operations: The raw network traffic data is subjected to protocol identification to obtain data of at least two protocol types; After processing the data of the at least two protocol types according to their respective processing channels, the data is then subjected to hybrid encoding to obtain hybrid encoded feature data. Using a conditional generative adversarial model, data augmentation is performed on the hybrid encoded feature data to obtain augmented data; Based on the training set, the feature extraction model is trained to obtain the network risk identification model. The training set includes the original network traffic data and the augmented data. The convolution kernel parameters and size of the feature extraction model can be adapted to the protocol context.
10. A network risk identification model training device, comprising a memory, a processor, and a computer program stored in the memory and running thereon, characterized in that, When the processor executes the program, it implements the network risk identification model training method as described in any one of claims 1 to 7.
11. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the program is executed by the processor, it implements the steps in the network risk identification model training method as described in any one of claims 1 to 7.
12. A computer program product, characterized in that, It includes computer instructions that, when executed by a processor, implement the steps in the network risk identification model training method as described in any one of claims 1 to 7.