Traffic detection method and device based on graph convolution network, equipment and medium
By constructing a directed graph based on graph convolutional networks and training a target inference model using packet attribute information, the problem that existing DDoS detection technologies cannot detect dynamic changes in attack traffic is solved, achieving high-precision network traffic detection and improving network security.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- ELECTRIC POWER RES INST CHINA SOUTHERN POWER GRID CO LTD
- Filing Date
- 2026-04-13
- Publication Date
- 2026-07-10
Smart Images

Figure CN122372264A_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of computer technology, and in particular to a method, apparatus, device, and medium for traffic detection based on graph convolutional networks. Background Technology
[0002] The network architecture in new power systems is becoming increasingly complex, and Distributed Denial of Service (DDoS) attacks are exhibiting new characteristics of multi-source collaboration and dynamic changes. Existing DDoS detection technologies are mainly based on traffic threshold statistics and static machine learning models. These methods obtain anomaly detection results by analyzing traffic characteristics (such as packet rate, number of bytes, etc.) within a fixed time window.
[0003] However, using static thresholds for anomaly detection cannot detect dynamic changes in attack traffic, leading to missed detections or false alarms, which reduces the security of network operations. Summary of the Invention
[0004] Therefore, it is necessary to provide a traffic detection method, apparatus, device, and medium based on graph convolutional networks that can improve network operation security in response to the above-mentioned technical problems.
[0005] Firstly, this application provides a traffic detection method based on graph convolutional networks, including:
[0006] Based on the source and destination addresses in each data packet of the target network within the current time window, determine at least two directed edges and each data packet corresponding to each directed edge; wherein, the starting point of the directed edge is the source address and the ending point of the directed edge is the destination address.
[0007] For each directed edge, the directed edge characteristics are determined based on the data attribute information of each data packet corresponding to the directed edge.
[0008] Construct the current directed graph based on the directed edge characteristics of each directed edge;
[0009] A target inference model is used to process the current directed graph to obtain the target traffic detection result. The target inference model is trained on a graph convolutional network using the sample directed graph and the actual traffic detection result corresponding to the sample directed graph.
[0010] In one embodiment, the directed edge characteristics of the directed edge are determined based on the data attribute information of each data packet corresponding to the directed edge, including:
[0011] The protocol characteristics of the directed edges are determined based on the protocol type information in the data attribute information of each data packet corresponding to the directed edge.
[0012] The characteristics of the data packets of the directed edges are determined based on the data volume and data transmission interval of each data packet corresponding to the directed edge.
[0013] Based on protocol characteristics and data packet characteristics, determine the directed edge characteristics of directed edges.
[0014] In one embodiment, the data packet characteristics of the directed edge are determined based on the data volume and data transmission interval of each data packet corresponding to the directed edge, including:
[0015] Based on the data volume of each data packet corresponding to the directed edge, determine the data packet distribution characteristics and real-time traffic rate;
[0016] Based on the data transmission interval of each data packet corresponding to the directed edge, determine the data packet interval time characteristics and service burst parameters;
[0017] Based on packet distribution characteristics, real-time traffic rate, packet interval time characteristics, and service burst parameters, the packet characteristics of directed edges are determined.
[0018] In one embodiment, the graph convolutional network has the same network hierarchy as the target network; the graph convolutional network is trained using the sample directed graph and the actual traffic detection results corresponding to the sample directed graph, including:
[0019] Using a network simulation platform, the communication process under various preset scenarios is simulated based on graph convolutional networks to generate sample traffic packets. The preset scenarios include normal operation scenarios, sudden operation scenarios, and attack scenarios.
[0020] Generate a directed graph of samples based on each sample traffic packet; and,
[0021] The preset scenario corresponding to the directed graph of the sample is used as the actual traffic detection result corresponding to the directed graph of the sample;
[0022] The target inference model is obtained by training a graph convolutional network using the sample directed graph and the actual traffic detection results corresponding to the sample directed graph.
[0023] In one embodiment, the method further includes:
[0024] If the traffic fluctuation of the target network is detected to be greater than a preset threshold, obtain the window length of the current time window;
[0025] If the window length is greater than the minimum window size, the window length of the time window following the current time window will be reduced to the minimum window size.
[0026] In one embodiment, the method further includes:
[0027] When the target network is in a secure operating state, security verification information is generated based on the node identifier, network access attributes, and node operation permissions of each node in the target network.
[0028] Upon reaching a new time window, a security verification is performed on the target network based on the security verification information.
[0029] Secondly, this application also provides a traffic detection device based on graph convolutional networks, comprising:
[0030] The partitioning module is used to determine at least two directed edges and each data packet corresponding to each directed edge based on the source address and destination address in each data packet of the target network within the current time window; wherein the starting point of the directed edge is the source address and the ending point of the directed edge is the destination address.
[0031] The feature determination module is used to determine the directed edge features of each directed edge based on the data attribute information of each data packet corresponding to the directed edge.
[0032] The construction module is used to construct the current directed graph based on the directed edge characteristics of each directed edge;
[0033] The result determination module is used to process the current directed graph using a target inference model to obtain the target traffic detection result. The target inference model is obtained by training a graph convolutional network using the sample directed graph and the actual traffic detection result corresponding to the sample directed graph.
[0034] Thirdly, this application also provides a computer device, including a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to perform the following steps:
[0035] Based on the source and destination addresses in each data packet of the target network within the current time window, determine at least two directed edges and each data packet corresponding to each directed edge; wherein, the starting point of the directed edge is the source address and the ending point of the directed edge is the destination address.
[0036] For each directed edge, the directed edge characteristics are determined based on the data attribute information of each data packet corresponding to the directed edge.
[0037] Construct the current directed graph based on the directed edge characteristics of each directed edge;
[0038] A target inference model is used to process the current directed graph to obtain the target traffic detection result. The target inference model is trained on a graph convolutional network using the sample directed graph and the actual traffic detection result corresponding to the sample directed graph.
[0039] Fourthly, this application also provides a computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, performs the following steps:
[0040] Based on the source and destination addresses in each data packet of the target network within the current time window, determine at least two directed edges and each data packet corresponding to each directed edge; wherein, the starting point of the directed edge is the source address and the ending point of the directed edge is the destination address.
[0041] For each directed edge, the directed edge characteristics are determined based on the data attribute information of each data packet corresponding to the directed edge.
[0042] Construct the current directed graph based on the directed edge characteristics of each directed edge;
[0043] A target inference model is used to process the current directed graph to obtain the target traffic detection result. The target inference model is trained on a graph convolutional network using the sample directed graph and the actual traffic detection result corresponding to the sample directed graph.
[0044] Fifthly, this application also provides a computer program product, including a computer program that, when executed by a processor, performs the following steps:
[0045] Based on the source and destination addresses in each data packet of the target network within the current time window, determine at least two directed edges and each data packet corresponding to each directed edge; wherein, the starting point of the directed edge is the source address and the ending point of the directed edge is the destination address.
[0046] For each directed edge, the directed edge characteristics are determined based on the data attribute information of each data packet corresponding to the directed edge.
[0047] Construct the current directed graph based on the directed edge characteristics of each directed edge;
[0048] A target inference model is used to process the current directed graph to obtain the target traffic detection result. The target inference model is trained on a graph convolutional network using the sample directed graph and the actual traffic detection result corresponding to the sample directed graph.
[0049] The aforementioned traffic detection method, apparatus, device, and medium based on graph convolutional networks introduce a target inference model trained using a sample directed graph and corresponding actual traffic detection results. By determining at least two directed edges and the corresponding data packets of each directed edge based on the source and destination addresses in each data packet of the target network within the current time window, and by determining the directed edge features of each directed edge based on the data attribute information of each data packet corresponding to each directed edge, the current directed graph is constructed based on these features. The target inference model is then used to process the current directed graph to obtain the target traffic detection result. By constructing a current directed graph containing the directed edge features of each directed edge and processing it using the target inference model, the target traffic detection result can be obtained. This allows for dynamic analysis of the traffic transmission status of the target network, improving the target traffic detection result and thus enhancing the security of the target network operation. Attached Figure Description
[0050] To more clearly illustrate the technical solutions in the embodiments of this application or related technologies, the drawings used in the description of the embodiments of this application or related technologies will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this application. For those skilled in the art, other related drawings can be obtained based on these drawings without creative effort.
[0051] Figure 1 This is a flowchart illustrating a traffic detection method based on graph convolutional networks in one embodiment.
[0052] Figure 2 This is a flowchart illustrating the process of determining directed edge features in one embodiment;
[0053] Figure 3 This is a flowchart illustrating the process of determining directed edge features in another embodiment;
[0054] Figure 4 This is a schematic diagram of the training process for a graph convolutional network in one embodiment;
[0055] Figure 5 This is a flowchart illustrating a traffic detection method based on graph convolutional networks in another embodiment;
[0056] Figure 6 This is a structural block diagram of a traffic detection device based on a graph convolutional network in one embodiment;
[0057] Figure 7 This is an internal structural diagram of a computer device in one embodiment. Detailed Implementation
[0058] To make the objectives, technical solutions, and advantages of this application clearer, the following detailed description is provided in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative and not intended to limit the scope of this application.
[0059] The network architecture in new power systems is becoming increasingly complex, and DDoS attacks are exhibiting new characteristics of multi-source collaboration and dynamic changes. Existing DDoS detection technologies are mainly based on traffic threshold statistics and static machine learning models. These methods obtain anomaly detection results by analyzing traffic characteristics (such as packet rate, number of bytes, etc.) within a fixed time window.
[0060] However, using static thresholds for anomaly detection cannot detect dynamic changes in attack traffic, leading to missed detections or false alarms, which reduces the security of network operations.
[0061] In one exemplary embodiment, a traffic detection method based on graph convolutional networks is provided. The method is illustrated using an application to a server as an example. Figure 1 As shown, the specific steps include:
[0062] S101, based on the source address and destination address in each data packet of the target network within the current time window, determine at least two directed edges and each data packet corresponding to each directed edge.
[0063] Here, the so-called current time window is the time window in which the current moment occurs; the so-called target network is the network that has traffic detection requirements; the so-called source address is the address from which the data packet originates, such as the attacking host and the normal user; the so-called destination address is the address to which the data packet is to be sent, such as the server or the router; the starting point of a directed edge is the source address, and the ending point of a directed edge is the destination address.
[0064] Optionally, after obtaining each data packet for the target network within the current time window, data packets that simultaneously have the same source address and destination address can be grouped into a set based on the source address and destination address in each data packet.
[0065] For each set of data packets, the source address corresponding to each data packet in the set can be used as the starting point and the destination address as the ending point to obtain the directed edge corresponding to the set of data packets. Each data packet in the set of data packets can be used as the data packet corresponding to the directed edge.
[0066] S102, For each directed edge, determine the directed edge characteristics based on the data attribute information of each data packet corresponding to the directed edge.
[0067] The so-called data attribute information refers to the attribute information of the data packet, which may include, but is not limited to, the size of the data packet, protocol information, etc. The so-called directed edge features refer to the relevant features of each data packet corresponding to the directed edge.
[0068] Optionally, for each directed edge, features can be extracted from the data attribute information of each data packet corresponding to the directed edge under preset dimensions to obtain information features under each preset dimension. Then, the information features under each preset dimension can be concatenated to obtain the directed edge features of the directed edge. The preset dimensions may include, but are not limited to, protocol type dimension, data volume dimension, etc.
[0069] S103, construct the current directed graph based on the directed edge characteristics of each directed edge.
[0070] The so-called current directed graph is a directed graph composed of all directed edges within the current time window.
[0071] Optionally, the current directed graph can be constructed based on the source and destination addresses corresponding to each directed edge, according to the directed edge characteristics of each directed edge. For example, the current directed graph can be represented by G=(V,E,A), where G is the current directed graph; V represents the nodes corresponding to each address, which can include the source node set (nodes corresponding to the source address) VS and the destination node set VT (nodes corresponding to the destination address); E represents each directed edge, indicating the communication relationship between nodes; and A represents the directed edge characteristics of each directed edge.
[0072] S104 uses a target reasoning model to process the current directed graph and obtain the target traffic detection result.
[0073] The target inference model is trained on a graph convolutional network using sample directed graphs and their corresponding actual traffic detection results. It determines the traffic detection result by analyzing the directed graph within each time window. The sample directed graph refers to the directed graph used as sample data; the actual traffic detection result is the actual traffic detection result corresponding to the sample directed graph. A graph convolutional network (GCN) is a deep learning model specifically designed for processing graph-structured data. The target traffic detection result is the traffic detection result of the target network within the current time window.
[0074] For example, the GCN structure includes three hidden layers, each containing 128 neurons. After each hidden layer, a ReLU activation function f(x)=max(0,x) is applied to introduce nonlinearity and accelerate convergence, where x is any neuron; then a dropout operation is performed with a dropout rate of 50% (i.e., randomly setting the output of 50% of the neurons to 0) to prevent overfitting.
[0075] When training the graph convolutional network using the sample directed graph and the corresponding actual traffic detection results, the Cross-Entropy Loss is used as the loss function, referring to the following formula (1). Then, an Adaptive Moment Estimator (Adam) with a learning rate of 0.01 is used, and the optimal number of iterations of 100 rounds is determined through experiments to make the target inference model obtained after training reach the peak accuracy (99.95%).
[0076] (1)
[0077] in, The labels are real (0 = normal traffic, 1 = attack traffic); The confidence level is the probability that the model predicts an attack.
[0078] Understandably, in this embodiment, the optimized 3-layer GCN network (128 neurons / layer) combined with 50% Dropout and the Adam optimizer (0.01 learning rate) achieves millisecond-level response while ensuring detection accuracy. The AES-GCM trust value calculation overhead is controlled within 0.5ms, adapting to the resource constraints of edge devices. Here, AES-GCM consists of AES-CTR (encryption, ensuring confidentiality) and GHASH (authentication, ensuring integrity).
[0079] Optionally, the current directed graph can be input into the target inference model, which will then analyze and process the features of each directed edge in the current directed graph to obtain the target flow detection results.
[0080] The aforementioned traffic detection method based on graph convolutional networks introduces a target inference model trained using a sample directed graph and corresponding actual traffic detection results. By determining at least two directed edges and the corresponding data packets within each data packet of the target network in the current time window, and based on the data attribute information of each data packet corresponding to each directed edge, the directed edge features of each directed edge are determined. Then, based on the directed edge features, a current directed graph is constructed, and the target inference model is used to process the current directed graph to obtain the target traffic detection result. By constructing a current directed graph containing the directed edge features of each directed edge and processing it with the target inference model to obtain the target traffic detection result, this method can dynamically analyze the traffic transmission status of the target network, improving the target traffic detection result and thus enhancing the security of the target network operation.
[0081] Based on the above embodiments, this application provides an optional method for determining directed edge features, such as... Figure 2 As shown, the specific steps include:
[0082] S201. Determine the protocol characteristics of the directed edge based on the protocol type information in the data attribute information of each data packet corresponding to the directed edge.
[0083] The so-called protocol type information refers to the type of communication protocol contained in the data packet. The so-called protocol feature refers to the feature corresponding to the communication protocol of each data packet in the directed edge.
[0084] Optionally, the protocol type information of each data packet can be obtained from the data attribute information of each data packet corresponding to the directed edge. Then, the protocol type with the highest proportion is taken as the current protocol type corresponding to the directed edge, and the current protocol type is encoded to obtain the protocol characteristics of the directed edge.
[0085] For example, the encoding values of each communication protocol can be preset: Transmission Control Protocol (TCP) = 1, User Datagram Protocol (UDP) = 2, Internet Control Message Protocol (ICMP) = 3, and others = 0. If the communication protocol of the data packets corresponding to directed edge A is detected to be TCP, the protocol characteristic of directed edge A is 1.
[0086] Understandably, since Synchronize Flood (SYN) attacks use only the TCP protocol, UDP flood attacks use only the UDP protocol, and Ping (ICMP) flood attacks use only the ICMP protocol, protocol characteristics can be used to quickly distinguish attack types.
[0087] S202, determine the data packet characteristics of the directed edge based on the data volume and data transmission interval of each data packet corresponding to the directed edge.
[0088] Here, data volume refers to the number of bytes of data in a data packet; data transmission interval refers to the transmission interval between data packets; and data packet characteristics refer to the features within the data packet dimension.
[0089] In one optional implementation, the data volume characteristic of a data packet can be determined based on the data volume of each data packet corresponding to the directed edge, and the data packet interval time characteristic can be determined based on the data transmission interval of each data packet corresponding to the directed edge. Then, the data volume characteristic and the data packet interval time characteristic are concatenated to obtain the data packet characteristic of the directed edge. The data transmission interval between each data packet can be determined based on the transmission timestamp of each data packet; the data packet interval time characteristic is the characteristic in the time dimension of the data packet transmission interval.
[0090] S203, determine the directed edge characteristics of the directed edge based on the protocol characteristics and data packet characteristics.
[0091] Optionally, the protocol features and data packet features can be normalized, and then the normalized protocol features and data packet features can be fused to obtain directed edge features. For example, the normalized protocol features and data packet features can be concatenated to obtain directed edge features of directed edges.
[0092] Understandably, by adopting the GCN heterogeneous graph learning architecture and analyzing dynamic edge attributes such as protocol type and packet interval variation coefficient, collaborative pattern recognition of distributed attacks across subnets can be achieved, breaking through the limitations of traditional single-point detection.
[0093] In this embodiment of the application, the directed edge characteristics of the directed edge are determined by combining the protocol type information, data volume and data transmission interval of each data packet, which can ensure the rationality of the determination of the directed edge characteristics.
[0094] Based on the above embodiments, this application provides another optional method for determining directed edge features, such as... Figure 3 As shown, the specific steps include:
[0095] S301, determine the data packet distribution characteristics and real-time traffic rate based on the data volume of each data packet corresponding to the directed edge.
[0096] Among them, the so-called packet distribution characteristics are used to characterize the distribution of packet data volume. The so-called real-time traffic rate is the traffic rate in the communication path corresponding to the directed edge per unit time.
[0097] Optionally, the mean, variance, maximum, and minimum values of each data packet can be determined based on the data volume of each data packet corresponding to the directed edge. Then, the mean, variance, maximum, and minimum values are concatenated to obtain the data packet distribution characteristics. It is understandable that the data packet distribution characteristics can reflect attack traffic patterns; for example, under a flooding attack, the size of the data packets tends to be concentrated.
[0098] The real-time traffic rate is determined based on the data volume and number of data packets corresponding to each directed edge. For example, the ratio of the number of data packets to the total number of bytes in each data packet can be used as the real-time traffic rate. It is understandable that the real-time traffic rate can quantify the attack intensity, such as a flood attack rate > 1000 pps.
[0099] S302, determine the data packet interval time characteristics and service burst parameters based on the data transmission interval of each data packet corresponding to the directed edge.
[0100] The standard transmission interval is the transmission interval between data packets in the target network under normal operating conditions. The service burst parameter is used to determine whether there is a burst of service.
[0101] Optionally, the mean and standard deviation of the transmission interval can be calculated based on the data transmission interval of each data packet corresponding to the directed edge. Then, the mean and standard deviation of the transmission interval can be concatenated to obtain the data packet interval time characteristics. The ratio between the mean and standard deviation of the transmission interval can be used as a service burst parameter.
[0102] Understandably, the service burst parameter is used to identify the difference in burstiness between flash traffic and attack traffic. Flash traffic refers to normal, instantaneous high-concurrency communication traffic initiated by real users, with packet intervals that are erratic and fluctuate wildly, resulting in a larger service burst parameter. Attack traffic, on the other hand, is machine-driven, uniform-rate bombardment (DDoS), with extremely regular intervals, resulting in a smaller service burst parameter. In this embodiment, the service burst parameter CV is used to forcibly separate the two, preventing the mistaken blocking of normal services.
[0103] S303 determines the packet characteristics of directed edges based on packet distribution characteristics, real-time traffic rate, packet interval time characteristics, and service burst parameters.
[0104] Optionally, the packet distribution characteristics, real-time traffic rate, packet interval time characteristics, and service burst parameters can be normalized to scale each feature to the [0,1] interval. Furthermore, low-variance features can be removed through analysis of variance, and highly correlated features (correlation coefficient > 0.95) can be eliminated through correlation analysis.
[0105] Furthermore, the processed data packet distribution characteristics, real-time traffic rate, data packet interval time characteristics, and service burst parameters can be concatenated to obtain the data packet characteristics of directed edges.
[0106] In this embodiment of the application, the data packet characteristics of the directed edge are determined based on the data packet distribution characteristics, real-time traffic rate, data packet interval time characteristics, and service burst parameters, which ensures the comprehensiveness of the data packet characteristics.
[0107] Based on the above embodiments, in this embodiment, the graph convolutional network and the target network have the same network hierarchy. Therefore, an alternative method for training the graph convolutional network is provided, such as... Figure 4 As shown, the specific steps include:
[0108] S401 uses a network simulation platform to simulate the communication process under various preset scenarios based on graph convolutional networks, in order to generate sample traffic packets.
[0109] The network simulation platform is a platform capable of simulating network communication scenarios; for example, it could be the NS-3 network simulator. Sample traffic packets are the sample traffic packets generated when simulating various communication scenarios. Preset scenarios include normal operation scenarios, sudden operation scenarios, and attack scenarios.
[0110] Understandably, to ensure compatibility between the target inference model and the target network, the graph convolutional network in the target inference model shares the same network hierarchy as the target network. Graph convolutional networks possess the ability to simulate dynamic characteristics, using stochastic pathpoint models to simulate the dynamic positional changes of terminal devices. By randomly setting node movement direction, speed, and pause time, realistic movement trajectories can be simulated. Furthermore, parameterized latency, packet loss rate, and bandwidth settings (non-configurable) can be introduced, and experimental tools can hardcode values to accurately simulate network congestion and instability caused by DDoS attacks. Additionally, a dynamic frequency hopping mechanism can be deployed at the convergence layer of the graph convolutional network to switch communication frequencies in real time to avoid attack interference and improve anti-interference capabilities.
[0111] For example, a graph convolutional network with the same hierarchical structure as the target network can be deployed in a network simulation platform. Specifically, based on the target network's hierarchical structure, a GCN layered network topology can be constructed using the NS-3 network simulator. Different network structures are built in GCN as follows: the core layer is the target node set VS, the aggregation layer is dynamic intermediary nodes, and the edge layer is the source node set VT. The aggregation layer can perform trust value calculation, that is, it sequentially collects and encrypts the three pieces of information—node identity, network access attributes, node operation permissions, and security status—to prevent interference from attacking nodes, and then dynamically responds to attack information. Attacking source nodes are distributed in different physical areas (e.g., subnets A, B, and C) to simulate a distributed attack scenario. The target node is configured as a single Ubuntu server, or expanded into a multi-server cluster to match the real network environment.
[0112] Optionally, after deploying a graph convolutional network (GCNN) in a network simulation platform, different tools can be used to simulate communication processes under various preset scenarios based on the GCNN, generating sample traffic packets for each scenario. Specifically, in the case of an attack scenario, a random path point model can be used to simulate mobility and dynamically switch the location of the attack source node. The parameters are set as follows: movement speed 1-10 m / s, pause time 0-30 seconds, and transmission range 150 meters. Then, by configuring multiple attack hosts, the dynamic characteristics of a real-world DDoS attack are simulated at three speed levels (low speed / slow speed / flood).
[0113] For example, HTTP performance testing tools (httperf) or distributed internet traffic generators (D-ITG) can be used to simulate stable and clean traffic from daily user browsing and regular business access to generate sample data packets under normal operating conditions; curl load generators (curl-loader) can be used to simulate peak traffic surges caused by flash sales, event peaks, and a large influx of real users to generate sample data packets under sudden operational scenarios; network packet sending testing tools (hping3) or slow HTTP attack testing tools (slowhttptest) can be used to simulate malicious traffic such as high-speed flooding and slow resource exhaustion to generate sample data packets under attack scenarios.
[0114] S402 generates a directed sample graph based on each sample traffic packet.
[0115] Optionally, at least two sample directed edges and corresponding sample data packets can be determined based on the source and destination addresses in each sample traffic packet. Then, the protocol characteristics of the sample directed edges can be determined based on the protocol type information in the data attribute information of each sample data packet corresponding to the sample directed edge; the data packet distribution characteristics and real-time traffic rate of the sample directed edge can be determined based on the data volume of each sample data packet corresponding to the sample directed edge; the data packet interval time characteristics and service burst parameters of the sample directed edge can be determined based on the data transmission interval of each sample data packet corresponding to the sample directed edge; and the directed edge characteristics of the sample directed edge can be determined based on the protocol characteristics, data packet distribution characteristics, real-time traffic rate, data packet interval time characteristics, and service burst parameters.
[0116] Furthermore, a directed graph of samples can be constructed based on the directed edge features of each sample's directed edges;
[0117] S403 uses the preset scenario corresponding to the directed graph of the sample as the actual traffic detection result corresponding to the directed graph of the sample.
[0118] Optionally, for each directed graph sample, the preset scenario that generated the directed graph sample can be used as the actual traffic detection result corresponding to the directed graph sample. For example, if the preset scenario that generated directed graph sample B is an attack scenario, the actual traffic detection result of directed graph sample B is determined to indicate the presence of an attack.
[0119] To facilitate the differentiation of traffic detection results, normal operation scenarios and sudden operation scenarios can be encoded as 0, and attack scenarios can be encoded as 1.
[0120] S404 uses the sample directed graph and the actual traffic detection results corresponding to the sample directed graph to train the graph convolutional network and obtain the target inference model.
[0121] Optionally, the directed graph of the samples can be input into a graph convolutional network, which processes the directed graph of the samples to obtain the predicted traffic detection result. Then, based on the deviation between the predicted traffic detection result and the actual traffic detection result corresponding to the directed graph of the samples, the graph convolutional network is optimized to obtain the target inference model.
[0122] In this embodiment of the application, a network simulation platform is used to simulate the communication process under various preset scenarios based on convolutional networks, thereby determining the target inference model and ensuring the reliability of the target inference model training.
[0123] Based on the above embodiments, this application provides an optional method for adjusting the window length. Specifically, when the traffic fluctuation of the target network is detected to be greater than a preset threshold, the window length of the current time window is obtained; when the window length is greater than the minimum window value, the window length of the time window following the current time window is reduced to the minimum window value.
[0124] The preset threshold is used to measure the magnitude of traffic fluctuations. The window length is the duration of a time window. The minimum window size is the minimum configurable window length in the target network, for example, 1 second.
[0125] Optionally, if the traffic fluctuation of the target network is detected to be greater than a preset threshold, it proves that there is a sudden traffic outbreak (such as an attack outbreak) in the target network. At this time, the window length of the current time window can be obtained and compared with the minimum window value.
[0126] If the window length is greater than the minimum window size, to improve the efficiency of traffic detection, the window length of time windows following the current time window can be reduced to the minimum window size. If the window length is equal to the minimum window size, the window length of subsequent time windows will not be adjusted.
[0127] Furthermore, if the traffic fluctuation of the target network is less than or equal to the preset threshold, it proves that there is no sudden traffic in the target network. In this case, the window length of the time window after the current time window can be adjusted to the maximum window value, such as 10 seconds.
[0128] In this embodiment, the efficiency of traffic monitoring is adaptively adjusted by dynamically adjusting the size of the time window, thereby ensuring the reliability of traffic monitoring.
[0129] Based on the above embodiments, this application provides an optional method for security monitoring, specifically, when the target network is in a secure operating state, generating security verification information based on the node identifier, network access attributes, and node operation permissions of each node in the target network; and when a new time window arrives, performing security verification on the target network based on the security verification information.
[0130] The node identifier is the node's unique identification information, such as an identity ID. Network access attributes are information related to the node's network access, such as the access port, subnet, access method (wired / wireless), base station / aggregation layer location, signal quality, and link type. Node operation permissions are the permissions the node is allowed to perform operations, including permitted service ranges, bandwidth limits, security levels, whether it is marked as suspicious / malicious, and whether it has passed trust authentication. Security verification information is used to verify the security of the node's operation.
[0131] Optionally, if it is determined that the target network is in a secure operating state, the node identifier, network access attributes, and node operation permissions of each node in the target network can be obtained, and the node identifier, network access attributes, and node operation permissions of each node can be concatenated to obtain security verification information.
[0132] For example, security verification information can be represented as Tv=AES_GCM(ID) i ∥RAN∥Permissions); where, ID i RAN is the node identifier; RAN is the network access attribute; permissions refer to the node's operational permissions. AES_GCM is a symmetric encryption algorithm, short for Advanced Encryption Standard - Galois / Counter Mode. It is used for encryption, preventing others from seeing the original content, and for integrity verification; that is, any changes to the content can be detected immediately.
[0133] Furthermore, during subsequent network operation, upon reaching each new time window, each node in the target network can be verified based on the security verification information to ensure the security of each node's operation.
[0134] In this embodiment of the application, by generating security verification information based on the node identifier, network access attributes and node operation permissions of each node in the target network, and performing security verification on the target network based on the security verification information when a new time window arrives, the security of network operation can be guaranteed.
[0135] Figure 5This is a flowchart illustrating a traffic detection method based on graph convolutional networks in another embodiment. Building upon the above embodiments, this embodiment provides an optional example of a traffic detection method based on graph convolutional networks. (Combined with...) Figure 5 The specific implementation process is as follows:
[0136] S501 uses a network simulation platform to simulate communication processes under various preset scenarios based on graph convolutional networks, in order to generate sample traffic packets.
[0137] The preset scenarios include normal operation scenarios, emergency operation scenarios, and attack scenarios.
[0138] S502 generates a directed sample graph based on each sample traffic packet, and uses the preset scenario corresponding to the directed sample graph as the actual traffic detection result corresponding to the directed sample graph.
[0139] S503 uses the directed sample graph and the actual traffic detection results corresponding to the directed sample graph to train the graph convolutional network and obtain the target inference model.
[0140] S504: Based on the source and destination addresses in each data packet of the target network within the current time window, determine at least two directed edges and each data packet corresponding to each directed edge.
[0141] In this context, the starting point of a directed edge is the source address, and the ending point of a directed edge is the target address.
[0142] S505: For each directed edge, determine the protocol characteristics of the directed edge based on the protocol type information in the data attribute information of each data packet corresponding to the directed edge, and determine the data packet characteristics of the directed edge based on the data volume and data transmission interval of each data packet corresponding to the directed edge.
[0143] Optionally, based on the data volume of each data packet corresponding to the directed edge, determine the data packet distribution characteristics and real-time traffic rate; based on the data transmission interval of each data packet corresponding to the directed edge, determine the data packet interval time characteristics and service burst parameters; based on the data packet distribution characteristics, real-time traffic rate, data packet interval time characteristics, and service burst parameters, determine the data packet characteristics of the directed edge.
[0144] S506: For each directed edge, determine the directed edge characteristics based on the protocol characteristics and data packet characteristics corresponding to the directed edge.
[0145] S507: Based on the directed edge characteristics of each directed edge, construct the current directed graph, and use the target inference model to process the current directed graph to obtain the target traffic detection result.
[0146] The target inference model is obtained by training a graph convolutional network using a directed sample graph and the actual traffic detection results corresponding to the directed sample graph.
[0147] Optionally, if the traffic fluctuation of the target network is detected to be greater than a preset threshold, the window length of the current time window is obtained; if the window length is greater than the minimum window value, the window length of the time window following the current time window is reduced to the minimum window value.
[0148] Optionally, when the target network is in a secure operating state, security verification information is generated based on the node identifier, network access attributes, and node operation permissions of each node in the target network; when a new time window arrives, security verification is performed on the target network based on the security verification information.
[0149] The specific processes of S501-S507 described above can be found in the description of the above method embodiments. Their implementation principles and technical effects are similar, and will not be repeated here.
[0150] It should be understood that although the steps in the flowcharts of the embodiments described above are shown sequentially according to the arrows, these steps are not necessarily executed in the order indicated by the arrows. Unless explicitly stated herein, there is no strict order restriction on the execution of these steps, and they can be executed in other orders. Moreover, at least some steps in the flowcharts of the embodiments described above may include multiple steps or multiple stages. These steps or stages are not necessarily completed at the same time, but can be executed at different times. The execution order of these steps or stages is not necessarily sequential, but can be performed alternately or in turn with other steps or at least some of the steps or stages of other steps.
[0151] Based on the same inventive concept, this application also provides a graph convolutional network-based traffic detection device for implementing the above-described traffic detection method based on graph convolutional networks. The solution provided by this device is similar to the implementation described in the above-described method. Therefore, the specific limitations in one or more embodiments of the graph convolutional network-based traffic detection device provided below can be found in the limitations of the graph convolutional network-based traffic detection method described above, and will not be repeated here.
[0152] In one exemplary embodiment, such as Figure 6 As shown, a traffic detection device 1 based on graph convolutional networks is provided, comprising: a partitioning module 10, a feature determination module 20, a construction module 30, and a result determination module 40, wherein:
[0153] The partitioning module 10 is used to determine at least two directed edges and each data packet corresponding to each directed edge based on the source address and destination address in each data packet of the target network within the current time window; wherein, the starting point of the directed edge is the source address and the ending point of the directed edge is the destination address.
[0154] The feature determination module 20 is used to determine the directed edge features of each directed edge based on the data attribute information of each data packet corresponding to the directed edge.
[0155] Module 30 is used to construct the current directed graph based on the directed edge characteristics of each directed edge;
[0156] The result determination module 40 is used to process the current directed graph using a target inference model to obtain the target traffic detection result. The target inference model is obtained by training a graph convolutional network using the sample directed graph and the actual traffic detection result corresponding to the sample directed graph.
[0157] In an exemplary embodiment, the feature determination module 20 is specifically used for:
[0158] Based on the protocol type information in the data attribute information of each data packet corresponding to the directed edge, the protocol characteristics of the directed edge are determined; based on the data volume and data transmission interval of each data packet corresponding to the directed edge, the data packet characteristics of the directed edge are determined; based on the protocol characteristics and data packet characteristics, the directed edge characteristics of the directed edge are determined.
[0159] In one exemplary embodiment, the feature determination module 20 is further configured to:
[0160] Based on the data volume of each data packet corresponding to the directed edge, determine the data packet distribution characteristics and real-time traffic rate; based on the data transmission interval of each data packet corresponding to the directed edge, determine the data packet interval time characteristics and service burst parameters; based on the data packet distribution characteristics, real-time traffic rate, data packet interval time characteristics, and service burst parameters, determine the data packet characteristics of the directed edge.
[0161] In an exemplary embodiment, the traffic detection device 1 based on graph convolutional networks further includes a training model, wherein the training model is specifically used for:
[0162] Using a network simulation platform, the communication process under various preset scenarios is simulated based on a graph convolutional network to generate sample traffic packets. The preset scenarios include normal operation, sudden operation, and attack scenarios. A sample directed graph is generated based on each sample traffic packet. The preset scenarios corresponding to the sample directed graph are used as the actual traffic detection results corresponding to the sample directed graph. The graph convolutional network is trained using the sample directed graph and the actual traffic detection results corresponding to the sample directed graph to obtain the target inference model.
[0163] In an exemplary embodiment, the traffic detection device 1 based on graph convolutional networks further includes a detection model, wherein the detection model is specifically used for:
[0164] If the traffic fluctuation of the target network is detected to be greater than a preset threshold, the window length of the current time window is obtained; if the window length is greater than the minimum window value, the window length of the time window following the current time window is reduced to the minimum window value.
[0165] In one exemplary embodiment, the detection model is further used for:
[0166] When the target network is in a secure operating state, security verification information is generated based on the node identifier, network access attributes, and node operation permissions of each node in the target network; when a new time window arrives, security verification is performed on the target network based on the security verification information.
[0167] The modules in the aforementioned graph convolutional network-based traffic detection device can be implemented entirely or partially through software, hardware, or a combination thereof. These modules can be embedded in or independent of the processor in a computer device, or stored in the computer device's memory as software, so that the processor can call and execute the corresponding operations of each module.
[0168] In one exemplary embodiment, a computer device is provided, which may be a server, and its internal structure diagram may be as follows: Figure 7 As shown, this computer device includes a processor, memory, input / output interfaces (I / O), and a communication interface. The processor, memory, and I / O interfaces are connected via a system bus, and the communication interface is also connected to the system bus via the I / O interfaces. The processor provides computational and control capabilities. The memory includes non-volatile storage media and internal memory. The non-volatile storage media stores the operating system, computer programs, and a database. The internal memory provides the environment for the operation of the operating system and computer programs stored in the non-volatile storage media. The database stores attribute data of data packets. The I / O interfaces are used for exchanging information between the processor and external devices. The communication interface is used for communicating with external terminals via a network connection. When executed by the processor, the computer program implements a traffic detection method based on a graph convolutional network.
[0169] Those skilled in the art will understand that Figure 7The structure shown is merely a block diagram of a portion of the structure related to the present application and does not constitute a limitation on the computer device to which the present application is applied. Specific computer devices may include more or fewer components than those shown in the figure, or combine certain components, or have different component arrangements.
[0170] In one embodiment, a computer device is also provided, including a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to implement the steps in the above method embodiments.
[0171] In one embodiment, a computer-readable storage medium is provided having a computer program stored thereon that, when executed by a processor, implements the steps in the above method embodiments.
[0172] In one embodiment, a computer program product is provided, including a computer program that, when executed by a processor, implements the steps in the above method embodiments.
[0173] It should be noted that the data involved in this application (including but not limited to data attribute information) is all data authorized by the user or fully authorized by all parties, and the collection, use and processing of the relevant data must comply with relevant regulations.
[0174] Those skilled in the art will understand that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing related hardware. The computer program can be stored in a non-volatile computer-readable storage medium, and when executed, it can include the processes of the embodiments of the above methods. Any references to memory, databases, or other media used in the embodiments provided in this application can include at least one of non-volatile memory and volatile memory. Non-volatile memory can include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetic random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, etc. Volatile memory can include random access memory (RAM) or external cache memory, etc. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM). The databases involved in the embodiments provided in this application may include at least one type of relational database and non-relational database. Non-relational databases may include, but are not limited to, blockchain-based distributed databases. The processors involved in the embodiments provided in this application may be general-purpose processors, central processing units, graphics processing units, digital signal processors, programmable logic devices, quantum computing-based data processing logic devices, artificial intelligence (AI) processors, etc., and are not limited to these.
[0175] The technical features of the above embodiments can be combined in any way. For the sake of brevity, not all possible combinations of the technical features in the above embodiments are described. However, as long as there is no contradiction in the combination of these technical features, they should be considered to be within the scope of this application.
[0176] The embodiments described above are merely illustrative of several implementation methods of this application, and while the descriptions are specific and detailed, they should not be construed as limiting the scope of this patent application. It should be noted that those skilled in the art can make various modifications and improvements without departing from the concept of this application, and these all fall within the protection scope of this application. Therefore, the protection scope of this application should be determined by the appended claims.
Claims
1. A traffic detection method based on graph convolutional networks, characterized in that, The method includes: Based on the source and destination addresses in each data packet of the target network within the current time window, determine at least two directed edges and each data packet corresponding to each directed edge; wherein, the starting point of the directed edge is the source address and the ending point of the directed edge is the destination address. For each directed edge, the directed edge characteristics are determined based on the data attribute information of each data packet corresponding to the directed edge; Construct the current directed graph based on the directed edge characteristics of each directed edge; A target inference model is used to process the current directed graph to obtain the target traffic detection result; wherein, the target inference model is obtained by training a graph convolutional network using the sample directed graph and the actual traffic detection result corresponding to the sample directed graph.
2. The method according to claim 1, characterized in that, The step of determining the directed edge characteristics of the directed edge based on the data attribute information of each data packet corresponding to the directed edge includes: Based on the protocol type information in the data attribute information of each data packet corresponding to the directed edge, the protocol characteristics of the directed edge are determined; The data packet characteristics of the directed edge are determined based on the data volume and data transmission interval of each data packet corresponding to the directed edge; The directed edge characteristics of the directed edge are determined based on the protocol characteristics and the data packet characteristics.
3. The method according to claim 2, characterized in that, The step of determining the data packet characteristics of the directed edge based on the data volume and data transmission interval of each data packet corresponding to the directed edge includes: Based on the data volume of each data packet corresponding to the directed edge, determine the data packet distribution characteristics and real-time traffic rate; Based on the data transmission interval of each data packet corresponding to the directed edge, determine the data packet interval time characteristics and service burst parameters; The data packet characteristics of the directed edge are determined based on the data packet distribution characteristics, the real-time traffic rate, the data packet interval time characteristics, and the service burst parameters.
4. The method according to claim 1, characterized in that, The graph convolutional network has the same network hierarchy as the target network; the step of training the graph convolutional network using the sample directed graph and the actual traffic detection results corresponding to the sample directed graph includes: Using a network simulation platform, the communication process under various preset scenarios is simulated based on graph convolutional networks to generate sample traffic packets; wherein, the preset scenarios include normal operation scenarios, sudden operation scenarios, and attack scenarios; Generate a directed graph of samples based on each sample traffic packet; and, The preset scenario corresponding to the directed graph of the sample is taken as the actual traffic detection result corresponding to the directed graph of the sample; The target inference model is obtained by training the graph convolutional network using the sample directed graph and the actual traffic detection results corresponding to the sample directed graph.
5. The method according to claim 1, characterized in that, The method further includes: If the traffic fluctuation of the target network is detected to be greater than a preset threshold, the window length of the current time window is obtained; If the window length is greater than the minimum window value, the window length of the time window following the current time window will be reduced to the minimum window value.
6. The method according to claim 1, characterized in that, The method further includes: When the target network is in a secure operating state, security verification information is generated based on the node identifier, network access attributes, and node operation permissions of each node in the target network. Upon reaching a new time window, the target network is subjected to security verification based on the security verification information.
7. A flow detection device based on graph convolutional networks, characterized in that, The device includes: The partitioning module is used to determine at least two directed edges and each data packet corresponding to each directed edge based on the source address and destination address in each data packet of the target network within the current time window; wherein the starting point of the directed edge is the source address and the ending point of the directed edge is the destination address. The feature determination module is used to determine the directed edge features of each directed edge based on the data attribute information of each data packet corresponding to the directed edge. The construction module is used to construct the current directed graph based on the directed edge characteristics of each directed edge; The result determination module is used to process the current directed graph using a target inference model to obtain the target traffic detection result; wherein, the target inference model is obtained by training a graph convolutional network using the sample directed graph and the actual traffic detection result corresponding to the sample directed graph.
8. A computer device comprising a memory and a processor, wherein the memory stores a computer program, characterized in that, When the processor executes the computer program, it implements the steps of the method according to any one of claims 1 to 6.
9. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by a processor, it implements the steps of the method according to any one of claims 1 to 6.
10. A computer program product, comprising a computer program, characterized in that, When the computer program is executed by a processor, it implements the steps of the method according to any one of claims 1 to 6.