Network attack detection method and system
1. A network attack detection method, characterized in that it comprises the following steps:
collecting the network traffic of each network node over a period of time, and performing statistical analysis on the network traffic data transmitted by each network node;
constructing a two-layer recurrent neural network, training the two-layer recurrent neural network on the collected network traffic data, and predicting the network traffic of each node based on the trained two-layer recurrent neural network;
calculating the residual between the actual traffic and the predicted traffic of each node to obtain a multi-dimensional residual matrix, and determining an abnormal-node classification boundary based on a random forest model;
and acquiring the traffic of each network node, determining that a network attack has occurred when both the number of abnormal nodes and the duration of the abnormal nodes exceed their preset thresholds, and issuing an early warning.
2. The method of claim 1, wherein determining the abnormal-node classification boundary based on a random forest model comprises:
training the random forest model on the multi-dimensional data, and searching for the optimal hyper-parameters by grid search, wherein the hyper-parameters comprise the number of decision trees, the depth of the decision trees and the number of cross-validation rounds;
and obtaining the corresponding abnormal-node classification boundary from the trained random forest model.
3. The method of claim 1, wherein, before determining that a network attack has occurred when both the number of abnormal nodes and the duration of the abnormal nodes exceed their preset thresholds, the method further comprises:
taking the highest classification accuracy over the limited input data as the optimization objective, and solving for the optimal abnormal-node count threshold and abnormal-node duration threshold by an artificial ant colony algorithm.
4. The method of claim 1, wherein acquiring the traffic of each network node and determining that a network attack has occurred when both the number of abnormal nodes and the duration of the abnormal nodes exceed their preset thresholds further comprises:
fuzzifying the packet count, packet-rate increase, IP address count and IP-address-rate increase parameters of the node traffic, performing fuzzy inference on the input abnormal-node traffic data according to an existing knowledge base and rule base, and thereby converting the abnormal-node traffic data into a probability that the node is abnormal;
and determining that a network attack has occurred when two associated abnormal nodes are both judged abnormal by the fuzzy inference and their probabilities of being abnormal exceed a preset value.
5. The method of claim 1, wherein acquiring the traffic of each network node and determining that a network attack has occurred when both the number of abnormal nodes and the duration of the abnormal nodes exceed their preset thresholds further comprises:
after the network attack is determined, determining the network attack path based on the abnormal nodes, rejecting the packets forwarded by the abnormal node devices on the attack path, and clearing from the network nodes the data bearing the IP addresses of the abnormal node devices and the empty packets they forwarded.
6. A network attack detection system, comprising:
an acquisition module, configured to acquire the network traffic of each network node over a period of time and perform statistical analysis on the network traffic data transmitted by each network node;
a prediction module, configured to construct a two-layer recurrent neural network, train it on the collected network traffic data, and predict the network traffic of each node based on the trained network;
a residual calculation module, configured to calculate the residual between the actual traffic and the predicted traffic of each node to obtain a multi-dimensional residual matrix, and to determine the abnormal-node classification boundary based on a random forest model;
and an attack detection module, configured to acquire the traffic of each network node, determine that a network attack has occurred when both the number of abnormal nodes and the duration of the abnormal nodes exceed their preset thresholds, and issue an early warning.
7. The system of claim 6, wherein determining the abnormal-node classification boundary based on the random forest model comprises:
training the random forest model on the multi-dimensional data, and searching for the optimal hyper-parameters by grid search, wherein the hyper-parameters comprise the number of decision trees, the depth of the decision trees and the number of cross-validation rounds;
and obtaining the corresponding abnormal-node classification boundary from the trained random forest model.
8. The system of claim 6, wherein the attack detection module further comprises:
a verification module, configured to fuzzify the packet count, packet-rate increase, IP address count and IP-address-rate increase parameters of the node traffic, perform fuzzy inference on the input abnormal-node traffic data according to the existing knowledge base and rule base to obtain the probability that each node is abnormal, and determine that a network attack has occurred when two associated abnormal nodes are both judged abnormal by the fuzzy inference and their abnormality probabilities exceed the preset value.
9. An electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor implements the steps of the network attack detection method according to any one of claims 1 to 5 when executing the computer program.
10. A computer-readable storage medium, in which a computer program is stored, which, when being executed by a processor, carries out the steps of the network attack detection method according to any one of claims 1 to 5.
Background
Network attacks are unauthorized intrusions into a network system and the computer systems within it. They not only compromise the confidentiality and integrity of data transmitted over the network but also affect the availability of network services. Network attacks can be divided into system vulnerability attacks and denial-of-service attacks, and either kind disrupts normal use of the network by its users, so illegal network attacks need to be detected in order to protect the network system.
At present, a commonly used detection method is attack-behaviour detection based on a neural network: a detection model is trained on features such as attack traffic characteristics and user characteristics, and the trained model is then used to distinguish illegal attack behaviour. However, because real user behaviour is very complex (for example, repeated access within a short time), a traditional neural network model has difficulty making this distinction effectively, and the accuracy of network attack detection in practice is low.
Disclosure of Invention
In view of this, embodiments of the present invention provide a network attack detection method and system in order to address the low accuracy of existing network attack detection.
In a first aspect of the embodiments of the present invention, a network attack detection method is provided, comprising:
collecting the network traffic of each network node over a period of time, and performing statistical analysis on the network traffic data transmitted by each network node;
constructing a two-layer recurrent neural network, training the two-layer recurrent neural network on the collected network traffic data, and predicting the network traffic of each node based on the trained two-layer recurrent neural network;
calculating the residual between the actual traffic and the predicted traffic of each node to obtain a multi-dimensional residual matrix, and determining an abnormal-node classification boundary based on a random forest model;
and acquiring the traffic of each network node, determining that a network attack has occurred when both the number of abnormal nodes and the duration of the abnormal nodes exceed their preset thresholds, and issuing an early warning.
In a second aspect of the embodiments of the present invention, a network attack detection system is provided, comprising:
an acquisition module, configured to acquire the network traffic of each network node over a period of time and perform statistical analysis on the network traffic data transmitted by each network node;
a prediction module, configured to construct a two-layer recurrent neural network, train it on the collected network traffic data, and predict the network traffic of each node based on the trained network;
a residual calculation module, configured to calculate the residual between the actual traffic and the predicted traffic of each node to obtain a multi-dimensional residual matrix, and to determine the abnormal-node classification boundary based on a random forest model;
and an attack detection module, configured to acquire the traffic of each network node, determine that a network attack has occurred when both the number of abnormal nodes and the duration of the abnormal nodes exceed their preset thresholds, and issue an early warning.
In a third aspect of the embodiments of the present invention, there is provided an electronic device, which at least includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and when the processor executes the computer program, the steps of the method according to the first aspect of the embodiments of the present invention are implemented.
In a fourth aspect of the embodiments of the present invention, a computer-readable storage medium is provided, in which a computer program is stored, and the computer program, when executed by a processor, implements the steps of the method provided in the first aspect of the embodiments of the present invention.
In the embodiments of the invention, the network traffic of each node is predicted by a two-layer recurrent neural network, the multi-dimensional residual matrix between the actual and predicted traffic is calculated, the abnormal-node classification boundary is determined by a random forest model, and a network attack is determined and an early warning issued when both the number of abnormal nodes in the network system and their duration exceed the thresholds. The network attack can thus be detected accurately and efficiently, and the security of the network system can be effectively guaranteed.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the embodiments or the prior art descriptions will be briefly described below, and it is obvious that the drawings described below are only some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a schematic flowchart of a network attack detection method according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a network attack detection system according to an embodiment of the present invention.
Detailed Description
In order to make the objects, features and advantages of the present invention more obvious and understandable, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the embodiments described below are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "comprises" and "comprising," when used in this specification and claims, and in the accompanying drawings and figures, are intended to cover non-exclusive inclusions, such that a process, method or system, or apparatus that comprises a list of steps or elements is not limited to the listed steps or elements. In addition, "first" and "second" are used to distinguish different objects, and are not used to describe a specific order.
Referring to fig. 1, fig. 1 is a schematic flowchart of a network attack detection method provided in an embodiment of the present invention, comprising:
S101, collecting the network traffic of each network node over a period of time, and performing statistical analysis on the network traffic data transmitted by each network node;
The network traffic is the volume of data flowing through a network node, generally measured in number of packets, and includes the packet receive volume, forwarding volume, etc. of the node. A network node is a network device with an independent address that can send or receive data in the network system, such as a router, a switch or a server; the nodes are connected by (wired or wireless) communication links.
The statistical analysis of the network traffic further comprises computing statistics such as the packet rate, the packet-rate increase, the number of IP addresses and the increase in the number of IP addresses.
The collected node traffic data is divided into a training set and a test set in order of collection time. For example, the earliest 90% of the traffic data is used as the training set and the latest 10% as the test set.
S102, constructing a two-layer recurrent neural network, training it on the collected network traffic data, and predicting the network traffic of each node based on the trained network;
The two-layer recurrent neural network comprises a forward recurrent network and a backward recurrent network, and can be used to predict the network traffic of each network node in each time period. A recurrent neural network takes sequence data as input, recurses in the direction of the sequence's evolution, and connects all of its cells in a chain.
The two-layer recurrent neural network is trained on the sampled training set and evaluated on the test set, so that the model reaches a certain prediction accuracy.
Optionally, data that the two-layer recurrent neural network subsequently predicts accurately can be fed back into the model for iterative training, so that the prediction accuracy of the network continues to improve.
S103, calculating the residual between the actual traffic and the predicted traffic of each node to obtain a multi-dimensional residual matrix, and determining the abnormal-node classification boundary based on a random forest model;
The traffic data of each node can be analysed from several angles, such as packet receive volume, packet-rate increase and number of IP addresses; each angle defines one dimension of the traffic analysis, and the residual between the predicted and actual value of each node in each dimension yields a multi-dimensional residual matrix.
Preferably, the random forest model is trained on the multi-dimensional data and the optimal hyper-parameters are found by grid search, the hyper-parameters comprising the number of decision trees, the depth of the decision trees and the number of cross-validation rounds; the corresponding abnormal-node classification boundary is then obtained from the trained random forest model.
The random forest model is trained on the multi-dimensional residual matrix data to obtain a classification result; the model is trained iteratively, the optimal hyper-parameters are taken once a preset accuracy is reached, and the node classification boundary is determined by combining the hyper-parameters with the model's classification result, the classification boundary comprising a classification threshold for each dimension of the data.
S104, acquiring the traffic of each network node, determining that a network attack has occurred when both the number of abnormal nodes and the duration of the abnormal nodes exceed their preset thresholds, and issuing an early warning.
The preset threshold for the number of abnormal nodes is distinct from the preset threshold for the duration of the abnormal nodes.
Preferably, taking the highest classification accuracy over the limited input data as the optimization objective, the optimal abnormal-node count threshold and abnormal-node duration threshold are solved for by an artificial ant colony algorithm.
Based on the abnormal-node classification boundary it can be judged whether a network node is abnormal, but an abnormal node alone does not establish that a network attack is taking place; the attack must be judged from the number of abnormal nodes together with how long each node has remained abnormal. Once the thresholds for the number and the duration of abnormal nodes have been obtained by the artificial ant colony algorithm, the abnormal nodes detected in the network can be judged against these two thresholds, and a network attack is determined when the number of abnormal nodes and their duration exceed the thresholds at the same time.
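The following is an added example, not code from the patent, that carries steps S101 to S104 through end to end on constructed traffic windows: the per-window statistics (packet count and its increase, IP count and its increase), the residual matrix between actual and predicted values, the per-dimension classification boundary, and the decision that requires both enough abnormal nodes and a sustained abnormal duration. Two substitutions are assumptions so the block runs stand-alone: the trained two-layer recurrent network is replaced by a per-node exponential moving average (`EmaPredictor`), and the random-forest classification boundary by fixed residual thresholds (`BOUNDARY`). Node names, baseline volumes and the flood pattern are constructed.

```python
"""Added example (not the patent's code): residual-matrix anomaly detection
with the count/duration attack decision of S103-S104.

Assumptions: the trained two-layer RNN is replaced by a per-node exponential
moving average (EmaPredictor) and the random-forest classification boundary by
fixed per-dimension residual thresholds (BOUNDARY); traffic windows are
constructed in constructed_windows(). Pure standard library."""
from dataclasses import dataclass, field

DIMS = ("packets", "packet_increase", "ips", "ip_increase")


def derive_features(stats):
    """stats: list of windows, each mapping node -> (packet_count, distinct_ip_count).
    Returns per-window node -> 4-tuple in DIMS order; the increases are taken
    against the previous window (0 for the first window)."""
    out, prev = [], {}
    for window in stats:
        feats = {}
        for node, (pkts, ips) in window.items():
            p0, i0 = prev.get(node, (pkts, ips))
            feats[node] = (float(pkts), float(pkts - p0), float(ips), float(ips - i0))
        prev = dict(window)
        out.append(feats)
    return out


class EmaPredictor:
    """Stand-in for the trained RNN: predicts a node's next window as the
    exponential moving average of its past windows, per dimension."""

    def __init__(self, alpha=0.3):
        self.alpha = alpha
        self.state = {}

    def predict(self, node):
        return self.state.get(node)  # None until the node has been seen once

    def update(self, node, feats):
        s = self.state.get(node)
        self.state[node] = feats if s is None else tuple(
            self.alpha * f + (1 - self.alpha) * p for f, p in zip(feats, s))


def residual_matrix(actual, predicted):
    """Rows are nodes, columns the DIMS: residual = actual - predicted.
    Nodes that have no prediction yet are left out."""
    return {n: tuple(a - p for a, p in zip(actual[n], predicted[n]))
            for n in actual if predicted.get(n) is not None}


# Assumed classification boundary: one residual threshold per dimension.
BOUNDARY = (40.0, 30.0, 15.0, 10.0)


def abnormal_nodes(resid, boundary=BOUNDARY):
    """A node is abnormal when its residual exceeds the boundary in any dimension."""
    return {n for n, r in resid.items() if any(v > b for v, b in zip(r, boundary))}


@dataclass
class AttackDetector:
    count_threshold: int      # minimum number of persistently abnormal nodes
    duration_threshold: int   # windows a node must stay abnormal to be counted
    predictor: EmaPredictor = field(default_factory=EmaPredictor)
    streaks: dict = field(default_factory=dict)

    def step(self, feats):
        """Process one window; returns (attack_flag, sorted abnormal nodes)."""
        predicted = {n: self.predictor.predict(n) for n in feats}
        abnormal = abnormal_nodes(residual_matrix(feats, predicted))
        for n in feats:  # per-node duration of the abnormal state, in windows
            self.streaks[n] = self.streaks.get(n, 0) + 1 if n in abnormal else 0
        persistent = [n for n, s in self.streaks.items() if s >= self.duration_threshold]
        attack = len(persistent) >= self.count_threshold  # both thresholds at once
        for n, f in feats.items():
            self.predictor.update(n, f)
        return attack, sorted(abnormal)


BASELINE = {"r1": (100, 20), "r2": (80, 15), "s1": (50, 10), "s2": (60, 12)}


def constructed_windows():
    """Constructed sample: four quiet windows with small jitter, then r1 and s1 flooded."""
    windows = [{n: (p + jit, i) for n, (p, i) in BASELINE.items()} for jit in (0, 2, -1, 1)]
    for _ in range(4):
        windows.append(dict(BASELINE, r1=(400, 80), s1=(300, 60)))
    return windows


def run_demo(count_threshold=2, duration_threshold=2):
    det = AttackDetector(count_threshold, duration_threshold)
    results = []
    for i, feats in enumerate(derive_features(constructed_windows())):
        attack, nodes = det.step(feats)
        results.append({"window": i, "attack": attack, "abnormal": nodes})
    return results


if __name__ == "__main__":
    for r in run_demo():
        print(r)
```

In the constructed run, r1 and s1 become abnormal in window 4 but the attack flag is only raised from window 5, once both nodes have been abnormal for two consecutive windows. One caveat the stand-in makes visible: an adaptive predictor learns the flood within a few windows and its residuals shrink, so in a real deployment the model must only be retrained on traffic confirmed to be normal, which is what the optional feedback step of S102 has to enforce.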
In practice, relying solely on fixed classification boundaries and thresholds is prone to misjudgement in some special cases, so the attack determination may optionally be verified.
Preferably, the packet count, packet-rate increase, IP address count and IP-address-rate increase parameters of the node traffic are fuzzified, fuzzy inference is performed on the input abnormal-node traffic data according to an existing knowledge base and rule base, and the probability that each node is abnormal is thereby verified; a network attack is determined when two associated abnormal nodes are both judged abnormal by the fuzzy inference and their probabilities of being abnormal exceed a preset value.
Combining fuzzy inference that encodes expert experience allows the network attack determination to be verified, preventing both false positives and missed detections.
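An added example (not the patent's own knowledge base or rule base) of the verification step: the four parameters are fuzzified with ramp membership functions, a small rule base is evaluated with min-inference, and the rule outputs are defuzzified to a probability that the node is abnormal; two associated nodes then confirm an attack only when both exceed the preset value. The membership scales (`SCALES`), the rules (`RULES`), the output centroids and the feature vectors are all assumptions constructed for the example; the `BUSY_CLIENT` vector stands for the "repeated access in a short time" case from the background, which is exactly what the verification is meant to catch.

```python
"""Added example (not the patent's code): fuzzy-inference verification of an
attack determination. SCALES, RULES, CENTROIDS and the feature vectors are
assumptions standing in for the patent's knowledge base and rule base."""

PARAMS = ("packets", "packet_increase", "ips", "ip_increase")

# Assumed fuzzification scales: (value where "high" starts, value where it reaches 1.0)
SCALES = {"packets": (50.0, 300.0), "packet_increase": (0.0, 200.0),
          "ips": (10.0, 60.0), "ip_increase": (0.0, 40.0)}


def fuzzify(feats):
    """Map each crisp parameter to {'low': 1-m, 'high': m} with a clipped ramp."""
    fuzzy = {}
    for name, x in zip(PARAMS, feats):
        lo, hi = SCALES[name]
        high = min(1.0, max(0.0, (x - lo) / (hi - lo)))
        fuzzy[name] = {"low": 1.0 - high, "high": high}
    return fuzzy


# Assumed rule base: antecedents are (parameter, term) pairs combined with min;
# the consequent is the abnormality term.
RULES = [
    ((("packets", "high"), ("ips", "high")), "high"),                  # many sources flooding
    ((("packet_increase", "high"), ("ip_increase", "high")), "high"),  # sudden surge in both
    ((("packets", "high"), ("ips", "low")), "medium"),                 # heavy client or single-source flood
    ((("packets", "low"), ("packet_increase", "low")), "low"),         # quiet and stable
]
CENTROIDS = {"low": 0.1, "medium": 0.5, "high": 0.9}


def abnormal_probability(feats):
    """Mamdani-style min inference with height defuzzification; returns a value in [0, 1]."""
    fuzzy = fuzzify(feats)
    num = den = 0.0
    for antecedents, consequent in RULES:
        strength = min(fuzzy[p][t] for p, t in antecedents)
        num += strength * CENTROIDS[consequent]
        den += strength
    return num / den if den else 0.0


def verify_attack(feats_a, feats_b, preset=0.7):
    """Confirm the attack only when two associated abnormal nodes both exceed the preset."""
    pa, pb = abnormal_probability(feats_a), abnormal_probability(feats_b)
    return pa > preset and pb > preset, pa, pb


# Constructed feature vectors: (packets, packet_increase, ips, ip_increase)
FLOOD_A = (400.0, 299.0, 80.0, 60.0)    # flagged by the residual boundary; a real flood
FLOOD_B = (300.0, 250.0, 60.0, 50.0)
BUSY_CLIENT = (350.0, 50.0, 12.0, 1.0)  # high volume from few addresses: repeated access
QUIET = (100.0, 2.0, 20.0, 0.0)

if __name__ == "__main__":
    print(verify_attack(FLOOD_A, FLOOD_B))       # confirmed
    print(verify_attack(FLOOD_A, BUSY_CLIENT))   # not confirmed: second node is a busy client
```

The busy client scores about 0.52 because only the "medium" rule fires strongly, so pairing it with a genuine flood node does not confirm an attack, while two flood nodes score 0.9 each and do. Rule weights and scales would in practice be tuned against labelled traffic from the same network rather than fixed as here.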
In one embodiment, after a network attack is determined, the network attack path is determined based on the abnormal nodes, the packets forwarded by the abnormal node devices on the attack path are rejected, and the data bearing the IP addresses of the abnormal node devices, together with the empty packets they forwarded, are cleared from the network nodes.
After the network attack is detected, the corresponding device can be located from the node's coordinates in the matrix or from the number assigned to each node, the attack chain and attack source are determined, and rejection and clearing measures are taken to contain the attack.
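An added example (not the patent's code) of the containment step just described: the attack chain is recovered by walking the topology from the attack source over links whose endpoints are both abnormal, and a node's packet queue is then split into kept packets and packets cleared under the three rules in the text (forwarded by a device on the attack path, sourced from an abnormal device's address, or an empty forwarded packet). The topology, device addresses, abnormal set and queue are constructed; the attack source is assumed to be handed over by the detector, for instance as the node whose abnormal streak began first.

```python
"""Added example (not the patent's code): attack-path derivation and the
rejection/clearing rules. TOPOLOGY, DEVICE_IP, QUEUE and the abnormal set are
constructed; the source node is assumed to come from the detector."""
from collections import deque

# Constructed topology (undirected links) and device management addresses
TOPOLOGY = {
    "r1": {"r2", "s1"}, "r2": {"r1"}, "s1": {"r1", "s2", "r3"},
    "s2": {"s1"}, "r3": {"s1", "s3"}, "s3": {"r3"},
}
DEVICE_IP = {"r1": "10.0.0.1", "r2": "10.0.0.2", "s1": "10.0.1.1",
             "s2": "10.0.1.2", "r3": "10.0.3.1", "s3": "10.0.3.2"}


def attack_path(topology, abnormal, source):
    """BFS from the source over links whose endpoints are both abnormal; the
    reachable abnormal nodes in discovery order form the attack chain."""
    if source not in abnormal:
        raise ValueError("attack source must itself be an abnormal node")
    seen, order, queue = {source}, [source], deque([source])
    while queue:
        node = queue.popleft()
        for nxt in sorted(topology.get(node, ())):
            if nxt in abnormal and nxt not in seen:
                seen.add(nxt)
                order.append(nxt)
                queue.append(nxt)
    return order


def drop_reason(packet, path_nodes, abnormal_ips):
    """Return why a queued packet is cleared, or None to keep it.
    packet: dict with src_ip, forwarded_by (node name or None) and payload_len."""
    if packet["forwarded_by"] in path_nodes:
        return "forwarded by abnormal device on attack path"
    if packet["src_ip"] in abnormal_ips:
        return "source address belongs to abnormal device"
    if packet["forwarded_by"] is not None and packet["payload_len"] == 0:
        return "forwarded empty packet"
    return None


def clear_queue(queue, path_nodes, abnormal_ips):
    """Split a node's packet queue into kept packets and (packet, reason) drops."""
    kept, dropped = [], []
    for pkt in queue:
        reason = drop_reason(pkt, path_nodes, abnormal_ips)
        if reason:
            dropped.append((pkt, reason))
        else:
            kept.append(pkt)
    return kept, dropped


# Constructed queue held at node s2 after the detector flagged r1, s1 and r3
QUEUE = [
    {"src_ip": "10.0.0.5", "forwarded_by": "r2", "payload_len": 512},  # clean, keep
    {"src_ip": "10.0.9.9", "forwarded_by": "s1", "payload_len": 512},  # via the attack path
    {"src_ip": "10.0.0.1", "forwarded_by": "r2", "payload_len": 512},  # from abnormal r1
    {"src_ip": "10.0.0.7", "forwarded_by": "r2", "payload_len": 0},    # forwarded empty packet
    {"src_ip": "10.0.1.2", "forwarded_by": None, "payload_len": 0},    # locally originated, keep
]


def respond(abnormal=frozenset({"r1", "s1", "r3"}), source="r1", queue=QUEUE):
    """Derive the chain from the source, then clear the queue; returns (path, kept, dropped)."""
    path = attack_path(TOPOLOGY, abnormal, source)
    abnormal_ips = {DEVICE_IP[n] for n in path}
    kept, dropped = clear_queue(queue, set(path), abnormal_ips)
    return path, kept, dropped


if __name__ == "__main__":
    path, kept, dropped = respond()
    print("attack path:", path)
    for pkt, reason in dropped:
        print("cleared:", pkt, "->", reason)
```

Two checks a practitioner would add before deploying these rules: flooding attacks commonly spoof source addresses, so the address rule catches little on its own and the forwarding-device rule on the attack path is the one that actually contains traffic; and dropping every forwarded zero-payload packet also discards legitimate transport control segments, so that rule should be scoped to the suspect path rather than applied to the whole queue.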
It should be noted that the detection method provided by the embodiments of the present invention is mainly directed at network attack behaviour such as DDoS attacks and flooding attacks.
The method provided by this embodiment can accurately detect attack behaviour in a network system with high detection efficiency, and can determine an attack solely from the pre-trained network model, the computed classification boundary and the decision thresholds. In addition, the detection result can be verified, and protective measures are taken once a network attack is determined, so that detection accuracy and the security of the network system are both guaranteed.
It should be understood that the sequence numbers of the steps in the foregoing embodiments do not imply an execution order; the execution order of each process should be determined by its function and internal logic and does not constitute any limitation on the implementation of the embodiments of the present invention.
Fig. 2 is a schematic structural diagram of a network attack detection system according to an embodiment of the present invention, the system comprising:
a collection module 210, configured to collect the network traffic of each network node over a period of time and perform statistical analysis on the network traffic data transmitted by each network node;
a prediction module 220, configured to construct a two-layer recurrent neural network, train it on the acquired network traffic data, and predict the network traffic of each node based on the trained network;
a residual calculation module 230, configured to calculate the residual between the actual traffic and the predicted traffic of each node to obtain a multi-dimensional residual matrix, and to determine the abnormal-node classification boundary based on a random forest model;
specifically, the random forest model is trained on the multi-dimensional data and the optimal hyper-parameters are found by grid search, the hyper-parameters comprising the number of decision trees, the depth of the decision trees and the number of cross-validation rounds; the corresponding abnormal-node classification boundary is then obtained from the trained random forest model;
and an attack detection module 240, configured to acquire the traffic of each network node, determine that a network attack has occurred when both the number of abnormal nodes and the duration of the abnormal nodes exceed their preset thresholds, and issue an early warning.
Taking the highest classification accuracy over the limited input data as the optimization objective, the optimal abnormal-node count threshold and abnormal-node duration threshold are solved for by an artificial ant colony algorithm.
Preferably, the attack detection module 240 further comprises:
a verification module, configured to fuzzify the packet count, packet-rate increase, IP address count and IP-address-rate increase parameters of the node traffic, perform fuzzy inference on the input abnormal-node traffic data according to the existing knowledge base and rule base to obtain the probability that each node is abnormal, and determine that a network attack has occurred when two associated abnormal nodes are both judged abnormal by the fuzzy inference and their abnormality probabilities exceed the preset value.
Further, after the network attack is determined, the network attack path is determined based on the abnormal nodes, the packets forwarded by the abnormal node devices on the attack path are rejected, and the data bearing the IP addresses of the abnormal node devices, together with the empty packets they forwarded, are cleared from the network nodes.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and reference may be made to the related descriptions of other embodiments for parts that are not described or illustrated in a certain embodiment.
It is understood that, in one embodiment, the electronic device includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and the computer program executes steps S101 to S104 in the first embodiment, and the processor implements network attack detection when executing the computer program.
It will be understood by those skilled in the art that all or part of the steps in the method for implementing the above embodiments may be implemented by instructing the relevant hardware through a program, where the program may be stored in a computer-readable storage medium, and when the program is executed, the program includes steps S101 to S104, and the storage medium includes, for example, ROM/RAM.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.