CN116958701A - Network abnormal flow detection method based on improved VGG16 and image enhancement - Google Patents

Network abnormal flow detection method based on improved VGG16 and image enhancement Download PDF

Info

Publication number
CN116958701A
CN116958701A CN202310956833.4A CN202310956833A CN116958701A CN 116958701 A CN116958701 A CN 116958701A CN 202310956833 A CN202310956833 A CN 202310956833A CN 116958701 A CN116958701 A CN 116958701A
Authority
CN
China
Prior art keywords
network
layer
feature
vgg16
detection method
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310956833.4A
Other languages
Chinese (zh)
Inventor
王颖伟
干淇任
高振国
游政贤
沈永胜
许庆龙
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xiaokuai Xiamen Network Technology Co ltd
Original Assignee
Xiaokuai Xiamen Network Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xiaokuai Xiamen Network Technology Co ltd filed Critical Xiaokuai Xiamen Network Technology Co ltd
Priority to CN202310956833.4A priority Critical patent/CN116958701A/en
Publication of CN116958701A publication Critical patent/CN116958701A/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06VIMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V10/00Arrangements for image or video recognition or understanding
    • G06V10/70Arrangements for image or video recognition or understanding using pattern recognition or machine learning
    • G06V10/764Arrangements for image or video recognition or understanding using pattern recognition or machine learning using classification, e.g. of video objects
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/04Architecture, e.g. interconnection topology
    • G06N3/0464Convolutional networks [CNN, ConvNet]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06VIMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V10/00Arrangements for image or video recognition or understanding
    • G06V10/70Arrangements for image or video recognition or understanding using pattern recognition or machine learning
    • G06V10/82Arrangements for image or video recognition or understanding using pattern recognition or machine learning using neural networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Evolutionary Computation (AREA)
  • Physics & Mathematics (AREA)
  • Artificial Intelligence (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Databases & Information Systems (AREA)
  • Medical Informatics (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Multimedia (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Biomedical Technology (AREA)
  • Biophysics (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Molecular Biology (AREA)
  • General Engineering & Computer Science (AREA)
  • Mathematical Physics (AREA)
  • Image Analysis (AREA)

Abstract

The invention belongs to the technical field of network security, and discloses a network abnormal flow detection method based on improved VGG16 and image enhancement, which comprises the following steps: the one-dimensional network flow data acquired in a preset time period is converted into a two-dimensional gray scale map through normalization processing; preprocessing the two-dimensional gray scale map by an ImageDataGenerator to obtain enhanced sample image data; constructing an anomaly detection model through an improved VGG16 network fused with a convolution attention module, and training the anomaly detection model by utilizing the enhanced sample image data; and applying the anomaly detection model to real-time detection of network anomaly traffic. In summary, the convolution attention module is integrated into the VGG16 network, so that full extraction of self-feature fusion of the network from shallow to deep is effectively realized, the accuracy of a detection result is further improved, and image data after image data enhancement processing is used as input of an anomaly detection model, so that the generalization capability of the anomaly detection model can be effectively enhanced.

Description

Network abnormal flow detection method based on improved VGG16 and image enhancement
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a network abnormal flow detection method based on improved VGG16 and image enhancement.
Background
With the development of technology, various applications of network communication are becoming more and more popular in people's life, and demands for network communication are also increasing, so security of network communication is also increasing.
The conventional network defense detection system mostly adopts expert rules or machine learning to detect abnormal traffic, wherein: expert rules have a certain artificial subjective factor, the detection accuracy is poor; machine learning often uses network models such as a Recurrent Neural Network (RNN) and a long and short time memory network (LSTM) to perform feature learning on abnormal data of one-dimensional time sequence signals, however, the depth of the models is shallow, and it is difficult to learn high-dimensional features in the data, so that the problem of low detection accuracy often occurs when detecting actual data of network traffic.
Disclosure of Invention
In view of the above, in order to solve the above-mentioned problems, an object of the present invention is to provide a network abnormal traffic detection method based on improved VGG16 and image enhancement.
In order to achieve the above purpose, the present invention provides the following technical solutions:
a network anomaly traffic detection method based on improved VGG16 and image enhancement, comprising:
the one-dimensional network flow data acquired in a preset time period is converted into a two-dimensional gray scale map through normalization processing;
preprocessing the two-dimensional gray scale map by an ImageDataGenerator to obtain enhanced sample image data;
constructing an anomaly detection model through an improved VGG16 network fused with a convolution attention module, and training the anomaly detection model by utilizing the enhanced sample image data;
and applying the anomaly detection model to real-time detection of network anomaly traffic.
Preferably, the one-dimensional network traffic data includes a normal time sequence traffic signal and an abnormal time sequence traffic signal.
Preferably, the normalization conversion formula is as follows:
where P (i) is a feature value after normalization, N (i) is a feature value before normalization, and Min (N) and Max (N) are the minimum and maximum values, respectively, of the feature values.
Preferably, the anomaly detection model comprises a feature extraction layer based on a VGG16 network, a feature enhancement layer based on a convolution attention module, and a feature classification layer based on a Softmax classifier.
Preferably, the feature extraction layer is used for extracting data features from the enhanced sample image data, and the feature extraction layer comprises five convolution layers and a pooling layer which are matched with each other.
Preferably, the feature enhancement layer is used for screening and fusing the data features extracted by the third layer, the fourth layer and the fifth layer in the feature extraction layer to obtain new enhancement features.
Preferably, the step of obtaining new reinforcing features comprises:
taking the data features extracted by the convolution layer of the third layer in the feature extraction layer as a first input;
taking the data features extracted by the convolution layer in the fourth layer in the feature extraction layer as a second input;
screening the first input and the second input respectively to obtain a first characteristic vector and a second characteristic vector;
and firstly splicing and fusing the first feature vector and the second feature vector by using an Add function to obtain a fused feature, and then fusing the fused feature with the data feature extracted by the convolution layer at the fifth layer in the feature extraction layer to obtain a new reinforced feature.
Preferably, when the first input and the second input are screened, screening is performed based on the channel attention and the spatial attention of the convolution attention module.
Preferably, the screening formula based on the channel attention is as follows:
M c (F) =σ (MLP (AvgPooling (F))+mlp (MaxPooling (F))); wherein sigma is a sigmoid function; f is input and F.epsilon.R C×H×W ;M c (F) To filter the output channel eigenvector and M c (F)∈R C×1×1
Preferably, the screening formula based on the spatial attention is as follows:
M s (F)=σ(f 7×7 ([AvgPooling(F);MaxPooling(F)]) A) is provided; wherein sigma is a sigmoid function; f is input, and F.epsilon.R C×H×W ;M s (F) To filter out the output space feature vector, and M s (F)∈R 1×H×W
Compared with the prior art, the invention has the following beneficial effects:
according to the network abnormal flow detection method, the VGG16 network is improved in a mode of being integrated with the convolution attention module, and an abnormal detection model is built on the basis of the improved VGG16 network, so that full extraction of self-feature fusion of the network from shallow to deep is realized, and the accuracy of a detection result is effectively ensured; the one-dimensional network flow signal normalization processing of each network node is converted into a two-dimensional gray image, the two-dimensional gray image is enhanced based on an image data generator image processing technology, and the image characteristics after the enhancement processing are used as the input of an anomaly detection model, so that the generalization capability of the model is effectively enhanced.
Drawings
FIG. 1 is a flow chart of a method for detecting network abnormal traffic according to the present invention;
FIG. 2 is a block diagram of an anomaly detection model of the present invention;
FIG. 3 is a block diagram of a convolution attention module of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
As shown in fig. 1, the network abnormal traffic detection method based on improved VGG16 and image enhancement provided by the invention comprises the following steps:
s1, continuously acquiring one-dimensional network flow data in a preset time period;
specifically, data acquisition starts from 0:00 until 23:55, wherein every 5min is a sampling point, n samples are acquired in total, each sample is a signal segment containing 288 sampling points, and the acquired one-dimensional network traffic data comprises a normal time sequence traffic signal and an abnormal time sequence traffic signal.
S2, carrying out normalization processing on the one-dimensional network flow data and converting the one-dimensional network flow data into a two-dimensional gray scale map;
the normalization processing formula is:where P (i) is a feature value after normalization, N (i) is a feature value before normalization, and Min (N) and Max (N) are the minimum and maximum values, respectively, of the feature values.
S3, dividing the two-dimensional gray scale image obtained by conversion into a training set and a verification set;
as shown in the following table, it is assumed that 1000 data samples are included in one-dimensional network traffic data of a normal time sequence traffic signal and an abnormal time sequence traffic signal, respectively, and a training set and a verification set are randomly divided according to a ratio of 4:1;
s4, preprocessing the two-dimensional gray scale map through an ImageDataGenerator to obtain enhanced sample image data.
S5, constructing an abnormality detection model through an improved VGG16 network fused with a convolution attention module, and training the abnormality detection model by utilizing the enhanced sample image data (training set);
as shown in fig. 2, the anomaly detection model includes a feature extraction layer based on the VGG16 network, a feature enhancement layer based on the convolution attention module, and a feature classification layer based on the Softmax classifier;
specific:
a) The feature extraction layer takes a VGG16 network as a main network structure, and specifically comprises five convolution layers and a pooling layer which are matched with each other;
the convolution layer (conv 3-64/conv3-128/conv3-256/conv3-512/conv 3-512) carries out convolution operation on the input data, extracts the local characteristics of the input data, takes the output as the input of the next layer, and each convolution kernel has the same size. Is provided withMapping of the output characteristics for the kth layer mth convolution kernel,>is a weight matrix>For the local input feature of the kth layer c-th convolution operation, # denotes the convolution operation, # is->For bias, the convolution layer operation can be described by the following formula:
pooling layer (maxpool) reduced transfusionThe size of the input features expands the sensing field, realizes translational invariance, rotational invariance and scale invariance of input, and can reduce the number of network parameters. Is provided withThe jth pooling value mapped for the kth layer ith input,/th layer of k>For the local input feature of the jth pooling operation of the kth layer, w is the width of the pooling area, the pooling layer working process can be described by the following formula:
b) The feature enhancement layer takes a convolution attention module as a feature screening basis, takes data features extracted by the convolution layers of the third layer and the fourth layer in the feature extraction layer as (first/second) input, and screens to obtain (first/second) feature vectors;
as shown in fig. 3, the convolution attention module consists of channel attention and spatial attention, whereby the filtering is performed from the channel dimension and the spatial dimension, respectively, when performing feature filtering:
screening for channel dimension features: let the input feature map be F, F ε R C×H×W The method comprises the steps of carrying out a first treatment on the surface of the Let the channel feature vector be M c (F) And M is c (F)∈R C×1×1 . The specific channel attention procedure can be described by the following formula:
M c (F)=σ(MLP(AvgPooling(F))+MLP(MaxPooling(F)));
regarding spatial dimension feature screening: let the input feature map be F, F ε R C×H×W The method comprises the steps of carrying out a first treatment on the surface of the Set a space feature vector M s (F),M s (F)∈R 1×H×W . The specific spatial attention process can be described by the following formula:
M s (F)=σ(f 7×7 ([AvgPooling(F);MaxPooling(F)]));
the sigma is a sigmoid function, and f 7×7 Represented as a convolution kernel size of 7 x 7 in the feature enhancement layer.
And splicing and fusing the screened (first/second) feature vectors from shallow to deep by using an Add function to obtain fusion features, and then fusing the fusion features with data features extracted by the convolution layer at the fifth layer in the feature extraction layer to obtain new reinforcement features. Specifically, based on feature fusion of Add function, let feature one be X' = [ X ] 1 ,x 2 ,x 3 ,…,x n ]Feature two is Y' = [ Y ] 1 ,y 2 ,y 3 ,…,y n ]New feature F after fusion 1 Add (X ', Y') =x '+ iY', where i represents a fusion coefficient.
c) And inputting the reinforced features combined with the features of the different layers into a feature classification layer based on a Softmax classifier, so as to obtain classification results, and completing training of the anomaly detection model.
S6, inputting a verification set into the trained abnormal detection model, outputting a classification detection result (normal or abnormal binary classification label) by the abnormal detection model through a feature classification layer (Softmax classifier), and judging the detection accuracy of the trained abnormal detection model based on the verification set, so that the detection accuracy of the abnormal detection model is effectively ensured.
S7, applying the anomaly detection model to network anomaly traffic real-time detection;
collecting one-dimensional network flow data in a real-time network state, and converting the one-dimensional network flow data into a two-dimensional gray scale map through normalization processing;
performing image enhancement pretreatment on the two-dimensional gray scale image through an ImageDataGenerator;
and inputting the image data subjected to the enhanced pretreatment into the anomaly detection model, and correspondingly outputting to obtain a detection result about the real-time network state.
In summary, the one-dimensional network time sequence flow signal is converted into the two-dimensional gray level diagram, then image enhancement processing is carried out based on an image data generator image processing technology, and then full extraction of self-feature fusion from shallow to deep is realized on an enhanced image through an improved VGG16 model fused with a convolution attention module, so that network abnormal flow detection with high precision and high efficiency is realized.
Although embodiments of the present invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made therein without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (10)

1. The network abnormal flow detection method based on the improved VGG16 and the image enhancement is characterized by comprising the following steps:
the one-dimensional network flow data acquired in a preset time period is converted into a two-dimensional gray scale map through normalization processing;
preprocessing the two-dimensional gray scale map by an ImageDataGenerator to obtain enhanced sample image data;
constructing an anomaly detection model through an improved VGG16 network fused with a convolution attention module, and training the anomaly detection model by utilizing the enhanced sample image data;
and applying the anomaly detection model to real-time detection of network anomaly traffic.
2. The network anomaly traffic detection method based on improved VGG16 and image enhancement of claim 1, wherein: the one-dimensional network traffic data includes a normal timing traffic signal and an abnormal timing traffic signal.
3. The network anomaly traffic detection method based on improved VGG16 and image enhancement of claim 1, wherein the normalization process transformation formula is as follows:
wherein P (i) is a characteristic value after normalization and N (i) is a characteristic value before normalizationThe sign values, min (N) and Max (N), are the minimum and maximum values, respectively, of the feature values.
4. The network anomaly traffic detection method based on improved VGG16 and image enhancement of claim 1, wherein: the anomaly detection model includes a feature extraction layer based on a VGG16 network, a feature enhancement layer based on a convolution attention module, and a feature classification layer based on a Softmax classifier.
5. The network anomaly traffic detection method based on improved VGG16 and image enhancement of claim 4, wherein: the feature extraction layer is used for extracting data features from the enhanced sample image data, and comprises five convolution layers and a pooling layer which are matched with each other.
6. The network anomaly traffic detection method based on improved VGG16 and image enhancement of claim 5, wherein: the characteristic reinforcing layer is used for screening and fusing the data characteristics extracted by the third layer, the fourth layer and the fifth layer in the characteristic extracting layer so as to obtain new reinforcing characteristics.
7. The method for detecting network anomaly traffic based on improved VGG16 and image enhancement of claim 6, wherein the step of obtaining new enhancement features comprises:
taking the data features extracted by the convolution layer of the third layer in the feature extraction layer as a first input;
taking the data features extracted by the convolution layer in the fourth layer in the feature extraction layer as a second input;
screening the first input and the second input respectively to obtain a first feature vector and a second feature vector;
and firstly splicing and fusing the first feature vector and the second feature vector by using an Add function to obtain a fused feature, and then fusing the fused feature with the data feature extracted by the convolution layer at the fifth layer in the feature extraction layer to obtain a new reinforced feature.
8. The network anomaly traffic detection method based on improved VGG16 and image enhancement of claim 7, wherein: and when the first input and the second input are screened, screening is respectively carried out based on the channel attention and the space attention of the convolution attention module.
9. The network anomaly traffic detection method based on improved VGG16 and image enhancement of claim 8, wherein: the screening formula based on the channel attention is as follows:
M c (F) =σ (MLP (AvgPooling (F))+mlp (MaxPooling (F))); wherein sigma is s igmoid function
A number; f is input, and F.epsilon.R C×H×W ;M c (F) To filter the output channel characteristic vector, and M c (F)∈R C×1×1
10. The network anomaly traffic detection method based on improved VGG16 and image enhancement of claim 8, wherein: the screening formula based on the spatial attention is as follows:
M s (F)=σ(f 7×7 ([AvgPooling(F);MaxPooling(F)]) A) is provided; wherein sigma is an s igmoid function; f is input, and F.epsilon.R C×H×W ;M s (F) To filter out the output space feature vector, and M s (F)∈R 1×H×W
CN202310956833.4A 2023-08-01 2023-08-01 Network abnormal flow detection method based on improved VGG16 and image enhancement Pending CN116958701A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310956833.4A CN116958701A (en) 2023-08-01 2023-08-01 Network abnormal flow detection method based on improved VGG16 and image enhancement

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310956833.4A CN116958701A (en) 2023-08-01 2023-08-01 Network abnormal flow detection method based on improved VGG16 and image enhancement

Publications (1)

Publication Number Publication Date
CN116958701A true CN116958701A (en) 2023-10-27

Family

ID=88452769

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310956833.4A Pending CN116958701A (en) 2023-08-01 2023-08-01 Network abnormal flow detection method based on improved VGG16 and image enhancement

Country Status (1)

Country Link
CN (1) CN116958701A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118115797A (en) * 2024-03-07 2024-05-31 浙江省交通运输科学研究院 Bridge structure health monitoring data anomaly detection method based on deep learning

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118115797A (en) * 2024-03-07 2024-05-31 浙江省交通运输科学研究院 Bridge structure health monitoring data anomaly detection method based on deep learning

Similar Documents

Publication Publication Date Title
CN113191215B (en) Rolling bearing fault diagnosis method integrating attention mechanism and twin network structure
CN110287849B (en) Lightweight depth network image target detection method suitable for raspberry pi
CN112991354B (en) High-resolution remote sensing image semantic segmentation method based on deep learning
CN108734208B (en) Multi-source heterogeneous data fusion system based on multi-mode deep migration learning mechanism
CN111814661B (en) Human body behavior recognition method based on residual error-circulating neural network
CN109993100B (en) Method for realizing facial expression recognition based on deep feature clustering
CN106897738A (en) A kind of pedestrian detection method based on semi-supervised learning
CN112766229B (en) Human face point cloud image intelligent identification system and method based on attention mechanism
CN112950780B (en) Intelligent network map generation method and system based on remote sensing image
CN114818774A (en) Intelligent gearbox fault diagnosis method based on multi-channel self-calibration convolutional neural network
CN112766283B (en) Two-phase flow pattern identification method based on multi-scale convolution network
CN111161224A (en) Casting internal defect grading evaluation system and method based on deep learning
CN112488963A (en) Method for enhancing crop disease data
CN111967361A (en) Emotion detection method based on baby expression recognition and crying
CN116011507A (en) Rare fault diagnosis method for fusion element learning and graph neural network
CN116863237A (en) Image classification method and device based on category related feature reconstruction
CN113435276A (en) Underwater sound target identification method based on antagonistic residual error network
CN116958701A (en) Network abnormal flow detection method based on improved VGG16 and image enhancement
CN116152678A (en) Marine disaster-bearing body identification method based on twin neural network under small sample condition
CN117593666B (en) Geomagnetic station data prediction method and system for aurora image
CN118051831B (en) Underwater sound target identification method based on CNN-transducer cooperative network model
CN114295967A (en) Analog circuit fault diagnosis method based on migration neural network
CN105809200A (en) Biologically-inspired image meaning information autonomous extraction method and device
CN117710841A (en) Small target detection method and device for aerial image of unmanned aerial vehicle
CN117011219A (en) Method, apparatus, device, storage medium and program product for detecting quality of article

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination