
CN-116668318-B - Network attack prediction method, device, computer equipment and storage medium


Abstract

The invention discloses a network attack prediction method, a device, computer equipment and a storage medium, which belong to the technical field of network security, wherein the method comprises the steps of preprocessing a network flow data set, modeling a time sequence and analyzing data characteristics; dividing a network flow data set into a normal flow data set and an attack flow data set according to network flow, initializing improved wolf algorithm parameters, constructing a prediction model, initializing prediction model parameters, obtaining an optimal wolf first candidate by using a GWO search strategy, obtaining an optimal wolf another candidate by using a DLH search strategy, selecting the optimal candidate, updating X i (t) by using the optimal candidate, judging whether iteration is performed to the maximum iteration times, obtaining optimal parameter combination of the prediction model, training the prediction model, obtaining the optimized converged prediction model, and further identifying abnormality caused by network attack. The method in the invention can identify the abnormality caused by the network attack.

Inventors

  • QIU SHAOMING
  • WANG YAHUI
  • Lv Yana
  • CHEN FEN
  • ZHAO JIANCHENG

Assignees

  • 大连大学

Dates

Publication Date
20260505
Application Date
20230529

Claims (10)

  1. A network attack prediction method, comprising: S1, acquiring a network flow data set; S2, preprocessing the network flow data set; S3, modeling a time sequence of the preprocessed network flow data set to obtain a time sequence; S4, carrying out data feature analysis on the time sequence to obtain a feature analysis result; S5, based on the feature analysis result, dividing the network flow data set into a normal flow data set and an attack flow data set according to the network flow; S6, initializing the improved gray wolf algorithm parameters; S7, constructing a prediction model and initializing the parameters of the prediction model; S8, obtaining a first candidate X_IGWO(t+1) for the optimal gray wolf by using the gray wolf optimization algorithm GWO search strategy; S9, obtaining another candidate X_IDLH(t+1) for the optimal gray wolf by using the dimension learning-based hunting DLH search strategy; S10, comparing the fitness value of the first candidate X_IGWO(t+1) with the fitness value of the other candidate X_IDLH(t+1) and selecting the optimal candidate; S11, judging whether the fitness value of the optimal candidate is smaller than that of X_i(t); S12, if yes, updating X_i(t) with the optimal candidate, otherwise keeping X_i(t) unchanged in the matrix Pop, wherein X_i(t) represents the position of the i-th wolf in the t-th iteration; S13, judging whether the maximum iteration number has been reached: if so, executing the next step, otherwise adding 1 to the iteration number and jumping to S8; S14, obtaining the optimal parameter combination of the prediction model; S15, training the prediction model based on the optimal parameter combination to obtain an optimized, converged prediction model; S16, identifying the abnormality caused by the network attack based on the optimized, converged prediction model.
  2. The network attack prediction method according to claim 1, wherein the network traffic data set includes the internet traffic ec_data, the network traffic DARPA99 and the DDOS attack data set DARPA00.
  3. The network attack prediction method according to claim 2, wherein the preprocessing of the network traffic data set specifically comprises the following steps: normalizing the ec_data; performing a data sampling operation on the DARPA99 data set and the DARPA00 data set at a time interval of 1 min to obtain the number of data packets per minute as the IP data packet statistical characteristic IPDCF, wherein T_{i+1} − T_i = 1 min and P_t is a data packet.
  4. The network attack prediction method according to claim 3, wherein performing data feature analysis on the time series to obtain a feature analysis result specifically comprises the steps of: sampling the IPDCF at a time interval Δt = 1 min, calculating the IPDCF value of each sample, and obtaining a period T after M samplings: T(M, Δt) = {IPDCF_i, i = 1, 2, ..., M}, where M is the data set length and Δt = 1 min.
  5. The network attack prediction method according to claim 1, wherein initializing the improved gray wolf algorithm parameters specifically comprises the following steps: randomly generating a wolf group with total number N = 50 and maximum iteration number Maxiter = 10; the problem dimension D is the number of BiLSTM parameters to be optimized, D = 4, namely the hidden layer unit numbers neurons of the BiLSTM (two values), the forgetting rate dropout and the batch size batch-size, which correspond to the parameter coordinates of the individual positions in the wolf group; setting the upper and lower limits ub = [200, 200, 0.9, 10] and lb = [32, 32, 0.1, 1]; the position of the i-th wolf in the t-th iteration is expressed as X_i(t) = {x_i1, x_i2, …, x_iD}, 0 ≤ i ≤ N, wherein the whole wolf population is stored in a matrix Pop having N rows and D columns, D being the dimension of the problem.
  6. The network attack prediction method according to claim 1, wherein searching for the first candidate X_IGWO(t+1) of the optimal gray wolf using the gray wolf optimization algorithm GWO comprises the steps of: dividing the wolves into 4 grades according to fitness values, wherein alpha is taken as the optimal solution, beta as the suboptimal solution, delta as an optimal solution and omega as a candidate solution; the hunting process is guided by alpha, beta and delta, omega follows alpha, beta and delta towards the prey, and the position of the prey corresponds to the solution of the problem; selecting the three wolves alpha, beta and delta with the minimum fitness values to perform the GWO search and updating the positions of the other wolves omega to obtain the first candidate X_IGWO(t+1); the DLH search strategy for the other candidate X_IDLH(t+1) of the optimal gray wolf is formulated as: X_IDLH,d(t+1) = X_i,d(t) + rand × (X_n,d(t) − X_r,d(t)), wherein X_n,d(t) is a random neighbor selected from the neighborhood N_i(t) constructed by the DLH search strategy, X_r,d(t) is a random wolf selected from the matrix Pop, and X_i,d(t) represents the position of the i-th wolf in the d-th dimension in the t-th iteration; N_i(t) = {X_j(t) | D_i(X_i(t), X_j(t)) ≤ R_i(t), X_j(t) ∈ Pop}, R_i(t) = ||X_i(t) − X_IGWO(t+1)||, wherein D_i is the Euclidean distance between X_i(t) and X_j(t), R_i(t) is the radius of the neighborhood, X_i(t) represents the position of the i-th wolf in the t-th iteration, and X_j(t) represents the position of the j-th wolf in the t-th iteration.
  7. The network attack prediction method according to claim 4, wherein identifying anomalies caused by network attacks based on the optimized, converged prediction model specifically comprises the steps of: inputting the attack flow data set into the optimized, converged prediction model and carrying out an attack experiment; performing statistical analysis on the IPDCF value intervals of the normal stream and the predicted stream to obtain the IPDCF value interval [a, b] of the normal stream and [c, d] of the predicted stream; obtaining the maximum value Z of the predicted stream's IPDCF value interval [c, d]; calculating the average error A between the IPDCF values of the predicted flow and the IPDCF values of the normal network, and setting the threshold U = Z + A; when the deviation X between the actual value and the predicted value is larger than or equal to the preset threshold U, the flow is considered abnormal and network attack behavior is judged to be present; when the deviation between the actual value and the predicted value is smaller than the preset threshold U, normal network congestion is considered to have occurred.
  8. A network attack prediction apparatus, comprising: a network flow data set acquisition module for acquiring a network flow data set; a processing module for preprocessing the network flow data set; a time sequence modeling module for performing time sequence modeling on the preprocessed network flow data set to obtain a time sequence; a feature analysis module for carrying out data feature analysis on the time sequence to obtain a feature analysis result; a network flow data set dividing module for dividing the network flow data set into a normal flow data set and an attack flow data set according to the network flow based on the feature analysis result; an initialization module for initializing the parameters of the improved gray wolf algorithm; a prediction model construction module for constructing a prediction model and initializing its parameters; a first candidate determination module for obtaining a first candidate X_IGWO(t+1) for the optimal gray wolf using the gray wolf optimization algorithm GWO search strategy; a second candidate determination module for obtaining another candidate X_IDLH(t+1) for the optimal gray wolf using the dimension learning-based hunting DLH search strategy; a comparison module for comparing the fitness values of the first candidate X_IGWO(t+1) and the other candidate X_IDLH(t+1) and selecting the optimal candidate; a first judging module for judging whether the fitness value of the optimal candidate is smaller than that of X_i(t); an updating module for updating X_i(t) with the optimal candidate when it is, and otherwise keeping X_i(t) unchanged in the matrix Pop; a second judging module for judging whether the maximum iteration number has been reached, in which case the next module executes, and otherwise the iteration number is increased by 1 and control jumps back to the first candidate determination module; an optimal parameter combination determining module for obtaining the optimal parameter combination of the prediction model; a training module for training the prediction model based on the optimal parameter combination to obtain an optimized, converged prediction model; and a network attack identification module for identifying the abnormality caused by the network attack based on the optimized, converged prediction model.
  9. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the method of any of claims 1 to 7 when executing the computer program.
  10. A computer readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the method of any of claims 1 to 7.
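An added illustration, not the patent's own implementation, of the candidate-generation loop in claims 5 and 6 and steps S8 to S13: the GWO move is the standard grey wolf position update (an assumption, since the claims do not spell it out), the DLH move follows the formula in claim 6, and the fitness function is assumed to be supplied by the caller (in the patent it is the BiLSTM's training result; any minimisation objective over the four hyperparameters works here).

```python
import math
import random

# Claim 5 bounds for the D = 4 BiLSTM hyperparameters: [neurons1, neurons2, dropout, batch size].
UB = [200, 200, 0.9, 10]
LB = [32, 32, 0.1, 1]

def clip(x):
    return [min(max(v, lo), hi) for v, lo, hi in zip(x, LB, UB)]

def dist(x, y):
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(x, y)))

def gwo_candidate(x, leaders, a):
    # Standard GWO move (assumed): mean of the alpha-, beta- and delta-guided steps.
    new = []
    for d in range(len(x)):
        acc = 0.0
        for leader in leaders:
            A, C = 2 * a * random.random() - a, 2 * random.random()
            acc += leader[d] - A * abs(C * leader[d] - x[d])
        new.append(acc / len(leaders))
    return clip(new)

def dlh_candidate(i, pop, x_gwo):
    # Claim 6: X_IDLH,d = X_i,d + rand * (X_n,d - X_r,d), with X_n a random wolf
    # inside radius R_i = ||X_i - X_IGWO|| and X_r a random wolf from Pop.
    xi, r = pop[i], dist(pop[i], x_gwo)
    xn = random.choice([xj for xj in pop if dist(xi, xj) <= r])
    xr = random.choice(pop)
    return clip([xi[d] + random.random() * (xn[d] - xr[d]) for d in range(len(xi))])

def igwo_step(pop, fitness, t, max_iter):
    # S8-S12 for one iteration: keep the better candidate only if it beats X_i(t).
    a = 2 - 2 * t / max_iter                # GWO control parameter, 2 -> 0
    leaders = sorted(pop, key=fitness)[:3]  # alpha, beta, delta (minimisation)
    new_pop = []
    for i, xi in enumerate(pop):
        x_gwo = gwo_candidate(xi, leaders, a)
        x_dlh = dlh_candidate(i, pop, x_gwo)
        best = min((x_gwo, x_dlh), key=fitness)
        new_pop.append(best if fitness(best) < fitness(xi) else xi)
    return new_pop

def optimise(fitness, n=50, max_iter=10, seed=0):
    random.seed(seed)                       # N = 50, Maxiter = 10 per claim 5
    pop = [[random.uniform(lo, hi) for lo, hi in zip(LB, UB)] for _ in range(n)]
    for t in range(max_iter):
        pop = igwo_step(pop, fitness, t, max_iter)
    return min(pop, key=fitness)
```

Positions are continuous; rounding the neuron counts and batch size to integers before building the BiLSTM is left to the fitness function.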

Description

Network attack prediction method, device, computer equipment and storage medium

Technical Field

The present invention relates to the field of network security technologies, and in particular to a method and apparatus for predicting a network attack, a computer device, and a storage medium.

Background

Network security is of paramount importance because it covers all forms of data security and information security. With the continuous development of network information technology, information leakage, phishing and the like occur constantly, and while people enjoy the convenience of the network they recognize the importance of network security more and more. Existing security schemes include firewalls, data encryption, intrusion detection systems and other technologies. Firewalls and data encryption are passive protection technologies that can only protect the network after a network attack has occurred, whereas the intrusion detection system is an active protection technology that can effectively sense network attacks by monitoring the network in real time, providing response decisions for security management staff.

DoS and DDoS attacks occur non-periodically in time and consume network bandwidth and system resources by generating and sending large amounts of useless data, so that the attacked host cannot communicate normally with the outside world. DoS and DDoS attacks come in a very wide variety of types, including UDP flooding, ACK type, DNS amplification requests, NTP amplification type, TCP flooding, HTTP flooding, SYN flooding, etc.; the purpose of these attacks is to consume the bandwidth, memory and CPU resources of the server, so that the server can only reject requests or provide services with poor performance due to resource exhaustion.

Disclosure of Invention

The invention aims to provide a network attack prediction method, a network attack prediction device, computer equipment and a storage medium, which are used for identifying anomalies caused by network attacks and reducing the information leakage and resource waste caused by the network attacks. In order to achieve the above object, the present invention provides the following solutions.

In a first aspect, the present invention provides a network attack prediction method, including: S1, acquiring a network flow data set; S2, preprocessing the network flow data set; S3, modeling a time sequence of the preprocessed network flow data set to obtain a time sequence; S4, carrying out data feature analysis on the time sequence to obtain a feature analysis result; S5, based on the feature analysis result, dividing the network flow data set into a normal flow data set and an attack flow data set according to the network flow; S6, initializing the improved gray wolf algorithm parameters; S7, constructing a prediction model and initializing the parameters of the prediction model; S8, obtaining a first candidate X_IGWO(t+1) for the optimal gray wolf by using the gray wolf optimization algorithm GWO search strategy; S9, obtaining another candidate X_IDLH(t+1) for the optimal gray wolf by using the dimension learning-based hunting DLH search strategy; S10, comparing the fitness value of the first candidate X_IGWO(t+1) with the fitness value of the other candidate X_IDLH(t+1) and selecting the optimal candidate; S11, judging whether the fitness value of the optimal candidate is smaller than that of X_i(t); S12, if yes, updating X_i(t) with the optimal candidate, otherwise keeping X_i(t) unchanged in the matrix Pop, wherein X_i(t) represents the position of the i-th wolf in the t-th iteration; S13, judging whether the maximum iteration number has been reached: if so, executing the next step, otherwise adding 1 to the iteration number and jumping to S8; S14, obtaining the optimal parameter combination of the prediction model; S15, training the prediction model based on the optimal parameter combination to obtain an optimized, converged prediction model; S16, identifying the abnormality caused by the network attack based on the optimized, converged prediction model.

Optionally, the network traffic data set includes the internet traffic ec_data, the network traffic DARPA99 and the DDOS attack data set DARPA00.

Optionally, preprocessing the network traffic data set specifically includes the following steps: normalizing the ec_data; performing a data sampling operation on the DARPA99 data set and the DARPA00 data set at a time interval of 1 min to obtain the number of data packets per minute as the IP data packet statistical characteristic IPDCF, wherein T_{i+1} − T_i = 1 min and P_t is a data packet.

Optionally, performing data feature analysis on the time sequence to obtain a feature analysis result specifically includes the following steps: sampling the IPDCF at a time interval Δt = 1 min, calculating the IPDCF value of each sample, and obtaining a period T after m times of
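As an added example, not code from the patent, the per-minute IPDCF sampling of claim 3 and the threshold rule U = Z + A of claim 7 are carried through on constructed packet timestamps and constructed normal, predicted and actual IPDCF series; the "predicted" series stands in for the BiLSTM output, which is not reproduced here.

```python
def ipdcf(packet_times, start, minutes):
    """IP data packet statistical characteristic of claim 3: packets per 1 min bin
    (T_{i+1} - T_i = 1 min). packet_times are seconds; packets outside the window drop."""
    counts = [0] * minutes
    for t in packet_times:
        idx = int((t - start) // 60)
        if 0 <= idx < minutes:
            counts[idx] += 1
    return counts

def attack_threshold(normal, predicted):
    """Claim 7: Z = maximum of the predicted IPDCF interval [c, d], A = average error
    between predicted and normal IPDCF values, threshold U = Z + A."""
    z = max(predicted)
    a = sum(abs(p - n) for p, n in zip(predicted, normal)) / len(normal)
    return z + a

def classify(actual, predicted, u):
    """Deviation X = |actual - predicted| per sample: X >= U is abnormal flow
    attributed to an attack, X < U is treated as ordinary network congestion."""
    labels = []
    for x_act, x_pred in zip(actual, predicted):
        dev = abs(x_act - x_pred)
        labels.append("attack" if dev >= u else "congestion")
    return labels

# Constructed sample data: packet arrival times (seconds) over a 3 min window,
# then normal / predicted / actual IPDCF series for a 5 min stretch.
SAMPLE_TIMES = [5, 30, 59.9, 60, 61, 125, 180]
NORMAL = [100, 110, 105, 120, 115]
PREDICTED = [102, 108, 107, 118, 117]
ACTUAL = [104, 109, 400, 118, 119]   # third minute carries a flood-sized spike

def demo():
    """Runs the three steps end to end on the constructed data."""
    u = attack_threshold(NORMAL, PREDICTED)
    return ipdcf(SAMPLE_TIMES, 0, 3), u, classify(ACTUAL, PREDICTED, u)
```

Note that the rule only separates "attack" from "congestion" by the size of the deviation; a sample whose deviation is tiny still lands in the congestion class, so a practitioner would usually add a lower band for plainly normal minutes.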