CN-120358061-B - Threat behavior detection method based on fuzzy enhancement polynomial neural network
Abstract
A threat behavior detection method based on a fuzzy enhancement polynomial neural network comprises the steps of combining fuzzy C-means clustering with a polynomial neural network, designing an adaptive optimization mechanism, introducing an entropy activation function, realizing dynamic edge weighting, extracting fuzzy enhancement features, and designing an adaptive optimization algorithm for threat behavior detection. The self-adaptive fuzzy enhancement polynomial neural network is used to construct an efficient threat behavior detection model, so that complex threat patterns in network traffic are identified accurately and detection precision and efficiency are effectively improved. In addition, generating fuzzy rules makes the reasoning process of the neural network visible, improving the transparency and interpretability of the system. Compared with traditional methods, the method has higher detection accuracy and adaptability, improves the recognition of complex attack patterns, adapts to different network environments, and is suitable for threat detection scenarios in complex network traffic.
Inventors
- Luan Yuqian
- HUANG WEI
- ZHANG WEIYI
- XU ZHILEI
- ZHU LIEHUANG
Assignees
- 北京理工大学 (Beijing Institute of Technology)
Dates
- Publication Date
- 20260508
- Application Date
- 20250429
Claims (5)
- 1. A threat behavior detection method based on a fuzzy enhancement polynomial neural network, comprising the following steps: Step 1, data preprocessing and feature extraction: preprocessing the training data and the test data, wherein the preprocessing comprises data reading, data format conversion, feature extraction and label coding, so as to ensure the consistency of the data and provide correct input for subsequent model training; Step 2, fuzzy clustering and similarity calculation: performing fuzzy clustering on the data with the fuzzy C-means (FCM) clustering algorithm so as to divide the data into a plurality of fuzzy categories; in this process a similarity matrix between data points is obtained by the cosine similarity method, and the connection strength between nodes is then adjusted by a dynamic weighting method based on the calculated similarity matrix, so that clustering accuracy and robustness are further improved and nodes with higher similarity are more strongly connected; Step 3, self-adaptive optimization and model configuration: the important fuzzy clustering parameters, the clustering number c and the fuzzy index m, are dynamically adjusted by the self-adaptive optimization algorithm SSOA so as to optimize the structural parameters of the neural network; the optimization algorithm automatically selects the optimal parameters according to the characteristics of the network traffic, improving the adaptability and accuracy of the model, and dynamically adjusts the parameters by monitoring the fitness during training, so that the model adjusts itself to different data characteristics and the training effect is maximized; Step 4, feature expansion and neural network training: constructing a feature set with higher expressive capacity from the features obtained by the fuzzy clustering algorithm and polynomial feature expansion, passing the feature set into the neural network as input for training, and selecting a suitable activation function according to the complexity of the input data by means of a self-adaptive entropy activation function, so that the learning capacity of the model is improved and complex threat patterns are handled better; Step 4.1, feature expansion and combination: at this stage the features obtained by fuzzy clustering are combined with polynomial features to expand the feature space; specifically, the original features are expanded polynomially to increase their nonlinear representation capability, and the polynomial features are generated by the following formula, in which X is the original feature, each term is the i-th power of the original feature, and n is the highest power of the required polynomial; in this way the original feature set is converted into a more complex feature space to improve the model's ability to learn complex patterns; the fuzzy clustering result is then spliced with these extended features to form a new feature set; Step 4.2, generating clustering rules: a corresponding rule is generated from the fuzzy clustering result, each rule being expressed as a condition-result structure whose parts denote a feature, the value range of that feature, and the target class, which is judged as potential attack or normal behavior; specifically, for each cluster the conditions are generated by computing the feature ranges of its data points, which are similar for data points in the same cluster, and from these ranges rules are created that indicate which feature value combinations correspond to attacks or normal behavior; Step 4.3, constructing the neural network structure: at this stage the neural network model is constructed according to the optimized parameter configuration, the model comprising an input layer, a plurality of hidden layers and an output layer; each hidden layer uses an adaptive activation function that selects ReLU or Sigmoid based on the entropy value of the input data, and the structure of the neural network is expressed by a layer formula whose symbols denote the output of a layer, the weight and bias of that layer, and the activation function; during training the Adam optimizer is used for back propagation and weight updating to minimize the loss function, using the cross entropy loss for the two-class task, whose symbols denote the true label, the predicted value, and the number of samples; Step 4.4, training and optimizing the neural network: the neural network is trained on the training data with the Adam optimizer and a suitable learning rate, iterating several times in combination with the adaptive entropy activation function, computing the loss function and updating the network weights in each iteration until the model converges or reaches the set maximum number of iterations, and gradually reducing the learning rate with a learning rate scheduler to further improve the convergence speed and stability of the model; Step 5, model evaluation and verification: after training, comprehensive performance evaluation is performed on the model, calculating evaluation indexes including accuracy, confusion matrix and classification report, verifying the performance of the model in threat behavior detection through these indexes and comparing the result with existing methods; finally the trained model is stored and verified in practical application.
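Steps 4.1 and 4.3 of claim 1 in working form, as an added example that is not the patent's own code. Assumptions (the page gives neither): the entropy of a layer input is estimated from a histogram of its values, and ReLU is chosen when that entropy exceeds half of the histogram's maximum entropy, Sigmoid otherwise.

```python
# Added example, not the patent's own code: Steps 4.1 and 4.3 in NumPy.
# ASSUMED: the histogram entropy estimate and the ReLU/Sigmoid switching threshold.
import numpy as np

def polynomial_expand(X, n):
    """Step 4.1: extend each original feature X with X^2 ... X^n (column-wise)."""
    X = np.asarray(X, dtype=float)
    return np.hstack([X ** p for p in range(1, n + 1)])

def build_feature_set(X, U, n=3):
    """Step 4.1: splice the FCM membership matrix U onto the expanded features."""
    return np.hstack([polynomial_expand(X, n), np.asarray(U, dtype=float)])

def shannon_entropy(values, bins=10):
    """Entropy (bits) of a layer input's value distribution.
    ASSUMPTION: estimated from a `bins`-bin histogram of the values."""
    counts, _ = np.histogram(np.asarray(values, dtype=float), bins=bins)
    p = counts[counts > 0] / counts.sum()
    return float(-(p * np.log2(p)).sum())

def adaptive_activation(z, bins=10):
    """Step 4.3: choose ReLU or Sigmoid from the entropy of the layer input z.
    ASSUMPTION: spread-out inputs (entropy above half of log2(bins)) get ReLU,
    concentrated inputs get Sigmoid. Returns (name, activated values)."""
    z = np.asarray(z, dtype=float)
    if shannon_entropy(z, bins) > 0.5 * np.log2(bins):
        return "relu", np.maximum(z, 0.0)
    return "sigmoid", 1.0 / (1.0 + np.exp(-z))

def forward(F, weights, biases):
    """Hidden layers with adaptive activation, Sigmoid output for the two-class task.
    Returns (attack probabilities, activation chosen for each hidden layer)."""
    a = np.asarray(F, dtype=float)
    chosen = []
    for W, b in zip(weights[:-1], biases[:-1]):
        name, a = adaptive_activation(a @ W + b)
        chosen.append(name)
    logits = a @ weights[-1] + biases[-1]
    return 1.0 / (1.0 + np.exp(-logits)), chosen

def cross_entropy(y_true, y_pred, eps=1e-12):
    """Step 4.3 loss: -(1/N) * sum(y log p + (1 - y) log(1 - p))."""
    y = np.asarray(y_true, dtype=float)
    p = np.clip(np.asarray(y_pred, dtype=float), eps, 1 - eps)
    return float(-np.mean(y * np.log(p) + (1 - y) * np.log(1 - p)))

def demo():
    """Constructed run: three flows, two scaled features, two FCM clusters."""
    rng = np.random.default_rng(0)
    X = [[0.2, 0.9], [0.8, 0.1], [0.5, 0.5]]          # constructed scaled features
    U = [[0.9, 0.1], [0.2, 0.8], [0.5, 0.5]]          # constructed membership rows
    F = build_feature_set(X, U, n=3)                  # 3 x (2 * 3 + 2) = 3 x 8
    sizes = [F.shape[1], 6, 4, 1]                     # two hidden layers, one output
    weights = [rng.normal(size=(a, b)) for a, b in zip(sizes, sizes[1:])]
    biases = [np.zeros(b) for b in sizes[1:]]
    probs, chosen = forward(F, weights, biases)
    loss = cross_entropy([1, 0, 1], probs.ravel())    # constructed labels
    return probs.ravel().tolist(), chosen, loss

if __name__ == "__main__":
    print(demo())
```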
- 2. The threat behavior detection method based on a fuzzy enhancement polynomial neural network according to claim 1, wherein Step 1, data preprocessing and feature extraction (preprocessing the training data and the test data, including reading the data, converting the data format, extracting the features and encoding the labels, to ensure the consistency of the data and provide correct input for subsequent model training), comprises the following specific steps: Step 1.1, loading an existing data set or generating a new one: first check whether a stored training set and test set exist; if so, load them directly, and if not, generate a new data set by parsing PCAP files; Step 1.2, obtaining and parsing PCAP files: all PCAP files under a specified directory are obtained through the glob function and parsed in turn, a binary flow record is generated by calling the argus command through WSL, and feature data are extracted with the ra command; Step 1.3, data cleaning and label generation: labels are generated from the characteristics of each packet by a generate_label function, which judges from the traffic characteristics whether the traffic is of an attack type and generates the corresponding attack label alongside normal traffic, where dpkts is the number of packets at the destination end and proto is the protocol type; if the condition is satisfied the label is attack type 1, otherwise the label is normal traffic 0, and a similar conditional judgment is used for the other attack types; Step 1.4, data merging and column processing: the parsing result of each file is appended to a total DataFrame, unnecessary columns are removed to avoid processing excessive class values, rows containing null values are deleted, and the protocol column is encoded so that all non-numerical protocol types are handled and data consistency is ensured; Step 1.5, label coding of the categorical variables in the data set: non-numerical features, protocol types and source addresses are converted into numerical types for subsequent model use, the categorical variables being encoded with LabelEncoder; Step 1.6, data scaling and resampling: the numerical features in the data set are standardized, all feature values being scaled to between 0 and 1 with MinMaxScaler, and the data are resampled with ADASYN to balance the class distribution and prevent data imbalance from affecting model performance; Step 1.7, dividing the training set and the test set: the data are split into a training set and a test set at a ratio of 7:3 so that the model can be trained and verified, and finally the data set comprising the training set and the test set is stored in a local file for subsequent loading and use; Step 1.8, feature extraction and standardization: the features are standardized with MinMaxScaler so that every feature value is on the same scale, avoiding bias caused by features of different magnitudes during model training and ensuring that each feature contributes equally to the model; Step 1.9, label coding and data partitioning: all non-numerical features are label-coded and the data set is partitioned into training and test sets, which ensures that the model can adapt to different traffic types and be effectively learned and evaluated in the training and testing stages.
- 3. The threat behavior detection method based on a fuzzy enhancement polynomial neural network according to claim 1, wherein Step 2 introduces fuzzy clustering and similarity calculation: fuzzy clustering is carried out on the data with the fuzzy C-means (FCM) clustering algorithm so that the data are divided into a plurality of fuzzy categories, a similarity matrix between data points is obtained in the process by the cosine similarity method, and the connection strength between nodes is then adjusted by a dynamic weighting method based on the calculated similarity matrix, so that clustering accuracy and robustness are further improved and nodes with higher similarity are more strongly connected; the method comprises the following specific steps: Step 2.1, calculating the similarity matrix: first the similarity between data points is calculated, one common similarity measure being cosine similarity, whose formula involves the feature vectors of two data points, their respective Euclidean norms, and the dot product of the two vectors; the similarity matrix is obtained by calculating the cosine similarity between all data points, each element of the matrix representing the similarity between two data points; Step 2.2, dynamically weighting the similarity matrix: after the similarity matrix is calculated the similarities are dynamically weighted, the aim being to strengthen the connection between data points with higher similarity and reduce the influence between points with lower similarity through an attenuation factor; in the weighting formula the weighted similarity between data point i and data point j is obtained from the original similarity value given by the cosine similarity calculation and the attenuation factor, whose value lies between 0 and 1; the weighting makes connections with high similarity more prominent and weakens connections with low similarity, so that the quality of clustering is improved; Step 2.3, fuzzy C-means clustering (FCM): the data are clustered with the FCM algorithm, whose goal is to optimize the membership matrix and the cluster centers by minimizing an objective function; the objective function involves the membership of a data point to a cluster, which lies between 0 and 1; the fuzzy index, which controls the degree of fuzziness of the clustering, larger values making the membership matrix smoother and smaller values making the clustering sharper; the Euclidean distance between a data point and a cluster center, which represents how close the data point is to the cluster center; the number of clusters to be formed; and the number of data points; the membership matrix and the cluster centers are updated by continuous iteration until the objective function converges, the FCM algorithm updating the membership matrix in every iteration so that the membership of the data points is distributed among the clusters more reasonably; Step 2.4, outputting the fuzzy clustering result: after clustering is completed the final membership matrix and cluster centers are output; each element of the membership matrix represents the membership of a data point to a cluster, and each final cluster center is the "average" feature of the data points in that cluster, representing the central location of the cluster.
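Steps 2.1 to 2.4 of claim 3 carried through on a constructed sample, as an added example that is not the patent's own code. Two assumptions, because the page names but does not give them: the dynamic weighting uses the form W = S * alpha**(1 - S) with attenuation factor alpha in (0, 1), and FCM is run on the rows of the weighted similarity matrix.

```python
# Added example, not the patent's own code: Steps 2.1-2.4 in NumPy.
# ASSUMED: the weighting formula and running FCM on the weighted similarity rows.
import numpy as np

def cosine_similarity_matrix(X):
    """Step 2.1: S[i, j] = x_i . x_j / (||x_i|| ||x_j||) for every pair of rows."""
    X = np.asarray(X, dtype=float)
    unit = X / np.maximum(np.linalg.norm(X, axis=1, keepdims=True), 1e-12)
    return unit @ unit.T

def weight_similarity(S, alpha=0.5):
    """Step 2.2, ASSUMED form: W = S * alpha**(1 - S), 0 < alpha < 1.
    A link with S near 1 keeps its weight; weaker links are attenuated."""
    return S * alpha ** (1.0 - S)

def fcm_objective(X, U, V, m):
    """Step 2.3: J = sum_i sum_k u_ik^m * ||x_i - v_k||^2."""
    d2 = ((X[:, None, :] - V[None, :, :]) ** 2).sum(axis=2)
    return float(((U ** m) * d2).sum())

def fuzzy_c_means(X, c, m=2.0, max_iter=100, tol=1e-6, seed=0):
    """Steps 2.3-2.4: alternate centre and membership updates until J converges.
    Returns the membership matrix U (n x c), centres V (c x d) and the J history."""
    X = np.asarray(X, dtype=float)
    rng = np.random.default_rng(seed)
    U = rng.random((X.shape[0], c))
    U /= U.sum(axis=1, keepdims=True)                 # each row is a fuzzy partition
    history = []
    for _ in range(max_iter):
        Um = U ** m
        V = (Um.T @ X) / Um.sum(axis=0)[:, None]      # v_k = sum u_ik^m x_i / sum u_ik^m
        d = np.sqrt(((X[:, None, :] - V[None, :, :]) ** 2).sum(axis=2))
        d = np.maximum(d, 1e-12)                      # a point sitting exactly on a centre
        # u_ik = 1 / sum_j (d_ik / d_ij)^(2 / (m - 1))
        U_new = 1.0 / ((d[:, :, None] / d[:, None, :]) ** (2.0 / (m - 1))).sum(axis=2)
        history.append(fcm_objective(X, U_new, V, m))
        converged = np.abs(U_new - U).max() < tol
        U = U_new
        if converged:
            break
    return U, V, history

def cluster_flows(X, c=2, m=2.0, alpha=0.5):
    """Whole of Step 2: similarity -> weighting -> FCM on the weighted rows (assumed)."""
    W = weight_similarity(cosine_similarity_matrix(X), alpha)
    U, V, history = fuzzy_c_means(W, c, m)
    monotone = all(b <= a + 1e-9 for a, b in zip(history, history[1:]))
    return {"labels": U.argmax(axis=1).tolist(),     # hard assignment, for reporting only
            "rows_sum_to_one": bool(np.allclose(U.sum(axis=1), 1.0)),
            "objective_monotone": monotone, "iterations": len(history)}

# Constructed sample: six flow feature vectors, three pointing roughly along the
# first axis and three along the third.
SAMPLE_FLOWS = [
    [1.0, 0.10, 0.00], [0.9, 0.00, 0.10], [1.0, 0.05, 0.05],
    [0.0, 0.10, 1.00], [0.1, 0.00, 0.90], [0.05, 0.05, 1.0],
]

if __name__ == "__main__":
    print(cluster_flows(SAMPLE_FLOWS))
```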
- 4. The threat behavior detection method based on a fuzzy enhancement polynomial neural network according to claim 1, wherein Step 3 is self-adaptive optimization and model configuration: the clustering number c and the fuzzy index m of the fuzzy clustering are dynamically adjusted by the self-adaptive optimization algorithm SSOA so as to optimize the structural parameters of the neural network; the optimization algorithm automatically selects the most suitable parameters according to the characteristics of the network traffic, improving the adaptability and accuracy of the model, and dynamically adjusts the parameters by monitoring the fitness during training, so that the model adjusts itself to different data characteristics and the training effect is maximized; the specific steps are as follows: Step 3.1, setting preliminary model parameters: the preliminary parameters comprise the clustering parameters of the fuzzy C-means algorithm, namely the clustering number and the fuzzy index, and the structural parameters of the neural network; common empirical values are used, or the parameters are chosen by simple heuristics: the fuzzy index is set between 1.5 and 2.5, and the clustering number is set preliminarily according to the characteristics of the data, a reasonable value being selected through cross-validation; Step 3.2, dynamically adjusting the key model parameters, the clustering number and the fuzzy index, with the adaptive optimization algorithm SSOA: the goal of the adaptive optimization algorithm is to minimize the loss function of the model and find the best configuration by automatically adjusting the different hyper-parameters; SSOA searches for the best solution by simulating the behavior of a population of particles in nature, and the particle update rules are expressed by two formulas in which the velocity of a particle in a given generation and its position in that generation are updated from the particle's own optimal position, the global optimal position, two acceleration constants, and two random values in the range [0, 1]; by iterative optimization SSOA adjusts the model parameters so as to minimize the loss function, obtaining the optimal model configuration; Step 3.3, fitness function and parameter adjustment: in the self-adaptive optimization process a fitness function must be defined to evaluate the performance of the model; the fitness function is related to the prediction accuracy, the loss value and the F1 score of the model and is expressed in terms of the loss function, the predicted value of the model and the true label; the optimization algorithm minimizes the loss by adjusting the model parameters, so that the fitness improves; monitoring the fitness allows the parameters of the particle swarm algorithm to be adjusted dynamically: if the optimization process fails to converge in the initial stage, the exploration capacity is enhanced by increasing the inertia weight or adjusting the acceleration constants, and in the later stage the inertia weight is reduced to accelerate convergence; Step 3.4, outputting the parameter optimization result: the optimal model parameters are finally obtained through self-adaptive optimization, at which point the optimized clustering number, fuzzy index, number of neural network layers, number of neurons per layer and decision threshold are adapted to the requirements of the specific data set and task, and the optimization result provides the best parameter configuration for subsequent model training and prediction.
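The Step 3.2 particle update rules with the Step 3.3 inertia schedule, applied to the two FCM hyper-parameters c and m, as an added example that is not the patent's own code. The loss surface is a constructed stand-in for the trained model's loss, the fitness form 1/(1 + loss) and the cluster-count range are assumptions; the page gives the m range (1.5 to 2.5) but none of these.

```python
# Added example, not the patent's own code: the SSOA particle updates of Step 3.2
# with the Step 3.3 inertia schedule, searching over (c, m).
# ASSUMED: the loss surface (constructed), the fitness form, and the range of c.
import numpy as np

BOUNDS_LO = np.array([2.0, 1.5])   # (c, m); m range from Step 3.1, c range assumed
BOUNDS_HI = np.array([8.0, 2.5])

def surrogate_loss(c, m):
    """CONSTRUCTED stand-in for the model loss: minimum at c = 4, m = 2.0.
    c is rounded because the cluster count is an integer."""
    return (round(c) - 4) ** 2 + 5.0 * (m - 2.0) ** 2

def fitness(loss):
    """Step 3.3: fitness rises as the loss falls (ASSUMED form 1 / (1 + loss))."""
    return 1.0 / (1.0 + loss)

def ssoa_optimise(loss_fn=surrogate_loss, n_particles=12, iters=40,
                  c1=1.5, c2=1.5, w_start=0.9, w_end=0.4, seed=0):
    """Particle update from Step 3.2:
        v_i <- w * v_i + c1 * r1 * (pbest_i - x_i) + c2 * r2 * (gbest - x_i)
        x_i <- x_i + v_i
    with the Step 3.3 schedule: large inertia early (exploration), smaller later
    (faster convergence). Returns the best (c, m) found and its fitness."""
    rng = np.random.default_rng(seed)
    x = rng.uniform(BOUNDS_LO, BOUNDS_HI, size=(n_particles, 2))
    v = np.zeros_like(x)
    pbest = x.copy()
    pbest_fit = np.array([fitness(loss_fn(*p)) for p in x])
    g_idx = int(pbest_fit.argmax())
    gbest, gbest_fit = pbest[g_idx].copy(), float(pbest_fit[g_idx])
    for t in range(iters):
        w = w_start - (w_start - w_end) * t / max(iters - 1, 1)   # decaying inertia
        r1 = rng.random((n_particles, 2))
        r2 = rng.random((n_particles, 2))
        v = w * v + c1 * r1 * (pbest - x) + c2 * r2 * (gbest - x)
        x = np.clip(x + v, BOUNDS_LO, BOUNDS_HI)       # stay inside the search space
        fit = np.array([fitness(loss_fn(*p)) for p in x])
        better = fit > pbest_fit
        pbest[better], pbest_fit[better] = x[better], fit[better]
        if pbest_fit.max() > gbest_fit:
            g_idx = int(pbest_fit.argmax())
            gbest, gbest_fit = pbest[g_idx].copy(), float(pbest_fit[g_idx])
    return {"c": int(round(gbest[0])), "m": float(gbest[1]), "fitness": gbest_fit}

if __name__ == "__main__":
    print(ssoa_optimise())
```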
- 5. The threat behavior detection method based on a fuzzy enhancement polynomial neural network according to claim 1, wherein the model evaluation and verification of Step 5 is performed as follows: after training is completed, comprehensive performance evaluation is performed on the model, various evaluation indexes including accuracy, confusion matrix and classification report are calculated, the performance of the model in threat behavior detection is verified through these indexes, the result is compared with existing methods, and finally the trained model is saved and verified in practical application; the specific steps are: Step 5.1, evaluating the generated rules: during model evaluation the accuracy of the model is evaluated and the effect of the generated clustering rules is checked, each rule corresponding to a behavior pattern; the formula for the generated rules is as follows: one rule is generated for each cluster, the accuracy and reliability of the rules are verified on the test set, whether a generated rule is reasonable is judged by the following conditions, and if a generated rule does not meet expectations the system is corrected and the rule ranges are slightly adjusted to obtain more diversified and accurate rules; Step 5.2, calculating the model evaluation indexes: after training the model is evaluated on the test set, the evaluation indexes comprising accuracy, confusion matrix, precision, recall and F1 score, where the accuracy formula is expressed in terms of TP (true positive), TN (true negative), FP (false positive) and FN (false negative); in addition the F1 score is used to consider precision and recall jointly, and precision and recall are each calculated by their own formulas; Step 5.3, comparing the performance of the model with other existing threat detection methods.
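Rule generation from the fuzzy clusters (Step 4.2 of claim 1) and the rule evaluation and metric calculation of Steps 5.1 and 5.2, as one added example that is not the patent's own code. Assumptions: hard cluster ids are the argmax of the FCM membership matrix, a cluster's target is its majority label, and a flow matched by no rule is treated as normal (0); the training and test flows are constructed.

```python
# Added example, not the patent's own code: Step 4.2 rule generation and the
# Step 5.1/5.2 evaluation of those rules on a test set.
# ASSUMED: hard cluster ids from argmax membership, majority-label targets,
# and 'normal' (0) as the fallback when no rule fires.
import numpy as np

def generate_rules(X, cluster_ids, labels):
    """Step 4.2: one condition-result rule per cluster.
    Condition: each feature lies within the [min, max] seen in the cluster.
    Result: the cluster's majority label (1 = potential attack, 0 = normal)."""
    X, cluster_ids, labels = (np.asarray(a) for a in (X, cluster_ids, labels))
    rules = []
    for k in sorted(set(cluster_ids.tolist())):
        members = cluster_ids == k
        lo, hi = X[members].min(axis=0), X[members].max(axis=0)
        target = int(labels[members].mean() > 0.5)        # ties count as normal
        rules.append({"cluster": int(k), "target": target,
                      "ranges": list(zip(lo.tolist(), hi.tolist()))})
    return rules

def apply_rules(rules, x, default=0):
    """Fire the first rule whose feature ranges all contain x."""
    for rule in rules:
        if all(lo <= v <= hi for v, (lo, hi) in zip(x, rule["ranges"])):
            return rule["target"]
    return default

def confusion_matrix(y_true, y_pred):
    """Step 5.2 counts: TP, TN, FP, FN for the attack class (1)."""
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 1)
    tn = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 0)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 1)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 0)
    return tp, tn, fp, fn

def classification_metrics(tp, tn, fp, fn):
    """Step 5.2 formulas; an empty denominator yields 0.0 instead of an exception."""
    accuracy = (tp + tn) / (tp + tn + fp + fn)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"accuracy": accuracy, "precision": precision, "recall": recall, "f1": f1}

# Constructed training flows: features (duration in s, dpkts), hard cluster id, label.
TRAIN_X = [[1.0, 3], [2.0, 5], [1.5, 4], [0.1, 200], [0.2, 350], [0.15, 280], [0.3, 220]]
TRAIN_CLUSTER = [0, 0, 0, 1, 1, 1, 1]
TRAIN_Y = [0, 0, 0, 1, 1, 1, 0]        # one normal flow landed in the attack cluster
# Constructed test flows; the last is an attack outside every learned range.
TEST_X = [[1.2, 4], [0.2, 300], [0.25, 210], [5.0, 2], [0.12, 400]]
TEST_Y = [0, 1, 1, 0, 1]

def evaluate_rules():
    """Step 5.1: build rules on the training clusters, score them on the test set."""
    rules = generate_rules(TRAIN_X, TRAIN_CLUSTER, TRAIN_Y)
    y_pred = [apply_rules(rules, x) for x in TEST_X]
    tp, tn, fp, fn = confusion_matrix(TEST_Y, y_pred)
    return rules, y_pred, classification_metrics(tp, tn, fp, fn)

if __name__ == "__main__":
    for item in evaluate_rules():
        print(item)
```

The missed attack in the last test flow is exactly the case Step 5.1 describes: a rule range that does not meet expectations and needs adjusting.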
Description
Threat behavior detection method based on fuzzy enhancement polynomial neural network
Technical Field
The invention relates to the field of network security, in particular to a threat behavior detection method using a fuzzy enhancement polynomial neural network.
Background
Network security and threat detection are two real concerns that existing network traffic analysis studies commonly overlook, and few studies explore in depth the diverse threat behaviors found in complex network traffic. However, improving the accuracy and efficiency of threat behavior detection on the basis of classical machine learning algorithms and deep learning models, such as classical clustering algorithms and neural network techniques, has received a great deal of attention. In addition, fuzzy clustering technology has been successfully applied in pattern recognition and anomaly detection, which lays a foundation for threat detection in network traffic. More importantly, the thinking process of a neural network is often a "black box" that is difficult to interpret, whereas generating fuzzy rules makes the thinking process of the neural network visible and increases the transparency and interpretability of the system. In summary, it is urgent to design a new method for threat behavior detection in a complex network environment; constructing the threat detection model with a fuzzy enhancement polynomial neural network and making the neural network's thinking process visible through generated fuzzy rules is a feasible solution.
Disclosure of Invention
The invention provides a threat behavior detection method using a fuzzy enhancement polynomial neural network, which aims to overcome the shortcomings of existing threat behavior detection methods in coping with complex attack patterns and improving detection transparency by introducing the fuzzy enhancement polynomial neural network. The technical scheme adopted by the invention is as follows: a threat behavior detection method based on a fuzzy enhancement polynomial neural network comprises the following steps: Step 1, data preprocessing and feature extraction: preprocessing the training data and the test data, wherein the preprocessing comprises data reading, data format conversion, feature extraction and label coding, so as to ensure the consistency of the data and provide correct input for subsequent model training; Step 2, fuzzy clustering and similarity calculation: fuzzy clustering is carried out on the data with the fuzzy C-means (FCM) clustering algorithm so that the data are divided into a plurality of fuzzy categories; in this process a cosine similarity method is typically used to obtain a similarity matrix expressing the similarity between data points, and then, based on the calculated similarity matrix, the connection strength between nodes is adjusted by a dynamic weighting method, so that clustering accuracy and robustness are further improved and nodes with higher similarity are more strongly connected; Step 3, self-adaptive optimization and model configuration: important fuzzy clustering parameters (such as the cluster number c and the fuzzy index m) are dynamically adjusted by an adaptive optimization algorithm (SSOA) so as to optimize the structural parameters of the neural network (such as the number of network layers and the number of neurons per layer). The optimization algorithm can automatically select the most suitable parameters according to the characteristics of the network traffic, improving the adaptability and accuracy of the model, and dynamically adjusts the parameters by monitoring the fitness during training, so that the model adjusts itself to different data characteristics and the training effect is maximized; Step 4, feature expansion and neural network training: based on the features obtained by the fuzzy clustering algorithm and polynomial feature expansion, a feature set with higher expressive capacity is constructed and passed into the neural network as input for training; with the adaptive entropy activation function the network can select an appropriate activation function (such as ReLU or Sigmoid) according to the complexity of the input data, so that the learning capacity of the model is improved and complex threat patterns are handled better; Step 5, model evaluation and verification: after training, comprehensive performance evaluation is performed on the model and various evaluation indexes, including accuracy, confusion matrix and classification report, are calculated; through these indexes the performance of the model in threat behavior detection is verified and the result is compared with existing methods, so that the advantages of