
CN-121396684-B - Network intrusion detection method, device, computer equipment and storage medium


Abstract

The invention belongs to the field of information security and relates to a network intrusion detection method, device, computer equipment and storage medium. The method comprises the steps of collecting historical traffic data and performing structured preprocessing on it; generating new synthesized minority-class samples through active boundary oversampling, based on the difference between normal traffic (the majority class) and attack traffic (the minority class); building a branch convolutional neural network model in which independent branch networks are designed for different protocol layers to distinguish normal traffic from various kinds of abnormal traffic; performing supervised training on the branch convolutional neural network model and optimizing its parameters; deploying the trained and optimized model to a production environment for real-time traffic intrusion detection; and continuously collecting the model's prediction feedback and new network threat samples from the real environment. The method can actively optimize the class boundary, offers strong controllability and safety, and performs intelligent identification of protocol-layer characteristics.

Inventors

  • QI JIANHUAI
  • ZHANG LI
  • HU JINHUA
  • SONG JING
  • XU GUOQIAN

Assignees

  • 深圳市永达电子信息股份有限公司

Dates

Publication Date
2026-05-12
Application Date
2025-12-25

Claims (10)

  1. A method for network intrusion detection, comprising the steps of: collecting historical traffic data, and carrying out structured preprocessing on the historical traffic data; according to the preprocessed historical traffic data, generating new synthesized minority-class samples through active boundary oversampling based on the difference between the normal traffic, namely the majority class, and the attack traffic, namely the minority class; constructing a branch convolutional neural network model, designing independent branch networks for different protocol layers, and realizing the joint identification of complex patterns crossing the protocol layers by a fusion and classification mechanism, so as to distinguish normal traffic from various abnormal traffic; performing supervised training on the constructed branch convolutional neural network model using the balanced training data, optimizing the model parameters, evaluating on a test set in which the original distribution is maintained, and performing iterative optimization on the model according to the result; deploying the trained and optimized branch convolutional neural network model to a production environment and performing real-time traffic intrusion detection; and continuously collecting prediction feedback and new network threat samples of the branch convolutional neural network model in a real environment, and updating and optimizing the branch convolutional neural network model using this information.
  2. The network intrusion detection method according to claim 1, wherein the step of collecting historical traffic data and performing structured preprocessing on the historical traffic data specifically comprises: collecting the historical traffic data; carrying out protocol analysis on the historical traffic data to construct a multi-protocol-layer feature matrix; and carrying out data set division and preprocessing according to the multi-protocol-layer feature matrix.
  3. The network intrusion detection method according to claim 1, wherein the step of generating new synthesized minority-class samples by active boundary oversampling based on the difference between the normal traffic, i.e. the majority class, and the attack traffic, i.e. the minority class, according to the preprocessed historical traffic data specifically comprises: carrying out boundary minority sample identification according to the preprocessed historical traffic data; generating safe-direction synthesized samples according to the identified boundary minority samples; and carrying out quality verification and screening on the synthesized samples.
  4. The network intrusion detection method according to claim 1, wherein the step of constructing a branch convolutional neural network model, designing independent branch networks for different protocol layers, realizing joint identification of complex patterns across protocol layers by a fusion and classification mechanism, and distinguishing normal traffic from various abnormal traffic comprises the following steps: carrying out multi-protocol-layer input splitting and branch design; performing cross-branch feature fusion; and, after the fusion layer, connecting the classification head to construct an output layer.
  5. The network intrusion detection method according to claim 1, wherein the step of performing supervised training on the constructed branch convolutional neural network model using the balanced training data, optimizing the model parameters, evaluating on a test set that maintains the original distribution, and performing iterative optimization on the model according to the result specifically comprises: carrying out loss function design and model compilation; adopting training strategies to monitor the training process; and performing multidimensional performance evaluation and model tuning.
  6. The network intrusion detection method according to claim 1, wherein the step of deploying the trained and optimized branch convolutional neural network model to a production environment to perform real-time traffic intrusion detection specifically comprises: deploying the trained and optimized branch convolutional neural network model to a production environment, and capturing network traffic data in real time; loading the trained branch convolutional neural network model into memory, constructing an inference pipeline, and predicting on the feature matrix generated in real time; and converting the detection result of the branch convolutional neural network model into alarm information, and executing response actions according to a predefined security policy.
  7. The network intrusion detection method according to any one of claims 1 to 6, wherein the step of continuously collecting the prediction feedback of the branch convolutional neural network model in the real environment and the new network threat samples, and updating and optimizing the branch convolutional neural network model using this information, specifically comprises: continuously collecting feedback data of the branch convolutional neural network model in the real environment, and performing sample library management; monitoring the performance of the branch convolutional neural network model based on the three-dimensional evaluation system; and performing incremental updating and safe deployment of the branch convolutional neural network model.
  8. A network intrusion detection device, comprising: a preprocessing module for collecting historical traffic data and carrying out structured preprocessing on the historical traffic data; a generation module for generating new synthesized minority-class samples through active boundary oversampling based on the difference between the normal traffic, namely the majority class, and the attack traffic, namely the minority class, according to the preprocessed historical traffic data; an identification module for constructing a branch convolutional neural network model, designing independent branch networks for different protocol layers, and realizing the joint identification of complex patterns crossing the protocol layers by a fusion and classification mechanism to distinguish normal traffic from various abnormal traffic; an optimizing module for performing supervised training on the constructed branch convolutional neural network model using the balanced training data, optimizing the model parameters, evaluating on a test set in which the original distribution is maintained, and performing iterative optimization on the model according to the result; a detection module for deploying the trained and optimized branch convolutional neural network model to a production environment and carrying out real-time traffic intrusion detection; and an updating module for continuously collecting the prediction feedback of the branch convolutional neural network model in the real environment and the new network threat samples, and updating and optimizing the branch convolutional neural network model using this information.
  9. A computer device comprising a memory and a processor, the memory having stored therein computer-readable instructions which, when executed by the processor, implement the steps of the network intrusion detection method according to any one of claims 1 to 7.
  10. A computer-readable storage medium having stored thereon computer-readable instructions which, when executed by a processor, implement the steps of the network intrusion detection method according to any one of claims 1 to 7.

Description

Network intrusion detection method, device, computer equipment and storage medium

Technical Field

The present invention relates to the field of information security technologies, and in particular to a network intrusion detection method, a network intrusion detection device, a computer device, and a storage medium.

Background

Although convolutional neural networks perform well in intrusion detection, challenges remain. Class imbalance is a key factor that is prevalent in network intrusion detection and severely impacts detection performance. In an actual network environment, normal traffic typically makes up the bulk of network traffic (the majority class), while abnormal traffic and attack behaviour (the minority class) are relatively rare. This unbalanced distribution can lead to detection models that pay excessive attention to the majority class while ignoring the minority-class attack behaviour that is critical to network security.

Disclosure of Invention

In order to solve the above technical problems, the invention provides a network intrusion detection method, which adopts the following technical scheme. The method comprises the following steps: collecting historical traffic data, and carrying out structured preprocessing on the historical traffic data; according to the preprocessed historical traffic data, generating new synthesized minority-class samples through active boundary oversampling based on the difference between the normal traffic, namely the majority class, and the attack traffic, namely the minority class; constructing a branch convolutional neural network model, designing independent branch networks for different protocol layers, and realizing the joint identification of complex patterns crossing the protocol layers by a fusion and classification mechanism to distinguish normal traffic from various abnormal traffic; performing supervised training on the constructed branch convolutional neural network model using the balanced training data, optimizing the model parameters, evaluating on a test set in which the original distribution is maintained, and performing iterative optimization on the model according to the result; deploying the trained and optimized branch convolutional neural network model to a production environment and performing real-time traffic intrusion detection; and continuously collecting prediction feedback and new network threat samples of the branch convolutional neural network model in a real environment, and updating and optimizing the branch convolutional neural network model using this information.

Preferably, the step of collecting historical traffic data and performing structured preprocessing on the historical traffic data specifically includes: collecting the historical traffic data; carrying out protocol analysis on the historical traffic data to construct a multi-protocol-layer feature matrix; and carrying out data set division and preprocessing according to the multi-protocol-layer feature matrix.

Preferably, the step of generating new synthesized minority-class samples by active boundary oversampling based on the class gap between the normal traffic, i.e. the majority class, and the attack traffic, i.e. the minority class, according to the preprocessed historical traffic data specifically includes: carrying out boundary minority sample identification according to the preprocessed historical traffic data; generating safe-direction synthesized samples according to the identified boundary minority samples; and carrying out quality verification and screening on the synthesized samples.

Preferably, the step of constructing a branch convolutional neural network model, designing independent branch networks for different protocol layers, and realizing the joint identification of complex patterns across protocol layers by a fusion and classification mechanism, wherein normal traffic is distinguished from various abnormal traffic, specifically comprises the following steps: carrying out multi-protocol-layer input splitting and branch design; performing cross-branch feature fusion; and, after the fusion layer, connecting the classification head to construct an output layer.

Preferably, the step of performing supervised training on the constructed branch convolutional neural network model using the balanced training data, optimizing the model parameters, evaluating on a test set in which the original distribution is maintained, and performing iterative optimization on the model according to the result specifically includes: carrying out loss function design and model compilation; adopting training strategies to monitor the training process; and performing multidimensional performance evaluation and model tuning.

Preferably, the step of deploying the trained and optimized branch convolutional neural network model to a production environment to perform real-time traffic intrusion detection specifically includes: deploying the trained and optimized branch convolutional neural network model to a produc