Search

CN-121984749-A - Intrusion detection method based on visual self-attention mechanism

CN121984749ACN 121984749 ACN121984749 ACN 121984749ACN-121984749-A

Abstract

The invention discloses an intrusion detection method based on a visual self-attention mechanism, which belongs to the technical field of intrusion detection and comprises the specific procedures of preprocessing intrusion detection data to obtain key features of intrusion detection, carrying out data conversion on the key features to obtain RGB image data, introducing a multi-scale feature fusion network into an encoder of the visual self-attention mechanism, and carrying out multi-scale space-time feature capturing and flow image label distribution on the RGB image data. The method has the advantages of eliminating redundant features and identifying key features by introducing correlation coefficients and characteristic correlation thresholds in the data preprocessing process, and simultaneously, realizing accurate identification of complex and difficult-to-classify attacks in the data set by introducing a multi-scale feature fusion network in an encoder of a visual self-attention mechanism, along with generalization capability and strong universality.

Inventors

  • XIAO YEQIU
  • WANG PEIHUA
  • WANG YICHUAN
  • LIU XIAOXUE
  • LIU YU
  • CAI XINHUA

Assignees

  • 西安理工大学

Dates

Publication Date
20260505
Application Date
20260130

Claims (9)

  1. 1. An intrusion detection method based on a visual self-attention mechanism, comprising: acquiring network flow data and performing data preprocessing to obtain key characteristics of intrusion detection; Performing data conversion on the key features to obtain RGB image data; performing label distribution of flow images on the RGB image data to obtain an RGB flow image data set with attack type labels; Introducing a multi-scale feature fusion network into an encoder of a visual self-attention mechanism, extracting multi-scale space-time features from RGB flow images with attack class labels, and obtaining discrimination features capable of representing network flow attack behaviors from the multi-scale space-time features by using the visual self-attention mechanism; based on the corresponding relation between the distinguishing characteristics and the attack class labels of the RGB flow image data, outputting an attack detection result of the corresponding image, and realizing the identification of the attack behavior in the network flow.
  2. 2. The intrusion detection method based on a visual self-attention mechanism as set forth in claim 1, wherein the step of obtaining network traffic data for data preprocessing to obtain key features of intrusion detection comprises: calculating correlation coefficients rho among all features of a network flow data set, introducing a correlation threshold alpha among the features, and screening to obtain candidate features with redundant features removed; and calculating mutual information between the candidate features and the multiple types of labels, introducing a mutual information threshold beta, and screening to obtain key features of eliminating irrelevant features.
  3. 3. The intrusion detection method based on a visual self-attention mechanism of claim 1, wherein the data conversion of the key features to obtain RGB image data specifically comprises: The key features are converted into 24-bit RGB color space by adopting a linear mapping mode; Constructing a two-dimensional network, wherein each column of the two-dimensional network represents a key feature, and each row represents flow data changing with time; and mapping the 24-bit RGB color space to the pixel points of the two-dimensional grid to obtain RGB image data of the network flow data.
  4. 4. The intrusion detection method based on a visual self-attention mechanism as recited in claim 3, wherein the specific process of performing traffic image label distribution on the RGB image data to obtain the RGB traffic image dataset with the attack class label comprises: Acquiring RGB image data, grouping continuous network traffic samples in the RGB image data by setting a sliding window, and constructing network traffic sample mapping in the sliding window into an RGB traffic image with a fixed size, wherein each network traffic sample in the RGB traffic image carries an original attack type label; the method comprises the steps of obtaining original attack type labels of all network traffic samples in a sliding window, distributing labels of corresponding RGB traffic images according to attack composition conditions of the network traffic samples in the window, and generating an RGB traffic image data set with attack type labels.
  5. 5. The intrusion detection method based on a visual self-attention mechanism according to claim 4, wherein the specific rule for performing label distribution on the corresponding RGB traffic image according to the attack composition condition of the network traffic sample in the window is as follows: When all network traffic samples in the window are normal traffic, marking the RGB traffic image as a normal class; when at least one attack traffic sample is contained in the window, marking the RGB traffic image as a corresponding attack category; and when a plurality of attack traffic samples are simultaneously contained in the window, a plurality of attack category labels are distributed to the RGB traffic image.
  6. 6. The intrusion detection method based on a visual self-attention mechanism of claim 1 wherein the multi-scale feature fusion network comprises three parallel feature extraction paths A, B, C and a fusion module, wherein, Path a is a local and line feature extraction path that uses two continuous convolution layers to generate a 64-channel feature map of RGB image data; Path B is a mesoscale global context extraction path for feature refinement of the generated RGB image data using a 3 x 3 convolution kernel; The path C is a lightweight multi-scale branch path, realizes characteristic projection by matching 1X 1 convolution with batch normalization and ReLU activation, and adopts 3X 3 cavity convolution to enlarge receptive field to generate a 64-channel characteristic map with spatial context characteristics; And the fusion module is used for carrying out path splicing on 64 channel characteristics of the path A, the path B and the path C, carrying out characteristic reconstruction and channel compression through twice 1 multiplied by 1 convolution, and generating multi-scale space-time characteristics.
  7. 7. An intrusion detection system based on a visual self-attention mechanism, comprising: The processing module is used for preprocessing the acquired network flow data set to obtain key characteristics of intrusion detection; The conversion module is used for carrying out data conversion on the key features to obtain RGB image data; The label distribution module is used for carrying out label distribution of the flow image on the RGB image data to obtain an RGB flow image data set with attack type labels; The feature extraction module is used for introducing a multi-scale feature fusion network into an encoder of the visual self-attention mechanism, extracting multi-scale space-time features of RGB flow images with attack class labels, and obtaining discrimination features capable of representing network flow attack behaviors from the multi-scale space-time features by using the visual self-attention mechanism; and the output module is used for outputting an attack detection result of the corresponding image based on the corresponding relation between the discrimination characteristics and the attack class labels of the RGB flow image data.
  8. 8. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of a visual self-attention mechanism based intrusion detection method.
  9. 9. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of a visual self-attention mechanism based intrusion detection method.

Description

Intrusion detection method based on visual self-attention mechanism Technical Field The invention relates to the technical field of intrusion detection, in particular to an intrusion detection method based on a visual self-attention mechanism. Background As network attack technology continues to evolve, ensuring robust network security has become a fundamental requirement for network defense. Intrusion detection systems have been widely deployed in the fields of military communications, power grids, cloud infrastructure, and the like, by virtue of their ability to identify and respond to unauthorized activities. However, as network threats become increasingly complex and diversified, conventional intrusion detection systems are always facing challenges that persist, such as high false alarm rates, and inadequate adaptability to new attacks. Therefore, improving the detection capability and reliability of the intrusion detection system has become a key problem to be solved in modern network security protection. From a detection method perspective, intrusion detection systems can generally be divided into two categories, anomaly-based detection and feature-based detection. The former can identify abnormal modes by modeling normal system behaviors so as to discover the previously unknown attacks, but the problem of higher false alarm rate often exists, and the latter relies on predefined attack characteristics, and can realize lower false alarm rate but can not effectively detect new or evolving threats. In recent years, deep learning methods have shown significant potential in the field of intrusion detection, as they can automatically extract discriminative features and model nonlinear correlations in large-scale network data. To address these challenges, more and more research is beginning to explore the transformation of network traffic into image representations, thereby exploiting the spatial and structural laws inherent in traffic data with visual models. By this representation, a visual self-attention mechanism is introduced as a focus technique for capturing complex dependencies between traffic, and thanks to its global self-attention mechanism, the visual self-attention mechanism can effectively model remote correlations that are often ignored by traditional convolutional networks, thereby enhancing the interpretability and adaptability of intrusion detection. However, current intrusion detection methods based on visual self-attention mechanisms are still limited by problems of redundancy and noise characteristics, adaptation to flow diversity, sensitivity to class imbalance, and the like, and have unstable detection effects on potential threats. Therefore, it is needed to propose a novel intrusion detection framework and method for effectively improving the detection accuracy and robustness of hidden intrusion in a complex network environment. Disclosure of Invention Aiming at the problems, the application aims to provide an intrusion detection method based on a visual self-attention mechanism, which is characterized in that a correlation coefficient and a characteristic correlation threshold value are introduced in the data preprocessing process to perform feature selection so as to eliminate redundant features and identify key features, and meanwhile, a multi-scale feature fusion network is introduced in an encoder of the visual self-attention mechanism to realize accurate identification of complex and difficult-to-classify attacks in data set, so that the intrusion detection system has the advantages of generalization capability and strong universality, and the intrusion detection system can effectively bridge the modal difference between original network data and a visual model to provide structured high-quality input for the visual self-attention mechanism, thereby fully releasing the potential of the visual self-attention mechanism in intrusion detection and improving the detection accuracy of complex intrusions and potential threats. In order to achieve the above purpose, the technical scheme adopted by the invention is as follows: In a first aspect, an embodiment of the present application provides an intrusion detection method based on a visual self-attention mechanism, including: acquiring network flow data and performing data preprocessing to obtain key characteristics of intrusion detection; Performing data conversion on the key features to obtain RGB image data; performing label distribution of flow images on the RGB image data to obtain an RGB flow image data set with attack type labels; Introducing a multi-scale feature fusion network into an encoder of a visual self-attention mechanism, extracting multi-scale space-time features from RGB flow images with attack class labels, and obtaining discrimination features capable of representing network flow attack behaviors from the multi-scale space-time features by using the visual self-attention mechanism; based on the corresponding relati