
CN-122027200-A - Double-layer anomaly detection method for multi-threat attack


Abstract

The invention relates to the technical field of network security, in particular to a multi-threat attack-oriented double-layer anomaly detection method comprising the following steps: dividing the original binary network traffic into traffic character units of N bytes with a sliding window; encoding the traffic characters into 256-dimensional vectors with a Payload2Vec model; inputting the vectors into a double-layer BiLSTM network; aggregating the locally trained LSTM autoencoder parameters with the FedAvg algorithm; smoothing the training data with the Grubbs criterion; setting a detection threshold θ from the distribution of the LSTM autoencoder's reconstruction errors; and judging new data to be anomalous when its reconstruction error exceeds θ, which yields the abnormal-traffic decision result. The method addresses the shortcomings of traditional rule matching and machine learning approaches, which cannot promptly detect and block highly concealed malicious traffic attacks, cannot fully extract the features of highly concealed traffic, and suffer from unidirectional LSTM long-term memory decay, data silos, and the difficulty of setting an accurate anomaly detection threshold.

Inventors

  • Request for anonymity

Assignees

  • 上海飞旗网络技术股份有限公司

Dates

Publication Date
20260512
Application Date
20251229

Claims (9)

  1. A multi-threat attack-oriented double-layer anomaly detection method, characterized by comprising the following steps: dividing the original binary network traffic into traffic character units of N bytes with a sliding window, and obtaining a traffic character string sequence while retaining features by keeping the step length S smaller than the window size N; encoding the traffic characters into 256-dimensional vectors with a Payload2Vec model, capturing the relevance among characters through unsupervised training, and measuring similarity by cosine distance after dimensionality reduction to obtain a traffic character vector library; inputting the vectors into a double-layer BiLSTM network and learning context dependencies through forward and backward propagation, which overcomes the long-term memory decay of a unidirectional LSTM and yields a vector sequence integrating contextual features; computing attention weights among characters with a multi-head self-attention mechanism, extracting the correlated feature subset, and reducing computational complexity through parallel operation to obtain a weighted feature attention matrix; aggregating the locally trained LSTM autoencoder parameters with the FedAvg algorithm and iteratively updating a global model through a cloud server, which overcomes data silos and yields a federated anomaly detection cloud model; and smoothing the training data with the Grubbs criterion, setting a detection threshold θ from the distribution of the LSTM autoencoder's reconstruction errors, and judging data anomalous when the reconstruction error of new data exceeds θ, to obtain the abnormal-traffic decision result.
  2. The multi-threat attack-oriented double-layer anomaly detection method according to claim 1, wherein dividing the original binary network traffic into traffic character units of N bytes with a sliding window, and obtaining a traffic character string sequence while retaining features by keeping the step length S smaller than the window size N, comprises the following steps: processing the original binary network traffic with a sliding window whose size is set to N bytes, sliding the window over the binary data byte by byte and intercepting its content while keeping the sliding step S smaller than the window size N; ensuring thereby that adjacent windows overlap, so that the implicit features of the original traffic are retained; and taking the N bytes intercepted by each window as one traffic character unit, and concatenating the consecutive character units in order to obtain the traffic character string sequence.
  3. The multi-threat attack-oriented double-layer anomaly detection method according to claim 1, wherein encoding the traffic characters into 256-dimensional vectors with a Payload2Vec model, capturing the relevance among characters through unsupervised training, and measuring similarity by cosine distance after dimensionality reduction to obtain a traffic character vector library, comprises the following steps: vectorizing the traffic characters with a Payload2Vec model, initializing each character as a one-hot encoding, and updating the model weights by predicting each character's context through unsupervised training; automatically extracting the implicit association features among characters, and compressing the original high-dimensional one-hot encoding into 256-dimensional continuous vectors; and reducing the dimensionality of the vectors and quantifying their semantic similarity by computing the cosine distance between every pair of vectors, to obtain a traffic character vector library carrying the character association information.
  4. The multi-threat attack-oriented double-layer anomaly detection method according to claim 1, wherein inputting the vectors into a double-layer BiLSTM network and learning context dependencies through forward and backward propagation, which overcomes the long-term memory decay of a unidirectional LSTM and yields a vector sequence integrating contextual features, comprises the following steps: processing the traffic character vectors with a double-layer BiLSTM network, into which the vectors are input and which extracts their features in the forward and the reverse direction respectively; learning context dependencies through the forward and backward propagation of the BiLSTM to obtain an enhanced vector sequence that accounts for both long-term dependencies and local features; and introducing a multi-head self-attention mechanism that extracts the more strongly correlated features by computing the similarity between any two characters in a sequence, which reduces the effect of distance on feature extraction, the multi-head mechanism enabling the classification model to learn behaviours and features and so obtain a more representative feature representation.
  5. The multi-threat attack-oriented double-layer anomaly detection method according to claim 1, wherein computing attention weights among characters with a multi-head self-attention mechanism, extracting the correlated feature subset, and reducing computational complexity through parallel operation to obtain a weighted feature attention matrix comprises the following steps: starting the model training process under a federated learning paradigm, in which each participant downloads the latest model from the server, trains it on local data, and on completion uploads the encrypted gradients to the server; the server aggregating the uploaded gradients with the FedAvg algorithm, updating the model parameters, and returning the updated model to the participants; iterating this loop until the model converges, while the multi-head self-attention mechanism within the model computes the attention weights among characters and extracts the correlated feature subset; and reducing complexity through parallel operation and integrating the processing results to obtain the weighted feature attention matrix.
  6. The multi-threat attack-oriented double-layer anomaly detection method according to claim 1, wherein aggregating the locally trained LSTM autoencoder parameters with the FedAvg algorithm and iteratively updating a global model through a cloud server, which overcomes data silos and yields a federated anomaly detection cloud model, comprises the following steps: performing abnormal-traffic detection with an LSTM autoencoder by collecting normal traffic data, computing the reconstruction error of the feature vectors input to the LSTM autoencoder, determining the reconstruction error distribution, and setting a detection threshold θ; during training, comparing the reconstruction error of new input data with the threshold θ and judging the traffic abnormal when the reconstruction error exceeds θ, whereby highly concealed abnormal traffic can be identified; and uploading the locally trained LSTM autoencoder parameters to a cloud server for aggregation with the FedAvg algorithm, the cloud server iteratively updating the global model to obtain the federated anomaly detection cloud model.
  7. The multi-threat attack-oriented double-layer anomaly detection method according to claim 1, wherein smoothing the training data with the Grubbs criterion, setting a detection threshold θ from the distribution of the LSTM autoencoder's reconstruction errors, and judging data anomalous when the reconstruction error of new data exceeds θ to obtain the abnormal-traffic decision result comprises the following steps: adopting a fine-tuning strategy in which FedPAD freezes the parameters of the lower-layer LSTM autoencoder and Dropout layers and adjusts the parameters of the fully connected and linear layers to fit the local data distribution; smoothing the training data with the Grubbs criterion, computing the reconstruction error distribution with the LSTM autoencoder, and setting the detection threshold θ according to that distribution; and continuously evaluating the model's performance, adjusting the model structure and parameters according to the actual detection results to ensure the model's stability and accuracy, and judging new data anomalous when its reconstruction error exceeds θ, to obtain the abnormal-traffic decision result.
  8. The multi-threat attack-oriented double-layer anomaly detection method according to claim 4, wherein the training dataset of the classification model is represented as: wherein D denotes the training data, X is a network traffic byte sequence after data preprocessing, and G is the label of data X.
  9. The multi-threat attack-oriented double-layer anomaly detection method according to claim 7, wherein FedPAD uses a federated learning paradigm for distributed encrypted model training and sharing, and uses an LSTM-based time-series prediction neural network as the cloud model and the institution model in the FedPAD process, the learning objectives of the cloud model and the institution model being expressed respectively as: , , wherein and denote all parameters to be learned (i.e. weights and biases), denotes the loss function, denotes the institution index, and denote an instance of time-series data from the global data and from an institution respectively, and and are the sizes of the data sets.
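The threshold-setting and aggregation steps of claims 5 to 7, as an added example that is not part of the patent: a Grubbs-criterion screen of the reconstruction errors, a threshold θ derived from the smoothed distribution, the comparison of new errors against θ, and a sample-size-weighted FedAvg of flat parameter vectors. Assumptions not stated in the patent: θ = mean + k·σ of the screened errors, a Grubbs critical value taken from the standard table, and constructed error values in place of a trained LSTM autoencoder's output.

```python
# Added example, not from the patent: FedAvg aggregation (claims 5-6) and the
# Grubbs-smoothed reconstruction-error threshold theta (claims 6-7). The errors
# below are constructed numbers standing in for an LSTM autoencoder's output.
from statistics import mean, stdev
from typing import List, Sequence, Tuple

def grubbs_smooth(errors: Sequence[float], g_crit: float) -> List[float]:
    """Grubbs criterion: repeatedly drop the most extreme value while
    G = max|x - mean| / s exceeds g_crit. The caller takes g_crit from the
    standard Grubbs table for its n and alpha (reused on every pass here)."""
    data = list(errors)
    while len(data) > 2:
        m, s = mean(data), stdev(data)
        if s == 0:
            break
        idx = max(range(len(data)), key=lambda i: abs(data[i] - m))
        if abs(data[idx] - m) / s <= g_crit:
            break
        del data[idx]
    return data

def set_theta(errors: Sequence[float], g_crit: float, k: float = 3.0) -> float:
    """theta from the smoothed error distribution of normal traffic. mean + k*std
    is an assumed rule; the patent derives theta from the distribution but gives
    no formula."""
    clean = grubbs_smooth(errors, g_crit)
    return mean(clean) + k * stdev(clean)

def judge(error: float, theta: float) -> str:
    """New data is abnormal when its reconstruction error exceeds theta."""
    return "abnormal" if error > theta else "normal"

def fedavg(updates: Sequence[Tuple[List[float], int]]) -> List[float]:
    """FedAvg: per-parameter average of local models, each weighted by the
    number of local training samples reported by that participant."""
    total = sum(n for _, n in updates)
    dim = len(updates[0][0])
    agg = [0.0] * dim
    for params, n in updates:
        if len(params) != dim:
            raise ValueError("participant parameter vectors differ in shape")
        for i, p in enumerate(params):
            agg[i] += p * n / total
    return agg

if __name__ == "__main__":
    train_err = [0.10, 0.12, 0.11, 0.13, 0.09, 0.12, 0.10, 0.11, 0.90, 0.12]  # constructed
    theta = set_theta(train_err, g_crit=2.29)  # 2.29: Grubbs table, n=10, two-sided alpha=0.05
    print(round(theta, 3), judge(0.13, theta), judge(0.50, theta))
    print(fedavg([([1.0, 2.0], 300), ([3.0, 4.0], 100)]))  # [1.5, 2.5]
```

The spike at 0.90 is removed by the Grubbs pass, so θ is set from the nine remaining errors rather than inflated by the outlier.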

Description

Double-layer anomaly detection method for multi-threat attack

Technical Field

The invention belongs to the technical field of network security, and particularly relates to a multi-threat attack-oriented double-layer anomaly detection method.

Background

In network security, anomaly detection for highly concealed traffic is a key link in safeguarding cyberspace. With the rapid development of network technology, malicious attack techniques have become increasingly complex and varied, and highly concealed malicious traffic attacks more frequent, posing a serious challenge to network security. Traditional detection methods for highly concealed traffic anomalies rely mainly on rule matching and machine learning, and both have significant drawbacks. Rule matching requires a large number of preset rules and is hard to update in real time against continually changing novel attacks, so highly concealed malicious traffic cannot be discovered and blocked in time. Traditional machine learning is weak at feature extraction and struggles to fully mine the complex, hidden features of highly concealed traffic, so detection accuracy is low. In addition, as the network environment grows more complex and data sources become broad and dispersed, the data held by different organizations or institutions are often siloed, which makes data sharing and collaborative analysis difficult and further limits detection. Finally, traditional methods cannot effectively address key problems in highly concealed traffic such as the relevance among characters, context dependencies, and the extraction of feature subsets.
To overcome the shortcomings of traditional algorithms, the invention provides a double-layer anomaly detection framework for highly concealed traffic in multi-source networks. The framework adopts a two-stage detection approach: it first uses a payload embedding model based on traffic characters to detect whether traffic is highly concealed, and then judges whether that traffic is abnormal with a federated-learning-based anomaly detection model, so as to improve the detection of highly concealed malicious traffic and cope with increasingly complex network security threats.

Disclosure of Invention

In view of the above, the invention provides a multi-threat attack-oriented double-layer anomaly detection method that addresses the inability of traditional rule matching and machine learning methods to promptly detect and block highly concealed malicious traffic attacks or to fully extract the features of highly concealed traffic, as well as unidirectional LSTM long-term memory decay, data silos, and the difficulty of accurately setting anomaly detection thresholds.
To achieve the above purpose, the present invention adopts the following technical scheme. The multi-threat attack-oriented double-layer anomaly detection method comprises the steps of: dividing the original binary network traffic into traffic character units of N bytes with a sliding window, and obtaining a traffic character string sequence while retaining features by keeping the step length S smaller than the window size N; encoding the traffic characters into 256-dimensional vectors with a Payload2Vec model, capturing the correlations among characters through unsupervised training, and measuring similarity by cosine distance after dimensionality reduction to obtain a traffic character vector library; inputting the vectors into a double-layer BiLSTM network, learning context dependencies through forward and backward propagation to overcome the long-term memory decay of a unidirectional LSTM, and obtaining a vector sequence integrating contextual features; computing attention weights among the characters with a multi-head self-attention mechanism, extracting the correlated feature subset, and reducing computational complexity through parallel operation to obtain a weighted feature attention matrix; aggregating the locally trained LSTM autoencoder parameters with the FedAvg algorithm and iteratively updating a global model through a cloud server to obtain a federated anomaly detection cloud model; and smoothing the training data with the Grubbs criterion, setting a detection threshold θ from the distribution of the LSTM autoencoder's reconstruction errors, and judging data anomalous when the reconstruction error of new data exceeds θ, to obtain the abnormal-traffic decision result.
Specifically, the method processes the original binary network traffic with a sliding window, sets the window size to N bytes, slides the window over the binary data byte by byte and intercepts its content while keeping the sliding step S smaller than the window size N, ensuring that adjacent windows have data overl
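The sliding-window tokenization just described (claim 2), together with the one-hot index table from which the Payload2Vec model of claim 3 starts, as an added example that is not the patent's own code. The payload bytes are a constructed sample and the helper names are mine; only complete N-byte windows are emitted, following the claim's "N bytes intercepted by each window".

```python
# Added example, not from the patent: the sliding-window tokenization of claim 2
# (and of the description above) and the one-hot index table from which the
# Payload2Vec model of claim 3 starts. The payload bytes are a constructed sample.
from typing import Dict, List

def flow_chars(payload: bytes, n: int, s: int) -> List[bytes]:
    """Cut raw bytes into N-byte traffic character units with stride S < N, so
    consecutive windows share N - S bytes. Only complete windows are emitted,
    matching 'the N bytes intercepted by each window'."""
    if n <= 0 or not 0 < s < n:
        raise ValueError("require 0 < S < N")
    return [payload[i:i + n] for i in range(0, len(payload) - n + 1, s)]

def overlap_ok(units: List[bytes], n: int, s: int) -> bool:
    """Check the overlap property: the tail of each unit equals the head of the
    next, so no implicit feature spanning a window boundary is lost."""
    return all(a[s:] == b[:n - s] for a, b in zip(units, units[1:]))

def char_sequence(units: List[bytes]) -> str:
    """The traffic character string sequence: the units as hex tokens in order."""
    return " ".join(u.hex() for u in units)

def one_hot_vocab(units: List[bytes]) -> Dict[bytes, int]:
    """Index each distinct traffic character; a one-hot vector of this size is
    the initial representation that Payload2Vec compresses to 256 dimensions."""
    vocab: Dict[bytes, int] = {}
    for u in units:
        vocab.setdefault(u, len(vocab))
    return vocab

if __name__ == "__main__":
    sample = b"GET /index.html HTTP/1.1\r\n"  # constructed payload
    units = flow_chars(sample, n=4, s=2)
    print(len(units), overlap_ok(units, 4, 2))
    print(char_sequence(units))
    print(len(one_hot_vocab(units)), "distinct characters")
```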