
CN-122027222-A - Network traffic intrusion detection method, device, apparatus, storage medium and computer program product


Abstract

The application provides a network traffic intrusion detection method, device, equipment, storage medium and computer program product. The method comprises: obtaining a traffic sample set of the network traffic and the granularity value of each sample feature corresponding to the network traffic; sorting the plurality of sample features by granularity value to obtain a feature priority list of sample features ordered by granularity value; selecting sample features one at a time from the feature priority list and adding each to a first feature set, calculating the score of the current first feature set after each addition, and judging whether that score meets a first constraint condition; if so, stopping the selection and determining the first feature set currently meeting the first constraint condition as a second feature set; and classifying the network traffic by the second feature set to obtain a network traffic intrusion detection result. This improves detection accuracy.

Inventors

  • BA JING
  • LIU JING

Assignees

  • 中移(苏州)软件技术有限公司
  • 中国移动通信集团有限公司

Dates

Publication Date
20260512
Application Date
20260112

Claims (10)

  1. A method for intrusion detection of network traffic, the method comprising: obtaining a traffic sample set of the network traffic and a sample feature set corresponding to the network traffic, wherein the traffic sample set comprises a plurality of traffic samples, the sample feature set comprises a plurality of sample features, and the plurality of traffic samples are in one-to-one correspondence with the plurality of sample features; calculating the granularity value of the plurality of sample features based on the traffic sample set to obtain the granularity value of each sample feature; sorting the plurality of sample features based on the granularity value of each sample feature to obtain a feature priority list, wherein the feature priority list comprises the plurality of sample features sorted according to granularity value; sequentially selecting one sample feature from the feature priority list for addition to a first feature set, and calculating the score of the current first feature set after each addition to the first feature set; judging whether the score of the first feature set meets a first constraint condition and, if so, stopping the selection of sample features for addition to the first feature set and determining the first feature set currently meeting the first constraint condition as a second feature set; and classifying the network traffic through the second feature set to obtain a network traffic intrusion detection result.
  2. The method of claim 1, wherein calculating the granularity value of the plurality of sample features based on the traffic sample set comprises: calculating the granularity value of each sample feature in the sample feature set over the traffic sample set to obtain the granularity value of each sample feature.
  3. The method of claim 2, wherein calculating the granularity value of each sample feature in the sample feature set over the traffic sample set comprises: determining the total number of samples in the traffic sample set and the square of that total number; partitioning the traffic sample set by each sample feature into a plurality of equivalence classes, wherein the values of the sample feature are the same within each equivalence class; for each traffic sample, counting the number of traffic samples in the equivalence class to which it belongs; summing these counts over all traffic samples to obtain an accumulated sum; and calculating the granularity value of each sample feature based on the ratio of the accumulated sum to the squared total number.
  4. The method of claim 3, wherein partitioning the traffic sample set by each sample feature comprises: if any two traffic samples in the traffic sample set have the same value on the sample feature, placing those two traffic samples in the same equivalence class, until a plurality of equivalence classes of the traffic sample set with respect to the sample feature are obtained, wherein the equivalence classes are mutually disjoint.
  5. The method of claim 1, wherein before sequentially selecting one sample feature from the feature priority list for addition to the first feature set, the method further comprises: constructing the first feature set; and initializing the first feature set as an empty set.
  6. The method of claim 5, wherein calculating the score of the current first feature set comprises: calculating the score of the current first feature set based on a first criterion, the first criterion mapping the first feature set to the score, the score being a real value.
  7. A network traffic intrusion detection device, the device comprising: a data acquisition module, configured to obtain a traffic sample set of the network traffic and a sample feature set corresponding to the network traffic, wherein the traffic sample set comprises a plurality of traffic samples, the sample feature set comprises a plurality of sample features, and the plurality of traffic samples are in one-to-one correspondence with the plurality of sample features; and a data processing module, configured to calculate the granularity value of the plurality of sample features based on the traffic sample set to obtain the granularity value of each sample feature, sort the plurality of sample features based on the granularity value of each sample feature to obtain a feature priority list comprising the plurality of sample features sorted according to granularity value, sequentially select one sample feature from the feature priority list for addition to a first feature set, calculate the score of the current first feature set after each addition to the first feature set, judge whether the score of the current first feature set meets a first constraint condition and, if so, stop the selection of sample features for addition to the first feature set, determine the first feature set currently meeting the first constraint condition as a second feature set, and classify the network traffic through the second feature set to obtain a network traffic intrusion detection result.
  8. An electronic device comprising a processor and a memory for storing a computer program capable of running on the processor, wherein the processor is adapted to perform the steps of the method of any one of claims 1 to 6 when the computer program is run.
  9. A storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the method according to any one of claims 1 to 6.
  10. A computer program product comprising a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 6.
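The granularity calculation of claims 3 and 4 and the ordered forward selection of claims 1, 5 and 6 (the same steps are restated in the Disclosure of Invention below), worked through in Python as an added example. This is editorial code, not the patent's or the applicants' implementation. The patent leaves the "first criterion" and the "first constraint condition" unspecified, so the example assumes a label-purity score (the fraction of samples whose equivalence class under the current feature set carries a single label) and a stop condition of score >= 0.95; it also assumes the priority list is sorted with the smallest, i.e. finest, granularity first, and that classification with the second feature set is a majority-label lookup of the matching training class. The flow records are constructed.

```python
from collections import Counter, defaultdict
from typing import Callable, Dict, List, Sequence, Tuple

Sample = Tuple[Dict[str, object], str]  # (feature values of one flow, label)

# Constructed toy flow records, not data from the patent. Values are coarse on
# purpose so the equivalence classes can be checked by hand.
FLOW_SAMPLES: List[Sample] = [
    ({"proto": "tcp", "dst_port": 80,  "flag_syn": 1, "pkt_bucket": "small"},  "normal"),
    ({"proto": "tcp", "dst_port": 80,  "flag_syn": 1, "pkt_bucket": "small"},  "normal"),
    ({"proto": "tcp", "dst_port": 443, "flag_syn": 1, "pkt_bucket": "medium"}, "normal"),
    ({"proto": "udp", "dst_port": 53,  "flag_syn": 0, "pkt_bucket": "small"},  "normal"),
    ({"proto": "tcp", "dst_port": 22,  "flag_syn": 1, "pkt_bucket": "small"},  "attack"),
    ({"proto": "tcp", "dst_port": 22,  "flag_syn": 1, "pkt_bucket": "small"},  "attack"),
    ({"proto": "udp", "dst_port": 53,  "flag_syn": 0, "pkt_bucket": "large"},  "attack"),
    ({"proto": "tcp", "dst_port": 80,  "flag_syn": 1, "pkt_bucket": "large"},  "attack"),
]
ALL_FEATURES = ["proto", "dst_port", "flag_syn", "pkt_bucket"]


def equivalence_classes(samples: Sequence[Sample],
                        features: Sequence[str]) -> Dict[tuple, List[int]]:
    """Claim 4: samples with identical values on `features` share one class;
    the classes are mutually disjoint by construction of the dict key."""
    classes: Dict[tuple, List[int]] = defaultdict(list)
    for idx, (values, _label) in enumerate(samples):
        classes[tuple(values[f] for f in features)].append(idx)
    return dict(classes)


def granularity(samples: Sequence[Sample], feature: str) -> float:
    """Claim 3: every sample contributes the size of its own equivalence class,
    the contributions are summed and divided by n squared. Summing |class| once
    per member is the same as summing |class|^2 over the classes."""
    n = len(samples)
    total = sum(len(c) ** 2 for c in equivalence_classes(samples, [feature]).values())
    return total / (n * n)


def feature_priority_list(samples: Sequence[Sample], features: Sequence[str]) -> List[str]:
    """Claim 1: sort features by granularity. Ascending order (finest partition,
    i.e. most discriminating feature, first) is an assumption; the claims only
    say the list is sorted by granularity value. Ties break on the name."""
    return sorted(features, key=lambda f: (granularity(samples, f), f))


def purity_score(samples: Sequence[Sample], features: Sequence[str]) -> float:
    """Assumed 'first criterion' of claim 6: fraction of samples whose equivalence
    class under `features` contains a single label (the rough-set dependency
    degree). Any real-valued function of the feature set would satisfy claim 6."""
    if not features:
        return 0.0
    pure = 0
    for members in equivalence_classes(samples, features).values():
        if len({samples[i][1] for i in members}) == 1:
            pure += len(members)
    return pure / len(samples)


def select_features(samples: Sequence[Sample], features: Sequence[str],
                    score_fn: Callable[[Sequence[Sample], Sequence[str]], float] = purity_score,
                    threshold: float = 0.95) -> List[str]:
    """Claims 1 and 5: the first feature set starts empty; features are appended
    in priority order, the set is re-scored after each addition, and selection
    stops as soon as the score meets the constraint (assumed: score >= threshold).
    The set at that point is the 'second feature set'."""
    first_set: List[str] = []
    for feature in feature_priority_list(samples, features):
        first_set.append(feature)
        if score_fn(samples, first_set) >= threshold:
            break
    return first_set


def classify(samples: Sequence[Sample], second_set: Sequence[str],
             flow: Dict[str, object]) -> str:
    """Assumed classifier for the last step of claim 1: majority label of the
    training class the flow falls into under the selected features, 'unknown'
    when no training flow has the same values on the selected features."""
    key = tuple(flow[f] for f in second_set)
    members = equivalence_classes(samples, second_set).get(key)
    if not members:
        return "unknown"
    return Counter(samples[i][1] for i in members).most_common(1)[0][0]


if __name__ == "__main__":
    for f in ALL_FEATURES:
        print(f"{f:>10}: granularity {granularity(FLOW_SAMPLES, f):.4f}")
    chosen = select_features(FLOW_SAMPLES, ALL_FEATURES)
    print("second feature set:", chosen)
    probe = {"proto": "tcp", "dst_port": 80, "flag_syn": 1, "pkt_bucket": "large"}
    print("probe flow classified as:", classify(FLOW_SAMPLES, chosen, probe))
```

Run as a script, the block prints the granularity of each constructed feature, the selected second feature set and the label assigned to a probe flow. On the toy data `dst_port` has the finest partition (granularity 18/64) and is chosen first; adding `pkt_bucket` makes every equivalence class single-label, so selection stops with two of the four features. One design point the patent text does not address: label purity measured on the training set reaches 1.0 as soon as the partition is fine enough to isolate every sample, so a deployment would evaluate the criterion on held-out flows (or use a cross-validated classifier score as `score_fn`) rather than on the same samples used for the granularity ranking; the stop threshold is what keeps the selected set small, which is the lightweight-detection goal named in the Background.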

Description

Technical Field

The present application relates to the field of network security, and in particular to a network traffic intrusion detection method, apparatus, device, storage medium and computer program product.

Background

With the wide deployment of Internet of Things devices, network traffic data has become increasingly complex, and intrusion detection has become an important means of safeguarding network security. Traditional intrusion detection falls into two types, anomaly detection and misuse detection: the former identifies deviating behaviour against patterns of normal behaviour, the latter matches traffic against known attack signatures. As attack techniques keep evolving, however, the traditional methods suffer from poor adaptability, high false alarm rates and high update and maintenance costs when faced with unknown attacks. In the prior art, lightweight detection is achieved through several rounds of feature screening and modelling, but the screening process is cumbersome, and generalization can still be insufficient in a dynamically changing network environment.

Disclosure of Invention

Embodiments of the application provide a network traffic intrusion detection method, device, equipment, storage medium and computer program product, which improve the security of an Internet of Things network through a feature selection method and enhance the performance of the intrusion detection system by identifying and classifying normal and adversarial network behaviour.
The technical solution of the embodiments of the application is realized as follows. An embodiment of the application provides a network traffic intrusion detection method comprising the following steps: obtaining a traffic sample set of the network traffic and a sample feature set corresponding to the network traffic, wherein the traffic sample set comprises a plurality of traffic samples, the sample feature set comprises a plurality of sample features, and the plurality of traffic samples are in one-to-one correspondence with the plurality of sample features; calculating the granularity value of the plurality of sample features based on the traffic sample set to obtain the granularity value of each sample feature; sorting the plurality of sample features based on the granularity value of each sample feature to obtain a feature priority list, wherein the feature priority list comprises the plurality of sample features sorted according to granularity value; sequentially selecting one sample feature from the feature priority list for addition to a first feature set, and calculating the score of the current first feature set after each addition to the first feature set; judging whether the score of the first feature set meets a first constraint condition and, if so, stopping the selection of sample features for addition to the first feature set and determining the first feature set currently meeting the first constraint condition as a second feature set; and classifying the network traffic through the second feature set to obtain a network traffic intrusion detection result.
An embodiment of the application provides a network traffic intrusion detection device, comprising: a data acquisition module, configured to obtain a traffic sample set of the network traffic and a sample feature set corresponding to the network traffic, wherein the traffic sample set comprises a plurality of traffic samples, the sample feature set comprises a plurality of sample features, and the plurality of traffic samples are in one-to-one correspondence with the plurality of sample features; and a data processing module, configured to calculate the granularity value of the plurality of sample features based on the traffic sample set to obtain the granularity value of each sample feature, sort the plurality of sample features based on the granularity value of each sample feature to obtain a feature priority list comprising the plurality of sample features sorted according to granularity value, sequentially select one sample feature from the feature priority list for addition to a first feature set, calculate the score of the current first feature set after each addition to the first feature set, judge whether the score of the current first feature set meets a first constraint condition and, if so, stop selecting sample features to be added into t