Network Abnormal Behavior Detection Based On Deep Feature Learning

With the development of information construction in China,the continuous improvement of network infrastructure and the popularization of various network applications have brought us a lot of convenience.At the same time,various network abnormal behaviors that attempt to invade or destroy the network are also increasing.Network abnormal behavior detection is conducive to timely warning and response to abnormal situations,which helps to avoid or reduce the loss caused by abnormal behavior.How to effectively detect network abnormal behavior has become an important research topic in the field of network security.In recent years,packet-based network abnormal behavior detection and flow-based network abnormal behavior detection are two very popular research directions.This paper takes the network packets and flows as the research objects,and studies two aspects,i.e.,packet-based and flow-based network abnormal behavior detection.The existing packet-based network abnormal behavior detection methods can automatically extract the abnormal features of packets based on machine learning model.However,when these models are faced with the abnormal packets with scattered abnormal features,they are often difficult to extract the associated abnormal information in packets.To solve this problem,this paper proposes a network abnormal behavior detection system based on deep packet analysis,which can learn and detect the long-term dependency information in the packet.The system proposes a block sequence construction method to effectively express the high-dimensional information and potential sequence information of packets.On the basis of block sequence construction,the proposed system uses a neural network branch based on LSTM and CNN and a neural network branch based on multi-head self-attention mechanism to learn the potential association information in block sequence from local and global perspectives.Finally,the proposed system uses neural network based on additive attention mechanism fuses the output features of two neural network branches to detect abnormal packets.The proposed system does not need expert knowledge,and can detect packets in millisecond level.The detection performance of the proposed system is better than other comparison methods.The annotation or generation of flow-based abnormal network behavior samples mostly needs in-depth expert knowledge,so it is very difficult to obtain a large number of actual abnormal samples for supervised training in the actual scene.Although the existing methods based on unsupervised or semi-supervised can detect anomalies without a large number of labeled abnormal samples,the performance of the methods is often limited due to the insufficient use of relevant knowledge in the labeled samples or over-fitting a small number of abnormal samples.To solve the above problems,this paper proposes a network anomaly detection scheme based on flow feature encoding,which encodes the input samples as a more effective feature representation for anomaly detection.In this scheme,an autoencoder is used to obtain the encoding representation of input samples,which makes the difference between abnormal samples and normal samples more significant.On the basis of the flow feature encoding,a network abnormal behavior detection model based on semi-supervised learning is used to fuse the encoding representation of samples.A small number of labeled abnormal samples and a large number of unlabeled samples are used to train the anomaly detection model.Experimental results show that the proposed scheme has better performance than several methods in recent years.