
Research On Network Abnormal Traffic Detection Technology Based On Convolutional Neural Network And SimHash

Posted on: 2020-02-25
Degree: Master
Type: Thesis
Country: China
Candidate: R W Zhang
GTID: 2438330578473467
Subject: Computer application technology
Abstract/Summary:
With the continuous development of computer and communication technology, the Internet, originally used only for military purposes, has gradually entered society and become an important part of people's production and life. At the same time, network attacks such as denial-of-service attacks and viruses have brought tremendous hidden dangers to cyberspace security. As an effective means of detecting network attacks, network anomaly detection has attracted more and more attention from researchers in recent years.

In past research, most detection models were trained on extracted feature vectors, so the final classification performance of the model is greatly affected by the design of the traffic feature vectors. To circumvent this effect as much as possible, many researchers have chosen to use artificial neural networks to detect anomalies in traffic data. However, most of these detection models are based on one-dimensional convolutional neural networks, and the construction of the neural network is complicated, which leads to the disadvantage that the detection rate is not high enough or the detection speed is not fast. In addition, due to the inherent length limitations of neural network models, most network models can only accept fixed-length inputs. This makes them unable to detect malicious behaviors hidden behind the network session.

Aiming at the problem that the detection rate is not high enough or the detection speed is not fast, this paper proposes a network traffic anomaly detection model based on a two-dimensional convolutional neural network. The model directly treats the multiple data packets that make up a network session as a gray-scale two-dimensional image. First, one-dimensional convolution kernels and pooling in the direction of the packet are used for calculation. Then the classification is completed by fully connected layers and softmax. The former is able to extract features within the packet and speed up the calculation. The latter can extract the overall characteristics of the session. The experimental results show that the model achieves a higher detection rate while maintaining a lower detection rate when compared with newer network anomaly detection models such as HAST-? and TR-IDS on the ISCX2012 dataset. Furthermore, the detection speed can be improved by about three times.

Aiming at the problem that only part of the traffic data in the session is used, we introduced the SimHash value calculation process in the preprocessing stage of the above model. It replaces the data part of the network packets with the SimHash value, so that a fixed-length string can hold the characteristic information of the entire packet. After the replacement, the detection model can implement attack detection that does not depend on the original traffic data and relies only on the generated SimHash value. Experiments on the ISCX2012 dataset show that after the replacement, the detection rate of this model is slightly reduced, but anomaly detection can still be performed effectively.

For sensitive networks that cannot save traffic data, the storage of SimHash values can provide data support for the analysis of currently unknown attacks by new detection models in the future, and can also be used as a technical means for network traffic attack forensics. For non-sensitive networks that can store traffic data, SimHash will also significantly reduce the amount of data that needs to be saved when the network is running at full speed, thereby increasing the number of network sessions that can be saved in a fixed storage space.
Keywords/Search Tags:Network anomaly detection, Cyberspace security, Convolutional Neural Network, SimHash, Deep learning, Traffic classification
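
The preprocessing step the abstract describes, as an added example that is not code from the thesis: each packet's payload is replaced by a fixed-length SimHash, and the resulting rows are stacked into the gray-scale session image. The 64-bit width, byte 4-gram features, BLAKE2b hash, 40-byte header and 8-packet session size are assumptions, and the sample payloads are constructed.

```python
import hashlib

BITS = 64     # assumed fingerprint width; the abstract does not state one
NGRAM = 4     # assumed feature unit: overlapping byte 4-grams of the payload
HDR_LEN = 40  # assumed fixed header width per image row

def simhash(payload: bytes) -> int:
    """Fold every byte n-gram of the payload into one BITS-wide fingerprint."""
    if len(payload) >= NGRAM:
        grams = [payload[i:i + NGRAM] for i in range(len(payload) - NGRAM + 1)]
    else:
        grams = [payload] if payload else []   # short or empty payloads
    votes = [0] * BITS
    for g in grams:
        h = int.from_bytes(hashlib.blake2b(g, digest_size=BITS // 8).digest(), "big")
        for bit in range(BITS):
            votes[bit] += 1 if (h >> bit) & 1 else -1
    return sum(1 << bit for bit in range(BITS) if votes[bit] > 0)

def hamming(a: int, b: int) -> int:
    """Number of differing fingerprint bits; small means similar payloads."""
    return bin(a ^ b).count("1")

def packet_row(header: bytes, payload: bytes) -> bytes:
    """Fixed-length row: padded/truncated header followed by the SimHash."""
    fixed = header[:HDR_LEN].ljust(HDR_LEN, b"\x00")
    return fixed + simhash(payload).to_bytes(BITS // 8, "big")

def session_image(packets, max_packets=8):
    """Stack packet rows into a max_packets x (HDR_LEN + 8) gray-scale matrix."""
    rows = [packet_row(h, p) for h, p in packets[:max_packets]]
    rows += [bytes(HDR_LEN + BITS // 8)] * (max_packets - len(rows))
    return [list(r) for r in rows]

# Constructed sample payloads (not taken from ISCX2012).
REQ_A = (b"GET /index.php?id=1 HTTP/1.1\r\nHost: shop.example\r\n"
         + b"User-Agent: demo-client/1.0\r\nAccept: text/html\r\n" * 3)
REQ_B = REQ_A.replace(b"id=1", b"id=2")                          # near-duplicate
BINARY = bytes((i * 37 + 11) % 256 for i in range(len(REQ_A)))   # unrelated

if __name__ == "__main__":
    print("similar  :", hamming(simhash(REQ_A), simhash(REQ_B)))
    print("unrelated:", hamming(simhash(REQ_A), simhash(BINARY)))
    img = session_image([(b"\x45\x00" * 10, REQ_A), (b"\x45\x00" * 10, REQ_B)])
    print("image shape:", len(img), "x", len(img[0]))
```

Near-duplicate payloads land a few bits apart while unrelated ones differ in roughly half the bits, which is why a classifier can still separate sessions after the raw payload has been discarded.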