The evolution of cyberspace from the information-oriented Internet to the ubiquitous network has increased both the sophistication of cyberattacks and the vulnerability of cybersecurity. Network traffic anomaly detection is a critical security countermeasure for identifying attacks and potential risks in cyberspace. Deep learning methods offer strong non-linear representation of high-dimensional data, which can boost the accuracy and robustness of network traffic anomaly detection without prior knowledge. Despite the remarkable performance of deep learning methods in network traffic anomaly detection, several problems remain to be addressed. The sophistication, scale, and destructiveness of network attacks raise the accuracy demands on network traffic anomaly detection; the exponential growth of network traffic, the high frequency of network attacks, and the storage and computation pressure at the edge raise its immediacy demands; and the imbalance of network traffic data in practical network environments means that deep learning methods commonly face the long-tail effect. Focusing on deep learning-based lightweight network traffic anomaly detection methods, the main work is as follows.

To address the limited representation ability and weak generalization ability of current deep learning-based network traffic anomaly detection methods, a network traffic anomaly detection method based on the Multi Spatial-Temporal Residual Network (MSSTRNet) is proposed. Combining multi-scale one-dimensional convolution with a long short-term memory network enhances the representation ability. Identity mapping enables deep feature extraction, prevents vanishing/exploding gradients, over-fitting, and network degradation, and accelerates the convergence of the model. Focal Loss (FL) is introduced for the fine-grained anomaly detection tasks in place of cross-entropy loss, and a softening factor is proposed to prevent the high false alarms caused by over-focusing on the tail data. Visualizations of the data preprocessing results suggest that, compared with standardization, normalization better separates abnormal traffic data from normal traffic data; the performance evaluation experiments reveal that inserting identity mapping accelerates the convergence of the model, boosts the performance of network traffic anomaly detection, and efficiently addresses the network degradation problem; the contrast experiments indicate that the spatial and temporal extraction methods reinforce the representation and generalization ability of the model, and that its performance metrics are better than those of several current deep learning models.

To address the poor adaptability to practical environments and the deployment difficulty of current deep learning-based network traffic anomaly detection methods, a lightweight network traffic anomaly detection method based on spatial-temporal knowledge distillation is proposed. Building on Knowledge Distillation (KD), the anomaly detection backbones adopt spatial-temporal neural networks, with MSSTRNet as the teacher network and the Lightweight and Efficient Network (LENet) as the student network, and the abundant implicit knowledge of MSSTRNet is transferred to the lightweight LENet through KD. As with MSSTRNet, FL is introduced into the KD process to alleviate the long-tail effect in fine-grained detection tasks. The ablation experiments identify the optimal KD parameters for fine-grained anomaly detection tasks; the KD validation experiments suggest that the KD method can effectively boost the accuracy of network traffic anomaly detection, enhance the ability to detect rare attacks to a certain extent, yield a lightweight student network whose accuracy is competitive with or even superior to that of the teacher model, and significantly reduce memory consumption and time overhead; the validation experiments on the effectiveness of spatial-temporal feature extraction reveal that it is difficult to obtain high accuracy by focusing only on the local spatial features of network traffic, and that combining them with the global temporal features is essential to enhance detection performance; the comparison experiments suggest that the method offers better overall performance than several current lightweight models.

To meet the current demands of network security situational awareness, a lightweight network traffic anomaly detection system based on deep learning is designed and implemented. The system adopts the "cloud-edge-end" collaborative framework and sets routing rules so that packets from the device side are forwarded through edge nodes, allowing the edge side to monitor the local network. In the offline stage, MSSTRNet pre-training and LENet distillation are driven by offline network traffic data and are iteratively updated in the cloud; in the online stage, the lightweight LENet is loaded to achieve highly accurate, low-false-alarm, low-miss, and timely network traffic anomaly detection, the detection results are stored in the database, and the data analysis results are presented as visualizations. The system can therefore simultaneously satisfy the requirements of accurate and timely network traffic anomaly detection, alleviate the long-tail effect at the algorithm level, and effectively adapt to the demands of the current network attack and defense game.
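
The following added sketch (not code from the thesis) shows why focal loss suits long-tailed traffic classes and how it can be combined with a distillation term for the student network. The standard focal loss and Hinton-style distillation formulas, the values of `gamma`, `T` and `alpha`, and the constructed logits are all assumptions; the softening factor mentioned in the abstract is not defined there and is left out.

```python
import math

def softmax(logits, T=1.0):
    """Temperature-scaled softmax, shifted by the max for numerical stability."""
    m = max(logits)
    exps = [math.exp((z - m) / T) for z in logits]
    total = sum(exps)
    return [e / total for e in exps]

def cross_entropy(logits, label):
    return -math.log(softmax(logits)[label])

def focal_loss(logits, label, gamma=2.0):
    """Standard focal loss: cross entropy scaled by (1 - p_t)^gamma, so
    well-classified (mostly head-class) samples contribute almost nothing."""
    p_t = softmax(logits)[label]
    return -((1.0 - p_t) ** gamma) * math.log(p_t)

def kd_focal_loss(student_logits, teacher_logits, label,
                  T=4.0, alpha=0.7, gamma=2.0):
    """Assumed combination: alpha * T^2 * KL(teacher || student) on softened
    outputs, plus (1 - alpha) * focal loss on the hard label."""
    p_teacher = softmax(teacher_logits, T)
    p_student = softmax(student_logits, T)
    kl = sum(pt * math.log(pt / ps) for pt, ps in zip(p_teacher, p_student))
    return alpha * T * T * kl + (1.0 - alpha) * focal_loss(student_logits, label, gamma)

def focal_weight(logits, label, gamma=2.0):
    """Fraction of the cross-entropy loss that focal loss keeps for a sample."""
    return focal_loss(logits, label, gamma) / cross_entropy(logits, label)

# Constructed logits for three classes: [normal, common attack, rare attack].
EASY_NORMAL = ([6.0, 0.0, 0.0], 0)   # confident, correct head-class sample
HARD_RARE = ([2.0, 0.5, 1.0], 2)     # rare attack the student mistakes for normal
TEACHER_RARE = [0.5, 0.5, 3.0]       # teacher output for the same rare sample

if __name__ == "__main__":
    print("weight kept, easy head sample:", focal_weight(*EASY_NORMAL))
    print("weight kept, hard tail sample:", focal_weight(*HARD_RARE))
    print("student loss with teacher:",
          kd_focal_loss(HARD_RARE[0], TEACHER_RARE, HARD_RARE[1]))
```
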