Nothing Special   »   [go: up one dir, main page]

CN112417446A - Software defined network anomaly detection architecture - Google Patents

Software defined network anomaly detection architecture Download PDF

Info

Publication number
CN112417446A
CN112417446A CN202011460949.1A CN202011460949A CN112417446A CN 112417446 A CN112417446 A CN 112417446A CN 202011460949 A CN202011460949 A CN 202011460949A CN 112417446 A CN112417446 A CN 112417446A
Authority
CN
China
Prior art keywords
layer
data
model
cnn
anomaly detection
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011460949.1A
Other languages
Chinese (zh)
Inventor
庞希愚
孟庆兰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shandong Jiaotong University
Original Assignee
Shandong Jiaotong University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shandong Jiaotong University filed Critical Shandong Jiaotong University
Priority to CN202011460949.1A priority Critical patent/CN112417446A/en
Publication of CN112417446A publication Critical patent/CN112417446A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/554Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/04Architecture, e.g. interconnection topology
    • G06N3/045Combinations of networks
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/08Learning methods

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • Data Mining & Analysis (AREA)
  • Evolutionary Computation (AREA)
  • Biophysics (AREA)
  • Molecular Biology (AREA)
  • Computing Systems (AREA)
  • Computational Linguistics (AREA)
  • Artificial Intelligence (AREA)
  • Mathematical Physics (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the technical field of network completion, in particular to a software defined network anomaly detection framework with better detection effect, which comprises a data acquisition module, a Software Defined Network (SDN), a data transmission module and an anomaly detection module; the data acquisition module acquires flow; the SDN separates a control plane from a data forwarding plane in the SDN network; the data transmission module is mainly used for classifying the flow, finding abnormal flow and acquiring an abnormal detection report; the anomaly detection module is mainly used for carrying out feature extraction and flow classification on the acquired flow; the invention combines the bidirectional gating recursion unit and the convolutional neural network, constructs the software defined network anomaly detection system structure, and continuously optimizes the software defined network anomaly detection system structure, thereby ensuring the network safety as much as possible and improving the reliability of the detection system structure.

Description

Software defined network anomaly detection architecture
Technical Field
The invention relates to the technical field of network completion, in particular to a software defined network anomaly detection framework.
Background
With the increasing popularity of the internet, the degree of informatization is also increasing. In addition, the number of internet users is also rapidly increasing, and more convenient lives can be sought through the internet. Since people's lives depend on the network greatly, the traditional network architecture cannot meet the current network traffic demand. In addition, some abnormal situations may be encountered, such as web attacks, pop-up advertising windows, network outages during online transactions, etc. Once a problem occurs, not only the user experience is affected, but also more serious loss is caused, and even the safety of individuals or countries is threatened. Particularly, in the network information era, the higher the network scale and complexity is, the more common and diversified the abnormal phenomenon of network traffic will be, and how to effectively detect the abnormal situation becomes a hot problem.
Network anomaly detection is a classification process that separates network traffic into normal traffic and abnormal traffic. This process needs to be performed without affecting the normal operation of the user. Once abnormal traffic is detected, it needs to react immediately to ensure a better user experience. The traditional abnormal detection method mainly distinguishes by setting a threshold value, and once the flow is lower than the threshold value, the flow is considered to be normal flow; otherwise, it is determined to be abnormal. Although this approach is simple and low cost, performance is still poor in current and future increasingly complex network environments. The occurrence of the machine learning technology provides an algorithm with higher performance for anomaly detection to a certain extent, particularly the deep learning technology overcomes the defect that the traditional machine learning needs to manually set a related value, and realizes automatic extraction, but the prior art still has the problem that anomaly cannot be effectively detected due to the scale and complexity of a network.
Disclosure of Invention
In view of the above disadvantages, the present invention aims to provide a software-defined network anomaly detection architecture, in which a deep learning technique is used in an anomaly detection module to assist in anomaly classification, and a bidirectional gating recursion unit BGRU and a convolutional neural network CNN technique are combined to improve the performance of a detection architecture.
The technical scheme adopted by the invention for solving the technical problems is as follows:
a software defined network anomaly detection architecture comprises a data acquisition module, a Software Defined Network (SDN), a data transmission module and an anomaly detection module; the data acquisition module is mainly used for acquiring flow; the SDN mainly separates a control plane from a data forwarding plane in the SDN, controls the whole network resource through the control plane and sends an instruction to the data forwarding plane to complete data forwarding, and provides a telescopic and dynamic system structure for the detection work of an abnormality detection module; the data transmission module is mainly used for classifying the flow, finding abnormal flow, acquiring an abnormal detection report, updating the abnormal flow under the condition of not influencing a client and ensuring that the normal flow can be continuously diffused; the anomaly detection module is mainly used for carrying out feature extraction and flow classification on the collected flow.
Further, the data forwarding plane acquires flow information of the data acquisition module through an OpenFlow protocol, then transmits the information to a controller of the control layer to extract features, and finally transmits the information back to the anomaly detection module.
Further, the SDN comprises an application layer, a control layer, and an infrastructure layer; the infrastructure layer forwards the flow in the switch by using the network equipment, collects flow state information and feeds the flow state information back to an upper control layer through an interface; after the information reaches the control layer, the controller at the control layer arranges and processes state information and network resources, interacts with the upper application layer, and realizes control of network exchange through an interface for application programs and deployment of various services, such as cloud computing, intrusion detection systems, intrusion prevention systems, security monitoring and load balancing.
Because the convolutional neural network CNN has higher classification capability, the accuracy of abnormal flow classification can be improved by adding the CNN into the abnormal detection module; in addition, the network traffic anomaly is dynamic, and needs relatively quick response time, so that the time step needs to be considered, and the SDN anomaly detection system structure is optimized by combining the bidirectional gating recursion units BGRU and CNN, and the monitoring precision is improved. The detection model of the abnormality detection module adopts a BGRU-CNN model, and the BGRU-CNN model comprises an input layer, a BGRU layer, a CNN layer and a classifier; the input layer is used for inputting data information; the BGRU layer is mainly used for controlling input data through an update gate and a reset gate to realize time sequence characteristic extraction of flow; the CNN layer mainly extracts the characteristics of the information flow; the classifier is used for classifying the characteristic value information obtained by the CNN.
Specifically, the BGRU model in the BGRU layer is constructed by embedding a gated cyclic unit GRU into a bidirectional cyclic neural network so as to capture information in both positive and negative directions; the GRU comprises an updating gate and a resetting gate, and a gate control mechanism is used for controlling input and information needing to be stored so as to predict at the current time step; the update gate mainly defines the amount of memory previously saved to the current time step, and the reset gate combines the new information with the previous information; the two gating vectors determine which information can be used as the output of the GRU, and the information can be stored in the sequence for a long time, so that the information cannot be eliminated along with the time, and cannot be deleted because of being irrelevant to prediction; the bidirectional recurrent neural network can process information more flexibly by adding a hidden layer for passing information from back to front, and the hidden state of the bidirectional recurrent neural network at each time step depends on subsequences before and after the time step (including the input of the current time step).
Furthermore, the CNN layer selects subdata from the input information, then extracts local features of the subdata, the local features form feature values of all data, and the CNN layer structurally comprises a plurality of convolution layers, a pooling layer and a full-connection layer; the convolution layer is mainly used for local sensing and weight sharing, namely upper layer features are extracted to carry out convolution operation with convolution kernels, so that features after convolution are obtained, the smaller the convolution kernels are, the more complex the model is, and the more comprehensive the extracted feature information is; the pooling layer is used for sampling operations, typically using maximum pooling or average pooling, before which the number of extracted features does not change; the full-connection layer is used for integrating the features after the convolution for many times, then normalization is carried out, a probability is output for various classification conditions, and the classifier classifies the features according to the probability obtained by the full-connection layer. Compared with other networks, the network has the greatest advantages that under the condition that the network depth is the same, the parameters are fewer, and the data are easier to train; meanwhile, as long as the data set is large enough, the precision of the method can be greatly improved.
On this basis, three modules of the SDN network need to be tested, and the detection process is as follows:
s1: preprocessing data; the method comprises the steps of carrying out data conversion on original data, and then carrying out standardization and normalization; because the collected data may have different measurement scales, directly inputting the model increases the processing difficulty, and therefore the data needs to be preprocessed and standardized;
s2, dividing a data set generated after data preprocessing into a training set and a testing set;
s3, inputting the training set into a BGRU-CNN model and a continuous optimization model, and achieving an optimal state through learning training;
and S4, inputting the test set into the BGRU-CNN model, and verifying the detection effect.
When the CNN layer obtains the characteristic value information, classifying the characteristic value information by using a Softmax function, wherein the formula (1) is as follows:
Figure BDA0002831718600000051
wherein z is the output of the previous layer, Softmax is the input, the dimension is C, S is the probability that the prediction object belongs to the second CCC class, and e is the base number of the natural logarithm function in mathematics.
The performance of the model is then verified by accuracy a, accuracy P, recall R, F1 scores, and the confusion matrix values. The first four indices can be expressed by formula (2), formula (3), formula (4), and formula (5):
Figure BDA0002831718600000052
Figure BDA0002831718600000053
Figure BDA0002831718600000054
Figure BDA0002831718600000055
in the formula: TP, namely True Positive represents the model to judge the correct attack packet quantity; TN, namely True Negative represents the number of normal data packets judged to be correct by the model; FP, namely False Positive, represents the number of normal data packets which are judged by the model to be wrong; FN, namely False Negative represents the number of attack packets which are judged by the model to be wrong; f1 is scored as the average value of the accuracy and the recall ratio and is used for accurately evaluating the model; the confusion matrix matches the model classification results with the actual situation.
The invention has the technical effects that:
compared with the prior art, the software defined network anomaly detection architecture combines the bidirectional gating recursion unit BGRU and the convolutional neural network CNN to construct a software defined network SDN anomaly detection architecture, and is optimized continuously, network safety is guaranteed as far as possible, and reliability of the detection architecture is improved. The result shows that the network architecture provided by the invention can greatly improve the detection precision, the performance of the network architecture is different due to different CNN layer numbers, when a double-layer CNN structure is selected, the performance of the network architecture is the best in all algorithm models, particularly, the precision of BGRU-CNN-2 reaches 98.7%, and the effectiveness of the method is verified. Under deep learning, the BGRU-CNN model is used for exploring and optimizing SDN abnormity detection, and the method has important significance for future information transmission safety and improvement of network service quality.
Drawings
FIG. 1 is a schematic diagram of the overall architecture of the present invention;
FIG. 2 is a schematic diagram of a Software Defined Network (SDN) architecture of the present invention;
FIG. 3 is a schematic diagram of the BGRU-CNN model architecture of the present invention;
FIG. 4 is a schematic diagram of the CNN architecture of the convolutional neural network of the present invention;
FIG. 5 is a schematic diagram of the anomaly detection process of the present invention;
FIG. 6 is a comparison of accuracy for each algorithm model of the present invention;
FIG. 7 is a graph comparing recall rates of various algorithm models of the present invention;
FIG. 8 is a comparison graph of the overall performance evaluation of the algorithm models of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention are clearly and completely described below with reference to the drawings of the specification.
Example 1:
as shown in fig. 1, the software defined network anomaly detection architecture according to this embodiment includes a data acquisition module, a software defined network SDN, a data transmission module, and an anomaly detection module; the data acquisition module is mainly used for acquiring flow; the SDN mainly separates a control plane from a data forwarding plane in the SDN, controls the whole network resource through the control plane and sends an instruction to the data forwarding plane to complete data forwarding, and provides a telescopic and dynamic system structure for the detection work of an abnormality detection module; the data transmission module is mainly used for classifying the flow, finding abnormal flow, acquiring an abnormal detection report, updating the abnormal flow under the condition of not influencing a client and ensuring that the normal flow can be continuously diffused; the anomaly detection module is mainly used for carrying out feature extraction and flow classification on the collected flow.
Specifically, the data forwarding plane acquires flow information of the data acquisition module through an OpenFlow protocol, then transmits the information to a controller of the control layer to extract features, and finally transmits the information back to the anomaly detection module.
As shown in fig. 2, the SDN includes an application layer, a control layer, and an infrastructure layer; the infrastructure layer forwards the flow in the switch by using the network equipment, collects flow state information and feeds the flow state information back to an upper control layer through an Application Program Interface (API); after the information reaches the control layer, the controller at the control layer arranges and processes state information and network resources, interacts with the upper application layer, and realizes control of network exchange through an interface for application programs and deployment of various services, such as cloud computing, intrusion detection systems, intrusion prevention systems, security monitoring and load balancing.
Because the convolutional neural network CNN has higher classification capability, the accuracy of abnormal flow classification can be improved by adding the CNN into the abnormal detection module; in addition, the network traffic anomaly is dynamic, and needs relatively quick response time, so that the time step needs to be considered, and the SDN anomaly detection system structure is optimized by combining the bidirectional gating recursion units BGRU and CNN, and the monitoring precision is improved. As shown in fig. 3, the detection model of the abnormality detection module adopts a BGRU-CNN model, which includes an input layer, a BGRU layer, a CNN layer, and a classifier; the input layer is used for inputting data information; the BGRU layer is mainly used for controlling input data through an update gate and a reset gate to realize time sequence characteristic extraction of flow; the CNN layer mainly extracts the characteristics of the information flow; the classifier is used for classifying the characteristic value information obtained by the CNN.
The construction of the BGRU model in the BGRU layer is to embed a gate control cycle unit GRU into a bidirectional cyclic neural network so as to capture information in both positive and negative directions; the GRU comprises an updating gate and a resetting gate, and a gate control mechanism is used for controlling input and information needing to be stored so as to predict at the current time step; the update gate mainly defines the amount of memory previously saved to the current time step, and the reset gate combines the new information with the previous information; the two gating vectors determine which information can be used as the output of the GRU, and the information can be stored in the sequence for a long time, so that the information cannot be eliminated along with the time, and cannot be deleted because of being irrelevant to prediction; the bidirectional recurrent neural network can process information more flexibly by adding a hidden layer for passing information from back to front, and the hidden state of the bidirectional recurrent neural network at each time step depends on subsequences before and after the time step (including the input of the current time step).
As shown in fig. 3 and 4, the CNN layer selects sub-data from the input information, and then extracts local features thereof, where a plurality of local features form feature values of all data, and the structure thereof includes a plurality of convolution layers, a pooling layer, and a full connection layer; in fig. 4, C1 and C3 represent convolutional layers, which are mainly used for local sensing and weight sharing, that is, upper layer features are extracted to perform convolution operation with convolution kernels, so as to obtain convolved features, and the smaller the convolution kernels are, the more complex the model is, and the more comprehensive the extracted feature information is; s2 and S4 are pooling layers, which are used for sampling operations, typically using maximum pooling or average pooling, before which the number of extracted features does not change; the fully-connected layer is used for integrating the features after multiple convolutions, then normalization is carried out, a probability is output for various classification conditions, the classifier is used for classifying according to the probability obtained by the fully-connected layer, and NN in figure 4 represents an output layer and represents output data of the network. Compared with other networks, the network has the greatest advantages that under the condition that the network depth is the same, the parameters are fewer, and the data are easier to train; meanwhile, as long as the data set is large enough, the precision of the method can be greatly improved.
On this basis, three modules of the SDN network need to be tested, as shown in fig. 5, the anomaly detection process is as follows:
s1: preprocessing data; the method comprises the steps of carrying out data conversion on original data, and then carrying out standardization and normalization; because the collected data may have different measurement scales, directly inputting the model increases the processing difficulty, and therefore the data needs to be preprocessed and standardized;
s2, dividing a data set generated after data preprocessing into a training set and a testing set;
s3, inputting the training set into a BGRU-CNN model and a continuous optimization model, and achieving an optimal state through learning training;
and S4, inputting the test set into the BGRU-CNN model, and verifying the detection effect.
When the CNN layer obtains the characteristic value information, classifying the characteristic value information by using a Softmax function, wherein the formula (1) is as follows:
Figure BDA0002831718600000101
wherein z is the output of the previous layer, Softmax is the input, the dimension is C, S is the probability that the prediction object belongs to the second CCC class, and e is the base number of the natural logarithm function in mathematics.
The performance of the model is then verified by accuracy a, accuracy P, recall R, F1 scores, and the confusion matrix values. The first four indices can be expressed by formula (2), formula (3), formula (4), and formula (5):
Figure BDA0002831718600000102
Figure BDA0002831718600000103
Figure BDA0002831718600000104
Figure BDA0002831718600000105
in the formula: TP (true Positive) represents the number of attack packets judged by the model correctly; TN (TN negative) represents the number of normal data packets judged by the model to be correct; FP (false positive) represents the number of normal data packets which are judged by the model to be wrong; FN (false negative) represents the number of attack packets which are judged by the model to be wrong; f1 is scored as the average value of the accuracy and the recall ratio and is used for accurately evaluating the model; the confusion matrix is mainly used for matching the model classification result with the actual situation.
The software-defined network anomaly detection architecture of the embodiment is trained and tested on a Windows 10 system with Intel (R) i5-7500, 3.40GHz and 8GB memories, and the learning rate is set to 0.00001. In addition, optimization is carried out by using an optimizer such as SGD, Adam, RMSProp, Adadelta and the like.
Using KDD99 and the KSL-KDD dataset for analysis, the following different algorithmic models were compared: only a BGRU layer; one layer, two layers and three layers of CNN, a BGRU-CNN-1 structure (single-layer CNN), a BGRU-CNN-2 structure (two-layer CNN) and a BGRU-CNN-3 structure (three-layer CNN). When the accuracy, precision, recall rate and F1 score of the data set are evaluated, the accuracy of KDD99 and KSL-KDD data sets are found to reach more than 97%; the accuracy rate reaches more than 99.4 percent, the recall rate is 96.69 percent and 97.31 percent respectively, and the F1 score is 0.9804 and 0.9856 respectively. Thus, while each time the data sets are trained, the results will be different, the two data sets will yield better results when using the BGRU-CNN model. In addition, the overall performance index of KSL-KDD is slightly superior to that of KDD. Thus, the present embodiment uses the KSL-KDD dataset to accomplish subsequent work.
After passing through the Soft-max classifier, the data set can be classified into 5 types: normal, DOS, U2R, R2L, Probe. When the BGRU-CNN model is used for analysis, 5 different abnormal conditions are compared, and the comparison result is as follows:
the accuracy is analyzed, the obtained result is shown in FIG. 6, and as can be seen from FIG. 6, the accuracy of BGRU-CNN-2 is obviously superior to that of other models, and the accuracy of Normal, DOS and Probe is higher than that of other two models; by comparing BGRU-CNN-1, BGRU-CNN-2 and BGRU-CNN-3, more CNN convolution layers are not necessarily helpful for obtaining better results, and the results show that the accuracy of BGRU-CNN-3 is lower than that of BGRU-CNN-2, and the performance of the model after mixing BGRU and CNN is obviously better than that of the model using BGRU and CNN independently;
the recall ratio is analyzed, the result is shown in fig. 7, and as can be seen from fig. 7, the recall ratio of the BGRU-CNN-2 reaches the maximum value in Normal, DOS, U2R and Probe categories, and the recall ratio of the BGRU-CNN hybrid model is higher than that of the simple algorithm.
The algorithm model is tested and evaluated on a test set, the overall performance of the algorithm model is evaluated, and the obtained result is shown in fig. 8, and the result of the structural evaluation of fig. 8 shows that the performance of the BGRU-CNN hybrid algorithm model is superior to that of the simple algorithm model, wherein the BGRU-CNN-2 is superior to the BGRU-CNN-1 and BGRU-CNN-3 models; of all simple algorithms, the two-layer CNN algorithm model is superior to the other algorithms. Therefore, the double-layered CNN structure can exhibit a good classification effect. When combined with BGRU, the test works best in all algorithm models.
In summary, a better effect can be obtained by selecting an appropriate number of CNN layers. In addition, the performance of combining the BGRU and CNN algorithms is obviously superior to that of other algorithms. The BGRU-CNN hybrid algorithm can better perform anomaly detection, the effectiveness of the hybrid algorithm is proved, and the algorithm model is applied to SDN anomaly detection, so that the service quality of network flow is improved.
In the application process, the SDN can rapidly deploy various networks, adapt to different network requirements and meet the updating of service requirements; the SDN can manage the whole network in a centralized way, the global situation is focused, and the change of the whole network environment is controllable; the SDN system structure can realize dynamic programming and configuration, and automatically distribute and process service requests, thereby reducing error rate and optimizing service availability and reliability.
The above embodiments are only specific examples of the present invention, and the protection scope of the present invention includes but is not limited to the product forms and styles of the above embodiments, and any suitable changes or modifications made by those skilled in the art according to the claims of the present invention shall fall within the protection scope of the present invention.

Claims (8)

1.一种软件定义网络异常检测架构,其特征在于:包括数据采集模块、软件定义网络SDN、数据传输模块和异常检测模块;所述数据采集模块对流量进行采集;所述SDN将SDN网络中的控制平面与数据转发平面分离,通过控制平面控制整个网络资源并向数据转发平面发送指令完成数据转发,为异常检测模块的检测工作提供可伸缩的、动态的体系结构;所述数据传输模块对流量进行分类,发现异常流量,获取异常检测报告,在不影响客户的情况下更新异常流量;所述异常检测模块对采集到的流量进行特征提取和流量分类。1. A software-defined network anomaly detection architecture, characterized in that: comprising a data acquisition module, a software-defined network SDN, a data transmission module and an anomaly detection module; the data acquisition module collects traffic; The control plane is separated from the data forwarding plane. The control plane controls the entire network resources and sends instructions to the data forwarding plane to complete data forwarding, providing a scalable and dynamic architecture for the detection work of the anomaly detection module. The traffic is classified, abnormal traffic is found, an abnormality detection report is obtained, and abnormal traffic is updated without affecting customers; the abnormality detection module performs feature extraction and traffic classification on the collected traffic. 2.根据权利要求1所述的软件定义网络异常检测架构,其特征在于:所述SDN包括应用层、控制层和基础设施层;所述基础设施层利用网络设备转发交换机中的流量,收集流量状态信息,通过接口反馈给上层控制层;信息到达控制层后,在控制层的控制器将安排和处理状态信息和网络资源,与上层应用层交互,为应用程序和部署各种服务,控制器通过接口实现对网络交换的控制。2. The software-defined network anomaly detection architecture according to claim 1, characterized in that: the SDN comprises an application layer, a control layer and an infrastructure layer; the infrastructure layer utilizes a network device to forward traffic in a switch and collect traffic The status information is fed back to the upper control layer through the interface; after the information reaches the control layer, the controller in the control layer will arrange and process the status information and network resources, interact with the upper application layer, and deploy various services for the application program and the controller. The control of network switching is realized through the interface. 3.根据权利要求2所述的软件定义网络异常检测架构,其特征在于:所述数据转发平面通过OpenFlow协议获取数据采集模块的流量信息,然后将该信息传递给控制层的控制器提取特征,最后将信息传回异常检测模块。3. software-defined network anomaly detection architecture according to claim 2, is characterized in that: described data forwarding plane obtains the flow information of data acquisition module by OpenFlow protocol, then transfers this information to the controller of control layer to extract characteristic, Finally, the information is passed back to the anomaly detection module. 4.根据权利要求1-3任一项所述的软件定义网络异常检测架构,其特征在于:所述异常检测模块的检测模型采用BGRU-CNN模型,所述BGRU-CNN模型包括输入层、BGRU层、CNN层和分类器;所述输入层用于数据信息输入;所述BGRU层通过更新门和复位门控制输入数据,实现流量的时序特征提取;所述CNN层提取信息流的特征;所述分类器用于对CNN获得的特征值信息进行分类。4. the software-defined network abnormality detection architecture according to any one of claims 1-3, is characterized in that: the detection model of described abnormality detection module adopts BGRU-CNN model, and described BGRU-CNN model comprises input layer, BGRU layer, CNN layer and classifier; the input layer is used for data information input; the BGRU layer controls the input data by updating the gate and the reset gate, and realizes the time series feature extraction of the flow; the CNN layer extracts the characteristics of the information flow; The classifier described above is used to classify the eigenvalue information obtained by CNN. 5.根据权利要求4所述的软件定义网络异常检测架构,其特征在于:所述CNN层包括多个卷积层、池化层和全连接层;所述卷积层用于局部感知和权值共享,即提取上层特征与卷积核进行卷积运算,从而得到卷积后的特征;所述池化层用于采样操作;所述全连接层用于将多次卷积后的特征进行整合,然后进行归一化,对各种分类情况都输出一个概率;所述分类器根据全连接层得到的概率进行分类。5. The software-defined network anomaly detection architecture according to claim 4, characterized in that: the CNN layer comprises a plurality of convolutional layers, pooling layers and fully connected layers; the convolutional layers are used for local perception and weighting. Value sharing, that is, extracting upper-layer features and convolution kernels for convolution operation to obtain convolutional features; the pooling layer is used for sampling operations; the fully-connected layer is used to perform multiple convolutions on features. Integrate, then normalize, and output a probability for each classification situation; the classifier classifies according to the probability obtained by the fully connected layer. 6.根据权利要求5所述的软件定义网络异常检测架构,其特征在于:所述CNN层获得特征值信息时,使用Softmax函数对特征值信息进行分类,如式(1)所示:6. The software-defined network anomaly detection architecture according to claim 5, wherein: when the CNN layer obtains the eigenvalue information, the eigenvalue information is classified using a Softmax function, as shown in formula (1):
Figure FDA0002831718590000021
Figure FDA0002831718590000021
 其中,z是上一层的输出,Softmax的输入,维度为C,S为预测对象属于第CCC类的概率,e为数学中自然对数函数的底数。Among them, z is the output of the previous layer, the input of Softmax, the dimension is C, S is the probability that the predicted object belongs to the CCC class, and e is the base of the natural logarithmic function in mathematics. 7.根据权利要求4或5或6所述的软件定义网络异常检测架构,其特征在于:对SDN网络的三个模块进行测试,检测过程如下:7. The software-defined network anomaly detection architecture according to claim 4 or 5 or 6, characterized in that: three modules of the SDN network are tested, and the detection process is as follows: S1:数据预处理;包括对原始数据进行数据转换,然后进行标准化和规范化;S1: Data preprocessing; including data transformation of the original data, followed by normalization and normalization; S2、数据预处理后产生的数据集分为训练集和测试集;S2. The data set generated after data preprocessing is divided into training set and test set; S3、将训练集输入到BGRU-CNN模型和不断优化模型,通过学习训练达到最优状态;S3. Input the training set into the BGRU-CNN model and continuously optimize the model, and achieve the optimal state through learning and training; S4、将测试集输入到BGRU-CNN模型,验证其检测效果。S4. Input the test set to the BGRU-CNN model to verify its detection effect. 8.根据权利要求7所述的软件定义网络异常检测架构,其特征在于:通过准确率A、准确率P、召回率R、F1得分和混淆矩阵值对模型的性能进行验证;前四个指标可用式(2)、式(3)、式(4)、式(5)表示:8. The software-defined network anomaly detection framework according to claim 7, characterized in that: the performance of the model is verified by accuracy rate A, accuracy rate P, recall rate R, F1 score and confusion matrix value; the first four indicators It can be represented by formula (2), formula (3), formula (4) and formula (5):
Figure FDA0002831718590000031
Figure FDA0002831718590000031
Figure FDA0002831718590000032
Figure FDA0002831718590000032
Figure FDA0002831718590000033
Figure FDA0002831718590000033
Figure FDA0002831718590000034
Figure FDA0002831718590000034
 式中:TP,即True Positive表示模型判断正确的攻击包数量;TN,即True Negative表示模型判断正确的正常数据包的数量;FP,即False Positive表示模型判断错误的正常数据包的数量;FN,即False Negative表示模型判断错误的攻击包的数量;F1得分为准确率和召回率的平均值,用于准确评价模型;混淆矩阵将模型分类结果与实际情况进行匹配。In the formula: TP, that is, True Positive means the number of attack packets correctly judged by the model; TN, means True Negative means the number of normal data packets judged correctly by the model; FP, means False Positive means the number of normal data packets judged incorrectly by the model; FN , that is, False Negative indicates the number of attack packets that the model judges wrongly; the F1 score is the average of the accuracy and recall rate, which is used to accurately evaluate the model; the confusion matrix matches the model classification results with the actual situation.
CN202011460949.1A 2020-12-12 2020-12-12 Software defined network anomaly detection architecture Pending CN112417446A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011460949.1A CN112417446A (en) 2020-12-12 2020-12-12 Software defined network anomaly detection architecture

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011460949.1A CN112417446A (en) 2020-12-12 2020-12-12 Software defined network anomaly detection architecture

Publications (1)

Publication Number Publication Date
CN112417446A true CN112417446A (en) 2021-02-26

Family

ID=74775643

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011460949.1A Pending CN112417446A (en) 2020-12-12 2020-12-12 Software defined network anomaly detection architecture

Country Status (1)

Country Link
CN (1) CN112417446A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113240098A (en) * 2021-06-16 2021-08-10 湖北工业大学 Fault prediction method and device based on hybrid gated neural network and storage medium
CN114675999A (en) * 2022-03-25 2022-06-28 苏州浪潮智能科技有限公司 Data recovery method, data recovery device, electronic device, and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107885999A (en) * 2017-11-08 2018-04-06 华中科技大学 A kind of leak detection method and system based on deep learning
CN109376242A (en) * 2018-10-18 2019-02-22 西安工程大学 Text Classification Algorithms Based on Variants of Recurrent Neural Networks and Convolutional Neural Networks
CN109981691A (en) * 2019-04-30 2019-07-05 山东工商学院 A kind of real-time ddos attack detection system and method towards SDN controller
CN110784481A (en) * 2019-11-04 2020-02-11 重庆邮电大学 DDoS detection method and system based on neural network in SDN network

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107885999A (en) * 2017-11-08 2018-04-06 华中科技大学 A kind of leak detection method and system based on deep learning
CN109376242A (en) * 2018-10-18 2019-02-22 西安工程大学 Text Classification Algorithms Based on Variants of Recurrent Neural Networks and Convolutional Neural Networks
CN109981691A (en) * 2019-04-30 2019-07-05 山东工商学院 A kind of real-time ddos attack detection system and method towards SDN controller
CN110784481A (en) * 2019-11-04 2020-02-11 重庆邮电大学 DDoS detection method and system based on neural network in SDN network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
周枫等: ""基于BGRU池的卷积神经网络文本分类模型"", 《计算机科学》 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113240098A (en) * 2021-06-16 2021-08-10 湖北工业大学 Fault prediction method and device based on hybrid gated neural network and storage medium
CN114675999A (en) * 2022-03-25 2022-06-28 苏州浪潮智能科技有限公司 Data recovery method, data recovery device, electronic device, and storage medium

Similar Documents

Publication Publication Date Title
CN107426741B (en) Wireless sensor network fault diagnosis method based on immune mechanism
WO2017143921A1 (en) Multi-sampling model training method and device
CN106845526B (en) A kind of relevant parameter Fault Classification based on the analysis of big data Fusion of Clustering
CN109309630A (en) A network traffic classification method, system and electronic device
CN109639734B (en) Abnormal flow detection method with computing resource adaptivity
CN114615093A (en) Anonymous network traffic identification method and device based on traffic reconstruction and inheritance learning
CN107423190B (en) A kind of log data abnormal direction identification method and device
CN111291817A (en) Image recognition method and device, electronic equipment and computer readable medium
US20220294686A1 (en) Root-cause analysis and automated remediation for Wi-Fi authentication failures
CN111784994B (en) Fire detection method and device
CN111343147B (en) Network attack detection device and method based on deep learning
CN107493277A (en) The online method for detecting abnormality of big data platform based on maximum information coefficient
CN108334758A (en) A kind of detection method, device and the equipment of user's ultra vires act
CN111931179A (en) Cloud malware detection system and method based on deep learning
CN108683564B (en) A Reliability Evaluation Method of Network Simulation System Based on Multidimensional Decision Attributes
CN112417446A (en) Software defined network anomaly detection architecture
CN113408548A (en) Transformer abnormal data detection method and device, computer equipment and storage medium
CN111898577B (en) Image detection method, device, equipment and computer readable storage medium
CN108920953A (en) A kind of malware detection method and system
CN118713991A (en) A fault prediction method and system based on observable data
US20220345356A1 (en) Determining a root-cause of a network access failure and conducting remediation
CN111970151A (en) Flow fault positioning method and system for virtual and container network
CN113093695A (en) Data-driven SDN controller fault diagnosis system
US20230409422A1 (en) Systems and Methods for Anomaly Detection in Multi-Modal Data Streams
CN118113999A (en) Data analysis method, device, equipment and computer readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20210226