基于端口注意力与通道空间注意力的网络异常流量检测  被引量：4

作　　者：肖斌[1] 甘昀 汪敏 张兴鹏 王照星 XIAO Bin;GAN Yun;WANG Min;ZHANG Xingpeng;WANG Zhaoxing(School of Computer Science and Software Engineering,Southwest Petroleum University,Chengdu Sichuan 610500,China;School of Electrical Engineering and Information,Southwest Petroleum University,Chengdu Sichuan 610500,China;PetroChina Chuanqing Drilling Engineering Company Limited,Chengdu Sichuan 610066,China)

机构地区：[1]西南石油大学计算机与软件学院,成都610500 [2]西南石油大学电气信息学院,成都610500 [3]中国石油川庆钻探工程有限公司,成都610066

出　　处：《计算机应用》2024年第4期1027-1034,共8页journal of Computer Applications

基　　金：四川省科技计划项目(2022JDRC0009);西南石油大学自然科学“启航计划”项目(2022QHZ023)。

摘　　要：网络异常流量检测是网络安全保护重要组成部分之一。目前,基于深度学习的异常流量检测方法都是将端口号属性与其他流量属性同等对待,忽略了端口号的重要性。为了提高异常流量检测性能,借鉴注意力思想,提出一个卷积神经网络(CNN)结合端口注意力模块(PAM)和通道空间注意力模块(CBAM)的网络异常流量检测模型。首先,将原始网络流量作为PAM的输入,分离得到端口号属性送入全连接层,得到学习后的端口注意力权重值,并与其他流量属性点乘,输出端口注意力后的流量数据;其次,将流量数据转换成灰度图,利用CNN和CBAM更充分地提取特征图在通道和空间上的信息;最后,使用焦点损失函数解决数据不平衡的问题。所提PAM具有参数量少、即插即用和普遍适用的优点。在CICIDS2017数据集上,所提模型的异常流量检测二分类任务准确率为99.18%,多分类任务准确率为99.07%,对只有少数训练样本的类别也有较高的识别率。Network abnormal traffic detection is an important part of network security protection.At present,abnormal traffic detection methods based on deep learning treat the port number attribute the same as other traffic attributes,ignoring the importance of the port number.Considering the idea of attention,a novel abnormal traffic detection module based on Convolutional Neural Network(CNN)combining Port Attention Module(PAM)and Convolutional Block Attention Module(CBAM)was proposed to improve the performance of abnormal traffic detection.Firstly,the original network traffic was taken as the input of PAM,the port number attribute was separated and sent to the full connected layer,and the learned port attention weight value was obtained,and the traffic data after port attention was output by dot-multiplying with other traffic attributes.Then,the traffic data was converted into a grayscale map,and CNN and CBAM were used to extract the the channel and space information of the feature map more fully.Finally,the focus loss function was used to solve the problem of data imbalance.The proposed PAM has the advantages of few parameters,plug and play,and universal applicability.The accuracy of the proposed model is 99.18%for the binary-class classification task of abnormal traffic detection and 99.07%for the multi-class classification task on the CICIDS2017 dataset,and it also has a high recognition rate for classes with only a few training samples.

关 键 词：异常流量检测 注意力机制 数据不平衡 轻量级网络 通道空间注意力模块 

分 类 号：TP393[自动化与计算机技术—计算机应用技术]