
CN114039794B - Abnormal traffic detection model training method and device based on semi-supervised learning - Google Patents


Publication number
CN114039794B
Authority
CN
China
Prior art keywords
training
training sample
current
sample set
marked
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111412298.3A
Other languages
Chinese (zh)
Other versions
CN114039794A (en)
Inventor
吴斌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alipay Hangzhou Information Technology Co Ltd
Original Assignee
Alipay Hangzhou Information Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G06F18/2155 Generating training patterns; Bootstrap methods, e.g. bagging or boosting characterised by the incorporation of unlabelled data, e.g. multiple instance learning [MIL], semi-supervised techniques using expectation-maximisation [EM] or naïve labelling

Landscapes

  • Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Artificial Intelligence (AREA)
  • Evolutionary Biology (AREA)
  • Evolutionary Computation (AREA)
  • Physics & Mathematics (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Traffic Control Systems (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The embodiments of the present specification provide a method and device for training an abnormal traffic detection model based on semi-supervised learning. In the method, a training sample set of the abnormal traffic detection model is obtained, the training sample set including a labeled training sample set and an unlabeled training sample set. The current abnormal traffic detection model is trained by semi-supervised learning using the current training sample set until a training end condition is met. The training end condition includes: the change rate of the abnormal prediction rate for the current unlabeled training sample set in the current model training process, relative to the abnormal prediction rate for the current unlabeled training sample set in the previous model training process, is not greater than a predetermined threshold. With this method, model training can be achieved while protecting data privacy.

Description

Abnormal traffic detection model training method and device based on semi-supervised learning
Technical Field
The embodiments of this specification relate to the field of the Internet, and in particular to an abnormal traffic detection model training method and device based on semi-supervised learning.
Background
With the rapid development of network technology, it has become integrated into many aspects of people's lives, such as network driving, network ticket purchasing, etc. But while the network brings convenience to people, it also brings risks, such as the risk of disclosure of users' private information.
Currently, hackers continuously adjust their attack methods against an operator's server in order to bypass security facilities such as firewalls and intrude into the access server. However, because attack risk types are diverse, the operator's security protection policy generally cannot cover every case and cannot prevent diversified abnormal traffic.
In view of the above problems, there is currently no preferred solution in the industry.
Disclosure of Invention
In view of the above problems, the embodiments of this specification provide a method and apparatus for training an abnormal traffic detection model based on semi-supervised learning. With the method and apparatus, the abnormal traffic detection model is trained by semi-supervised learning, the labeled training sample set is enriched as model training proceeds, and whether to end training is decided from the change rate of the abnormal prediction rate. The performance of the abnormal traffic detection model can thus be guaranteed while using as few labeled training samples as possible, so that abnormal traffic can be detected effectively and data privacy is protected.
According to one aspect of the embodiments of this specification, a method for training an abnormal traffic detection model based on semi-supervised learning is provided. The method comprises: obtaining a training sample set of the abnormal traffic detection model, wherein the training sample set comprises a labeled training sample set and an unlabeled training sample set, each training sample in the labeled training sample set has access traffic feature data and label data, and each training sample in the unlabeled training sample set has access traffic feature data; and performing semi-supervised learning training on the current abnormal traffic detection model based on the current training sample set until a training end condition is met, wherein, when the training end condition is not met, at least one training sample to be labeled in the current unlabeled training sample set is labeled and added to the current labeled training sample set for the next model training process. The training end condition comprises: the change rate of the abnormal prediction rate for the current unlabeled training sample set in the current model training process, relative to the abnormal prediction rate for the current unlabeled training sample set in the previous model training process, is not greater than a predetermined threshold.
Optionally, in one example of the above aspect, the method may further include: when the training end condition is not met, clustering the training samples in the training sample set, and determining the at least one training sample to be labeled from the current unlabeled training sample set according to the clustering result.
Optionally, in one example of the above aspect, determining the at least one training sample to be labeled from the current unlabeled training sample set according to the clustering result may include: determining, as the at least one training sample to be labeled, the training samples in the current unlabeled training sample set whose clustering result is an outlier.
Optionally, in one example of the above aspect, determining the at least one training sample to be labeled from the current unlabeled training sample set according to the clustering result may include: selecting at least one target cluster from the clusters in the clustering result, and determining the unlabeled training samples in the at least one target cluster as the at least one training sample to be labeled.
Optionally, in one example of the above aspect, selecting at least one target cluster from the clusters in the clustering result includes: determining, for each cluster in the clustering result, the labeled-sample ratio of the labeled training samples in that cluster to the total labeled training samples, and determining the at least one target cluster according to the labeled-sample ratio of each cluster.
Optionally, in one example of the above aspect, when the training end condition is not met, the training samples in the current unlabeled training sample set that fall within a predetermined classification probability interval are determined as the at least one training sample to be labeled.
Optionally, in one example of the above aspect, when the training end condition is not met, active learning is used to label at least one training sample in the current unlabeled training sample set, which is then added to the current labeled training sample set for the next model training process.
According to another aspect of the embodiments of this specification, an apparatus for training an abnormal traffic detection model based on semi-supervised learning is provided. The apparatus comprises a training sample set acquisition unit and a model training unit. The training sample set acquisition unit acquires a training sample set of the abnormal traffic detection model, wherein the training sample set comprises a labeled training sample set and an unlabeled training sample set, each training sample in the labeled training sample set has access traffic feature data and label data, and each training sample in the unlabeled training sample set has access traffic feature data. The model training unit performs semi-supervised learning training on the current abnormal traffic detection model based on the current training sample set until a training end condition is met, wherein, when the training end condition is not met, at least one training sample to be labeled in the current unlabeled training sample set is labeled and added to the current labeled training sample set for the next model training process. The training end condition comprises: the change rate of the abnormal prediction rate for the current unlabeled training sample set in the current model training process, relative to the abnormal prediction rate for the current unlabeled training sample set in the previous model training process, is not greater than a predetermined threshold.
Optionally, in one example of the above aspect, the model training unit may include: a model prediction module, which provides the current training sample set to the current abnormal traffic detection model for abnormal prediction, to determine a current abnormal prediction rate for each current unlabeled training sample in the current unlabeled training sample set; a change rate determination module, which determines the change rate of the current abnormal prediction rate of each current unlabeled training sample relative to the previous abnormal prediction rate of that sample in the previous model training process; and a sample labeling module, which, when the determined change rate is greater than a predetermined threshold, labels at least one training sample to be labeled in the current unlabeled training sample set and adds it to the current labeled training sample set for the next model training process. The model prediction module, the change rate determination module, and the sample labeling module operate in a loop until the training end condition is satisfied.
Alternatively, in one example of the above aspect, the sample marking module may include a sample to be marked determination submodule that determines at least one training sample to be marked from the current unlabeled training sample set, and a sample marking submodule that marks the determined at least one training sample to be marked to join the current labeled training sample set.
Optionally, in one example of the above aspect, the to-be-marked sample determination submodule clusters training samples in the training sample set, and determines the at least one to-be-marked training sample from the current unmarked training sample set according to the clustering result.
Optionally, in one example of the above aspect, the to-be-marked sample determination submodule determines, as the at least one to-be-marked training sample, the training samples in the current unlabeled training sample set whose clustering result is an outlier.
Optionally, in one example of the above aspect, the to-be-marked sample determination submodule selects at least one target cluster from each cluster in the cluster result, and determines a non-marked training sample in the at least one target cluster as the at least one to-be-marked training sample.
Optionally, in one example of the above aspect, the to-be-marked sample determining submodule determines, for each cluster in the cluster results, a marked sample ratio of marked training samples in the cluster in the total marked training samples, and determines the at least one target cluster according to the marked sample ratio of each cluster.
Optionally, in one example of the above aspect, the to-be-marked sample determination submodule may determine a training sample in the current unlabeled sample set that is within a predetermined classification probability interval as the at least one to-be-marked training sample.
According to another aspect of embodiments of the present specification, there is also provided an electronic device comprising at least one processor, and a memory storing instructions that, when executed by the at least one processor, cause the at least one processor to perform the abnormal traffic detection model training method based on semi-supervised learning as described above.
According to another aspect of embodiments of the present specification, there is also provided a machine-readable storage medium storing executable instructions that, when executed, cause the machine to perform the abnormal traffic detection model training method based on semi-supervised learning as described above.
Drawings
A further understanding of the nature and advantages of the embodiments herein may be realized by reference to the following drawings. In the drawings, similar components or features may have the same reference numerals. The accompanying drawings are included to provide a further understanding of embodiments of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain, without limitation, the embodiments of the invention. In the drawings:
FIG. 1 illustrates a flowchart of an example of a semi-supervised learning based abnormal flow detection model training method, according to an embodiment of the present disclosure;
FIG. 2 shows a flowchart of an example of a process of labeling training samples to be labeled when the training end condition is not met according to an embodiment of the present disclosure;
FIG. 3 illustrates a flowchart of one example of a process of determining training samples to be marked from a current set of unmarked training samples, according to an embodiment of the present disclosure;
FIG. 4 illustrates a flowchart of one example of determining training samples to be labeled based on clustering results according to an embodiment of the present disclosure;
FIG. 5 illustrates a flow chart of an example of selecting at least one target cluster from among the individual clusters in the cluster result, according to an embodiment of the disclosure;
FIG. 6 shows a block diagram of an example of an abnormal flow detection model training apparatus based on semi-supervised learning, according to an embodiment of the present disclosure;
FIG. 7 shows a block diagram of an example of a model training unit according to an embodiment of the present disclosure;
FIG. 8 illustrates a block diagram of an example of a sample marking module according to an embodiment of the present disclosure;
FIG. 9 shows a hardware architecture diagram of an example of an electronic device for training an abnormal traffic detection model based on semi-supervised learning, according to an embodiment of the present disclosure; and
FIG. 10 shows an architectural diagram of an example of an abnormal traffic detection apparatus based on an abnormal traffic detection model, to which the embodiments of the present specification are applicable.
Detailed Description
The subject matter described herein will be discussed below with reference to example embodiments. It should be appreciated that these embodiments are discussed only to enable a person skilled in the art to better understand and thereby practice the subject matter described herein, and are not limiting of the scope, applicability, or examples set forth in the claims. Changes may be made in the function and arrangement of elements discussed without departing from the scope of the embodiments herein. Various examples may omit, replace, or add various procedures or components as desired. In addition, features described with respect to some examples may be combined in other examples as well.
As used herein, the term "comprising" and variations thereof are open-ended terms meaning "including, but not limited to". The term "based on" means "based at least in part on". The terms "one embodiment" and "an embodiment" mean "at least one embodiment". The term "another embodiment" means "at least one other embodiment". The terms "first," "second," and the like may refer to different or the same objects. Other definitions, whether explicit or implicit, may be included below. Unless the context clearly indicates otherwise, the definition of a term is consistent throughout this specification.
The term "active learning" means that an algorithm actively proposes which samples need to be labeled; after those samples are labeled manually, they are added to the training sample set for training. The term "clustering" refers to an analysis process that groups a collection of physical or abstract objects into multiple classes of similar objects; it can be used to measure the similarity between different data in a data source and to classify the data source into different clusters.
Furthermore, the term "abnormal traffic" may represent abnormal access requests to the server, such as malicious attack requests or blackout access requests.
FIG. 1 illustrates a flowchart of an example of a semi-supervised learning based abnormal flow detection model training method, according to an embodiment of the present disclosure.
As shown in flow 100 of FIG. 1, at block 110, a training sample set of an abnormal traffic detection model is obtained, the training sample set including a labeled training sample set and an unlabeled training sample set. Specifically, each labeled training sample has access traffic feature data and label data, and each unlabeled training sample in the training sample set has access traffic feature data but no corresponding label data. Here, the access traffic feature data may be feature data of information such as the URL, the HTTP request, and user attributes, for example, URL length, URL content information, URL information entropy, HTTP request header, HTTP request body information, and the like.
Furthermore, the label data for the training samples in the labeled training sample set comprises a positive label, indicating that there is a risk of abnormal traffic, and a negative label, indicating that there is no risk of abnormal traffic. That is, the labeled training sample set comprises positive label training samples and negative label training samples. In some embodiments, when the positive and negative label training samples differ significantly in number, a sample balancing approach may be employed to balance the number of positive and negative label samples. Illustratively, when the number ratio of positive label training samples to negative label training samples in the labeled training sample set is lower than a set proportion threshold, upsampling is performed on the positive label training samples to expand their number.
Next, semi-supervised learning training may be performed on the current abnormal traffic detection model based on the current training sample set, i.e., the operations of blocks 120 through 150 are performed in a loop until a training end condition is satisfied. The training end condition includes: the change rate of the abnormal prediction rate for the current unlabeled training sample set in the current model training process, relative to the abnormal prediction rate for the current unlabeled training sample set in the previous model training process, is not greater than a predetermined threshold. Here, the training sample sets used in different rounds of model training are different, so the trained abnormal traffic detection models are different. Consequently, for each unlabeled training sample in the current unlabeled training sample set, the abnormal prediction rates given by the current abnormal traffic detection model and by the previous abnormal traffic detection model may also differ.
Specifically, in block 120, the current set of training samples is provided to a current abnormal traffic detection model for abnormal prediction to determine a current abnormal prediction rate for each current unlabeled training sample in the current unlabeled training sample set. Here, the current anomaly prediction rate may be an anomaly prediction rate obtained by performing anomaly prediction for each unlabeled training sample in the current unlabeled training sample set using the current anomaly traffic detection model.
Next, in block 130, the change rate of the current abnormal prediction rate of each current unlabeled training sample, relative to the previous abnormal prediction rate of that sample in the previous model training process, is determined. Here, as model training continues, the unlabeled training sample sets used in different model training processes differ. For example, if there are 80 unlabeled training samples in the current unlabeled training sample set and there may have been 100 unlabeled training samples in the previous unlabeled training sample set, the current abnormal traffic detection model and the previous abnormal traffic detection model may each be used to determine an abnormal prediction rate for each of the 80 unlabeled training samples in the current unlabeled training sample set. The difference between the two abnormal prediction rates is then calculated for each sample, and the change rate is calculated from these differences over the current unlabeled training sample set (i.e., the 80 unlabeled training samples); for example, the average of the differences may be taken as the change rate.
Next, in block 140, a determination is made as to whether the determined rate of change is greater than a predetermined threshold. Here, the predetermined threshold value may be predetermined through experience or a plurality of experiments. If the rate of change is greater than the predetermined threshold in block 140, the operations of block 150 are performed. In addition, when the iterative training operation of the first round is performed, there is no rate of change of the abnormal prediction rate, at which time the subsequent operation such as block 150 may be performed directly.
At block 150, at least one training sample to be labeled in the current unlabeled training sample set may be labeled and added to the current labeled training sample set to obtain an adjusted training sample set. The flow then returns to block 120, and the next model training process is performed with the adjusted training sample set as the current training sample set.
If the rate of change is not greater than the predetermined threshold in block 140, the training is ended.
As described above, the labeled training sample set used in the next round of model training may be richer than the labeled training sample set used in the previous round. Thus, if a richer labeled training sample set is used in the current round of model training but the prediction results show no significant change or improvement relative to the previous model training process (i.e., the change rate of the abnormal prediction rate for the current unlabeled training sample set is low), it may be determined that the model has substantially converged. Conversely, if the newly added labeled training samples cause larger fluctuations in the prediction results between two consecutive rounds of model training, the model may need further optimization; for example, more new labeled training samples may need to be added.
FIG. 2 shows a flowchart of an example of a process of labeling training samples to be labeled when the training end condition is not met according to an embodiment of the present disclosure.
As shown in flow 200 of fig. 2, at block 210, at least one training sample to be marked is determined from a current unmarked training sample set. For example, the training samples to be marked may be determined from the current unmarked training sample set in a random manner or in a specific manner.
Next, in block 220, the determined at least one training sample to be labeled is labeled and added to the current labeled training sample set. Accordingly, the at least one newly labeled training sample is removed from the current unlabeled training sample set, yielding a new current unlabeled training sample set and a new current labeled training sample set.
In one example of an embodiment of the present specification, when the training end condition is not met, at least one training sample in the current unlabeled training sample set may be labeled by active learning and added to the current labeled training sample set for the next model training process. For example, at least one training sample to be labeled in the current unlabeled training sample set may be determined based on various sample selection algorithms (e.g., clustering algorithms or other selection algorithms) and provided to an expert or developer, who assigns the corresponding labels; the labeled training sample set and the unlabeled training sample set are then updated. Therefore, in each round of model training, unlabeled training samples are screened and labeled by active learning to enrich the labeled training sample set until the model converges, so that the abnormal traffic detection model can be ensured to have higher performance.
FIG. 3 illustrates a flowchart of an example of a process of determining training samples to be marked from a current unmarked training sample set when the training end condition is not met, according to embodiments of the present description.
As in flow 300 of fig. 3, training samples in a training sample set are clustered in block 310. For example, various types of clustering algorithms such as K-means algorithm, density clustering algorithm, and the like may be employed for clustering.
Next, in block 320, at least one training sample to be marked is determined from the current unmarked training sample set according to the clustering result. Here, the clustering result may be a cluster and/or an outlier determined by a clustering algorithm.
In one example of an embodiment of the present specification, the training samples in the current unlabeled training sample set whose clustering result is an outlier may be determined as the at least one training sample to be labeled. Here, the training samples corresponding to outliers differ significantly from the groups of training samples in the clusters, and samples of previously ignored or unknown abnormal traffic types are more easily found among the current unlabeled training samples corresponding to outliers. Furthermore, by labeling the current unlabeled training samples corresponding to the outliers, the ability of the abnormal traffic detection model to recognize more samples of previously ignored or unknown abnormal types can be improved, and the performance of the model can be improved.
FIG. 4 illustrates a flowchart of an example of determining training samples to be labeled based on clustering results according to an embodiment of the present disclosure.
As in flow 400 of fig. 4, at block 410, at least one target cluster is selected from among the clusters in the cluster result. For example, clusters that are large enough (e.g., exceed a threshold) may be selected as target clusters based on the size of the clusters. It will be appreciated that the target clusters may also be selected in other ways, more details of which will be discussed below.
Next, in block 420, unlabeled training samples in the at least one target cluster are determined as at least one training sample to be labeled. Therefore, the training samples to be marked, which are determined based on the target clusters, have commonalities, so that research personnel or experts can label the corresponding marking data on the training samples more easily, and the burden of manual marking work can be effectively reduced.
FIG. 5 illustrates a flow chart of an example of selecting at least one target cluster from among the individual clusters in the clustered results, according to an embodiment of the present disclosure.
As shown in flow 500 of FIG. 5, at block 510, for each cluster in the clustering result, the marked-sample proportion of the cluster is determined, that is, the share of the total marked training samples that fall in that cluster. Here, the number of marked training samples contained in each cluster may differ, e.g., 100 marked samples in a first cluster and 2 marked samples in a second cluster (i.e., a cluster whose marked-sample proportion is too low), so that the marked samples are unevenly distributed across the clusters.
Next, at block 520, at least one target cluster is determined based on the marked-sample proportion of each cluster. For example, clusters whose marked-sample proportion is below a set proportion threshold may be determined as target clusters. Selecting clusters with a low proportion of marked samples as target clusters helps balance the number of marked training samples across clusters and improves the generalization capability of the model.
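The two cluster-based selection rules described above (unlabeled outliers, and unlabeled members of clusters holding a low share of all marked samples) can be sketched as follows. This is an added example, not code from the patent: the clustering algorithm (a minimal DBSCAN), the feature values, the thresholds and all function names are assumptions chosen for illustration.

```python
import math

NOISE = -1  # cluster id for outliers (DBSCAN convention; the algorithm choice is an assumption)

def dbscan(points, eps, min_pts):
    """Minimal DBSCAN: one cluster id per point, NOISE for outliers."""
    n = len(points)
    neighbors = [[j for j in range(n) if math.dist(points[i], points[j]) <= eps]
                 for i in range(n)]
    labels = [None] * n
    cluster = 0
    for i in range(n):
        if labels[i] is not None:
            continue
        if len(neighbors[i]) < min_pts:      # not a core point: provisionally an outlier
            labels[i] = NOISE
            continue
        labels[i] = cluster
        queue = list(neighbors[i])
        while queue:
            j = queue.pop()
            if labels[j] == NOISE:           # border point reached from a core point
                labels[j] = cluster
            if labels[j] is not None:
                continue
            labels[j] = cluster
            if len(neighbors[j]) >= min_pts:  # only core points extend the cluster
                queue.extend(neighbors[j])
        cluster += 1
    return labels

def pick_samples_to_label(cluster_ids, is_labeled, share_threshold):
    """Return (outlier indices, low-share-cluster indices, share per cluster).

    share[c] = marked samples in cluster c / total marked samples, as in flow 500.
    Only samples that are still unlabeled are returned for labeling.
    """
    total_labeled = sum(is_labeled)
    labeled_in = {}
    for cid, lab in zip(cluster_ids, is_labeled):
        if cid != NOISE:
            labeled_in[cid] = labeled_in.get(cid, 0) + int(lab)
    share = {cid: (cnt / total_labeled if total_labeled else 0.0)
             for cid, cnt in labeled_in.items()}
    targets = {cid for cid, s in share.items() if s < share_threshold}
    outliers = [i for i, cid in enumerate(cluster_ids)
                if cid == NOISE and not is_labeled[i]]
    low_share = [i for i, cid in enumerate(cluster_ids)
                 if cid in targets and not is_labeled[i]]
    return outliers, low_share, share

# Constructed sample data: two scaled access-traffic features per request source.
FEATURES = [
    (1.0, 1.0), (1.1, 0.9), (0.9, 1.1), (1.2, 1.0), (1.0, 1.2), (0.8, 0.9),  # dense group A
    (5.0, 5.0), (5.1, 4.9), (4.9, 5.2), (5.2, 5.1), (5.0, 4.8),              # dense group B
    (9.0, 0.5), (0.2, 8.0),                                                  # isolated points
]
# Constructed labeling state: four marked samples in group A, one in group B.
IS_LABELED = [True, True, True, True, False, False,
              True, False, False, False, False,
              False, False]

def run_demo():
    cluster_ids = dbscan(FEATURES, eps=0.6, min_pts=3)
    return pick_samples_to_label(cluster_ids, IS_LABELED, share_threshold=0.3)

if __name__ == "__main__":
    outliers, low_share, share = run_demo()
    print("marked-sample share per cluster:", share)
    print("outliers to label:", outliers)
    print("unlabeled samples in low-share clusters:", low_share)
```

With the constructed data, group B holds only one of the five marked samples, so its unlabeled members are queued for labeling alongside the two isolated points.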
It should be noted that, in the embodiment of the present disclosure, in addition to determining the training samples to be marked by clustering as in fig. 3-5, other manners may be used to determine the training samples to be marked.
In one example of the embodiment of the present specification, when the training end condition is not satisfied, training samples in the current unlabeled training sample set that lie within a predetermined classification probability interval are determined as the at least one training sample to be labeled. Here, the predetermined classification probability interval may be used to distinguish abnormal traffic samples from normal traffic samples according to the abnormality rate of a sample. For example, when the predicted abnormality rate of a sample takes a value from 0 to 1, the predetermined classification probability interval may be 0.45 to 0.55, around 0.5. Selecting at least one unlabeled training sample within the predetermined classification probability interval for labeling enriches the labeled training samples and improves the ability of the abnormal traffic detection model to distinguish normal data samples from abnormal data samples.
FIG. 6 shows a block diagram of an example of an abnormal traffic detection model training apparatus based on semi-supervised learning according to an embodiment of the present specification.
As shown in FIG. 6, the model training apparatus 600 includes a training sample set acquisition unit 610 and a model training unit 620.
The training sample set acquisition unit 610 is configured to obtain a training sample set of the abnormal traffic detection model, where the training sample set includes a labeled training sample set and an unlabeled training sample set, each training sample in the labeled training sample set has access traffic characteristic data and label data, and each training sample in the unlabeled training sample set has access traffic characteristic data. The operation of the training sample set acquisition unit 610 may refer to the operation described above with reference to block 110 in FIG. 1.
The model training unit 620 is configured to perform semi-supervised learning training on the current abnormal traffic detection model based on the current training sample set until a training end condition is met. When the training end condition is not met, at least one training sample to be marked in the current unmarked training sample set is marked and added to the current marked training sample set for the next model training process. The training end condition includes that the rate of change of the abnormal prediction rate for the current unmarked training sample set in the current model training process, relative to the abnormal prediction rate for the current unmarked training sample set in the previous model training process, is not greater than a predetermined threshold. The operation of the model training unit 620 may refer to the operations described above with reference to blocks 120-150 in FIG. 1.
Fig. 7 shows a block diagram of a model training unit according to an embodiment of the present specification.
As shown in fig. 7, the model training unit 620 includes a model prediction module 710, a rate of change determination module 720, and a sample marking module 730.
Model prediction module 710 is configured to provide the current set of training samples to the current abnormal traffic detection model for abnormal prediction to determine a current abnormal prediction rate for each current unlabeled training sample in the current unlabeled training sample set. The operation of the model prediction module 710 may refer to the operation described above with reference to block 120 in fig. 1.
The rate of change determination module 720 is configured to determine a rate of change of a current anomaly prediction rate for the respective current unlabeled training samples relative to a previous anomaly prediction rate for the respective current unlabeled training samples during a previous model training process. The operation of the rate of change determination module 720 may refer to the operation described above with reference to block 130 in fig. 1.
The sample marking module 730 is configured to, when the determined rate of change is greater than the predetermined threshold, mark at least one training sample to be marked in the current unmarked training sample set and add it to the current marked training sample set for the next model training process. The model prediction module 710, the rate of change determination module 720, and the sample marking module 730 operate in a loop until the training end condition is met. The operation of the sample marking module 730 may refer to the operations described above with reference to blocks 140 and 150 of FIG. 1.
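The predict, compare and mark loop formed by modules 710, 720 and 730 can be sketched as follows, using the 0.45 to 0.55 classification probability interval to choose the samples to mark. This is an added example, not code from the patent, and it rests on several assumptions: a two-centroid scorer stands in for the detection model, the rate of change is taken as the mean absolute change of the per-sample abnormal prediction rates, and the feature values, the 0.05 threshold, the SHARPNESS constant and the analyst oracle are constructed for illustration.

```python
import math

SHARPNESS = 6.0  # assumed scaling of the stand-in scorer's logit

def fit_centroids(samples, labels):
    """Stand-in detector (assumption): one centroid per class from the marked samples."""
    cents = []
    for cls in (0, 1):  # 0 = normal traffic, 1 = abnormal traffic
        pts = [samples[i] for i, y in labels.items() if y == cls]
        cents.append(tuple(sum(c) / len(pts) for c in zip(*pts)))
    return cents

def anomaly_probability(x, cents):
    """Abnormal prediction rate in [0, 1]: 0.5 midway between the two centroids."""
    c0, c1 = cents
    d0 = sum((a - b) ** 2 for a, b in zip(x, c0))
    d1 = sum((a - b) ** 2 for a, b in zip(x, c1))
    gap = sum((a - b) ** 2 for a, b in zip(c0, c1))
    return 1.0 / (1.0 + math.exp(-SHARPNESS * (d0 - d1) / gap))

def train(samples, initial_labels, oracle, threshold=0.05,
          interval=(0.45, 0.55), max_rounds=20):
    """Loop until the change in abnormal prediction rates is <= threshold.

    Returns (centroids, labels, history); history rows are
    (round, rate of change or None, indices marked in that round).
    """
    labels = dict(initial_labels)
    previous, history, cents = None, [], None
    for rnd in range(1, max_rounds + 1):
        cents = fit_centroids(samples, labels)
        # Block 120: predict every sample that is still unmarked.
        current = {i: anomaly_probability(x, cents)
                   for i, x in enumerate(samples) if i not in labels}
        if not current:              # nothing left to predict or mark
            break
        # Block 130: change relative to the previous round, over the same samples.
        change = None
        if previous is not None:
            change = sum(abs(p - previous[i]) for i, p in current.items()) / len(current)
        if change is not None and change <= threshold:
            history.append((rnd, change, []))
            break                    # training end condition met
        # Blocks 140/150: mark the samples the model is least sure about.
        # If none fall in the interval, the marked set is unchanged and the
        # next round sees a change of 0, which ends the loop.
        picked = [i for i, p in current.items() if interval[0] <= p <= interval[1]]
        for i in picked:
            labels[i] = oracle(i)
        history.append((rnd, change, picked))
        previous = current
    return cents, labels, history

# Constructed sample data: two scaled access-traffic features per sample.
SAMPLES = [
    (1.0, 1.0), (2.0, 2.0), (6.0, 6.0), (7.0, 7.0),      # 0-3: initially marked
    (1.0, 2.0), (2.0, 1.0), (1.5, 1.5), (2.0, 1.5),      # 4-7: unmarked, near normal
    (6.0, 7.0), (7.0, 6.0), (6.5, 6.5), (7.0, 6.5),      # 8-11: unmarked, near abnormal
    (4.0, 4.1), (4.1, 3.9), (3.6, 3.8), (4.6, 4.2),      # 12-15: unmarked, in between
]
INITIAL_LABELS = {0: 0, 1: 0, 2: 1, 3: 1}
TRUTH = {12: 1, 13: 0, 14: 0, 15: 1}  # constructed answers the analyst would give

if __name__ == "__main__":
    _, final_labels, rounds = train(SAMPLES, INITIAL_LABELS, lambda i: TRUTH[i])
    for row in rounds:
        print(row)
```

On the constructed data the first round has no previous predictions to compare against, so the two samples scored near 0.5 are marked; in the second round the mean change is about 0.017, below the 0.05 threshold, and training ends.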
Fig. 8 shows a block diagram of an example of a sample marking module according to an embodiment of the present disclosure.
As shown in fig. 8, the sample marking module 730 includes a sample determination sub-module 731 to be marked and a sample marking sub-module 732.
The to-be-marked sample determination sub-module 731 is configured to determine at least one to-be-marked training sample from the current set of unmarked training samples. The operation of the to-be-marked sample determination sub-module 731 may refer to the operation of block 210 described above with reference to FIG. 2.
The sample marking sub-module 732 is configured to mark the determined at least one training sample to be marked and add it to the current marked training sample set. The operation of the sample marking sub-module 732 may refer to the operation of block 220 described above with reference to FIG. 2.
In one example of an embodiment of the present specification, the to-be-marked sample determination sub-module 731 clusters training samples in the training sample set and determines the at least one to-be-marked training sample from the current non-marked training sample set according to the clustering result. For more details on the example of an embodiment of the present description, reference may be made to the operation of the flow 300 described above with reference to fig. 3.
Further, in one example, the to-be-marked sample determination sub-module 731 may determine training samples in the current unlabeled training sample set whose clustering result is an outlier as the at least one to-be-marked training sample.
In another example, the to-be-marked sample determination sub-module 731 may select at least one target cluster from among the clusters in the clustering result, and determine the unlabeled training samples in the at least one target cluster as the at least one to-be-marked training sample. For more details on this embodiment, reference may be made to the operations of flow 400 described above with reference to fig. 4.
Alternatively, the to-be-marked sample determination sub-module 731 may determine, for each cluster in the clustering result, the marked-sample proportion of the cluster, that is, the share of the total marked training samples that fall in that cluster, and determine the at least one target cluster according to the marked-sample proportion of each cluster. For more details, reference may be made to the operation of the flow 500 described above with reference to FIG. 5.
Optionally, in one example, the to-be-marked sample determination sub-module 731 may further determine the training samples in the current unlabeled training sample set that lie within the predetermined classification probability interval as the at least one to-be-marked training sample.
Embodiments of a method and apparatus for training an abnormal traffic detection model based on semi-supervised learning according to embodiments of the present specification are described above with reference to FIG. 1 through FIG. 8. The details mentioned in the above description of the method embodiments apply equally to the apparatus embodiments of the present specification. The abnormal traffic detection model training method based on semi-supervised learning may be implemented in hardware, in software, or in a combination of hardware and software.
FIG. 9 shows a hardware configuration diagram of an example of an electronic device 900 for training an abnormal traffic detection model based on semi-supervised learning according to an embodiment of the present disclosure. As shown in FIG. 9, the electronic device 900 may include at least one processor 910, memory (e.g., non-volatile memory) 920, memory 930, and a communication interface 940, with the at least one processor 910, memory 920, memory 930, and communication interface 940 being connected together via a bus 960. The at least one processor 910 executes at least one computer-readable instruction (i.e., the elements described above as being implemented in software) stored or encoded in memory.
In one embodiment, computer-executable instructions are stored in the memory that, when executed, cause the at least one processor 910 to: obtain a training sample set of an abnormal traffic detection model, the training sample set comprising a marked training sample set and an unmarked training sample set, each training sample in the marked training sample set having access traffic characteristic data and marking data, and each training sample in the unmarked training sample set having access traffic characteristic data; and perform semi-supervised learning training on the current abnormal traffic detection model based on the current training sample set until a training end condition is met, wherein, when the training end condition is not met, at least one training sample to be marked in the current unmarked training sample set is marked and added to the current marked training sample set for the next model training process, and the training end condition comprises that the rate of change of the abnormal prediction rate for the current unmarked training sample set in the current model training process, relative to the abnormal prediction rate for the current unmarked training sample set in the previous model training process, is not greater than a predetermined threshold.
It should be appreciated that the computer-executable instructions stored in memory 920, when executed, cause at least one processor 910 to perform the various operations and functions described above in connection with fig. 1-8 in various embodiments of the present description.
In this description, electronic device 900 may include, but is not limited to, personal computers, server computers, workstations, desktop computers, laptop computers, notebook computers, mobile electronic devices, smart phones, tablet computers, cellular phones, personal Digital Assistants (PDAs), handsets, messaging devices, wearable electronic devices, consumer electronic devices, and the like.
According to one embodiment, a program product, such as a machine-readable medium, is provided. The machine-readable medium may have instructions (i.e., elements described above implemented in software) that, when executed by a machine, cause the machine to perform the various operations and functions described above in connection with fig. 1-8 in various embodiments of the specification. In particular, a system or apparatus provided with a readable storage medium having stored thereon software program code implementing the functions of any of the above embodiments may be provided, and a computer or processor of the system or apparatus may be caused to read out and execute instructions stored in the readable storage medium.
In this case, the program code itself read from the readable medium may implement the functions of any of the above-described embodiments, and thus the machine-readable code and the readable storage medium storing the machine-readable code form part of the present invention.
Examples of readable storage media include floppy disks, hard disks, magneto-optical disks, optical disks (e.g., CD-ROMs, CD-R, CD-RWs, DVD-ROMs, DVD-RAMs, DVD-RWs), magnetic tapes, nonvolatile memory cards, and ROMs. Alternatively, the program code may be downloaded from a server computer or cloud by a communications network.
FIG. 10 shows an architectural diagram of an example of an abnormal traffic detection apparatus, based on an abnormal traffic detection model, to which the embodiments of the present specification may be applied.
As shown in FIG. 10, in this architecture 1000, at least one client may send an access request to a server 1020 over a network 1010 to request access to data in the server. Here, the client may be a terminal device such as a desktop 1032, a notebook 1034, or a mobile phone 1036. In addition, the server 1020 provides services through private data sets. In one example of the present description, the private data set is stored on the server 1020, and in another example of the present description, the server 1020 may make a remote call to the private data set. In some application scenarios, an attacker may use a client and multiple attack techniques to steal private information through the server 1020, which poses a great challenge to the security of data privacy.
In embodiments of the present description, the abnormal traffic detection apparatus 1040 may identify whether the access request belongs to abnormal traffic by locally or remotely invoking the abnormal traffic detection model, and may perform a corresponding security policy operation (e.g., not responding, or raising an alert) on the abnormal traffic. Here, the abnormal traffic detection model is a model trained using the method described in FIG. 1.
It will be appreciated by those skilled in the art that various changes and modifications may be made to the embodiments of the invention above without departing from the spirit thereof. Accordingly, the scope of the invention should be limited only by the attached claims.
It should be noted that not all the steps and units in the above flowcharts and the system configuration diagrams are necessary, and some steps or units may be omitted according to actual needs. The order of execution of the steps is not fixed and may be determined as desired. The apparatus structures described in the above embodiments may be physical structures or logical structures, that is, some units may be implemented by the same physical entity, or some units may be implemented by multiple physical entities, or may be implemented jointly by some components in multiple independent devices.
In the above embodiments, the hardware units or modules may be implemented mechanically or electrically. For example, a hardware unit, module or processor may include permanently dedicated circuitry or logic (e.g., a dedicated processor, FPGA or ASIC) to perform the corresponding operations. The hardware unit or processor may also include programmable logic or circuitry (e.g., a general purpose processor or other programmable processor) that may be temporarily configured by software to perform the corresponding operations. The particular implementation (mechanical, or dedicated permanent, or temporarily set) may be determined based on cost and time considerations.
The detailed description set forth above in connection with the appended drawings describes exemplary embodiments, but does not represent all embodiments that may be implemented or fall within the scope of the claims. The term "exemplary" used throughout this specification means "serving as an example, instance, or illustration," and does not mean "preferred" or "advantageous over other embodiments." The detailed description includes specific details for the purpose of providing an understanding of the described technology. However, the techniques may be practiced without these specific details. In some instances, well-known structures and devices are shown in block diagram form in order to avoid obscuring the concepts of the described embodiments.
The previous description of the disclosure is provided to enable any person skilled in the art to make or use the disclosure. Various modifications to the disclosure will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other variations without departing from the scope of the disclosure. Thus, the disclosure is not limited to the examples and designs described herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (12)

1. An abnormal traffic detection model training method based on semi-supervised learning, comprising:
acquiring a training sample set of an abnormal traffic detection model, wherein the training sample set comprises a marked training sample set and an unmarked training sample set, each training sample in the marked training sample set has access traffic characteristic data and marking data, and each training sample in the unmarked training sample set has access traffic characteristic data;
performing semi-supervised learning training on the current abnormal traffic detection model by using a current training sample set until a training end condition is met, wherein when the training end condition is not met, at least one training sample to be marked in the current unmarked training sample set is marked and added to the current marked training sample set to obtain an adjusted training sample set, and the adjusted training sample set is taken as the current training sample set for a next model training process,
wherein the training end condition includes that a change rate of an abnormal prediction rate for a current unmarked training sample set in a current model training process relative to an abnormal prediction rate for the current unmarked training sample set in a previous model training process is not greater than a predetermined threshold,
the method further comprising:
when the training end condition is not met,
clustering training samples in the training sample set; and
determining the at least one training sample to be marked from the current unmarked training sample set according to a clustering result, wherein the clustering result comprises outliers and clusters,
wherein determining the at least one training sample to be marked from the current unmarked training sample set according to the clustering result comprises:
determining the training samples in the current unmarked training sample set whose clustering result is an outlier as the at least one training sample to be marked.
2. The abnormal traffic detection model training method of claim 1, wherein determining the at least one training sample to be marked from the current unmarked training sample set according to the clustering result further comprises:
selecting at least one target cluster from the clusters in the clustering result, and
determining the unmarked training samples in the at least one target cluster as the at least one training sample to be marked.
3. The abnormal traffic detection model training method of claim 2, wherein selecting at least one target cluster from the clusters in the clustering result comprises:
determining, for each cluster in the clustering result, the marked-sample proportion of the marked training samples in the cluster among the total marked training samples; and
determining the at least one target cluster according to the marked-sample proportion of each cluster.
4. The abnormal traffic detection model training method of claim 1, further comprising:
when the training end condition is not met, determining the training samples in the current unmarked training sample set that lie within a predetermined classification probability interval as the at least one training sample to be marked.
5. The abnormal traffic detection model training method according to any one of claims 1 to 4, wherein when the training end condition is not met, active learning is used to mark at least one training sample to be marked in the current unmarked training sample set and add it to the current marked training sample set for a next model training process.
6. An abnormal traffic detection model training apparatus based on semi-supervised learning, comprising:
a training sample set acquisition unit configured to acquire a training sample set of an abnormal traffic detection model, wherein the training sample set comprises a marked training sample set and an unmarked training sample set, each training sample in the marked training sample set has access traffic characteristic data and marking data, and each training sample in the unmarked training sample set has access traffic characteristic data;
a model training unit configured to perform semi-supervised learning training on the current abnormal traffic detection model by using the current training sample set until a training end condition is met, wherein when the training end condition is not met, at least one training sample to be marked in the current unmarked training sample set is marked and added to the current marked training sample set to obtain an adjusted training sample set, and the adjusted training sample set is used as the current training sample set for a next model training process,
wherein the training end condition includes that a change rate of an abnormal prediction rate for a current unmarked training sample set in a current model training process relative to an abnormal prediction rate for the current unmarked training sample set in a previous model training process is not greater than a predetermined threshold,
wherein the model training unit comprises a sample marking module configured to mark at least one training sample to be marked in the current unmarked training sample set and add it to the current marked training sample set when the training end condition is not met,
the sample marking module comprising:
a to-be-marked sample determination sub-module configured to cluster training samples in the training sample set and determine the training samples in the current unmarked training sample set whose clustering result is an outlier as the at least one training sample to be marked, and
a sample marking sub-module configured to mark the determined at least one training sample to be marked and add it to the current marked training sample set.
7. The abnormal traffic detection model training apparatus of claim 6, wherein the model training unit further comprises:
a model prediction module configured to provide the current training sample set to the current abnormal traffic detection model for abnormal prediction so as to determine the current abnormal prediction rate of each current unmarked training sample in the current unmarked training sample set;
a change rate determination module configured to determine a change rate of the current abnormal prediction rate of each current unmarked training sample relative to a previous abnormal prediction rate for each current unmarked training sample in a previous model training process,
wherein when the determined change rate is greater than a predetermined threshold, the sample marking module marks at least one training sample to be marked in the current unmarked training sample set and adds it to the current marked training sample set for a next model training process, and
the model prediction module, the change rate determination module and the sample marking module operate cyclically until the training end condition is met.
8. The abnormal traffic detection model training apparatus of claim 6, wherein the to-be-marked sample determination sub-module further:
selects at least one target cluster from the clusters in the clustering result, and
determines the unmarked training samples in the at least one target cluster as the at least one training sample to be marked.
9. The abnormal traffic detection model training apparatus of claim 8, wherein the to-be-marked sample determination sub-module:
determines, for each cluster in the clustering result, the marked-sample proportion of the marked training samples in the cluster among the total marked training samples; and
determines the at least one target cluster according to the marked-sample proportion of each cluster.
10. The abnormal traffic detection model training apparatus of claim 6, wherein the to-be-marked sample determination sub-module further:
determines the training samples in the current unmarked training sample set that lie within a predetermined classification probability interval as the at least one training sample to be marked.
11. An electronic device, comprising:
at least one processor, and
a memory storing instructions that, when executed by the at least one processor, cause the at least one processor to perform the method of any one of claims 1 to 5.
12. A machine-readable storage medium storing executable instructions that, when executed, cause the machine to perform the method of any one of claims 1 to 5.
CN202111412298.3A 2019-12-11 2019-12-11 Abnormal traffic detection model training method and device based on semi-supervised learning Active CN114039794B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111412298.3A CN114039794B (en) 2019-12-11 2019-12-11 Abnormal traffic detection model training method and device based on semi-supervised learning

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202111412298.3A CN114039794B (en) 2019-12-11 2019-12-11 Abnormal traffic detection model training method and device based on semi-supervised learning
CN201911264853.5A CN110933102B (en) 2019-12-11 2019-12-11 Abnormal flow detection model training method and device based on semi-supervised learning

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN201911264853.5A Division CN110933102B (en) 2019-12-11 2019-12-11 Abnormal flow detection model training method and device based on semi-supervised learning

Publications (2)

Publication Number Publication Date
CN114039794A CN114039794A (en) 2022-02-11
CN114039794B CN114039794B (en) 2024-12-03

Family

ID=69858887

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201911264853.5A Active CN110933102B (en) 2019-12-11 2019-12-11 Abnormal flow detection model training method and device based on semi-supervised learning
CN202111412298.3A Active CN114039794B (en) 2019-12-11 2019-12-11 Abnormal traffic detection model training method and device based on semi-supervised learning

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN201911264853.5A Active CN110933102B (en) 2019-12-11 2019-12-11 Abnormal flow detection model training method and device based on semi-supervised learning

Country Status (1)

Country Link
CN (2) CN110933102B (en)


Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104156438A (en) * 2014-08-12 2014-11-19 德州学院 Unlabeled sample selection method based on confidence coefficients and clustering
CN108154178A (en) * 2017-12-25 2018-06-12 北京工业大学 Semi-supervised support attack detection method based on improved SVM-KNN algorithms
CN109902582A (en) * 2019-01-28 2019-06-18 舒糖讯息科技(深圳)有限公司 A kind of classification of motion method, apparatus, storage medium and terminal device
CN109934354A (en) * 2019-03-12 2019-06-25 北京信息科技大学 An abnormal data detection method based on active learning


Also Published As

Publication number Publication date
CN110933102A (en) 2020-03-27
CN110933102B (en) 2021-10-26
CN114039794A (en) 2022-02-11


Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant