Network abnormal traffic detection based on port attention and convolutional block attention module

doi:10.11772/j.issn.1001-9081.2023050649

Journal of Computer Applications ›› 2024, Vol. 44 ›› Issue (4): 1027-1034.DOI: 10.11772/j.issn.1001-9081.2023050649

• The 9th National Conference on Intelligent Information Processing（NCIIP 2023） • Previous Articles Next Articles

Network abnormal traffic detection based on port attention and convolutional block attention module

Bin XIAO¹, Yun GAN¹, Min WANG², Xingpeng ZHANG¹(), Zhaoxing WANG³

^1.School of Computer Science and Software Engineering，Southwest Petroleum University，Chengdu Sichuan 610500，China
^2.School of Electrical Engineering and Information，Southwest Petroleum University，Chengdu Sichuan 610500，China
^3.PetroChina Chuanqing Drilling Engineering Company Limited，Chengdu Sichuan 610066，China

Received:2023-05-24 Revised:2023-07-08 Accepted:2023-07-14 Online:2024-04-22 Published:2024-04-10
Contact: Xingpeng ZHANG
About author:XIAO Bin， born in 1978， M. S.， professor. His research interests include software engineering， enterprise informatization.
GAN Yun， born in 1998， M. S. candidate. His research interests include network abnormal traffic detection.
WANG Min， born in 1980， M. S.， professor. Her research interests include active learning， signal and information processing.
ZHANG Xingpeng， born in 1989， Ph. D.， lecturer. His research interests include computer vision， object detection and segmentation.
WANG Zhaoxing， born in 1982， senior engineer. His research interests include industrial informatization， big data application.
Supported by:
Sichuan Science and Technology Program(2022JDRC0009);Natural Science “Sailing Plan” Project of Southwest Petroleum University(2022QHZ023)

基于端口注意力与通道空间注意力的网络异常流量检测

肖斌¹, 甘昀¹, 汪敏², 张兴鹏¹(), 王照星³

^1.西南石油大学计算机与软件学院，成都 610500
^2.西南石油大学电气信息学院，成都 610500
^3.中国石油川庆钻探工程有限公司，成都 610066

通讯作者: 张兴鹏
作者简介:肖斌（1978—），男，重庆人，教授，硕士，CCF会员，主要研究方向：软件工程、企业信息化
甘昀（1998—），男，四川广安人，硕士研究生，主要研究方向：网络异常流量检测
汪敏（1980—），女，湖南邵阳人，教授，硕士，CCF会员，主要研究方向：主动学习、信号和信息处理
张兴鹏（1989—），男，山东济南人，讲师，博士，CCF会员，主要研究方向：计算机视觉、目标检测和分割 xpzhang@swpu.edu.cn
王照星（1982—），男，甘肃兰州人，高级工程师，主要研究方向：工业信息化、大数据应用。
基金资助:
四川省科技计划项目(2022JDRC0009);西南石油大学自然科学“启航计划”项目(2022QHZ023)

Abstract

Abstract:

Network abnormal traffic detection is an important part of network security protection. At present， abnormal traffic detection methods based on deep learning treat the port number attribute the same as other traffic attributes， ignoring the importance of the port number. Considering the idea of attention， a novel abnormal traffic detection module based on Convolutional Neural Network （CNN） combining Port Attention Module （PAM） and Convolutional Block Attention Module （CBAM） was proposed to improve the performance of abnormal traffic detection. Firstly， the original network traffic was taken as the input of PAM， the port number attribute was separated and sent to the full connected layer， and the learned port attention weight value was obtained， and the traffic data after port attention was output by dot-multiplying with other traffic attributes. Then， the traffic data was converted into a grayscale map， and CNN and CBAM were used to extract the the channel and space information of the feature map more fully. Finally， the focus loss function was used to solve the problem of data imbalance. The proposed PAM has the advantages of few parameters， plug and play， and universal applicability. The accuracy of the proposed model is 99.18% for the binary-class classification task of abnormal traffic detection and 99.07% for the multi-class classification task on the CICIDS2017 dataset， and it also has a high recognition rate for classes with only a few training samples.

Key words: abnormal traffic detection, attention mechanism, data imbalance, lightweight network, Convolutional Block Attention Module (CBAM)

摘要：

网络异常流量检测是网络安全保护重要组成部分之一。目前，基于深度学习的异常流量检测方法都是将端口号属性与其他流量属性同等对待，忽略了端口号的重要性。为了提高异常流量检测性能，借鉴注意力思想，提出一个卷积神经网络（CNN）结合端口注意力模块（PAM）和通道空间注意力模块（CBAM）的网络异常流量检测模型。首先，将原始网络流量作为PAM的输入，分离得到端口号属性送入全连接层，得到学习后的端口注意力权重值，并与其他流量属性点乘，输出端口注意力后的流量数据；其次，将流量数据转换成灰度图，利用CNN和CBAM更充分地提取特征图在通道和空间上的信息；最后，使用焦点损失函数解决数据不平衡的问题。所提PAM具有参数量少、即插即用和普遍适用的优点。在CICIDS2017数据集上，所提模型的异常流量检测二分类任务准确率为99.18%，多分类任务准确率为99.07%，对只有少数训练样本的类别也有较高的识别率。

关键词: 异常流量检测, 注意力机制, 数据不平衡, 轻量级网络, 通道空间注意力模块

CLC Number:

TP393

Bin XIAO, Yun GAN, Min WANG, Xingpeng ZHANG, Zhaoxing WANG. Network abnormal traffic detection based on port attention and convolutional block attention module[J]. Journal of Computer Applications, 2024, 44(4): 1027-1034.

肖斌, 甘昀, 汪敏, 张兴鹏, 王照星. 基于端口注意力与通道空间注意力的网络异常流量检测[J]. 《计算机应用》唯一官方网站, 2024, 44(4): 1027-1034.

Figures/Tables 12

References 31

1	中国互联网络信息中心. 第51 次中国互联网发展统计报告［R/OL］. ［2023-06-03］. ’s internet development［R/OL］. ［2023-06-03］. .
2	AHMED M， MAHMOOD A， HU J. A survey of network anomaly detection techniques［J］. Journal of Network and Computer Applications， 2016， 60： 19-31. 10.1016/j.jnca.2015.11.016
3	BIERSACK E， CALLEGARI C， MATIJASEVIC M. Data Traffic Monitoring and Analysis： From Measurement， Classification， and Anomaly Detection to Quality of Experience［M］. Heidelberg： Springer， 2013： 21-29. 10.1007/978-3-642-36784-7
4	DHOTE Y， AGRAWAL S， DEEN A J. A survey on feature selection techniques for internet traffic classification ［C］// Proceedings of the 2015 International Conference on Computational Intelligence and Communication Networks. Piscataway： IEEE， 2015： 1375-1380. 10.1109/cicn.2015.267
5	ZHANG H， LU G， QASSRAWI M T， et al. Feature selection for optimizing traffic classification［J］. Computer Communications， 2012， 35（12）： 1457-1471. 10.1016/j.comcom.2012.04.012
6	WANG W， ZHU M， ZENG X， et al. Malware traffic classification using convolutional neural network for representation learning ［C］// Proceedings of the 2017 International Conference on Information Networking. Piscataway： IEEE， 2017： 712-717. 10.1109/icoin.2017.7899588
7	白雪. 基于DBN的网络流量分类的研究［D］. 呼和浩特：内蒙古大学，2015： 28-51.
	BAI X. Research on internet traffic classification using DBN［D］. Hohhot： Inner Mongolia University， 2015： 28-51.
8	AGARAP A F M. A neural network architecture combining gated recurrent unit and support vector machine for intrusion detection in network traffic data ［C］// Proceedings of the 2018 10th International Conference on Machine Learning and Computing. New York： ACM， 2018： 26-30. 10.1145/3195106.3195117
9	ROOPAK M， TIAN G Y， CHAMBERS J. Deep learning models for cуber security in IoT networks ［C］// Proceedings of the 2019 Annual Computing and Communication Workshop and Conference. Piscataway： IEEE， 2019： 0452-0457. 10.1109/ccwc.2019.8666588
10	WOO S， PARK J， LEE J-Y， et al. CBAM： convolutional block attention module ［C］// Proceedings of the 2018 European Conference on Computer Vision. Cham： Springer， 2018：3-19. 10.1007/978-3-030-01234-2_1
11	SHARAFALDIN I， LASHKARI A H， GHORBANI A. Toward generating a new intrusion detection dataset and intrusion traffic characterization ［C］// Proceedings of the 4th International Conference on Information Systems Security and Privacy. ［S.l.］： SciTePress， 2018： 108-116. 10.5220/0006639801080116
12	ANDERSON J P. Computer security threat monitoring and surveillance ［EB/OL］. ［2023-05-01］. .
13	BAMAKAN S M H， WANG H， SHI Y. Ramp loss k-support vector classification-regression： a robust and sparse multi-class approach to the intrusion detection problem［J］. Knowledge-Based Systems， 2017， 126： 113-126. 10.1016/j.knosys.2017.03.012
14	JHA S， TAN K， Al MAXION R. Markov chains， classifiers， and intrusion detection ［C］// Proceedings of the 14th IEEE Computer Security Foundations Workshop. Piscataway： IEEE， 2001： 206-219. 10.1109/csfw.2001.930131
15	SHON T， MOON J. A hybrid machine learning approach to network anomaly detection［J］. Information Sciences， 2007， 177（18）： 3799-3821. 10.1016/j.ins.2007.03.025
16	PAN X， LUO Y， XU Y. K-nearest neighbor based structural twin support vector machine［J］. Knowledge-Based Systems， 2015， 88： 34-44. 10.1016/j.knosys.2015.08.009
17	YIN C， ZHU Y， FEI J， et al. A deep learning approach for intrusion detection using recurrent neural networks［J］. IEEE Access， 2017， 5： 21954-21961. 10.1109/access.2017.2762418
18	RHODE M， BURNAP P， JONES K. Early-stage malware prediction using recurrent neural networks［J］. Computers & Security， 2018， 77： 578- 594. 10.1016/j.cose.2018.05.010
19	DORIGUZZI-CORIN R， MILLAR S， SCOTT-HAYWARD S， et al. Lucid： a practical，lightweight deep learning solution for DDoS attack detection［J］. IEEE Transactions on Network and Service Management， 2020， 17（2）： 876-889. 10.1109/tnsm.2020.2971776
20	BONTEMPS L， CAO V L， McDERMOTT J， et al. Collective anomaly detection based on long short-term memory recurrent neural network ［C］// Proceedings of the 2016 Internet Conference on Future Data and Security Engineering. Cham： Springer， 2016： 141-152. 10.1007/978-3-319-48057-2_9
21	KHAN R U， ZHANG X， KUMAR R， et al. Evaluating the performance of ResNet model based on image recognition ［C］// Proceedings of the 2018 International Conference on Computing and Artificial Intelligence. New York： ACM， 2018： 86-90. 10.1145/3194452.3194461
22	LIU Y， SHAO Z， HOFFMANN N. Global attention mechanism： retain information to enhance channel-spatial interactions［EB/OL］. （2021-12-10）［2023-05-01］. .
23	HOU Q， ZHOU D， FENG J. Coordinate attention for efficient mobile network design ［C］// Proceedings of the 2021 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2021： 13708-13717. 10.1109/cvpr46437.2021.01350
24	HU J， SHEN L， ALBANIE S， et al. Squeeze-and-excitation networks ［EB/OL］. （2019-05-16）［2023-05-01］. . 10.1109/cvpr.2018.00745
25	WANG Q， WU B， ZHU P， et al. ECA-Net： efficient channel attention for deep convolutional neural networks ［C］// Proceedings of the 2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2020： 11531-11539. 10.1109/cvpr42600.2020.01155
26	王锁成，陈世平. 一种基于残差网络改进的异常流量入侵检测模型［J］. 小型微型计算机系统， 2023， 44（12）： 2757-2764.
	WANG S C， CHEN S P. Improved abnormal traffic intrusion detection model based on residual network［J］. Journal of Chinese Computer Systems， 2023， 44（12）： 2757-2764.
27	LeCUN Y， BOTTOU L， BENGIO Y， et al. Gradient based learning applied to document recognition［J］. Proceedings of IEEE， 1998， 86（11）： 2278-2324. 10.1109/5.726791
28	YAO Y， SU L， LU Z. DeepGFL： deep feature learning via graph for attack detection on flow-based network traffic ［C］// Proceedings of the 2018 IEEE Military Communications Conference. Piscataway： IEEE， 2018： 579-584. 10.1109/milcom.2018.8599821
29	杭梦鑫，陈伟，张仁杰. 基于改进的一维卷积神经网络的异常流量检测［J］. 计算机应用， 2021， 41（2）： 433-440.
	HANG M X， CHEN W， ZHANG R J. Abnormal flow detection based on improved one-dimensional convolutional neural network［J］. Journal of Computer Applications， 2021， 41（2）： 433-440.
30	尹梓诺，马海龙，胡涛. 基于联合注意力机制和一维卷积神经网络双向长短期记忆网络模型的流量异常检测方法［J］. 电子与信息学报， 2023， 45（10）： 3719-3728.
	YIN Z N， MA H L， HU T. A traffic anomaly detection method based on the joint model of attention mechanism and one-dimensional convolutional neural network-bidirectional long short term memory［J］. Journal of Electronics & Information Technology， 2023， 45（10）： 3719-3728.
31	VERKERKEN M， D’HOOGE L， SUDYANA D， et al. A novel multi-stage approach for hierarchical intrusion detection［J］. IEEE Transactions on Network and Service Management， 2023， 20（3）： 3915-3929. 10.1109/tnsm.2023.3259474

端口号	正常流量数	异常流量数	异常概率/%
53	957 812	0	0.00
443	505 087	240	0.05
80	235 536	382 288	61.88
123	23 879	0	0.00
22	10 781	6 140	36.29
137	7 913	0	0.00
21	5 332	8 178	60.53
445	1 932	179	8.48
8080	1 356	1 415	51.06
444	0	256	100.00

端口号	正常流量数	异常流量数	异常概率/%
53	957 812	0	0.00
443	505 087	240	0.05
80	235 536	382 288	61.88
123	23 879	0	0.00
22	10 781	6 140	36.29
137	7 913	0	0.00
21	5 332	8 178	60.53
445	1 932	179	8.48
8080	1 356	1 415	51.06
444	0	256	100.00

注意力模块	准确率/%	参数量/10⁶
不使用注意力	97.04	0.184
GAM^［22］	98.35	0.237
CA^［23］	98.61	0.193
SE^［24］	98.83	0.185
ECA^［25］	99.02	0.185
CBAM	99.18	0.186

注意力模块	准确率/%	参数量/10⁶
不使用注意力	97.04	0.184
GAM^［22］	98.35	0.237
CA^［23］	98.61	0.193
SE^［24］	98.83	0.185
ECA^［25］	99.02	0.185
CBAM	99.18	0.186

模型	Acc/%	Pr/%	Re/%	F₁/%	FPR	参数量/10⁶
CNN	97.04	99.56	96.76	98.14	1.77	0.184
1D-CNN+LSTM^［9］	97.40	99.69	97.08	98.37	1.26	1.217
ResNet50	92.95	99.04	92.39	95.60	4.33	25.560
CBAM-ResNet50^［26］	96.70	98.61	97.25	97.93	1.85	28.090
本文模型	99.18	99.79	99.18	99.48	0.84	0.186

Network abnormal traffic detection based on port attention and convolutional block attention module

基于端口注意力与通道空间注意力的网络异常流量检测

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 12

References 31

Related Articles 15

Recommended Articles

Metrics

PAM			全连接层
隐藏层1	隐藏层2	准确率/%	隐藏层1	隐藏层2	准确率/%
4	8	97.95	16	32	98.52
8	8	98.63	32	32	98.71
8	16	99.07	32	64	99.07
16	16	98.84	64	32	98.86
16	8	98.89	64	64	98.64
32	32	98.21	64	128	98.48

类别	Acc	Pr	F₁
BENIGN	99.87	99.27	99.57
Bot	98.80	88.67	93.46
DDoS	99.86	99.71	99.78
GoldenEye	67.81	84.13	75.09
Hulk	97.42	97.38	97.40
SlowHTTP	84.56	95.86	89.86
SlowLoris	75.61	98.79	85.66
FtpPatator	99.01	97.41	98.20
Heartbleed	100.00	92.85	96.29
Infiltration	61.53	100.00	76.19
PortScan	92.01	99.90	95.79
SSH-Patator	97.99	96.89	97.44
WebAttack	98.69	94.79	96.70

模型	Acc
RF	96.04
KNN	95.60
Naive Bayes	86.51
CNN	96.73
ResNet50	87.19
LeNet^［27］	78.21
CBAM-ResNet50	92.92
DeepGFL^［28］	94.85
AFM-ICNN-1D^［29］	98.16
1DCNN-BiLSTM^［30］	98.65
Multi-Stage Approach^［31］	98.77
本文模型	99.07

Backbone	PAM	CBAM	准确率
Backbone	PAM	CBAM	二分类	多分类
CNN			97.04	96.73
	√		98.69	98.14
		√	98.67	98.52
	√	√	99.18	99.07
ResNet18			95.31	93.50
	√		96.23	94.98
		√	97.01	95.42
	√	√	97.95	96.39

[1]	Quan YUAN, Changping CHEN, Ze CHEN, Linfeng ZHAN. Twice attention mechanism distantly supervised relation extraction based on BERT [J]. Journal of Computer Applications, 2024, 44(4): 1080-1085.
[2]	Xinyuan YOU, Heng WANG. Monaural speech enhancement based on gated dilated convolutional recurrent network [J]. Journal of Computer Applications, 2024, 44(4): 1317-1324.
[3]	Rong HUANG, Junjie SONG, Shubo ZHOU, Hao LIU. Image aesthetic quality evaluation method based on self-supervised vision Transformer [J]. Journal of Computer Applications, 2024, 44(4): 1269-1276.
[4]	Jie GUO, Jiayu LIN, Zuhong LIANG, Xiaobo LUO, Haitao SUN. Recommendation method based on knowledge‑awareness and cross-level contrastive learning [J]. Journal of Computer Applications, 2024, 44(4): 1121-1127.
[5]	Pengfei ZHANG, Litao HAN, Hengjian FENG, Hongmei LI. Point cloud semantic segmentation based on attention mechanism and global feature optimization [J]. Journal of Computer Applications, 2024, 44(4): 1086-1092.
[6]	Tianhua CHEN, Jiaxuan ZHU, Jie YIN. Bird recognition algorithm based on attention mechanism [J]. Journal of Computer Applications, 2024, 44(4): 1114-1120.
[7]	Lijun XU, Hui LI, Zuyang LIU, Kansong CHEN, Weixuan MA. 3D-GA-Unet： MRI image segmentation algorithm for glioma based on 3D-Ghost CNN [J]. Journal of Computer Applications, 2024, 44(4): 1294-1302.
[8]	Haihan WANG, Yan ZHU. Offensive speech detection with irony mechanism [J]. Journal of Computer Applications, 2024, 44(4): 1065-1071.
[9]	Tao SUN, Zhangtian DUAN, Haonan ZHU, Peihao GUO, Heli SUN. Social event recommendation method based on unexpectedness metric [J]. Journal of Computer Applications, 2024, 44(3): 760-766.
[10]	Yongfeng DONG, Jiaming BAI, Liqin WANG, Xu WANG. Chinese named entity recognition combining prior knowledge and glyph features [J]. Journal of Computer Applications, 2024, 44(3): 702-708.
[11]	Rui JIANG, Wei LIU, Cheng CHEN, Tao LU. Asymmetric unsupervised end-to-end image deraining network [J]. Journal of Computer Applications, 2024, 44(3): 922-930.
[12]	Aiguo SHANG, Xinjuan ZHU. Joint approach of intent detection and slot filling based on multi-task learning [J]. Journal of Computer Applications, 2024, 44(3): 690-695.
[13]	Yuliang ZHENG, Yunhua CHEN, Weijie BAI, Pinghua CHEN. Vehicle target detection by fusing event data and image frames [J]. Journal of Computer Applications, 2024, 44(3): 931-937.
[14]	Kui ZHAO, Huiqi QIU, Xu LI, Zhifei XU. Real-time pulmonary nodule detection algorithm combining attention and multipath fusion [J]. Journal of Computer Applications, 2024, 44(3): 945-952.
[15]	Zijie HUANG, Yang OU, Degang JIANG, Cailing GUO, Bailin LI. Lightweight deep learning algorithm for weld seam surface quality detection of traction seat [J]. Journal of Computer Applications, 2024, 44(3): 983-988.