Network abnormal traffic detection based on port attention and convolutional block attention module

doi:10.11772/j.issn.1001-9081.2023050649

Journal of Computer Applications ›› 2024, Vol. 44 ›› Issue (4): 1027-1034.DOI: 10.11772/j.issn.1001-9081.2023050649

Special Issue: 第九届全国智能信息处理学术会议（NCIIP 2023）

• The 9th National Conference on Intelligent Information Processing（NCIIP 2023） • Previous Articles Next Articles

Network abnormal traffic detection based on port attention and convolutional block attention module

Bin XIAO¹, Yun GAN¹, Min WANG², Xingpeng ZHANG¹(), Zhaoxing WANG³

^1.School of Computer Science and Software Engineering，Southwest Petroleum University，Chengdu Sichuan 610500，China
^2.School of Electrical Engineering and Information，Southwest Petroleum University，Chengdu Sichuan 610500，China
^3.PetroChina Chuanqing Drilling Engineering Company Limited，Chengdu Sichuan 610066，China

Received:2023-05-24 Revised:2023-07-08 Accepted:2023-07-14 Online:2024-04-22 Published:2024-04-10
Contact: Xingpeng ZHANG
About author:XIAO Bin， born in 1978， M. S.， professor. His research interests include software engineering， enterprise informatization.
GAN Yun， born in 1998， M. S. candidate. His research interests include network abnormal traffic detection.
WANG Min， born in 1980， M. S.， professor. Her research interests include active learning， signal and information processing.
ZHANG Xingpeng， born in 1989， Ph. D.， lecturer. His research interests include computer vision， object detection and segmentation.
WANG Zhaoxing， born in 1982， senior engineer. His research interests include industrial informatization， big data application.
Supported by:
Sichuan Science and Technology Program(2022JDRC0009);Natural Science “Sailing Plan” Project of Southwest Petroleum University(2022QHZ023)

基于端口注意力与通道空间注意力的网络异常流量检测

肖斌¹, 甘昀¹, 汪敏², 张兴鹏¹(), 王照星³

^1.西南石油大学计算机与软件学院，成都 610500
^2.西南石油大学电气信息学院，成都 610500
^3.中国石油川庆钻探工程有限公司，成都 610066

通讯作者: 张兴鹏
作者简介:肖斌（1978—），男，重庆人，教授，硕士，CCF会员，主要研究方向：软件工程、企业信息化
甘昀（1998—），男，四川广安人，硕士研究生，主要研究方向：网络异常流量检测
汪敏（1980—），女，湖南邵阳人，教授，硕士，CCF会员，主要研究方向：主动学习、信号和信息处理
张兴鹏（1989—），男，山东济南人，讲师，博士，CCF会员，主要研究方向：计算机视觉、目标检测和分割 xpzhang@swpu.edu.cn
王照星（1982—），男，甘肃兰州人，高级工程师，主要研究方向：工业信息化、大数据应用。
基金资助:
四川省科技计划项目(2022JDRC0009);西南石油大学自然科学“启航计划”项目(2022QHZ023)

Abstract

Abstract:

Network abnormal traffic detection is an important part of network security protection. At present， abnormal traffic detection methods based on deep learning treat the port number attribute the same as other traffic attributes， ignoring the importance of the port number. Considering the idea of attention， a novel abnormal traffic detection module based on Convolutional Neural Network （CNN） combining Port Attention Module （PAM） and Convolutional Block Attention Module （CBAM） was proposed to improve the performance of abnormal traffic detection. Firstly， the original network traffic was taken as the input of PAM， the port number attribute was separated and sent to the full connected layer， and the learned port attention weight value was obtained， and the traffic data after port attention was output by dot-multiplying with other traffic attributes. Then， the traffic data was converted into a grayscale map， and CNN and CBAM were used to extract the the channel and space information of the feature map more fully. Finally， the focus loss function was used to solve the problem of data imbalance. The proposed PAM has the advantages of few parameters， plug and play， and universal applicability. The accuracy of the proposed model is 99.18% for the binary-class classification task of abnormal traffic detection and 99.07% for the multi-class classification task on the CICIDS2017 dataset， and it also has a high recognition rate for classes with only a few training samples.

Key words: abnormal traffic detection, attention mechanism, data imbalance, lightweight network, Convolutional Block Attention Module (CBAM)

摘要：

网络异常流量检测是网络安全保护重要组成部分之一。目前，基于深度学习的异常流量检测方法都是将端口号属性与其他流量属性同等对待，忽略了端口号的重要性。为了提高异常流量检测性能，借鉴注意力思想，提出一个卷积神经网络（CNN）结合端口注意力模块（PAM）和通道空间注意力模块（CBAM）的网络异常流量检测模型。首先，将原始网络流量作为PAM的输入，分离得到端口号属性送入全连接层，得到学习后的端口注意力权重值，并与其他流量属性点乘，输出端口注意力后的流量数据；其次，将流量数据转换成灰度图，利用CNN和CBAM更充分地提取特征图在通道和空间上的信息；最后，使用焦点损失函数解决数据不平衡的问题。所提PAM具有参数量少、即插即用和普遍适用的优点。在CICIDS2017数据集上，所提模型的异常流量检测二分类任务准确率为99.18%，多分类任务准确率为99.07%，对只有少数训练样本的类别也有较高的识别率。

关键词: 异常流量检测, 注意力机制, 数据不平衡, 轻量级网络, 通道空间注意力模块

CLC Number:

TP393

Bin XIAO, Yun GAN, Min WANG, Xingpeng ZHANG, Zhaoxing WANG. Network abnormal traffic detection based on port attention and convolutional block attention module[J]. Journal of Computer Applications, 2024, 44(4): 1027-1034.

肖斌, 甘昀, 汪敏, 张兴鹏, 王照星. 基于端口注意力与通道空间注意力的网络异常流量检测[J]. 《计算机应用》唯一官方网站, 2024, 44(4): 1027-1034.

Figures/Tables 12

References 31

1	中国互联网络信息中心. 第51 次中国互联网发展统计报告［R/OL］. ［2023-06-03］. ’s internet development［R/OL］. ［2023-06-03］. .
2	AHMED M， MAHMOOD A， HU J. A survey of network anomaly detection techniques［J］. Journal of Network and Computer Applications， 2016， 60： 19-31. 10.1016/j.jnca.2015.11.016
3	BIERSACK E， CALLEGARI C， MATIJASEVIC M. Data Traffic Monitoring and Analysis： From Measurement， Classification， and Anomaly Detection to Quality of Experience［M］. Heidelberg： Springer， 2013： 21-29. 10.1007/978-3-642-36784-7
4	DHOTE Y， AGRAWAL S， DEEN A J. A survey on feature selection techniques for internet traffic classification ［C］// Proceedings of the 2015 International Conference on Computational Intelligence and Communication Networks. Piscataway： IEEE， 2015： 1375-1380. 10.1109/cicn.2015.267
5	ZHANG H， LU G， QASSRAWI M T， et al. Feature selection for optimizing traffic classification［J］. Computer Communications， 2012， 35（12）： 1457-1471. 10.1016/j.comcom.2012.04.012
6	WANG W， ZHU M， ZENG X， et al. Malware traffic classification using convolutional neural network for representation learning ［C］// Proceedings of the 2017 International Conference on Information Networking. Piscataway： IEEE， 2017： 712-717. 10.1109/icoin.2017.7899588
7	白雪. 基于DBN的网络流量分类的研究［D］. 呼和浩特：内蒙古大学，2015： 28-51.
	BAI X. Research on internet traffic classification using DBN［D］. Hohhot： Inner Mongolia University， 2015： 28-51.
8	AGARAP A F M. A neural network architecture combining gated recurrent unit and support vector machine for intrusion detection in network traffic data ［C］// Proceedings of the 2018 10th International Conference on Machine Learning and Computing. New York： ACM， 2018： 26-30. 10.1145/3195106.3195117
9	ROOPAK M， TIAN G Y， CHAMBERS J. Deep learning models for cуber security in IoT networks ［C］// Proceedings of the 2019 Annual Computing and Communication Workshop and Conference. Piscataway： IEEE， 2019： 0452-0457. 10.1109/ccwc.2019.8666588
10	WOO S， PARK J， LEE J-Y， et al. CBAM： convolutional block attention module ［C］// Proceedings of the 2018 European Conference on Computer Vision. Cham： Springer， 2018：3-19. 10.1007/978-3-030-01234-2_1
11	SHARAFALDIN I， LASHKARI A H， GHORBANI A. Toward generating a new intrusion detection dataset and intrusion traffic characterization ［C］// Proceedings of the 4th International Conference on Information Systems Security and Privacy. ［S.l.］： SciTePress， 2018： 108-116. 10.5220/0006639801080116
12	ANDERSON J P. Computer security threat monitoring and surveillance ［EB/OL］. ［2023-05-01］. .
13	BAMAKAN S M H， WANG H， SHI Y. Ramp loss k-support vector classification-regression： a robust and sparse multi-class approach to the intrusion detection problem［J］. Knowledge-Based Systems， 2017， 126： 113-126. 10.1016/j.knosys.2017.03.012
14	JHA S， TAN K， Al MAXION R. Markov chains， classifiers， and intrusion detection ［C］// Proceedings of the 14th IEEE Computer Security Foundations Workshop. Piscataway： IEEE， 2001： 206-219. 10.1109/csfw.2001.930131
15	SHON T， MOON J. A hybrid machine learning approach to network anomaly detection［J］. Information Sciences， 2007， 177（18）： 3799-3821. 10.1016/j.ins.2007.03.025
16	PAN X， LUO Y， XU Y. K-nearest neighbor based structural twin support vector machine［J］. Knowledge-Based Systems， 2015， 88： 34-44. 10.1016/j.knosys.2015.08.009
17	YIN C， ZHU Y， FEI J， et al. A deep learning approach for intrusion detection using recurrent neural networks［J］. IEEE Access， 2017， 5： 21954-21961. 10.1109/access.2017.2762418
18	RHODE M， BURNAP P， JONES K. Early-stage malware prediction using recurrent neural networks［J］. Computers & Security， 2018， 77： 578- 594. 10.1016/j.cose.2018.05.010
19	DORIGUZZI-CORIN R， MILLAR S， SCOTT-HAYWARD S， et al. Lucid： a practical，lightweight deep learning solution for DDoS attack detection［J］. IEEE Transactions on Network and Service Management， 2020， 17（2）： 876-889. 10.1109/tnsm.2020.2971776
20	BONTEMPS L， CAO V L， McDERMOTT J， et al. Collective anomaly detection based on long short-term memory recurrent neural network ［C］// Proceedings of the 2016 Internet Conference on Future Data and Security Engineering. Cham： Springer， 2016： 141-152. 10.1007/978-3-319-48057-2_9
21	KHAN R U， ZHANG X， KUMAR R， et al. Evaluating the performance of ResNet model based on image recognition ［C］// Proceedings of the 2018 International Conference on Computing and Artificial Intelligence. New York： ACM， 2018： 86-90. 10.1145/3194452.3194461
22	LIU Y， SHAO Z， HOFFMANN N. Global attention mechanism： retain information to enhance channel-spatial interactions［EB/OL］. （2021-12-10）［2023-05-01］. .
23	HOU Q， ZHOU D， FENG J. Coordinate attention for efficient mobile network design ［C］// Proceedings of the 2021 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2021： 13708-13717. 10.1109/cvpr46437.2021.01350
24	HU J， SHEN L， ALBANIE S， et al. Squeeze-and-excitation networks ［EB/OL］. （2019-05-16）［2023-05-01］. . 10.1109/cvpr.2018.00745
25	WANG Q， WU B， ZHU P， et al. ECA-Net： efficient channel attention for deep convolutional neural networks ［C］// Proceedings of the 2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2020： 11531-11539. 10.1109/cvpr42600.2020.01155
26	王锁成，陈世平. 一种基于残差网络改进的异常流量入侵检测模型［J］. 小型微型计算机系统， 2023， 44（12）： 2757-2764.
	WANG S C， CHEN S P. Improved abnormal traffic intrusion detection model based on residual network［J］. Journal of Chinese Computer Systems， 2023， 44（12）： 2757-2764.
27	LeCUN Y， BOTTOU L， BENGIO Y， et al. Gradient based learning applied to document recognition［J］. Proceedings of IEEE， 1998， 86（11）： 2278-2324. 10.1109/5.726791
28	YAO Y， SU L， LU Z. DeepGFL： deep feature learning via graph for attack detection on flow-based network traffic ［C］// Proceedings of the 2018 IEEE Military Communications Conference. Piscataway： IEEE， 2018： 579-584. 10.1109/milcom.2018.8599821
29	杭梦鑫，陈伟，张仁杰. 基于改进的一维卷积神经网络的异常流量检测［J］. 计算机应用， 2021， 41（2）： 433-440.
	HANG M X， CHEN W， ZHANG R J. Abnormal flow detection based on improved one-dimensional convolutional neural network［J］. Journal of Computer Applications， 2021， 41（2）： 433-440.
30	尹梓诺，马海龙，胡涛. 基于联合注意力机制和一维卷积神经网络双向长短期记忆网络模型的流量异常检测方法［J］. 电子与信息学报， 2023， 45（10）： 3719-3728.
	YIN Z N， MA H L， HU T. A traffic anomaly detection method based on the joint model of attention mechanism and one-dimensional convolutional neural network-bidirectional long short term memory［J］. Journal of Electronics & Information Technology， 2023， 45（10）： 3719-3728.
31	VERKERKEN M， D’HOOGE L， SUDYANA D， et al. A novel multi-stage approach for hierarchical intrusion detection［J］. IEEE Transactions on Network and Service Management， 2023， 20（3）： 3915-3929. 10.1109/tnsm.2023.3259474

端口号	正常流量数	异常流量数	异常概率/%
53	957 812	0	0.00
443	505 087	240	0.05
80	235 536	382 288	61.88
123	23 879	0	0.00
22	10 781	6 140	36.29
137	7 913	0	0.00
21	5 332	8 178	60.53
445	1 932	179	8.48
8080	1 356	1 415	51.06
444	0	256	100.00

端口号	正常流量数	异常流量数	异常概率/%
53	957 812	0	0.00
443	505 087	240	0.05
80	235 536	382 288	61.88
123	23 879	0	0.00
22	10 781	6 140	36.29
137	7 913	0	0.00
21	5 332	8 178	60.53
445	1 932	179	8.48
8080	1 356	1 415	51.06
444	0	256	100.00

注意力模块	准确率/%	参数量/10⁶
不使用注意力	97.04	0.184
GAM^［22］	98.35	0.237
CA^［23］	98.61	0.193
SE^［24］	98.83	0.185
ECA^［25］	99.02	0.185
CBAM	99.18	0.186

注意力模块	准确率/%	参数量/10⁶
不使用注意力	97.04	0.184
GAM^［22］	98.35	0.237
CA^［23］	98.61	0.193
SE^［24］	98.83	0.185
ECA^［25］	99.02	0.185
CBAM	99.18	0.186

模型	Acc/%	Pr/%	Re/%	F₁/%	FPR	参数量/10⁶
CNN	97.04	99.56	96.76	98.14	1.77	0.184
1D-CNN+LSTM^［9］	97.40	99.69	97.08	98.37	1.26	1.217
ResNet50	92.95	99.04	92.39	95.60	4.33	25.560
CBAM-ResNet50^［26］	96.70	98.61	97.25	97.93	1.85	28.090
本文模型	99.18	99.79	99.18	99.48	0.84	0.186

Network abnormal traffic detection based on port attention and convolutional block attention module

基于端口注意力与通道空间注意力的网络异常流量检测

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 12

References 31

Related Articles 15

Recommended Articles

Metrics

PAM			全连接层
隐藏层1	隐藏层2	准确率/%	隐藏层1	隐藏层2	准确率/%
4	8	97.95	16	32	98.52
8	8	98.63	32	32	98.71
8	16	99.07	32	64	99.07
16	16	98.84	64	32	98.86
16	8	98.89	64	64	98.64
32	32	98.21	64	128	98.48

类别	Acc	Pr	F₁
BENIGN	99.87	99.27	99.57
Bot	98.80	88.67	93.46
DDoS	99.86	99.71	99.78
GoldenEye	67.81	84.13	75.09
Hulk	97.42	97.38	97.40
SlowHTTP	84.56	95.86	89.86
SlowLoris	75.61	98.79	85.66
FtpPatator	99.01	97.41	98.20
Heartbleed	100.00	92.85	96.29
Infiltration	61.53	100.00	76.19
PortScan	92.01	99.90	95.79
SSH-Patator	97.99	96.89	97.44
WebAttack	98.69	94.79	96.70

模型	Acc
RF	96.04
KNN	95.60
Naive Bayes	86.51
CNN	96.73
ResNet50	87.19
LeNet^［27］	78.21
CBAM-ResNet50	92.92
DeepGFL^［28］	94.85
AFM-ICNN-1D^［29］	98.16
1DCNN-BiLSTM^［30］	98.65
Multi-Stage Approach^［31］	98.77
本文模型	99.07

Backbone	PAM	CBAM	准确率
Backbone	PAM	CBAM	二分类	多分类
CNN			97.04	96.73
	√		98.69	98.14
		√	98.67	98.52
	√	√	99.18	99.07
ResNet18			95.31	93.50
	√		96.23	94.98
		√	97.01	95.42
	√	√	97.95	96.39

[1]	Zhiqiang ZHAO, Peihong MA, Xinhong HEI. Crowd counting method based on dual attention mechanism [J]. Journal of Computer Applications, 2024, 44(9): 2886-2892.
[2]	Jing QIN, Zhiguang QIN, Fali LI, Yueheng PENG. Diagnosis of major depressive disorder based on probabilistic sparse self-attention neural network [J]. Journal of Computer Applications, 2024, 44(9): 2970-2974.
[3]	Liting LI, Bei HUA, Ruozhou HE, Kuang XU. Multivariate time series prediction model based on decoupled attention mechanism [J]. Journal of Computer Applications, 2024, 44(9): 2732-2738.
[4]	Kaipeng XUE, Tao XU, Chunjie LIAO. Multimodal sentiment analysis network with self-supervision and multi-layer cross attention [J]. Journal of Computer Applications, 2024, 44(8): 2387-2392.
[5]	Pengqi GAO, Heming HUANG, Yonghong FAN. Fusion of coordinate and multi-head attention mechanisms for interactive speech emotion recognition [J]. Journal of Computer Applications, 2024, 44(8): 2400-2406.
[6]	Zhonghua LI, Yunqi BAI, Xuejin WANG, Leilei HUANG, Chujun LIN, Shiyu LIAO. Low illumination face detection based on image enhancement [J]. Journal of Computer Applications, 2024, 44(8): 2588-2594.
[7]	Shangbin MO, Wenjun WANG, Ling DONG, Shengxiang GAO, Zhengtao YU. Single-channel speech enhancement based on multi-channel information aggregation and collaborative decoding [J]. Journal of Computer Applications, 2024, 44(8): 2611-2617.
[8]	Li LIU, Haijin HOU, Anhong WANG, Tao ZHANG. Generative data hiding algorithm based on multi-scale attention [J]. Journal of Computer Applications, 2024, 44(7): 2102-2109.
[9]	Song XU, Wenbo ZHANG, Yifan WANG. Lightweight video salient object detection network based on spatiotemporal information [J]. Journal of Computer Applications, 2024, 44(7): 2192-2199.
[10]	Dahai LI, Zhonghua WANG, Zhendong WANG. Dual-branch low-light image enhancement network combining spatial and frequency domain information [J]. Journal of Computer Applications, 2024, 44(7): 2175-2182.
[11]	Wenliang WEI, Yangping WANG, Biao YUE, Anzheng WANG, Zhe ZHANG. Deep learning model for infrared and visible image fusion based on illumination weight allocation and attention [J]. Journal of Computer Applications, 2024, 44(7): 2183-2191.
[12]	Wu XIONG, Congjun CAO, Xuefang SONG, Yunlong SHAO, Xusheng WANG. Handwriting identification method based on multi-scale mixed domain attention mechanism [J]. Journal of Computer Applications, 2024, 44(7): 2225-2232.
[13]	Huanhuan LI, Tianqiang HUANG, Xuemei DING, Haifeng LUO, Liqing HUANG. Public traffic demand prediction based on multi-scale spatial-temporal graph convolutional network [J]. Journal of Computer Applications, 2024, 44(7): 2065-2072.
[14]	Dianhui MAO, Xuebo LI, Junling LIU, Denghui ZHANG, Wenjing YAN. Chinese entity and relation extraction model based on parallel heterogeneous graph and sequential attention mechanism [J]. Journal of Computer Applications, 2024, 44(7): 2018-2025.
[15]	Xiaolu WANG, Wangfei QIAN. Gait recognition method based on two-branch convolutional network [J]. Journal of Computer Applications, 2024, 44(6): 1965-1971.