Open Access

Research on the Impact of Combining Big Data and Deep Learning Technology on Network Security Information Security Protection

  
Mar 19, 2025

Introduction

With the continuous development of network technology, network security has become a topic of increasing concern. With the popularization and expanding use of the Internet, network security has become a serious problem for many people [1–3]. Among the traditional network security technologies, firewalls, intrusion detection and anti-virus technologies have been the mainstream. However, as the scale of the Internet expands, it becomes increasingly difficult for these traditional technologies to ensure the security of the network, and big data technology and deep learning technology have become important means of realizing network security protection [4–7].

With the generation of large amounts of data and the progress of technology, big data technology has provided new opportunities and means for the field of network security. Using big data analytics, key information can be extracted from huge volumes of data for threat identification and prediction [8–10]. By analyzing massive amounts of network logs and data traffic, network security experts can monitor network behavior more accurately and identify potential threats. Big data can also help us understand different types of attack patterns and take protective measures in advance, thus effectively avoiding network attacks [11–13]. Within network security analysis technology, deep learning-based technology has received great attention. In recent years, deep learning has developed rapidly and become an important technology for processing network security data. Deep learning-based cybersecurity big data analysis adopts special algorithms and techniques that can self-learn and recognize the characteristics of data during processing, so as to better predict cyber threats [14–17].

The network information security monitoring and protection system based on big data technology is of great significance and value in the current network security field. It realizes real-time monitoring and risk prediction of the network security status through the collection, processing and analysis of big data, so that possible network threats can be reacted to and responded to in time. Literature [18] examines the application of big data technology in communication network control. By building a test environment for a network security control platform, the experimental results show that the information and communication security control platform based on big data technology can monitor the network status in real time and reconfigure nodes, in addition to collecting sensor data accurately. Literature [19] discusses the current development status of computer network security as well as the characteristics and utilization of big data technology, and proposes the realization and application of network security based on big data technology. Literature [20] emphasizes the importance of big data technology and, based on the current situation of data collection and analysis, mentions optimizing big data technology and other measures to effectively ensure the quality and economic benefits of developing online and offline statistical data and analytical technology. Literature [21] explores the characteristics of big data such as “authenticity” and “diversity” in network traffic and attacks. With the assistance of the R language and its functions, data sets including numerical data were examined, and duplicate detection and deletion, missing value detection and data quality analysis were implemented. Literature [22] proposes an approach to analyzing network traffic using big data techniques, based on processing traffic data in the HDFS environment, transferring it to the Hive database and analyzing it with Hive queries, which in turn detects the transmission of malicious data on the network; the results of this approach for detecting attacks in a sample dataset are also provided. Literature [23] describes the methods of network intrusion detection, deep learning, and traditional data mining, as well as the methodology and evaluation criteria for big data analytics in network intrusion detection, and outlines the shortcomings these methods have exposed in intrusion detection. Literature [24] emphasizes that big data has changed the landscape of information security tools for network monitoring and security, but that in the eternal arms race between attack and defense, stakeholders need to continually seek new ways to mitigate and even contain sophisticated cyberattacks.

With the rapid development of the Internet, network security has received increasing emphasis; for individuals and enterprises alike, security is the focus of attention. Deep learning technology, through the learning and analysis of large amounts of data, can find malicious code and prevent network attacks, and has become a major tool in the field of network security. Literature [25] explored the application of deep learning in computer network information security: after an overview of network information security and deep learning, it analyzes the current status of deep learning applications in computer network information security across many aspects, and its findings have a certain value for research in this field. Literature [26] emphasizes the importance of strengthening information security prevention; implementing appropriate protection strategies to safeguard the security and integrity of network information therefore becomes necessary, and on the basis of exploring the information security issues of computer networks, protective measures based on deep learning algorithms are proposed. Literature [27] affirms the importance of network security protection, points out the advantages and shortcomings of using deep learning and machine learning, and suggests research directions for deep learning and machine learning in network security. Literature [28] emphasized that combining deep learning and machine learning techniques against cyber-attacks can achieve a response strategy for solving cyber security problems; the adoption of deep learning to enhance cybersecurity and the challenges of integrating deep learning into cybersecurity are described. Literature [29] emphasizes the importance of information security for businesses. Starting from the field of intrusion detection, an efficient and intelligent intrusion detection model is designed by combining deep learning techniques, which can be applied to network intrusion detection. Literature [30] classifies, analyzes and summarizes the application of deep learning in the field of network security, compares it with traditional techniques, and indicates the difficulties deep learning faces; the findings reveal that deep learning has shown better results in individual aspects of cyber security. Literature [31] describes the important role of intrusion detection systems. It emphasized that machine learning and deep learning provide highly desirable results for developing intrusion detection systems, and elucidated the intrusion detection systems and deep learning models commonly used by professionals and the challenges they will face.

In this paper, the concept and basic structure of intrusion detection systems are introduced, and then a real-time network information monitoring system based on fuzzy equivalence processing and correlation analysis is constructed. After introducing deep learning technology and its monitoring principle, the real-time network security and information security detection model (GAN-LSTM) based on deep learning technology is constructed, and the parameters of the GAN-LSTM detection model are determined. Finally, the GAN-LSTM model is used to detect and analyze LDoS attacks and data flow sequences that affect network security and information security, in order to achieve network information security protection.

Network security real-time monitoring and intrusion detection system construction
Basic concepts of intrusion detection systems

According to the operating status of the monitored system, intrusion detection can identify illegal behaviors in the system and take steps to ensure the security of system resources. Unlike other security defense products, an Intrusion Detection System (IDS) [32–33] is composed of a software system and a hardware system, and is a kind of active defense product. Intrusion detection systems have five main functions: monitoring and analyzing network connections or system operations; checking the basic configuration and security vulnerabilities of network devices or hosts; identifying unknown intrusions and intercepting them; evaluating the overall completeness of the system; and auditing intrusions.

Basic Structure of Intrusion Detection System

An intrusion detection system is generally deployed between the firewall and the core switch, which is the key entrance and exit for intranet and extranet data, and detects external attack behavior at its source. It can effectively cope with attacks from the external network and improve the basic network security architecture. The workflow of the intrusion detection system is shown in Figure 1. First, the detector collects feature information from the operating system or network; then the collected feature information is analyzed to determine whether the operation or connection is an attack, and if so an attack event is generated; finally, the event is handed over to the response module, which may handle it differently in different intrusion detection systems but is mainly used to intercept the attack by cutting off the connection, shutting down the process, and raising an alarm.

Figure 1.

Flowchart of the intrusion detection system

Real-time monitoring methods for network data information security

Correlation analysis of network data information security factors

In this paper, we use fuzzy equivalence processing from big data technology to cluster the situational factors in network data information. Let there be a fuzzy relationship between two non-empty sets $Q$ and $P$; the strength of association between the two can then be expressed as
$$Q \times P=\{(q,p)\mid q\in Q,\ p\in P\}$$
where $q$ and $p$ are subsets of the two non-empty sets, respectively.

Considering that network data information is relatively dynamic, the processing of $Q$ and $P$ needs to be corrected. In this paper, big data technology is used to calculate the correction degree, which can be expressed as
$$\alpha=\beta\left(\frac{Q\times P}{Q}+\frac{Q\times P}{P}\right)$$

where $\alpha$ is the degree of correction and $\beta$ is the correlation coefficient.

In this way, the relationship between network data information security factors is obtained.

Network data information security abnormal behavior determination

Assume that the network data information security behavior feature vector $O=\{O_1,O_2,\dots,O_m\}$ contains $m$ feature values, and that the total value of the feature vector is $O_{m+1}$. Obtain the $S$ neighboring points closest to $O_{m+1}$ and form the following set:
$$A=\{O_{m+1},S\}$$

where $A$ is a subset consisting of the total value $O_{m+1}$ of the network data information security behavior feature vector and its $S$ neighboring points. The labeled normal behavior feature vector of network data information security is set to $B$, and the gray correlation between vector $A$ and vector $B$ is calculated as
$$\lambda_r=\frac{1}{m}\sum_{r=1}^{m}\lambda_r(c,l)$$

where $\lambda_r$ is the gray correlation between vector $A$ and vector $B$, and $c$, $l$ denote the row and column indices of the gray correlation matrix. The larger $\lambda_r$ is, the higher the correlation between $A$ and $B$, indicating that the network data information security behavior is normal; conversely, the smaller $\lambda_r$, the lower the correlation between $A$ and $B$, indicating that the behavior is abnormal.
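As an added worked example (not from the paper), the following Python carries out the determination above on constructed behavior vectors: it forms $A$ from a new vector and its $S$ nearest history points, standardizes the features against the labeled normal profile $B$, and averages a Deng-style gray relational coefficient matrix over the rows of $A$ and the feature columns to obtain $\lambda$. The sample data, the feature meanings, the standardization, the per-feature $\Delta_{\min}/\Delta_{\max}$ and the threshold 0.6 are our assumptions; the paper does not specify them.

```python
"""Gray-correlation check of a new behavior vector against a labeled normal profile."""
import math
from typing import List, Sequence, Tuple

Vector = Sequence[float]

# Constructed sample data (not from the paper). One behavior vector per monitoring
# window of a host: (packets/s, kilobytes/s, distinct destination ports contacted).
NORMAL_PROFILE_B: List[List[float]] = [      # labeled-normal behavior vectors (B)
    [120.0, 84.0, 3.0],
    [131.0, 90.0, 4.0],
    [118.0, 80.0, 3.0],
    [125.0, 88.0, 2.0],
]
HISTORY_O: List[List[float]] = [             # earlier observations O_1 .. O_m
    [122.0, 85.0, 3.0],
    [129.0, 91.0, 4.0],
    [119.0, 79.0, 3.0],
    [640.0, 52.0, 210.0],                    # an earlier fan-out burst to many ports
    [126.0, 87.0, 2.0],
    [124.0, 86.0, 3.0],
    [612.0, 55.0, 198.0],                    # another such burst
]


def _euclid(a: Vector, b: Vector) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def build_subset_a(o_new: Vector, history: List[List[float]], s: int) -> List[List[float]]:
    """A = {O_{m+1}} together with the S history vectors closest to O_{m+1}."""
    neighbours = sorted(history, key=lambda o: _euclid(o, o_new))[:s]
    return [list(o_new)] + [list(o) for o in neighbours]


def _column_stats(rows: List[List[float]]) -> Tuple[List[float], List[float]]:
    """Per-feature mean and (population) standard deviation of the normal profile."""
    n_feat = len(rows[0])
    means = [sum(r[k] for r in rows) / len(rows) for k in range(n_feat)]
    stds = []
    for k in range(n_feat):
        var = sum((r[k] - means[k]) ** 2 for r in rows) / len(rows)
        stds.append(math.sqrt(var) or 1e-9)  # a constant column must not divide by zero
    return means, stds


def gray_correlation(a_rows: List[List[float]], b_rows: List[List[float]],
                     rho: float = 0.5) -> float:
    """Gray relational grade lambda between subset A and the normal profile B.

    Features are standardized with B's mean and standard deviation, so the reference
    sequence (B's centroid) is the zero vector and each deviation Delta is measured in
    standard deviations of normal behavior.  Deng's coefficient
    (Delta_min + rho*Delta_max) / (Delta + rho*Delta_max) is formed per feature, with
    Delta_min/Delta_max taken over the rows of B and A together (a design choice here,
    so that one extreme feature cannot mask the others).  lambda is the mean of that
    coefficient matrix over the rows of A and all feature columns, i.e. the average
    over rows c and columns l described in the text.
    """
    means, stds = _column_stats(b_rows)
    n_feat = len(means)

    def deviations(row: Sequence[float]) -> List[float]:
        return [abs((row[k] - means[k]) / stds[k]) for k in range(n_feat)]

    delta_b = [deviations(r) for r in b_rows]
    delta_a = [deviations(r) for r in a_rows]
    total = 0.0
    for k in range(n_feat):
        column = [d[k] for d in delta_b + delta_a]
        d_min, d_max = min(column), max(column)
        if d_max == 0.0:                      # every row equals the reference here
            total += len(delta_a)
            continue
        for d in delta_a:
            total += (d_min + rho * d_max) / (d[k] + rho * d_max)
    return total / (len(delta_a) * n_feat)


def classify_behavior(o_new: Vector, history: List[List[float]] = HISTORY_O,
                      normal: List[List[float]] = NORMAL_PROFILE_B,
                      s: int = 2, threshold: float = 0.6) -> Tuple[float, str]:
    """Return (lambda, verdict): a large lambda means normal, a small one abnormal."""
    lam = gray_correlation(build_subset_a(o_new, history, s), normal)
    return lam, ("normal" if lam >= threshold else "abnormal")


if __name__ == "__main__":
    for sample in ([123.0, 86.0, 3.0], [655.0, 50.0, 230.0]):
        lam, verdict = classify_behavior(sample)
        print(f"{sample} -> lambda={lam:.3f} {verdict}")
```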

Deep learning-based information security detection frameworks
Deep learning techniques

Deep learning has better performance in feature learning compared to traditional machine learning methods, which can automatically learn deep features of data. However, traditional machine learning methods rely on manual design of features, and the amount of feature engineering is enormous. Deep learning is capable of automatically discovering high-dimensional effective features in deep networks and executing linear transformations to enhance prediction accuracy. The intrusion detection process based on deep learning is shown in Fig. 2.

Figure 2.

Intrusion detection process based on deep learning

Long Short-Term Memory Neural Networks

The RNN model is good at processing sequential data; it can learn from time-series data in which events are separated by intervals or delayed, but when a huge amount of data is input, the model's learning ability may decrease dramatically. LSTM [34] is a special kind of RNN designed to solve the vanishing gradient problem. The LSTM model replaces the original hidden layer of the RNN with a specified memory unit, which improves its ability to retain temporal information and long-term memory. LSTM is suitable for processing temporal data with long-distance dependencies. The network structure of LSTM is shown in Figure 3.

Input gates, forget gates, and output gates determine the information stored in memory, the storage time, and the read time, respectively. The number of adaptive parameters is reduced by combining the storage units into blocks as far as the task allows, so that they share the same gates. In the following equations, $\sigma$ is the sigmoid activation function, $\otimes$ is element-wise multiplication, $\tanh$ (value range $[-1,1]$) is the activation function of the candidate layer, $x$ represents the input, $i$ the input gate, $o$ the output gate, $c$ the memory cell, $b$ the bias, and $h$ the output. The learning process of the LSTM gate mechanism is as follows:

In the first step, the forget gate selects which information of the cell state to keep and which to discard. The formula combines $h_{t-1}$ and $x_t$; $W\cdot[x_1,x_2,\dots,x_n]$ is defined as the linear combination $\sum_{i=1}^{n}k_i x_i$, and $\sigma$ is the typical activation function defined as $\frac{1}{1+e^{-x}}$. If the output $f_t$ equals 1, the network retains the information in $c_{t-1}$ completely; if it equals 0, it discards it all. Thus
$$f_t=\sigma(W_f\cdot[h_{t-1},x_t]+b_f)$$

The second step selects the new information to store in the cell state. The input gate $i_t$ is created with the sigmoid function applied to $h_{t-1}$ and $x_t$, and the tanh layer creates a new candidate value $\tilde{c}_t$ by the following equations:
$$\begin{cases} i_t=\sigma(W_i\cdot[h_{t-1},x_t]+b_i)\\ \tilde{c}_t=\tanh(W_c\cdot[h_{t-1},x_t]+b_c)\end{cases}$$

The cell state is updated by combining the two outputs:
$$c_t=f_t\times c_{t-1}+i_t\times\tilde{c}_t$$

Finally, the output is computed by running a sigmoid layer, which determines which cell state information is output, and the memory is updated as
$$o_t=\sigma(W_o\cdot[h_{t-1},x_t]+b_o),\qquad h_t=o_t\times\tanh(c_t)$$

The main problem with RNNs is gradient vanishing and inability to learn contextual information over longer time spans, i.e., they are limited by the network in the time period between obtaining the input data and using the input data for prediction. As a result, RNNs are unable to learn from remote dependencies, but gate designs in LSTMs can solve the gradient fading problem in recurrent neural networks and better capture long term dependencies over long intervals in a time series.
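As an added illustration (not code from the paper), the cell below implements the four gate equations above in pure Python and checks the claim that a forget gate output of 1 retains $c_{t-1}$ completely while an output of 0 discards it. The weights, biases and the input sequence are constructed for the demonstration, not trained.

```python
"""One LSTM cell written out from the gate equations above, in pure Python."""
import math
from typing import Dict, List, Tuple

Vec = List[float]
Mat = List[List[float]]
Params = Dict[str, object]


def sigmoid(v: float) -> float:
    return 1.0 / (1.0 + math.exp(-v))


def affine(W: Mat, v: Vec, b: Vec) -> Vec:
    """W . v + b for one gate; W has one row per hidden unit."""
    return [sum(w * x for w, x in zip(row, v)) + bk for row, bk in zip(W, b)]


def lstm_step(x_t: Vec, h_prev: Vec, c_prev: Vec, p: Params) -> Tuple[Vec, Vec, Dict[str, Vec]]:
    """One time step: forget gate, input gate and candidate, state update, output gate."""
    concat = list(h_prev) + list(x_t)                                   # [h_{t-1}, x_t]
    f_t = [sigmoid(v) for v in affine(p["W_f"], concat, p["b_f"])]      # f_t = sigma(W_f.[h_{t-1},x_t] + b_f)
    i_t = [sigmoid(v) for v in affine(p["W_i"], concat, p["b_i"])]      # i_t = sigma(W_i.[h_{t-1},x_t] + b_i)
    c_tilde = [math.tanh(v) for v in affine(p["W_c"], concat, p["b_c"])]  # candidate values (tanh layer)
    c_t = [f * c + i * ct for f, c, i, ct in zip(f_t, c_prev, i_t, c_tilde)]  # c_t = f_t*c_{t-1} + i_t*c~_t
    o_t = [sigmoid(v) for v in affine(p["W_o"], concat, p["b_o"])]      # o_t = sigma(W_o.[h_{t-1},x_t] + b_o)
    h_t = [o * math.tanh(c) for o, c in zip(o_t, c_t)]                  # h_t = o_t * tanh(c_t)
    return h_t, c_t, {"f": f_t, "i": i_t, "o": o_t}


def make_params(n_in: int, n_hid: int, forget_bias: float, input_bias: float) -> Params:
    """Constructed, deterministic weights (no training); entries lie in [-0.5, 0.5]."""
    def weights(seed: int) -> Mat:
        return [[0.5 * math.sin(seed + 7 * r + 3 * c) for c in range(n_hid + n_in)]
                for r in range(n_hid)]
    return {
        "W_f": weights(1), "b_f": [forget_bias] * n_hid,
        "W_i": weights(2), "b_i": [input_bias] * n_hid,
        "W_c": weights(3), "b_c": [0.0] * n_hid,
        "W_o": weights(4), "b_o": [0.0] * n_hid,
    }


def run_sequence(xs: List[Vec], p: Params, c0: Vec) -> Tuple[Vec, Vec]:
    """Feed a whole sequence through the cell starting from h_0 = 0 and cell state c0."""
    h, c = [0.0] * len(c0), list(c0)
    for x_t in xs:
        h, c, _ = lstm_step(x_t, h, c, p)
    return h, c


def retention_error(p: Params, xs: List[Vec], c0: Vec) -> float:
    """How far the final cell state drifted from c0: ~0 when the forget gate stays at 1."""
    _, c_final = run_sequence(xs, p, c0)
    return max(abs(a - b) for a, b in zip(c_final, c0))


def initial_state_influence(p: Params, xs: List[Vec], c0_a: Vec, c0_b: Vec) -> float:
    """Difference of final states for two initial states: ~0 when the forget gate is at 0."""
    _, ca = run_sequence(xs, p, c0_a)
    _, cb = run_sequence(xs, p, c0_b)
    return max(abs(a - b) for a, b in zip(ca, cb))


# Constructed input sequence (two features per step, already scaled to [-1, 1]).
XS: List[Vec] = [[0.3, -0.8], [1.0, 0.2], [-0.5, 0.5], [0.9, -0.9], [0.1, 0.1]]
# Large positive forget bias and large negative input bias: f_t ~ 1 and i_t ~ 0, so the
# cell keeps c_{t-1} completely, the "output equal to 1" case described in the text.
P_KEEP = make_params(2, 2, forget_bias=20.0, input_bias=-20.0)
# Large negative forget bias: f_t ~ 0, the old state is discarded at every step.
P_DROP = make_params(2, 2, forget_bias=-20.0, input_bias=0.0)

if __name__ == "__main__":
    print("drift with f~1:", retention_error(P_KEEP, XS, [1.0, -0.5]))
    print("drift with f~0:", retention_error(P_DROP, XS, [1.0, -0.5]))
    print("c0 influence with f~0:", initial_state_influence(P_DROP, XS, [1.0, -0.5], [-1.0, 0.8]))
```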

Classifiers

SVM and Softmax are two commonly used classifiers in computer vision. Both Support Vector Machine and Softmax classifiers are linear classifiers with very similar specific structures and results in practical applications, but with some subtle differences.

SVM

Support Vector Machines, also known as Support Vector Networks, were originally proposed for binary classification and are mainly used to learn deep features in machine learning models. SVM is a linear classifier that classifies pre-extracted data by giving each data item a specific score as the basis for evaluation. SVM solves the problem of nonlinear separability by introducing a kernel function, which allows feature vectors to be transformed into a high-dimensional space.

Assuming a training set $S=\{x_i,y_i\}$, where the feature vector $x_i\in\mathbb{R}^d$ and the label $y_i\in\{-1,1\}$, the SVM searches for the hyperplane that solves the following constrained optimization problem:
$$\arg\min_{w,\varphi,b}\ \frac{1}{2}w^T w+C\sum_{i=1}^{m}\varphi_i\quad\text{subject to: }\begin{cases} y_i(w^T x_i+b)\ge 1-\varphi_i\\ \varphi_i\ge 0,\ i=1,2,\dots,m\end{cases}$$
where $w$ is the weight vector of $x$, $b$ is the intercept of the hyperplane, the vector $\varphi$ contains the slack variables, and $C$ is the penalty parameter that trades off maximizing the geometric margin against minimizing the classification error.

The core of the SVM method of classification is the idea of maximizing the classification margins, and the goal is to divide the feature space into optimal hyperplanes, and SVM shows classification advantages in binary classification problems.

Softmax

Softmax is also known as multinomial logistic regression and has classification advantages in dealing with $N$-dimensional vectors. Jarrett proposed the use of Softmax for object recognition classification, which gave it an important role in deep learning. Rifai and Krizhevsky et al. further optimized Softmax. R proposed a DNN-based IoMT intrusion detection algorithm using Softmax for classification to improve accuracy, which led to a breakthrough in the application of Softmax in deep learning. With the continuous development of the field of computer vision, Softmax has been widely used in deep learning.

The Softmax function transforms an input $n$-dimensional vector into an $n$-dimensional output vector. The output function of the Softmax classifier is
$$a_i^W=\frac{e^{Z_i^W}}{\sum_{j=1}^{n}e^{Z_j^W}},\quad i=1,2,\dots,n$$
where $Z_i^W$ is the $i$-th input value and $a_i^W$ is the probability output by the classifier for the $i$-th class. $n$ is the number of target categories classified by the classifier; in a binary classification problem, $n=2$. For input data $x$, the hypothesis function of the classifier computes the probability $p(y=j\mid x)$ of belonging to each category $j$. The hypothesis function is a vector with one component per category (their number is denoted $l$ below), whose components are the class probabilities and sum to 1. The hypothesis function of the classifier is
$$p_\theta(x^{(i)})=\begin{bmatrix} h(y^{(i)}=1\mid x^{(i)};\theta)\\ h(y^{(i)}=2\mid x^{(i)};\theta)\\ \vdots\\ h(y^{(i)}=l\mid x^{(i)};\theta)\end{bmatrix}=\frac{1}{\sum_{j=1}^{l}e^{\theta_j^T x^{(i)}}}\begin{bmatrix} e^{\theta_1^T x^{(i)}}\\ e^{\theta_2^T x^{(i)}}\\ \vdots\\ e^{\theta_l^T x^{(i)}}\end{bmatrix}$$
where $\frac{1}{\sum_{j=1}^{l}e^{\theta_j^T x^{(i)}}}$ normalizes the probability distribution so that all probabilities sum to 1, and $\theta_1,\theta_2,\dots,\theta_l$ are the parameters of the model. The Softmax function approaches the maximum function as the parameters $\theta\to\infty$; in practice, $\theta$ takes different finite values.

Figure 3.

LSTM network unit structure

Generative Adversarial Network Principles

The training principle of a GAN is to mix the fake samples produced by the generative model into the real samples assembled from labeled real data, as new input to the discriminative model; the discriminator judges the origin of each sample, deciding whether it came from the generative model or from the real data, and improves its own discriminative ability in the process.

The GAN can be defined as the minimax optimization problem given by Eq. (14), assuming that $x$ represents the data samples, $p(z)$ the input noise, $G(z)$ the noise processed by the generator, and $D(x)$ the probability that sample $x$ is a real sample rather than a generated one. The optimization objective of the GAN can therefore be stated as two points: the samples produced by the generative model have the lowest rate of being recognized, and the discriminative model has the highest discriminative ability.

The objective function is thus defined as
$$\min_G\max_D V(D,G)=\mathbb{E}_{x\sim P_{data}(x)}[\log D(x)]+\mathbb{E}_{z\sim P_z(z)}[\log(1-D(G(z)))]\tag{14}$$

From the above equation, during GAN training the discriminator $D$ should be improved so that it can tell the differences between real and generated samples and judge better, which means the objective function of Eq. (14) is to be maximized, i.e., $D(x)$ is maximized and $D(G(z))$ is minimized. The generative model $G$ must be trained continuously so that it evolves to mimic the features of the real samples and hides from the eyes of the discriminator, which means the objective function of Eq. (14) is to be minimized, i.e., $D(G(z))$ is driven as high as possible so that the term $\log(1-D(G(z)))$ decreases.

Incorporating semi-supervised learning into GANs makes full use of unlabeled sample data to assist the supervised training of the classifier. It is no longer possible for a human to tell whether an image comes from the real MNIST dataset or is a sample generated by the generative model.

As shown in Equation (15), for multi-class data with labeled samples, $L_{supervised}$ denotes the objective function of supervised learning, i.e., the ability to predict correctly. Then:
$$L=-\mathbb{E}_{x,y\sim P_{data}(x,y)}[\log p_{model}(y\mid x)]-\mathbb{E}_{x\sim G}[\log p_{model}(y=K+1\mid x)]\tag{15}$$
$$L_{supervised}=-\mathbb{E}_{x,y\sim P_{data}(x,y)}\log p_{model}(y\mid x,\ y<K+1)\tag{16}$$
$$L_{unsupervised}=-\left\{\mathbb{E}_{x\sim P_{data}(x)}\log[1-p_{model}(y=K+1\mid x)]+\mathbb{E}_{x\sim G}\log[p_{model}(y=K+1\mid x)]\right\}\tag{17}$$
$$L=L_{supervised}+L_{unsupervised}\tag{18}$$

For unlabeled sample data, $L_{unsupervised}$ denotes the loss function of unsupervised learning, and $p_{model}(y=K+1\mid x_j)$ denotes the probability that sample $x_j$ is a generated sample. Substituting $D(x)=1-p_{model}(y=K+1\mid x)$ into the expression for $L_{unsupervised}$ gives exactly the objective function of the GAN, as shown in Equation (19):
$$L_{unsupervised}=-\left\{\mathbb{E}_{x\sim P_{data}(x)}\log D(x)+\mathbb{E}_{z\sim P_z(z)}\log(1-D(G(z)))\right\}\tag{19}$$
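The following added example (ours, not the paper's code) evaluates Eqs. (15) to (19) on constructed classifier logits over $K=3$ real classes plus the generated class, and checks numerically that substituting $D(x)=1-p_{model}(y=K+1\mid x)$ turns $L_{unsupervised}$ into the GAN discriminator objective of Eq. (19). The class meanings and the logit values are assumptions.

```python
"""Semi-supervised GAN classifier losses, Eqs. (15)-(19), on constructed logits."""
import math
from typing import List, Sequence, Tuple

K = 3                     # real classes, e.g. normal, Slowloris, Slow POST (constructed labels)
FAKE = K                  # index of the extra class y = K+1 ("generated sample")
Logits = Sequence[float]  # the K+1 classifier outputs for one sample


def softmax(logits: Logits) -> List[float]:
    m = max(logits)                             # shift by the max for numerical stability
    exps = [math.exp(v - m) for v in logits]
    s = sum(exps)
    return [e / s for e in exps]


def p_model(logits: Logits) -> List[float]:
    """p_model(y | x) over the K real classes plus the generated class."""
    return softmax(logits)


def conditional_real_probs(logits: Logits) -> List[float]:
    """p_model(y | x, y < K+1): renormalize the K real-class probabilities to sum to 1."""
    probs = p_model(logits)
    p_real = 1.0 - probs[FAKE]
    return [probs[y] / p_real for y in range(K)]


def combined_loss_eq15(labelled: List[Tuple[Logits, int]], generated: List[Logits]) -> float:
    """Eq. (15): L = -E_{x,y~p_data} log p_model(y|x) - E_{x~G} log p_model(y=K+1|x)."""
    real = sum(math.log(p_model(l)[y]) for l, y in labelled) / len(labelled)
    fake = sum(math.log(p_model(l)[FAKE]) for l in generated) / len(generated)
    return -real - fake


def supervised_loss(labelled: List[Tuple[Logits, int]]) -> float:
    """Eq. (16): L_supervised = -E_{x,y~p_data} log p_model(y | x, y < K+1)."""
    return -sum(math.log(conditional_real_probs(l)[y]) for l, y in labelled) / len(labelled)


def unsupervised_loss(unlabelled: List[Logits], generated: List[Logits]) -> float:
    """Eq. (17): -{E_{x~p_data} log[1 - p_model(K+1|x)] + E_{x~G} log p_model(K+1|x)}."""
    real = sum(math.log(1.0 - p_model(l)[FAKE]) for l in unlabelled) / len(unlabelled)
    fake = sum(math.log(p_model(l)[FAKE]) for l in generated) / len(generated)
    return -(real + fake)


def discriminator(logits: Logits) -> float:
    """D(x) = 1 - p_model(y = K+1 | x): the probability the classifier assigns to 'real'."""
    return 1.0 - p_model(logits)[FAKE]


def gan_form_loss(unlabelled: List[Logits], generated: List[Logits]) -> float:
    """Eq. (19): the same loss written with D(x), i.e. the GAN discriminator objective."""
    real = sum(math.log(discriminator(l)) for l in unlabelled) / len(unlabelled)
    fake = sum(math.log(1.0 - discriminator(l)) for l in generated) / len(generated)
    return -(real + fake)


def total_loss(labelled: List[Tuple[Logits, int]], unlabelled: List[Logits],
               generated: List[Logits]) -> float:
    """Eq. (18): L = L_supervised + L_unsupervised."""
    return supervised_loss(labelled) + unsupervised_loss(unlabelled, generated)


# Constructed classifier outputs (logits over K+1 classes), not real model output.
LABELLED = [([4.0, 0.5, 0.2, -1.0], 0), ([0.3, 3.5, 0.1, -0.5], 1),
            ([0.1, 0.4, 2.9, -2.0], 2), ([1.2, 1.0, 0.8, -0.2], 0)]
UNLABELLED = [[3.1, 0.2, 0.0, -1.5], [0.5, 2.2, 0.3, -0.8]]    # real flows without labels
GENERATED = [[0.4, 0.3, 0.2, 2.5], [0.1, 0.9, 0.2, 1.8]]       # classifier outputs for G's samples

if __name__ == "__main__":
    print("L_sup   =", supervised_loss(LABELLED))
    print("L_unsup =", unsupervised_loss(UNLABELLED, GENERATED))
    print("Eq.(19) =", gan_form_loss(UNLABELLED, GENERATED))
    print("L total =", total_loss(LABELLED, UNLABELLED, GENERATED))
```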

Information Security Network Detection Model Based on GAN-LSTM

In this paper, we propose a deep learning based real-time network detection model (GAN-LSTM) [35], the framework for training the GAN-LSTM model is shown in Fig. 4. It mainly contains the following steps:

Figure 4.

Framework for training GAN-LSTM model

In the first step, the network packets in the dataset are merged and reduced to network data streams: according to the five-tuple, i.e., “Source_IP”, “Destination_IP”, “Source_Port”, “Destination_Port” and “Protocol”, packets belonging to the same stream are merged and the stream is restored.

In the second step, the features of the network data stream are extracted. The features are selected by considering the similarities and anomalies in the packet header, packet content, stream duration, stream flag bits, and so on.

The third step is to process the feature values. Non-numerical feature values are transformed into numerical ones, and all feature values are then normalized.

In the fourth step, the model is trained. First the parameters of the generator G are locked and the classifier D is trained; then the parameters of the classifier D are locked and the generator G is trained. Equilibrium is reached after several rounds of training.

In the fifth step, classification is tested: the test-set data are fed into the trained classifier to evaluate the model's metrics, such as accuracy, precision, F1 score, and false alarm rate.
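As an added example of steps 1 to 3 (our code, not the paper's pipeline), the Python below merges constructed packet records into flows by the five-tuple, extracts per-flow features from header fields, duration and TCP flag bits, one-hot encodes the protocol as the non-numerical feature, and min-max normalizes the remaining features. The feature names, flag letters and sample addresses are our choices.

```python
"""Steps 1-3 of the flow pipeline on constructed packet records (pure Python)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

FlowKey = Tuple[str, int, str, int, str]

@dataclass
class Packet:
    ts: float       # capture time in seconds
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str      # non-numerical feature, encoded in step 3
    length: int     # bytes on the wire
    flags: str      # TCP flag letters such as "S", "SA", "PA", "FA"; "" for UDP

# Constructed packet records using documentation-range addresses, not a real capture.
PACKETS: List[Packet] = [
    # connection 1: long-lived, low-rate flow with large gaps between small segments
    Packet(0.00, "10.0.0.5", "192.0.2.10", 51000, 80, "TCP", 74, "S"),
    Packet(0.01, "192.0.2.10", "10.0.0.5", 80, 51000, "TCP", 74, "SA"),
    Packet(0.02, "10.0.0.5", "192.0.2.10", 51000, 80, "TCP", 66, "A"),
    Packet(0.03, "10.0.0.5", "192.0.2.10", 51000, 80, "TCP", 180, "PA"),
    Packet(9.90, "10.0.0.5", "192.0.2.10", 51000, 80, "TCP", 72, "PA"),
    Packet(19.95, "10.0.0.5", "192.0.2.10", 51000, 80, "TCP", 72, "PA"),
    # connection 2: ordinary short request/response exchange
    Packet(1.00, "10.0.0.7", "192.0.2.10", 52000, 80, "TCP", 74, "S"),
    Packet(1.01, "192.0.2.10", "10.0.0.7", 80, 52000, "TCP", 74, "SA"),
    Packet(1.02, "10.0.0.7", "192.0.2.10", 52000, 80, "TCP", 400, "PA"),
    Packet(1.05, "192.0.2.10", "10.0.0.7", 80, 52000, "TCP", 1500, "PA"),
    Packet(1.06, "10.0.0.7", "192.0.2.10", 52000, 80, "TCP", 66, "FA"),
    Packet(1.07, "192.0.2.10", "10.0.0.7", 80, 52000, "TCP", 66, "FA"),
    # connection 3: a DNS lookup over UDP
    Packet(2.00, "10.0.0.9", "192.0.2.53", 40000, 53, "UDP", 78, ""),
    Packet(2.01, "192.0.2.53", "10.0.0.9", 53, 40000, "UDP", 140, ""),
]

NUMERIC_FEATURES = ["duration", "n_pkts", "n_bytes", "mean_gap", "max_gap",
                    "syn", "fin", "psh", "rst"]

def flow_key(p: Packet) -> FlowKey:
    """Step 1: five-tuple key; endpoints are ordered so both directions share one flow."""
    lo, hi = sorted([(p.src_ip, p.src_port), (p.dst_ip, p.dst_port)])
    return (lo[0], lo[1], hi[0], hi[1], p.proto)

def merge_flows(packets: List[Packet]) -> Dict[FlowKey, List[Packet]]:
    """Step 1: group packets into flows and order each flow by time."""
    flows: Dict[FlowKey, List[Packet]] = defaultdict(list)
    for p in packets:
        flows[flow_key(p)].append(p)
    return {k: sorted(v, key=lambda q: q.ts) for k, v in flows.items()}

def extract_features(key: FlowKey, pkts: List[Packet]) -> Dict[str, object]:
    """Step 2: per-flow features from header fields, duration and flag bits."""
    times = [p.ts for p in pkts]
    gaps = [b - a for a, b in zip(times, times[1:])]
    return {
        "proto": key[4],
        "duration": times[-1] - times[0],
        "n_pkts": float(len(pkts)),
        "n_bytes": float(sum(p.length for p in pkts)),
        "mean_gap": sum(gaps) / len(gaps) if gaps else 0.0,
        "max_gap": max(gaps) if gaps else 0.0,
        "syn": float(sum("S" in p.flags for p in pkts)),
        "fin": float(sum("F" in p.flags for p in pkts)),
        "psh": float(sum("P" in p.flags for p in pkts)),
        "rst": float(sum("R" in p.flags for p in pkts)),
    }

def flow_features(packets: List[Packet]) -> Dict[FlowKey, Dict[str, object]]:
    return {k: extract_features(k, v) for k, v in merge_flows(packets).items()}

def normalize(rows: List[Dict[str, object]]) -> Tuple[List[str], List[List[float]]]:
    """Step 3: one-hot encode the protocol and min-max scale each numeric feature to [0, 1]."""
    protos = sorted({str(r["proto"]) for r in rows})
    names = NUMERIC_FEATURES + [f"proto={p}" for p in protos]
    lows = {f: min(float(r[f]) for r in rows) for f in NUMERIC_FEATURES}
    highs = {f: max(float(r[f]) for r in rows) for f in NUMERIC_FEATURES}
    matrix = []
    for r in rows:
        row = []
        for f in NUMERIC_FEATURES:
            span = highs[f] - lows[f]
            row.append((float(r[f]) - lows[f]) / span if span else 0.0)  # constant column -> 0
        row.extend(1.0 if r["proto"] == p else 0.0 for p in protos)
        matrix.append(row)
    return names, matrix

if __name__ == "__main__":
    feats = flow_features(PACKETS)
    names, matrix = normalize(list(feats.values()))
    print(names)
    for key, row in zip(feats, matrix):
        print(key, [round(v, 3) for v in row])
```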

Results and analysis of GAN-LSTM detection of network attacks

The convergence of the model is first confirmed, i.e., the value of the loss function is checked after each iteration. The relationship between the loss function and the number of iterations during training is shown in Figure 5. The results show that in the first 9 iterations the value of the loss function decreases rapidly, and after 9 iterations it stabilizes. Therefore, we set the number of iterations to 9 for the subsequent experiments. The other hyperparameters of the hybrid neural network are determined by experience and experimental debugging; their values are as follows: max=800, BGRU cell is 64, FC cell number is 48, batch size is 32, iteration number is 9, learning rate is 0.005, β1 = 0.90, and β2 = 0.999. The detection experiments are first conducted on each dataset that contains only one type of attack, giving the detection results for each attack type, and then on the “Overall” dataset, giving the detection results for the 6 types of attacks at once.

Figure 5.

The relationship between the loss function and the number of iterations

Large Sample Detection Experiment

In this paper, we use the GAN-LSTM method to detect six types of low-rate denial-of-service (LDoS) attacks, namely Slowloris, Slow POST, Slow Read, Pwnloris, Torshammer, and Httpbog. The detection results of the six LDoS attacks are shown in Table 1, where the “Average” row refers to the average of the detection results of the six attacks and the “Overall” row refers to the results of using the “Overall” dataset to detect the six attacks at the same time. The average detection rate and F-measure of the six LDoS attacks are 98.27% and 97.93%, respectively. The attack with the highest detection rate is Slow POST with 99.83%, while the attack with the lowest detection rate is Httpbog with 97.05%. The reason may be that Slow POST is easily detected because it is characterized by obvious periodic changes in the time-frequency domain, whereas Httpbog is harder to detect because it lacks such obvious periodic changes. The detection rate on “Overall” reaches 96.85%, which differs little from the results of detecting each attack alone, so the proposed detection method is universal and can effectively extract the features of LDoS attacks to complete the detection.

Table 1.

Test results of six LDoS attacks

Attack type   Accuracy (%)   DR (%)   FPR (%)   Precision (%)   F-measure
Slowloris     98.77          99.02    2.17      97.01           0.9897
Slow POST     99.83          98.91    2.14      95.99           0.9859
Slow Read     97.82          98.95    2.19      96.61           0.9794
Pwnloris      98.05          98.68    1.88      96.07           0.9792
Torshammer    98.09          99.06    2.04      95.97           0.9676
Httpbog       97.05          99.02    2.09      97.97           0.9741
Average       98.27          98.94    2.085     96.60           0.9793
Overall       96.85          96.09    3.12      98.71           0.9738

Since the part containing the LDoS attack was only 60 seconds out of the 120-second sample, we wanted to confirm whether the attack was accurately detected. Therefore, we selected 2 representative samples for analysis, used GAN-LSTM to calculate the activation values of the last layer of Conv 6 of the convolutional neural network, and plotted them for comparison with the time-domain and time-frequency-domain graphs. To facilitate comparison on the graphs, the attack traffic in these two samples is inserted from the 30th second to the 90th second, whereas in actual detection the position of the attack traffic insertion is randomized.

The time-domain and Conv 6 activation plots of the Pwnloris attack sample are shown in Fig. 6, where (a) and (b) show the time-domain plot and the Conv 6 activation plot, respectively. In the figure there is strong interference from normal traffic between 30 and 90 seconds, but it does not cause excessive activation of Conv 6, which activates specifically in the time interval that contains the attack only. From the time-frequency-domain plot, it is possible that Conv 6 is activated by some features in the high-frequency part.

Figure 6.

The time domain of Pwnloris and the activation diagram of Conv 6

The time-domain and Conv 6 activation plots of the Slow POST attack sample are shown in Fig. 7, where (a) and (b) are the time-domain plot and the Conv 6 activation plot, respectively. The results show that the Slow POST attack is almost completely masked by the high intensity of the normal traffic in the background, and the naked eye cannot directly find obvious attack features in either the time-domain or the time-frequency-domain plot. However, the activation map of Conv 6 shows that the detection method proposed in this paper can still accurately find where the attack is located: the higher-activation region of Conv 6 corresponds exactly to the periodic peaks of the masked attack. With the GAN-LSTM algorithm, we verified that the proposed detection algorithm can accurately detect the location of LDoS attack traffic without having to exclude the interference of normal traffic.

Figure 7.

Slow POST's time domain and Conv 6 activation diagram

Small Sample Detection Experiments

The small-sample detection experiments still use the dataset containing 6 types of LDoS attacks for “leave-one-sample-type-out detection”, i.e., 5 types of LDoS attacks are used as the data source for the meta-training set and the remaining type as the data source for the meta-testing set. Since the number of combinations is C(6,5) = 6, there are 6 ways of choosing 5 out of 6, and hence 6 sets of parallel experiments, each corresponding to the detection of one type of attack. We repeat each group of experiments 200 times for statistics, and for each task take K = 6 or 12, i.e., the number of samples for each attack is 5 or 10, to simulate the small-sample scenario. The detection results of the 6 LDoS attacks in the small-sample scenario are shown in Table 2, which summarizes the detection results with K=5 and K=10. The following 2 conclusions can be drawn:

For the detection of LDoS attacks in small-sample scenarios, the detection results of different attack types vary greatly. For the 5 attack types Slowloris, Slow POST, Slow Read, Pwnloris and Torshammer, the detection results are better, with the highest detection rate being 99.94% and the lowest 91.81%, while for the Httpbog attack the detection rate is only 65.30%. We think there are 2 reasons for this. Firstly, Httpbog attacks have weaker intensity and periodicity characteristics and are relatively more stealthy; secondly, Httpbog is the only attack among these 6 that is carried out on Windows systems. Therefore, the attack traffic of Httpbog differs more from the other 5 attacks, and the prior knowledge obtained by GAN-LSTM from the other 5 attacks is not enough to detect it.

The detection system is insensitive to the number of samples K. This matches the conclusion for small-sample detection on network data streams: when the number of samples K of each type is reduced from 12 to 6, the average detection rate drops by only 3.66%. The above conclusions show that the small-sample detection method based on the deep learning framework can effectively detect most LDoS attacks in small-sample scenarios, but it is weak at detecting the more stealthy LDoS attacks such as Httpbog. Therefore, there is still room for improvement of such a detection method; if more attack traffic data under different scenarios were available for training, GAN-LSTM could obtain more comprehensive prior knowledge and the detection effect would be better.

Table 2.

Detection results of the six LDoS attacks in the small-sample scenario

Sample number   Attack type   Accuracy (%)   DR (%)   FPR (%)   Precision (%)   F-measure
K=6             Slowloris     96.46          95.07    3.82      96.67           0.9727
                Slow POST     93.97          96.29    8.43      91.52           0.9432
                Slow Read     93.26          92.86    4.19      96.71           0.9514
                Pwnloris      99.94          99.53    1.53      98.26           0.9952
                Torshammer    91.81          93.19    7.67      92.13           0.9319
                Httpbog       65.30          62.11    29.86     78.56           0.7061
                Mean          90.12          89.84    9.25      92.31           0.9168
K=12            Slowloris     97.56          95.48    1.72      99.23           0.9815
                Slow POST     94.61          93.43    3.28      96.97           0.9552
                Slow Read     95.37          95.74    4.66      95.35           0.9633
                Pwnloris      98.01          98.86    1.57      98.68           0.9969
                Torshammer    94.88          93.74    4.29      95.39           0.9566
                Httpbog       68.96          66.93    28.45     74.02           0.7118
                Mean          91.57          90.70    7.33      93.27           0.9276

Detecting HTTPS encrypted traffic

Our proposed deep learning GAN-LSTM attack detection method relies only on the temporal statistical information of network traffic rather than the specific content of the traffic, and it does not require manually designed feature extraction methods. Therefore, the proposed detection method can in principle also detect encrypted traffic. At the application layer, HTTPS extends HTTP to encrypt the traffic. There are fewer studies of low-rate denial of service attacks on HTTPS servers, and LDoS attack tools specifically for HTTPS are not yet publicly available, but because of the higher computational complexity of the encryption algorithms, HTTPS is more susceptible to low-rate denial of service attacks. HTTPS protects user privacy, but it is unfavorable for network intrusion detection: without decrypting the packets, traditional detection methods based on packet content fail. However, from the point of view of bypass (side-channel) analysis, the way network traffic changes over time also leaks information, and our proposed method requires only the temporal statistics of the network traffic to detect the attack. We built an HTTPS server on the experimental platform and tested the applicability of the existing LDoS attack tools, among which the Slowloris, Pwnloris and Httpbog tools can launch LDoS attacks against HTTPS servers.
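To make the claim above concrete, the following added example (not the paper's GAN-LSTM code) extracts per-window temporal statistics from packet records without ever reading the payload, so plaintext HTTP and TLS-encrypted records with the same timing produce the same feature vector. The packet records, window width and feature set are constructed assumptions.

```python
"""Temporal traffic statistics that ignore payload (added example, not the paper's code).

The detector described above consumes only time-based statistics, so the same
feature vector results whether the application data is plaintext or TLS ciphertext.
Packet records and the 1-second window are constructed for illustration.
"""
from statistics import mean, pstdev


def window_features(packets, window_s=1.0):
    """Per-window statistics from (timestamp, direction, length, payload) records.

    direction is 'c2s' (client to server) or 's2c'. The payload field is never read.
    """
    if not packets:
        return []
    packets = sorted(packets, key=lambda p: p[0])
    t0 = packets[0][0]
    n_windows = int((packets[-1][0] - t0) // window_s) + 1
    buckets = [[] for _ in range(n_windows)]
    for ts, direction, length, _payload in packets:          # payload deliberately unused
        buckets[int((ts - t0) // window_s)].append((ts, direction, length))
    features = []
    for b in buckets:
        times = [ts for ts, _, _ in b]
        gaps = [y - x for x, y in zip(times, times[1:])]    # inter-arrival times
        features.append({
            "pkts": len(b),
            "bytes": sum(n for _, _, n in b),
            "c2s_ratio": round(sum(1 for _, d, _ in b if d == "c2s") / len(b), 3) if b else 0.0,
            "mean_gap": round(mean(gaps), 4) if gaps else 0.0,
            "gap_std": round(pstdev(gaps), 4) if gaps else 0.0,
        })
    return features


# constructed: identical timing and sizes, one stream carrying plaintext, the other ciphertext
PLAIN = [(0.00, "c2s", 120, b"GET / HTTP/1.1\r\nHost: x\r\n"),
         (0.05, "s2c", 800, b"HTTP/1.1 200 OK\r\n"),
         (0.60, "c2s", 60, b"X-a: b\r\n"),
         (1.20, "c2s", 60, b"X-c: d\r\n"),
         (2.30, "c2s", 60, b"X-e: f\r\n")]
TLS = [(ts, d, n, b"\x17\x03\x03" + bytes(n - 3)) for ts, d, n, _ in PLAIN]

if __name__ == "__main__":
    for plain_w, tls_w in zip(window_features(PLAIN), window_features(TLS)):
        print(plain_w, plain_w == tls_w)
```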

The detection results for the three types of LDoS attacks that support HTTPS encryption are shown in Table 3. The experimental results show an average detection rate of 95.50% and an average F-measure of 0.9521 for these three attacks, which indicates that the proposed detection method can be used to detect encrypted traffic. This result is slightly worse than the previous attack detection results for HTTP servers, which indicates that HTTPS-encrypted LDoS attack traffic differs from unencrypted traffic; these differences remain to be explored further in real-world scenarios in order to improve the detection algorithm.

Test results for three LDoS attacks that support HTTPS encryption

| Attack type | Accuracy (%) | DR (%) | FPR (%) | Precision (%) | F-measure |
|---|---|---|---|---|---|
| Slowloris | 96.23 | 94.95 | 2.57 | 95.14 | 0.9606 |
| Pwnloris | 95.48 | 98.76 | 7.62 | 90.88 | 0.9589 |
| Httpbog | 94.79 | 97.16 | 7.36 | 88.18 | 0.9368 |
| Mean | 95.50 | 96.96 | 5.85 | 91.40 | 0.9521 |
| Total | 94.03 | 96.65 | 7.75 | 91.26 | 0.9513 |

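The columns of both result tables above (Accuracy, DR, FPR, Precision, F-measure) are derived from a confusion matrix of attack versus normal windows. The following added example (not the paper's code) computes them from constructed counts and also recomputes F-measure from a table's DR and Precision columns; the counts and the two helper names are assumptions.

```python
"""Detection metrics as used in the LDoS result tables (added example, not the paper's code).

Accuracy, DR (recall), FPR, Precision and F-measure are computed from a
confusion matrix; the counts used below are constructed, not the paper's data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Confusion:
    tp: int  # attack windows flagged as attack
    fn: int  # attack windows missed
    fp: int  # normal windows flagged as attack
    tn: int  # normal windows passed


def metrics(c: Confusion) -> dict:
    """Return the five table columns; rates in percent, F-measure in [0, 1]."""
    total = c.tp + c.fn + c.fp + c.tn
    dr = c.tp / (c.tp + c.fn) if c.tp + c.fn else 0.0          # detection rate = recall
    fpr = c.fp / (c.fp + c.tn) if c.fp + c.tn else 0.0
    precision = c.tp / (c.tp + c.fp) if c.tp + c.fp else 0.0
    f = 2 * precision * dr / (precision + dr) if precision + dr else 0.0
    return {
        "accuracy": round(100 * (c.tp + c.tn) / total, 2),
        "dr": round(100 * dr, 2),
        "fpr": round(100 * fpr, 2),
        "precision": round(100 * precision, 2),
        "f_measure": round(f, 4),
    }


def f_from_table(dr_pct: float, precision_pct: float) -> float:
    """Harmonic mean of DR and Precision as listed in a result table (percent in, fraction out)."""
    p, r = precision_pct / 100, dr_pct / 100
    return round(2 * p * r / (p + r), 4) if p + r else 0.0


if __name__ == "__main__":
    # constructed counts: 1000 attack windows and 1000 normal windows
    print(metrics(Confusion(tp=960, fn=40, fp=20, tn=980)))
    # Slowloris K=6 row of the small-sample table: DR 95.07, Precision 96.67
    print(f_from_table(95.07, 96.67))
```

Applied to the tables above, the harmonic mean of the listed DR and Precision does not reproduce the listed F-measure (the Slowloris K=6 row gives 0.9586 against the listed 0.9727), so the F-measure column evidently follows a different definition or rounding; when comparing your own results against these, recompute every metric from raw counts.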
Results and analysis of GAN-LSTM detection of data stream sequences
Data Stream Serialization Processing

In the captured web data streams of digital library websites, the data tends to be organized in the form of events, and its temporal distribution is not well characterized. For this reason, two tasks, serialization and periodic decomposition of the data streams, must be completed before cluster analysis is performed on the captured data. Records sharing the same timestamp are counted for each type of event at that moment, and an event type with no record at that moment is treated as a missing value. In this way, the previously unequal-length data is transformed into a time series with equal intervals, and the length of the newly formed series is determined by the number of timestamps in the sampling time interval. Different temporal aggregation granularities can be selected according to the specific situation in the application, either to increase clustering accuracy or to reduce computational overhead.
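The serialization step described above, as an added example that is not the paper's code: event records (timestamp, event type) are counted per equal-width interval, one series per event type, with None marking an interval in which that event type has no record. The events, the granularities and the function name are constructed assumptions.

```python
"""Serialising event-organised data streams into equal-interval series (added example, not the paper's code).

Each event type becomes one series whose value at an interval is the number of
events of that type whose timestamp falls in that interval; None marks a missing value.
The event list below is constructed (timestamps in seconds from the capture start).
"""
from collections import Counter


def serialize(events, granularity_s, start=None, end=None):
    """events: iterable of (timestamp_seconds, event_type).

    Returns (interval_start_times, {event_type: [count or None, ...]}); every series
    has one entry per interval of width granularity_s between start and end, so the
    series length is fixed by the sampling interval, not by how many events occurred.
    """
    events = sorted(events)
    if not events:
        return [], {}
    start = events[0][0] if start is None else start
    end = events[-1][0] if end is None else end
    n = int((end - start) // granularity_s) + 1
    timestamps = [start + i * granularity_s for i in range(n)]
    types = sorted({etype for _, etype in events})
    counts = Counter()
    for ts, etype in events:
        if start <= ts <= end:                       # events outside the window are dropped
            counts[(etype, int((ts - start) // granularity_s))] += 1
    series = {
        etype: [counts[(etype, i)] if (etype, i) in counts else None for i in range(n)]
        for etype in types
    }
    return timestamps, series


# constructed event log: two "search" records share timestamp 0 and are counted together
EVENTS = [(0, "search"), (0, "search"), (5, "download"), (12, "search"),
          (31, "login"), (33, "search"), (61, "download"), (65, "search")]

if __name__ == "__main__":
    for granularity in (30, 10):                     # coarser vs finer aggregation
        ts, series = serialize(EVENTS, granularity)
        print(granularity, ts, series)
```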

The distribution of the web service data streams over a time span of two weeks is shown in Figure 8. It is the daily data distribution of certain events over a two-week range captured by Sniffer Pro. Different curves represent different sequences of web service data streams. The sequences clearly show certain ups and downs overall, with some periodic characteristics, and thus certain trends of change. Because of the random nature of the network users initiating service requests and of the system itself, the shapes of the sequences are not completely consistent.

Figure 8. Distribution of the network service data flow over a time span of two weeks

Periodic Decomposition of Data Stream Sequences

The periodic sequence obtained after decomposition is shown in Figure 9, which presents the experimental results obtained after decomposing several data flow sequences from a particular day by the above method. It can be seen that from about hour 1 to hour 6 the data flow fluctuates rather slowly and most of the website's services are in a low state, while from hour 7 to hour 22 the data flow fluctuates significantly and peaks around hour 18. This can essentially be attributed to changes in the number of user visits that the corresponding website services receive. In general, the data exchanges carried out by most of the services during the day show a certain regularity and a clear cyclical character.

Figure 9. The periodic sequence obtained by decomposition

Clustering of data series across network information security

The sequences of each information stream in the sampled dataset are arranged in timestamp order and clustered by their trend averages, periodic terms and connectivity statistics. The results of the periodic trend clustering of network information are shown in Figure 10. Each network service is clustered into 3 classes when the inter-class distance is about 0.03-2.94, which matches the three classes of Slowloris, Pwnloris and Httpbog attacks suitable for HTTPS detection studied in this paper. This strongly demonstrates the effectiveness of clustering techniques under deep learning detection for data flow analysis in network and information security. Meanwhile, the attributes of the resulting clusters (e.g. the degree of intra-class identity and inter-class dissimilarity) reveal the general characteristics of the network information security data flow during normal operation of a website, which is of great use in practice. For example, in network security management, the eigenvalues of the data flow under evaluation can be extracted according to the characteristics of abnormal data bursts, irregularity and non-periodicity, compared with the attributes of the identified normal classes, and a security evaluation of the data flow obtained.

Figure 10. Cyclic trend clustering results of network information

Conclusion

In this paper, we first constructed a real-time network security monitoring intrusion detection system, after which we constructed an information security network detection model (GAN-LSTM) based on deep learning, and finally analyzed and evaluated the network security detection and information security detection results with this model. The main conclusions are as follows:

The average detection rate and F-measure of the six LDoS attacks are 98.27% and 0.9793 respectively, and the accuracy of their detection is above 97%. The large-sample detection experiments show that Conv 6 can activate the time intervals of specific attacks and accurately locate the LDoS attack traffic even under strong normal-traffic interference between 30 and 90 seconds. The small-sample detection experiments show that the detection rate of the GAN-LSTM model is greater than 90% for all five of the attacks Slowloris, Slow POST, Slow Read, Pwnloris and Torshammer. Furthermore, the GAN-LSTM detection system is not affected by the number of samples K: when the number of samples is halved, its detection rate decreases by only 3.66%. The GAN-LSTM model is also effective in detecting LDoS attacks that support HTTPS encryption, with a mean detection rate and F-measure of 95.50% and 0.9521 respectively.

The sequences show some ups and downs overall: from hour 1 to about hour 6 the data flow fluctuates rather gently and most of the website's services are in a low state, while from hour 7 to hour 22 the data flow fluctuates considerably and peaks around hour 18. This shows that the data flow sequence exhibits a certain regularity with an obvious periodicity characteristic. Each web service is aggregated into 3 classes at an inter-class distance of about 0.03-2.94, which is consistent with the three classes of Slowloris, Pwnloris and Httpbog attacks suitable for HTTPS detection.
