Deep learning DNS tunnel detection using statistical features and a fully connected network (99.8% accuracy)
The code is as follows:
import numpy as np
import tflearn
from tflearn.layers.core import dropout
from tflearn.layers.normalization import batch_normalization
from tflearn.data_utils import to_categorical
from sklearn.model_selection import train_test_split
from sklearn.metrics import classification_report, confusion_matrix
import sys


class EarlyStoppingCallback(tflearn.callbacks.Callback):
    def __init__(self, val_acc_thresh):
        """ Note: We are free to define our init function however we please. """
        # Store a validation accuracy threshold, which we can compare against
        # the current validation accuracy at, say, each epoch, each batch step, etc.
        self.val_acc_thresh = val_acc_thresh

    def on_epoch_end(self, training_state):
        """
        This is the final method called in trainer.py in the epoch loop.
        We can stop training and leave without losing any information with a simple exception.
        """
        #print dir(training_state)
        # This message is printed at the end of every epoch, whether or not training stops.
        print("Terminating training at the end of epoch", training_state.epoch)
        if training_state.val_acc >= self.val_acc_thresh and training_state.acc_value >= self.val_acc_thresh:
            raise StopIteration

    def on_train_end(self, training_state):
        """
        Furthermore, tflearn will then immediately call this method after we terminate training,
        (or when training ends regardless). This would be a good time to store any additional
        information that tflearn doesn't store already.
        """
        print("Successfully left training! Final model accuracy:", training_state.acc_value)


# Column order of each row in the feature file: the label first, then 24 statistics.
cols = ["label", "flow_cnt", "len(srcip_arr)", "len(dstip_arr)", "subdomain_num", "uniq_subdomain_ratio", "np.average(dns_request_len_arr)", "np.average(dns_reply_len_arr)", "np.average(subdomain_tag_num_arr)", "np.average(subdomain_len_arr)", "np.average(subdomain_weird_len_arr)", "np.average(subdomain_entropy_arr)", "A_rr_type_ratio", "incommon_rr_type_rato", "valid_ipv4_ratio", "uniq_valid_ipv4_ratio", "request_reply_ratio", "np.max(dns_request_len_arr)", "np.max(dns_reply_len_arr)", "np.max(subdomain_tag_num_arr)", "np.max(subdomain_len_arr)", "np.max(subdomain_weird_len_arr)", "np.max(subdomain_entropy_arr)", "avg_distance", "std_distance"]
#unwanted_cols = set(["uniq_subdomain_ratio", "incommon_rr_type_rato"])
unwanted_cols = set(["uniq_subdomain_ratio", "incommon_rr_type_rato", "np.max(dns_reply_len_arr)", "request_reply_ratio", "uniq_valid_ipv4_ratio", "A_rr_type_ratio"])
# Columns actually used: the label plus 11 features.
wanted_cols = set(['label', 'flow_cnt', 'len(srcip_arr)', 'len(dstip_arr)',
                   'subdomain_num',
                   'np.average(dns_request_len_arr)', 'np.average(dns_reply_len_arr)',
                   'A_rr_type_ratio',
                   'valid_ipv4_ratio',
                   'request_reply_ratio', 'np.max(dns_request_len_arr)',
                   'np.max(dns_reply_len_arr)'])


def parse_line(s):
    # Strip the tuple/list punctuation, then keep only the wanted columns.
    s = s.replace("(", "").replace(")", "").replace("[", "").replace("]", "")
    #dat = [float(_) for i,_ in enumerate(s.split(",")) if cols[i] not in unwanted_cols]
    dat = [float(_) for i,_ in enumerate(s.split(",")) if cols[i] in wanted_cols]
    return dat


if __name__ == "__main__":
    training_data = []
    with open("feature_with_dnn_todo.dat") as f:
        training_data = [parse_line(line) for line in f]
    #sys.exit(0)

    X = training_data
    # Label 2.0 in the file marks a DNS tunnel sample (class 1); everything else is class 0.
    org_labels = [1 if int(x[0])==2.0 else 0 for x in X]
    labels = to_categorical(org_labels, nb_classes=2)
    data = [x[1:] for x in X]
    input_dim = len(data[0])

    X = data
    Y = labels

    print("X len:", len(X), "Y len:", len(Y))
    trainX, testX, trainY, testY = train_test_split(X, Y, test_size=0.2, random_state=42)
    print(trainX[0])
    print(trainY[0])
    print(testX[-1])
    print(testY[-1])

    # Build neural network
    net = tflearn.input_data(shape=[None, input_dim])
    net = batch_normalization(net)
    net = tflearn.fully_connected(net, input_dim)
    net = tflearn.fully_connected(net, 128, activation='tanh')
    net = dropout(net, 0.5)
    net = tflearn.fully_connected(net, 2, activation='softmax')
    net = tflearn.regression(net, optimizer='adam', learning_rate=0.001,
                             loss='categorical_crossentropy', name='target')
    # Define model
    model = tflearn.DNN(net)
    # Start training (apply gradient descent algorithm)
    # Initialize our callback with desired accuracy threshold.
    early_stopping_cb = EarlyStoppingCallback(val_acc_thresh=0.998)
    try:
        # The 20% split is used as the validation set that drives early stopping.
        model.fit(trainX, trainY, validation_set=(testX, testY), n_epoch=500, batch_size=8, show_metric=True, callbacks=early_stopping_cb)
    except StopIteration as e:
        print("pass")
    filename = 'tf_model/dns_tunnel2_998.tflearn'
    model.save(filename)
    model.load(filename)

    # Predictions are made on all of X (training and validation rows together),
    # so the report below is not a held-out evaluation.
    y_predict_list = model.predict(X)
    y_predict = []
    for i in y_predict_list:
        #print i[0]
        # i[0] is the softmax probability of class 0 (not a tunnel).
        if i[0] >= 0.5:
            y_predict.append(0)
        else:
            y_predict.append(1)

    print(classification_report(org_labels, y_predict))
    print(confusion_matrix(org_labels, y_predict))
Results:
('Terminating training at the end of epoch', 175)
Training Step: 309936 | total loss: 0.00695 | time: 4.371s
| Adam | epoch: 176 | loss: 0.00695 - acc: 0.9988 | val_loss: 0.00661 - val_acc: 0.9991 -- iter: 14084/14084
--
('Terminating training at the end of epoch', 176)
('Successfully left training! Final model accuracy:', 0.9987633228302002)
pass
             precision    recall  f1-score   support
          0       1.00      1.00      1.00     16529
          1       0.97      0.99      0.98      1076
avg / total       1.00      1.00      1.00     17605
Judging from the confusion matrix, the results are quite good!
[[16497 32]
[ 8 1068]]
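A check of what the confusion matrix above implies for alert quality, as an added example that is not part of the original post. It recomputes the tunnel-class rates from the matrix (which the script computes over all 17605 rows) and, assuming those rates carry over unchanged, projects alert precision at lower tunnel prevalence; the 1% and 0.1% prevalence values are assumptions chosen for illustration.

```python
# Confusion matrix copied from the page; sklearn layout is
# rows = true class, columns = predicted class: [[TN, FP], [FN, TP]].
PAGE_CM = [[16497, 32], [8, 1068]]


def binary_metrics(cm):
    """Rates for the positive (tunnel) class from a 2x2 confusion matrix."""
    (tn, fp), (fn, tp) = cm
    total = tn + fp + fn + tp
    return {
        "accuracy": (tn + tp) / total,
        "precision": tp / (tp + fp),
        "recall": tp / (tp + fn),
        "fpr": fp / (fp + tn),
        "prevalence": (tp + fn) / total,
    }


def precision_at_prevalence(recall, fpr, prevalence):
    """Bayes' rule: share of alerts that are true tunnels when a fraction
    `prevalence` of scored rows is tunnel traffic and the rates still hold."""
    true_alerts = recall * prevalence
    false_alerts = fpr * (1.0 - prevalence)
    return true_alerts / (true_alerts + false_alerts)


def alert_quality(cm, prevalences):
    """Map each assumed prevalence to the expected alert precision."""
    m = binary_metrics(cm)
    return {p: precision_at_prevalence(m["recall"], m["fpr"], p)
            for p in prevalences}


if __name__ == "__main__":
    m = binary_metrics(PAGE_CM)
    for name, value in m.items():
        print(f"{name:>10}: {value:.4f}")
    # Assumed prevalences for illustration; the first is the data set's own.
    for p, prec in alert_quality(PAGE_CM, [m["prevalence"], 0.01, 0.001]).items():
        print(f"prevalence {p:.4f} -> expected precision {prec:.3f}")
```

At the data set's own prevalence (about 6.1%) the projection reproduces the reported 0.97 precision; at an assumed 0.1% prevalence roughly one alert in three would be a true tunnel.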
Sample input data:
(2.0,[39.0,1.0,2.0,38.0,0.974358974359,85.0,86.6666666667,3.0,30.0,0.0,3.84923785837,1.0,0.0,0.512820512821,0.025641025641,0.00150829562594,85.0,169.0,3.0,30.0,0.0,3.98989809546,2.54054054054,1.15301237879])
(2.0,[4437.0,3.0,10.0,13.0,0.00292990759522,48.554428668,45.3955375254,1.92307692308,91.3846153846,0.0,3.69230769231,0.972954699121,0.0,0.0,0.0,2.32087487699e-05,138.0,138.0,2.0,100.0,0.0,4.0,15.25,30.5753849799])
(2.0,[115.0,4.0,8.0,11.0,0.095652173913,99.2260869565,47.0347826087,2.0,74.7272727273,0.0,4.24137616275,0.0,0.0,0.0,0.0,0.000438173692052,131.0,131.0,2.0,82.0,0.0,4.3128598958,7.9,14.1594491418])
(2.0,[177.0,2.0,8.0,11.0,0.0621468926554,88.3389830508,35.6327683616,2.0,66.0,0.0,4.17962650637,0.0,0.0,0.0,0.0,0.000319774878486,115.0,115.0,2.0,66.0,0.0,4.17962650637,2.0,0.0])
(2.0,[38.0,7.0,6.0,23.0,0.605263157895,59.0263157895,120.473684211,1.0,20.5652173913,0.0,3.55684374229,0.657894736842,0.0,0.0263157894737,0.0263157894737,0.00222915737851,65.0,267.0,1.0,26.0,0.0,3.97366068969,14.7727272727,3.20414246338])
(2.0,[232.0,4.0,8.0,18.0,0.0775862068966,94.5301724138,39.9224137931,2.0,71.3333333333,0.0,4.19859571366,0.0,0.0,0.0,0.0,0.000227987779855,131.0,131.0,2.0,82.0,0.0,4.28968752349,5.47058823529,11.241298057])
(2.0,[90.0,3.0,8.0,12.0,0.133333333333,97.6,63.7222222222,2.0,74.0,0.0,4.23623035806,0.0,0.0,0.0,0.0,0.000569216757741,131.0,131.0,2.0,82.0,0.0,4.3128598958,7.36363636364,13.6066342594])
(2.0,[419.0,1.0,2.0,355.0,0.847255369928,72.9403341289,88.2816229117,3.0,30.0,0.0,3.80441789011,1.0,0.0,0.980906921241,0.00238663484487,0.000163601858517,74.0,90.0,3.0,30.0,0.0,4.05656476213,1.86440677966,0.654172884041])
(2.0,[132.0,2.0,8.0,12.0,0.0909090909091,83.446969697,38.446969697,2.0,66.0,0.0,4.15523801434,0.0,0.0,0.0,0.0,0.000453926463913,115.0,115.0,2.0,66.0,0.0,4.15523801434,2.0,0.0])
(2.0,[12399.0,9.0,8.0,48.0,0.00387127994193,131.489636261,63.534236632,2.0,86.5416666667,0.0,4.29632333151,0.92402613114,0.0,0.0,0.0,3.06684495259e-06,143.0,143.0,2.0,94.0,0.0,4.37237921923,7.34042553191,13.9897783289])
(2.0,[13659.0,11.0,11.0,55.0,0.00402664909583,131.545574347,65.8218756864,2.0,88.3272727273,0.0,4.34545972513,0.933670107621,0.0,0.0,0.0,2.78275427e-06,145.0,145.0,2.0,96.0,0.0,4.48022025041,8.31481481481,15.5072552602])
(2.0,[187.0,2.0,5.0,94.0,0.502673796791,88.1229946524,139.229946524,1.98936170213,43.9042553191,0.0,4.27189155149,0.502673796791,0.0,0.0,0.0,0.000303416469446,111.0,701.0,2.0,67.0,0.0,4.56541251219,21.5161290323,7.83926277973])
(2.0,[13651.0,11.0,8.0,50.0,0.00366273533075,131.740458574,66.4286132884,1.98,76.26,0.0,4.30942940291,0.955461138378,0.0,0.0,0.0,2.78026611595e-06,145.0,145.0,2.0,96.0,0.0,4.43135478727,11.6734693878,19.406907833])
(2.0,[13867.0,6.0,8.0,48.0,0.00346145525348,131.98341386,66.6828441624,1.97916666667,83.8541666667,0.0,4.28707673609,0.946347443571,0.0,0.0,0.0,2.73192096662e-06,143.0,143.0,2.0,94.0,0.0,4.3688366088,5.53191489362,11.7361979849])
(2.0,[12882.0,10.0,8.0,58.0,0.00450240645862,130.423381463,63.3864306785,1.96551724138,76.7068965517,0.0,3.93103448276,0.938674118926,0.0,0.0,0.0,2.97598853411e-06,143.0,143.0,2.0,94.0,0.0,4.0,8.98245614035,16.8912841929])
(2.0,[258.0,3.0,2.0,76.0,0.294573643411,77.0,80.9263565891,3.0,29.0,0.0,3.75053197533,0.492248062016,0.0,0.259689922481,0.00387596899225,0.000251686298198,77.0,630.0,3.0,29.0,0.0,3.89246375375,2.74666666667,1.87682947784])
(2.0,[14147.0,12.0,8.0,52.0,0.00367569095921,131.023397187,64.6592210363,1.96153846154,79.8461538462,0.0,4.3284491183,0.922032939846,0.0,0.0,0.0,2.69747106693e-06,143.0,143.0,2.0,94.0,0.0,4.42489759102,11.0588235294,19.7974169089])
(2.0,[13970.0,9.0,8.0,70.0,0.0050107372942,131.400501074,66.2702219041,1.98571428571,82.3571428571,0.0,4.29402071493,0.919183965641,0.0,0.0,0.0,2.72380853805e-06,143.0,143.0,2.0,94.0,0.0,4.36589057319,7.26086956522,13.9778833316])
(2.0,[13431.0,8.0,8.0,48.0,0.00357382175564,131.08234681,65.0862184499,1.97916666667,73.8958333333,0.0,4.26146070383,0.951604497059,0.0,0.0,0.0,2.83999416097e-06,133.0,133.0,2.0,84.0,0.0,4.41617048851,7.82978723404,15.2752325593])
(2.0,[13196.0,7.0,8.0,50.0,0.00378902697787,131.38898151,65.7071082146,2.0,84.28,0.0,4.3113658841,0.921718702637,0.0,0.0,0.0,2.88382399676e-06,143.0,143.0,2.0,94.0,0.0,4.39200898112,7.0612244898,12.5004622988])
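The post does not show how the feature file is produced. The sketch below is an added example, not the author's extractor: it computes a subset of the columns named in `cols` from a window of query names, assuming the base domain is the last two labels and that the per-subdomain statistics are taken over unique subdomains. The sample rows are consistent with `uniq_subdomain_ratio = subdomain_num / flow_cnt` (38 / 39 = 0.974358974359 in the first row); the query names are constructed.

```python
import math
from collections import Counter, defaultdict


def shannon_entropy(s):
    """Shannon entropy of s in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def split_qname(qname, base_labels=2):
    """Return (subdomain, base_domain). Assumption: the base domain is the last
    `base_labels` labels; real traffic needs the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-base_labels]), ".".join(labels[-base_labels:])


def domain_features(qnames):
    """Per base domain statistics over one window of observed query names."""
    flows = defaultdict(list)
    for q in qnames:
        sub, base = split_qname(q)
        flows[base].append(sub)
    out = {}
    for base, subs in flows.items():
        uniq = sorted({s for s in subs if s})  # unique non-empty subdomains
        tags = [s.count(".") + 1 for s in uniq] or [0]  # labels per subdomain
        lens = [len(s) for s in uniq] or [0]
        ents = [shannon_entropy(s) for s in uniq] or [0.0]
        out[base] = {
            "flow_cnt": len(subs),
            "subdomain_num": len(uniq),
            "uniq_subdomain_ratio": len(uniq) / len(subs),
            "np.average(subdomain_tag_num_arr)": sum(tags) / len(tags),
            "np.average(subdomain_len_arr)": sum(lens) / len(lens),
            "np.max(subdomain_len_arr)": max(lens),
            "np.average(subdomain_entropy_arr)": sum(ents) / len(ents),
            "np.max(subdomain_entropy_arr)": max(ents),
        }
    return out


# Constructed sample window (not data from the page).
SAMPLE_QNAMES = [
    "www.example.com", "www.example.com", "mail.example.com", "example.com",
    "a1b2c3d4e5f6g7h8.t.tunnel.test", "i9j0k1l2m3n4o5p6.t.tunnel.test",
    "q7r8s9t0u1v2w3x4.t.tunnel.test",
]

if __name__ == "__main__":
    for base, feats in domain_features(SAMPLE_QNAMES).items():
        print(base, feats)
```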