AI and Edge Computing-Driven Technologies for Knowledge Defined NetworkingView this Special Issue
[Retracted] Abnormal Access Behavior Detection of Ideological and Political MOOCs in Colleges and Universities
In many colleges and universities, MOOCs have been applied in many courses, including ideological and political course, which is very important for college students’ ideological and moral education. Ideological and political MOOCs break the limitations of time and space, and students can conveniently and quickly learn ideological and political courses through the network. However, due to the openness of MOOCs, there may be some abnormal access behaviors, affecting the normal process of MOOCs. Therefore, in this paper, we propose a detection method of abnormal access behavior of ideological and political MOOCs in colleges and universities. Based on deep learning, the network behavior detection model is established to distinguish whether the network behavior is normal, so as to detect the abnormal access network behavior. In order to prove the effectiveness and efficiency of the proposed algorithm, the algorithm is compared with the other two network abnormal behavior detection methods, and the results prove that the proposed method can effectively detect the abnormal access behavior in ideological and political MOOCs.
With the rapid development of information network technology and the popularization of its application, MOOCs have emerged as a new teaching mode based on Internet technology. Ideological and political MOOCs in colleges and universities apply ideological and political courses to MOOCs, breaking through limitations of time and space and greatly enhancing the pertinence and flexibility of education, which is very helpful for students to study ideological and political courses quickly and effectively. In addition to normal students learning MOOCs, there may be some abnormal network access behaviors, such as advertising and stealing students’ information. Abnormal network access will affect the normal progress of the course and pose a threat to students’ information security. Therefore, it is very necessary to detect the abnormal access behavior in ideological and political MOOCs to ensure the normal course and protect the information security of student users.
Throughout the traditional network security technology, it roughly includes identity authentication, encryption technology, and firewall technology. Authentication mainly verifies the actual identity of the current entity by verifying passwords, SMS, fingerprints, etc. Encryption technology mainly encrypts data through certain technical means, then transmits the encrypted data to the destination through the network, and finally decrypts the data. The technical methods mainly rely on encryption algorithms and keys . On the one hand, the encryption technology combines the original data with the key through the algorithm to generate the ciphertext; on the other hand, it also relies on the algorithm and the key to restore the encrypted file to the original data. Firewall technology is the creation of a network transmission protection barrier between networks that contains software and hardware devices . The barrier allows to block the intranet and extranet, thus preventing interference and attacks on the system by abnormal network behavior . It is not difficult to find that these techniques are mainly aimed at static prevention. They mainly secure the system by controlling the access rights of users or by mathematically encrypting their access rights . However, on the one hand, it cannot defend against attacks from within the system and monitor the attacks in real time. Therefore, the network abnormal behavior detection technology based on dynamic defense makes up for the shortages of traditional network security in these two aspects and becomes the focus of research on computer network security. Network abnormal behavior detection is the process of identifying and monitoring behaviors that attempt to access the network . It is a positive and dynamic way to protect the security behavior of a computer or network. By comparing the access network with the previously collected normal network access data, it determines whether the current access network is normal. The whole process of network abnormal detection is divided into three steps: first, collecting data, filtering the data, and sorting out the required information; second, building a model and establishing a discriminative model by training the collected data; third, abnormal behavior detection, apply the network data into the established model to detect whether the network is normal . At present, the development of deep learning, which is at the forefront of research, provides a new direction and breakthrough for the study of network anomaly detection.
Traditional network abnormal behavior detection methods mainly depend on features and rules and cannot automatically use historical data to detect the latest attacks on time. In the deep learning, unsupervised or semisupervised feature learning methods can be used instead of the traditional manual feature acquisition methods . The training process of deep learning is to abstract and generalize the initial data, form more abstract high-level features by combining low-level features, and then use these features to perform a distributed feature representation of the data. Deep learning observations can be represented in a variety of ways, such as vectors of pixel intensity values in images, and more abstract points can be represented as edges or specific shape regions, etc. In this paper, based on deep learning, we propose a deep learning-based network abnormal behavior detection method to detect the abnormal access behavior of university ideological and political MOOCs.
The rest paper is organized as follows. Section 2 gives the related work. Section 3 builds the models for the proposed problem. In Section 4, the deep learning-based abnormal network behavior detection is proposed. Section 5 reports the simulation results. This paper is concluded in Section 6.
2. Related Work
The intrusion detection system was first proposed by Denning in 1987 . This system described a real-time abnormal behavior detection system model that can detect computer misuse in the form of intrusion, infiltration, etc. Currently, although users have high expectations for intrusion detection systems, in practical applications, the current network abnormal behavior analysis model cannot solve the problem of high false alarm and leakage rates, and it also has problems such as the system is not easy to manage, has poor detection performance, has lack of automation, and has poor security performance. Therefore, the design of a truly effective intrusion detection system by improving network abnormal behavior detection algorithms has a central role in the field of network security.
Network abnormal behavior detection is mainly based on network traffic classification and network topology analysis, and research studies of network abnormal behavior are mainly divided into the following categories:(1)Research on abnormal detection of network traffic based on measurement learning Network traffic refers to the data transmitted on the network, which records a large number of user information. It plays an important role in the field of network security and is an important feature of network behavior detection. Jin and Yeung  proposed an algorithm model based on covariance analysis to detect abnormal traffic. In this algorithm, all packets in unit time were counted and classified according to different network protocols. The covariance matrix of each type was obtained, and the anomaly was detected according to the matrix. However, the algorithm needs a lot of complex mathematical calculations, which is easy to affect the use of normal network communication in anomaly detection. Barford et al.  proposed a detection algorithm based on multiscale analysis and wavelet transform, taking the time correlation between traffic data as the breakthrough point. However, this algorithm can only analyze the traffic data captured in a single link and can only complete the anomaly detection in that link. Due to the shortcomings of the above algorithm, Rubinstein et al.  proposed a network abnormal behavior detection method based on component analysis (PCA). This method transforms the original data into a traffic matrix and, based on the spatial difference of traffic data between different links, detects and processes the data in the subspace established by the algorithm. However, these algorithms have common shortcomings. On the one hand, when the data is large, the calculation of these algorithms is more complex and time-consuming. On the other hand, it is difficult to avoid the deviation caused by subjectivity in the feature extraction of network abnormal data, and it cannot completely rely on the algorithm to complete the feature extraction, classification, and detection of abnormal data.(2)Research on network abnormal behavior based on alarm transmission In the current environment of increasing network devices and network data, it has become an important method to quickly analyze the alarm transmission through monitoring the network to maintain the quality of network communication, especially for mass devices to conduct high-precision correlation analysis at the level of network topology to locate the alarm, which is very important to reduce the impact of the fault and improve the quality of network maintenance. Hu et al.  held that static alarm analysis was not enough to realize alarm location and used time sequence alarm information and corresponding dynamic time matrix to realize alarm correlation analysis, so as to complete alarm location. Karoly and Abonyi  took multiperiod alarm sequences to mine alarm data and complete the compression of alarm data. However, the above research studies have not focused on the network management data, especially when the types of terminal nodes are increasing and the alarm messages are massive and sparse, the redundancy of the algorithm mining results is high, and the alarm transmission analysis is difficult.(3)Research on network propagation model based on cascading failure Network abnormal behaviors are often accompanied by the movement and diffusion of abnormal points in the network, which spreads the failure of a single node to multiple nodes and causes greater losses. Cascading failure refers to that, after a node fails, the load on it is redistributed to its adjacent nodes according to the coupling relationship between nodes, which leads to an overload of the load on the adjacent nodes and then failure, which leads to a large area of network paralysis. Cascading failure may occur in any actual network system, such as communication network, computer network, and transportation network, which will lead to a sharp decline in network performance or even network system collapse. Motter and Lai  and Jin et al.  held that the overload of the network node or the edge was one of the most important reasons. They proposed a model to analyze the cascading overload fault caused by dynamic traffic redistribution. The results show that the network is vulnerable to this kind of cascading anomaly. Parshani et al.  established a network composed of connections and dependent links, introduced the model and analysis framework for the study of interdependent networks, and concluded that the wider the distribution, the more vulnerable the network becomes to the random failure of interdependent networks. Alessandro  suggested that, in addition to the topological connectivity links, the dependency relationship between network nodes also accelerates the propagation of network failures and affects the mechanism of cascading exceptions, and the relationships can be functional or logical.
Different from the above, this paper applies the abnormal access behavior detection into the field of ideological and political MOOCs. Besides, the simulation of this paper also depends on the real dataset. In particular, the abnormal access behavior detection method is improved by considering deep learning.
3. Problem Modeling
3.1. Network Access Behavior System Model
In the university ideological and political MOOCs network access system, as shown in Figure 1, each student can request network access from the server through the campus network to obtain video resources. In the system, the form of vector is used to represent the access of network users, and the network access behavior of each user is expressed as N = (ID, IP, URL, time), where ID is the ID of the requesting user, IP is the IP of the requesting user, URL is the requested URL, and time is the time of the requesting user browsing the website.
3.2. Network Abnormal Behavior Detection Model
Network abnormal behavior detection is the process of qualitatively identifying and detecting attempted network intrusions. It is an active and dynamic security behavior to protect the computer or network, rather than a passive emergency measure to work when the intrusion occurs. Network abnormal behavior detection works as follows. On the one hand, everything has common behavioral characteristics. On the other hand, abnormal behavior generally has serious differences compared with normal behavior. Then, to detect whether a network subject is attacked by the abnormal behavior, the current behavior can be compared with the previously collected normal behavior in a comprehensive manner to determine whether the current behavior is normal. Therefore, based on the common characteristics of normal behaviors and the difference of abnormal behaviors, we can quantitatively analyze these normal behaviors and thus find out the established rules of normal behaviors through the results.
The object of our algorithm is to identify the abnormal network access behavior. In this paper, the characteristics of different types of traffic are identified for multiclassification through the collection of network abnormal traffic and feature extraction. The whole process of the algorithm is as follows: first, collect the network abnormal traffic; then divide the traffic by tuple, the traffic contains different categories; and label the corresponding categories. Because the storage format of traffic data itself is hexadecimal code, it can be directly converted into a decimal value, and the fixed position value can be extracted from each traffic to form a high-dimensional vector to complete vectorization. The vectorized samples are sent to the traffic classification network composed of CNN for training. The detection process of network abnormal access behavior is shown in Figure 2.
4. Abnormal Network Behavior Detection Based on Deep Learning
Multilayer perceptron (MLP) is the foundation of deep neural network . However, it is difficult for multilayer perception to deal with the weight problem of hidden layers, and this problem can only be solved after the development of back propagation algorithm . With the rapid development of big data and cloud computing, deep neural networks have gradually become a hot topic in the field of machine learning and have achieved certain achievements in many fields. Convolutional neural network (CNN) is a representative algorithm of deep learning. In this paper, a network behavior detection model is built using CNN.
The essence of CNN is to use the nonlinear deep network structure to approximate the function, so as to express the mapping relationship from input to output. Compared with the traditional neural networks, CNN has changed the original way of maintaining the complete connection between neurons in each layer, but adopted a way of maintaining the partial connection between neurons in each layer. Therefore, CNN can learn the essential characteristics of the training set from a small number of samples.
In the algorithm proposed in this paper, the CNN network structure used is the network structure of Lenet-5  modified according to the data of abnormal behavioral features of the network. Lenet-5 is a convolutional neural network designed by Yan Lecun in 1998. It is mainly used for handwritten digit recognition and is one of the representative structures of CNN. Lenet-5 consists of 7 layers, as shown in Figure 3. In general, it is mainly divided into convolutional layer, pooling layer, and fully connected layer. Each layer includes a different number of training parameters. Meanwhile, each layer of Lenet-5 has multiple feature maps, and the input features are extracted by convolutional filters with multiple neurons per feature map. The whole neural network is trained by a backpropagation algorithm using the original image as data. Since the purpose of this paper is to detect whether the network access is normal or not, the structure of the model designed in this paper is divided into two categories: normal and abnormal.
4.1. Convolution Layer
In the convolution layer of the network, the weight represents the proportion of neurons connected to each other, which is usually expressed as a convolution kernel. In this layer, each neuron is connected to the upper layer by partial connection rather than full connection. Each feature map output by convolution layer is convoluted with the processed convolution kernel and the feature map of the previous layer, and the corresponding elements are accumulated and then an offset value is added. Finally, the result is processed by a sigmoid function. The convolution process is shown in Figure 4.
We assume that the number of convolution layers is 1, the convolution kernel is k, the feature map of the upper layer is Mj, and the offset value is b; the formula of the convolution layer is expressed as follows:
4.2. Pooling Layer
The pooling layer is the abstraction of local information. In the neural network, the pooling layer is used to process the feature map output from the upper layer. In this layer, the sampling operation will not change the number of the feature map, but will process the size of the map and reduce the feature map to a certain extent. According to the convolution layer, the mapping formula of the pooling layer is expressed aswhere the function represents the sampling function, which generally includes two methods: mean pooling and maximum pooling. In this paper, we use the maximum pooling method, which is shown in Figure 5.
4.3. Fully Connected Layer
The full connection layer is mainly used to calculate the data processed by the former convolution layer and sampling layer, and its calculation result is the output value of the network.
There are two independent convolution cores in CNN network. After the operation of each layer mentioned above and the softmax layer, each accessed network behavior will have a type of scoring output. Suppose there are N training segments, we take the nth training sample. Then, after passing through the network, the output will be On(t), and then, through the softmax layer, according to the data at time t of the sample, the score of category i is computed as follows:
The final loss function is computed as follows:
5. Simulations and Analysis
In this section, we conduct simulations on the proposed mechanism and analyze simulation results by comparing our mechanism with other two algorithms to show that our mechanism is effective and efficient to detect the abnormal access behavior in ideological and political MOOCs.
5.1. Experimental Preparation
5.1.1. Experimental Environment
The simulations are conducted on Python with a computer configured with Intel(R) core (TM)i5-9400F, CPU 2.90 GHZ, 8 GB RAM.
In this paper, experiments are based on real dataset to verify the effectiveness and efficiency of the proposed algorithm. The real dataset comes from the statistical ideological and political MOOCs website of a university. The website uses Apache as the server, including an abnormal sample dataset and a normal sample dataset. The abnormal sample dataset includes 3964 abnormal requests, and the normal sample includes 55059 normal requests. The detailed information of the experimental dataset is shown in Table 1.
5.1.3. Data Preprocessing
Before detecting the web log data, it is necessary to preprocess the log data. Data preprocessing is a very important step in log analysis. The purpose is to transform the collected original data into a data format suitable for analysis and delete the noise data which is easy to cause interference to the experiment. In this paper, data preprocessing mainly includes data cleaning and data normalization. Data cleaning includes log filtering, log parsing, and antiobfuscation.
(1) Data Cleaning. The network abnormal behavior analysis based on Web log is to obtain the original data information from the web server and then analyze the web log. However, because users are random in the process of browsing the website, the web log will generate a lot of useless information, that is, the log records not related to intrusion detection; only for the relevant and accurate log information and only through modeling and analysis can we get accurate detection results. For example, the log with GIF and JPEG suffixes is the special data returned by the server to the user. Therefore, if the HTTP request repeatedly contains the log with JPEG, GIF, and CSS suffixes, it needs to be cleared. These log files are actually documenting embedded in the website and not the web pages actually requested by users. When attackers launch attacks, they usually use js obfuscation, URL encoding, and Unicode encoding to hide the intrusion behavior. Before intrusion detection on the request attribute of Web log, it is necessary to perform antiobfuscation, URL decoding, and Unicode decoding on the HTTP request to expose attack mode and eliminate all interference factors of subsequent intrusion detection. Through the data cleaning process, Web logs are converted into reliable data for security analysis. In addition, we need to de-duplicate the HTTP requests of Web logs and delete the duplicate HTTP request records, which can prevent the deviation of detection results caused by overlearning certain types of samples.
(2) Data Normalization. All feature attributes of the dataset processed by feature engineering are digital vectors. However, the dimension level of each attribute is inconsistent, so it is necessary to normalize all feature attributes. The purpose is to unify each feature attribute to the same dimension level according to the statistical distribution of the original feature attributes so that the features of different dimensions can be compared, and the contribution of each dimension to the classification results is the same. In this experiment, the range transformation method is used to standardize the feature data so that all the data are classified into [0, 1]. Through this method, the influence of different dimension levels between the original data on the classification results is solved.
5.2. Evaluation Indicators
To evaluate the performance of abnormal detection algorithms, we consider the effectiveness, detection efficiency, and availability of the algorithm. The effectiveness mainly shows the detection accuracy and reliability of the algorithm, which is regarded as the main index to evaluate the intrusion detection system, and is also the purpose of the design and development of intrusion detection system. The detection efficiency considers the speed of data processing in the detection system, including the training stage and detection stage. Usability measures the stability and error recovery ability of the detection system itself.
In essence, the abnormal detection model is a classifier for normal requests and abnormal requests, so we can use the evaluation index of the classifier to evaluate the performance of the anomaly detection model. In the field of machine learning, the most commonly used evaluation indicators are accuracy, recall, and F1-measure. These evaluation indicators are used to evaluate the effectiveness of the detection algorithm proposed in this paper. The accuracy represents the number of samples correctly classified divided by the total number of samples. In general, the higher the accuracy, the better the classifier effect. The precision represents how many of the samples predicted as positive samples are true positive samples. The recall refers to the ratio of the number of positive samples correctly predicted to the total number of correct samples predicted. The F1-measure is a weighted summed average of precision and recall. When F1-measure is higher, the method is more effective. Accuracy, precision, recall, and F1-measure are computed as follows:(1)True positive cases (TP): the number of samples that are predicted to be positive cases and are actually positive cases, that is, the prediction is correct(2)True negative cases (TN): the number of samples predicted to be negative cases, which is also negative cases, that is, the prediction is correct(3)False positive cases (FP): the number of samples that are predicted to be positive cases but actually are negative cases, that is, the prediction is error(4)False negative cases (FN): the number of samples predicted as negative cases but actually are positive cases, that is, the prediction is error
5.3. Experimental Results
In order to prove the effectiveness and efficiency of the proposed algorithm, this paper compares the proposed algorithm with detection algorithms and with Belief Network (BN) and SVM under different data volumes, aiming at accuracy, precision, recall, and F1-measure.
Accuracy is computed by formula (5), and the comparison experimental results of accuracy are shown in Figure 6. As shown in the figure, it can be seen that compared with the other two methods, the accuracy of this algorithm is always the highest under different sizes of experimental data, which proves that the proposed algorithm performs best in terms of accuracy.
Precision is computed by formula (6), and the comparison experimental results of precision are shown in Figure 7. As shown in the figure, it can be seen that compared with the other two methods, the precision of this algorithm is always the highest under different amount of experimental data, which proves that the proposed algorithm performs best in terms of precision.
Recall is computed by formula (7), and the comparison experimental results of recall are shown in Figure 8. As shown in the figure, it can be seen that compared with the other two methods, the recall of this algorithm is always the highest under different amount of experimental data, which proves that the proposed algorithm performs best in terms of recall.
F1-measure is computed by formula (8), and the comparison comparative experimental results of F1-measure are shown in Figure 9. As shown in the figure, it can be seen that compared with the other two methods, the F1-measure of this algorithm is always the highest under different amount of experimental data, which proves that the proposed algorithm performs best in terms of F1-measure.
With the rapid development of information network technology and the popularization of its application, MOOCs have been used in many courses in many domestic colleges and universities, including the ideological and political education course, which is very important to the ideological and moral education of college students. Aiming at the possible network access behavior in ideological and political MOOCs in colleges and universities, we construct the abnormal network behavior detection model based on deep learning to detect whether the network behavior is normal. In order to prove the effectiveness and efficiency of this algorithm, the algorithm proposed in this paper is compared with the other two network abnormal behavior detection methods. The experimental results show that the proposed method can effectively detect the abnormal access behavior in ideological and political MOOCs. Compared with the anomaly detection method based on traditional classification algorithm, the method based on deep learning can adaptively detect the abnormal network access behavior and does not need to manually mark features. However, there are some limitations in this paper. The datasets used in the simulations are not complex enough, which makes the application of the system very limited. In the future work, we apply the abnormal network behavior detection model based on deep learning to more data by adjusting the network structure and parameters and further study different complex scenarios.
The data used to support the findings of this study are available from the corresponding author upon request.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
E. Biersack, C. Callegari, and M. Matijasevic, Data Traffic Monitoring and Analysis, Springer Berlin Heidelberg, Heidelberg, Germany, 2013.
C. Xue and X. Yan, “Software defect prediction based on improved deep forest algorithm,” Computer Science, vol. 45, no. 8, pp. 160–165, 2018.View at: Google Scholar
H. Wang, H. Chen, and S. Liu, “Intrusion detection system based on improved Naive Bayes algorithm,” Computer Science, vol. 41, no. 4, pp. 111–115, 2013.View at: Google Scholar
Z. Chen, C. Du, and L. Huang, “Improving image classification performance with automatically hierarchical label clustering,” in Proceedings of the 24th International Conference on Pattern Recognition, pp. 1863–1868, Beijing, China, 2018.View at: Google Scholar
Z. H. Zhou and J. Feng, “Deep forest: towards an alternative to deep neural networks,” in Proceedings of the Twenty-Sixth International Joint Conference on Artificial Intelligence, Melbourne, Australia, 2017.View at: Google Scholar
S. Jin and D. S. Yeung, “A covariance analysis model for DDo S attack detection,” in Proceedings of the IEEE International Conference on Communications, pp. 1882–1886, Paris, France, 2004.View at: Google Scholar
P. Barford, J. Kline, D. Plonka et al., “A signal analysis of network traffic anomalies,” in Proceedings of the ACM Sigcomm Internet Measurement Workshop 2002, vol. 1, no. 1, pp. 71–82, New York, NY, USA, 2002.View at: Google Scholar
V. Alessandro, “Complex networks: the fragility of interdependency,” Nature, vol. 464, no. 7291, 2010.View at: Google Scholar
K. Fukushima and S. Miyake, “Neocognitron: a self-organizing neural network model for a mechanism of visual pattern recognition,” in Competition and Cooperation in Neural Nets, S. Amari and M. A. Arbib, Eds., vol. 45, Springer, Berlin, Germany, 1982, Lecture Notes in Biomathematics.View at: Google Scholar