CN106534224B - Intelligent network attack detection method and device - Google Patents

Info

Publication number: CN106534224B
Authority: CN (China)
Prior art keywords: data, network, submodule, feature set, learning system
Legal status: Active
Application number: CN201710050637.5A
Other languages: Chinese (zh)
Other versions: CN106534224A (en)
Inventor: 李克龙
Current Assignee: Chongqing Aoyang Technology Co ltd
Original Assignee: Individual

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An embodiment of the invention provides an intelligent network attack detection method and device. The method comprises: converting the feature set of a preset system into functions and importing them into the mathematical model of an established learning system; obtaining the basis of the feature set through a sparse algorithm and deriving a network protection feature set from it; constructing a recurrent neural network that extends and reasons over the basis functions in the network protection feature set to give early warning of new, variant network attack data packets; constructing a convolutional neural network to judge whether a data packet to be detected is harmful data; and adjusting the combination and number of the basis functions according to the preset system's and the learning system's judgment results for the data packet to be detected, so as to evolve the mathematical model of the learning system. Through its self-learning and adaptive capabilities, this detection approach can give early warning of new variant network attack data packets, and it offers automated extensibility and intelligence.

Description

Intelligent network attack detection method and device
Technical field
The present invention relates to the field of information security technology, and in particular to an intelligent network attack detection method and device.
Background
With the continuous development of computer network technology, the security problems of computer network systems have become increasingly severe, and the constant emergence of new attack modes makes network security problems more serious still. In the field of computer security, a traditional network protection device, the IPS (Intrusion Prevention System), describes the data features of malicious connections with regular expressions. Although this approach is accurate and efficient, it requires a large amount of manual maintenance, responds with a lag, and has no self-learning capability, so it cannot give early warning of or detect some variant, unknown attacks. How to realize an intelligent, automated network attack detection method is therefore an urgent problem.
Summary of the invention
In view of this, an object of the present invention is to provide an intelligent network attack detection method and device to solve the above problem.
A preferred embodiment of the present invention provides an intelligent network attack detection method, the method comprising:
converting the feature set of a preset system into functions and importing them into the mathematical model of an established learning system;
obtaining the basis of the feature set through a sparse algorithm, and obtaining a network protection feature set according to the basis;
building a recurrent neural network, and extending and reasoning over the basis functions in the network protection feature set to give early warning of new, variant network attack data packets;
building a convolutional neural network to judge whether a data packet to be detected is harmful data;
adjusting the combination and number of the basis functions according to the preset system's judgment result for the data packet to be detected and the learning system's judgment result for the data packet to be detected, so as to evolve the mathematical model of the learning system.
Another preferred embodiment of the present invention provides an intelligent network attack detection device, the device comprising a conversion module, an acquisition module, an expansion module, a judgment module and an adjustment module;
the conversion module is used to convert the feature set of a preset system into functions and import them into the mathematical model of an established learning system;
the acquisition module is used to obtain the basis of the feature set through a sparse algorithm, and to obtain a network protection feature set according to the basis;
the expansion module is used to build a recurrent neural network, and to extend and reason over the basis functions in the network protection feature set to give early warning of new, variant network attack data packets;
the judgment module is used to build a convolutional neural network to judge whether a data packet to be detected is harmful data;
the adjustment module is used to adjust the combination and number of the basis functions according to the preset system's judgment result for the data packet to be detected and the learning system's judgment result for the data packet to be detected, so as to evolve the mathematical model of the learning system.
The intelligent network attack detection method and device provided by the preferred embodiments of the present invention, on the one hand, master existing network attack rules by learning from and imitating the preset system, and use the self-learning and adaptive capabilities of the recurrent neural network to give early warning of new, variant network attack data packets. On the other hand, they use a convolutional neural network to detect harmful network data effectively. This network attack detection approach offers automated extensibility and intelligence.
To make the above objects, features and advantages of the present invention more apparent, preferred embodiments are described in detail below with reference to the accompanying drawings.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the embodiments are briefly introduced below. It should be understood that the following drawings show only certain embodiments of the present invention and should therefore not be regarded as limiting its scope; a person of ordinary skill in the art can obtain other related drawings from these drawings without creative effort.
Fig. 1 is a schematic block diagram of a data processing device provided by a preferred embodiment of the present invention.
Fig. 2 is a flowchart of an intelligent network attack detection method provided by a preferred embodiment of the present invention.
Fig. 3 is a flowchart of the sub-steps of step S105 in Fig. 2.
Fig. 4 is a flowchart of the sub-steps of step S107 in Fig. 2.
Fig. 5 is a flowchart of the sub-steps of step S109 in Fig. 2.
Fig. 6 is a functional block diagram of the intelligent network attack detection device provided by a preferred embodiment of the present invention.
Fig. 7 is a functional block diagram of the expansion module provided by a preferred embodiment of the present invention.
Fig. 8 is a functional block diagram of the judgment module provided by a preferred embodiment of the present invention.
Fig. 9 is a functional block diagram of the adjustment module provided by a preferred embodiment of the present invention.
Reference numerals: 100 - data processing device; 110 - intelligent network attack detection device; 111 - conversion module; 112 - acquisition module; 113 - expansion module; 1131 - acquisition submodule; 1132 - import submodule; 1133 - rule generation submodule; 1134 - reinforcement submodule; 114 - judgment module; 1141 - classification submodule; 1142 - processing submodule; 1143 - marking submodule; 115 - adjustment module; 1151 - establishing submodule; 1152 - comparison submodule; 1153 - adjusting submodule; 116 - alarm module; 120 - processor; 130 - memory.
Detailed description of the embodiments
To make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. The described embodiments are evidently some, not all, of the embodiments of the present invention. The components of the embodiments generally described and illustrated in the drawings herein can be arranged and designed in a variety of different configurations.
It should be noted that similar reference numerals and letters denote similar items in the following drawings; therefore, once an item has been defined in one drawing, it need not be further defined or explained in subsequent drawings.
Accordingly, the following detailed description of the embodiments of the invention provided in the drawings is not intended to limit the scope of the claimed invention, but merely represents selected embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 1 shows a schematic block diagram of the data processing device 100 provided by a preferred embodiment of the present invention. The data processing device 100 includes an intelligent network attack detection device 110, a processor 120 and a memory 130. The data processing device 100 can be a computer or any other computing device with data processing capability.
The memory 130 and the processor 120 are electrically connected, directly or indirectly, to transmit or exchange data, for example through one or more communication buses or signal lines. The intelligent network attack detection device 110 includes at least one software function module that can be stored in the memory 130 in the form of software or firmware, or built into the operating system (OS) of the data processing device 100. The processor 120 is used to execute the executable modules stored in the memory 130, such as the software function modules or computer programs included in the intelligent network attack detection device 110. The processor 120 executes the function module or program after receiving an execution instruction; the method performed by the server, as defined by the flow disclosed in any of the following embodiments of the present invention, may be applied to the processor 120 or implemented by the processor 120.
Fig. 2 is a flowchart of the intelligent network attack detection method provided by a preferred embodiment of the present invention. It should be noted that the method of the present invention is not limited to the particular order shown in Fig. 2 and described below. The specific flow and steps shown in Fig. 2 are described in detail below.
Step S101: convert the feature set of the preset system into functions and import them into the mathematical model of the established learning system.
Optionally, a data packet in the network contains a number of features, and these features can be split. The smallest unit obtained by splitting is called a basis. In this embodiment, the preset system is the legacy system contained in an existing traditional network protection device. When performing network attack detection, a traditional network protection device can only split and identify network attack data packets; it has difficulty giving advance warning of, or detecting, data packets that follow variant rules. In this embodiment it is therefore necessary to build, on the basis of imitating and learning from the legacy system, a learning system with self-learning and adaptive capabilities. The legacy system and the learning system are in an approximation relationship: the function of the learning system is similar to that of the legacy system.
For ease of description, before the mathematical model of the learning system is formally described, the data features of malicious connections described by traditional regular expressions are first modeled mathematically.
For example, the regular expression '^abc.*$' matches any string that begins with abc. To simplify the mathematical model, assume that this regular expression only handles the 26 lowercase letters; that is, the '.' in the regular expression stands for one element of the set of lowercase letters (excluding the empty element). Take the index of each element in the string as the x-axis and the set element represented by '.' as the y-axis. The pattern matched by the regular expression can then be expressed as a piecewise function, where each piece corresponds to one part of the pattern.
Optionally, after collecting network data packets, the legacy system analyzes and processes them, and the result can be expressed as a set of complex piecewise functions. So that the established learning system can learn from and imitate the legacy system, the piecewise functions that characterize the feature set in the legacy system are imported into the mathematical model of the learning system.
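The piecewise-function view of '^abc.*$' described above, written out as an added Python example (it is not code from the patent). The supported regex subset and the names `regex_to_pieces`, `allowed_at` and `matches` are assumptions of this example; the 26-letter alphabet is the page's own simplification.

```python
import string

# Page's simplifying assumption: the pattern only handles the 26 lowercase letters.
ALPHABET = frozenset(string.ascii_lowercase)


def regex_to_pieces(pattern):
    """Translate a restricted, fully anchored regex into piecewise-function pieces.

    Supported syntax (hypothetical subset chosen for this example):
    '^', '$', lowercase literals, '.', and '*' on the final element only.
    Each piece is (x_start, x_end, allowed); x_end is None when unbounded.
    """
    if len(pattern) < 2 or pattern[0] != "^" or pattern[-1] != "$":
        raise ValueError("only fully anchored patterns are modelled")
    body = pattern[1:-1]
    pieces, x, i = [], 0, 0
    while i < len(body):
        ch = body[i]
        if ch == ".":
            allowed = ALPHABET            # '.' = any element of the letter set
        elif ch in ALPHABET:
            allowed = frozenset(ch)       # a literal pins y to a single value
        else:
            raise ValueError(f"unsupported element {ch!r}")
        if i + 1 < len(body) and body[i + 1] == "*":
            if i + 2 != len(body):
                raise ValueError("'*' is only supported on the final element")
            pieces.append((x, None, allowed))   # unbounded tail piece
            i += 2
        else:
            pieces.append((x, x + 1, allowed))  # piece covering one index
            x += 1
            i += 1
    return pieces


def allowed_at(pieces, x):
    """Evaluate the piecewise function: the set of y values permitted at index x."""
    for start, end, allowed in pieces:
        if x >= start and (end is None or x < end):
            return allowed
    return frozenset()  # x lies beyond the domain of the function


def matches(pieces, text):
    """True when every (x, y) point of `text` lies on the piecewise function."""
    fixed = sum(1 for _, end, _ in pieces if end is not None)
    if len(text) < fixed:
        return False  # a mandatory piece has no character to test
    return all(ch in allowed_at(pieces, x) for x, ch in enumerate(text))


if __name__ == "__main__":
    pieces = regex_to_pieces("^abc.*$")
    for start, end, allowed in pieces:
        span = f"[{start}, {'inf' if end is None else end})"
        print(span, "".join(sorted(allowed)))
    # Constructed sample strings.
    for sample in ["abc", "abcxyz", "abx", "ab", "abcX"]:
        print(repr(sample), matches(pieces, sample))
```

Note that "abcX" is rejected here although a real regex engine would accept it: the model inherits the page's lowercase-only assumption, so any imported rule has to state its alphabet explicitly.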
Step S103: obtain the basis of the feature set through a sparse algorithm, and obtain a network protection feature set according to the basis.
Optionally, the purpose of sparse representation is to represent data with as few atoms as possible from a given overcomplete data set. This yields a more concise representation of the data, which makes it easier to extract the information the data contains.
In this embodiment, a sparse algorithm is used to obtain the basis of the feature set in the legacy system. The basis is the indivisible smallest unit from which the whole feature set can be composed. A network protection feature set in a more concise form is composed from the basis obtained.
Step S105: build a recurrent neural network, and extend and reason over the basis functions in the network protection feature set to give early warning of new, variant network attack data packets.
In a traditional neural network model, data flows from the input layer to the hidden layer and then to the output layer; adjacent layers are fully connected, while the nodes within each layer are not connected to one another. Such an ordinary neural network cannot solve many problems. For example, predicting the next word of a sentence generally requires the preceding words, because the words in a sentence are not independent of one another. In a recurrent neural network, the current output for a sequence also depends on the previous outputs. Concretely, the network remembers earlier information and applies it to the computation of the current output: the input of the hidden layer includes not only the output of the input layer but also the output of the hidden layer at the previous time step.
Specifically, referring to Fig. 3, step S105 may include four sub-steps: step S1051, step S1053, step S1055 and step S1057.
Step S1051: build a recurrent neural network, and obtain the basis functions in the rule set from the network protection feature set.
In the network protection feature set, data of the same class have high similarity, while data of different classes have low similarity. Using machine learning methods, basis functions with high similarity are clustered to obtain the basis functions in the rule set.
Step S1053: import the obtained basis functions into the recurrent neural network.
Step S1055: relying on the self-learning capability of the recurrent neural network, pass data flows through the recurrent neural network so that it generates variant rules for the various types of data in the network.
Optionally, a large amount of experimental data can be passed through the recurrent neural network so that it develops sufficient adaptability to the massive data flows in a network. Using its own self-learning capability, the recurrent neural network generates variant rules for network attack data packets through extension, reasoning and the like. For example, one known network attack works by replacing a certain field in a data packet, e.g. replacing the field with a, b or c; this replacement pattern is a known harmful one. Through its own learning ability, the recurrent neural network looks for attack data packets whose feature set has the form of the field being replaced with, for instance, p or f. If such a replacement form is found, the variant rule is stored.
Step S1057: reinforce the recurrent neural network according to the generated variant rules, so as to give early warning of new, variant network attack data packets.
Optionally, the generated variant rules for network attack data packets can be used to update the recurrent neural network system, enabling it to give early warning of new variant network attack data packets that may appear.
Step S107: build a convolutional neural network to judge whether a data packet to be detected is harmful data.
Specifically, referring to Fig. 4, step S107 may include three sub-steps: step S1071, step S1073 and step S1075.
Step S1071: build a convolutional neural network, classify and mark the data packets to be detected according to the distribution of the basis functions, and build the data packets to be detected that belong to the same class into one set.
Optionally, in this embodiment, each data packet to be detected is marked according to the distribution of the basis functions. For example, a data packet that contains a particular basis is marked 1 and one that does not is marked 0. Associated data packets to be detected can then form a set, such as a matrix.
Step S1073: crop or extend the constructed set to form a new set of a preset size that contains the data packets to be detected.
Optionally, in actual operation, a convolutional neural network places certain requirements on the shape and size of the data it processes. The form and size of the matrix formed from the data packets therefore need to be converted before detection. In a specific implementation, suppose for example that the convolutional neural network processes n*n matrices. When the matrix formed from the data packets to be detected is larger than n*n, it is cropped to form a standard n*n matrix that the convolutional neural network can process. When it is smaller than n*n, it is extended to form a standard n*n matrix that the convolutional neural network can process. Optionally, in practical applications the matrix size that the convolutional neural network can process may be adjusted dynamically; its specific value is not limited in this embodiment.
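The 0/1 marking of step S1071 and the crop-or-extend conversion of step S1073, as an added Python example (not code from the patent). The byte-string bases, the sample payloads, top-left cropping, zero padding and the helper `dropped_marks` are all assumptions of this example; the patent does not specify how a matrix is cropped or extended.

```python
# Constructed sample bases: byte patterns standing in for the "bases" of the
# network protection feature set (assumption; the patent does not list any).
BASES = [b"abc", b"GET ", b"\x90\x90", b"passwd"]

# Constructed sample payloads, one per data packet to be detected.
PACKETS = [
    b"GET /index.html HTTP/1.1",
    b"abc GET /etc/passwd",
    b"\x00\x01\x02\x03",
]


def mark_packet(payload, bases):
    """Return one 0/1 mark per basis: 1 if the payload contains it, else 0."""
    return [1 if basis in payload else 0 for basis in bases]


def build_matrix(packets, bases):
    """Rows are packets, columns are bases (the 'set' built in step S1071)."""
    return [mark_packet(payload, bases) for payload in packets]


def fit_to_square(matrix, n, fill=0):
    """Crop or extend `matrix` to exactly n x n (step S1073).

    Assumptions of this example: cropping keeps the top-left corner and
    extension pads with `fill` on the right and at the bottom.
    """
    if n <= 0:
        raise ValueError("n must be positive")
    width = len(matrix[0]) if matrix else 0
    if any(len(row) != width for row in matrix):
        raise ValueError("matrix rows must all have the same length")
    fitted = []
    for row in matrix[:n]:                      # crop surplus rows
        kept = list(row[:n])                    # crop surplus columns
        fitted.append(kept + [fill] * (n - len(kept)))  # pad short rows
    while len(fitted) < n:                      # pad missing rows
        fitted.append([fill] * n)
    return fitted


def dropped_marks(matrix, n):
    """Count the 1-marks that cropping to n x n would discard.

    A non-zero result means the fixed input size hides basis hits from the
    classifier, which is a reason to raise n or to split the set.
    """
    total = sum(sum(row) for row in matrix)
    kept = sum(sum(row[:n]) for row in matrix[:n])
    return total - kept


if __name__ == "__main__":
    matrix = build_matrix(PACKETS, BASES)
    print("raw   :", matrix)
    print("n = 4 :", fit_to_square(matrix, 4), "dropped", dropped_marks(matrix, 4))
    print("n = 2 :", fit_to_square(matrix, 2), "dropped", dropped_marks(matrix, 2))
```

With n = 2 the mark for the fourth basis on the second packet is cut away, so the cropped input no longer carries that hit; tracking the dropped count makes this loss visible.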
Step S1075: judge whether the data packets to be detected in the new set are harmful data; if so, mark and store those data packets.
The converted data packets to be detected are checked against the variant rules for new network attack data packets generated above. If the feature rules of a data packet to be detected fall within the scope of the generated variant rules, the data packet is judged to be harmful data. The data packet is also marked and stored for subsequent processing.
Step S109: adjust the combination and number of the basis functions according to the preset system's judgment result for the data packet to be detected and the learning system's judgment result for the data packet to be detected, so as to evolve the mathematical model of the learning system.
Specifically, referring to Fig. 5, step S109 may include three sub-steps: step S1091, step S1093 and step S1095.
Step S1091: establish a bypass on the network interface so that the learning system and the preset system receive the same input data.
After the learning system model has been obtained through the above process, the legacy system needs to be associated with the learning system model. Optionally, a bypass is established on the network interface so that the legacy system and the learning system receive the same input data, and so that the learning system can learn from the legacy system's detection results for the data packets to be detected.
Step S1093: compare the preset system's judgment result for the data packet to be detected with the learning system's judgment result for the data packet to be detected.
Step S1095: when the judgment result of the learning system is inconsistent with the judgment result of the preset system, adjust the combination and number of the basis functions to evolve the mathematical model of the learning system.
Optionally, in this embodiment, the learning system is built on the basis of imitating and learning from the legacy system. When the legacy system and the learning system reach inconsistent judgments on a data packet to be detected, the basis functions of the learning system need to be checked to confirm whether the established basis functions contain errors, and the combination and number of the basis functions in the feature set are adjusted, thereby further evolving the mathematical model of the learning system.
Step S111: use the learning system to detect unknown data packets in a real network environment, and raise an alarm when a data packet to be detected is judged to be harmful data.
Optionally, after simulated detection has been carried out on the established learning system, the learning system can be applied in a real network environment to detect network attacks there. If the network environment contains data to be detected that is judged to be harmful data, an alarm is raised.
It should be noted that in this step, the learning system's judgment of a data packet to be detected cannot, in practical applications, serve as the absolute basis for concluding that a network attack is taking place. A network system runs in a complex environment and its state is determined by many factors; a single factor can hardly determine whether a network data packet is harmful, so the judgment must take multiple data packets and the state of the whole network into account. When the detection device determines with certainty that a data packet to be detected is harmful, it can make the judgment directly without human intervention. When the detection device only judges with high probability that the data packet is harmful and cannot be fully certain, human intervention is needed to assist in the network attack judgment.
Referring to Fig. 6, the function module frame of the intelligent network attack detecting device 110 provided for present pre-ferred embodiments Figure.The intelligent network attack detecting device 110 includes conversion module 111, acquisition module 112, expansion module 113, judges mould Block 114, adjustment module 115 and alarm module 116.The specific functional modules shown in Fig. 6 will be described in detail below.
The conversion module 111 is used to the feature set of predetermined system is converted into function and imported into the learning system of foundation Mathematical model in.Specifically, which can be used for performing the step S101 shown in Fig. 2, specific operating method Refer to the detailed description of step S101.
The acquisition module 112 is used for the base that the feature set is obtained by Corresponding Sparse Algorithm, and obtains net according to the base Network protects feature set.Specifically, which can be used for performing the step S103 shown in Fig. 2, specific operating method Refer to the detailed description of step S103.
The expansion module 113 be used for build Recognition with Recurrent Neural Network, to the basic function in the network protection feature set into Row extension and reasoning, with the new network attack data packet of early warning mutation.Specifically, which can be used for performing Fig. 2 Shown in step S105, specific operating method refers to the detailed description of step S105.
The judgment module 114 is used to build convolutional neural networks, to judge whether data to be tested bag is harmful data. Specifically, which can be used for performing the step S107 shown in Fig. 2, and specific operating method refers to step The detailed description of S107.
The adjustment module 115 is used for according to the predetermined system to the judging result of the data to be tested bag and described Learning system is adjusted to evolve combination and quantity of the judging result of the data to be tested bag to the basic function State the mathematical model of learning system.Specifically, which can be used for performing the step S109 shown in Fig. 2, specifically Operating method refers to the detailed description of step S109.
The alarm module 116 is used for using the unknown data bag in learning system detection real network environment, During in the presence of the data to be tested bag for being determined as harmful data, alarm is carried out.Specifically, which can be used for holding Step S111 shown in row Fig. 2, specific operating method refer to the detailed description of step S111.
Specifically, referring to Fig. 7, the expansion module 113 includes acquisition submodule 1131, imports submodule 1132, rule Then generate submodule 1133 and reinforce submodule 1134.
The acquisition submodule 1131 is used to build Recognition with Recurrent Neural Network, and rule is obtained from the network protection feature set The basic function of concentration.Specifically, which can be used for performing the step S1051 shown in Fig. 3, specific operation Method refers to the detailed description of step S1051.
The importing submodule 1132 is used to the basic function of acquisition importeding into the Recognition with Recurrent Neural Network.Specifically Ground, the importing submodule 1132 can be used for performing the step S1053 shown in Fig. 3, and specific operating method refers to step The detailed description of S1053.
The rule generation submodule 1133 is used for the self-learning capability according to the Recognition with Recurrent Neural Network, using passing through The data flow of Recognition with Recurrent Neural Network is stated so that Recognition with Recurrent Neural Network generation is directed to the mutation rule of data various types of in network Then.Specifically, rule generation submodule 1133 can be used for performing the step S1055 shown in Fig. 3, and specific operating method can With reference to the detailed description of step S1055.
The submodule 1134 of reinforcing is used to reinforce the Recognition with Recurrent Neural Network according to the mutation rule of generation with pre- The new network attack data packet of alert mutation.Specifically, the step of which can be used for performing shown in Fig. 3 S1057, specific operating method refer to the detailed description of step S1057.
Specifically, referring to Fig. 8, the judgment module 114 include classification submodule 1141, processing submodule 1142 and Mark submodule 1143.
The classification submodule 1141 is used to build convolutional neural networks, according to the distribution of the basic function by number to be detected Key words sorting is carried out according to bag, belongs to the of a sort data to be tested bag and is built into a set.Specifically, the classification submodule Block 1141 can be used for performing the step S1071 shown in Fig. 4, and specific operating method refers to the detailed description of step S1071.
The processing submodule 1142 is used to the set of structure is cut or be extended, and forms the bag of default size New set containing the data to be tested bag.Specifically, the step of which can be used for performing shown in Fig. 4 S1073, specific operating method refer to the detailed description of step S1073.
The mark submodule 1143 is used to judge whether data to be tested bag is harmful data described in the new set, If harmful data, then the data to be tested bag is marked and stored.Specifically, which can be used for The step S1075 shown in Fig. 4 is performed, specific operating method refers to the detailed description of step S1075.
Specifically, referring to Fig. 9, the adjustment module 115 includes an establishing submodule 1151, a comparison submodule 1152 and an adjustment submodule 1153.
The establishing submodule 1151 is configured to establish a bypass on the network interface so that the learning system and the preset system receive the same input data. Specifically, the establishing submodule 1151 can be used to perform step S1091 shown in Fig. 5; for the specific operating method, refer to the detailed description of step S1091.
The comparison submodule 1152 is configured to compare the judgment result of the preset system on the data packet to be detected with the judgment result of the learning system on the data packet to be detected. Specifically, the comparison submodule 1152 can be used to perform step S1093 shown in Fig. 5; for the specific operating method, refer to the detailed description of step S1093.
The adjustment submodule 1153 is configured to adjust the combination and number of the basis functions, when the judgment result of the learning system is inconsistent with the judgment result of the preset system, so as to evolve the mathematical model of the learning system. Specifically, the adjustment submodule 1153 can be used to perform step S1095 shown in Fig. 5; for the specific operating method, refer to the detailed description of step S1095.
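The bypass comparison carried out by submodules 1151 to 1153 (steps S1091, S1093 and S1095) can be sketched as follows; this is an added example, not code from the patent. The basis functions, the signature-based stand-in for the preset system, the perceptron-style weight update used as the adjustment, and all packets are assumptions constructed for illustration.

```python
# Hypothetical basis functions: minimal predicates over a packet payload.
BASIS = {
    "sql_union": lambda p: b"union select" in p.lower(),
    "path_traversal": lambda p: b"../" in p,
    "script_tag": lambda p: b"<script" in p.lower(),
    "long_payload": lambda p: len(p) > 64,   # distractor: length alone is not harmful
}

# Constructed sample traffic, seen identically by both systems (the bypass).
PACKETS = [
    b"GET /index.html HTTP/1.1",
    b"GET /item?id=1 UNION SELECT user,pass FROM accounts",
    b"GET /download?file=../../etc/passwd",
    b"POST /comment body=<script>alert(1)</script>",
    b"GET /search?q=" + b"a" * 80,
    b"GET /search?q=" + b"a" * 60 + b" union select 1",
]

def preset_verdict(payload):
    """Stand-in for the preset (legacy) system: fixed signature rules."""
    low = payload.lower()
    return b"union select" in low or b"../" in payload or b"<script" in low

class LearningSystem:
    """Weighted combination of basis functions; harmful when the score is positive."""
    def __init__(self, basis):
        self.basis = basis
        self.weights = {name: 0 for name in basis}
        self.bias = 0

    def features(self, payload):
        return {name: int(fn(payload)) for name, fn in self.basis.items()}

    def verdict(self, payload):
        f = self.features(payload)
        return self.bias + sum(self.weights[n] * f[n] for n in f) > 0

    def adjust(self, payload, target):
        # Assumed adjustment rule: perceptron step toward the preset verdict.
        step = 1 if target else -1
        for name, value in self.features(payload).items():
            self.weights[name] += step * value
        self.bias += step

    def active_basis(self):
        # Basis functions that currently push a packet toward "harmful".
        return sorted(n for n, w in self.weights.items() if w > 0)

def shadow_run(learner, packets, max_epochs=10):
    """Compare verdicts on identical input; adjust on each disagreement.
    Returns the number of disagreements seen in each pass over the traffic."""
    history = []
    for _ in range(max_epochs):
        disagreements = 0
        for payload in packets:
            expected = preset_verdict(payload)
            if learner.verdict(payload) != expected:
                learner.adjust(payload, expected)
                disagreements += 1
        history.append(disagreements)
        if disagreements == 0:
            break
    return history

if __name__ == "__main__":
    learner = LearningSystem(BASIS)
    print(shadow_run(learner, PACKETS), learner.weights, learner.active_basis())
```

After convergence the learner agrees with the preset system on every mirrored packet, yet a packet that combines a traversal sequence with a long payload is still scored as harmless, which is why the comparison has to keep running on live traffic rather than stop at first agreement.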
In conclusion intelligent network attack detection method provided by the invention and device, on the one hand by legacy system Study and imitate to realize the grasp to existing network attack rule, and pass through the self study of Recognition with Recurrent Neural Network, adaptive Should be able to power, with the new network attack data packet of early warning mutation.On the other hand, by convolutional neural networks, to realize to network Attack effective detection of harmful data.The network attack detection mode, possess automation extension and it is intelligent.
In the several embodiments provided herein, it should be understood that the disclosed apparatus and method can also be implemented in other ways. The device embodiments described above are only schematic; for example, the flow charts and block diagrams in the drawings show the possible architecture, functions and operation of devices, methods and computer program products according to multiple embodiments of the present invention. In this regard, each block in a flow chart or block diagram can represent a module, a program segment or a part of code, and the module, program segment or part of code contains one or more executable instructions for implementing the specified logic function. It should also be noted that, in some alternative implementations, the functions marked in the blocks can occur in an order different from that marked in the drawings. For example, two consecutive blocks can in fact be executed substantially in parallel, and they can sometimes be executed in the opposite order, depending on the functions involved. It should also be noted that each block in a block diagram and/or flow chart, and each combination of blocks in a block diagram and/or flow chart, can be implemented by a dedicated hardware-based system that performs the specified functions or actions, or by a combination of dedicated hardware and computer instructions.
In addition, the function modules in each embodiment of the present invention can be integrated to form one independent part, each module can exist separately, or two or more modules can be integrated to form one independent part.
If the functions are implemented in the form of software function modules and sold or used as an independent product, they can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or a part of the technical solution, can be embodied in the form of a software product. The computer software product is stored in a storage medium and includes instructions that cause a computer device (which can be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods of the embodiments of the present invention.
It should be noted that the terms "include", "comprise" and any other variants of them are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements that are not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of further restrictions, an element limited by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, article or device that includes the element.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the invention; for those skilled in the art, the invention may have various modifications and variations. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the invention shall be included in the protection scope of the present invention. It should be noted that similar reference numerals and letters denote similar items in the following drawings; therefore, once an item is defined in one drawing, it does not need to be further defined and explained in subsequent drawings.

Claims (6)

  1. An intelligent network attack detection method, characterized in that the method includes:
    The feature set of a preset system is converted into functions and imported into the mathematical model of an established learning system;
    The feature set of the preset system is reduced by a sparse algorithm to obtain the indivisible minimum units that form the feature set, the minimum units are taken as the basis of the feature set, and a network protection feature set is obtained according to the basis;
    A recurrent neural network is built, and the basis functions in the network protection feature set are extended and reasoned over, to give early warning of new variant network attack data packets;
    A convolutional neural network is built to judge whether a data packet to be detected is harmful data;
    The combination and number of the basis functions are adjusted, according to the judgment result of the preset system on the data packet to be detected and the judgment result of the learning system on the data packet to be detected, to evolve the mathematical model of the learning system;
    The step of building a recurrent neural network, and extending and reasoning over the basis functions in the network protection feature set to give early warning of new variant network attack data packets, includes:
    A recurrent neural network is built, and the basis functions in the rule set are obtained from the network protection feature set;
    The obtained basis functions are imported into the recurrent neural network;
    According to the self-learning capability of the recurrent neural network, the data flow passing through the recurrent neural network is used so that the recurrent neural network generates variant rules for the various types of data in the network;
    The recurrent neural network is reinforced according to the generated variant rules to give early warning of new variant network attack data packets;
    The step of building a convolutional neural network to judge whether a data packet to be detected is harmful data includes:
    A convolutional neural network is built, the data packets to be detected are classified and labelled according to the distribution of the basis functions, and the data packets to be detected that belong to the same class are built into one set;
    The built set is cropped or extended to form a new set of preset size that contains the data packets to be detected;
    Whether the data packets to be detected in the new set are harmful data is judged, and if they are harmful data, the data packets to be detected are marked and stored.
  2. The intelligent network attack detection method according to claim 1, characterized in that the method further includes: using the learning system to detect unknown data packets in a real network environment, and raising an alarm when there is a data packet to be detected that is judged to be harmful data.
  3. The intelligent network attack detection method according to claim 1, characterized in that the step of adjusting the combination and number of the basis functions, according to the judgment result of the preset system on the data packet to be detected and the judgment result of the learning system on the data packet to be detected, to evolve the mathematical model of the learning system includes:
    A bypass is established on the network interface so that the learning system and the preset system receive the same input data;
    The judgment result of the preset system on the data packet to be detected is compared with the judgment result of the learning system on the data packet to be detected;
    When the judgment result of the learning system is inconsistent with the judgment result of the preset system, the combination and number of the basis functions are adjusted to evolve the mathematical model of the learning system.
  4. An intelligent network attack detection device, characterized in that the device includes a conversion module, an acquisition module, an expansion module, a judgment module and an adjustment module;
    The conversion module is configured to convert the feature set of a preset system into functions and import them into the mathematical model of an established learning system;
    The acquisition module is configured to reduce the feature set of the preset system by a sparse algorithm to obtain the indivisible minimum units that form the feature set, to take the minimum units as the basis of the feature set, and to obtain a network protection feature set according to the basis;
    The expansion module is configured to build a recurrent neural network and to extend and reason over the basis functions in the network protection feature set, to give early warning of new variant network attack data packets;
    The judgment module is configured to build a convolutional neural network to judge whether a data packet to be detected is harmful data;
    The adjustment module is configured to adjust the combination and number of the basis functions, according to the judgment result of the preset system on the data packet to be detected and the judgment result of the learning system on the data packet to be detected, to evolve the mathematical model of the learning system;
    The expansion module includes an acquisition submodule, an import submodule, a rule generation submodule and a reinforcement submodule:
    The acquisition submodule is configured to build a recurrent neural network and to obtain the basis functions in the rule set from the network protection feature set;
    The import submodule is configured to import the obtained basis functions into the recurrent neural network;
    The rule generation submodule is configured to use the self-learning capability of the recurrent neural network and the data flow passing through the recurrent neural network so that the recurrent neural network generates variant rules for the various types of data in the network;
    The reinforcement submodule is configured to reinforce the recurrent neural network according to the generated variant rules to give early warning of new variant network attack data packets;
    The judgment module includes a classification submodule, a processing submodule and a marking submodule;
    The classification submodule is configured to build a convolutional neural network and to classify and label the data packets to be detected according to the distribution of the basis functions, the data packets to be detected that belong to the same class being built into one set;
    The processing submodule is configured to crop or extend the built set to form a new set of preset size that contains the data packets to be detected;
    The marking submodule is configured to judge whether the data packets to be detected in the new set are harmful data and, if they are harmful data, to mark and store the data packets to be detected.
  5. The intelligent network attack detection device according to claim 4, characterized in that the device further includes an alarm module;
    The alarm module is configured to use the learning system to detect unknown data packets in a real network environment and to raise an alarm when there is a data packet to be detected that is judged to be harmful data.
  6. The intelligent network attack detection device according to claim 4, characterized in that the adjustment module includes an establishing submodule, a comparison submodule and an adjustment submodule;
    The establishing submodule is configured to establish a bypass on the network interface so that the learning system and the preset system receive the same input data;
    The comparison submodule is configured to compare the judgment result of the preset system on the data packet to be detected with the judgment result of the learning system on the data packet to be detected;
    The adjustment submodule is configured to adjust the combination and number of the basis functions, when the judgment result of the learning system is inconsistent with the judgment result of the preset system, to evolve the mathematical model of the learning system.
CN201710050637.5A 2017-01-23 2017-01-23 Intelligent network attack detection method and device Active CN106534224B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710050637.5A CN106534224B (en) 2017-01-23 2017-01-23 Intelligent network attack detection method and device

Publications (2)

Publication Number Publication Date
CN106534224A CN106534224A (en) 2017-03-22
CN106534224B true CN106534224B (en) 2018-04-20

Family

ID=58337074

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710050637.5A Active CN106534224B (en) 2017-01-23 2017-01-23 Intelligent network attack detection method and device

Country Status (1)

Country Link
CN (1) CN106534224B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108156130B (en) * 2017-03-27 2020-12-08 上海观安信息技术股份有限公司 Network attack detection method and device
CN107819790A (en) * 2017-12-08 2018-03-20 中盈优创资讯科技有限公司 The recognition methods of attack message and device
CN108418792B (en) * 2018-01-29 2020-12-22 华北电力大学 Network escape behavior detection method based on deep cycle neural network
CN109302401B (en) * 2018-10-25 2021-07-09 国家电网有限公司 Information security protection method and device
CN109743303B (en) * 2018-12-25 2021-10-01 中国移动通信集团江苏有限公司 Application protection method, device, system and storage medium
CN111026917B (en) * 2019-11-07 2021-07-20 中国科学院计算技术研究所 Data packet classification method and system based on convolutional neural network
CN111865959B (en) * 2020-07-14 2021-04-27 南京聚铭网络科技有限公司 Detection method and device based on multi-source safety detection framework

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103748987B (en) * 2009-07-14 2011-01-12 北京理工大学 A kind of automatic update method of the attack knowledge based on fuzzy neural network
CN102789593A (en) * 2012-06-18 2012-11-21 北京大学 Intrusion detection method based on incremental GHSOM (Growing Hierarchical Self-organizing Maps) neural network
CN103179105A (en) * 2012-10-25 2013-06-26 四川省电力公司信息通信公司 Intelligent Trojan horse detecting device based on behavior features in network flows and method thereof
US8521667B2 (en) * 2010-12-15 2013-08-27 Microsoft Corporation Detection and categorization of malicious URLs
CN104486141A (en) * 2014-11-26 2015-04-01 国家电网公司 Misdeclaration self-adapting network safety situation predication method

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101626322B (en) * 2009-08-17 2011-06-01 中国科学院计算技术研究所 Method and system of network behavior anomaly detection
CN102724199B (en) * 2012-06-26 2015-09-02 北京航空航天大学 Based on the intention recognition method of Bayesian Network Inference
CN104811452A (en) * 2015-04-30 2015-07-29 北京科技大学 Data mining based intrusion detection system with self-learning and classified early warning functions


Publication number Publication date
CN106534224A (en) 2017-03-22

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220429

Address after: 400000 15-4, unit 2, No. 99, Wuyi Road, Yuzhong District, Chongqing

Patentee after: Chongqing Aoyang Technology Co.,Ltd.

Address before: 400020 17-6, No. 360-21, Huaxin village, Jiangbei District, Chongqing

Patentee before: Yu Yang

Patentee before: Li Kelong