CN108881265B - Network attack detection method and system based on artificial intelligence - Google Patents


Info

Publication number: CN108881265B
Authority: CN (China)
Prior art keywords: attack, network, data, response, module
Legal status: Active
Application number: CN201810714155.XA
Other languages: Chinese (zh)
Other versions: CN108881265A (en)
Inventors: 蒋劭捷, 张鑫
Current Assignee: Beijing Hongxiang Technical Service Co Ltd
Original Assignee: Beijing Qihoo Technology Co Ltd

Application filed by Beijing Qihoo Technology Co Ltd
Priority to CN201810714155.XA
Publication of CN108881265A
Application granted
Publication of CN108881265B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection

Abstract

The invention discloses a network attack detection method and system based on artificial intelligence. The method comprises the following steps: collecting network data of a target host; extracting features to be detected from the network data; and importing the features to be detected into a pre-established artificial intelligence model, classifying the features to be detected through the artificial intelligence model, and determining, according to the classification result, whether the target host is under network attack and the attack type of the network attack. The method and system use artificial intelligence technology to detect network attack behaviour, which greatly reduces the chance that an attacker bypasses detection, so that more network attacks can be found.

Description

Network attack detection method and system based on artificial intelligence
Technical Field
The invention relates to the technical field of network security, in particular to a network attack detection method and system based on artificial intelligence.
Background
With the continuous development of computer technology and the spread of the Internet, new forms of network attack appear constantly, network security problems are increasingly prominent, and the social impact and economic loss caused by network attacks grow larger and larger, which places new requirements and challenges on network threat detection and defence. Abnormal network traffic is one of the main network security threats at present and a key object of network security monitoring. If abnormal network traffic can be found quickly and accurately, malicious code can be captured, analysed, tracked and monitored accurately and in time, and knowledge support can be provided for evaluating network security situation indices and for defensive decision making, so that the overall response capability of a network security emergency organization is improved.
The traditional network attack detection method mainly describes the characteristics of known network attacks in a deterministic manner, forms corresponding rules, collects the rules into a feature library, and then compares the collected network data with the rules in the feature library one by one. If the collected network data matches a rule in the feature library during this one-by-one comparison, it indicates an intrusion. The traditional method can accurately detect known network attacks, but because it depends on hand-written rules its flexibility is poor and its missed-detection (false negative) rate is high.
Disclosure of Invention
The invention aims to solve the problems of poor flexibility and high missed-detection rate of the traditional network attack detection method.
The invention is realized by the following technical scheme:
a network attack detection method based on artificial intelligence comprises the following steps:
collecting network data of a target host;
extracting features to be detected from the network data;
and importing the features to be detected into a pre-established artificial intelligence model, classifying the features to be detected through the artificial intelligence model, and determining whether the target host is under network attack and the attack type of the network attack according to the classification result.
Optionally, the extracting the feature to be detected from the network data includes:
extracting request data from the network data, wherein the request data is used for initiating a request service to the target host;
and extracting the features to be detected from the request data.
Optionally, before importing the feature to be detected into the pre-established artificial intelligence model, the method further includes:
and establishing the artificial intelligence model.
Optionally, the establishing the artificial intelligence model includes:
collecting model training data;
extracting the characteristics of the known network attacks from the model training data to obtain attack characteristic data;
classifying the attack characteristic data to obtain a training sample;
and carrying out model training according to the training samples to obtain the artificial intelligence model.
Optionally, the collecting model training data includes:
collecting one or more of: attack data published on the Internet, vulnerability data published on the Internet, attack data collected by the target host, and vulnerability data collected by the target host.
Optionally, the performing model training according to the training sample includes:
and performing model training by adopting a naive Bayes algorithm according to the training sample.
Optionally, after determining the network attack on the target host and the attack type of the network attack according to the classification result, the method further includes:
detecting whether the network attack is successful;
and if the network attack is successful, obtaining the attack action of the successful network attack.
Optionally, the detecting whether the network attack is successful includes:
extracting features to be compared from the network data;
comparing the features to be compared one by one with one or more attack response rules in a pre-established feature library, wherein each attack response rule is formed according to first response data, and the first response data is the data with which an attacked host answered a successful attack request;
and if the features to be compared match an attack response rule, judging that the network attack is successful.
Optionally, the extracting the features to be compared from the network data includes:
extracting second response data from the network data, wherein the second response data is used for the target host to answer the request service;
and extracting the features to be compared from the second response data.
Optionally, the extracting the features to be compared from the network data includes:
extracting request data and second response data from the network data, wherein the request data is used for initiating a request service to the target host, and the second response data is used for responding the request service by the target host;
and extracting the features to be compared from the request data and the second response data.
Optionally, before comparing the features to be compared with one or more attack response rules in a pre-established feature library one by one, the method further includes:
and establishing the feature library.
Optionally, the establishing the feature library includes:
creating a database;
correspondingly extracting one or more attack response characteristics from one or more pieces of first response data;
describing each attack response characteristic in a deterministic manner to form one or more attack response rules;
and storing the one or more attack response rules in the database to obtain the feature library.
Optionally, the feature library includes N sub-feature libraries, where N is an integer not less than 2, and the establishing the feature library includes:
creating N databases;
correspondingly extracting two or more attack response characteristics from two or more pieces of first response data;
describing each attack response characteristic in a deterministic manner to form two or more attack response rules;
and storing those of the two or more attack response rules that belong to the same attack type in the same database to obtain the sub-feature libraries.
Optionally, the one-by-one comparison of the features to be compared with one or more attack response rules in a pre-established feature library includes:
comparing the features to be compared one by one with the one or more attack response rules in the sub-feature library corresponding to the attack type of the network attack.
Optionally, the performing deterministic description on each attack response feature includes:
and performing deterministic description on each attack response characteristic by adopting a regular expression.
Optionally, obtaining the attack action of the successful network attack includes:
establishing an association between each attack response rule in the feature library and an attack action;
and determining, according to the association between each attack response rule and its attack action in the feature library, the attack action corresponding to the attack response rule matched by the feature to be compared as the attack action of the successful network attack.
Optionally, after the detecting whether the network attack is successful, the method further includes:
and generating alarm information, wherein the alarm information comprises the attack type of the network attack, whether the network attack is successful or not and the attack action of the successful network attack.
Optionally, after the generating the alarm information, the method further includes:
and sending the alarm information to a network manager through one or more of e-mail, SMS message, dialog box and instant messaging.
Optionally, after the generating the alarm information, the method further includes:
adding a corresponding attack chain tag to the alarm information according to the alarm content of the alarm information, wherein the attack chain tag is used for representing the attack stage of the network attack in an attack chain;
counting each attack chain label of the same attack event, and obtaining the total times of network attacks, the times of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event;
and generating attack route information according to the total times of network attacks, the successful times of network attacks and the attack actions of the successful network attacks in each attack stage of the attack event, wherein the attack route information comprises the total times of network attacks, the successful times of network attacks and the attack actions of the successful network attacks in each attack stage of the attack event.
Optionally, the adding a corresponding attack chain tag to the alarm information according to the alarm content of the alarm information includes:
and determining an attack chain label corresponding to the alarm information from a pre-established label library according to the alarm content of the alarm information.
Optionally, the attack chain tag includes more than two levels, and adding a corresponding attack chain tag to the alarm information according to the alarm content of the alarm information includes:
and determining each level of label corresponding to the alarm information from a pre-established label library according to the alarm content of the alarm information, wherein the label library stores M attack chain labels, the M attack chain labels are divided into more than two levels, and M is an integer larger than 4.
Optionally, the attack route information further includes start and end times of each attack stage, and after the attack route information is generated according to the total number of network attacks in each attack stage of the attack event, the number of successful network attacks, and the attack action of the successful network attack, the method further includes:
and displaying the attack route information according to the sequence of the starting time of each attack stage.
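The success-detection, alarm and attack route steps above as an added worked example (not code from the patent): a feature library with one sub-feature library per attack type holding regular-expression attack response rules, each associated with an attack action, a tag library of attack chain tags, and the per-stage statistics that form the attack route information. The attack types, rules, tag names and the sample responses are constructed assumptions.

```python
import re

# Constructed feature library (not the patent's own data): N = 2 sub-feature libraries,
# one per attack type, each holding attack response rules written as regular expressions
# together with the attack action each rule is associated with.
FEATURE_LIBRARY = {
    "sql_injection": [
        (r"error in your SQL syntax", "database error message disclosed"),
        (r"\bORA-\d{5}\b", "database error message disclosed"),
    ],
    "path_traversal": [
        (r"^root:[^:]*:0:0:", "system account file read"),
        (r"-----BEGIN [A-Z ]*PRIVATE KEY-----", "private key file read"),
    ],
}
COMPILED = {
    atype: [(re.compile(pattern, re.I | re.M), action) for pattern, action in rules]
    for atype, rules in FEATURE_LIBRARY.items()
}

# Constructed tag library: M = 6 attack chain tags in two levels (stage, sub-tag),
# selected by the alarm content (attack type, whether the attack succeeded).
TAG_LIBRARY = {
    ("sql_injection", False): ("probing", "injection attempt"),
    ("sql_injection", True): ("exploitation", "database compromise"),
    ("path_traversal", False): ("probing", "traversal attempt"),
    ("path_traversal", True): ("exploitation", "file disclosure"),
}


def extract_comparison_features(response_data):
    """Split the second response data (the target host's answer) into status line,
    header block and body; the rules are matched against headers and body."""
    head, _, body = response_data.partition("\r\n\r\n")
    status, _, headers = head.partition("\r\n")
    return {"status": status, "headers": headers, "body": body}


def detect_success(attack_type, response_data):
    """Compare the features to be compared one by one with the attack response rules of
    the sub-feature library for this attack type. Returns (successful, attack_action).
    An attack type without a sub-library (e.g. an unknown type) is never confirmed."""
    feats = extract_comparison_features(response_data)
    text = feats["headers"] + "\r\n" + feats["body"]
    for regex, action in COMPILED.get(attack_type, []):
        if regex.search(text):
            return True, action
    return False, None


def generate_alarm(attack_type, response_data, timestamp):
    """Build the alarm information and add its attack chain tags from the tag library."""
    successful, action = detect_success(attack_type, response_data)
    stage, sub_tag = TAG_LIBRARY.get((attack_type, successful), ("unknown", "unclassified"))
    return {"time": timestamp, "attack_type": attack_type, "successful": successful,
            "attack_action": action, "stage": stage, "tag": sub_tag}


def attack_route(alarms):
    """Count the attack chain tags of one attack event per stage: total attacks,
    successful attacks, their attack actions and the stage's start/end time,
    ordered by start time (ISO-8601 timestamps sort lexically)."""
    stages = {}
    for alarm in alarms:
        stage = stages.setdefault(alarm["stage"], {
            "stage": alarm["stage"], "total": 0, "successful": 0, "actions": [],
            "start": alarm["time"], "end": alarm["time"]})
        stage["total"] += 1
        if alarm["successful"]:
            stage["successful"] += 1
            stage["actions"].append(alarm["attack_action"])
        stage["start"] = min(stage["start"], alarm["time"])
        stage["end"] = max(stage["end"], alarm["time"])
    return sorted(stages.values(), key=lambda s: s["start"])


# Constructed attack event: (attack type from the AI classifier, the target host's
# response, timestamp). All four alarms are assumed to belong to one event.
SAMPLE_EVENT = [
    ("sql_injection", "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>Item not found</html>",
     "2018-07-01T10:00:00"),
    ("sql_injection", "HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n"
     "You have an error in your SQL syntax; check the manual", "2018-07-01T10:00:05"),
    ("path_traversal", "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
     "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n",
     "2018-07-01T10:02:00"),
    ("path_traversal", "HTTP/1.1 404 Not Found\r\n\r\n", "2018-07-01T10:02:10"),
]


def run_sample():
    """Generate the alarms of the constructed event and return its attack route."""
    alarms = [generate_alarm(t, r, ts) for t, r, ts in SAMPLE_EVENT]
    return attack_route(alarms)


if __name__ == "__main__":
    for stage in run_sample():
        print(stage)
```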
Based on the same inventive concept, the invention also provides a network attack detection system based on artificial intelligence, which comprises:
the acquisition module is used for acquiring network data of the target host;
the first extraction module is used for extracting the features to be detected from the network data;
and the importing module is used for importing the characteristics to be detected into a pre-established artificial intelligence model, classifying the characteristics to be detected through the artificial intelligence model, and determining whether the target host is under network attack and the attack type of the network attack according to the classification result.
Optionally, the first extraction module includes:
a first extraction unit, configured to extract request data from the network data, where the request data is used to initiate a request service to the target host;
and the second extraction unit is used for extracting the features to be detected from the request data.
Optionally, the network attack detection system based on artificial intelligence further includes:
and the model creating module is used for creating the artificial intelligence model.
Optionally, the model creating module includes:
the collection module is used for collecting model training data;
the second extraction module is used for extracting the characteristics of the known network attack from the model training data to obtain attack characteristic data;
the classification module is used for classifying the attack characteristic data to obtain a training sample;
and the training module is used for carrying out model training according to the training samples to obtain the artificial intelligence model.
Optionally, the model training data includes one or more combinations of attack data published by the internet, vulnerability data published by the internet, attack data collected by the target host, and vulnerability data collected by the target host.
Optionally, the training module is a naive bayes algorithm module.
Optionally, the network attack detection system based on artificial intelligence further includes:
the detection module is used for detecting whether the network attack is successful;
and the attack action obtaining module is used for obtaining the attack action of the successful network attack when the network attack is successful.
Optionally, the detection module includes:
the third extraction module is used for extracting the features to be compared from the network data;
the comparison module is used for comparing the features to be compared one by one with one or more attack response rules in a pre-established feature library, wherein each attack response rule is formed according to first response data, and the first response data is the data with which an attacked host answered a successful attack request;
and the judging module is used for judging that the network attack is successful when the features to be compared match an attack response rule.
Optionally, the third extraction module includes:
a third extracting unit, configured to extract second response data from the network data, where the second response data is used for the target host to answer the request service;
and the fourth extraction unit is used for extracting the features to be compared from the second response data.
Optionally, the third extraction module includes:
a fifth extracting unit, configured to extract request data and second response data from the network data, where the request data is used to initiate a request service to the target host, and the second response data is used for the target host to answer the request service;
a sixth extracting unit, configured to extract the feature to be compared from the request data and the second response data.
Optionally, the network attack detection system based on artificial intelligence further includes:
and the characteristic library creating module is used for creating the characteristic library.
Optionally, the feature library creating module includes:
the database creating module is used for creating a database;
the fourth extraction module is used for correspondingly extracting one or more attack response characteristics from one or more pieces of first response data;
the rule forming module is used for describing each attack response characteristic in a deterministic manner to form one or more attack response rules;
and the storage module is used for storing the one or more attack response rules in the database to obtain the feature library.
Optionally, the feature library includes N sub-feature libraries, where N is an integer not less than 2, and the feature library creating module includes:
the database creating module is used for creating N databases;
the fourth extraction module is used for correspondingly extracting two or more attack response characteristics from two or more pieces of first response data;
the rule forming module is used for describing each attack response characteristic in a deterministic manner to form two or more attack response rules;
and the storage module is used for storing those of the two or more attack response rules that belong to the same attack type in the same database to obtain the sub-feature libraries.
Optionally, the comparison module is configured to compare the features to be compared one by one with the one or more attack response rules in the sub-feature library corresponding to the attack type of the network attack.
Optionally, the rule forming module is a regular expression writing module.
Optionally, the attack action obtaining module includes:
the association establishing module is used for establishing an association between each attack response rule in the feature library and an attack action;
and the attack action determining module is used for determining, according to the association between each attack response rule and its attack action in the feature library, the attack action corresponding to the attack response rule matched by the feature to be compared as the attack action of the successful network attack.
Optionally, the network attack detection system based on artificial intelligence further includes:
and the alarm information generating module is used for generating alarm information, wherein the alarm information comprises the attack type of the network attack, whether the network attack is successful, and the attack action of the successful network attack.
Optionally, the network attack detection system based on artificial intelligence further includes:
and the sending module is used for sending the alarm information to a network manager through one or more of e-mail, SMS message, dialog box and instant messaging.
Optionally, the network attack detection system based on artificial intelligence further includes:
the label adding module is used for adding a corresponding attack chain label to the alarm information according to the alarm content of the alarm information, wherein the attack chain label is used for representing the attack stage of the network attack in an attack chain;
the statistical module is used for counting each attack chain label of the same attack event and obtaining the total times of network attacks, the times of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event;
and the route information generating module is used for generating attack route information according to the total network attack times, the successful network attack times and the successful attack actions of the network attack in each attack stage of the attack event, wherein the attack route information comprises the total network attack times, the successful network attack times and the successful attack actions of the network attack in each attack stage of the attack event.
Optionally, the tag adding module is configured to determine, according to the alarm content of the alarm information, an attack chain tag corresponding to the alarm information from a pre-established tag library.
Optionally, the attack chain tag includes more than two levels, and the tag adding module is configured to determine, according to the alarm content of the alarm information, each level of tag corresponding to the alarm information from a pre-established tag library, where the tag library stores M attack chain tags, the M attack chain tags are divided into more than two levels, and M is an integer greater than 4.
Optionally, the attack route information further includes start and end times of each attack stage, and the network attack detection system based on artificial intelligence further includes:
and the display module is used for displaying the attack route information according to the sequence of the starting time of each attack stage.
Based on the same inventive concept, the present invention also provides a computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, implements the above artificial intelligence-based network attack detection method.
Based on the same inventive concept, the invention further provides a computer device, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor executes the program to realize the network attack detection method based on artificial intelligence.
Compared with the prior art, the invention has the following advantages and beneficial effects:
According to the network attack detection method and system based on artificial intelligence provided by the invention, the network data of the target host is collected, the features to be detected are extracted from the network data and imported into a pre-established artificial intelligence model, the model automatically classifies the features to be detected, and whether the target host is under network attack and the attack type of the network attack are determined according to the classification result. Because the invention detects whether the target host is under network attack by classifying the features to be detected with the artificial intelligence model, that is, it uses artificial intelligence technology to detect network attack behaviour, the detection does not depend on the rules in a feature library. Network attack requests are thus detected without rules, the chance that an attacker bypasses detection is greatly reduced, and more network attacks can be found.
Drawings
The accompanying drawings, which are included to provide a further understanding of the embodiments of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the principles of the invention. In the drawings:
FIG. 1 is a flow chart of a network attack detection method based on artificial intelligence according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of establishing an artificial intelligence model according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating detecting whether a network attack is successful according to an embodiment of the present invention;
FIG. 4 is a schematic flow chart of creating a feature library according to an embodiment of the present invention;
FIG. 5 is a schematic flow chart of creating a feature library according to another embodiment of the present invention;
FIG. 6 is a schematic diagram of attack route information according to an embodiment of the invention;
FIG. 7 is a schematic diagram of a tag library of an embodiment of the present invention.
Detailed Description
The invention provides a network attack detection method and system based on artificial intelligence, in which the network data of a target host is collected, the features to be detected are extracted from the network data and imported into a pre-established artificial intelligence model, the model automatically classifies the features to be detected, and whether the target host is under network attack and the attack type of the network attack are determined according to the classification result. The method and system use artificial intelligence technology to detect network attack behaviour, do not depend on rules in a feature library, and greatly reduce the chance that an attacker bypasses detection, so that more network attacks can be discovered and the missed-detection rate of network attack detection is reduced.
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail below with reference to examples and accompanying drawings, and the exemplary embodiments and descriptions thereof are only used for explaining the present invention and are not meant to limit the present invention.
Example 1
The present embodiment provides a network attack detection method based on artificial intelligence; FIG. 1 is a schematic flow chart of the method, which includes:
step S11, collecting network data of the target host;
step S12, extracting the features to be detected from the network data;
step S13, the features to be detected are imported into a pre-established artificial intelligence model, the features to be detected are classified through the artificial intelligence model, and whether the target host is attacked by the network and the attack type of the network attack are determined according to the classification result.
Specifically, the target host may be a server providing various services, a personal computer capable of implementing specific functions, or other network devices capable of providing network services. The target host may receive request data sent by the terminal device and used for initiating a request service to the target host, perform corresponding data processing according to the request data to obtain second response data, that is, the second response data is used for the target host to respond to the request service, and feed back the second response data to the terminal device. The terminal device may be various electronic devices having a display function and supporting an interactive function, including but not limited to a smart phone, a tablet computer, a personal computer, a desktop computer, and the like. In a specific application scenario of the present invention for detecting a network attack, an attacker who initiates the network attack is usually a user who maliciously sends a large amount of data requests. The terminal device utilized by the attacker may be an electronic device with powerful computing functions, and may even be a server.
The network data of the target host can be collected by network sniffing or by network port mirroring. In network sniffing, the network card of the target host is set to promiscuous mode and the network data of the target host is captured by calling a packet capture tool. In port mirroring, the port to be collected on the target host is mapped to another port and its data is copied in real time, so as to obtain the network data of the target host. Of course, the specific way of collecting the network data of the target host is not limited to these two, and this embodiment does not limit it.
And after the network data are collected, extracting the features to be detected from the network data. The network data includes the request data and the second response data, and as described above, the request data is used to initiate a request service to the target host, and is data sent to the target host by a terminal device; the second response data is used for the target host to answer the request service, and is data sent by the target host to the terminal device. The feature to be detected may be obtained by directly extracting the feature of the request data from the network data, or may be obtained by extracting the request data from the network data first and then extracting the feature to be detected from the request data, which is not limited in this embodiment. The characteristics to be detected can comprise one or more of request time, IP information, port information, protocol type, packet sending frequency, mail address, file name and target URL address. It should be noted that the features to be detected can be flexibly set according to actual situations, and this embodiment does not limit this.
The structure of the request data also differs according to the transport protocol used between the target host and the terminal device; such protocols include, but are not limited to, Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP) and Simple Mail Transfer Protocol (SMTP). Taking an HTTP network request as an example, the request data consists of three parts: a request line, composed of a method (e.g. POST), a Uniform Resource Identifier (URI) and a protocol version (e.g. HTTP/1.1); a request header, which informs the target host about the request made by the terminal device, including but not limited to the type of browser that made the request, the list of content types the terminal device can handle, and the name of the requested host; and a request body. After the network data is collected, each field in the HTTP request header is parsed and the field contents that need to be detected are looked up, that is, the features to be detected are extracted.
After the features to be detected are obtained, they are imported into a pre-established artificial intelligence model, which classifies them to obtain a classification result. The artificial intelligence model may be a machine learning classification model, such as a naive Bayes classification model, or a deep learning classification model. If the classification result is that the features to be detected belong neither to a network attack of a known attack type nor to a network attack of an unknown attack type, it is determined that the target host is not under network attack; if the classification result is that the features to be detected belong to a network attack of a certain known attack type, it is determined that the target host is under a network attack of that type; and if the classification result is that the features to be detected belong to a network attack of an unknown attack type, it is determined that the target host is under a network attack of unknown type.
In the network attack detection method based on artificial intelligence provided by this embodiment, the features to be detected are imported into a pre-established artificial intelligence model, which automatically classifies them, so as to detect whether the target host is under network attack and the type of that attack. Because the artificial intelligence model is a classification model built with artificial intelligence technology and has capabilities such as self-learning, self-organization and self-adaptation, it can effectively discover new or variant network attacks, overcoming the inability of the traditional network attack detection method to detect unknown network attacks, improving the overall network attack detection capability and reducing the missed-detection rate.
Further, before the features to be detected are fed into the pre-established artificial intelligence model, that model must first be built. FIG. 2 is a schematic flow chart of the process of building the artificial intelligence model, which includes:
step S21, collecting model training data;
step S22, extracting the features of known network attacks from the model training data to obtain attack feature data;
step S23, classifying the attack feature data to obtain training samples;
and step S24, performing model training on the training samples to obtain the artificial intelligence model.
Specifically, the model training data includes one or more of: attack data published on the Internet, vulnerability data published on the Internet, attack data collected by the target host, and vulnerability data collected by the target host. Attack data is extracted from existing network attack cases and vulnerability data from existing vulnerability cases; both may come from public Internet disclosures or be analysed and refined by the target host from the network attack events it has suffered in the past.
After the model training data is obtained, the features of known network attacks are extracted from it to obtain attack feature data. The extracted attack feature data may include one or more of request time, IP information, port information, protocol type, packet sending frequency, mail address, file name and target URL address; as before, the attack feature data can be set flexibly according to the actual situation and this embodiment does not limit it. The attack feature data is then grouped according to the attack type of the network attack it belongs to, forming the training samples; attack types include, but are not limited to, SQL injection and XSS. The same feature set must be extracted from the training data and from the live request data, otherwise the model is scored on features it was never trained on.
Model training on the training samples then means computing, for each attack type, the frequency with which it occurs in the training samples (the class prior) and, for each attack feature value, the conditional probability of that value given each attack type; the results are recorded and constitute the artificial intelligence model. In this embodiment the algorithm used for model training is naive Bayes. Naive Bayes performs well on small data sets, suits multi-class tasks and supports incremental training. Of course, other machine learning or deep learning classification algorithms, such as decision trees, may also be used for model training, which this embodiment does not limit.
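The feature extraction from HTTP request data and the naive Bayes training and classification of steps S21 to S24, in Python, as an added example that is not code from the patent or from the applicant. The hand-labelled training requests, the indicator regular expressions, the Bernoulli (present/absent) encoding of the features and the 0.6 posterior threshold used to produce the "unknown attack type" outcome are all assumptions made for illustration; the description says which fields are inspected but not how they are encoded, nor how the unknown outcome is produced.

```python
import math
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Indicator features over the URL-decoded query string and body (constructed for this example;
# the description names the fields to inspect, not how to encode them).
INDICATORS = {
    "quote": r"'",
    "sql_keyword": r"\b(union|select|or|and)\b",
    "sql_comment": r"--|/\*|#",
    "html_tag": r"<[a-z!/]",
    "js_handler": r"\bon[a-z]+\s*=|javascript:|script",
}

def parse_http_request(raw):
    """Split a raw HTTP request into request line, header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, uri, version = request_line.split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, v in (h.split(":", 1) for h in header_lines if ":" in h)}
    return {"method": method, "uri": uri, "version": version,
            "headers": headers, "body": body}

def extract_features(req):
    """Features to be detected: method, protocol version and the indicators that fire on the
    decoded query string and body. Decoding first matters: '%27' is still a quote."""
    query = req["uri"].partition("?")[2]
    decoded = unquote_plus(query + " " + req["body"]).lower()
    feats = {"method=" + req["method"], "proto=" + req["version"]}
    feats |= {"has_" + name for name, pat in INDICATORS.items() if re.search(pat, decoded)}
    return feats

class BernoulliNaiveBayes:
    """Naive Bayes over binary features with Laplace smoothing (alpha = 1)."""
    def fit(self, samples):
        self.n = len(samples)
        self.class_count = Counter(label for _, label in samples)   # class priors
        self.feat_count = defaultdict(Counter)                      # P(feature | class)
        self.vocab = set()
        for feats, label in samples:
            self.feat_count[label].update(feats)
            self.vocab |= feats
        return self

    def posteriors(self, feats):
        log_joint = {}
        for c, nc in self.class_count.items():
            lp = math.log(nc / self.n)
            for f in self.vocab:            # each vocabulary feature is present or absent
                p = (self.feat_count[c][f] + 1) / (nc + 2)
                lp += math.log(p if f in feats else 1 - p)
            log_joint[c] = lp
        m = max(log_joint.values())
        z = sum(math.exp(v - m) for v in log_joint.values())
        return {c: math.exp(v - m) / z for c, v in log_joint.items()}

    def predict(self, feats, threshold=0.6):
        """Below the threshold no known type explains the features well: report 'unknown'."""
        post = self.posteriors(feats)
        best = max(post, key=post.get)
        return best if post[best] >= threshold else "unknown"

def raw(method, target, body=""):
    """Minimal raw HTTP/1.1 request (constructed sample, not captured traffic)."""
    return (f"{method} {target} HTTP/1.1\r\nHost: shop.example\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n\r\n{body}")

# Training samples: (attack type, raw request), constructed and labelled by hand.
TRAINING = [
    ("benign", raw("GET", "/index.html?page=2")),
    ("benign", raw("GET", "/search?q=laptop+bags")),
    ("benign", raw("POST", "/login", "user=alice&pass=Secret1")),
    ("benign", raw("GET", "/products?id=42")),
    ("sqli", raw("GET", "/products?id=1'+OR+'1'='1")),
    ("sqli", raw("GET", "/items?id=1+UNION+SELECT+1,2,3--")),
    ("sqli", raw("POST", "/login", "user=admin'--&pass=x")),
    ("sqli", raw("GET", "/news?id=1+AND+1=1")),
    ("xss", raw("GET", "/search?q=<script>alert(1)</script>")),
    ("xss", raw("GET", "/comment?text=<img+src=x+onerror=alert(1)>")),
    ("xss", raw("POST", "/post", "msg=<svg/onload=alert(1)>")),
    ("xss", raw("GET", "/q?s=javascript:alert(1)")),
]

MODEL = BernoulliNaiveBayes().fit(
    [(extract_features(parse_http_request(r)), label) for label, r in TRAINING])

def classify_request(raw_request, model=MODEL):
    return model.predict(extract_features(parse_http_request(raw_request)))

def demo():
    """Four constructed live requests; the last carries a quote and a tag but fits no type well."""
    return {
        "sqli": classify_request(raw("GET", "/users?id=7'+OR+1=1--")),
        "xss": classify_request(raw("GET", "/search?q=<script>alert(document.cookie)</script>")),
        "benign": classify_request(raw("GET", "/products?id=42&sort=asc")),
        "unknown": classify_request(raw("POST", "/profile", "bio='\"><b>x</b>")),
    }

if __name__ == "__main__":
    for name, label in demo().items():
        print(f"{name:8s} -> {label}")
```

The four demo requests come out as sqli, xss, benign and unknown respectively; the last one shows the limit of the approach, since a request mixing indicators of two types is reported as an unknown attack rather than assigned to a type the model is not confident about.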
Example 2
This embodiment provides another artificial-intelligence-based network attack detection method. Compared with that of Example 1, after determining from the classification result that the target host is under network attack and the attack type, the method further includes: detecting whether the network attack succeeded; and, if it did, obtaining the attack action of the successful network attack.
In this embodiment, whether the network attack succeeded is detected by rule matching. Fig. 3 is a schematic flow chart of the process of detecting whether the network attack succeeded, which includes:
step S31, extracting the features to be compared from the network data;
step S32, comparing the features to be compared, one by one, with the one or more attack response rules in a pre-established feature library, where each attack response rule is formed from first response data, and the first response data is the response an attacked host returned to a successful attack request;
step S33, if the features to be compared match an attack response rule, determining that the network attack succeeded.
Specifically, each successful network attack has its own signature, which shows mainly in the attacked host's response to the successful attack request. The features to be compared are therefore extracted from the second response data, either directly from the network data or by first extracting the second response data from the network data and then extracting the features to be compared from it; this embodiment does not limit which.
Taking an HTTP response as an example, the second response data consists of three parts: a status line, made up of a protocol version (e.g. HTTP/1.1), a status code and a reason phrase; response headers, including but not limited to the name and version of the server application, the type and length of the response body and the encoding used for it; and a response body. After the network data is collected, each field of the HTTP response headers is parsed and the field content that needs to be compared is located, that is, the features to be compared are extracted. Since the responses that betray a successful attack (a database error message, a reflected payload, command output) mostly appear in the body, the extractor also needs the decoded body, which means undoing chunked transfer encoding and any Content-Encoding such as gzip before the rules are applied.
Further, whether a network attack succeeded can also be judged from the attacker's side, by working backwards from the response content to the features of the attack request, which improves the accuracy of identifying whether the attack succeeded. The features to be compared may therefore also be extracted from the second response data together with the request data: the request data and the second response data are extracted from the network data, and the features to be compared are then extracted from both. Still taking HTTP as an example, after the network data is collected, each field of the HTTP request headers and response headers is parsed and the field content to be compared is located, that is, the features to be compared are extracted.
After the features to be compared are obtained, they are compared one by one with the one or more attack response rules in the feature library. Still taking HTTP as an example, if the features to be compared match an attack response rule in the feature library, the HTTP request is determined to be a malicious attack that succeeded against the target host; if they match none of the attack response rules in the feature library, the HTTP request is judged to be an ineffective attack and can be ignored. Note that the second outcome only means that no rule fired: the classifier has already flagged the request as an attack, so an unmatched response indicates either a failed attempt or a success for which the feature library has no rule yet, and such requests are still worth keeping for rule development.
The feature library is established in advance; the attack response rules it stores are formed from first response data, where the first response data is the response of an attacked host to a successful attack request. That is, each attack response rule is generated in advance from the response features of the attack response to an existing, successful attack request. Fig. 4 is a schematic flow chart of the process of creating the feature library provided in this embodiment, which includes:
step S41, creating a database;
step S42, extracting one or more attack response features, one from each of one or more pieces of first response data;
step S43, describing each attack response feature deterministically to form one or more attack response rules;
step S44, storing the one or more attack response rules in the database to obtain the feature library.
Specifically, the database is created as an empty store. The first response data, the response of an attacked host to a successful attack request, can be collected from attack data published on the Internet and/or attack data collected by the target host. For example, if an attacker sends a floor() error-based injection request to the attacked host and the request succeeds, the attacked host's response to that request is first response data. Network attacks of the same attack type can be further divided by their specific attack action; for SQL injection, for example, these include count() error-based injection, rand() error-based injection and floor() error-based injection. One piece of first response data can be collected for each attack action, so that one attack response feature is extracted from each piece of first response data. Like the attack feature data, an attack response feature may include one or more of request time, IP information, port information, protocol type, packet sending frequency, mail address, file name and target URL address in combination. The attack response features can also be set flexibly according to the actual situation, and this embodiment does not limit them.
After the attack response features are obtained, each is described deterministically, that is, according to a preset rule. In this embodiment, each attack response feature may be described by an ordinary regular expression, or additional logic such as arithmetic or matching logic may be added to the regular expression to improve the accuracy of the match. Once the attack response rules are obtained they are all stored in the database, i.e. written into the empty store, giving the feature library.
Further, the feature library may consist of N sub-feature libraries, each storing all the attack response rules of one attack type, where N is an integer not less than 2. Fig. 5 is another schematic flow chart of establishing the feature library provided in this embodiment, which includes:
step S51, creating N databases;
step S52, extracting two or more attack response features, one from each of two or more pieces of first response data;
step S53, describing each attack response feature deterministically to form two or more attack response rules;
and step S54, storing the attack response rules of the same attack type among the two or more attack response rules in the same database to obtain the sub-feature libraries.
Specifically, steps S51 to S53 are as described for steps S41 to S43 and are not repeated here. After two or more attack response rules are obtained, the rules belonging to the same attack type are stored in the same database according to the attack type of each rule, giving the sub-feature libraries. In this embodiment the sub-feature libraries may be a basic feature library, an SQL injection feature library, an XSS dynamic feature library and a tool fingerprint library: the basic feature library stores command features and file features, the SQL injection feature library stores features of SQL injection attacks, the XSS dynamic feature library stores features of XSS dynamic attacks, and the tool fingerprint library stores webshell (trojan) connection fingerprints and China Chopper (Caidao) client fingerprints. The sub-feature libraries can be set flexibly according to the actual situation, and this embodiment does not limit them.
For a feature library established by the process of fig. 5, comparing the features to be compared one by one with the attack response rules in the pre-established feature library specifically means comparing them with the one or more attack response rules in the sub-feature library corresponding to the attack type of the network attack. For example, if the attack type is SQL injection, the features to be compared are compared one by one with the attack response rules in the SQL injection feature library; if it is an XSS dynamic attack, with those in the XSS dynamic feature library. Splitting the feature library into sub-feature libraries reduces the number of attack response rules that have to be compared and so improves matching efficiency, since only the rules of one sub-feature library need to be matched.
Since an attack response rule is obtained for the network attack of each attack action, an association between each attack response rule and its attack action can be established in the feature library, and the attack action associated with the rule that matched the features to be compared is then determined to be the attack action of the successful network attack. For example, if the attack action associated with the matching attack response rule is floor() error-based injection, the attack action of the successful network attack is floor() error-based injection.
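The feature library of figs. 4 and 5 and the matching of fig. 3 together, in Python, as an added example that is not code from the patent or from the applicant: sub-feature libraries keyed by attack type, rules that combine a regular expression over the response with one over the request (the reverse derivation from response to request described above) or with extra matching logic, the restriction of the scan to the sub-library of the attack type already named by the classifier, and the association of each rule with its attack action. The rule contents are assumptions: the MySQL duplicate-key message provoked by the floor(rand()) group-by technique, the MySQL syntax error text, the id and /etc/passwd output patterns, the reflection check for XSS and a simplified China Chopper request/response fingerprint are taken from public knowledge of those techniques, not from the description, and the HTTP flows are constructed.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import parse_qs, unquote_plus

def split_message(raw):
    """Start line, lower-cased header dict, body and raw text of one HTTP message."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *lines = head.split("\r\n")
    headers = {k.strip().lower(): v.strip()
               for k, v in (l.split(":", 1) for l in lines if ":" in l)}
    return {"start": start, "headers": headers, "body": body, "raw": raw}

@dataclass
class Rule:
    action: str                       # attack action associated with this rule
    response: Optional[str] = None    # regex over the raw response (status line, headers, body)
    request: Optional[str] = None     # regex over the decoded request: reverse derivation
    logic: Optional[Callable] = None  # matching logic beyond a plain regex

def reflected_unescaped(req, resp):
    """Logic rule: a query value containing '<' is echoed verbatim into an HTML response."""
    query = req["start"].split(" ")[1].partition("?")[2]
    payloads = [v for vs in parse_qs(query).values() for v in vs if "<" in v]
    is_html = "text/html" in resp["headers"].get("content-type", "")
    return is_html and any(p in resp["body"] for p in payloads)

# Feature library split into sub-feature libraries keyed by attack type. The rules are
# constructed for this example from well-known response patterns, not taken from the patent.
FEATURE_LIBRARY = {
    "SQL injection": [
        Rule("floor() error-based injection",
             response=r"Duplicate entry '.+?' for key '\w+'",
             request=r"floor\s*\(\s*rand\s*\("),
        Rule("error-based injection (database error disclosed)",
             response=r"You have an error in your SQL syntax"),
    ],
    "XSS": [
        Rule("reflected XSS (payload echoed unescaped)", logic=reflected_unescaped),
    ],
    "basic": [
        Rule("command execution (id output in response)", response=r"uid=\d+\([^)]*\)\s+gid=\d+"),
        Rule("file read (/etc/passwd in response)", response=r"^root:x:0:0:"),
    ],
    "tool fingerprint": [
        Rule("webshell interaction (China Chopper client)",
             request=r"@eval\(base64_decode\(\$_POST\[",
             response=r"->\|.*\|<-"),
    ],
}

def detect_success(raw_request, raw_response, attack_type=None):
    """Return (attack type, attack action) for the first matching rule, or None.
    When the classifier has already named the attack type, only that sub-library is scanned."""
    req, resp = split_message(raw_request), split_message(raw_response)
    req_text = unquote_plus(req["start"]) + "\n" + unquote_plus(req["body"])
    libraries = ([(attack_type, FEATURE_LIBRARY[attack_type])] if attack_type
                 else list(FEATURE_LIBRARY.items()))
    flags = re.I | re.S | re.M
    for name, rules in libraries:
        for rule in rules:
            if rule.request and not re.search(rule.request, req_text, flags):
                continue
            if rule.response and not re.search(rule.response, resp["raw"], flags):
                continue
            if rule.logic and not rule.logic(req, resp):
                continue
            return name, rule.action
    return None

def raw_req(method, target, body=""):
    """Constructed raw HTTP request (not captured traffic)."""
    return (f"{method} {target} HTTP/1.1\r\nHost: shop.example\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n\r\n{body}")

def raw_resp(status, body, ctype="text/html; charset=utf-8"):
    """Constructed raw HTTP response (not captured traffic)."""
    return f"HTTP/1.1 {status}\r\nServer: nginx\r\nContent-Type: {ctype}\r\n\r\n{body}"

# (attack type from the classifier, request, response), all constructed.
FLOWS = {
    "floor_sqli": ("SQL injection",
        raw_req("GET", "/item?id=1+and+(select+1+from(select+count(*),concat(version(),"
                       "floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)"),
        raw_resp("500 Internal Server Error", "Duplicate entry '5.7.331' for key 'group_key'")),
    "failed_sqli": ("SQL injection", raw_req("GET", "/item?id=1'"),
        raw_resp("200 OK", "<h1>Item 1</h1>")),
    "reflected_xss": ("XSS", raw_req("GET", "/search?q=<script>alert(1)</script>"),
        raw_resp("200 OK", "<p>Results for <script>alert(1)</script></p>")),
    "escaped_xss": ("XSS", raw_req("GET", "/search?q=<script>alert(1)</script>"),
        raw_resp("200 OK", "<p>Results for &lt;script&gt;alert(1)&lt;/script&gt;</p>")),
    "chopper": (None, raw_req("POST", "/uploads/img.php",
                               "pass=@eval(base64_decode($_POST[z0]));&z0=ZWNobyAiaGkiOw=="),
        raw_resp("200 OK", "->|hi|<-")),
}

def demo():
    return {name: detect_success(rq, rs, atype) for name, (atype, rq, rs) in FLOWS.items()}

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} -> {result}")
```

The two XSS flows carry the same request; only the response decides whether the attack succeeded, which is the point of matching on the second response data rather than on the request alone. The chopper flow has no attack type from the classifier, so every sub-library is scanned in turn and the tool fingerprint library is the one that fires.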
In the artificial-intelligence-based network attack detection method provided by this embodiment, after determining that the target host is under network attack and the attack type, it is further detected whether the attack succeeded, and the attack action of a successful attack is obtained. Successful network attacks can thus be identified effectively, which improves operations and maintenance efficiency and helps find real vulnerabilities.
Example 3
Compared with the method of Example 2, this embodiment provides another artificial-intelligence-based network attack detection method in which, after detecting whether the network attack succeeded, alarm information may further be generated. The alarm information contains the attack type of the network attack, whether the attack succeeded and the attack action of a successful attack. For example, when the target host is under SQL injection attack but the attack fails, the alarm may read "SQL injection attack, attack ineffective"; when the target host is under SQL injection attack, the attack succeeds and the specific attack action is floor() error-based injection, the alarm may read "SQL injection attack, attack successful, floor() error-based injection".
Further, after the alarm information is generated it can be sent to a network administrator, for example by e-mail to a designated mailbox, by SMS to a designated mobile terminal, in a dialog box displayed directly on the target host, or by instant messaging. The alarm information may be sent in any one of these ways or in any combination of them.
By generating the alarm information and sending it to a network administrator, the administrator obtains a direct view of the network attacks on the target host.
Example 4
Example 3 uses an alarm mode in which each network attack corresponds to one alarm, that is, one alarm message is generated for each detected network attack. However, isolated alarms do not accurately reflect the security status of the target host, and exposing attacks one by one gives no overall picture of the attack process. This embodiment therefore provides another artificial-intelligence-based network attack detection method which, compared with that of Example 3, further includes, after the alarm information is generated:
adding a corresponding attack chain tag to the alarm information according to its alarm content, where the attack chain tag represents the stage of the network attack in an attack chain;
counting the attack chain tags of the same attack event to obtain, for each attack stage of the event, the total number of network attacks, the number of successful network attacks and the attack actions of the successful attacks;
and generating attack route information from the total number of network attacks, the number of successful attacks and the attack actions of the successful attacks in each attack stage of the attack event, where the attack route information comprises those three items for each attack stage of the event.
The alarm content differs with the attack stage of the network attack on the target host: the alarm content reveals the purpose the corresponding network attack was trying to achieve, and alarms with different content correspond to different attack stages. The attack stage can therefore be determined from the alarm content of the alarm corresponding to the network attack on the target host. Specifically, the attack chain tag corresponding to the alarm is looked up in a pre-established tag library according to the alarm content. The tag library stores M attack chain tags, each representing one attack stage of an attack chain. An attack chain is the sequence of stages an attacker goes through, from probing a target host to damaging it, and generally consists of several distinct attack stages. For example, the attack chain may consist of six stages, namely reconnaissance, intrusion, command and control, lateral movement, data exfiltration and trace cleanup, in which case M is 6 and the M attack chain tags are a reconnaissance tag, an intrusion tag, a command and control tag, a lateral movement tag, a data exfiltration tag and a trace cleanup tag. Of course, the division of the attack chain is not limited to this and may be set flexibly according to the actual situation.
As noted, alarms with different content correspond to different attack stages and each attack chain tag corresponds to one attack stage, so the association between alarm content and attack chain tags can be established in advance from published network attack events, and the attack chain tag for an alarm can then be looked up in the pre-established tag library by its alarm content. Taking an alarm whose attack type is PHP code execution as an example, PHP code execution sits in the command and control stage of the attack chain, so the attack chain tag added to the alarm is the "command and control" tag. Further, the attack chain tag may be added as an attribute of the alarm information.
After corresponding attack chain tags have been added to all the alarms of an attack event, the total number of network attacks in each attack stage of the event is obtained by counting the number of identical attack chain tags. For example, counting the reconnaissance tags gives the total number of network attacks in the reconnaissance stage, and counting the intrusion tags gives the total in the intrusion stage. Suppose the target host suffers 10 network attacks in an attack event, so that 10 alarms are generated whose attack chain tags are, in order: reconnaissance, intrusion, reconnaissance, intrusion, intrusion, reconnaissance, intrusion, command and control, command and control, command and control. Counting the 10 attack chain tags shows that the target host was attacked 3 times in the reconnaissance stage, 4 times in the intrusion stage and 3 times in the command and control stage.
To obtain the number of successful network attacks in each attack stage of the attack event, the alarms corresponding to successful attacks are filtered out first, and the number of identical attack chain tags among the filtered alarms is then counted per tag, giving the number of successful network attacks in each stage. Combined with the content of the filtered alarms, this also gives the attack actions of the successful network attacks in each stage of the attack event.
The attack route information is generated once the total number of network attacks, the number of successful attacks and the attack actions of the successful attacks in each attack stage of the attack event are obtained. Further, the attack route information may also include the start and end time of each attack stage, and after it is generated it may be displayed in order of the start times of the attack stages. The start time of an attack stage is the time of the first network attack in that stage and the end time is the time of the last. Taking the attack event of 10 network attacks above, if the reconnaissance stage runs from 2018-3-15 03:20 to 2018-3-19 15:12, the intrusion stage from 2018-3-17 07:38 to 2018-3-21 05:21 and the command and control stage from 2018-3-20 14:47 to 2018-3-20 18:21, the attack route information generated from the statistics can be displayed as "2018-3-15 03:20 to 2018-3-19 15:12, reconnaissance stage: 3 times; 2018-3-17 07:38 to 2018-3-21 05:21, intrusion stage: 4 times; 2018-3-20 14:47 to 2018-3-20 18:21, command and control stage: 3 times". Note that the stages overlap in time (the intrusion stage starts before the reconnaissance stage ends), so ordering by start time is what keeps the display consistent. Of course, the attack route information may also include information such as the IP address of the target host and the duration of the whole attack event, as shown in fig. 6, which this embodiment does not limit.
Further, since each attack stage in the attack chain may itself be divided into several smaller attack stages, each also represented by an attack chain tag, the attack chain tags may have two or more levels. Adding a corresponding attack chain tag to the alarm information according to its alarm content then means determining, from a pre-established tag library, the tag at each level corresponding to the alarm information, where the tag library stores M attack chain tags divided into two or more levels and M is an integer greater than 4.
Fig. 7 is a schematic diagram of a tag library provided in this embodiment, in which the attack chain tags are divided into three levels. The first-level tags are the reconnaissance, intrusion, command and control, lateral movement, data exfiltration and trace cleanup tags. The second-level tags under reconnaissance are port scanning, information leakage, IP scanning and subdomain collection; under intrusion, vulnerability detection, vulnerability exploitation, denial of service, brute force cracking and high-risk operation; under command and control, host controlled, hacker tool upload, server relay (pivot) behaviour, privilege escalation, antivirus disabling and host information collection; under lateral movement, intranet reconnaissance, sniffing attack, intranet vulnerability detection and intranet vulnerability exploitation; under data exfiltration, file download and database dump (drag-library) behaviour; and under trace cleanup, backdoor deletion, attack service shutdown and log clearing. The third-level tags under high-risk operation are database operation and successful weak-password login.
Setting the attack chain tags at multiple levels describes the attack stages in the attack chain in more detail and so presents the network administrator with the whole course of the attack event in more detail. Note that the tag library may be created by the target host or by another host, in which case the target host calls the tag library on that host when it needs to add the corresponding attack chain tag. Alternatively, the corresponding attack chain tag can be added directly to the alarm information without creating a tag library.
After the attack route information is generated it can be sent to a network administrator by one or more of e-mail, SMS, dialog box and instant messaging. By adding the corresponding attack chain tag to each alarm and counting, per attack chain tag, the total number of network attacks, the number of successful attacks and the attack actions of the successful attacks in each stage of the attack event, the attack event is re-partitioned along its attack chain, and the whole course of the event is presented to the network administrator stage by stage from the perspective of big-data analysis, avoiding a confused picture of the line of attack.
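The tagging, counting and route generation of this embodiment in Python, as an added example that is not code from the patent or from the applicant; it uses a two-level tag library of the kind shown in fig. 7 and reproduces the ten-alarm event above (3 reconnaissance, 4 intrusion, 3 command and control, with the same stage start and end times). The mapping from attack type to tags, the individual alarm timestamps, which alarms succeeded and the wording of the attack actions are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Two-level tag library mapping an alarm's attack type to (first-level, second-level) tag.
# Constructed for this example from the stages and tags named in the description.
TAG_LIBRARY = {
    "port scan": ("reconnaissance", "port scanning"),
    "subdomain enumeration": ("reconnaissance", "subdomain collection"),
    "SQL injection": ("intrusion", "vulnerability exploitation"),
    "brute force login": ("intrusion", "brute force cracking"),
    "webshell upload": ("command and control", "hacker tool upload"),
    "PHP code execution": ("command and control", "host controlled"),
}

@dataclass
class Alarm:
    time: datetime
    attack_type: str
    successful: bool
    action: str = ""    # attack action, present only for successful attacks
    tags: tuple = ()    # attack chain tags, added as an attribute of the alarm

def tag_alarm(alarm):
    """Look the alarm's attack type up in the tag library and attach the tags."""
    alarm.tags = TAG_LIBRARY[alarm.attack_type]
    return alarm

def attack_route(alarms):
    """Per first-level stage: total attacks, successful attacks, successful actions,
    second-level tag counts, and start/end time (first and last alarm of the stage).
    Stages are returned in order of their start time, as the description displays them."""
    stages = {}
    for a in sorted(alarms, key=lambda x: x.time):
        stage, sub = tag_alarm(a).tags
        s = stages.setdefault(stage, {"total": 0, "successful": 0, "actions": [],
                                      "sub_stages": Counter(), "start": a.time, "end": a.time})
        s["total"] += 1
        s["sub_stages"][sub] += 1
        s["end"] = a.time
        if a.successful:
            s["successful"] += 1
            s["actions"].append(a.action)
    return sorted(stages.items(), key=lambda kv: kv[1]["start"])

def render_route(route):
    """One line per stage, in the layout of the route information in the description."""
    fmt = lambda t: t.strftime("%Y-%m-%d %H:%M")
    lines = []
    for stage, s in route:
        line = (f"{fmt(s['start'])} to {fmt(s['end'])}, {stage} stage: "
                f"{s['total']} attacks, {s['successful']} successful")
        if s["actions"]:
            line += " (" + "; ".join(s["actions"]) + ")"
        lines.append(line)
    return lines

T = lambda s: datetime.strptime(s, "%Y-%m-%d %H:%M")

# Ten constructed alarms for one attack event; stage start/end times follow the example above.
ALARMS = [
    Alarm(T("2018-03-15 03:20"), "port scan", False),
    Alarm(T("2018-03-17 07:38"), "SQL injection", False),
    Alarm(T("2018-03-17 11:05"), "subdomain enumeration", False),
    Alarm(T("2018-03-18 09:10"), "brute force login", False),
    Alarm(T("2018-03-19 15:12"), "port scan", False),
    Alarm(T("2018-03-19 22:40"), "SQL injection", True, "floor() error-based injection"),
    Alarm(T("2018-03-20 14:47"), "webshell upload", True, "hacker tool uploaded"),
    Alarm(T("2018-03-20 16:02"), "PHP code execution", True, "PHP code executed"),
    Alarm(T("2018-03-20 18:21"), "PHP code execution", False),
    Alarm(T("2018-03-21 05:21"), "SQL injection", False),
]

if __name__ == "__main__":
    for line in render_route(attack_route(ALARMS)):
        print(line)
```

The second-level counts (three vulnerability exploitation alarms and one brute force alarm inside the intrusion stage) are what the multi-level tag library adds over the single-level count; an alarm whose attack type is not in the library raises a KeyError here, which is the case the description covers by adding the tag directly to the alarm without a library.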
Example 5
This embodiment provides an artificial-intelligence-based network attack detection system comprising an acquisition module, a first extraction module and an import module.
Specifically, the acquisition module acquires the network data of a target host; the first extraction module extracts the features to be detected from the network data; and the import module feeds the features to be detected into a pre-established artificial intelligence model, classifies them by means of that model, and determines from the classification result whether the target host is under network attack and the attack type of the network attack.
Further, the first extraction module comprises: a first extraction unit for extracting request data from the network data, where the request data is the data sent to the target host to request a service; and a second extraction unit for extracting the features to be detected from the request data.
Further, the artificial-intelligence-based network attack detection system also comprises a model creation module for building the artificial intelligence model. Specifically, the model creation module comprises: a collection module for collecting model training data; a second extraction module for extracting the features of known network attacks from the model training data to obtain attack feature data; a classification module for classifying the attack feature data to obtain training samples; and a training module for performing model training on the training samples to obtain the artificial intelligence model.
For the specific working principle of the artificial-intelligence-based network attack detection system, reference may be made to the description of steps S11 to S13 in Example 1, which is not repeated here.
Example 6
In this embodiment, another artificial intelligence based network attack detection system is provided, and compared with the artificial intelligence based network attack detection system provided in embodiment 5, the artificial intelligence based network attack detection system further includes: the detection module is used for detecting whether the network attack is successful; and the attack action obtaining module is used for obtaining the attack action of the successful network attack when the network attack is successful.
Specifically, the detection module includes: the third extraction module is used for extracting the features to be compared from the network data; the comparison module is used for comparing the features to be compared with more than one attack response rule in a pre-established feature library one by one, wherein the attack response rules are formed according to first response data, and the first response data are used for responding to a successful attack request by an attacked host; and the judging module is used for judging that the network attack is successful when the features to be compared are matched with the attack response rule.
Further, the third extraction module may include: a third extracting unit, configured to extract second response data from the network data, where the second response data is used for the target host to answer the request service; and the fourth extraction unit is used for extracting the features to be compared from the second response data.
Further, the third extraction module may also include: a fifth extracting unit, configured to extract request data and second response data from the network data, where the request data is used to initiate a request service to the target host, and the second response data is used for the target host to answer the request service; a sixth extracting unit, configured to extract the feature to be compared from the request data and the second response data.
Further, the network attack detection system based on artificial intelligence further comprises a feature library creating module, which is used for creating the feature library. Specifically, the feature library creation module may include: the database creating module, used for creating a database; the fourth extraction module, used for correspondingly extracting more than one attack response characteristic from more than one piece of first response data; the rule forming module, used for performing deterministic description on each attack response characteristic to form more than one attack response rule; and the storage module, used for storing the more than one attack response rule into the database to obtain the feature library.
The feature library may also include N sub-feature libraries, where N is an integer not less than 2. In that case the feature library creation module may include: the database creating module, used for creating N databases; the fourth extraction module, used for correspondingly extracting more than two attack response characteristics from more than two pieces of first response data; the rule forming module, used for performing deterministic description on each attack response characteristic to form more than two attack response rules; and the storage module, used for storing the attack response rules belonging to the same attack type among the more than two attack response rules into the same database to obtain the sub-feature libraries.
Further, the attack action obtaining module includes: the association relation establishing module, used for establishing the association relation between each attack response rule in the feature library and an attack action; and the attack action determining module, used for determining, according to the association relation between each attack response rule in the feature library and the attack action, the attack action corresponding to the attack response rule matched with the feature to be compared as the attack action of the successful network attack.
For a specific working principle of the artificial intelligence based network attack detection system, reference may be made to the description of step S31 to step S33 in embodiment 2, and this embodiment is not described herein again.
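Added example (not the patent's code) of the success-detection path of this embodiment: a feature library made of sub-feature libraries keyed by attack type, each attack response rule a regular expression (A15) tied to an attack action (A16), with the features to be compared taken either from the response alone (A9) or from request and response together (A10). The rule patterns, attack type names and sample request/response pairs are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AttackResponseRule:
    """Deterministic description (regular expression) of one attack response
    feature, i.e. of what an attacked host sends back when an attack request
    succeeded, plus the attack action associated with that rule."""
    name: str
    pattern: re.Pattern
    attack_action: str
    # When True the matched response text must also appear in the request data,
    # so the feature to compare is extracted from request and response together.
    require_reflection: bool = False


def build_feature_library() -> Dict[str, List[AttackResponseRule]]:
    """Create the feature library: one sub-feature library (a dict entry standing
    in for a database) per attack type. Patterns are constructed examples of
    commonly used detection signatures, not taken from the patent."""
    return {
        "sql_injection": [
            AttackResponseRule(
                "sql_error_leak",
                re.compile(r"(?i)(You have an error in your SQL syntax|ORA-\d{5}|Unclosed quotation mark)"),
                "database error message disclosed",
            ),
        ],
        "command_injection": [
            AttackResponseRule(
                "id_command_output",
                re.compile(r"uid=\d+\([\w-]+\)\s+gid=\d+"),
                "arbitrary command executed on host",
            ),
        ],
        "path_traversal": [
            AttackResponseRule(
                "passwd_file_contents",
                re.compile(r"root:x:0:0:"),
                "local file read (/etc/passwd returned)",
            ),
        ],
        "xss": [
            AttackResponseRule(
                "reflected_script",
                re.compile(r"<script[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL),
                "script payload reflected without escaping",
                require_reflection=True,
            ),
        ],
    }


def detect_attack_success(
    library: Dict[str, List[AttackResponseRule]],
    attack_type: str,
    request_data: str,
    response_data: str,
) -> Tuple[bool, Optional[str], Optional[str]]:
    """Compare the features to be compared, one by one, with the rules of the
    sub-feature library matching the classified attack type (A14).

    Returns (attack succeeded?, attack action, matched rule name)."""
    for rule in library.get(attack_type, []):
        match = rule.pattern.search(response_data)
        if match is None:
            continue
        if rule.require_reflection and match.group(0) not in request_data:
            continue  # response text was not echoed from this request
        return True, rule.attack_action, rule.name
    return False, None, None


# Constructed request/response pairs (request data shown already URL-decoded).
SAMPLE_TRAFFIC = [
    ("command_injection", "GET /ping?host=127.0.0.1;id HTTP/1.1",
     "PING 127.0.0.1 (127.0.0.1) 56 bytes\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n"),
    ("command_injection", "GET /ping?host=127.0.0.1;id HTTP/1.1",
     "400 Bad Request: invalid host name\n"),
    ("xss", "GET /search?q=<script>alert(1)</script> HTTP/1.1",
     "<p>Results for <script>alert(1)</script></p>"),
    ("xss", "GET /search?q=<script>alert(1)</script> HTTP/1.1",
     "<p>Results for &lt;script&gt;alert(1)&lt;/script&gt;</p>"),
    ("sql_injection", "GET /item?id=1' HTTP/1.1",
     "You have an error in your SQL syntax; check the manual for the right syntax\n"),
]


if __name__ == "__main__":
    lib = build_feature_library()
    for attack_type, req, resp in SAMPLE_TRAFFIC:
        print(attack_type, detect_attack_success(lib, attack_type, req, resp))
```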
Example 7
In this embodiment, another artificial intelligence based network attack detection system is provided, and compared with the artificial intelligence based network attack detection system provided in embodiment 6, the artificial intelligence based network attack detection system further includes: the alarm information generating module, used for generating alarm information, wherein the alarm information comprises the attack type of the network attack, whether the network attack is successful and the attack action of the successful network attack. Further, the network attack detection system based on artificial intelligence further includes: the sending module, used for sending the alarm information to a network manager through one or more combinations of e-mails, short messages, dialog boxes and instant messaging.
The specific working principle of the artificial intelligence-based network attack detection system may refer to the description of each step in embodiment 3, which is not described herein again.
Example 8
In this embodiment, another artificial intelligence based network attack detection system is provided, and compared with the artificial intelligence based network attack detection system provided in embodiment 7, the artificial intelligence based network attack detection system further includes:
the label adding module is used for adding a corresponding attack chain label to the alarm information according to the alarm content of the alarm information, wherein the attack chain label is used for representing the attack stage of the network attack in an attack chain;
the statistical module is used for counting each attack chain label of the same attack event and obtaining the total times of network attacks, the times of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event;
and the route information generating module is used for generating attack route information according to the total times of network attacks, the times of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event, wherein the attack route information comprises the total times of network attacks, the times of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event.
Further, the attack chain labels include more than two levels, and the label adding module is configured to determine, according to the alarm content of the alarm information, the label at each level corresponding to the alarm information from a pre-established label library, where the label library stores M attack chain labels, the M attack chain labels are divided into more than two levels, and M is an integer greater than 4.
Further, the attack route information further includes start and stop times of each attack stage, and the artificial intelligence based network attack detection system further includes: and the display module is used for displaying the attack route information according to the sequence of the starting time of each attack stage.
The specific working principle of the artificial intelligence-based network attack detection system may refer to the description of each step in embodiment 4, which is not described herein again.
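Added example (not the patent's code) covering the alarm information of embodiment 7 together with the attack chain labelling, statistics and attack route information of this embodiment: a two-level label library with M = 9 labels looked up by the attack type carried in the alarm content, per-stage counts and start/stop times for each attack event, and the route displayed in order of each stage's start time. The stage names, labels, attack types and alarms are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AlarmInfo:
    """Alarm information: attack type, whether the attack succeeded and, if so,
    the attack action. event_id groups alarms of the same attack event."""
    event_id: str
    time: datetime
    attack_type: str
    success: bool
    attack_action: Optional[str] = None


# Constructed label library: attack chain labels in two levels, looked up by the
# attack type carried in the alarm content. Level 1 is the attack stage in the
# attack chain, level 2 refines it. Nine distinct labels, so M = 9 > 4.
TAG_LIBRARY: Dict[str, Tuple[str, str]] = {
    "port_scan":         ("reconnaissance",      "service enumeration"),
    "directory_brute":   ("reconnaissance",      "web path enumeration"),
    "sql_injection":     ("exploitation",        "web application injection"),
    "command_injection": ("exploitation",        "web application injection"),
    "webshell_upload":   ("installation",        "backdoor deployment"),
    "webshell_access":   ("command_and_control", "webshell command execution"),
}


def add_attack_chain_tags(alarm: AlarmInfo) -> Tuple[str, str]:
    """Determine the level-1 and level-2 attack chain labels of an alarm."""
    return TAG_LIBRARY.get(alarm.attack_type, ("unclassified", "unclassified"))


@dataclass
class StageStats:
    """Statistics of one attack stage within one attack event."""
    total_attacks: int = 0
    successful_attacks: int = 0
    successful_actions: List[str] = field(default_factory=list)
    start: Optional[datetime] = None
    stop: Optional[datetime] = None


def attack_route_info(alarms: List[AlarmInfo]) -> Dict[str, List[Tuple[str, StageStats]]]:
    """Count the attack chain labels of each attack event and build its attack
    route: per stage the total attacks, successful attacks, successful attack
    actions and start/stop times, with the stages ordered by start time."""
    per_event: Dict[str, Dict[str, StageStats]] = {}
    for alarm in alarms:
        stage, _level2 = add_attack_chain_tags(alarm)
        stats = per_event.setdefault(alarm.event_id, {}).setdefault(stage, StageStats())
        stats.total_attacks += 1
        if alarm.success:
            stats.successful_attacks += 1
            if alarm.attack_action and alarm.attack_action not in stats.successful_actions:
                stats.successful_actions.append(alarm.attack_action)
        stats.start = alarm.time if stats.start is None else min(stats.start, alarm.time)
        stats.stop = alarm.time if stats.stop is None else max(stats.stop, alarm.time)
    return {
        event_id: sorted(stages.items(), key=lambda item: item[1].start)
        for event_id, stages in per_event.items()
    }


def format_route(route: List[Tuple[str, StageStats]]) -> List[str]:
    """Render one event's attack route as display lines, one per stage."""
    lines = []
    for stage, stats in route:
        line = (f"{stats.start:%H:%M}-{stats.stop:%H:%M} {stage}: "
                f"{stats.total_attacks} attacks, {stats.successful_attacks} successful")
        if stats.successful_actions:
            line += ", actions: " + "; ".join(stats.successful_actions)
        lines.append(line)
    return lines


def _t(hhmm: str) -> datetime:
    return datetime.strptime("2020-01-01 " + hhmm, "%Y-%m-%d %H:%M")


# Constructed alarms for two attack events; deliberately not in time order.
SAMPLE_ALARMS = [
    AlarmInfo("evt-1", _t("09:12"), "sql_injection", False),
    AlarmInfo("evt-1", _t("09:00"), "port_scan", False),
    AlarmInfo("evt-1", _t("09:15"), "sql_injection", True, "database error message disclosed"),
    AlarmInfo("evt-1", _t("09:03"), "directory_brute", False),
    AlarmInfo("evt-1", _t("09:20"), "command_injection", True, "arbitrary command executed on host"),
    AlarmInfo("evt-1", _t("09:31"), "webshell_upload", True, "webshell written to web root"),
    AlarmInfo("evt-1", _t("09:40"), "webshell_access", True, "command executed through webshell"),
    AlarmInfo("evt-1", _t("09:44"), "webshell_access", True, "command executed through webshell"),
    AlarmInfo("evt-2", _t("11:05"), "port_scan", False),
]


if __name__ == "__main__":
    for event_id, route in attack_route_info(SAMPLE_ALARMS).items():
        print(event_id)
        for line in format_route(route):
            print("  " + line)
```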
Example 9
This embodiment provides a computer-readable storage medium on which a computer program is stored. If any one of the artificial intelligence based network attack detection methods provided in embodiments 1 to 4 of the present invention is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on such understanding, all or part of the processes in any one of the artificial intelligence based network attack detection methods provided in embodiments 1 to 4 may also be implemented by instructing related hardware through a computer program. The computer program may be stored in a computer-readable storage medium and, when executed by a processor, may implement the steps of the various method embodiments described above.
The computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form. The computer-readable medium may include any entity or device capable of carrying the computer program code, such as a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a Read-Only Memory (ROM), a Random Access Memory (RAM), an electrical carrier signal, a telecommunications signal or a software distribution medium. It should be noted that the content a computer-readable medium may contain is subject to appropriate increase or decrease as required by legislation and patent practice in each jurisdiction; for example, in some jurisdictions computer-readable media do not include electrical carrier signals and telecommunications signals.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are merely exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.
The invention discloses A1, a network attack detection method based on artificial intelligence, comprising:
collecting network data of a target host;
extracting features to be detected from the network data;
and importing the features to be detected into a pre-established artificial intelligence model, classifying the features to be detected through the artificial intelligence model, and determining whether the target host is under network attack and the attack type of the network attack according to the classification result.
A2, the method for detecting network attack based on artificial intelligence according to A1, wherein the extracting features to be detected from the network data includes:
extracting request data from the network data, wherein the request data is used for initiating a request service to the target host;
and extracting the features to be detected from the request data.
A3, the method for detecting network attack based on artificial intelligence according to A1, wherein before the step of importing the features to be detected into a pre-established artificial intelligence model, the method further comprises:
and establishing the artificial intelligence model.
A4, the method for artificial intelligence based network attack detection according to A3, wherein the establishing the artificial intelligence model comprises:
collecting model training data;
extracting the characteristics of the known network attacks from the model training data to obtain attack characteristic data;
classifying the attack characteristic data to obtain a training sample;
and carrying out model training according to the training samples to obtain the artificial intelligence model.
A5, the method for artificial intelligence based cyber attack detection according to A4, wherein the collecting model training data includes:
and collecting one or more combinations of the attack data disclosed by the Internet, the vulnerability data disclosed by the Internet, the attack data collected by the target host and the vulnerability data collected by the target host.
A6, the method for detecting cyber attack based on artificial intelligence according to A4, wherein the training of the model according to the training samples includes:
and performing model training by adopting a naive Bayes algorithm according to the training sample.
A7, the method for detecting network attack based on artificial intelligence according to any one of A1 to A6, further comprising, after determining the target host is under the network attack and the attack type of the network attack according to the classification result:
detecting whether the network attack is successful;
and if the network attack is successful, obtaining the attack action of the successful network attack.
A8, the method for artificial intelligence based network attack detection according to A7, wherein the detecting whether the network attack is successful comprises:
extracting features to be compared from the network data;
comparing the features to be compared with more than one attack response rule in a pre-established feature library one by one, wherein the attack response rule is formed according to first response data, and the first response data is used for responding to a successful attack request by an attacked host;
and if the features to be compared are matched with the attack response rule, judging that the network attack is successful.
A9, the method for detecting network attack based on artificial intelligence according to A8, wherein the extracting features to be compared from the network data includes:
extracting second response data from the network data, wherein the second response data is used for the target host to answer the request service;
and extracting the features to be compared from the second response data.
A10, the method for detecting network attack based on artificial intelligence according to A8, wherein the extracting features to be compared from the network data comprises:
extracting request data and second response data from the network data, wherein the request data is used for initiating a request service to the target host, and the second response data is used for responding the request service by the target host;
and extracting the features to be compared from the request data and the second response data.
A11, the method for detecting network attack based on artificial intelligence according to A8, further comprising, before comparing the features to be compared with one or more attack response rules in a pre-established feature library:
and establishing the feature library.
A12, the method for artificial intelligence based network attack detection according to A11, wherein the establishing the feature library includes:
creating a database;
correspondingly extracting more than one attack response characteristic from more than one first response data;
each attack response characteristic is described in a deterministic manner to form more than one attack response rule;
and storing the more than one attack response rule into the database to obtain the feature library.
A13, the method for detecting network attack based on artificial intelligence according to A11, wherein the feature library includes N sub-feature libraries, N is an integer not less than 2, and the establishing the feature library includes:
creating N databases;
correspondingly extracting more than two attack response characteristics from more than two first response data;
each attack response characteristic is described in a deterministic manner to form more than two attack response rules;
and storing the attack response rules belonging to the same attack type in the more than two attack response rules into the same database to obtain the sub-feature library.
A14, the method for detecting network attack based on artificial intelligence according to A13, wherein the comparing the features to be compared with one or more attack response rules in a pre-established feature library one by one includes:
and comparing the characteristics to be compared with more than one attack response rule in the sub-characteristic library corresponding to the attack type of the network attack one by one.
A15, the method for detecting network attack based on artificial intelligence according to A12 or A13, wherein the deterministically describing each attack response feature comprises:
and performing deterministic description on each attack response characteristic by adopting a regular expression.
A16, the method for detecting network attack based on artificial intelligence according to A12 or A13, wherein the obtaining the attack action of the successful network attack includes:
establishing an association relation between each attack response rule in the feature library and an attack action;
and determining, according to the association relation between each attack response rule in the feature library and the attack action, the attack action corresponding to the attack response rule matched with the feature to be compared as the attack action of the successful network attack.
A17, the method for detecting network attack based on artificial intelligence according to the A7, further comprising after the detecting whether the network attack is successful:
and generating alarm information, wherein the alarm information comprises the attack type of the network attack, whether the network attack is successful or not and the attack action of the successful network attack.
A18, the method for detecting network attack based on artificial intelligence according to the A17, further comprising, after the generating the alarm information:
and sending the alarm information to a network manager through one or more combinations of mails, short messages, dialog boxes and instant messaging.
A19, the method for detecting network attack based on artificial intelligence according to the A17, further comprising, after the generating the alarm information:
adding a corresponding attack chain tag to the alarm information according to the alarm content of the alarm information, wherein the attack chain tag is used for representing the attack stage of the network attack in an attack chain;
counting each attack chain label of the same attack event, and obtaining the total times of network attacks, the times of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event;
and generating attack route information according to the total times of network attacks, the successful times of network attacks and the attack actions of the successful network attacks in each attack stage of the attack event, wherein the attack route information comprises the total times of network attacks, the successful times of network attacks and the attack actions of the successful network attacks in each attack stage of the attack event.
A20, the method for detecting network attack based on artificial intelligence according to A19, wherein the adding of the corresponding attack chain label to the alarm information according to the alarm content of the alarm information includes:
and determining an attack chain label corresponding to the alarm information from a pre-established label library according to the alarm content of the alarm information.
A21, the method for detecting network attack based on artificial intelligence according to A19, wherein the attack chain labels include more than two levels, and the adding corresponding attack chain labels to the alarm information according to the alarm content of the alarm information includes:
and determining each level of label corresponding to the alarm information from a pre-established label library according to the alarm content of the alarm information, wherein the label library stores M attack chain labels, the M attack chain labels are divided into more than two levels, and M is an integer larger than 4.
A22, the method for detecting network attacks based on artificial intelligence according to A19, wherein the attack route information further includes start and stop times of each attack stage, and after the attack route information is generated according to the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event, the method further includes:
and displaying the attack route information according to the sequence of the starting time of each attack stage.
The invention also discloses B23, a network attack detecting system based on artificial intelligence, comprising:
the acquisition module is used for acquiring network data of the target host;
the first extraction module is used for extracting the features to be detected from the network data;
and the importing module is used for importing the characteristics to be detected into a pre-established artificial intelligence model, classifying the characteristics to be detected through the artificial intelligence model, and determining whether the target host is under network attack and the attack type of the network attack according to the classification result.
B24, the system for artificial intelligence based network attack detection according to B23, wherein the first extraction module comprises:
a first extraction unit, configured to extract request data from the network data, where the request data is used to initiate a request service to the target host;
and the second extraction unit is used for extracting the features to be detected from the request data.
B25, the system for detecting network attack based on artificial intelligence according to B23, further comprising:
and the model creating module is used for creating the artificial intelligence model.
B26, the system for artificial intelligence based network attack detection according to B25, the model creation module comprising:
the collection module is used for collecting model training data;
the second extraction module is used for extracting the characteristics of the known network attack from the model training data to obtain attack characteristic data;
the classification module is used for classifying the attack characteristic data to obtain a training sample;
and the training module is used for carrying out model training according to the training samples to obtain the artificial intelligence model.
B27, the system for detecting artificial intelligence-based cyber attack according to B26, wherein the model training data includes one or more combinations of internet published attack data, internet published vulnerability data, attack data collected by the target host and vulnerability data collected by the target host.
B28, the artificial intelligence based network attack detection system according to B26, wherein the training module is a naive Bayes algorithm module.
B29, the system for detecting artificial intelligence based network attack according to any one of B23 to B28, further comprising:
the detection module is used for detecting whether the network attack is successful;
and the attack action obtaining module is used for obtaining the attack action of the successful network attack when the network attack is successful.
B30, the system for artificial intelligence based network attack detection according to B29, the detection module comprising:
the third extraction module is used for extracting the features to be compared from the network data;
the comparison module is used for comparing the features to be compared with more than one attack response rule in a pre-established feature library one by one, wherein the attack response rules are formed according to first response data, and the first response data are used for responding to a successful attack request by an attacked host;
and the judging module is used for judging that the network attack is successful when the features to be compared are matched with the attack response rule.
B31, the system for artificial intelligence based network attack detection according to B30, the third extraction module comprising:
a third extracting unit, configured to extract second response data from the network data, where the second response data is used for the target host to answer the request service;
and the fourth extraction unit is used for extracting the features to be compared from the second response data.
B32, the system for artificial intelligence based network attack detection according to B30, the third extraction module comprising:
a fifth extracting unit, configured to extract request data and second response data from the network data, where the request data is used to initiate a request service to the target host, and the second response data is used for the target host to answer the request service;
a sixth extracting unit, configured to extract the feature to be compared from the request data and the second response data.
B33, the system for detecting network attack based on artificial intelligence according to B30, further comprising:
and the characteristic library creating module is used for creating the characteristic library.
B34, the system for artificial intelligence based network attack detection according to B33, the feature library creation module comprising:
the database creating module is used for creating a database;
the fourth extraction module is used for correspondingly extracting more than one attack response characteristic from more than one first response data;
the rule forming module is used for performing deterministic description on each attack response characteristic to form more than one attack response rule;
and the storage module is used for storing the more than one attack response rule into the database to obtain the feature library.
B35, the system for detecting network attack based on artificial intelligence according to B33, wherein the feature library comprises N sub-feature libraries, N is an integer not less than 2, and the feature library creating module comprises:
the database creating module is used for creating N databases;
the fourth extraction module is used for correspondingly extracting more than two attack response characteristics from more than two pieces of first response data;
the rule forming module is used for performing deterministic description on each attack response characteristic to form more than two attack response rules;
and the storage module is used for storing the attack response rules belonging to the same attack type in the more than two attack response rules into the same database to obtain the sub-feature library.
B36, the system for detecting network attacks based on artificial intelligence according to B35, wherein the comparison module is used for comparing the features to be compared with more than one attack response rule in the sub-feature library corresponding to the attack type of the network attack one by one.
B37, the system for artificial intelligence based network attack detection according to B34 or B35, wherein the rule forming module is a regular expression writing module.
B38, the system for artificial intelligence based network attack detection according to B34 or B35, the attack action obtaining module comprises:
the association relation establishing module is used for establishing the association relation between each attack response rule in the feature library and an attack action;
and the attack action determining module is used for determining, according to the association relation between each attack response rule in the feature library and the attack action, the attack action corresponding to the attack response rule matched with the feature to be compared as the attack action of the successful network attack.
B39, the system for detecting network attack based on artificial intelligence according to B29, further comprising:
and the alarm information generating module is used for generating alarm information, wherein the alarm information comprises the attack type of the network attack, whether the network attack is successful and the attack action of the successful network attack.
B40, the system for detecting network attack based on artificial intelligence according to B39, further comprising:
and the sending module is used for sending the alarm information to a network manager through one or more combinations of mails, short messages, dialog boxes and instant messaging.
B41, the system for detecting network attack based on artificial intelligence according to B39, further comprising:
the label adding module is used for adding a corresponding attack chain label to the alarm information according to the alarm content of the alarm information, wherein the attack chain label is used for representing the attack stage of the network attack in an attack chain;
the statistical module is used for counting each attack chain label of the same attack event and obtaining the total times of network attacks, the times of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event;
and the route information generating module is used for generating attack route information according to the total times of network attacks, the times of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event, wherein the attack route information comprises the total times of network attacks, the times of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event.
B42, the system for detecting network attack based on artificial intelligence according to B41, wherein the label adding module is used for determining an attack chain label corresponding to the alarm information from a pre-established label library according to the alarm content of the alarm information.
B43, the system for detecting network attack based on artificial intelligence according to B41, wherein the attack chain labels include more than two levels, and the label adding module is used for determining the label at each level corresponding to the alarm information from a pre-established label library according to the alarm content of the alarm information, wherein M attack chain labels are stored in the label library, the M attack chain labels are divided into more than two levels, and M is an integer greater than 4.
B44, the system for detecting cyber attack based on artificial intelligence according to B41, wherein the attack route information further includes start and stop times of each attack stage, the system further comprising:
and the display module is used for displaying the attack route information according to the sequence of the starting time of each attack stage.
The invention also discloses C45, a computer-readable storage medium having a computer program stored thereon which, when executed by a processor, implements the artificial intelligence based network attack detection method described in any one of A1 to A22.
The invention also discloses D46, a computer device comprising a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor executes the program to realize the artificial intelligence based network attack detection method of any one of A1 to A22.

Claims (40)

1. A network attack detection method based on artificial intelligence is characterized by comprising the following steps:
collecting network data of a target host;
extracting features to be detected from the network data;
importing the features to be detected into a pre-established artificial intelligence model, classifying the features to be detected through the artificial intelligence model, and determining whether the target host is under network attack and the attack type of the network attack according to the classification result;
after determining that the target host is under the network attack and the attack type of the network attack according to the classification result, the method further comprises the following steps:
detecting whether the network attack is successful;
if the network attack is successful, acquiring the attack action of the successful network attack;
after the detecting whether the network attack is successful, further comprising:
generating alarm information, wherein the alarm information comprises an attack type of the network attack, whether the network attack is successful or not and an attack action of the successful network attack;
after the generating of the alarm information, the method further comprises:
adding a corresponding attack chain tag to the alarm information according to the alarm content of the alarm information, wherein the attack chain tag is used for representing the attack stage of the network attack in an attack chain;
counting each attack chain label of the same attack event, and obtaining the total times of network attacks, the times of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event;
and generating attack route information according to the total times of network attacks, the successful times of network attacks and the attack actions of the successful network attacks in each attack stage of the attack event, wherein the attack route information comprises the total times of network attacks, the successful times of network attacks and the attack actions of the successful network attacks in each attack stage of the attack event.
2. The method according to claim 1, wherein the extracting the features to be detected from the network data comprises:
extracting request data from the network data, wherein the request data is used for initiating a request service to the target host;
and extracting the features to be detected from the request data.
3. The method according to claim 1, further comprising, before importing the features to be detected into a pre-established artificial intelligence model:
and establishing the artificial intelligence model.
4. The method according to claim 3, wherein the establishing the artificial intelligence model comprises:
collecting model training data;
extracting the characteristics of the known network attacks from the model training data to obtain attack characteristic data;
classifying the attack characteristic data to obtain a training sample;
and carrying out model training according to the training samples to obtain the artificial intelligence model.
5. The method according to claim 4, wherein the collecting model training data comprises:
and collecting one or more combinations of the attack data disclosed by the Internet, the vulnerability data disclosed by the Internet, the attack data collected by the target host and the vulnerability data collected by the target host.
6. The method according to claim 4, wherein the performing model training according to the training samples comprises:
and performing model training by adopting a naive Bayes algorithm according to the training sample.
7. The method according to claim 1, wherein the detecting whether the network attack is successful comprises:
extracting features to be compared from the network data;
comparing the features to be compared with more than one attack response rule in a pre-established feature library one by one, wherein the attack response rule is formed according to first response data, and the first response data is used for responding to a successful attack request by an attacked host;
and if the features to be compared are matched with the attack response rule, judging that the network attack is successful.
8. The method according to claim 7, wherein the extracting features to be compared from the network data comprises:
extracting second response data from the network data, wherein the second response data is used for the target host to answer the request service;
and extracting the features to be compared from the second response data.
9. The method according to claim 7, wherein the extracting features to be compared from the network data comprises:
extracting request data and second response data from the network data, wherein the request data is used for initiating a request service to the target host, and the second response data is used for responding the request service by the target host;
and extracting the features to be compared from the request data and the second response data.
10. The method according to claim 7, further comprising, before comparing the features to be compared one by one with the one or more attack response rules in the pre-established feature library:
and establishing the feature library.
11. The method according to claim 10, wherein the establishing the feature library comprises:
creating a database;
correspondingly extracting more than one attack response characteristic from more than one first response data;
each attack response characteristic is described in a deterministic manner to form more than one attack response rule;
and storing the more than one attack response rule into the database to obtain the feature library.
12. The method according to claim 10, wherein the feature library comprises N sub-feature libraries, N is an integer not less than 2, and the establishing the feature library comprises:
creating N databases;
correspondingly extracting more than two attack response characteristics from more than two first response data;
each attack response characteristic is described in a deterministic manner to form more than two attack response rules;
and storing the attack response rules belonging to the same attack type in the more than two attack response rules into the same database to obtain the sub-feature library.
13. The method according to claim 12, wherein the comparing the features to be compared with one or more attack response rules in a pre-established feature library one by one comprises:
and comparing the characteristics to be compared with more than one attack response rule in the sub-characteristic library corresponding to the attack type of the network attack one by one.
14. The artificial intelligence based network attack detection method according to claim 11 or 12, wherein describing each attack response feature in a deterministic manner comprises:
and performing deterministic description on each attack response characteristic by adopting a regular expression.
15. The method according to claim 11 or 12, wherein the acquiring the attack action of the successful network attack comprises:
establishing an association between each attack response rule in the feature library and an attack action;
and determining, according to the association between each attack response rule in the feature library and the attack action, the attack action corresponding to the attack response rule matched by the feature to be compared as the attack action of the successful network attack.
16. The method according to claim 1, further comprising, after the generating the alarm information:
and sending the alarm information to a network manager through one or more combinations of mails, short messages, dialog boxes and instant messaging.
17. The method according to claim 1, wherein the adding a corresponding attack chain tag to the alarm information according to the alarm content of the alarm information comprises:
and determining an attack chain label corresponding to the alarm information from a pre-established label library according to the alarm content of the alarm information.
18. The method according to claim 1, wherein the attack chain labels include two or more levels, and adding the corresponding attack chain labels to the alarm information according to the alarm content of the alarm information comprises:
and determining each level of label corresponding to the alarm information from a pre-established label library according to the alarm content of the alarm information, wherein the label library stores M attack chain labels, the M attack chain labels are divided into more than two levels, and M is an integer larger than 4.
19. The method according to claim 1, wherein the attack route information further includes start and stop times of each attack stage, and after generating the attack route information according to the total number of network attacks, the number of successful network attacks, and the attack actions of the successful network attacks in each attack stage of the attack event, the method further comprises:
and displaying the attack route information according to the sequence of the starting time of each attack stage.
20. A network attack detection system based on artificial intelligence, comprising:
the acquisition module is used for acquiring network data of the target host;
the first extraction module is used for extracting the features to be detected from the network data;
the importing module is used for importing the characteristics to be detected into a pre-established artificial intelligence model, classifying the characteristics to be detected through the artificial intelligence model, and determining whether the target host is under network attack and the attack type of the network attack according to the classification result;
the detection module is used for detecting whether the network attack is successful;
the attack action obtaining module is used for obtaining the attack action of the successful network attack when the network attack is successful;
the warning information generating module is used for generating warning information, wherein the warning information comprises the attack type of the network attack, whether the network attack is successful and the attack action of the successful network attack;
the label adding module is used for adding a corresponding attack chain label to the alarm information according to the alarm content of the alarm information, wherein the attack chain label is used for representing the attack stage of the network attack in an attack chain;
the statistical module is used for counting each attack chain label of the same attack event and obtaining the total times of network attacks, the times of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event;
and the route information generating module is used for generating attack route information according to the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event, wherein the attack route information comprises the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event.
21. The system of claim 20, wherein the first extraction module comprises:
a first extraction unit, configured to extract request data from the network data, where the request data is used to initiate a request service to the target host;
and the second extraction unit is used for extracting the features to be detected from the request data.
22. The system of claim 20, further comprising:
and the model creating module is used for creating the artificial intelligence model.
23. The system of claim 22, wherein the model creation module comprises:
the collection module is used for collecting model training data;
the second extraction module is used for extracting the characteristics of the known network attack from the model training data to obtain attack characteristic data;
the classification module is used for classifying the attack characteristic data to obtain a training sample;
and the training module is used for carrying out model training according to the training samples to obtain the artificial intelligence model.
24. The system according to claim 23, wherein the model training data comprises one or more combinations of internet published attack data, internet published vulnerability data, attack data collected by the target host, and vulnerability data collected by the target host.
25. The system according to claim 23, wherein the training module is a naive bayes algorithm module.
26. The system according to claim 20, wherein the detection module comprises:
the third extraction module is used for extracting the features to be compared from the network data;
the comparison module is used for comparing the features to be compared with more than one attack response rule in a pre-established feature library one by one, wherein the attack response rules are formed according to first response data, and the first response data are used for responding to a successful attack request by an attacked host;
and the judging module is used for judging that the network attack is successful when the features to be compared are matched with the attack response rule.
27. The system according to claim 26, wherein the third extraction module comprises:
a third extracting unit, configured to extract second response data from the network data, where the second response data is used for the target host to answer the request service;
and the fourth extraction unit is used for extracting the features to be compared from the second response data.
28. The system according to claim 26, wherein the third extraction module comprises:
a fifth extracting unit, configured to extract request data and second response data from the network data, where the request data is used to initiate a request service to the target host, and the second response data is used for the target host to answer the request service;
a sixth extracting unit, configured to extract the feature to be compared from the request data and the second response data.
29. The system of claim 26, further comprising:
and the characteristic library creating module is used for creating the characteristic library.
30. The system of claim 29, wherein the feature library creation module comprises:
the database creating module is used for creating a database;
the fourth extraction module is used for correspondingly extracting more than one attack response characteristic from more than one first response data;
the rule forming module is used for performing deterministic description on each attack response characteristic to form more than one attack response rule;
and the storage module is used for storing the more than one attack response rule into the database to obtain the feature library.
31. The system according to claim 29, wherein the feature library comprises N sub-feature libraries, N being an integer not less than 2, and the feature library creating module comprises:
the database creating module is used for creating N databases;
the fourth extraction module is used for correspondingly extracting more than two attack response characteristics from more than two pieces of first response data;
the rule forming module is used for performing deterministic description on each attack response characteristic to form more than two attack response rules;
and the storage module is used for storing the attack response rules belonging to the same attack type in the more than two attack response rules into the same database to obtain the sub-feature library.
32. The system according to claim 31, wherein the comparison module is configured to compare the features to be compared with one or more attack response rules in a sub-feature library corresponding to the attack type of the cyber attack.
33. An artificial intelligence based network attack detection system according to claim 30 or 31, wherein the rule formation module is a regular expression writing module.
34. An artificial intelligence based network attack detection system according to claim 30 or 31, wherein the attack action obtaining module comprises:
the association establishing module is used for establishing the association between each attack response rule in the feature library and an attack action;
and the attack action determining module is used for determining, according to the association between each attack response rule in the feature library and the attack action, the attack action corresponding to the attack response rule matched by the feature to be compared as the attack action of the successful network attack.
35. The system of claim 20, further comprising:
and the sending module is used for sending the alarm information to a network manager through one or more combinations of mails, short messages, dialog boxes and instant messaging.
36. The system according to claim 20, wherein the tag adding module is configured to determine an attack chain tag corresponding to the alarm information from a pre-established tag library according to the alarm content of the alarm information.
37. The system according to claim 20, wherein the attack chain tags include two or more levels, the tag adding module is configured to determine, according to the alarm content of the alarm information, each level of tags corresponding to the alarm information from a pre-established tag library, where the tag library stores M attack chain tags, the M attack chain tags are divided into two or more levels, and M is an integer greater than 4.
38. The system according to claim 20, wherein the attack route information further includes start and stop times of each attack stage, further comprising:
and the display module is used for displaying the attack route information according to the sequence of the starting time of each attack stage.
39. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, implements an artificial intelligence based network attack detection method according to any one of claims 1 to 19.
40. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements a method for artificial intelligence based detection of network attacks according to any one of claims 1 to 19 when executing the program.
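As an added worked example (not the patent's own code), the claimed pipeline end to end in Python: a naive Bayes attack-type classifier over request tokens (claims 4 and 6), success detection by regular-expression rules held in per-type sub-feature libraries and associated with attack actions (claims 7 to 15), alarm tagging from a two-level attack-chain tag library (claim 18), and per-stage attack route statistics ordered by start time (claims 1 and 19). The training requests, response patterns, tag names and traffic are all constructed for this example.

```python
import math
import re
from collections import Counter, defaultdict
TRAIN = [  # constructed labelled requests standing in for the claim 5 training data
    ("GET /index.php?id=1' OR '1'='1", "sqli"),
    ("GET /search?q=1 UNION SELECT user,pass FROM users", "sqli"),
    ("GET /page?name=<script>alert(1)</script>", "xss"),
    ("POST /comment body=<img src=x onerror=alert(1)>", "xss"),
    ("GET /index.php?id=42", "benign"),
    ("GET /search?q=laptop", "benign"),
]

def tokenize(text):  # features to be detected (claim 2): word tokens of the request
    return re.findall(r"[a-z0-9_]+", text.lower())

def train_nb(samples):  # claims 4 and 6: per-class token counts for naive Bayes
    class_counts, token_counts, vocab = Counter(), defaultdict(Counter), set()
    for text, label in samples:
        toks = tokenize(text)
        class_counts[label] += 1
        token_counts[label].update(toks)
        vocab.update(toks)
    return class_counts, token_counts, vocab

def classify(model, request):  # claim 1: class with the highest log posterior
    class_counts, token_counts, vocab = model
    total, scores = sum(class_counts.values()), {}
    for label, n in class_counts.items():
        denom = sum(token_counts[label].values()) + len(vocab)  # Laplace smoothing
        scores[label] = math.log(n / total) + sum(
            math.log((token_counts[label][t] + 1) / denom) for t in tokenize(request))
    return max(scores, key=scores.get)

# Claims 11-15: one sub-library per attack type; each regular expression describes a
# response feature of a successfully attacked host and maps to an attack action.
FEATURE_LIBRARY = {
    "sqli": [(re.compile(r"\b[0-9a-f]{32}\b"), "credential hashes in response body")],
    "xss": [(re.compile(r"<script>alert\(1\)</script>"), "payload reflected unescaped")],
}

def check_success(attack_type, response):  # claims 7 and 13: only the matching sub-library
    for rule, action in FEATURE_LIBRARY.get(attack_type, []):
        if rule.search(response):
            return action
    return None  # attack detected, but the response shows no evidence of success

TAG_LIBRARY = {  # claim 18: two-level (stage, tag) labels selected by alarm content
    ("xss", False): ("delivery", "xss attempt"),
    ("xss", True): ("exploitation", "xss reflected"),
    ("sqli", False): ("exploitation", "injection attempt"),
    ("sqli", True): ("exploitation", "data extraction"),
}

def generate_alarm(model, time, request, response):  # claim 1: alarm plus chain tag
    attack_type = classify(model, request)
    if attack_type == "benign":
        return None
    action = check_success(attack_type, response)
    stage, tag = TAG_LIBRARY[(attack_type, action is not None)]
    return {"time": time, "attack_type": attack_type, "successful": action is not None,
            "action": action, "stage": stage, "tag": tag}

def attack_route(alarms):  # claims 1 and 19: per-stage statistics ordered by start time
    stages = {}
    for a in sorted(alarms, key=lambda a: a["time"]):
        s = stages.setdefault(a["stage"], {"stage": a["stage"], "total": 0, "successful": 0,
                                           "actions": [], "start": a["time"], "stop": a["time"]})
        s["total"], s["stop"] = s["total"] + 1, a["time"]
        if a["successful"]:
            s["successful"] += 1
            s["actions"].append(a["action"])
    return sorted(stages.values(), key=lambda s: s["start"])

TRAFFIC = [  # constructed (time, request, response) triples of one attack event
    (100, "GET /index.php?id=5", "<html>product 5</html>"),
    (110, "GET /page?name=<script>alert(1)</script>", "Hello &lt;script&gt;alert(1)&lt;/script&gt;"),
    (120, "GET /item?id=7 UNION SELECT name FROM users", "<html>no results</html>"),
    (130, "GET /item?id=7 UNION SELECT pass FROM users", "<td>0123456789abcdef0123456789abcdef</td>"),
]

def run_pipeline(traffic=TRAFFIC):
    model = train_nb(TRAIN)
    alarms = (generate_alarm(model, t, req, resp) for t, req, resp in traffic)
    return attack_route([a for a in alarms if a is not None])
```

The escaped reflection at time 110 is classified as an attack but fails the success check, so it is counted in the delivery stage without an attack action, while the hash dump at time 130 is the only successful attack in the exploitation stage.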
CN201810714155.XA 2018-06-29 2018-06-29 Network attack detection method and system based on artificial intelligence Active CN108881265B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810714155.XA CN108881265B (en) 2018-06-29 2018-06-29 Network attack detection method and system based on artificial intelligence

Publications (2)

Publication Number Publication Date
CN108881265A CN108881265A (en) 2018-11-23
CN108881265B true CN108881265B (en) 2021-02-12

Family

ID=64296727

Country Status (1)

Country Link
CN (1) CN108881265B (en)

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109714329A (en) * 2018-12-24 2019-05-03 成都蜀道易信科技有限公司 Low rate DDoS detection method based on Bayesian network under a kind of cloud environment
CN109714342B (en) * 2018-12-28 2021-07-20 国家电网有限公司 Protection method and device for electronic equipment
CN111385271A (en) * 2018-12-29 2020-07-07 北京奇虎科技有限公司 Network attack detection method, device and system
CN109862037B (en) * 2019-03-22 2021-08-10 泰康保险集团股份有限公司 Block chain-based data equipment management method, device, medium and electronic equipment
CN110602029B (en) * 2019-05-15 2022-06-28 上海云盾信息技术有限公司 Method and system for identifying network attack
CN110213287B (en) * 2019-06-12 2020-07-10 北京理工大学 Dual-mode intrusion detection device based on integrated machine learning algorithm
CN110636076B (en) * 2019-10-12 2021-06-11 北京安信天行科技有限公司 Host attack detection method and system
CN110839033A (en) * 2019-11-18 2020-02-25 广州安加互联科技有限公司 Network attack identification method, system and terminal
CN113194080A (en) * 2021-04-25 2021-07-30 江苏欣业大数据科技有限公司 Network security system based on cloud computing and artificial intelligence
CN113839963B (en) * 2021-11-25 2022-02-15 南昌首页科技发展有限公司 Network security vulnerability intelligent detection method based on artificial intelligence and big data
CN114338202A (en) * 2021-12-30 2022-04-12 奇安信科技集团股份有限公司 Network attack result detection method and device, computing equipment and storage medium
CN114401152B (en) * 2022-03-23 2022-07-01 北京金睛云华科技有限公司 SQL injection attack detection method based on Bayesian penalty characteristic selection
CN114844721B (en) * 2022-06-06 2023-12-29 肇庆小鹏新能源投资有限公司广州分公司 Attack detection method and system, vehicle and computer readable storage medium
CN116056087B (en) * 2023-03-31 2023-06-09 国家计算机网络与信息安全管理中心 Network attack detection method, device and equipment
CN116743508B (en) * 2023-08-15 2023-11-14 四川新立高科科技有限公司 Method, device, equipment and medium for detecting network attack chain of power system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106453417A (en) * 2016-12-05 2017-02-22 国网浙江省电力公司电力科学研究院 Network attack target prediction method based on neighbor similarity
CN107046518A (en) * 2016-02-05 2017-08-15 阿里巴巴集团控股有限公司 The detection method and device of network attack
CN107577945A (en) * 2017-09-28 2018-01-12 阿里巴巴集团控股有限公司 URL attack detection methods, device and electronic equipment

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105471882A (en) * 2015-12-08 2016-04-06 中国电子科技集团公司第三十研究所 Behavior characteristics-based network attack detection method and device
CN107483425B (en) * 2017-08-08 2020-12-18 北京盛华安信息技术有限公司 Composite attack detection method based on attack chain
CN107483458A (en) * 2017-08-29 2017-12-15 杭州迪普科技股份有限公司 The recognition methods of network attack and device, computer-readable recording medium
CN107659583B (en) * 2017-10-27 2020-08-04 深信服科技股份有限公司 Method and system for detecting attack in fact

Also Published As

Publication number Publication date
CN108881265A (en) 2018-11-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220810

Address after: 300450 No. 9-3-401, No. 39, Gaoxin 6th Road, Binhai Science Park, Binhai New Area, Tianjin

Patentee after: 3600 Technology Group Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20230627

Address after: 1765, floor 17, floor 15, building 3, No. 10 Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: Beijing Hongxiang Technical Service Co.,Ltd.

Address before: 300450 No. 9-3-401, No. 39, Gaoxin 6th Road, Binhai Science Park, Binhai New Area, Tianjin

Patentee before: 3600 Technology Group Co.,Ltd.