CN113422785A - Malicious attack detection method and system based on network traffic and readable storage medium - Google Patents

Info

Publication number: CN113422785A (granted version: CN113422785B)
Application number: CN202110957842.6A
Authority: CN (China)
Original language: Chinese (zh)
Inventor: 张晓亮
Original and current assignee: Beijing Centre Biology Co ltd
Legal status: Granted, active
Prior art keywords: misjudgment, target, network traffic, event, malicious attack

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
                    • H04L 41/14 Network analysis or design
                        • H04L 41/142 Network analysis or design using statistical or mathematical methods
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
                        • G06F 21/55 Detecting local intrusion or implementing counter-measures
                            • G06F 21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
                            • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
                                • G06F 21/562 Static detection
            • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
                • G06N 3/00 Computing arrangements based on biological models
                    • G06N 3/02 Neural networks
                        • G06N 3/08 Learning methods

Abstract

In the malicious attack detection method, system and readable storage medium based on network traffic, a target network traffic event is acquired and judged with a preset network model to obtain a judgment result, namely that the event includes a malicious attack or does not include a malicious attack; the misjudgment database corresponding to the judgment result is queried to obtain a plurality of target misjudgment events corresponding to the target network traffic event; the similarity between each target misjudgment event and the target network traffic event is calculated; and if a target misjudgment event with a similarity larger than a preset threshold exists among the plurality of target misjudgment events, the judgment result is judged to be a misjudgment and is modified. The judgment accuracy is thereby improved, and network security can be improved.

Description

Malicious attack detection method and system based on network traffic and readable storage medium
Technical Field
The embodiments of the invention relate to the technical field of network security, in particular to a malicious attack detection method and system based on network traffic and a readable storage medium.
Background
With the continuous development of network technology, network security is becoming more and more important. During server operation, a large volume of traffic data pouring in over a long period increases the load on the server and, in severe cases, crashes it. At present, a pre-trained mathematical model is often used to judge whether network traffic data carries an attack intention, but such models have a high misjudgment rate, and normal large-volume traffic without any attack intention is easily blocked.
In view of the above problems, no effective technical solution exists at present.
Disclosure of Invention
In order to solve at least one technical problem, the invention provides a malicious attack detection method and system based on network traffic and a readable storage medium, which can improve network security.
In order to achieve the above object, the present invention provides a malicious attack detection method based on network traffic, including:
acquiring a target network traffic event, and judging the target network traffic event with a preset network model to obtain a judgment result, wherein the judgment result is that a malicious attack is included or that no malicious attack is included;
querying the misjudgment database corresponding to the judgment result to obtain a plurality of target misjudgment events corresponding to the target network traffic event;
calculating the similarity between each target misjudgment event and the target network traffic event;
and if a target misjudgment event with a similarity larger than a preset threshold exists among the plurality of target misjudgment events, judging that the judgment result is a misjudgment and modifying the judgment result.
Optionally, in the method for detecting a malicious attack based on network traffic according to the embodiment of the present application, querying the misjudgment database corresponding to the judgment result to obtain a plurality of target misjudgment events corresponding to the target network traffic event includes:
if the judgment result is that the target network traffic event includes a malicious attack, querying a first misjudgment database to obtain a plurality of first target misjudgment events corresponding to the target network traffic event, where a first target misjudgment event is a network traffic event that does not include a malicious attack but was judged to include one;
if the judgment result is that the target network traffic event does not include a malicious attack, querying a second misjudgment database to obtain a plurality of second target misjudgment events corresponding to the target network traffic event, where a second target misjudgment event is a network traffic event that includes a malicious attack but was judged not to include one.
Optionally, in the method for detecting a malicious attack based on network traffic according to the embodiment of the present application, querying the first misjudgment database to obtain a plurality of first target misjudgment events corresponding to the target network traffic event includes:
acquiring type information and data size information of the target network traffic event;
and acquiring a plurality of corresponding first target misjudgment events from the first misjudgment database according to the type information and the data size information, wherein the first target misjudgment events are of the same type as the target network traffic event and have a data size in the same data size interval.
Optionally, in the method for detecting malicious attacks based on network traffic according to the embodiment of the present application, calculating the similarity between each target misjudgment event and the target network traffic event includes: calculating the cosine similarity between each target misjudgment event and the target network traffic event.
Optionally, in the method for detecting malicious attacks based on network traffic according to the embodiment of the present application, judging the target network traffic event with a preset network model to obtain a judgment result includes:
acquiring the type of the traffic data corresponding to the target network traffic event;
selecting the corresponding preset network model according to the type of the traffic data;
and judging the target network traffic event with the selected preset network model to obtain a judgment result.
Optionally, in the malicious attack detection method based on network traffic according to the embodiment of the present application, the method further includes:
acquiring the misjudgment rate of each type of network traffic event within a preset time, wherein each type of network traffic event corresponds to one misjudgment rate;
and updating the preset network model corresponding to each type of network traffic event whose misjudgment rate exceeds the misjudgment rate threshold, based on the misjudgment events of that type, wherein the misjudgment events of that type are used as sample data during updating.
Optionally, in the method for detecting malicious attacks based on network traffic according to the embodiment of the present application, acquiring the target network traffic event includes:
acquiring an initial traffic event within a first preset time period;
acquiring a traffic data curve graph over a preset time period, wherein the preset time period includes the first preset time period;
and if the traffic data curve graph and the initial traffic event meet preset conditions, taking the initial traffic event as the target network traffic event.
In a second aspect, the present application further provides a malicious attack detection system based on network traffic. The system includes a memory and a processor; the memory stores a malicious attack detection method program based on network traffic which, when executed by the processor, implements the following steps:
acquiring a target network traffic event, and judging the target network traffic event with a preset network model to obtain a judgment result, wherein the judgment result is that a malicious attack is included or that no malicious attack is included;
querying the misjudgment database corresponding to the judgment result to obtain a plurality of target misjudgment events corresponding to the target network traffic event;
calculating the similarity between each target misjudgment event and the target network traffic event;
and if a target misjudgment event with a similarity larger than a preset threshold exists among the plurality of target misjudgment events, judging that the judgment result is a misjudgment and modifying the judgment result.
Optionally, in the system for detecting malicious attacks based on network traffic according to the embodiment of the present application, the program, when executed by the processor, further implements the following steps:
if the judgment result is that the target network traffic event includes a malicious attack, querying a first misjudgment database to obtain a plurality of first target misjudgment events corresponding to the target network traffic event, where a first target misjudgment event is a network traffic event that does not include a malicious attack but was judged to include one;
if the judgment result is that the target network traffic event does not include a malicious attack, querying a second misjudgment database to obtain a plurality of second target misjudgment events corresponding to the target network traffic event, where a second target misjudgment event is a network traffic event that includes a malicious attack but was judged not to include one.
In a third aspect, the present application further provides a computer-readable storage medium that stores a malicious attack detection method program based on network traffic; when the program is executed by a processor, the steps of the malicious attack detection method based on network traffic described in any one of the above are implemented.
As can be seen from the above, the malicious attack detection method and system based on network traffic provided by the embodiments of the present application acquire a target network traffic event and judge it with a preset network model to obtain a judgment result, namely that a malicious attack is included or that no malicious attack is included; query the misjudgment database corresponding to the judgment result to obtain a plurality of target misjudgment events corresponding to the target network traffic event; calculate the similarity between each target misjudgment event and the target network traffic event; and, if a target misjudgment event with a similarity larger than a preset threshold exists among the plurality of target misjudgment events, judge the judgment result to be a misjudgment and modify it. The judgment accuracy is thereby improved, and network security can be improved.
Additional aspects and advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Drawings
FIG. 1 is a flowchart of a malicious attack detection method based on network traffic according to the present invention;
FIG. 2 is a block diagram of a malicious attack detection system based on network traffic according to the present invention.
Detailed Description
In order that the above objects, features and advantages of the present invention can be more clearly understood, a more particular description of the invention will be rendered by reference to the appended drawings. It should be noted that the embodiments and features of the embodiments of the present application may be combined with each other without conflict.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, however, the present invention may be practiced in other ways than those specifically described herein, and therefore the scope of the present invention is not limited by the specific embodiments disclosed below.
Fig. 1 is a flowchart of a malicious attack detection method based on network traffic in some embodiments of the present invention. The malicious attack detection method based on network traffic includes the following steps:
S101, acquiring a target network traffic event, and judging the target network traffic event with a preset network model to obtain a judgment result, wherein the judgment result is that the target network traffic event includes a malicious attack or does not include a malicious attack.
S102, querying the misjudgment database corresponding to the judgment result to obtain a plurality of target misjudgment events corresponding to the target network traffic event.
S103, calculating the similarity between each target misjudgment event and the target network traffic event.
S104, if a target misjudgment event with a similarity larger than a preset threshold exists among the plurality of target misjudgment events, judging that the judgment result is a misjudgment and modifying the judgment result.
In step S101, the target network traffic event refers to a sudden large inrush of traffic, which may be a normal traffic surge or a malicious traffic attack. If left unhandled, an excessive traffic surge can crash the server. Therefore, the target network traffic event needs to be judged with a pre-trained preset network model to determine whether it includes a malicious attack.
In step S102, different misjudgment databases are used to detect whether the target network traffic event has been misjudged, depending on the judgment result. A misjudgment may be judging a network traffic event that does not include a malicious attack as including one, or judging a network traffic event that includes a malicious attack as not including one. If the judgment result is that no malicious attack is included, the event is checked against the misjudgment events that were judged not to include a malicious attack to determine whether it has been misjudged; if the judgment result is that a malicious attack is included, the event is checked against the misjudgment events that were judged to include a malicious attack to detect whether it has been misjudged.
In step S103, the similarity may be a cosine similarity or a similarity based on Euclidean distance.
In step S104, the preset threshold may be set according to actual needs, or based on empirical values obtained through multiple experiments. If the judgment result is found to be a misjudgment and the judgment result was that a malicious attack is included, it is modified to not including a malicious attack; if the judgment result was that no malicious attack is included, it is modified to including a malicious attack.
In some embodiments, the step of acquiring the target network traffic event may include:
S1011, acquiring an initial traffic event within a first preset time period; S1012, acquiring a traffic data curve graph over a preset time period, wherein the preset time period includes the first preset time period; and S1013, if the traffic data curve graph and the initial traffic event meet preset conditions, taking the initial traffic event as the target network traffic event.
For example, the first preset time period is 20 seconds and the preset time period is 5 minutes; if the traffic within the first preset time period is found to have increased suddenly to the current level, the initial traffic event may be taken as the target network traffic event.
In step S101, judging the target network traffic event with a preset network model to obtain a judgment result includes: S1014, acquiring the type of the traffic data corresponding to the target network traffic event; S1015, selecting the corresponding preset network model according to the type of the traffic data; and S1016, judging the target network traffic event with the preset network model to obtain a judgment result. The type refers to a data type, such as a scrambling code, a character string, a number, data, a control command, and the like. A corresponding preset network model, namely a neural network model, is pre-trained for each type of traffic data.
In some embodiments, step S102 may include the following sub-steps:
S1021, if the judgment result is that a malicious attack is included, querying a first misjudgment database to obtain a plurality of first target misjudgment events corresponding to the target network traffic event, where a first target misjudgment event is a network traffic event that does not include a malicious attack but was judged to include one;
S1022, if the judgment result is that no malicious attack is included, querying a second misjudgment database to obtain a plurality of second target misjudgment events corresponding to the target network traffic event, where a second target misjudgment event is a network traffic event that includes a malicious attack but was judged not to include one.
In step S1021, type information and data size information of the target network traffic event are acquired, and a plurality of corresponding first target misjudgment events are acquired from the first misjudgment database according to the type information and the data size information, wherein the first target misjudgment events are of the same type as the target network traffic event and have a data size in the same data size interval. The difference in data size within one data size interval is not more than 100 MB. The type information is determined mainly by the data type in the traffic.
In step S1022, type information and data size information of the target network traffic event are acquired, and a plurality of corresponding second target misjudgment events are acquired from the second misjudgment database according to the type information and the data size information, wherein the second target misjudgment events are of the same type as the target network traffic event and have a data size in the same data size interval. The difference in data size within one data size interval is not more than 100 MB. The type information is determined mainly by the data type in the traffic.
In some embodiments, the method further includes the following steps:
S105, acquiring the misjudgment rate of each type of network traffic event within a preset time, wherein each type of network traffic event corresponds to one misjudgment rate;
and S106, updating the preset network model corresponding to each type of network traffic event whose misjudgment rate exceeds the misjudgment rate threshold, based on the misjudgment events of that type, with the misjudgment events of that type used as sample data during updating.
Different misjudgment rate thresholds are set for different types of network traffic events, mainly according to how difficult that type of network traffic is to judge. During updating, if model A corresponding to network traffic events of type A needs to be updated, model A is retrained on the misjudged network traffic events among the type A events. The preset network model is thus continuously optimized, the misjudgment rate can be reduced, and the beneficial effect of improving the judgment accuracy is achieved.
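Steps S101 to S104 with sub-steps S1014 to S1016 and S1021/S1022, together with the S105/S106 feedback loop, as an added Python example (this is not code from the patent or its applicant). The 100 MB data size interval and the cosine similarity come from the page; the feature vectors, the stand-in per-type models, the event sizes and the 0.95 similarity threshold are constructed assumptions.

```python
"""Steps S101-S104 of the method plus the S105/S106 feedback loop (added example, not the
patent's code). Feature vectors, per-type models, sizes and thresholds are constructed."""
import math
from dataclasses import dataclass

MB = 1024 * 1024
SIZE_INTERVAL = 100 * MB        # page: sizes in one interval differ by at most 100 MB
SIMILARITY_THRESHOLD = 0.95     # constructed; the page leaves the threshold to experiment


@dataclass(frozen=True)
class TrafficEvent:
    """A traffic surge: data type label, data size and a feature vector.
    The page does not fix the features; here (constructed):
    (requests per second, mean payload in KB, distinct source count)."""
    event_type: str
    size_bytes: int
    features: tuple


def cosine_similarity(a, b):
    """S103: cosine similarity between two equal-length feature vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


class MisjudgmentDatabase:
    """Past misjudged events grouped by type. The first database holds normal events
    judged malicious, the second holds malicious events judged normal."""

    def __init__(self):
        self._by_type = {}

    def add(self, event):
        self._by_type.setdefault(event.event_type, []).append(event)

    def candidates(self, event):
        """S1021/S1022: same type and a data size within the same 100 MB interval."""
        return [e for e in self._by_type.get(event.event_type, [])
                if abs(e.size_bytes - event.size_bytes) <= SIZE_INTERVAL]


class Detector:
    def __init__(self, models, threshold=SIMILARITY_THRESHOLD):
        self.models = models            # S1015: one preset model per traffic data type
        self.threshold = threshold
        self.first_db = MisjudgmentDatabase()
        self.second_db = MisjudgmentDatabase()
        self._judged = {}               # per-type counters for the misjudgment rate (S105)
        self._misjudged = {}

    def judge(self, event):
        """S1016: the model for the event's type returns True for 'includes malicious attack'."""
        return bool(self.models[event.event_type](event.features))

    def detect(self, event):
        """Returns (final_result, was_corrected): S101 judge, S102 pick the database that
        matches the judgment, S103 score its candidates, S104 flip if one is similar enough."""
        malicious = self.judge(event)
        self._judged[event.event_type] = self._judged.get(event.event_type, 0) + 1
        db = self.first_db if malicious else self.second_db
        best = max((cosine_similarity(event.features, c.features)
                    for c in db.candidates(event)), default=0.0)
        if best > self.threshold:
            return (not malicious), True
        return malicious, False

    def record_misjudgment(self, event, judged_malicious):
        """Feedback: a confirmed misjudgment enters the matching database and raises
        the misjudgment rate of its type."""
        (self.first_db if judged_malicious else self.second_db).add(event)
        self._misjudged[event.event_type] = self._misjudged.get(event.event_type, 0) + 1

    def misjudgment_rate(self, event_type):
        judged = self._judged.get(event_type, 0)
        return self._misjudged.get(event_type, 0) / judged if judged else 0.0

    def types_to_retrain(self, rate_thresholds):
        """S106: types whose misjudgment rate exceeds their own threshold; their model is
        retrained on the misjudged events of that type."""
        return [t for t, limit in rate_thresholds.items() if self.misjudgment_rate(t) > limit]


def build_demo_detector():
    """Constructed stand-ins for the preset neural network models: 'string' traffic is
    called malicious above 50 req/s, 'number' traffic above 100 distinct sources."""
    return Detector({"string": lambda f: f[0] > 50, "number": lambda f: f[2] > 100})


if __name__ == "__main__":
    det = build_demo_detector()
    # Constructed: a legitimate bulk transfer once judged malicious sits in the first database.
    det.first_db.add(TrafficEvent("string", 300 * MB, (80.0, 10.0, 5.0)))
    result, corrected = det.detect(TrafficEvent("string", 350 * MB, (82.0, 9.0, 5.0)))
    print("malicious" if result else "normal", "corrected:", corrected)
```

The second `detect` call in the test shows the size-interval filter at work: the same feature vector 200 MB away from the stored event finds no candidate and the model's verdict stands.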
As can be seen from the above, the malicious attack detection method based on network traffic acquires a target network traffic event and judges it with a preset network model to obtain a judgment result, namely that a malicious attack is included or that no malicious attack is included; queries the misjudgment database corresponding to the judgment result to obtain a plurality of target misjudgment events corresponding to the target network traffic event; calculates the similarity between each target misjudgment event and the target network traffic event; and, if a target misjudgment event with a similarity larger than a preset threshold exists among the plurality of target misjudgment events, judges the judgment result to be a misjudgment and modifies it. The judgment accuracy is thereby improved, and network security can be improved.
According to an embodiment of the invention, the method further includes the following steps:
acquiring a data curve graph of the initial traffic event over the preset time period;
extracting, based on the data curve graph, a plurality of steep-increase/steep-decrease values of the slope change rate of the data curve within the first preset time period, and obtaining the sine values of these slope change rate steep-increase/steep-decrease values;
taking the three largest sine values among the plurality of slope change rate steep-increase/steep-decrease values and labeling them as the initial target slope change values of the data curve graph;
comparing the initial target slope change values against a preset slope change threshold;
if an initial target slope change value is larger than the preset threshold, triggering a target network traffic event response;
and if the initial target slope change values are all smaller than the preset threshold, not triggering a target network traffic event response.
It should be noted that slopes are calculated from the data curve graph of the initial traffic event over the preset time period; the points at which the slope change rate changes greatly, that is, the slope change rate steep-increase/steep-decrease values, are extracted and their slope change rate sine values are calculated; the three largest sine values are screened out and labeled as initial target slope change values; and these three initial target slope change values are compared against the preset slope change value. If a comparison result is greater than the preset slope change value, the data curve graph triggers the event response mechanism and the traffic event belongs to those that trigger a target network traffic event response; if no comparison result is greater than the preset slope change value, the response is not triggered. Whether the change in the traffic event triggers a target network traffic event response can thus be judged from the processing of the data curve graph.
According to an embodiment of the invention, the method further includes the following steps:
performing modification according to the misjudgment result of the target network traffic event;
if the target network traffic event was misjudged as including a malicious attack, updating the target network traffic event into the first misjudgment database;
if the target network traffic event was misjudged as not including a malicious attack, updating the target network traffic event into the second misjudgment database;
and correcting the misjudgment rate of network traffic events of that type according to the type of the target network traffic event, and updating the sample data of the corresponding preset network model according to the target network event.
It should be noted that the misjudgment databases, the misjudgment rates, the network models and their samples are updated according to the misjudgment result of the target network traffic event, so that the databases and the models stay synchronized. If the target network traffic event was misjudged as including a malicious attack, it is updated into the first misjudgment database, adding a sample of a network traffic event that does not include a malicious attack but was judged to include one; if it was misjudged as not including a malicious attack, it is updated into the second misjudgment database, adding a sample of a network traffic event that includes a malicious attack but was judged not to include one. The misjudgment rate of the corresponding type of network traffic event is corrected according to the type of the target network traffic event, and the sample data of the corresponding preset network model is updated according to the target network event. The misjudgment rates and the network models are thereby updated in time, and the accuracy of the network traffic event detection and judgment method is ensured.
According to an embodiment of the invention, the method further includes the following steps:
comparing the similarity between the target network traffic event and the target misjudgment events with a preset threshold;
if the similarity threshold comparison finds the target network traffic event to be misjudged, setting the misjudgment modification result of the target network traffic event as an initial modification result;
if the initial modification result of the target network traffic event is that no malicious attack is included, checking the target network event against the second misjudgment database to detect whether the initial modification result was wrongly modified to not including a malicious attack;
if the initial modification result of the target network traffic event is that a malicious attack is included, checking the target network event against the first misjudgment database to detect whether the initial modification result was wrongly modified to including a malicious attack;
if the check finds no wrong modification in the initial modification result, taking the initial modification result as the target modification result;
and if the check finds that the initial modification result was wrongly modified, reselecting a network model for detection according to the initial modification result.
It should be noted that, in order to ensure the accuracy of detecting and judging network traffic events, a target network traffic event found to be misjudged is re-checked in reverse according to its judgment correction result, so that the correctness of the correction is ensured. Specifically, the result to which the target network traffic event is to be modified, once it has been judged a misjudgment, is set as the initial modification result, and the initial modification result is checked against the corresponding database: if the initial modification result is that no malicious attack is included, the target network event is checked against the second misjudgment database to detect whether the initial modification result was wrongly modified to not including a malicious attack; if the initial modification result is that a malicious attack is included, the target network event is checked against the first misjudgment database. If a wrong modification is detected in the initial modification result, a network model is reselected according to the initial modification result and detection is carried out again.
Referring to fig. 2, the present application further provides a malicious attack detection system based on network traffic, including a memory 21 and a processor 22, where the memory 21 stores a malicious attack detection method program based on network traffic, and when the program is executed by the processor 22 it implements the following steps:
acquiring a target network traffic event, and judging the target network traffic event by adopting a preset network model to obtain a judgment result, wherein the judgment result is that malicious attack is included or malicious attack is not included; inquiring a corresponding misjudgment database according to the judgment result to obtain a plurality of target misjudgment events corresponding to the target network traffic events; calculating the similarity between each target misjudgment event and the target network traffic event; and if the target misjudgment events with the similarity larger than a preset threshold exist in the plurality of target misjudgment events, judging that the judgment result is misjudgment and modifying the judgment result.
The target network traffic event refers to a sudden inrush of a large volume of traffic data, which may be a normal traffic surge or a malicious traffic attack. If it is not handled, an excessive traffic surge can cause the server to crash. Therefore, the target network traffic event needs to be judged with a pre-trained preset network model to determine whether it includes a malicious attack.
Depending on the judgment result, different misjudgment databases are used to detect whether the target network traffic event has been misjudged. A misjudgment is either a network traffic event that does not include a malicious attack being judged to include one, or a network traffic event that includes a malicious attack being judged not to include one. If the judgment result is "no malicious attack", the event is compared with the misjudgment events that were wrongly judged not to include a malicious attack; if the judgment result is "malicious attack", it is compared with the misjudgment events that were wrongly judged to include one.
The similarity may be cosine similarity or similarity based on euclidean distance.
The preset threshold may be set according to actual needs, or may be an empirical value obtained through repeated experiments. If the judgment result is found to be a misjudgment and the result was "malicious attack", it is modified to "no malicious attack"; if the result was "no malicious attack", it is modified to "malicious attack".
In some embodiments, the malicious attack detection method based on network traffic, when executed by the processor 22, implements the following steps:
acquiring an initial flow event in a first preset time period; acquiring a flow data curve graph in a preset time period, wherein the preset time period comprises the first preset time period; and if the flow data curve graph and the initial flow event meet preset conditions, the initial flow event is a target network flow event.
For example, the first preset time period is 20 seconds and the preset time period is 5 minutes; if the traffic in the first preset time period is found to have surged suddenly to the current level, the initial traffic event may be taken as the target network traffic event.
When executed by the processor 22, the malicious attack detection method based on network traffic also realizes the following steps: acquiring the type of the traffic data corresponding to the target network traffic event; selecting the corresponding preset network model according to the type of the traffic data; and judging the target network traffic event with that preset network model to obtain a judgment result. The type refers to a data type, such as scrambled code, character string, number, data, control command, and the like. A corresponding preset network model, namely a neural network model, is pre-trained for each type of traffic data.
In some embodiments, when the malicious attack detection method based on network traffic is executed by the processor 22, the following steps are implemented:
if the judgment result is that the target network traffic event comprises a malicious attack, inquiring a first misjudgment database to obtain a plurality of first target misjudgment events corresponding to the target network traffic event; the first target misjudgment event is that the network flow event which does not comprise the malicious attack is judged to comprise the malicious attack; if the judgment result is that the target network traffic event does not include the malicious attack, inquiring a second misjudgment database to obtain a plurality of second target misjudgment events corresponding to the target network traffic event; the second target misjudgment event is to judge the network traffic event including the malicious attack as not including the malicious attack.
Acquiring type information and data volume size information of the target network traffic event; and acquiring a plurality of corresponding first target misjudgment events from the first misjudgment database according to the type information and the data size information, wherein the first target misjudgment events are of the same type as the target network traffic event and their data sizes fall in the same data size interval. Data sizes in the same interval differ by no more than 100 MB. The type information is determined mainly by the data type in the traffic.
Acquiring type information and data volume size information of the target network traffic event; and acquiring a plurality of corresponding second target misjudgment events from the second misjudgment database according to the type information and the data size information, wherein the second target misjudgment events are of the same type as the target network traffic event and their data sizes fall in the same data size interval. Data sizes in the same interval differ by no more than 100 MB. The type information is determined mainly by the data type in the traffic.
In some embodiments, when the malicious attack detection method based on network traffic is executed by the processor 22, the following steps are realized:
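The misjudgment-database correction described above (candidate selection by type and data-size interval, cosine similarity against the preset threshold, flipping the verdict) together with the reverse re-check of the flipped verdict described under the initial modification result, as an added example that is not the patent's own code. It assumes a simple event representation (type label, size in MB, feature vector) and constructed database entries; the threshold value is constructed.

```python
"""Added example (not the patent's own code): correcting a model verdict
with the two misjudgment databases and re-checking the correction.

Assumptions (the patent does not fix a data model): an event is a dict with
a data-type label, a data size in MB and a feature vector; each misjudgment
database is a list of such dicts; the feature values below are constructed.
"""
import math

MALICIOUS = "malicious"   # judgment result: malicious attack included
BENIGN = "benign"         # judgment result: malicious attack not included

SIZE_INTERVAL_MB = 100.0  # same data-size interval: difference of at most 100 MB (from the page)
SIM_THRESHOLD = 0.95      # preset similarity threshold; constructed value

# Constructed sample databases. The first database holds benign events the
# model wrongly judged malicious; the second holds malicious events the
# model wrongly judged benign.
FIRST_DB = [
    {"type": "string", "size_mb": 520.0, "features": [0.9, 0.1, 0.3]},
]
SECOND_DB = [
    {"type": "string", "size_mb": 700.0, "features": [0.1, 0.9, 0.2]},
]
# Constructed target event: close to the first-database entry.
EVENT = {"type": "string", "size_mb": 560.0, "features": [0.88, 0.12, 0.31]}


def cosine_similarity(a, b):
    """Cosine similarity of two equal-length feature vectors (0.0 for a zero vector)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    if norm_a == 0.0 or norm_b == 0.0:
        return 0.0
    return dot / (norm_a * norm_b)


def target_misjudgment_events(db, event, interval_mb=SIZE_INTERVAL_MB):
    """Entries of the same type whose data size lies in the same interval as the event."""
    return [m for m in db
            if m["type"] == event["type"]
            and abs(m["size_mb"] - event["size_mb"]) <= interval_mb]


def is_misjudged(db, event, threshold=SIM_THRESHOLD):
    """True when any target misjudgment event is more similar than the threshold."""
    return any(cosine_similarity(m["features"], event["features"]) > threshold
               for m in target_misjudgment_events(db, event))


def flip(verdict):
    return BENIGN if verdict == MALICIOUS else MALICIOUS


def correct_verdict(verdict, event, first_db=FIRST_DB, second_db=SECOND_DB,
                    threshold=SIM_THRESHOLD):
    """Return (target verdict, action) for a model verdict on an event.

    action is "keep" (no misjudgment found), "modified" (verdict flipped and
    the reverse check passed) or "reselect_model" (the flipped verdict also
    matches its own misjudgment database, so the page's fallback applies).
    """
    # Each verdict is checked against the database of events that were
    # wrongly given that same verdict.
    db_for = {MALICIOUS: first_db, BENIGN: second_db}
    if not is_misjudged(db_for[verdict], event, threshold):
        return verdict, "keep"
    initial = flip(verdict)                  # initial modification result
    # Reverse re-check: is the corrected verdict itself a known misjudgment?
    if is_misjudged(db_for[initial], event, threshold):
        return initial, "reselect_model"
    return initial, "modified"


if __name__ == "__main__":
    for verdict in (MALICIOUS, BENIGN):
        print(verdict, "->", correct_verdict(verdict, EVENT))
```

For the constructed event, a "malicious" verdict is flipped to "benign" (the first database holds a near-duplicate, the second holds none within 100 MB), while a "benign" verdict is kept.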
acquiring the misjudgment rate of each type of network traffic event within preset time, wherein each type of network traffic event corresponds to one misjudgment rate; and updating the preset network model corresponding to each type of network traffic event exceeding the misjudgment rate threshold value based on the corresponding type of misjudgment event, wherein the corresponding type of misjudgment event is used as sample data during updating.
Different misjudgment rate thresholds are set for different types of network traffic events, mainly according to how difficult that type of traffic is to judge. During updating, if the model A corresponding to network traffic events of type A needs to be updated, model A is retrained with the misjudged network traffic events of type A. In this way the preset network models are continuously optimized, the misjudgment rate is reduced, and judgment accuracy improves.
As can be seen from the above, the malicious attack detection system based on network traffic obtains a target network traffic event, and determines the target network traffic event by using a preset network model to obtain a determination result, where the determination result includes a malicious attack or does not include a malicious attack; inquiring a corresponding misjudgment database according to the judgment result to obtain a plurality of target misjudgment events corresponding to the target network traffic events; calculating the similarity between each target misjudgment event and the target network traffic event; if a target misjudgment event with the similarity larger than a preset threshold exists in the plurality of target misjudgment events, judging that the judgment result is misjudgment and modifying the judgment result; therefore, the judgment accuracy is improved, and the network security can be improved.
According to the embodiment of the invention, the method further comprises the following steps:
acquiring a data curve graph of the initial flow event in the preset time period;
extracting, from the data curve graph, a plurality of steep-increase/steep-decrease values of the slope change rate of the data curve within the first preset time period, and obtaining the sine value of each such value;
taking the three largest sine values among the steep-increase/steep-decrease values of the slope change rate and marking them as the initial target slope change values of the data plot;
comparing the initial target slope change values with a preset slope change value threshold;
if an initial target slope change value is larger than the preset threshold, triggering the target network traffic event response;
and if the initial target slope change values are all smaller than the preset threshold, not triggering the target network traffic event response.
It should be noted that the slope is calculated from the data curve graph of the initial traffic event in the preset time period, and the points where the slope change rate changes sharply, that is, the steep-increase/steep-decrease values of the slope change rate, are extracted. The sine value of the slope change rate at each extracted point is calculated, the three largest sine values are selected and marked as the initial target slope change values, and these three values are compared with the preset slope change value threshold. If a comparison result is greater than the preset slope change value, the data curve graph triggers the event response mechanism and the traffic event is one that triggers the target network traffic event response; if no comparison result is greater than the preset slope change value, no response is triggered. In this way, processing of the data curve graph decides whether the change in the traffic event belongs to a target network traffic event response.
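The slope-change trigger described in this block and the 20-second/5-minute windows mentioned for acquiring the target network traffic event, as an added example that is not the patent's own code. It assumes per-second samples in MB/s, takes the "sine value" of a slope change rate r as sin(atan(r)), and marks a change rate as steep when it exceeds a fixed multiple of the median change-rate magnitude over the whole window; the curve, the threshold and the multiplier are constructed.

```python
"""Added example (not the patent's own code): deciding whether an initial
traffic event triggers a target network traffic event from the slope of
its traffic curve.

Assumptions: the curve is a list of per-second traffic samples (MB/s,
constructed here) covering the 5-minute preset period, and the first
preset period is its last 20 seconds; the "sine value" of a slope change
rate r is taken as sin(atan(r)) = |r| / sqrt(1 + r^2), and a change rate
counts as steep when it exceeds STEEP_FACTOR times the median magnitude
over the whole window.  Both choices are assumptions; the page does not
define them.
"""
import math

PRESET_PERIOD_S = 300           # preset time period: 5 minutes (from the page)
FIRST_PERIOD_S = 20             # first preset time period: 20 seconds (from the page)
SLOPE_SINE_THRESHOLD = 0.95     # preset slope change value threshold; constructed
STEEP_FACTOR = 4.0              # assumed multiplier that marks a change rate as steep


def slopes(samples, dt=1.0):
    """First differences: slope of the traffic curve at each second."""
    return [(samples[i + 1] - samples[i]) / dt for i in range(len(samples) - 1)]


def slope_change_rates(samples, dt=1.0):
    """Second differences: how fast the slope itself changes."""
    s = slopes(samples, dt)
    return [(s[i + 1] - s[i]) / dt for i in range(len(s) - 1)]


def steep_change_values(samples, first_period_s=FIRST_PERIOD_S, dt=1.0,
                        factor=STEEP_FACTOR):
    """Steep-increase/steep-decrease values of the slope change rate within
    the first preset period, judged against the whole preset period."""
    rates = slope_change_rates(samples, dt)
    if not rates:
        return []
    magnitudes = sorted(abs(r) for r in rates)
    cutoff = factor * magnitudes[len(magnitudes) // 2]   # median-based cutoff
    recent = rates[-int(first_period_s / dt):]            # last 20 s of the window
    return [r for r in recent if abs(r) > cutoff]


def sine_of_change_rate(r):
    """sin(atan(r)): 0 for a flat curve, close to 1 for a near-vertical jump."""
    return abs(r) / math.sqrt(1.0 + r * r)


def initial_target_slope_values(samples, **kwargs):
    """The three largest sine values, i.e. the initial target slope change values."""
    sines = sorted((sine_of_change_rate(r) for r in steep_change_values(samples, **kwargs)),
                   reverse=True)
    return sines[:3]


def triggers_target_event(samples, threshold=SLOPE_SINE_THRESHOLD, **kwargs):
    """True when at least one initial target slope change value exceeds the threshold."""
    return any(v > threshold for v in initial_target_slope_values(samples, **kwargs))


def constructed_curve(surge=False):
    """Constructed 5-minute curve: about 5 MB/s with a small periodic wobble;
    with surge=True the last 8 seconds jump to 80 MB/s."""
    curve = [5.0 + 0.3 * ((i % 3) - 1) for i in range(PRESET_PERIOD_S)]
    if surge:
        for i in range(PRESET_PERIOD_S - 8, PRESET_PERIOD_S):
            curve[i] = 80.0
    return curve


if __name__ == "__main__":
    print("flat  :", triggers_target_event(constructed_curve()))
    print("surge :", triggers_target_event(constructed_curve(surge=True)))
```

The wobble in the flat curve never passes the steep cutoff, so it yields no initial target slope values; the surge produces two near-vertical change points whose sine values exceed the threshold and trigger the response.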
According to the embodiment of the invention, the method further comprises the following steps:
modifying the judgment according to the misjudgment result of the target network traffic event;
if the target network traffic event was misjudged to include a malicious attack, updating the target network traffic event into the first misjudgment database;
if the target network traffic event was misjudged not to include a malicious attack, updating the target network traffic event into the second misjudgment database;
and correcting the misjudgment rate of the network traffic event of the type according to the type of the target network traffic event, and updating sample data in a corresponding preset network model according to the target network event.
It should be noted that the misjudgment databases, the misjudgment rate, the network model and its samples are all updated according to the misjudgment result of the target network traffic event, so that the databases and the model stay synchronized. If the target network traffic event was misjudged to include a malicious attack, it is added to the first misjudgment database as a sample of a traffic event without a malicious attack that was wrongly judged to include one; if it was misjudged not to include a malicious attack, it is added to the second misjudgment database as a sample of a traffic event with a malicious attack that was wrongly judged not to include one. The misjudgment rate of the corresponding type of network traffic event is then corrected according to the type of the target network traffic event, and the sample data of the corresponding preset network model is updated with the target network event. Updating the misjudgment rate and the network model in time keeps the detection and judgment of network traffic events accurate.
According to the embodiment of the invention, the method further comprises the following steps:
comparing the similarity of the target network flow event and the target misjudgment event with a preset threshold value;
if the comparison result of the similarity threshold of the target network traffic event is misjudgment, setting the misjudgment modification result of the target network traffic event as an initial modification result;
if the initial modification result of the target network traffic event does not include a malicious attack, checking the target network event against the second misjudgment database to determine whether the initial modification result was itself wrongly modified to "no malicious attack";
if the initial modification result of the target network traffic event includes a malicious attack, checking the target network event against the first misjudgment database to determine whether the initial modification result was itself wrongly modified to "malicious attack";
if no erroneous modification is detected, taking the initial modification result as the target modification result;
and if an erroneous modification is detected, reselecting the network model according to the initial modification result and detecting again.
It should be noted that, to ensure the accuracy of detecting and judging network traffic events, a target network traffic event found to be misjudged is re-detected in reverse against its corrected result before that correction is accepted, so that the correction itself is verified. Specifically, the modified result obtained when the target network traffic event is judged to be misjudged is set as the initial modification result, and that result is checked in the corresponding database: if the initial modification result does not include a malicious attack, the target network event is checked against the second misjudgment database to see whether the correction to "no malicious attack" is itself erroneous; if the initial modification result includes a malicious attack, the target network event is checked against the first misjudgment database in the same way. If an erroneous modification is detected, the network model is reselected according to the initial modification result and detection is repeated.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described device embodiments are merely illustrative, for example, the division of the unit is only a logical functional division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units; can be located in one place or distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium includes: a mobile storage device, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Alternatively, the integrated unit of the present invention may be stored in a computer-readable storage medium if it is implemented in the form of a software functional module and sold or used as a separate product. Based on such understanding, the technical solutions of the embodiments of the present invention may be essentially implemented or a part contributing to the prior art may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present invention. And the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims (10)

1. A malicious attack detection method based on network traffic is characterized by comprising the following steps:
acquiring a target network traffic event, and judging the target network traffic event by adopting a preset network model to obtain a judgment result, wherein the judgment result is that malicious attack is included or malicious attack is not included;
inquiring a corresponding misjudgment database according to the judgment result to obtain a plurality of target misjudgment events corresponding to the target network traffic events;
calculating the similarity between each target misjudgment event and the target network traffic event;
and if the target misjudgment events with the similarity larger than a preset threshold exist in the plurality of target misjudgment events, judging that the judgment result is misjudgment and modifying the judgment result.
2. The method according to claim 1, wherein the querying a corresponding misjudgment database according to the determination result to obtain a plurality of target misjudgment events corresponding to the target network traffic event comprises:
if the judgment result is that the target network traffic event comprises a malicious attack, inquiring a first misjudgment database to obtain a plurality of first target misjudgment events corresponding to the target network traffic event; the first target misjudgment event is that the network flow event which does not comprise the malicious attack is judged to comprise the malicious attack;
if the judgment result is that the target network traffic event does not include the malicious attack, inquiring a second misjudgment database to obtain a plurality of second target misjudgment events corresponding to the target network traffic event; the second target misjudgment event is to judge the network traffic event including the malicious attack as not including the malicious attack.
3. The method according to claim 2, wherein the querying a first false positive database to obtain a plurality of first target false positive events corresponding to the target network traffic event comprises:
acquiring type information and data volume size information of the target network traffic event;
and acquiring a plurality of corresponding first target misjudgment events from the first misjudgment database according to the type information and the data size information, wherein the first target misjudgment events have the same type as the target network traffic events and have the same data size in the same data size interval.
4. The method according to claim 1, wherein the calculating the similarity between each target false positive event and the target network traffic event comprises: and calculating the cosine similarity of each target misjudgment event and the target network flow event.
5. The method for detecting malicious attacks based on network traffic according to claim 1, wherein the step of judging the target network traffic event by using a preset network model to obtain a judgment result comprises the steps of:
acquiring the type of the traffic data corresponding to the target network traffic event;
selecting a corresponding preset network model according to the type of the flow data;
and judging the target network traffic event according to the preset network model to obtain a judgment result.
6. The method of claim 1, further comprising:
acquiring the misjudgment rate of each type of network traffic event within preset time, wherein each type of network traffic event corresponds to one misjudgment rate;
and updating the preset network model corresponding to each type of network traffic event exceeding the misjudgment rate threshold value based on the corresponding type of misjudgment event, wherein the corresponding type of misjudgment event is used as sample data during updating.
7. The method according to claim 1, wherein the obtaining a target network traffic event comprises:
acquiring an initial flow event in a first preset time period;
acquiring a flow data curve graph in a preset time period, wherein the preset time period comprises the first preset time period;
and if the flow data curve graph and the initial flow event meet preset conditions, the initial flow event is a target network flow event.
8. A malicious attack detection system based on network traffic, the system comprising a memory and a processor, the memory storing a malicious attack detection method program based on network traffic which, when executed by the processor, implements the following steps:
acquiring a target network traffic event, and judging the target network traffic event by adopting a preset network model to obtain a judgment result, wherein the judgment result is that malicious attack is included or malicious attack is not included;
inquiring a corresponding misjudgment database according to the judgment result to obtain a plurality of target misjudgment events corresponding to the target network traffic events;
calculating the similarity between each target misjudgment event and the target network traffic event;
and if the target misjudgment events with the similarity larger than a preset threshold exist in the plurality of target misjudgment events, judging that the judgment result is misjudgment and modifying the judgment result.
9. The system according to claim 8, wherein the network traffic-based malicious attack detection method further comprises the following steps when executed by the processor:
if the judgment result is that the target network traffic event comprises a malicious attack, inquiring a first misjudgment database to obtain a plurality of first target misjudgment events corresponding to the target network traffic event; the first target misjudgment event is that the network flow event which does not comprise the malicious attack is judged to comprise the malicious attack;
if the judgment result is that the target network traffic event does not include the malicious attack, inquiring a second misjudgment database to obtain a plurality of second target misjudgment events corresponding to the target network traffic event; the second target misjudgment event is to judge the network traffic event including the malicious attack as not including the malicious attack.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium includes a network traffic-based malicious attack detection method program, and when the network traffic-based malicious attack detection method program is executed by a processor, the steps of a network traffic-based malicious attack detection method according to any one of claims 1 to 7 are implemented.
CN202110957842.6A 2021-08-20 2021-08-20 Malicious attack detection method and system based on network traffic and readable storage medium Active CN113422785B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110957842.6A CN113422785B (en) 2021-08-20 2021-08-20 Malicious attack detection method and system based on network traffic and readable storage medium

Publications (2)

Publication Number Publication Date
CN113422785A true CN113422785A (en) 2021-09-21
CN113422785B CN113422785B (en) 2021-11-09

Family

ID=77719816

Country Status (1)

Country Link
CN (1) CN113422785B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant