CN113824745A - Network safety emergency disposal system based on recurrent neural network model - Google Patents

Publication number
CN113824745A
Authority
CN
China
Prior art keywords
module
data
risk
neural network
network model
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111405123.XA
Other languages
Chinese (zh)
Inventor
付泽远
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan University WHU
Original Assignee
Wuhan University WHU
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuhan University WHU
Priority to CN202111405123.XA
Publication of CN113824745A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Artificial Intelligence (AREA)
  • Molecular Biology (AREA)
  • Mathematical Physics (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Evolutionary Computation (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Computational Linguistics (AREA)
  • Biophysics (AREA)
  • Virology (AREA)
  • Biomedical Technology (AREA)

Abstract

The invention discloses a network security emergency disposal system based on a recurrent neural network model, which comprises the following modules: a management center module, used for system management and for connecting and calling all modules; a knowledge database module, used for storing risk data and expert knowledge data and updating them regularly; a data acquisition module, used for monitoring and acquiring network data in real time; a risk detection tool module, used for carrying out security detection on the network data and detecting and classifying abnormal data; a risk analysis and processing module, used for analyzing, matching and processing the abnormal data; a data protection module, used for protecting local data after abnormal data is detected; and a remote connection auxiliary module, used for remote assistance in processing the security event. Beneficial effects: the recurrent neural network model is constructed from the risk database, so that risks can be rectified in time and the process of vulnerability detection and rectification in emergency handling is greatly reduced.

Description

Network safety emergency disposal system based on recurrent neural network model
Technical Field
The invention relates to the technical field of network security, in particular to a network security emergency disposal system based on a recurrent neural network model.
Background
The internet has now reached considerable scale and is changing the way people study, work and live ever more deeply, even influencing society as a whole; its applications are diversifying, and the number of internet users continues to grow rapidly. At the present stage, the network security situation in China is severe and complex, and network security events are becoming more complex. With the rapid development of the mobile internet, cloud computing is being deployed more widely and NFV (network function virtualization) technology has matured and become commercial; under such a huge IT architecture the security risk expands further, the probability of occurrence and the scope requiring protection for security events such as intrusion attacks, webpage tampering and DDoS increase, and new potential security hazards arise. This places new demands on security protection technology, security risk management and emergency disposal means.
In responding to security events, one-key emergency disposal platforms are gradually being established in various places, so that emergency disposal of security events is realized and the overall security emergency response capability is improved. The prior art still has certain defects: discussion of network security events focuses mainly on the analysis stage, and the emergency disposal stage is given little description. In actual operation, emergency disposal of network security events is usually carried out manually and is strongly affected by personal factors: for example, the efficiency of manual disposal is unstable, sometimes high and sometimes low; the manual disposal process is not uniform, takes a long time, produces inaccurate results, and makes management of the disposal results inconvenient.
No effective solution to these problems in the related art has yet been proposed.
Disclosure of Invention
Aiming at the problems in the related art, the invention provides a network security emergency disposal system based on a recurrent neural network model, so as to overcome the technical problems in the prior related art.
Therefore, the invention adopts the following specific technical scheme:
a network security emergency disposal system based on a recurrent neural network model, the system comprising the following modules:
the management center module is used for carrying out system management and completing the connection and calling of all modules;
the knowledge database module is used for storing risk data and expert knowledge data and updating the risk data and the expert knowledge data regularly;
the data acquisition module is used for monitoring and acquiring network data in real time;
the risk detection tool module is used for carrying out security detection on the network data and detecting and classifying abnormal data;
the risk analysis and processing module is used for analyzing, matching and processing the abnormal data;
the data protection module is used for protecting the local data after the abnormal data is detected;
and the remote connection auxiliary module is used for realizing remote assistance in processing the security event.
Further, the risk data stored by the knowledge database module comprises webpage tampering, domain name hijacking, intrusion attack, viruses, trojans and malicious codes, and the expert knowledge is a solution corresponding to the risk data.
Further, the network data collected by the data collection module includes website source codes, operating system logs, website webpage access logs and middleware log information.
Further, the risk detection tool module comprises a system vulnerability verification tool, a website vulnerability verification tool, a database vulnerability verification tool, a virus detection tool, a Trojan horse detection tool and a malicious code detection tool.
Furthermore, the risk analysis and processing module comprises a recurrent neural network model construction module, a recurrent neural network model prediction analysis module, a risk information extraction module, a risk processing module and a data transmission module;
wherein the recurrent neural network model construction module is used for building a recurrent neural network model, the recurrent neural network model prediction analysis module is used for analyzing and predicting abnormal data, the risk information extraction module is used for processing the abnormal data and obtaining clue trees and attacker information, the risk processing module is used for matching risks and repairing them in time, and the data transmission module is used for transmitting expert knowledge data, the clue trees and the attacker information to the remote connection auxiliary module.
Further, the risk analysis and processing module is used for analyzing, matching and processing the abnormal data and comprises the following steps:
the recurrent neural network model construction module builds a separate recurrent neural network model for each type of risk data stored in the knowledge database module and trains it;
the recurrent neural network model prediction analysis module receives the abnormal data detected by the risk detection tool module, extracts query parameters, and inputs the query parameters into the corresponding recurrent neural network model according to their type for analysis and prediction;
the risk processing module matches the prediction result: if the knowledge database module holds corresponding expert knowledge, the system performs automatic repair and manual correction; if it does not, the prediction result is uploaded to the data transmission module;
the risk information extraction module extracts the clue tree and attacker information from the abnormal data;
and the data transmission module sends the prediction result, the clue tree and the attacker information to the remote connection auxiliary module.
Further, the structure of the recurrent neural network model is as follows:
Figure 100002_DEST_PATH_IMAGE001
where U, W, V, b and c are the model parameters to be updated through learning, and x is the input sequence, denoted
Figure 100002_DEST_PATH_IMAGE002
Figure 100002_DEST_PATH_IMAGE003
represents the input at time t; s is the hidden unit, denoted
Figure 100002_DEST_PATH_IMAGE004
Figure 100002_DEST_PATH_IMAGE005
is the hidden layer state at time t, which serves as input to the next layer; that is, each layer of the model has two inputs, one being
Figure 100002_DEST_PATH_IMAGE006
and the other being the state of the previous layer
Figure 100002_DEST_PATH_IMAGE007
Figure 100002_DEST_PATH_IMAGE008
represents the output at time t, and f is the non-linear activation function tanh, expressed as
Figure 100002_DEST_PATH_IMAGE009
where e is the natural constant serving as the base in the activation function, z is the exponent of e, and its value range is all real numbers.
Further, the improved recurrent neural network model comprises a three-layer structure, namely an input layer, a hidden layer and an output layer. For each input vector
Figure 100002_DEST_PATH_IMAGE010
a calculation is carried out, and the result generated at each calculation is also used as the input of the next calculation, namely:
Figure 100002_DEST_PATH_IMAGE011
where V, like W, is a trainable weight matrix.
The construction and training of the recurrent neural network model specifically comprises the following steps:
Step one, forgetting: according to $h_{t-1}$ and $x_t$, calculate the forget gate $f_t$ at time t:
Figure 100002_DEST_PATH_IMAGE012
where $W_f$ and $b_f$ are trainable parameters and $\sigma(\cdot)$ is the Sigmoid activation function, so that the value range of $f_t$ is (0,1), thereby controlling the change of the cell state $C_{t-1}$: if $f_t \to 1$, $C_{t-1}$ is almost entirely retained; conversely, if $f_t \to 0$, $C_{t-1}$ is almost entirely forgotten;
Step two, inputting: according to $h_{t-1}$ and $x_t$, calculate the input content at time t
Figure 100002_DEST_PATH_IMAGE013
Figure 100002_DEST_PATH_IMAGE014
At the same time, calculate the input gate $i_t$ as follows:
Figure 100002_DEST_PATH_IMAGE015
where $\sigma(\cdot)$ is the Sigmoid activation function, so that the value range of $i_t$ is (0,1), thereby controlling the change of the input
Figure 100002_DEST_PATH_IMAGE016
According to the forget gate, the input gate and the input content, the cell state is updated:
Figure 100002_DEST_PATH_IMAGE017
where
Figure 100002_DEST_PATH_IMAGE018
denotes element-wise multiplication, i.e. $f_t$ is used to forget content of $C_t$ and discard unnecessary information; then
Figure 100002_DEST_PATH_IMAGE019
provides new useful information, $i_t$ controls the input of that information, and the input information is added to the forgotten cell state to form the cell state $C_t$ at time t.
Step three, outputting: the information hidden in the cell state is output in the form of a hidden unit, where the output gate is:
Figure DEST_PATH_IMAGE020
The output $h_t$ at time t is therefore:
Figure DEST_PATH_IMAGE021
where the output $h_t$ serves both as the hidden state output at time t and as an input at time t + 1.
Furthermore, the data protection module comprises a filtering driving module, a reading module and an uploading module;
the filtering driving module is used for acquiring a data backup request and obtaining incremental metadata; the reading module is used for reading corresponding incremental data from the disk according to the incremental metadata; the uploading module is used for uploading the read incremental data to a backup server and triggering the backup server to backup the incremental data.
Further, the remote connection auxiliary module comprises an authorization authentication module, a remote connection module and an auxiliary tool module;
the authorization authentication module is used for performing authorization authentication between the server side and the management center module in remote connection; the remote connection module is used for remotely connecting the management center module and the server side; the auxiliary tool module is used for providing a professional emergency tool for network security, which is indicated by a network security expert, and assisting in handling network security emergency events.
Furthermore, the emergency tool comprises an emergency disposal host, which is used for completing the checking, disposal and management work of the network security emergency event with the assistance of an expert end based on the virus feature library; the video device is used for acquiring video signals and transmitting video signals of an emergency disposal site; and the audio device is used for collecting the audio signals of the emergency disposal site and transmitting the audio signals.
The invention has the following beneficial effects: by constructing the recurrent neural network model from the risk database, the model can analyze and predict the abnormal data obtained by real-time monitoring, so that risks can be rectified in time, the process of vulnerability detection and rectification in emergency handling is greatly reduced, and efficiency is improved; together with the real-time data acquisition module, the system is kept in a risk detection state at all times, which effectively ensures system security; meanwhile, the data protection module invoked after a vulnerability occurs protects continuous data that has no local cache in time and synchronizes it to the cloud server, preventing data loss and damage; finally, the remote connection auxiliary module effectively improves the efficiency of risk rectification and of assistance, achieves comprehensive rectification and repair of risk vulnerabilities, improves the efficiency of solving system problems, and guarantees network security to the greatest extent.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings without creative efforts.
Fig. 1 is a system block diagram of a network security emergency disposal system based on a recurrent neural network model according to an embodiment of the present invention.
In the figure:
1. management center module; 2. knowledge database module; 3. data acquisition module; 4. risk detection tool module; 5. risk analysis and processing module; 6. data protection module; 7. remote connection auxiliary module.
Detailed Description
According to an embodiment of the invention, a network security emergency disposal system based on a recurrent neural network model is provided.
The present invention is further described below with reference to the accompanying drawings and specific embodiments. As shown in Fig. 1, a network security emergency disposal system based on a recurrent neural network model according to an embodiment of the present invention includes the following modules:
the management center module 1 is used for carrying out system management and completing the connection and calling of all modules;
the knowledge database module 2 is used for storing risk data and expert knowledge data and updating the risk data and the expert knowledge data regularly;
the risk data stored by the knowledge database module 2 comprise webpage tampering, domain name hijacking, intrusion attack, viruses, trojans and malicious codes, and the expert knowledge is a solution corresponding to the risk data.
The data acquisition module 3 is used for monitoring and acquiring network data in real time;
the network data collected by the data collection module 3 comprises website source codes, operating system logs, website webpage access logs and middleware log information.
The risk detection tool module 4 is used for carrying out security detection on the network data and detecting and classifying abnormal data;
the risk detection tool module 4 comprises a system vulnerability verification tool, a website vulnerability verification tool, a database vulnerability verification tool, a virus detection tool, a Trojan horse detection tool and a malicious code detection tool.
The risk analysis and processing module 5 is used for analyzing, matching and processing the abnormal data;
the risk analysis and processing module 5 comprises a recurrent neural network model construction module, a recurrent neural network model prediction analysis module, a risk information extraction module, a risk processing module and a data transmission module;
wherein the recurrent neural network model construction module is used for building a recurrent neural network model, the recurrent neural network model prediction analysis module is used for analyzing and predicting abnormal data, the risk information extraction module is used for processing the abnormal data and obtaining clue trees and attacker information, the risk processing module is used for matching risks and repairing them in time, and the data transmission module is used for transmitting expert knowledge data, the clue trees and the attacker information to the remote connection auxiliary module 7.
The risk analysis and processing module 5 is used for analyzing, matching and processing abnormal data, and comprises the following steps:
the recurrent neural network model construction module builds a separate recurrent neural network model for each type of risk data stored in the knowledge database module 2 and trains it;
the recurrent neural network model prediction analysis module receives the abnormal data detected by the risk detection tool module 4, extracts query parameters, and inputs the query parameters into the corresponding recurrent neural network model according to their type for analysis and prediction;
the risk processing module matches the prediction result: if the knowledge database module 2 holds corresponding expert knowledge, the system performs automatic repair and manual correction; if it does not, the prediction result is uploaded to the data transmission module;
the risk information extraction module extracts the clue tree and attacker information from the abnormal data;
the data transmission module sends the prediction result, the clue tree and the attacker information to the remote connection auxiliary module 7.
The structure of the recurrent neural network model is as follows:
Figure DEST_PATH_IMAGE022
where U, W, V, b and c are the model parameters to be updated through learning, and x is the input sequence, denoted
Figure DEST_PATH_IMAGE023
Figure DEST_PATH_IMAGE024
represents the input at time t; s is the hidden unit, denoted
Figure DEST_PATH_IMAGE025
Figure DEST_PATH_IMAGE026
is the hidden layer state at time t, which serves as input to the next layer; that is, each layer of the model has two inputs, one being
Figure DEST_PATH_IMAGE027
and the other being the state of the previous layer
Figure DEST_PATH_IMAGE028
Figure DEST_PATH_IMAGE029
represents the output at time t, and f is the non-linear activation function tanh, expressed as
Figure DEST_PATH_IMAGE030
where e is the natural constant serving as the base in the activation function, z is the exponent of e, and its value range is all real numbers.
In most cases the original recurrent neural network model can only remember information over a short time and cannot achieve an ideal training effect. Further, the improved recurrent neural network model includes a three-layer structure, i.e., an input layer, a hidden layer, and an output layer. For each input vector
Figure 654843DEST_PATH_IMAGE010
a calculation is carried out, and the result generated at each calculation is also used as the input of the next calculation, namely:
Figure DEST_PATH_IMAGE031
where V, like W, is a trainable weight matrix.
The construction and training of the recurrent neural network model specifically comprises the following steps:
Step one, forgetting: according to $h_{t-1}$ and $x_t$, calculate the forget gate $f_t$ at time t:
Figure 9468DEST_PATH_IMAGE012
where $W_f$ and $b_f$ are trainable parameters and $\sigma(\cdot)$ is the Sigmoid activation function, so that the value range of $f_t$ is (0,1), thereby controlling the change of the cell state $C_{t-1}$: if $f_t \to 1$, $C_{t-1}$ is almost entirely retained; conversely, if $f_t \to 0$, $C_{t-1}$ is almost entirely forgotten;
Step two, inputting: according to $h_{t-1}$ and $x_t$, calculate the input content at time t
Figure DEST_PATH_IMAGE032
Figure DEST_PATH_IMAGE033
At the same time, calculate the input gate $i_t$ as follows:
Figure DEST_PATH_IMAGE034
where $\sigma(\cdot)$ is the Sigmoid activation function, so that the value range of $i_t$ is (0,1), thereby controlling the change of the input
Figure DEST_PATH_IMAGE035
According to the forget gate, the input gate and the input content, the cell state is updated:
Figure DEST_PATH_IMAGE036
where
Figure DEST_PATH_IMAGE037
denotes element-wise multiplication, i.e. $f_t$ is used to forget content of $C_t$ and discard unnecessary information; then
Figure DEST_PATH_IMAGE038
provides new useful information, $i_t$ controls the input of that information, and the input information is added to the forgotten cell state to form the cell state $C_t$ at time t.
Step three, outputting: the information hidden in the cell state is output in the form of a hidden unit, where the output gate is:
Figure DEST_PATH_IMAGE039
The output $h_t$ at time t is therefore:
Figure DEST_PATH_IMAGE040
where the output $h_t$ serves both as the hidden state output at time t and as an input at time t + 1.
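The gate sequence in steps one to three (here and in the identical passage of the Disclosure), applied to query parameters extracted from a log entry, as an added example that is not code from the patent. The formula images did not survive extraction, so the code assumes the standard LSTM gate equations that match the prose; the log line, character encoding, random untrained weights and all function names are constructed for illustration.

```python
import math
import random
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log line (not from the patent).
SAMPLE_LOG_LINE = ('203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] '
                   '"GET /item?id=1024&name=quarterly%20report HTTP/1.1" 200 512')

def extract_query_params(log_line):
    """Return decoded (name, value) pairs from the request line of one log entry."""
    m = re.search(r'"[A-Z]+ (\S+) HTTP/[\d.]+"', log_line)
    if not m:
        return []
    return parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True)

def encode_char(ch):
    """Assumed toy encoding: one-hot over letter / digit / whitespace / other."""
    if ch.isalpha():
        return [1.0, 0.0, 0.0, 0.0]
    if ch.isdigit():
        return [0.0, 1.0, 0.0, 0.0]
    if ch.isspace():
        return [0.0, 0.0, 1.0, 0.0]
    return [0.0, 0.0, 0.0, 1.0]

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def affine(W, b, v):
    return [sum(w * x for w, x in zip(row, v)) + bi for row, bi in zip(W, b)]

class LSTMCell:
    """One gated recurrent cell; weights are random (untrained) placeholders."""

    def __init__(self, n_in, n_hidden, forget_bias=0.0, seed=0):
        rng = random.Random(seed)
        def mat():
            return [[rng.uniform(-0.1, 0.1) for _ in range(n_hidden + n_in)]
                    for _ in range(n_hidden)]
        self.n_hidden = n_hidden
        self.W_f, self.b_f = mat(), [forget_bias] * n_hidden
        self.W_i, self.b_i = mat(), [0.0] * n_hidden
        self.W_c, self.b_c = mat(), [0.0] * n_hidden
        self.W_o, self.b_o = mat(), [0.0] * n_hidden

    def step(self, x_t, h_prev, c_prev):
        v = h_prev + x_t                                   # [h_{t-1}, x_t]
        # Step one: forget gate f_t in (0,1) scales the old cell state C_{t-1}.
        f_t = [sigmoid(z) for z in affine(self.W_f, self.b_f, v)]
        # Step two: candidate input content and input gate i_t in (0,1).
        c_tilde = [math.tanh(z) for z in affine(self.W_c, self.b_c, v)]
        i_t = [sigmoid(z) for z in affine(self.W_i, self.b_i, v)]
        c_t = [f * c + i * g for f, c, i, g in zip(f_t, c_prev, i_t, c_tilde)]
        # Step three: output gate exposes the cell state as hidden state h_t.
        o_t = [sigmoid(z) for z in affine(self.W_o, self.b_o, v)]
        h_t = [o * math.tanh(c) for o, c in zip(o_t, c_t)]
        return h_t, c_t, f_t

def run_sequence(cell, text):
    """Feed text one character at a time; h_t is fed back as input at t + 1.

    Also returns, per hidden unit, the product of all f_t: the fraction of the
    initial cell state that would still be present after the whole sequence.
    """
    h = [0.0] * cell.n_hidden
    c = [0.0] * cell.n_hidden
    carry = [1.0] * cell.n_hidden
    for ch in text:
        h, c, f_t = cell.step(encode_char(ch), h, c)
        carry = [k * f for k, f in zip(carry, f_t)]
    return h, c, carry

if __name__ == "__main__":
    for name, value in extract_query_params(SAMPLE_LOG_LINE):
        for bias in (6.0, -6.0):
            _, _, carry = run_sequence(LSTMCell(4, 4, forget_bias=bias), value)
            print(f"{name}={value!r} forget_bias={bias:+.0f} "
                  f"carry-over={min(carry):.3g}")
```

With a forget-gate bias that pushes $f_t$ toward 1, almost all of the earlier cell state survives a 16-character parameter value; with a bias that pushes $f_t$ toward 0 it is erased within a few characters, which is the control described in step one.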
The data protection module 6 is used for protecting the local data after the abnormal data are detected;
the data protection module 6 comprises a filtering driving module, a reading module and an uploading module;
the filtering driving module is used for acquiring a data backup request and obtaining incremental metadata; the reading module is used for reading corresponding incremental data from the disk according to the incremental metadata; the uploading module is used for uploading the read incremental data to a backup server and triggering the backup server to backup the incremental data.
And the remote connection auxiliary module 7 is used for realizing remote assistance processing of the security event.
The remote connection auxiliary module 7 comprises an authorization authentication module, a remote connection module and an auxiliary tool module;
the authorization authentication module is used for performing authorization authentication between a server side and the management center module 1 in remote connection; the remote connection module is used for remotely connecting the management center module 1 with a server side; the auxiliary tool module is used for providing a professional emergency tool for network security, which is indicated by a network security expert, and assisting in handling network security emergency events.
The emergency tool comprises an emergency disposal host, and is used for completing the inspection, disposal and management work of the network security emergency event with the assistance of an expert end based on a virus feature library; the video device is used for acquiring video signals and transmitting video signals of an emergency disposal site; and the audio device is used for collecting the audio signals of the emergency disposal site and transmitting the audio signals.
In summary, by means of the technical scheme of the invention, the recurrent neural network model is constructed from the risk database, so that the model can analyze and predict the abnormal data obtained by real-time monitoring, risks can be rectified in time, the process of vulnerability detection and rectification in emergency handling is greatly reduced, and efficiency is improved; together with the real-time data acquisition module, the system is kept in a risk detection state at all times, which effectively ensures system security; meanwhile, the data protection module invoked after a vulnerability occurs protects continuous data that has no local cache in time and synchronizes it to the cloud server, preventing data loss and damage; finally, the remote connection auxiliary module effectively improves the efficiency of risk rectification and of assistance, achieves comprehensive rectification and repair of risk vulnerabilities, improves the efficiency of solving system problems, and guarantees network security to the greatest extent.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (10)

1. A network safety emergency disposal system based on a recurrent neural network model is characterized by comprising the following modules:
the management center module is used for carrying out system management and completing the connection and calling of all modules;
the knowledge database module is used for storing risk data and expert knowledge data and updating the risk data and the expert knowledge data regularly;
the data acquisition module is used for monitoring and acquiring network data in real time;
the risk detection tool module is used for carrying out security detection on the network data and detecting and classifying abnormal data;
the risk analysis and processing module is used for analyzing, matching and processing the abnormal data;
the data protection module is used for protecting the local data after the abnormal data is detected;
and the remote connection auxiliary module is used for realizing remote assistance in processing the security event.
2. The system of claim 1, wherein the risk data stored by the knowledge database module comprises webpage tampering, domain name hijacking, intrusion attack, viruses, trojans and malicious codes, and the expert knowledge is a solution corresponding to the risk data;
the network data collected by the data collection module comprises website source codes, operating system logs, website webpage access logs and middleware log information.
3. The cyber security emergency disposal system based on the recurrent neural network model according to claim 1, wherein the risk detection tool module includes a system vulnerability verification tool, a website vulnerability verification tool, a database vulnerability verification tool, a virus detection tool, a Trojan horse detection tool, and a malicious code detection tool.
4. The cyber security emergency disposal system based on the recurrent neural network model according to claim 1, wherein the risk analyzing and processing module comprises a recurrent neural network model constructing module, a recurrent neural network model predicting and analyzing module, a risk information extracting module, a risk processing module, and a data transmitting module;
wherein the recurrent neural network model building module is used for building a recurrent neural network model, the recurrent neural network model prediction analysis module is used for analyzing and predicting abnormal data, the risk information extraction module is used for processing the abnormal data and obtaining clue trees and attacker information, the risk processing module is used for matching risks and repairing them in time, and the data transmission module is used for transmitting expert knowledge data, the clue trees and the attacker information to the remote connection auxiliary module.
5. The cyber security emergency disposal system based on the recurrent neural network model according to claim 4, wherein the analyzing, matching and processing of the abnormal data by the risk analysis and processing module comprises the following steps:
the recurrent neural network model building module builds a separate recurrent neural network model for each type of risk data stored in the knowledge database module and trains it;
the recurrent neural network model prediction analysis module receives the abnormal data detected by the risk detection tool module, extracts query parameters, and inputs the query parameters into the corresponding recurrent neural network model according to the type of the query parameters to perform analysis and prediction;
the risk processing module matches the prediction result: if the knowledge database module holds corresponding expert knowledge, the system is automatically repaired and manually corrected; if no corresponding expert knowledge exists, the prediction result is uploaded to the data transmission module;
the risk information extraction module extracts clue trees and attacker information from the abnormal data;
and the data transmission module sends the prediction result, the clue tree and the attacker information to the remote connection auxiliary module.
6. The system of claim 5, wherein the recurrent neural network model has the following structure:
Figure DEST_PATH_IMAGE001
wherein U, W, V, b and c are the model parameters to be updated by learning; x is the input sequence, denoted
Figure DEST_PATH_IMAGE002
Figure DEST_PATH_IMAGE003
represents the input at time t; S is the hidden unit, denoted
Figure DEST_PATH_IMAGE004
Figure DEST_PATH_IMAGE005
is the hidden-layer state at time t and serves as an input to the next layer, i.e. each layer of the model has two inputs: one is
Figure DEST_PATH_IMAGE006
and the other is the state of the previous layer
Figure DEST_PATH_IMAGE007
Figure DEST_PATH_IMAGE008
represents the output at time t; f is the non-linear activation function tanh, expressed as
Figure DEST_PATH_IMAGE009
where e is the natural constant, the base of the activation function, and z is the exponent of e, ranging over all real numbers.
7. The network security emergency disposal system based on the recurrent neural network model as claimed in claim 5, wherein the constructing and training of the recurrent neural network model specifically includes the following steps:
step one, forgetting: from $h_{t-1}$ and $x_t$, calculate the forget gate $f_t$ at time t:
Figure DEST_PATH_IMAGE010
where $W_f$ and $b_f$ are trainable parameters and $\sigma(\cdot)$ is the Sigmoid activation function, so that $f_t$ lies in (0,1), thereby controlling the change of the cell state $C_{t-1}$: if $f_t \to 1$, $C_{t-1}$ is almost entirely retained; conversely, if $f_t \to 0$, $C_{t-1}$ is almost totally forgotten;
step two, inputting: from $h_{t-1}$ and $x_t$, calculate the input content at time t
Figure DEST_PATH_IMAGE011
Figure DEST_PATH_IMAGE012
at the same time, the input gate $i_t$ is calculated as follows:
Figure DEST_PATH_IMAGE013
where $\sigma(\cdot)$ is the Sigmoid activation function, so that $i_t$ lies in (0,1), thereby controlling the change of the input content
Figure DEST_PATH_IMAGE014
according to the forget gate, the input gate and the input content, the cell state is updated:
Figure DEST_PATH_IMAGE015
where
Figure DEST_PATH_IMAGE016
denotes element-wise multiplication, i.e. $f_t$ is used to forget the content of $C_t$ and discard unnecessary information; then
Figure DEST_PATH_IMAGE017
provides new useful information, and $i_t$ controls the input of information; the input information is added to the cell state after forgetting to form the cell state $C_t$ at time t;
step three, outputting: the information hidden in the cell state is output in the form of a hidden unit, where the output gate is:
Figure DEST_PATH_IMAGE018
so the output $h_t$ at time t is:
Figure DEST_PATH_IMAGE019
where the output $h_t$ serves both as the hidden-state output at time t and as an input at time t + 1.
8. The system of claim 1, wherein the data protection module comprises a filter driving module, a reading module and an uploading module;
the filtering driving module is used for acquiring a data backup request and obtaining incremental metadata; the reading module is used for reading corresponding incremental data from the disk according to the incremental metadata; the uploading module is used for uploading the read incremental data to a backup server and triggering the backup server to backup the incremental data.
9. The cyber security emergency treatment system based on the recurrent neural network model according to claim 1, wherein the remote connection auxiliary module comprises an authorization authentication module, a remote connection module, an auxiliary tool module;
the authorization authentication module is used for performing authorization authentication between the server side and the management center module in remote connection; the remote connection module is used for remotely connecting the management center module and the server side; the auxiliary tool module is used for providing a professional emergency tool for network security, which is indicated by a network security expert, and assisting in handling network security emergency events.
10. The system of claim 9, wherein the emergency tool comprises an emergency disposal host for completing the inspection, disposal and management of the network security emergency event with the assistance of an expert based on the virus feature library; the video device is used for acquiring video signals and transmitting video signals of an emergency disposal site; and the audio device is used for collecting the audio signals of the emergency disposal site and transmitting the audio signals.
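The three steps of claim 7 (forgetting, inputting, outputting), run over the characters of a query parameter as in claim 5, are shown here as an added example that is not code from the patent. The claim's formula images are missing from this page, so the block assumes the standard LSTM gate equations acting on the concatenation of $h_{t-1}$ and $x_t$; the character encoding, dimensions, untrained random weights and sample string are constructed for illustration.

```python
import math
import random

# Assumption: standard LSTM gate equations; the patent's own formula images
# are not available on this page. All weights are random and untrained.

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def affine(W, b, v):
    """Return W @ v + b for a list-of-rows matrix W."""
    return [sum(w * x for w, x in zip(row, v)) + bi for row, bi in zip(W, b)]

def init_params(n_in, n_hid, seed=0):
    """One (W, b) pair per gate, each acting on the concatenation [h_{t-1}, x_t]."""
    rng = random.Random(seed)
    def mat():
        return [[rng.uniform(-0.5, 0.5) for _ in range(n_hid + n_in)]
                for _ in range(n_hid)]
    return {g: (mat(), [0.0] * n_hid) for g in ("f", "i", "c", "o")}

def lstm_step(p, x_t, h_prev, c_prev):
    """One time step: forget gate, input content and input gate, output gate."""
    hx = h_prev + x_t                                     # [h_{t-1}, x_t]
    f_t = [sigmoid(z) for z in affine(*p["f"], hx)]       # step one, in (0,1)
    c_hat = [math.tanh(z) for z in affine(*p["c"], hx)]   # step two, input content
    i_t = [sigmoid(z) for z in affine(*p["i"], hx)]       # step two, in (0,1)
    # Cell state: keep f_t of the old state, add i_t of the new content.
    c_t = [f * c + i * g for f, c, i, g in zip(f_t, c_prev, i_t, c_hat)]
    o_t = [sigmoid(z) for z in affine(*p["o"], hx)]       # step three, output gate
    h_t = [o * math.tanh(c) for o, c in zip(o_t, c_t)]    # also the input at t + 1
    return h_t, c_t, f_t

def encode(ch):
    """Constructed 4-feature encoding of one query-parameter character."""
    return [float(ch.isalpha()), float(ch.isdigit()),
            float(not ch.isalnum()), (ord(ch) % 32) / 32.0]

def run_sequence(p, text, n_hid):
    """Feed a string through the cell one character at a time."""
    h, c = [0.0] * n_hid, [0.0] * n_hid
    for ch in text:
        h, c, _ = lstm_step(p, encode(ch), h, c)
    return h, c

if __name__ == "__main__":
    params = init_params(n_in=4, n_hid=3)
    sample = "q=report&id=42"        # constructed query parameter string
    h, c = run_sequence(params, sample, 3)
    print("final hidden state:", [round(v, 3) for v in h])
```

Forcing the forget-gate bias strongly positive or negative reproduces the two limiting cases the claim describes for $f_t \to 1$ and $f_t \to 0$.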
CN202111405123.XA 2021-11-24 2021-11-24 Network safety emergency disposal system based on recurrent neural network model Pending CN113824745A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111405123.XA CN113824745A (en) 2021-11-24 2021-11-24 Network safety emergency disposal system based on recurrent neural network model

Publications (1)

Publication Number Publication Date
CN113824745A true CN113824745A (en) 2021-12-21

Family

ID=78918178

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111405123.XA Pending CN113824745A (en) 2021-11-24 2021-11-24 Network safety emergency disposal system based on recurrent neural network model

Country Status (1)

Country Link
CN (1) CN113824745A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20211221
