CN114357436A - Intrusion detection system and method combining user behavior portrait with equipment resource monitoring - Google Patents


Info

Publication number: CN114357436A
Application number: CN202110914277.5A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 郑超, 陆秋文, 张智勇, 孙彦斌, 田志宏
Current Assignee: Zhongdian Jizhi Hainan Information Technology Co ltd
Original Assignee: Zhongdian Jizhi Hainan Information Technology Co ltd
Prior art keywords: user; user behavior; behavior; resource utilization; module

Abstract

The invention provides an intrusion detection system and method combining user behavior portraits with equipment resource monitoring. The system comprises a user behavior portrait module, an equipment resource utilization monitoring module and a system security detection module. The user behavior portrait module is used for judging whether the operation of a user accords with the historical behavior characteristics of the user; the equipment resource utilization monitoring module is used for judging whether system resources are being used abnormally; and the system security detection module is used for judging, according to the abnormal activity information given by the user behavior portrait module and/or the equipment resource utilization monitoring module, whether the work in the system is normal and whether an alarm needs to be given to a system administrator. The intrusion detection system combining the user behavior portrait with equipment resource monitoring further improves the functions of the intrusion detection system, reduces the probability of errors and ensures the safety of the system.

Description

Intrusion detection system and method combining user behavior portrait with equipment resource monitoring
Technical Field
The invention relates to the field of network security, in particular to an intrusion detection system and method combining user behavior portraits with equipment resource monitoring.
Background
Computers are becoming simpler, more convenient and easier to carry, and technological innovation has driven the rapid development of networks. Network security has gradually become an emerging discipline that reaches into every aspect of life; it integrates computer science, network technology, communication technology and information security technology. As networks grow larger and more complex, monitoring and inspecting the network reduces the probability of network intrusion and the danger of property information being leaked. At present, the main modes of network intrusion include hacker intrusion, system backdoor intrusion, computer virus intrusion, denial of service attack, internal disclosure, logic bomb, information loss, password cracking and other modes.
Disclosure of Invention
The invention aims to provide an intrusion detection system and method combining user behavior portraits with equipment resource monitoring.
In order to achieve the purpose, the invention adopts a technical scheme that: an intrusion detection system that combines user behavior portraits with device resource monitoring, comprising: the user behavior portrait module, which is used for collecting information related to users accessing the system, building a portrait model of user behavior and judging whether the user's operations are normal; and the equipment resource utilization detection module, which is used for collecting information on the service resources called by a user, modeling the utilization of the system's equipment resources and judging whether the resource utilization of the current system is normal.
Further, the intrusion detection system further comprises: and the system security detection module integrates the detection results of the user behavior portrait module and the equipment resource utilization detection module and is used for comprehensively judging the security condition of the current system.
Further, the user behavior representation module further comprises: the user behavior acquisition unit is used for acquiring user behavior log information including but not limited to a login IP of a user, user login duration, a user content browsing sequence, a user actual operation sequence and the like; the user behavior modeling unit is used for extracting common behavior characteristics from the user logs sent to the user behavior modeling unit, carrying out statistical portrayal on the behaviors of each user and generating a user behavior sequence library; and the user behavior detection unit calculates the deviation of the user behavior by using a mode matching method and a Mahalanobis distance method.
Further, the device resource utilization detecting module further includes: the device resource utilization acquisition unit, which is used for collecting resource utilization information of the server, including but not limited to the calling conditions and load rates of CPU resources, GPU resources, hard disk resources and the like; and the equipment resource utilization detection unit, which is used for sending the resource utilization information to the equipment resource utilization monitoring system, and comparing the utilization condition and the use sequence of the historical resources of the server with the utilization condition of the equipment resources of the current system so as to judge whether the resources in the current system are abused or maliciously used.
In order to achieve the purpose, the invention adopts another technical scheme that: an intrusion detection method that combines user behavior portrayal with device resource monitoring, the method comprising: carrying out intrusion security detection on the access of the user; determining whether the user's behavior corresponds to a role assigned to the user and a historical behavior representation of the user; analyzing the utilization condition of system resources accessed by a user; and monitoring whether the resource utilization condition of the system in the operation is normal or not.
Further, the intrusion detection method further comprises the following steps: and when the user behavior does not conform to the historical behavior habit of user behavior portrait modeling or the called system resource utilization condition is abnormal, giving an alarm.
Compared with the prior art, the invention has the beneficial effects that: the intrusion detection system combining the user behavior portrait with the equipment resource monitoring further improves the functions of the intrusion detection system, reduces the probability of error occurrence and ensures the safety of the system. Meanwhile, the user behavior portrait module can better identify the users with abnormal behaviors by modeling the user portrait; the device resource utilization monitoring module can more rapidly discover the abnormal use of the device resources, and ensure the safety of the system resources.
Therefore, by introducing user behavior portraits and equipment resource utilization monitoring, intrusion detection is realized from users through to resources: users with abnormal behaviors and abnormally used system resources can be found more quickly, the safety of the system users and the system resources is ensured, and the security problem faced by the internal resources of the system when attackers disguise themselves as normal users and system resources are called maliciously is solved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art are briefly described below. Obviously, the drawings in the following description are only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic structural diagram of an intrusion detection system according to embodiment 1 of the present disclosure;
Fig. 2 is a schematic workflow diagram of an intrusion retrieval system according to embodiment 1 of the present disclosure.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Example 1
Fig. 1 shows a schematic structural diagram of an intrusion detection system according to embodiment 1 of the present disclosure.
Referring to Fig. 1, embodiment 1 of the present disclosure introduces an intrusion detection system that combines user behavior portraits with device resource monitoring, including: the user behavior portrait module 101, which is used for collecting information related to users accessing the system, building a portrait model of user behavior and judging whether the user's operations are normal; the device resource utilization detection module 102, which is configured to collect information on the service resources called by a user, model the utilization of the system's device resources, and determine whether the resource utilization of the current system is normal; and the system security detection module 103, which integrates the results of the user behavior portrait module 101 and the device resource utilization detection module 102 and is used for comprehensively judging the security condition of the current system.
The system security detection module 103 is configured to determine whether the system is working normally according to the abnormal activities reported by the user behavior representation module 101 and the device resource utilization detection module 102. Specifically, the system security detection module 103 obtains results from the user behavior representation module 101 and the device resource utilization detection module 102 and uses them to detect whether the work in the system is normal, so as to improve security; at the same time, it raises alarms on abnormal users and abnormal calls of system resources in the system. The main purpose of the alarm is to detect and prevent illegal users from usurping roles or abusing system resources and thereby damaging system resource information.
The user behavior representation module 101 is configured to collect information related to a user accessing the system, perform representation modeling on a behavior of the user, and determine whether a behavior operation of the user is normal. Specifically, after a user logs in, related information is collected by a user behavior portrait module; modeling according to the historical behaviors of the user to generate a user portrait; and judging whether the current user behavior is abnormal. The user behavior representation module 101 may determine that a suspicious user with an abnormal behavior pattern exists in the current system, and instruct the system security detection module 103 to provide different levels of alarms to the system administrator according to different suspicious levels of the suspicious user.
It should be noted that the device resource utilization detecting module 102 is configured to collect service resource information called by a user, model a utilization condition of a system device resource, and determine whether a resource utilization condition of a current system is normal. Specifically, when a user calls a service in the system, the use of the device resource is necessarily generated, and if the system resource is abnormally consumed, there is a high probability that the system is invaded and an attacker makes a malicious use of the device resource. The device resource utilization detection module 102 may determine whether the resource usage in the current system is abnormal, and direct the subsequent system security detection module 103 to alert a system administrator regarding the abnormal usage of the device resource.
Further, the user behavior representation module 101 further includes a user behavior acquisition unit 1011 for recording and acquiring user behaviors.
It should be noted that, from the time the user applies for access to the system, through entering the system, to operating the system, the user's actions are recorded one by one by the user behavior acquisition unit 1011, generating a sequence of contents including, but not limited to, a login IP of the user, a login duration of the user, a user content browsing sequence, a user actual operation sequence, and the like. Therefore, for effective user access, the user behavior representation module 101 performs modeling detection on the user, and records the behavior of the user through the user behavior acquisition unit 1011.
Further, the user behavior representation module 101 further includes a user behavior modeling unit 1012 for recording and collecting user behaviors. Therefore, for effective user access, the user behavior is recorded through the user behavior acquisition unit 1011, and the user is modeled through the user behavior modeling unit 1012, so that a user behavior sequence library is generated.
Further, the user behavior representation module 101 further includes a user behavior detection unit 1013, which calculates the deviation of the user behavior by using a pattern matching method and a Mahalanobis distance method. Therefore, for effective user access, the user behavior is recorded through the user behavior acquisition unit 1011, and the user behavior sequence library generated by the user behavior modeling unit 1012 is analyzed through the user behavior detection unit 1013, so as to determine whether the user behavior is abnormal.
Further, the device resource utilization detecting module 102 further includes a device resource utilization collecting unit 1021, configured to record and collect resource utilization information of the device.
It should be noted that when the user calls the service in the system, the usage of the device resource is certainly generated, and the device resource utilization information collected by the device resource utilization collecting unit 1021 includes, but is not limited to, the calling condition and the load rate of the CPU resource, the GPU resource, and the hard disk resource. Thus, for efficient system resource call access, the device resource utilization detecting module 102 may utilize the device resource utilization acquiring unit 1021 for recording.
Further, the device resource utilization detecting module 102 further includes a device resource utilization detecting unit 1022, configured to detect the resource utilization information generated by the device resource utilization acquiring unit 1021.
It should be noted that the device resource utilization acquiring unit 1021 sends the resource utilization information to the device resource utilization detecting unit 1022, and the device resource utilization detecting unit 1022 compares the utilization condition and the usage sequence of the historical resource of the server with the utilization condition of the device resource of the current system, and determines whether the resource in the current system is abused or maliciously used and whether the current system is safe by combining a customizable warning threshold.
Example 2
Embodiment 2 of the present disclosure introduces an intrusion detection method combining user behavior portraits with device resource monitoring, including: carrying out intrusion security detection on the access of the user; determining whether the user's behavior corresponds to a role assigned to the user and a historical behavior representation of the user; analyzing the utilization condition of system resources accessed by a user; and monitoring whether the resource utilization condition of the system in operation is normal.
Therefore, by implementing the intrusion detection method combining the user behavior portrait with the device resource monitoring described in this embodiment 2, the purpose of guaranteeing system security is achieved; the technical effects of detecting abnormal behaviors of the user based on the user portrait, monitoring and detecting calls to the internal resources of the system, and alerting an administrator in time when the system is under attack are achieved; and the technical problem of malicious abuse of internal system resources when the internal resource information of the system is invaded by an unknown user is solved.
Furthermore, the intrusion detection method combining the user behavior portrait with the equipment resource monitoring further comprises the following steps: and modeling the user behavior portrait by combining the user role with the user behavior. Therefore, for effective user access, the safety of the current user is judged by representing the user behavior and monitoring the current user behavior.
Furthermore, the intrusion detection method combining the user behavior portrait with the equipment resource monitoring further comprises the following steps: and monitoring the utilization condition of the system equipment resources. Therefore, by referring to the use condition of the system resource accessed by the user, the historical condition and the self-defined threshold value, the identification of the abnormal calling of the system equipment resource is facilitated.
Furthermore, the intrusion detection method combining the user behavior portrait with the equipment resource monitoring also comprises the following steps: and when the user behavior does not conform to the historical behavior habit of user behavior portrait modeling or the called system resource utilization condition is abnormal, giving an alarm.
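The detection logic described in Examples 1 and 2, as an added Python sketch that is not part of the patent text: the Mahalanobis-distance and pattern-matching checks of unit 1013, the comparison of current load against history with a customizable threshold in unit 1022, and the alarm rule of module 103. The feature vector, the operation-pair form of pattern matching, the thresholds, the two alert levels and all sample data are assumptions constructed for illustration.

```python
# Added illustration, not the patent's code. The feature vector, thresholds,
# alert levels and every sample value below are constructed assumptions.
import math
from statistics import mean, pstdev


def _solve(a, b):
    """Solve a.x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for r in reversed(range(n)):
        x[r] = (m[r][n] - sum(m[r][c] * x[c] for c in range(r + 1, n))) / m[r][r]
    return x


def mahalanobis(history, current, ridge=1e-6):
    """Distance of `current` from the user's historical feature vectors.

    `ridge` is added to the covariance diagonal so that a feature which never
    varied in the history (singular covariance) cannot cause a zero pivot.
    """
    n, k = len(history), len(current)
    mu = [mean(row[j] for row in history) for j in range(k)]
    cov = [[sum((r[i] - mu[i]) * (r[j] - mu[j]) for r in history) / (n - 1)
            + (ridge if i == j else 0.0) for j in range(k)] for i in range(k)]
    d = [current[j] - mu[j] for j in range(k)]
    return math.sqrt(sum(di * xi for di, xi in zip(d, _solve(cov, d))))


def unseen_ratio(sequence_library, operations):
    """Pattern matching: share of consecutive operation pairs never seen before."""
    known = {pair for seq in sequence_library for pair in zip(seq, seq[1:])}
    pairs = list(zip(operations, operations[1:]))
    return sum(p not in known for p in pairs) / len(pairs) if pairs else 0.0


def resource_anomalies(baseline, current, threshold=3.0):
    """Resources whose load is more than `threshold` sigmas from its history."""
    flagged = []
    for name, samples in baseline.items():
        sigma = pstdev(samples) or 1.0  # flat history: compare raw difference
        if abs(current[name] - mean(samples)) / sigma > threshold:
            flagged.append(name)
    return flagged


def assess(profile, session, baseline, load, dist_limit=3.0, seq_limit=0.5):
    """Fuse both detectors: alarm if either is abnormal, escalate if both are."""
    dist = mahalanobis(profile["features"], session["features"])
    unseen = unseen_ratio(profile["sequences"], session["operations"])
    user_abnormal = dist > dist_limit or unseen > seq_limit
    abused = resource_anomalies(baseline, load, threshold=3.0)
    level = ("none", "low", "high")[int(user_abnormal) + int(bool(abused))]
    return {"alert": level, "distance": round(dist, 2),
            "unseen": unseen, "resources": abused}


# Constructed history: [login minutes, pages browsed, operations] per session.
PROFILE = {
    "features": [[30, 12, 5], [35, 14, 6], [28, 11, 5],
                 [40, 15, 7], [33, 13, 6], [32, 13, 7]],
    "sequences": [["login", "view_report", "export_pdf", "logout"],
                  ["login", "view_report", "logout"]],
}
NORMAL_SESSION = {"features": [31, 12, 5],
                  "operations": ["login", "view_report", "logout"]}
ODD_SESSION = {"features": [240, 90, 60],
               "operations": ["login", "change_config", "export_all", "logout"]}
# Constructed load history in percent, and two current readings.
BASELINE = {"cpu": [20, 25, 22, 24, 19], "gpu": [5, 5, 6, 4, 5],
            "disk": [30, 32, 31, 29, 33]}
NORMAL_LOAD = {"cpu": 23, "gpu": 5, "disk": 31}
ABUSED_LOAD = {"cpu": 24, "gpu": 97, "disk": 30}

if __name__ == "__main__":
    print(assess(PROFILE, NORMAL_SESSION, BASELINE, NORMAL_LOAD))
    print(assess(PROFILE, NORMAL_SESSION, BASELINE, ABUSED_LOAD))
    print(assess(PROFILE, ODD_SESSION, BASELINE, ABUSED_LOAD))
```

Because duration and pages browsed are strongly correlated in the sample history, the Mahalanobis distance penalizes sessions that break that correlation far more than a per-feature threshold would.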
The intrusion detection system and method combining the user behavior portrayal and the equipment resource utilization monitoring, which are disclosed by the embodiment of the disclosure, have the following performances:
(1) the safety of the system is ensured.
When a malicious user evades the firewall and reaches the intrusion detection system, the system begins detecting the user's behavior pattern and analyzes it together with the usage of system resources, so that the probability of intrusion by illegal users is reduced. The intrusion detection system combining the user behavior portrait with the equipment resource monitoring is more complete in function, maintains detection accuracy and reduces the probability of errors.
(2) And the confidentiality of resources inside the system is ensured.
In the intrusion detection system and method combining user behavior portraits with equipment resource utilization monitoring, user behavior is analyzed through the user behavior portrait, and once an abnormal user state is detected, an alarm is given to the system administrator; the equipment resource utilization monitoring module monitors the allocation and degree of use of system resources, ensuring the safety of the system. Once suspicious user behaviors or abnormal system resource calls are found, hidden network security dangers are eliminated in the shortest time by combining modern intrusion detection technology. In this process, patch updates can be applied to some important internal software using suitable maintenance software, and, if necessary, an administrator can modify the configuration of the intrusion detection system to meet the requirements of clients and improve detection efficiency.
(3) Ensuring the integrity of the system.
When an attacker disguised as a user accesses the internal resources of the system, the attacker may modify the internal configuration and insert a backdoor in order to evade the intrusion detection system and make the next entry easier. Such operations differ from the behavior of normal users and can be detected by the user behavior representation module; meanwhile, some malicious programs may call system resources abnormally, and these abnormal situations can be identified by the device resource utilization monitoring module. The system security detection module integrates the information of the user behavior portrait module and the equipment resource utilization monitoring module to rapidly alarm a system administrator, completing a rapid reaction mechanism for confidential documents.
Based on the information, compared with the prior art, the method has the beneficial effects that: the intrusion detection system combining the user behavior portrait with the equipment resource monitoring further improves the functions of the intrusion detection system, reduces the probability of error occurrence and ensures the safety of the system. Meanwhile, the user behavior portrait module detects the accessed user behavior, and the equipment resource utilization monitoring module detects the system service equipment resources called by the user, so that the confidentiality of the internal resources of the system is ensured. In addition, the intrusion detection system combining the user behavior portrait with the equipment resource monitoring can quickly react to normal users disguised by malicious attackers and abnormal system equipment resource calling, so that the integrity of the system is ensured.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.

Claims (6)

1. An intrusion detection system that combines user behavior portraits with device resource monitoring, comprising:
the user behavior portrait module (101) is used for collecting user related information of the access system, modeling portrait of user behaviors and judging whether behavior operations of the user are normal or not;
and the equipment resource utilization detection module (102) is used for collecting service resource information called by a user, modeling the utilization condition of the equipment resources of the system and judging whether the resource utilization condition of the current system is normal or not.
2. The intrusion detection system combining user behavior portraits with device resource monitoring according to claim 1, further comprising a system security detection module (103), which integrates the results of the user behavior representation module (101) and the equipment resource utilization detection module (102) and is used for comprehensively judging the security condition of the current system.
3. The intrusion detection system according to claim 1 where the user behavior representation module (101) further comprises:
the user behavior acquisition unit (1011) is used for acquiring user behavior log information, including but not limited to a login IP of a user, user login duration, a user content browsing sequence, a user actual operation sequence and the like;
the user behavior modeling unit (1012) is used for extracting common behavior characteristics from the user logs sent to the user behavior modeling unit, carrying out statistical portrayal on the behaviors of each user and generating a user behavior sequence library;
and a user behavior detection unit (1013) which calculates the deviation of the user behavior by using a pattern matching method and a Mahalanobis distance method.
4. The intrusion detection system according to claim 1, wherein the device resource utilization detection module (102) further comprises:
the device resource utilization acquisition unit (1021) is used for collecting resource utilization information of the device, wherein the resource utilization information comprises but is not limited to the calling conditions and load rates of CPU resources, GPU resources, hard disk resources and the like;
and the equipment resource utilization detection unit (1022) sends the resource utilization information to the equipment resource utilization monitoring system, and compares the utilization condition and the use sequence of the historical resources of the server with the utilization condition of the equipment resources of the current system so as to judge whether the resources in the current system are abused or maliciously used.
5. An intrusion detection method combining user behavior portraits with device resource monitoring, for use in the system of claim 1, the method comprising:
carrying out intrusion security detection on the access of the user;
determining whether the user's behavior corresponds to a role assigned to the user and a historical behavior representation of the user;
analyzing the utilization condition of system resources accessed by a user;
and monitoring whether the resource utilization condition of the system in the operation is normal or not.
6. The intrusion detection method with combination of a user behavior representation and device resource monitoring of claim 5, further comprising the steps of: and when the user behavior does not conform to the historical behavior habit of user behavior portrait modeling or the called system resource utilization condition is abnormal, giving an alarm.

Application number: CN202110914277.5A
Title: Intrusion detection system and method combining user behavior portrait with equipment resource monitoring
Priority date: 2021-08-10
Filing date: 2021-08-10
Publication: CN114357436A (en), published 2022-04-15
Family ID: 81095483
Country: CN
Status: Pending

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination