CN115378746A - Network intrusion detection rule generation method, device, equipment and storage medium - Google Patents


Info

Publication number: CN115378746A
Application number: CN202211319480.9A
Authority: CN (China)
Prior art keywords: network intrusion, intrusion detection, detection rule, network, flow
Legal status: Granted (as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN115378746B (en)
Inventors: 马维士, 沈传宝
Current assignee: State Grid Siji Network Security Beijing Co ltd; Beijing Huayuan Information Technology Co Ltd
Original assignee: State Grid Siji Network Security Beijing Co ltd; Beijing Huayuan Information Technology Co Ltd

Events:
    • Application filed by State Grid Siji Network Security Beijing Co ltd and Beijing Huayuan Information Technology Co Ltd
    • Priority to CN202211319480.9A
    • Publication of CN115378746A
    • Application granted
    • Publication of CN115378746B
    • Legal status: Active
    • Anticipated expiration

Classifications (CPC)

Shared path: H Electricity › H04 Electric communication technique › H04L Transmission of digital information, e.g. telegraphic communication › H04L63/00 Network architectures or network communication protocols for network security › H04L63/14 ... for detecting or protecting against malicious traffic

    • H04L63/1408 ... by monitoring network traffic › H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1408 ... by monitoring network traffic › H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The embodiments of the disclosure provide a method, apparatus, device and storage medium for generating a network intrusion detection rule, in the technical field of network security. The method comprises: parsing abnormal traffic data of a target network system to obtain traffic fields; extracting features from the traffic fields to obtain traffic features; determining a candidate network intrusion detection rule from a network intrusion detection rule knowledge graph according to the traffic features, the knowledge graph being constructed from a network intrusion entity-relationship group; and adjusting the candidate network intrusion detection rule according to the traffic fields to generate the target network intrusion detection rule. In this way, suitable target network intrusion detection rules can be generated automatically and quickly on the basis of a network intrusion detection rule knowledge graph.

Description

Network intrusion detection rule generation method, device, equipment and storage medium
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a method, an apparatus, a device, and a storage medium for generating a network intrusion detection rule.
Background
In recent years network intrusion incidents have been frequent, and Trojan, worm and ransomware intrusions on the Internet emerge one after another, posing serious threats to network security. Intrusion detection therefore has to be performed on network systems so that intrusion behaviour is discovered in time. In current network intrusion detection, however, efficiency is low because the detection rules are written by hand and depend mainly on the individual ability and experience of security staff. How to improve the efficiency of generating network intrusion detection rules has therefore become a technical problem that urgently needs solving.
Disclosure of Invention
The present disclosure provides a method, apparatus, device and storage medium for generating a network intrusion detection rule, which can automatically and rapidly generate a suitable target network intrusion detection rule on the basis of a network intrusion detection rule knowledge graph.
In a first aspect, an embodiment of the present disclosure provides a method for generating a network intrusion detection rule, the method comprising:
parsing abnormal traffic data of a target network system to obtain traffic fields;
extracting features from the traffic fields to obtain traffic features;
determining candidate network intrusion detection rules from a network intrusion detection rule knowledge graph according to the traffic features, the knowledge graph being constructed from a network intrusion entity-relationship group, wherein the group comprises network intrusion traffic feature entities with their attributes, network intrusion detection rule entities with their attributes, and the association relations between the traffic feature entities and the detection rule entities;
and adjusting the candidate network intrusion detection rules according to the traffic fields to generate target network intrusion detection rules.
In some implementations of the first aspect, establishing the network intrusion detection rule knowledge graph comprises:
acquiring network intrusion historical data;
performing knowledge extraction on the network intrusion historical data to obtain a network intrusion entity-relationship group;
and performing knowledge fusion and knowledge processing on the network intrusion entity-relationship group to obtain the network intrusion detection rule knowledge graph.
In some implementations of the first aspect, determining the candidate network intrusion detection rules from the knowledge graph according to the traffic features comprises:
determining, from the knowledge graph, one or more network intrusion detection rules that match the traffic features;
calculating the detection rate of each of these network intrusion detection rules;
and determining the network intrusion detection rule whose detection rate satisfies a preset intrusion detection condition as the candidate network intrusion detection rule.
In some implementations of the first aspect, adjusting the candidate network intrusion detection rule according to the traffic fields to generate the target network intrusion detection rule comprises:
type-matching the traffic fields against the fields in the candidate network intrusion detection rule;
and replacing each field in the candidate rule with the traffic field whose type matches it, so as to generate the target network intrusion detection rule.
In some implementations of the first aspect, the method further comprises:
performing an intrusion detection test on the adjusted candidate network intrusion detection rule using simulated traffic data, the simulated traffic data being generated by simulating the abnormal traffic data;
and, if the intrusion detection test passes, taking the adjusted candidate network intrusion detection rule as the target network intrusion detection rule.
In some implementations of the first aspect, the traffic data of the target network system is obtained by bypass packet capture.
In some implementations of the first aspect, the traffic features include one or more of: a network five-tuple feature, an operating system feature, an open service feature, a service component feature and a component version feature.
In a second aspect, an embodiment of the present disclosure provides a network intrusion detection rule generating apparatus, the apparatus comprising:
a parsing module, configured to parse abnormal traffic data of a target network system to obtain traffic fields;
an extraction module, configured to extract features from the traffic fields to obtain traffic features;
a determining module, configured to determine candidate network intrusion detection rules from a network intrusion detection rule knowledge graph according to the traffic features, the knowledge graph being constructed from a network intrusion entity-relationship group, wherein the group comprises network intrusion traffic feature entities with their attributes, network intrusion detection rule entities with their attributes, and the association relations between the traffic feature entities and the detection rule entities;
and an adjusting module, configured to adjust the candidate network intrusion detection rules according to the traffic fields to generate target network intrusion detection rules.
In a third aspect, an embodiment of the present disclosure provides an electronic device comprising at least one processor and a memory communicatively coupled to the at least one processor, the memory storing instructions executable by the at least one processor to enable the at least one processor to perform the method described above.
In a fourth aspect, an embodiment of the present disclosure provides a non-transitory computer-readable storage medium storing computer instructions for causing a computer to perform the method described above.
In the method, candidate network intrusion detection rules can be matched automatically from the knowledge graph on the basis of the traffic features of the abnormal traffic data, and the candidate rules are then adjusted according to the traffic fields of that data, so that suitable target network intrusion detection rules are generated quickly and the efficiency of rule generation is improved.
It should be understood that the statements herein reciting aspects are not intended to limit the critical or essential features of the embodiments of the present disclosure, nor are they intended to limit the scope of the present disclosure. Other features of the present disclosure will become apparent from the following description.
Drawings
The above and other features, advantages and aspects of embodiments of the present disclosure will become more apparent upon consideration of the following detailed description, taken in conjunction with the accompanying drawings. The accompanying drawings are included to provide a further understanding of the present disclosure, and are not intended to limit the disclosure thereto, and the same or similar reference numerals will be used to indicate the same or similar elements, where:
Fig. 1 is a schematic diagram of an exemplary operating environment in which embodiments of the present disclosure can be implemented;
Fig. 2 is a flowchart of a method for generating network intrusion detection rules according to an embodiment of the present disclosure;
Fig. 3 is a block diagram of a network intrusion detection rule generating apparatus according to an embodiment of the present disclosure;
Fig. 4 is a block diagram of an exemplary electronic device capable of implementing embodiments of the present disclosure.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present disclosure more apparent, the technical solutions in the embodiments of the present disclosure will be described clearly and completely with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are some, but not all embodiments of the present disclosure. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without inventive step, are intended to be within the scope of the present disclosure.
In addition, the term "and/or" herein is only one kind of association relationship describing the association object, and means that there may be three kinds of relationships, for example, a and/or B, and may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
In view of the problems in the background art, embodiments of the present disclosure provide a method, an apparatus, a device, and a storage medium for generating a network intrusion detection rule.
Specifically, abnormal traffic data of the target network system may be parsed to obtain traffic fields; features may be extracted from the traffic fields to obtain traffic features; candidate network intrusion detection rules may be determined from a network intrusion detection rule knowledge graph according to the traffic features, where the knowledge graph is constructed from a network intrusion entity-relationship group comprising network intrusion traffic feature entities with their attributes, network intrusion detection rule entities with their attributes, and the association relations between the two kinds of entity; and the candidate rules may be adjusted according to the traffic fields to generate the target network intrusion detection rules.
In this way, candidate network intrusion detection rules can be matched automatically from the knowledge graph on the basis of the traffic features of the abnormal traffic data, and the candidate rules are adjusted according to the traffic fields of that data, so that suitable target network intrusion detection rules are generated quickly and the efficiency of rule generation is improved.
The method, apparatus, device and storage medium for generating network intrusion detection rules according to the embodiments of the present disclosure are described in detail with reference to the accompanying drawings.
Fig. 1 is a schematic diagram of an exemplary operating environment in which embodiments of the present disclosure can be implemented. As shown in Fig. 1, the operating environment 100 may include an electronic device 110 and a target network system 120.
The electronic device 110 may be a mobile or a non-mobile electronic device. For example, the mobile electronic device may be a tablet computer, a notebook computer, a palmtop computer, an Ultra-Mobile Personal Computer (UMPC) or the like, and the non-mobile electronic device may be a Personal Computer (PC), a supercomputer, a server or the like. The target network system 120 is a network system that requires network intrusion detection; it may be the network system of an enterprise, a factory, a campus or another organisation, without limitation.
As an example, the electronic device 110 may obtain abnormal traffic data of the target network system 120 in real time by bypass packet capture, parse the abnormal traffic data to obtain traffic fields, extract features from the traffic fields to obtain traffic features (e.g. a network five-tuple feature, an operating system feature, an open service feature, a service component feature, a component version feature, and the like), and determine candidate network intrusion detection rules (i.e. the network intrusion detection rules associated with the network intrusion traffic features that match the traffic features) from the network intrusion detection rule knowledge graph according to the traffic features.
The network intrusion detection rule knowledge graph is a knowledge graph, i.e. a knowledge base, constructed from a network intrusion entity-relationship group, where the group comprises network intrusion traffic feature entities with their attributes, network intrusion detection rule entities with their attributes, and the association relations between the traffic feature entities and the detection rule entities. Here, a network intrusion traffic feature entity and its attributes represent a network intrusion traffic feature, a network intrusion detection rule entity and its attributes represent a network intrusion detection rule, and the association relation between the two entities represents the association between that traffic feature and that detection rule.
The determined candidate network intrusion detection rules are then adapted according to the traffic fields, so that target network intrusion detection rules suited to the target network system 120 are generated quickly and the efficiency of rule generation is improved.
The network intrusion detection rule generating method provided by the embodiment of the present disclosure will be described in detail below, wherein an execution subject of the network intrusion detection rule generating method may be the electronic device 110.
Fig. 2 is a flowchart of a network intrusion detection rule generation method provided by an embodiment of the present disclosure. As shown in Fig. 2, the network intrusion detection rule generation method 200 may include the following steps:
S210: parse abnormal traffic data of the target network system to obtain traffic fields.
In some embodiments, a switch in the target network system may be configured so that bypass packet capture is performed through a mirror port of the switch, which quickly yields the abnormal traffic data of the target network system; deep packet inspection (DPI) is then performed on the abnormal traffic data to obtain the traffic fields.
S220: perform feature extraction on the traffic fields to obtain traffic features.
In some embodiments, the traffic features may be obtained by running a preset feature extraction algorithm over the traffic fields.
Illustratively, the traffic features may include one or more of: a network five-tuple feature (i.e. source address, source port, destination address, destination port and protocol), an operating system feature, an open service feature, a service component feature and a component version feature, without limitation.
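As an added illustration of steps S210 and S220 (this is not code from the patent; the packet contents, addresses, port table and Server header are constructed sample values), the following Python decodes an IPv4/TCP packet into named traffic fields and derives the five feature kinds listed above. The operating-system hint from the initial TTL is a coarse passive heuristic assumed for this example, not a method the patent describes.

```python
import re
import struct
from typing import Any, Dict

# Well-known port -> service name table for the "open service" feature (a small subset,
# assumed here for the example).
WELL_KNOWN_PORTS = {21: "ftp", 22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "https", 3306: "mysql"}

# Pulls "Server: <component>/<version>" out of an HTTP response payload.
SERVER_HEADER = re.compile(rb"^Server:[ \t]*([A-Za-z0-9_-]+)(?:/([0-9][0-9.]*))?", re.M)


def build_sample_packet() -> bytes:
    """Constructed IPv4/TCP packet (no link-layer header) carrying an HTTP response.
    Addresses, ports and the Server header are hypothetical sample values."""
    payload = b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nContent-Length: 0\r\n\r\n"
    # TCP: sport, dport, seq, ack, data offset (5 words) + PSH/ACK flags, window, checksum, urgent
    tcp_header = struct.pack("!HHIIHHHH", 80, 51234, 1000, 2000, (5 << 12) | 0x18, 65535, 0, 0)
    total_length = 20 + len(tcp_header) + len(payload)
    # IPv4: version/IHL, TOS, total length, id, flags/fragment, TTL, protocol (6 = TCP), checksum, src, dst
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234, 0x4000, 64, 6, 0,
                            bytes([10, 0, 0, 5]), bytes([192, 168, 1, 20]))
    return ip_header + tcp_header + payload


def parse_traffic_fields(pkt: bytes) -> Dict[str, Any]:
    """DPI step (S210): decode the IPv4 and transport headers into named traffic fields."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_length = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_length > len(pkt):
        raise ValueError("truncated or malformed IPv4 header")
    ttl, proto = pkt[8], pkt[9]
    src_ip = ".".join(str(b) for b in pkt[12:16])
    dst_ip = ".".join(str(b) for b in pkt[16:20])
    l4 = pkt[ihl:total_length]
    src_port = dst_port = None
    if proto == 6 and len(l4) >= 20:
        src_port, dst_port = struct.unpack("!HH", l4[:4])
        data_offset = (l4[12] >> 4) * 4
        protocol, payload = "tcp", l4[data_offset:]
    elif proto == 17 and len(l4) >= 8:
        src_port, dst_port = struct.unpack("!HH", l4[:4])
        protocol, payload = "udp", l4[8:]
    else:
        # Other transports keep the numeric protocol and the raw layer-4 bytes.
        protocol, payload = str(proto), l4
    return {"src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip, "dst_port": dst_port,
            "protocol": protocol, "ttl": ttl, "payload": payload}


def extract_features(fields: Dict[str, Any]) -> Dict[str, Any]:
    """Feature extraction step (S220): derive the five feature kinds the text lists."""
    five_tuple = (fields["src_ip"], fields["src_port"], fields["dst_ip"], fields["dst_port"], fields["protocol"])
    # Open service: first well-known port seen in the flow (destination checked before source).
    open_service = None
    for port in (fields["dst_port"], fields["src_port"]):
        if port in WELL_KNOWN_PORTS:
            open_service = WELL_KNOWN_PORTS[port]
            break
    # OS hint from the initial TTL: a coarse passive heuristic, assumed for this example only.
    ttl = fields["ttl"]
    os_hint = "unix-like" if ttl <= 64 else "windows-like" if ttl <= 128 else "other"
    m = SERVER_HEADER.search(fields["payload"])
    component = m.group(1).decode("ascii", "replace") if m else None
    version = m.group(2).decode("ascii", "replace") if m and m.group(2) else None
    return {"five_tuple": five_tuple, "operating_system": os_hint, "open_service": open_service,
            "service_component": component, "component_version": version}


if __name__ == "__main__":
    print(extract_features(parse_traffic_fields(build_sample_packet())))
```

A real DPI stage would also handle IP options, IPv6, fragmentation and TLS, which this parser deliberately leaves out; the point is the shape of the two outputs, typed traffic fields and the feature set that the knowledge-graph lookup in S230 consumes.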
S230: determine candidate network intrusion detection rules from the network intrusion detection rule knowledge graph according to the traffic features.
The network intrusion detection rule knowledge graph is a knowledge graph, i.e. a knowledge base, constructed from a network intrusion entity-relationship group, where the group comprises network intrusion traffic feature entities with their attributes, network intrusion detection rule entities with their attributes, and the association relations between the traffic feature entities and the detection rule entities. Here, a network intrusion traffic feature entity and its attributes represent a network intrusion traffic feature, a network intrusion detection rule entity and its attributes represent a network intrusion detection rule, and the association relation between the two entities represents the association between that traffic feature and that detection rule.
Illustratively, establishing the network intrusion detection rule knowledge graph may include the following steps:
Acquire network intrusion historical data, for example from a network intrusion history database (such as a traffic library and a rule library), a network security forum, an encyclopedia, news reports or conversations.
Then perform knowledge extraction (entity extraction, relation extraction and attribute extraction) on the network intrusion historical data to obtain a network intrusion entity-relationship group, and perform knowledge fusion and knowledge processing on that group to obtain the network intrusion detection rule knowledge graph.
In this way, a knowledge base that takes part in network intrusion detection rule generation can be constructed quickly from a large volume of network intrusion historical data.
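As an added example of the three construction steps just described (acquisition, knowledge extraction, then fusion and processing), not code from the patent: the records, alias table and rule ids below are constructed sample values, and "knowledge processing" is modelled here as a quality gate that drops rule entities with no recorded detection rate, which is this example's assumption rather than anything the patent specifies.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed historical records standing in for rows from a traffic library, a rule
# library and free-text sources. Names and metrics are hypothetical sample values.
HISTORY = [
    {"feature": "HTTP", "feature_attrs": {"port": 80}, "rule": "RULE-101",
     "rule_attrs": {"engine": "snort", "detection_rate": 0.82}},
    {"feature": "http ", "feature_attrs": {"layer": "application"}, "rule": "rule-101",
     "rule_attrs": {"miss_rate": 0.18}},                 # same entities, spelled differently
    {"feature": "web service", "feature_attrs": {}, "rule": "RULE-102",
     "rule_attrs": {"engine": "suricata", "detection_rate": 0.90}},
    {"feature": "HTTP", "feature_attrs": {}, "rule": "RULE-999",
     "rule_attrs": {"engine": "snort"}},                 # no detection metrics recorded
    {"feature": "SSH", "feature_attrs": {"port": 22}, "rule": "RULE-201",
     "rule_attrs": {"engine": "snort", "detection_rate": 0.95}},
]

# Alias table consulted during knowledge fusion (assumed for the example).
FEATURE_ALIASES = {"web service": "http", "www": "http", "secure shell": "ssh"}


@dataclass
class KnowledgeGraph:
    feature_entities: Dict[str, dict] = field(default_factory=dict)   # name -> attributes
    rule_entities: Dict[str, dict] = field(default_factory=dict)      # id -> attributes
    associations: Set[Tuple[str, str]] = field(default_factory=set)   # (feature, rule)


def canonical_feature(name: str) -> str:
    """Fusion key for feature mentions: whitespace/case normalised, then alias-resolved."""
    key = " ".join(name.strip().lower().split())
    return FEATURE_ALIASES.get(key, key)


def canonical_rule(name: str) -> str:
    return name.strip().upper()


def extract_knowledge(records) -> List[Tuple[str, dict, str, dict]]:
    """Knowledge extraction: the feature entity, the rule entity, their attributes and the
    feature -> rule relation from each record."""
    return [(r["feature"], dict(r["feature_attrs"]), r["rule"], dict(r["rule_attrs"])) for r in records]


def fuse_knowledge(graph: KnowledgeGraph, triples) -> KnowledgeGraph:
    """Knowledge fusion: merge mentions that denote the same entity and union their attributes."""
    for feat, fattrs, rule, rattrs in triples:
        f, r = canonical_feature(feat), canonical_rule(rule)
        feature_entity = graph.feature_entities.setdefault(f, {"support": 0})
        feature_entity.update(fattrs)
        feature_entity["support"] += 1          # how many records mention this entity
        rule_entity = graph.rule_entities.setdefault(r, {"support": 0})
        rule_entity.update(rattrs)
        rule_entity["support"] += 1
        graph.associations.add((f, r))
    return graph


def process_knowledge(graph: KnowledgeGraph) -> KnowledgeGraph:
    """Knowledge processing (example's assumption): drop rule entities that carry no
    detection rate, since S230 could not rank them, and remove their associations."""
    unranked = {r for r, attrs in graph.rule_entities.items() if "detection_rate" not in attrs}
    for r in unranked:
        del graph.rule_entities[r]
    graph.associations = {(f, r) for (f, r) in graph.associations if r not in unranked}
    return graph


def build_graph(records) -> KnowledgeGraph:
    return process_knowledge(fuse_knowledge(KnowledgeGraph(), extract_knowledge(records)))


def rules_for_feature(graph: KnowledgeGraph, feature: str) -> List[str]:
    """Lookup used by S230: rule entities associated with a (possibly aliased) feature."""
    f = canonical_feature(feature)
    return sorted(r for (ff, r) in graph.associations if ff == f)


if __name__ == "__main__":
    g = build_graph(HISTORY)
    print(g.feature_entities, g.rule_entities, sorted(g.associations), sep="\n")
```

The fusion step is where most of the engineering effort lands in practice: without canonical keys the same service or rule appears as several entities and the detection-rate ranking in S230 is computed over fragments of the evidence rather than all of it.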
In some embodiments, one or more network intrusion detection rules that match the traffic features, i.e. the rules associated with the network intrusion traffic features matching the traffic features, may be determined from the knowledge graph according to the traffic features; the detection rate of each such rule is then calculated, and the rule whose detection rate satisfies the preset intrusion detection condition is determined as the candidate network intrusion detection rule. The preset intrusion detection condition may be that the rule with the highest detection rate is selected as the candidate.
Furthermore, the missed-alarm rate (false negative rate) and the false alarm rate (false positive rate) of each network intrusion detection rule may be calculated, and the rule whose detection rate, missed-alarm rate and false alarm rate satisfy the preset intrusion detection condition is determined as the candidate. Here, the preset intrusion detection condition may be that, among the rules whose missed-alarm rate and false alarm rate are each greater than the corresponding preset threshold, the one with the highest detection rate is selected as the candidate network intrusion detection rule.
In this way, the rule with the best detection effect can be selected as the candidate from the determined rules on the basis of detection metrics, which further improves the detection capability of the resulting target network intrusion detection rule.
S240: adjust the candidate network intrusion detection rule according to the traffic fields to generate the target network intrusion detection rule.
In some embodiments, the traffic fields may be type-matched against the fields in the candidate network intrusion detection rule, and each field in the candidate rule is replaced by the traffic field whose type matches it, thereby generating the target network intrusion detection rule.
For example, the network five-tuple field of the traffic replaces the network five-tuple field in the candidate network intrusion detection rule.
Thus the corresponding fields of the determined candidate rule can be replaced by the traffic fields of the abnormal traffic data of the target network system, so that the candidate rule fits the current target network system better; the rule does not have to be written from scratch, and generation efficiency is greatly improved.
Further, to ensure the detection capability of the target rule, the adjusted candidate rule may be subjected to an intrusion detection test using simulated traffic data, which is generated by simulating the abnormal traffic data; if the test passes, the adjusted candidate rule is deemed to meet the intrusion detection requirement and is taken as the target network intrusion detection rule.
According to the embodiments of the present disclosure, candidate network intrusion detection rules can be matched automatically from the knowledge graph on the basis of the traffic features of the abnormal traffic data and adjusted according to its traffic fields, so that suitable target network intrusion detection rules are generated quickly and the efficiency of rule generation is improved.
The network intrusion detection rule generation method provided by the present disclosure is described in detail below with reference to a specific embodiment:
(1) Quickly acquire abnormal traffic data of the target network system by bypass packet capture, then perform DPI on the abnormal traffic data to obtain traffic fields.
(2) Extract features from the traffic fields to obtain traffic features.
(3) Determine, from the network intrusion detection rule knowledge graph, one or more network intrusion detection rules that match the traffic features; calculate the detection rate of each; and determine the rules whose detection rate satisfies the preset intrusion detection condition as candidate network intrusion detection rules.
(4) Type-match the traffic fields against the fields in the candidate rule, and replace each field in the candidate rule with the traffic field whose type matches it.
(5) Run an intrusion detection test on the adjusted candidate rule using simulated traffic data; if the test passes, the adjusted candidate rule is deemed to meet the intrusion detection requirement, is taken as the target network intrusion detection rule, and is held ready for subsequent use.
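Steps (3) to (5) of this procedure as one added Python example, not the patent's own code: the rule ids, templates and detection metrics in the graph slice are hypothetical; rules use a Snort-like header with typed placeholders for the five-tuple fields; the miss-rate and false-alarm-rate thresholds are applied as upper bounds (this example's assumption); and the evaluator used for the simulated-traffic test handles only the header five-tuple and a single content match.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed knowledge-graph slice (hypothetical rule ids, templates and metrics): each rule
# entity lists the traffic-feature entities it is associated with, a Snort-like template whose
# header fields are typed placeholders, and detection metrics from earlier deployments.
RULE_GRAPH: Dict[str, dict] = {
    "RULE-101": {"features": {"service:http", "component:Apache"},
                 "template": 'alert {proto} {src_ip} {src_port} -> {dst_ip} {dst_port} '
                             '(msg:"RULE-101 demo probe"; content:"X-Demo-Marker: probe"; sid:101;)',
                 "detection_rate": 0.82, "miss_rate": 0.18, "false_alarm_rate": 0.02},
    "RULE-102": {"features": {"service:http"},
                 "template": 'alert {proto} {src_ip} any -> {dst_ip} {dst_port} '
                             '(msg:"RULE-102 demo probe"; content:"X-Demo-Marker: probe"; sid:102;)',
                 "detection_rate": 0.90, "miss_rate": 0.10, "false_alarm_rate": 0.15},
    "RULE-201": {"features": {"service:ssh"},
                 "template": 'alert {proto} {src_ip} any -> {dst_ip} 22 (msg:"RULE-201 demo"; sid:201;)',
                 "detection_rate": 0.95, "miss_rate": 0.05, "false_alarm_rate": 0.01},
}

# Declared type of each rule field; a traffic field may only replace a rule field of the same type.
RULE_FIELD_TYPES = {"src_ip": "ip", "dst_ip": "ip", "src_port": "port", "dst_port": "port", "proto": "protocol"}
PLACEHOLDER = re.compile(r"\{(\w+)\}")
HEADER = re.compile(r"^alert (\S+) (\S+) (\S+) -> (\S+) (\S+) \((.*)\)$")

# Constructed typed traffic fields and features from one abnormal flow of the target system.
TRAFFIC_FIELDS: Dict[str, Tuple[str, object]] = {
    "src_ip": ("ip", "203.0.113.7"), "src_port": ("port", 40512),
    "dst_ip": ("ip", "192.168.1.20"), "dst_port": ("port", 80), "proto": ("protocol", "tcp")}
FEATURES = {"service:http", "component:Apache", "version:2.4.41"}

# Constructed simulated traffic for step (5): abnormal samples carry the marker, normal ones do not.
_BASE = {"proto": "tcp", "src_ip": "203.0.113.7", "src_port": 40512, "dst_ip": "192.168.1.20", "dst_port": 80}
SIM_ABNORMAL = [dict(_BASE, payload=b"GET / HTTP/1.1\r\nX-Demo-Marker: probe\r\n\r\n")]
SIM_NORMAL = [dict(_BASE, payload=b"GET / HTTP/1.1\r\nUser-Agent: demo-browser\r\n\r\n")]


def match_rules(features: set) -> List[str]:
    """Step (3), matching: rules whose associated feature entities all occur in the observed features."""
    return [rid for rid, r in RULE_GRAPH.items() if r["features"] <= features]


def select_candidate(rule_ids: List[str], max_miss: float = 0.2, max_false_alarm: float = 0.05) -> Optional[str]:
    """Step (3), selection: keep rules within the miss/false-alarm bounds, take the highest detection rate."""
    within = [rid for rid in rule_ids
              if RULE_GRAPH[rid]["miss_rate"] <= max_miss and RULE_GRAPH[rid]["false_alarm_rate"] <= max_false_alarm]
    return max(within, key=lambda rid: RULE_GRAPH[rid]["detection_rate"], default=None)


def adapt_rule(rule_id: str, traffic_fields: Dict[str, Tuple[str, object]]) -> str:
    """Step (4): type-match each placeholder against the traffic fields and substitute the value;
    a missing field or a type mismatch is refused rather than silently left in the rule."""
    def fill(m) -> str:
        name = m.group(1)
        rule_type = RULE_FIELD_TYPES.get(name)
        if rule_type is None or name not in traffic_fields:
            raise ValueError(f"no traffic field available for rule field {name}")
        field_type, value = traffic_fields[name]
        if field_type != rule_type:
            raise ValueError(f"type mismatch for {name}: rule expects {rule_type}, traffic has {field_type}")
        return str(value)
    return PLACEHOLDER.sub(fill, RULE_GRAPH[rule_id]["template"])


def rule_matches(rule_text: str, pkt: dict) -> bool:
    """Toy evaluator for step (5): header five-tuple ('any' wildcards) plus one content match."""
    m = HEADER.match(rule_text)
    if m is None:
        raise ValueError("unsupported rule syntax")
    proto, sip, sport, dip, dport, options = m.groups()

    def ok(want: str, have: object) -> bool:
        return want == "any" or want == str(have)

    if not (ok(proto, pkt["proto"]) and ok(sip, pkt["src_ip"]) and ok(sport, pkt["src_port"])
            and ok(dip, pkt["dst_ip"]) and ok(dport, pkt["dst_port"])):
        return False
    content = re.search(r'content:"([^"]*)"', options)
    return content is None or content.group(1).encode() in pkt["payload"]


def generate_rule(features: set, traffic_fields, simulated_abnormal, simulated_normal=()) -> Optional[str]:
    """Steps (3)-(5) end to end; None when no candidate survives selection or the simulated test."""
    candidate = select_candidate(match_rules(features))
    if candidate is None:
        return None
    rule = adapt_rule(candidate, traffic_fields)
    detects_all = all(rule_matches(rule, p) for p in simulated_abnormal)
    no_false_alarm = not any(rule_matches(rule, p) for p in simulated_normal)
    return rule if detects_all and no_false_alarm else None


if __name__ == "__main__":
    print(generate_rule(FEATURES, TRAFFIC_FIELDS, SIM_ABNORMAL, SIM_NORMAL))
```

With the sample data RULE-102 has the better detection rate but fails the false-alarm bound, so RULE-101 is chosen, its header is filled from the captured five-tuple, and the result passes the simulated test; the same pipeline returns None for an SSH-only feature set because the adapted RULE-201 does not fire on the simulated abnormal samples, which is exactly the case step (5) exists to catch.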
It should be noted that for simplicity of description, the above-mentioned method embodiments are described as a series of acts, but those skilled in the art should understand that the present disclosure is not limited by the described order of acts, as some steps may be performed in other orders or simultaneously according to the present disclosure. Further, those skilled in the art should also appreciate that the embodiments described in the specification are exemplary embodiments and that acts and modules referred to are not necessarily required by the disclosure.
The above is a description of embodiments of the method, and the embodiments of the apparatus are described below to further illustrate the aspects of the disclosure.
Fig. 3 is a block diagram of a network intrusion detection rule generating device according to an embodiment of the present disclosure. As shown in Fig. 3, the network intrusion detection rule generating device 300 may include:
a parsing module 310, configured to parse abnormal traffic data of the target network system to obtain traffic fields;
an extraction module 320, configured to extract features from the traffic fields to obtain traffic features;
a determining module 330, configured to determine candidate network intrusion detection rules from the network intrusion detection rule knowledge graph according to the traffic features, the knowledge graph being constructed from a network intrusion entity-relationship group that comprises network intrusion traffic feature entities with their attributes, network intrusion detection rule entities with their attributes, and the association relations between the traffic feature entities and the detection rule entities;
and an adjusting module 340, configured to adjust the candidate network intrusion detection rules according to the traffic fields and generate target network intrusion detection rules.
In some embodiments, establishing the network intrusion detection rule knowledge graph comprises the following steps:
acquiring network intrusion historical data;
performing knowledge extraction on the network intrusion historical data to obtain a network intrusion entity-relationship group;
and performing knowledge fusion and knowledge processing on the network intrusion entity-relationship group to obtain the network intrusion detection rule knowledge graph.
In some embodiments, the determining module 330 is specifically configured to:
determine, from the knowledge graph, one or more network intrusion detection rules that match the traffic features;
calculate the detection rate of each network intrusion detection rule;
and determine the rule whose detection rate satisfies the preset intrusion detection condition as the candidate network intrusion detection rule.
In some embodiments, the adjusting module 340 is specifically configured to:
type-match the traffic fields against the fields in the candidate network intrusion detection rule;
and replace each field in the candidate rule with the traffic field whose type matches it, generating the target network intrusion detection rule.
In some embodiments, the network intrusion detection rule generating device 300 further includes:
a test module, configured to run an intrusion detection test on the adjusted candidate rule using simulated traffic data, the simulated traffic data being generated by simulating the abnormal traffic data;
and a processing module, configured to take the adjusted candidate rule as the target network intrusion detection rule if the intrusion detection test passes.
In some embodiments, the traffic data of the target network system is obtained by bypass packet capture.
In some embodiments, the traffic features include one or more of: a network five-tuple feature, an open service feature, a service component feature and a component version feature.
It can be understood that each module/unit of the network intrusion detection rule generating device 300 shown in Fig. 3 has the function of implementing the corresponding step of the network intrusion detection rule generation method 200 provided by the embodiment of the present disclosure and can achieve the corresponding technical effect; for brevity, this is not described further here.
FIG. 4 illustrates a block diagram of an electronic device that may be used to implement embodiments of the present disclosure. Electronic device 400 is intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device 400 may also represent various forms of mobile devices, such as personal digital assistants, cellular phones, smart phones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be examples only, and are not intended to limit implementations of the disclosure described and/or claimed herein.
As shown in FIG. 4, the electronic device 400 may include a computing unit 401, which may perform various appropriate actions and processes according to a computer program stored in a Read Only Memory (ROM) 402 or a computer program loaded from a storage unit 408 into a Random Access Memory (RAM) 403. The RAM 403 can also store various programs and data required for the operation of the electronic device 400. The computing unit 401, ROM 402, and RAM 403 are connected to each other via a bus 404. An input/output (I/O) interface 405 is also connected to bus 404.
A number of components in the electronic device 400 are connected to the I/O interface 405, including: an input unit 406 such as a keyboard, a mouse, or the like; an output unit 407 such as various types of displays, speakers, and the like; a storage unit 408, such as a magnetic disk, optical disk, or the like; and a communication unit 409 such as a network card, modem, wireless communication transceiver, etc. The communication unit 409 allows the electronic device 400 to exchange information/data with other devices via a computer network such as the internet and/or various telecommunication networks.
Computing unit 401 may be any of a variety of general and/or special purpose processing components with processing and computing capabilities. Some examples of the computing unit 401 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various dedicated Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, and so forth. The computing unit 401 performs the various methods and processes described above, such as the method 200. For example, in some embodiments, the method 200 may be implemented as a computer program product comprising a computer program tangibly embodied in a computer-readable medium, such as the storage unit 408. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 400 via the ROM 402 and/or the communication unit 409. When the computer program is loaded into RAM 403 and executed by computing unit 401, one or more steps of method 200 described above may be performed. Alternatively, in other embodiments, the computing unit 401 may be configured to perform the method 200 by any other suitable means (e.g., by means of firmware).
The various embodiments described above may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems on a Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These embodiments may be implemented as one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, and which receives data and instructions from, and transmits data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for implementing the methods of the present disclosure may be written in any combination of one or more programming languages. These program codes may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program codes, when executed by the processor or controller, cause the functions/operations specified in the flowchart and/or block diagram to be performed. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a computer-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a computer-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
It should be noted that the present disclosure also provides a non-transitory computer readable storage medium storing computer instructions, where the computer instructions are used to enable a computer to execute the method 200 and achieve the corresponding technical effects achieved by the method according to the embodiments of the present disclosure, and for brevity, the detailed description is omitted here.
Additionally, the present disclosure also provides a computer program product comprising a computer program which, when executed by a processor, implements the method 200.
To provide for interaction with a user, the above-described embodiments may be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The embodiments described above may be implemented in a computing system that includes a back-end component (e.g., a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user may interact with an implementation of the systems and techniques described herein), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), and the Internet.
The computer system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, a server of a distributed system, or a server combined with a blockchain.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present disclosure may be executed in parallel, sequentially or in different orders, and are not limited herein as long as the desired results of the technical solutions disclosed in the present disclosure can be achieved.
The above detailed description should not be construed as limiting the scope of the disclosure. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present disclosure should be included in the scope of protection of the present disclosure.

Claims (10)

1. A method for generating network intrusion detection rules, the method comprising:
parsing abnormal traffic data of a target network system to obtain traffic fields;
performing feature extraction on the traffic fields to obtain traffic features;
determining candidate network intrusion detection rules from a network intrusion detection rule knowledge graph according to the traffic features, wherein the network intrusion detection rule knowledge graph is a knowledge graph constructed from a network intrusion entity relationship group, the network intrusion entity relationship group comprising network intrusion traffic feature entities and their attributes, network intrusion detection rule entities and their attributes, and association relations between the network intrusion traffic feature entities and the network intrusion detection rule entities; and
adjusting the candidate network intrusion detection rules according to the traffic fields to generate target network intrusion detection rules.
2. The method of claim 1, wherein establishing the network intrusion detection rule knowledge graph comprises:
acquiring network intrusion historical data;
extracting knowledge from the network intrusion historical data to obtain the network intrusion entity relationship group; and
performing knowledge fusion and knowledge processing on the network intrusion entity relationship group to obtain the network intrusion detection rule knowledge graph.
3. The method of claim 1, wherein determining candidate network intrusion detection rules from the network intrusion detection rule knowledge graph according to the traffic features comprises:
determining, from the network intrusion detection rule knowledge graph according to the traffic features, one or more network intrusion detection rules that match the traffic features;
calculating a detection rate for each of the network intrusion detection rules; and
determining the network intrusion detection rules whose detection rate satisfies a preset intrusion detection condition as the candidate network intrusion detection rules.
4. The method of claim 1, wherein adjusting the candidate network intrusion detection rules according to the traffic fields to generate target network intrusion detection rules comprises:
performing type matching between the traffic fields and the fields in the candidate network intrusion detection rules; and
replacing the corresponding fields in the candidate network intrusion detection rules with the traffic fields whose field type matches, to generate the target network intrusion detection rules.
5. The method of claim 1, further comprising:
running an intrusion detection test of the adjusted candidate network intrusion detection rules using simulated traffic data, wherein the simulated traffic data is generated by simulating the abnormal traffic data; and
if the intrusion detection test passes, taking the adjusted candidate network intrusion detection rules as the target network intrusion detection rules.
6. The method according to any one of claims 1 to 5, wherein the traffic data of the target network system is obtained by bypass (out-of-band) packet capture.
7. The method according to any one of claims 1 to 5, wherein the traffic features comprise one or more of: a network five-tuple feature, an operating system feature, an open service feature, a service component feature, and a component version feature.
8. A network intrusion detection rule generating apparatus, the apparatus comprising:
an analysis module, configured to parse abnormal traffic data of a target network system to obtain traffic fields;
an extraction module, configured to perform feature extraction on the traffic fields to obtain traffic features;
a determination module, configured to determine candidate network intrusion detection rules from a network intrusion detection rule knowledge graph according to the traffic features, wherein the network intrusion detection rule knowledge graph is a knowledge graph constructed from a network intrusion entity relationship group, the network intrusion entity relationship group comprising network intrusion traffic feature entities and their attributes, network intrusion detection rule entities and their attributes, and association relations between the network intrusion traffic feature entities and the network intrusion detection rule entities; and
an adjustment module, configured to adjust the candidate network intrusion detection rules according to the traffic fields to generate target network intrusion detection rules.
9. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor, wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1 to 7.
10. A non-transitory computer readable storage medium having stored thereon computer instructions for causing a computer to perform the method of any one of claims 1 to 7.
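The rule-generation pipeline described for the extraction, determination, adjustment and test modules above, and claimed again in claims 1 to 5, carried through end to end as an added worked example. This is illustrative code written for this page, not the patent's implementation. It assumes a small constructed knowledge graph (FEATURE_ENTITIES, RULE_ENTITIES and EDGES), a key=value flow record format, a simplified Snort/Suricata-style rule template with typed `<placeholder>` slots, a fixed detection-rate threshold, and constructed hit counts on the rule entities; none of these names, structures or values come from the patent. It goes slightly beyond the claimed steps in two places: the type-matching step refuses to substitute a traffic field into a slot of a different declared type, and the test step checks both that simulated variants of the abnormal flow fire the rule and that a benign control flow does not.

```python
import re

# Constructed knowledge graph (example data, not the patent's): feature entities with
# attributes, rule entities with attributes, and association edges between them.
FEATURE_ENTITIES = {
    "svc:http":       {"type": "open_service",      "value": "http"},
    "comp:struts":    {"type": "service_component", "value": "struts"},
    "ver:struts-2.3": {"type": "component_version", "value": "2.3"},
}
# Rule entities: Snort/Suricata-style template with typed <placeholder> slots plus
# constructed historical hit counts, from which the detection rate is derived.
RULE_ENTITIES = {
    "R-showcase": {
        "template": 'alert <proto> any any -> <dst_ip> <dst_port> (msg:"Struts showcase path"; content:"/struts-showcase/"; sid:<sid>; rev:1;)',
        "placeholder_types": {"proto": "proto", "dst_ip": "ip", "dst_port": "port", "sid": "int"},
        "hits": 47, "total": 50,
    },
    "R-struts-generic": {
        "template": 'alert <proto> any any -> <dst_ip> any (msg:"Generic Struts request"; content:"struts"; sid:<sid>; rev:1;)',
        "placeholder_types": {"proto": "proto", "dst_ip": "ip", "sid": "int"},
        "hits": 12, "total": 50,
    },
}
EDGES = {  # feature entity -> rule entities it is associated with
    "svc:http": {"R-showcase", "R-struts-generic"},
    "comp:struts": {"R-showcase", "R-struts-generic"},
    "ver:struts-2.3": {"R-showcase"},
}
# Declared type of each traffic field, used by the type-matching step.
FLOW_FIELD_TYPES = {"proto": "proto", "src_ip": "ip", "dst_ip": "ip", "src_port": "port",
                    "dst_port": "port", "service": "service", "component": "component",
                    "version": "version", "payload": "payload"}
# One constructed abnormal-flow record in an assumed key=value format (not the patent's).
ABNORMAL_FLOW = ("proto=tcp src_ip=203.0.113.5 src_port=51234 dst_ip=10.0.0.8 dst_port=8080 "
                 "service=http component=struts version=2.3.30 payload=GET/struts-showcase/index.action")
RULE_RE = re.compile(r'alert (\w+) any any -> (\S+) (\S+) \(msg:"[^"]*"; content:"([^"]*)"; sid:\d+; rev:1;\)')

def parse_flow(line):
    """Step 1: parse the abnormal-flow record into traffic fields."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        if key not in FLOW_FIELD_TYPES:
            raise ValueError(f"unknown traffic field {key!r}")
        fields[key] = value
    fields["src_port"], fields["dst_port"] = int(fields["src_port"]), int(fields["dst_port"])
    return fields

def extract_features(fields):
    """Step 2: the five-tuple plus open-service, component and component-version feature ids."""
    five_tuple = (fields["proto"], fields["src_ip"], fields["src_port"], fields["dst_ip"], fields["dst_port"])
    major_minor = ".".join(fields["version"].split(".")[:2])
    return five_tuple, {f"svc:{fields['service']}", f"comp:{fields['component']}",
                        f"ver:{fields['component']}-{major_minor}"}

def candidate_rules(features, min_rate=0.8):
    """Step 3: rules reached over graph edges from matched features, kept if hits/total meets the threshold."""
    linked = set()
    for feat in features & set(FEATURE_ENTITIES):
        linked |= EDGES.get(feat, set())
    return sorted(r for r in linked
                  if RULE_ENTITIES[r]["total"] and RULE_ENTITIES[r]["hits"] / RULE_ENTITIES[r]["total"] >= min_rate)

def adjust_rule(rule_id, fields, sid):
    """Step 4: fill each typed slot with the same-named traffic field; a type mismatch is an error."""
    rule = RULE_ENTITIES[rule_id]
    values, types = dict(fields, sid=sid), dict(FLOW_FIELD_TYPES, sid="int")
    text = rule["template"]
    for name, wanted in rule["placeholder_types"].items():
        if types.get(name) != wanted:
            raise TypeError(f"traffic field {name!r} does not match slot type {wanted!r}")
        text = text.replace(f"<{name}>", str(values[name]))
    return text

def rule_matches(rule_text, flow):
    """Minimal matcher for the rules this example emits (not an IDS engine)."""
    proto, dst_ip, dst_port, content = RULE_RE.fullmatch(rule_text).groups()
    port_ok = dst_port == "any" or flow["dst_port"] == int(dst_port)
    return flow["proto"] == proto and flow["dst_ip"] == dst_ip and port_ok and content in flow["payload"]

def simulate_traffic(abnormal):
    """Simulated traffic derived from the abnormal flow: source-endpoint variants plus one benign control."""
    variants = [dict(abnormal, src_ip=f"198.51.100.{i}", src_port=40000 + i) for i in range(3)]
    return variants, dict(abnormal, payload="GET/index.html")

def verify_rule(rule_text, abnormal):
    """Step 5: pass only if every simulated variant fires and the benign control does not."""
    variants, benign = simulate_traffic(abnormal)
    return all(rule_matches(rule_text, v) for v in variants) and not rule_matches(rule_text, benign)

def generate_rules(line, sid_base=9000000, min_rate=0.8):
    """Whole pipeline: parse -> features -> graph candidates -> adjust -> simulated-traffic test."""
    fields = parse_flow(line)
    _, features = extract_features(fields)
    generated = []
    for i, rule_id in enumerate(candidate_rules(features, min_rate)):
        text = adjust_rule(rule_id, fields, sid_base + i)
        if verify_rule(text, fields):
            generated.append(text)
    return generated
```

Calling `generate_rules(ABNORMAL_FLOW)` walks the constructed graph from the three features of the flow to both linked rules, keeps only the one whose constructed detection rate (47/50) clears the 0.8 threshold, fills its destination slots from the flow, and returns it once the simulated variants fire and the benign control stays quiet; lowering `min_rate` to 0.2 lets the second, weaker rule through as well. The type check in `adjust_rule` is the practical value of the type-matching step: a slot declared as an IP address can never be filled with a port number even if the field names happen to collide.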

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211319480.9A CN115378746B (en) 2022-10-26 2022-10-26 Network intrusion detection rule generation method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN115378746A true CN115378746A (en) 2022-11-22
CN115378746B CN115378746B (en) 2022-12-23

Family

ID=84073501

Country Status (1)

Country Link
CN (1) CN115378746B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070214504A1 (en) * 2004-03-30 2007-09-13 Paolo Milani Comparetti Method And System For Network Intrusion Detection, Related Network And Computer Program Product
CN111177417A (en) * 2020-04-13 2020-05-19 中国人民解放军国防科技大学 Security event correlation method, system and medium based on network security knowledge graph
CN114357190A (en) * 2021-12-30 2022-04-15 绿盟科技集团股份有限公司 Data detection method and device, electronic equipment and storage medium
CN114615052A (en) * 2022-03-10 2022-06-10 南京理工大学 Intrusion detection method and system based on knowledge compilation

Also Published As

Publication number Publication date
CN115378746B (en) 2022-12-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant