CN101431416B - Synergistic learning invasion detection method used for data gridding - Google Patents


Publication number
CN101431416B
CN101431416B CN2008102439075A CN200810243907A CN101431416B CN 101431416 B CN101431416 B CN 101431416B CN 2008102439075 A CN2008102439075 A CN 2008102439075A CN 200810243907 A CN200810243907 A CN 200810243907A CN 101431416 B CN101431416 B CN 101431416B
Authority
CN
China
Prior art keywords
intrusion
data
node
collaborative
local
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN2008102439075A
Other languages
Chinese (zh)
Other versions
CN101431416A (en
Inventor
王汝传
周何骏
任勋益
付雄
邓松
季一木
易侃
杨明慧
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing Post and Telecommunication University
Original Assignee
Nanjing Post and Telecommunication University

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A collaborative learning intrusion detection method for data grids. It draws on the strengths of currently popular techniques in intrusion detection, such as distributed detection and ensemble learning, combines anomaly detection with signature detection, and uses collaborative learning among BP neural networks so that their strengths complement one another, which makes an intrusion detection system designed on this method better suited to the data grid environment. According to the security requirements of the different kinds of node in the data grid, the method deploys on each central node a strong detector built as an ensemble of several BP neural networks, and continuously collects the signatures of new intrusion samples from elsewhere, which protects the important replicas held on the central node. A collaborative intrusion analysis engine is also deployed on the central node to provide a collaborative detection service to the ordinary nodes: the central node organizes many ordinary nodes to take part in a collaborative computation, which can classify suspect data that a single node could not judge on its own and improves the security of the ordinary nodes.

Description

A Collaborative Learning Intrusion Detection Method Applied to Data Grids

Technical field

The invention is an intrusion detection method for data grids based on collaborative learning among BP neural networks. It is mainly used to detect network-borne attacks against data nodes in the grid, and belongs to the intersection of data grid technology and intrusion detection technology.

Background

With the rapid development of high-speed networking and computing grid technology in recent years, the demand for large-scale data sharing has grown steadily. Current storage technologies such as network-attached storage (NAS), storage area networks (SAN), cluster storage and object storage are closed, independent, relatively costly and limited in storage and expansion capacity, which makes it difficult for them to share ever-growing volumes of data across a wide area network. At the same time, a large amount of idle storage space on the wide area network is not being used effectively. A data grid is an ideal virtual storage system with data as its main resource, and it can provide good support for a variety of grid applications. On the one hand, the efficient processing capability of the grid environment makes it possible to integrate large-scale data effectively and to make effective use of the many existing data resources; on the other hand, the efficient data management capability of a data grid system provides strong support for effective management of database resources, integration and optimization of distributed data, and analysis and processing of large data within the grid.

Security is critical when computation is deployed over a wide area network. The grid security mechanism provides basic security protection and authentication to verify legitimate users and resources, offers interfaces to other security services, lets users choose among different security policies, security levels and encryption methods, and supplies the underlying security infrastructure; these are requirements and characteristics of grid computing. Intrusion detection systems, the second line of defense in network security after the firewall, have also been extended to the grid environment as a further line of defense on top of the grid's underlying GSI. Prototype intrusion detection systems deployed on computing grids have begun to take shape. Most of them run as upper-layer security services that examine the behavior profiles of grid users in order to discover and stop attacks by malicious users and so keep the grid secure. The situation in a data grid is different. To improve the quality of data services, a data grid uses a large number of data replicas, which are distributed across heterogeneous nodes over a wide area. The greater the data redundancy, the more points of attack are available to an attacker. An attack on a data grid will first be launched over the network against certain key nodes and will then go on to damage the grid as a whole. If the security of every node computer that stores important data cannot be guaranteed, the security of the data grid as a whole cannot be guaranteed either. However, the vast majority of existing intrusion detection techniques target the operating system and network of a single machine, while the intrusion detection systems used in computing grids are deployed in the upper layer of the grid and are aimed at the users of the whole grid; they do not consider the network security of individual nodes and do not fit the special situation of a data grid. Research and development on data grids is still at an early stage, and research on grid data security is scarcer still. The few data grid intrusion detection models proposed so far copy the intrusion detection techniques used in computing grids and do not consider the network attacks faced by the nodes that store the data.

Distributed intrusion detection has advanced considerably in recent years. Such systems, however, either need a unified control center to analyze and process the security events reported from each key detection point, or use agent technology to handle events on distributed nodes independently or cooperatively. Because a grid contains a very large number of nodes, a centralized processing engine places too heavy a load on the processing center and cannot avoid a single point of failure, while agent technology does not fully exploit the complementary strengths of the agents in a heterogeneous grid environment and makes the problem of trust between agents hard to solve. The existing distributed intrusion detection techniques are therefore not suited to the special environment of a data grid.

Ensemble learning has also been an active research topic in intrusion detection in recent years. It combines many independently trained weak learners, such as BP neural networks, into one strong learner to raise the detection rate, but it has mainly been used for intrusion detection on a single machine. Studying an intrusion detection method suited to the data grid environment is therefore of great significance.

Summary of the invention

Technical problem: the purpose of the invention is to provide an intrusion detection method for data grids that detects network-borne attacks against data nodes in the grid.

Technical solution: the invention is a collaborative learning intrusion detection method based on BP neural networks. The neural networks on the heterogeneous nodes of the data grid learn from one another and complement one another's strengths, which improves the security of each data node and defends effectively against attacks from the network.

1. Architecture

According to the theory of complex networks, real-world networks (the Internet, grids) are scale-free. A data grid is a wide-area, self-organizing, dynamic network, so its topology should also follow the scale-free network model: a small number of central nodes have very high degree, and many ordinary nodes are connected to them. The typical topology of a data grid is therefore as shown in Figure 1. Central nodes are generally used to store important data replicas (root replicas), so their security is critical. To reduce security overhead and concentrate protection on the key data nodes, the intrusion detection modules on central nodes and ordinary nodes are designed separately, as follows:

Figure 2 shows the architecture of the central node intrusion detection module. Its functional components mainly include the local data collector, new intrusion sample receiver, collaborative request service agent, data preprocessing and format converter, local ensemble intrusion analysis engine (detector), intrusion sample signature library, collaborative intrusion analysis engine, new intrusion sample sender, and response alarm.

The individual components are described below:

Local data collector: collects network packets from the local network segment in order to detect attacks from the local network.

New intrusion sample receiver: receives data samples sent by other nodes that have already been detected and judged to be attacks.

Collaborative request service agent: receives a suspect sample that an ordinary node could not classify, forwards it by broadcast to all ordinary nodes directly connected to this central node for collaborative analysis, and returns the final verdict of the collaborative intrusion analysis engine to the node that issued the collaborative request.

Data preprocessing and format converter: because the data grid is heterogeneous, the detectors on different node computers handle network packets in different formats and examine different fields. The converter turns received data into a uniform format suited to the detector on the local node and applies appropriate preprocessing to improve detection efficiency.

Local ensemble intrusion analysis engine: the main intrusion detection component of the central node. To keep the central node secure, the detector uses an ensemble of several independently trained BP neural networks, which gives strong local detection capability.

Intrusion sample signature library: stores the signatures of new intrusion samples submitted by ordinary nodes and works together with the local ensemble intrusion analysis engine. Data received by the analysis engine for inspection is first compared with the intrusion sample signatures already in the library; if no anomaly is found, it is then examined by the engine's ensemble of BP neural networks.

Collaborative intrusion analysis engine: receives data from the collaborative request service agent and provides the collaborative detection service for ordinary nodes.

New intrusion sample sender: sends new types of intrusion sample found on the local node to other nodes for reference in their detection.

Response alarm: when a network attack against this node is found, raises an intrusion alarm that prompts the system to take measures to stop the intrusion.

Figure 3 shows the architecture of the ordinary node intrusion detection module. An ordinary node is less important than a central node and has lower security requirements, so its intrusion analysis engine uses only two BP neural networks working together. Because an ordinary node has low degree and less computing power than a central node, it performs local detection and, when idle, takes part in a collaborative detection computation at the request of the central node it is connected to, but it has no obligation to provide collaborative detection services to other nodes. Its functional components mainly include the local data collector, data preprocessing and format converter, local intrusion analysis engine (detector), local intrusion sample signature library, new intrusion sample sender, collaborative communication server, and response alarm. The local data collector, data preprocessing and format converter, new intrusion sample sender and response alarm play the same roles as on the central node and are not described again. The detector and the signature library differ slightly, and because an ordinary node frequently sends collaborative detection requests to other nodes through the central node, a collaborative communication server is added. These are described in turn:

Local intrusion analysis engine: the detection engine of an ordinary node uses two independent BP neural networks working together, one as the primary detector and the other as the auxiliary detector. During detection, if both networks judge the data normal, it is treated as normal data; if both judge it abnormal, it is treated as intrusion data; if one judges it normal and the other abnormal, it is treated as suspect data that cannot yet be classified. The collaborative communication server sends the suspect sample to the central node the ordinary node is connected to, and the central node, together with a number of other ordinary nodes, provides the collaborative detection service that produces the final verdict.

Local intrusion sample signature library: if collaborative detection concludes that a suspect sample really is an intrusion, its signature is extracted and stored in the local intrusion sample signature library. In later detection the library is checked first; if the data matches a record, it is judged an intrusion directly, with no need for another round of collaborative detection, which reduces security overhead.

Collaborative communication server: sends suspect samples that this node cannot classify to the remote central node as a collaborative service request; or, in response to a request from a central node, receives the suspect data it sends, submits the data to the intrusion analysis engine on this machine for analysis, and returns the engine's result to the central node.

2. Method flow

A collaborative learning intrusion detection method applied to data grids improves the security of each data node through collaborative learning and complementary strengths among the BP neural networks on the heterogeneous nodes of the data grid, and defends effectively against attacks from the network. The details are as follows:

Ordinary node local intrusion detection flow:

Step 1: The local data collector captures network packets in real time.

Step 2: The data preprocessing and format converter extracts the attribute features of the captured packets, preprocesses them and converts them into a format suited to this node.

Step 3: The converted data is sent to the local intrusion analysis engine, where the two BP detectors examine it separately.

Step 4: If both detectors judge the data normal, it is classified as normal data, this round of detection ends, and the flow returns to step 1 to continue capturing network packets. If both detectors judge it an attack, the response alarm is triggered to warn that a local network intrusion has been found, and the flow goes to step 5. If the two detectors disagree, the flow goes to step 6.

Step 5: The new intrusion sample sender sends the attack data sample to the new intrusion sample receiver of the central node directly connected to this node, informing the central node that an intrusion has been found here. This round of detection ends and the flow returns to step 1 to continue capturing network packets.

Step 6: The local intrusion analysis engine connects to the local intrusion sample signature library and queries whether it holds an attack signature sample that matches the data. If it does, the response alarm is triggered to warn that a local network intrusion has been found, and the flow returns to step 1 to continue capturing network packets. If it does not, the data is considered suspect and is passed to the collaborative communication server, and the flow goes to step 7.

Step 7: The collaborative communication server sends the suspect sample to the collaborative request service agent of a central node directly connected to this node, as a collaborative service request.

Step 8: The collaborative communication server receives the result returned by the collaborative request service agent and submits it to the detector.

Step 9: The detector receives and examines the returned result. If the data is normal, the flow returns to step 1 to continue capturing network packets. If it is attack data, the response alarm is triggered to warn that a local network intrusion has been found, the signature of the attack sample is stored in the local intrusion sample signature library, and the flow returns to step 1 to continue capturing network packets.

Ordinary node workflow for taking part in collaborative computation:

Step 21: The collaborative communication server receives, from the collaborative request service agent of the central node, suspect data originating from another node together with a collaborative computation request, and asks whether the local intrusion analysis engine is idle.

Step 22: If the local intrusion analysis engine is busy and cannot take part in the collaborative computation, the node does not respond to the central node's request, discards the packet and ends the flow; otherwise the flow goes to step 23.

Step 23: The collaborative communication server submits the suspect data received from the central node to the intrusion analysis engine.

Step 24: The primary detector of the analysis engine examines the suspect data and returns the result to the collaborative communication server.

Step 25: The collaborative communication server sends this node's result to the collaborative request service agent of the central node.

Central node local intrusion detection workflow:

Step 31: The local data collector captures network packets in real time.

Step 32: The data preprocessing and format converter extracts the attribute features of the captured packets, preprocesses them and converts them into a format suited to this node.

Step 33: The converted data is sent to the local ensemble intrusion analysis engine and examined by the ensemble detector.

Step 34: If the detection result is normal, the flow goes to step 35. If it is abnormal, the response alarm is triggered to warn that a local network intrusion has been found, and the flow goes to step 36.

Step 35: The intrusion analysis engine connects to the intrusion sample signature library and queries whether it holds an attack signature sample that matches the data. If it does, the response alarm is triggered to warn that a local network intrusion has been found, and the flow goes to step 36. If it does not, the data is considered normal, this round of detection ends, and the flow returns to step 31 to continue capturing network packets.

Step 36: The new intrusion sample sender sends the attack data sample to the new intrusion sample receivers of the other central nodes directly connected to this central node, informing them that an intrusion has been found here. This round of detection ends and the flow returns to step 31 to continue capturing network packets.

Central node flow for collecting new intrusion sample signatures:

Step 41: The new intrusion sample receiver receives attack data that has already been detected, submitted by another node or by the collaborative request service agent on this machine, and submits the data to the ensemble detector.

Step 42: The ensemble detector examines the data. If its result is also attack, the flow ends; otherwise it proceeds to the next step.

Step 43: The ensemble detector connects to the intrusion sample signature library and queries whether it holds an attack signature sample that matches the data. If it does, the flow ends; if it does not, the data is considered a newly discovered intrusion and the flow proceeds to the next step.

Step 44: The signature of the attack sample is stored in the intrusion sample signature library.

Central node flow for providing the collaborative detection service:

Step 51: The collaborative request service agent receives a suspect sample and a collaborative service request from an ordinary node.

Step 52: The service agent broadcasts the suspect data and a collaborative computation request to all ordinary nodes connected to this node.

Step 53: The service agent receives the results returned by all nodes that respond and submits them to the collaborative intrusion analysis engine.

Step 54: The collaborative intrusion analysis engine tallies the collaborative detection results of the responding nodes submitted to it by the service agent. If the number of nodes that judge the suspect data an attack is greater than or equal to the number that judge it normal, num(attack) >= num(normal), the data is judged an attack; otherwise it is judged normal.

Step 55: The collaborative intrusion analysis engine returns the verdict to the service agent.

Step 56: The service agent checks the result it receives. If the result is normal, it returns it directly to the node that issued the collaborative service request. If the result is abnormal, then in addition to returning the result to the requesting node it sends the data sample confirmed as an attack to the local new intrusion sample receiver, reporting that a new intrusion has been found.
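The ordinary-node decision flow (steps 3 to 9 and 21 to 25) and the central-node services (steps 41 to 44 and 51 to 56) described above, as an added Python example that is not part of the patent text. The threshold detectors stand in for trained BP neural networks, the two-feature sample and the use of the whole feature tuple as its signature are constructed, and leaving the requester out of the broadcast is an assumption the page does not settle.

```python
from dataclasses import dataclass, field
from typing import Callable, Iterable, Tuple

NORMAL, ATTACK = "normal", "attack"
Sample = Tuple[float, float]        # constructed features: (syn_ratio, conn_per_sec)
Detector = Callable[[Sample], str]  # stand-in for one trained BP network


def threshold(index: int, limit: float) -> Detector:
    """Hypothetical detector: flags a sample when one feature exceeds a limit."""
    return lambda s: ATTACK if s[index] > limit else NORMAL


def collaborative_vote(results: Iterable[str]) -> str:
    """Step 54: attack when num(attack) >= num(normal). Ties, and an empty
    set of responses, therefore resolve to attack."""
    results = list(results)
    return ATTACK if results.count(ATTACK) >= results.count(NORMAL) else NORMAL


@dataclass(eq=False)
class CentralNode:
    ensemble: Detector                      # stand-in for the ensemble detector
    members: list = field(default_factory=list)
    signatures: set = field(default_factory=set)

    def receive_new_sample(self, sample: Sample) -> bool:
        """Steps 41-44: store a signature only when the ensemble misses the
        sample and the library does not already hold it."""
        if self.ensemble(sample) == ATTACK or sample in self.signatures:
            return False
        self.signatures.add(sample)
        return True

    def collaborate(self, requester: "OrdinaryNode", sample: Sample) -> str:
        """Steps 51-56. Assumption: the requester is left out of the broadcast."""
        answers = [n.assist(sample) for n in self.members if n is not requester]
        verdict = collaborative_vote(a for a in answers if a is not None)
        if verdict == ATTACK:
            self.receive_new_sample(sample)   # step 56: report the new intrusion
        return verdict


@dataclass(eq=False)
class OrdinaryNode:
    centre: CentralNode
    primary: Detector
    auxiliary: Detector
    busy: bool = False
    signatures: set = field(default_factory=set)

    def __post_init__(self) -> None:
        self.centre.members.append(self)      # directly connected to the centre

    def assist(self, sample: Sample):
        """Steps 21-25: a busy node stays silent; an idle one answers with its
        primary detector only."""
        return None if self.busy else self.primary(sample)

    def inspect(self, sample: Sample) -> Tuple[str, str]:
        """Steps 3-9. Returns (verdict, path taken to reach it)."""
        first, second = self.primary(sample), self.auxiliary(sample)
        if first == second:                   # step 4: the detectors agree
            if first == ATTACK:
                self.centre.receive_new_sample(sample)   # step 5
            return first, "local"
        if sample in self.signatures:         # step 6: known from an earlier vote
            return ATTACK, "signature"
        verdict = self.centre.collaborate(self, sample)  # steps 7-8
        if verdict == ATTACK:
            self.signatures.add(sample)       # step 9: remember the signature
        return verdict, "collaborative"


def build_grid() -> Tuple[CentralNode, OrdinaryNode]:
    """Constructed grid: one central node, three idle peers and one busy peer."""
    centre = CentralNode(ensemble=threshold(0, 0.95))
    n1 = OrdinaryNode(centre, threshold(0, 0.9), threshold(1, 500))
    OrdinaryNode(centre, threshold(0, 0.5), threshold(1, 500))
    OrdinaryNode(centre, threshold(1, 100), threshold(0, 0.9))
    OrdinaryNode(centre, threshold(0, 0.1), threshold(1, 10), busy=True)
    return centre, n1


if __name__ == "__main__":
    centre, n1 = build_grid()
    suspect = (0.7, 600.0)                    # n1's two detectors disagree on this
    print(n1.inspect(suspect))                # resolved by the peers' vote
    print(n1.inspect(suspect))                # resolved from n1's signature library
    print(n1.inspect((0.1, 20.0)))            # both detectors agree: normal
    print(collaborative_vote([]))             # no peer answered
```

Under the rule as written in step 54, a tie or an empty response set is classified as attack, so the verdict when every peer is busy comes from that default rather than from any detector.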

The functional components of the central node intrusion detection module mainly include the local data collector, new intrusion sample receiver, collaborative request service agent, data preprocessing and format converter, local ensemble intrusion analysis engine, intrusion sample signature library, collaborative intrusion analysis engine, new intrusion sample sender, and response alarm. The functional components of the ordinary node intrusion detection module mainly include the local data collector, data preprocessing and format converter, local intrusion analysis engine, local intrusion sample signature library, new intrusion sample sender, collaborative communication server, and response alarm.

Beneficial effects: the scheme has the following advantages:

1. It greatly strengthens the security and survivability of the data grid's central nodes. Experimental research has shown that an ensemble of weak learners can form a strong detection capability, so the ensemble learner deployed on a central node can effectively protect the data center. At the same time the central node collects, in real time, the new intrusion signatures found by other nodes (both central and ordinary nodes) and learns from their "experience" at any time, so the knowledge in its signature library becomes steadily richer and more complete. The design combines anomaly detection with signature detection: a strong anomaly detector working with comprehensive signature detection, each complementing the other, gives the data grid strong resistance to targeted attacks.

2. It effectively improves the network security of ordinary nodes. Ordinary nodes cannot deploy a powerful detector because of their limited performance, but the invention makes use of the heterogeneity of data grid nodes and their individual strengths. Ordinary nodes are physically spread over a wide area and sit in many different virtual organizations and network segments with different security levels; the network packets each collects differ greatly, and so do the types of attack each encounters. One node's detector may easily detect an attack that is often directed at that node, while other nodes rarely meet that attack and find it hard to detect. Through the collaborative detection service provided by the central node, an ordinary node can learn collaboratively with many other ordinary nodes, each making up for the others' weaknesses, which greatly improves its own detection capability.

3. It reduces the security overhead of the data grid. The intrusion detection module on each node detects local intrusions independently, and each node handles by itself the data it is certain about, so no unified central processor is needed and truly distributed intrusion detection is achieved in the data grid environment. For suspect samples confirmed as attacks by collaborative detection, the attack signature is extracted promptly and stored in the local signature library; when such an attack is met again the library can be consulted directly, with no need for another collaborative computation, which reduces security overhead.

Description of drawings

Figure 1 is a typical data grid topology, simplified according to complex network theory.

Figure 2 is the architecture diagram of the central node intrusion detection module.

Figure 3 is the architecture diagram of the ordinary node intrusion detection module.

Figure 4 is the flow chart of local intrusion detection on an ordinary node.

Figure 5 is the flow chart of an ordinary node taking part in collaborative computation.

Figure 6 is the flow chart of local intrusion detection on a central node.

Figure 7 is the flow chart of a central node collecting the features of new intrusion samples.

Figure 8 is the flow chart of a central node providing the collaborative detection service.

Detailed description

1. Intrusion detection flow of ordinary nodes

The local intrusion analysis engine on an ordinary node consists of two BP neural networks that are trained independently; either one is designated the primary detector and the other the auxiliary detector. The two detectors cooperate to examine the network packets collected locally, and the primary detector, besides local detection, also takes part in collaborative intrusion detection with the primary detectors on other nodes. Local network data is determined to be normal only when both the primary and the auxiliary detector judge it normal. If the two detectors disagree, the data is treated as a suspect sample and sent by the collaborative communication server to a central node directly connected to this node, where the collaborative intrusion analysis engine provides the collaborative detection service. Any ordinary node that finds an intrusion must send the intrusion data to the central node it is connected to, as a reference for the central node's detection.

Main workflow of local intrusion detection on an ordinary node (see Figure 4):

Step 1: The local data collector captures network packets in real time.

Step 2: The data preprocessing and format converter extracts the attribute features of the captured packets, preprocesses them, and converts them into a format suited to this node machine.

Step 3: The converted data is sent to the local intrusion analysis engine and examined by the two BP detectors separately.

Step 4: If both detectors judge the data normal, it is determined to be normal data; this round of detection ends and the flow returns to step 1 to continue capturing network packets. If both detectors judge it an attack, the response alarm is started to warn that a local network intrusion has been found, and the flow goes to step 5. If the two detectors' results disagree, go to step 6.

Step 5: The new intrusion sample sender sends the attack data sample to the new intrusion sample receiver of the central node directly connected to this node, informing the central node that an intrusion has been found here. This round of detection ends; return to step 1 to continue capturing network packets.

Step 6: The local intrusion analysis engine connects to the local intrusion sample signature database and queries whether it holds an attack signature sample matching the data. If it does, the response alarm is started to warn that a local network intrusion has been found, and the flow returns to step 1 to continue capturing network packets. If it does not, the data is considered suspicious and is handed to the collaborative communication server; go to step 7.

Step 7: The collaborative communication server sends the suspect sample to the collaborative request service agent of a central node directly connected to this node and makes a collaborative service request.

Step 8: The collaborative communication server receives the result returned by the collaborative request service agent and submits it to the detector.

Step 9: The detector receives and examines the returned result. If it is normal data, return to step 1 to continue capturing network packets. If it is attack data, the response alarm is started to warn that a local network intrusion has been found, the features of the attack sample are stored in the local intrusion sample signature database, and the flow returns to step 1 to continue capturing network packets.

Workflow of an ordinary node taking part in collaborative computation (see Figure 5):

Step 1: The collaborative communication server receives, from the collaborative request service agent of the central node, suspect data originating from another node together with a collaborative computation request, and asks whether the local intrusion analysis engine is idle.

Step 2: If the local intrusion analysis engine is busy and has no time to take part in collaborative computation, the node does not respond to the central node's request, discards the data packet, and ends the flow; otherwise go to step 3.

Step 3: The collaborative communication server submits the suspect data received from the central node to the intrusion analysis engine.

Step 4: The primary detector of the analysis engine examines the suspect data and returns the result to the collaborative communication server.

Step 5: The collaborative communication server sends this node's computation result to the collaborative request service agent of the central node.

2. Intrusion detection flow of central nodes

A central node deploys a strong detector that integrates many BP networks. It collects, in real time, the features of intrusion data already detected on other nodes and stores them in its signature database, which therefore holds all the new attack signatures found anywhere in the grid. The central node thus does not need to cooperate with other nodes to detect local intrusions, and because of its strong computing power and high connectivity it can conveniently provide the collaborative detection service to the ordinary nodes of the grid.

Workflow of local intrusion detection on a central node (see Figure 6):

Step 1: The local data collector captures network packets in real time.

Step 2: The data preprocessing and format converter extracts the attribute features of the captured packets, preprocesses them, and converts them into a format suited to this node machine.

Step 3: The converted data is sent to the local integrated intrusion analysis engine and examined by the integrated detector.

Step 4: If the detection result is normal, go to step 5. If it is abnormal, the response alarm is started to warn that a local network intrusion has been found; go to step 6.

Step 5: The intrusion analysis engine connects to the intrusion sample signature database and queries whether it holds an attack signature sample matching the data. If it does, the response alarm is started to warn that a local network intrusion has been found; go to step 6. If it does not, the data is considered normal, this round of detection ends, and the flow returns to step 1 to continue capturing network packets.

Step 6: The new intrusion sample sender sends the attack data sample to the new intrusion sample receivers of the other central nodes directly connected to this central node, informing them that an intrusion has been found here. This round of detection ends; return to step 1 to continue capturing network packets.

Flow of a central node collecting the features of new intrusion samples (see Figure 7):

Step 1: The new intrusion sample receiver receives detected attack data submitted by another node or by the collaborative request service agent on this machine, and submits the data to the integrated detector.

Step 2: The integrated detector examines the data. If its result is also attack, the flow ends; otherwise go to the next step.

Step 3: The integrated detector connects to the intrusion sample signature database and queries whether it holds an attack signature sample matching the data. If it does, the flow ends. If it does not, the data is considered a newly discovered intrusion; go to the next step.

Step 4: The features of the attack sample are stored in the intrusion sample signature database.

Flow of a central node providing the collaborative detection service (see Figure 8):

Step 1: The collaborative request service agent receives a suspect sample and a collaborative service request from an ordinary node.

Step 2: The service agent broadcasts the suspect data and the collaborative computation request to all ordinary nodes connected to this node.

Step 3: The service agent receives the computation results returned by all nodes that respond and submits them to the collaborative intrusion analysis engine.

Step 4: The collaborative intrusion analysis engine tallies the collaborative detection results of the responding nodes submitted to it by the service agent. If the number of nodes that judge the suspect data an attack is greater than or equal to the number that judge it normal, num(attack) >= num(normal), the data is judged an attack; otherwise it is judged normal.

Step 5: The collaborative intrusion analysis engine returns the verdict to the service agent.

Step 6: The service agent checks the received result. If it is normal, the agent returns it directly to the node that made the collaborative service request. If it is abnormal, the agent returns the result to the requesting node and also sends the data sample confirmed as an attack to the local new intrusion sample receiver, reporting that a new intrusion has been found.
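The flows of Figures 4, 5, 7 and 8 described above, tied together as a small simulation; this is an added illustration, not code from the patent. The BP neural networks are replaced by threshold functions and signature matching by exact equality, and the feature tuple (syn_rate, payload_len), the thresholds and all class and function names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple

NORMAL, ATTACK = "normal", "attack"
Sample = Tuple[int, int]              # constructed features: (syn_rate, payload_len)
Detector = Callable[[Sample], str]    # assumption: stand-in for one trained BP network


def tally(votes: List[str]) -> str:
    """Fig. 8 step 4: attack when num(attack) >= num(normal).

    Ties, and the case where no node answered (0 >= 0), resolve to attack.
    """
    return ATTACK if votes.count(ATTACK) >= votes.count(NORMAL) else NORMAL


@dataclass
class CentralNode:
    ensemble: Detector                                  # integrated detector
    members: List["OrdinaryNode"] = field(default_factory=list)
    signatures: Set[Sample] = field(default_factory=set)
    requests: int = 0                                   # collaborative requests served

    def attach(self, node: "OrdinaryNode") -> None:
        node.center = self
        self.members.append(node)

    def receive_intrusion(self, sample: Sample) -> bool:
        """Fig. 7: store the sample only if it is new to this central node."""
        if self.ensemble(sample) == ATTACK or sample in self.signatures:
            return False
        self.signatures.add(sample)                     # exact match is an assumption
        return True

    def collaborate(self, sample: Sample) -> str:
        """Fig. 8: broadcast, collect the answers that come back, vote."""
        self.requests += 1
        answers = [n.vote(sample) for n in self.members]
        verdict = tally([a for a in answers if a is not None])
        if verdict == ATTACK:                           # step 6: report confirmed attack
            self.receive_intrusion(sample)
        return verdict


@dataclass
class OrdinaryNode:
    name: str
    primary: Detector
    auxiliary: Detector
    busy: bool = False
    center: Optional[CentralNode] = None
    signatures: Set[Sample] = field(default_factory=set)
    alarms: List[Sample] = field(default_factory=list)

    def vote(self, sample: Sample) -> Optional[str]:
        """Fig. 5: a busy node drops the request; otherwise the primary detector answers."""
        return None if self.busy else self.primary(sample)

    def detect(self, sample: Sample) -> str:
        """Fig. 4 steps 3-9; returns 'verdict:how-it-was-reached'."""
        first, second = self.primary(sample), self.auxiliary(sample)
        if first == second == NORMAL:                   # step 4: both say normal
            return "normal:local"
        if first == second == ATTACK:                   # step 4, then step 5
            self.alarms.append(sample)
            self.center.receive_intrusion(sample)
            return "attack:local"
        if sample in self.signatures:                   # step 6: known signature
            self.alarms.append(sample)
            return "attack:signature"
        if self.center.collaborate(sample) == ATTACK:   # steps 7-9
            self.alarms.append(sample)
            self.signatures.add(sample)
            return "attack:collaborative"
        return "normal:collaborative"


def build_demo() -> Tuple[CentralNode, OrdinaryNode]:
    """Constructed grid: central node A with ordinary nodes a1..a4 (a4 is busy)."""
    def over(index: int, limit: int) -> Detector:
        return lambda s: ATTACK if s[index] > limit else NORMAL

    hub = CentralNode(ensemble=over(0, 100))
    a1 = OrdinaryNode("a1", primary=over(0, 100), auxiliary=over(1, 900))
    hub.attach(a1)
    hub.attach(OrdinaryNode("a2", over(1, 1000), over(0, 100)))
    hub.attach(OrdinaryNode("a3", over(1, 1200), over(0, 100)))
    hub.attach(OrdinaryNode("a4", over(0, 500), over(0, 100), busy=True))
    return hub, a1


if __name__ == "__main__":
    hub, a1 = build_demo()
    for s in [(5, 200), (300, 1000), (10, 950), (10, 1500), (10, 1500)]:
        print(s, a1.detect(s), "collaborative requests so far:", hub.requests)
```

The second pass over (10, 1500) is answered from a1's local signature database without a new collaborative request, which is the overhead saving the description claims. Note also that the num(attack) >= num(normal) rule classifies a tie, or a round in which every node was busy, as an attack.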

For ease of description, we assume the data grid instance has the topology shown in Figure 1. The detection processes of ordinary nodes and central nodes are described using ai and A as representatives; the other nodes work the same way. The specific implementation is as follows. Initially: on the central nodes A, B, C and their respective ordinary nodes a1, a2, ..., am; b1, b2, ..., bn; c1, c2, ..., ck, each node's own intrusion detection system is built according to the architecture diagrams in Figures 2 and 3, and the BP neural networks of each detector are trained independently on data from the actual network environment of the node (the neural networks of one node's detector are trained on data subsets drawn independently at random from that node's training data set, and use different reduced attribute subsets, to ensure that the trained networks are heterogeneous). The signature database of each node is initialized; the initial database records only the few most common intrusion signatures the local node has encountered.

Local intrusion detection on ordinary node ai:

(1) The local data collector on ai captures network packets in real time.

(2) The data preprocessing and format converter extracts the attribute features of the captured packets, preprocesses them, and converts them into a format suited to this node machine.

(3) The converted data is sent to the local intrusion analysis engine and examined by the two BP detectors separately.

(4) If both detectors judge the data normal, it is determined to be normal data; this round of detection ends and the flow returns to (1) to continue capturing network packets. If both detectors judge it an attack, the response alarm is started to warn that a local network intrusion has been found, and the flow goes to (5). If the two detectors' results disagree, go to (6).

(5) The new intrusion sample sender sends the attack data sample to A's new intrusion sample receiver, informing A that an intrusion has been found here. This round of detection ends; return to (1) to continue capturing network packets.

(6) The local intrusion analysis engine connects to the local intrusion sample signature database and queries whether it holds an attack signature sample matching the data. If it does, the response alarm is started to warn that a local network intrusion has been found, and the flow returns to (1) to continue capturing network packets. If it does not, the data is considered suspicious and is handed to the collaborative communication server; go to (7).

(7) The collaborative communication server sends the suspect sample to A's collaborative request service agent and makes a collaborative service request.

(8) The collaborative communication server receives the result returned by the collaborative request service agent and submits it to the detector.

(9) The detector receives and examines the returned result. If it is normal data, return to (1) to continue capturing network packets. If it is attack data, the response alarm is started to warn that a local network intrusion has been found, the features of the attack sample are stored in the local intrusion sample signature database, and the flow returns to (1) to continue capturing network packets.

Workflow of ai taking part in collaborative computation:

(1) The collaborative communication server receives, from A's collaborative request service agent, suspect data originating from another node together with a collaborative computation request, and asks whether the local intrusion analysis engine is idle.

(2) If the local intrusion analysis engine is busy and has no time to take part in collaborative computation, the node does not respond to A's request, discards the data packet, and ends the flow; otherwise go to (3).

(3) The collaborative communication server submits the suspect data received from A to the intrusion analysis engine.

(4) The primary detector of the analysis engine examines the suspect data and returns the result to the collaborative communication server.

(5) The collaborative communication server sends this node's computation result to A's collaborative request service agent.

Local intrusion detection on central node A:

(1) The local data collector on A captures network packets in real time.

(2) The data preprocessing and format converter extracts the attribute features of the captured packets, preprocesses them, and converts them into a format suited to this node machine.

(3) The converted data is sent to the local integrated intrusion analysis engine and examined by the integrated detector.

(4) If the detection result is normal, go to (5). If it is abnormal, the response alarm is started to warn that a local network intrusion has been found; go to (6).

(5) The intrusion analysis engine connects to the intrusion sample signature database and queries whether it holds an attack signature sample matching the data. If it does, the response alarm is started to warn that a local network intrusion has been found; go to (6). If it does not, the data is considered normal and this round of detection ends; go to (1).

(6) The new intrusion sample sender sends the attack data sample to the new intrusion sample receivers on B and C, informing them that an intrusion has been found here; go to (1).

A collecting the features of new intrusion samples:

(1) The new intrusion sample receiver on A receives detected attack data submitted by B, by C, or by the collaborative request service agent on this machine, and submits the data to the integrated detector.

(2) The integrated detector examines the data. If its result is also attack, the flow ends; otherwise go to (3).

(3) The integrated detector connects to the intrusion sample signature database and queries whether it holds an attack signature sample matching the data. If it does, the flow ends. If it does not, the data is considered a newly discovered intrusion; go to (4).

(4) The features of the attack sample are stored in the intrusion sample signature database.

A providing the collaborative detection service:

(1) The collaborative request service agent on A receives a suspect sample and a collaborative service request from ai.

(2) The service agent broadcasts the suspect data and the collaborative computation request to all ordinary nodes a1, a2, ..., am connected to A.

(3) The service agent receives the computation results returned by all nodes that respond and submits them to the collaborative intrusion analysis engine.

(4) The collaborative intrusion analysis engine tallies the collaborative detection results of the responding nodes submitted to it by the service agent. If the number of nodes that judge the suspect data an attack is greater than or equal to the number that judge it normal, num(attack) >= num(normal), the data is judged an attack; otherwise it is judged normal.

(5) The collaborative intrusion analysis engine returns the verdict to the service agent.

(6) The service agent checks the received result. If it is normal, the agent returns it directly to ai. If it is abnormal, the agent returns the result to ai and also sends the data sample confirmed as an attack to the local new intrusion sample receiver, reporting that a new intrusion has been found.

Claims (2)

1. A collaborative learning intrusion detection method applied to a data grid, characterized in that the security of each data node is improved, and attacks from the network are effectively resisted, through collaborative learning and complementary strengths of the BP neural networks on the heterogeneous nodes of the data grid, specifically as follows:

Local intrusion detection flow of an ordinary node:

Step 1: the ordinary node local data collector captures network packets in real time,

Step 2: the ordinary node data preprocessing and format converter extracts the attribute features of the captured packets, preprocesses them, and converts them into a format suited to this node machine,

Step 3: the converted data is sent to the local intrusion analysis engine and examined by the two BP detectors separately,

Step 4: if both detectors judge the data normal, it is determined to be normal data, this round of detection ends, and the flow returns to step 1 to continue capturing network packets; if both detectors judge it an attack, the ordinary node response alarm is started to warn that a local network intrusion has been found, and the flow goes to step 5; if the two detectors' results disagree, go to step 6,

Step 5: the ordinary node new intrusion sample sender sends the attack data sample to the new intrusion sample receiver of the central node directly connected to this node, informing the central node that an intrusion has been found here, this round of detection ends, and the flow returns to step 1 to continue capturing network packets,

Step 6: the local intrusion analysis engine connects to the ordinary node local intrusion sample signature database and queries whether it holds an attack signature sample matching the data; if it does, the ordinary node response alarm is started to warn that a local network intrusion has been found, and the flow returns to step 1 to continue capturing network packets; if it does not, the data is considered suspicious and is handed to the collaborative communication server, go to step 7,

Step 7: the collaborative communication server sends the suspect sample to the collaborative request service agent of a central node directly connected to this node and makes a collaborative service request,

Step 8: the collaborative communication server receives the result returned by the collaborative request service agent and submits it to the detector,

Step 9: the detector receives and examines the returned result; if it is normal data, return to step 1 to continue capturing network packets; if it is attack data, the ordinary node response alarm is started to warn that a local network intrusion has been found, the features of the attack sample are stored in the local intrusion sample signature database, and the flow returns to step 1 to continue capturing network packets;

Workflow of an ordinary node taking part in collaborative computation:

Step 21: the collaborative communication server receives, from the collaborative request service agent of the central node, suspect data originating from another node together with a collaborative computation request, and asks whether the local intrusion analysis engine is idle,

Step 22: if the local intrusion analysis engine is busy and has no time to take part in collaborative computation, the node does not respond to the central node's request, discards the data packet, and ends the flow; otherwise go to step 23,

Step 23: the collaborative communication server submits the suspect data received from the central node to the local intrusion analysis engine,

Step 24: the primary detector of the local intrusion analysis engine examines the suspect data and returns the result to the collaborative communication server,

Step 25: the collaborative communication server sends this node's computation result to the collaborative request service agent of the central node;

Workflow of local intrusion detection on a central node:

Step 31: the central node local data collector captures network packets in real time,

Step 32: the central node data preprocessing and format converter extracts the attribute features of the captured packets, preprocesses them, and converts them into a format suited to this node machine,

Step 33: the converted data is sent to the central node local integrated intrusion analysis engine and examined by the integrated detector,

Step 34: if the detection result is normal, go to step 35; if it is abnormal, the central node response alarm is started to warn that a local network intrusion has been found, go to step 36,

Step 35: the central node local integrated intrusion analysis engine connects to the central node intrusion sample signature database and queries whether it holds an attack signature sample matching the data; if it does, the central node response alarm is started to warn that a local network intrusion has been found, go to step 36; if it does not, the data is considered normal, this round of detection ends, and the flow returns to step 31 to continue capturing network packets,

Step 36: the central node new intrusion sample sender sends the attack data sample to the new intrusion sample receivers of the other central nodes directly connected to this central node, informing them that an intrusion has been found here, this round of detection ends, and the flow returns to step 31 to continue capturing network packets;

Flow of a central node collecting the features of new intrusion samples:

Step 41: the new intrusion sample receiver receives detected attack data submitted by another node or by the collaborative request service agent on this machine, and submits the data to the integrated detector,

Step 42: the integrated detector examines the data; if its result is also attack, the flow ends; otherwise go to the next step,

Step 43: the integrated detector connects to the central node intrusion sample signature database and queries whether it holds an attack signature sample matching the data; if it does, the flow ends; if it does not, the data is considered a newly discovered intrusion, go to the next step,

Step 44: the features of the attack sample are stored in the central node intrusion sample signature database;

Flow of a central node providing the collaborative detection service:

Step 51: the collaborative request service agent receives a suspect sample and a collaborative service request from an ordinary node,

Step 52: the collaborative request service agent broadcasts the suspect data and the collaborative computation request to all ordinary nodes connected to this node,

Step 53: the collaborative request service agent receives the computation results returned by all nodes that respond and submits them to the collaborative intrusion analysis engine,

Step 54: the collaborative intrusion analysis engine tallies the collaborative detection results of the responding nodes submitted to it by the collaborative request service agent; if the number of nodes that judge the suspect data an attack is greater than or equal to the number that judge it normal, num(attack) >= num(normal), the data is judged an attack, otherwise it is judged normal,

Step 55: the collaborative intrusion analysis engine returns the verdict to the collaborative request service agent,

Step 56: the collaborative request service agent checks the received result; if it is normal, the agent returns it directly to the node that made the collaborative service request; if it is abnormal, the agent returns the result to the requesting node and also sends the data sample confirmed as an attack to the local new intrusion sample receiver, reporting that a new intrusion has been found.

2. The collaborative learning intrusion detection method applied to a data grid according to claim 1, characterized in that the functional components of the central node intrusion detection module mainly comprise the central node local data collector, the new intrusion sample receiver, the collaborative request service agent, the central node data preprocessing and format converter, the central node local integrated intrusion analysis engine, the central node intrusion sample signature database, the collaborative intrusion analysis engine, the central node new intrusion sample sender, and the central node response alarm; and the functional components of the ordinary node intrusion detection module mainly comprise the ordinary node local data collector, the ordinary node data preprocessing and format converter, the ordinary node local intrusion analysis engine, the ordinary node local intrusion sample signature database, the ordinary node new intrusion sample sender, the collaborative communication server, and the ordinary node response alarm.
CN2008102439075A 2008-12-10 2008-12-10 Synergistic learning invasion detection method used for data gridding Expired - Fee Related CN101431416B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2008102439075A CN101431416B (en) 2008-12-10 2008-12-10 Synergistic learning invasion detection method used for data gridding

Publications (2)

Publication Number Publication Date
CN101431416A CN101431416A (en) 2009-05-13
CN101431416B true CN101431416B (en) 2011-04-20

Family

ID=40646597

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2008102439075A Expired - Fee Related CN101431416B (en) 2008-12-10 2008-12-10 Synergistic learning invasion detection method used for data gridding

Country Status (1)

Country Link
CN (1) CN101431416B (en)

Families Citing this family (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102195975A (en) * 2011-04-08 2011-09-21 上海电机学院 Intelligent NIPS (Network Intrusion Prevention System) framework for quantifying neural network based on mobile agent (MA) and learning vector
CN102801720B (en) * 2012-08-08 2015-04-08 浙江树人大学 Method for institution-governed and contract-ensured hierarchical synergetic self-organization
CN103036745A (en) * 2012-12-21 2013-04-10 北京邮电大学 Anomaly detection system based on neural network in cloud computing
CN103716204B (en) * 2013-12-20 2017-02-08 中国科学院信息工程研究所 Abnormal intrusion detection ensemble learning method and apparatus based on Wiener process
CN103731426A (en) * 2013-12-31 2014-04-16 曙光云计算技术有限公司 Intrusion alarming system based on virtual network
CN103973697B (en) * 2014-05-19 2017-03-29 重庆邮电大学 A kind of thing network sensing layer intrusion detection method
CN104883349A (en) * 2014-09-28 2015-09-02 北京匡恩网络科技有限责任公司 Network security regulation learning method and system
CN104796421A (en) * 2015-04-21 2015-07-22 西安工程大学 Multimedia network intrusion detecting method
CN105025031A (en) * 2015-07-30 2015-11-04 西安工程大学 A Network Intrusion Detection Method Based on Multimedia Rule Decomposition Linked List
CN105471854B (en) * 2015-11-18 2019-06-28 国网智能电网研究院 A kind of adaptive boundary method for detecting abnormality based on multistage strategy
TWI587252B (en) * 2016-06-27 2017-06-11 Evaluation Method and Serving Method of Learning Progress Based on Fuzzy Markup Language for Cooperative Learning
CN107662559A (en) * 2016-07-28 2018-02-06 奥迪股份公司 Alert control device and method
CN106131054B (en) * 2016-08-17 2019-07-09 国家计算机网络与信息安全管理中心 Network intrusions collaborative detection method based on secure cloud
CN108419303A (en) * 2018-03-15 2018-08-17 河北师范大学 Wireless Sensor Network Security Management System
CN109151051B (en) * 2018-09-12 2020-12-08 南昌航空大学 A data security enhancement method in cloud computing environment
CN109861988A (en) * 2019-01-07 2019-06-07 浙江大学 An Intrusion Detection Method for Industrial Control System Based on Integrated Learning
CN110572379B (en) * 2019-08-29 2020-09-18 深圳市网域科技技术有限公司 Network security oriented visualization big data situation awareness analysis system key technology
CN114765555A (en) * 2021-01-12 2022-07-19 华为技术有限公司 Network threat processing method and communication device
CN114793336A (en) * 2021-01-25 2022-07-26 腾讯科技(深圳)有限公司 Data processing method, related device and storage medium
CN113010884B (en) * 2021-02-23 2022-08-26 重庆邮电大学 Real-time feature filtering method in intrusion detection system
CN113242258B (en) * 2021-05-27 2023-11-14 安天科技集团股份有限公司 Threat detection method and device for host cluster
CN113315784A (en) * 2021-06-23 2021-08-27 深信服科技股份有限公司 Security event processing method, device, equipment and medium
CN114826698B (en) * 2022-04-08 2024-11-15 湖南旗语科技有限公司 A network security intrusion detection system based on blockchain technology

Citations (3)

Publication number Priority date Publication date Assignee Title
CN1553293A (en) * 2003-12-19 2004-12-08 华中科技大学 Collaborative Intrusion Detection System Based on Distributed Data Mining
CN1668015A (en) * 2004-12-20 2005-09-14 华中科技大学 Large-Scale Network Security Defense System Based on Cooperative Intrusion Detection
US20070239999A1 (en) * 2002-01-25 2007-10-11 Andrew Honig Systems and methods for adaptive model generation for detecting intrusions in computer systems

Non-Patent Citations (1)

Title
孙力娟等.基于智能技术的分布式实时入侵检测系统模型研究.《计算机应用》.2005,第25卷(第z1期),72-74. *

Also Published As

Publication number Publication date
CN101431416A (en) 2009-05-13

Similar Documents

Publication Publication Date Title
CN101431416B (en) Synergistic learning invasion detection method used for data gridding
Kumar et al. A Distributed framework for detecting DDoS attacks in smart contract‐based Blockchain‐IoT Systems by leveraging Fog computing
CN101719842B (en) A Distributed Network Security Early Warning Method Based on Cloud Computing Environment
CN111404914A (en) Ubiquitous power Internet of things terminal safety protection method under specific attack scene
CN107040517A (en) A kind of cognitive intrusion detection method towards cloud computing environment
CN103905440A (en) Network security situation awareness analysis method based on log and SNMP information fusion
CN102314521A (en) Distributed parallel Skyline inquiring method based on cloud computing environment
CN115296830B (en) Network collaborative attack modeling and hazard quantitative analysis method based on game theory
Fu et al. A distributed intrusion detection scheme for mobile ad hoc networks
Wu et al. Dynamic hierarchical distributed intrusion detection system based on multi-agent system
Li et al. Application of new active defense technology in power information network security
Lu et al. Power monitoring network security situation awareness system based on Knowledge Map
Leu et al. A DoS/DDoS attack detection system using chi-square statistic approach
CN104702610B (en) Route intruding detection system for moving Ad Hoc networks
CN104702609A (en) Ad Hoc network route intrusion detecting method based on friend mechanism
CN114048942B (en) IES-CPS system information-physical combination expected fault generation method, device, storage medium and computing equipment
Umashankar et al. Power efficient data fusion assurance scheme for sensor network using silent negative voting
Dandi et al. Blockchain-based node data detection scheme for the Internet of Things system
Chen DDoS Attack Target Detection based on AM+ BPNN
Li et al. Intrusion detection model based on hierarchical structure in wireless sensor networks
Ding¹ et al. Data Security of Tourism Information Promotion Platform Based on Cloud Computing
CN107612916A (en) Novel Distributed Intrusion Detection Method based on ant colony blending algorithm
Liu et al. Modeling and Analysis of Risk Propagation and Loss Causing Capacity for Key Nodes in Cyber-Physical Coupled Power Network
Jiang et al. Safe Storage of Distributed Double-Carbon Power Data Based on DBN Neural Network
Wang et al. Secure Data Aggregation Mechanism based on Constrained Supervision for Wireless Sensor Network

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20090513

Assignee: Jiangsu Nanyou IOT Technology Park Ltd.

Assignor: NANJING University OF POSTS AND TELECOMMUNICATIONS

Contract record no.: 2016320000217

Denomination of invention: Synergistic learning invasion detection method used for data gridding

Granted publication date: 20110420

License type: Common License

Record date: 20161118

LICC Enforcement, change and cancellation of record of contracts on the licence for exploitation of a patent or utility model
EC01 Cancellation of recordation of patent licensing contract

Assignee: Jiangsu Nanyou IOT Technology Park Ltd.

Assignor: NANJING University OF POSTS AND TELECOMMUNICATIONS

Contract record no.: 2016320000217

Date of cancellation: 20180116

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110420