CN104519031A - Method and device for detecting malicious network behaviors - Google Patents

Method and device for detecting malicious network behaviors

Info

Publication number: CN104519031A (granted as CN104519031B)
Authority: CN (China)
Application number: CN201310461795.1A
Original language: Chinese (zh)
Inventors: 郭代飞, 隋爱芬, 林冠洲, 郭涛
Original and current assignee: Siemens Corp
Legal status: Granted; Active


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416: Event detection, e.g. attack signature detection
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00: Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/20: Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F 16/28: Databases characterised by their database models, e.g. relational or object models
    • G06F 16/284: Relational databases
    • G06F 16/285: Clustering or classification
    • H04L 63/1441: Countermeasures against malicious traffic
    • H04L 63/1483: Countermeasures against malicious traffic; service impersonation, e.g. phishing, pharming or web spoofing


Abstract

The present invention relates to a method and device for detecting malicious network behaviors. The device comprises: a calculation module, for calculating, according to the respective characteristic parameters of a plurality of behavior categories, a correlation degree value between the network behavior to be detected and each of the plurality of behavior categories, so as to obtain a plurality of correlation degree values, wherein the plurality of behavior categories comprise a normal behavior category and at least one malicious behavior category, and the respective characteristic parameters of the plurality of behavior categories are obtained in advance by training with known malicious network behaviors and normal network behaviors as training samples; and a determining module, for determining that the network behavior to be detected is a normal network behavior or a malicious network behavior according to whether the largest of the plurality of correlation degree values is the correlation degree value between the network behavior to be detected and the normal behavior category, or the correlation degree value between the network behavior to be detected and one of the at least one malicious behavior category. With this method and device, the accuracy of malicious network behavior detection can be improved.

Description

A method and device for detecting malicious network behaviors

Technical field

The present invention relates to the field of network security, and in particular to a method and device for detecting malicious network behaviors.

Background

With advances in mobile communication technology, the mobile Internet has developed widely. Along with it have come many network attacks aimed at the mobile Internet, which pose a serious threat to the mobile Internet and to mobile terminals.

Traditionally, signature-based matching has been used to detect malicious network behaviors in the mobile Internet. Malicious network behaviors are not fixed, however: attackers usually make small changes to a malicious behavior to produce polymorphic and metamorphic variants, and signature-based matching cannot detect such polymorphic and metamorphic malicious behaviors effectively.

For this reason, many data mining techniques have been proposed to detect polymorphic and metamorphic malicious network behaviors. Although current data mining techniques detect polymorphic and metamorphic malicious behaviors more effectively than signature-based matching, their detection accuracy is still not high enough, and false detections occur frequently.

Summary of the invention

In view of the above problems in the prior art, embodiments of the present invention propose a method and device for detecting malicious network behaviors that can improve the accuracy of such detection.

A method for detecting malicious network behaviors according to an embodiment of the present invention comprises: calculating, according to the respective characteristic parameters of a plurality of behavior categories, a correlation degree value between the network behavior to be detected and each of the plurality of behavior categories, so as to obtain a plurality of correlation degree values, wherein the plurality of behavior categories comprise a normal behavior category and at least one malicious behavior category, and the respective characteristic parameters of the plurality of behavior categories are obtained in advance by training with known malicious network behaviors and normal network behaviors as training samples; and determining that the network behavior to be detected is a normal network behavior or a malicious network behavior according to whether the largest of the plurality of correlation degree values is the correlation degree value between the network behavior to be detected and the normal behavior category, or the correlation degree value between the network behavior to be detected and one of the at least one malicious behavior category.

The method may further comprise: judging, according to the behavior characteristics of the network behavior to be detected, the behavior kind to which the network behavior to be detected belongs; and selecting, from a plurality of behavior recognition models that respectively correspond to different behavior kinds, the behavior recognition model corresponding to the judged behavior kind, wherein each of the plurality of behavior recognition models comprises the respective characteristic parameters of the plurality of behavior categories; and wherein the calculating further comprises: calculating the correlation degree value between the behavior to be detected and each of the plurality of behavior categories according to the respective characteristic parameters of the plurality of behavior categories comprised in the selected behavior recognition model, so as to obtain the plurality of correlation degree values.

The method may further comprise: dividing the known malicious network behaviors and normal network behaviors that serve as the training samples into a plurality of behavior groups, wherein the network behaviors in each behavior group belong to the same behavior kind; clustering, with a clustering algorithm, the network behaviors comprised in each of the plurality of behavior groups into a plurality of sub-behavior groups, wherein the network behaviors comprised in each sub-behavior group belong to one of the plurality of behavior categories; and training, with a multi-classifier training algorithm, the network behaviors in each sub-behavior group comprised in each of the plurality of behavior groups, so as to obtain the plurality of behavior recognition models.

Where the behavior to which the network behavior to be detected is determined to belong differs from the behavior to which it actually belongs, the method may further comprise: calculating the product of all of the plurality of correlation degree values other than the largest correlation degree value; checking whether the ratio of the largest correlation degree value to the calculated product is greater than a specified threshold; and, if the check is positive, performing self-learning training with the network behavior to be detected using an incremental learning algorithm, so as to update the plurality of behavior recognition models.

The behavior kinds comprise propagation behavior, remote control behavior and attack behavior.

A device for detecting malicious network behaviors according to an embodiment of the present invention comprises: a calculation module, for calculating, according to the respective characteristic parameters of a plurality of behavior categories, a correlation degree value between the network behavior to be detected and each of the plurality of behavior categories, so as to obtain a plurality of correlation degree values, wherein the plurality of behavior categories comprise a normal behavior category and at least one malicious behavior category, and the respective characteristic parameters of the plurality of behavior categories are obtained in advance by training with known malicious network behaviors and normal network behaviors as training samples; and a determining module, for determining that the network behavior to be detected is a normal network behavior or a malicious network behavior according to whether the largest of the plurality of correlation degree values is the correlation degree value between the network behavior to be detected and the normal behavior category, or the correlation degree value between the network behavior to be detected and one of the at least one malicious behavior category.

The device may further comprise: a judging module, for judging, according to the behavior characteristics of the network behavior to be detected, the behavior kind to which the network behavior to be detected belongs; and a selection module, for selecting, from a plurality of behavior recognition models that respectively correspond to different behavior kinds, the behavior recognition model corresponding to the judged behavior kind, wherein each of the plurality of behavior recognition models comprises the respective characteristic parameters of the plurality of behavior categories; and wherein the calculation module is further for: calculating the correlation degree value between the behavior to be detected and each of the plurality of behavior categories according to the respective characteristic parameters of the plurality of behavior categories comprised in the selected behavior recognition model, so as to obtain the plurality of correlation degree values.

The device may further comprise: a division module, for dividing the known malicious network behaviors and normal network behaviors that serve as the training samples into a plurality of behavior groups, wherein the network behaviors in each behavior group belong to the same behavior kind; a clustering module, for clustering, with a clustering algorithm, the network behaviors comprised in each of the plurality of behavior groups into a plurality of sub-behavior groups, wherein the network behaviors comprised in each sub-behavior group belong to one of the plurality of behavior categories; and a training module, for training, with a multi-classifier training algorithm, the network behaviors in each sub-behavior group comprised in each of the plurality of behavior groups, so as to obtain the plurality of behavior recognition models.

Where the behavior to which the network behavior to be detected is determined to belong differs from the behavior to which it actually belongs, the device may further comprise:

a multiplication module, for calculating the product of all of the plurality of correlation degree values other than the largest correlation degree value; a checking module, for checking whether the ratio of the largest correlation degree value to the calculated product is greater than a specified threshold; and an update module, for performing, if the check is positive, self-learning training with the network behavior to be detected using an incremental learning algorithm, so as to update the plurality of behavior recognition models.

As can be seen from the above description, the solution of the embodiments of the present invention divides network behaviors into two or more behavior categories, comprising a normal behavior category and several malicious behavior categories, rather than into only the two categories of normal behavior and malicious behavior as in the prior art. The finer the division of network behavior categories, the less the behaviors of different categories interfere with one another, and the more accurately the behavior to be detected is detected. Compared with the prior art, the solution of the embodiments of the present invention can therefore improve the accuracy of malicious network behavior detection.

Brief description of the drawings

Other features, characteristics, advantages and benefits of the present invention will become more apparent from the following detailed description taken in conjunction with the accompanying drawings.

Fig. 1 shows a schematic diagram of a multi-classifier training process according to an embodiment of the present invention.

Fig. 2 shows a schematic diagram of a behavior analysis process according to an embodiment of the present invention.

Fig. 3 shows a schematic diagram of a self-learning process according to an embodiment of the present invention.

Fig. 4 shows a schematic diagram of a device for detecting malicious network behaviors according to an embodiment of the present invention.

Fig. 5 shows a schematic diagram of an apparatus for detecting malicious network behaviors according to an embodiment of the present invention.

Detailed description

Embodiments of the present invention are described in detail below with reference to the accompanying drawings.

In embodiments of the present invention, a network behavior is characterized by a data tuple X = {x_1, x_2, ..., x_k} (k an integer), where x_1, x_2, ..., x_k each describe a different characteristic attribute of the network behavior and can be derived from the packets associated with that behavior. For example, x_1, x_2, ..., x_k may be key fields of the TCP/IP headers and application-layer protocol headers of the packets associated with the network behavior, statistics of those packets (for example, their frequency), and keywords in the body of those packets. The packets associated with a network behavior can be captured at a mobile terminal, at a gateway device in the mobile Internet (for example, the Gateway GPRS Support Node (GGSN) or Serving GPRS Support Node (SGSN) of a General Packet Radio Service (GPRS) system), or at a data transmission interface in the mobile Internet (for example, the Gn interface between GGSN and SGSN). Each network behavior is represented by one data tuple X.

The method for detecting malicious network behaviors according to an embodiment of the present invention comprises a multi-classifier training process, a behavior analysis process and a self-learning process; these processes can be implemented on any device.

Referring now to Fig. 1, which shows a schematic diagram of a multi-classifier training process according to an embodiment of the present invention. Before the multi-classifier training process of this embodiment is performed, a sufficient number of known malicious network behaviors and normal network behaviors must be collected as the training sample set D.

As shown in Fig. 1, at block 100 the training sample set D is divided into three behavior groups D1, D2 and D3 according to the different behavior characteristics of the network behaviors. The behaviors comprised in behavior groups D1, D2 and D3 belong respectively to the three behavior kinds propagation behavior, remote control behavior and attack behavior.

Propagation behavior refers to, but is not limited to, the following: a malicious or legitimate program is placed on a website, and a short message containing a network link to that program is sent to a mobile terminal so that the user downloads the malicious or legitimate software from the website via the link (for example over HTTP, FTP or e-mail); and a malicious program is actively sent to a target user by MMS.

Remote control behavior refers to, but is not limited to, the following: a mobile terminal connects to a server in the mobile Internet to update or download a legitimate or malicious program, or to download attack target information and attack instructions.

Attack behavior refers to, but is not limited to, the following: a mobile terminal accesses other mobile terminals via various communication channels such as SMS, MMS, Bluetooth or the mobile Internet. Malicious attack behaviors include privacy theft, privacy dissemination, access to chargeable value-added services, automatically contacting other mobile terminals, incurring charges, and DoS or DDoS attacks against other terminals or networks.

At block 110, a clustering algorithm is used to cluster the behaviors comprised in each of the behavior groups D1, D2 and D3 into m+1 sub-behavior groups (m an integer greater than zero), where the behaviors comprised in each sub-behavior group belong to one of m+1 behavior categories. The m+1 behavior categories comprise the normal behavior category C_0 and m malicious behavior categories C_1, C_2, ..., C_m. Each malicious behavior category may be, for example, behaviors belonging to similar malicious programs, or similar malicious behaviors belonging to the same malicious program family.

After clustering, behavior group D1 comprises sub-behavior groups D_1^0, D_1^1, D_1^2, ..., D_1^m, whose behaviors belong respectively to behavior categories C_0, C_1, C_2, ..., C_m; behavior group D2 comprises sub-behavior groups D_2^0, D_2^1, D_2^2, ..., D_2^m, whose behaviors belong respectively to behavior categories C_0, C_1, C_2, ..., C_m; and behavior group D3 comprises sub-behavior groups D_3^0, D_3^1, D_3^2, ..., D_3^m, whose behaviors belong respectively to behavior categories C_0, C_1, C_2, ..., C_m. Here the behaviors of every behavior kind are divided into the same number of behavior categories, namely m+1; the present invention is not limited to this, however, and in other embodiments the number of behavior categories into which the behaviors of each behavior kind are divided may differ.

The clustering algorithm may be, but is not limited to, Clustering Using Representatives (CURE), Balanced Iterative Reducing and Clustering using Hierarchies (BIRCH), density-based clustering (DBSCAN), K-means clustering, K-medoids HFC clustering, K-prototypes, Clustering Large Applications based on Randomized Search (CLARANS), or automatic subspace clustering (CLIQUE).

At block 120, a multi-classifier training algorithm is used to train on the behaviors comprised in each sub-behavior group of each of the behavior groups D1, D2 and D3, yielding three behavior recognition models M1, M2 and M3 corresponding respectively to propagation behavior, remote control behavior and attack behavior, where each of M1, M2 and M3 comprises the respective characteristic parameters of behavior categories C_0, C_1, C_2, ..., C_m. The characteristic parameters of a behavior category describe the properties of the behaviors belonging to that category. The multi-classifier training algorithm may be, but is not limited to, a multi-class naive Bayes algorithm, a multi-class support vector machine (SVM) algorithm, a decision tree, the K-nearest-neighbor (KNN) algorithm, the vector space model (VSM), or a neural network classification algorithm.

Below, the multi-class naive Bayes algorithm is taken as an example to explain in detail how the behavior recognition models M1, M2 and M3 are obtained.

The multi-class naive Bayes algorithm uses the following equation (1) to calculate the probability P(C_i | X_D) that the network behavior to be detected, X_D = {x_1^D, x_2^D, ..., x_k^D}, belongs to behavior category C_i (i = 0, 1, 2, ..., m).

$P(C_i \mid X_D) = \dfrac{P(X_D \mid C_i)\,P(C_i)}{P(X_D)}$   (1)

If P(C_f | X_D) = max{P(C_1 | X_D), P(C_2 | X_D), ..., P(C_m | X_D)}, the network behavior X_D is judged to belong to behavior category C_f.

Since P(X_D) is the same for all behavior categories C_i, for convenience of calculation one can take P(C_i | X_D) = P(X_D | C_i) P(C_i).

Usually the characteristic attributes x_1, x_2, ..., x_k of a network behavior X are mutually independent, so P(X_D | C_i) P(C_i) can be calculated by the following equation (2).

$P(X_D \mid C_i)\,P(C_i) = P(x_1^D \mid C_i)\,P(x_2^D \mid C_i) \cdots P(x_k^D \mid C_i)\,P(C_i) = P(C_i) \prod_{j=1}^{k} P(x_j^D \mid C_i)$   (2)

To calculate P(x_1^D | C_i), P(x_2^D | C_i), ..., P(x_k^D | C_i), each characteristic attribute x_j (j = 1, 2, ..., k) of the network behavior X can be divided into a plurality of value intervals x'_j^1, x'_j^2, ..., x'_j^z, where z is an integer and z > 1 (note that the number of value intervals into which each of the attributes x_1, x_2, ..., x_k is divided may be the same or different), and P(x'_j^1 | C_i), P(x'_j^2 | C_i), ..., P(x'_j^z | C_i) and P(C_i) are calculated in advance from the training samples. Calculating P(x'_j^1 | C_i), P(x'_j^2 | C_i), ..., P(x'_j^z | C_i) and P(C_i) from training samples is well known to those skilled in the art and is not described further here.

Since, when the value of the characteristic attribute x_j^D of the network behavior X_D to be detected lies in the value interval x'_j^u (1 <= u <= z), P(x_j^D | C_i) = P(x'_j^u | C_i), the quantity P(X_D | C_i) P(C_i) can be calculated by the following equation (3).

$P(X_D \mid C_i)\,P(C_i) = P(C_i) \prod_{j=1}^{k} P(x_j^D \mid C_i) = P(C_i) \prod_{j=1}^{k} P(x'^{\,u}_j \mid C_i)$   (3)

In summary, P(C_i | X_D) can be calculated by the following equation (4).

$P(C_i \mid X_D) = P(C_i) \prod_{j=1}^{k} P(x'^{\,u}_j \mid C_i)$   (4)

In equation (4), x'_j^u is the value interval in which the value of the characteristic attribute x_j^D of the network behavior X_D to be detected lies.

Here P(C_i | X_D) is the correlation degree value between the network behavior X_D to be detected and behavior category C_i, and P(x'_j^1 | C_i), P(x'_j^2 | C_i), ..., P(x'_j^z | C_i) and P(C_i) are the characteristic parameters of behavior category C_i.

Those skilled in the art will understand that if a multi-classifier training algorithm other than multi-class naive Bayes is used, the correlation degree value between the network behavior X_D to be detected and behavior category C_i need not be the probability P(C_i | X_D); for example, the distance between X_D and C_i may serve as the correlation degree value, in which case the smaller the distance between X_D and C_i, the more closely X_D is related to C_i.

For the behavior recognition model M1, the behaviors in the sub-groups D1_0, D1_1, D1_2, ..., D1_m of behavior group D1 are used as training samples to compute the characteristic parameters of the behavior categories C_0, C_1, C_2, ..., C_m in M1.

For the behavior recognition model M2, the behaviors in the sub-groups D2_0, D2_1, D2_2, ..., D2_m of behavior group D2 are used as training samples to compute the characteristic parameters of the behavior categories C_0, C_1, C_2, ..., C_m in M2.

For the behavior recognition model M3, the behaviors in the sub-groups D3_0, D3_1, D3_2, ..., D3_m of behavior group D3 are used as training samples to compute the characteristic parameters of the behavior categories C_0, C_1, C_2, ..., C_m in M3.
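The training of M1, M2 and M3 described above, together with the scoring of equation (4), can be carried out as follows. This is an added example, not code from the patent: it discretises each feature attribute into the intervals x'_j^1 .. x'_j^z, counts how often each interval occurs in each sub-group D1_i, and turns the counts into the characteristic parameters P(C_i) and P(x'_j^u | C_i). The interval boundaries, the training vectors of D1 and the Laplace smoothing (the page says nothing about how intervals never seen in a category are handled) are assumptions made for the example. Only M1 is built; M2 and M3 are built the same way from D2 and D3.

```python
from collections import Counter, defaultdict
from math import prod

# Constructed value intervals x'_j^1 .. x'_j^z for each feature attribute j
# (z = 3 here). The page defines the intervals but gives no boundaries.
INTERVALS = [
    [0, 10, 100],       # x_1: connections per minute
    [0, 1024, 65536],   # x_2: bytes sent
    [0, 1, 5],          # x_3: distinct destination ports
]


def discretise(x):
    """Map each attribute value to the index u (1..z) of the interval x'_j^u it lies in."""
    return tuple(sum(1 for edge in INTERVALS[j] if value >= edge) for j, value in enumerate(x))


class NaiveBayesModel:
    """One behavior recognition model (M1, M2 or M3): the characteristic
    parameters P(C_i) and P(x'_j^u | C_i) of the categories C_0 .. C_m,
    kept as counts so that a single sample can be added at any time."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha                      # Laplace smoothing; an assumption, not on the page
        self.class_count = Counter()            # N(C_i)
        self.bin_count = defaultdict(Counter)   # (i, j) -> {u: N(attribute j in interval u, within C_i)}

    def train(self, sub_groups):
        """sub_groups: {i: [feature vectors]}; sub-group 0 is the normal category C_0,
        sub-groups 1..m are the malicious categories C_1 .. C_m."""
        for i, samples in sub_groups.items():
            for x in samples:
                self.add(i, x)
        return self

    def add(self, i, x):
        """Count one labelled sample into category C_i."""
        self.class_count[i] += 1
        for j, u in enumerate(discretise(x)):
            self.bin_count[(i, j)][u] += 1

    def prior(self, i):
        """P(C_i): fraction of all training samples that belong to C_i."""
        return self.class_count[i] / sum(self.class_count.values())

    def likelihood(self, i, j, u):
        """P(x'_j^u | C_i): smoothed fraction of C_i samples whose attribute j fell in interval u."""
        z = len(INTERVALS[j])
        return (self.bin_count[(i, j)][u] + self.alpha) / (self.class_count[i] + self.alpha * z)

    def correlation(self, x):
        """Equation (4): P(C_i | X) = P(C_i) * prod_j P(x'_j^u | C_i), for every category i."""
        bins = discretise(x)
        return {i: self.prior(i) * prod(self.likelihood(i, j, u) for j, u in enumerate(bins))
                for i in sorted(self.class_count)}


# Constructed training sub-groups D1_0, D1_1, D1_2 of behavior group D1
# (propagation behavior); each vector is (connections/min, bytes sent, ports).
D1 = {
    0: [(2, 500, 1), (5, 2000, 1), (3, 800, 2)],          # C_0: normal
    1: [(50, 300, 1), (200, 400, 1), (120, 350, 1)],      # C_1: many short connections to one port
    2: [(20, 70000, 3), (30, 90000, 4), (15, 80000, 3)],  # C_2: bulk upload to several ports
}
M1 = NaiveBayesModel().train(D1)
```

For the constructed sample (150, 400, 1) the discretised vector is (3, 1, 2) and M1.correlation gives 1/54 for C_0, 2/27 for C_1 and 1/162 for C_2, so C_1 has the maximum and the behavior is malicious. The smoothing matters in practice: without it an interval never seen in some category gives P(x'_j^u | C_i) = 0 and zeroes the whole product of equation (4) for that category regardless of the other attributes. With many attributes the product also underflows; summing logarithms instead gives the same maximum.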

Referring now to FIG. 2, which shows a schematic diagram of a behavior analysis process according to one embodiment of the invention. The process analyses whether the network behavior X_d = {x_1^d, x_2^d, ..., x_k^d} under detection is a malicious or a normal network behavior.

As shown in FIG. 2, at block 200 it is checked whether X_d is included in a whitelist. The whitelist records legitimate network behaviors; if X_d is included in it, X_d is a normal network behavior.

If the check at block 200 is positive, that is, X_d is included in the whitelist, X_d is a normal network behavior and the process ends.

At block 204, if the check at block 200 is negative, that is, X_d is not included in the whitelist, a signature-based virus scanning method is used to check whether X_d is a malicious network behavior.

If the check at block 204 is positive, that is, X_d is found to be a malicious network behavior, the process ends.

At block 208, if the check at block 204 is negative, that is, the signature scan does not identify X_d as malicious, the behavior kind to which X_d belongs is determined from the behavioral characteristics of X_d. The behavior kind may be propagation behavior, remote control behavior or attack behavior.

At block 212, the behavior recognition model corresponding to the behavior kind of X_d is selected: M1 if the kind is propagation behavior, M2 if it is remote control behavior, and M3 if it is attack behavior.

At block 216, based on the characteristic parameters of the behavior categories C_0, C_1, C_2, ..., C_m in the selected model, the correlation degree value between X_d and each of C_0, C_1, C_2, ..., C_m is computed, giving a plurality of correlation degree values. C_0 is the normal behavior category and C_1, C_2, ..., C_m are malicious behavior categories.

Here, if the characteristic parameters of the selected model were trained with the multi-classifier Naive Bayes algorithm, equation (4) above is used to compute the correlation degree values between X_d and C_0, C_1, C_2, ..., C_m.

At block 220, the maximum correlation degree value is retrieved from the plurality of correlation degree values.

At block 224, X_d is determined to be a normal or a malicious network behavior according to whether the maximum correlation degree value is the value for the normal category C_0 or the value for one of the malicious categories C_1, C_2, ..., C_m: in the former case X_d is determined to be a normal network behavior, in the latter a malicious network behavior.

Referring now to FIG. 3, which shows a schematic diagram of a self-learning process according to one embodiment of the invention. As shown in FIG. 3, at block 300 the behavior kind to which the network behavior X_E belongs is determined from its behavioral characteristics; the kind may be propagation behavior, remote control behavior or attack behavior. X_E is a behavior whose true label is already known: a normal network behavior established from the whitelist, or a malicious network behavior established by the signature-based virus scanning method.

At block 304, the behavior recognition model corresponding to the behavior kind of X_E is selected: M1 for propagation behavior, M2 for remote control behavior and M3 for attack behavior.

At block 308, based on the characteristic parameters of the behavior categories C_0, C_1, C_2, ..., C_m in the selected model, the correlation degree value between X_E and each of C_0, C_1, C_2, ..., C_m is computed, giving a plurality of correlation degree values G. C_0 is the normal behavior category and C_1, C_2, ..., C_m are malicious behavior categories.

At block 312, the maximum correlation degree value G_max is retrieved from G.

At block 316, X_E is determined to be a normal or a malicious network behavior according to whether G_max is the value for the normal category C_0 or the value for one of the malicious categories C_1, C_2, ..., C_m.

At block 320, it is judged whether the label determined for X_E at block 316 is the same as the label X_E actually has.

If the judgment at block 320 is positive, that is, the determined label agrees with the actual label, the process ends.

At block 324, if the judgment at block 320 is negative, that is, the determined label differs from the actual label, the product CJ of the remaining correlation degree values in G other than G_max is computed.

At block 328, the ratio R = G_max / CJ is computed.

At block 332, it is judged whether R is greater than a specified threshold Th.

If the judgment at block 332 is negative, that is, R is not greater than Th, the process ends.

At block 336, if the judgment at block 332 is positive, that is, R is greater than Th, an incremental learning algorithm performs self-learning training with X_E to update the behavior recognition models M1, M2 and M3. The incremental learning algorithm may be, but is not limited to, the Naive Bayes incremental learning algorithm. Updating M1, M2 and M3 with X_E by means of an incremental learning algorithm is well known to those skilled in the art and is not described further here.
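The decision logic of FIG. 2 (blocks 200 to 224) and the self-learning gate of FIG. 3 (blocks 300 to 336), as an added example that is not part of the patent. The whitelist, the signature set, the rule that derives the behavior kind, and the table that stands in for the trained models (returning the correlation degree values G_0 .. G_m a real model would compute with equation (4)) are all constructed for the example; the incremental learning step of block 336, which the page leaves to a known algorithm, is represented by a callback that receives the sample to learn from.

```python
from math import prod

NORMAL, MALICIOUS = "normal", "malicious"

# Constructed inputs (not from the patent): a whitelist of known-good behaviors
# and a signature set of known-bad ones, both keyed by a behavior name.
WHITELIST = {"update-check"}
SIGNATURES = {"known-worm-scan"}

# Constructed stand-in for the trained models M1..M3: each maps a feature vector
# to its correlation degree values [G_0, G_1, G_2] for C_0 (normal), C_1, C_2.
# A real model would compute these values with equation (4).
_TABLE = {
    "propagation":    {(150, 400, 1): [0.02, 0.07, 0.01], (2, 500, 1): [0.05, 0.01, 0.01]},
    "remote-control": {(1, 1, 1): [0.50, 0.20, 0.10]},
    "attack":         {(9, 9, 9): [0.10, 0.60, 0.05]},
}
MODELS = {kind: table.__getitem__ for kind, table in _TABLE.items()}


def behavior_kind(x):
    """Blocks 208/300: derive the behavior kind (propagation, remote control or
    attack) from the behavior's characteristics. The page gives no rule for
    this, so the example carries the kind in the behavior record."""
    return x["kind"]


def decide(G):
    """Blocks 220/224 and 312/316: the category with the largest correlation
    degree value wins; index 0 is C_0 (normal), indices 1..m are malicious."""
    i_max = max(range(len(G)), key=lambda i: G[i])
    return NORMAL if i_max == 0 else MALICIOUS


def analyse(x, models):
    """FIG. 2: whitelist, then signature scan, then the model of the behavior's
    kind, then the maximum over the correlation degree values."""
    if x["name"] in WHITELIST:                      # block 200
        return NORMAL
    if x["name"] in SIGNATURES:                     # block 204
        return MALICIOUS
    G = models[behavior_kind(x)](x["features"])     # blocks 208-216
    return decide(G)                                # blocks 220-224


def retraining_ratio(G):
    """Blocks 324/328: R = G_max / CJ, with CJ the product of the remaining
    correlation degree values. A zero among them makes CJ zero; the ratio is
    then reported as infinite (an assumption: the page does not cover it)."""
    rest = sorted(G)
    g_max = rest.pop()
    cj = prod(rest)
    return float("inf") if cj == 0 else g_max / cj


def self_learn(x, actual, models, threshold, update):
    """FIG. 3: score a behavior whose true label is already known from the
    whitelist or the signature scan. If the model disagrees with that label
    and R exceeds the threshold, hand the sample to the incremental learner."""
    kind = behavior_kind(x)                          # block 300
    G = models[kind](x["features"])                  # blocks 304-308
    if decide(G) == actual:                          # blocks 312-320
        return False
    if retraining_ratio(G) <= threshold:             # blocks 324-332
        return False
    update(kind, x, actual)                          # block 336
    return True
```

Two points the figures do not spell out. CJ is a product of values that are normally well below one, so R grows rapidly with the number of categories m and Th has to be chosen per model rather than as a universal constant. And because the labels used for self-learning come from the whitelist and the signature database, any error in those sources is learned by the models, so both need to be protected from unauthorised modification just as the models themselves do.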

From the above description it can be seen that the scheme of the embodiments divides network behaviors into more than two behavior categories, namely a normal behavior category and several malicious behavior categories, rather than only the two categories, normal and malicious, of the prior art. The finer the division into categories, the less interference there is between behaviors of different categories and the more accurate the detection of the behavior under detection; the scheme of the embodiments therefore improves the accuracy of malicious network behavior detection.

In addition, the scheme of the embodiments also divides network behaviors into different behavior kinds, which likewise reduces mutual interference between behaviors of different kinds and so also improves detection accuracy.

Other variants

Those skilled in the art will understand that although in the above embodiments the behavior kinds are propagation behavior, remote control behavior and attack behavior, the invention is not limited to these. In other embodiments the behavior kinds may be any two of propagation behavior, remote control behavior and attack behavior, or may include one, two or all three of them together with other forms of behavior kind. Alternatively, since the behaviors included in each of propagation behavior, remote control behavior and attack behavior can themselves be divided into several sub-kinds, those sub-kinds may be treated as behavior kinds, dividing the behaviors into a larger number of kinds.

Those skilled in the art will understand that although in the above embodiments network behaviors are divided into different behavior kinds and a behavior recognition model is built for each kind, the invention is not limited to this. In other embodiments the network behaviors need not be divided into kinds with one model per kind; a single behavior recognition model containing the characteristic parameters of every behavior category may be built instead.

Those skilled in the art will understand that although in the above embodiments the behavior analysis process includes checking the network behavior under detection against a whitelist and with a signature-based virus scanning method, the invention is not limited to this; in other embodiments either or both of these checks may be omitted. Likewise, although in the above embodiments the method for malicious network behavior detection includes a multi-classifier training process to obtain the behavior recognition models, the invention is not limited to this; in other embodiments the training process may be omitted and the behavior recognition models provided by other means.

Those skilled in the art will understand that although in the above embodiments the method for malicious network behavior detection includes a self-learning process, the invention is not limited to this; in other embodiments the self-learning process may be omitted.

Those skilled in the art will understand that the method for malicious network behavior detection of the invention is applicable not only to the mobile Internet but also to other types of network.

Referring now to FIG. 4, which shows a schematic diagram of an apparatus for malicious network behavior detection according to one embodiment of the invention. The apparatus of FIG. 4 may be implemented in hardware, in software, or in a combination of the two.

As shown in FIG. 4, the apparatus 400 may include a calculation module 404 and a determination module 408. The calculation module 404 computes, from the characteristic parameters of a plurality of behavior categories, the correlation degree value between the network behavior under detection and each of those categories, giving a plurality of correlation degree values; the plurality of behavior categories comprises a normal behavior category and several malicious behavior categories, and their characteristic parameters are trained in advance using known malicious network behaviors and normal network behaviors as training samples. The determination module 408 determines that the network behavior under detection is a normal or a malicious network behavior according to whether the maximum of the plurality of correlation degree values is the value for the normal behavior category or the value for one of the malicious behavior categories.

In one implementation, the apparatus 400 further includes a judging module 412 and a selection module 416. The judging module 412 determines, from the behavioral characteristics of the network behavior under detection, the behavior kind to which it belongs; the selection module 416 selects, from a plurality of behavior recognition models each corresponding to a different behavior kind and each containing the characteristic parameters of the plurality of behavior categories, the model corresponding to the determined kind. The calculation module 404 then computes the plurality of correlation degree values from the characteristic parameters contained in the selected behavior recognition model.

In another implementation, the apparatus 400 further includes a division module 420, a clustering module 424 and a training module 428. The division module 420 divides the known malicious and normal network behaviors serving as training samples into a plurality of behavior groups, the network behaviors in each group belonging to the same behavior kind; the clustering module 424 uses a clustering algorithm to cluster the network behaviors of each behavior group into a plurality of sub-groups, the network behaviors in each sub-group belonging to one of the plurality of behavior categories; and the training module 428 uses a multi-classifier training algorithm to train on the network behaviors in the sub-groups of each behavior group, giving the plurality of behavior recognition models.

In a further implementation, for the case in which the label determined for the network behavior under detection differs from the label it actually has, the apparatus 400 further includes a multiplication module 432, a checking module 436 and an update module 440. The multiplication module 432 computes the product of the correlation degree values other than the maximum correlation degree value; the checking module 436 checks whether the ratio of the maximum correlation degree value to that product is greater than a specified threshold; and the update module 440, if the check is positive, uses an incremental learning algorithm to perform self-learning training with the network behavior under detection so as to update the plurality of behavior recognition models.

Referring now to FIG. 5, which shows a schematic diagram of a device for malicious network behavior detection according to one embodiment of the invention. As shown in FIG. 5, the device 500 may include a memory 510 and a processor 520 connected to the memory 510. The processor 520 may perform the operations performed by the modules of the apparatus 400 described above.

An embodiment of the invention also provides a machine-readable medium storing executable instructions which, when executed, cause a machine to perform the operations performed by the processor 520.

Those skilled in the art will understand that various variations and modifications of the embodiments disclosed above may be made without departing from the essence of the invention. The scope of protection of the invention is therefore defined by the appended claims.

Claims (11)

1.一种用于恶意网络行为检测的方法,包括:1. A method for malicious network behavior detection, comprising: 根据多个行为类别各自的特征参数,计算待检测的网络行为与所述多个行为类别的每一个的相关程度值,得到多个相关程度值,其中,所述多个行为类别包括正常行为类别和至少一个恶意行为类别,所述多个行为类别各自的特征参数预先利用已知的恶意网络行为和正常网络行为作为训练样本训练得到;以及According to the respective characteristic parameters of multiple behavior categories, calculate the correlation degree value between the network behavior to be detected and each of the multiple behavior categories to obtain multiple correlation degree values, wherein the multiple behavior categories include normal behavior categories and at least one malicious behavior category, the feature parameters of each of the multiple behavior categories are pre-trained using known malicious network behaviors and normal network behaviors as training samples; and 根据所述多个相关程度值中的最大相关程度值是所述待检测的网络行为与所述正常行为类别的相关程度值还是所述待检测的网络行为与所述至少一个恶意行为类别的其中之一的相关程度值,确定所述待检测的行为属于正常网络行为或恶意网络行为。According to whether the maximum correlation degree value among the plurality of correlation degree values is the correlation degree value between the network behavior to be detected and the normal behavior category or the relationship between the network behavior to be detected and the at least one malicious behavior category One of the correlation degree values, it is determined that the behavior to be detected belongs to a normal network behavior or a malicious network behavior. 2.如权利要求1所述的方法,其中,还包括:2. 
The method of claim 1, further comprising: 根据所述待检测的网络行为的行为特点,判定所述待检测的网络行为所属的行为种类;以及According to the behavior characteristics of the network behavior to be detected, determine the type of behavior to which the network behavior to be detected belongs; and 从分别对应于不同的行为种类的多个行为识别模型中,选择与所判定的行为种类对应的行为识别模型,其中,所述多个行为识别模型的每一个包括所述多个行为类别各自的特征参数,From a plurality of behavior recognition models respectively corresponding to different behavior types, select a behavior recognition model corresponding to the determined behavior type, wherein each of the plurality of behavior recognition models includes the respective Characteristic Parameters, 其中,所述计算进一步包括:根据所选择的行为识别模型所包括的所述多个行为类别各自的特征参数,计算所述待检测的行为与所述多个行为类别的每一个的相关程度值,得到所述多个相关程度值。Wherein, the calculation further includes: according to the respective characteristic parameters of the multiple behavior categories included in the selected behavior recognition model, calculating the correlation degree value between the behavior to be detected and each of the multiple behavior categories , to obtain the multiple correlation degree values. 3.如权利要求2所述的方法,其中,还包括:3. 
The method of claim 2, further comprising: 将作为所述训练样本的所述已知的恶意网络行为和正常网络行为划分为多个行为组,其中每一个行为组中的网络行为属于相同的行为种类;dividing the known malicious network behaviors and normal network behaviors as the training samples into a plurality of behavior groups, wherein the network behaviors in each behavior group belong to the same behavior category; 利用聚类算法将所述多个行为组中的每一个行为组所包括的网络行为聚类为多个子行为组,每一个子行为组所包括的网络行为属于所述多个行为类别的其中一个;以及Using a clustering algorithm to cluster the network behaviors included in each of the multiple behavior groups into multiple sub-behavior groups, and the network behavior included in each sub-behavior group belongs to one of the multiple behavior categories ;as well as 利用多分类器训练算法分别对所述多个行为组中的每一个行为组所包括的各个子行为组中的网络行为进行训练,得到所述多个行为识别模型。Using a multi-classifier training algorithm to train the network behaviors in each sub-behavior group included in each behavior group of the multiple behavior groups to obtain the multiple behavior recognition models. 4.如权利要求3所述的方法,其中,4. The method of claim 3, wherein, 所述待检测的网络行为被确定所属的行为与所述待检测的网络行为实际所属的行为不相同,以及The behavior to which the network behavior to be detected is determined to belong is different from the behavior to which the network behavior to be detected actually belongs, and 所述方法还包括:The method also includes: 计算所述多个相关程度值中除了所述最大相关程度值之外的其它相关程度值的乘积;calculating a product of other relevance degree values in the plurality of relevance degree values except the maximum relevance degree value; 检查所述最大相关程度值与所计算的乘积的比值是否大于指定阈值;以及checking whether the ratio of said maximum correlation value to the calculated product is greater than a specified threshold; and 如果检查结果为肯定,则利用增量学习算法使用所述待检测的网络行为进行自学习训练,以更新所述多个行为识别模型。If the checking result is affirmative, use the network behavior to be detected to perform self-learning training by using an incremental learning algorithm, so as to update the multiple behavior recognition models. 5.如权利要求2所述的方法,其中,所述行为种类包括传播行为、远程控制行为、攻击行为。5. 
The method according to claim 2, wherein the behavior types include propagation behavior, remote control behavior, and attack behavior. 6.一种用于恶意网络行为检测的装置,包括:6. A device for malicious network behavior detection, comprising: 计算模块,用于根据多个行为类别各自的特征参数,计算待检测的网络行为与所述多个行为类别的每一个的相关程度值,得到多个相关程度值,其中,所述多个行为类别包括正常行为类别和至少一个恶意行为类别,所述多个行为类别各自的特征参数预先利用已知的恶意网络行为和正常网络行为作为训练样本训练得到;以及A calculation module, configured to calculate a correlation degree value between the network behavior to be detected and each of the multiple behavior categories according to the respective characteristic parameters of the multiple behavior categories, to obtain multiple correlation degree values, wherein the multiple behaviors The categories include normal behavior categories and at least one malicious behavior category, and the respective characteristic parameters of the plurality of behavior categories are pre-trained using known malicious network behaviors and normal network behaviors as training samples; and 确定模块,用于根据所述多个相关程度值中的最大相关程度值是所述待检测的网络行为与所述正常行为类别的相关程度值还是所述待检测的网络行为与所述至少一个恶意行为类别的其中之一的相关程度值,确定所述待检测的行为属于正常网络行为或恶意网络行为。A determining module, configured to determine whether the maximum correlation degree value among the plurality of correlation degree values is the correlation degree value between the network behavior to be detected and the normal behavior category or the network behavior to be detected and the at least one The correlation degree value of one of the malicious behavior categories determines that the behavior to be detected belongs to a normal network behavior or a malicious network behavior. 7.如权利要求6所述的装置,其中,还包括:7. 
The apparatus of claim 6, further comprising:
a determination module, configured to determine, according to the behavior characteristics of the network behavior to be detected, the behavior type to which the network behavior to be detected belongs; and
a selection module, configured to select, from a plurality of behavior recognition models each corresponding to a different behavior type, the behavior recognition model corresponding to the determined behavior type, wherein each of the plurality of behavior recognition models includes the respective characteristic parameters of the plurality of behavior categories,
wherein the calculation module is further configured to: calculate, according to the respective characteristic parameters of the plurality of behavior categories included in the selected behavior recognition model, the correlation degree value between the behavior to be detected and each of the plurality of behavior categories, so as to obtain the plurality of correlation degree values.

8. The apparatus of claim 7, further comprising:
a division module, configured to divide the known malicious network behaviors and normal network behaviors serving as the training samples into a plurality of behavior groups, wherein the network behaviors in each behavior group belong to the same behavior type;
a clustering module, configured to cluster, using a clustering algorithm, the network behaviors included in each of the plurality of behavior groups into a plurality of sub-behavior groups, wherein the network behaviors included in each sub-behavior group belong to one of the plurality of behavior categories; and
a training module, configured to train, using a multi-classifier training algorithm, the network behaviors in the sub-behavior groups of each of the plurality of behavior groups respectively, so as to obtain the plurality of behavior recognition models.

9. The apparatus of claim 8, wherein
the behavior to which the network behavior to be detected is determined to belong differs from the behavior to which the network behavior to be detected actually belongs, and
the apparatus further comprises:
a multiplication module, configured to calculate the product of the correlation degree values in the plurality of correlation degree values other than the maximum correlation degree value;
a checking module, configured to check whether the ratio of the maximum correlation degree value to the calculated product is greater than a specified threshold; and
an updating module, configured to, if the checking result is positive, perform self-learning training with the network behavior to be detected using an incremental learning algorithm, so as to update the plurality of behavior recognition models.

10. A device for malicious network behavior detection, comprising:
a memory; and
a processor connected to the memory, configured to perform the operations included in any one of claims 1-5.

11. A machine-readable medium having stored thereon executable instructions which, when executed, cause a machine to perform the operations performed by the processor of claim 10.
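The following is an added worked example and is not code from the patent or its assignee. It models the apparatus of claims 7-9 end to end: training samples are divided by behavior type, each group is clustered into behavior categories, one recognition model per type stores each category's characteristic parameters, detection selects the model for the behavior type and takes the category with the maximum correlation degree, and the claim 9 ratio check gates an incremental update when feedback shows the decision was wrong. The sample data, the two feature dimensions, the deterministic k-means, the use of 1/(1+distance) as the correlation degree, and the running-mean update are all assumptions chosen for illustration; the patent does not fix any of these choices.

```python
"""Added example (not the patent's code): claims 7-9 as a minimal pipeline.
Stand-ins, all assumed: k-means for the clustering module, centroid plus
majority label as a category's characteristic parameters, 1/(1+distance)
as the correlation degree, and a running-mean centroid update as the
incremental learning algorithm."""
import math
from collections import defaultdict

# Constructed training samples: (behavior_type, features, label).
# The two features are assumed to be normalised traffic statistics.
TRAINING = [
    ("http", (0.1, 0.2), "normal"),    ("http", (0.2, 0.1), "normal"),
    ("http", (0.9, 0.8), "malicious"), ("http", (0.8, 0.9), "malicious"),
    ("dns",  (0.1, 0.1), "normal"),    ("dns",  (0.2, 0.2), "normal"),
    ("dns",  (0.9, 0.1), "malicious"), ("dns",  (0.8, 0.2), "malicious"),
]


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def mean(points):
    n = len(points)
    return tuple(sum(p[i] for p in points) / n for i in range(len(points[0])))


def kmeans(samples, k, rounds=10):
    """Deterministic k-means over (features, label) samples: farthest-first
    seeding, then Lloyd iterations. Returns k member lists (sub-behavior groups)."""
    centroids = [samples[0][0]]
    while len(centroids) < k:
        far = max(samples, key=lambda s: min(dist(s[0], c) for c in centroids))
        centroids.append(far[0])
    for _ in range(rounds):
        groups = [[] for _ in range(k)]
        for s in samples:
            groups[min(range(k), key=lambda i: dist(s[0], centroids[i]))].append(s)
        new = [mean([s[0] for s in g]) if g else centroids[i] for i, g in enumerate(groups)]
        if new == centroids:
            break
        centroids = new
    return groups


def train(samples, k=2):
    """Division, clustering and training modules (claim 8): one model per type."""
    by_type = defaultdict(list)                      # division module
    for btype, feats, label in samples:
        by_type[btype].append((feats, label))
    models = {}
    for btype, group in by_type.items():
        categories = []
        for members in kmeans(group, k):             # clustering module
            feats = [m[0] for m in members]
            labels = [m[1] for m in members]
            categories.append({"centroid": mean(feats), "count": len(feats),
                               "label": max(set(labels), key=labels.count)})
        models[btype] = categories                   # characteristic parameters
    return models


def correlation_degrees(model, feats):
    """Correlation degree of a behavior with each category, in (0, 1]."""
    return [1.0 / (1.0 + dist(feats, c["centroid"])) for c in model]


def detect(models, btype, feats):
    """Claim 7: select the model for the behavior type, score every category,
    take the maximum. Returns (label, category index, all degrees)."""
    model = models[btype]                            # selection module
    degrees = correlation_degrees(model, feats)      # calculation module
    best = max(range(len(degrees)), key=degrees.__getitem__)
    return model[best]["label"], best, degrees


def should_self_learn(degrees, threshold):
    """Claim 9 check: max degree / product of the remaining degrees > threshold."""
    best = max(degrees)
    others = [d for i, d in enumerate(degrees) if i != degrees.index(best)]
    return best / math.prod(others) > threshold


def self_learn(models, btype, feats, true_label, degrees, threshold):
    """Called when feedback says the determined label was wrong. Stand-in
    incremental update: fold the sample into the nearest category carrying
    the true label by a running mean of its centroid."""
    if not should_self_learn(degrees, threshold):
        return False
    target = min((c for c in models[btype] if c["label"] == true_label),
                 key=lambda c: dist(feats, c["centroid"]))
    n = target["count"]
    target["centroid"] = tuple((c * n + x) / (n + 1) for c, x in zip(target["centroid"], feats))
    target["count"] = n + 1
    return True


if __name__ == "__main__":
    models = train(TRAINING)
    label, _, degrees = detect(models, "http", (0.4, 0.4))
    print("determined:", label, [round(d, 3) for d in degrees])
    # Feedback: this low-rate HTTP behavior was in fact malicious.
    print("updated:", self_learn(models, "http", (0.4, 0.4), "malicious", degrees, 1.1))
    print("malicious centroid now:", models["http"][1]["centroid"])
```

With the constructed data the HTTP model ends up with a "normal" category centred at (0.15, 0.15) and a "malicious" one at (0.85, 0.85). The behavior (0.4, 0.4) is determined to be normal with degrees of roughly 0.739 and 0.611; their ratio 1.209 exceeds a threshold of 1.1, so the feedback sample is folded into the malicious category, moving its centroid to (0.7, 0.7). A threshold of 1.5 leaves the model untouched. Note that the ratio compares the winning degree against the product of the others, so with more than two categories the product shrinks quickly and the threshold has to be set against the actual number of categories in the selected model.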
CN201310461795.1A 2013-09-30 2013-09-30 A kind of method and apparatus for hostile network behavioral value Active CN104519031B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310461795.1A CN104519031B (en) 2013-09-30 2013-09-30 A kind of method and apparatus for hostile network behavioral value

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310461795.1A CN104519031B (en) 2013-09-30 2013-09-30 A kind of method and apparatus for hostile network behavioral value

Publications (2)

Publication Number Publication Date
CN104519031A true CN104519031A (en) 2015-04-15
CN104519031B CN104519031B (en) 2018-03-09

Family

ID=52793768

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310461795.1A Active CN104519031B (en) 2013-09-30 2013-09-30 A kind of method and apparatus for hostile network behavioral value

Country Status (1)

Country Link
CN (1) CN104519031B (en)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060037077A1 (en) * 2004-08-16 2006-02-16 Cisco Technology, Inc. Network intrusion detection system having application inspection and anomaly detection characteristics
CN102821002A (en) * 2011-06-09 2012-12-12 中国移动通信集团河南有限公司信阳分公司 Method and system for network flow anomaly detection
CN102571486A (en) * 2011-12-14 2012-07-11 上海交通大学 Traffic identification method based on bag of word (BOW) model and statistic features

Cited By (37)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106469276B (en) * 2015-08-19 2020-04-07 阿里巴巴集团控股有限公司 Type identification method and device of data sample
CN106469276A (en) * 2015-08-19 2017-03-01 阿里巴巴集团控股有限公司 The kind identification method of data sample and device
CN105426760A (en) * 2015-11-05 2016-03-23 工业和信息化部电信研究院 Detection method and apparatus for malicious android application
CN105760897A (en) * 2016-03-21 2016-07-13 合肥赛猊腾龙信息技术有限公司 Method and device for classifying files by using credibility classifier
CN105760897B (en) * 2016-03-21 2019-08-20 合肥赛猊腾龙信息技术有限公司 A kind of method and device carrying out document classification using confidence level classifier
WO2017206499A1 (en) * 2016-05-31 2017-12-07 华为技术有限公司 Network attack detection method and attack detection apparatus
CN105847302B (en) * 2016-05-31 2019-04-12 北京奇艺世纪科技有限公司 A kind of method for detecting abnormality and device
CN105847302A (en) * 2016-05-31 2016-08-10 北京奇艺世纪科技有限公司 Abnormity detection method and device
CN106209845A (en) * 2016-07-12 2016-12-07 国家计算机网络与信息安全管理中心 A kind of malicious HTTP based on Bayesian Learning Theory request decision method
CN106777024A (en) * 2016-12-08 2017-05-31 北京小米移动软件有限公司 Recognize the method and device of malicious user
CN107528859A (en) * 2017-09-29 2017-12-29 北京神州绿盟信息安全科技股份有限公司 The defence method and equipment of a kind of ddos attack
CN107707547A (en) * 2017-09-29 2018-02-16 北京神州绿盟信息安全科技股份有限公司 The detection method and equipment of a kind of ddos attack
CN107528859B (en) * 2017-09-29 2020-07-10 北京神州绿盟信息安全科技股份有限公司 Defense method and device for DDoS attack
CN107832413A (en) * 2017-11-07 2018-03-23 电子科技大学 A kind of detection method of microblogging inactive users
CN109936525A (en) * 2017-12-15 2019-06-25 阿里巴巴集团控股有限公司 A kind of abnormal account preventing control method, device and equipment based on graph structure model
US11223644B2 (en) 2017-12-15 2022-01-11 Advanced New Technologies Co., Ltd. Graphical structure model-based prevention and control of abnormal accounts
US11102230B2 (en) 2017-12-15 2021-08-24 Advanced New Technologies Co., Ltd. Graphical structure model-based prevention and control of abnormal accounts
CN108234472A (en) * 2017-12-28 2018-06-29 北京百度网讯科技有限公司 Detection method and device, computer equipment and the readable medium of Challenging black hole attack
CN108540472A (en) * 2018-04-08 2018-09-14 南京邮电大学 Android beats again packet malicious application detection device
CN110532773A (en) * 2018-05-25 2019-12-03 阿里巴巴集团控股有限公司 Malicious access Activity recognition method, data processing method, device and equipment
CN110532773B (en) * 2018-05-25 2023-04-07 阿里巴巴集团控股有限公司 Malicious access behavior identification method, data processing method, device and equipment
CN108769079A (en) * 2018-07-09 2018-11-06 四川大学 A kind of Web Intrusion Detection Techniques based on machine learning
WO2020010461A1 (en) * 2018-07-12 2020-01-16 Cyber Defence Qcd Corporation Systems and methods of cyber-monitoring which utilizes a knowledge database
US12003515B2 (en) 2018-07-12 2024-06-04 Cyber Defence Qcd Corporation Systems and method of cyber-monitoring which utilizes a knowledge database
CN109067722B (en) * 2018-07-24 2020-10-27 湖南大学 A LDoS detection method based on two-step clustering and detection slice analysis joint algorithm
CN109067722A (en) * 2018-07-24 2018-12-21 湖南大学 A kind of LDoS detection method based on two steps cluster and detection lug analysis joint algorithm
WO2020062731A1 (en) * 2018-09-25 2020-04-02 平安科技(深圳)有限公司 Method and apparatus for updating white list based on cost function, and electronic device
CN110955890A (en) * 2018-09-26 2020-04-03 瑞数信息技术(上海)有限公司 Method and device for detecting malicious batch access behaviors and computer storage medium
CN110955890B (en) * 2018-09-26 2021-08-17 瑞数信息技术(上海)有限公司 Method and device for detecting malicious batch access behaviors and computer storage medium
CN109460784A (en) * 2018-10-22 2019-03-12 武汉极意网络科技有限公司 Access behavioural characteristic method for establishing model, equipment, storage medium and device
CN109587248A (en) * 2018-12-06 2019-04-05 腾讯科技(深圳)有限公司 User identification method, device, server and storage medium
CN109587248B (en) * 2018-12-06 2023-08-29 腾讯科技(深圳)有限公司 User identification method, device, server and storage medium
CN111918280B (en) * 2019-05-07 2022-07-22 华为技术有限公司 Method, device and system for processing terminal information
WO2020224509A1 (en) * 2019-05-07 2020-11-12 华为技术有限公司 Method, device and system for processing terminal information
CN111918280A (en) * 2019-05-07 2020-11-10 华为技术有限公司 Terminal information processing method, device and system
US12212966B2 (en) 2019-05-07 2025-01-28 Huawei Technologies Co., Ltd. Terminal information processing method and apparatus, and system
CN116341824A (en) * 2023-02-01 2023-06-27 江苏瑞莫德电气科技有限公司 Intelligent power grid transformer substation management system and method based on cloud computing

Also Published As

Publication number Publication date
CN104519031B (en) 2018-03-09

Similar Documents

Publication Publication Date Title
CN104519031B (en) A kind of method and apparatus for hostile network behavioral value
US10574681B2 (en) Detection of known and unknown malicious domains
US10846308B2 (en) Prioritized detection and classification of clusters of anomalous samples on high-dimensional continuous and mixed discrete/continuous feature spaces
JP6622928B2 (en) Accurate real-time identification of malicious BGP hijacking
US9769190B2 (en) Methods and apparatus to identify malicious activity in a network
US8762298B1 (en) Machine learning based botnet detection using real-time connectivity graph based traffic features
US8260914B1 (en) Detecting DNS fast-flux anomalies
US8418249B1 (en) Class discovery for automated discovery, attribution, analysis, and risk assessment of security threats
US20150326600A1 (en) Flow-based system and method for detecting cyber-attacks utilizing contextual information
EP2725512A1 (en) System and method for malware detection using multi-dimensional feature clustering
US11949701B2 (en) Network access anomaly detection via graph embedding
US20150188941A1 (en) Method and system for predicting victim users and detecting fake user accounts in online social networks
Bakhareva et al. Attack detection in enterprise networks by machine learning methods
Akbani et al. EMLTrust: an enhanced machine learning based reputation system for MANETs
Li et al. RTED-SD: A real-time edge detection scheme for sybil DDoS in the internet of vehicles
CN110351291B (en) DDoS attack detection method and device based on multi-scale convolutional neural network
CN108023868B (en) Malicious resource address detection method and device
CN101635658A (en) Method and system for detecting abnormality of network secret stealing behavior
Ashibani et al. A user authentication model for IoT networks based on app traffic patterns
Ajaeiya et al. Mobile apps identification based on network flows
Sedar et al. Reinforcement learning based misbehavior detection in vehicular networks
Mizuno et al. Botdetector: A robust and scalable approach toward detecting malware-infected devices
Zheng et al. Preprocessing method for encrypted traffic based on semisupervised clustering
Dikii et al. DoS attacks detection in MQTT networks
CN113114677B (en) Botnet detection method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant