CN107040517B - Cognitive intrusion detection method oriented to cloud computing environment - Google Patents


Info

Publication number
CN107040517B
Authority
CN
China
Prior art keywords
cloud
intrusion
cognitive
data packet
unit
Legal status
Active
Application number
CN201710096368.6A
Other languages
Chinese (zh)
Other versions
CN107040517A (en)
Inventor
亓晋
孙雁飞
谭虹
郭阳
王堃
Current Assignee
Nanjing Post and Telecommunication University
Original Assignee
Nanjing Post and Telecommunication University
Application filed by Nanjing Post and Telecommunication University
Priority to CN201710096368.6A
Publication of CN107040517A
Application granted
Publication of CN107040517B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a cognitive intrusion detection method for a cloud computing environment. The system comprises a data preprocessing unit, a data packet detection unit, a database, a cognitive rule base, an intrusion detection engine unit, an event processing unit, a cloud cognitive inference engine and a statistical analysis unit. The cloud cognitive inference learning module uses a genetic algorithm to optimize the feature vector, so the required training and monitoring time is shorter than that of other methods; the real-time online detection capability is stronger; and the large-scale parallel computing and large-data-volume processing capabilities of cloud computing are fully exploited in the cloud computing environment, so that computing capability is greatly enhanced and the system is safer and more efficient.

Description

Cognitive intrusion detection method oriented to cloud computing environment
Technical Field
The invention belongs to the field of cloud computing, and particularly relates to a cognitive intrusion detection method oriented to a cloud computing environment.
Background
Cloud computing has become a hot topic in the current IT world, but its development also faces many key problems, of which security is the foremost. As cloud computing continues to spread, the importance of its security shows a steadily rising trend, and security has become a core factor restricting the development of cloud computing. The challenge of cloud security is reflected in three aspects: (1) data security, including data encryption and decryption, access control, transmission security and the like; (2) service security, including server security, secure single sign-on, identity authentication, trust models and the like; (3) the security monitoring system, which defends against and prevents malicious intrusion behaviour and ensures the data and privacy security of all users, and is a crucial link in cloud security.
The traditional passive defense method cannot judge and block network attacks in time, lacks the cognitive ability to identify known or unknown security attacks, and has neither real-time capability nor intelligence, so it cannot meet the needs of a cloud computing environment. Therefore, a more active and anticipatory cognitive intrusion detection method is needed in the cloud computing environment to achieve rapid identification, early warning and protection against security attacks.
In the prior art, document one (application number: 201510870283.X) provides an intrusion detection method based on cloud computing, which moves the intrusion detection function from the traditional host to the cloud and provides it there in the form of a service. The core intrusion detection analysis service is located in the cloud and is updated and maintained by the professional network security team of the cloud service provider, which simplifies the host side and reduces maintenance cost. The main process is shown in fig. 1. The document is a fundamental patent for internet intrusion detection; basing the intrusion detection system on a cloud computing environment gives it the advantages of data concentration and sharing in a cloud database. The defects of this technology are as follows: (1) the intrusion detection engine, the intrusion detection comparison rule base and the intelligent anomaly detection are not specifically described; (2) it has no recognition capability for the possible unknown intrusion behaviours obtained by comparison and offers no corresponding solution; they are simply treated as new intrusion behaviours, so there is no cognitive ability for unknown attacks.
Document two (application number: 201610049716.X) provides an autonomous-analysis intrusion detection method for a cloud computing environment. It trains an intrusion detector with an improved BP neural network to detect preprocessed data packets with abnormal network traffic in real time, identifies the abnormal data, performs feature extraction on the unknown intrusion behaviour obtained, and recognises that new type of intrusion behaviour from then on; it offers an autonomous analysis and detection idea and has a high expansion rate. The main process is shown in fig. 2. The document is a relatively advanced patent for internet intrusion detection: based on the cloud computing environment, known and unknown types of intrusion behaviour can be detected and fed back in time, the cloud database is supplemented, and the detection and defense functions of the system are improved. The defect of this technology is that the method for extracting the feature values of unknown intrusion behaviour has great room for improvement in the speed and safety of the system.
Disclosure of Invention
Aiming at the problems that the passive defense strategy of the traditional Intrusion Detection System (IDS) model cannot judge and prevent known or unknown security attacks in time and that the danger coefficient of the system is large, an intrusion detection system with cognitive ability for cloud computing is provided. The specific scheme is as follows: a cognitive intrusion detection method for a cloud computing environment comprises the following steps:
Step 1, a data preprocessing unit in the cloud computing environment receives a data packet with abnormal traffic, performs regularized preprocessing on the data in the packet to obtain a data packet file containing a feature vector, and sends the preprocessed data packet to a database and to a data packet detection unit respectively;
Step 2, the database receives and stores the data packet file with the feature vector data, and establishes a log record for the stored data packet;
Step 3, a cognitive rule base is established, which contains the feature data of known intrusion behaviours;
Step 3, the data packet detection unit performs rule matching against the information in the established cognitive rule base; if a matching rule is found, an alarm is raised to the intrusion detection engine unit, the intrusion detection engine unit sends an instruction to the event processing unit according to the received alarm information, and the event processing unit raises an alarm and cuts off the network after receiving the instruction;
Step 4, if the data packet detection unit finds no matching rule, this indicates that the attack type in the data packet cannot be identified, and the database transmits the information of the data packet to the cloud inference learning module for intrusion possibility evaluation;
Step 5, a cloud rule is established: when there is no network connection, the cloud cognitive inference engine establishes a cloud rule database using the feature vector data stored in the database as training samples;
Step 6, the unidentifiable attack type is judged: when the network is connected, the cloud cognitive inference engine receives the feature vector data of the data packet whose attack type could not be identified, selects the optimal feature vector data using a feature vector extraction algorithm based on a genetic algorithm to obtain the optimal intrusion feature vector, compares the intrusion feature vector with the established operation and management station database, activates several qualitative cloud rules, performs uncertainty inference, determines the intrusion type, and sends the result to the intrusion detection engine unit;
Step 7, the intrusion feature vector is sent to the original cloud regularization database, which is corrected and updated into a typed cloud regularization database;
Step 8, the intrusion feature vector is sent to the statistical analysis unit, which judges whether a network intrusion has occurred according to the log record of the intrusion feature vector, sends the judgment result to the intrusion detection engine unit and the event processing unit, and at the same time sends the data of the intrusion feature vector to the cognitive rule base for updating;
Step 9, the intrusion detection engine unit receives the inference result from the cloud cognitive inference engine and the judgment result from the statistical analysis unit and sends an instruction to the event processing unit;
Step 10, the event processing unit raises an alarm and cuts off the network after receiving the instructions from the intrusion detection engine unit and the statistical analysis unit.
Further, the specific steps of the feature vector extraction algorithm based on the genetic algorithm in step 6 are as follows:
1) set the generation counter g = 0 and generate an initial population P(g) of n individuals;
2) evaluate each individual in the population and calculate its fitness f(x);
3) according to the individual fitness f(x), select two individuals from P(g) as parents (the larger the fitness value, the greater the chance of selection); cross the two selected individuals according to the crossover probability to generate new offspring (if the crossover probability is 0, i.e. no crossover is performed, the offspring are exact copies of the parents); then, according to the mutation probability, mutate the new offspring at their respective gene loci; repeat these operations to generate new individuals, and form the new population P(g+1) from the individuals finally generated;
4) take the newly generated population P(g+1) as the population for the subsequent evolution operation, and set the generation counter g = g+1;
5) if the termination condition is satisfied, end the algorithm and return the best individual in the current population, i.e. the optimal solution;
6) if the termination condition is not satisfied, jump to step 2) and continue the genetic algorithm.
Further, the uncertainty inference described in step 6 specifically comprises the following steps:
Step 1, for a set of unknown intrusion feature vectors $(X_1, X_2, \dots, X_n)$ after data preprocessing, each $X_i$ activates rules according to the 3En principle: a rule is activated when $|Ex - X_i| < 3En$;
Step 2, each activated rule corresponds to a forward cloud generator whose inference outputs a cloud drop $(x_i, y_i)$;
Step 3, a reverse cloud generator is applied to the cloud drops $(x_1, y_1), \dots, (x_n, y_n)$ to obtain the numerical characteristics of the virtual cloud: $Ex_{ij}, En_{ij}, He_{ij}$;
Step 4, $x_i$ is substituted into the virtual cloud to obtain its certainty degree;
Step 5, Steps 2-5 are repeated for each $x_i$ to obtain the corresponding certainty degrees;
Step 6, the intrusion type is determined according to the maximum certainty principle.
Further, in step 8, the statistical analysis processing unit measures n variable values at any given time to determine by inference whether an intrusion has occurred in the system. Each variable $N_i\ (i = 1, 2, \dots, n)$ represents a characteristic of a different aspect of the system, including the number of SYN packets, the number of user login failures, CPU usage, network traffic and the like; $M_i\ (i = 1, 2, \dots, n)$ is the predicted expected value of the data under normal conditions; and the detection function defined at time t is:
where $\lambda_i > 0$ is the weight representing the importance, i.e. the sensitivity, of each variable. The smaller $F(t)$, the closer the communication process is to the normal condition; when $F(t)$ exceeds a preset threshold, a network intrusion is considered to have occurred.
Compared with the prior art, the cloud cognitive inference learning module uses a genetic algorithm to optimize the feature vector, so the required training and monitoring time is shorter than that of other methods; the real-time online detection capability is stronger; and finally, the large-scale parallel computing and large-data-volume processing capabilities of cloud computing are fully used in the cloud computing environment, so that computing capability is greatly enhanced and the system is safer and more efficient.
Drawings
Fig. 1 is a flowchart of the cloud computing-based intrusion detection method of document one;
Fig. 2 is a flowchart of the autonomous-analysis intrusion detection method in a cloud computing environment of document two;
Fig. 3 is a flowchart of the cognitive intrusion detection method for cloud computing;
Fig. 4 is a block diagram of the flow of the feature vector extraction algorithm based on a genetic algorithm;
Fig. 5 is a flowchart of the specific inference algorithm of the cloud cognitive inference engine.
Detailed Description
Example 1
As shown in fig. 1, the intrusion detection system with cognitive capability for cloud computing includes a cognitive detection module. Data preprocessing is responsible for collecting data streams in the network and generating data stream files in a certain format. Data packet detection inspects the preprocessed data stream, judges according to the established cognitive rule base whether the data stream is a known attack form, and establishes, for known attacks, an attack signature conforming to a certain rule; the attack signature comprises the processing mode, the transport layer protocol type, the application layer protocol type, the port number, the IP address range, remark information and the like.
The cloud cognitive inference learning module: the cloud inference learning module is used to evaluate the possibility of intrusion. The input of the inference engine is divided into two parts. One part is during intrusion detection (online judgment): the collector provides the collected network feature vectors to the cloud cognitive inference engine for analysis and inference. When the network is connected, the collector gathers many feature vectors; in order to handle the massive connection data of a cloud computing environment quickly, the feature vectors are optimally selected by a genetic algorithm, and the optimal feature individual is selected according to a fitness value that rewards a high detection rate and a low false alarm rate. The other part is during sample training (offline learning): the collector stores the preprocessed information in the database to provide information for the cloud cognitive inference engine, and cloud computing is then used to evaluate the intrusion possibility.
The statistical analysis processing module: it analyses the log records of the virtual organization in real time to discover abnormal events. The intrusion detection engine synthesizes the alarm information of each subsystem and, after analysis, sends an instruction to the event processing module, which completes the work of alarming, disconnecting the connection and the like.
The cognitive detection module comprises the data preprocessing unit, the data packet detection unit, the intrusion detection engine unit and the database; the cloud cognitive inference learning module comprises the cloud cognitive inference engine and a cloud regularization unit; the statistical analysis processing module comprises the statistical analysis unit and the event processing unit.
The data preprocessing unit is connected to the data packet detection unit and to the database respectively; the data packet detection unit is connected to the intrusion detection engine unit, and the intrusion detection engine unit is connected to the event processing unit. The database is connected to the cloud regularization unit; the cloud regularization unit and the cloud cognitive inference engine are connected to each other; the cloud cognitive inference engine is connected to the cloud regularization unit, the intrusion detection engine unit and the statistical analysis unit respectively; the statistical analysis unit is connected to the cognitive rule base, the event processing unit and the intrusion detection engine unit respectively; and the cognitive rule base is connected to the data packet detection unit.
As shown in fig. 1, fig. 2 and fig. 3, the cognitive intrusion detection method for a cloud computing environment based on the above system includes the following steps:
Step 1, a data preprocessing unit in the cloud computing environment receives a data packet with abnormal traffic, performs regularized preprocessing on the data in the packet to obtain a data packet file containing a feature vector, and sends the preprocessed data packet to a database and to a data packet detection unit respectively;
Step 2, the database receives and stores the data packet file with the feature vector data, and establishes a log record for the stored data packet;
Step 3, a cognitive rule base is established, which contains the feature data of known intrusion behaviours;
Step 3, the data packet detection unit performs rule matching against the information in the established cognitive rule base; if a matching rule is found, an alarm is raised to the intrusion detection engine unit, the intrusion detection engine unit sends an instruction to the event processing unit according to the received alarm information, and the event processing unit raises an alarm and cuts off the network after receiving the instruction;
Step 4, if the data packet detection unit finds no matching rule, this indicates that the attack type in the data packet cannot be identified, and the database transmits the information of the data packet to the cloud inference learning module for intrusion possibility evaluation;
Step 5, a cloud rule is established: when there is no network connection, the cloud cognitive inference engine establishes a cloud rule database using the feature vector data stored in the database as training samples;
Step 6, the unidentifiable attack type is judged: when the network is connected, the cloud cognitive inference engine receives the feature vector data of the data packet whose attack type could not be identified, selects the optimal feature vector data using a feature vector extraction algorithm based on a genetic algorithm to obtain the optimal intrusion feature vector, compares the intrusion feature vector with the established operation and management station database, activates several qualitative cloud rules, performs uncertainty inference, determines the intrusion type, and sends the result to the intrusion detection engine unit;
the feature vector extraction algorithm based on the genetic algorithm in the step6 specifically comprises the following steps:
1) setting an evolution algebra g to be 0, and generating an initialization population P (g) comprising n individuals;
2) evaluating each individual in the population, calculating a respective fitness f (x);
3) according to the individual fitness f (x), two individuals are selected from the P (g) as parents (the larger the fitness value is, the larger the selection chance is), according to the cross probability, the two selected individuals are crossed to generate new offspring (if the cross probability is 0, namely, the cross probability is not carried out, the offspring is the complete copy of the parents), and then according to the mutation probability, the new offspring generates mutation at respective gene loci; repeating the steps to generate new individuals, and forming a new group P (g +1) by the finally generated individuals;
4) taking a newly generated population P (g +1) as a population required by subsequent evolution operation, and making an evolution algebra g be g + 1;
5) if the termination condition is satisfied, the algorithm is ended, and the best individual in the current population, namely the optimal solution, is returned
6) And if the termination condition is not met, jumping to the step 2) to continue the genetic algorithm.
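The genetic algorithm of steps 1) to 6) above (it is listed once in the Disclosure and again here), as an added worked example in Python that is not the patent's own code. Individuals are bit masks over the feature vector, and the fitness rewards a high detection rate and a low false alarm rate, as the description of the inference module states. The constructed dataset, the nearest-centroid classifier used to score a feature subset, the population size, the crossover and mutation probabilities, the per-feature size penalty and the fixed generation count used as the termination condition are all assumptions made for the example.

```python
"""Genetic-algorithm feature selection for intrusion feature vectors (added example).

Individuals are bit masks over the feature vector; an individual's fitness is
the detection rate minus the false-alarm rate of a simple nearest-centroid
classifier trained on the selected features, minus a small size penalty.
"""
import math
import random

N_FEATURES = 8
INFORMATIVE = (0, 3, 5)  # constructed: only these features shift under attack


def make_dataset(n_per_class=60, seed=1):
    """Constructed labelled data: label 1 = attack record, 0 = normal record."""
    rng = random.Random(seed)
    rows = []
    for label in (0, 1):
        for _ in range(n_per_class):
            vec = [rng.gauss(0.0, 1.0) for _ in range(N_FEATURES)]
            if label == 1:
                for j in INFORMATIVE:
                    vec[j] += 4.0
            rows.append((vec, label))
    rng.shuffle(rows)
    return rows


def centroid_classifier(train, mask):
    """Nearest-centroid classifier restricted to the features where mask[j] == 1."""
    cents = {}
    for label in (0, 1):
        members = [v for v, lab in train if lab == label]
        cents[label] = [sum(v[j] for v in members) / len(members)
                        for j in range(N_FEATURES)]

    def predict(vec):
        def dist(c):
            return sum((vec[j] - c[j]) ** 2 for j in range(N_FEATURES) if mask[j])
        return 1 if dist(cents[1]) < dist(cents[0]) else 0
    return predict


def fitness(mask, train, test, penalty=0.02):
    """Detection rate minus false-alarm rate, minus a penalty per selected feature."""
    if not any(mask):
        return -1.0  # an empty feature set cannot classify anything
    predict = centroid_classifier(train, mask)
    tp = fp = pos = neg = 0
    for vec, label in test:
        pred = predict(vec)
        if label == 1:
            pos += 1
            tp += pred
        else:
            neg += 1
            fp += pred
    return tp / pos - fp / neg - penalty * sum(mask)


def run_ga(train, test, pop_size=20, generations=25, pc=0.8, pm=0.05, seed=7):
    """Steps 1)-6): initialise, evaluate, select/cross/mutate, loop until g == generations."""
    rng = random.Random(seed)
    g = 0                                                          # step 1)
    pop = [[rng.randint(0, 1) for _ in range(N_FEATURES)] for _ in range(pop_size)]
    best, best_fit = None, -math.inf
    while True:
        scored = sorted(((fitness(ind, train, test), ind) for ind in pop),
                        key=lambda s: s[0], reverse=True)          # step 2)
        if scored[0][0] > best_fit:
            best_fit, best = scored[0][0], list(scored[0][1])
        if g >= generations:                                       # step 5)
            return best, best_fit
        lo = scored[-1][0]
        weights = [f - lo + 1e-6 for f, _ in scored]  # fitness-proportionate selection
        parents = [ind for _, ind in scored]
        new_pop = [list(best)]  # elitism keeps the best-so-far individual
        while len(new_pop) < pop_size:                             # step 3)
            p1, p2 = rng.choices(parents, weights=weights, k=2)
            if rng.random() < pc:
                cut = rng.randint(1, N_FEATURES - 1)
                c1, c2 = p1[:cut] + p2[cut:], p2[:cut] + p1[cut:]
            else:
                c1, c2 = list(p1), list(p2)  # pc == 0 means exact copies of the parents
            for child in (c1, c2):
                for j in range(N_FEATURES):
                    if rng.random() < pm:
                        child[j] ^= 1  # mutation at a gene locus
                new_pop.append(child)
        pop = new_pop[:pop_size]                                   # step 4)
        g += 1                                                     # step 6)
```

Because the fitness is evaluated on held-out records, a mask that keeps only noise features scores near zero while any mask containing an informative feature scores close to one minus the size penalty, so the search converges on a small subset of the informative features.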
According to the calculation result of the above steps, the original cloud rule can be corrected and updated, so that the adaptability of intrusion detection to the current network environment is improved.
The uncertainty inference described in step 6 specifically comprises the following steps:
Step 1, for a set of unknown intrusion feature vectors $(X_1, X_2, \dots, X_n)$ after data preprocessing, each $X_i$ activates rules according to the 3En principle: a rule is activated when $|Ex - X_i| < 3En$;
Step 2, each activated rule corresponds to a forward cloud generator whose inference outputs a cloud drop $(x_i, y_i)$;
Step 3, a reverse cloud generator is applied to the cloud drops $(x_1, y_1), \dots, (x_n, y_n)$ to obtain the numerical characteristics of the virtual cloud: $Ex_{ij}, En_{ij}, He_{ij}$;
Step 4, $x_i$ is substituted into the virtual cloud to obtain its certainty degree;
Step 5, Steps 2-5 are repeated for each $x_i$ to obtain the corresponding certainty degrees;
Step 6, the intrusion type is determined according to the maximum certainty principle.
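The six uncertainty-inference steps above (given in the Disclosure and repeated here), as an added Python example that is not the patent's code: a forward normal cloud generator produces drops $(x_i, y_i)$ for each rule activated by the 3En principle, a reverse cloud generator recovers the virtual cloud's $(Ex, En, He)$ from those drops, the input value's certainty in the virtual cloud is computed, and the type with the highest summed certainty wins. The two-dimensional rule base, the cloud parameters, the feature vectors and the choice to sum certainties across dimensions are assumptions for the example; the reverse generator implemented is the with-certainty variant, which uses both coordinates of each drop.

```python
"""Cloud-model rule activation and uncertainty inference (added example).

A qualitative cloud rule is a normal cloud with numerical characteristics
(Ex, En, He): expected value, entropy and hyper-entropy.  The rule base,
the feature vectors and all parameter values below are constructed.
"""
import math
import random

# Constructed rule base: for each feature dimension, the cloud (Ex, En, He) of
# each intrusion type.  Dimension 0 = SYN packets per second, dimension 1 =
# distinct destination ports per minute.
RULES = [
    {"dos": (800.0, 60.0, 5.0), "probe": (50.0, 15.0, 2.0)},
    {"dos": (3.0, 1.0, 0.2), "probe": (120.0, 20.0, 2.0)},
]


def forward_cloud_drops(ex, en, he, n, rng):
    """Forward normal cloud generator: n cloud drops (x_i, y_i) of cloud (Ex, En, He)."""
    drops = []
    for _ in range(n):
        en_prime = max(abs(rng.gauss(en, he)), 1e-9)  # per-drop entropy sample
        x = rng.gauss(ex, en_prime)
        y = math.exp(-((x - ex) ** 2) / (2 * en_prime ** 2))  # certainty of x
        drops.append((x, y))
    return drops


def backward_cloud(drops):
    """Reverse cloud generator (with certainty): recover (Ex, En, He) from drops."""
    ex = sum(x for x, _ in drops) / len(drops)
    en_samples = []
    for x, y in drops:
        if y >= 0.999:
            continue  # ln(y) ~ 0 makes the per-drop entropy estimate unstable
        en_samples.append(math.sqrt(-((x - ex) ** 2) / (2 * math.log(y))))
    if not en_samples:
        raise ValueError("too few usable drops to estimate En")
    en = sum(en_samples) / len(en_samples)
    he = math.sqrt(sum((s - en) ** 2 for s in en_samples) / len(en_samples))
    return ex, en, he


def activated_rules(dim_rules, x):
    """3En principle: a rule fires when |Ex - x| < 3En."""
    return [name for name, (ex, en, _) in dim_rules.items() if abs(ex - x) < 3 * en]


def certainty(ex, en, x):
    """Certainty degree of x in the (virtual) cloud with expectation Ex and entropy En."""
    return math.exp(-((x - ex) ** 2) / (2 * en ** 2))


def infer_intrusion_type(rules, feature_vector, n_drops=200, seed=3):
    """Steps 1-6: activate rules, generate drops, rebuild the virtual cloud,
    sum each type's certainty over the dimensions, and return the maximum."""
    rng = random.Random(seed)
    scores = {}
    for i, x in enumerate(feature_vector):
        for name in activated_rules(rules[i], x):
            ex, en, he = rules[i][name]
            drops = forward_cloud_drops(ex, en, he, n_drops, rng)
            v_ex, v_en, _ = backward_cloud(drops)
            scores[name] = scores.get(name, 0.0) + certainty(v_ex, v_en, x)
    if not scores:
        return None, 0.0  # no rule activated: the type stays unknown
    best = max(scores, key=scores.get)
    return best, scores[best]
```

A vector that activates no rule in any dimension comes back as unknown rather than being forced onto the nearest type, which is the case the statistical analysis unit and the rule-base update in steps 7 and 8 exist to handle.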
Step 7, the intrusion feature vector is sent to the original cloud regularization database, which is corrected and updated into a typed cloud regularization database;
Step 8, the intrusion feature vector is sent to the statistical analysis unit, which judges whether a network intrusion has occurred according to the log record of the intrusion feature vector, sends the judgment result to the intrusion detection engine unit and the event processing unit, and at the same time sends the data of the intrusion feature vector to the cognitive rule base for updating;
In step 8, the statistical analysis processing unit measures n variable values at any given time to determine by inference whether an intrusion has occurred in the system. Each variable $N_i\ (i = 1, 2, \dots, n)$ represents a characteristic of a different aspect of the system, including the number of SYN packets, the number of user login failures, CPU usage, network traffic and the like; $M_i\ (i = 1, 2, \dots, n)$ is the predicted expected value of the data under normal conditions; and the detection function defined at time t is:
where $\lambda_i > 0$ is the weight representing the importance, i.e. the sensitivity, of each variable. The smaller $F(t)$, the closer the communication process is to the normal condition; when $F(t)$ exceeds a preset threshold, a network intrusion is considered to have occurred.
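The statistical detection of step 8, as an added Python example that is not the patent's code. The page describes $F(t)$ only in words (measured variables $N_i$, their normal expected values $M_i$, weights $\lambda_i > 0$ and a threshold) and its closed form is not reproduced here, so the example assumes a weighted sum of squared relative deviations, which is one form consistent with that description and not the patent's formula. The per-window log lines, the weights, the threshold and the rule that the first five windows define the normal baseline are all constructed.

```python
"""Multi-variable statistical detection function over log records (added example).

F(t) is ASSUMED here to be sum_i lambda_i * ((N_i(t) - M_i) / M_i)^2; the
page gives only the properties of F(t), not its formula.  Log lines, weights
and the threshold are constructed for the example.
"""
import re

# Constructed per-window counters as an IDS log might emit them; the first
# five windows are the normal baseline, window 6 is an attack window.
LOG_LINES = [
    "t=1 syn=100 login_fail=2 cpu=30 traffic=800",
    "t=2 syn=110 login_fail=1 cpu=40 traffic=850",
    "t=3 syn=90 login_fail=3 cpu=35 traffic=750",
    "t=4 syn=105 login_fail=2 cpu=30 traffic=800",
    "t=5 syn=95 login_fail=2 cpu=40 traffic=800",
    "t=6 syn=900 login_fail=40 cpu=90 traffic=4000",
]

# lambda_i: sensitivity weight of each variable (constructed values, all > 0)
WEIGHTS = {"syn": 1.0, "login_fail": 2.0, "cpu": 0.5, "traffic": 1.0}
THRESHOLD = 5.0  # constructed; tune against the F(t) distribution of normal windows

_PAIR = re.compile(r"(\w+)=([\d.]+)")


def parse_line(line):
    """Return (t, {variable: value}) for one 'key=value ...' log line."""
    fields = dict(_PAIR.findall(line))
    t = int(fields.pop("t"))
    return t, {k: float(v) for k, v in fields.items()}


def normal_baseline(records, variables):
    """M_i: expected value of each variable estimated from normal windows."""
    return {v: sum(r[v] for r in records) / len(records) for v in variables}


def detection_function(obs, baseline, weights):
    """Assumed form: F(t) = sum_i lambda_i * ((N_i(t) - M_i) / M_i)^2."""
    total = 0.0
    for var, lam in weights.items():
        denom = baseline[var] if baseline[var] != 0 else 1.0  # guard a zero baseline
        total += lam * ((obs[var] - baseline[var]) / denom) ** 2
    return total


def scan(lines, n_baseline=5, weights=WEIGHTS, threshold=THRESHOLD):
    """Evaluate F(t) for every window and flag those where F(t) exceeds the threshold."""
    parsed = [parse_line(ln) for ln in lines]
    baseline = normal_baseline([rec for _, rec in parsed[:n_baseline]], weights)
    results = []
    for t, rec in parsed:
        f = detection_function(rec, baseline, weights)
        results.append((t, round(f, 4), f > threshold))
    return results


def flagged_windows(lines, **kw):
    """Window ids at which a network intrusion is considered to have occurred."""
    return [t for t, _, hit in scan(lines, **kw) if hit]
```

Relative deviation keeps a variable with a small normal value (login failures around two per window) from being drowned out by one with a large normal value (traffic in the hundreds), which is why the weights can be chosen purely by how sensitive each variable should be.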
Step 9, the intrusion detection engine unit receives the inference result from the cloud cognitive inference engine and the judgment result from the statistical analysis unit and sends an instruction to the event processing unit;
Step 10, the event processing unit raises an alarm and cuts off the network after receiving the instructions from the intrusion detection engine unit and the statistical analysis unit.
Unlike a traditional intrusion detection system, the cloud-computing-oriented intrusion detection system with cognitive ability (CIDCC for short) does not use one-to-one matching, in which a rule is activated by a single feature match. Instead, when an acquired intrusion feature vector is input, several qualitative cloud intrusion rules are activated, the associated inference under uncertainty is then realized by the cloud cognitive inference engine, and only the judgment result is output to the intrusion detection engine, which makes the corresponding decision.
After the network connection starts, the intrusion detection system inside the network firewall intercepts the data streams in the network and preprocesses the data, i.e. collects the data streams in the network to generate a data packet file of a certain format. The packet inspection module then performs packet inspection on the preprocessed data stream.
All attacks in the data set provided in the cognitive rule base fall mainly into 4 categories: DOS, PROBE, R2L and U2R. Among them, the intrusion types in the DOS category include land, Necapture, pod, teardrop and the like; the PROBE category includes the intrusion types nmap, portsweep, satan, mscan and ipsweep. Whether the data stream is a known attack form is judged according to the cognitive rule base. For known attacks, an attack signature conforming to a certain rule is established; the attack signature consists of the following parts: processing mode (Assert warning, Disconnect, Track trace record), transport layer protocol type (TCP, UDP), application layer protocol type (FTP, HTTP, SSH, Telnet), port number, IP address range, remark information (Message) and the like. The experiment uses 1% of the whole data set (50,000 connection records in total), and, to ensure execution efficiency, 100,000 records are randomly selected as the training data set and the test set respectively. The training samples contain only the three types DOS, PROBE and R2L; the remaining data, 20,000 records, are used for testing and contain attack types that appear in the training set as well as attack types that do not.
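The attack signature described above, as an added Python example that is not the patent's code: each signature carries the listed fields (processing mode, transport protocol, application protocol, port, IP address range, remark message), a preprocessed packet record is matched against the rule base, and a record that matches nothing is set aside as an unidentified attack type for the cloud inference module, which is the branch taken in step 4 of the method. The rule base, the packet records, the reading of the IP range as a source-address CIDR, and the severity ordering of the three processing modes are assumptions for the example.

```python
"""Attack-signature matching in the cognitive rule base (added example).

A signature carries the fields the description lists: processing mode
(Assert warning, Disconnect, Track trace record), transport protocol,
application protocol, port, IP address range and a remark message.  The
rule base and packet records are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

SEVERITY = {"Track": 0, "Assert": 1, "Disconnect": 2}  # constructed ordering


@dataclass(frozen=True)
class Signature:
    action: str      # "Assert", "Disconnect" or "Track"
    transport: str   # "TCP" or "UDP"
    app: str         # "FTP", "HTTP", "SSH", "Telnet"
    port: int        # destination port
    ip_range: str    # source address range in CIDR notation (assumption)
    message: str     # remark information

    def matches(self, pkt):
        """Every field of the signature must agree with the preprocessed packet record."""
        return (pkt["transport"] == self.transport
                and pkt["app"] == self.app
                and pkt["dst_port"] == self.port
                and ipaddress.ip_address(pkt["src_ip"]) in ipaddress.ip_network(self.ip_range))


# Constructed rule base; the address ranges are documentation prefixes (RFC 5737).
RULE_BASE = [
    Signature("Disconnect", "TCP", "SSH", 22, "203.0.113.0/24",
              "repeated SSH login failures from watched range"),
    Signature("Assert", "TCP", "HTTP", 80, "198.51.100.0/24",
              "known scanner source range"),
    Signature("Track", "TCP", "FTP", 21, "0.0.0.0/0",
              "log all FTP control sessions"),
]


def inspect_packet(pkt, rules=RULE_BASE):
    """Return (action, messages): the most severe matching processing mode and the
    remark messages of all matching signatures, or (None, []) when no signature
    matches and the record goes to the cloud inference module as unidentified."""
    hits = [sig for sig in rules if sig.matches(pkt)]
    if not hits:
        return None, []
    action = max((sig.action for sig in hits), key=SEVERITY.__getitem__)
    return action, [sig.message for sig in hits]


def inspect_batch(packets, rules=RULE_BASE):
    """Split records into decided ones and those left for cloud inference."""
    decided, unknown = [], []
    for pkt in packets:
        action, msgs = inspect_packet(pkt, rules)
        (decided if action else unknown).append((pkt, action, msgs))
    return decided, unknown
```

Taking the most severe processing mode when several signatures match keeps a Track-only rule from downgrading a Disconnect decision for the same record.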
The detection results verify that the system has good detection capability for both unknown and known attacks, and that the new model has a higher ROC (receiver operating characteristic) value than the traditional intrusion detection model for known or unknown attacks. Moreover, the cognitive intrusion monitoring model based on cloud computing has the following advantages: first, the feature vector is optimized by the genetic algorithm of this method, so the required training and monitoring time is shorter than that of other methods; second, the real-time online detection capability is stronger; and finally, the large-scale parallel computing and large-data-volume processing capabilities of cloud computing are fully used in the cloud computing environment, so that computing capability is greatly enhanced and the system is safer and more efficient.

Claims (3)

1. A cognitive intrusion detection method oriented to a cloud computing environment, characterized by comprising the following steps:
step 1, a data preprocessing unit in the cloud computing environment receives a data packet with abnormal flow, carries out regularized preprocessing on the data in the data packet so as to obtain a data packet file containing a feature vector, and sends the preprocessed data packet to a database and to a data packet detection unit respectively;
step 2, the database receives and stores the data packet file with the feature vector data, and establishes a log record for the stored data packet;
step 3, a cognitive rule base is established, the cognitive rule base comprising characteristic data of known intrusion behaviour;
step 4, the data packet detection unit carries out rule matching against the information in the established cognitive rule base; if a matching rule is found, an alarm is raised to the intrusion detection engine unit, the intrusion detection engine unit sends an instruction to the event processing unit according to the received alarm information, and the event processing unit sends an alarm and cuts off the network after receiving the instruction;
step 5, if the data packet detection unit finds no matching rule, this indicates that the attack type in the data packet cannot be identified, and the database transmits the information of the data packet to a cloud reasoning learning module for intrusion possibility evaluation;
step 6, cloud rules are established: when there is no network connection, the cloud cognitive inference engine establishes a cloud regularized database unit for the training samples according to the feature vector data in the database;
step 7, the unidentifiable attack types are judged: when the network is connected, the cloud cognitive inference engine receives the feature vector data of the data packet whose attack type cannot be identified, optimally selects the feature vector data using a feature vector extraction algorithm based on a genetic algorithm to obtain the most preferable intrusion feature vector, compares the intrusion feature vector with the established operation and management station database, activates a plurality of qualitative cloud rules, carries out uncertainty inference, determines the intrusion type, and sends the result to the intrusion detection engine unit;
step 8, the most preferable intrusion feature vector is sent to the cloud regularization database, which is modified and updated into the model;
step 9, the most preferable intrusion feature vector is sent to a statistical analysis unit, the statistical analysis unit judges whether a network intrusion has been formed according to the log record of the intrusion feature vector, the judgement result is sent to the intrusion detection engine unit and the event processing unit, and at the same time the data of the most preferable intrusion feature vector are sent to the cognitive rule base for updating;
step 10, the intrusion detection engine unit receives the inference result from the cloud cognitive inference engine and the judgement result from the statistical analysis unit, and sends an instruction to the event processing unit;
step 11, the event processing unit sends an alarm and cuts off the network after receiving the instructions from the intrusion detection engine unit and the statistical analysis unit.
2. The cloud computing environment-oriented cognitive intrusion detection method according to claim 1, wherein the genetic algorithm-based feature vector extraction algorithm in step 6 specifically comprises the following steps:
1) setting the evolution generation number g to 0, and generating an initial population P(g) comprising n individuals;
2) evaluating each individual in the population and calculating its fitness f(x);
3) according to the individual fitness f(x), selecting two individuals from P(g) as parents (the larger the fitness value, the larger the chance of selection); crossing the two selected individuals according to the crossover probability to generate new offspring (if the crossover probability is 0, that is, no crossover is carried out, the offspring are exact copies of the parents); then, according to the mutation probability, mutating the new offspring at their respective gene loci; repeating these operations to generate new individuals, the finally generated individuals forming a new population P(g+1);
4) taking the newly generated population P(g+1) as the population for the subsequent evolution operations, and setting the evolution generation number g to g+1;
5) if the termination condition is met, ending the algorithm and returning the best individual in the current population, namely the optimal solution;
6) if the termination condition is not met, returning to step 2) and continuing the genetic algorithm.
3. The cloud computing environment-oriented cognitive intrusion detection method according to claim 1, wherein the uncertainty inference in step 6 specifically comprises the following steps:
step 1, for a set of unknown intrusion feature vectors $(X_1, X_2, \ldots, X_n)$ obtained after data preprocessing, each $X_i$ activates a rule according to the 3En principle: $|Ex - X_i| < 3En$;
step 2, each activated rule corresponds to a forward cloud generator whose inference outputs a cloud drop $(x_i, y_i)$, where $x_i$ is the certainty degree of $X_i$;
step 3, a backward cloud generator obtains, from the cloud drops $(x_1, y_1), \ldots, (x_n, y_n)$, the numerical characteristics of the virtual cloud: $Ex_{ij}, En_{ij}, He_{ij}$;
step 4, $x_i$ is substituted into the virtual cloud to obtain the certainty degree of the virtual cloud;
step 5, the process of steps 2 to 5 is repeated for each $x_i$ to obtain the corresponding certainty degrees respectively;
step 6, the intrusion type is determined according to the maximum certainty principle.
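The genetic feature-vector selection of claim 2, worked through as an added example (this is not the patent's code). The labelled connection records, the nearest-centroid fitness function and all parameters (population size, crossover and mutation probabilities, termination target) are constructed assumptions; the claim fixes only the six steps.

```python
import random

# Constructed, labelled sample (not from the patent): 12 connection records with
# 6 normalised features; features 0-2 carry class information, 3-5 are noise.
CENTRES = {"DOS": (0.9, 0.1, 0.9), "PROBE": (0.5, 0.5, 0.9), "R2L": (0.1, 0.9, 0.1)}
_rng = random.Random(7)
DATA = [(label, [c + j for c in centre] + [_rng.random() for _ in range(3)])
        for label, centre in CENTRES.items() for j in (-0.04, -0.02, 0.02, 0.04)]

def accuracy(mask, data=DATA):
    """Nearest-centroid accuracy using only the features selected by mask."""
    sel = [i for i, bit in enumerate(mask) if bit]
    if not sel:
        return 0.0
    cents = {}
    for label in {l for l, _ in data}:
        rows = [v for l, v in data if l == label]
        cents[label] = [sum(r[i] for r in rows) / len(rows) for i in sel]
    hits = 0
    for label, v in data:
        dist = lambda c: sum((v[i] - c[k]) ** 2 for k, i in enumerate(sel))
        hits += min(cents, key=lambda l: dist(cents[l])) == label
    return hits / len(data)

def fitness(mask):
    """Fitness f(x): accuracy minus a cost per selected feature (shorter vectors win)."""
    return accuracy(mask) - 0.05 * sum(mask)

def ga_select(n_feat=6, n=20, pc=0.8, pm=0.05, target=0.94, max_g=200, seed=3):
    """Steps 1-6 of claim 2; returns (selected feature indices, best fitness)."""
    rng = random.Random(seed)
    g, pop = 0, [[rng.randint(0, 1) for _ in range(n_feat)] for _ in range(n)]  # step 1
    while True:
        fit = [fitness(x) for x in pop]                                         # step 2
        best = pop[fit.index(max(fit))]
        if max(fit) >= target or g >= max_g:                                    # step 5
            return [i for i, b in enumerate(best) if b], max(fit)
        wts = [max(f, 1e-6) for f in fit]
        new_pop = []
        while len(new_pop) < n:                                                 # step 3
            a, b = rng.choices(pop, weights=wts, k=2)  # fitness-proportional parents
            if rng.random() < pc:
                cut = rng.randint(1, n_feat - 1)
                a, b = a[:cut] + b[cut:], b[:cut] + a[cut:]
            else:
                a, b = a[:], b[:]                       # no crossover: exact copies
            for child in (a, b):
                child[:] = [bit ^ (rng.random() < pm) for bit in child]  # mutation
                new_pop.append(child)
        pop, g = new_pop[:n], g + 1                    # step 4; step 6: back to step 2
```

Feature 2 alone cannot separate DOS from PROBE, so the search has to keep feature 0 or 1 while the per-feature cost pushes the mask towards the shortest sufficient vector.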
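The cloud-model uncertainty inference of claim 3 (3En activation, forward cloud generator, backward cloud generator, substitution into the virtual cloud, maximum certainty), carried through as an added example rather than the patent's code. The rule base values are constructed; the reading that one virtual cloud is built per (feature, rule) pair and that a rule's certainties are multiplied across features is an assumption, as the claim does not fix how the per-feature certainties are combined.

```python
import math, random

# Constructed cognitive rule base (not from the patent): one qualitative cloud rule
# per intrusion type, holding (Ex, En, He) for each of three hypothetical features.
RULES = {
    "DOS":   [(0.90, 0.05, 0.005), (0.10, 0.05, 0.005), (0.80, 0.10, 0.010)],
    "PROBE": [(0.20, 0.05, 0.005), (0.90, 0.05, 0.005), (0.10, 0.10, 0.010)],
    "R2L":   [(0.50, 0.10, 0.010), (0.50, 0.10, 0.010), (0.50, 0.10, 0.010)],
}

def activated(ex, en, x):
    """3En principle (claim 3, step 1): the rule fires only if |Ex - x| < 3En."""
    return abs(ex - x) < 3 * en

def forward_cloud(ex, en, he, m, rng):
    """Forward cloud generator: m drops (x, y) of the cloud (Ex, En, He)."""
    drops = []
    for _ in range(m):
        en_i = rng.gauss(en, he) or en          # He (hyper-entropy) perturbs En
        x = rng.gauss(ex, abs(en_i))
        drops.append((x, math.exp(-(x - ex) ** 2 / (2 * en_i ** 2))))
    return drops

def backward_cloud(drops):
    """Backward cloud generator: recover (Ex, En, He) from drops (x, y)."""
    ex = sum(x for x, _ in drops) / len(drops)
    # a drop with certainty y fixes its own En'_i; En and He are their mean and std
    ens = [math.sqrt(-(x - ex) ** 2 / (2 * math.log(y)))
           for x, y in drops if 0 < y < 1]
    en = sum(ens) / len(ens)
    he = math.sqrt(sum((e - en) ** 2 for e in ens) / len(ens))
    return ex, en, he

def certainty(ex, en, x):
    """Certainty of x on the expectation curve of the cloud (Ex, En)."""
    return math.exp(-(x - ex) ** 2 / (2 * en ** 2))

def infer(vector, rules=RULES, m=200, seed=1):
    """Steps 1-6 of claim 3: the intrusion type with the maximum certainty."""
    rng, scores = random.Random(seed), {}
    for kind, clouds in rules.items():
        total = 1.0
        for x_i, (ex, en, he) in zip(vector, clouds):
            if not activated(ex, en, x_i):      # step 1: rule not activated
                total = 0.0
                break
            vex, ven, _ = backward_cloud(forward_cloud(ex, en, he, m, rng))  # steps 2-3
            total *= certainty(vex, ven, x_i)   # step 4: x_i into the virtual cloud
        scores[kind] = total
    return max(scores, key=scores.get), scores  # step 6: maximum certainty principle
```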
CN201710096368.6A 2017-02-22 2017-02-22 Cognitive intrusion detection method oriented to cloud computing environment Active CN107040517B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710096368.6A CN107040517B (en) 2017-02-22 2017-02-22 Cognitive intrusion detection method oriented to cloud computing environment

Publications (2)

Publication Number Publication Date
CN107040517A CN107040517A (en) 2017-08-11
CN107040517B true CN107040517B (en) 2020-01-10

Family

ID=59533553

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710096368.6A Active CN107040517B (en) 2017-02-22 2017-02-22 Cognitive intrusion detection method oriented to cloud computing environment

Country Status (1)

Country Link
CN (1) CN107040517B (en)

Families Citing this family (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107623691A (en) * 2017-09-29 2018-01-23 长沙市智为信息技术有限公司 A kind of ddos attack detecting system and method based on reverse transmittance nerve network algorithm
CN107612948A (en) * 2017-11-08 2018-01-19 国网四川省电力公司信息通信公司 A kind of intrusion prevention system and method
CN107992746B (en) * 2017-12-14 2021-06-25 华中师范大学 Malicious behavior mining method and device
CN107835201A (en) * 2017-12-14 2018-03-23 华中师范大学 Network attack detecting method and device
CN108183902B (en) * 2017-12-28 2021-10-22 北京奇虎科技有限公司 Malicious website identification method and device
CN109756478A (en) * 2018-11-28 2019-05-14 国网江苏省电力有限公司南京供电分公司 A kind of abnormal multistage standby blocking-up method of industrial control system attack considering priority
CN109547455A (en) * 2018-12-06 2019-03-29 南京邮电大学 Industrial Internet of Things anomaly detection method, readable storage medium storing program for executing and terminal
CN110324348A (en) * 2019-07-08 2019-10-11 陈浩 A kind of information security of computer network monitoring system
CN110417823B (en) * 2019-09-25 2020-04-14 广东电网有限责任公司佛山供电局 Communication network intrusion detection method based on embedded feature selection architecture
CN112653651A (en) * 2019-10-11 2021-04-13 四川无国界信息技术有限公司 Vulnerability mining method based on cloud computing
CN112866175B (en) * 2019-11-12 2022-08-19 华为技术有限公司 Method, device, equipment and storage medium for reserving abnormal traffic types
CN113065127B (en) * 2021-02-24 2022-09-20 山东英信计算机技术有限公司 Database protection method, system and medium
CN114154160B (en) * 2022-02-08 2022-09-16 中国电子信息产业集团有限公司第六研究所 Container cluster monitoring method and device, electronic equipment and storage medium
CN115118500B (en) * 2022-06-28 2023-11-07 深信服科技股份有限公司 Attack behavior rule acquisition method and device and electronic equipment
CN116168805B (en) * 2023-01-20 2023-08-01 北京瑞帆科技有限公司 Thinking training device and cognitive training system for cognitive training
CN117273571B (en) * 2023-10-12 2024-04-02 江苏泓鑫科技有限公司 Intelligent port operation data management system and method based on blockchain

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101924762A (en) * 2010-08-18 2010-12-22 奇智软件(北京)有限公司 Cloud security-based active defense method
CN102111420A (en) * 2011-03-16 2011-06-29 上海电机学院 Intelligent NIPS framework based on dynamic cloud/fire wall linkage
CN102123396A (en) * 2011-02-14 2011-07-13 恒安嘉新(北京)科技有限公司 Cloud detection method of virus and malware of mobile phone based on communication network
CN102663284A (en) * 2012-03-21 2012-09-12 南京邮电大学 Malicious code identification method based on cloud computing
CN102724176A (en) * 2012-02-23 2012-10-10 北京市计算中心 Intrusion detection system facing cloud calculating environment
CN104753920A (en) * 2015-03-01 2015-07-01 江西科技学院 Quantum genetic algorithm based intrusion detection method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030113727A1 (en) * 2000-12-06 2003-06-19 Girn Kanwaljit Singh Family history based genetic screening method and apparatus

Also Published As

Publication number Publication date
CN107040517A (en) 2017-08-11

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
Address after: Yuen Road Qixia District of Nanjing City, Jiangsu Province, No. 9 210023
Applicant after: Nanjing Post & Telecommunication Univ.
Address before: 210003 Gulou District, Jiangsu, Nanjing new model road, No. 66
Applicant before: Nanjing Post & Telecommunication Univ.
GR01 Patent grant