CN108345902B - Self-learning white list model base construction and white list detection method based on transaction characteristics - Google Patents


Info

Publication number: CN108345902B
Authority: CN (China)
Prior art keywords: transaction, white list, self, learning, workflow
Legal status: Active
Application number: CN201810069650.XA
Other languages: Chinese (zh)
Other versions: CN108345902A (en)
Inventors: 戚建淮, 伍贤云, 唐娟
Current Assignee: Shenzhen Y&D Electronics Information Co Ltd
Original Assignee: Shenzhen Y&D Electronics Information Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/23 Clustering techniques
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]

Abstract

A method for constructing a self-learning white list model library based on transaction characteristics comprises the following steps: S1, generating a workflow based on a network action or transaction; S2, extracting transaction characteristics from the workflow, wherein the transaction characteristics comprise a transaction transverse characteristic and a transaction longitudinal characteristic; S3, constructing the self-learning white list model library based on the transaction characteristics. With this method, a white list model library based on transaction characteristics can be constructed through computer self-learning, which avoids the difficulty and error-proneness of manual entry. Using the self-learning white list model library for white list detection can greatly improve the access security of a service system and allows white list detection to be applied conveniently in various fields, thereby greatly improving security detection technology.

Description

Self-learning white list model base construction and white list detection method based on transaction characteristics
Technical Field
The invention relates to the technical field of networks, in particular to a self-learning white list model base construction method based on transaction characteristics and a self-learning white list detection method based on transaction characteristics.
Background
As security requirements rise, white list detection of the operation flow of mandatory access control services greatly improves the security of a protected network system. The computer must determine from complex network traffic which service a flow belongs to. To do so, it needs a model library of normal services, expressed in the form of transactions or workflows, against which the network traffic is matched. The normal service model library can be entered manually, but in a complex system the number of workflows or transactions is very large, and the network traffic would have to be analyzed before manual entry, which is practically impossible. A self-learning white list model library construction method based on transaction characteristics is therefore needed.
Disclosure of Invention
The technical problem to be solved by the invention is to provide, in view of the above defects in the prior art, a method for constructing a self-learning white list model library based on transaction characteristics. The method constructs the white list model library through computer self-learning, which avoids the difficulty and error-proneness of manual entry. Using the self-learning white list model library for white list detection can greatly improve the access security of a service system and allows white list detection to be applied conveniently in various fields, thereby greatly improving security detection technology.
The technical solution adopted by the invention to solve this technical problem is a self-learning white list model library construction method based on transaction characteristics, comprising the following steps:
S1, generating a workflow based on a network action or transaction;
S2, extracting transaction characteristics from the workflow, wherein the transaction characteristics comprise transaction transverse characteristics and transaction longitudinal characteristics;
S3, constructing the self-learning white list model library based on the transaction characteristics.
In the method for constructing the self-learning white list model library based on the transaction characteristics, step S1 further includes:
S11, receiving the network action or transaction;
S12, recording and playing back the network action or transaction, and capturing the packets of the data stream generated during playback;
S13, classifying the data stream to generate the workflow.
In the method for constructing the self-learning white list model library based on the transaction characteristics, step S12 further includes:
S121, recording and playing back the network action or transaction according to a set time and number of repetitions;
S122, capturing the data stream generated during playback with a packet capture tool and storing it in a file.
In the method for constructing the self-learning white list model library based on the transaction characteristics, step S13 further includes: classifying identical or similar data streams with a clustering algorithm, and taking the classified data sequences as the workflow generated by the network action or transaction.
In the method for constructing the self-learning white list model library based on the transaction characteristics, step S2 further includes:
S21, setting different use cases for the workflow of the same network action or transaction and placing the different use cases in different groups;
S22, performing minimum similarity analysis on the feature data of the workflows in each group;
S23, performing transaction feature extraction on the workflows of the different use cases of the same network action or transaction.
In the method for constructing the self-learning white list model library based on the transaction characteristics, step S22 further includes:
S221, comparing the transaction transverse features in the workflow;
S222, comparing the transaction longitudinal features in the workflow;
wherein the transaction transverse feature is a transaction transverse white list feature and the transaction longitudinal feature is a longitudinal sequence feature.
In the method for constructing the self-learning white list model library based on the transaction characteristics, step S3 further includes:
S31, automatically adding the transaction label corresponding to the transaction characteristics to the self-learning white list model library to construct the self-learning white list model library.
In the method for constructing the self-learning white list model library based on the transaction characteristics, the transaction label comprises: system name, sequence number, transaction content.
Another technical solution adopted by the present invention to solve the technical problem is a computer-readable storage medium on which a computer program is stored, wherein the computer program, when executed by a processor, implements the above method for constructing the self-learning white list model library based on the transaction characteristics.
A further technical solution adopted by the invention to solve the technical problem is a self-learning white list detection method based on transaction characteristics, comprising the following steps:
S1, acquiring message characteristics of normal services;
S2, performing white list detection based on the self-learning white list model library and the message characteristics,
wherein the self-learning white list model library is constructed by the above self-learning white list model library construction method based on the transaction characteristics.
By implementing the self-learning white list model library construction method based on the transaction characteristics and the computer-readable storage medium, a white list model library based on transaction characteristics can be constructed through computer self-learning, which avoids the difficulty and error-proneness of manual entry. Using the self-learning white list model library for white list detection can greatly improve the access security of a service system and allows white list detection to be applied conveniently in various fields, thereby greatly improving security detection technology.
Drawings
The invention will be further described with reference to the accompanying drawings and examples, in which:
FIG. 1 is a flowchart of a self-learning white list model library construction method according to a first embodiment of the present invention;
FIG. 2 is a flow chart of a transaction characteristic based self-learning white list detection method according to a first embodiment of the present invention;
FIG. 3 is a schematic diagram of a message sequence generated by a network action or transaction;
FIG. 4 is a schematic diagram of transaction feature classification based on transactions;
FIG. 5 is a schematic diagram of transaction feature extraction for workflows of different use cases of the same network action or transaction.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The invention relates to a self-learning white list model library construction method based on transaction characteristics, which comprises the following steps: S1, generating a workflow based on a network action or transaction; S2, extracting transaction characteristics from the workflow; S3, constructing the self-learning white list model library based on the transaction characteristics. The transaction characteristics include a transaction transverse characteristic and a transaction longitudinal characteristic. With this method, a white list model library based on transaction characteristics can be constructed through computer self-learning, which avoids the difficulty and error-proneness of manual entry.
Fig. 1 is a flowchart of a self-learning white list model library construction method according to a first embodiment of the present invention. As shown in Fig. 1, in step S1, a workflow is generated based on the network action or transaction.
In a preferred embodiment of the present invention, step S1 further includes steps S11-S13. In step S11, the network action or transaction is received. In the present invention, an action or transaction generates a series of message features. Fig. 3 is a schematic diagram of a message sequence generated by a network action or transaction. As shown in Fig. 3, when the user performs the operation of transaction 1, message feature A1 is generated in step 1, message feature B1 in step 2, message feature C1 in step 3, message feature D1 in step 4, message feature E1 in step 5, and message feature F1 in step 6. The network action or transaction therefore requires a complete packet capture, and the captured packets must be sorted. Accordingly, in step S12, the network action or transaction is recorded and played back, and the data stream generated during playback is captured. Further, in step S12, the network action or transaction can be recorded and played back according to a set time and number of repetitions, and the data stream generated during playback is captured with a packet capture tool and stored in a file. This is necessary because the data collected during training consists of many transactions mixed with much irrelevant data, so the data of each transaction must be separated from a large mass of data.
In the preferred embodiment of the invention, each transaction operation can be recorded as one segment, so that several transactions yield several segments, which are then played back. The number of playbacks can be set, and different recorded segments can be played back in random order. All data streams generated during playback are stored in a file using a packet capture tool. Because the number and time of recording and playback can be set and only effective transaction operations are performed, interference from useless packets is greatly reduced. In a preferred embodiment of the present invention, the network actions or transactions may be grouped before recording and playback, with different network actions or transactions placed in different groups. In step S13, the data stream is classified to generate the workflow. In a preferred embodiment of the present invention, a clustering algorithm may be used to classify identical or similar data streams, and the classified data sequence is taken as the workflow generated by the network action or transaction. Fig. 4 is a schematic diagram of transaction feature classification based on transactions.
In step S2, transaction features are extracted from the workflow. In a preferred embodiment of the present invention, step S2 further includes steps S21-S23. In step S21, different use cases are set for the workflow of the same network action or transaction and placed in different groups. For a single transaction, such as a user registration process, runs differ only in their parameters, that is, in the data filled in during registration, so the same transaction can generate countless different network flows. Storing every feature would consume a huge amount of space and an immeasurable amount of time, and it is impossible to collect all use cases at once. The transaction features therefore need to be abstracted: different use cases are set for the same transaction operation, and each use case is placed in a different group. In step S22, a minimum similarity analysis is performed on the feature data of the workflows in each group. In a preferred embodiment of the invention, this comprises comparing the transaction transverse features in the workflow and comparing the transaction longitudinal features in the workflow, where the transaction transverse feature is a transaction transverse white list feature and the transaction longitudinal feature is a longitudinal sequence feature. In step S23, transaction features are extracted from the workflows of the different use cases of the same network action or transaction. Fig. 5 illustrates this transaction feature extraction.
In step S3, the self-learning white list model library is constructed based on the transaction characteristics. In a preferred embodiment of the present invention, the transaction label corresponding to the transaction feature is automatically added to the self-learning white list model library to construct the self-learning white list model library. The transaction label includes: system name, sequence number, transaction content.
By implementing the self-learning white list model library construction method based on the transaction characteristics, a white list model library based on transaction characteristics can be constructed through computer self-learning, which avoids the difficulty and error-proneness of manual entry.
Another embodiment of the present invention provides a machine-readable storage and/or storage medium having stored thereon a machine code and/or a computer program having at least one code section for execution by a machine and/or a computer to cause the machine and/or computer to perform the steps of the transaction characteristic-based self-learning white list model library construction method described herein.
Fig. 2 is a flowchart of a transaction characteristic-based self-learning white list detection method according to a first embodiment of the present invention. As shown in Fig. 2, in step S1, the message characteristics of the normal service are acquired. In step S2, white list detection is performed based on the self-learning white list model library and the message characteristics. In this preferred embodiment, the self-learning white list model library is constructed by the self-learning white list model library construction method based on the transaction characteristics. In a preferred embodiment of the present invention, the detection method may further include performing white list detection based on the transaction characteristics to check whether the transaction characteristics obtained by self-learning are correct, and testing the learned transaction characteristics with new use cases (e.g., network actions or transactions) to determine the range that the learned characteristics cover.
In a further preferred embodiment of the present invention, the transaction characteristic-based self-learning white list detection method comprises the following operation steps. In step S1, a business system environment, an automatic learning program, recording software, and test cases are prepared. In this example, the test cases may be multiple network actions or transactions. In step S2, the test cases are tested, and different cases are placed in different groups. In step S3, the use cases are recorded and played back using the recording software, and a packet capture tool captures the packets, generating different data stream packets. In step S4, after the different packets are collected, analysis is started using the automatic learning program and a connection is established with the model library. In step S5, after the analysis is completed, it is checked whether the transaction feature stream in the model library has been generated normally. In step S6, white list detection based on the transaction flow is performed to check whether the learned features are correct. In step S7, new use cases are tested against the learned transaction features to determine the range of the learned abstract features.
By implementing the self-learning white list detection method based on the transaction characteristics, the self-learning white list model library is used for white list detection, which can greatly improve the access security of a service system and allows white list detection to be applied conveniently in various fields, thereby greatly improving security detection technology.
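The feature extraction and library construction steps (S2, S3) and the detection method described above, as an added Python example that is not part of the patent. The dictionary message format, the wildcard used to abstract values that differ between use cases, the rejection of fields never seen during learning, and the sample registration workflow are assumptions made for illustration; the patent does not specify them.

```python
from dataclasses import dataclass

WILDCARD = "*"  # value differs between use cases, so only the field's presence is required

@dataclass(frozen=True)
class TransactionLabel:
    """The three label fields the patent names for a model-library entry."""
    system_name: str
    sequence_number: int
    transaction_content: str

@dataclass(frozen=True)
class StepFeature:
    """Transverse feature of one workflow step (this representation is an assumption)."""
    required: tuple      # sorted (field, value-or-WILDCARD) pairs seen in every use case
    allowed: frozenset   # every field name seen in any use case at this step

    def matches(self, message):
        if not set(message) <= self.allowed:
            return False  # a field never seen during learning is not whitelisted
        return all(
            name in message and (value == WILDCARD or message[name] == value)
            for name, value in self.required
        )

def transverse_feature(step_messages):
    """Compare the messages that different use cases produced at the same step."""
    common = set.intersection(*(set(m) for m in step_messages))
    required = []
    for name in sorted(common):
        values = {m[name] for m in step_messages}
        required.append((name, values.pop() if len(values) == 1 else WILDCARD))
    allowed = frozenset().union(*(m.keys() for m in step_messages))
    return StepFeature(tuple(required), allowed)

def extract_transaction_feature(use_cases):
    """Longitudinal feature: the ordered tuple of per-step transverse features."""
    if len({len(workflow) for workflow in use_cases}) != 1:
        raise ValueError("use cases of one transaction must have the same number of steps")
    return tuple(transverse_feature(step) for step in zip(*use_cases))

class WhitelistModelLibrary:
    def __init__(self, system_name):
        self.system_name = system_name
        self.entries = []  # (TransactionLabel, longitudinal feature) pairs

    def learn(self, transaction_content, use_cases):
        """Add the learned feature under an automatically generated label."""
        feature = extract_transaction_feature(use_cases)
        label = TransactionLabel(self.system_name, len(self.entries) + 1, transaction_content)
        self.entries.append((label, feature))
        return label

    def detect(self, workflow):
        """Return the label of the whitelisted transaction, or None if nothing matches."""
        for label, feature in self.entries:
            if len(feature) == len(workflow) and all(
                step.matches(msg) for step, msg in zip(feature, workflow)
            ):
                return label
        return None

def registration(user, email):
    """Constructed sample workflow: the message features of one registration use case."""
    return [
        {"method": "GET", "path": "/register"},
        {"method": "POST", "path": "/register", "user": user, "email": email},
        {"method": "GET", "path": "/welcome"},
    ]

def demo():
    library = WhitelistModelLibrary("demo-portal")  # hypothetical system name
    label = library.learn("user registration", [
        registration("alice", "alice@example.test"),
        registration("bob", "bob@example.test"),
    ])
    new_case = registration("carol", "carol@example.test")  # unseen values, same shape
    reordered = [new_case[1], new_case[0], new_case[2]]       # breaks the step sequence
    extra_field = registration("dave", "dave@example.test")
    extra_field[1]["role"] = "admin"                          # field never seen in learning
    return {
        "label": label,
        "new_case": library.detect(new_case),
        "reordered": library.detect(reordered),
        "extra_field": library.detect(extra_field),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The new use case with unseen values matches the learned entry, which corresponds to testing the range of the learned abstract features, while the reordered sequence and the message carrying an unlearned field fall outside the white list.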
The description of the invention also describes the implementation of particular functions and their interrelationships by means of method steps. The boundaries and sequence of these method steps have been specifically defined herein for the convenience of the description. The boundaries and sequence of these functions and relationships may be redefined so that they function properly. These redefinitions of boundaries and order are intended to fall within the spirit and scope of the claimed invention.
The present invention may also be implemented by a computer program product comprising all the features enabling the implementation of the methods of the invention when loaded in a computer system. The computer program in this document refers to: any expression, in any programming language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after either or both of the following: a) conversion to other languages, codes or symbols; b) reproduction in a different format.
While the invention has been described with reference to specific embodiments, it will be understood by those skilled in the art that various changes may be made and equivalents may be substituted without departing from the scope of the invention. In addition, many modifications may be made to adapt a particular situation or material to the teachings of the invention without departing from its scope. Therefore, it is intended that the invention not be limited to the particular embodiment disclosed, but that the invention will include all embodiments falling within the scope of the appended claims.

Claims (4)

1. A self-learning white list model library construction method based on transaction characteristics is characterized by comprising the following steps:
S1, generating a workflow based on a network action or transaction;
S2, extracting transaction characteristics from the workflow, wherein the transaction characteristics comprise transaction transverse characteristics and transaction longitudinal characteristics;
S3, constructing the self-learning white list model library based on the transaction characteristics;
the step S1 further includes:
S11, receiving the network action or transaction;
S12, recording and playing back the network action or transaction, and capturing the packets of the data stream generated during playback;
S13, classifying the data stream to generate the workflow;
the step S12 further includes:
S121, recording and playing back the network action or transaction according to a set time and number of repetitions;
S122, capturing the data stream generated during playback with a packet capture tool and storing it in a file;
the step S13 further includes: classifying identical or similar data streams with a clustering algorithm, and taking the classified data sequences as the workflow generated by the network action or transaction;
the step S2 further includes:
S21, setting different use cases for the workflow of the same network action or transaction and placing the different use cases in different groups;
S22, performing minimum similarity analysis on the feature data of the workflows in each group;
S23, extracting the transaction characteristics of the workflows of the different use cases of the same network action or transaction;
the step S22 further includes:
S221, comparing the transaction transverse features in the workflow;
S222, comparing the transaction longitudinal features in the workflow;
wherein the transaction transverse feature is a transaction transverse white list feature and the transaction longitudinal feature is a longitudinal sequence feature;
the step S3 further includes:
S31, automatically adding the transaction label corresponding to the transaction characteristics to the self-learning white list model library to construct the self-learning white list model library.
2. The method for building the self-learning white list model base based on the transaction characteristics as claimed in claim 1, wherein the transaction label comprises: system name, sequence number, and transaction content.
3. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, implements the transaction feature-based self-learning white-list model library construction method according to claim 1 or 2.
4. A self-learning white list detection method based on transaction characteristics is characterized by comprising the following steps:
S1, acquiring message characteristics of normal services;
S2, performing white list detection based on the self-learning white list model library and the message characteristics,
wherein the self-learning white list model library is constructed based on the transaction characteristic-based self-learning white list model library construction method of claim 1 or 2.
Application number: CN201810069650.XA
Priority date: 2018-01-24
Filing date: 2018-01-24
Title: Self-learning white list model base construction and white list detection method based on transaction characteristics
Status: Active

Publications (2)

CN108345902A, published 2018-07-31
CN108345902B, published 2021-08-17

Family ID: 62961181

Country: CN
