CN108347430A - Network intrusion detection and vulnerability scanning method and device based on deep learning - Google Patents


Info

Publication number: CN108347430A
Authority: CN (China)
Prior art keywords: file, database, attack, network, malicious file
Legal status: Granted
Application number: CN201810011225.5A
Other languages: Chinese (zh)
Other versions: CN108347430B (en)
Inventors: 袁宝, 高强, 马广鹏, 刘宗杰, 乔亚男, 李辉, 陈伦, 马志腾, 张翠珍, 冯庆云, 杨涛, 丛超, 张坤, 孙春刚, 李文旭, 张延霞, 张颜艳, 付正鑫, 刘秀秀, 吕德志
Current assignee: State Grid Corp of China SGCC; Jining Power Supply Co of State Grid Shandong Electric Power Co Ltd
Original assignee: State Grid Corp of China SGCC; Jining Power Supply Co of State Grid Shandong Electric Power Co Ltd
Events: application filed by State Grid Corp of China SGCC and Jining Power Supply Co of State Grid Shandong Electric Power Co Ltd; priority to CN201810011225.5A; publication of CN108347430A; application granted; publication of CN108347430B; legal status active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1433 Vulnerability analysis
    • H04L 63/1441 Countermeasures against malicious traffic


Abstract

The invention discloses a network intrusion detection and vulnerability scanning method and device based on deep learning. The method includes: collecting malicious sample files and building a malicious file database; using a deep learning algorithm to train a model on the behaviour of the malicious files in the database and, as new malicious sample files are received, performing real-time-monitored incremental training of the model to obtain a classification model; running the malicious sample files from the database in simulated environments of different kinds and using an IDS to detect their attack signatures; and analysing the malicious file database with a data mining algorithm to build a vulnerability attack pattern feature database, generate network attack packets and perform network vulnerability scanning.

Description

Network intrusion detection and vulnerability scanning method and device based on deep learning
Technical field
The invention belongs to the technical field of network security and in particular relates to a network intrusion detection and vulnerability scanning method and device based on deep learning.
Background art
Network attacks have increased sharply in both number and scale in recent years, and intrusion detection and vulnerability scanning systems have become indispensable parts of enterprise network infrastructure. The information systems of State Grid Corporation of China are listed as critical information infrastructure and regarded as a major strategic resource of the country; protecting the security of that critical information infrastructure has become the core of the company's current network security construction. However, the intrusion detection systems and vulnerability scanning systems currently used to secure the network have the following problems:
(1) Rule-based intrusion detection systems
Existing intrusion detection systems are all rule-based: they detect intrusions according to known attack signatures and can directly identify intrusion behaviour. The effectiveness of this approach, however, depends on the completeness of the detection knowledge base. The signature library must therefore be updated in a timely manner, editing these rules is very time-consuming, and detection is highly dependent on the knowledge base of known intrusions. In addition, this approach cannot discover unknown intrusion behaviour and has difficulty detecting new intrusion patterns.
(2) Vulnerability scanning systems based on a known-vulnerability database
Existing vulnerability scanning systems are all based on a known-vulnerability database: they scan the system against the entries in the database one by one to find the vulnerabilities present in the network. Maintaining and updating the vulnerability database consumes a great deal of manpower, it is poorly suited to real time, and it cannot keep up with the rate at which new vulnerabilities appear. Because every vulnerability in the existing database is scanned once, regardless of the actual state of the system, the scan is not only time-consuming but also occupies a large amount of network resources.
To respond to rapidly developing new network attack techniques and protect the power system network infrastructure, there should be an intrusion detection system that monitors new network attacks online in real time, together with an automated vulnerability scanning technique in which the vulnerability database is combined with the actual state of the system.
Deep learning originates from research on artificial neural networks: it combines low-level features to form more abstract high-level attribute categories or features and thereby discovers distributed feature representations of data. Deep learning is a new field in machine learning research; its motivation is to build neural networks that simulate the human brain in analysing and learning, imitating the mechanisms of the brain to interpret data such as images, sound and text. Deep learning algorithms can uncover deep connections between features that appear unrelated, linking the various kinds of information in the network with the various states of the hosts to judge whether the network is under attack or has been intruded.
In its overall framework and processing flow, a classification model based on deep learning is a special case of supervised learning. Although a deep learning classification model has stronger generalisation ability and stronger detection capability than rule- or signature-based detection systems and than detection systems based on shallow machine learning models, it will inevitably miss some of the new attack patterns that keep emerging. The model must then be retrained with samples of these new attacks to improve and optimise detection. In traditional supervised learning, however, the model is usually retrained on the complete data set, the newly obtained data included, which consumes a large amount of computing resources and time; this is hard to accept for a deep learning model.
In summary, the prior art still lacks an effective solution to the problem of how to use artificial intelligence technology based on deep learning and big data mining technology to achieve real-time detection, data flow auditing and vulnerability scanning in the power system network, improve the operational stability of the grid information system, and enhance the company's ability to defend against network attacks.
Summary of the invention
In view of the deficiencies of the prior art, and to solve the problem of how to use artificial intelligence technology based on deep learning and big data mining technology to achieve real-time detection, data flow auditing and vulnerability scanning in the power system network, improve the operational stability of the grid information system, and enhance the ability to defend against network attacks, the present invention proposes a network intrusion detection and vulnerability scanning method and device based on deep learning.
The first object of the present invention is to provide a network intrusion detection and vulnerability scanning method based on deep learning.
To achieve the above object, the present invention adopts the following technical solution:
A network intrusion detection and vulnerability scanning method based on deep learning, the method including:
collecting malicious sample files and building a malicious file database;
using a deep learning algorithm to train a model on the behaviour of the malicious files in the malicious file database and, according to newly received malicious sample files, performing real-time-monitored incremental training of the model to obtain a classification model;
running the malicious sample files from the malicious file database in simulated environments of different kinds and using an IDS to detect the attack signatures of the malicious sample files;
analysing the malicious file database with a data mining algorithm, building a vulnerability attack pattern feature database, generating network attack packets, and performing network vulnerability scanning.
As a further preferred scheme, in the method, the specific steps of collecting malicious sample files include: running the file under test in a plurality of virtual machine environments; determining, from the system environment, memory state and file behaviour after the file under test is opened, whether the file is malicious; and collecting the files under test determined to be malicious as malicious sample files.
As a further preferred scheme, in the method, a dynamic sandbox detection engine is used to simulate the execution of the application and the execution of the attack code in the malicious file, the content and intent of the malicious sample's attack are obtained and recorded, and the malicious file database is built from the recorded behaviour;
the behaviour recorded in the malicious file database is behaviour that harms the system, including registry operations, file operations, vulnerability exploitation methods, API call sequences, network behaviour, and process and thread operations.
As a further preferred scheme, in the method, a deep learning detection algorithm is used: each behaviour of the malicious sample files in the malicious file database is normalised and quantised, and a preliminary classification model is obtained by iterative training of a neural network model.
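As an added illustration of this normalising and quantising step (example code written for this page, not part of the patent), the following Python turns constructed sandbox behaviour records of the kinds listed above into fixed-length feature vectors: one log-scaled count per behaviour class, a hashed bag of API-call bigrams that keeps some ordering information from the call sequence, and min-max scaling over the whole database so every feature lies in [0, 1]. The record layout, the bucket count and the sample contents are all assumptions made for the example.

```python
import hashlib
import math

# Behaviour classes the malicious-file database records (from the page); each
# becomes one count slot in the vector.
BEHAVIOUR_CLASSES = ["registry", "file", "exploit", "network", "process_thread"]
API_BUCKETS = 16  # hashed buckets for API-call bigrams (assumed size)

# Constructed sandbox behaviour records for three samples (not real tool output;
# names, paths and addresses are invented for the example).
REPORTS = {
    "dropper.exe": {
        "registry": ["set HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"],
        "file": ["write %APPDATA%\\upd.exe", "delete %TEMP%\\stage.tmp"],
        "exploit": [],
        "network": ["dns example-c2.invalid", "tcp 203.0.113.7:443"],
        "process_thread": ["CreateRemoteThread -> explorer.exe"],
        "api_sequence": ["VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread", "InternetOpenA"],
    },
    "invoice.docx": {
        "registry": [],
        "file": ["read invoice.docx", "write %TEMP%\\~WRD0001.tmp"],
        "exploit": ["document exploit (constructed label)"],
        "network": ["tcp 198.51.100.9:80"],
        "process_thread": ["spawn cmd.exe"],
        "api_sequence": ["CreateFileW", "WriteFile", "CreateProcessW"],
    },
    "notes.txt": {
        "registry": [], "file": ["read notes.txt"], "exploit": [], "network": [],
        "process_thread": [], "api_sequence": ["CreateFileW", "ReadFile", "CloseHandle"],
    },
}


def _bucket(token, buckets):
    """Stable hash (sha1) so the same bigram always lands in the same bucket."""
    digest = hashlib.sha1(token.encode()).digest()
    return int.from_bytes(digest[:4], "big") % buckets


def behaviour_vector(report):
    """Raw (un-normalised) vector: log-quantised count per behaviour class,
    followed by a hashed bag of API-call bigrams as relative frequencies."""
    vec = [math.log1p(len(report.get(cls, []))) for cls in BEHAVIOUR_CLASSES]
    bigrams = [0.0] * API_BUCKETS
    seq = report.get("api_sequence", [])
    for a, b in zip(seq, seq[1:]):
        bigrams[_bucket(f"{a}->{b}", API_BUCKETS)] += 1.0
    total = sum(bigrams)
    if total:
        bigrams = [v / total for v in bigrams]  # already within [0, 1]
    return vec + bigrams


def normalise_database(reports):
    """Min-max scale every column over the whole database so each feature is in [0, 1];
    a constant column (no information) is mapped to 0."""
    names = list(reports)
    raw = [behaviour_vector(reports[n]) for n in names]
    cols = list(zip(*raw))
    lo = [min(c) for c in cols]
    hi = [max(c) for c in cols]
    scaled = [[(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(row, lo, hi)]
              for row in raw]
    return dict(zip(names, scaled))


if __name__ == "__main__":
    for name, vec in normalise_database(REPORTS).items():
        print(name, [round(x, 2) for x in vec])
```

The count slots carry "how much" of each behaviour class a sample exhibits, while the hashed bigrams carry "in what order" the API calls happened; both are scaled against the database as a whole, which is what lets a single neural network consume records from different file types.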
As a further preferred scheme, in the method, incremental training of the preliminary classification model is performed when the newly received malicious sample files have accumulated to a certain number;
when the incremental training of the preliminary classification model is performed, the parameters of some of the layers in the model are updated and the parameters of the other layers are kept fixed.
As a further preferred scheme, in the method, the specific steps of the real-time-monitored incremental training of the model include:
during the incremental training of the preliminary classification model, periodically testing the model on an additional validation data set, observing its detection performance on the validation data set to judge whether the model has improved accordingly or has over-fitted to a certain class of attack, and adjusting the training data set and parameter control in time; at the same time, confirming the accuracy of the model update using k-fold cross-validation.
As a further preferred scheme, in the method, the specific steps of running the malicious sample files from the malicious file database in simulated environments of different kinds and using an IDS to detect the attack signatures of the malicious sample files include:
running the same malicious sample file from the malicious file database in simulated environments of different kinds;
parsing the pcap packets of the malicious sample file in each environment separately, calculating the similarity of the pcap packets across the environments, and obtaining the two pcap packets with the highest degree of matching;
calculating and filtering out the pairs of character strings with the higher degree of matching, obtaining any host information present in the message data, and calculating the blank characters between the pieces of host information;
finding the matched character string and the matched pattern by a longest common subsequence algorithm, judging whether the matched character string contains blank characters, and, if so, cutting out the matching string that contains only a single blank character;
importing the matching string and the matched pattern into the IDS to detect the attack signature of the malicious file in the actual production environment.
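To make the signature extraction concrete, here is an added Python example (not the patent's code) that performs steps of this kind on constructed payloads from one sample run in three sandbox environments: host-specific fields are masked with a blank placeholder, the most similar pair of captures is chosen, their longest shared run is extracted, the run is cut back so that it contains at most one placeholder, and the result is rendered as a Snort content rule. The similarity measure (Jaccard overlap of character trigrams), the use of the contiguous longest-common-substring variant in place of the subsequence algorithm named above (an IDS content match needs contiguous bytes), the masking regexes, the reading of "blank character" as the masked host field, and the payloads are all assumptions made for the example.

```python
import re

PLACEHOLDER = "\x00"  # marks masked host-specific data; assumed absent from the payloads

# Constructed application-layer payloads: the same sample executed in three sandbox
# environments (not real captures; addresses use documentation ranges).
PAYLOADS = {
    "win7_env": ("GET /update/cfg.php?id=7731&h=WIN7-PC HTTP/1.1\r\nHost: 192.0.2.14\r\n"
                 "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\nX-Session: AAAA-9f3c\r\n\r\n"),
    "win10_env": ("GET /update/cfg.php?id=2290&h=DESKTOP-QX1 HTTP/1.1\r\nHost: 198.51.100.5\r\n"
                  "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\nX-Session: AAAA-11e2\r\n\r\n"),
    "linux_env": ("POST /api/ping HTTP/1.1\r\nHost: 203.0.113.2\r\n"
                  "User-Agent: curl/7.68.0\r\n\r\n"),
}

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
HOST_PARAM = re.compile(r"(?<=[?&]h=)[A-Za-z0-9-]+")  # hostname query parameter (constructed)


def mask_host_info(payload):
    """Replace host-specific fields (IP addresses, the sandbox hostname) with a blank
    placeholder so environment details are not hard-wired into the signature."""
    return HOST_PARAM.sub(PLACEHOLDER, IPV4.sub(PLACEHOLDER, payload))


def trigram_jaccard(a, b):
    """Similarity of two payloads as Jaccard overlap of character trigrams."""
    ta = {a[i:i + 3] for i in range(len(a) - 2)}
    tb = {b[i:i + 3] for i in range(len(b) - 2)}
    return len(ta & tb) / len(ta | tb) if (ta | tb) else 0.0


def longest_common_substring(a, b):
    """Longest contiguous run shared by both strings (classic O(len(a)*len(b)) DP)."""
    best_len, best_end, prev = 0, 0, [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def restrict_wildcards(sig, max_wild=1):
    """Keep the longest stretch of the match that contains at most `max_wild` placeholders."""
    parts = sig.split(PLACEHOLDER)
    best = ""
    for i in range(len(parts)):
        window = PLACEHOLDER.join(parts[i:i + max_wild + 1])
        if len(window) > len(best):
            best = window
    return best


def snort_content(s):
    """Escape a content string the way Snort expects: non-printables and the
    characters ; " | \\ are emitted as |hex| groups."""
    out, hexbuf = [], []
    for ch in s:
        if 0x20 <= ord(ch) < 0x7F and ch not in '";|\\':
            if hexbuf:
                out.append("|" + " ".join(hexbuf) + "|")
                hexbuf = []
            out.append(ch)
        else:
            hexbuf.append(f"{ord(ch):02X}")
    if hexbuf:
        out.append("|" + " ".join(hexbuf) + "|")
    return "".join(out)


def to_snort_rule(sig, sid):
    """One content match per placeholder-free segment, in order; the placeholder is the gap."""
    segments = [p for p in sig.split(PLACEHOLDER) if p]
    body = "".join(f'content:"{snort_content(p)}"; ' for p in segments)
    return f'alert tcp any any -> any any (msg:"auto-derived sample signature"; {body}sid:{sid}; rev:1;)'


def derive_signature(payloads=PAYLOADS, sid=1000001):
    """Pick the two most similar masked captures, extract their common run and emit a rule."""
    masked = {env: mask_host_info(p) for env, p in payloads.items()}
    envs = list(masked)
    best_pair, best_score = None, -1.0
    for i in range(len(envs)):
        for j in range(i + 1, len(envs)):
            score = trigram_jaccard(masked[envs[i]], masked[envs[j]])
            if score > best_score:
                best_pair, best_score = (envs[i], envs[j]), score
    common = longest_common_substring(masked[best_pair[0]], masked[best_pair[1]])
    sig = restrict_wildcards(common)
    return best_pair, sig, to_snort_rule(sig, sid)


if __name__ == "__main__":
    pair, sig, rule = derive_signature()
    print(pair, repr(sig))
    print(rule)
```

Masking before matching is what keeps the sandbox's own hostname and addresses out of the rule; limiting the result to a single wildcard keeps the rule from degenerating into a sequence of short, generic fragments that would fire on benign traffic.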
As a further preferred scheme, in the method, the specific steps of generating network attack packets and performing network vulnerability scanning include:
analysing the vulnerability attack pattern feature database and building test cases, i.e. network attack packets, from the attack patterns in the feature database;
performing network vulnerability scanning with the test cases, determining from the feedback whether a vulnerability exists, determining the effective test cases, entering the effective test cases into the vulnerability database, and updating the vulnerability database automatically.
The second object of the present invention is to provide a computer-readable storage medium.
To achieve the above object, the present invention adopts the following technical solution:
A computer-readable storage medium storing a plurality of instructions, the instructions being adapted to be loaded by the processor of a terminal device and to execute the following processing:
collecting malicious sample files and building a malicious file database;
using a deep learning algorithm to train a model on the behaviour of the malicious files in the malicious file database and, according to newly received malicious sample files, performing real-time-monitored incremental training of the model to obtain a classification model;
running the malicious sample files from the malicious file database in simulated environments of different kinds and using an IDS to detect the attack signatures of the malicious sample files;
analysing the malicious file database with a data mining algorithm, building a vulnerability attack pattern feature database, generating network attack packets, and performing network vulnerability scanning.
The third object of the present invention is to provide a terminal device.
To achieve the above object, the present invention adopts the following technical solution:
A terminal device including a processor and a computer-readable storage medium, the processor being configured to implement each instruction and the computer-readable storage medium being configured to store a plurality of instructions, the instructions being adapted to be loaded by the processor and to execute the following processing:
collecting malicious sample files and building a malicious file database;
using a deep learning algorithm to train a model on the behaviour of the malicious files in the malicious file database and, according to newly received malicious sample files, performing real-time-monitored incremental training of the model to obtain a classification model;
running the malicious sample files from the malicious file database in simulated environments of different kinds and using an IDS to detect the attack signatures of the malicious sample files;
analysing the malicious file database with a data mining algorithm, building a vulnerability attack pattern feature database, generating network attack packets, and performing network vulnerability scanning.
Beneficial effects of the present invention:
1. The network intrusion detection and vulnerability scanning method and device based on deep learning of the present invention use artificial intelligence technology based on deep learning and big data mining technology to achieve real-time detection, data flow auditing and vulnerability scanning in the power system network, improve the operational stability of the grid information system, and enhance the company's ability to defend against network attacks.
2. The network intrusion detection and vulnerability scanning method and device based on deep learning of the present invention control the amount of training data so that the cost of incremental training is kept low and the balance between the different types of data is maintained, which prevents the updated model from suffering a reduced ability to detect the original attack patterns.
3. The network intrusion detection and vulnerability scanning method and device based on deep learning of the present invention monitor the detection capability of the model in real time during training, which effectively checks whether the incrementally trained model achieves better detection capability and whether it maintains a high detection rate for the original attack patterns while effectively identifying new attack patterns.
4. The network intrusion detection and vulnerability scanning method and device based on deep learning of the present invention perform real-time-monitored incremental training of the model according to newly received malicious sample files to obtain a classification model, so that subsequently generated malicious file samples can be automatically recognised and classified by the classification model, fully improving the classification and detection effect; and, by automatically testing for new vulnerabilities and automatically updating the vulnerability database, they finally achieve a significant improvement in the efficiency of discovering and testing unknown vulnerabilities.
Description of the drawings
The accompanying drawings, which form a part of this application, are provided to give a further understanding of the application; the exemplary embodiments of the application and their description serve to explain the application and do not constitute an improper limitation of it.
Fig. 1 is a flow chart of the network intrusion detection and vulnerability scanning method based on deep learning of the present invention;
Fig. 2 is a schematic diagram of the supervised learning framework;
Fig. 3 is a schematic diagram of the classification model based on deep learning.
Detailed description of the embodiments:
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
It should be noted that the following detailed description is illustrative and is intended to provide further explanation of the application. Unless otherwise indicated, all technical and scientific terms used in this embodiment have the same meaning as would normally be understood by a person of ordinary skill in the technical field to which the application belongs.
It should be noted that the terms used herein are only for describing specific embodiments and are not intended to limit the exemplary embodiments according to the application. As used herein, unless the context clearly indicates otherwise, the singular form is also intended to include the plural form; it should further be understood that when the terms "comprising" and/or "including" are used in this specification, they indicate the presence of the stated features, steps, operations, devices, components and/or combinations thereof.
It should be noted that the flow charts and block diagrams in the drawings show the possible architectures, functions and operations of the methods and systems according to the various embodiments of the present disclosure. Each box in a flow chart or block diagram may represent a module, a program segment, or a part of code, which may include one or more executable instructions for implementing the logic function specified in each embodiment. It should also be noted that in some alternative implementations the functions marked in the boxes may occur in an order different from that marked in the drawings. For example, two boxes shown in succession may in fact be executed substantially in parallel, or they may sometimes be executed in the reverse order, depending on the functions involved. It should also be noted that each box in the flow charts and/or block diagrams, and combinations of boxes in them, may be implemented by a dedicated hardware-based system that performs the specified functions or operations, or by a combination of dedicated hardware and computer instructions.
Provided there is no conflict, the features in the embodiments of the application may be combined with each other. The invention will be further described below with reference to the drawings and embodiments.
Embodiment 1:
The purpose of this embodiment 1 is to provide a network intrusion detection and vulnerability scanning method based on deep learning.
To achieve the above object, the present invention adopts the following technical solution:
As shown in Fig. 1,
A network intrusion detection and vulnerability scanning method based on deep learning, the method including:
Step (1): collecting malicious sample files and building a malicious file database;
Step (2): using a deep learning algorithm to train a model on the behaviour of the malicious files in the malicious file database and, according to newly received malicious sample files, performing real-time-monitored incremental training of the model to obtain a classification model;
Step (3): running the malicious sample files from the malicious file database in simulated environments of different kinds and using an IDS to detect the attack signatures of the malicious sample files;
Step (4): analysing the malicious file database with a data mining algorithm, building a vulnerability attack pattern feature database, generating network attack packets, and performing network vulnerability scanning.
Step (1): study a dynamic sandbox detection algorithm for the malicious files used by various network attacks, analyse the behaviour of the malicious files, and build the malicious file database;
In step (1) of this embodiment, the specific steps of collecting malicious sample files include:
Step (1-1): running the file under test in a plurality of virtual machine environments; determining, from the system environment, memory state and file behaviour after the file under test is opened, whether the file is malicious; and collecting the files under test determined to be malicious as malicious sample files.
Attacks with malicious samples mostly use purpose-built Trojans, which can evade detection by the antivirus software on the defender's hosts and can spread within a limited range. This project runs the file under test in a plurality of virtual machine environments and monitors the system environment, the memory state and the various actions of the file after it is opened to determine whether the file is malicious. No matter which vulnerability a malicious document uses, and no matter whether the vulnerability it exploits is known or unknown, the malicious operations it must perform always show a certain similarity and characteristic pattern. This makes it possible to detect a variety of N-day attacks and, equally, unknown 0-day attacks, and to examine executable files under Windows, Linux and Android as well as most common document formats such as pdf, doc, xls, rtf, docx, xlsx, ppt, pptx and ppsx.
In step (1) of this embodiment,
Step (1-2): using a dynamic sandbox detection engine to simulate the execution of the application and the execution of the attack code in the malicious file, obtaining and recording the content and intent of the malicious sample's attack, and building the malicious file database from the recorded behaviour;
the behaviour recorded in the malicious file database is behaviour that harms the system, including registry operations, file operations, vulnerability exploitation methods, API call sequences, network behaviour, and process and thread operations.
A dynamic sandbox detection engine simulates the execution of the application and the execution of the attack code in the malicious file, from which the content and intent of the malicious sample's attack are obtained. The recorded behaviour includes registry operations, file operations, vulnerability exploitation methods, API call sequences, network behaviour, process and thread operations, and other behaviour that harms the system; the malicious file database is formed from these behaviour records.
Step (2): study a deep learning algorithm for the classification and detection of multiple types of malicious file, so as to detect malicious files automatically and classify the type of attack;
The malicious file database produced by sandbox detection contains many file types. These different file types have completely different composition structures, and the corresponding malicious files also show very different features, so a dedicated detection procedure needs to be designed for each file type. This project uses a deep learning detection algorithm: each behaviour of the malicious file is normalised and quantised, and a classification model is obtained by iterative training of a neural network model. Subsequently generated malicious file samples can then be automatically recognised and classified by the classification model, fully improving the classification and detection effect.
A deep learning classification model requires large-scale data samples for training and construction, with very large computing and storage overhead, and this training and construction process cannot be repeated frequently in production to generate a new model. Network attack patterns, however, are complex and changeable: during the use of an attack detection system some missed and falsely reported data samples inevitably accumulate, and samples of some new attacks or malicious files are obtained by other means. A fast model update and optimisation method is then needed which uses only these newly obtained labelled data samples to incrementally train the existing model, so that its classification and detection capability evolves, i.e. it can effectively identify new attack patterns while keeping its detection capability for the original attack patterns.
In its overall framework and processing flow, a classification model based on deep learning is a special case of supervised learning, so the overall model training, construction and classifier application are essentially the same as in the general supervised learning framework; Fig. 2 and Fig. 3 show a comparison of the two. There are two key differences. First, deep learning does not need a manual feature extraction step, i.e. the feature extraction module in the figure. Second, in the update part of the classifier, general supervised learning usually requires the misclassified data to be added to the original labelled data set and the model to be completely retrained, at a very large training cost.
Although a deep learning classification model has stronger generalisation ability and stronger detection capability than rule- or signature-based detection systems and than detection systems based on shallow machine learning models, it will inevitably miss some of the new attack patterns that keep emerging. The model must then be retrained with samples of these new attacks to improve and optimise detection. In traditional supervised learning, however, the model is usually retrained on the complete data set, the newly obtained data included, which consumes a large amount of computing resources and time; this is hard to accept for a deep learning model.
Therefore, incremental training of the model on the newly obtained data together with a small amount of other data, so as to update and optimise the model quickly, becomes an optimised deep learning scheme.
Control of the amount of training data: when the new attack data samples have accumulated to a certain volume (for example 200), incremental training of the model can be executed. In addition to the newly obtained attack data samples, the same number of samples can be randomly drawn from the original attack sample database, supplemented with corresponding non-attack samples, and used together as the incremental training data set. The purpose of controlling the amount of training data is to keep the cost of incremental training low and to maintain the balance between the different types of data, so that the updated model does not suffer a reduced ability to detect the original attack patterns.
Partial fixing of model parameters: because the total amount of data in incremental training is small, it is not appropriate to make large-scale parameter adjustments to the whole deep learning model. Following research experience with deep learning in other application fields, the parameters of certain layers of the multilayer neural network model can be kept fixed and only the parameters of the other parts updated, i.e. fine-tuning. For example, only the parameters of the last fully connected layers can be adjusted, with the parameters of all the preceding layers fixed.
Monitoring of model detection capability: whether the incrementally trained model achieves better detection capability, and whether it maintains a high detection rate for the original attack patterns while effectively identifying new attack patterns, must be monitored in real time during training. Specifically, the model is periodically tested on an additional validation data set throughout incremental training, and its detection performance on the validation data set is observed to judge whether the model has improved accordingly or has over-fitted to a certain class of attack, so that the training data set and parameter control can be adjusted in time. In addition, k-fold cross-validation is used to confirm the accuracy of the model update.
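The three controls just described (a trigger volume, a balanced incremental data set, and freezing all but the output layer while watching per-class recall on a validation set) are shown together in the following added Python example; it is not the patent's implementation. The network is a deliberately tiny pure-Python two-layer model whose hidden layer stands in for a pretrained deep model, the behaviour vectors are constructed, and the threshold of 200 is the figure given above; k-fold cross-validation is not included.

```python
import math
import random

NEW_SAMPLE_THRESHOLD = 200  # the page's example trigger volume


def incremental_training_due(new_samples):
    """Step (2-2): retrain only once enough new malicious samples have accumulated."""
    return len(new_samples) >= NEW_SAMPLE_THRESHOLD


def build_incremental_set(new_attack, original_attack, original_benign, rng):
    """Control of training volume: pair the new samples with an equal-sized random draw
    of original attack samples and of benign samples so the classes stay balanced."""
    n = len(new_attack)
    if n > len(original_attack) or n > len(original_benign):
        raise ValueError("original sample pools are too small for a balanced draw")
    return list(new_attack) + rng.sample(original_attack, n) + rng.sample(original_benign, n)


class TwoLayerNet:
    """Minimal MLP: one ReLU hidden layer (frozen during incremental training) and a
    softmax output layer. Pure Python so the example runs without numpy."""

    def __init__(self, n_in, n_hidden, n_out, rng):
        # Hidden weights stand in for a layer pretrained on a large corpus (assumption).
        self.w1 = [[rng.uniform(0.1, 1.0) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b1 = [0.0] * n_hidden
        self.w2 = [[0.0] * n_hidden for _ in range(n_out)]
        self.b2 = [0.0] * n_out

    def hidden(self, x):
        return [max(0.0, sum(w * xi for w, xi in zip(row, x)) + b)
                for row, b in zip(self.w1, self.b1)]

    def _softmax(self, h):
        z = [sum(w * hi for w, hi in zip(row, h)) + b for row, b in zip(self.w2, self.b2)]
        m = max(z)
        e = [math.exp(v - m) for v in z]
        s = sum(e)
        return [v / s for v in e]

    def predict(self, x):
        p = self._softmax(self.hidden(x))
        return max(range(len(p)), key=p.__getitem__)

    def fine_tune(self, data, epochs=60, lr=0.1):
        """Partial parameter fixing: SGD on the output layer only; w1/b1 are never touched."""
        for _ in range(epochs):
            for x, y in data:
                h = self.hidden(x)
                p = self._softmax(h)
                for k in range(len(self.w2)):
                    g = p[k] - (1.0 if k == y else 0.0)  # d cross-entropy / d logit_k
                    for j in range(len(h)):
                        self.w2[k][j] -= lr * g * h[j]
                    self.b2[k] -= lr * g


def per_class_recall(model, data, n_classes):
    """Monitoring: recall per class on a held-out validation set, so forgetting of the
    original attack class or over-fitting to the new one shows up as a recall drop."""
    hit, tot = [0] * n_classes, [0] * n_classes
    for x, y in data:
        tot[y] += 1
        hit[y] += int(model.predict(x) == y)
    return [hit[c] / tot[c] if tot[c] else 0.0 for c in range(n_classes)]


def make_samples(label, n, rng, dim=4):
    """Constructed behaviour vectors: each class concentrates mass on its own feature slot."""
    out = []
    for _ in range(n):
        x = [rng.uniform(0.0, 0.05) for _ in range(dim)]
        x[label] += 1.0
        out.append((x, label))
    return out


def demo(seed=7):
    """Returns (per-class recall after the update, hidden layer untouched?, size of the
    incremental set)."""
    BENIGN, OLD_ATTACK, NEW_ATTACK = 0, 1, 2
    rng = random.Random(seed)
    model = TwoLayerNet(n_in=4, n_hidden=8, n_out=3, rng=rng)
    # Preliminary model: trained only on benign behaviour and the original attack class.
    base = make_samples(BENIGN, 200, rng) + make_samples(OLD_ATTACK, 200, rng)
    model.fine_tune(base)
    # New malicious samples arrive; once 200 have accumulated the update is due.
    new = make_samples(NEW_ATTACK, 200, rng)
    if not incremental_training_due(new):
        return None
    inc = build_incremental_set(new, [s for s in base if s[1] == OLD_ATTACK],
                                [s for s in base if s[1] == BENIGN], rng)
    w1_snapshot = [row[:] for row in model.w1]
    model.fine_tune(inc)
    validation = (make_samples(BENIGN, 50, rng) + make_samples(OLD_ATTACK, 50, rng)
                  + make_samples(NEW_ATTACK, 50, rng))
    return per_class_recall(model, validation, 3), model.w1 == w1_snapshot, len(inc)


if __name__ == "__main__":
    print(demo())
```

The recall vector is the quantity to watch during the update: a fall in the original attack class signals forgetting, a fall in the benign class signals over-fitting to the new attack, and either is the cue to adjust the incremental data set or the learning rate before the model is promoted.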
In step (2) of this embodiment, step (2-1) is: using a deep learning detection algorithm, each behavior of the malicious sample files in the malicious file database is normalized and quantized, and a preliminary classification model is obtained by iterative training of a neural network model.
In step (2) of this embodiment, step (2-2) is: one round of incremental training of the preliminary classification model is executed whenever the newly received malicious sample files accumulate to a certain number; during the incremental training of the preliminary classification model only the parameters of some layers of the model are updated, and the parameters of the other layers are kept fixed.
In step (2) of this embodiment, the specific steps of the real-time monitored incremental training of the model are:
During the incremental training of the preliminary classification model, the model is tested periodically on an additional validation data set; whether its detection performance on the validation data set improves correspondingly, or whether it over-fits a certain class of attack, is observed, and the training data set and parameters are adjusted in time. Multi-fold cross-validation is used at the same time to confirm the accuracy of the model update.
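An added illustration, not code from the patent, of the three controls described above (the 200-sample trigger with a balanced batch, updating only the output layer, and monitoring per-class detection rates on a validation set), written in plain Python with no ML framework. The two-layer stand-in model, the synthetic behaviour vectors and the decision to revert the output layer when a class regresses are assumptions of this example.

```python
import math
import random

NEW_SAMPLE_THRESHOLD = 200   # the text's example trigger: 200 new attack samples
FEATURES, HIDDEN = 8, 16     # normalised behaviour features per sample; frozen layer width


class TwoLayerNet:
    """Stand-in for the deep model (an assumption of this example): a frozen hidden
    layer (random projection + ReLU, playing the part of the levels whose parameters
    stay fixed) and a trainable output layer, the part that fine-tuning updates."""

    def __init__(self, seed=0):
        rng = random.Random(seed)
        self.frozen = [[rng.uniform(-1, 1) for _ in range(FEATURES)] for _ in range(HIDDEN)]
        self.head, self.bias = [0.0] * HIDDEN, 0.0

    def hidden(self, x):
        return [max(0.0, sum(w * v for w, v in zip(row, x))) for row in self.frozen]

    @staticmethod
    def _sigmoid(z):
        return 1.0 / (1.0 + math.exp(-max(-30.0, min(30.0, z))))

    def predict_proba(self, x):
        h = self.hidden(x)
        return self._sigmoid(sum(w * v for w, v in zip(self.head, h)) + self.bias)

    def fine_tune(self, batch, epochs=20, lr=0.05):
        """Gradient steps on the output layer only; self.frozen is never touched."""
        for _ in range(epochs):
            for x, y in batch:
                h = self.hidden(x)
                err = self._sigmoid(sum(w * v for w, v in zip(self.head, h)) + self.bias) - y
                self.head = [w - lr * err * hv for w, hv in zip(self.head, h)]
                self.bias -= lr * err


def detection_rates(model, validation):
    """Fraction of correctly classified rows per class; validation rows are
    (features, label, class name), the class names being the attack modes."""
    hits, totals = {}, {}
    for x, y, cls in validation:
        totals[cls] = totals.get(cls, 0) + 1
        hits[cls] = hits.get(cls, 0) + ((model.predict_proba(x) >= 0.5) == bool(y))
    return {cls: hits[cls] / totals[cls] for cls in totals}


def regressed_classes(before, after, tolerance=0.05):
    """Classes whose validation rate fell by more than `tolerance`: the sign that the
    update hurts detection of an original attack mode or over-fits another class."""
    return sorted(c for c in before if before[c] - after.get(c, 0.0) > tolerance)


class IncrementalTrainer:
    """Buffers new attack samples; at the threshold, fine-tunes on a balanced batch of
    the new attacks, as many original attacks and as many non-attack samples (the
    latter two drawn at random from the original database) and monitors the result."""

    def __init__(self, model, original_attacks, original_benign, validation, seed=1):
        self.model, self.rng = model, random.Random(seed)
        self.original_attacks, self.original_benign = original_attacks, original_benign
        self.validation, self.pending, self.reports = validation, [], []

    def add_new_attack(self, x):
        self.pending.append(x)
        return self.run_increment() if len(self.pending) >= NEW_SAMPLE_THRESHOLD else None

    def run_increment(self):
        n = len(self.pending)
        batch = ([(x, 1) for x in self.pending]
                 + [(x, 1) for x in self.rng.sample(self.original_attacks, n)]
                 + [(x, 0) for x in self.rng.sample(self.original_benign, n)])
        self.rng.shuffle(batch)
        before = detection_rates(self.model, self.validation)
        saved = (list(self.model.head), self.model.bias)
        self.model.fine_tune(batch)
        after = detection_rates(self.model, self.validation)
        regressed = regressed_classes(before, after)
        if regressed:  # the text adjusts data set and parameters; reverting the
            self.model.head, self.model.bias = saved  # output layer is this example's choice
        report = {"batch_size": len(batch), "before": before, "after": after,
                  "regressed": regressed, "rolled_back": bool(regressed)}
        self.pending, self.reports = [], self.reports + [report]
        return report


def make_samples(n, shift_feature, seed=0):
    """Constructed behaviour vectors: uniform noise with one feature shifted up for an
    attack mode (feature 0 = original mode, 1 = new mode, None = non-attack)."""
    rng = random.Random(seed)
    rows = [[rng.random() for _ in range(FEATURES)] for _ in range(n)]
    for x in rows:
        if shift_feature is not None:
            x[shift_feature] += 2.0
    return rows


if __name__ == "__main__":
    benign, original = make_samples(600, None, seed=1), make_samples(600, 0, seed=2)
    validation = ([(x, 0, "benign") for x in benign[:100]]
                  + [(x, 1, "original_mode") for x in original[:100]]
                  + [(x, 1, "new_mode") for x in make_samples(100, 1, seed=3)])
    model = TwoLayerNet()
    model.fine_tune([(x, 0) for x in benign[100:]] + [(x, 1) for x in original[100:]])
    trainer = IncrementalTrainer(model, original[100:], benign[100:], validation)
    for x in make_samples(NEW_SAMPLE_THRESHOLD, 1, seed=4):
        report = trainer.add_new_attack(x)  # None until the 200th sample arrives
    print(report)
```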
Step (3): study deep learning algorithms for the network attack characteristics of multiple types of malicious files, generate network behavior features automatically, and thereby detect novel, unknown attack behavior.
In step (3) of this embodiment, the specific steps of running the malicious sample files of the malicious file database in different simulated environments and detecting their attack signatures with the IDS are:
Step (3-1): run the same malicious sample file from the malicious file database in different simulated environments;
Step (3-2): parse the pcap packets of the malicious sample file from each environment separately, compute the similarity between the pcap packets of the different environments, and obtain the two pcap packets with the highest matching degree;
Step (3-3): compute and filter out the string pairs with the higher matching degree, obtain the host information that may be present in the message data, and compute the blank characters between the host information items;
Step (3-4): find the matched string and the matched pattern with the longest common subsequence algorithm, judge whether the matched string contains blank characters, and if it does, cut out a matching string that contains only a single blank character;
Step (3-5): import the matching string and the matched pattern into the IDS to detect the attack signature of the malicious file in the actual production environment.
When a malicious file attacks, executes or lies dormant, it may send information to its server, and this information often carries some basic information about the controlled host, for example: user name, machine name, operating system version, language, time zone, memory size, CPU frequency, number of cores, MAC address, important file directories, whether anti-virus software is installed, whether a firewall is installed, the malware version, author information and so on.
In this project the same botnet/trojan/worm sample is distributed to different environments at the same time and run in simulation, ensuring that the "check-in" information it sends differs as much as possible (hardware information, operating system, software, various configuration information and so on). The "check-in" information is contained in the pcap packets; the pcap packets of the different environments are compared and parsed into JSON files containing the DNS information, the domain-name information and the data of each protocol. By similarity calculation over this large volume of JSON data, the Hamming distance between the simhash values is found and used as the similarity of the pcap packets.
A distance matrix of the pcap packets is constructed and the two pcap packets with the highest matching degree are found by iteration. The Levenshtein ratio of the protocol data of the two packets is then computed to filter out the string pairs with the higher matching degree, giving the host information that may be present in the message data, and the blank characters between the host information items are computed.
The matched string and the matched pattern are found with the longest common subsequence algorithm; whether the matched string contains blank characters is judged, and if it does, a matching string containing only a single blank character is cut out. Importing the matching string and the pattern into the intrusion detection system (IDS) lets the attack signature of the malicious file be detected in the actual production environment.
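An added example, not code from the patent, of steps (3-2) to (3-5) as described above: simhash Hamming distances between the decoded captures pick the closest pair of environments, the Levenshtein ratio picks the closest payload pair, and the longest common subsequence yields the matched string, a loose pattern and a single-blank content string for an IDS rule. The capture contents and field names are constructed, and requiring the cut-out piece to occur verbatim in both payloads is this example's own safeguard against LCS artefacts.

```python
import hashlib
import json
import re
from collections import Counter

# Constructed sample: the same implant's check-in traffic decoded from the pcap of
# three simulated environments into the JSON form the text describes (DNS names,
# domain, ports, protocol data). Only the per-host fields differ between the two
# Windows runs; every value is made up.
CAPTURES = {
    "env_win7": {"dns": ["c2.example.test", "update.example.test"], "domain": "c2.example.test",
                 "ports": [80, 443], "ua": "Mozilla/4.0 (compatible; MSIE 6.0)",
                 "payloads": ["GET /favicon.ico",
                              "POST /gate.php user=alice host=WS-01 os=Windows7 cpu=2400 av=none"]},
    "env_win10": {"dns": ["c2.example.test", "update.example.test"], "domain": "c2.example.test",
                  "ports": [80, 443], "ua": "Mozilla/4.0 (compatible; MSIE 6.0)",
                  "payloads": ["POST /gate.php user=bob host=LAB-PC os=Windows10 cpu=3100 av=defender",
                               "GET /logo.png"]},
    "env_linux": {"dns": ["time.nist.test"], "domain": "time.nist.test", "ports": [123],
                  "ua": "ntpdate/4.2", "payloads": ["GET /time HTTP/1.0"]},
}


def simhash(obj, bits=64):
    """Simhash of a decoded capture: tokenise its JSON, hash every token with md5
    and take the sign of the count-weighted bit sums."""
    counts = Counter(re.findall(r"[A-Za-z0-9]+", json.dumps(obj, sort_keys=True)))
    sums = [0] * bits
    for token, weight in counts.items():
        h = int(hashlib.md5(token.encode()).hexdigest(), 16)
        for i in range(bits):
            sums[i] += weight if (h >> i) & 1 else -weight
    return sum(1 << i for i, s in enumerate(sums) if s > 0)


def hamming(a, b):
    return bin(a ^ b).count("1")


def closest_pair(captures):
    """Pairwise Hamming-distance matrix of the simhashes; return the two environment
    names whose pcap data match best (smallest distance)."""
    names = sorted(captures)
    hashes = {n: simhash(captures[n]) for n in names}
    matrix = {(a, b): hamming(hashes[a], hashes[b]) for a in names for b in names if a < b}
    return min(matrix, key=matrix.get)


def levenshtein_ratio(a, b):
    """1 - edit distance / longer length, a similarity in [0, 1]."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return 1.0 - prev[-1] / max(len(a), len(b), 1)


def best_payload_pair(lines_a, lines_b):
    """The (line from A, line from B) tuple with the highest Levenshtein ratio."""
    return max(((x, y) for x in lines_a for y in lines_b), key=lambda p: levenshtein_ratio(*p))


def lcs(a, b):
    """Longest common subsequence of two strings via the standard DP table."""
    dp = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i, ca in enumerate(a):
        for j, cb in enumerate(b):
            dp[i + 1][j + 1] = dp[i][j] + 1 if ca == cb else max(dp[i][j + 1], dp[i + 1][j])
    out, i, j = [], len(a), len(b)
    while i and j:
        if a[i - 1] == b[j - 1]:
            out.append(a[i - 1])
            i, j = i - 1, j - 1
        elif dp[i - 1][j] >= dp[i][j - 1]:
            i -= 1
        else:
            j -= 1
    return "".join(reversed(out))


def extract_signature(line_a, line_b):
    """Return (matched string, loose subsequence pattern, IDS content string).
    When the match contains blanks the content is cut down to a piece with a single
    blank; requiring that piece to occur verbatim in both lines is an added safeguard
    that drops stray characters the LCS picks out of differing host fields."""
    matched = lcs(line_a, line_b)
    pattern = ".*".join(re.escape(ch) for ch in matched)
    tokens = matched.split()
    if len(tokens) < 2:
        return matched, pattern, matched
    pieces = [" ".join(tokens[k:k + 2]) for k in range(len(tokens) - 1)]
    verified = [p for p in pieces if p in line_a and p in line_b]
    return matched, pattern, max(verified, key=len, default="")


def derive_ids_content(captures):
    """Whole chain: closest pcap pair -> best payload tuple -> LCS signature."""
    env_a, env_b = closest_pair(captures)
    line_a, line_b = best_payload_pair(captures[env_a]["payloads"], captures[env_b]["payloads"])
    matched, pattern, content = extract_signature(line_a, line_b)
    return {"environments": (env_a, env_b), "lines": (line_a, line_b),
            "matched": matched, "pattern": pattern, "content": content}


if __name__ == "__main__":
    for key, value in derive_ids_content(CAPTURES).items():
        print(f"{key}: {value}")
```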
Step (4): study a data-mining-based algorithm for extracting vulnerability attack pattern features and extract the attack features contained in malicious files; and study an algorithm for automatically constructing vulnerability attacks, so that the attack features of malicious files can be used to mine novel vulnerabilities in the network.
The various attack patterns and features in malicious files are analyzed, for example the protocol used, the port, the transmitted fields and similar information; data mining algorithms are used to find the characteristic links between these items, and a vulnerability attack pattern feature database is built.
In protocol-based fuzz testing for vulnerability mining, the validity of the test cases is the key to discovering whether a host or system has unknown vulnerabilities. Traditional vulnerability mining tests tend to rely on the tester's years of experience and are relatively inefficient. This project improves the ability of the test software to generate valid test cases by using an artificial-intelligence approach to automated test-case construction. First, the vulnerability attack pattern feature database established by analyzing the malicious files is used to build test cases from these attack patterns; the test cases are sent to the hosts, servers and information systems in the network, the presence of vulnerabilities is determined from the feedback, and the valid test cases are entered into the vulnerability database. By automatically testing for novel vulnerabilities and automatically updating the vulnerability database, the efficiency of unknown vulnerability mining tests is greatly improved.
In step (4) of this embodiment, the specific steps of generating network attack packets and performing network vulnerability scanning are:
Analyze the vulnerability attack pattern feature database and build test cases, i.e. network attack packets, from the attack patterns in the feature database;
Perform network vulnerability scanning with the test cases, determine from the feedback whether vulnerabilities exist, identify the valid test cases, enter them into the vulnerability database, and update the vulnerability database automatically.
Embodiment 2:
The purpose of Embodiment 2 is to provide a computer readable storage medium.
To achieve this purpose, the present invention adopts the following technical solution:
A computer readable storage medium storing a plurality of instructions, the instructions being suitable to be loaded by the processor of a terminal device and to execute the following processing:
Step (1): collect malicious sample files and establish a malicious file database;
Step (2): train and model the behavior of the malicious files in the malicious file database with a deep learning algorithm, and, according to the newly received malicious sample files, perform real-time monitored incremental training of the model to obtain a classification model;
Step (3): run the malicious sample files of the malicious file database in different simulated environments and detect the attack signatures of the malicious sample files with an IDS;
Step (4): analyze the malicious file database with a data mining algorithm, build a vulnerability attack pattern feature database, generate network attack packets, and perform network vulnerability scanning.
Embodiment 3:
The purpose of Embodiment 3 is to provide a terminal device.
To achieve this purpose, the present invention adopts the following technical solution:
A terminal device comprising a processor and a computer readable storage medium, the processor implementing each instruction and the computer readable storage medium storing a plurality of instructions, the instructions being suitable to be loaded by the processor and to execute the following processing:
Step (1): collect malicious sample files and establish a malicious file database;
Step (2): train and model the behavior of the malicious files in the malicious file database with a deep learning algorithm, and, according to the newly received malicious sample files, perform real-time monitored incremental training of the model to obtain a classification model;
Step (3): run the malicious sample files of the malicious file database in different simulated environments and detect the attack signatures of the malicious sample files with an IDS;
Step (4): analyze the malicious file database with a data mining algorithm, build a vulnerability attack pattern feature database, generate network attack packets, and perform network vulnerability scanning.
When run in a device, these computer executable instructions cause the device to execute the method or process described in each embodiment of the disclosure.
In this embodiment the computer program product may comprise a computer readable storage medium carrying computer-readable program instructions for carrying out the various aspects of the disclosure. The computer readable storage medium may be a tangible device that can hold and store instructions for use by an instruction execution device. It may be, for example but without limitation, an electrical storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of these. A non-exhaustive list of more specific examples of a computer readable storage medium includes: a portable computer diskette, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), static random access memory (SRAM), portable compact disc read-only memory (CD-ROM), digital versatile disc (DVD), memory stick, floppy disk, mechanically encoded devices such as punch cards or raised structures in a groove on which instructions are recorded, and any suitable combination of these. A computer readable storage medium as used herein is not to be construed as a transitory signal per se, such as a radio wave or other freely propagating electromagnetic wave, an electromagnetic wave propagating through a waveguide or other transmission medium (for example a light pulse through a fiber optic cable), or an electrical signal transmitted through a wire.
The computer-readable program instructions described herein can be downloaded to the respective computing/processing devices from a computer readable storage medium, or to an external computer or external storage device via a network such as the Internet, a local area network, a wide area network and/or a wireless network. The network may comprise copper transmission cables, optical fiber transmission, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. A network adapter or network interface in each computing/processing device receives the computer-readable program instructions from the network and forwards them for storage in the computer readable storage medium of that computing/processing device.
The computer program instructions for carrying out the operations of the disclosure may be assembler instructions, instruction-set-architecture (ISA) instructions, machine instructions, machine-dependent instructions, microcode, firmware instructions, state-setting data, or source code or object code written in any combination of one or more programming languages, including object-oriented programming languages such as C++ and conventional procedural programming languages such as the "C" language or similar languages. The computer-readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on a remote computer or server. In the latter case the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computer (for example through the Internet using an Internet service provider). In some embodiments, electronic circuitry such as programmable logic circuits, field programmable gate arrays (FPGA) or programmable logic arrays (PLA) is personalized with state information of the computer-readable program instructions, and this circuitry can execute the instructions to carry out the various aspects of the disclosure.
It should be noted that although several modules or submodules of the device were mentioned in the detailed description above, this division is merely exemplary and not mandatory. In fact, according to embodiments of the disclosure, the features and functions of two or more of the modules described above may be embodied in one module; conversely, the features and functions of one module described above may be further divided and embodied by multiple modules.
Beneficial effects of the present invention:
1. The network intrusion detection and vulnerability scanning method and device based on deep learning of the present invention use deep-learning-based artificial intelligence and big data mining technology to achieve real-time detection, data flow auditing and vulnerability scanning for the power system network, improving the operational stability of grid information systems and strengthening the company's ability to defend against network attacks.
2. The network intrusion detection and vulnerability scanning method and device based on deep learning of the present invention control the training data volume so that the cost of incremental training stays low and the balance between the different types of data is preserved, avoiding any impairment of the updated model's ability to detect the original attack modes.
3. The network intrusion detection and vulnerability scanning method and device based on deep learning of the present invention monitor the model's detection ability in real time during training, effectively checking whether the incrementally trained model reaches a better detection ability and whether it keeps its high detection rate on the original attack modes while effectively identifying the new attack modes.
4. The network intrusion detection and vulnerability scanning method and device based on deep learning of the present invention perform real-time monitored incremental training on the newly received malicious sample files to obtain a classification model, so that subsequently produced malicious file samples are automatically identified and classified by that model, substantially improving the classification and detection effect; and by automatically testing for novel vulnerabilities and automatically updating the vulnerability database, the efficiency of unknown vulnerability mining tests is greatly improved.
The above are merely preferred embodiments of the application and are not intended to limit it; for those skilled in the art the application may have various modifications and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the application shall be included within its scope of protection. Therefore, the present invention is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A network intrusion detection and vulnerability scanning method based on deep learning, characterized in that the method comprises:
collecting malicious sample files and establishing a malicious file database;
training and modeling the behavior of the malicious files in the malicious file database with a deep learning algorithm, and, according to newly received malicious sample files, performing real-time monitored incremental training of the model to obtain a classification model;
running the malicious sample files of the malicious file database in different simulated environments, and detecting the attack signatures of the malicious sample files with an IDS;
analyzing the malicious file database with a data mining algorithm, building a vulnerability attack pattern feature database, generating network attack packets, and performing network vulnerability scanning.
2. The method of claim 1, characterized in that, in the method, the specific steps of collecting malicious sample files comprise: running the file under test in a plurality of virtual machine environments, determining from the system environment, memory state and file behavior after the file under test is opened whether the file is a malicious file, and collecting the files under test determined to be malicious as malicious sample files.
3. The method of claim 2, characterized in that, in the method, a dynamic sandbox detection engine simulates the execution of the application program and of the attack code in the malicious file, obtains the content and intention of the malicious sample's attack, records them, and establishes the malicious file database according to the recorded behavior;
the behavior recorded in the malicious file database is behavior that harms the system, including registry operations, file operations, vulnerability exploitation methods, API call sequences, network behavior, and process and thread operations.
4. The method of claim 1, characterized in that, in the method, a deep learning detection algorithm normalizes and quantizes each behavior of the malicious sample files in the malicious file database and obtains a preliminary classification model by iterative training of a neural network model.
5. The method of claim 4, characterized in that, in the method, one round of incremental training of the preliminary classification model is executed when the newly received malicious sample files accumulate to a certain number;
during the incremental training of the preliminary classification model, the parameters of some layers of the model are updated while the parameters of the other layers are kept fixed.
6. The method of claim 5, characterized in that, in the method, the specific steps of the real-time monitored incremental training of the model comprise:
during the incremental training of the preliminary classification model, periodically testing the model on an additional validation data set, observing whether its detection performance on the validation data set improves correspondingly or shows over-fitting to a certain class of attack, and adjusting the training data set and parameters in time; and at the same time confirming the accuracy of the model update with multi-fold cross-validation.
7. The method of claim 1, characterized in that, in the method, the specific steps of running the malicious sample files of the malicious file database in different simulated environments and detecting the attack signatures of the malicious sample files with an IDS comprise:
running the same malicious sample file from the malicious file database in different simulated environments;
parsing the pcap packets of the malicious sample file from each environment separately, computing the similarity between the pcap packets of the different environments, and obtaining the two pcap packets with the highest matching degree;
computing and filtering out the string pairs with the higher matching degree, obtaining the host information that may be present in the message data, and computing the blank characters between the host information items;
finding the matched string and the matched pattern with the longest common subsequence algorithm, judging whether the matched string contains blank characters, and if so cutting out a matching string that contains only a single blank character;
importing the matching string and the matched pattern into the IDS to detect the attack signature of the malicious file in the actual production environment.
8. The method of claim 1, characterized in that, in the method, the specific steps of generating network attack packets and performing network vulnerability scanning comprise:
analyzing the vulnerability attack pattern feature database and building test cases, i.e. network attack packets, from the attack patterns in the feature database;
performing network vulnerability scanning with the test cases, determining from the feedback whether vulnerabilities exist, identifying the valid test cases, entering the valid test cases into the vulnerability database, and updating the vulnerability database automatically.
9. A computer readable storage medium storing a plurality of instructions, characterized in that the instructions are suitable to be loaded by the processor of a terminal device and to execute the method of any one of claims 1-8.
10. A terminal device comprising a processor and a computer readable storage medium, the processor implementing each instruction and the computer readable storage medium storing a plurality of instructions, characterized in that the instructions execute the method of any one of claims 1-8.
CN201810011225.5A 2018-01-05 2018-01-05 Network intrusion detection and vulnerability scanning method and device based on deep learning Active CN108347430B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810011225.5A CN108347430B (en) 2018-01-05 2018-01-05 Network intrusion detection and vulnerability scanning method and device based on deep learning

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810011225.5A CN108347430B (en) 2018-01-05 2018-01-05 Network intrusion detection and vulnerability scanning method and device based on deep learning

Publications (2)

Publication Number Publication Date
CN108347430A true CN108347430A (en) 2018-07-31
CN108347430B CN108347430B (en) 2021-01-12

Family

ID=62960401

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810011225.5A Active CN108347430B (en) 2018-01-05 2018-01-05 Network intrusion detection and vulnerability scanning method and device based on deep learning

Country Status (1)

Country Link
CN (1) CN108347430B (en)

Cited By (46)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108965340A (en) * 2018-09-25 2018-12-07 网御安全技术(深圳)有限公司 A kind of industrial control system intrusion detection method and system
CN109146097A (en) * 2018-09-21 2019-01-04 中国联合网络通信集团有限公司 A kind of plant maintenance method and system, server-side and plant maintenance end
CN109255234A (en) * 2018-08-15 2019-01-22 腾讯科技(深圳)有限公司 Processing method, device, medium and the electronic equipment of machine learning model
CN109344622A (en) * 2018-09-26 2019-02-15 杭州迪普科技股份有限公司 The intrusion detection method and relevant device of loophole attack
CN109495443A (en) * 2018-09-13 2019-03-19 中国科学院信息工程研究所 The method and system of software attacks is extorted in a kind of Intrusion Detection based on host honey jar confrontation
CN109672666A (en) * 2018-11-23 2019-04-23 北京丁牛科技有限公司 A kind of network attack detecting method and device
CN109670306A (en) * 2018-11-27 2019-04-23 国网山东省电力公司济宁供电公司 Electric power malicious code detecting method, server and system based on artificial intelligence
CN109688159A (en) * 2019-01-23 2019-04-26 平安科技(深圳)有限公司 Network Isolation violation recognition methods, server and computer readable storage medium
CN109871683A (en) * 2019-01-24 2019-06-11 深圳昂楷科技有限公司 A kind of database protection system and method
CN109960934A (en) * 2019-03-25 2019-07-02 西安电子科技大学 A kind of malicious requests detection method based on CNN
CN110110525A (en) * 2019-04-26 2019-08-09 北京中润国盛科技有限公司 A kind of bug excavation method based on machine learning and deep learning
CN110516444A (en) * 2019-07-23 2019-11-29 成都理工大学 Cross-terminal cross-version Root attack detecting and guard system based on kernel
CN110602137A (en) * 2019-09-25 2019-12-20 光通天下网络科技股份有限公司 Malicious IP and malicious URL intercepting method, device, equipment and medium
CN110661795A (en) * 2019-09-20 2020-01-07 哈尔滨安天科技集团股份有限公司 Vector-level threat information automatic production and distribution system and method
CN110737894A (en) * 2018-12-04 2020-01-31 哈尔滨安天科技集团股份有限公司 Composite document security detection method and device, electronic equipment and storage medium
CN111026012A (en) * 2019-11-29 2020-04-17 哈尔滨安天科技集团股份有限公司 Method and device for detecting PLC firmware level bugs, electronic equipment and storage medium
CN111049784A (en) * 2018-10-12 2020-04-21 北京奇虎科技有限公司 Network attack detection method, device, equipment and storage medium
CN111090855A (en) * 2019-12-26 2020-05-01 中科信息安全共性技术国家工程研究中心有限公司 Intrusion detection method and device based on Linux host
CN111159111A (en) * 2019-12-13 2020-05-15 深信服科技股份有限公司 Information processing method, device, system and computer readable storage medium
WO2020142110A1 (en) * 2018-12-31 2020-07-09 Intel Corporation Securing systems employing artificial intelligence
CN111400718A (en) * 2020-03-06 2020-07-10 苏州浪潮智能科技有限公司 Method and device for detecting system vulnerability and attack and related equipment
CN111435393A (en) * 2019-01-14 2020-07-21 北京京东尚科信息技术有限公司 Object vulnerability detection method, device, medium and electronic equipment
CN111737693A (en) * 2020-05-09 2020-10-02 北京启明星辰信息安全技术有限公司 Method for determining characteristics of malicious software, and method and device for detecting malicious software
CN111917781A (en) * 2020-08-05 2020-11-10 湖南匡楚科技有限公司 Intelligent internal malicious behavior network attack identification method and electronic equipment
CN111931187A (en) * 2020-08-13 2020-11-13 深信服科技股份有限公司 Component vulnerability detection method, device, equipment and readable storage medium
CN112052449A (en) * 2019-06-06 2020-12-08 深信服科技股份有限公司 Malicious file identification method, device, equipment and storage medium
CN112187730A (en) * 2020-09-08 2021-01-05 华东师范大学 Intrusion detection system
CN112202722A (en) * 2020-09-08 2021-01-08 华东师范大学 Intrusion detection method
CN112260989A (en) * 2020-09-16 2021-01-22 湖南大学 Power system and network malicious data attack detection method, system and storage medium
CN112269992A (en) * 2020-06-01 2021-01-26 中国科学院信息工程研究所 Real-time malicious sample detection method based on artificial intelligence processor and electronic device
CN112583820A (en) * 2020-12-09 2021-03-30 南方电网科学研究院有限责任公司 Power attack test system based on attack topology
CN112615819A (en) * 2020-12-03 2021-04-06 北京锐服信科技有限公司 Intrusion behavior detection method and system based on deep learning
CN113141360A (en) * 2021-04-21 2021-07-20 建信金融科技有限责任公司 Method and device for detecting network malicious attack
CN113177191A (en) * 2021-04-16 2021-07-27 中国人民解放军战略支援部队信息工程大学 Firmware function similarity detection method and system based on fuzzy matching
CN113282928A (en) * 2021-06-11 2021-08-20 杭州安恒信息技术股份有限公司 Malicious file processing method, device and system, electronic device and storage medium
CN113411356A (en) * 2021-08-23 2021-09-17 北京华云安信息技术有限公司 Vulnerability detection method, system, device and computer readable storage medium
CN113468538A (en) * 2021-06-15 2021-10-01 江苏大学 Vulnerability attack database construction method based on similarity measurement
CN113468524A (en) * 2021-05-21 2021-10-01 天津理工大学 RASP-based machine learning model security detection method
CN113691562A (en) * 2021-09-15 2021-11-23 神州网云(北京)信息技术有限公司 Method for implementing rule engine for accurately identifying malicious network communication
CN113839963A (en) * 2021-11-25 2021-12-24 南昌首页科技发展有限公司 Network security vulnerability intelligent detection method based on artificial intelligence and big data
CN114553525A (en) * 2022-02-22 2022-05-27 国网河北省电力有限公司电力科学研究院 Network security vulnerability mining method and system based on artificial intelligence
CN114710325A (en) * 2022-03-17 2022-07-05 广州杰赛科技股份有限公司 Method, device, equipment and storage medium for constructing network intrusion detection model
CN114866279A (en) * 2022-03-24 2022-08-05 中国科学院信息工程研究所 Vulnerability attack flow detection method and system based on HTTP request effective load
CN114912116A (en) * 2022-05-18 2022-08-16 河南工业贸易职业学院 Intelligent computer network information safety controller and control system
CN115130110A (en) * 2022-07-08 2022-09-30 国网浙江省电力有限公司电力科学研究院 Vulnerability mining method, device, equipment and medium based on parallel ensemble learning
CN115695046A (en) * 2022-12-28 2023-02-03 广东工业大学 Network intrusion detection method based on reinforcement ensemble learning

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102789593A (en) * 2012-06-18 2012-11-21 北京大学 Intrusion detection method based on incremental GHSOM (Growing Hierarchical Self-organizing Maps) neural network
CN104243407A (en) * 2013-06-13 2014-12-24 华为技术有限公司 Generation method and device for malicious software network intrusion detection feature codes
CN104486141A (en) * 2014-11-26 2015-04-01 国家电网公司 Misdeclaration self-adapting network safety situation predication method
US20160285904A1 (en) * 2015-03-26 2016-09-29 Tyco Fire & Security Gmbh Home Network Intrusion Detection and Prevention System and Method
CN106778795A (en) * 2015-11-24 2017-05-31 华为技术有限公司 A kind of sorting technique and device based on incremental learning
US20170244737A1 (en) * 2016-02-23 2017-08-24 Zenedge, Inc. Analyzing Web Application Behavior to Detect Malicious Requests

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102789593A (en) * 2012-06-18 2012-11-21 北京大学 Intrusion detection method based on incremental GHSOM (Growing Hierarchical Self-organizing Maps) neural network
CN104243407A (en) * 2013-06-13 2014-12-24 华为技术有限公司 Generation method and device for malicious software network intrusion detection feature codes
CN104486141A (en) * 2014-11-26 2015-04-01 国家电网公司 Misdeclaration self-adapting network safety situation predication method
US20160285904A1 (en) * 2015-03-26 2016-09-29 Tyco Fire & Security Gmbh Home Network Intrusion Detection and Prevention System and Method
CN106778795A (en) * 2015-11-24 2017-05-31 华为技术有限公司 A kind of sorting technique and device based on incremental learning
US20170244737A1 (en) * 2016-02-23 2017-08-24 Zenedge, Inc. Analyzing Web Application Behavior to Detect Malicious Requests

Cited By (68)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020034800A1 (en) * 2018-08-15 2020-02-20 腾讯科技(深圳)有限公司 Machine learning model processing method and device, medium and electronic device
CN109255234A (en) * 2018-08-15 2019-01-22 腾讯科技(深圳)有限公司 Processing method, device, medium and the electronic equipment of machine learning model
CN109495443A (en) * 2018-09-13 2019-03-19 中国科学院信息工程研究所 Method and system for countering ransomware attacks based on a host honeypot
CN109495443B (en) * 2018-09-13 2021-02-19 中国科学院信息工程研究所 Method and system for countering ransomware attacks based on a host honeypot
CN109146097B (en) * 2018-09-21 2021-02-02 中国联合网络通信集团有限公司 Equipment maintenance method and system, server and equipment maintenance terminal
CN109146097A (en) * 2018-09-21 2019-01-04 中国联合网络通信集团有限公司 Equipment maintenance method and system, server side and equipment maintenance terminal
CN108965340A (en) * 2018-09-25 2018-12-07 网御安全技术(深圳)有限公司 Industrial control system intrusion detection method and system
CN109344622A (en) * 2018-09-26 2019-02-15 杭州迪普科技股份有限公司 Intrusion detection method and related device for vulnerability attacks
CN111049784B (en) * 2018-10-12 2023-08-01 三六零科技集团有限公司 Network attack detection method, device, equipment and storage medium
CN111049784A (en) * 2018-10-12 2020-04-21 北京奇虎科技有限公司 Network attack detection method, device, equipment and storage medium
CN109672666A (en) * 2018-11-23 2019-04-23 北京丁牛科技有限公司 Network attack detection method and device
CN109672666B (en) * 2018-11-23 2021-12-14 北京丁牛科技有限公司 Network attack detection method and device
CN109670306A (en) * 2018-11-27 2019-04-23 国网山东省电力公司济宁供电公司 Electric power malicious code detecting method, server and system based on artificial intelligence
CN110737894B (en) * 2018-12-04 2022-12-27 安天科技集团股份有限公司 Composite document security detection method and device, electronic equipment and storage medium
CN110737894A (en) * 2018-12-04 2020-01-31 哈尔滨安天科技集团股份有限公司 Composite document security detection method and device, electronic equipment and storage medium
WO2020142110A1 (en) * 2018-12-31 2020-07-09 Intel Corporation Securing systems employing artificial intelligence
CN111435393B (en) * 2019-01-14 2024-04-16 北京京东尚科信息技术有限公司 Object vulnerability detection method, device, medium and electronic equipment
CN111435393A (en) * 2019-01-14 2020-07-21 北京京东尚科信息技术有限公司 Object vulnerability detection method, device, medium and electronic equipment
CN109688159B (en) * 2019-01-23 2023-01-17 平安科技(深圳)有限公司 Network isolation violation identification method, server and computer-readable storage medium
CN109688159A (en) * 2019-01-23 2019-04-26 平安科技(深圳)有限公司 Network isolation violation identification method, server and computer-readable storage medium
CN109871683A (en) * 2019-01-24 2019-06-11 深圳昂楷科技有限公司 Database protection system and method
CN109871683B (en) * 2019-01-24 2021-04-27 深圳昂楷科技有限公司 Database protection system and method
CN109960934A (en) * 2019-03-25 2019-07-02 西安电子科技大学 Malicious request detection method based on CNN
CN110110525A (en) * 2019-04-26 2019-08-09 北京中润国盛科技有限公司 Vulnerability mining method based on machine learning and deep learning
CN112052449A (en) * 2019-06-06 2020-12-08 深信服科技股份有限公司 Malicious file identification method, device, equipment and storage medium
CN110516444A (en) * 2019-07-23 2019-11-29 成都理工大学 Kernel-based cross-terminal, cross-version root attack detection and protection system
CN110661795A (en) * 2019-09-20 2020-01-07 哈尔滨安天科技集团股份有限公司 Vector-level threat information automatic production and distribution system and method
CN110602137A (en) * 2019-09-25 2019-12-20 光通天下网络科技股份有限公司 Malicious IP and malicious URL intercepting method, device, equipment and medium
CN111026012A (en) * 2019-11-29 2020-04-17 哈尔滨安天科技集团股份有限公司 Method and device for detecting PLC firmware level bugs, electronic equipment and storage medium
CN111026012B (en) * 2019-11-29 2023-01-31 安天科技集团股份有限公司 Method and device for detecting PLC firmware level bugs, electronic equipment and storage medium
CN111159111A (en) * 2019-12-13 2020-05-15 深信服科技股份有限公司 Information processing method, device, system and computer readable storage medium
WO2021129201A1 (en) * 2019-12-26 2021-07-01 中科信息安全共性技术国家工程研究中心有限公司 Intrusion detection method and device based on linux host
CN111090855A (en) * 2019-12-26 2020-05-01 中科信息安全共性技术国家工程研究中心有限公司 Intrusion detection method and device based on Linux host
CN111400718A (en) * 2020-03-06 2020-07-10 苏州浪潮智能科技有限公司 Method and device for detecting system vulnerability and attack and related equipment
CN111400718B (en) * 2020-03-06 2022-07-15 苏州浪潮智能科技有限公司 Method and device for detecting system vulnerability and attack and related equipment
CN111737693A (en) * 2020-05-09 2020-10-02 北京启明星辰信息安全技术有限公司 Method for determining characteristics of malicious software, and method and device for detecting malicious software
CN112269992A (en) * 2020-06-01 2021-01-26 中国科学院信息工程研究所 Real-time malicious sample detection method based on artificial intelligence processor and electronic device
CN112269992B (en) * 2020-06-01 2023-10-20 中国科学院信息工程研究所 Real-time malicious sample detection method based on artificial intelligent processor and electronic device
CN111917781A (en) * 2020-08-05 2020-11-10 湖南匡楚科技有限公司 Intelligent internal malicious behavior network attack identification method and electronic equipment
CN111931187A (en) * 2020-08-13 2020-11-13 深信服科技股份有限公司 Component vulnerability detection method, device, equipment and readable storage medium
CN112202722A (en) * 2020-09-08 2021-01-08 华东师范大学 Intrusion detection method
CN112187730A (en) * 2020-09-08 2021-01-05 华东师范大学 Intrusion detection system
CN112260989A (en) * 2020-09-16 2021-01-22 湖南大学 Power system and network malicious data attack detection method, system and storage medium
CN112260989B (en) * 2020-09-16 2021-07-30 湖南大学 Power system and network malicious data attack detection method, system and storage medium
CN112615819A (en) * 2020-12-03 2021-04-06 北京锐服信科技有限公司 Intrusion behavior detection method and system based on deep learning
CN112583820A (en) * 2020-12-09 2021-03-30 南方电网科学研究院有限责任公司 Power attack test system based on attack topology
CN112583820B (en) * 2020-12-09 2022-06-17 南方电网科学研究院有限责任公司 Power attack testing system based on attack topology
CN113177191A (en) * 2021-04-16 2021-07-27 中国人民解放军战略支援部队信息工程大学 Firmware function similarity detection method and system based on fuzzy matching
CN113141360A (en) * 2021-04-21 2021-07-20 建信金融科技有限责任公司 Method and device for detecting network malicious attack
CN113468524B (en) * 2021-05-21 2022-05-24 天津理工大学 RASP-based machine learning model security detection method
CN113468524A (en) * 2021-05-21 2021-10-01 天津理工大学 RASP-based machine learning model security detection method
CN113282928A (en) * 2021-06-11 2021-08-20 杭州安恒信息技术股份有限公司 Malicious file processing method, device and system, electronic device and storage medium
CN113468538A (en) * 2021-06-15 2021-10-01 江苏大学 Vulnerability attack database construction method based on similarity measurement
CN113411356B (en) * 2021-08-23 2021-12-10 北京华云安信息技术有限公司 Vulnerability detection method, system, device and computer readable storage medium
CN113411356A (en) * 2021-08-23 2021-09-17 北京华云安信息技术有限公司 Vulnerability detection method, system, device and computer readable storage medium
CN113691562A (en) * 2021-09-15 2021-11-23 神州网云(北京)信息技术有限公司 Method for implementing rule engine for accurately identifying malicious network communication
CN113691562B (en) * 2021-09-15 2024-04-23 神州网云(北京)信息技术有限公司 Rule engine implementation method for accurately identifying malicious network communication
CN113839963A (en) * 2021-11-25 2021-12-24 南昌首页科技发展有限公司 Network security vulnerability intelligent detection method based on artificial intelligence and big data
CN114553525A (en) * 2022-02-22 2022-05-27 国网河北省电力有限公司电力科学研究院 Network security vulnerability mining method and system based on artificial intelligence
CN114710325A (en) * 2022-03-17 2022-07-05 广州杰赛科技股份有限公司 Method, device, equipment and storage medium for constructing network intrusion detection model
CN114710325B (en) * 2022-03-17 2023-09-15 广州杰赛科技股份有限公司 Method, device, equipment and storage medium for constructing network intrusion detection model
CN114866279A (en) * 2022-03-24 2022-08-05 中国科学院信息工程研究所 Vulnerability attack flow detection method and system based on HTTP request effective load
CN114912116B (en) * 2022-05-18 2023-01-24 河南工业贸易职业学院 Intelligent computer network information safety controller and control system
CN114912116A (en) * 2022-05-18 2022-08-16 河南工业贸易职业学院 Intelligent computer network information safety controller and control system
CN115130110A (en) * 2022-07-08 2022-09-30 国网浙江省电力有限公司电力科学研究院 Vulnerability mining method, device, equipment and medium based on parallel ensemble learning
CN115130110B (en) * 2022-07-08 2024-03-19 国网浙江省电力有限公司电力科学研究院 Vulnerability discovery method, device, equipment and medium based on parallel integrated learning
CN115695046B (en) * 2022-12-28 2023-03-31 广东工业大学 Network intrusion detection method based on reinforcement ensemble learning
CN115695046A (en) * 2022-12-28 2023-02-03 广东工业大学 Network intrusion detection method based on reinforcement ensemble learning

Also Published As

Publication number Publication date
CN108347430B (en) 2021-01-12

Similar Documents

Publication Publication Date Title
CN108347430A (en) Network invasion monitoring based on deep learning and vulnerability scanning method and device
CN109347801B (en) Vulnerability exploitation risk assessment method based on multi-source word embedding and knowledge graph
CN110249331A (en) Continuous learning for intrusion detection
CN105653956B (en) Android malware classification method based on dynamic behaviour dependency graph
CN108200030A (en) Malicious traffic detection method, system, device and computer-readable storage medium
US8490196B2 (en) System and method for extending automated penetration testing to develop an intelligent and cost efficient security strategy
CN104077531B (en) System vulnerability assessment method, device and system based on the Open Vulnerability Assessment Language
CN106716958A (en) Lateral movement detection
CN110278201B (en) Security policy evaluation method and device, computer readable medium and electronic device
CN111209570B (en) Method for creating a security closed-loop process based on MITRE ATT&CK
US20150135318A1 (en) Method of detecting intrusion based on improved support vector machine
CN110474906A (en) Combined active and passive deep mining technique for cyberspace targets based on closed-loop feedback
CN110765459A (en) Malicious script detection method and device and storage medium
CN104184728A (en) Safety detection method and device for Web application system
Gutiérrez‐Madroñal et al. Evolutionary mutation testing for IoT with recorded and generated events
CN114422224A (en) Attack tracing-oriented threat information intelligent analysis method and system
Li et al. [Retracted] Intelligent Intrusion Detection Method of Industrial Internet of Things Based on CNN‐BiLSTM
CN105938531A (en) Identifying malicious web infrastructures
CN116383833A (en) Method and device for testing software program code, electronic equipment and storage medium
Almazrouei et al. A review on attack graph analysis for iot vulnerability assessment: challenges, open issues, and future directions
CN117478433B (en) Network and information security dynamic early warning system
Dugyala et al. [Retracted] Analysis of Malware Detection and Signature Generation Using a Novel Hybrid Approach
CN110225009A (en) Proxy user detection method based on communication behavior profiling
CN111291378B (en) Threat information judging and researching method and device
Shakya et al. Intrusion detection system using back propagation algorithm and compare its performance with self organizing map

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant