CN108718310B - Deep learning-based multilevel attack feature extraction and malicious behavior identification method - Google Patents
Deep learning-based multilevel attack feature extraction and malicious behavior identification method Download PDFInfo
- Publication number
- CN108718310B CN108718310B CN201810481076.9A CN201810481076A CN108718310B CN 108718310 B CN108718310 B CN 108718310B CN 201810481076 A CN201810481076 A CN 201810481076A CN 108718310 B CN108718310 B CN 108718310B
- Authority
- CN
- China
- Prior art keywords
- attack
- code
- data
- malicious
- layer
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 230000006399 behavior Effects 0.000 title claims abstract description 62
- 238000000605 extraction Methods 0.000 title claims abstract description 56
- 238000000034 method Methods 0.000 title claims abstract description 50
- 238000013135 deep learning Methods 0.000 title claims abstract description 36
- 230000007123 defense Effects 0.000 claims abstract description 39
- 238000013499 data model Methods 0.000 claims abstract description 26
- 238000012549 training Methods 0.000 claims abstract description 21
- 238000012545 processing Methods 0.000 claims abstract description 9
- 230000006870 function Effects 0.000 claims description 24
- 238000003062 neural network model Methods 0.000 claims description 18
- 230000001537 neural effect Effects 0.000 claims description 7
- 230000000007 visual effect Effects 0.000 claims description 6
- 238000001514 detection method Methods 0.000 abstract description 9
- 238000004458 analytical method Methods 0.000 description 17
- 239000011159 matrix material Substances 0.000 description 10
- 230000008569 process Effects 0.000 description 8
- 230000003068 static effect Effects 0.000 description 8
- 230000000875 corresponding effect Effects 0.000 description 7
- 238000013528 artificial neural network Methods 0.000 description 4
- 238000010586 diagram Methods 0.000 description 4
- 238000005516 engineering process Methods 0.000 description 4
- 238000004891 communication Methods 0.000 description 3
- 230000005540 biological transmission Effects 0.000 description 2
- 238000005206 flow analysis Methods 0.000 description 2
- 230000007246 mechanism Effects 0.000 description 2
- 238000012544 monitoring process Methods 0.000 description 2
- 238000005457 optimization Methods 0.000 description 2
- 238000007781 pre-processing Methods 0.000 description 2
- 230000004044 response Effects 0.000 description 2
- POXUQBFHDHCZAD-MHTLYPKNSA-N (2r)-2-[(4s)-2,2-dimethyl-1,3-dioxolan-4-yl]-3,4-dihydroxy-2h-furan-5-one Chemical compound O1C(C)(C)OC[C@H]1[C@@H]1C(O)=C(O)C(=O)O1 POXUQBFHDHCZAD-MHTLYPKNSA-N 0.000 description 1
- 206010000117 Abnormal behaviour Diseases 0.000 description 1
- 230000002159 abnormal effect Effects 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 230000001149 cognitive effect Effects 0.000 description 1
- 230000006835 compression Effects 0.000 description 1
- 238000007906 compression Methods 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 230000002596 correlated effect Effects 0.000 description 1
- 230000001066 destructive effect Effects 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000005611 electricity Effects 0.000 description 1
- 238000011156 evaluation Methods 0.000 description 1
- 239000012634 fragment Substances 0.000 description 1
- 230000009931 harmful effect Effects 0.000 description 1
- 230000010354 integration Effects 0.000 description 1
- 238000005259 measurement Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 210000003205 muscle Anatomy 0.000 description 1
- 210000005036 nerve Anatomy 0.000 description 1
- 239000000126 substance Substances 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
- H04L41/145—Network analysis or design involving simulating, designing, planning or modelling of a network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Abstract
The invention discloses a deep learning-based multi-level attack feature extraction and malicious behavior identification method, which belongs to the technical field of network security and comprises the steps of training malicious codes in an attack behavior database by using a deep learning method to construct an attack data model of the malicious codes; processing the code to be detected in the network layer based on the attack data model to obtain the network layer data characteristics of the code to be detected; performing feature extraction on a code to be detected in a physical layer to obtain physical layer data features of the code to be detected; and determining whether the code to be detected is a malicious code or not by combining the data characteristics of the network layer and the data characteristics of the physical layer. The invention identifies the code by combining the data characteristics of the network layer and the data characteristics of the physical layer, effectively meets the requirement of high defense performance of the system and ensures the reliability of the defense of the system. The malicious code detection accuracy is effectively improved, and meanwhile the consumption of system detection time is effectively controlled.
Description
Technical Field
The invention relates to the technical field of network security, in particular to a deep learning-based multi-level attack feature extraction and malicious behavior identification method.
Background
Malicious codes have the harmful effects of destroying infected computer data, operating invasive or destructive programs, destroying the safety and integrity of the infected computer data and the like, and become the main cause of information leakage of individuals and enterprises.
In the aspect of malicious code analysis, the existing dynamic behavior capturing method can comprehensively analyze the behavior operation of the botnet, but the system overhead is large, and the analysis period is long. The existing static disassembling mode obtains the botnet function call graph, and compares the instruction information with the similarity of the function call. In addition, no matter in a dynamic behavior capturing mode or a static disassembling mode, various features used in analysis are manually predefined features, whether the features are comprehensive or correct is determined by manual reservation, and the subjectivity is high.
Disclosure of Invention
The invention aims to provide a deep learning-based multi-level attack feature extraction and malicious behavior identification method so as to identify malicious codes with reliability and real-time performance.
In order to achieve the purpose, the invention adopts a multi-level attack feature extraction and malicious behavior identification method based on deep learning, which comprises the following steps:
training malicious codes in an attack behavior database by using a deep learning method to construct an attack data model of the malicious codes, wherein the malicious codes in the attack behavior database are the malicious codes which are analyzed statically and dynamically in advance;
processing the code to be detected in the network layer based on the attack data model to obtain the network layer data characteristics of the code to be detected;
performing feature extraction on a code to be detected in a physical layer to obtain physical layer data features of the code to be detected;
and determining whether the code to be detected is a malicious code or not by combining the data characteristics of the network layer and the data characteristics of the physical layer.
Preferably, the training the malicious codes in the attack behavior database by using the deep learning method to construct the attack data model of the malicious codes includes:
converting necessary attack characteristics of the malicious codes in the attack behavior database into constraint conditions;
constructing an attack target function of the malicious code according to the constraint condition;
solving the attack objective function by using a nonlinear iterative algorithm to obtain an attack vector of the malicious code;
and constructing the attack data model according to the attack vector of the malicious code.
Preferably, in the network layer, the processing the code to be tested based on the attack data model to obtain the network layer data characteristics of the code to be tested includes:
taking the behavior of the malicious code to be identified as the input of the attack data model to obtain a network layer attack vector corresponding to the behavior of the malicious code to be identified;
and taking the network layer attack vector as the input of a pre-constructed neural network model to obtain the data characteristics of the network layer.
Preferably, the method further comprises the following steps:
and matching the data characteristics of the network layer, and dividing the code to be detected into a normal code, a malicious code and an unknown code according to a matching result.
Preferably, in the physical layer, performing feature extraction on the code to be detected to obtain a physical layer data feature of the code to be detected, including:
when the defense level requirement is high and the defense instantaneity requirement is low, feature extraction is carried out on the physical layer data of the normal codes and the physical layer data of the unknown codes by adopting an attack feature extraction method based on a prime mover to respectively obtain the physical layer data features of the normal codes and the physical layer data features of the unknown codes;
and when the defense level requirement is high and the defense instantaneity requirement is high, performing feature extraction on the physical layer data of the unknown code by adopting an attack feature extraction method based on a prime mover to obtain the physical layer data feature of the unknown code.
Preferably, the method further comprises the following steps:
when the defense level requirement and the defense instantaneity requirement are both low, comparing the network layer data characteristics of the code to be tested with the attack characteristics in the attack characteristic database;
and when the network layer data characteristics of the code to be detected are matched with the attack characteristics in the attack characteristic database, determining whether the code to be detected is a malicious code or not, wherein the attack characteristics in the characteristic database are the characteristics of malicious codes in the attack behavior database.
Preferably, the building process of the pre-built neural network model comprises:
stacking k limited Boltzmann machines into a deep belief network, wherein k is a positive integer;
training data characteristic classification parameters of each neural unit in a Boltzmann machine limited by a first layer of a deep belief network in an unsupervised mode;
taking the hidden layer of the first layer of limited Boltzmann machine as a visual layer of a second layer to train the data characteristic classification parameters of each neural unit in the second layer of limited Boltzmann machine, and finishing the training of the parameters of each layer of limited Boltzmann machine to the top layer in sequence to obtain the initial parameters of the neural network model;
and carrying out supervision training on the initial parameters by using data with trapping characteristic labels, determining weight parameters of neural units in each layer of limited Boltzmann machine and intimacy between adjacent network layers, and constructing the neural network model.
Preferably, the obtaining of the network layer data features by using the network layer attack vector as an input of a pre-constructed neural network model includes:
in the neural network model, traversing a suspicious code sequence in a code to be tested and a malicious code sequence recorded in a system, and matching each character in the two sequences to obtain a matching result;
and traversing the matching result, and taking the longest public subsequence as the data characteristic of the network layer.
Preferably, the determining, by combining the network layer data characteristics and the physical layer data characteristics, whether the code to be tested is a malicious code includes:
comparing the network layer data characteristics and the physical layer data characteristics with the characteristics in the attack characteristic database respectively;
judging whether the data characteristics of the network layer are matched with the characteristics in the attack characteristic database or not, and judging whether the data characteristics of the physical layer are matched with the characteristics in the attack characteristic database or not;
and when at least one comparison result is matched, determining whether the code to be tested is malicious code.
Preferably, the method further comprises the following steps:
adding the code to be tested determined as the malicious code into the attack behavior database as newly-added data, and updating the attack behavior database;
and training the malicious codes in the updated attack behavior database by using a deep learning method so as to update the attack data model.
Compared with the prior art, the invention has the following technical effects: the method utilizes the deep learning function to train the known malicious codes, obtains the characteristics of the malicious codes, constructs the attack data model of the malicious codes and enhances the capability of the system for identifying the malicious codes. When an unknown code invades a system, the unknown code is identified, namely feature extraction is carried out, whether the features of the unknown code are matched with the features of the malicious code or not is judged, and whether the unknown code is the malicious code or not is preliminarily judged. And then, combining different defense levels of the system, performing feature extraction on the physical layer data of the unknown code, and effectively combining the features of the physical layer data to determine whether the unknown code is a malicious code. By the attack defense method of parallel multi-level feature extraction, the accuracy of malicious code identification is guaranteed to the greatest extent.
Drawings
The following detailed description of embodiments of the invention refers to the accompanying drawings in which:
FIG. 1 is a schematic flow chart of a deep learning-based multi-level attack feature extraction and malicious behavior identification method;
FIG. 2 is a diagram of a global model for multi-level deep learning;
FIG. 3 is a schematic diagram of static and dynamic feature extraction;
FIG. 4 is a diagram of an attack defense model without physical layer analysis;
FIG. 5 is a diagram of an attack defense model incorporating physical layer analysis and parameter coordination.
Detailed Description
To further illustrate the features of the present invention, refer to the following detailed description of the invention and the accompanying drawings. The drawings are for reference and illustration purposes only and are not intended to limit the scope of the present disclosure.
The basic idea of the scheme of the embodiment is as follows: when a system is invaded by a code to be detected, in the end-to-end transmission process of the code to be detected through a network, a neural network in deep learning is adopted in a network layer to extract the characteristics of network layer data, a characteristic extraction method based on a physical host is also adopted to extract the characteristics of the data of the code to be detected in a physical layer, and the category of the code to be detected is determined by combining the network layer data characteristics and the physical layer data characteristics according to the requirement of the defense level of the system. The following is explained by combining a specific technical scheme:
as shown in fig. 1, the present embodiment discloses a deep learning-based multi-level attack feature extraction and malicious behavior identification method, which includes the following steps S1 to S4:
s1, training the malicious codes in the attack behavior database by using a deep learning method to construct an attack data model of the malicious codes;
it should be noted that the malicious code in the attack behavior database is obtained through existing static analysis and dynamic analysis. And then, training the known malicious codes by using a deep learning method to construct an attack data model, so that the recognition capability and accuracy of the malicious codes can be enhanced.
S2, processing the code to be tested in the network layer based on the attack data model to obtain the network layer data characteristics of the code to be tested;
s3, extracting the characteristics of the code to be detected in the physical layer to obtain the physical layer data characteristics of the code to be detected;
and S4, determining whether the code to be detected is a malicious code or not by combining the network layer data characteristics and the physical layer data characteristics.
It should be noted that, feature extraction is performed on the same code to be detected in the network layer and the physical layer respectively, and by combining the data features of the network layer and the data features of the physical layer, when the requirement on system defense is high, the accuracy of malicious code identification can be effectively ensured, and the reliability of system defense is improved.
As a further description, the specific process of constructing the attack data model of the malicious code in step S1 is as follows:
(1) and (3) constructing a constraint condition:
firstly, malicious code data in an existing attack behavior database in a system is analyzed to obtain necessary attack features of the malicious code, and the necessary attack features of the malicious code are embodied as follows in the embodiment:
the method is characterized in that: an attacker has a certain grasp on the network topology structure of the attack system;
and (2) feature: an attacker has certain foreknowledge on a detection mechanism of an attack system;
and (3) feature: the attacker maximizes the attack profit of the attacker by modifying the relevant data around the attack system.
Taking an attack system as an intelligent power grid as an example, the necessary attack characteristics of the malicious code are specified as follows:
the method is characterized in that: an attacker has a certain grasp on a network topology structure in the smart grid;
and (2) feature: an attacker has certain foreknowledge on a detection mechanism of the smart grid;
and (3) feature: the attacker maximizes the attack profit of the attacker by modifying the measurement data of the surrounding neighbor electricity meters.
The three attack characteristics have certain universality, and the three characteristics are known characteristics by default and are converted into constraint conditions, specifically:
where a represents an attack vector at a certain stage, and H represents a Jacobian matrix used by an attacker (a topological structure representing power H ∈ Rm×n),
Represents the threshold of attack evaluation, | | | | represents the norm, and T represents the transpose of the attack vector a. M, N, the vector used by the operator for data transmission, the present embodiment M, N is represented by the diagonal vector as follows:
it should be noted that, no matter what kind of change is performed by an attacker, the behavior signal of the attack itself is detected, and if the secrecy of the attack is to be ensured, the attacker must consider these three constraints, so that the constraints are universal.
(2) And (3) constraining the attack objective function through constraint conditions:
the attack objective function is expressed as a lagrange multiplier according to the constraint conditions as follows:
L(a,λ1,λ2,λ3)=U(a)+λ1 Th1(a)+λ2 Th2(a)+λ3 Tg(a),
wherein the content of the first and second substances,
h2(a)=N(a+L),g(a)=aTMa,λ1、λ2、λ3and (b) respectively representing the weight of each of the three functions in the Lagrange multiplier method, only serving as a parameter and not needing to be solved, and U (a) representing an objective function.
Then, the original objective function minimum value problem is converted into a derivative problem through the partial derivative function of each parameter, namely, the solution of the derivative problem is carried out
When the function takes the minimum value, the specific values of the relevant parameters enable the objective function to meet the following requirements:
wherein, U (a)k) An objective function representing an attacker, dkRepresents the update weight per iteration, akRepresenting the attack vector in k iterations used in the objective function,
representing the second partial derivative, L (α)k,λk) Representing the attack objective function in the kth iteration,
denotes a partial derivative of a section, λkRespectively three function weights lambda in Lagrange multiplier method1、λ2、λ3The specific value taken in the kth iteration in the nonlinear iterative algorithm.
(3) And solving an attack vector capable of expressing attack behaviors by using a nonlinear iterative algorithm and an attack objective function under a characteristic constraint condition. The iterative algorithm detection process of the attack vector of the malicious code comprises the following steps:
(3-1) first determining an initial parameter value a0,λ0And the initialization state constant value H of the matrix H0,H0Is an m × n matrix and selects the parameter η ∈ (0,0.5), τ ∈ (0,1) within a given range;
(3-2) judging whether constraint conditions are met, if so, continuing to execute the step (3-3), and if not, stopping calculation;
(3-3) solving d by the transformed programming subproblemkA value;
(3-4) attack vector alphakInitial value of (a)01 brings the following equation:
judging whether the parameter is satisfied, if so, determining that the parameter value can be used, executing the step (3-5),
otherwise, the attack vector alpha is matchedkAnd (6) updating. Alpha is alphakUpdating to satisfy the formula αk=τkαkIn which τ isk∈(0,τ)。
Wherein D represents a diagonal matrix of C-order latitude, η represents a selected weight parameter,
is the adjustment function used to adjust the step size and can be expressed as:
r1、r2、r3the weight for adjusting the proportion of each parameter in the function can be set
Maximum value of (1) ri≤3。
(3-5) attack vector αkAfter the constraint condition is satisfied, the attack vector a is calculatedkIteration value a ofk+1=ak+αkdk。
To be further described, the step S2: in the network layer, processing the code to be tested based on the attack data model to obtain the network layer data characteristics of the code to be tested, which specifically comprises:
taking the behavior of the malicious code to be identified as the input of the attack data model to obtain a network layer attack vector corresponding to the behavior of the malicious code to be identified;
and taking the network layer attack vector as the input of a pre-constructed neural network model to obtain the data characteristics of the network layer.
Specifically, the construction process of the neural network model comprises the following steps:
the k limited Boltzmann machines can form a deep belief network in a stacking mode, the deep belief network is limited, data feature classification parameters of each nerve unit in the first layer of limited Boltzmann machines are trained in an unsupervised mode, feature parameters set by the second layer are trained by taking a hidden layer of the first layer of limited Boltzmann machines as a visual layer of the second layer, and thus the training of the parameters in each layer of limited Boltzmann machines is continuously completed upwards to obtain initial parameters of the feature extraction model.
And then carrying out supervised training on initial parameters of the model by using data with trapping characteristic labels to achieve fine adjustment of the initial parameters, thereby determining the final weight parameters of the neural units in each layer and the intimacy degree between adjacent network layers, and constructing the neural network model.
The energy function of the restricted boltzmann machine in the neural network can be expressed as:
wherein v isjJ-th element representing a visual layer vector v,hiUnit element, w, representing a hidden layer vector hijThe element of the weight matrix between the visible layer and the hidden layer unit is shown, n represents the number of hidden layers, and m represents the number of single bits in the visible layer. c. CjAnd diRespectively representing the weight of each element between the visible layer and the hidden layer, and then calculating the conditional probability of attack feature identification distributed in each hidden layer unit through the given weight of the hidden layer:
wherein sigm represents a curve function, and sigm (x) is 1/(1+ e)-x)。
Similarly, knowing the weight value occupied by each unit in the visual layer, the conditional probability of each unit in the visual layer for attacking feature recognition can be calculated:
after the initial training, in order to prevent the phenomenon of under-fitting or over-fitting of the data labels, a new round of updating of the weights of the visible layers and the hidden layers in the neural network is needed. Wherein, each unit weight update matrix between the visible layer and the hidden layer is expressed as:
wij=wij-R(<hivj>m-<hivj>n)
where < > represents the expected value obtained, and R represents the learning rate.
The bias updates between the respective hidden and visible layers can be expressed as:
and finally forming a neural network parameter aiming at the training data through continuous parameter updating so as to ensure the accuracy of attack identification.
Specifically, an extraction method based on the longest public subsequence is adopted, a character string sequence output by the neural network model is compared and matched with attack characteristics recorded in an attack system, and finally the longest public subsequence is selected as the attack characteristic which can represent the attack behavior most. The method can greatly shorten the identification time of the attack by extracting the features. The extraction process comprises the following steps:
definition 1: for sequence P ═ P1,p2,...,pmQ ═ Q1,q2,...,qnIf a sequence L is present ═ L }1,L2,...,LtAnd if the length of the subsequence which meets the condition that L belongs to X and L belongs to Y is not larger than L, the sequence L is the longest common subsequence of P and Q.
Definition 2: for a sequence X of length m and a sequence Y of length n, an m × n matrix is required to assist completion. The matrix records the matching condition between characters in two character strings, so that the storage space is defined as C, CijRepresenting the ith character of sequence X and the jth character of sequence Y.
The specific matching process is as follows:
(1) traversing the sequence X and the sequence Y, and matching each character in the sequence, wherein the following rules are required to be followed when matching:
(2) and after matching is finished, traversing the matching result, and finding out the maximum sub-matrix of which the diagonal lines in the storage space are all 1, wherein the character sequence corresponding to the sub-matrix is the required longest public sub-sequence.
If the character string sequence output from the neural network model does not have matched characteristic information with the character string sequence output from the database, the attack can be regarded as unknown attack, and the character sequence with the longest output from the neural network model is taken as the attack characteristic of the unknown attack.
To be more specific, in step S3: in the physical layer, feature extraction is carried out on the code to be detected to obtain physical layer data features of the code to be detected, a host-based attack feature extraction method, namely white box extraction, is adopted, the extraction process is the same as that in the prior art, namely, a malicious program which initiates an attack is reversely compiled into an assembly instruction, then the assembly instruction is tracked and analyzed to find out an attack instruction fragment, and then attack features are extracted from the assembly instruction.
To be further described, the step S4: and determining whether the code to be detected is a malicious code or not by combining the data characteristics of the network layer and the data characteristics of the physical layer. The specific process comprises the following steps:
comparing the data characteristics of the network layer and the data characteristics of the physical layer with the characteristics in the attack characteristic database respectively, wherein the characteristics in the attack characteristic database are the characteristics of malicious codes in the attack behavior database;
judging whether the data characteristics of the network layer are matched with the characteristics in the attack characteristic database or not, and judging whether the data characteristics of the physical layer are matched with the characteristics in the attack characteristic database or not;
and when at least one comparison result is matched, determining whether the code to be tested is malicious code.
It should be noted that, in this embodiment, by combining the data features of the network layer with the data features of the physical layer, the accuracy of identifying the code to be detected is improved, and the method is suitable for a system with a high defense requirement level, and fully improves the defense reliability of the system.
To be more specific, in step S2: and in the network layer, processing the code to be detected based on the attack data model to obtain the network layer data characteristics of the code to be detected. The method also comprises the following steps:
and matching the data characteristics of the network layer, and dividing the code to be detected into a normal code, a malicious code and an unknown code according to a matching result.
Wherein, the normal code refers to a code judged to have no attack threat; malicious code refers to code that is determined to have an attack threat; unknown code refers to "grey zones" where neither normal nor malicious code is present, code that needs further discrimination.
As a further description, in this embodiment, a code category identified by a network layer data feature is used as a preliminary identification result, and then different responses are implemented according to the code category according to the requirements of system defensiveness and real-time performance, specifically:
when the defense level requirement is high and the defense instantaneity requirement is low, feature extraction is carried out on the physical layer data of the normal codes and the physical layer data of the unknown codes by adopting an attack feature extraction method based on a prime mover to respectively obtain the physical layer data features of the normal codes and the physical layer data features of the unknown codes;
when the defense level requirement is high and the defense instantaneity requirement is high, feature extraction is carried out on the physical layer data of the unknown code by adopting an attack feature extraction method based on a prime mover to obtain the physical layer data feature of the unknown code;
and when the defense level requirement and the defense instantaneity requirement are both low, comparing the network layer data characteristics of the code to be detected with the attack characteristics in the attack characteristic database, and determining whether the code to be detected is malicious code or not when the network layer data characteristics of the code to be detected are matched with the attack characteristics in the attack characteristic database.
It should be noted that, if the data features of the network layer are not matched with the features in the attack feature database, feature extraction may be performed on the code to be detected of the network layer again, and if the data features of the network layer are not matched with the features in the attack feature database, the code to be detected is considered to be an unknown code.
It should be noted that, in this embodiment, the codes to be tested in the network layer are classified, and corresponding class codes are analyzed according to the system defense level and the requirement of defense instantaneity, for example, when the requirement of system instantaneity is high, only the unknown codes are subjected to feature extraction in the physical layer, which not only reduces time consumption, but also reduces system defense delay as a whole. When the system defense requirement is high, feature extraction is carried out on unknown codes and normal codes in a physical layer, and the codes are identified by combining the data features of the network layer and the data features of the physical layer, so that the requirement of high system defense is effectively met, and the reliability of the system defense is ensured. Therefore, the scheme of the embodiment can effectively improve the accuracy of malicious code detection and effectively control the consumption of system detection time.
By way of further illustration, the detection of malicious code may further comprise:
adding the code to be tested determined as the malicious code into the attack behavior database as newly-added data, and updating the attack behavior database;
and training the malicious codes in the updated attack behavior database by using a deep learning method so as to update the attack data model.
It should be noted that, in the embodiment, the to-be-detected code identified as the malicious code is added to the attack behavior database to update the malicious code stored in the attack behavior database, so as to update the attack data model, and thus, the iterative update is performed, so as to improve the accuracy of extracting the data features of the network layer and improve the accuracy of identifying the malicious code.
The following further explains the scheme of the embodiment by taking a detection process of a code to be detected in a power grid as an example:
as shown in fig. 2, for an input historical data set of a known attack type, we first perform data preprocessing, including performing attack vector extraction on the input data set to generate an alarm event sequence, that is, after extracting each known attack behavior by an attack vector, performing corresponding attack feature extraction, and generating a corresponding alarm event sequence from the longest sequence extracted.
In order to effectively use the alarm time log set by combining with the known alarm event list which may occur in the power grid network, the alarm events are firstly classified according to the attack purpose and are numbered in sequence. Wherein each alarm event type belongs to an alarm event type, and each alarm event type contains one or more alarm event types. The alarm event classification table describes the potential influence degree and range of an alarm event, the influence between each event type is relatively independent, but for an actual abnormal behavior, most of the cases comprise a plurality of event classifications to form a complex behavior description. In summary, according to the three common stages of the multi-step attack, the alarm event can be divided into the following three types, as shown in the alarm event classification table 1:
TABLE 1
The defense process provided by the invention can be divided into four stages:
(1) as shown in fig. 3, the basic static and dynamic features are extracted: on the premise of not running the software code program, possible bugs in the software program are analyzed, a symbol execution analysis technology based on taint analysis is researched, a static analysis technology is optimized through methods such as white lists, path search optimization and irrelevant state removal, and efficiency is improved. Furthermore, a static analysis technology based on a control flow graph is researched, and the depth of pointer analysis is analyzed through control flow analysis, data flow analysis and the like. The static analysis and the dynamic analysis are both traditional attack feature extraction methods, and are only used as a reference for extracting the attack features, so that the details are not described.
(2) And taking the extracted features, the binary codes of the malicious codes and the assembly codes after the disassembly as total input, and submitting the total input to a deep learning algorithm to obtain the features for judging the malicious codes.
(3) And finally adopting corresponding service response according to the requirements of different defense reliability and delay, comprising the following steps:
i) the advantages of extracting attack characteristics by deep learning are utilized, accurate sensing and all-around monitoring of the security states of networks with different levels of points, lines and planes are achieved, dynamic early warning is conducted on the network security situation, analysis is conducted on the network layer, a complete traceability data generation tool is formed by researching technologies such as multi-protocol flow monitoring, network security element integration middleware, communication behavior modeling based on communication flow and service logic and the like, abnormal identification of terminal communication flow is achieved, auditing is further conducted on key network security elements such as connection relation, flow types and access time sequence, and incidence situations of embedded terminal network attack threats are correlated and mined.
II) after the unknown attack characteristics are extracted by deep learning, dividing the unknown attack characteristics into attack and unknown attack according to the longest character matching, if the requirement on the safety performance is higher and the requirement on the real-time performance is not high as shown in figure 5, extracting the attack characteristics again by utilizing the deep learning on the data characteristics of the normal behaviors and the unknown behaviors at the physical layer, analyzing the extracted attack characteristics, decoding the internal codes of the firmware and preprocessing the information so as to solve the problem that the program codes or the data in the terminal firmware are difficult to obtain due to the adoption of an unknown compression algorithm, identifying the operating system and the file format of the terminal firmware by a binary code format, extracting information such as an instruction set, compiling optimization options, loading base addresses and the like from the extracted information, training a learning machine by utilizing the known binary file information, and analyzing the program codes in the unknown embedded terminal firmware, and the automatic processing of the binary code file information of the firmware is realized. And comprehensively analyzing the values of the network layer attack characteristic parameters and the values of the physical layer characteristic parameters, and finally determining whether the behavior is an attack behavior.
III) when the system has higher requirements on safety performance as shown in FIG. 4 and has the same higher requirements on defense real-time performance, only the physical layer data of unknown behaviors in behavior classification extracted from the network layer is subjected to feature judgment, and comprehensive analysis is performed by combining the values of the feature parameters of the network layer and the physical layer, namely, after deep learning is performed for feature analysis, a parameter value which is compared with a threshold value of a specified limit exists, and the attack behavior is determined.
IV) when the system has low requirements on safety performance and has different requirements on real-time performance of defense, cognitive recognition is not started, namely the attack behavior type judged by deep learning in the network layer is the final attack behavior type.
The comparison of the scheme and the existing feature extraction method is shown in table 2:
TABLE 2
As shown in table 2, IASA, Muscle, imucle, and the deep learning-based extraction method in this embodiment are respectively shown, and comparing the four extraction feature methods, the longest sequence feature that is most representative for the same attack type can be found: "GET-" HTTP/1.1\ r \ n "; andnghost to r/n; ' r \ nHost; the malicious code identification method based on deep learning provided by the embodiment is higher than the other three extraction methods in extraction time and extraction accuracy.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.
Claims (7)
1. A multilevel attack feature extraction and malicious behavior identification method based on deep learning is characterized by comprising the following steps:
training malicious codes in an attack behavior database by using a deep learning method to construct an attack data model of the malicious codes;
processing the code to be detected in the network layer based on the attack data model to obtain the network layer data characteristics of the code to be detected;
matching the data characteristics of the network layer, and dividing the code to be detected into a normal code, a malicious code and an unknown code according to a matching result;
the method includes the steps of performing feature extraction on a code to be detected in a physical layer to obtain physical layer data features of the code to be detected, and specifically includes the following steps:
when the defense level requirement is high and the defense instantaneity requirement is low, feature extraction is carried out on the physical layer data of the normal codes and the physical layer data of the unknown codes by adopting an attack feature extraction method based on a prime mover to respectively obtain the physical layer data features of the normal codes and the physical layer data features of the unknown codes;
when the defense level requirement is high and the defense instantaneity requirement is high, feature extraction is carried out on the physical layer data of the unknown code by adopting an attack feature extraction method based on a prime mover to obtain the physical layer data feature of the unknown code;
determining whether the code to be detected is a malicious code by combining the data characteristics of the network layer and the data characteristics of the physical layer, specifically comprising the following steps:
when the defense level requirement and the defense instantaneity requirement are both low, comparing the network layer data characteristics of the code to be tested with the attack characteristics in the attack characteristic database;
and when the network layer data characteristics of the code to be detected are matched with the attack characteristics in the attack characteristic database, determining whether the code to be detected is a malicious code.
2. The deep learning-based multi-level attack feature extraction and malicious behavior identification method according to claim 1, wherein the training of the malicious codes in the attack behavior database by using the deep learning method to construct the attack data model of the malicious codes comprises:
converting necessary attack characteristics of the malicious codes in the attack behavior database into constraint conditions;
constructing an attack target function of the malicious code according to the constraint condition;
solving the attack objective function by using a nonlinear iterative algorithm to obtain an attack vector of the malicious code;
and constructing the attack data model according to the attack vector of the malicious code.
3. The deep learning-based multi-level attack feature extraction and malicious behavior identification method according to claim 1, wherein the processing of the code to be detected in the network layer based on the attack data model to obtain the network layer data features of the code to be detected comprises:
taking the code to be tested as the input of the attack data model to obtain a network layer attack vector corresponding to the code to be tested;
and taking the network layer attack vector as the input of a pre-constructed neural network model to obtain the data characteristics of the network layer.
4. The deep learning-based multi-level attack feature extraction and malicious behavior identification method according to claim 3, wherein the pre-constructed neural network model is constructed by the following steps:
stacking k limited Boltzmann machines into a depth belief network, wherein k is a positive integer;
training data characteristic classification parameters of each neural unit in a Boltzmann machine limited by a first layer of a deep belief network in an unsupervised mode;
taking the hidden layer of the first layer of limited Boltzmann machine as a visual layer of a second layer to train the data characteristic classification parameters of each neural unit in the second layer of limited Boltzmann machine, and finishing the training of the parameters of each layer of limited Boltzmann machine to the top layer in sequence to obtain the initial parameters of the neural network model;
and carrying out supervision training on the initial parameters by using data with trapping characteristic labels, determining weight parameters of neural units in each layer of limited Boltzmann machine and intimacy between adjacent network layers, and constructing the neural network model.
5. The deep learning-based multi-level attack feature extraction and malicious behavior identification method according to claim 4, wherein the obtaining of the network layer data features by taking the network layer attack vector as the input of a pre-constructed neural network model comprises:
in the neural network model, traversing a suspicious code sequence in a code to be tested and a malicious code sequence recorded in a system, and matching each character in the two sequences to obtain a matching result;
and traversing the matching result, and taking the longest public subsequence as the data characteristic of the network layer.
6. The deep learning-based multi-level attack feature extraction and malicious behavior identification method according to claim 1, wherein determining whether the code to be detected is a malicious code by combining the network layer data features and the physical layer data features comprises:
comparing the data characteristics of the network layer and the data characteristics of the physical layer with the characteristics in an attack characteristic database respectively, wherein the attack characteristics in the characteristic database are the characteristics of malicious codes in the attack behavior database;
judging whether the data characteristics of the network layer are matched with the characteristics in the attack characteristic database or not, and judging whether the data characteristics of the physical layer are matched with the characteristics in the attack characteristic database or not;
and when at least one comparison result is matched, determining whether the code to be tested is malicious code.
7. The deep learning-based multi-level attack feature extraction and malicious behavior identification method according to any one of claims 1 to 6, further comprising, when determining that the code to be tested is malicious code:
adding the code to be tested determined as the malicious code into the attack behavior database as newly-added data, and updating the attack behavior database;
and training the malicious codes in the updated attack behavior database by using a deep learning method so as to update the attack data model.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810481076.9A CN108718310B (en) | 2018-05-18 | 2018-05-18 | Deep learning-based multilevel attack feature extraction and malicious behavior identification method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810481076.9A CN108718310B (en) | 2018-05-18 | 2018-05-18 | Deep learning-based multilevel attack feature extraction and malicious behavior identification method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN108718310A CN108718310A (en) | 2018-10-30 |
| CN108718310B true CN108718310B (en) | 2021-02-26 |
Family
ID=63899978
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201810481076.9A Active CN108718310B (en) | 2018-05-18 | 2018-05-18 | Deep learning-based multilevel attack feature extraction and malicious behavior identification method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN108718310B (en) |
Families Citing this family (24)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109508458B (en) * | 2018-10-31 | 2023-05-26 | 北京国双科技有限公司 | Legal entity identification method and device |
| CN109766693A (en) * | 2018-12-11 | 2019-05-17 | 四川大学 | A kind of cross-site scripting attack detection method based on deep learning |
| CN109873826B (en) * | 2019-02-28 | 2022-05-27 | 中国人民解放军战略支援部队信息工程大学 | Penetration path planning method and system based on dynamic feedback |
| CN110061982B (en) * | 2019-04-02 | 2021-06-29 | 广州大学 | Intelligent attack resisting safe transmission method based on reinforcement learning |
| CN110290101B (en) * | 2019-04-15 | 2021-12-07 | 南京邮电大学 | Deep trust network-based associated attack behavior identification method in smart grid environment |
| CN110390354B (en) * | 2019-07-01 | 2021-08-27 | 华北电力科学研究院有限责任公司 | Prediction method and device for defense capability of deep network |
| CN111143835B (en) * | 2019-11-18 | 2021-12-31 | 深圳供电局有限公司 | Non-invasive protection method for business logic of electric power metering system based on machine learning |
| CN110855683B (en) * | 2019-11-18 | 2021-08-10 | 东北电力大学 | Method for carrying out attack detection and reconstruction on electric power information physical system |
| CN110868421A (en) * | 2019-11-19 | 2020-03-06 | 泰康保险集团股份有限公司 | Malicious code identification method, device, equipment and storage medium |
| CN113127866B (en) * | 2019-12-31 | 2023-08-18 | 奇安信科技集团股份有限公司 | Feature code extraction method and device of malicious code and computer equipment |
| CN111208731B (en) * | 2020-01-12 | 2022-05-24 | 东北电力大学 | Method for attack detection and reconstruction of electric power information physical system |
| CN113472721B (en) * | 2020-03-31 | 2022-12-06 | 华为技术有限公司 | Network attack detection method and device |
| CN113496033A (en) * | 2020-04-08 | 2021-10-12 | 腾讯科技(深圳)有限公司 | Access behavior recognition method and device and storage medium |
| CN111488585B (en) * | 2020-04-17 | 2023-06-27 | 北京墨云科技有限公司 | Deep learning-based attack vector generation method for vulnerability detection |
| CN111797401B (en) * | 2020-07-08 | 2023-12-29 | 深信服科技股份有限公司 | Attack detection parameter acquisition method, device, equipment and readable storage medium |
| CN112565272B (en) * | 2020-12-09 | 2022-05-17 | 中国人民解放军国防科技大学 | Method and device for blocking minimum Steiner tree of double-layer network and computer equipment |
| CN112883995A (en) * | 2020-12-30 | 2021-06-01 | 华北电力大学 | Method and device for identifying malicious behaviors of closed-source power engineering control system based on ensemble learning |
| CN113141360B (en) * | 2021-04-21 | 2022-06-28 | 建信金融科技有限责任公司 | Method and device for detecting network malicious attack |
| CN113596020B (en) * | 2021-07-28 | 2023-03-24 | 深圳供电局有限公司 | Smart grid false data injection attack vulnerability detection method |
| CN114095260A (en) * | 2021-11-22 | 2022-02-25 | 广东电网有限责任公司 | Method, device and equipment for detecting abnormal flow of power grid and computer medium |
| CN114978654B (en) * | 2022-05-12 | 2023-03-10 | 北京大学 | End-to-end communication system attack defense method based on deep learning |
| CN115033895B (en) * | 2022-08-12 | 2022-12-09 | 中国电子科技集团公司第三十研究所 | Binary program supply chain safety detection method and device |
| CN115580492B (en) * | 2022-12-07 | 2023-05-16 | 深圳市乙辰科技股份有限公司 | Intelligent network safety protection method and system based on network equipment |
| CN117336068A (en) * | 2023-10-16 | 2024-01-02 | 北京安博通科技股份有限公司 | Gateway equipment-based data message processing method, device and equipment |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102711099A (en) * | 2012-06-20 | 2012-10-03 | 上海电机学院 | Safety routing method and system capable of resisting interference attacks |
| CN103379099A (en) * | 2012-04-19 | 2013-10-30 | 阿里巴巴集团控股有限公司 | Hostile attack identification method and system |
| CN106850675A (en) * | 2017-03-10 | 2017-06-13 | 北京安赛创想科技有限公司 | A kind of determination method and device of attack |
| CN107194251A (en) * | 2017-04-01 | 2017-09-22 | 中国科学院信息工程研究所 | Android platform malicious application detection method and device |
| CN107392025A (en) * | 2017-08-28 | 2017-11-24 | 刘龙 | Malice Android application program detection method based on deep learning |
| CN108040073A (en) * | 2018-01-23 | 2018-05-15 | 杭州电子科技大学 | Malicious attack detection method based on deep learning in information physical traffic system |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US10169581B2 (en) * | 2016-08-29 | 2019-01-01 | Trend Micro Incorporated | Detecting malicious code in sections of computer files |
-
2018
- 2018-05-18 CN CN201810481076.9A patent/CN108718310B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103379099A (en) * | 2012-04-19 | 2013-10-30 | 阿里巴巴集团控股有限公司 | Hostile attack identification method and system |
| CN102711099A (en) * | 2012-06-20 | 2012-10-03 | 上海电机学院 | Safety routing method and system capable of resisting interference attacks |
| CN106850675A (en) * | 2017-03-10 | 2017-06-13 | 北京安赛创想科技有限公司 | A kind of determination method and device of attack |
| CN107194251A (en) * | 2017-04-01 | 2017-09-22 | 中国科学院信息工程研究所 | Android platform malicious application detection method and device |
| CN107392025A (en) * | 2017-08-28 | 2017-11-24 | 刘龙 | Malice Android application program detection method based on deep learning |
| CN108040073A (en) * | 2018-01-23 | 2018-05-15 | 杭州电子科技大学 | Malicious attack detection method based on deep learning in information physical traffic system |
Non-Patent Citations (2)
| Title |
|---|
| Deep Neural Networks for Automatic Android Malware Detection;Shifu Hou et al;;《2017 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM)》;20170803;第803-810页 * |
| 基于行为的恶意代码检测方法研究;杨晔;《中国优秀硕士学位论文全文数据库 信息科技辑(月刊 ) 》;20170315;第I138-213页 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN108718310A (en) | 2018-10-30 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108718310B (en) | Deep learning-based multilevel attack feature extraction and malicious behavior identification method | |
| CN106411921B (en) | Multi-step attack prediction technique based on causal Bayesian network | |
| CN113961922B (en) | Malicious software behavior detection and classification system based on deep learning | |
| CN111783442A (en) | Intrusion detection method, device, server and storage medium | |
| CN111600919B (en) | Method and device for constructing intelligent network application protection system model | |
| CN112492059A (en) | DGA domain name detection model training method, DGA domain name detection device and storage medium | |
| CN111143838B (en) | Database user abnormal behavior detection method | |
| CN112738014A (en) | Industrial control flow abnormity detection method and system based on convolution time sequence network | |
| Ajdani et al. | Introduced a new method for enhancement of intrusion detection with random forest and PSO algorithm | |
| Gonaygunta | Machine learning algorithms for detection of cyber threats using logistic regression | |
| Chen et al. | Applying convolutional neural network for malware detection | |
| Wu et al. | Research on Network Security Situational Awareness Based on Crawler Algorithm | |
| CN111400713A (en) | Malicious software family classification method based on operation code adjacency graph characteristics | |
| Harbola et al. | Improved intrusion detection in DDoS applying feature selection using rank & score of attributes in KDD-99 data set | |
| CN109918901A (en) | The method that real-time detection is attacked based on Cache | |
| CN110290101B (en) | Deep trust network-based associated attack behavior identification method in smart grid environment | |
| CN116737850A (en) | Graph neural network model training method for APT entity relation prediction | |
| CN116545679A (en) | Industrial situation security basic framework and network attack behavior feature analysis method | |
| CN115277065B (en) | Anti-attack method and device in abnormal traffic detection of Internet of things | |
| Stokes et al. | Detection of prevalent malware families with deep learning | |
| CN113259369A (en) | Data set authentication method and system based on machine learning member inference attack | |
| Wan et al. | State-based control feature extraction for effective anomaly detection in process industries | |
| Nour et al. | Optimizing intrusion detection in industrial cyber-physical systems through transfer learning approaches | |
| Rashid et al. | Enhanced website phishing detection based on the cyber kill chain and cloud computing | |
| CN116579337B (en) | False news detection method integrating evidence credibility |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |