CN108881265A - Network attack detection method and system based on artificial intelligence - Google Patents

Network attack detection method and system based on artificial intelligence

Info

Publication number: CN108881265A
Authority: CN (China)
Prior art keywords: attack, network, artificial intelligence, data, feature
Legal status: Granted
Application number: CN201810714155.XA
Other languages: Chinese (zh)
Other versions: CN108881265B (en)
Inventors: 蒋劭捷, 张鑫
Current assignee: Beijing Hongxiang Technical Service Co Ltd
Original assignee: Beijing Qihoo Technology Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd
Priority to CN201810714155.XA
Publication of CN108881265A
Application granted
Publication of CN108881265B
Legal status: Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science
  • Computer Security & Cryptography
  • Computer Hardware Design
  • Computing Systems
  • General Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Data Exchanges In Wide-Area Networks
  • Computer And Data Communications

Abstract

The invention discloses a network attack detection method and system based on artificial intelligence. The method includes: acquiring the network data of a target host; extracting features to be detected from the network data; importing the features to be detected into a pre-established artificial intelligence model, classifying the features to be detected with the artificial intelligence model, and determining from the classification result whether the target host is under network attack and the attack type of the network attack. Because the method and system provided by the invention use artificial intelligence technology to detect attacks, the case where an attacker bypasses detection and goes undetected is largely avoided, so that more network attacks can be found.

Description

Network attack detection method and system based on artificial intelligence
Technical field
The present invention relates to the technical field of network security, and in particular to a network attack detection method and system based on artificial intelligence.
Background art
With the continuous development of computer technology and the continuous spread of the internet, new forms of network attack emerge one after another, network security problems become increasingly urgent, and the social impact and economic loss they cause keep growing, which raises new demands and challenges for the detection of and defense against cyber threats. Abnormal network traffic is one of the main current network security threats and a key object of network security monitoring. Finding abnormal network traffic quickly and accurately, and promptly capturing, analyzing, tracking and monitoring malicious code, can provide knowledge support for evaluating network security situation indices and for immune decision-making, thereby improving the overall response capability of network security emergency organizations.
Traditional network attack detection methods mainly give deterministic descriptions of the features of known network attacks, form corresponding rules and aggregate them into a feature database, and then compare the acquired network data one by one with the rules in the feature database. If, during this one-by-one comparison, the acquired network data matches a rule in the feature database, this indicates an intrusion. Traditional network attack detection methods can accurately detect known network attacks, but they depend on hand-written rules, so their flexibility is poor and their miss rate (rate of undetected attacks) is high.
Summary of the invention
The problem to be solved by the invention is that traditional network attack detection methods have poor flexibility and a high miss rate.
The invention is achieved through the following technical solutions:
A network attack detection method based on artificial intelligence, including:
acquiring the network data of a target host;
extracting features to be detected from the network data;
importing the features to be detected into a pre-established artificial intelligence model, classifying the features to be detected with the artificial intelligence model, and determining from the classification result whether the target host is under network attack and the attack type of the network attack.
Optionally, extracting features to be detected from the network data includes:
extracting request data from the network data, wherein the request data is used to initiate a service request to the target host;
extracting the features to be detected from the request data.
Optionally, before importing the features to be detected into the pre-established artificial intelligence model, the method further includes:
establishing the artificial intelligence model.
Optionally, establishing the artificial intelligence model includes:
collecting model training data;
extracting the features of known network attacks from the model training data to obtain attack signature data;
classifying the attack signature data to obtain training samples;
performing model training according to the training samples to obtain the artificial intelligence model.
Optionally, collecting the model training data includes collecting one or a combination of:
attack data published on the internet, vulnerability data published on the internet, attack data already acquired from the target host, and vulnerability data already acquired from the target host.
Optionally, performing model training according to the training samples includes:
performing model training with the Naive Bayes algorithm according to the training samples.
Optionally, after determining from the classification result that the target host is under network attack and the attack type of the network attack, the method further includes:
detecting whether the network attack succeeded;
if the network attack succeeded, obtaining the attack action of the successful network attack.
Optionally, detecting whether the network attack succeeded includes:
extracting features to be compared from the network data;
comparing the features to be compared one by one with one or more attack-response rules in a pre-established feature database, wherein each attack-response rule is formed from first response data, and the first response data is the response of an attacked host to a successful attack request;
if the features to be compared match an attack-response rule, determining that the network attack succeeded.
Optionally, extracting features to be compared from the network data includes:
extracting second response data from the network data, wherein the second response data is used by the target host to respond to the service request;
extracting the features to be compared from the second response data.
Optionally, extracting features to be compared from the network data includes:
extracting request data and second response data from the network data, wherein the request data is used to initiate a service request to the target host, and the second response data is used by the target host to respond to the service request;
extracting the features to be compared from the request data and the second response data.
Optionally, before comparing the features to be compared one by one with the one or more attack-response rules in the pre-established feature database, the method further includes:
establishing the feature database.
Optionally, establishing the feature database includes:
creating a database;
extracting one or more attack-response features, each from a corresponding item of first response data;
giving a deterministic description of each attack-response feature to form one or more attack-response rules;
storing the one or more attack-response rules in the database to obtain the feature database.
Optionally, the feature database includes N sub-feature databases, N being an integer not less than 2, and establishing the feature database includes:
creating N databases;
extracting two or more attack-response features, each from a corresponding item of first response data;
giving a deterministic description of each attack-response feature to form two or more attack-response rules;
storing the attack-response rules that belong to the same attack type among the two or more attack-response rules in the same database to obtain the sub-feature databases.
Optionally, comparing the features to be compared one by one with the one or more attack-response rules in the pre-established feature database includes:
comparing the features to be compared one by one with the one or more attack-response rules in the sub-feature database corresponding to the attack type of the network attack.
Optionally, giving a deterministic description of each attack-response feature includes:
describing each attack-response feature with a regular expression.
Optionally, obtaining the attack action of the successful network attack includes:
establishing an association between each attack-response rule in the feature database and an attack action;
according to the association between each attack-response rule in the feature database and its attack action, determining the attack action associated with the attack-response rule matched by the features to be compared as the attack action of the successful network attack.
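To make the success check concrete, here is an added Python example (not code from the patent or its assignee) of a feature database split into per-attack-type sub-databases of regular-expression attack-response rules, each associated with an attack action; the check compares the response body only with the sub-database of the attack type the model reported, and assembles the alarm information from the result. The rule patterns, attack type names, the text-only content-type filter and the sample responses are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackResponseRule:
    """A deterministic description (here a regular expression) of one feature of the
    first response data, i.e. how an attacked host answered a successful attack
    request, together with the attack action associated with the rule."""
    name: str
    pattern: str
    action: str

    def matches(self, feature: str) -> bool:
        return re.search(self.pattern, feature, re.MULTILINE) is not None


# Constructed feature database with N = 2 sub-databases keyed by attack type. Each
# pattern spots evidence of success leaking into a response (error text, file
# contents); patterns and attack type names are assumptions for this example.
FEATURE_DB = {
    "sql_injection": [
        AttackResponseRule("sql_syntax_error",
                           r"error in your SQL syntax|ORA-\d{5}|SQLSTATE\[",
                           "database error disclosure"),
        AttackResponseRule("account_table",
                           r"<td>[^<]+@[^<]+</td>\s*<td>[0-9a-f]{32}</td>",
                           "credential table read"),
    ],
    "path_traversal": [
        AttackResponseRule("unix_passwd", r"^root:x:0:0:", "system file read"),
        AttackResponseRule("windows_ini", r"^\[fonts\]|^\[extensions\]", "system file read"),
    ],
}


def parse_response(raw: str):
    """Split the second response data (the host's reply) into status code, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def extract_feature_to_compare(raw_response: str) -> str:
    """Feature to compare: the response body. A non-text body cannot match the text
    rules above, so it yields an empty feature (an added simplification)."""
    _, headers, body = parse_response(raw_response)
    return body if headers.get("content-type", "").startswith("text/") else ""


def detect_attack_success(attack_type: str, raw_response: str, feature_db=FEATURE_DB) -> dict:
    """Compare the feature one by one with the rules of the sub-database for the
    detected attack type only; rules of other attack types are never consulted, and
    an attack type without a sub-database can never be reported as successful."""
    feature = extract_feature_to_compare(raw_response)
    for rule in feature_db.get(attack_type, []):
        if rule.matches(feature):
            return {"success": True, "rule": rule.name, "action": rule.action}
    return {"success": False, "rule": None, "action": None}


def build_alarm(attack_type: str, raw_response: str) -> dict:
    """Alarm information as the patent lists it: attack type, whether the attack
    succeeded, and the attack action of a successful attack."""
    result = detect_attack_success(attack_type, raw_response)
    return {"attack_type": attack_type, "success": result["success"], "action": result["action"]}


# Constructed sample responses.
RESP_SQL_ERROR = ("HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n"
                  "<html><body>You have an error in your SQL syntax; check the manual</body></html>")
RESP_PASSWD = ("HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
               "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n")
RESP_NORMAL = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
               "<html><body>Welcome back</body></html>")
RESP_BINARY = "HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nroot:x:0:0:"

if __name__ == "__main__":
    for attack_type, resp in [("sql_injection", RESP_SQL_ERROR), ("path_traversal", RESP_PASSWD),
                              ("sql_injection", RESP_PASSWD), ("path_traversal", RESP_NORMAL)]:
        print(build_alarm(attack_type, resp))
```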
Optionally, after detecting whether the network attack succeeded, the method further includes:
generating alarm information, wherein the alarm information includes the attack type of the network attack, whether the network attack succeeded, and the attack action of a successful network attack.
Optionally, after generating the alarm information, the method further includes:
sending the alarm information to network management personnel by one or a combination of mail, short message, dialog box and instant messaging.
Optionally, after generating the alarm information, the method further includes:
adding a corresponding attack chain label to the alarm information according to its alarm content, wherein the attack chain label characterizes the attack stage in the attack chain at which the network attack is located;
counting the attack chain labels of the same attack to obtain, for each attack stage of the attack, the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks;
generating attack route information from the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks at each attack stage of the attack, wherein the attack route information includes, for each attack stage of the attack, the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks.
Optionally, adding a corresponding attack chain label to the alarm information according to its alarm content includes:
determining, according to the alarm content of the alarm information, the attack chain label corresponding to the alarm information from a pre-established tag library.
Optionally, the attack chain labels comprise two or more levels, and adding a corresponding attack chain label to the alarm information according to its alarm content includes:
determining, according to the alarm content of the alarm information, the labels at each level corresponding to the alarm information from the pre-established tag library, wherein the tag library stores M attack chain labels divided into two or more levels, M being an integer greater than 4.
Optionally, the attack route information further includes the start and end time of each attack stage, and after generating the attack route information from the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks at each attack stage of the attack, the method further includes:
displaying the attack route information in the order of the start time of each attack stage.
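The attack chain labelling and route statistics above, as an added Python example that is not part of the patent: a two-level tag library maps each alarm's attack type to a stage and a technique, the alarms of the same attack are counted per stage, and the stages are ordered by start time for display. The tag library contents, stage names and alarm records are constructed for the example.

```python
# Constructed two-level tag library: four stage labels (level 1) and five technique
# labels (level 2), so M = 9 > 4 as the patent requires. The keys are the attack
# types that appear in alarm content. All names are assumptions for this example.
TAG_LIBRARY = {
    "port_scan":        ("reconnaissance", "scanning"),
    "directory_probe":  ("reconnaissance", "enumeration"),
    "sql_injection":    ("intrusion", "web_exploit"),
    "path_traversal":   ("intrusion", "web_exploit"),
    "credential_reuse": ("privilege_escalation", "account_takeover"),
    "bulk_download":    ("data_theft", "exfiltration"),
}


def add_attack_chain_labels(alarm: dict) -> dict:
    """Add the level-1 (stage) and level-2 (technique) attack chain labels chosen from
    the tag library by the alarm content; an attack type the library does not know
    gets no labels rather than a wrong stage."""
    stage, technique = TAG_LIBRARY.get(alarm["attack_type"], (None, None))
    return {**alarm, "stage": stage, "technique": technique}


def build_attack_routes(alarms: list) -> dict:
    """Count the attack chain labels of each attack (grouped by attack_id) and build
    its attack route information: per stage the total number of attacks, the number
    of successful attacks, the successful attack actions and the start/end time.
    Each route is sorted by stage start time, the order in which it is displayed."""
    per_attack = {}
    for alarm in map(add_attack_chain_labels, alarms):
        if alarm["stage"] is None:
            continue  # stays in the alarm stream but cannot be placed on the route
        stages = per_attack.setdefault(alarm["attack_id"], {})
        s = stages.setdefault(alarm["stage"], {
            "stage": alarm["stage"], "total": 0, "successful": 0, "actions": [],
            "start": alarm["time"], "end": alarm["time"]})
        s["total"] += 1
        if alarm["success"]:
            s["successful"] += 1
            if alarm["action"] not in s["actions"]:
                s["actions"].append(alarm["action"])
        s["start"] = min(s["start"], alarm["time"])
        s["end"] = max(s["end"], alarm["time"])
    return {aid: sorted(stages.values(), key=lambda s: s["start"])
            for aid, stages in per_attack.items()}


def format_route(route: list) -> list:
    """Render one attack route as display lines, one per stage."""
    lines = []
    for s in route:
        line = f"{s['start']} .. {s['end']}  {s['stage']}: {s['total']} attacks, {s['successful']} successful"
        if s["actions"]:
            line += " (" + ", ".join(s["actions"]) + ")"
        lines.append(line)
    return lines


# Constructed alarm records (ISO-8601 times compare correctly as strings). The two
# alarms of attack A2 are deliberately out of order to show the sort by start time.
ALARMS = [
    {"attack_id": "A1", "time": "2018-07-02T09:00", "attack_type": "port_scan", "success": False, "action": None},
    {"attack_id": "A1", "time": "2018-07-02T09:05", "attack_type": "directory_probe", "success": True, "action": "listing exposed"},
    {"attack_id": "A1", "time": "2018-07-02T09:20", "attack_type": "sql_injection", "success": False, "action": None},
    {"attack_id": "A1", "time": "2018-07-02T09:31", "attack_type": "sql_injection", "success": True, "action": "credential table read"},
    {"attack_id": "A1", "time": "2018-07-02T09:50", "attack_type": "credential_reuse", "success": True, "action": "admin login"},
    {"attack_id": "A1", "time": "2018-07-02T10:10", "attack_type": "bulk_download", "success": True, "action": "export downloaded"},
    {"attack_id": "A2", "time": "2018-07-02T11:00", "attack_type": "path_traversal", "success": False, "action": None},
    {"attack_id": "A2", "time": "2018-07-02T08:30", "attack_type": "port_scan", "success": False, "action": None},
]

if __name__ == "__main__":
    for attack_id, route in build_attack_routes(ALARMS).items():
        print(attack_id)
        for line in format_route(route):
            print("  " + line)
```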
Based on the same inventive concept, the invention also provides a network attack detection system based on artificial intelligence, including:
an acquisition module for acquiring the network data of a target host;
a first extraction module for extracting features to be detected from the network data;
an import module for importing the features to be detected into a pre-established artificial intelligence model, classifying the features to be detected with the artificial intelligence model, and determining from the classification result whether the target host is under network attack and the attack type of the network attack.
Optionally, the first extraction module includes:
a first extraction unit for extracting request data from the network data, wherein the request data is used to initiate a service request to the target host;
a second extraction unit for extracting the features to be detected from the request data.
Optionally, the network attack detection system based on artificial intelligence further includes:
a model creation module for establishing the artificial intelligence model.
Optionally, the model creation module includes:
a collection module for collecting model training data;
a second extraction module for extracting the features of known network attacks from the model training data to obtain attack signature data;
a classification module for classifying the attack signature data to obtain training samples;
a training module for performing model training according to the training samples to obtain the artificial intelligence model.
Optionally, the model training data include one or a combination of attack data published on the internet, vulnerability data published on the internet, attack data already acquired from the target host, and vulnerability data already acquired from the target host.
Optionally, the training module is a Naive Bayes algorithm module.
Optionally, the network attack detection system based on artificial intelligence further includes:
a detection module for detecting whether the network attack succeeded;
an attack action acquisition module for obtaining the attack action of the network attack when the network attack succeeded.
Optionally, the detection module includes:
a third extraction module for extracting features to be compared from the network data;
a comparison module for comparing the features to be compared one by one with one or more attack-response rules in a pre-established feature database, wherein each attack-response rule is formed from first response data, and the first response data is the response of an attacked host to a successful attack request;
a determination module for determining that the network attack succeeded when the features to be compared match an attack-response rule.
Optionally, the third extraction module includes:
a third extraction unit for extracting second response data from the network data, wherein the second response data is used by the target host to respond to the service request;
a fourth extraction unit for extracting the features to be compared from the second response data.
Optionally, the third extraction module includes:
a fifth extraction unit for extracting request data and second response data from the network data, wherein the request data is used to initiate a service request to the target host, and the second response data is used by the target host to respond to the service request;
a sixth extraction unit for extracting the features to be compared from the request data and the second response data.
Optionally, the network attack detection system based on artificial intelligence further includes:
a feature database creation module for establishing the feature database.
Optionally, the feature database creation module includes:
a database creation module for creating a database;
a fourth extraction module for extracting one or more attack-response features, each from a corresponding item of first response data;
a rule forming module for giving a deterministic description of each attack-response feature to form one or more attack-response rules;
a storage module for storing the one or more attack-response rules in the database to obtain the feature database.
Optionally, the feature database includes N sub-feature databases, N being an integer not less than 2, and the feature database creation module includes:
a database creation module for creating N databases;
a fourth extraction module for extracting two or more attack-response features, each from a corresponding item of first response data;
a rule forming module for giving a deterministic description of each attack-response feature to form two or more attack-response rules;
a storage module for storing the attack-response rules that belong to the same attack type among the two or more attack-response rules in the same database to obtain the sub-feature databases.
Optionally, the comparison module is used to compare the features to be compared one by one with the one or more attack-response rules in the sub-feature database corresponding to the attack type of the network attack.
Optionally, the rule forming module is a regular expression writing module.
Optionally, the attack action acquisition module includes:
an association creation module for establishing the association between each attack-response rule in the feature database and an attack action;
an attack action determination module for determining, according to the association between each attack-response rule in the feature database and its attack action, the attack action associated with the attack-response rule matched by the features to be compared as the attack action of the successful network attack.
Optionally, the network attack detection system based on artificial intelligence further includes:
an alarm information generation module for generating alarm information, wherein the alarm information includes the attack type of the network attack, whether the network attack succeeded, and the attack action of a successful network attack.
Optionally, the network attack detection system based on artificial intelligence further includes:
a sending module for sending the alarm information to network management personnel by one or a combination of mail, short message, dialog box and instant messaging.
Optionally, the network attack detection system based on artificial intelligence further includes:
a label adding module for adding a corresponding attack chain label to the alarm information according to its alarm content, wherein the attack chain label characterizes the attack stage in the attack chain at which the network attack is located;
a statistics module for counting the attack chain labels of the same attack to obtain, for each attack stage of the attack, the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks;
a route information generation module for generating attack route information from the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks at each attack stage of the attack, wherein the attack route information includes, for each attack stage of the attack, the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks.
Optionally, the label adding module is used to determine, according to the alarm content of the alarm information, the attack chain label corresponding to the alarm information from a pre-established tag library.
Optionally, the attack chain labels comprise two or more levels, and the label adding module is used to determine, according to the alarm content of the alarm information, the labels at each level corresponding to the alarm information from the pre-established tag library, wherein the tag library stores M attack chain labels divided into two or more levels, M being an integer greater than 4.
Optionally, the attack route information further includes the start and end time of each attack stage, and the network attack detection system based on artificial intelligence further includes:
a display module for displaying the attack route information in the order of the start time of each attack stage.
Based on the same inventive concept, the invention also provides a computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, it implements the above network attack detection method based on artificial intelligence.
Based on the same inventive concept, the invention also provides a computer device including a memory, a processor and a computer program stored in the memory and runnable on the processor; when the processor executes the program, it implements the above network attack detection method based on artificial intelligence.
Compared with the prior art, the invention has the following advantages and beneficial effects:
The network attack detection method and system based on artificial intelligence provided by the invention acquire the network data of a target host, extract features to be detected from the network data, import the features to be detected into a pre-established artificial intelligence model, automatically classify the features to be detected with the artificial intelligence model, and determine from the classification result whether the target host is under network attack and the attack type of the network attack. Because the invention detects whether the target host is under network attack by classifying the features to be detected with the artificial intelligence model, that is, it uses artificial intelligence technology to detect attacks without depending on the rules in a feature database, it achieves a randomized detection of network attack requests, largely avoids the case where an attacker bypasses detection and goes undetected, and can therefore find more network attacks.
Description of the drawings
The drawings described herein are provided for further understanding of the embodiments of the invention and constitute a part of the application; they do not limit the embodiments of the invention. In the drawings:
Fig. 1 is a flow diagram of the network attack detection method based on artificial intelligence according to an embodiment of the invention;
Fig. 2 is a flow diagram of establishing the artificial intelligence model according to an embodiment of the invention;
Fig. 3 is a flow diagram of detecting whether the network attack succeeded according to an embodiment of the invention;
Fig. 4 is a flow diagram of establishing the feature database according to one embodiment of the invention;
Fig. 5 is a flow diagram of establishing the feature database according to another embodiment of the invention;
Fig. 6 is a schematic diagram of the attack route information according to an embodiment of the invention;
Fig. 7 is a schematic diagram of the tag library according to an embodiment of the invention.
Specific embodiment
The invention provides a network attack detection method and system based on artificial intelligence, which acquire the network data of a target host, extract features to be detected from the network data, import the features to be detected into a pre-established artificial intelligence model, automatically classify the features to be detected with the artificial intelligence model, and determine from the classification result whether the target host is under network attack and the attack type of the network attack. The method and system provided by the invention use artificial intelligence technology to detect attacks without depending on the rules in a feature database, which largely avoids the case where an attacker bypasses detection and the network attack goes undetected; they can therefore find more network attacks and reduce the miss rate of network attack detection.
To make the objectives, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to embodiments and the drawings. The exemplary embodiments of the invention and their explanations serve only to explain the invention and do not limit it.
Embodiment 1
This embodiment provides a network attack detection method based on artificial intelligence. Fig. 1 is the flow diagram of the method, which includes:
Step S11: acquiring the network data of the target host;
Step S12: extracting features to be detected from the network data;
Step S13: importing the features to be detected into a pre-established artificial intelligence model, classifying the features to be detected with the artificial intelligence model, and determining from the classification result whether the target host is under network attack and the attack type of the network attack.
Specifically, the target host may be a server providing various services, a personal computer that implements a specific function, or any other network device capable of providing network services. The target host receives request data sent by a terminal device to initiate a service request to the target host, performs the corresponding data processing according to the request data to obtain second response data (that is, the second response data is the target host's response to the service request), and feeds the second response data back to the terminal device. The terminal device may be any electronic device with a display function and support for interaction, including but not limited to a smartphone, tablet computer, personal computer or desktop computer. In the specific application scenario of the invention, detecting network attacks, the attacker who initiates the network attack is usually a user who maliciously sends a large number of data requests. The terminal device used by the attacker may be an electronic device with powerful computing capability, or even a server.
The network data of the target host may be acquired by network sniffing or by network port mirroring. Network sniffing means setting the network card of the target host to promiscuous mode and capturing the network data of the target host by calling a packet capture tool. Network port mirroring means mapping the acquisition port of the target host to another port and copying the data in real time to obtain the network data of the target host. Of course, the specific implementation of acquiring the network data of the target host is not limited to these two ways, and this embodiment does not limit it.
After the network data is collected, the features to be detected are extracted from it. The network data includes the request data and the second response data; as mentioned above, the request data is used to initiate a service request to the target host and is sent to the target host by the terminal device, and the second response data is used by the target host to respond to the service request and is sent to the terminal device by the target host. The features to be detected may be obtained by extracting the features of the request data directly from the network data, or by first extracting the request data from the network data and then extracting the features to be detected from the request data; this embodiment does not limit this. The features to be detected may include one or a combination of request time, IP information, port information, protocol type, packet sending frequency, mail address, file name and target URL address. It should be noted that the features to be detected can be set flexibly according to the actual situation, and this embodiment imposes no restriction on them.
The structure of the request data differs according to the transport protocol used between the target host and the terminal device, which includes but is not limited to the Hypertext Transfer Protocol (HTTP), the File Transfer Protocol (FTP) and the Simple Mail Transfer Protocol (SMTP). Taking an HTTP network request as an example, the request data consists of three parts: the request line, made up of the method (for example POST), the uniform resource identifier (URI) and the protocol version (for example HTTP 1.1); the request headers, which inform the target host of information about the terminal device's request, including but not limited to the type of browser that generated the request, the list of content types the terminal device can recognize, and the host name of the request; and the request body. After the network data is collected, each field in the HTTP request headers is parsed to find the field contents to be detected, that is, the features to be detected are extracted.
After obtaining the feature to be detected, the feature to be detected is imported into the artificial intelligence model pre-established, is led to It crosses the artificial intelligence model to sort out the feature to be detected, obtains categorization results.The artificial intelligence model can be with It can also be deep learning disaggregated model for machine learning classification model, such as Naive Bayes Classification Model.If the classification As a result it is not belonging to the network attack of any known attack type for the feature to be detected, is also not belonging to unknown attack type Network attack, it is determined that the destination host is not affected by network attack;If the categorization results are the feature category to be detected In the network attack of certain known attack type, it is determined that network attack of the destination host by this kind of attack type;If The categorization results are the network attack that the feature to be detected belongs to certain unknown attack type, it is determined that the destination host Network attack by unknown attack type.
Network attack detecting method provided in this embodiment based on artificial intelligence, by importing the feature to be detected The artificial intelligence model pre-established is automatically sorted out the feature to be detected by the artificial intelligence model, to examine The destination host is measured whether by network attack and by the attack type of network attack.Due to the artificial intelligence mould Type is the disaggregated model using artificial intelligence technology, has the abilities such as self study, self-organizing, adaptive, so can effectively send out Existing novel or mutation network attack, unknown network attack cannot be detected by effectively making up traditional network attack detecting method Disadvantage improves overall network attack detecting ability, can reduce rate of failing to report.
Further, before the feature to be detected is imported into the pre-established artificial intelligence model, the artificial intelligence model must be established. Fig. 2 is a flow diagram of establishing the artificial intelligence model, which comprises:
Step S21: collect model training data;
Step S22: extract the features of known network attacks from the model training data to obtain attack signature data;
Step S23: classify the attack signature data to obtain training samples;
Step S24: perform model training on the training samples to obtain the artificial intelligence model.
Specifically, the model training data comprises one or more of: attack data published on the internet, vulnerability data published on the internet, attack data already collected by the destination host and vulnerability data already collected by the destination host. Attack data is data extracted from existing network attack cases; vulnerability data is data extracted from existing vulnerability cases. Both may be published on the internet, or may be analysed and distilled by the destination host from the attacks it has suffered in the past.
After the model training data is obtained, the features of known network attacks are extracted from it to obtain the attack signature data. The extracted attack signature data may include one or more of: request time, IP information, port information, protocol type, packet-sending frequency, mail address, file name and target URL address; it too can be chosen flexibly according to the actual situation, and this embodiment imposes no restriction on it. After the attack signature data is obtained, it is classified by the attack type of the network attack it belongs to, forming the training samples; attack types include but are not limited to SQL injection attacks and XSS attacks.
Performing model training on the training samples means calculating, for every attack type, the frequency with which network attacks of that type occur in the training samples and the conditional probability of each item of attack signature data given a network attack of that type; recording these calculated results yields the artificial intelligence model. In this embodiment the model training algorithm is the naive Bayes algorithm, which performs well on small-scale data, suits multi-class tasks and supports incremental training. Other machine learning classification algorithms or deep learning classification algorithms, for example a decision tree algorithm, may of course be used instead; this embodiment does not limit the choice.
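As an added illustration of the HTTP request parsing described above and of the naive Bayes training and classification described in this paragraph, the following Python example (not code from the patent or its assignee) parses a raw request into request line, headers and body, derives a small subset of the features the text lists (method, protocol version, requested file extension, plus two coarse payload markers), trains a categorical naive Bayes model from class frequencies and per-class feature-value frequencies, and classifies new requests. The training samples, host names, feature set, Laplace smoothing and the 0.7 confidence threshold below which a result is reported as "unknown" are all constructed assumptions, not values from the page.

```python
import math
from collections import Counter, defaultdict
from urllib.parse import unquote_plus, urlsplit


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into request line, header map and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def extract_features(req: dict) -> dict:
    """Map a parsed request to categorical features: method, protocol version,
    requested file extension and two coarse payload markers (assumed feature set;
    Host, User-Agent and the other fields the text lists can be added the same way)."""
    url = urlsplit(req["target"])
    name = url.path.rsplit("/", 1)[-1]
    payload = unquote_plus(url.query + " " + req["body"]).lower()
    return {
        "method": req["method"],
        "protocol": req["version"],
        "file_ext": name.rsplit(".", 1)[-1] if "." in name else "",
        "has_sql_kw": any(k in payload for k in ("select", "union", "floor(", "' or ")),
        "has_script": "<script" in payload or "onerror=" in payload,
    }


class NaiveBayes:
    """Categorical naive Bayes with Laplace smoothing: training records the class
    frequencies and per-class feature value frequencies, as the text describes."""

    def __init__(self, alpha: float = 1.0):
        self.alpha = alpha
        self.class_count = Counter()
        self.value_count = defaultdict(Counter)  # (class, feature) -> Counter(value)
        self.values = defaultdict(set)           # feature -> values seen in training

    def fit(self, samples):
        for features, label in samples:
            self.class_count[label] += 1
            for f, v in features.items():
                self.value_count[(label, f)][v] += 1
                self.values[f].add(v)
        return self

    def posteriors(self, features: dict) -> dict:
        total = sum(self.class_count.values())
        logp = {}
        for cls, n in self.class_count.items():
            lp = math.log(n / total)                  # class prior (attack type frequency)
            for f, v in features.items():
                k = len(self.values[f]) + 1           # +1 keeps mass for unseen values
                lp += math.log((self.value_count[(cls, f)][v] + self.alpha)
                               / (n + self.alpha * k))  # P(feature = v | class)
            logp[cls] = lp
        m = max(logp.values())
        z = sum(math.exp(v - m) for v in logp.values())
        return {c: math.exp(v - m) / z for c, v in logp.items()}

    def classify(self, features: dict, min_confidence: float = 0.7):
        """Return (label, confidence); a low-confidence result is reported as
        'unknown' (the threshold is an assumption, not a value from the page)."""
        post = self.posteriors(features)
        best, p = max(post.items(), key=lambda kv: kv[1])
        return (best if p >= min_confidence else "unknown"), p


def _feat(method, ext, sql, script):
    return {"method": method, "protocol": "HTTP/1.1", "file_ext": ext,
            "has_sql_kw": sql, "has_script": script}


# Constructed training set standing in for the page's classified attack signature data.
TRAINING_SAMPLES = [
    (_feat("GET", "html", False, False), "benign"),
    (_feat("POST", "php", False, False), "benign"),
    (_feat("GET", "php", False, False), "benign"),
    (_feat("GET", "php", True, False), "sqli"),
    (_feat("POST", "php", True, False), "sqli"),
    (_feat("GET", "html", True, False), "sqli"),
    (_feat("GET", "php", False, True), "xss"),
    (_feat("POST", "html", False, True), "xss"),
    (_feat("GET", "php", False, True), "xss"),
]
MODEL = NaiveBayes().fit(TRAINING_SAMPLES)


def classify_request(raw: str, model: NaiveBayes = MODEL):
    return model.classify(extract_features(parse_http_request(raw)))


# Constructed requests; the host name is a placeholder.
SQLI_REQUEST = ("GET /item.php?id=1'%20or%20'1'='1 HTTP/1.1\r\n"
                "Host: shop.example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n")
MIXED_REQUEST = ("POST /comment.html HTTP/1.1\r\nHost: shop.example.test\r\n"
                 "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                 "text=<script>1</script>&id=1 union select 1")

if __name__ == "__main__":
    print(classify_request(SQLI_REQUEST))   # sqli, confidence about 0.762
    print(classify_request(MIXED_REQUEST))  # unknown: sqli and xss tie at about 0.444
```

The second request carries markers of two attack types, so the posterior splits between them and the classifier reports it as an unknown attack type rather than guessing, which is the third outcome the text describes.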
Embodiment 2
This embodiment provides another artificial-intelligence-based network attack detection method. Compared with the method of Embodiment 1, after determining from the classification results that the destination host is under network attack and the attack type of that attack, it further comprises: detecting whether the network attack succeeded; and, if it succeeded, obtaining the attack action of the successful network attack.
In this embodiment, whether the network attack succeeded is detected by rule matching. Fig. 3 is a flow diagram of detecting whether the network attack succeeded, which comprises:
Step S31: extract the feature to be compared from the network data;
Step S32: compare the feature to be compared, one by one, against one or more attack-response rules in a pre-established feature database, where each attack-response rule is formed from first response data, the first response data being the response of an attacked host to a successful attack request;
Step S33: if the feature to be compared matches an attack-response rule, determine that the network attack succeeded.
Specifically, every successful network attack has its own distinctive signature, and this is embodied mainly in the attacked host's response to the successful attack request. The feature to be compared is therefore a feature of the second response data. It may be extracted directly from the second response data within the network data, or the second response data may first be extracted from the network data and the feature then extracted from it; this embodiment does not limit which is used.
Taking an HTTP response as an example, the second response data has three parts: the status line, consisting of the protocol version (for example, HTTP 1.1), the status code and the status code description; the response headers, including but not limited to the application name, the application version, the response body type, the response body length and the encoding used for the response body; and the response body. After the network data is collected, each field of the HTTP response header is parsed and the field contents that need to be compared are picked out, which extracts the feature to be compared.
Further, whether a network attack succeeded can also be derived in reverse from the attacker's point of view, inferring from the response content what features the attack request must have had, which improves the accuracy of identifying a successful attack. The feature to be compared may therefore also be extracted jointly from the second response data and the request data: the request data and the second response data are both extracted from the network data, and the feature to be compared is then extracted from the two together. Again taking an HTTP request and HTTP response as the example, after the network data is collected each field of the HTTP request header and of the HTTP response header is parsed and the field contents that need to be compared are picked out, extracting the feature to be compared.
After the feature to be compared has been obtained, it is compared one by one against the one or more attack-response rules in the feature database. Still using HTTP as the example: if the feature to be compared matches some attack-response rule in the feature database, the HTTP request is determined to be a malicious attack and the network attack on the destination host is determined to have succeeded; if it matches none of the attack-response rules in the feature database, the HTTP request is determined to be an ineffective network attack and can simply be ignored.
The feature database is pre-established, and the attack-response rules it stores are formed from first response data, the response of an attacked host to a successful attack request; that is, an attack-response rule is generated in advance from the response features of the attack response corresponding to an already-existing successful attack request. Fig. 4 is a flow diagram of one way of establishing the feature database provided in this embodiment, which comprises:
Step S41: create a database;
Step S42: from one or more items of first response data, extract the corresponding one or more attack-response features;
Step S43: give each attack-response feature a deterministic description, forming one or more attack-response rules;
Step S44: store the one or more attack-response rules in the database to obtain the feature database.
Specifically, creating the database means creating a blank storage space. The first response data is the response of an attacked host to a successful attack request, and can be gathered from attack data published on the internet and/or attack data already collected by the destination host. For example, if an attacker sent the attacked host a floor() error-based injection attack request and that request succeeded, the attacked host's response to the floor() error-based injection request is first response data. Network attacks of the same attack type can further be divided by the specific attack action; SQL injection attacks, for instance, include count() error-based injection, rand() error-based injection and floor() error-based injection. For the network attack of each attack action the corresponding first response data can be collected, so one or more attack-response features can be extracted from one or more items of first response data, one attack-response feature per item. Like the attack signature data, an attack-response feature may include one or more of: request time, IP information, port information, protocol type, packet-sending frequency, mail address, file name and target URL address. The attack-response feature can also be chosen flexibly according to the actual situation; this embodiment imposes no restriction on it.
After the attack-response features have been obtained, each is given a deterministic description, written according to a preset rule. In this embodiment a conventional regular expression can be used to describe each attack-response feature deterministically, and more complex logic such as arithmetic logic and matching logic can be added to the regular expression to improve the accuracy of the matching result. After the attack-response rules have been obtained, all of them are stored in the database, that is, the corresponding data is written into the blank storage space, which yields the feature database.
Further, the feature database may also comprise N sub-feature databases, each storing all the attack-response rules of one attack type, where N is an integer not less than 2. On this basis, Fig. 5 is a flow diagram of another way of establishing the feature database provided in this embodiment, which comprises:
Step S51: create N databases;
Step S52: from two or more items of first response data, extract the corresponding two or more attack-response features;
Step S53: give each attack-response feature a deterministic description, forming two or more attack-response rules;
Step S54: store the attack-response rules that belong to the same attack type, among the two or more attack-response rules, in the same database, obtaining the sub-feature databases.
Specifically, steps S51 to S53 are as described above for steps S41 to S43 and are not repeated here. After the two or more attack-response rules have been obtained, the rules belonging to the same attack type are stored in the same database according to the attack type of each rule, obtaining the sub-feature databases. In this embodiment the sub-feature databases may be a basic feature database, an SQL injection feature database, an XSS dynamic feature database and a tool fingerprint database: the basic feature database stores command features and file features, the SQL injection feature database stores features of SQL injection attacks, the XSS dynamic feature database stores features of XSS dynamic attacks, and the tool fingerprint database stores the connection fingerprints of the "big horse" and "kitchen knife" webshell tools. The sub-feature databases can be chosen flexibly according to the actual situation; this embodiment imposes no restriction on them.
For a feature database established by the process of Fig. 5, comparing the feature to be compared one by one against the attack-response rules in the pre-established feature database specifically means comparing it one by one against the attack-response rules in the sub-feature database that corresponds to the attack type of the network attack. For example, if the attack type is SQL injection, the feature to be compared is compared one by one against the attack-response rules in the SQL injection feature database; if the attack type is an XSS dynamic attack, it is compared against the attack-response rules in the XSS dynamic feature database. Dividing the feature database into several sub-feature databases reduces the number of attack-response rules that have to be compared with the feature to be compared, since only the rules in one sub-feature database need to be matched, and so improves the efficiency of the comparison.
For the network attack of each attack action there is a corresponding attack-response rule, so an association between each attack-response rule in the feature database and an attack action can be established, and from that association the attack action corresponding to the attack-response rule that matched the feature to be compared is determined to be the attack action of the successful network attack. For example, if the attack action associated with the matching attack-response rule is floor() error-based injection, then the attack action of the successful network attack is floor() error-based injection.
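The rule-matching procedure of Embodiment 2, as an added Python example that is not the patent's own code: it parses a raw HTTP response into status line, headers and body, keeps the attack-response rules in per-attack-type sub-feature databases, describes each rule deterministically as a regular expression with extra matching logic (a minimum status code, and optionally the requirement that the matched text was reflected from the request, the joint request/response check described above), compares the response only against the sub-database of the classified attack type, and returns the attack action associated with the matching rule. The three rules and the sample responses are constructed illustrations: the MySQL duplicate-entry error is the known symptom of floor()-based error injection, while the reflected-script pattern and the webshell response framing are assumptions, none of them the patent's actual feature database.

```python
import re
from dataclasses import dataclass


def parse_http_response(raw: str) -> dict:
    """Split a raw HTTP/1.x response into status line, header map and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    version, code, reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"version": version, "status": int(code), "reason": reason,
            "headers": headers, "body": body}


@dataclass(frozen=True)
class AttackResponseRule:
    """Deterministic description of one attack-response feature."""
    attack_type: str         # sub-feature database the rule belongs to
    action: str              # attack action associated with the rule
    pattern: re.Pattern      # regular expression over the response body
    min_status: int = 0      # extra matching logic: required minimum status code
    reflected: bool = False  # extra logic: matched text must also occur in the request

    def matches(self, resp: dict, request_payload: str = "") -> bool:
        if resp["status"] < self.min_status:
            return False
        m = self.pattern.search(resp["body"])
        if m is None:
            return False
        return not self.reflected or m.group(0) in request_payload


# Sub-feature databases keyed by attack type (constructed, illustrative rules).
FEATURE_DB = {
    "sqli": [
        AttackResponseRule("sqli", "floor() error-based injection",
                           re.compile(r"Duplicate entry '[^']*' for key '?group_key'?")),
    ],
    "xss": [
        AttackResponseRule("xss", "reflected script injection",
                           re.compile(r"<script>[^<]*</script>", re.I),
                           min_status=200, reflected=True),
    ],
    "tool_fingerprint": [
        # assumed response framing produced by a webshell client connection
        AttackResponseRule("tool_fingerprint", "webshell client connection",
                           re.compile(r"->\|.*?\|<-", re.S)),
    ],
}


def check_success(attack_type: str, resp: dict, request_payload: str = ""):
    """Compare the response only against the sub-database of the classified attack
    type; return the matching rule's attack action, or None if no rule matched
    (an ineffective attack in the text's terms)."""
    for rule in FEATURE_DB.get(attack_type, []):
        if rule.matches(resp, request_payload):
            return rule.action
    return None


# Constructed sample responses; no real host is involved.
SQLI_SUCCESS = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                "Warning: Duplicate entry 'x:1' for key 'group_key' in /var/www/item.php")
SQLI_FAIL = "HTTP/1.1 200 OK\r\n\r\n<html>No item found</html>"
SEARCH_PAGE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
               "<p>Results for <script>1</script></p>")
SHELL_REPLY = "HTTP/1.1 200 OK\r\n\r\n->|ok|<-"

if __name__ == "__main__":
    print(check_success("sqli", parse_http_response(SQLI_SUCCESS)))
    print(check_success("sqli", parse_http_response(SQLI_FAIL)))
    print(check_success("xss", parse_http_response(SEARCH_PAGE), "q=<script>1</script>"))
```

The `reflected` flag is where the joint request/response extraction pays off: the same search page would match the script pattern on body alone, but only counts as a successful XSS when the script text is traceable to the request that produced it.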
The artificial-intelligence-based network attack detection method of this embodiment, after determining that the destination host is under network attack and the attack type of that attack, further detects whether the network attack succeeded and obtains the attack action of the successful network attack. It can therefore identify successful network attacks effectively, which improves operations efficiency and helps find real vulnerabilities.
Embodiment 3
This embodiment provides another artificial-intelligence-based network attack detection method. Compared with the method of Embodiment 2, after detecting whether the network attack succeeded, it may further generate alarm information, which comprises the attack type of the network attack, whether the network attack succeeded and the attack action of a successful network attack. For example, when the destination host suffers an SQL injection attack that does not succeed, the alarm information may read "SQL injection attack, attack ineffective"; when the destination host suffers an SQL injection attack that succeeds and the specific attack action is a floor() error-based injection, the alarm information may read "SQL injection attack, attack succeeded, floor() error-based injection".
Further, after the alarm information is generated it may be sent to network management personnel: by e-mail to a specified mailbox, by short message to a specified mobile terminal, as a dialog box displayed directly on the destination host, or by instant messaging. Any one of these methods, or any combination of several of them, may be used to send the alarm information to network management personnel.
Generating the alarm information and sending it to network management personnel lets them grasp at a glance the network attacks the destination host has suffered.
Embodiment 4
Embodiment 3 raises one alarm per network attack: each detected network attack produces one item of alarm information. Isolated alarm information, however, cannot accurately reflect the security state of the destination host, and such a way of presenting attacks cannot give an overall picture of the attack process. This embodiment therefore provides another artificial-intelligence-based network attack detection method which, compared with that of Embodiment 3, further comprises, after the alarm information is generated:
adding to the alarm information, according to its alarm content, a corresponding attack chain label, where the attack chain label characterizes the attack stage that the network attack occupies in the attack chain;
counting the attack chain labels of all alarms of the same attack event, to obtain, for each attack stage of the attack event, the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks;
generating attack route information from the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event, where the attack route information comprises the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event.
The alarm content of the alarm information differs with the attack stage of the network attack the destination host suffers: the alarm content reveals the attack purpose that the corresponding network attack is trying to achieve, and alarm information with different content corresponds to different attack stages. The attack stage can therefore be determined from the alarm content of the alarm information corresponding to the network attack suffered by the destination host. Specifically, according to the alarm content of the alarm information, the corresponding attack chain label is determined from a pre-established tag library. The tag library holds M attack chain labels, each characterizing one attack stage in the attack chain. The attack chain is the series of cyclical processing steps, usually made up of several different attack stages, by which an attacker goes from probing the destination host to damaging it. For example, the attack chain may consist of six attack stages, reconnaissance, intrusion, command and control, lateral movement, data exfiltration and trace cleanup, in which case M is 6 and the M attack chain labels are the reconnaissance label, the intrusion label, the command-and-control label, the lateral-movement label, the data-exfiltration label and the trace-cleanup label. The attack chain need not be divided this way and can be set flexibly according to the actual situation.
As stated above, alarm information with different content corresponds to different attack stages, and each attack chain label characterizes one attack stage, so an association between alarm information of different content and the different attack chain labels can be established in advance from published attack events. The attack chain label corresponding to an item of alarm information is then determined from the pre-established tag library according to its alarm content. Taking alarm information whose attack type is a PHP code execution attack as an example: PHP code execution belongs to the command-and-control stage of the attack chain, so the attack chain label added to that alarm information is the "command and control" label. The attack chain label may be added as an attribute of the alarm information.
After the corresponding attack chain label has been added to every item of alarm information of an attack event, counting the number of identical attack chain labels gives the total number of network attacks in each attack stage of the attack event: counting the reconnaissance labels gives the total number of network attacks in the reconnaissance stage of the attack event, counting the intrusion labels gives the total in the intrusion stage, and so on. Suppose, for example, that in an attack event the destination host suffers 10 network attacks, producing 10 items of alarm information whose attack chain labels are, in order: reconnaissance, reconnaissance, intrusion, intrusion, intrusion, reconnaissance, intrusion, command and control, command and control, command and control. Counting these 10 attack chain labels shows that the destination host suffered 3 network attacks in the reconnaissance stage, 4 in the intrusion stage and 3 in the command-and-control stage.
To obtain the number of successful network attacks in each attack stage of the attack event, the alarm information corresponding to successful network attacks is filtered out first, and the number of identical attack chain labels among the filtered alarms is then counted per label, giving the number of successful network attacks in each attack stage. Combined with the content of the filtered alarm information, this also gives the attack actions of the successful network attacks in each attack stage.
Once the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks have been obtained for each attack stage of the attack event, the attack route information is generated. The attack route information may further include the start and end time of each attack stage, and after it is generated it may be displayed in order of the start time of each attack stage. The start time of an attack stage is the time of the first network attack in that stage, and its end time is the time of the last network attack in that stage. Continuing the example in which the destination host suffers 10 network attacks: if the reconnaissance stage runs from 2018-3-15 03:20 to 2018-3-19 15:12, the intrusion stage from 2018-3-17 07:38 to 2018-3-21 05:21 and the command-and-control stage from 2018-3-20 14:47 to 2018-3-20 18:21, the network attack route information generated from the statistics can be displayed as "2018-3-15 03:20~2018-3-19 15:12, reconnaissance stage: 3 times; 2018-3-17 07:38~2018-3-21 05:21, intrusion stage: 4 times; 2018-3-20 14:47~2018-3-20 18:21, command-and-control stage: 4 times". The attack route information may of course also include the IP address of the destination host, the duration of the whole attack event and similar information, as shown in Fig. 6; this embodiment does not limit it.
Further, each attack stage in the attack chain can itself be divided into several smaller attack stages, each also characterized by an attack chain label. The attack chain labels may accordingly have two or more levels, and adding the corresponding attack chain label to the alarm information according to its alarm content then comprises: determining, according to the alarm content, the label of each level corresponding to the alarm information from the pre-established tag library, where the tag library holds M attack chain labels divided into two or more levels, M being an integer greater than 4.
Fig. 7 is a schematic diagram of a tag library provided in this embodiment, in which the attack chain labels are divided into three levels. The level-1 labels are the reconnaissance, intrusion, command-and-control, lateral-movement, data-exfiltration and trace-cleanup labels. The level-2 labels under the reconnaissance label are port scan, information leakage, IP scan and subdomain collection; under the intrusion label, vulnerability detection, vulnerability exploitation, denial of service, brute force and high-risk operation; under the command-and-control label, host controlled, hacking tool upload, relay server behaviour, privilege escalation, antivirus software disabled and host information gathering; under the lateral-movement label, intranet reconnaissance, sniffing attack, intranet vulnerability detection and intranet vulnerability exploitation; under the data-exfiltration label, file download and database dumping; and under the trace-cleanup label, backdoor deletion, attack service shutdown and log removal. The level-3 labels under the high-risk operation label are database operation and successful weak-password login.
Dividing the attack chain labels into several levels describes the attack stages in the attack chain more completely, so the whole course of an attack event can be shown to network management personnel in more detail. The tag library may be created by the destination host or by another host, in which case the destination host calls the tag library on that other host directly when it needs to add an attack chain label. The corresponding attack chain label may also be added to the alarm information directly, without creating a tag library.
After the attack route information is generated, it can be sent to network management personnel by one or more of e-mail, short message, dialog box and instant messaging. By adding the corresponding attack chain label to each item of alarm information and using those labels to count the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event, the attack event is re-divided according to its attack chain, so that the whole course of the attack can be shown to network management personnel stage by stage, from a big-data-analysis perspective, without a confused attack route.
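An added Python example of the attack-chain labelling and statistics of this embodiment (not code from the patent): a two-level tag library maps alarm content to a level-2 label and its level-1 stage, the labels of one attack event's alarms are counted per stage (total attacks, successful attacks, successful attack actions) together with each stage's start and end time, and the route is rendered in order of stage start. The stage and label names, the alarm-content-to-label association, the ten constructed alarms and the placeholder host address are assumptions that follow the page's ten-attack illustration rather than its actual tag library.

```python
from dataclasses import dataclass
from datetime import datetime

# Level-1 attack chain stages (the six the text names), in chain order.
STAGES = ["reconnaissance", "intrusion", "command_control",
          "lateral_movement", "data_exfiltration", "trace_cleanup"]

# Two-level tag library: level-2 label -> level-1 stage (a subset of Fig. 7;
# the identifiers are chosen here as an assumption).
TAG_LIBRARY = {
    "port_scan": "reconnaissance", "ip_scan": "reconnaissance",
    "vulnerability_probe": "intrusion", "vulnerability_exploit": "intrusion",
    "brute_force": "intrusion", "host_controlled": "command_control",
    "hack_tool_upload": "command_control", "intranet_probe": "lateral_movement",
    "file_download": "data_exfiltration", "log_removal": "trace_cleanup",
}

# Association between alarm content and level-2 label (constructed; the text says
# it is built in advance from published attack events).
CONTENT_TO_LABEL = {
    "port scan": "port_scan",
    "SQL injection": "vulnerability_exploit",
    "password brute force": "brute_force",
    "PHP code execution": "host_controlled",   # the page's example: command-and-control stage
    "webshell upload": "hack_tool_upload",
}


@dataclass
class Alert:
    time: datetime
    attack_type: str   # alarm content: attack type of the network attack
    success: bool
    action: str = ""   # attack action of a successful attack, if any


def label_alert(alert: Alert):
    """Return (level-1 stage, level-2 label) for an alert, or None for unknown content."""
    level2 = CONTENT_TO_LABEL.get(alert.attack_type)
    if level2 is None:
        return None
    return TAG_LIBRARY[level2], level2


def build_attack_route(alerts):
    """Count, per level-1 stage, the total attacks, successful attacks and successful
    attack actions of one attack event, with the first and last attack time of each
    stage, and return the stages ordered by start time (chain order breaks ties)."""
    stages = {}
    for a in alerts:
        labels = label_alert(a)
        if labels is None:
            continue
        s = stages.setdefault(labels[0], {"stage": labels[0], "total": 0, "success": 0,
                                          "actions": [], "start": a.time, "end": a.time})
        s["total"] += 1
        s["start"], s["end"] = min(s["start"], a.time), max(s["end"], a.time)
        if a.success:
            s["success"] += 1
            if a.action and a.action not in s["actions"]:
                s["actions"].append(a.action)
    return sorted(stages.values(), key=lambda s: (s["start"], STAGES.index(s["stage"])))


def format_route(route, host_ip="203.0.113.10"):
    """Render the route, one line per stage in start order (host_ip is a placeholder)."""
    if not route:
        return f"target {host_ip}: no labelled alerts"
    fmt = "%Y-%m-%d %H:%M"
    lines = [f"target {host_ip}, attack event {route[0]['start']:{fmt}} to "
             f"{max(s['end'] for s in route):{fmt}}"]
    for s in route:
        acts = f" ({', '.join(s['actions'])})" if s["actions"] else ""
        lines.append(f"{s['start']:{fmt}} ~ {s['end']:{fmt}}, {s['stage']}: "
                     f"{s['total']} attacks, {s['success']} successful{acts}")
    return "\n".join(lines)


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Ten constructed alerts following the page's illustration (3 reconnaissance,
# 4 intrusion, 3 command-and-control), deliberately not in time order.
SAMPLE_ALERTS = [
    Alert(_t("2018-03-15 03:20"), "port scan", False),
    Alert(_t("2018-03-16 11:05"), "port scan", False),
    Alert(_t("2018-03-17 07:38"), "SQL injection", False),
    Alert(_t("2018-03-18 09:14"), "password brute force", False),
    Alert(_t("2018-03-19 02:50"), "SQL injection", True, "floor() error-based injection"),
    Alert(_t("2018-03-19 15:12"), "port scan", False),
    Alert(_t("2018-03-21 05:21"), "SQL injection", False),
    Alert(_t("2018-03-20 14:47"), "PHP code execution", True, "PHP code execution"),
    Alert(_t("2018-03-20 16:30"), "webshell upload", True, "webshell upload"),
    Alert(_t("2018-03-20 18:21"), "PHP code execution", False),
]

if __name__ == "__main__":
    print(format_route(build_attack_route(SAMPLE_ALERTS)))
```

Alerts whose content has no entry in the association table are skipped rather than guessed, and because start and end are taken as the minimum and maximum alert time per stage, overlapping stages (here intrusion continues after command and control begins) are reported correctly even when the alarms arrive out of order.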
Embodiment 5
The present embodiment provides a network attack detection system based on artificial intelligence. The system includes an acquisition module, a first extraction module and an import module.
Specifically, the acquisition module is used to acquire the network data of the destination host; the first extraction module is used to extract the feature to be detected from the network data; and the import module is used to import the feature to be detected into the pre-established artificial intelligence model, classify the feature to be detected by means of the artificial intelligence model, and determine from the classification result whether the destination host is under network attack and the attack type of the network attack.
Further, the first extraction module includes: a first extraction unit, for extracting request data from the network data, where the request data is used to initiate a request for service to the destination host; and a second extraction unit, for extracting the feature to be detected from the request data.
Further, the network attack detection system based on artificial intelligence further includes a model creation module, which is used to establish the artificial intelligence model. Specifically, the model creation module includes: a collection module, for collecting model training data; a second extraction module, for extracting the features of known network attacks from the model training data to obtain attack feature data; a classification module, for classifying the attack feature data to obtain training samples; and a training module, for carrying out model training according to the training samples to obtain the artificial intelligence model.
For the specific operating principle of the network attack detection system based on artificial intelligence, reference may be made to the description of step S11 to step S13 in embodiment 1; it is not repeated in the present embodiment.
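The following Python sketch is an added illustration of embodiment 5 (and of the training steps of claims A4 to A6); it is example code written for this page, not code from the patent or its assignee. It assumes that the "network data" are HTTP request lines, that the "feature to be detected" is the token bag of the decoded URL, and that the training data, attack type names (sqli, xss, traversal, normal) and helper names are all constructed for the example. The model is a multinomial naive Bayes classifier with Laplace smoothing, which is the algorithm named in A6/B28.

```python
import math
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed, hypothetical model training data: request lines captured from
# network data, each labelled with a known attack type ("normal" = no attack).
# They stand in for the collected attack data of the method, not for any
# dataset the patent actually used.
TRAINING_DATA = [
    ("GET /item?id=1'+OR+'1'='1", "sqli"),
    ("GET /login?user=admin'--&pass=x", "sqli"),
    ("GET /list?cat=1+UNION+SELECT+username,password+FROM+users", "sqli"),
    ("GET /news?id=1;+DROP+TABLE+users", "sqli"),
    ("GET /search?q=<script>alert(1)</script>", "xss"),
    ("GET /comment?text=<img+src=x+onerror=alert(1)>", "xss"),
    ("GET /profile?name=<svg+onload=alert(document.cookie)>", "xss"),
    ("GET /page?q=javascript:alert(1)", "xss"),
    ("GET /download?file=../../../../etc/passwd", "traversal"),
    ("GET /static?path=..%2F..%2Fetc%2Fshadow", "traversal"),
    ("GET /view?f=../../windows/win.ini", "traversal"),
    ("GET /load?name=....//....//etc/passwd", "traversal"),
    ("GET /index.html", "normal"),
    ("GET /item?id=42", "normal"),
    ("GET /search?q=blue+shoes", "normal"),
    ("GET /users/42/profile", "normal"),
    ("GET /static/css/main.css", "normal"),
    ("GET /api/orders?page=2&size=20", "normal"),
]

# A feature token is either a run of letters or a single punctuation character.
TOKEN_RE = re.compile(r"[a-z_]+|[^\sa-z0-9_]")


def extract_request_data(network_line):
    """Request data: the decoded, lower-cased URL of the request line."""
    url = network_line.split(" ", 1)[-1]
    return unquote_plus(url).lower()


def extract_features(network_line):
    """Feature to be detected: word and punctuation tokens of the URL.
    Digits are dropped so that ids and counters do not become features."""
    return TOKEN_RE.findall(extract_request_data(network_line))


class NaiveBayesAttackModel:
    """Multinomial naive Bayes with Laplace smoothing over token counts."""

    def __init__(self):
        self.class_counts = Counter()             # training samples per attack type
        self.token_counts = defaultdict(Counter)  # token frequencies per attack type
        self.vocabulary = set()

    def train(self, samples):
        for network_line, attack_type in samples:
            self.class_counts[attack_type] += 1
            for token in extract_features(network_line):
                self.token_counts[attack_type][token] += 1
                self.vocabulary.add(token)
        return self

    def log_posterior(self, attack_type, features):
        prior = self.class_counts[attack_type] / sum(self.class_counts.values())
        denominator = sum(self.token_counts[attack_type].values()) + len(self.vocabulary)
        score = math.log(prior)
        for token in features:
            # Laplace smoothing: unseen tokens get count 1 instead of zero probability
            score += math.log((self.token_counts[attack_type][token] + 1) / denominator)
        return score

    def classify(self, network_line):
        features = extract_features(network_line)
        return max(self.class_counts, key=lambda t: self.log_posterior(t, features))


MODEL = NaiveBayesAttackModel().train(TRAINING_DATA)


def detect(network_line, model=MODEL):
    """Acquire -> extract feature -> classify, as in steps S11 to S13."""
    attack_type = model.classify(network_line)
    return {"under_attack": attack_type != "normal", "attack_type": attack_type}


if __name__ == "__main__":
    for line in ("GET /item?id=7'+OR+1=1--", "GET /users/7/orders?page=3"):
        print(line, "->", detect(line))
```

With training data this small the classifier only separates the constructed classes; a deployment would collect the four kinds of training data listed in A5 and retrain as new attack data and vulnerability data are acquired from the destination host.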
Embodiment 6
The present embodiment provides another network attack detection system based on artificial intelligence. Compared with the system provided in embodiment 5, this network attack detection system based on artificial intelligence further includes: a detection module, for detecting whether the network attack succeeds; and an attack action acquisition module, for acquiring the attack action of the successful network attack when the network attack succeeds.
Specifically, the detection module includes: a third extraction module, for extracting the feature to be compared from the network data; a comparison module, for comparing the feature to be compared one by one with the one or more attack-response rules in the pre-established feature database, where each attack-response rule is formed from first response data, and the first response data is the response of an attacked host to a successful attack request; and a determination module, for determining that the network attack succeeded when the feature to be compared matches an attack-response rule.
Further, the third extraction module may include: a third extraction unit, for extracting second response data from the network data, where the second response data is the destination host's response to a request for service; and a fourth extraction unit, for extracting the feature to be compared from the second response data.
Further, the third extraction module may also include: a fifth extraction unit, for extracting request data and second response data from the network data, where the request data is used to initiate a request for service to the destination host and the second response data is the destination host's response to that request for service; and a sixth extraction unit, for extracting the feature to be compared from the request data and the second response data.
Further, the network attack detection system based on artificial intelligence further includes a feature database creation module, for establishing the feature database. Specifically, the feature database creation module may include: a database creation module, for creating a database; a fourth extraction module, for extracting one or more attack-response features, each from a corresponding one of one or more items of first response data; a rule forming module, for describing each attack-response feature deterministically to form one or more attack-response rules; and a storage module, for storing the one or more attack-response rules in the database to obtain the feature database. The feature database may include N sub-feature databases, N being an integer not less than 2. In that case, the feature database creation module may also include: a database creation module, for creating N databases; a fourth extraction module, for extracting two or more attack-response features, each from a corresponding one of two or more items of first response data; a rule forming module, for describing each attack-response feature deterministically to form two or more attack-response rules; and a storage module, for storing those of the two or more attack-response rules that belong to the same attack type in the same database to obtain the sub-feature databases.
Further, the attack action acquisition module includes: an association creation module, for establishing the association between each attack-response rule in the feature database and an attack action; and an attack action determining module, for determining, according to the association between each attack-response rule in the feature database and its attack action, the attack action associated with the attack-response rule that matches the feature to be compared as the attack action of the successful network attack.
For the specific operating principle of the network attack detection system based on artificial intelligence, reference may be made to the description of step S31 to step S33 in embodiment 2; it is not repeated in the present embodiment.
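The feature database of embodiment 6 (and of claims A8 to A16) can be sketched as follows. This is example code added for this page, not the patent's or the assignee's implementation. It assumes that attack-response features are written as regular expressions (A15), that rules of one attack type are kept in their own sub-feature database (A13/A14), that each rule is associated with an attack action (A16), and that the "feature to be compared" is the decoded request line followed by the response so that a rule may look at the response alone (A9) or at request and response together (A10). The rule patterns, sample responses and attack action names are constructed for the example.

```python
import re
from collections import namedtuple
from urllib.parse import unquote_plus

# An attack-response rule: a regular expression describing one attack-response
# feature (what the response of a successfully attacked host looks like) and
# the attack action associated with that rule.
AttackResponseRule = namedtuple("AttackResponseRule", "name pattern attack_action")

# Constructed, hypothetical rule specifications:
# (attack type, rule name, regular expression, attack action).
RULE_SPECS = [
    ("sqli", "mysql_syntax_error",
     r"you have an error in your sql syntax",
     "provoked a database error (injection point confirmed)"),
    ("sqli", "credential_rows_in_body",
     r"<td>\w+</td>\s*<td>[0-9a-f]{32}</td>",
     "dumped user credential rows"),
    ("traversal", "unix_passwd_file",
     r"^root:x:0:0:",
     "read /etc/passwd"),
    ("traversal", "windows_ini_file",
     r"^\[boot loader\]",
     "read a Windows .ini file"),
    # Refers to request AND response: the script body sent in the request line
    # (group 1) is reflected unescaped somewhere in the response.
    ("xss", "script_reflected_unescaped",
     r"<script>([^<]+)</script>[^\n]*\n[\s\S]*<script>\1</script>",
     "reflected script unescaped"),
]


def build_feature_db(rule_specs):
    """Create one sub-feature database per attack type and store each compiled
    rule in the database of its own attack type (N databases, one per type)."""
    feature_db = {}
    for attack_type, name, regex, attack_action in rule_specs:
        pattern = re.compile(regex, re.IGNORECASE | re.MULTILINE)
        feature_db.setdefault(attack_type, []).append(
            AttackResponseRule(name, pattern, attack_action))
    return feature_db


FEATURE_DB = build_feature_db(RULE_SPECS)


def extract_comparison_feature(request_line, response):
    """Feature to be compared: decoded request line, newline, second response data."""
    return unquote_plus(request_line) + "\n" + response


def detect_attack_success(feature_db, attack_type, request_line, response):
    """Compare the feature one by one with the rules of the sub-feature database
    of the classified attack type. Returns (succeeded, attack_action, rule_name)."""
    feature = extract_comparison_feature(request_line, response)
    for rule in feature_db.get(attack_type, []):
        if rule.pattern.search(feature):
            return True, rule.attack_action, rule.name
    return False, None, None


# Constructed sample responses (second response data) of the destination host.
SQLI_ERROR_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\n\n"
    "You have an error in your SQL syntax; check the manual for your server version"
)
PASSWD_RESPONSE = (
    "HTTP/1.1 200 OK\n\n"
    "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
)
REFLECTED_RESPONSE = (
    "HTTP/1.1 200 OK\n\n<html><body>Results for <script>alert(1)</script></body></html>"
)
ESCAPED_RESPONSE = (
    "HTTP/1.1 200 OK\n\n<html><body>Results for &lt;script&gt;alert(1)&lt;/script&gt;</body></html>"
)

if __name__ == "__main__":
    print(detect_attack_success(FEATURE_DB, "sqli", "GET /item?id=7'", SQLI_ERROR_RESPONSE))
    print(detect_attack_success(FEATURE_DB, "xss",
                                "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E", ESCAPED_RESPONSE))
```

Looking up only the sub-feature database of the attack type returned by the classifier is what keeps the comparison cheap and avoids cross-type false positives: the same database error page is a "success" for an injection request but is not consulted at all when the request was classified as XSS. The escaped-response case shows the other direction, a request that was classified as an attack but whose response matches no rule, which the method reports as an unsuccessful attack.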
Embodiment 7
The present embodiment provides another network attack detection system based on artificial intelligence. Compared with the system provided in embodiment 6, this network attack detection system based on artificial intelligence further includes a warning information generation module, for generating warning information, where the warning information includes the attack type of the network attack, whether the network attack succeeded and the attack action of the successful network attack. Further, the network attack detection system based on artificial intelligence further includes a sending module, for sending the warning information to network management personnel by one of, or a combination of, mail, short message, dialog box and instant messaging.
For the specific operating principle of the network attack detection system based on artificial intelligence, reference may be made to the description of each step in embodiment 3; it is not repeated in the present embodiment.
Embodiment 8
The present embodiment provides another network attack detection system based on artificial intelligence. Compared with the system provided in embodiment 8, this network attack detection system based on artificial intelligence further includes:
a label adding module, for adding a corresponding attack chain label to the warning information according to the warning content of the warning information, where the attack chain label characterizes the attack phase of the network attack within the attack chain;
a statistics module, for counting the attack chain labels of the same attack event to obtain the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack phase of the attack event;
a route information generation module, for generating attack route information from the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack phase of the attack event, where the attack route information includes the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack phase of the attack event.
Further, the attack chain labels have two or more levels, and the label adding module is used to determine, from the pre-established tag library and according to the warning content of the warning information, the label at each level corresponding to the warning information, where the tag library stores M attack chain labels, the M attack chain labels are divided into two or more levels, and M is an integer greater than 4.
Further, the attack route information further includes the start and end time of each attack phase, and the network attack detection system based on artificial intelligence further includes a display module, for displaying the attack route information in the order of the start time of each attack phase.
For the specific operating principle of the network attack detection system based on artificial intelligence, reference may be made to the description of each step in embodiment 4; it is not repeated in the present embodiment.
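The labelling, statistics and route generation of embodiment 8 (claims A19 to A22) can be illustrated with the following added Python example; it is written for this page and is not the patent's or the assignee's code. It assumes a two-level tag library in which level 1 is the attack phase and level 2 the attack type (ten labels, so M > 4), warning information represented as dictionaries with an event id, a timestamp, the attack type, a success flag and the attack action, and that the display is a text listing ordered by each phase's start time. Phase names, event ids, times and actions are all constructed.

```python
from datetime import datetime

# Constructed, hypothetical two-level tag library: level 1 is the attack phase
# in the attack chain, level 2 is an attack type belonging to that phase.
# It holds M = 3 + 7 = 10 attack chain labels (M > 4), as the method requires.
TAG_LIBRARY = {
    "reconnaissance": ["port scan", "directory enumeration"],
    "intrusion": ["sqli", "xss", "traversal"],
    "persistence": ["webshell upload", "account creation"],
}


def add_attack_chain_label(warning, tag_library=TAG_LIBRARY):
    """Determine the label at each level from the warning content: the level-2
    label is the attack type itself, the level-1 label is its parent phase."""
    attack_type = warning["attack_type"]
    for phase, attack_types in tag_library.items():
        if attack_type in attack_types:
            return dict(warning, attack_chain_label=(phase, attack_type))
    return dict(warning, attack_chain_label=("unknown", attack_type))


def build_attack_route(warnings, event_id):
    """Count the labelled warnings of one attack event per attack phase and
    generate the attack route information, ordered by phase start time."""
    phases = {}
    for w in sorted(warnings, key=lambda item: item["time"]):
        if w["event_id"] != event_id:
            continue
        phase, _ = add_attack_chain_label(w)["attack_chain_label"]
        entry = phases.setdefault(phase, {
            "phase": phase, "total": 0, "successful": 0,
            "attack_actions": [], "start": w["time"], "end": w["time"]})
        entry["total"] += 1
        entry["end"] = w["time"]  # warnings are time-sorted, so this is the latest seen
        if w["success"]:
            entry["successful"] += 1
            entry["attack_actions"].append(w["attack_action"])
    return sorted(phases.values(), key=lambda p: p["start"])


def render_attack_route(route):
    """Display form of the route information: one line per phase in start order."""
    return "\n".join(
        "{start:%H:%M:%S}-{end:%H:%M:%S} {phase}: {total} attacks, "
        "{successful} successful, actions: {a}".format(
            a=", ".join(p["attack_actions"]) or "-", **p)
        for p in route)


def _t(hhmmss):
    """Constructed timestamp on a placeholder date."""
    return datetime.strptime("2000-01-01 " + hhmmss, "%Y-%m-%d %H:%M:%S")


# Constructed warning information as the preceding embodiments would generate
# it (event ids, times and actions are made up; deliberately out of time order).
SAMPLE_WARNINGS = [
    {"event_id": "EV-1", "time": _t("09:11:30"), "attack_type": "sqli",
     "success": True, "attack_action": "provoked a database error"},
    {"event_id": "EV-1", "time": _t("09:00:05"), "attack_type": "port scan",
     "success": False, "attack_action": None},
    {"event_id": "EV-2", "time": _t("09:01:00"), "attack_type": "xss",
     "success": False, "attack_action": None},
    {"event_id": "EV-1", "time": _t("09:30:00"), "attack_type": "webshell upload",
     "success": True, "attack_action": "uploaded a web shell"},
    {"event_id": "EV-1", "time": _t("09:02:10"), "attack_type": "directory enumeration",
     "success": True, "attack_action": "disclosed a directory listing"},
    {"event_id": "EV-1", "time": _t("09:10:00"), "attack_type": "sqli",
     "success": False, "attack_action": None},
    {"event_id": "EV-1", "time": _t("09:12:45"), "attack_type": "sqli",
     "success": True, "attack_action": "dumped user credential rows"},
]

if __name__ == "__main__":
    print(render_attack_route(build_attack_route(SAMPLE_WARNINGS, "EV-1")))
```

Grouping by phase rather than listing every alarm is what turns seven alarms into the three-line route an operator can read, and the start/end times make the ordering explicit even when the alarms arrived out of order. A warning whose attack type is not in the tag library is kept under an "unknown" phase rather than dropped, so the totals still account for it.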
Embodiment 9
The present embodiment provides a computer readable storage medium on which a computer program is stored. If any of the network attack detection methods based on artificial intelligence provided in embodiments 1 to 4 of the present invention is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer readable storage medium. On this understanding, the present invention may also implement all or part of the process of any of the network attack detection methods based on artificial intelligence provided in embodiments 1 to 4 by instructing the relevant hardware through a computer program. The computer program may be stored in a computer readable storage medium and, when executed by a processor, can carry out the steps of each of the method embodiments above.
The computer program includes computer program code, which may be in source code form, object code form, an executable file, some intermediate form or the like. The computer readable medium may include any entity or device capable of carrying the computer program code, a recording medium, a USB flash disk, a removable hard disk, a magnetic disk, an optical disc, computer memory, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), an electrical carrier signal, a telecommunication signal, a software distribution medium and the like. It should be noted that the content included in the computer readable medium may be increased or decreased as appropriate according to the requirements of legislation and patent practice in the jurisdiction; for example, in certain jurisdictions, according to legislation and patent practice, a computer readable medium does not include electrical carrier signals and telecommunication signals.
The specific embodiments above describe the objectives, technical solutions and beneficial effects of the present invention in further detail. It should be understood that the foregoing is merely specific embodiments of the present invention and is not intended to limit the scope of protection of the present invention; any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
The present invention discloses A1, a network attack detection method based on artificial intelligence, including:
acquiring the network data of a destination host;
extracting a feature to be detected from the network data;
importing the feature to be detected into a pre-established artificial intelligence model, classifying the feature to be detected by means of the artificial intelligence model, and determining from the classification result whether the destination host is under network attack and the attack type of the network attack.
A2, the network attack detection method based on artificial intelligence according to A1, where extracting the feature to be detected from the network data includes:
extracting request data from the network data, where the request data is used to initiate a request for service to the destination host;
extracting the feature to be detected from the request data.
A3, the network attack detection method based on artificial intelligence according to A1, further including, before importing the feature to be detected into the pre-established artificial intelligence model:
establishing the artificial intelligence model.
A4, the network attack detection method based on artificial intelligence according to A3, where establishing the artificial intelligence model includes:
collecting model training data;
extracting the features of known network attacks from the model training data to obtain attack feature data;
classifying the attack feature data to obtain training samples;
carrying out model training according to the training samples to obtain the artificial intelligence model.
A5, the network attack detection method based on artificial intelligence according to A4, where collecting the model training data includes:
collecting one of, or a combination of, attack data published on the internet, vulnerability data published on the internet, attack data already acquired from the destination host and vulnerability data already acquired from the destination host.
A6, the network attack detection method based on artificial intelligence according to A4, where carrying out model training according to the training samples includes:
carrying out model training with a naive Bayes algorithm according to the training samples.
A7, the network attack detection method based on artificial intelligence according to any one of A1 to A6, further including, after determining from the classification result whether the destination host is under network attack and the attack type of the network attack:
detecting whether the network attack succeeds;
if the network attack succeeds, acquiring the attack action of the successful network attack.
A8, the network attack detection method based on artificial intelligence according to A7, where detecting whether the network attack succeeds includes:
extracting a feature to be compared from the network data;
comparing the feature to be compared one by one with the one or more attack-response rules in a pre-established feature database, where each attack-response rule is formed from first response data, and the first response data is the response of an attacked host to a successful attack request;
if the feature to be compared matches an attack-response rule, determining that the network attack succeeded.
A9, the network attack detection method based on artificial intelligence according to A8, where extracting the feature to be compared from the network data includes:
extracting second response data from the network data, where the second response data is the destination host's response to a request for service;
extracting the feature to be compared from the second response data.
A10, the network attack detection method based on artificial intelligence according to A8, where extracting the feature to be compared from the network data includes:
extracting request data and second response data from the network data, where the request data is used to initiate a request for service to the destination host and the second response data is the destination host's response to that request for service;
extracting the feature to be compared from the request data and the second response data.
A11, the network attack detection method based on artificial intelligence according to A8, further including, before comparing the feature to be compared one by one with the one or more attack-response rules in the pre-established feature database:
establishing the feature database.
A12, the network attack detection method based on artificial intelligence according to A11, where establishing the feature database includes:
creating a database;
extracting one or more attack-response features, each from a corresponding one of one or more items of first response data;
describing each attack-response feature deterministically to form one or more attack-response rules;
storing the one or more attack-response rules in the database to obtain the feature database.
A13, the network attack detection method based on artificial intelligence according to A11, where the feature database includes N sub-feature databases, N being an integer not less than 2, and establishing the feature database includes:
creating N databases;
extracting two or more attack-response features, each from a corresponding one of two or more items of first response data;
describing each attack-response feature deterministically to form two or more attack-response rules;
storing those of the two or more attack-response rules that belong to the same attack type in the same database to obtain the sub-feature databases.
A14, the network attack detection method based on artificial intelligence according to A13, where comparing the feature to be compared one by one with the one or more attack-response rules in the pre-established feature database includes:
comparing the feature to be compared one by one with the one or more attack-response rules in the sub-feature database corresponding to the attack type of the network attack.
A15, the network attack detection method based on artificial intelligence according to A12 or A13, where describing each attack-response feature deterministically includes:
describing each attack-response feature with a regular expression.
A16, the network attack detection method based on artificial intelligence according to A12 or A13, where acquiring the attack action of the successful network attack includes:
establishing the association between each attack-response rule in the feature database and an attack action;
determining, according to the association between each attack-response rule in the feature database and its attack action, the attack action associated with the attack-response rule that matches the feature to be compared as the attack action of the successful network attack.
A17, the network attack detection method based on artificial intelligence according to A7, further including, after detecting whether the network attack succeeds:
generating warning information, where the warning information includes the attack type of the network attack, whether the network attack succeeded and the attack action of the successful network attack.
A18, the network attack detection method based on artificial intelligence according to A17, further including, after generating the warning information:
sending the warning information to network management personnel by one of, or a combination of, mail, short message, dialog box and instant messaging.
A19, the network attack detection method based on artificial intelligence according to A17, further including, after generating the warning information:
adding a corresponding attack chain label to the warning information according to the warning content of the warning information, where the attack chain label characterizes the attack phase of the network attack within the attack chain;
counting the attack chain labels of the same attack event to obtain the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack phase of the attack event;
generating attack route information from the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack phase of the attack event, where the attack route information includes the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack phase of the attack event.
A20, the network attack detection method based on artificial intelligence according to A19, where adding the corresponding attack chain label to the warning information according to the warning content of the warning information includes:
determining, from a pre-established tag library and according to the warning content of the warning information, the attack chain label corresponding to the warning information.
A21, the network attack detection method based on artificial intelligence according to A19, where the attack chain labels have two or more levels, and adding the corresponding attack chain label to the warning information according to the warning content of the warning information includes:
determining, from the pre-established tag library and according to the warning content of the warning information, the label at each level corresponding to the warning information, where the tag library stores M attack chain labels, the M attack chain labels are divided into two or more levels, and M is an integer greater than 4.
A22, the network attack detection method based on artificial intelligence according to A19, where the attack route information further includes the start and end time of each attack phase, and the method further includes, after generating the attack route information from the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack phase of the attack event:
displaying the attack route information in the order of the start time of each attack phase.
The invention also discloses B23, a network attack detection system based on artificial intelligence, including:
an acquisition module, for acquiring the network data of a destination host;
a first extraction module, for extracting a feature to be detected from the network data;
an import module, for importing the feature to be detected into a pre-established artificial intelligence model, classifying the feature to be detected by means of the artificial intelligence model, and determining from the classification result whether the destination host is under network attack and the attack type of the network attack.
B24, the network attack detection system based on artificial intelligence according to B23, where the first extraction module includes:
a first extraction unit, for extracting request data from the network data, where the request data is used to initiate a request for service to the destination host;
a second extraction unit, for extracting the feature to be detected from the request data.
B25, the network attack detection system based on artificial intelligence according to B23, further including:
a model creation module, for establishing the artificial intelligence model.
B26, the network attack detection system based on artificial intelligence according to B25, where the model creation module includes:
a collection module, for collecting model training data;
a second extraction module, for extracting the features of known network attacks from the model training data to obtain attack feature data;
a classification module, for classifying the attack feature data to obtain training samples;
a training module, for carrying out model training according to the training samples to obtain the artificial intelligence model.
B27, the network attack detection system based on artificial intelligence according to B26, where the model training data includes one of, or a combination of, attack data published on the internet, vulnerability data published on the internet, attack data already acquired from the destination host and vulnerability data already acquired from the destination host.
B28, the network attack detection system based on artificial intelligence according to B26, where the training module is a naive Bayes algorithm module.
B29, the network attack detection system based on artificial intelligence according to any one of B23 to B28, further including:
a detection module, for detecting whether the network attack succeeds;
an attack action acquisition module, for acquiring the attack action of the successful network attack when the network attack succeeds.
B30, the network attack detection system based on artificial intelligence according to B29, where the detection module includes:
a third extraction module, for extracting a feature to be compared from the network data;
a comparison module, for comparing the feature to be compared one by one with the one or more attack-response rules in a pre-established feature database, where each attack-response rule is formed from first response data, and the first response data is the response of an attacked host to a successful attack request;
a determination module, for determining that the network attack succeeded when the feature to be compared matches an attack-response rule.
B31, the network attack detection system based on artificial intelligence according to B30, where the third extraction module includes:
a third extraction unit, for extracting second response data from the network data, where the second response data is the destination host's response to a request for service;
a fourth extraction unit, for extracting the feature to be compared from the second response data.
B32, the network attack detection system based on artificial intelligence according to B30, where the third extraction module includes:
a fifth extraction unit, for extracting request data and second response data from the network data, where the request data is used to initiate a request for service to the destination host and the second response data is the destination host's response to that request for service;
a sixth extraction unit, for extracting the feature to be compared from the request data and the second response data.
B33, the network attack detection system based on artificial intelligence according to B30, further including:
a feature database creation module, for establishing the feature database.
B34, the network attack detection system based on artificial intelligence according to B33, where the feature database creation module includes:
a database creation module, for creating a database;
a fourth extraction module, for extracting one or more attack-response features, each from a corresponding one of one or more items of first response data;
a rule forming module, for describing each attack-response feature deterministically to form one or more attack-response rules;
a storage module, for storing the one or more attack-response rules in the database to obtain the feature database.
B35, the network attack detection system based on artificial intelligence according to B33, where the feature database includes N sub-feature databases, N being an integer not less than 2, and the feature database creation module includes:
a database creation module, for creating N databases;
a fourth extraction module, for extracting two or more attack-response features, each from a corresponding one of two or more items of first response data;
a rule forming module, for describing each attack-response feature deterministically to form two or more attack-response rules;
a storage module, for storing those of the two or more attack-response rules that belong to the same attack type in the same database to obtain the sub-feature databases.
B36, the network attack detection system based on artificial intelligence according to B35, where the comparison module is used to compare the feature to be compared one by one with the one or more attack-response rules in the sub-feature database corresponding to the attack type of the network attack.
B37, the network attack detection system based on artificial intelligence according to B34 or B35, where the rule forming module is a regular expression writing module.
B38, the network attack detection system based on artificial intelligence according to B34 or B35, where the attack action acquisition module includes:
an association creation module, for establishing the association between each attack-response rule in the feature database and an attack action;
an attack action determining module, for determining, according to the association between each attack-response rule in the feature database and its attack action, the attack action associated with the attack-response rule that matches the feature to be compared as the attack action of the successful network attack.
B39, the network attack detection system based on artificial intelligence according to B29, further including:
a warning information generation module, for generating warning information, where the warning information includes the attack type of the network attack, whether the network attack succeeded and the attack action of the successful network attack.
B40, the network attack detection system based on artificial intelligence according to B39, further including:
a sending module, for sending the warning information to network management personnel by one of, or a combination of, mail, short message, dialog box and instant messaging.
B41, the network attack detection system based on artificial intelligence according to B39, further including:
a label adding module, for adding a corresponding attack chain label to the warning information according to the warning content of the warning information, where the attack chain label characterizes the attack phase of the network attack within the attack chain;
a statistics module, for counting the attack chain labels of the same attack event to obtain the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack phase of the attack event;
a route information generation module, for generating attack route information from the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack phase of the attack event, where the attack route information includes the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack phase of the attack event.
B42, the network attack detection system based on artificial intelligence according to B41, where the label adding module is used to determine, from a pre-established tag library and according to the warning content of the warning information, the attack chain label corresponding to the warning information.
B43, the network attack detection system based on artificial intelligence according to B41, where the attack chain labels have two or more levels, and the label adding module is used to determine, from the pre-established tag library and according to the warning content of the warning information, the label at each level corresponding to the warning information, where the tag library stores M attack chain labels, the M attack chain labels are divided into two or more levels, and M is an integer greater than 4.
B44, the network attack detection system based on artificial intelligence according to B41, where the attack route information further includes the start and end time of each attack phase, and the system further includes:
a display module, for displaying the attack route information in the order of the start time of each attack phase.
The invention also discloses C45, a computer readable storage medium on which a computer program is stored, the program, when executed by a processor, implementing the network attack detection method based on artificial intelligence according to any one of A1 to A22.
The invention also discloses D46, a computer device, including a memory, a processor and a computer program stored in the memory and runnable on the processor, the processor, when executing the program, implementing the network attack detection method based on artificial intelligence according to any one of A1 to A22.

Claims (10)

1. An artificial-intelligence-based network attack detection method, characterized by comprising:
collecting network data of a target host;
extracting features to be detected from the network data;
importing the features to be detected into a pre-established artificial intelligence model, classifying the features to be detected by the artificial intelligence model, and determining from the classification result whether the target host is under network attack and the attack type of the network attack.
2. The artificial-intelligence-based network attack detection method according to claim 1, characterized in that extracting features to be detected from the network data comprises:
extracting request data from the network data, wherein the request data is used to initiate a service request to the target host;
extracting the features to be detected from the request data.
3. The artificial-intelligence-based network attack detection method according to claim 1, characterized in that, before importing the features to be detected into the pre-established artificial intelligence model, the method further comprises:
establishing the artificial intelligence model.
4. The artificial-intelligence-based network attack detection method according to claim 3, characterized in that establishing the artificial intelligence model comprises:
collecting model training data;
extracting features of known network attacks from the model training data to obtain attack feature data;
classifying the attack feature data to obtain training samples;
performing model training on the training samples to obtain the artificial intelligence model.
5. The artificial-intelligence-based network attack detection method according to claim 4, characterized in that collecting model training data comprises:
collecting one or a combination of: attack data published on the internet, vulnerability data published on the internet, attack data already collected by the target host, and vulnerability data already collected by the target host.
6. The artificial-intelligence-based network attack detection method according to claim 4, characterized in that performing model training on the training samples comprises:
performing model training on the training samples using the Naive Bayes algorithm.
7. The artificial-intelligence-based network attack detection method according to any one of claims 1 to 6, characterized in that, after determining from the classification result that the target host is under network attack and the attack type of the network attack, the method further comprises:
detecting whether the network attack succeeded;
if the network attack succeeded, obtaining the attack result of the network attack.
8. An artificial-intelligence-based network attack detection system, characterized by comprising:
a collection module, for collecting network data of a target host;
a first extraction module, for extracting features to be detected from the network data;
an import module, for importing the features to be detected into a pre-established artificial intelligence model, classifying the features to be detected by the artificial intelligence model, and determining from the classification result whether the target host is under network attack and the attack type of the network attack.
9. A computer-readable storage medium storing a computer program, characterized in that the program, when executed by a processor, implements the artificial-intelligence-based network attack detection method according to any one of claims 1 to 7.
10. A computer device comprising a memory, a processor, and a computer program stored on the memory and runnable on the processor, characterized in that the processor, when executing the program, implements the artificial-intelligence-based network attack detection method according to any one of claims 1 to 7.
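The pipeline of claims 1 to 6 (collect request data, extract features to be detected, train a Naive Bayes model on labelled samples, then classify a new request as "no attack" or an attack type) as an added Python example; this is not the patent's own code, and the request lines, the "none"/"sqli"/"xss" labels and the tokenizer are constructed assumptions rather than the patent's feature design.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed training records (not from the patent): request data plus a label,
# where "none" means no network attack and any other label is the attack type.
TRAINING_DATA = [
    ("GET /index.html?page=1 HTTP/1.1", "none"),
    ("GET /search?q=shoes HTTP/1.1", "none"),
    ("POST /login HTTP/1.1 user=alice", "none"),
    ("GET /item?id=1' OR '1'='1 HTTP/1.1", "sqli"),
    ("GET /item?id=1 UNION SELECT name FROM users HTTP/1.1", "sqli"),
    ("GET /search?q=<script>alert(1)</script> HTTP/1.1", "xss"),
    ("GET /comment?text=<img src=x onerror=alert(1)> HTTP/1.1", "xss"),
]
# Words and single punctuation characters; digits are dropped so parameter
# values such as ids do not become features (an assumed feature design).
TOKEN_RE = re.compile(r"[A-Za-z_]+|[^\sA-Za-z0-9_]")

def extract_features(request):
    """Features to be detected: lowercased tokens of the request data."""
    return TOKEN_RE.findall(request.lower())

class NaiveBayesAttackModel:
    """Multinomial Naive Bayes with Laplace (add-one) smoothing."""
    def __init__(self):
        self.class_counts = Counter()             # samples per class
        self.token_counts = defaultdict(Counter)  # token counts per class
        self.vocab = set()

    def train(self, samples):
        for request, label in samples:
            self.class_counts[label] += 1
            for tok in extract_features(request):
                self.token_counts[label][tok] += 1
                self.vocab.add(tok)

    def classify(self, request):
        """Return (under_attack, attack_type) for one request line."""
        total = sum(self.class_counts.values())
        best, best_score = None, -math.inf
        for label, n in self.class_counts.items():
            score = math.log(n / total)  # log prior of the class
            denom = sum(self.token_counts[label].values()) + len(self.vocab)
            for tok in extract_features(request):
                score += math.log((self.token_counts[label][tok] + 1) / denom)
            if score > best_score:
                best, best_score = label, score
        return best != "none", best
```

Unseen tokens fall back to the smoothed count of one in every class, so a request made only of never-seen tokens is decided by the class priors and token totals, which is why a representative "none" class matters as much as the attack classes.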

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810714155.XA CN108881265B (en) 2018-06-29 2018-06-29 Network attack detection method and system based on artificial intelligence

Publications (2)

Publication Number Publication Date
CN108881265A true CN108881265A (en) 2018-11-23
CN108881265B CN108881265B (en) 2021-02-12

Family

ID=64296727

Country Status (1)

Country Link
CN (1) CN108881265B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105471882A (en) * 2015-12-08 2016-04-06 中国电子科技集团公司第三十研究所 Behavior characteristics-based network attack detection method and device
CN106453417A (en) * 2016-12-05 2017-02-22 国网浙江省电力公司电力科学研究院 Network attack target prediction method based on neighbor similarity
CN107046518A (en) * 2016-02-05 2017-08-15 阿里巴巴集团控股有限公司 Network attack detection method and device
CN107483425A (en) * 2017-08-08 2017-12-15 北京盛华安信息技术有限公司 Composite attack detection method based on attack chain
CN107483458A (en) * 2017-08-29 2017-12-15 杭州迪普科技股份有限公司 Network attack identification method and device, computer-readable storage medium
CN107577945A (en) * 2017-09-28 2018-01-12 阿里巴巴集团控股有限公司 URL attack detection methods, device and electronic equipment
CN107659583A (en) * 2017-10-27 2018-02-02 深信服科技股份有限公司 A kind of method and system attacked in detection thing

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109714329A (en) * 2018-12-24 2019-05-03 成都蜀道易信科技有限公司 Low-rate DDoS detection method based on a Bayesian network in a cloud environment
CN109714342B (en) * 2018-12-28 2021-07-20 国家电网有限公司 Protection method and device for electronic equipment
CN109714342A (en) * 2018-12-28 2019-05-03 国家电网有限公司 Protection method and device for electronic equipment
CN111385271A (en) * 2018-12-29 2020-07-07 北京奇虎科技有限公司 Network attack detection method, device and system
CN109862037A (en) * 2019-03-22 2019-06-07 泰康保险集团股份有限公司 Data equipment management method, device, medium and electronic equipment based on block chain
CN109862037B (en) * 2019-03-22 2021-08-10 泰康保险集团股份有限公司 Block chain-based data equipment management method, device, medium and electronic equipment
CN110602029A (en) * 2019-05-15 2019-12-20 上海云盾信息技术有限公司 Method and system for identifying network attack
CN110602029B (en) * 2019-05-15 2022-06-28 上海云盾信息技术有限公司 Method and system for identifying network attack
CN110213287A (en) * 2019-06-12 2019-09-06 北京理工大学 Dual-mode intrusion detection device based on an ensemble machine learning algorithm
CN110213287B (en) * 2019-06-12 2020-07-10 北京理工大学 Dual-mode intrusion detection device based on integrated machine learning algorithm
CN110636076A (en) * 2019-10-12 2019-12-31 北京安信天行科技有限公司 Host attack detection method and system
CN110636076B (en) * 2019-10-12 2021-06-11 北京安信天行科技有限公司 Host attack detection method and system
CN110839033A (en) * 2019-11-18 2020-02-25 广州安加互联科技有限公司 Network attack identification method, system and terminal
CN113194080A (en) * 2021-04-25 2021-07-30 江苏欣业大数据科技有限公司 Network security system based on cloud computing and artificial intelligence
CN113839963A (en) * 2021-11-25 2021-12-24 南昌首页科技发展有限公司 Network security vulnerability intelligent detection method based on artificial intelligence and big data
CN114338202A (en) * 2021-12-30 2022-04-12 奇安信科技集团股份有限公司 Network attack result detection method and device, computing equipment and storage medium
CN114401152A (en) * 2022-03-23 2022-04-26 北京金睛云华科技有限公司 SQL injection attack detection method based on Bayesian penalty characteristic selection
CN114844721A (en) * 2022-06-06 2022-08-02 广州小鹏汽车科技有限公司 Attack detection method and system, vehicle and computer readable storage medium
CN114844721B (en) * 2022-06-06 2023-12-29 肇庆小鹏新能源投资有限公司广州分公司 Attack detection method and system, vehicle and computer readable storage medium
CN116056087A (en) * 2023-03-31 2023-05-02 国家计算机网络与信息安全管理中心 Network attack detection method, device and equipment
CN116743508A (en) * 2023-08-15 2023-09-12 四川新立高科科技有限公司 Method, device, equipment and medium for detecting network attack chain of power system
CN116743508B (en) * 2023-08-15 2023-11-14 四川新立高科科技有限公司 Method, device, equipment and medium for detecting network attack chain of power system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220810
Address after: 300450 No. 9-3-401, No. 39, Gaoxin 6th Road, Binhai Science Park, Binhai New Area, Tianjin
Patentee after: 3600 Technology Group Co.,Ltd.
Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)
Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20230627
Address after: 1765, floor 17, floor 15, building 3, No. 10 Jiuxianqiao Road, Chaoyang District, Beijing 100015
Patentee after: Beijing Hongxiang Technical Service Co.,Ltd.
Address before: 300450 No. 9-3-401, No. 39, Gaoxin 6th Road, Binhai Science Park, Binhai New Area, Tianjin
Patentee before: 3600 Technology Group Co.,Ltd.