A kind of network attack detecting method and system based on artificial intelligence
Technical field
The present invention relates to technical field of network security, and in particular to a kind of network attack detecting method based on artificial intelligence
And system.
Background technique
Continuous universal with internet with the continuous development of computer technology, network attack form emerges one after another, network
Security issues become increasingly urgent, caused by social influence and economic loss it is increasing, Cyberthreat is detected and is proposed with defence
New demand and challenge.Exception of network traffic is the pass of one of current main network security threats and network security monitoring
Key object.It quickly and accurately finds exception flow of network, malicious code is promptly and accurately captured, is analyzed, is tracked and monitors, it can
To provide knowledge support for network safety situation index evaluation and immune decision, to improve the entirety of network security emergency organization
Responding ability.
Traditional network attack detecting method is mainly the description by the making a determination property of feature attacked known network,
It forms corresponding rule and is aggregated into a feature database, then carry out the rule in the network data and feature database of acquisition one by one
It compares.If the rule in the network data and feature database of acquisition matches, then indicating that this during comparing one by one
It is an intrusion behavior.Traditional network attack detecting method can accurately detect known network attack, but this method depends on
Rule is write, thus flexibility is poor, rate of failing to report is high.
Summary of the invention
To be solved by this invention is the problem that traditional network attack detecting method flexibility is poor, rate of failing to report is high.
The present invention is achieved through the following technical solutions:
A kind of network attack detecting method based on artificial intelligence, including:
Acquire the network data of destination host;
Feature to be detected is extracted from the network data;
The feature to be detected is imported into the artificial intelligence model pre-established, by the artificial intelligence model to described
Feature to be detected is sorted out, and determines whether the destination host is attacked by network attack and the network according to categorization results
The attack type hit.
Optionally, described to extract feature to be detected from the network data and include:
Request data is extracted from the network data, wherein the request data is used to initiate to the destination host
Request service;
The feature to be detected is extracted from the request data.
Optionally, before the artificial intelligence model for pre-establishing the feature importing to be detected, further include:
Establish the artificial intelligence model.
Optionally, described to establish the artificial intelligence model and include:
Collect model training data;
The feature that known network attack is extracted from the model training data, obtains attack signature data;
Classify to the attack signature data, obtains training sample;
Model training is carried out according to the training sample, obtains the artificial intelligence model.
Optionally, the collection model training data include:
The published attack data in internet, the published loophole data in internet, the destination host is collected to have acquired
Attack data and one of the loophole data that have acquired of the destination host or multiple combinations.
Optionally, described to include according to training sample progress model training:
According to the training sample, model training is carried out using NB Algorithm.
Optionally, determining the destination host by the network attack and the network attack according to categorization results
Attack type after, further include:
Detect whether the network attack succeeds;
If the network attack success, the attack of the network attack to succeed.
Optionally, the detection network attack whether successfully include:
Feature to be compared is extracted from the network data;
The feature to be compared and more than one attack-response rule in the feature database that pre-establishes are compared one by one
It is right, wherein the attack-response rule is formed according to the first response data, and first response data is under fire host pair
The response of successful attack request;
If the feature to be compared matches with the attack-response rule, the network attack success is determined.
Optionally, described to extract feature to be compared from the network data and include:
The second response data is extracted from the network data, wherein second response data is used for the target master
Machine response request service;
The feature to be compared is extracted from second response data.
Optionally, described to extract feature to be compared from the network data and include:
Request data and the second response data are extracted from the network data, wherein the request data is used for institute
It states destination host and initiates request service, second response data is for destination host response request service;
The feature to be compared is extracted from the request data and second response data.
Optionally, it is advised in described more than one attack-response by the feature to be compared and the feature database pre-established
Before then being compared one by one, further include:
Establish the feature database.
Optionally, described to establish the feature database and include:
Create database;
It is corresponding from more than one first response data to extract more than one attack-response feature;
Each being determined property of attack-response feature is described, more than one attack-response rule is formed;
By one above attack-response rule storage into the database, the feature database is obtained.
Optionally, the feature database includes N number of subcharacter library, and N is the integer not less than 2, described to establish the feature database
Including:
Create N number of database;
It is corresponding from more than two first response datas to extract more than two attack-response features;
Each being determined property of attack-response feature is described, more than two attack-response rules are formed;
The attack-response rule for belonging to same attack type in described two above attack-response rules is stored to identical
Database in, obtain the subcharacter library.
Optionally, more than one attack-response rule by the feature to be compared and the feature database pre-established
Compare one by one and includes:
By the feature to be compared with and the corresponding subcharacter library of attack type of the network attack in more than one attack
Rule of response is hit to be compared one by one.
Optionally, described to include to the description of each being determined property of attack-response feature:
Each being determined property of attack-response feature is described using regular expression.
Optionally, the attack of the network attack to succeed includes:
Establish the incidence relation in feature database between each attack-response rule and attack;
According to the incidence relation between attack-response rule each in feature database and attack, will with it is described to than
Attack corresponding to attack-response rule to characteristic matching, is determined as the attack of the successful network attack.
Optionally, after whether the detection network attack is successful, further include:
Generate warning information, wherein the warning information includes the attack type of the network attack, the network attack
Whether successful and successfully network attack attack.
Optionally, after the generation warning information, further include:
The warning information is sent by one of mail, short message, dialog box and instant messaging or multiple combinations
To network management personnel.
Optionally, after the generation warning information, further include:
It is that the warning information adds corresponding attack chain label according to the warning content of the warning information, wherein institute
It states attack chain label and is used to characterize network attack phase of the attack locating in attack chain;
Each attack chain label of same attack is counted, the net for being in each phase of the attack of the attack is obtained
The attack of network attack total degree, successful network attack number and successful network attack;
According in the network attack total degree of each phase of the attack of the attack, successful network attack number with
And successfully the attack of network attack generates attack route information, wherein the attack route information includes in described
The network attack total degree of each phase of the attack of attack, successful network attack number and successful network attack are attacked
Hit movement.
Optionally, the warning content according to the warning information is that the warning information adds corresponding attack chain mark
Label include:
According to the warning content of the warning information, determination is corresponding with the warning information from the tag library pre-established
Attack chain label.
Optionally, the attack chain label includes two-stage or more, and the warning content according to the warning information is institute
Stating the corresponding attack chain label of warning information addition includes:
According to the warning content of the warning information, determination is corresponding with the warning information from the tag library pre-established
Labels at different levels, wherein the label stock contains M attack chain label, the M attack chain label be divided into two-stage with
On, M is the integer greater than 4.
Optionally, the attack route information further includes the beginning and ending time of each phase of the attack, is in institute in the basis
State the network attack total degree of each phase of the attack of attack, successful network attack number and successful network attack
After attack generates attack route information, further include:
The attack route information is shown according to the sequencing of the initial time of each phase of the attack.
Based on same inventive concept, the network attack detection system based on artificial intelligence that the present invention also provides a kind of, packet
It includes:
Acquisition module, for acquiring the network data of destination host;
First extraction module, for extracting feature to be detected from the network data;
Import modul, for the feature to be detected to be imported the artificial intelligence model pre-established, by described artificial
Whether model of mind sorts out the feature to be detected, determine the destination host by network attack according to categorization results
And the attack type of the network attack.
Optionally, first extraction module includes:
First extraction unit, for extracting request data from the network data, wherein the request data be used for
The destination host initiates request service;
Second extraction unit, for extracting the feature to be detected from the request data.
Optionally, the network attack detection system based on artificial intelligence further includes:
Model creation module, for establishing the artificial intelligence model.
Optionally, the model creation module includes:
Collection module, for collecting model training data;
Second extraction module is attacked for extracting the feature of known network attack from the model training data
Characteristic;
Categorization module obtains training sample for classifying to the attack signature data;
Training module obtains the artificial intelligence model for carrying out model training according to the training sample.
Optionally, the model training data include the published attack data in internet, the published loophole in internet
One of loophole data that the attack data and the destination host that data, the destination host have acquired have acquired are more
Kind combination.
Optionally, the training module is NB Algorithm module.
Optionally, the network attack detection system based on artificial intelligence further includes:
Detection module, for detecting whether the network attack succeeds;
Attack obtains module, in network attack success, the attack of the network attack to succeed to be dynamic
Make.
Optionally, the detection module includes:
Third extraction module, for extracting feature to be compared from the network data;
Comparison module, for advising more than one attack-response in the feature to be compared and the feature database pre-established
It is then compared one by one, wherein the attack-response rule is formed according to the first response data, and first response data is used for
The under fire response that host requests successful attack;
Determination module, for determining the network when the feature to be compared and the attack-response rule match
Success attack.
Optionally, the third extraction module includes:
Third extraction unit, for extracting the second response data from the network data, wherein second number of responses
According to for destination host response request service;
4th extraction unit, for extracting the feature to be compared from second response data.
Optionally, the third extraction module includes:
5th extraction unit, for extracting request data and the second response data from the network data, wherein described
Request data is used to initiate request service to the destination host, and second response data is asked for the destination host response
Ask service;
6th extraction unit, for extracting the spy to be compared from the request data and second response data
Sign.
Optionally, the network attack detection system based on artificial intelligence further includes:
Feature database creation module, for establishing the feature database.
Optionally, the feature database creation module includes:
Database creation module, for creating database;
4th extraction module extracts more than one attack-response spy for corresponding from more than one first response data
Sign;
Rule forms module, for describing to each being determined property of attack-response feature, forms more than one attack and rings
Answer rule;
Memory module, for one above attack-response rule storage into the database, to be obtained the spy
Levy library.
Optionally, the feature database includes N number of subcharacter library, and N is the integer not less than 2, the feature database creation module
Including:
Database creation module, for creating N number of database;
4th extraction module, it is special for the more than two attack-responses of extraction corresponding from more than two first response datas
Sign;
Rule forms module, for describing to each being determined property of attack-response feature, forms more than two attacks and rings
Answer rule;
Memory module, for advising the attack-response for belonging to same attack type in described two above attack-response rules
Then storage obtains the subcharacter library into identical database.
Optionally, the comparison module be used for by the feature to be compared with and the network attack attack type it is corresponding
Subcharacter library in more than one attack-response rule compared one by one.
Optionally, it is that regular expression writes module that the rule, which forms module,.
Optionally, the attack acquisition module includes:
Incidence relation creation module, for establishing in feature database between each attack-response rule and attack
Incidence relation;
Attack determining module, for according between the attack-response rule each in feature database and attack
Attack corresponding to attack-response rule with the characteristic matching to be compared is determined as the success by incidence relation
Network attack attack.
Optionally, the network attack detection system based on artificial intelligence further includes:
Warning information generation module, for generating warning information, wherein the warning information includes the network attack
The attack of the whether successful and successful network attack of attack type, the network attack.
Optionally, the network attack detection system based on artificial intelligence further includes:
Sending module, will be described for passing through one of mail, short message, dialog box and instant messaging or multiple combinations
Warning information is sent to network management personnel.
Optionally, the network attack detection system based on artificial intelligence further includes:
Label adding module is attacked for being that warning information addition is corresponding according to the warning content of the warning information
Hit chain label, wherein the attack chain label is used to characterize network attack phase of the attack locating in attack chain;
Statistical module obtains each in the attack for counting each attack chain label of same attack
The attack of the network attack total degree of a phase of the attack, successful network attack number and successful network attack;
Route information generation module, for always secondary according to the network attack in each phase of the attack of the attack
The attack of several, successful network attack number and successful network attack generates attack route information, wherein described to attack
Hitting route information includes network attack total degree, successful network attack number in each phase of the attack of the attack
And the successfully attack of network attack.
Optionally, the label adding module is used for the warning content according to the warning information, from the mark pre-established
It signs and determines attack chain label corresponding with the warning information in library.
Optionally, the attack chain label includes two-stage or more, and the label adding module is used to be believed according to the alarm
The warning content of breath determines labels at different levels corresponding with the warning information, wherein the mark from the tag library pre-established
Label inventory contains M attack chain label, and the M attack chain label is divided into two-stage or more, and M is the integer greater than 4.
Optionally, the attack route information further includes the beginning and ending time of each phase of the attack, described to be based on artificial intelligence
Network attack detection system, further include:
Display module, the sequencing for the initial time according to each phase of the attack show the attack route letter
Breath.
Based on same inventive concept, the present invention also provides a kind of computer readable storage mediums, are stored thereon with calculating
Machine program, the program realize the above-mentioned network attack detecting method based on artificial intelligence when being executed by processor.
Based on same inventive concept, the present invention also provides a kind of computer equipments, including memory, processor and storage
On a memory and the computer program that can run on a processor, the processor realize above-mentioned be based on when executing described program
The network attack detecting method of artificial intelligence.
Compared with prior art, the present invention having the following advantages and benefits:
Network attack detecting method and system provided by the invention based on artificial intelligence, by the net for acquiring destination host
Network data extract feature to be detected from the network data, and the feature to be detected are imported the artificial intelligence pre-established
Energy model, automatically sorts out the feature to be detected by the artificial intelligence model, according to categorization results determination
Whether destination host is by network attack and by the attack type of network attack.Since the present invention is by the artificial intelligence
Energy model sorts out the feature to be detected whether to detect the destination host by network attack, is using artificial
Intellectual technology carries out the detection of attack, independent of the rule in feature database, it is thus achieved that for network attack
The randomization of request detects, and the case where attacker bypasses and can't detect is largely avoided, so as to find more
More network attacks.
Detailed description of the invention
Attached drawing described herein is used to provide to further understand the embodiment of the present invention, constitutes one of the application
Point, do not constitute the restriction to the embodiment of the present invention.In the accompanying drawings:
Fig. 1 is the flow diagram of the network attack detecting method based on artificial intelligence of the embodiment of the present invention;
Fig. 2 is the flow diagram for establishing artificial intelligence model of the embodiment of the present invention;
Fig. 3 is the whether successful flow diagram of detection network attack of the embodiment of the present invention;
Fig. 4 is the flow diagram for establishing feature database of an embodiment of the present invention;
Fig. 5 is the flow diagram for establishing feature database of another embodiment of the invention;
Fig. 6 is the schematic diagram of the attack route information of the embodiment of the present invention;
Fig. 7 is the schematic diagram of the tag library of the embodiment of the present invention.
Specific embodiment
The present invention provides a kind of network attack detecting method and system based on artificial intelligence, passes through acquisition destination host
Network data, extracts feature to be detected from the network data, and the feature importing to be detected is pre-established artificial
Model of mind automatically sorts out the feature to be detected by the artificial intelligence model, according to categorization results determination
Whether destination host is by network attack and the attack type of the network attack.It is provided by the invention based on artificial intelligence
Network attack detecting method and system carry out the detection of attack using artificial intelligence technology, independent of feature database
In rule, largely avoid the case where attacker bypasses and can't detect network attack, it is thus possible to which discovery is more
Network attack, reduce the rate of failing to report of network attack detection.
To make the objectives, technical solutions, and advantages of the present invention clearer, below with reference to embodiment and attached drawing, to this
Invention is described in further detail, and exemplary embodiment of the invention and its explanation for explaining only the invention, are not made
For limitation of the invention.
Embodiment 1
The present embodiment provides a kind of network attack detecting method based on artificial intelligence, Fig. 1 is described based on artificial intelligence
Network attack detecting method flow diagram, the network attack detecting method based on artificial intelligence includes:
Step S11 acquires the network data of destination host;
Step S12 extracts feature to be detected from the network data;
The feature to be detected is imported the artificial intelligence model pre-established, passes through the artificial intelligence mould by step S13
Whether type sorts out the feature to be detected, determine the destination host by network attack and institute according to categorization results
State the attack type of network attack.
Specifically, the destination host can be to provide the server of various services, be also possible to can be realized specific function
The personal computer of energy, can also be that other are capable of providing the network equipment of network service.The destination host can receive end
The request data for initiating to request to service to the destination host that end equipment sends over, carries out according to the request data
Corresponding data processing is to obtain the second response data, i.e., described second response data is for destination host response request clothes
Business, and second response data is fed back into the terminal device.The terminal device can be with display function and
Support the various electronic equipments of interactive function, including but not limited to smart phone, tablet computer, personal computer and desk-top meter
Calculation machine etc..In present invention detection this specific application scenarios of network attack, the attacker for initiating network attack is usually to dislike
Meaning sends the user of mass data request.The terminal device that attacker is utilized can be the electronics with powerful computing function and set
It is standby, or even can also be server.
Acquisition for the network data of the destination host can be obtained using Network Sniffing mode, can also be passed through
Network port mirror-image fashion obtains.The Network Sniffing mode refers to that by the Network card setup of the destination host be promiscuous mode,
The network data of the destination host is captured by calling network to cut job contract tool.The network port mirror-image fashion refers to institute
The acquisition port for stating destination host is mapped to another port, is copied in real time to data, to obtain the destination host
Network data.Certainly, the specific implementation for acquiring the network data of the destination host is not limited to above two mode, this
Embodiment is not construed as limiting this.
After collecting the network data, the feature to be detected is extracted from the network data.The network number
According to including the request data and second response data, as previously mentioned, the request data is used for the destination host
Request service is initiated, is the data for being sent to the destination host by terminal device;Second response data is used for the mesh
Host response request service is marked, is the data for being sent to terminal device by the destination host.The extraction of the feature to be detected,
It can be and extract the feature of the request data from the network data directly to obtain the feature to be detected, be also possible to
The request data is first extracted from the network data, then the feature to be detected, this reality are extracted from the request data
It applies example and this is not construed as limiting.The feature to be detected may include request time, IP information, port information, protocol type, give out a contract for a project
One or more combinations in frequency, mail address, file name and the address target URL.It should be noted that described to be checked
Survey feature can flexibly be set according to the actual situation, the present embodiment to this with no restriction.
According to the difference of the transport protocol used between the destination host and terminal device, for example including but be not limited to surpass
Text transfer protocol (HTTP, Hyper Text Transfer Protocol), File Transfer Protocol (FTP, File
Transfer Protocol), Simple Mail Transfer protocol (SMTP, Simple Mail Transfer Protocol), it is described
The structure of request data is not also identical.By taking the network request of HTTP type as an example, the request data includes following three parts:
Request row, by method (for example, POST), uniform resource identifier (URI, Uniform Resource Identifier) and
Three parts of protocol version (for example, HTTP 1.1) are constituted;Request header, for notifying the related terminal device of the destination host
The information of request, including but not limited to generate request the identifiable content type list of browser type, terminal device and
The host name of request;Request body.After collecting the network data, the solution of each field in HTTP request head is carried out
Analysis, finds out the field contents detected, that is, extracts the feature to be detected.
After obtaining the feature to be detected, the feature to be detected is imported into the artificial intelligence model pre-established, is led to
It crosses the artificial intelligence model to sort out the feature to be detected, obtains categorization results.The artificial intelligence model can be with
It can also be deep learning disaggregated model for machine learning classification model, such as Naive Bayes Classification Model.If the classification
As a result it is not belonging to the network attack of any known attack type for the feature to be detected, is also not belonging to unknown attack type
Network attack, it is determined that the destination host is not affected by network attack;If the categorization results are the feature category to be detected
In the network attack of certain known attack type, it is determined that network attack of the destination host by this kind of attack type;If
The categorization results are the network attack that the feature to be detected belongs to certain unknown attack type, it is determined that the destination host
Network attack by unknown attack type.
Network attack detecting method provided in this embodiment based on artificial intelligence, by importing the feature to be detected
The artificial intelligence model pre-established is automatically sorted out the feature to be detected by the artificial intelligence model, to examine
The destination host is measured whether by network attack and by the attack type of network attack.Due to the artificial intelligence mould
Type is the disaggregated model using artificial intelligence technology, has the abilities such as self study, self-organizing, adaptive, so can effectively send out
Existing novel or mutation network attack, unknown network attack cannot be detected by effectively making up traditional network attack detecting method
Disadvantage improves overall network attack detecting ability, can reduce rate of failing to report.
Further, before the feature to be detected is imported the artificial intelligence model pre-established, it is also necessary to establish institute
State artificial intelligence model.Fig. 2 is the flow diagram for establishing the artificial intelligence model, described to establish the artificial intelligence model
Including:
Step S21 collects model training data;
Step S22 extracts the feature of known network attack from the model training data, obtains attack signature data;
Step S23 classifies to the attack signature data, obtains training sample;
Step S24 carries out model training according to the training sample, obtains the artificial intelligence model.
Specifically, the model training data include the published attack data in internet, the published loophole in internet
One of loophole data that the attack data and the destination host that data, the destination host have acquired have acquired are more
Kind combination.The attack data are the data extracted from existing network attack case, and the loophole data are from existing
Loophole case in the data that extract.The attack data and the loophole data can be disclosed in internet, can also be with
It is that the destination host is analyzed and refined according to the assault being subjected in the past.
After obtaining the model training data, the feature of known network attack is extracted from the model training data,
Obtain attack signature data.Further, the attack signature data of extraction may include request time, IP information, port information, association
Discuss one or more combinations in type, frequency of giving out a contract for a project, mail address, file name and the address target URL.It needs to illustrate
That the attack signature data can flexibly be set according to the actual situation, the present embodiment to this with no restriction.It is attacked described in acquisition
It hits after characteristic, classifies according to the attack type that its belonging network is attacked to form training sample, the network is attacked
The attack type hit includes but is not limited to SQL injection attack and XSS attack.
Model training is carried out according to the training sample, that is, calculates the network attack of every kind of attack type in the trained sample
The frequency of occurrences and each attack signature data in this, which divide, estimates the conditional probability of the network attack of every kind of attack type,
And calculated result is recorded and just obtains the artificial intelligence model.In the present embodiment, the calculation of model training use is carried out
Method is NB Algorithm.NB Algorithm is fine to small-scale Data Representation, is suitble to more classification tasks, is suitble to increase
The training of amount formula.It is of course also possible to use other machines learning classification algorithm or deep learning sorting algorithm carry out model training,
For example, it is also possible to carry out model training using decision Tree algorithms, the present embodiment is not construed as limiting this.
Embodiment 2
Network attack detecting method the present embodiment provides another kind based on artificial intelligence, with embodiment 1 provide based on
The network attack detecting method of artificial intelligence is compared, and is determining the destination host by the network attack according to categorization results
And after the attack type of the network attack, further include:Detect whether the network attack succeeds;If the network attack
Success, the then attack of the network attack to succeed.
In the present embodiment, detect whether the network attack succeeds by the way of rule match.Fig. 3 is the present embodiment
The whether successful flow diagram of the detection network attack, the detection network attack whether successfully include:
Step S31 extracts feature to be compared from the network data;
Step S32, by the feature to be compared and more than one attack-response rule in the feature database that pre-establishes into
Row compares one by one, wherein the attack-response rule is formed according to the first response data, and first response data is for being attacked
Hit the response that host requests successful attack;
Step S33, if the feature to be compared matches with the attack-response rule, determine the network attack at
Function.
Specifically, every kind of successful network attack has its uniqueness, and this uniqueness mainly passes through under fire host pair
The response of successful attack request embodies.Therefore, the extraction of the feature to be compared is the spy for extracting second response data
Sign.Extracting the feature to be compared can be the feature that second response data is directly extracted from the network data,
Can be and first extract second response data from the network data, then extract from second response data it is described to
Feature is compared, the present embodiment is not construed as limiting this.
By taking the response of the network of HTTP type as an example, second response data includes following three parts:Statusline, by assisting
View version (for example, HTTP 1.1), status code and status code describe three parts and form;Head is responded, including but not limited to
Title, the version of application program, response body type, response text size and the used volume of response text of application program
Code;Web response body Web.After collecting the network data, the parsing of each field in http response head is carried out, finding out needs
The field contents to be compared extract the feature to be compared.
Further, to judge whether a network attack succeeds, can also inversely be derived from the angle of attacker, be led to
The anti-feature that pushes away query-attack and should have of response contents is crossed, identifies the whether successful accuracy of network attack to improve.Therefore, institute
The extraction for stating feature to be compared can also be extracts jointly from second response data and the request data.Specifically,
The request data and second response data can be extracted from the network data, then from the request data and described
The feature to be compared is extracted in second response data.Still it is with the network request of HTTP type and the response of the network of HTTP type
Example carries out the parsing of each field in HTTP request head and http response head after collecting the network data, searches
The field contents for needing to be compared out extract the feature to be compared.
After obtaining the feature to be compared, more than one attack in the feature to be compared and the feature database is rung
Rule is answered to be compared one by one.Still by taking the transport protocol of HTTP type as an example, if in the feature to be compared and the feature database
Some attack-response rule match, then determine HTTP request for malicious attack, the network attack that the destination host is subject to
Success;If the feature to be compared cannot match with any one attack-response rule in the feature database, determine
HTTP request is invalid network attack, can directly ignore the HTTP request.
The feature database pre-establishes, and the attack-response rule of storage is according to the first response data shape
At for first response data for the response that under fire host requests successful attack, i.e., the described attack-response rule is root
Request the response characteristic of corresponding attack-response pre-generated according to already existing successful attack.Fig. 4 be the present embodiment provides
A kind of flow diagram for establishing the feature database, it is described to establish the feature database and include:
Step S41 creates database;
Step S42, it is corresponding from more than one first response data to extract more than one attack-response feature;
Step S43 describes each being determined property of attack-response feature, forms more than one attack-response rule;
Step S44 obtains the feature database by one above attack-response rule storage into the database.
Specifically, the creation database is the memory space for creating blank.First response data is for being attacked
The response that host requests successful attack is hit, can have been adopted from the published attack data in internet and/or the destination host
It is collected in the attack data of collection.For example, attacker reports an error injection attacks to having sent floor () function by attack host
Request, and the injection attacks request that reports an error of the floor () function obtains success, it is described by attack host to the floor ()
Function report an error injection attacks request response be first response data.For the network attack of same attack type,
It can also be divided according to the difference of specific attack.It further include count () function for example, being attacked for SQL injection
Report an error injection, rand () function reports an error injection and floor () function reports an error injection etc..For the network of every kind of attack
Attack, correspondence can collect first response data, thus can correspond to extraction one from more than one first response data
A above attack-response feature, i.e., each first response data, which can correspond to, extracts an attack-response feature.It is attacked with described
It is similar to hit characteristic, the attack-response feature may include request time, IP information, port information, protocol type, give out a contract for a project
One or more combinations in frequency, mail address, file name and the address target URL.It should be noted that the attack
Response characteristic can also flexibly be set according to the actual situation, the present embodiment to this with no restriction.
After obtaining the attack-response feature, each being determined property of attack-response feature is described, the certainty
Description is described according to default rule.It in the present embodiment, can be using traditional regular expression to each attack
The description of being determined property of response characteristic, can also be added the complexity such as arithmetic logic, matching logic in the regular expression and patrol
Volume, to improve the accuracy of matching result.After obtaining the attack-response rule, by all attack-response rules storage to institute
It states in database, i.e., corresponding data is written in the memory space of the blank, just obtain the feature database.
Further, the feature database can also include N number of subcharacter library, and each subcharacter library is corresponding to store same attack
All attack-responses rule of type, wherein N is the integer not less than 2.Based on this, Fig. 5 is another kind provided in this embodiment
Establish the flow diagram of the feature database, it is described to establish the feature database and include:
Step S51 creates N number of database;
Step S52, it is corresponding from more than two first response datas to extract more than two attack-response features;
Step S53 describes each being determined property of attack-response feature, forms more than two attack-response rules;
Step S54 deposits the attack-response rule for belonging to same attack type in described two above attack-response rules
It stores up in identical database, obtains the subcharacter library.
Specifically, step S51~step S53 can refer to aforementioned to step S41~step S43 description, no longer superfluous herein
It states.After obtaining more than two attack-response rules, according to attack type belonging to each attack-response rule, it will belong to same
The attack-response rule of kind attack type is stored into identical database, obtains the subcharacter library.In the present embodiment, institute
State subcharacter library can based on feature database, SQL injection feature database, XSS behavioral characteristics library and tool fingerprint base, wherein institute
State the storage of foundation characteristic library is command characteristics and file characteristic, and the SQL injection feature database storage is that SQL injection is attacked
Feature, what XSS behavioral characteristics library stored is the feature of XSS dynamic attacks, and the tool fingerprint base storage is that big horse connects
Connect fingerprint and kitchen knife fingerprint.It should be noted that the subcharacter library can flexibly be set according to the actual situation, the present embodiment
With no restriction to this.
It is described by the feature to be compared and the feature pre-established for the feature database established using process shown in Fig. 5
More than one attack-response rule in library compare one by one and is specifically included:By the feature to be compared with and the network attack
More than one attack-response rule in the corresponding subcharacter library of the attack type hit is compared one by one.For example, if the net
The attack type of network attack is SQL injection attack, then attacks the feature to be compared and more than one in SQL injection feature database
Rule of response is hit to be compared one by one;If the attack type of the network attack is XSS dynamic attacks, by the spy to be compared
Sign is compared one by one with more than one attack-response rule in XSS behavioral characteristics library.By setting the feature database to
Multiple subcharacter libraries, it is possible to reduce the attack-response rule quantity being compared with the feature to be compared, it only need to be with certain height
Attack-response rule in feature database is matched, it is thus possible to improve the feature to be compared and the attack-response is advised
Comparison efficiency then.
For the network attack of every kind of attack, correspondence obtains an attack-response rule, thus can pass through foundation
Incidence relation in the feature database between each attack-response rule and attack, according to attack each in the feature database
Incidence relation between rule of response and attack, will be corresponding to the attack-response rule with the characteristic matching to be compared
Attack is determined as the attack of the successful network attack.For example, the attack to match with the feature to be compared
The corresponding attack of rule of response is that floor () function reports an error injection, then the attack of successful network attack is
Floor () function reports an error injection.
Network attack detecting method provided in this embodiment based on artificial intelligence is determining the destination host by institute
After the attack type for stating network attack and the network attack, also detect whether the network attack succeeds, and obtain at
The attack of the network attack of function.Therefore, the present embodiment can efficiently identify successful network attack, so as to improve
O&M efficiency finds true loophole.
Embodiment 3
Network attack detecting method the present embodiment provides another kind based on artificial intelligence, with embodiment 2 provide based on
The network attack detecting method of artificial intelligence is compared, and after detecting the network attack and whether succeeding, can also generate alarm
Information, wherein the warning information includes whether the attack type of the network attack, the network attack are successful and successfully
Network attack attack.For example, when the destination host is attacked by SQL injection but attacks unsuccessful, the announcement
Alert information can be " being attacked by SQL injection, attack is invalid ";When the destination host is attacked and attacked by SQL injection
Success, specific attack are the injections that reported an error using floor () function, and the warning information can be for " by SQL injection
Attack, success attack, floor () function report an error injection ".
Further, after generating the warning information, the warning information can also be sent to network management personnel.
For example, the warning information can be sent to specified email address by way of mail, the side of short message can also be passed through
The warning information is sent to specified mobile terminal by formula, can also be by way of dialog box directly in the destination host
It shows the warning information, the warning information can also be sent to network management personnel by way of instant messaging.When
So, the warning information can be sent to by network management personnel using any one of the above mode, it can also be using any several
The warning information is sent to network management personnel by the combination of kind mode.
By generating the warning information, and the warning information is sent to network management personnel, network pipe can be made
Reason personnel intuitively grasp the network attack situation that the destination host is subject to.
Embodiment 4
What embodiment 3 was taken is the alarm mode of the corresponding warning information of a network attack, that is, detects a net
Network attack, correspondence will generate a warning information.However, isolated warning information cannot accurately reflect the destination host
Safe condition, such attack shows and cannot hold attack process on the whole.Therefore, the present embodiment provides another kinds to be based on people
The network attack detecting method of work intelligence.Compared with the network attack detecting method based on artificial intelligence that embodiment 3 provides, this
Embodiment further includes after generating the warning information:
It is that the warning information adds corresponding attack chain label according to the warning content of the warning information, wherein institute
It states attack chain label and is used to characterize network attack phase of the attack locating in attack chain;
Each attack chain label of same attack is counted, the net for being in each phase of the attack of the attack is obtained
The attack of network attack total degree, successful network attack number and successful network attack;
According in the network attack total degree of each phase of the attack of the attack, successful network attack number with
And successfully the attack of network attack generates attack route information, wherein the attack route information includes in described
The network attack total degree of each phase of the attack of attack, successful network attack number and successful network attack are attacked
Hit movement.
According to the phase of the attack difference for the network attack that the destination host is subject to, the warning content of the warning information
Different, i.e., the warning content of the described warning information discloses the corresponding network attack of the warning information and wants the attack realized
Purpose, the warning information of different warning contents correspond to different phase of the attack.Therefore, the network attack pair being subjected to according to destination host
The warning content for the warning information answered can determine phase of the attack.Specifically, according to the warning content of the warning information, from pre-
Attack chain label corresponding with the warning information is determined in the tag library first established.The label stock contains M attack chain
Label, each corresponding characterization of attack chain label attack a phase of the attack in chain.The attack chain refers to attacker to target
Host is usually made of several different phase of the attack from a series of circulating treatment procedures for detecting destruction.For example, the attack
Chain can be leaked by reconnaissance stage, invasion stage, order control stage, horizontal infiltration stage, data the stage and trace cleaning
Stage, six phase of the attack were constituted, i.e., the value of M is 6.Correspondingly, the M attack chain label be scout label, invasion label,
Order abstract factory, horizontal infiltration label, data leak label and trace cleaning label.Certainly, the division of the attack chain
It is not limited to such mode, can specifically carry out flexible setting according to the actual situation.
As previously mentioned, the warning information of different warning contents corresponds to different phase of the attack, and each attack chain label is corresponding
A phase of the attack is characterized, thus the alarm of different warning contents can be pre-established according to published assault
Incidence relation between information and different attack chain labels.It, can be from pre-establishing according to the warning content of the warning information
Tag library in determine corresponding with warning information attack chain label.With attacking for network attack described in the warning information
Hitting type is for PHP code executes attack, to execute attack for PHP code, is in the order control stage in attack chain,
Therefore the attack chain label for being warning information addition is " order control " label.Further, the attack chain label can be with
Attribute as the warning information is added.
After adding corresponding attack chain label for all warning information of an attack, attacked by counting identical
The quantity for hitting chain label can be obtained the network attack total degree in each phase of the attack of the attack.For example, passing through
Statistics scouts the quantity of label, can obtain the network attack total degree in the attack reconnaissance stage;Pass through statistics
The quantity for invading label can obtain the network attack total degree in the attack invasion stage.With the attack thing
For destination host described in part is by 10 network attacks, correspondence produces 10 warning information, 10 warning information
Corresponding attack chain label is respectively:Scout label, scout label, invasion label, invasion label, invasion label, scout label,
Invade label, order abstract factory, order abstract factory and order abstract factory.By uniting to 10 attack chain labels
Meter, it is known that network attack 3 times by reconnaissance stage of the destination host are ordered by network attack 4 times of the invasion stage
Enable network attack 3 times of control stage.
Acquisition for the successful network attack number in each phase of the attack of the attack, can be by success
The corresponding warning information of network attack screen, then count the corresponding attack of warning information that these are screened out respectively
The quantity of identical attack chain label, can be obtained the successful network in each phase of the attack of the attack in chain label
Number of times of attack.In conjunction with the warning information content for being screened out, can be obtained in each phase of the attack of the attack
The attack of successful network attack.
Obtaining network attack total degree, the successful network attack number for being in each phase of the attack of the attack
And the attack route information successfully is generated after the attack of network attack.Further, the attack route information
It can also include that can also be attacked according to each after route information is attacked in the generation beginning and ending time of each phase of the attack
The sequencing for hitting the initial time in stage shows the attack route information.The initial time of each phase of the attack is in this
The first Network Attack Time of phase of the attack, the termination time of each phase of the attack are that the end network in the phase of the attack is attacked
Hit the time.Or by taking destination host described above is by 10 network attacks as an example, if the beginning and ending time of reconnaissance stage is 2018-
3-15 03:20~2018-3-19 15:12, the beginning and ending time for invading the stage is 2018-3-17 07:38~2018-3-21
05:21, the beginning and ending time in order control stage is 2018-3-20 14:47~2018-3-20 18:21, then according to statistical result
The network attack route information of generation can be shown as " 2018-3-15 03:20~2018-3-19 15:12, investigation stage:3
It is secondary;2018-3-17 07:38~2018-3-21 05:21, it invades the stage, 4 times;2018-3-20 14:47~2018-3-20
18:21, the order control stage, 4 times ".Certainly, it is described attack route information can also include the destination host IP address and
The information such as the duration of entire attack, as shown in fig. 6, the present embodiment is not construed as limiting this.
Further, since each phase of the attack in the attack chain can also be divided into several smaller attack ranks
Section, each smaller phase of the attack is also by attack chain tag characterization.Correspondingly, the attack chain label may include two-stage with
On, the warning content according to the warning information is that the corresponding attack chain label of warning information addition includes:According to
The warning content of the warning information determines labels at different levels corresponding with the warning information from the tag library pre-established,
Wherein, the label stock contains M attack chain label, and the M attack chain label is divided into two-stage or more, and M is greater than 4
Integer.
Fig. 7 is a kind of schematic diagram of tag library provided in this embodiment, and the attack chain label in the tag library is divided into three
A grade.Level-one label include scout label, invasion label, order abstract factory, horizontal infiltration label, data leak label with
And trace clears up label.Scouting the corresponding second level label of label includes port scan label, information leakage label, IP scanning label
And subdomain name collects label;The corresponding second level label of invasion label includes vulnerability detection label, vulnerability exploit label, refusal clothes
Business label, Brute Force label and high-risk operation label;The corresponding second level label of order abstract factory includes the controlled mark of host
Label, hack tool upload label, transit server behavior label, mention token label, close antivirus software label and host information
Obtain label;Horizontal infiltration label includes Intranet investigation label, Sniffing Attack label, Intranet vulnerability detection label and Intranet leakage
Hole utilizes label;The data corresponding second level label of label that leaks includes file download label and dragging library behavior label;Trace cleaning
The corresponding second level label of label includes that back door deletes label, closes attack service labels and removes Log Label.High-risk operation
The corresponding three-level label of label includes that database manipulation label and weak passwurd successfully log in label.
Multiple grades are set as by the way that chain label will be attacked, the phase of the attack in attack chain can be more fully described, from
And the whole process of attack is showed to network management personnel in more detail.It should be noted that the tag library can be with
It is created, can also be created by other hosts by the destination host, the destination host needs to add corresponding attack chain label
When directly call the tag library from other hosts.Further, it can also directly be added for the warning information corresponding
Chain label is attacked, without creating the tag library.
After generating the attack route information, one in mail, short message, dialog box and instant messaging can be passed through
Kind or multiple combinations mode the attack route information is sent to network management personnel.By for the warning information addition pair
The attack chain label answered, it is total according to the network attack of the attack chain label statistics in each phase of the attack of the attack
The attack of number, successful network attack number and successful network attack, can be to attack again according to thing
The attack chain of part divides, and can show attack to network management personnel with dividing phase of the attack from the angle of big data analysis
Whole process, avoid attack route chaotic.
Embodiment 5
The network attack detection system based on artificial intelligence that the present embodiment provides a kind of, the network based on artificial intelligence
Attack detection system includes acquisition module, the first extraction module and import modul.
Specifically, the acquisition module is used to acquire the network data of destination host;First extraction module be used for from
Feature to be detected is extracted in the network data;The import modul is used to the feature to be detected importing the people pre-established
Work model of mind sorts out the feature to be detected by the artificial intelligence model, according to categorization results determination
Whether destination host is by network attack and the attack type of the network attack.
Further, first extraction module includes:First extraction unit, for extracting request from the network data
Data, wherein the request data is used to initiate request service to the destination host;Second extraction unit is used for from described
The feature to be detected is extracted in request data.
Further, the network attack detection system based on artificial intelligence further includes model creation module, the model
Creation module is for establishing the artificial intelligence model.Specifically, the model creation module includes:Collection module, for receiving
Collect model training data;Second extraction module is obtained for extracting the feature of known network attack from the model training data
Obtain attack signature data;Categorization module obtains training sample for classifying to the attack signature data;Training module,
For carrying out model training according to the training sample, the artificial intelligence model is obtained.
The concrete operating principle of the network attack detection system based on artificial intelligence can refer in embodiment 1 for step
The description of rapid S11 to step S13, details are not described herein for the present embodiment.
Embodiment 6
Network attack detection system the present embodiment provides another kind based on artificial intelligence, with embodiment 5 provide based on
The network attack detection system of artificial intelligence is compared, and the network attack detection system based on artificial intelligence further includes:Detection
Module, for detecting whether the network attack succeeds;Attack obtains module, is used in network attack success,
The attack of the network attack to succeed.
Specifically, the detection module includes:Third extraction module, for extracting spy to be compared from the network data
Sign;Comparison module, for by the feature to be compared and more than one attack-response rule in the feature database that pre-establishes into
Row compares one by one, wherein the attack-response rule is formed according to the first response data, and first response data is for being attacked
Hit the response that host requests successful attack;Determination module, in the feature to be compared and the attack-response rule phase
When matching, the network attack success is determined.
Further, the third extraction module may include:Third extraction unit, for being extracted from the network data
Second response data, wherein second response data is for destination host response request service;4th extraction unit,
For extracting the feature to be compared from second response data.
Further, the third extraction module also may include:5th extraction unit, for being mentioned from the network data
Take request data and the second response data, wherein the request data is used to initiate request service to the destination host, described
Second response data is for destination host response request service;6th extraction unit is used for from the request data and institute
It states and extracts the feature to be compared in the second response data.
Further, the network attack detection system based on artificial intelligence further includes:Feature database creation module, for building
Found the feature database.Specifically, the feature database creation module may include:Database creation module, for creating database;
4th extraction module extracts more than one attack-response feature for corresponding from more than one first response data;Regular shape
More than one attack-response rule is formed for describing to each being determined property of attack-response feature at module;Store mould
Block, for one above attack-response rule storage into the database, to be obtained the feature database.The feature database
It may include N number of subcharacter library, N is the integer not less than 2.Based on this, the feature database creation module also may include:Data
Library creation module, for creating N number of database;4th extraction module is mentioned for corresponding from more than two first response datas
Take more than two attack-response features;Rule forms module, for describing to each being determined property of attack-response feature, is formed
More than two attack-response rules;Memory module, for same attack class will to be belonged in described two above attack-response rules
The attack-response rule of type is stored into identical database, obtains the subcharacter library.
Further, the attack acquisition module includes:Incidence relation creation module, it is each in feature database for establishing
Incidence relation between the attack-response rule and attack;Attack determining module, for according to every in feature database
Incidence relation between a attack-response rule and attack will be advised with the attack-response of the characteristic matching to be compared
Then corresponding attack, is determined as the attack of the successful network attack.
The concrete operating principle of the network attack detection system based on artificial intelligence can refer in embodiment 2 for step
The description of rapid S31 to step S33, details are not described herein for the present embodiment.
Embodiment 7
Network attack detection system the present embodiment provides another kind based on artificial intelligence, with embodiment 6 provide based on
The network attack detection system of artificial intelligence is compared, and the network attack detection system based on artificial intelligence further includes:Alarm
Information generating module, for generating warning information, wherein the warning information includes the attack type of the network attack, institute
State the attack of the whether successful and successful network attack of network attack.Further, the network based on artificial intelligence
Attack detection system further includes:Sending module is used to pass through one of mail, short message, dialog box and instant messaging or more
The warning information is sent to network management personnel by kind combination.
The concrete operating principle of the network attack detection system based on artificial intelligence can refer in embodiment 3 to each
The description of step, details are not described herein for the present embodiment.
Embodiment 8
Network attack detection system the present embodiment provides another kind based on artificial intelligence, with embodiment 8 provide based on
The network attack detection system of artificial intelligence is compared, and the network attack detection system based on artificial intelligence further includes:
Label adding module is attacked for being that warning information addition is corresponding according to the warning content of the warning information
Hit chain label, wherein the attack chain label is used to characterize network attack phase of the attack locating in attack chain;
Statistical module obtains each in the attack for counting each attack chain label of same attack
The attack of the network attack total degree of a phase of the attack, successful network attack number and successful network attack;
Route information generation module, for always secondary according to the network attack in each phase of the attack of the attack
The attack of several, successful network attack number and successful network attack generates attack route information, wherein described to attack
Hitting route information includes network attack total degree, successful network attack number in each phase of the attack of the attack
And the successfully attack of network attack.
Further, the attack chain label includes two-stage or more, and the label adding module is used to be believed according to the alarm
The warning content of breath determines labels at different levels corresponding with the warning information, wherein the mark from the tag library pre-established
Label inventory contains M attack chain label, and the M attack chain label is divided into two-stage or more, and M is the integer greater than 4.
Further, the attack route information further includes the beginning and ending time of each phase of the attack, described to be based on artificial intelligence
Network attack detection system further include:Display module, the sequencing for the initial time according to each phase of the attack are aobvious
Show the attack route information.
The concrete operating principle of the network attack detection system based on artificial intelligence can refer in embodiment 4 to each
The description of step, details are not described herein for the present embodiment.
Embodiment 9
The present embodiment provides a kind of computer readable storage mediums, are stored thereon with computer program, the embodiment of the present invention 1
If to embodiment 4 provide it is any based on the network attack detecting method of artificial intelligence in the form of SFU software functional unit it is real
Now and when sold or used as an independent product, it can store in a computer readable storage medium.Based in this way
Understanding, the present invention realize embodiment 1 to embodiment 4 provide any network attack detecting method based on artificial intelligence in
All or part of the process, relevant hardware can also be instructed to complete by computer program.The computer program can
It is stored in a computer readable storage medium, the computer program is when being executed by processor, it can be achieved that above-mentioned each method
The step of embodiment.
Wherein, the computer program includes computer program code, and the computer program code can be source code
Form, object identification code form, executable file or certain intermediate forms etc..The computer-readable medium may include:It can
Carry any entity or device, medium, USB flash disk, mobile hard disk, magnetic disk, CD, the computer storage of the computer program code
Device, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory),
Electric carrier signal, telecommunication signal and software distribution medium etc..It should be noted that the computer-readable medium include it is interior
Increase and decrease appropriate can be carried out according to the requirement made laws in jurisdiction with patent practice by holding, such as in certain jurisdictions of courts
Area does not include electric carrier signal and telecommunication signal according to legislation and patent practice, computer-readable medium.
Above-described specific embodiment has carried out further the purpose of the present invention, technical scheme and beneficial effects
It is described in detail, it should be understood that being not intended to limit the present invention the foregoing is merely a specific embodiment of the invention
Protection scope, all within the spirits and principles of the present invention, any modification, equivalent substitution, improvement and etc. done should all include
Within protection scope of the present invention.
The present invention discloses A1, a kind of network attack detecting method based on artificial intelligence, including:
Acquire the network data of destination host;
Feature to be detected is extracted from the network data;
The feature to be detected is imported into the artificial intelligence model pre-established, by the artificial intelligence model to described
Feature to be detected is sorted out, and determines whether the destination host is attacked by network attack and the network according to categorization results
The attack type hit.
A2, a kind of network attack detecting method based on artificial intelligence according to a1, it is described from the network data
It is middle to extract feature to be detected and include:
Request data is extracted from the network data, wherein the request data is used to initiate to the destination host
Request service;
The feature to be detected is extracted from the request data.
A3, a kind of network attack detecting method based on artificial intelligence according to a1, it is described will be described to be detected
Feature imports before the artificial intelligence model pre-established, further includes:
Establish the artificial intelligence model.
A4, a kind of network attack detecting method based on artificial intelligence according to a3, it is described to establish the artificial intelligence
Can model include:
Collect model training data;
The feature that known network attack is extracted from the model training data, obtains attack signature data;
Classify to the attack signature data, obtains training sample;
Model training is carried out according to the training sample, obtains the artificial intelligence model.
A5, a kind of network attack detecting method based on artificial intelligence according to a4, the collection model training number
According to including:
The published attack data in internet, the published loophole data in internet, the destination host is collected to have acquired
Attack data and one of the loophole data that have acquired of the destination host or multiple combinations.
A6, a kind of network attack detecting method based on artificial intelligence according to a4, it is described according to the trained sample
This progress model training includes:
According to the training sample, model training is carried out using NB Algorithm.
A7, according to a kind of described in any item network attack detecting methods based on artificial intelligence of A1 to A6, according to returning
Class result determines that the destination host by after the attack type of the network attack and the network attack, further includes:
Detect whether the network attack succeeds;
If the network attack success, the attack of the network attack to succeed.
A8, a kind of network attack detecting method based on artificial intelligence according to A7, the detection network are attacked
It hits and whether successfully includes:
Feature to be compared is extracted from the network data;
The feature to be compared and more than one attack-response rule in the feature database that pre-establishes are compared one by one
It is right, wherein the attack-response rule is formed according to the first response data, and first response data is under fire host pair
The response of successful attack request;
If the feature to be compared matches with the attack-response rule, the network attack success is determined.
A9, a kind of network attack detecting method based on artificial intelligence according to A8, it is described from the network data
It is middle to extract feature to be compared and include:
The second response data is extracted from the network data, wherein second response data is used for the target master
Machine response request service;
The feature to be compared is extracted from second response data.
A10, a kind of network attack detecting method based on artificial intelligence according to A8, from the network number described in A
Include according to middle extraction feature to be compared:
Request data and the second response data are extracted from the network data, wherein the request data is used for institute
It states destination host and initiates request service, second response data is for destination host response request service;
The feature to be compared is extracted from the request data and second response data.
A11, a kind of network attack detecting method based on artificial intelligence according to A8, it is described will be described to be compared
Before more than one attack-response rule in feature and the feature database pre-established is compared one by one, further include:
Establish the feature database.
A12, a kind of network attack detecting method based on artificial intelligence according to A11, it is described to establish the feature
Library includes:
Create database;
It is corresponding from more than one first response data to extract more than one attack-response feature;
Each being determined property of attack-response feature is described, more than one attack-response rule is formed;
By one above attack-response rule storage into the database, the feature database is obtained.
A13, a kind of network attack detecting method based on artificial intelligence according to A11, the feature database includes N number of
Subcharacter library, N are integer not less than 2, described to establish the feature database and include:
Create N number of database;
It is corresponding from more than two first response datas to extract more than two attack-response features;
Each being determined property of attack-response feature is described, more than two attack-response rules are formed;
The attack-response rule for belonging to same attack type in described two above attack-response rules is stored to identical
Database in, obtain the subcharacter library.
A14, a kind of network attack detecting method based on artificial intelligence according to A13, it is described will be described to be compared
More than one attack-response rule in feature and the feature database pre-established compared one by one including:
By the feature to be compared with and the corresponding subcharacter library of attack type of the network attack in more than one attack
Rule of response is hit to be compared one by one.
A15, a kind of network attack detecting method based on artificial intelligence according to A12 or A13, it is described to be attacked to each
Hitting the description of being determined property of response characteristic includes:
Each being determined property of attack-response feature is described using regular expression.
A16, a kind of network attack detecting method based on artificial intelligence according to A12 or A13, it is described to succeed
The attack of network attack include:
Establish the incidence relation in feature database between each attack-response rule and attack;
According to the incidence relation between attack-response rule each in feature database and attack, will with it is described to than
Attack corresponding to attack-response rule to characteristic matching, is determined as the attack of the successful network attack.
A17, a kind of network attack detecting method based on artificial intelligence according to A7, in the detection network
After whether attack is successful, further include:
Generate warning information, wherein the warning information includes the attack type of the network attack, the network attack
Whether successful and successfully network attack attack.
A18, a kind of network attack detecting method based on artificial intelligence according to A17 are alerted in the generation and are believed
After breath, further include:
The warning information is sent by one of mail, short message, dialog box and instant messaging or multiple combinations
To network management personnel.
A19, a kind of network attack detecting method based on artificial intelligence according to A17 are alerted in the generation and are believed
After breath, further include:
It is that the warning information adds corresponding attack chain label according to the warning content of the warning information, wherein institute
It states attack chain label and is used to characterize network attack phase of the attack locating in attack chain;
Each attack chain label of same attack is counted, the net for being in each phase of the attack of the attack is obtained
The attack of network attack total degree, successful network attack number and successful network attack;
According in the network attack total degree of each phase of the attack of the attack, successful network attack number with
And successfully the attack of network attack generates attack route information, wherein the attack route information includes in described
The network attack total degree of each phase of the attack of attack, successful network attack number and successful network attack are attacked
Hit movement.
A20, a kind of network attack detecting method based on artificial intelligence according to A19, it is described according to the alarm
The warning content of information is that the corresponding attack chain label of warning information addition includes:
According to the warning content of the warning information, determination is corresponding with the warning information from the tag library pre-established
Attack chain label.
A21, a kind of network attack detecting method based on artificial intelligence according to A19, the attack chain label packet
Two-stage or more is included, the warning content according to the warning information is that the warning information adds corresponding attack chain label packet
It includes:
According to the warning content of the warning information, determination is corresponding with the warning information from the tag library pre-established
Labels at different levels, wherein the label stock contains M attack chain label, the M attack chain label be divided into two-stage with
On, M is the integer greater than 4.
A22, a kind of network attack detecting method based on artificial intelligence according to A19, the attack route information
Further include the beginning and ending time of each phase of the attack, is in the network attack of each phase of the attack of the attack in the basis
After the attack of total degree, successful network attack number and successful network attack generates attack route information, also
Including:
The attack route information is shown according to the sequencing of the initial time of each phase of the attack.
The invention also discloses B23, a kind of network attack detection system based on artificial intelligence, including:
Acquisition module, for acquiring the network data of destination host;
First extraction module, for extracting feature to be detected from the network data;
Import modul, for the feature to be detected to be imported the artificial intelligence model pre-established, by described artificial
Whether model of mind sorts out the feature to be detected, determine the destination host by network attack according to categorization results
And the attack type of the network attack.
B24, a kind of network attack detection system based on artificial intelligence according to B23, the first extraction module described in B
Including:
First extraction unit, for extracting request data from the network data, wherein the request data be used for
The destination host initiates request service;
Second extraction unit, for extracting the feature to be detected from the request data.
B25, a kind of network attack detection system based on artificial intelligence according to B23 further include:
Model creation module, for establishing the artificial intelligence model.
B26, a kind of network attack detection system based on artificial intelligence according to B25, the model creation module
Including:
Collection module, for collecting model training data;
Second extraction module is attacked for extracting the feature of known network attack from the model training data
Characteristic;
Categorization module obtains training sample for classifying to the attack signature data;
Training module obtains the artificial intelligence model for carrying out model training according to the training sample.
B27, a kind of network attack detection system based on artificial intelligence according to B26, the model training data
The attack number acquired including the published attack data in internet, the published loophole data in internet, the destination host
Accordingly and one of the loophole data that have acquired of the destination host or multiple combinations.
B28, a kind of network attack detection system based on artificial intelligence according to B26, the training module are Piao
Plain bayesian algorithm module.
B29, according to a kind of described in any item network attack detection systems based on artificial intelligence of B23 to B28, also wrap
It includes:
Detection module, for detecting whether the network attack succeeds;
Attack obtains module, in network attack success, the attack of the network attack to succeed to be dynamic
Make.
B30, a kind of network attack detection system based on artificial intelligence according to B29, the detection module include:
Third extraction module, for extracting feature to be compared from the network data;
Comparison module, for advising more than one attack-response in the feature to be compared and the feature database pre-established
It is then compared one by one, wherein the attack-response rule is formed according to the first response data, and first response data is used for
The under fire response that host requests successful attack;
Determination module, for determining the network when the feature to be compared and the attack-response rule match
Success attack.
B31, a kind of network attack detection system based on artificial intelligence according to B30, the third extraction module
Including:
Third extraction unit, for extracting the second response data from the network data, wherein second number of responses
According to for destination host response request service;
4th extraction unit, for extracting the feature to be compared from second response data.
B32, a kind of network attack detection system based on artificial intelligence according to B30, the third extraction module
Including:
5th extraction unit, for extracting request data and the second response data from the network data, wherein described
Request data is used to initiate request service to the destination host, and second response data is asked for the destination host response
Ask service;
6th extraction unit, for extracting the spy to be compared from the request data and second response data
Sign.
B33, a kind of network attack detection system based on artificial intelligence according to B30 further include:
Feature database creation module, for establishing the feature database.
B34, a kind of network attack detection system based on artificial intelligence according to B33, the feature database create mould
Block includes:
Database creation module, for creating database;
4th extraction module extracts more than one attack-response spy for corresponding from more than one first response data
Sign;
Rule forms module, for describing to each being determined property of attack-response feature, forms more than one attack and rings
Answer rule;
Memory module, for one above attack-response rule storage into the database, to be obtained the spy
Levy library.
B35, a kind of network attack detection system based on artificial intelligence according to B33, the feature database includes N number of
Subcharacter library, N are the integer not less than 2, and the feature database creation module includes:
Database creation module, for creating N number of database;
4th extraction module, it is special for the more than two attack-responses of extraction corresponding from more than two first response datas
Sign;
Rule forms module, for describing to each being determined property of attack-response feature, forms more than two attacks and rings
Answer rule;
Memory module, for advising the attack-response for belonging to same attack type in described two above attack-response rules
Then storage obtains the subcharacter library into identical database.
B36, a kind of network attack detection system based on artificial intelligence according to B35, the comparison module are used for
By the feature to be compared with and the corresponding subcharacter library of attack type of the network attack in more than one attack-response advise
Then compared one by one.
B37, a kind of network attack detection system based on artificial intelligence according to B34 or B35, the rule are formed
Module is that regular expression writes module.
B38, a kind of network attack detection system based on artificial intelligence according to B34 or B35, the attack
Obtaining module includes:
Incidence relation creation module, for establishing in feature database between each attack-response rule and attack
Incidence relation;
Attack determining module, for according between the attack-response rule each in feature database and attack
Attack corresponding to attack-response rule with the characteristic matching to be compared is determined as the success by incidence relation
Network attack attack.
B39, a kind of network attack detection system based on artificial intelligence according to B29 further include:
Warning information generation module, for generating warning information, wherein the warning information includes the network attack
The attack of the whether successful and successful network attack of attack type, the network attack.
B40, a kind of network attack detection system based on artificial intelligence according to B39 further include:
Sending module, will be described for passing through one of mail, short message, dialog box and instant messaging or multiple combinations
Warning information is sent to network management personnel.
B41, a kind of network attack detection system based on artificial intelligence according to B39 further include:
Label adding module is attacked for being that warning information addition is corresponding according to the warning content of the warning information
Hit chain label, wherein the attack chain label is used to characterize network attack phase of the attack locating in attack chain;
Statistical module obtains each in the attack for counting each attack chain label of same attack
The attack of the network attack total degree of a phase of the attack, successful network attack number and successful network attack;
Route information generation module, for always secondary according to the network attack in each phase of the attack of the attack
The attack of several, successful network attack number and successful network attack generates attack route information, wherein described to attack
Hitting route information includes network attack total degree, successful network attack number in each phase of the attack of the attack
And the successfully attack of network attack.
B42, a kind of network attack detection system based on artificial intelligence according to B41, the label adding module
For the warning content according to the warning information, attack corresponding with the warning information is determined from the tag library pre-established
Hit chain label.
B43, a kind of network attack detection system based on artificial intelligence according to B41, the attack chain label packet
Two-stage or more is included, the label adding module is used for the warning content according to the warning information, from the tag library pre-established
Middle determination labels at different levels corresponding with the warning information, wherein the label stock contains M attack chain label, and the M is a
Attack chain label is divided into two-stage or more, and M is the integer greater than 4.
B44, a kind of network attack detection system based on artificial intelligence according to B41, the attack route information
Further include the beginning and ending time of each phase of the attack, further includes:
Display module, the sequencing for the initial time according to each phase of the attack show the attack route letter
Breath.
The invention also discloses C45, a kind of computer readable storage medium, are stored thereon with computer program, the program
A kind of A1 to A22 described in any item network attack detecting methods based on artificial intelligence are realized when being executed by processor.
The invention also discloses D46, a kind of computer equipment, including memory, processor and storage are on a memory simultaneously
The computer program that can be run on a processor, the processor realize that A1 to A22 is described in any item when executing described program
A kind of network attack detecting method based on artificial intelligence.