CN109347827A - Method, apparatus, equipment and the storage medium of attack prediction - Google Patents
Method, apparatus, equipment and storage medium for attack prediction
- Publication number: CN109347827A
- Application number: CN201811229471.4A
- Authority: CN (China)
- Prior art keywords: log, attack, processed, prediction, characteristic
- Legal status: Granted (Google's note: the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/1425—Traffic logging, e.g. anomaly detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The embodiments of the present invention provide a method, apparatus, equipment and storage medium for attack prediction. The method performs feature extraction and recognition on the logs to be processed according to a log parsing model, to obtain the feature data of the logs to be processed and the corresponding device information; determines security event data according to the feature data of the logs to be processed and the corresponding device information; and predicts, according to the security event data and an attack prediction model, whether a network attack will occur. This improves the efficiency of log parsing and recognition, allows an imminent network attack to be predicted before it occurs, and provides a basis for effectively preventing the attack, so that the security of network devices is effectively ensured.
Description
Technical field
The present invention relates to the technical field of network security, and in particular to a method, apparatus, equipment and storage medium for attack prediction.
Background technique
Network security means that the hardware and software of a network system, and the data in that system, are protected from being damaged, altered or disclosed for accidental or malicious reasons, so that the system runs continuously, reliably and normally and network services are not interrupted.
At present, whether a network device is under network attack can be identified by parsing the logs generated by the device. Because logs are unstructured data with no uniform format, and because network devices are of many kinds and different devices have no unified log parsing format, the prior art identifies whether an attack has occurred by matching regular expressions set up for each log format.
However, because the attack recognition method of the prior art must select a regular expression before each recognition and only then perform the recognition, its recognition efficiency is low; it also cannot predict attacks, and therefore cannot effectively ensure the security of network devices.
Summary of the invention
The embodiments of the present invention provide a method, apparatus, equipment and storage medium for attack prediction, to solve the problems of the prior art that the attack recognition method must select a regular expression before each recognition and only then perform the recognition, which makes recognition efficiency low, that attacks cannot be predicted, and that the security of network devices cannot be effectively ensured.
One aspect of the embodiments of the present invention provides a method for attack prediction, comprising:
performing feature extraction and recognition on logs to be processed according to a log parsing model, to obtain the feature data of the logs to be processed and the corresponding device information;
determining security event data according to the feature data of the logs to be processed and the corresponding device information;
predicting, according to the security event data and an attack prediction model, whether a network attack will occur.
Another aspect of the embodiments of the present invention provides an apparatus for attack prediction, comprising:
a log parsing module, configured to perform feature extraction and recognition on logs to be processed according to a log parsing model, to obtain the feature data of the logs to be processed and the corresponding device information;
an aggregation and filling module, configured to determine security event data according to the feature data of the logs to be processed and the corresponding device information;
a prediction processing module, configured to predict, according to the security event data and an attack prediction model, whether a network attack will occur.
Another aspect of the embodiments of the present invention provides an attack prediction device, comprising:
a memory, a processor, and a computer program stored in the memory and runnable on the processor,
wherein the processor implements the attack prediction method described above when running the computer program.
Another aspect of the embodiments of the present invention provides a computer-readable storage medium storing a computer program,
wherein the computer program implements the attack prediction method described above when executed by a processor.
The method, apparatus, equipment and storage medium for attack prediction provided by the embodiments of the present invention obtain logs to be processed; perform feature extraction and recognition on the logs to be processed according to a log parsing model, to obtain the feature data of the logs to be processed and the corresponding device information; determine security event data according to the feature data of the logs to be processed and the corresponding device information; and predict, according to the security event data and an attack prediction model, whether a network attack will occur. This improves the efficiency of log parsing and recognition, allows an imminent network attack to be predicted before it occurs, and provides a basis for effectively preventing the attack, so that the security of network devices is effectively ensured.
Detailed description of the invention
Fig. 1 is a flowchart of the attack prediction method provided by Embodiment one of the present invention;
Fig. 2 is a flowchart of the attack prediction method provided by Embodiment two of the present invention;
Fig. 3 is a structural schematic diagram of the attack prediction apparatus provided by Embodiment three of the present invention;
Fig. 4 is a structural schematic diagram of the attack prediction apparatus provided by Embodiment four of the present invention;
Fig. 5 is a structural schematic diagram of the attack prediction device provided by Embodiment five of the present invention.
The specific embodiments of the present invention shown in the above drawings will be described in more detail hereinafter. These drawings and the textual description are not intended to limit the scope of the inventive concept in any way, but to illustrate the concept of the invention to those skilled in the art by reference to specific embodiments.
Specific embodiment
Embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. Although certain embodiments of the invention are shown in the drawings, it should be understood that the invention can be realized in various forms and should not be construed as being limited to the embodiments set forth herein; on the contrary, these embodiments are provided so that the invention will be understood more thoroughly and completely. It should be understood that the drawings and embodiments of the invention are for illustration only and are not intended to limit the scope of protection of the invention.
The terms "first", "second", "third", "fourth" and the like (if present) in the embodiments of the present invention are used to distinguish similar objects and not to describe a particular order or sequence. It should be understood that data so used can be interchanged where appropriate, so that the embodiments of the invention described herein can be implemented in sequences other than those shown or described herein. In addition, the terms "comprising" and "having" and any variations thereof are intended to cover a non-exclusive inclusion; for example, a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or are inherent to that process, method, product or device. In the description of the following embodiments, "plurality" means two or more unless otherwise expressly limited.
The following specific embodiments can be combined with each other, and the same or similar concepts or processes may not be repeated in some embodiments. The embodiments of the present invention are described below with reference to the drawings.
Embodiment one
Fig. 1 is a flowchart of the attack prediction method provided by Embodiment one of the present invention. This embodiment addresses the problems of the prior art that the attack recognition method must select a regular expression before each recognition and only then perform the recognition, which makes recognition efficiency low, that attacks cannot be predicted, and that the security of network devices cannot be effectively ensured, and provides a method for attack prediction.
As shown in Fig. 1, the specific steps of the method are as follows:
Step S101: perform feature extraction and recognition on the logs to be processed according to a log parsing model, to obtain the feature data of the logs to be processed and the corresponding device information.
In this embodiment, when the security of a network device needs to be checked, the logs of the network device can be obtained as the logs to be processed.
In this embodiment, a network device is a physical device connected to a network and having a log recording function. Network devices include computer equipment (such as PCs or servers), hubs, switches, bridges, routers, gateways, network interface cards (NICs), wireless access points (WAPs), printers and so on; the kinds of network device are many and growing daily, and this embodiment does not specifically limit the type of network device.
Optionally, a plurality of logs of the network device within a preset time period can be obtained as the logs to be processed. The preset time period can be set by technical staff according to actual needs and is not specifically limited in this embodiment.
The device information corresponding to a log to be processed can be information that distinguishes different network devices. For example, the device information corresponding to a log may include the brand, device type and device identification information of the corresponding device.
In this embodiment, the log parsing model can be obtained by training with a first training sample set based on a machine learning method. After training, the accuracy of the trained model can be tested with a first test sample set, and if the accuracy of the trained model meets a preset condition, the final log parsing model is obtained.
The first training sample set includes a plurality of training samples, each corresponding to one historical log and including that historical log and its label data. The label data of a log includes the feature data of the log and the device information it belongs to.
The feature data of a log to be processed can be the types of feature words contained in the log, the number of times they occur, their frequency, and so on. In this embodiment the feature data of the logs to be processed can be set by technical staff according to actual needs and is not specifically limited here.
For example, for the following historical log content:
[ip=192.168.174.145code=44243622type=0dev=130008:[hillstone fw
Syslog parser] prefix=Format message:<190>Jun 20 16:23:362206401140002123
(root)44243622Traffic@FLOW:SESSION:10.235.251.35:26763->10.235.117.97:902
(UDP),interface aggregate2,vr trust-vr,policy 22,user-@-,host-,session start
the label data corresponding to this log includes the feature data of the log and the corresponding device information. The feature data of the log may include feature words such as "ip", "type", "Format" and "message", together with the number of times each of these feature words occurs in the log. The device information corresponding to the log may include the brand, device type and device identification information of the corresponding device. For example, if the corresponding device is an intrusion detection system (IDS) device of a certain brand (such as "green alliance"), the corresponding device information can be "green alliance IDS device".
The first training sample set and the first test sample set can be obtained by organizing a preset first knowledge base according to a preset first machine learning algorithm. The first knowledge base is an accumulation of the network device logs of various manufacturers and includes a massive number of historical logs.
By inputting the logs to be processed into the log parsing model, the model can rapidly perform feature extraction and recognition on them and obtain their feature data and corresponding device information, so that the parsing of the logs to be processed is completed quickly.
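The label data described for step S101 can be illustrated with a small rule-based parser run over the sample log above. This is an added example, not code from the patent: the patent trains a machine learning model for this step, and the brand-keyword table, the assumed `dev=` identification field and the extra feature words here simply stand in for what that model would learn. The unknown-device flag corresponds to the recognition-failure case described in Embodiment two.

```python
import re
from collections import Counter

# Constructed sample: the historical log quoted in the description above, with
# the line breaks of the page joined back together.
SAMPLE_LOG = (
    "[ip=192.168.174.145code=44243622type=0dev=130008:[hillstone fw "
    "Syslog parser] prefix=Format message:<190>Jun 20 16:23:362206401140002123"
    "(root)44243622Traffic@FLOW:SESSION:10.235.251.35:26763->10.235.117.97:902"
    "(UDP),interface aggregate2,vr trust-vr,policy 22,user-@-,host-,session start"
)

# Feature vocabulary whose occurrence counts form the feature data. The patent
# names "ip", "type", "Format" and "message" as examples; the rest are assumed.
FEATURE_WORDS = ("ip", "code", "type", "dev", "prefix", "Format", "message")

# Hypothetical brand-keyword table standing in for the device recognition that
# the trained log parsing model performs. The brand -> device type pairs are constructed.
DEVICE_SIGNATURES = {
    "hillstone": {"brand": "hillstone", "device_type": "firewall"},
    "green alliance": {"brand": "green alliance", "device_type": "IDS"},
}


def extract_features(log: str) -> dict:
    """Feature data: each feature word present in the log and its occurrence count.

    A feature word counts only when it is not glued to other letters, so 'ip'
    inside a word such as 'zip' is not counted; digits and '=' next to it are
    fine, because this log format runs keys and values together."""
    counts = Counter()
    for word in FEATURE_WORDS:
        pattern = r"(?<![A-Za-z])" + re.escape(word) + r"(?![A-Za-z])"
        counts[word] = len(re.findall(pattern, log))
    return {word: n for word, n in counts.items() if n > 0}


def recognize_device(log: str):
    """Device information: brand, device type and device identification, or
    None when no known signature matches (a recognition failure)."""
    lowered = log.lower()
    for keyword, info in DEVICE_SIGNATURES.items():
        if keyword in lowered:
            dev_id = re.search(r"dev=(\d+)", log)  # assumed identification field
            return {**info, "device_id": dev_id.group(1) if dev_id else None}
    return None


def parse_log(log: str) -> dict:
    """Stand-in for the log parsing model: returns the label data of one log.
    On recognition failure the record is flagged so that it can be labelled
    manually and later added to the first training sample set."""
    device = recognize_device(log)
    return {
        "features": extract_features(log),
        "device": device,
        "unknown_device": device is None,
    }
```

Running `parse_log(SAMPLE_LOG)` yields one occurrence of each feature word and the device information `{"brand": "hillstone", "device_type": "firewall", "device_id": "130008"}`; a log from a vendor absent from the table comes back with `unknown_device` set.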
Step S102: determine security event data according to the feature data of the logs to be processed and the corresponding device information.
After the logs to be processed have been parsed to obtain their feature data and corresponding device information, aggregation processing and filling processing are performed on them, and each log to be processed that remains after processing is taken as one item of security event data.
The aggregation condition of the aggregation processing includes the generation time of the logs and/or an aggregation count.
Aggregating the logs to be processed can mean merging, according to the aggregation condition, duplicate logs to be processed that have the same feature data and corresponding device information into one log. This specifically includes the following feasible embodiments:
In one feasible embodiment, the aggregation condition is the generation time of the logs: among the logs to be processed whose generation time falls within a preset time range, duplicate logs with the same feature data and corresponding device information are merged into one item of data. The preset time range can be set by technical staff according to actual needs and is not specifically limited in this embodiment; for example, the preset time range can be the most recent 5 minutes.
In another feasible embodiment, the aggregation condition is an aggregation count: among the logs to be processed, up to the aggregation count of duplicate logs with the same feature data and corresponding device information are merged into one item of data. The aggregation count can be set by technical staff according to actual needs and is not specifically limited in this embodiment; for example, the aggregation count can be 1000.
In another feasible embodiment, the aggregation condition is both the generation time of the logs and the aggregation count: among the logs to be processed whose generation time falls within the preset time range, up to the aggregation count of duplicate logs with the same feature data and corresponding device information are merged into one item of data. The preset time range and the aggregation count can be set by technical staff according to actual needs and are not specifically limited in this embodiment.
Filling processing of the logs to be processed can be the filling of basic information of the logs. According to the types of feature data that a log to be processed should include, if one or more types of feature data are missing from a certain log to be processed, the missing feature data are filled according to the other feature data of that log, so that the feature data of the log are completed.
The other feature data of a log to be processed can include the geographical location information corresponding to the log, and so on. Optionally, if a certain type of feature data is missing from a log to be processed, filling data can be obtained, according to the type of the missing feature data, by calling the third-party interface program corresponding to the missing feature data, and the obtained filling data are added to the log as feature data of that type.
For example, if the recognized feature data of a certain log includes an IP address but the region information of the log was not recognized, the third-party interface program corresponding to region information can be called to look up which region the IP address of the log belongs to, so as to obtain the region information corresponding to the log and fill it into the feature data of the log, completing the feature data of the log. As another example, if the feature data missing from a certain log is the position coordinates of a location, the latitude and longitude of the location can be obtained by calling a third-party interface program, so as to obtain the position coordinates of the location; the position coordinates are then added to the feature data of the log, and thereby to the security event data corresponding to the log.
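The three aggregation conditions of step S102 (time window, aggregation count, both) and the filling step can be shown in one pass over constructed parsed logs. This is an added example and not the patent's code; the event layout, the device names, the requirement that every event carry a region, and the local IP-to-region table (which stands in for the third-party interface program) are all assumptions. The aggregator generalizes the text slightly by treating the time window and the count as independent, optional limits, so that any of the three conditions is obtained by passing one or both.

```python
from datetime import datetime, timedelta

T0 = datetime(2018, 6, 20, 16, 23, 0)


def ev(offset_s, device, features):
    """Constructed parsed log: 'time' is the generation time, the rest is label data."""
    return {"time": T0 + timedelta(seconds=offset_s), "device": device, "features": features}


# Constructed input: three duplicates from fw-A within a few seconds, one event
# from fw-B, and a fourth fw-A duplicate arriving well outside a 5-minute window.
PARSED_LOGS = [
    ev(0,   "fw-A", {"ip": "10.235.251.35", "type": "session"}),
    ev(5,   "fw-A", {"ip": "10.235.251.35", "type": "session"}),
    ev(9,   "fw-A", {"ip": "10.235.251.35", "type": "session"}),
    ev(12,  "fw-B", {"ip": "10.235.117.97", "type": "session"}),
    ev(400, "fw-A", {"ip": "10.235.251.35", "type": "session"}),
]


def _dup_key(e):
    """Two logs are duplicates when feature data and device information match."""
    return (e["device"], tuple(sorted(e["features"].items())))


def aggregate(logs, window=None, max_count=None):
    """Merge duplicate logs into one item under any combination of the two
    aggregation conditions: a time window (measured from the first log of the
    group) and/or a maximum number of logs merged into one item."""
    open_groups = {}
    merged = []
    for e in sorted(logs, key=lambda e: e["time"]):
        k = _dup_key(e)
        g = open_groups.get(k)
        in_window = g is not None and (window is None or e["time"] - g["time"] <= window)
        has_room = g is not None and (max_count is None or g["merged"] < max_count)
        if in_window and has_room:
            g["merged"] += 1
        else:
            g = dict(e, merged=1)  # start a new group; it becomes one security event
            open_groups[k] = g
            merged.append(g)
    return merged


# Constructed IP -> region table standing in for the third-party interface
# program that the description calls to fill in missing region information.
REGION_LOOKUP = {"10.235.251.35": "region-A", "10.235.117.97": "region-B"}
REQUIRED_FEATURES = ("ip", "type", "region")  # assumed set of feature types


def fill_missing(event, lookup=REGION_LOOKUP):
    """Fill a missing feature from the log's other features: region is derived
    from the IP address. Anything still unresolvable is left absent."""
    features = dict(event["features"])
    if "region" not in features and "ip" in features:
        region = lookup.get(features["ip"])
        if region is not None:
            features["region"] = region
    return dict(event, features=features)


def build_security_events(logs, window=None, max_count=None):
    """Step S102 end to end: aggregate, then fill; each survivor is one security event."""
    return [fill_missing(e) for e in aggregate(logs, window, max_count)]
```

With the 5-minute window alone the three early fw-A duplicates collapse into one event while the late one stays separate; with a count of 2 alone the late duplicate joins the group opened by the third; with both conditions the four fw-A logs produce three events. The `merged` counter on each event records how many logs it stands for, which the description does not require but which is what a downstream threshold would want to see.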
Step S103: predict, according to the security event data and an attack prediction model, whether a network attack will occur.
Considering that network attacks are distinguished according to rules and time, and that the logs generated by an attack also have a temporal order, in this embodiment, after the security event data corresponding to the logs to be processed are obtained, the security event data can be input into the attack prediction model in order of generation time. The attack prediction model can predict the probability that a network attack will occur, and from this it can be further predicted whether a network attack will occur.
In this embodiment, the attack prediction model can be obtained, based on a machine learning method, by training with a second training sample set and testing with a second test sample set until the model converges. The attack prediction model is used to predict whether a network attack will occur.
The second training sample set and the second test sample set can be obtained by organizing a preset second knowledge base according to a preset second machine learning algorithm. The content of the second knowledge base is basic network attack rules; network attack rules can also be formulated by third-party network security devices, supported by configuration, and so on. The second training sample set and the second test sample set are obtained by cleaning the network attack rule data in the second knowledge base.
After the security event data corresponding to the logs to be processed are obtained, the security event data can be input into the attack prediction model in order of generation time; the attack prediction model can predict the probability that a network attack will occur, and from this it can be further predicted whether a network attack will occur.
The embodiment of the present invention obtains the logs to be processed; performs feature extraction and recognition on the logs to be processed according to a log parsing model, to obtain the feature data of the logs to be processed and the corresponding device information; determines security event data according to the feature data of the logs to be processed and the corresponding device information; and predicts, according to the security event data and an attack prediction model, whether a network attack will occur. This improves the efficiency of log parsing and recognition, allows an imminent network attack to be predicted before it occurs, and provides a basis for effectively preventing the attack, so that the security of network devices is effectively ensured.
Embodiment two
Fig. 2 is a flowchart of the attack prediction method provided by Embodiment two of the present invention. On the basis of Embodiment one above, in this embodiment the feature data of the logs to be processed include the generation time, and predicting whether a network attack will occur according to the security event data and the attack prediction model specifically includes: inputting each item of security event data into the attack prediction model in order of generation time, so that the attack prediction model determines the probability that a network attack will occur according to the association relationship among the plurality of security event data; comparing the probability that a network attack will occur with a preset attack threshold; if the probability that a network attack will occur is greater than the preset attack threshold, outputting the prediction result that a network attack will occur; and if the probability that a network attack will occur is less than or equal to the preset attack threshold, outputting the prediction result that no network attack will occur. As shown in Fig. 2, the specific steps of the method are as follows:
Step S201: obtain the logs to be processed.
In this embodiment, when the security of a network device needs to be checked, the logs of the network device can be obtained as the logs to be processed.
In this embodiment, a network device is a physical device connected to a network and having a log recording function. Network devices include computer equipment (such as PCs or servers), hubs, switches, bridges, routers, gateways, network interface cards (NICs), wireless access points (WAPs), printers and so on; the kinds of network device are many and growing daily, and this embodiment does not specifically limit the type of network device.
Optionally, a plurality of logs of the network device within a preset time period can be obtained as the logs to be processed. The preset time period can be set by technical staff according to actual needs and is not specifically limited in this embodiment.
Step S202: perform feature extraction and recognition on the logs to be processed according to the log parsing model, to obtain the feature data of the logs to be processed and the corresponding device information.
The device information corresponding to a log to be processed can be information that distinguishes different network devices.
The log parsing model is a machine learning model. It can be obtained, based on a machine learning method, by training with the first training sample set and testing with the first test sample set until the model converges.
In this embodiment, the first knowledge base is obtained in advance; it is an accumulation of the network device logs of various manufacturers and includes a massive number of historical logs. By organizing the logs in the first knowledge base, the first training sample set used to train and optimize the preset log parsing model and the first test sample set used to test the optimized log parsing model are obtained.
Each first training sample in the first training sample set and each first test sample in the first test sample set is a log generated by a known network device.
After the first training sample set and the first test sample set are obtained, the log parsing model is trained with the first training samples and tested with the first test samples until it converges, so as to obtain the optimized log parsing model.
In this step, the logs to be processed are input into the log parsing model, which can rapidly perform feature extraction and recognition on them and obtain their feature data and corresponding device information, so that the recognition of the logs to be processed is completed quickly and the speed and precision of log recognition are improved.
Optionally, if recognition of a log to be processed by the log parsing model fails, an unknown-device-type log is generated. The unknown-device-type log records the event that recognition of the log to be processed failed, so that technical staff can manually identify the feature data and corresponding device information of the log according to the unknown-device-type log and send them to the attack prediction device through a user terminal. The attack prediction device receives the feature data and corresponding device information of the log to be processed; takes the received feature data and device information as the label data of the log; stores the log together with its label data in the first training sample set as one first training sample, thereby updating the first training sample set; and updates the log parsing model according to the updated first training sample set, so as to further optimize the log parsing model.
Specifically, the process of storing a log to be processed whose device information has been determined into the first training sample set is the same as the process of organizing the logs in the first knowledge base to obtain the first training sample set used to train the preset log parsing model.
Step S203, security event data is determined according to the characteristic of log to be processed and corresponding device information.
After being parsed to obtain the characteristic of log to be processed and corresponding device information to log to be processed, treat
Processing log carries out polymerization processing and filling processing, and log to be processed each of is retained after processing as a security incident number
According to.
In the present embodiment, security event data is determined according to the characteristic of log to be processed and corresponding device information, is had
Body can be realized in the following way:
Delete the duplicate log to be processed with same characteristic features data and corresponding device information;If in certain log to be processed
Lack certain characteristic, then processing is filled to the characteristic lacked according to other characteristics of the log to be processed;
To carry out deleting and filling processing after each of retain log to be processed and be determined as a security event data.
Specifically, the polymerizing condition of polymerization processing is generation time or the item number of log.Log to be processed is gathered
Conjunction processing, which can be, is filtered the repetition log in log to be processed with same characteristic features data and corresponding device information.
The filling for the essential information that processing can be to log to be processed is filled to log to be processed.According to be processed
The type for the characteristic that log should include, if lacking a certain or various features data, root in a certain log to be processed
Processing is filled to the characteristic lacked according to other characteristics of the log to be processed, thus to the spy of log to be processed
Sign data carry out perfect.
For example, the characteristic for recognizing a certain log includes IP address, but the region letter of the log is not recognized
Breath, then which domain is the IP address that can inquire the log belong to, can further obtain the corresponding regional information of the log, will
Regional information in the characteristic of log is filled, and is carried out to the characteristic of the log perfect.
Step S204, each security event data is sequentially input in Attack prediction according to the generation time, with
Attack prediction is set to determine the probability that attack occurs according to the incidence relation of multiple security event datas.
It, can be by security event data according to the generation time after obtaining the corresponding security event data of log to be processed
Sequencing be input to Attack prediction, by Attack prediction can predict occur attack it is general
Rate, and may further predict whether that attack occurs.
Wherein, Attack prediction is machine learning model.Attack prediction can be led to based on the method for machine learning
The training of the second training sample set, and the convergent Attack prediction tested by the second test sample collection are crossed, is attacked
Hit prediction model.For predicting whether attack occurs for Attack prediction.
In this embodiment, the content of the second knowledge base is the basic network attack rules; the network attack rules can also be formulated by third-party network security devices, supplied through configuration, and so on. By cleaning the network attack rule data in the second knowledge base, the second training sample set used to train the preset attack prediction model and the second test sample set used to test the attack prediction model are obtained.
Each second training sample in the second training sample set and each second test sample in the second test sample set is the association relationship among the security event data in a determined network attack.
After the second training sample set and the second test sample set are obtained, the attack prediction model is trained with the second training samples and tested with the second test samples until the attack prediction model converges, thereby obtaining the attack prediction model.
Step S205: compare the probability that a network attack occurs with a preset attack threshold.
After the probability that a network attack occurs is obtained, it is compared with the preset attack threshold, and whether a network attack will occur is predicted according to the comparison result, giving the prediction result.
The preset attack threshold can be set by technical staff according to actual needs; this embodiment does not specifically limit it.
Step S206: if the probability that a network attack occurs is greater than the preset attack threshold, output the prediction result that a network attack occurs.
If the probability that a network attack occurs is greater than the preset attack threshold, it is determined that a network attack is very likely, and the prediction result is that a network attack occurs.
Optionally, after a network attack is predicted, preset prevention processing corresponding to the predicted network attack can be carried out. The preset processing can be set by technical staff according to the practical application scenario; this embodiment does not specifically limit it.
For example, warning information is sent to technical staff in a preset manner; alternatively, measures such as disconnecting the network are taken directly.
Step S207: if the probability that a network attack occurs is less than or equal to the preset attack threshold, output the prediction result that no network attack occurs.
If the probability that a network attack occurs is less than or equal to the preset attack threshold, it is determined that the probability of a network attack is not large enough, and the prediction result is that no network attack occurs.
Steps S205 to S207 above are one feasible implementation of step S104, predicting whether a network attack occurs according to the security event data and the attack prediction model.
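Steps S204 to S207, as an added worked example that is not part of the patent: the patent does not say what kind of machine learning model the attack prediction model is, so this example stands in a first-order transition model over event types, trained from constructed attack chains and benign chains in the role of the second training sample set. The security events are sorted by generation time, scored by how much better the attack model explains their order than the benign model, and the resulting probability is compared with a preset threshold of 0.7. The event type names, the model choice and the threshold are assumptions of the example.

```python
"""Ordered security events -> attack probability -> threshold decision.

Illustrative example; the patent does not specify its attack prediction model.
The first-order transition model, the event type names and the 0.7 threshold
are assumptions of this example.
"""
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple

START = "<start>"

# Constructed stand-in for the second training sample set: the ordered chain of
# security events observed in known attacks, plus benign chains as a contrast class.
ATTACK_CHAINS = [
    ["port_scan", "brute_force", "login_success", "priv_esc"],
    ["port_scan", "exploit_attempt", "new_process", "outbound_c2"],
    ["brute_force", "login_success", "new_process", "outbound_c2"],
]
BENIGN_CHAINS = [
    ["login_success", "file_access", "logout"],
    ["login_success", "new_process", "logout"],
    ["file_access", "file_access", "logout"],
]


class TransitionModel:
    """First-order Markov model over event types with add-one smoothing."""

    def __init__(self, chains: Iterable[List[str]], vocab: Set[str]) -> None:
        self.vocab = vocab
        self.counts: Dict[str, Counter] = defaultdict(Counter)
        for chain in chains:
            prev = START
            for event in chain:
                self.counts[prev][event] += 1
                prev = event

    def log_prob(self, chain: List[str]) -> float:
        total, prev = 0.0, START
        for event in chain:
            row = self.counts[prev]
            total += math.log((row[event] + 1) / (sum(row.values()) + len(self.vocab)))
            prev = event
        return total


class AttackPredictor:
    def __init__(self, attack_chains, benign_chains, threshold: float = 0.7) -> None:
        vocab = {e for chain in attack_chains + benign_chains for e in chain}
        self.attack = TransitionModel(attack_chains, vocab)
        self.benign = TransitionModel(benign_chains, vocab)
        self.threshold = threshold   # the "preset attack threshold"

    def attack_probability(self, events: List[Tuple[datetime, str]]) -> float:
        """Step S204: feed the events in generation-time order and score how much
        better the attack model explains the sequence than the benign model."""
        ordered = [event_type for _, event_type in sorted(events)]
        llr = self.attack.log_prob(ordered) - self.benign.log_prob(ordered)
        return 1.0 / (1.0 + math.exp(-llr))   # squash the log-likelihood ratio into (0, 1)

    def predict(self, events: List[Tuple[datetime, str]]) -> Dict[str, object]:
        """Steps S205-S207: compare with the threshold and output the prediction result."""
        probability = self.attack_probability(events)
        return {"probability": round(probability, 3),
                "attack_predicted": probability > self.threshold}


def constructed_events(event_types: List[str], start: datetime) -> List[Tuple[datetime, str]]:
    """Build (generation time, event type) pairs one second apart, returned in
    reverse order so the predictor has to sort them by time itself."""
    events = [(start + timedelta(seconds=i), t) for i, t in enumerate(event_types)]
    return events[::-1]


# Constructed inputs: one attack-like and one benign sequence of security events.
ATTACK_EVENTS = constructed_events(["port_scan", "brute_force", "login_success", "priv_esc"],
                                   datetime(2018, 10, 22, 10, 0, 0))
BENIGN_EVENTS = constructed_events(["login_success", "file_access", "logout"],
                                   datetime(2018, 10, 22, 11, 0, 0))

if __name__ == "__main__":
    predictor = AttackPredictor(ATTACK_CHAINS, BENIGN_CHAINS)
    print(predictor.predict(ATTACK_EVENTS))
    print(predictor.predict(BENIGN_EVENTS))
```

The benign chains are not in the patent's description of the second training samples; they are added so that a likelihood ratio, rather than the attack likelihood alone, drives the probability, since under a single model every long sequence looks improbable. The test-set convergence loop of the training step is omitted; the threshold comparison is where the two outputs of steps S206 and S207 are produced.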
In the embodiment of the present invention, the logs to be processed are obtained; feature extraction and recognition are performed on the logs to be processed according to the log parsing model, so as to obtain the characteristic data and device information of the logs to be processed; security event data is determined according to the characteristic data and device information of the logs to be processed; and whether a network attack occurs is predicted according to the security event data and the attack prediction model. This improves the efficiency of parsing and recognizing logs, and allows an imminent network attack to be predicted before it occurs, providing a basis for effectively preventing the network attack and thereby effectively ensuring the security of the network equipment.
Embodiment three
Fig. 3 is a schematic structural diagram of the network attack prediction device provided by embodiment three of the present invention. The network attack prediction device provided by this embodiment can carry out the processing flow of the network attack prediction method embodiment. As shown in Fig. 3, the network attack prediction device 30 includes a log analyzing module 302, an aggregation and filling module 303, and a prediction processing module 304.
Specifically, the log analyzing module 302 is configured to perform feature extraction and recognition on the logs to be processed according to the log parsing model, so as to obtain the characteristic data and device information of the logs to be processed.
The aggregation and filling module 303 is configured to determine security event data according to the characteristic data and device information of the logs to be processed.
The prediction processing module 304 is configured to predict whether a network attack occurs according to the security event data and the attack prediction model.
The device provided by this embodiment of the present invention can be specifically used to carry out the method embodiment provided by embodiment one above; its specific functions are not described again here.
Embodiment four
Fig. 4 is a schematic structural diagram of the network attack prediction device provided by embodiment four of the present invention. On the basis of embodiment three above, in this embodiment the characteristic data of the logs to be processed includes the generation time, and the prediction processing module is specifically configured to:
input each security event data into the attack prediction model in order of generation time, so that the attack prediction model determines the probability that a network attack occurs according to the association relationship among the multiple security event data; compare the probability that a network attack occurs with the preset attack threshold; if the probability that a network attack occurs is greater than the preset attack threshold, output the prediction result that a network attack occurs; and if the probability that a network attack occurs is less than or equal to the preset attack threshold, output the prediction result that no network attack occurs.
Optionally, the aggregation and filling module is specifically configured to:
delete duplicate logs to be processed that have the same characteristic data and device information; if certain characteristic data is missing from a given log to be processed, fill in the missing characteristic data according to the other characteristic data of that log to be processed; and determine each log to be processed that remains after the deletion and filling processing as one security event data.
Optionally, as shown in Fig. 4, the network attack prediction device 30 can also include a log parsing model training module 305.
The log parsing model training module 305 is configured to:
obtain a first training sample set and a first test sample set, where each first training sample in the first training sample set and each first test sample in the first test sample set is sample data that includes a log generated by a determined network device and the label data of that log, the label data including the characteristic data and device information of the log; and train the log parsing model with the first training samples and test the log parsing model with the first test samples until the log parsing model converges, so as to obtain the optimized log parsing model.
Optionally, the log parsing model training module 305 is also configured to:
if recognition of a log to be processed according to the log parsing model fails, receive the characteristic data and device information of that log to be processed; use the received characteristic data and device information as the label data of the log to be processed, and store the log to be processed together with its label data in the first training sample set so as to update the first training sample set; and update the log parsing model according to the updated first training sample set.
Optionally, as shown in Fig. 4, the network attack prediction device 30 can also include an attack prediction model training module 306.
The attack prediction model training module 306 is configured to:
obtain a second training sample set and a second test sample set, where each second training sample in the second training sample set and each second test sample in the second test sample set is the association relationship among the security event data in a determined network attack; and
train the attack prediction model with the second training samples and test the attack prediction model with the second test samples until the attack prediction model converges, so as to obtain the attack prediction model.
The device provided by this embodiment of the present invention can be specifically used to carry out the method embodiment provided by embodiment two above; its specific functions are not described again here.
Embodiment five
Fig. 5 is a schematic structural diagram of the network attack prediction equipment provided by embodiment five of the present invention. As shown in Fig. 5, the equipment 50 includes a processor 501, a memory 502, and a computer program stored on the memory 502 and executable by the processor 501.
When the processor 501 executes the computer program stored on the memory 502, it implements the network attack prediction method provided by any of the method embodiments above.
In addition, an embodiment of the present invention also provides a computer-readable storage medium storing a computer program; when the computer program is executed by a processor, it implements the network attack prediction method provided by any of the method embodiments above.
In the several embodiments provided by the present invention, it should be understood that the disclosed device and method can be implemented in other ways. For example, the device embodiments described above are merely illustrative; the division of units is only one kind of logical functional division, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Further, the mutual coupling, direct coupling or communication connection shown or discussed may be realized through interfaces, and the indirect coupling or communication connection between devices or units may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the various embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware, or in the form of hardware plus software functional units.
The integrated unit implemented in the form of a software functional unit may be stored in a computer-readable storage medium. The software functional unit is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) or a processor to perform some of the steps of the methods of the embodiments of the present invention. The storage medium includes a USB flash disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the division into the functional modules above is only an example; in practical application, the functions above may be allocated to different functional modules as needed, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the functions described above. For the specific working process of the device described above, reference may be made to the corresponding process in the foregoing method embodiments, which is not repeated here.
Other embodiments of the invention will readily occur to those skilled in the art after considering the specification and practising the invention disclosed here. The present invention is intended to cover any variations, uses or adaptations of the invention that follow its general principles and include common knowledge or conventional techniques in the art not disclosed herein. The description and examples are to be considered illustrative only; the true scope and spirit of the invention are indicated by the following claims.
It should be understood that the present invention is not limited to the precise structures described above and shown in the accompanying drawings, and that various modifications and changes may be made without departing from its scope. The scope of the present invention is limited only by the appended claims.
Claims (10)
1. A method for predicting a network attack, characterized by comprising:
performing feature extraction and recognition on a log to be processed according to a log parsing model, so as to obtain characteristic data and device information of the log to be processed;
determining security event data according to the characteristic data and device information of the log to be processed; and
predicting whether a network attack occurs according to the security event data and an attack prediction model.
2. The method according to claim 1, wherein determining security event data according to the characteristic data and device information of the log to be processed specifically comprises:
deleting duplicate logs to be processed that have the same characteristic data and device information;
if certain characteristic data is missing from a certain log to be processed, filling in the missing characteristic data according to the other characteristic data of the log to be processed; and
determining each log to be processed that remains after the deletion and filling processing as one security event data.
3. The method according to claim 1, wherein the characteristic data of the log to be processed includes a generation time, and predicting whether a network attack occurs according to the security event data and the attack prediction model specifically comprises:
inputting each security event data into the attack prediction model in order of the generation time, so that the attack prediction model determines the probability that a network attack occurs according to the association relationship among the multiple security event data;
comparing the probability that a network attack occurs with a preset attack threshold;
if the probability that a network attack occurs is greater than the preset attack threshold, outputting a prediction result that a network attack occurs; and
if the probability that a network attack occurs is less than or equal to the preset attack threshold, outputting a prediction result that no network attack occurs.
4. The method according to claim 1, wherein before performing feature extraction and recognition on the log to be processed according to the log parsing model so as to obtain the characteristic data and device information of the log to be processed, the method further comprises:
obtaining a first training sample set and a first test sample set, wherein the sample data in the first training sample set and the first test sample set include logs generated by determined network devices and label data of the logs, the label data including characteristic data and device information of the logs; and
training the log parsing model with the first training samples and testing the log parsing model with the first test samples until the log parsing model converges, so as to obtain the log parsing model.
5. The method according to claim 1, wherein before predicting whether a network attack occurs according to the security event data and the attack prediction model, the method further comprises:
obtaining a second training sample set and a second test sample set, wherein each second training sample in the second training sample set and each second test sample in the second test sample set is the association relationship among the security event data in a determined network attack; and
training the attack prediction model with the second training samples and testing the attack prediction model with the second test samples until the attack prediction model converges, so as to obtain the attack prediction model.
6. The method according to claim 4, characterized by further comprising:
if recognition of the log to be processed according to the log parsing model fails, receiving the characteristic data and device information of the log to be processed;
using the received characteristic data and device information as the label data of the log to be processed, and storing the log to be processed and its label data in the first training sample set so as to update the first training sample set; and
updating the log parsing model according to the updated first training sample set.
7. A device for predicting a network attack, characterized by comprising:
a log analyzing module, configured to perform feature extraction and recognition on a log to be processed according to a log parsing model, so as to obtain characteristic data and device information of the log to be processed;
an aggregation and filling module, configured to determine security event data according to the characteristic data and device information of the log to be processed; and
a prediction processing module, configured to predict whether a network attack occurs according to the security event data and an attack prediction model.
8. The device according to claim 7, wherein the characteristic data of the log to be processed includes a generation time, and the prediction processing module is specifically configured to:
input each security event data into the attack prediction model in order of the generation time, so that the attack prediction model determines the probability that a network attack occurs according to the association relationship among the multiple security event data;
compare the probability that a network attack occurs with a preset attack threshold;
if the probability that a network attack occurs is greater than the preset attack threshold, output a prediction result that a network attack occurs; and
if the probability that a network attack occurs is less than or equal to the preset attack threshold, output a prediction result that no network attack occurs.
9. Network attack prediction equipment, characterized by comprising:
a memory, a processor, and a computer program stored on the memory and runnable on the processor,
wherein the processor, when running the computer program, implements the method according to any one of claims 1 to 6.
10. A computer-readable storage medium, characterized in that it stores a computer program, and
when the computer program is executed by a processor, the method according to any one of claims 1 to 6 is implemented.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811229471.4A CN109347827B (en) | 2018-10-22 | 2018-10-22 | Method, device, equipment and storage medium for predicting network attack behavior |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811229471.4A CN109347827B (en) | 2018-10-22 | 2018-10-22 | Method, device, equipment and storage medium for predicting network attack behavior |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109347827A true CN109347827A (en) | 2019-02-15 |
CN109347827B CN109347827B (en) | 2021-06-22 |
Family
ID=65310688
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811229471.4A Active CN109347827B (en) | 2018-10-22 | 2018-10-22 | Method, device, equipment and storage medium for predicting network attack behavior |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109347827B (en) |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110059480A (en) * | 2019-03-13 | 2019-07-26 | 深圳壹账通智能科技有限公司 | Attack monitoring method, device, computer equipment and storage medium |
CN110321371A (en) * | 2019-07-01 | 2019-10-11 | 腾讯科技(深圳)有限公司 | Daily record data method for detecting abnormality, device, terminal and medium |
CN110912884A (en) * | 2019-11-20 | 2020-03-24 | 深信服科技股份有限公司 | Detection method, detection equipment and computer storage medium |
CN111178537A (en) * | 2019-12-09 | 2020-05-19 | 华为技术有限公司 | Feature extraction model training method and device |
CN111277606A (en) * | 2020-02-10 | 2020-06-12 | 北京邮电大学 | Detection model training method, detection method and device, and storage medium |
CN111885064A (en) * | 2020-07-24 | 2020-11-03 | 浙江军盾信息科技有限公司 | Security event analysis method and device based on multi-source data, electronic device and storage medium |
CN112073396A (en) * | 2020-08-27 | 2020-12-11 | 北京天融信网络安全技术有限公司 | Method and device for detecting transverse movement attack behavior of intranet |
CN112751876A (en) * | 2020-12-30 | 2021-05-04 | 北京天融信网络安全技术有限公司 | Control method and device of message acquisition system, electronic equipment and storage medium |
CN113079153A (en) * | 2021-03-26 | 2021-07-06 | 新华三技术有限公司 | Network attack type prediction method and device and storage medium |
CN113162794A (en) * | 2021-01-27 | 2021-07-23 | 国网福建省电力有限公司 | Next-step attack event prediction method and related equipment |
CN113688383A (en) * | 2021-08-31 | 2021-11-23 | 林楠 | Attack defense testing method based on artificial intelligence and artificial intelligence analysis system |
CN113688382A (en) * | 2021-08-31 | 2021-11-23 | 林楠 | Attack intention mining method based on information security and artificial intelligence analysis system |
CN114679341A (en) * | 2022-05-27 | 2022-06-28 | 江苏益柏锐信息科技有限公司 | Network intrusion attack analysis method, equipment and medium combined with ERP system |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104573024A (en) * | 2015-01-12 | 2015-04-29 | 国家电网公司 | Self-adaptive extracting method and system for heterogeneous security log information under complex network system |
CN105653444A (en) * | 2015-12-23 | 2016-06-08 | 北京大学 | Internet log data-based software defect failure recognition method and system |
CN106209893A (en) * | 2016-07-27 | 2016-12-07 | 中国人民解放军信息工程大学 | The inside threat detecting system excavated based on business process model and detection method thereof |
WO2017115458A1 (en) * | 2015-12-28 | 2017-07-06 | 日本電気株式会社 | Log analysis system, method, and program |
CN107273269A (en) * | 2017-06-12 | 2017-10-20 | 北京奇虎科技有限公司 | Daily record analysis method and device |
CN108449342A (en) * | 2018-03-20 | 2018-08-24 | 北京搜狐互联网信息服务有限公司 | Malicious requests detection method and device |
US20180270261A1 (en) * | 2017-03-17 | 2018-09-20 | Target Brands, Inc. | Word embeddings for anomaly classification from event logs |
CN108616498A (en) * | 2018-02-24 | 2018-10-02 | 国家计算机网络与信息安全管理中心 | A kind of web access exceptions detection method and device |
- 2018-10-22 CN CN201811229471.4A patent/CN109347827B/en active Active
Cited By (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110059480A (en) * | 2019-03-13 | 2019-07-26 | 深圳壹账通智能科技有限公司 | Attack monitoring method, device, computer equipment and storage medium |
CN110321371B (en) * | 2019-07-01 | 2024-04-26 | 腾讯科技(深圳)有限公司 | Log data anomaly detection method, device, terminal and medium |
CN110321371A (en) * | 2019-07-01 | 2019-10-11 | 腾讯科技(深圳)有限公司 | Daily record data method for detecting abnormality, device, terminal and medium |
CN110912884A (en) * | 2019-11-20 | 2020-03-24 | 深信服科技股份有限公司 | Detection method, detection equipment and computer storage medium |
CN111178537A (en) * | 2019-12-09 | 2020-05-19 | 华为技术有限公司 | Feature extraction model training method and device |
CN111178537B (en) * | 2019-12-09 | 2023-11-17 | 华为云计算技术有限公司 | Feature extraction model training method and device |
CN111277606A (en) * | 2020-02-10 | 2020-06-12 | 北京邮电大学 | Detection model training method, detection method and device, and storage medium |
CN111885064A (en) * | 2020-07-24 | 2020-11-03 | 浙江军盾信息科技有限公司 | Security event analysis method and device based on multi-source data, electronic device and storage medium |
CN111885064B (en) * | 2020-07-24 | 2022-11-25 | 杭州安恒信息安全技术有限公司 | Security event analysis method and device based on multi-source data, electronic device and storage medium |
CN112073396A (en) * | 2020-08-27 | 2020-12-11 | 北京天融信网络安全技术有限公司 | Method and device for detecting transverse movement attack behavior of intranet |
CN112751876A (en) * | 2020-12-30 | 2021-05-04 | 北京天融信网络安全技术有限公司 | Control method and device of message acquisition system, electronic equipment and storage medium |
CN112751876B (en) * | 2020-12-30 | 2022-11-15 | 北京天融信网络安全技术有限公司 | Control method and device of message acquisition system, electronic equipment and storage medium |
CN113162794A (en) * | 2021-01-27 | 2021-07-23 | 国网福建省电力有限公司 | Next-step attack event prediction method and related equipment |
CN113162794B (en) * | 2021-01-27 | 2024-01-16 | 国网福建省电力有限公司 | Next attack event prediction method and related equipment |
CN113079153A (en) * | 2021-03-26 | 2021-07-06 | 新华三技术有限公司 | Network attack type prediction method and device and storage medium |
CN113079153B (en) * | 2021-03-26 | 2022-06-21 | 新华三技术有限公司 | Network attack type prediction method and device and storage medium |
CN113688382A (en) * | 2021-08-31 | 2021-11-23 | 林楠 | Attack intention mining method based on information security and artificial intelligence analysis system |
CN113688383A (en) * | 2021-08-31 | 2021-11-23 | 林楠 | Attack defense testing method based on artificial intelligence and artificial intelligence analysis system |
CN114679341A (en) * | 2022-05-27 | 2022-06-28 | 江苏益柏锐信息科技有限公司 | Network intrusion attack analysis method, equipment and medium combined with ERP system |
Also Published As
Publication number | Publication date |
---|---|
CN109347827B (en) | 2021-06-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109347827A (en) | | Method, apparatus, equipment and the storage medium of attack prediction |
CN108600200B (en) | | Domain name detection method and device, computer equipment and storage medium |
Park et al. | | Classification of attack types for intrusion detection systems using a machine learning algorithm |
CN108471429B (en) | | Network attack warning method and system |
CN101924757B (en) | | Method and system for reviewing Botnet |
CN111355697B (en) | | Detection method, device, equipment and storage medium for botnet domain name family |
CN108449342A (en) | | Malicious requests detection method and device |
Niu et al. | | Identifying APT malware domain based on mobile DNS logging |
CN110198303A (en) | | Threaten the generation method and device, storage medium, electronic device of information |
CN106302450B (en) | | A kind of detection method and device based on malice address in DDOS attack |
CN110149319B (en) | | APT organization tracking method and device, storage medium and electronic device |
Cipriano et al. | | Nexat: A history-based approach to predict attacker actions |
CN110210213A (en) | | The method and device of filtering fallacious sample, storage medium, electronic device |
CN107995179A (en) | | A kind of unknown threat cognitive method, device, equipment and system |
CN105262730B (en) | | Monitoring method and device based on enterprise domain name safety |
Suthar et al. | | A signature-based botnet (emotet) detection mechanism |
Elekar | | Combination of data mining techniques for intrusion detection system |
Eldos et al. | | On the KDD'99 Dataset: Statistical Analysis for Feature Selection |
CN109756467A (en) | | A kind of recognition methods of fishing website and device |
Amin et al. | | Classification of cyber attacks based on rough set theory |
CN107231383A (en) | | The detection method and device of CC attacks |
Alosefer et al. | | Predicting client-side attacks via behaviour analysis using honeypot data |
CN110224975B (en) | | APT information determination method and device, storage medium and electronic device |
Song et al. | | A comprehensive approach to detect unknown attacks via intrusion detection alerts |
CN110188537A (en) | | Separate-storage method and device, storage medium, the electronic device of data |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |