CN109347827A - Method, apparatus, equipment and the storage medium of attack prediction - Google Patents


Info

Publication number
CN109347827A
Authority
CN
China
Legal status
Granted
Application number
CN201811229471.4A
Other languages
Chinese (zh)
Other versions
CN109347827B (en)
Inventor
阎俊达
Current Assignee
Neusoft Corp
Original Assignee
Neusoft Corp
Application filed by Neusoft Corp
Priority to CN201811229471.4A
Published as CN109347827A; application granted and published as CN109347827B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

Embodiments of the present invention provide a method, apparatus, device and storage medium for attack prediction. The method performs feature extraction and recognition on logs to be processed according to a log analysis model, obtaining the feature data and corresponding device information of those logs; determines security event data from that feature data and device information; and predicts, from the security event data and an attack prediction model, whether a network attack will occur. This improves the efficiency of log parsing and recognition, allows an imminent network attack to be predicted before it happens, and provides a basis for effectively preventing attacks, so that the security of network devices can be effectively guaranteed.

Description

Method, apparatus, equipment and the storage medium of attack prediction
Technical field
The present invention relates to the field of network security, and in particular to a method, apparatus, device and storage medium for attack prediction.
Background technique
Network security means protecting the hardware, software and data of a network system so that they are not destroyed, altered or leaked through accidental or malicious causes, the system runs continuously, reliably and normally, and network services are not interrupted.
At present, whether a network device is under network attack is identified by parsing the logs the device generates. Because logs are unstructured data with no uniform format, and because there are many kinds of network devices with no single log parsing format shared among them, the prior art identifies attacks by configuring regular expressions that match each log format.
However, because the existing attack recognition method must select a regular expression before every recognition and only then perform the recognition, its recognition efficiency is low; moreover it cannot predict attacks and therefore cannot effectively guarantee the security of network devices.
Summary of the invention
Embodiments of the present invention provide a method, apparatus, device and storage medium for attack prediction, to solve the problem that the existing attack recognition method has low recognition efficiency (because a regular expression must be selected before every recognition), cannot predict attacks, and cannot effectively guarantee the security of network devices.
One aspect of the embodiments of the present invention provides a method of attack prediction, comprising:
performing feature extraction and recognition on logs to be processed according to a log analysis model, to obtain the feature data and corresponding device information of the logs to be processed;
determining security event data according to the feature data and corresponding device information of the logs to be processed;
predicting whether a network attack occurs according to the security event data and an attack prediction model.
Another aspect of the embodiments of the present invention provides an attack prediction apparatus, comprising:
a log analysis module, for performing feature extraction and recognition on logs to be processed according to a log analysis model, to obtain the feature data and corresponding device information of the logs to be processed;
an aggregation and filling module, for determining security event data according to the feature data and corresponding device information of the logs to be processed;
a prediction processing module, for predicting whether a network attack occurs according to the security event data and an attack prediction model.
Another aspect of the embodiments of the present invention provides an attack prediction device, comprising:
a memory, a processor, and a computer program stored in the memory and runnable on the processor,
wherein the processor implements the attack prediction method described above when it runs the computer program.
Another aspect of the embodiments of the present invention provides a computer-readable storage medium storing a computer program,
wherein the computer program implements the attack prediction method described above when executed by a processor.
The method, apparatus, device and storage medium for attack prediction provided by the embodiments of the present invention obtain logs to be processed; perform feature extraction and recognition on them according to a log analysis model to obtain their feature data and corresponding device information; determine security event data from that feature data and device information; and predict whether a network attack occurs from the security event data and an attack prediction model. This improves the efficiency of log parsing and recognition, allows an imminent network attack to be predicted before it occurs, and provides a basis for effectively preventing attacks, so that the security of network devices is effectively guaranteed.
Detailed description of the invention
Fig. 1 is a flowchart of the attack prediction method provided by Embodiment 1 of the present invention;
Fig. 2 is a flowchart of the attack prediction method provided by Embodiment 2 of the present invention;
Fig. 3 is a schematic structural diagram of the attack prediction apparatus provided by Embodiment 3 of the present invention;
Fig. 4 is a schematic structural diagram of the attack prediction apparatus provided by Embodiment 4 of the present invention;
Fig. 5 is a schematic structural diagram of the attack prediction device provided by Embodiment 5 of the present invention.
The above drawings show specific embodiments of the present invention, which are described in more detail below. The drawings and textual description are not intended to limit the scope of the inventive concept in any way, but to illustrate the concept of the invention to those skilled in the art by reference to specific embodiments.
Specific embodiment
Embodiments of the present invention are described in more detail below with reference to the accompanying drawings. Although certain embodiments of the invention are shown in the drawings, it should be understood that the invention can be realized in various forms and should not be construed as limited to the embodiments set forth here; on the contrary, these embodiments are provided so that the invention is understood more thoroughly and completely. It should be understood that the drawings and embodiments are given for illustration only and are not intended to limit the scope of protection of the invention.
Terms such as "first", "second", "third" and "fourth" (if present) in the embodiments of the present invention are used to distinguish similar objects, not to describe a particular order or sequence. It should be understood that data so used may be interchanged where appropriate, so that the embodiments described here can be implemented in orders other than those shown or described. In addition, the terms "comprising" and "having" and any variants of them are intended to cover a non-exclusive inclusion: a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to that process, method, product or device. In the description of the following embodiments, "plurality" means two or more unless expressly limited otherwise.
The specific embodiments below can be combined with one another, and the same or similar concepts or processes may not be repeated in some embodiments. The embodiments of the present invention are described below with reference to the drawings.
Embodiment one
Fig. 1 is a flowchart of the attack prediction method provided by Embodiment 1 of the present invention. This embodiment addresses the problem that the existing attack recognition method has low recognition efficiency (because a regular expression must be selected before every recognition), cannot predict attacks, and cannot effectively guarantee the security of network devices, and provides a method of attack prediction.
As shown in Fig. 1, the specific steps of the method are as follows:
Step S101: perform feature extraction and recognition on logs to be processed according to a log analysis model, to obtain the feature data and corresponding device information of the logs to be processed.
In this embodiment, when the security of a network device needs to be checked, the logs of the network device can be obtained as the logs to be processed.
In this embodiment, a network device is any physical device connected to the network that has a logging function. Network devices include computer devices (such as PCs or servers), hubs, switches, bridges, routers, gateways, network interface cards (NIC), wireless access points (WAP), printers and so on; the kinds of network device are many and growing daily, and this embodiment does not specifically limit the type of network device.
Optionally, multiple logs of the network device within a preset time period can be obtained as the logs to be processed. The preset time period can be set by technical staff according to actual needs and is not specifically limited in this embodiment.
The device information corresponding to a log to be processed can be any information that distinguishes different network devices, for example the brand, device type and device identification of the corresponding device.
In this embodiment, the log analysis model can be obtained by training on a first training sample set using a machine learning method. After training, the accuracy of the trained model can be tested with a first test sample set; if the accuracy meets a preset condition, the trained model is taken as the final log analysis model.
The first training sample set contains multiple training samples. Each training sample corresponds to one historical log and consists of that log together with its label data, where the label data of a log comprises the feature data of the log and the device information it belongs to.
The feature data of a log to be processed can be the types of feature words contained in the log and the number or frequency of their occurrences, etc. The feature data can be set by technical staff according to actual needs and is not specifically limited in this embodiment.
For example, for the following historical log content:
[ip=192.168.174.145code=44243622type=0dev=130008:[hillstone fw Syslog parser] prefix=Format message:<190>Jun 20 16:23:362206401140002123 (root)44243622Traffic@FLOW:SESSION:10.235.251.35:26763->10.235.117.97:902 (UDP),interface aggregate2,vr trust-vr,policy 22,user-@-,host-,session start
The label data corresponding to this log comprises its feature data and its corresponding device information. The feature data can include feature words such as "ip", "type", "Format" and "message" together with the number of times each occurs in the log; the device information can include the brand, device type and device identification of the corresponding device. For example, if the corresponding device is an Intrusion Detection System (IDS) device of a certain brand (such as "green alliance"), the corresponding device information can be "green alliance IDS device".
The first training sample set and first test sample set can be obtained by organizing a preset first knowledge base according to a preset first machine learning algorithm. The first knowledge base is an accumulation of network device logs from various manufacturers and contains a massive number of historical logs.
By inputting the logs to be processed into the log analysis model, the model can rapidly perform feature extraction and recognition on them and obtain their feature data and corresponding device information, so that parsing of the logs to be processed is completed quickly.
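The following is an added example, not the patent's own code: it extracts feature-word counts from the sample log above and recognizes the device by nearest-neighbour similarity against labeled history logs, a stand-in for the trained log analysis model. The feature vocabulary, the history logs, the device labels and the acceptance threshold are all assumptions made for the example; the sample log is the patent's, with its field separators restored.

```python
"""Feature extraction and device recognition for network-device logs.

Added example (not the patent's code). The trained log analysis model is
replaced by cosine similarity against a small labeled history; a log whose
best match falls below MIN_SIMILARITY is reported as unknown, which is the
case the patent handles with an "unknown device type log".
"""
import re
from math import sqrt

# Feature vocabulary assumed for the example; the patent leaves it to the engineer.
FEATURE_WORDS = ("ip", "code", "type", "dev", "Format", "message",
                 "Traffic", "SESSION", "interface", "policy", "session")

# The patent's sample log, spacing restored (constructed, not a live capture).
SAMPLE_LOG = ("[ip=192.168.174.145 code=44243622 type=0 dev=130008:[hillstone fw "
              "Syslog parser] prefix=Format message:<190>Jun 20 16:23:36 "
              "2206401140002123(root)44243622 Traffic@FLOW:SESSION:"
              "10.235.251.35:26763->10.235.117.97:902(UDP),interface aggregate2,"
              "vr trust-vr,policy 22,user-@-,host-,session start")

# Constructed labeled history: (historical log, device information).
LABELED_HISTORY = [
    ("[ip=10.0.0.2 code=1 type=0 dev=130008:[hillstone fw Syslog parser] "
     "prefix=Format message:<190>Jun 20 16:20:01 1(root)1 Traffic@FLOW:SESSION:"
     "10.0.0.5:1->10.0.0.9:53(UDP),interface eth0,vr trust-vr,policy 3,"
     "user-@-,host-,session end", "hillstone firewall"),
    ("<134>Jun 20 16:21:07 ids01 ips: message=signature match type=alert "
     "ip=10.0.0.7 policy=ids-default", "green alliance IDS device"),
]

MIN_SIMILARITY = 0.8  # assumed acceptance threshold for a recognized device


def extract_features(log: str) -> dict:
    """Feature data: how often each feature word occurs as a whole token."""
    return {w: len(re.findall(r"\b" + re.escape(w) + r"\b", log))
            for w in FEATURE_WORDS}


def cosine(a: dict, b: dict) -> float:
    """Cosine similarity of two count vectors over FEATURE_WORDS."""
    dot = sum(a[w] * b[w] for w in FEATURE_WORDS)
    na = sqrt(sum(v * v for v in a.values()))
    nb = sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def identify_device(features: dict, history=LABELED_HISTORY):
    """Device information of the most similar labeled log, or None if unknown."""
    best_device, best_sim = None, 0.0
    for log, device in history:
        sim = cosine(features, extract_features(log))
        if sim > best_sim:
            best_device, best_sim = device, sim
    return best_device if best_sim >= MIN_SIMILARITY else None


def build_training_sample(log: str, device: str) -> dict:
    """A first-training-sample entry: the log plus its label data
    (feature data and device information), as the patent describes."""
    return {"log": log,
            "label": {"features": extract_features(log), "device": device}}


if __name__ == "__main__":
    feats = extract_features(SAMPLE_LOG)
    print({w: n for w, n in feats.items() if n})
    print("device:", identify_device(feats))
```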
Step S102: determine security event data according to the feature data and corresponding device information of the logs to be processed.
After the logs to be processed have been parsed to obtain their feature data and corresponding device information, aggregation processing and filling processing are performed on them, and each log retained after processing is taken as one item of security event data.
The aggregation condition of the aggregation processing comprises the generation time of the logs and/or an aggregation count.
Aggregating the logs to be processed means merging, according to the aggregation condition, the duplicate logs that have the same feature data and corresponding device information into one log. This specifically includes the following feasible embodiments:
One feasible embodiment: the aggregation condition is the generation time of the logs. Among the logs to be processed whose generation time falls within a preset time range, the duplicate logs with the same feature data and corresponding device information are merged into one record. The preset time range can be set by technical staff according to actual needs and is not specifically limited in this embodiment. For example, the preset time range can be the most recent 5 minutes.
Another feasible embodiment: the aggregation condition is an aggregation count. Among the logs to be processed, at most the aggregation count of duplicate logs with the same feature data and corresponding device information are merged into one record. The aggregation count can be set by technical staff according to actual needs and is not specifically limited in this embodiment. For example, the aggregation count can be 1000.
Another feasible embodiment: the aggregation condition is both the generation time of the logs and an aggregation count. Among the logs to be processed whose generation time falls within the preset time range, at most the aggregation count of duplicate logs with the same feature data and corresponding device information are merged into one record. The preset time range and aggregation count can be set by technical staff according to actual needs and are not specifically limited in this embodiment. Filling processing of the logs to be processed can be the filling of basic information of the logs. According to the types of feature data a log to be processed should contain, if a log lacks one or more kinds of feature data, the missing feature data is filled in according to the other feature data of that log, so that the feature data of the log is completed.
Other feature data of a log to be processed can, for example, be the geographic location information corresponding to the log. Optionally, if a log lacks a certain kind of feature data, filling data can be obtained by calling the third-party interface program corresponding to the type of the missing feature data, and the obtained filling data is added to the log as feature data of that type.
For example, if the recognized feature data of a log includes an IP address but no region information, the third-party interface program corresponding to region information can be called to query which region the IP address belongs to, and the obtained region information is filled into the feature data of the log to complete it. As another example, if the missing feature data of a log is the position coordinates of a site, the longitude and latitude of the site can be obtained by calling a third-party interface program, added to the feature data of the log as the site's position coordinates, and thereby included in the security event data corresponding to the log.
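The following is an added example, not the patent's own code, of the step S102 processing: parsed logs are aggregated under the three aggregation conditions described above (time window, count cap, or both), missing region information is filled from the IP address, and the resulting security events are returned in order of generation time. The parsed log records, the region lookup table (standing in for the third-party interface program) and the parameter values are constructed for this example.

```python
"""Aggregation and filling of parsed logs into security event data.

Added example (not the patent's code). Duplicate logs (same feature data and
device information) are merged subject to a time window and/or a count cap;
a missing "region" feature is filled by looking up the source IP in a table
that stands in for the third-party interface; an IP with no table entry is
left unfilled rather than guessed.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

WINDOW = timedelta(minutes=5)   # preset time range from the description
MAX_COUNT = 1000                # aggregation count from the description

# Constructed region table standing in for the third-party region interface.
REGION_TABLE = {
    ip_network("10.235.0.0/16"): "site-A",
    ip_network("192.168.174.0/24"): "lab",
}


def _rec(hh, mm, ss, src_ip, event, device="hillstone firewall"):
    """Build one parsed log record (constructed sample data)."""
    return {"time": datetime(2018, 6, 20, hh, mm, ss),
            "features": {"src_ip": src_ip, "event": event},
            "device": device}


# Output of the log analysis step for a batch of logs (constructed).
PARSED_LOGS = [
    _rec(16, 23, 36, "10.235.251.35", "session start"),
    _rec(16, 23, 40, "10.235.251.35", "session start"),
    _rec(16, 25, 0, "10.235.251.35", "session start"),
    _rec(16, 30, 0, "10.235.251.35", "session start"),  # outside the 5-minute window
    _rec(16, 24, 10, "203.0.113.9", "signature match", "green alliance IDS device"),
]


def event_key(rec):
    """Duplicate logs share device information and identical feature data."""
    return (rec["device"], tuple(sorted(rec["features"].items())))


def aggregate(records, window=WINDOW, max_count=MAX_COUNT):
    """Merge duplicate logs into security events.

    window: merge only logs generated within this span of the event's first
            log (None = no time condition).
    max_count: merge at most this many logs into one event (None = no cap).
    Events are returned in order of their first generation time.
    """
    open_groups = {}   # event_key -> the event currently accepting duplicates
    events = []
    for rec in sorted(records, key=lambda r: r["time"]):
        key = event_key(rec)
        grp = open_groups.get(key)
        fits = grp is not None
        if fits and window is not None and rec["time"] - grp["first_time"] > window:
            fits = False
        if fits and max_count is not None and grp["count"] >= max_count:
            fits = False
        if fits:
            grp["count"] += 1
            grp["last_time"] = rec["time"]
        else:
            grp = {"first_time": rec["time"], "last_time": rec["time"], "count": 1,
                   "device": rec["device"], "features": dict(rec["features"])}
            open_groups[key] = grp
            events.append(grp)
    return events


def fill_region(event):
    """Fill a missing 'region' feature from the source IP; leave it absent on a miss."""
    feats = event["features"]
    if "region" in feats or "src_ip" not in feats:
        return event
    try:
        addr = ip_address(feats["src_ip"])
    except ValueError:
        return event  # malformed address: nothing to look up
    for net, region in REGION_TABLE.items():
        if addr in net:
            feats["region"] = region
            break
    return event


def build_security_events(records, window=WINDOW, max_count=MAX_COUNT):
    """Step S102: aggregate, then fill, then hand over in generation-time order."""
    return [fill_region(e) for e in aggregate(records, window, max_count)]


if __name__ == "__main__":
    for e in build_security_events(PARSED_LOGS):
        print(e["first_time"], e["count"], e["device"], e["features"])
```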
Step S103: predict whether a network attack occurs according to the security event data and an attack prediction model.
Considering that network attacks are distinguished by rules and by time, and that the logs generated by an attack also have a chronological order, in this embodiment, after the security event data corresponding to the logs to be processed has been obtained, the security event data can be input into the attack prediction model in order of generation time. The attack prediction model predicts the probability that a network attack will occur, from which it can further be predicted whether a network attack occurs.
In this embodiment, the attack prediction model can be obtained by training on a second training sample set using a machine learning method and testing with a second test sample set until it converges. The attack prediction model is used to predict whether a network attack occurs.
The second training sample set and second test sample set can be obtained by organizing a preset second knowledge base according to a preset second machine learning algorithm. The content of the second knowledge base is basic network attack rules; such rules can also be formulated by third-party network security devices, supplied by configuration, etc. By cleaning the network attack rule data in the second knowledge base, the second training sample set and second test sample set are obtained.
After the security event data corresponding to the logs to be processed has been obtained, the security event data can be input into the attack prediction model in order of generation time; the model predicts the probability that a network attack occurs, from which it can further be predicted whether a network attack occurs.
In this embodiment of the present invention, logs to be processed are obtained; feature extraction and recognition are performed on them according to the log analysis model to obtain their feature data and corresponding device information; security event data is determined from that feature data and device information; and whether a network attack occurs is predicted from the security event data and the attack prediction model. This improves the efficiency of log parsing and recognition, allows an imminent network attack to be predicted before it occurs, and provides a basis for effectively preventing attacks, so that the security of network devices is effectively guaranteed.
Embodiment two
Fig. 2 is a flowchart of the attack prediction method provided by Embodiment 2 of the present invention. On the basis of Embodiment 1 above, in this embodiment the feature data of the logs to be processed includes the generation time, and predicting whether a network attack occurs according to the security event data and the attack prediction model specifically comprises: inputting each item of security event data into the attack prediction model in order of generation time, so that the attack prediction model determines the probability of a network attack according to the association relationships among the multiple items of security event data; comparing the probability of a network attack with a preset attack threshold; if the probability is greater than the preset attack threshold, outputting the prediction result that a network attack occurs; and if the probability is less than or equal to the preset attack threshold, outputting the prediction result that no network attack occurs. As shown in Fig. 2, the specific steps of the method are as follows:
Step S201: obtain the logs to be processed.
In this embodiment, when the security of a network device needs to be checked, the logs of the network device can be obtained as the logs to be processed.
In this embodiment, a network device is any physical device connected to the network that has a logging function. Network devices include computer devices (such as PCs or servers), hubs, switches, bridges, routers, gateways, network interface cards (NIC), wireless access points (WAP), printers and so on; the kinds of network device are many and growing daily, and this embodiment does not specifically limit the type of network device.
Optionally, multiple logs of the network device within a preset time period can be obtained as the logs to be processed. The preset time period can be set by technical staff according to actual needs and is not specifically limited in this embodiment.
Step S202: perform feature extraction and recognition on the logs to be processed according to a log analysis model, to obtain the feature data and corresponding device information of the logs to be processed.
The device information corresponding to a log to be processed can be any information that distinguishes different network devices.
The log analysis model is a machine learning model. It can be obtained by training on the first training sample set using a machine learning method and testing with the first test sample set until it converges.
In this embodiment, a first knowledge base is obtained in advance; the first knowledge base is an accumulation of network device logs from various manufacturers and contains a massive number of historical logs. By organizing the logs in the first knowledge base, a first training sample set for training and optimizing the preset log analysis model is obtained, together with a first test sample set for testing the optimized log analysis model.
Each first training sample in the first training sample set and each first test sample in the first test sample set is a log generated by a determined network device.
After the first training sample set and first test sample set are obtained, the log analysis model is trained with the first training samples and tested with the first test samples until it converges, giving the optimized log analysis model.
In this step, the logs to be processed are input into the log analysis model, which rapidly performs feature extraction and recognition on them to obtain their feature data and corresponding device information, so that recognition of the logs to be processed is completed quickly and the speed and precision of log recognition are improved.
Optionally, if the log analysis model fails to recognize a log to be processed, an unknown-device-type log is generated to record the recognition failure, so that technical staff can manually identify the feature data and corresponding device information of the log from the unknown-device-type log and send them to the attack prediction device through a user terminal. The attack prediction device receives the feature data and corresponding device information of the log; uses them as the label data of the log; stores the log together with its label data as a new first training sample in the first training sample set, thereby updating the set; and updates the log analysis model according to the updated first training sample set, so that the model is further optimized.
Specifically, the process of storing a log whose device information has been determined into the first training sample set is consistent with the process of organizing the logs in the first knowledge base into the first training sample set used to train the preset log analysis model.
Step S203: determine security event data according to the feature data and corresponding device information of the logs to be processed.
After the logs to be processed have been parsed to obtain their feature data and corresponding device information, aggregation processing and filling processing are performed on them, and each log retained after processing is taken as one item of security event data.
In this embodiment, determining security event data according to the feature data and corresponding device information of the logs to be processed can specifically be realized as follows:
delete the duplicate logs to be processed that have the same feature data and corresponding device information; if a log lacks certain feature data, fill in the missing feature data according to the other feature data of that log; and determine each log retained after the deleting and filling processing as one item of security event data.
Specifically, the aggregation condition of the aggregation processing is the generation time or the count of the logs. Aggregating the logs to be processed can mean filtering out the duplicate logs that have the same feature data and corresponding device information.
Filling processing of the logs to be processed can be the filling of basic information of the logs. According to the types of feature data a log to be processed should contain, if a log lacks one or more kinds of feature data, the missing feature data is filled in according to the other feature data of that log, so that the feature data of the log is completed.
For example, if the recognized feature data of a log includes an IP address but no region information, the region to which the IP address belongs can be queried to obtain the region information corresponding to the log, which is then filled into the feature data of the log to complete it.
Step S204: each item of security event data is input sequentially, in order of generation time, into the attack prediction model, so that the attack prediction model determines the probability that a network attack behavior will occur according to the incidence relations among the multiple items of security event data.
After the security event data corresponding to the logs to be processed has been obtained, the security event data can be input into the attack prediction model in the order of their generation times; the attack prediction model can then predict the probability that a network attack behavior will occur, and from that probability it can further be predicted whether a network attack behavior will occur.
The attack prediction model is a machine learning model. Based on a machine learning method, the attack prediction model is obtained by training on a second training sample set and testing on a second test sample set until it converges; the converged model is the attack prediction model, which is used to predict whether a network attack behavior will occur.
In this embodiment, the content of the second knowledge base is basic network attack rules; the network attack rules can also be formulated by third-party network security devices, and support configuration and the like. By cleaning the network attack rule data in the second knowledge base, the second training sample set used to train the preset attack prediction model and the second test sample set used to test the attack prediction model are obtained.
Each second training sample in the second training sample set and each second test sample in the second test sample set is the incidence relation among the security event data within a fixed network attack behavior.
After the second training sample set and the second test sample set have been obtained, the attack prediction model is trained using the second training samples and tested using the second test samples until the attack prediction model converges, thereby obtaining the attack prediction model.
Step S205: the probability that a network attack behavior will occur is compared with a preset attack threshold.
After the probability that a network attack behavior will occur has been obtained, that probability is compared with the preset attack threshold, and whether a network attack behavior will occur is predicted according to the comparison result, giving the prediction result.
The preset attack threshold can be set by technical personnel according to actual needs; this embodiment does not specifically limit it.
Step S206: if the probability that a network attack behavior will occur is greater than the preset attack threshold, a prediction result that a network attack behavior will occur is output.
If the probability that a network attack behavior will occur is greater than the preset attack threshold, it is determined that a network attack behavior is very likely to occur, and the prediction result is that a network attack behavior will occur.
Optionally, after a network attack behavior is predicted to occur, preset prevention processing corresponding to the predicted network attack behavior can be executed. The preset processing can be set by technical personnel according to the practical application scenario; this embodiment does not specifically limit it.
For example, warning information is issued to technical personnel in a preset manner; alternatively, measures such as disconnecting the network are taken directly.
Step S207: if the probability that a network attack behavior will occur is less than or equal to the preset attack threshold, a prediction result that no network attack behavior will occur is output.
If the probability that a network attack behavior will occur is less than or equal to the preset attack threshold, it is determined that the probability of a network attack behavior occurring is not large enough, and the prediction result is that no network attack behavior will occur.
Steps S205 to S207 above are one feasible implementation of step S104, predicting whether a network attack behavior will occur according to the security event data and the attack prediction model.
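Steps S204 to S207, together with the training of the attack prediction model on the second training and test sample sets described above, as an added example that is not the patent's own code. The patent does not specify the machine learning model, so a logistic regression over "event A followed by event B" transition counts is assumed here as one way to represent the incidence relations among security events; training runs epoch by epoch and stops when the loss on the second test sample set stops improving, which stands in for the convergence check. The event names, the sample attack chains and the threshold value are constructed.

```python
"""Attack prediction from an ordered sequence of security events.

Added example, not the patent's own model: a logistic regression over
'event A followed by event B' transition counts stands in for the attack
prediction model. Event names, sample chains and threshold are constructed.
"""
import math
from collections import Counter

# Constructed second training/test sample sets. Each sample is the ordered
# list of event types seen during one known attack (label 1) or one benign
# session (label 0), i.e. the incidence relation among its security events.
TRAIN_SAMPLES = [
    (["port_scan", "auth_fail", "auth_fail", "privilege_escalation"], 1),
    (["port_scan", "exploit_attempt", "privilege_escalation"], 1),
    (["auth_fail", "auth_fail", "auth_fail", "auth_success", "data_transfer"], 1),
    (["port_scan", "exploit_attempt", "data_transfer"], 1),
    (["auth_success", "data_transfer"], 0),
    (["auth_fail", "auth_success", "data_transfer"], 0),
    (["config_change", "auth_success"], 0),
    (["auth_success", "config_change", "data_transfer"], 0),
]
TEST_SAMPLES = [
    (["port_scan", "auth_fail", "exploit_attempt", "privilege_escalation"], 1),
    (["auth_fail", "auth_fail", "auth_fail", "auth_success"], 1),
    (["auth_success", "data_transfer", "config_change"], 0),
    (["config_change", "auth_success", "data_transfer"], 0),
]
PRESET_ATTACK_THRESHOLD = 0.6  # constructed value; set by operators in practice


def transitions(seq):
    """Incidence relation of a sequence: counts of each (A, B) adjacent pair."""
    return Counter(zip(seq, seq[1:]))


class AttackPredictionModel:
    def __init__(self, samples):
        vocab = sorted({t for seq, _ in samples for t in transitions(seq)})
        self.index = {t: i for i, t in enumerate(vocab)}
        self.w = [0.0] * len(vocab)
        self.b = 0.0

    def probability(self, seq):
        """Probability that the ordered event sequence belongs to an attack."""
        z = self.b
        for t, c in transitions(seq).items():
            if t in self.index:  # transitions unseen in training carry no weight
                z += self.w[self.index[t]] * c
        return 1.0 / (1.0 + math.exp(-z))

    def loss(self, samples):
        """Mean log loss over labelled samples."""
        eps, total = 1e-12, 0.0
        for seq, y in samples:
            p = self.probability(seq)
            total -= y * math.log(p + eps) + (1 - y) * math.log(1 - p + eps)
        return total / len(samples)

    def epoch(self, samples, lr):
        """One full-batch gradient descent step on the log loss."""
        gw, gb = [0.0] * len(self.w), 0.0
        for seq, y in samples:
            g = self.probability(seq) - y
            gb += g
            for t, c in transitions(seq).items():
                gw[self.index[t]] += g * c
        n = len(samples)
        self.b -= lr * gb / n
        self.w = [w - lr * g / n for w, g in zip(self.w, gw)]


def train_until_converged(train, test, lr=1.0, tol=1e-4, max_epochs=2000):
    """Train on the training set, test after every epoch, and stop once the
    test loss improves by less than tol. Returns (model, epochs_run)."""
    model = AttackPredictionModel(train)
    previous = float("inf")
    for n in range(1, max_epochs + 1):
        model.epoch(train, lr)
        current = model.loss(test)
        if previous - current < tol:
            return model, n
        previous = current
    return model, max_epochs


def predict(model, events, threshold=PRESET_ATTACK_THRESHOLD):
    """Steps S204-S207: order the security events by generation time, score
    the sequence, and compare with the preset attack threshold.
    Returns (probability, attack_predicted)."""
    seq = [e["event"] for e in sorted(events, key=lambda e: e["time"])]
    p = model.probability(seq)
    return p, p > threshold
```

A usage call is `model, epochs = train_until_converged(TRAIN_SAMPLES, TEST_SAMPLES)` followed by `predict(model, events)` on a list of `{"time": ..., "event": ...}` dictionaries such as the output of the aggregation step. Ordering by generation time matters because the features are directed transitions: the same events in a different order produce a different score.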
In the embodiment of the present invention, the log to be processed is obtained; feature extraction and recognition are performed on the log to be processed according to the log parsing model, to obtain its characteristic data and corresponding device information; security event data is determined according to the characteristic data and corresponding device information of the log to be processed; and whether a network attack behavior will occur is predicted according to the security event data and the attack prediction model. This improves the efficiency of log parsing and recognition, allows an imminent network attack behavior to be predicted before it occurs, and provides a basis for effectively preventing the network attack behavior, so that the security of network devices can be effectively guaranteed.
Embodiment three
Fig. 3 is a schematic structural diagram of the network attack behavior prediction device provided in embodiment three of the present invention. The network attack behavior prediction device provided in this embodiment can execute the processing flow provided by the method embodiment for network attack behavior prediction. As shown in Fig. 3, the network attack behavior prediction device 30 includes: a log parsing module 302, an aggregation and filling module 303, and a prediction processing module 304.
Specifically, the log parsing module 302 is used to perform feature extraction and recognition on the log to be processed according to the log parsing model, to obtain the characteristic data and corresponding device information of the log to be processed.
The aggregation and filling module 303 is used to determine security event data according to the characteristic data and corresponding device information of the log to be processed.
The prediction processing module 304 is used to predict whether a network attack behavior will occur according to the security event data and the attack prediction model.
The device provided in this embodiment of the present invention can be specifically used to execute the method embodiment provided by embodiment one above; its specific functions are not described again here.
Embodiment four
Fig. 4 is a schematic structural diagram of the network attack behavior prediction device provided in embodiment four of the present invention. On the basis of embodiment three above, in this embodiment the characteristic data of the log to be processed includes the generation time, and the prediction processing module is specifically used to:
input each item of security event data sequentially, in order of generation time, into the attack prediction model, so that the attack prediction model determines the probability that a network attack behavior will occur according to the incidence relations among the multiple items of security event data; compare the probability that a network attack behavior will occur with the preset attack threshold; if the probability that a network attack behavior will occur is greater than the preset attack threshold, output a prediction result that a network attack behavior will occur; and if the probability that a network attack behavior will occur is less than or equal to the preset attack threshold, output a prediction result that no network attack behavior will occur.
Optionally, the aggregation and filling module is specifically used to:
delete duplicate logs to be processed that have the same characteristic data and corresponding device information; if a certain characteristic datum is missing from a certain log to be processed, fill in the missing characteristic datum according to the other characteristic data of that log to be processed; and determine each log to be processed that is retained after the deletion and filling processing as one item of security event data.
Optionally, as shown in Fig. 4, the network attack behavior prediction device 30 may further include a log parsing model training module 305.
The log parsing model training module 305 is used to:
obtain a first training sample set and a first test sample set, where the sample data of each first training sample in the first training sample set and of each first test sample in the first test sample set includes a log generated by a fixed network device and the label data of that log, the label data including the characteristic data and corresponding device information of the log; and train the log parsing model using the first training samples and test the log parsing model using the first test samples until the log parsing model converges, to obtain the optimized log parsing model.
Optionally, the log parsing model training module 305 is further used to:
if recognition of a log to be processed according to the log parsing model fails, receive the characteristic data and corresponding device information of that log to be processed; take the received characteristic data and corresponding device information as the label data of the log to be processed, and store the log to be processed together with its label data into the first training sample set, thereby updating the first training sample set; and update the log parsing model according to the updated first training sample set.
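The training of the log parsing model on labelled logs and the feedback path for recognition failures described above, as an added example that is not the patent's own code. The patent does not specify the log parsing model, so device recognition is assumed here to be a token-vote classifier learned from labelled logs, with fixed regular expressions extracting the time and source IP and the event taken from keywords learned per device; a log the model cannot recognize is returned as a failure, and the operator-supplied label is stored in the training set before the model is refitted. The log lines, device names, event keywords and confidence rule are constructed.

```python
"""Log parsing model with a feedback loop for recognition failures.

Added example, not the patent's own model. Device recognition is a
token-vote classifier learned from labelled logs; field extraction uses
fixed regular expressions. Log lines, device names, event keywords and the
confidence rule below are constructed.
"""
import re
from collections import Counter, defaultdict

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
TIME_RE = re.compile(r"\b\d{2}:\d{2}:\d{2}\b")
MIN_VOTING_TOKENS = 3  # constructed confidence rule: enough known tokens ...
MIN_SHARE = 0.6        # ... and a clear majority for one device


def tokens(line):
    """Alphabetic tokens of a log line, lower-cased."""
    return set(re.findall(r"[a-z]+", line.lower()))


class LogParsingModel:
    def __init__(self):
        self.training_set = []               # first training sample set
        self.votes = defaultdict(Counter)    # token -> device -> count
        self.event_words = defaultdict(set)  # device -> event keywords

    def train(self, samples):
        self.training_set = list(samples)
        self._fit()

    def _fit(self):
        self.votes.clear()
        self.event_words.clear()
        for line, label in self.training_set:
            for tok in tokens(line):
                self.votes[tok][label["device"]] += 1
            self.event_words[label["device"]].add(label["event"])

    def recognize(self, line):
        """Return {'device', 'time', 'src_ip', 'event'} or None on failure."""
        score, voting = Counter(), 0
        words = tokens(line)
        for tok in words:
            counts = self.votes.get(tok)
            if not counts:
                continue
            voting += 1
            total = sum(counts.values())
            for device, c in counts.items():
                score[device] += c / total  # tokens shared by devices weigh little
        if voting < MIN_VOTING_TOKENS or not score:
            return None
        device, best = score.most_common(1)[0]
        if best < MIN_SHARE * sum(score.values()):
            return None
        event = next((w for w in sorted(self.event_words[device]) if w in words), None)
        ip, ts = IP_RE.search(line), TIME_RE.search(line)
        if event is None or ip is None or ts is None:
            return None
        return {"device": device, "time": ts.group(), "src_ip": ip.group(), "event": event}

    def accuracy(self, samples):
        """Share of labelled samples whose device and event are recognized."""
        hits = 0
        for line, label in samples:
            r = self.recognize(line)
            if r and r["device"] == label["device"] and r["event"] == label["event"]:
                hits += 1
        return hits / len(samples)

    def on_recognition_failure(self, line, label):
        """Feedback: store the operator-supplied label, then retrain."""
        self.training_set.append((line, label))
        self._fit()


# Constructed labelled logs (first training sample set).
TRAIN_SAMPLES = [
    ("Oct 22 10:15:01 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.5/4433 dst inside:10.1.4.7/22",
     {"device": "firewall", "event": "deny"}),
    ("Oct 22 10:15:05 fw1 %ASA-6-302013: Built inbound TCP connection for outside:198.51.100.8/5100 to inside:10.1.4.9/443",
     {"device": "firewall", "event": "built"}),
    ("Oct 22 10:16:10 host7 sshd[2210]: Failed password for root from 203.0.113.5 port 5022 ssh2",
     {"device": "linux-host", "event": "failed"}),
    ("Oct 22 10:16:12 host7 sshd[2211]: Accepted password for admin from 10.1.4.20 port 5023 ssh2",
     {"device": "linux-host", "event": "accepted"}),
]
# Constructed logs to process: one known format, one the model has never seen.
FW_LINE = "Oct 22 10:20:00 fw1 %ASA-4-106023: Deny udp src outside:203.0.113.5/53 dst inside:10.1.4.7/53"
WIN_LINE = "Oct 22 10:21:00 WIN-DC01 Microsoft-Windows-Security-Auditing 4625 Logon failed, Source Network Address: 203.0.113.5"
```

After `model.train(TRAIN_SAMPLES)`, `model.recognize(FW_LINE)` yields the firewall event while `model.recognize(WIN_LINE)` returns None because too few of its tokens have ever been seen; once `model.on_recognition_failure(WIN_LINE, {"device": "windows-dc", "event": "failed"})` has been called, the same line is recognized. Returning None rather than a low-confidence guess is what makes the feedback loop possible: a silently wrong device label would never reach the operator.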
Optionally, as shown in Fig. 4, the network attack behavior prediction device 30 may further include an attack prediction model training module 306.
The attack prediction model training module 306 is used to:
obtain a second training sample set and a second test sample set, where each second training sample in the second training sample set and each second test sample in the second test sample set is the incidence relation among the security event data within a fixed network attack behavior;
train the attack prediction model using the second training samples and test the attack prediction model using the second test samples until the attack prediction model converges, to obtain the attack prediction model.
The device provided in this embodiment of the present invention can be specifically used to execute the method embodiment provided by embodiment two above; its specific functions are not described again here.
Embodiment five
Fig. 5 is a schematic structural diagram of the network attack behavior prediction equipment provided in embodiment five of the present invention. As shown in Fig. 5, the equipment 50 includes a processor 501, a memory 502, and a computer program stored on the memory 502 and executable by the processor 501.
When the processor 501 executes the computer program stored on the memory 502, it implements the network attack behavior prediction method provided by any of the method embodiments above.
In addition, an embodiment of the present invention further provides a computer-readable storage medium storing a computer program; when the computer program is executed by a processor, it implements the network attack behavior prediction method provided by any of the method embodiments above.
In the several embodiments provided by the present invention, it should be understood that the disclosed device and method may be realized in other ways. For example, the device embodiments described above are merely illustrative: the division into units is only a division by logical function, and other divisions are possible in actual implementation; for instance, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Further, the mutual coupling, direct coupling or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection of devices or units may be electrical, mechanical or of other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the various embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit. The integrated unit may be realized in the form of hardware, or in the form of hardware plus a software functional unit.
The integrated unit realized in the form of a software functional unit may be stored in a computer-readable storage medium. The software functional unit is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) or a processor to execute some of the steps of the method of each embodiment of the present invention. The storage medium includes various media capable of storing program code, such as a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk.
Those skilled in the art can clearly understand that, for convenience and brevity of description, only the division into the functional modules above is used as an example; in practical application the functions above may be assigned to different functional modules as needed, that is, the internal structure of the device may be divided into different functional modules to complete all or some of the functions described above. For the specific working process of the device described above, reference may be made to the corresponding process in the foregoing method embodiment, which is not repeated here.
Other embodiments of the present invention will readily occur to those skilled in the art after considering the specification and practicing the invention disclosed here. The present invention is intended to cover any variations, uses or adaptations of the invention that follow its general principles and include common knowledge or conventional techniques in the art not disclosed by the present invention. The specification and examples are to be considered illustrative only, and the true scope and spirit of the invention are indicated by the following claims.
It should be understood that the present invention is not limited to the precise structure described above and shown in the accompanying drawings, and that various modifications and changes may be made without departing from its scope. The scope of the present invention is limited only by the appended claims.

Claims (10)

1. A network attack behavior prediction method, characterized by comprising:
performing feature extraction and recognition on a log to be processed according to a log parsing model, to obtain characteristic data and corresponding device information of the log to be processed;
determining security event data according to the characteristic data and corresponding device information of the log to be processed;
predicting whether a network attack behavior will occur according to the security event data and an attack prediction model.
2. The method according to claim 1, characterized in that determining security event data according to the characteristic data and corresponding device information of the log to be processed specifically comprises:
deleting duplicate logs to be processed that have the same characteristic data and corresponding device information;
if a certain characteristic datum is missing from a certain log to be processed, filling in the missing characteristic datum according to the other characteristic data of that log to be processed;
determining each log to be processed that is retained after the deletion and filling processing as one item of security event data.
3. The method according to claim 1, characterized in that the characteristic data of the log to be processed includes a generation time, and predicting whether a network attack behavior will occur according to the security event data and the attack prediction model specifically comprises:
inputting each item of security event data sequentially, in order of generation time, into the attack prediction model, so that the attack prediction model determines the probability that a network attack behavior will occur according to the incidence relations among the multiple items of security event data;
comparing the probability that a network attack behavior will occur with a preset attack threshold;
if the probability that a network attack behavior will occur is greater than the preset attack threshold, outputting a prediction result that a network attack behavior will occur;
if the probability that a network attack behavior will occur is less than or equal to the preset attack threshold, outputting a prediction result that no network attack behavior will occur.
4. The method according to claim 1, characterized in that, before performing feature extraction and recognition on the log to be processed according to the log parsing model to obtain the characteristic data and corresponding device information of the log to be processed, the method further comprises:
obtaining a first training sample set and a first test sample set, where the sample data in the first training sample set and the first test sample set includes a log generated by a fixed network device and label data of the log, the label data including characteristic data and corresponding device information of the log;
training the log parsing model using the first training samples and testing the log parsing model using the first test samples until the log parsing model converges, to obtain the log parsing model.
5. The method according to claim 1, characterized in that, before predicting whether a network attack behavior will occur according to the security event data and the attack prediction model, the method further comprises:
obtaining a second training sample set and a second test sample set, where each second training sample in the second training sample set and each second test sample in the second test sample set is the incidence relation among the security event data within a fixed network attack behavior;
training the attack prediction model using the second training samples and testing the attack prediction model using the second test samples until the attack prediction model converges, to obtain the attack prediction model.
6. The method according to claim 4, characterized by further comprising:
if recognition of the log to be processed according to the log parsing model fails, receiving characteristic data and corresponding device information of the log to be processed;
taking the received characteristic data and corresponding device information as label data of the log to be processed, and storing the log to be processed together with its label data into the first training sample set, thereby updating the first training sample set;
updating the log parsing model according to the updated first training sample set.
7. A network attack behavior prediction device, characterized by comprising:
a log parsing module, for performing feature extraction and recognition on a log to be processed according to a log parsing model, to obtain characteristic data and corresponding device information of the log to be processed;
an aggregation and filling module, for determining security event data according to the characteristic data and corresponding device information of the log to be processed;
a prediction processing module, for predicting whether a network attack behavior will occur according to the security event data and an attack prediction model.
8. The device according to claim 7, characterized in that the characteristic data of the log to be processed includes a generation time, and the prediction processing module is specifically used to:
input each item of security event data sequentially, in order of generation time, into the attack prediction model, so that the attack prediction model determines the probability that a network attack behavior will occur according to the incidence relations among the multiple items of security event data;
compare the probability that a network attack behavior will occur with a preset attack threshold;
if the probability that a network attack behavior will occur is greater than the preset attack threshold, output a prediction result that a network attack behavior will occur;
if the probability that a network attack behavior will occur is less than or equal to the preset attack threshold, output a prediction result that no network attack behavior will occur.
9. Network attack behavior prediction equipment, characterized by comprising:
a memory, a processor, and a computer program stored on the memory and runnable on the processor,
wherein the processor, when running the computer program, implements the method according to any one of claims 1 to 6.
10. A computer-readable storage medium, characterized in that it stores a computer program,
wherein the method according to any one of claims 1 to 6 is implemented when the computer program is executed by a processor.
CN201811229471.4A 2018-10-22 2018-10-22 Method, device, equipment and storage medium for predicting network attack behavior Active CN109347827B (en)


Publications (2)

Publication Number Publication Date
CN109347827A true CN109347827A (en) 2019-02-15
CN109347827B CN109347827B (en) 2021-06-22

Family

ID=65310688

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811229471.4A Active CN109347827B (en) 2018-10-22 2018-10-22 Method, device, equipment and storage medium for predicting network attack behavior

Country Status (1)

Country Link
CN (1) CN109347827B (en)

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110059480A (en) * 2019-03-13 2019-07-26 深圳壹账通智能科技有限公司 Attack monitoring method, device, computer equipment and storage medium
CN110321371A (en) * 2019-07-01 2019-10-11 腾讯科技(深圳)有限公司 Daily record data method for detecting abnormality, device, terminal and medium
CN110912884A (en) * 2019-11-20 2020-03-24 深信服科技股份有限公司 Detection method, detection equipment and computer storage medium
CN111178537A (en) * 2019-12-09 2020-05-19 华为技术有限公司 Feature extraction model training method and device
CN111277606A (en) * 2020-02-10 2020-06-12 北京邮电大学 Detection model training method, detection method and device, and storage medium
CN111885064A (en) * 2020-07-24 2020-11-03 浙江军盾信息科技有限公司 Security event analysis method and device based on multi-source data, electronic device and storage medium
CN112073396A (en) * 2020-08-27 2020-12-11 北京天融信网络安全技术有限公司 Method and device for detecting transverse movement attack behavior of intranet
CN112751876A (en) * 2020-12-30 2021-05-04 北京天融信网络安全技术有限公司 Control method and device of message acquisition system, electronic equipment and storage medium
CN113079153A (en) * 2021-03-26 2021-07-06 新华三技术有限公司 Network attack type prediction method and device and storage medium
CN113162794A (en) * 2021-01-27 2021-07-23 国网福建省电力有限公司 Next-step attack event prediction method and related equipment
CN113688383A (en) * 2021-08-31 2021-11-23 林楠 Attack defense testing method based on artificial intelligence and artificial intelligence analysis system
CN113688382A (en) * 2021-08-31 2021-11-23 林楠 Attack intention mining method based on information security and artificial intelligence analysis system
CN114679341A (en) * 2022-05-27 2022-06-28 江苏益柏锐信息科技有限公司 Network intrusion attack analysis method, equipment and medium combined with ERP system

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104573024A (en) * 2015-01-12 2015-04-29 国家电网公司 Self-adaptive extracting method and system for heterogeneous security log information under complex network system
CN105653444A (en) * 2015-12-23 2016-06-08 北京大学 Internet log data-based software defect failure recognition method and system
CN106209893A (en) * 2016-07-27 2016-12-07 中国人民解放军信息工程大学 The inside threat detecting system excavated based on business process model and detection method thereof
WO2017115458A1 (en) * 2015-12-28 2017-07-06 日本電気株式会社 Log analysis system, method, and program
CN107273269A (en) * 2017-06-12 2017-10-20 北京奇虎科技有限公司 Daily record analysis method and device
CN108449342A (en) * 2018-03-20 2018-08-24 北京搜狐互联网信息服务有限公司 Malicious requests detection method and device
US20180270261A1 (en) * 2017-03-17 2018-09-20 Target Brands, Inc. Word embeddings for anomaly classification from event logs
CN108616498A (en) * 2018-02-24 2018-10-02 国家计算机网络与信息安全管理中心 A kind of web access exceptions detection method and device



Also Published As

Publication number Publication date
CN109347827B (en) 2021-06-22

CN110188537A (en) Separate-storage method and device, storage medium, the electronic device of data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant