CN110276195A - A kind of smart machine intrusion detection method, equipment and storage medium - Google Patents

Info

Publication number: CN110276195A
Application number: CN201910340862.1A
Authority: CN (China)
Prior art keywords: data, standardized, smart machine, intrusion detection, model data
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Other languages: Chinese (zh)
Inventors: 张淼, 邹晨, 徐国爱, 李南均
Current Assignee: Beijing University of Posts and Telecommunications (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Beijing University of Posts and Telecommunications
Application filed by Beijing University of Posts and Telecommunications

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F18/00 Pattern recognition > G06F18/20 Analysing > G06F18/23 Clustering techniques
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55 Detecting local intrusion or implementing counter-measures

Abstract

The invention discloses a smart machine intrusion detection method, device and storage medium. Pending data (data to be processed) is obtained and standardized to obtain standardized data; preset model data is obtained, cluster analysis is performed on the standardized data according to the model data, and it is judged whether the standardized data matches the model data; if so, the pending data corresponding to the standardized data is judged to be intrusion data. By applying the technical solution of the application, intrusion detection for real smart machine runtime scenarios is realized: the relevant features of network packets are analysed and detected to judge whether they constitute an intrusion attack, malicious behaviour is actively intercepted, and log reports are retained for the user to audit and assess. The solution meets the requirement of not affecting the user experience and is both reliable and feasible for an intrusion detection system applied to smart machines.

Description

A kind of smart machine intrusion detection method, equipment and storage medium
Technical field
The present invention relates to the field of information technology security, and in particular to a smart machine intrusion detection method, device and storage medium.
Background technique
An intrusion detection system (IDS) is a monitoring system for computers. IDSs are divided into several classes according to their information source and their detection method: by information source, into host-based IDS and network-based IDS; by detection method, into anomaly intrusion detection and misuse detection. Intrusion detection systems have developed rapidly and many companies have entered this field; Venustech (Venus InfoTech), Internet Security Systems (ISS), Cisco, Symantec and others have all launched their own products.
Existing intrusion detection methods are mainly as follows. 1) Anomaly-based detection: first define a set of numerical values describing the system's "normal" state, such as CPU utilization, memory usage and file checksums (such data can be defined manually, or obtained by observing the system and applying statistical methods); then compare the values measured while the system runs against the defined "normal" state to determine whether there are signs of an attack. The core of this detection mode is how to define the "normal" state. 2) Misuse detection: misuse detection pre-defines intrusion behaviour as some pattern, then monitors the operation of the system and picks out the intrusion behaviour that matches the pre-defined rules. A misuse detection system assumes that an intruder's activity can be represented by a pattern, and the goal of the system is to detect whether the subject's activity matches these patterns.
Current mainstream IDSs are mostly a combination of network intrusion detection and host intrusion detection, using audit information and network packets as information sources; some systems have also done much work on improving accuracy and false alarm rates, and for big data scenarios, distributed processing is combined with machine learning. But the development of current intrusion detection systems still faces many challenges, and intrusion detection for smart machines in particular is still very lacking.
Summary of the invention
In view of this, the object of the invention is to propose a smart machine intrusion detection method, device and storage medium that can intercept smart machine attack traffic, carry out feature extraction through statistical analysis, analyse and detect the relevant features of network packets in order to judge whether they constitute an intrusion attack, actively intercept malicious behaviour, and retain log reports for the user to audit and assess.
Based on the above object, in a first aspect, the invention provides a smart machine intrusion detection method, comprising:
obtaining pending data, and standardizing the pending data to obtain standardized data;
obtaining preset model data, performing cluster analysis on the standardized data according to the model data, and judging whether the standardized data matches the model data;
if so, judging the pending data corresponding to the standardized data to be intrusion data.
In some embodiments, judging whether the standardized data matches the model data further includes:
if not, determining the pending data corresponding to the standardized data to be normal data, placing the normal data in sequence after the previous normal data, and waiting for the pending data to be transmitted in order.
In some embodiments, judging the pending data corresponding to the standardized data to be intrusion data specifically includes:
directly discarding the intrusion data and generating an intrusion log message; triggering an intrusion alarm according to the intrusion log message.
In some embodiments, performing cluster analysis on the standardized data according to the model data specifically includes:
performing initial-center optimization on the model data and the standardized data, and clustering the standardized data with an optimized K-means clustering algorithm that uses a Euclidean distance weighted by the Fisher linear discriminant ratio criterion.
In some embodiments, before obtaining the preset model data, the method further includes:
obtaining an update instruction from the user, and obtaining update model data according to the update instruction;
modifying, adjusting and/or deleting the original model data according to the update model data, to generate new model data.
In some embodiments, standardizing the pending data to obtain standardized data specifically includes:
counting and extracting the pending data according to a preset feature extraction rule;
expressing the extracted characteristic attributes as vectors, and generating the standardized data from the vectorized pending data.
In some embodiments, the preset feature extraction rule is specifically as follows:
the features to be extracted by the feature extraction rule include at least the basic features of the TCP connection, the content features of the TCP connection, time-based network traffic statistics features and/or host-based network traffic statistics features.
In some embodiments, before obtaining the pending data, the method further includes:
obtaining the user's configuration file, and generating an interception plan according to the configuration file;
obtaining all request data, and obtaining the corresponding pending data from the request data according to the interception plan.
In a second aspect, the invention also provides a smart machine intrusion detection device, comprising:
an acquisition module, which obtains pending data and standardizes the pending data to obtain standardized data;
a cluster module, which obtains preset model data, performs cluster analysis on the standardized data according to the model data, and judges whether the standardized data matches the model data;
a processing module, which, if so, judges the pending data corresponding to the standardized data to be intrusion data.
In a third aspect, the invention also provides a computer-readable storage medium in which instructions are stored; when the instructions run on a terminal device, they cause the terminal device to execute the smart machine intrusion detection method described above.
It can be seen from the above that the smart machine intrusion detection method, device and storage medium provided by the invention obtain pending data and standardize it to obtain standardized data; obtain preset model data, perform cluster analysis on the standardized data according to the model data, and judge whether the standardized data matches the model data; and if so, judge the pending data corresponding to the standardized data to be intrusion data. By applying the technical solution of the application, intrusion detection for real smart machine runtime scenarios is realized: the relevant features of network packets are analysed and detected to judge whether they constitute an intrusion attack, malicious behaviour is actively intercepted, and log reports are retained for the user to audit and assess. The solution meets the requirement of not affecting the user experience and is both reliable and feasible for an intrusion detection system applied to smart machines.
Detailed description of the invention
In order to explain the embodiments of the invention or the technical solutions in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description show only some embodiments of the invention, and those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow diagram of a smart machine intrusion detection method proposed by the embodiment of the invention;
Fig. 2 is a structural diagram of an embedded intelligent device intrusion detection system proposed by the embodiment of the invention;
Fig. 3 is a workflow diagram of an embedded intelligent device intrusion detection system proposed by the embodiment of the invention;
Fig. 4 is a structural diagram of a smart machine intrusion detection device proposed by the embodiment of the invention.
Specific embodiment
To make the objectives, technical solutions and advantages of the invention clearer, the invention is described in more detail below with reference to specific embodiments and the accompanying drawings.
The embodiment of the invention provides a smart machine intrusion detection method. A smart machine (intelligent device) refers to any equipment, instrument or machine with computing and processing capability. Smart machines are the product of combining conventional electrical devices with computer technology, data processing technology, control theory, sensor technology, network communication technology, power electronics and so on. As computer technology becomes ever more advanced and cheaper, all kinds of devices can be built: besides personal and palm computers, there are many more smart machines, including medical devices, geological equipment and household devices. Every related device that meets the definition of a smart machine falls within the scope of protection of the invention, and the following embodiments do not enumerate them one by one.
Fig. 1 is a flow diagram of the smart machine intrusion detection method proposed by the embodiment of the invention. The method specifically includes the following steps:
Step 101: obtain pending data, and standardize the pending data to obtain standardized data.
This step is intended to standardize the obtained pending data, so that the pending data is summarized by certain rules into a standardized data file in an easily handled reference format. The rules for data standardization can be of many kinds, for example lexical analysis, syntactic analysis, control-flow analysis and data-flow analysis. Likewise, the pending data can be obtained in various ways, for example passive wired transmission, passive wireless transmission, or active autonomous query. As long as the chosen rule and acquisition method achieve the corresponding purpose, the choice of method does not affect the scope of protection of the invention.
Further, to facilitate subsequent data comparison, different types of data are digitized and the features of each piece of data are expressed in vectorized form. In a preferred embodiment of the application, standardizing the pending data to obtain standardized data specifically includes:
counting and extracting the pending data according to a preset feature extraction rule;
expressing the extracted characteristic attributes as vectors, and generating the standardized data from the vectorized pending data.
Further, in order to perform targeted feature extraction on the basic features that are generally present in data and common to intrusion data, in a preferred embodiment of the application the preset feature extraction rule is specifically as follows:
the features to be extracted by the feature extraction rule include at least the basic features of the TCP connection, the content features of the TCP connection, time-based network traffic statistics features and/or host-based network traffic statistics features.
Further, in order to follow the user's configuration for the device in real time and to include newly added smart machines as detection objects, in a preferred embodiment of the application the method further includes, before obtaining the pending data:
obtaining the user's configuration file, and generating an interception plan according to the configuration file;
obtaining all request data, and obtaining the corresponding pending data from the request data according to the interception plan.
In a concrete application scenario, the feature extraction and the intrusion detection algorithm determine the accuracy and efficiency of intrusion detection. Feature extraction is the basis of intrusion detection: it extracts traffic information to be matched against network intrusion and system misuse patterns, so as to detect intrusion attacks. In this concrete application scenario, the configurator is responsible for interacting with the user and receives the user's configuration for intrusion detection on the smart machine. The interceptor is responsible for intercepting all request packets that the client sends to the smart machine; this is achieved by scanning the smart machine's information transmission ports, and the intercepted packets are passed through the secure transmission module into the intrusion detection module for subsequent analysis and detection. The intrusion detection module performs feature extraction on the request packets, generates a standardized characteristic attribute description, and inputs it to the cluster analyser for intrusion behaviour discrimination. It includes a data processing module which, on the basis of packet parsing, extracts by statistical transformation four major classes of characteristic attributes (basic features of the TCP connection, content features of the TCP connection, time-based network traffic statistics features and host-based network traffic statistics features), standardizes them, and then provides an interface for the cluster analyser to read this information.
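The four feature classes and the standardization step described above, worked through as an added Python example (not code from the patent): a few constructed TCP connection records are turned into raw feature vectors (basic, content, time-based and host-based features) and then min-max scaled with bounds that can be reused for live data. The 2-second time window, the 100-connection host window, the record fields and the sample records are all assumptions made here.

```python
"""Feature extraction and standardization for intercepted TCP connections.

Added example, not the patent's own code.  Each record is assumed to be one
TCP connection as the interceptor would summarize it; the window sizes and the
sample records below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TIME_WINDOW_S = 2.0                 # assumed window for time-based statistics
HOST_WINDOW = 100                   # assumed look-back for host-based statistics
ERROR_FLAGS = {"S0", "REJ", "RSTO"}  # connection states counted as errors


@dataclass
class Conn:
    ts: float            # connection start time in seconds
    duration: float
    service: str         # e.g. "http", "telnet"
    flag: str            # "SF" = normal completion, others = error states
    src_bytes: int
    dst_bytes: int
    dst_host: str
    failed_logins: int   # content feature taken from the payload


def extract(conns: List[Conn]) -> List[List[float]]:
    """One raw feature vector per connection, computed in arrival order so
    that the statistics only look at connections already seen."""
    vectors = []
    for i, c in enumerate(conns):
        # time-based: earlier connections to the same host inside the window
        recent = [p for p in conns[:i]
                  if c.ts - p.ts <= TIME_WINDOW_S and p.dst_host == c.dst_host]
        count = len(recent)
        srv_count = sum(1 for p in recent if p.service == c.service)
        serror_rate = (sum(1 for p in recent if p.flag in ERROR_FLAGS) / count
                       if count else 0.0)
        # host-based: the last HOST_WINDOW connections, same destination host
        hist = [p for p in conns[max(0, i - HOST_WINDOW):i]
                if p.dst_host == c.dst_host]
        dst_host_count = len(hist)
        dst_host_srv_rate = (sum(1 for p in hist if p.service == c.service)
                             / dst_host_count if dst_host_count else 0.0)
        vectors.append([
            c.duration, float(c.src_bytes), float(c.dst_bytes),  # basic
            1.0 if c.flag in ERROR_FLAGS else 0.0,                # basic (flag)
            float(c.failed_logins),                               # content
            float(count), float(srv_count), serror_rate,          # time-based
            float(dst_host_count), dst_host_srv_rate,             # host-based
        ])
    return vectors


Bounds = Tuple[List[float], List[float]]


def standardize(vectors: List[List[float]],
                bounds: Optional[Bounds] = None) -> Tuple[List[List[float]], Bounds]:
    """Min-max scale every column to [0, 1].  Passing the bounds learned from
    the model data scales live data the same way; values outside that range
    are clamped and a constant column maps to 0."""
    if bounds is None:
        cols = list(zip(*vectors))
        bounds = ([min(col) for col in cols], [max(col) for col in cols])
    mins, maxs = bounds
    scaled = []
    for v in vectors:
        row = []
        for x, lo, hi in zip(v, mins, maxs):
            span = hi - lo
            val = (x - lo) / span if span else 0.0
            row.append(min(1.0, max(0.0, val)))
        scaled.append(row)
    return scaled, bounds


# Constructed sample: three ordinary sessions to one host, then a burst of
# half-open / rejected connections to another host within two seconds.
SAMPLE = [
    Conn(0.0, 0.5, "http", "SF", 300, 1500, "10.0.0.5", 0),
    Conn(1.0, 0.4, "http", "SF", 280, 1400, "10.0.0.5", 0),
    Conn(5.0, 12.0, "telnet", "SF", 120, 800, "10.0.0.5", 2),
    Conn(9.0, 0.0, "http", "S0", 0, 0, "10.0.0.9", 0),
    Conn(9.2, 0.0, "ftp", "S0", 0, 0, "10.0.0.9", 0),
    Conn(9.4, 0.0, "ssh", "REJ", 0, 0, "10.0.0.9", 0),
]

if __name__ == "__main__":
    raw = extract(SAMPLE)
    scaled_rows, learned_bounds = standardize(raw)
    for r in scaled_rows:
        print([round(x, 2) for x in r])
```

The last three rows show the time-based count and error rate climbing while bytes stay at zero, which is the kind of pattern the cluster step later separates from ordinary sessions.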
Step 102: obtain preset model data, perform cluster analysis on the standardized data according to the model data, and judge whether the standardized data matches the model data.
This step is intended to compare and cluster the standardized data against the model data, and to judge the result of the clustering. Cluster analysis is an exploratory analysis: it does not require a classification criterion to be given in advance, and can classify automatically from the sample data. There are many kinds of cluster analysis methods: agglomerative methods, divisive methods, dendrograms, partitional clustering, spectral clustering and so on. Likewise, the preset model data can be obtained in various ways, for example passive wired transmission, passive wireless transmission or active autonomous query. As long as the chosen clustering method and acquisition method achieve the corresponding purpose, the choice of method does not affect the scope of protection of the invention.
Further, in order to distinguish normal data from intrusion data effectively while still allowing normal data to be transmitted as usual, in a preferred embodiment of the application judging whether the standardized data matches the model data further includes:
if not, determining the pending data corresponding to the standardized data to be normal data, placing the normal data in sequence after the previous normal data, and waiting for the pending data to be transmitted in order.
Further, in order to make the clustering method better suited to the various features of smart machines and thus further improve detection accuracy, in a preferred embodiment of the application performing cluster analysis on the standardized data according to the model data specifically includes:
performing initial-center optimization on the model data and the standardized data, and clustering the standardized data with an optimized K-means clustering algorithm that uses a Euclidean distance weighted by the Fisher linear discriminant ratio criterion.
Further, in order to follow updates of the model data used for intrusion detection in real time, and so correct and adjust the model data promptly, in a preferred embodiment of the application the method further includes, before obtaining the preset model data:
obtaining an update instruction from the user, and obtaining update model data according to the update instruction;
modifying, adjusting and/or deleting the original model data according to the update model data, to generate new model data.
In a concrete application scenario, cluster analysis is carried out on the basis of the feature vector to judge whether the user's request involves intrusion attack behaviour, and the discrimination result is provided to the results processor; according to the discrimination result, if no intrusion attack is found, the packet continues to be forwarded. The model management module is responsible for providing the intrusion detection module with feature extraction rules, and can also modify and adjust the intrusion detection model; the cluster analysis module, on the basis of the processed data, performs cluster analysis with the clustering algorithm, judges whether the user's request involves intrusion attack behaviour, and provides an interface for the results processor to read the discrimination result; the result processing module marks the packet according to the discrimination result and, according to the mark, passes normal request packets to the secure transmission module to wait in the queue. Compared with other intrusion detection techniques, this system uses an initial-center optimization method combined with a Euclidean distance weighted by the Fisher linear discriminant ratio criterion to realize clustering with an optimized K-means algorithm, which greatly improves detection accuracy.
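The optimized K-means described above, as an added Python example that is not the patent's own code: per-feature weights are derived from the Fisher discriminant ratio of labelled model data, the K-means distance is the weighted Euclidean distance, and the initial-center optimization is taken to be the max-min (farthest-point) heuristic, since the patent does not say which method it uses. The four-dimensional model vectors, their labels and the drop/queue result handling are constructed here.

```python
"""Optimized K-means for the cluster analyser: Fisher-weighted Euclidean
distance plus an initial-center optimization.  Added example, not the
patent's own code.  Model data is assumed to be (standardized vector, label)
pairs with label 1 = intrusion, 0 = normal; the max-min initialization is an
assumption, as is the constructed MODEL below.
"""
import math
from typing import Dict, List, Sequence, Tuple

Vec = Sequence[float]


def fisher_weights(model: List[Tuple[Vec, int]]) -> List[float]:
    """Per-feature Fisher discriminant ratio, (mean gap)^2 / (sum of class
    variances), normalized to sum to 1, so features that separate intrusion
    from normal traffic weigh more in the distance."""
    pos = [v for v, y in model if y == 1]
    neg = [v for v, y in model if y == 0]
    n_feat = len(model[0][0])

    def mean_var(rows: List[Vec], j: int) -> Tuple[float, float]:
        col = [r[j] for r in rows]
        m = sum(col) / len(col)
        return m, sum((x - m) ** 2 for x in col) / len(col)

    ratios = []
    for j in range(n_feat):
        m1, v1 = mean_var(pos, j)
        m0, v0 = mean_var(neg, j)
        ratios.append((m1 - m0) ** 2 / (v1 + v0 + 1e-9))  # epsilon avoids 0/0
    total = sum(ratios)
    return [r / total for r in ratios] if total else [1.0 / n_feat] * n_feat


def wdist(a: Vec, b: Vec, w: Sequence[float]) -> float:
    """Euclidean distance with per-feature weights."""
    return math.sqrt(sum(wj * (x - y) ** 2 for x, y, wj in zip(a, b, w)))


def init_centers(points: List[Vec], k: int, w: Sequence[float]) -> List[List[float]]:
    """Max-min initialization: start from the point nearest the global mean,
    then repeatedly add the point farthest from every center chosen so far."""
    mean = [sum(col) / len(points) for col in zip(*points)]
    centers = [list(min(points, key=lambda p: wdist(p, mean, w)))]
    while len(centers) < k:
        far = max(points, key=lambda p: min(wdist(p, c, w) for c in centers))
        centers.append(list(far))
    return centers


def kmeans(points: List[Vec], k: int, w: Sequence[float], iters: int = 50) -> List[List[float]]:
    centers = init_centers(points, k, w)
    for _ in range(iters):
        groups: List[List[Vec]] = [[] for _ in range(k)]
        for p in points:
            groups[min(range(k), key=lambda i: wdist(p, centers[i], w))].append(p)
        new = [[sum(col) / len(g) for col in zip(*g)] if g else centers[i]
               for i, g in enumerate(groups)]
        if new == centers:  # assignments unchanged: converged
            break
        centers = new
    return centers


class ClusterDetector:
    """Clusters the model data once, labels each cluster by majority vote and
    then decides whether a new standardized vector matches an intrusion cluster."""

    def __init__(self, model: List[Tuple[Vec, int]], k: int = 2):
        self.w = fisher_weights(model)
        self.centers = kmeans([v for v, _ in model], k, self.w)
        votes = [[0, 0] for _ in self.centers]
        for v, y in model:
            votes[self.nearest(v)][y] += 1
        self.labels = [1 if n1 > n0 else 0 for n0, n1 in votes]

    def nearest(self, v: Vec) -> int:
        return min(range(len(self.centers)), key=lambda i: wdist(v, self.centers[i], self.w))

    def is_intrusion(self, v: Vec) -> bool:
        return self.labels[self.nearest(v)] == 1

    def handle(self, v: Vec) -> Dict[str, str]:
        """Result processing: intrusion data is dropped and logged for the
        alarm unit, normal data is queued for forwarding."""
        if self.is_intrusion(v):
            return {"action": "drop", "log": "intrusion: vector %s" % list(v)}
        return {"action": "queue", "log": ""}


# Constructed model data: [serror_rate, count, dst_bytes, failed_logins],
# already scaled to [0, 1]; the last feature does not separate the classes.
MODEL = [
    ([0.0, 0.1, 0.8, 0.0], 0), ([0.0, 0.2, 0.6, 0.0], 0),
    ([0.1, 0.1, 0.9, 0.0], 0), ([0.0, 0.0, 0.7, 0.1], 0),
    ([1.0, 0.9, 0.0, 0.0], 1), ([0.9, 1.0, 0.1, 0.0], 1),
    ([1.0, 0.8, 0.0, 0.1], 1), ([0.8, 0.9, 0.0, 0.0], 1),
]

if __name__ == "__main__":
    det = ClusterDetector(MODEL)
    print("weights", [round(x, 3) for x in det.w])
    print(det.handle([0.95, 0.85, 0.05, 0.0]))
    print(det.handle([0.05, 0.15, 0.75, 0.0]))
```

With this model data the fourth feature receives a weight of zero, so a noisy, non-discriminating attribute cannot pull a sample toward the wrong cluster; a model update (new labelled vectors) simply rebuilds the detector.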
Step 103: if so, judge the pending data corresponding to the standardized data to be intrusion data.
This step is intended to mark the corresponding pending data as intrusion data. There are many ways of marking, for example setting a special mark, setting a special header, or setting a label. As long as the chosen marking method achieves the corresponding purpose, the choice of method does not affect the scope of protection of the invention.
Further, in order to handle intrusion files effectively while reminding the user and keeping a record of the data, in a preferred embodiment of the application judging the pending data corresponding to the standardized data to be intrusion data specifically includes:
directly discarding the intrusion data and generating an intrusion log message; triggering an intrusion alarm according to the intrusion log message.
In a concrete application scenario, the result processing module marks the packet according to the discrimination result, discards intrusion attack packets, and generates a log that is passed to the intrusion alarm unit.
By applying the technical solution of the application, the scheme obtains pending data and standardizes it to obtain standardized data; obtains preset model data, performs cluster analysis on the standardized data according to the model data, and judges whether the standardized data matches the model data; and if so, judges the pending data corresponding to the standardized data to be intrusion data. By applying the technical solution of the application, intrusion detection for real smart machine runtime scenarios is realized: the relevant features of network packets are analysed and detected to judge whether they constitute an intrusion attack, malicious behaviour is actively intercepted, and log reports are retained for the user to audit and assess. The solution meets the requirement of not affecting the user experience and is both reliable and feasible for an intrusion detection system applied to smart machines.
To further explain the technical idea of the invention, the technical solution of the invention is now illustrated with a specific application scenario.
As shown in Fig. 2, in this concrete application scenario the embedded intelligent device intrusion detection system (IDIDS) is mainly composed of three subsystems: the client, the secure transmission engine and the intrusion detection engine.
(1) Client:
1) The detection configurator is responsible for interacting with the user and receives the user's configuration for intrusion detection on the smart machine.
2) The request interceptor is responsible for intercepting all request packets that the client sends to the smart machine; this is achieved by scanning the smart machine's information transmission ports, and the intercepted packets are passed through the secure transmission engine into the intrusion detection engine for subsequent analysis and detection.
3) The intrusion alarm unit takes the results of the intrusion detection engine and reports the intrusion attack behaviour it discovers to the user as a log.
(2) The secure transmission engine implements encrypted transmission and queued forwarding of request packets. The intercepted request packets are encrypted to guarantee information security during transmission, and requests that have passed intrusion detection are queued and securely transmitted to the smart machine to complete the request task.
(3) The goal of the intrusion detection engine is to perform feature extraction on the request packets, generate a standardized characteristic attribute description, and input it to the cluster analyser for intrusion behaviour discrimination. According to the discrimination result, the results processor either passes the packet to the alarm processor to block it and raise an alarm, or passes it to the secure transmission engine for request forwarding. By functional requirement the engine is divided into four submodules: the data processor, the cluster analyser, the model manager and the results processor.
1) The data processor, on the basis of packet parsing, extracts by statistical transformation four major classes of characteristic attributes (basic features of the TCP connection, content features of the TCP connection, time-based network traffic statistics features and host-based network traffic statistics features), standardizes them, and then provides an interface for the cluster analyser to read this information.
2) The cluster analyser, on the basis of the processed data, performs cluster analysis with the clustering algorithm, judges whether the user's request involves intrusion attack behaviour, and provides an interface for the results processor to read the discrimination result.
3) The model manager is responsible for providing the intrusion detection engine with feature extraction rules, and can also modify and adjust the intrusion detection model.
4) The results processor marks the packet according to the discrimination result; according to the mark it passes normal request packets to the secure transmission engine to wait in the queue, discards intrusion attack packets, and generates a log that is passed to the intrusion alarm unit.
As shown in Fig. 3, the main processing steps of IDIDS are as follows:
1. After the user has configured the catalogue of smart machines to be detected by IDIDS, the information transmission interfaces and the protocol catalogue, IDIDS starts working.
2. IDIDS first intercepts requests to the devices configured by the user.
3. It reads the feature extraction rules in the model manager, processes the request packets, counts and extracts characteristic attributes, and describes each request packet with a characteristic attribute vector.
4. It performs cluster analysis on the basis of the feature vector, judges whether the user's request involves intrusion attack behaviour, and provides the discrimination result to the results processor.
5. According to the discrimination result, the packet is discarded or continues to be forwarded.
Based on the same inventive concept, the embodiment of the invention also provides a smart machine intrusion detection device, as shown in Fig. 4, comprising:
an acquisition module 401, which obtains pending data and standardizes the pending data to obtain standardized data;
a cluster module 402, which obtains preset model data, performs cluster analysis on the standardized data according to the model data, and judges whether the standardized data matches the model data;
a processing module 403, which, if so, judges the pending data corresponding to the standardized data to be intrusion data.
In a specific application scenario, the cluster module 402 judging whether the standardized data matches the model data further includes:
a transmission module 404, which, if not, determines the pending data corresponding to the standardized data to be normal data, places the normal data in sequence after the previous normal data, and waits for the pending data to be transmitted in order.
In a specific application scenario, the processing module 403 judging the pending data corresponding to the standardized data to be intrusion data specifically includes:
directly discarding the intrusion data and generating an intrusion log message; triggering an intrusion alarm according to the intrusion log message.
In a specific application scenario, the cluster module 402 performing cluster analysis on the standardized data according to the model data specifically includes:
performing initial-center optimization on the model data and the standardized data, and clustering the standardized data with an optimized K-means clustering algorithm that uses a Euclidean distance weighted by the Fisher linear discriminant ratio criterion.
In a specific application scenario, before the cluster module 402 obtains the preset model data, the device further:
obtains an update instruction from the user, and obtains update model data according to the update instruction;
modifies, adjusts and/or deletes the original model data according to the update model data, to generate new model data.
In a specific application scenario, the acquisition module 401 standardizing the pending data to obtain standardized data specifically includes:
counting and extracting the pending data according to a preset feature extraction rule;
expressing the extracted characteristic attributes as vectors, and generating the standardized data from the vectorized pending data.
In specific application scenarios, the acquisition module 401 is specifically included according to preset feature extraction rule:
The regular feature to be extracted of the feature extraction includes at least: the essential characteristic of TCP connection, TCP connection it is interior Hold feature, time-based network flow statistic feature and/or host-based network traffic statistics feature.
In specific application scenarios, the acquisition module 401 is obtained before pending data, further includes:
The configuration file for obtaining user generates according to the configuration file and intercepts prediction scheme;
All request datas are obtained, are obtained according to the interception prediction scheme corresponding described to be processed in the request data Data.
The equipment of above-described embodiment for realizing method corresponding in previous embodiment there is corresponding method to implement The beneficial effect of example, details are not described herein.
Based on the same inventive concept, the embodiment of the invention also provides a kind of computer readable storage medium, the calculating Instruction is stored in machine readable storage medium storing program for executing, when described instruction is run on the terminal device, so that the terminal device executes Smart machine intrusion detection method as described above.
The storage medium of above-described embodiment has corresponding method for realizing method corresponding in previous embodiment The beneficial effect of embodiment, details are not described herein.
It should be noted that the above embodiments are only intended to illustrate the technical solution of the invention, not to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that they may still modify the technical solutions recorded in the foregoing embodiments or replace some of their technical features by equivalents; such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the invention.
Those of ordinary skill in the art should understand that the discussion of any of the above embodiments is exemplary only and is not intended to imply that the scope of the disclosure (including the claims) is limited to these examples; under the idea of the invention, the technical features of the above embodiments or of different embodiments may also be combined, the steps may be carried out in any order, and many other variations of the different aspects of the invention described above exist, which are not given in detail for simplicity.
In addition, to simplify the explanation and discussion, and so as not to obscure the invention, the well-known power and ground connections to integrated circuit (IC) chips and other components may or may not be shown in the accompanying drawings. Furthermore, devices may be shown in block-diagram form to avoid obscuring the invention, which also takes into account the fact that the details of implementing such block-diagram arrangements depend heavily on the platform on which the invention is to be implemented (that is, these details should be fully within the understanding of those skilled in the art). Where specific details (for example, circuits) are set out to describe exemplary embodiments of the invention, it will be apparent to those skilled in the art that the invention can be implemented without these specific details or with variations of them. Therefore, these descriptions should be regarded as illustrative rather than restrictive.
Although the invention has been described in conjunction with specific embodiments, many alternatives, modifications and variations of these embodiments will be apparent to those of ordinary skill in the art from the foregoing description. For example, the discussed embodiments can be used in other memory architectures (for example, dynamic RAM (DRAM)).
The embodiments of the invention are intended to cover all such alternatives, modifications and variations that fall within the broad scope of the appended claims. Therefore, any omission, modification, equivalent replacement, improvement, etc. made within the spirit and principles of the invention shall be included in the protection scope of the invention.

Claims (10)

1. A smart machine intrusion detection method, characterized by comprising:
obtaining pending data, and standardizing the pending data to obtain standardized data;
obtaining preset model data, performing clustering analysis on the standardized data according to the model data, and judging whether the standardized data meets the model data;
if so, determining that the pending data corresponding to the standardized data is intrusion data.
2. The smart machine intrusion detection method according to claim 1, characterized in that judging whether the standardized data meets the model data further includes:
if not, determining that the pending data corresponding to the standardized data is normal data, placing the normal data in sequence after the previous normal data, and waiting to deliver the pending data in order.
3. The smart machine intrusion detection method according to claim 1, characterized in that determining that the pending data corresponding to the standardized data is intrusion data specifically includes:
discarding the intrusion data directly and generating an intrusion log message; triggering an intrusion alarm according to the intrusion log message.
4. The smart machine intrusion detection method according to claim 1, characterized in that performing clustering analysis on the standardized data according to the model data specifically includes:
performing initial-centre optimization on the model data and the standardized data, and clustering the standardized data with a K-means clustering algorithm whose optimization is realized by a weighted Euclidean distance using the Fisher linear discriminant ratio criterion.
5. The smart machine intrusion detection method according to claim 1, characterized in that before obtaining the preset model data, the method further includes:
obtaining an update instruction from the user, and obtaining update model data according to the update instruction;
modifying, adjusting and/or deleting the original model data according to the update model data to generate new model data.
6. The smart machine intrusion detection method according to claim 1, characterized in that standardizing the pending data to obtain standardized data specifically includes:
counting and extracting the pending data according to a preset feature extraction rule;
expressing the extracted feature attributes as vectors, and generating the standardized data from the vectorized pending data.
7. The smart machine intrusion detection method according to claim 6, characterized in that the preset feature extraction rule specifically includes:
the features to be extracted by the feature extraction rule include at least: basic features of a TCP connection, content features of a TCP connection, time-based network traffic statistical features and/or host-based network traffic statistical features.
8. The smart machine intrusion detection method according to claim 1, characterized in that before obtaining the pending data, the method further includes:
obtaining a configuration file from the user, and generating an interception scheme according to the configuration file;
obtaining all request data, and obtaining the corresponding pending data from the request data according to the interception scheme.
9. A smart machine intrusion detection apparatus, characterized by comprising:
an acquisition module, which obtains pending data and standardizes the pending data to obtain standardized data;
a cluster module, which obtains preset model data, performs clustering analysis on the standardized data according to the model data, and judges whether the standardized data meets the model data;
a processing module, which, if so, determines that the pending data corresponding to the standardized data is intrusion data.
10. A computer-readable storage medium, characterized in that instructions are stored in the computer-readable storage medium, and when the instructions run on a terminal device, the terminal device executes the smart machine intrusion detection method according to any one of claims 1 to 8.
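The clustering step described for the cluster module 402 above and in claims 4 to 7, as an added worked example written for this page (not the patent's implementation): per-feature Fisher discriminant ratios are computed from labelled model data and used to weight the Euclidean distance, K-means is seeded with the per-class means as the initial-centre optimization, and new standardized samples are judged against the resulting centres. The model records, the three feature meanings and the exact Fisher weighting formula are constructed assumptions, since the patent does not specify them.

```python
from math import sqrt

# Constructed model data (an assumption, not the patent's data): each record is a
# standardized feature vector and its label. The three features stand for
# connection duration, bytes sent and SYN-error rate, each scaled to [0, 1].
MODEL = [
    ([0.10, 0.20, 0.00], "normal"), ([0.15, 0.25, 0.05], "normal"),
    ([0.05, 0.30, 0.00], "normal"), ([0.12, 0.18, 0.02], "normal"),
    ([0.02, 0.01, 0.95], "intrusion"), ([0.01, 0.02, 0.90], "intrusion"),
    ([0.03, 0.01, 0.99], "intrusion"), ([0.00, 0.03, 0.92], "intrusion"),
]
LABELS = ["normal", "intrusion"]

def mean(vectors):
    return [sum(col) / len(vectors) for col in zip(*vectors)]

def variance(vectors, c):
    return [sum((v[i] - c[i]) ** 2 for v in vectors) / len(vectors) for i in range(len(c))]

def fisher_weights(model):
    """Per-feature Fisher ratio (between-class scatter / within-class scatter),
    normalised to sum to 1: discriminative features get more weight in the distance."""
    groups = [[v for v, lab in model if lab == target] for target in LABELS]
    means = [mean(g) for g in groups]
    spread = [variance(g, m) for g, m in zip(groups, means)]
    raw = [(means[0][i] - means[1][i]) ** 2 / (spread[0][i] + spread[1][i] + 1e-9)
           for i in range(len(means[0]))]
    return [r / sum(raw) for r in raw]

def weighted_distance(x, y, w):
    return sqrt(sum(w[i] * (x[i] - y[i]) ** 2 for i in range(len(x))))

def kmeans(points, centres, w, max_iter=20):
    """K-means under the weighted Euclidean distance. The initial centres are the
    per-class means of the model data (the initial-centre step), not random picks."""
    for _ in range(max_iter):
        clusters = [[] for _ in centres]
        for p in points:
            k = min(range(len(centres)), key=lambda j: weighted_distance(p, centres[j], w))
            clusters[k].append(p)
        updated = [mean(c) if c else old for c, old in zip(clusters, centres)]
        if updated == centres:
            break
        centres = updated
    return centres

def judge(samples, model=MODEL):
    """Cluster model data together with new samples; a sample is 'intrusion' when its
    nearest weighted centre is the one seeded from the intrusion records."""
    w = fisher_weights(model)
    seeds = [mean([v for v, lab in model if lab == target]) for target in LABELS]
    centres = kmeans([v for v, _ in model] + samples, seeds, w)
    return [LABELS[min(range(2), key=lambda j: weighted_distance(s, centres[j], w))]
            for s in samples]
```

With these constructed records the SYN-error feature dominates the weights, so a long, heavy connection with a low error rate is still judged normal while a short one with a high error rate is judged intrusion.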
CN201910340862.1A 2019-04-25 2019-04-25 A kind of smart machine intrusion detection method, equipment and storage medium Pending CN110276195A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910340862.1A CN110276195A (en) 2019-04-25 2019-04-25 A kind of smart machine intrusion detection method, equipment and storage medium


Publications (1)

Publication Number Publication Date
CN110276195A true CN110276195A (en) 2019-09-24

Family

ID=67959542

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910340862.1A Pending CN110276195A (en) 2019-04-25 2019-04-25 A kind of smart machine intrusion detection method, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN110276195A (en)


Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1668015A (en) * 2004-12-20 2005-09-14 华中科技大学 Cooperative intrusion detection based large-scale network security defense system
CN103368979A (en) * 2013-08-08 2013-10-23 电子科技大学 Network security verifying device based on improved K-means algorithm
CN108123939A (en) * 2017-12-14 2018-06-05 华中师范大学 Malicious act real-time detection method and device
CN108632278A (en) * 2018-05-08 2018-10-09 北京理工大学 A kind of network inbreak detection method being combined with Bayes based on PCA
CN109218321A (en) * 2018-09-25 2019-01-15 北京明朝万达科技股份有限公司 A kind of network inbreak detection method and system


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
冯光升 等: "《信息系统安全实验》", 28 February 2014 *
刘晓勇 等: "《Python语言程序设计基础》", 31 January 2019 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110636086A (en) * 2019-11-13 2019-12-31 国家电网有限公司 Network protection test method and device
CN110636086B (en) * 2019-11-13 2023-12-26 国家电网有限公司 Network protection testing method and device
CN111107152A (en) * 2019-12-19 2020-05-05 浙江军盾信息科技有限公司 Internet of vehicles terminal intrusion processing method, device, equipment and storage medium
CN112906786A (en) * 2021-02-07 2021-06-04 滁州职业技术学院 Data classification improvement method based on naive Bayes model
CN113297577A (en) * 2021-06-16 2021-08-24 深信服科技股份有限公司 Request processing method and device, electronic equipment and readable storage medium
CN114666137A (en) * 2022-03-25 2022-06-24 山东鼎夏智能科技有限公司 Threat information processing method and device

Similar Documents

Publication Publication Date Title
CN110276195A (en) A kind of smart machine intrusion detection method, equipment and storage medium
CN111274583A (en) Big data computer network safety protection device and control method thereof
CN109299135A (en) Abnormal inquiry recognition methods, identification equipment and medium based on identification model
CN107888571A (en) A kind of various dimensions webshell intrusion detection methods and detecting system based on HTTP daily records
CN110795703B (en) Data theft prevention method and related product
CN112491779B (en) Abnormal behavior detection method and device and electronic equipment
TWI677804B (en) Computer device and method of identifying whether container behavior thereof is abnormal
CN114584405A (en) Electric power terminal safety protection method and system
CN105378745A (en) Disabling and initiating nodes based on security issue
Vashishtha et al. HIDM: A hybrid intrusion detection model for cloud based systems
Wang et al. An evolutionary computation-based machine learning for network attack detection in big data traffic
Ou et al. Immunity-inspired host-based intrusion detection systems
Agrawal et al. A SURVEY ON ATTACKS AND APPROACHES OF INTRUSION DETECTION SYSTEMS.
CN113132329A (en) WEBSHELL detection method, device, equipment and storage medium
US10740458B2 (en) System and method for high frequency heuristic data acquisition and analytics of information security events
CN111125701B (en) File detection method, equipment, storage medium and device
CN111563269B (en) Sensitive data security protection method and system based on shadow system
CN114124453A (en) Network security information processing method and device, electronic equipment and storage medium
CN112861160A (en) Data privacy protection system and protection method
CN112272176A (en) Network security protection method and system based on big data platform
Rani A Perspective for Intrusion Detection & Prevention in Cloud Environment
CN111177765A (en) Financial big data processing method, storage medium and system
CN117544420B (en) Fusion system safety management method and system based on data analysis
CN116756578B (en) Vehicle information security threat aggregation analysis and early warning method and system
CN112839053B (en) Electric power industrial control network malicious code protection system based on self-culture

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication; application publication date: 20190924