CN110958263B - Network attack detection method, device, equipment and storage medium - Google Patents

Network attack detection method, device, equipment and storage medium Download PDF

Info

Publication number
CN110958263B
CN110958263B CN201911289345.2A CN201911289345A CN110958263B CN 110958263 B CN110958263 B CN 110958263B CN 201911289345 A CN201911289345 A CN 201911289345A CN 110958263 B CN110958263 B CN 110958263B
Authority
CN
China
Prior art keywords
environment
network
parameter
model
environmental
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201911289345.2A
Other languages
Chinese (zh)
Other versions
CN110958263A (en
Inventor
张壮
董志强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Cloud Computing Beijing Co Ltd
Original Assignee
Tencent Cloud Computing Beijing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Cloud Computing Beijing Co Ltd filed Critical Tencent Cloud Computing Beijing Co Ltd
Priority to CN201911289345.2A priority Critical patent/CN110958263B/en
Publication of CN110958263A publication Critical patent/CN110958263A/en
Application granted granted Critical
Publication of CN110958263B publication Critical patent/CN110958263B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic

Abstract

The application discloses a network attack detection method, a device, equipment and a storage medium, and belongs to the technical field of networks. The application provides a method for deploying a honeypot environment by using a generative countermeasure network, wherein a generative model of the generative countermeasure network can automatically generate high-simulation environment parameters, and after the environmental parameters are configured, the honeypot environment close to the real environment can be configured, so that the immersive honeypot environment is provided. And time cost brought by manual determination of environmental parameters is saved, manpower is greatly saved, and therefore efficiency is improved.

Description

Network attack detection method, device, equipment and storage medium
Technical Field
The present application relates to the field of network technologies, and in particular, to a network attack detection method, apparatus, device, and storage medium.
Background
With the continuous development of network technology, network attack behaviors frequently occur, and therefore, the honeypot technology can be used for detecting the network attack behaviors, so that the security of the network is improved.
The honeypot technology is a technology for cheating an attacker by a defender, the defender captures network attack behaviors by configuring the environment into a honeypot environment, and learns network tools and methods used by the attacker according to the network attack behaviors, so that the security protection capability of the system is enhanced. The honeypot environment refers to an environment for inducing an attacker to perform network attack. In particular, the honeypot environment may include devices or services on which traffic resources that may be of interest to an attacker are stored, which may be used as a bait to entice the attacker to implement a network attack on the system.
At present, a user generally determines environmental parameters of a honeypot environment according to manual experience, the environmental parameters of the honeypot environment are input into computer equipment, the computer equipment can be configured according to the environmental parameters input by the user, the honeypot environment is constructed, and network attack behaviors are captured in the later operation process.
When the method is adopted, a large amount of time cost is consumed for manually determining the environmental parameters, and the efficiency is low. Moreover, the manual determination mode has certain subjectivity, and cannot have a uniform and objective standard, so that the accuracy of the obtained environmental parameters is poor, and after the configuration is carried out based on the environmental parameters, the honeypot environment rather than the real environment is easily identified by an attacker, so that the network attack behavior is difficult to capture.
Disclosure of Invention
The embodiment of the application provides a network attack detection method, a network attack detection device, network attack detection equipment and a storage medium, and at least solves the problems of high time cost and low efficiency in the related technology. The technical scheme is as follows:
in one aspect, a network attack detection method is provided, where the method includes:
calling a generative confrontation network, wherein the generative confrontation network comprises a generative model and an identification model, the generative model is used for generating environmental parameters of the honeypot environment, and the identification model is used for identifying whether the environmental parameters generated by the generative model are environmental parameters of a real environment;
generating a first environmental parameter through a generative model of the generative countermeasure network;
configuring a current environmental parameter as the first environmental parameter;
capturing network attack behavior during operation based on the first environmental parameter.
Optionally, the first environment parameter includes one or more of a name of the service resource, a storage location of the service resource, a data volume of the service resource, a name of the desktop file, a storage location of the privacy file, or a network configuration parameter.
In another aspect, a network attack detection apparatus is provided, the apparatus including:
the generating countermeasure network comprises a generating model and an identifying model, the generating model is used for generating environmental parameters of the honeypot environment, and the identifying model is used for identifying whether the environmental parameters generated by the generating model are environmental parameters of the real environment or not;
the generating module is used for generating a first environment parameter through a generating model of the generating type countermeasure network;
a configuration module, configured to configure a current environmental parameter as the first environmental parameter;
and the capturing module is used for capturing the network attack behavior in the process of operating based on the first environment parameter.
Optionally, the apparatus further comprises: the training module is used for generating a second environment parameter through the generating model; inputting the second environmental parameter into the recognition model; identifying the second environment parameter through the identification model; and if the second environmental parameter is identified as the environmental parameter of the honeypot environment by the identification model, adjusting the parameter of the generated model until the environmental parameter generated by the generated model is identified as the environmental parameter of the real environment by the identification model.
Optionally, the generative model is a decoding network in a self-encoder network, the self-encoder network includes an encoding network and the decoding network, the encoding network is configured to perform feature extraction on an environmental parameter of the real environment, and the decoding network is configured to reconstruct the environmental parameter of the real environment according to the extracted feature.
Optionally, the training module is configured to input a third environment parameter into the self-encoder network, where the third environment parameter is an environment parameter of the real environment of the sample; extracting the characteristics of the third environment parameters through the coding network, and outputting the environment characteristics of the real environment of the sample; reconstructing the environment characteristics through the decoding network and outputting a fourth environment parameter; obtaining a loss value according to the difference between the third environmental parameter and the fourth environmental parameter; adjusting parameters of the self-encoder network according to the loss value; and when the training termination condition is met, outputting the decoding network adopted in the iteration process as a trained generated model.
Optionally, the generating module is configured to input a random parameter into the generating model; and adjusting the random parameter through the generation model to obtain the first environmental parameter.
Optionally, the apparatus further comprises:
the output module is used for outputting the first environment parameter;
the receiving module is used for receiving an identification result input by a user for the first environment parameter, and the identification result is used for indicating whether the first identification environment parameter is an environment parameter of a real environment;
the configuration module is configured to configure the current environmental parameter as the first environmental parameter if the identification result indicates that the first environmental parameter is an environmental parameter of a real environment.
Optionally, the first environment parameter includes one or more of a name of the service resource, a storage location of the service resource, a data volume of the service resource, a name of the desktop file, a storage location of the privacy file, or a network configuration parameter.
In another aspect, a computer device is provided, which includes one or more processors and one or more memories, and at least one program code is stored in the one or more memories, and loaded and executed by the one or more processors to implement the operations performed by the above network attack detection method.
In another aspect, a computer-readable storage medium is provided, in which at least one program code is stored, and the at least one program code is loaded and executed by a processor to implement the operations performed by the above network attack detection method.
The beneficial effects brought by the technical scheme provided by the embodiment of the application at least comprise:
the embodiment provides a method for deploying a honeypot environment by using a generative confrontation network, wherein a generative model of the generative confrontation network can automatically generate high-simulation environment parameters, and after configuration is carried out based on the environment parameters, the honeypot environment approaching to the real environment can be configured, so that the immersive honeypot environment is provided, and as the confusability and the concealment of the honeypot environment are better, an attacker can be effectively induced to carry out network attack, so that the network attack behavior can be timely and accurately detected. And time cost brought by manual determination of environmental parameters is saved, and manpower is greatly saved, so that efficiency is improved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a block diagram of a network attack detection system according to an embodiment of the present application;
FIG. 2 is a flow chart of a training method for generating a generative model of environmental parameters of a honeypot environment provided by an embodiment of the present application;
FIG. 3 is a schematic diagram of a training generative model provided by an embodiment of the present application;
FIG. 4 is a flow chart of a training method of a generative confrontation network for generating environmental parameters of a honeypot environment according to an embodiment of the present application;
FIG. 5 is a schematic diagram of a training generative confrontation network provided by an embodiment of the present application;
fig. 6 is a flowchart of a network attack detection method provided in an embodiment of the present application;
fig. 7 is a schematic diagram of a network deployment before configuring a first environment parameter according to an embodiment of the present application;
FIG. 8 is a schematic diagram of a network deployment after configuring a first environment parameter according to an embodiment of the present application;
FIG. 9 is a schematic diagram of a honeypot deployment environment provided by an embodiment of the present application;
fig. 10 is a schematic structural diagram of a network attack detection apparatus according to an embodiment of the present application;
fig. 11 is a schematic structural diagram of a server according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some, but not all, embodiments of the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The term "and/or" in this application is only one kind of association relationship describing the associated object, and means that there may be three kinds of relationships, for example, a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" in the present application generally indicates that the former and latter related objects are in an "or" relationship.
The term "plurality" in this application means two or more, e.g., a plurality of packets means two or more packets.
The terms "first," "second," and the like in this application are used for distinguishing between similar items and items that have substantially the same function or similar functionality, and it should be understood that "first," "second," and "nth" do not have any logical or temporal dependency or limitation on the number or order of execution.
Hereinafter, terms related to the present application are explained.
And (4) honeypot: the honeypot technology is essentially a technology for cheating attackers, and the attackers are induced to implement network attack on the attackers by arranging hosts, services or resources as decoys, so that network attack behaviors can be captured, tools and methods used by the attackers can be known by analyzing the network attack behaviors, the intention and the motivation of the attack can be deduced, and defenders can know the facing security threat, so that the security protection capability of the system is enhanced. The honeypot environment can be regarded as a carefully placed "black box" for the defender, including a server for inducing hacker attacks, collecting evidence by inducing hackers to invade the server, while hiding the real address of the server.
Honey bait: refers to a resource that may be of interest to an attacker deployed by a defender, such as a certain battle plan, a certain business contract, and so on. Under normal conditions, the resources are not opened, and once the files are opened, the intrusion behavior can be basically determined.
Generative Adaptive Networks (GAN) is an unsupervised deep learning model. GAN mainly consists of two major parts: the method comprises the steps of generating a Model (Generative Model) and a discriminant Model (discriminant Model), wherein the generating Model and the discriminant Model are obtained by training in a countermeasure learning mode, and the countermeasure learning can be understood as that the generating Model and the discriminant Model mutually game to learn an output result.
Artificial Intelligence (AI) is a theory, method, technique and application system that uses a digital computer or a machine controlled by a digital computer to simulate, extend and expand human Intelligence, perceive the environment, acquire knowledge and use the knowledge to obtain the best results. In other words, artificial intelligence is a comprehensive technique of computer science that attempts to understand the essence of intelligence and produce a new intelligent machine that can react in a manner similar to human intelligence. Artificial intelligence is the research of the design principle and the realization method of various intelligent machines, so that the machines have the functions of perception, reasoning and decision making. The artificial intelligence technology is a comprehensive subject and relates to the field of extensive technology, namely the technology of a hardware level and the technology of a software level. The artificial intelligence base technologies generally include technologies such as sensors, dedicated artificial intelligence chips, cloud computing, distributed storage, big data processing technologies, operation/interaction systems, mechatronics, and the like. The artificial intelligence software technology mainly comprises a computer vision technology, a voice processing technology, a natural language processing technology, machine learning/deep learning and the like.
Machine Learning (ML) is a multi-domain cross discipline, and relates to a plurality of disciplines such as probability theory, statistics, approximation theory, convex analysis, algorithm complexity theory and the like. The special research on how a computer simulates or realizes the learning behavior of human beings so as to acquire new knowledge or skills and reorganize the existing knowledge structure to continuously improve the performance of the computer. Machine learning is the core of artificial intelligence, is the fundamental approach to make computers have intelligence, and is applied in various fields of artificial intelligence. Machine learning and deep learning generally include techniques such as artificial neural networks, belief networks, reinforcement learning, transfer learning, inductive learning, and teaching learning. Along with the research and progress of artificial intelligence technology, the artificial intelligence technology develops research and application in a plurality of fields, for example, common intelligent house, intelligent wearable equipment, virtual assistant, intelligent sound box, intelligent marketing, unmanned driving, automatic driving, unmanned aerial vehicle, robot, intelligent medical treatment, intelligent customer service and the like.
Hereinafter, the system architecture of the present application is exemplarily described.
Fig. 1 is a block diagram of a network attack detection system according to an embodiment of the present application. The network attack detection system includes: a computer device 101 and an inspection platform 102. The computer device 101 is connected to the detection platform 102 via a wireless or wired network.
The computer device 101 may be at least one of a server, a mainframe, or a personal computer. The detection platform 102 includes at least one of a server, a plurality of servers, a cloud computing platform, and a virtualization center.
Optionally, the detection platform 102 undertakes primary detection work, and the computer device 101 undertakes secondary detection work; or, the detection platform 102 undertakes the secondary detection work, and the computer device 101 undertakes the primary detection work; alternatively, the testing platform 102 or the computer device 101, respectively, may be solely responsible for the testing.
Optionally, the detection platform 102 comprises: access server 1021, database 1022, and AI server. The access server 1021 is used to provide access services for the computer device 101. The AI server 1023 is used to provide services related to model training. The AI server 1023 may be one or more. When the AI servers 1023 are multiple, there are at least two AI servers 1023 to provide different services, and/or there are at least two AI servers 1023 to provide the same service, such as in a load-balanced manner, to form an AI cluster to coordinate training.
With the method provided by this embodiment, the database 1022 may store environment parameters of a large number of sample real environments, the AI server 1023 may construct a self-encoder network, read the environment parameters stored in the database 1022, train the self-encoder network using the environment parameters, use a decoder of the trained self-encoder network as a generation model, construct the generation model and the constructed recognition model as a generative confrontation network, train the generative confrontation network using the environment parameters stored in the database 1022, finally obtain the trained generative confrontation network, send the trained generative confrontation network to the computer device, and the computer device may use the generative confrontation network sent by the AI server 1023 to obtain the environment parameters, thereby configuring the honeypot environment.
The computer device 101 may be broadly referred to as one of a plurality of computer devices, and the embodiment is illustrated only with the computer device 101.
Those skilled in the art will appreciate that the number of computer devices described above may be greater or fewer. For example, the number of the computer devices may be only one, or several tens or hundreds, or more, in which case the network attack detection system further includes other computer devices. The number and the type of the computer devices are not limited in the embodiments of the present application.
Fig. 2 is a flowchart of a training method for generating a generative model of an environmental parameter of a honey pot environment, according to an embodiment of the present application, where an execution subject of the embodiment is a computer device, see fig. 2, and the method includes:
201. the computer device inputs the third environmental parameter from the encoder network.
The third environment parameter is an environment parameter of the real environment of the sample. An autoencoder network can be used to learn from parameters of a large number of sample real environments, thereby automatically generating environmental parameters that can simulate real environments. The type of the third environmental parameter may include a variety. For example, the third environment parameter may include one or more of a name of the business resource, a storage location of the business resource, a data volume of the business resource, a name of a desktop file, a storage location of a privacy file, or a network configuration parameter.
The specific form of the service resource can be set according to experiments, experiences or service requirements, and the service resource can be any one of files, videos, images and audios and the combination of the files, the videos, the images and the audios. In the honeypot technology field, the service resource may be referred to as bait, honey label or breadcrumb, and a file that an attacker may be interested in may be configured as the service resource in the third environment parameter, so as to induce the attacker to perform network attack on the device where the service resource is located. For example, the business resource may be a business contract, a campaign, and the like.
An auto-encoder network is an unsupervised neural network, and an auto-encoder network (auto-encoder) includes an encoding network (encoder) and a decoding network (decoder). The encoding network and the decoding network may be cascaded.
The coding network is used for extracting the characteristics of the environment parameters of the real environment, the input parameters of the coding network can comprise the environment parameters, and the output parameters of the coding network can comprise the environment characteristics. The decoding network is used for reconstructing the environment parameters of the real environment according to the extracted features. The input parameters of the decoding network may comprise environmental characteristics and the output parameters of the encoding network may comprise environmental parameters. The environmental characteristic may be a vector, and a value of each dimension of the vector is a numerical value.
202. And the computer equipment performs feature extraction on the third environment parameter through a coding network in the self-coder network and outputs the environment features of the real environment of the sample.
The coding network may include an input layer, a hidden layer, and an output layer, each layer may include a number of neurons, and each neuron may perform linear mapping and nonlinear mapping on an input environmental parameter to obtain an environmental characteristic.
203. And the computer equipment reconstructs the environmental characteristics through a decoding network and outputs a fourth environmental parameter.
The fourth environment parameter refers to the environment parameter reconstructed by the decoding network according to the input environment characteristic. The fourth environment parameter may be of the same type as the third environment parameter, including, for example, one or more of a name of the business resource, a storage location of the business resource, a name of the desktop file, a storage location of the privacy file, or a network configuration parameter. The decoding network may include an input layer, a hidden layer, and an output layer, each layer may include a number of neurons, and each neuron may output the fourth environment parameter after performing linear mapping and nonlinear mapping on the input environment feature.
204. And the computer equipment acquires the loss value according to the difference between the third environmental parameter and the fourth environmental parameter.
The difference between the third environmental parameter and the fourth environmental parameter can reflect the accuracy of the self-encoder network, and the smaller the difference is, the more accurate the environmental characteristics generated by the encoding network are, and the more accurate the environmental parameters restored by the decoding network are.
The loss value is used for indicating the difference between the third environmental parameter and the fourth environmental parameter, and the smaller the difference between the third environmental parameter and the fourth environmental parameter is, the smaller the loss value is. The loss value may be obtained by calculating the third environmental parameter and the fourth environmental parameter using a loss function. The loss value includes, but is not limited to, a minimum absolute error (L1 loss), a minimum square error (L2 loss), a KL distance (also called relative entropy), and the like.
205. The computer device adjusts parameters from the encoder network based on the loss values.
The computer equipment can adopt a Back Propagation (Back Propagation) algorithm, the weight of each convolution kernel of the coding network and the decoding network is adjusted according to the loss value, and the accuracy of the self-encoder network prediction is improved by adjusting the weight, so that the difference between the restored environment parameter and the input environment parameter during the next prediction is reduced.
206. And when the training termination condition is met, the computer equipment outputs the decoding network adopted in the iteration process as the trained generation model.
The computer device may determine whether a training termination condition is satisfied during the execution of the above steps, stop training when the training termination condition is satisfied, and continue to execute the above steps when the training termination condition is not satisfied. Specifically, steps 201 to 205 may be performed as an iterative process, and in the process of training the self-encoder network, the steps 201 to 205 may be performed multiple times. Specifically, after the model parameters are adjusted, the above steps 201 to 205 may be executed again to obtain a new loss value, and the model parameters are adjusted again according to the new loss value until the training termination condition is satisfied, and the adjustment is stopped.
The training termination condition may be set as needed, for example, the loss value may be converged, or, for example, the loss function may satisfy a preset condition, or, for example, the capability of the training termination condition may not be improved within a period of time when the training termination condition is verified based on the verification data set. The target times may be preset iteration times to determine the timing of finishing training and avoid waste of training resources, and the preset condition may be that a loss function value is not changed or does not decrease in a period of time during the training process. When the training termination condition is met, the self-encoder network can effectively restore the input environmental parameters, and then the decoding network in the self-encoder network can be used as a generation model.
Illustratively, referring to fig. 3, a decoder capable of restoring the environment parameters of the real environment can be obtained by constructing a self-encoder network and using the parameters of the sample real environment for training, and the decoder is used as a generation model in the GAN.
In the method provided by the embodiment, the coding network is used for extracting the characteristics of the environment parameters of the real environment of the sample, the decoding network is used for reconstructing the environment characteristics extracted by the coding network into the environment parameters, and the coding network and the decoding network are trained, so that the decoding network learns the capability of automatically generating the environment parameters. And subsequently, on the basis of decoding the network, a final generated model is obtained by continuously training by using a training method of the GAN network, so that the generated model can be ensured to automatically simulate the environmental parameters of a real environment. Compared with a method for artificially designing the environment parameters, on one hand, the decoding network can automatically generate high-simulation environment parameters due to the fact that the decoding network learns the environment parameters of the real environment of the sample, so that the environment parameters are high in confusion, and an attacker is effectively attracted to attack. On the other hand, the labor cost and the time overhead caused by manual design of the environmental parameters are avoided, and the efficiency of generating the environmental parameters is greatly improved.
Fig. 4 is a flowchart of a training method for generating a generative confrontation network of environmental parameters of a honeypot environment, according to an embodiment of the present application, where an execution subject of the embodiment is a computer device, see fig. 4, and the method includes:
401. the computer device generates a second environmental parameter by generating a model.
Through the embodiment of fig. 2, the generative model has a basic capability of generating the environmental parameters of the real environment, and the method provided by this embodiment may be executed to continue training the generative model by using a GAN training method on the basis of the generative model obtained in the embodiment of fig. 2, thereby improving the accuracy of the parameters of the generative model and enhancing the simulation of the environmental parameters generated by the generative model.
The second environment parameter refers to the environment parameter generated by the GAN training stage generation model. The type of the second environment parameter may be the same as the type of the third environment parameter, and for example, include one or more of a name of the service resource, a storage location of the service resource, a data amount of the service resource, a name of the desktop file, a storage location of the privacy file, or a network configuration parameter.
In some embodiments, the process of generating the second environmental parameter may include the following steps one through two:
step one, inputting random parameters into a generation model by computer equipment.
The environmental characteristics may be initialized to obtain random parameters. The random parameter may be a vector, and each dimension of the vector takes the value of a random number.
And step two, the computer equipment adjusts the random parameters through the generated model to obtain second environment parameters.
402. The computer device inputs the second environmental parameter into the recognition model.
403. And the computer equipment identifies the second environment parameter through the identification model.
The identification model is used for identifying whether the environmental parameters generated by the generation model are the environmental parameters of the real environment. The recognition model may be a classifier, and the output result of the recognition model may represent that the environmental parameter is an environmental parameter of a real environment or an environmental parameter of a honeypot environment. For example, the recognition model may discriminate whether the second environment parameter is an environment parameter of the real environment or an environment parameter of the honeypot environment, and output a probability that the second environment parameter is discriminated as the environment parameter of the real environment. For example, if it is discriminated that the second environmental parameter is an environmental parameter of a real environment, the recognition model outputs 1, and if it is discriminated that the second environmental parameter is an environmental parameter of a honey pot environment, the recognition model outputs 0. The recognition model may be a neural network model, but may also be other machine learning models with classification functions.
404. And if the second environment parameter is recognized as the environment parameter of the honeypot environment by the recognition model, the computer equipment adjusts the parameter of the generated model until the environment parameter generated by the generated model is recognized as the environment parameter of the real environment by the recognition model, and the generated countermeasure network adopted by the iteration process is output as the trained generated countermeasure network.
The training process of the generative confrontation network can be understood as that the generative model and the recognition model play games with each other, and the two models confront each other to improve the authenticity of the generated result. Specifically, the environmental parameters of the honeypot environment for fitting the real environment can be generated by generating the model, the environmental parameters generated by generating the model and the environmental parameters of the sample real environment can be input into the recognition model, the input environmental parameters are recognized by the recognition model, and a recognition result is obtained, wherein the recognition result is used for indicating that the input environmental parameters are the environmental parameters of the real environment or the environmental parameters of the honeypot environment. According to the recognition result, a loss value can be obtained, and the parameters of the generative countermeasure network can be adjusted according to the loss value. If the environmental parameters output by the generating model are input into the recognition model, the recognition result output by the recognition model is the environmental parameters of the honeypot environment, and the recognition model shows that the non-real samples are distinguished by the recognition model, the environmental parameters of the generating model are adjusted to improve the simulation capability of the generating model; and if the recognition result of the recognition model is the environmental parameter of the real environment after the environmental parameter output by the generated model is input into the recognition model, which indicates that the recognition model confuses the non-real sample and the real sample, adjusting the environmental parameter of the recognition model to improve the discrimination capability of the recognition model. Through multiple times of training, the simulation capability of the environment parameters generated by the generated model can be continuously improved, the finally output environment parameters can achieve the effect of being false and spurious, and in addition, the discrimination capability of the discrimination model can be continuously improved.
Schematically, referring to fig. 5, the process of constructing the generative confrontation network may include the following steps (1) to (3).
And (1) generating an environment parameter by generating a model, and sending the environment parameter to the recognition model.
And (2) identifying whether the input environmental parameters of the model identification are environmental parameters of the real environment.
And (3) if the environmental parameters are identified to be the environmental parameters of the honey pot environment by the identification model, retraining and adjusting the generation model until the environmental parameters generated by the generation model are sent to the identification model, and the environmental parameters cannot be identified to be the environmental parameters of the honey pot environment by the identification model.
The method provided by the embodiment provides a method for constructing a generative model through a generative confrontation network, the environmental parameters of a honeypot environment are generated by training a generative model, the environmental parameters of the honeypot environment are identified by training a recognition model, and the environmental parameters generated by the generative model have very good puzzlement by countertraining the generative model and the recognition model.
Referring to fig. 6, the application phase of the generative countermeasure network, that is, the network attack detection process, is described below based on fig. 6, where the method may be applied to a server or a computer device, for example, the server may apply a trained generative countermeasure network to detect a network attack, and may also send the trained generative countermeasure network to any computer device to detect a network attack, and this embodiment is described by taking a computer device as an execution subject, and the network attack detection process includes:
601. the computer device invokes the generative countermeasure network.
The generative confrontation network comprises a generative model and an identification model, wherein the generative model is used for generating the environmental parameters of the honeypot environment, and the identification model is used for identifying whether the environmental parameters generated by the generative model are the environmental parameters of the real environment.
602. The computer device generates a first environmental parameter by generating a generative model in the generative confrontation network.
The first environmental parameter refers to an environmental parameter generated by a model application stage generation model. The type of the first environment parameter may be the same as the type of the third environment parameter, and for example, include one or more of a name of the service resource, a storage location of the service resource, a data amount of the service resource, a name of the desktop file, a storage location of the privacy file, or a network configuration parameter.
In some embodiments, the process of generating the first environmental parameter may include the following steps one to two:
step one, inputting random parameters into a generation model by computer equipment.
And step two, the computer equipment adjusts the random parameters through the generated model to obtain first environment parameters.
The generation process of the environment parameters in the model application phase may be the same as the generation process of the environment parameters in the model training phase, and is not described herein again.
603. The computer device outputs a first environmental parameter.
604. The computer device receives a recognition result input by a user.
In some embodiments, the environmental parameters generated by the generative model may be provided to an expert for recognition, and if the expert cannot distinguish the authenticity of the environmental parameters, the emulation of the environmental parameters is good, and the honeypot environment may be deployed using the environmental parameters. Specifically, after the computer device outputs the first environment parameter, the user may manually identify the first environment parameter in combination with experience, and perform an input operation on the computer device to input an identification result. The recognition result is used for representing the environmental parameters of the honeypot environment or the environmental parameters of the real environment.
605. If the recognition result indicates that the first environment parameter is the environment parameter of the real environment, the computer device configures the current environment parameter as the first environment parameter.
For example, if the first environment parameter includes a name of the business resource and a storage location of the business resource, the computer device may store the business resource corresponding to the name in the storage location. If the first environmental parameter comprises a storage location of the privacy file, the computer device may store the privacy file at the storage location. If the first environment parameter includes a name of the desktop file, the computer device may configure the name of the desktop file as the name. The business resources stored by the computer device can be simulated business resources, and the privacy files stored by the computer device can be simulated privacy files.
In some embodiments, the first environmental parameter may be configured in the real production environment, thereby constructing part or all of the real production environment as a honeypot environment; the first environment parameter can also be configured in the external environment of the real production environment, so that part or all of the external environment is constructed into the honeypot environment; the first environment parameter may be configured locally or on the remote device. For example, if the first environmental parameter comprises an environmental parameter of the remote device, the computer device may transmit the first environmental parameter and the configuration instructions to the remote device. The remote device configures the current environmental parameter to be the first environmental parameter according to the configuration instruction. In one exemplary scenario, a server in the enterprise network may be configured as the execution subject of the embodiment, the server obtains the first environmental parameter by generating a model, and sends the first environmental parameter to other servers, personal computers and hosts in the enterprise network to deploy the honeypot environment on the plurality of devices.
Referring to fig. 7, fig. 7 is a schematic diagram of network deployment before configuring a first environment parameter, referring to fig. 8, fig. 8 is a schematic diagram of network deployment after configuring the first environment parameter, where the first environment parameter may include names and storage locations of files such as "XX contract", "XX plan", "XX secret", and based on the first environment parameter, "XX contract", "XX plan", "XX secret" may be stored on an internal server or a host, respectively, and the service resources are used as decoys to induce hackers to attack.
Furthermore, if the recognition result indicates that the first environmental parameter is the environmental parameter of the honey pot environment, the computer device may execute the embodiment of fig. 4 to retrain the generative model until the human being cannot distinguish whether the environmental parameter generated by the generative model is the environmental parameter of the honey pot environment or the environmental parameter of the real environment.
606. The computer device captures network attack behavior during operation based on the first environmental parameter.
The computer device may record a network attack behavior, for example, a source Internet Protocol (IP) address for recording the network attack behavior, a time point of the network attack behavior, a type of the network attack behavior, and the like. In addition, when capturing the network attack behavior, the computer equipment can respond to the network attack behavior and return the reply message to the attacker of the network attack behavior, so that the attacker is prevented from identifying and invading the honeypot environment through interaction with the attacker. In addition, the computer device can hide its own IP address to avoid revealing a real IP address.
Referring to fig. 9, the flow of deploying a honeypot environment may include the following steps (1) to (5).
And (1) summarizing the dimensions of the environmental parameters of the honeypot environment, such as the positions of desktop files and privacy files, the names of the decoy files, the sizes of the decoy files, network configuration parameters and the like, through manual operation and analysis.
And (2) extracting the environmental parameters of the real environment of the sample as a data set.
And (3) inputting the data set into a generative confrontation network for training to obtain the trained generative confrontation network.
And (4) generating environmental parameters of the honeypot environment through a generative model of the generative confrontation network.
And (5) testing the environmental parameters of the honey pot environment through an artificial expert, if the environmental parameters of the honey pot environment cannot be identified, the environmental parameter test of the honey pot environment is passed, and the honey pot environment is deployed according to the environmental parameters.
In the related art, the environmental parameters of the honeypot environment need to be constructed by a large amount of time and energy consumed by workers, so that the consumed time cost and the human resource cost are huge, the efficiency is low, the environmental parameters can be influenced by human subjectivity, and the authenticity is poor. The honeypot environment configured by the artificially constructed environmental parameters can only capture broad-spectrum attacks, and is easy to be recognized by hackers rather than a real environment due to obvious characteristics, so that high-level attacks are difficult to capture. In addition, the honeypot environment is usually only specific to a specific scene, and has poor mobility, expansibility and flexibility.
The embodiment provides a method for deploying a honeypot environment by using a generative countermeasure network, wherein a generative model of the generative countermeasure network can automatically generate high-simulation environment parameters, and after configuration is performed based on the environment parameters, the honeypot environment close to the real environment can be configured, so that the immersive honeypot environment is provided. And time cost brought by manual determination of environmental parameters is saved, and manpower is greatly saved, so that efficiency is improved.
Fig. 10 is a schematic structural diagram of a network attack detection apparatus according to an embodiment of the present application. Referring to fig. 10, the apparatus includes:
the calling module 1001 is used for calling a generative confrontation network, the generative confrontation network comprises a generative model and an identification model, the generative model is used for generating environmental parameters of the honeypot environment, and the identification model is used for identifying whether the environmental parameters generated by the generative model are environmental parameters of a real environment;
a generating module 1002, configured to generate a first environment parameter through a generative model of a generative confrontation network;
a configuration module 1003, configured to configure a current environment parameter as a first environment parameter;
a capturing module 1004 for capturing a network attack behavior during operation based on the first environmental parameter.
The device that this application embodiment provided provides one kind and utilizes generation formula to fight the network and dispose the honeypot environment's device, and this generation formula fight the generative model of network can generate the environmental parameter of high emulation automatically, after configuring based on this environmental parameter, can dispose the honeypot environment that is close to the true environment to provide immersive honeypot environment, because the puzzlement nature and the disguise nature of honeypot environment are better, consequently can induce the attacker effectively and carry out the cyber attack, thereby detect the cyber attack action accurately in time. And time cost brought by manual determination of environmental parameters is saved, and manpower is greatly saved, so that efficiency is improved.
Optionally, the apparatus further comprises: the training module is used for generating a second environment parameter by generating a model; inputting the second environment parameter into the recognition model; identifying the second environment parameter through the identification model; and if the second environment parameter is identified as the environment parameter of the honeypot environment by the identification model, adjusting the parameter of the generation model until the environment parameter generated by the generation model is identified as the environment parameter of the real environment by the identification model.
Optionally, the generated model is a decoding network in a self-encoder network, the self-encoder network includes an encoding network and a decoding network, the encoding network is used for extracting features of the environment parameters of the real environment, and the decoding network is used for reconstructing the environment parameters of the real environment according to the extracted features.
Optionally, the training module is configured to input a third environment parameter from the encoder network, where the third environment parameter is an environment parameter of the real environment of the sample; extracting the characteristics of the third environment parameter through a coding network, and outputting the environment characteristics of the real environment of the sample; reconstructing the environment characteristics through a decoding network, and outputting a fourth environment parameter; acquiring a loss value according to the difference between the third environmental parameter and the fourth environmental parameter; adjusting parameters of the self-encoder network according to the loss value; and when the training termination condition is met, outputting the decoding network adopted in the iteration process as a trained generated model.
Optionally, the generating module 1002 is configured to input a random parameter into the generating model; and adjusting the random parameters through the generated model to obtain first environment parameters.
Optionally, the apparatus further comprises:
the output module is used for outputting a first environment parameter;
the receiving module is used for receiving an identification result input by a user;
a configuring module 1003, configured to configure the current environment parameter as the first environment parameter if the identification result indicates that the first environment parameter is the environment parameter of the real environment.
Optionally, the first environment parameter includes one or more of a name of the service resource, a storage location of the service resource, a data amount of the service resource, a name of the desktop file, a storage location of the privacy file, or a network configuration parameter.
All the above optional technical solutions may be combined arbitrarily to form the optional embodiments of the present disclosure, and are not described herein again.
It should be noted that: in the network attack detection apparatus provided in the foregoing embodiment, when detecting a network attack, only the division of the functional modules is exemplified, and in practical applications, the function distribution may be completed by different functional modules according to needs, that is, the internal structure of the network attack detection apparatus is divided into different functional modules to complete all or part of the functions described above. In addition, the network attack detection apparatus and the network attack detection method provided by the above embodiments belong to the same concept, and specific implementation processes thereof are detailed in the method embodiments and are not described herein again.
The computer device in the foregoing method embodiments may be implemented as a terminal or a server, for example, fig. 11 is a schematic structural diagram of a server provided in the present embodiment, where the server 1100 may generate a relatively large difference due to different configurations or performances, and may include one or more processors (CPUs) 1101 and one or more memories 1102, where at least one program code is stored in the memory 1102, and the at least one program code is loaded and executed by the processors 1101 to implement the network attack detection methods provided in the foregoing method embodiments. Certainly, the server may further have a wired or wireless network interface, an input/output interface, and other components to facilitate input and output, and the server may further include other components for implementing functions of the device, which are not described herein again.
In an exemplary embodiment, a computer-readable storage medium, such as a memory including a program code, which is executable by a processor to perform the network attack detection method in the above-described embodiment, is also provided. For example, the computer-readable storage medium may be a Read-Only Memory (ROM), a Random Access Memory (RAM), a Compact Disc Read-Only Memory (CD-ROM), a magnetic tape, a floppy disk, an optical data storage device, and the like.
It should be understood that, in the various embodiments of the present application, the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present application.
It should be understood that determining B from a does not mean determining B from a alone, but may also be determined from a and/or other information.
It will be understood by those skilled in the art that all or part of the steps of implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, and the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The present application is intended to cover various modifications, alternatives, and equivalents, which may be included within the spirit and scope of the present application.

Claims (8)

1. A network attack detection method, performed by a server in an enterprise network, the method comprising:
calling a generative confrontation network, wherein the generative confrontation network comprises a generative model and an identification model, the generative model is used for generating environmental parameters of the honeypot environment, and the identification model is used for identifying whether the environmental parameters generated by the generative model are environmental parameters of a real environment;
generating a first environment parameter through a generative model of the generative countermeasure network, wherein the first environment parameter comprises one or more of the name of a service resource, the storage position of the service resource, the data volume of the service resource, the name of a desktop file or the storage position of a privacy file;
outputting the first environmental parameter;
receiving a recognition result input by a user;
if the identification result shows that the first environment parameter is the environment parameter of the real environment, configuring the current environment parameters of a plurality of devices in the enterprise network except the server as the first environment parameter;
capturing network attack behavior during operation of the plurality of devices based on the first environmental parameter;
the generating model is a decoding network in a self-encoder network, the self-encoder network comprises an encoding network and the decoding network, the encoding network is used for carrying out feature extraction on the environment parameters of the real environment, and the decoding network is used for reconstructing the environment parameters of the real environment according to the extracted features;
the training process of the generative model comprises the following steps:
inputting a third environment parameter into the self-encoder network, wherein the third environment parameter is an environment parameter of a real environment of the sample;
extracting the characteristics of the third environment parameters through the coding network, and outputting the environment characteristics of the real environment of the sample;
reconstructing the environment characteristics through the decoding network and outputting a fourth environment parameter;
obtaining a loss value according to the difference between the third environmental parameter and the fourth environmental parameter;
adjusting parameters of the self-encoder network according to the loss value;
and when the training termination condition is met, outputting the decoding network adopted in the iteration process as a trained generated model.
2. The method of claim 1, wherein the training process of the generative confrontation network comprises:
generating a second environment parameter through the generation model;
inputting the second environmental parameter into the recognition model;
identifying the second environment parameter through the identification model;
and if the second environmental parameter is identified as the environmental parameter of the honeypot environment by the identification model, adjusting the parameter of the generated model until the environmental parameter generated by the generated model is identified as the environmental parameter of the real environment by the identification model.
3. The method of claim 1, wherein generating a first environmental parameter via a generative model of the generative countermeasure network comprises:
inputting random parameters into the generative model;
and adjusting the random parameter through the generation model to obtain the first environment parameter.
4. A cyber attack detecting apparatus provided in a server of an enterprise network, the apparatus comprising:
the generating countermeasure network comprises a generating model and an identifying model, the generating model is used for generating environmental parameters of the honeypot environment, and the identifying model is used for identifying whether the environmental parameters generated by the generating model are environmental parameters of the real environment or not;
the generating module is used for generating a first environment parameter through a generating model of the generating type countermeasure network, wherein the first environment parameter comprises one or more of the name of a service resource, the storage position of the service resource, the data volume of the service resource, the name of a desktop file or the storage position of a privacy file;
the output module is used for outputting the first environment parameter;
the receiving module is used for receiving an identification result input by a user;
a configuration module, configured to configure current environmental parameters of a plurality of devices in the enterprise network, except the server, as the first environmental parameters if the identification result indicates that the first environmental parameters are environmental parameters of a real environment;
the capturing module is used for capturing network attack behaviors in the process that the plurality of devices operate based on the first environment parameters;
the generating model is a decoding network in a self-encoder network, the self-encoder network comprises an encoding network and the decoding network, the encoding network is used for carrying out feature extraction on the environment parameters of the real environment, and the decoding network is used for reconstructing the environment parameters of the real environment according to the extracted features;
the device further comprises:
the training module is used for inputting a third environment parameter into the self-encoder network, wherein the third environment parameter is an environment parameter of a real environment of the sample; extracting the characteristics of the third environment parameter through the coding network, and outputting the environment characteristics of the real environment of the sample; reconstructing the environment characteristics through the decoding network and outputting a fourth environment parameter; obtaining a loss value according to the difference between the third environmental parameter and the fourth environmental parameter; adjusting parameters of the self-encoder network according to the loss value; and when the training termination condition is met, outputting the decoding network adopted in the iteration process as a trained generated model.
5. The apparatus of claim 4, wherein the training module is further configured to generate a second environment parameter through the generative model; inputting the second environmental parameter into the recognition model; identifying the second environment parameter through the identification model; and if the second environmental parameter is identified as the environmental parameter of the honeypot environment by the identification model, adjusting the parameter of the generated model until the environmental parameter generated by the generated model is identified as the environmental parameter of the real environment by the identification model.
6. The apparatus of claim 4, wherein the generating module is configured to input random parameters into the generative model; and adjusting the random parameter through the generation model to obtain the first environment parameter.
7. A computer device, comprising one or more processors and one or more memories having stored therein at least one program code, the at least one program code loaded into and executed by the one or more processors to perform the operations performed by the network attack detection method of any one of claims 1 to 3.
8. A computer-readable storage medium having stored therein at least one program code, the at least one program code being loaded into and executed by a processor to perform operations performed by the network attack detection method according to any one of claims 1 to 3.
CN201911289345.2A 2019-12-13 2019-12-13 Network attack detection method, device, equipment and storage medium Active CN110958263B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911289345.2A CN110958263B (en) 2019-12-13 2019-12-13 Network attack detection method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911289345.2A CN110958263B (en) 2019-12-13 2019-12-13 Network attack detection method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN110958263A CN110958263A (en) 2020-04-03
CN110958263B true CN110958263B (en) 2022-07-12

Family

ID=69981700

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911289345.2A Active CN110958263B (en) 2019-12-13 2019-12-13 Network attack detection method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN110958263B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111931874B (en) * 2020-10-09 2020-12-25 北京元支点信息安全技术有限公司 Adjoint bait generation method and device based on deep learning and data clustering
CN112232434B (en) * 2020-10-29 2024-02-20 浙江工业大学 Correlation analysis-based anti-attack cooperative defense method and device
CN113794674B (en) * 2021-03-09 2024-04-09 北京沃东天骏信息技术有限公司 Method, device and system for detecting mail
CN113489694B (en) * 2021-06-24 2023-04-28 浙江德迅网络安全技术有限公司 Dynamic defense system for resisting large-flow attack in honey farm system

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102254111A (en) * 2010-05-17 2011-11-23 北京知道创宇信息技术有限公司 Malicious site detection method and device

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104506507B (en) * 2014-12-15 2017-10-10 蓝盾信息安全技术股份有限公司 A kind of sweet net safety protective system and method for SDN
AU2017283544A1 (en) * 2016-06-13 2018-11-01 FHOOSH, Inc. Systems and methods for secure storage of user information in a user profile
US20190044942A1 (en) * 2017-08-01 2019-02-07 Twosense, Inc. Deep Learning for Behavior-Based, Invisible Multi-Factor Authentication
CN109685200B (en) * 2018-11-19 2023-04-25 华东师范大学 Mist computing industrial protocol construction method and system based on generation countermeasure network

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102254111A (en) * 2010-05-17 2011-11-23 北京知道创宇信息技术有限公司 Malicious site detection method and device

Also Published As

Publication number Publication date
CN110958263A (en) 2020-04-03

Similar Documents

Publication Publication Date Title
CN110958263B (en) Network attack detection method, device, equipment and storage medium
Li et al. DDoS attack detection based on neural network
CN109902018B (en) Method for acquiring test case of intelligent driving system
CN110990631A (en) Video screening method and device, electronic equipment and storage medium
CN111343174B (en) Intelligent learning type self-response industrial internet honeypot induction method and system
CN114331829A (en) Countermeasure sample generation method, device, equipment and readable storage medium
Chen et al. Backdoor attacks and defenses for deep neural networks in outsourced cloud environments
Li et al. Deep learning backdoors
Zhao et al. Maldeep: A deep learning classification framework against malware variants based on texture visualization
AU2021210217B2 (en) Neural flow attestation
Kumar et al. Synthetic attack data generation model applying generative adversarial network for intrusion detection
CN114422271B (en) Data processing method, device, equipment and readable storage medium
CN116569180A (en) Generating data based on a pre-trained model using a generated countermeasure model
Mohammadpourfard et al. Generation of false data injection attacks using conditional generative adversarial networks
CN114584359A (en) Safe trapping method and device and computer equipment
Truong et al. X-ware: a proof of concept malware utilizing artificial intelligence
Nazari et al. Using cgan to deal with class imbalance and small sample size in cybersecurity problems
CN110581857B (en) Virtual execution malicious software detection method and system
Clausen et al. Evading stepping-stone detection with enough chaff
Lu et al. Ranking attack graphs with graph neural networks
CN115758337A (en) Back door real-time monitoring method based on timing diagram convolutional network, electronic equipment and medium
CN110414233A (en) Malicious code detecting method and device
KR102092684B1 (en) Apparatus and method for cyber security training based on random forest
Stahl et al. Intelligence Techniques in Computer Security and Forensics: at the boundaries of ethics and law
Kukiełka et al. Analysis of neural networks usage for detection of a new attack in IDS

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
REG Reference to a national code

Ref country code: HK

Ref legal event code: DE

Ref document number: 40021512

Country of ref document: HK

GR01 Patent grant
GR01 Patent grant