CN111277564B - Enterprise network anomaly detection method and system based on dynamic storage network - Google Patents

Info
Publication number: CN111277564B
Authority: CN (China)
Prior art keywords: module, event, vector, network, storage
Legal status: Active (as listed by Google Patents, not a legal conclusion)
Application number: CN202010017618.4A
Other languages: Chinese (zh)
Other versions: CN111277564A (en)
Inventors: 吴振东, 李锐, 于治楼, 安程治
Current assignee: Shandong Inspur Scientific Research Institute Co Ltd
Original assignee: Shandong Inspur Scientific Research Institute Co Ltd
Events: application filed by Shandong Inspur Scientific Research Institute Co Ltd; priority to CN202010017618.4A; publication of CN111277564A; application granted; publication of CN111277564B; legal status active; anticipated expiration.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/14 Network analysis or design
    • H04L 41/142 Network analysis or design using statistical or mathematical methods
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Abstract

The invention discloses an enterprise network anomaly detection method and system based on a dynamic storage network, belonging to the field of network security detection. The detection system implicitly encodes the workflow paths of the underlying system through an iterative attention process and saves them in a temporary storage module, so that the system can present related events as potentially important clues to malicious activity, which facilitates tracing the origin of an attack. It also detects latent correlations between events from different domains, reduces the dependency between adjacent events, improves the sensitivity of the detection method to network anomalies, secures the enterprise network and reduces the security threat borne by it.

Description

Enterprise network anomaly detection method and system based on dynamic storage network
Technical Field
The invention discloses an enterprise network anomaly detection method and system based on a dynamic storage network, and relates to the technical field of network security detection.
Background
An intranet is a network built on internet technology, in particular on world wide web technology, used mainly for information exchange within a business or organization; it can be connected to the internet through a proxy server. With the proliferation of network applications, enterprise networks face a wide variety of network threats. The weakness of internal networks, the differing privileges of users and the dispersal of confidential information are the main reasons why an enterprise network must be maintained with anomaly detection technology.
Anomaly detection techniques have found wide application in predictive maintenance. By finding abnormal operating behaviour in web log data, the source of an attack on the enterprise network can be traced, the attack can be guarded against in advance, and the security threat borne by the enterprise network is reduced.
Existing anomaly detection methods work well on specific time series whose behaviour is dominated by strong temporal dependencies, but a composite sequence of multi-domain event records amounts to a mixture of several time series, in which the dependency between adjacent events is much weaker. In that setting the aforementioned anomaly detection techniques perform poorly.
Disclosure of Invention
To address the problems of the prior art, the invention provides an enterprise network anomaly detection method and system based on a dynamic storage network. The adopted technical scheme is as follows: an enterprise network anomaly detection method based on a dynamic storage network comprises the following steps:
S1, preprocessing the original events and recording and maintaining a multi-domain event database;
S2, converting the current event C and the historical events S into multi-dimensional numeric vectors Q and F by field-level embedding and temporal-level encoding;
S3, forming an integrated memory M by retrieving the facts F related to Q and aggregating them through an iterative attention process, the memory being initialized to the encoded vector of the current event, $M_0 = Q$;
S4, decoding the integrated memory M to obtain the probability distribution of the expected event;
S5, determining whether the current event is anomalous by comparing the current event with the predicted event.
The specific steps of S2 are as follows:
S201, a recurrent continuous bag-of-words model is preset, and the embedding vector of each field of the current event C and of the historical events S is calculated to obtain the corresponding field-level embedding vectors Q and F;
S202, the field-level embedding vectors Q and F are fed into a bidirectional gated recurrent unit (Bi-GRU), and the encoded vectors of Q and F are denoted Q and $F=[f_1, f_2, \dots, f_T]$.
The specific steps of S3 are as follows:
S301, for each iteration i, an attention (reminding) vector $A_i=[a^i_1, a^i_2, \dots, a^i_T]$ is computed from the correlation between the given F and Q;
S302, the attention vector is produced by a two-layer feedforward neural network whose input captures the interactions between the encoded historical event $f_t$, the previous memory $M_{i-1}$ and the current event Q, denoted $Z_t$;
S303, a GRU whose update is modified by the attention weights (attGRU) computes the episode $E_{att}$; its final hidden state for the given attention vector defines $E^i_{att} = h^i_T$;
S304, for each iteration i, the integrated memory M is updated to $M_i$.
S4 decodes the integrated memory M with a gated recurrent unit (GRU) combined with a fully connected layer (FCL); given the historical events S, a separate GRU_j + FCL_j network is built to predict the j-th field of the predicted event
Figure GDA0003608467870000021
(the symbol shown above denotes the predicted event).
In the process of S3, the retrieved relevant facts are saved in a temporary storage mechanism, which is implemented by the following steps:
S311, historical events F whose attention value exceeds a threshold λ are taken as related events;
S312, once the final memory is obtained, the anomaly detection system puts the indices of the relevant facts into the temporary storage;
S313, the anomaly detection system queries the cache to obtain the related previous events;
S314, the anomaly detection early warning is passed to a network security officer for analysis;
S315, when the current event is normal, the anomaly detection system automatically clears the cache.
An enterprise network anomaly detection system based on a dynamic storage network comprises a data preparation module, a representation layer module, a storage formation module, a temporary storage module, a prediction layer module and an anomaly detection module;
data preparation module: preprocesses the original events and records and maintains a multi-domain event database;
representation layer module: converts the current event C and the historical events S into multi-dimensional numeric vectors Q and F by field-level embedding and temporal-level encoding;
storage formation module: retrieves the facts F related to Q and aggregates them through an iterative attention process to form the integrated memory M, which is initialized to the encoded vector of the current event, $M_0 = Q$;
temporary storage module: stores the relevant facts found by the storage formation module as related events;
prediction layer module: decodes the integrated memory M to obtain the probability distribution of the expected event;
anomaly detection module: compares the current event with the predicted event to judge whether the current event is anomalous.
The representation layer module comprises a vector conversion module and a code conversion module;
the vector conversion module presets a recurrent continuous bag-of-words model to calculate the embedding vector of each field of the current event C and the historical events S, obtaining the corresponding field-level embedding vectors Q and F;
the code conversion module feeds the field-level embedding vectors Q and F into a bidirectional gated recurrent unit (Bi-GRU), and the encoded vectors of Q and F are denoted Q and $F=[f_1, f_2, \dots, f_T]$.
The storage formation module comprises a correlation calculation module, an internal connection module, a state hiding module and a storage update module;
correlation calculation module: for each iteration i, computes an attention vector $A_i=[a^i_1, a^i_2, \dots, a^i_T]$ from the correlation between the given F and Q;
internal connection module: feeds a two-layer feedforward neural network with a vector capturing the interactions between the encoded historical event $f_t$, the previous memory $M_{i-1}$ and the current event Q, denoted $Z_t$, to produce the attention vector;
state hiding module: uses a GRU whose update is modified by the attention weights (attGRU) to compute the episode $E_{att}$ and obtain the final hidden state for the given attention vector, $E^i_{att} = h^i_T$;
storage update module: for each iteration i, updates the integrated memory M to $M_i$.
The beneficial effects of the invention are as follows: the detection method implicitly encodes the workflow paths of the underlying system through an iterative attention process, so that related events can be presented as potentially important clues to malicious activity, which facilitates tracing the origin of an attack; at the same time it detects latent correlations between events from different domains, reduces the dependency between adjacent events, improves the sensitivity of the detection method to network anomalies, secures the enterprise network and reduces the security threat borne by it.
In the detection system, the data preparation module and the representation layer module work together to take the detected network signal as the current event and implicitly encode it; the storage formation module works with the temporary storage module to extract the episodic features of the current event through the iterative attention process, form the integrated memory M and save it in the temporary storage module; the prediction layer module and the anomaly detection module compare the current event with the integrated memory M, thereby detecting the network signal of the current event. The detection system thus implicitly encodes the workflow paths of the underlying system through an iterative attention process and saves them in the temporary storage module, so that it can present related events as potentially important clues to malicious activity, facilitates origin tracing, detects latent correlations between events from different domains, reduces the dependency between adjacent events, improves the sensitivity of the detection system to network anomalies, secures the enterprise network and reduces the security threat borne by it.
Drawings
To illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. The drawings described below show some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a flow chart of the enterprise network anomaly detection method based on a dynamic storage network; FIG. 2 is a schematic structural diagram of the enterprise network anomaly detection system based on a dynamic storage network; FIG. 3 is a workflow diagram of the enterprise network anomaly detection system based on a dynamic storage network.
Detailed Description
The present invention is further described below with reference to the figures and specific examples so that those skilled in the art may better understand and practise it; the examples are not intended to limit the invention.
The first embodiment is as follows:
an enterprise network anomaly detection method based on a dynamic storage network comprises the following steps:
S1, a new event is taken as the current event C and normalized into a set of preset fields; the K most recent time windows are taken from the database as the related context, and the historical events are denoted S;
S2, the current event C and the historical events S are converted into multi-dimensional numeric vectors Q and F by field-level embedding and temporal-level encoding; the specific steps are:
S201, a recurrent continuous bag-of-words model is preset, and the embedding vector of each field of the current event C and of the historical events S is calculated to obtain the corresponding field-level embedding vectors Q and F;
S202, the field-level embedding vectors Q and F are fed into a bidirectional gated recurrent unit (Bi-GRU), and the encoded vectors of Q and F are denoted Q and $F=[f_1, f_2, \dots, f_T]$, where $f_t$ is the encoded vector of the t-th historical event;
the recurrent continuous bag-of-words model reuses hidden states, fusing a large amount of context information into the field-level embedding. For fields with continuous values, such as timestamps, the range of values is divided into several segments so that the large number of continuous values is reduced to a smaller set of discrete intervals;
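The data preparation side of S1 and S2, as an added example that is not part of the patent: constructed raw records from three domains are normalized into one preset field schema, the continuous timestamp is reduced to discrete intervals, each (field, value) pair is indexed for the embedding layer, and the K most recent time windows are returned as the historical context S. The schema, interval boundaries and window length are assumptions chosen for illustration.

```python
"""Added example (not the patent's code): the input side of steps S1/S2.

Constructed raw records from three domains (authentication, web proxy, DNS)
are normalized into one preset field schema, the continuous timestamp is
reduced to a few discrete intervals, each (field, value) pair is given an index
for the embedding layer, and the K most recent time windows of the event store
are returned as the historical context S. The schema, interval boundaries and
window length are assumptions chosen for illustration.
"""

# Preset field schema: every event, whatever its domain, gets these n fields.
FIELDS = ("domain", "time_bin", "user", "src", "dst", "action", "result")

# Hour-of-day boundaries (assumed) that turn the continuous timestamp into
# a small set of discrete intervals, as the text describes for such fields.
TIME_BINS = ((0, 6, "night"), (6, 9, "morning"), (9, 18, "workday"), (18, 24, "evening"))


def bin_timestamp(ts):
    """Map an epoch-seconds timestamp (UTC) to its discrete hour-of-day interval."""
    hour = (ts // 3600) % 24
    for lo, hi, label in TIME_BINS:
        if lo <= hour < hi:
            return label
    return "unknown"


def normalize_event(raw):
    """Project a raw record from any domain onto the preset field schema.

    Fields a domain does not provide get the placeholder '<none>' so that
    every event has exactly the same n fields.
    """
    event = {f: "<none>" for f in FIELDS}
    event["domain"] = raw["domain"]
    event["time_bin"] = bin_timestamp(raw["ts"])
    if raw["domain"] == "auth":
        event.update(user=raw["user"], src=raw["src_ip"], dst=raw["host"],
                     action="logon", result=raw["outcome"])
    elif raw["domain"] == "web":
        event.update(user=raw["user"], src=raw["client"], dst=raw["url_host"],
                     action=raw["method"], result="%dxx" % (raw["status"] // 100))
    elif raw["domain"] == "dns":
        event.update(src=raw["client"], dst=raw["qname"],
                     action="query", result=raw["rcode"])
    else:
        raise ValueError("unknown event domain: %r" % raw["domain"])
    return event


def build_vocab(events):
    """Index every (field, value) pair; the embedding layer is looked up by index."""
    vocab = {}
    for ev in events:
        for f in FIELDS:
            vocab.setdefault((f, ev[f]), len(vocab))
    return vocab


def prepare(raw_events):
    """S1: preprocess raw events into the (timestamp, normalized event) store."""
    return [(r["ts"], normalize_event(r)) for r in raw_events]


def recent_context(store, window_seconds, k):
    """Historical events S: the events of the K most recent time windows."""
    windows = sorted({ts // window_seconds for ts, _ in store})[-k:]
    keep = set(windows)
    return [ev for ts, ev in store if ts // window_seconds in keep]


# Constructed sample input: three raw records with their native field names.
RAW_EVENTS = [
    {"domain": "auth", "ts": 1_700_000_000, "user": "alice", "src_ip": "10.0.0.5",
     "host": "fs01", "outcome": "success"},
    {"domain": "web", "ts": 1_700_000_300, "user": "alice", "client": "10.0.0.5",
     "url_host": "intranet.example", "method": "GET", "status": 200},
    {"domain": "dns", "ts": 1_700_010_000, "client": "10.0.0.5",
     "qname": "intranet.example", "rcode": "NOERROR"},
]

if __name__ == "__main__":
    store = prepare(RAW_EVENTS)
    for _, ev in store:
        print(ev)
    print("vocabulary size:", len(build_vocab([ev for _, ev in store])))
    print("S (most recent window):", recent_context(store, 3600, 1))
```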
S3, an integrated memory M is formed by retrieving the facts F related to Q and aggregating them through an iterative attention process; the memory is initialized to the encoded vector of the current event, $M_0 = Q$. The specific steps are:
S301, for each iteration i, an attention (reminding) vector $A_i=[a^i_1, a^i_2, \dots, a^i_T]$ is computed from the correlation between the given F and Q, where $a^i_t$ is the attention weight;
S302, a two-layer feedforward neural network takes as input a vector $z_t$ that captures the interactions between the encoded historical event $f_t$, the previous memory $M_{i-1}$ and the current event Q:
Figure GDA0003608467870000064
Figure GDA0003608467870000061
where ∘ denotes the element-wise product and $W_1, W_2, b_1, b_2$ are parameters to be learned;
S303, a GRU whose update is modified by the attention weights (attGRU) computes the episode $E_{att}$, yielding the final hidden state $h^i_T$ for the given attention vector $a^i_t$:
Figure GDA0003608467870000062
The episode is defined as the final hidden state of the attGRU, $E^i_{att} = h^i_T$, where $a^i_t$ are the attention weights. S304, for each iteration i, the integrated memory M is updated to:
Figure GDA0003608467870000063
During S3 the retrieved relevant facts are saved in a temporary storage mechanism; since there is no explicit supervision, the maximum number of iterations r is set by the operator. The mechanism is implemented by the following steps:
S311, historical events F whose attention value exceeds the threshold λ are taken as related events;
S312, once the final memory is obtained, the anomaly detection system puts the indices of the relevant facts into the temporary storage, as a summary of the episodes produced by each iteration;
S313, the anomaly detection system queries the cache to obtain the related previous events;
S314, the anomaly detection early warning is passed to a network security officer for analysis;
S315, when the current event is normal, the anomaly detection system automatically clears the cache;
temporarily storing only the indices of the related events avoids the slowdown that excessive stored content would cause, which improves the efficiency of the detection method and increases its sensitivity;
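The iterative attention memory of S3 together with the temporary storage of S311 to S315, as an added example that is not the patent's own code. The page shows the equations only as images, so the concrete forms here (feature vector $z_t$, two-layer scorer, attention-gated GRU, ReLU memory update) follow the standard dynamic-memory-network design the step names point at and are assumptions; the parameters are randomly initialized and untrained, so the block shows the mechanics rather than a trained detector.

```python
"""Added example (not the patent's code): step S3 with the index cache of
S311/S312. Formulas are the usual dynamic-memory-network forms (assumed);
weights are untrained random values. Vectors are plain lists, d = hidden size."""
import math
import random

RNG = random.Random(7)  # fixed seed so the untrained parameters are reproducible


def _mat(rows, cols):
    """Random weight matrix standing in for a learned parameter (assumption)."""
    return [[RNG.uniform(-0.5, 0.5) for _ in range(cols)] for _ in range(rows)]


def _matvec(w, x):
    return [sum(wij * xj for wij, xj in zip(row, x)) for row in w]


def _add(a, b):
    return [x + y for x, y in zip(a, b)]


def _mul(a, b):
    return [x * y for x, y in zip(a, b)]


def _absdiff(a, b):
    return [abs(x - y) for x, y in zip(a, b)]


def _sigmoid(v):
    return [1.0 / (1.0 + math.exp(-x)) for x in v]


def _tanh(v):
    return [math.tanh(x) for x in v]


def _softmax(v):
    m = max(v)
    e = [math.exp(x - m) for x in v]
    s = sum(e)
    return [x / s for x in e]


class EpisodicMemory:
    """One storage formation pass: attention -> attGRU episode -> memory update."""

    def __init__(self, d, hidden=8):
        self.d = d
        # S302: two-layer feedforward scorer over z_t (length 4d) giving Z_t.
        self.W1, self.b1 = _mat(hidden, 4 * d), [0.0] * hidden
        self.W2, self.b2 = _mat(1, hidden), [0.0]
        # S303: GRU reset and candidate weights; the update gate is replaced
        # by the attention weight a_t, which is what makes it an attGRU.
        self.Wr, self.Ur, self.br = _mat(d, d), _mat(d, d), [0.0] * d
        self.Wh, self.Uh, self.bh = _mat(d, d), _mat(d, d), [0.0] * d
        # S304: memory update M_i = ReLU(Wm [M_{i-1}; E_i; Q] + bm).
        self.Wm, self.bm = _mat(d, 3 * d), [0.0] * d

    def attention(self, facts, q, m_prev):
        """S301/S302: attention weights a_t over the facts for this iteration."""
        scores = []
        for f in facts:
            # z_t captures the interactions of f_t with Q and with M_{i-1}.
            z = _mul(f, q) + _mul(f, m_prev) + _absdiff(f, q) + _absdiff(f, m_prev)
            hidden = _tanh(_add(_matvec(self.W1, z), self.b1))
            scores.append(_add(_matvec(self.W2, hidden), self.b2)[0])
        return _softmax(scores)

    def episode(self, facts, weights):
        """S303: run the attGRU over the facts; E^i_att is the final state h_T."""
        h = [0.0] * self.d
        for f, a in zip(facts, weights):
            r = _sigmoid(_add(_add(_matvec(self.Wr, f), _matvec(self.Ur, h)), self.br))
            h_tilde = _tanh(_add(_add(_matvec(self.Wh, f), _matvec(self.Uh, _mul(r, h))), self.bh))
            h = [a * ht + (1.0 - a) * hp for ht, hp in zip(h_tilde, h)]
        return h

    def update(self, m_prev, ep, q):
        """S304: M_i from the previous memory, the new episode and Q."""
        return [max(0.0, v) for v in _add(_matvec(self.Wm, m_prev + ep + q), self.bm)]


def form_memory(model, facts, q, r, lam):
    """Run r iterations from M_0 = Q (S3). Returns (M_r, cache), where cache
    holds the indices of facts whose attention weight exceeded lambda in any
    iteration (S311/S312): only indices are kept, not the fact vectors."""
    m = list(q)
    cache = set()
    for _ in range(r):
        a = model.attention(facts, q, m)
        cache.update(t for t, w in enumerate(a) if w > lam)
        m = model.update(m, model.episode(facts, a), q)
    return m, sorted(cache)


# Constructed sample input: four encoded historical events f_t and the query Q.
FACTS = [[0.9, 0.1, 0.0], [0.0, 0.8, 0.2], [0.1, 0.1, 0.9], [0.9, 0.2, 0.1]]
Q = [0.8, 0.1, 0.1]
MODEL = EpisodicMemory(d=3)

if __name__ == "__main__":
    memory, related = form_memory(MODEL, FACTS, Q, r=3, lam=0.3)
    print("M_r =", [round(v, 3) for v in memory])
    print("related fact indices in temporary storage:", related)
```

With untrained weights the attention is arbitrary, so which indices land in the cache is not meaningful here; what the block shows is the data flow and the fact that the cache stays a small index set regardless of r.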
S4, the integrated memory M is decoded by a GRU combined with a fully connected layer (FCL); given the historical events, a separate GRU_j + FCL_j network is built to predict the j-th field of the predicted event
Figure GDA0003608467870000071
(the symbol shown above denotes the predicted event); the specific steps are:
S401, the field $u_j$ of the predicted event is represented by GRU_j + FCL_j;
S402, the conditional probability of the field $u_j$ of the expected event is calculated:
Figure GDA0003608467870000072
where $g^j_t$ is the hidden state of GRU_j at time t, $W^{(1)}_j$, $W^{(2)}_j$, $b^{(1)}_j$ and $b^{(2)}_j$ are the weights and biases of FCL_j, $y^j_t$ is the output of the first fully connected layer, and $u_j$ is obtained by the softmax function at the end of the second fully connected layer;
S403, the predicted event
Figure GDA0003608467870000073
is expressed as:
Figure GDA0003608467870000074
where n is the number of predefined fields of an event;
the model is trained by minimizing the cross-entropy loss between expected events and observed events over the training event sequence, while overfitting is avoided with techniques such as L2 regularization, dropout and adding gradient noise;
S5, the currently observed event C is compared with the predicted event
Figure GDA0003608467870000075
to determine whether the current event is anomalous; the specific steps are:
S501, a threshold is set as the cut-off value in the prediction output;
S502, it is judged whether the current event C lies within the first k predicted events
Figure GDA0003608467870000076
(the predicted events being denoted by the symbol shown above);
S503, when the judgment in S502 is yes, the current event C is a normal event and the system clears the cache;
S504, when the judgment in S502 is no, the system immediately raises an alarm;
S505, after the current event C that caused the alarm has been read and cached as a related historical event, the system clears the cache;
this completes one round of detection of the network signal;
the detection method of the invention implicitly encodes the workflow paths of the underlying system through the iterative attention process, so that it can present related events as potentially important clues to malicious activity, facilitates origin tracing, detects latent correlations between events from different domains, reduces the dependency between adjacent events, improves the sensitivity of the detection method to network anomalies, secures the enterprise network and reduces the security threat borne by it.
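The decision steps S501 to S505 together with the cache lookup of S313 to S315, as an added example that is not the patent's own code. The per-field prediction distributions are constructed as if they were the softmax outputs of the GRU_j + FCL_j decoders, and "within the first k predicted events" is interpreted field-wise (every field value of C must rank within the top k of its field's distribution), which is an assumption.

```python
"""Added example (not the patent's code): steps S501-S505 plus the temporary
cache of related historical events (S313-S315). Prediction distributions are
constructed stand-ins for the decoder outputs; the top-k test is applied
field-wise (assumption)."""
from dataclasses import dataclass, field


def top_k(dist, k):
    """Values ranked within the first k of a field's predicted distribution."""
    ranked = sorted(dist.items(), key=lambda kv: (-kv[1], kv[0]))
    return {value for value, _ in ranked[:k]}


def within_top_k(current, predicted, k):
    """S502: is every field of C among the k most likely predicted values?"""
    return all(current[f] in top_k(dist, k) for f, dist in predicted.items())


@dataclass
class Detector:
    history: list                              # normalized historical events
    cache: set = field(default_factory=set)    # indices of related facts (S312)
    k: int = 3                                 # S501 cut-off in the prediction output

    def related_events(self):
        """S313: resolve the cached indices to the related previous events."""
        return [self.history[i] for i in sorted(self.cache)]

    def decide(self, current, predicted):
        """S502-S505. Returns ('normal', None) or ('alarm', alert dict)."""
        if within_top_k(current, predicted, self.k):
            self.cache.clear()                    # S503 / S315
            return "normal", None
        alert = {                                 # S504 / S314: for the analyst
            "event": current,
            "related_events": self.related_events(),
        }
        self.history.append(current)              # S505: C kept as related history
        self.cache.clear()
        return "alarm", alert


# Constructed sample input: three normalized historical events, the cache left
# by the storage formation step (indices 0 and 2 exceeded the threshold), and
# per-field predicted distributions for the next event.
HISTORY = [
    {"domain": "auth", "action": "logon", "result": "success"},
    {"domain": "web", "action": "GET", "result": "2xx"},
    {"domain": "web", "action": "GET", "result": "3xx"},
]
PREDICTED = {
    "domain": {"web": 0.90, "auth": 0.08, "dns": 0.02},
    "action": {"GET": 0.60, "POST": 0.25, "logon": 0.10, "query": 0.05},
    "result": {"2xx": 0.70, "3xx": 0.20, "4xx": 0.05, "success": 0.05},
}
NORMAL = {"domain": "web", "action": "GET", "result": "2xx"}
ANOMALOUS = {"domain": "web", "action": "PUT", "result": "5xx"}

if __name__ == "__main__":
    det = Detector(history=list(HISTORY), cache={0, 2})
    print(det.decide(NORMAL, PREDICTED))
    det.cache = {0, 2}
    kind, alert = det.decide(ANOMALOUS, PREDICTED)
    print(kind, alert["related_events"])
```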
Example two:
an enterprise network anomaly detection system based on a dynamic storage network comprises a data preparation module, a representation layer module, a storage formation module, a temporary storage module, a prediction layer module and an anomaly detection module;
data preparation module: takes a new event as the current event C and normalizes it into a set of preset fields; takes the K most recent time windows from the database as the related context and denotes the historical events S;
the representation layer module comprises a vector conversion module and a code conversion module;
vector conversion module: presets a recurrent continuous bag-of-words model to calculate the embedding vector of each field of the current event C and the historical events S, obtaining the corresponding field-level embedding vectors Q and F;
code conversion module: feeds the field-level embedding vectors Q and F into a bidirectional gated recurrent unit (Bi-GRU); the encoded vectors of Q and F are denoted Q and $F=[f_1, f_2, \dots, f_T]$, where $f_t$ is the encoded vector of the t-th historical event;
the recurrent continuous bag-of-words model reuses hidden states, fusing a large amount of context information into the field-level embedding. For fields with continuous values, such as timestamps, the range of values is divided into segments so that the large number of continuous values is reduced to a smaller set of discrete intervals;
the storage formation module comprises a correlation calculation module, an internal connection module, a state hiding module and a storage update module;
correlation calculation module: for each iteration i, computes an attention vector $A_i=[a^i_1, a^i_2, \dots, a^i_T]$ from the correlation between the given F and Q, where $a^i_t$ is the attention weight;
internal connection module: a two-layer feedforward neural network takes as input a vector $z_t$ that captures the interactions between the encoded historical event $f_t$, the previous memory $M_{i-1}$ and the current event Q:
Figure GDA0003608467870000094
Figure GDA0003608467870000091
where ∘ denotes the element-wise product and $W_1, W_2, b_1, b_2$ are parameters to be learned;
state hiding module: a GRU whose update is modified by the attention weights (attGRU) computes the episode $E_{att}$, yielding the final hidden state $h^i_T$ for the given attention vector $a^i_t$:
Figure GDA0003608467870000092
The episode is defined as the final hidden state of the attGRU, $E^i_{att} = h^i_T$;
storage update module: for each iteration i, updates the integrated memory M to:
Figure GDA0003608467870000093
the temporary storage module comprises an event extraction module, an event unloading module, a priority check module, a temporary early warning module and a mechanism reset module;
event extraction module: takes historical events F whose attention value exceeds the threshold λ as related events;
event unloading module: once the final memory is obtained, the anomaly detection system puts the indices of the relevant facts into the temporary storage;
priority check module: the anomaly detection system queries the cache for the related previous events;
temporary early warning module: passes the anomaly detection early warning to a network security officer for analysis;
mechanism reset module: when the current event is normal, the anomaly detection system automatically clears the cache;
the prediction layer module comprises a field representation module, a field prediction module and a prediction calculation module;
field representation module: represents the field $u_j$ of the predicted event by GRU_j + FCL_j;
field prediction module: calculates the conditional probability of the field $u_j$ of the expected event:
Figure GDA0003608467870000101
prediction calculation module: the predicted event
Figure GDA0003608467870000102
is expressed as:
Figure GDA0003608467870000103
the model is trained by minimizing the cross-entropy loss between expected events and observed events over the training event sequence, while overfitting is avoided with techniques such as L2 regularization, dropout and adding gradient noise;
the anomaly detection module comprises a threshold cutting module and a prediction judgment module;
threshold cutting module: sets a threshold as the cut-off value in the prediction output;
prediction judgment module: judges whether the current event C lies within the first k predicted events
Figure GDA0003608467870000104
(the predicted events being denoted by the symbol shown above);
when the prediction judgment module judges that the current event C is a normal event, the alarm module clears the cache in the system;
when the prediction judgment module judges that the current event C is a related historical event, the cache module clears the cache in the system;
the detection system of the invention implicitly encodes the workflow paths of the underlying system through an iterative attention process and saves them in the temporary storage module, so that it can present related events as potentially important clues to malicious activity, facilitates origin tracing, detects latent correlations between events from different domains, reduces the dependency between adjacent events, improves the sensitivity of the detection method to network anomalies, secures the enterprise network and reduces the security threat borne by it.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention and not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features equivalently replaced, without such modifications or substitutions departing from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (6)

1. An enterprise network anomaly detection method based on a dynamic storage network, characterized by comprising the following steps:
S1, preprocessing the original events and recording and maintaining a multi-domain event database;
S2, converting the current event C and the historical events S into multi-dimensional numeric vectors Q and F by field-level embedding and temporal-level encoding:
S201, presetting a recurrent continuous bag-of-words model and calculating the embedding vector of each field of the current event C and the historical events S to obtain the corresponding field-level embedding vectors Q and F;
S202, feeding the field-level embedding vectors Q and F into a bidirectional gated recurrent unit (Bi-GRU), the encoded vectors of Q and F being denoted Q and $F=[f_1, f_2, \dots, f_T]$, where $f_t$ is the encoded vector of the t-th historical event;
S3, forming an integrated memory M by retrieving the facts F related to Q and aggregating them through an iterative attention process, the memory being initialized to the encoded vector of the current event, $M_0 = Q$;
S4, decoding the integrated memory M to obtain the probability distribution of the expected event;
S5, determining whether the current event is anomalous by comparing the current event with the predicted event.
2. The enterprise network anomaly detection method based on a dynamic storage network as claimed in claim 1, wherein said step S3 comprises the following steps:
S301, for each iteration i, computing an attention vector $A_i=[a^i_1, a^i_2, \dots, a^i_T]$ from the correlation between the given F and Q;
S302, producing the attention vector with a two-layer feedforward neural network whose input captures the interactions between the encoded historical event $f_t$, the previous memory $M_{i-1}$ and the current event Q, denoted $Z_t$;
S303, computing the episode $E_{att}$ with a GRU whose update is modified by the attention weights (attGRU), the final hidden state for the given attention vector being $E^i_{att} = h^i_T$;
S304, for each iteration i, updating the integrated memory M to $M_i$.
3. The method of claim 2, wherein in step S4 the integrated memory M is decoded by a gated recurrent unit (GRU) combined with a fully connected layer (FCL), and, given the historical events S, a separate GRU_j + FCL_j network is built to predict the j-th field of the predicted event
Figure FDA0003585464680000021
(the symbol shown above denotes the predicted event).
4. The enterprise network anomaly detection method based on a dynamic storage network as claimed in claim 2 or 3, wherein in the process of S3 the retrieved relevant facts are saved in a temporary storage mechanism, characterized in that said mechanism implements the following steps:
S311, taking historical events F whose attention value exceeds a threshold λ as related events;
S312, once the final memory is obtained, the anomaly detection system putting the indices of the relevant facts into the temporary storage;
S313, the anomaly detection system querying the cache to obtain the related previous events;
S314, passing the anomaly detection early warning to a network security officer for analysis;
S315, when the current event is normal, the anomaly detection system automatically clearing the cache.
5. An enterprise network anomaly detection system based on a dynamic storage network, characterized by comprising a data preparation module, a representation layer module, a storage formation module, a temporary storage module, a prediction layer module and an anomaly detection module;
data preparation module: preprocesses the original events and records and maintains a multi-domain event database;
representation layer module: converts the current event C and the historical events S into multi-dimensional numeric vectors Q and F by field-level embedding and temporal-level encoding;
the representation layer module comprises a vector conversion module and a code conversion module;
the vector conversion module presets a recurrent continuous bag-of-words model to calculate the embedding vector of each field of the current event C and the historical events S, obtaining the corresponding field-level embedding vectors Q and F;
the code conversion module feeds the field-level embedding vectors Q and F into a bidirectional gated recurrent unit (Bi-GRU); the encoded vectors of Q and F are denoted Q and $F=[f_1, f_2, \dots, f_T]$, where $f_t$ is the encoded vector of the t-th historical event;
storage formation module: retrieves the facts F related to Q and aggregates them through an iterative attention process to form the integrated memory M, which is initialized to the encoded vector of the current event, $M_0 = Q$;
temporary storage module: stores the relevant facts found by the storage formation module as related events;
prediction layer module: decodes the integrated memory M to obtain the probability distribution of the expected event;
anomaly detection module: compares the current event with the predicted event to judge whether the current event is anomalous.
6. The enterprise network anomaly detection system based on a dynamic storage network as claimed in claim 5, wherein the storage forming module comprises a correlation calculation module, an internal connection module, a state hiding module and a storage updating module;
correlation calculation module: for each iteration i, computes the correlation between the given F and Q by means of an attention vector A_i = [a_i^1, a_i^2, … a_i^T];
internal connection module: a two-layer feedforward neural network operating with the attention vector captures the interaction among the coded vector f_t of a historical event, the previous memory M_{i-1} and the current event Q, denoted z_t;
state hiding module: a GRU modified by the attention operation, denoted attGRU, computes the episode E^att; for the given attention vector the episode is the final hidden state, e_i^att = h_i^T;
storage updating module: for each iteration i, updates the integrated memory M to M_i.
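The storage forming module of claims 2 and 6 (attention vector, attGRU episode, memory update) together with the temporary storage of claim 4, as an added Python/numpy example that is not the patent's own code. The interaction features z_t, the ReLU memory update and the random weights are assumptions (DMN+ conventions), since the claims do not specify them.

```python
import numpy as np

D, T, LAMBDA = 4, 5, 0.3   # embedding size, number of historical events, threshold lambda

def make_params(rng, d=D):
    """Random weights standing in for trained ones (constructed for this example)."""
    g = lambda *s: rng.normal(scale=0.3, size=s)
    return {"W1": g(d, 4 * d), "b1": g(d), "W2": g(d), "b2": g(), "Wm": g(d, 3 * d),
            "bm": g(d), "gru": [g(d, d) for _ in range(6)]}

def interaction(f_t, q, m):
    """z_t: interaction of coded event f_t with Q and M_{i-1} (DMN+ feature set, an assumption)."""
    return np.concatenate([f_t * q, f_t * m, np.abs(f_t - q), np.abs(f_t - m)])

def attention(F, q, m, p):
    """A_i = [a_i^1 .. a_i^T]: two-layer feedforward net scores each z_t, softmax over t."""
    s = np.array([p["W2"] @ np.tanh(p["W1"] @ interaction(f, q, m) + p["b1"]) + p["b2"] for f in F])
    e = np.exp(s - s.max())
    return e / e.sum()

def gru_step(x, h, Wz, Uz, Wr, Ur, Wh, Uh):
    """One plain GRU cell step."""
    sig = lambda v: 1.0 / (1.0 + np.exp(-v))
    z, r = sig(Wz @ x + Uz @ h), sig(Wr @ x + Ur @ h)
    return (1 - z) * h + z * np.tanh(Wh @ x + Uh @ (r * h))

def att_gru_episode(F, a, gru_w):
    """attGRU (S303): the attention weight a^t replaces the update gate, so events with
    low attention leave h unchanged; the episode e_i^att is the final hidden state h^T."""
    h = np.zeros(F.shape[1])
    for f_t, a_t in zip(F, a):
        h = a_t * gru_step(f_t, h, *gru_w) + (1 - a_t) * h
    return h

def update_memory(m_prev, episode, q, p):
    """S304: M_i = ReLU(Wm [M_{i-1}; e_i^att; Q] + bm), a DMN+-style update (an assumption)."""
    return np.maximum(0.0, p["Wm"] @ np.concatenate([m_prev, episode, q]) + p["bm"])

def related_event_indexes(a, lam=LAMBDA):
    """S311/S312: historical events whose attention exceeds lambda are the related facts."""
    return [t for t, a_t in enumerate(a) if a_t > lam]

def form_memory(F, q, p, passes=2):
    """Storage forming module: M_0 = Q, then `passes` attention iterations; returns the
    integrated memory M and the temporary-storage cache of related-event indexes (S312)."""
    m = q.copy()
    for _ in range(passes):
        a = attention(F, q, m, p)
        m = update_memory(m, att_gru_episode(F, a, p["gru"]), q, p)
    return m, related_event_indexes(a)
```

Calling form_memory(F, q, make_params(rng)) on T coded historical events F and a current event Q returns M together with the index cache; when the anomaly detection module judges the current event normal, that cache is cleared (S315).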
CN202010017618.4A 2020-01-08 2020-01-08 Enterprise network anomaly detection method and system based on dynamic storage network Active CN111277564B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010017618.4A CN111277564B (en) 2020-01-08 2020-01-08 Enterprise network anomaly detection method and system based on dynamic storage network

Publications (2)

Publication Number Publication Date
CN111277564A CN111277564A (en) 2020-06-12
CN111277564B true CN111277564B (en) 2022-06-28

Family

ID=71001606

Country Status (1)

Country Link
CN (1) CN111277564B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
Effective date of registration: 20220606
Address after: 250100 building S02, No. 1036, Langchao Road, high tech Zone, Jinan City, Shandong Province
Applicant after: Shandong Inspur Scientific Research Institute Co.,Ltd.
Address before: 250100 First Floor of R&D Building 2877 Kehang Road, Sun Village Town, Jinan High-tech Zone, Shandong Province
Applicant before: JINAN INSPUR HIGH-TECH TECHNOLOGY DEVELOPMENT Co.,Ltd.
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right
Denomination of invention: A Method and System for Anomaly Detection in Enterprise Networks Based on Dynamic Storage Networks
Effective date of registration: 20230613
Granted publication date: 20220628
Pledgee: Qilu Bank Co.,Ltd. Jinan Science and Technology Innovation Financial Center Branch
Pledgor: Shandong Inspur Scientific Research Institute Co.,Ltd.
Registration number: Y2023980043550