CN111901296A - Network attack behavior detection method and detection system - Google Patents

Network attack behavior detection method and detection system

Info

Publication number: CN111901296A (other version: CN111901296A8)
Application number: CN202010553031.5A
Authority: CN (China)
Other languages: Chinese (zh)
Legal status: Pending
Prior art keywords: attack, prediction, event, address, source
Inventors: 催文科, 唐忞旻, 石庆辉
Original and current assignee: Shenzhen Castle Security Tech Co ltd

Classifications

    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L41/14 Network analysis or design
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/1425 Traffic logging, e.g. anomaly detection


Abstract

The invention relates to a method for detecting network attack behaviors, which comprises the following steps: constructing an attack scene and acquiring a training set and a prediction set; coding the training set and the prediction set to generate an attack prediction neural network model; acquiring current attack event information; and generating network attack prompt information. The network attack behavior detection method provided by the invention trains the recognition model through dynamic acquisition of attack data, so that the recognition model can be updated while in use, the recognition rate of network attacks is improved, and the reliability and stability of the network environment are improved. The invention also provides a system for detecting network attack behavior.

Description

Network attack behavior detection method and detection system
Technical Field
The invention relates to the field of network security applications. The invention particularly relates to a method and a system for detecting network attack behaviors.
Background
Existing network attack prevention mostly adopts either an attack IP address screening mode or an attack event screening mode. Both approaches rely on the accumulation of attack IP information and attack event information, so a new attack mode cannot be effectively defended against.
Disclosure of Invention
The invention aims to provide a network attack behavior detection method, which can dynamically adjust a training set, update in time and ensure the effectiveness and reliability of network attack prevention.
The invention also aims to provide a network attack behavior detection system, which can dynamically adjust the training set data, update in time and ensure the effectiveness and reliability of network attack prevention.
The invention provides a method for detecting network attack behaviors, which comprises the following steps:
Step S101: an attack scene is constructed to generate intrusion monitoring log sample data. The attack scene includes a source IP address set, a target IP address set and a plurality of attack events; a source IP address in the source IP address set initiates any of the attack events against any target IP address in the target IP address set.
The intrusion monitoring log sample data comprises a plurality of attack sample series. Each attack sample series has the same source IP address set, target IP address set and attack event terminator.
Step S102: the attack sample series that carry an attack event end symbol are extracted from the plurality of attack sample series in the intrusion monitoring log sample data as the training set. The training set is excluded from the plurality of attack sample series to obtain the prediction set.
Step S103: the training set is coded according to a set coding format and the time sequence of the training set. The set coding format comprises source IP address coding, target IP address coding and attack event name coding of the training set.
Step S104: the prediction set is coded according to the set coding format and the time sequence of the prediction set. The set coding format comprises source IP address coding, target IP address coding and attack event set name coding of the prediction set.
Step S105: the training set codes and the prediction set codes are trained through a neural network model to generate an attack prediction neural network model.
Step S106: the current intrusion monitoring log data is input into the attack prediction neural network model to obtain the current attack event information.
Step S107: it is judged whether the current attack event information is a set alarm event; if so, network attack prompt information is generated.
In an embodiment of the present invention, step S101 further includes: acquiring a plurality of alarm event groups from the intrusion monitoring log sample data; acquiring an attack group from each alarm event group; and dividing each attack group, according to the set threat values in the attack group, into a plurality of attack sample sequences whose threat values increase sequentially.
In one embodiment of the invention, the neural network model is configured with three input variables and three output variables. The three input variables are a source IP set coding sequence, a target IP set coding sequence and an attack event name sequence. The three output variables are a predicted source IP set coding sequence, a predicted target IP set coding sequence and a predicted attack event name sequence.
The neural network model has an input layer, an embedding layer, an LSTM layer and a fully connected layer. The input layer receives the encoded attack sample sequence data. The embedding layer converts each code of the attack sample sequence data into an N-dimensional vector.
In an embodiment of the present invention, after step S107 the method further includes:
Step S108: it is judged whether the current attack event information is a set alarm event; if not, the current attack event information is taken as an attack event, the method returns to step S103, and the attack prediction neural network model is retrained and regenerated.
Meanwhile, the invention also provides a detection system of network attack behaviors, which comprises a construction unit, a classification unit, a coding unit, a model training unit, an acquisition unit and a judgment unit:
The construction unit is configured to construct an attack scene and generate intrusion monitoring log sample data. The attack scene includes a source IP address set, a target IP address set and a plurality of attack events; a source IP address in the source IP address set initiates any of the attack events against any target IP address in the target IP address set. The intrusion monitoring log sample data comprises a plurality of attack sample series. Each attack sample series has the same source IP address set, target IP address set and attack event terminator.
The classification unit is configured to extract the attack sample series that carry an attack event end symbol from the plurality of attack sample series in the intrusion monitoring log sample data as the training set, and to exclude the training set from the plurality of attack sample series to obtain the prediction set.
The encoding unit is configured to encode the training set according to a set encoding format and the time sequence of the training set. The set encoding format comprises source IP address coding, target IP address coding and attack event name coding of the training set.
The encoding unit also encodes the prediction set according to the set encoding format and the time sequence of the prediction set. The set encoding format comprises source IP address coding, target IP address coding and attack event set name coding of the prediction set.
The model training unit is configured to train the training set codes and the prediction set codes through a neural network model to generate an attack prediction neural network model.
The acquisition unit is configured to input current intrusion monitoring log data into the attack prediction neural network model to acquire current attack event information.
The judging unit is configured to judge whether the current attack event information is a set alarm event and, if so, to generate network attack prompt information.
In an embodiment of the invention, the construction unit is further configured to: acquire a plurality of alarm event groups from the intrusion monitoring log sample data; acquire an attack group from each alarm event group; and divide each attack group, according to the set threat values in the attack group, into a plurality of attack sample sequences whose threat values increase sequentially.
In one embodiment of the invention, the neural network model is configured with three input variables and three output variables. The three input variables are a source IP set coding sequence, a target IP set coding sequence and an attack event name sequence. The three output variables are a predicted source IP set coding sequence, a predicted target IP set coding sequence and a predicted attack event name sequence.
The neural network model has an input layer, an embedding layer, an LSTM layer and a fully connected layer. The input layer receives the encoded attack sample sequence data. The embedding layer converts each code of the attack sample sequence data into an N-dimensional vector.
In an embodiment of the present invention, the system further includes a model updating unit.
The model updating unit is configured to judge whether the current attack event information is a set alarm event and, if not, to take the current attack event information as an attack event and return it to the model training unit, which retrains and regenerates the attack prediction neural network model.
Therefore, the network attack behavior detection method provided by the invention trains the recognition model through dynamic acquisition of attack data, so that the recognition model can be updated in use, the recognition rate of network attack is improved, and the reliability and stability of a network use environment are improved.
The above features, technical features, advantages and modes of achieving them will be further described in a clear and understandable manner by referring to the accompanying drawings.
Drawings
Fig. 1 is a flowchart for explaining a network attack behavior detection method.
Fig. 2 is a flow diagram for illustrating a method for detecting cyber attack behavior in one embodiment.
Fig. 3 is a flow diagram illustrating a network attack behavior detection system.
Fig. 4 is a flow diagram illustrating a system for detecting cyber attack behavior in one embodiment.
Fig. 5 is a process flow diagram for explaining an attack behavior prediction model.
Fig. 6 is a diagram for explaining a deep learning-based network attack prediction model in the present invention.
Detailed Description
In order to more clearly understand the technical features, objects and effects of the present invention, embodiments of the present invention will now be described with reference to the accompanying drawings, in which the same reference numerals indicate the same or structurally similar but functionally identical elements.
"exemplary" means "serving as an example, instance, or illustration" herein, and any illustration, embodiment, or steps described as "exemplary" herein should not be construed as a preferred or advantageous alternative. For the sake of simplicity, the drawings only schematically show the parts relevant to the present exemplary embodiment, and they do not represent the actual structure and the true scale of the product.
The invention provides a method for detecting network attack behaviors, which comprises the following steps of:
Step S101: constructing an attack scene.
In this step, an attack scene is constructed to generate intrusion monitoring log sample data. The attack scene includes a source IP address set, a target IP address set and a plurality of attack events; a source IP address in the source IP address set initiates any of the attack events against any target IP address in the target IP address set.
The intrusion monitoring log sample data comprises a plurality of attack sample series. Each attack sample series has the same source IP address set, target IP address set and attack event terminator.
It should be noted that the attack scene above is built from attack events collected under multiple attack scenarios, such as programs or event content collected in the system after an attack.
The attack event terminator may be a fixed terminator used when transmitting data, or, when a plurality of attack events are performed and the interval between successive attack events issued by one source IP address exceeds a set time, a terminator assigned to the previous attack event.
Step S102: obtaining a training set and a prediction set.
In this step, the attack sample series that carry an attack event end symbol are extracted from the plurality of attack sample series in the intrusion monitoring log sample data as the training set. The training set is excluded from the plurality of attack sample series to obtain the prediction set.
Step S103: coding the training set.
In this step, the training set is encoded according to the set encoding format and the time sequence of the training set. The set encoding format includes source IP address coding, target IP address coding and attack event name coding of the training set.
Step S104: coding the prediction set.
In this step, the prediction set is encoded according to the set encoding format and the time sequence of the prediction set. The set encoding format includes source IP address coding, target IP address coding and attack event set name coding of the prediction set.
Step S105: generating an attack prediction neural network model.
In this step, the training set codes and the prediction set codes are trained through a neural network model to generate an attack prediction neural network model.
Step S106: acquiring the current attack event information.
In this step, the current intrusion monitoring log data is input into the attack prediction neural network model to obtain the current attack event information.
Step S107: generating network attack prompt information.
In this step, it is judged whether the current attack event information is a set alarm event; if so, network attack prompt information is generated.
In one embodiment of the present invention, step S101 further includes: acquiring a plurality of alarm event groups from the intrusion monitoring log sample data; acquiring an attack group from each alarm event group; and dividing each attack group, according to the set threat values in the attack group, into a plurality of attack sample sequences whose threat values increase sequentially.
In one embodiment of the invention, the neural network model is configured with three input variables and three output variables. The three input variables are a source IP set coding sequence, a target IP set coding sequence and an attack event name sequence. The three output variables are a predicted source IP set coding sequence, a predicted target IP set coding sequence and a predicted attack event name sequence.
The neural network model comprises an input layer, an embedding layer, an LSTM layer and a fully connected layer. The input layer receives the encoded attack sample sequence data. The embedding layer converts each code of the attack sample sequence data into an N-dimensional vector.
In an embodiment of the present invention, as shown in fig. 2, after step S107 the method further includes:
Step S108: updating the attack prediction neural network model.
In this step, it is judged whether the current attack event information is a set alarm event; if not, the current attack event information is taken as an attack event, the method returns to step S105, and the attack prediction neural network model is retrained and regenerated.
Meanwhile, the invention also provides a network attack behavior detection system, as shown in fig. 3, which includes a construction unit 101, a classification unit 201, a coding unit 301, a model training unit 401, an acquisition unit 501 and a judgment unit 601.
The construction unit 101 is configured to construct an attack scene and generate intrusion monitoring log sample data. The attack scene includes a source IP address set, a target IP address set and a plurality of attack events; a source IP address in the source IP address set initiates any of the attack events against any target IP address in the target IP address set. The intrusion monitoring log sample data comprises a plurality of attack sample series. Each attack sample series has the same source IP address set, target IP address set and attack event terminator.
The classification unit 201 is configured to extract the attack sample series that carry an attack event end symbol from the plurality of attack sample series in the intrusion monitoring log sample data as the training set, and to exclude the training set from the plurality of attack sample series to obtain the prediction set.
The encoding unit 301 is configured to encode the training set according to a set encoding format and the time order of the training set. The set encoding format includes source IP address coding, target IP address coding and attack event name coding of the training set.
The encoding unit 301 also encodes the prediction set according to the set encoding format and the time sequence of the prediction set. The set encoding format includes source IP address coding, target IP address coding and attack event set name coding of the prediction set.
The model training unit 401 is configured to train the training set codes and the prediction set codes through the neural network model and generate an attack prediction neural network model.
The acquisition unit 501 is configured to input the current intrusion monitoring log data into the attack prediction neural network model to acquire current attack event information.
The judging unit 601 is configured to judge whether the current attack event information is a set alarm event and, if so, to generate network attack prompt information.
In an embodiment of the present invention, the construction unit 101 is further configured to: acquire a plurality of alarm event groups from the intrusion monitoring log sample data; acquire an attack group from each alarm event group; and divide each attack group, according to the set threat values in the attack group, into a plurality of attack sample sequences whose threat values increase sequentially.
In one embodiment of the invention, the neural network model is configured with three input variables and three output variables. The three input variables are a source IP set coding sequence, a target IP set coding sequence and an attack event name sequence. The three output variables are a predicted source IP set coding sequence, a predicted target IP set coding sequence and a predicted attack event name sequence.
The neural network model comprises an input layer, an embedding layer, an LSTM layer and a fully connected layer. The input layer receives the encoded attack sample sequence data. The embedding layer converts each code of the attack sample sequence data into an N-dimensional vector.
In an embodiment of the system for detecting network attack behavior according to the present invention, as shown in fig. 4, the system further includes a model updating unit 701.
The model updating unit 701 is configured to judge whether the current attack event information is a set alarm event and, if not, to return the current attack event information as an attack event to the model training unit 401, which retrains and regenerates the attack prediction neural network model.
In one embodiment of the method for detecting network attack behavior of the present invention: the detection method comprises the following steps:
1.1 attack behavior prediction
The model extracts attack events and constructs attack sequences from the IDS logs and the IP asset information of the network. The coded attack sequences are input into a customized deep neural network to train it and to predict network attacks. The flow of the whole model is shown in fig. 5 and mainly comprises two parts: attack scene reconstruction and the deep neural network. The basic definitions referred to in the figures are as follows:
Definition 1 (alarm group): alarm events a_i and a_j between hosts that have abnormal communication with each other are divided into one group, called an alarm group and denoted AltGrp_i. The same alarm event may be divided into different alarm groups. Here i, j and x denote index numbers; the same applies below.
Definition 2 (attack event): an attacker using one or more hosts to perform the same attack on one or more other hosts is called an attack event, denoted e_i. One or more alarm events constitute an attack event, which is the basic building block of an attack sequence.
Definition 3 (attack group): aggregating the related alarm events a_i in each alarm group AltGrp_i into attack events e_i turns the alarm group into an attack group, denoted AtkGrp_i. Alarm events with the same name may be divided into different attack events.
Definition 4 (attack sequence): in each attack group AtkGrp_i, a sequence consisting of attack events with sequentially increasing threat levels is called an attack sequence and denoted AtkSeq_i. An attack sequence represents the attack steps of an attacker, and several attack sequences can be divided out of one attack group.
The attack scene reconstruction part receives Intrusion Detection System (IDS) logs from an IDS. The IDS log is first partitioned into a plurality of alarm groups by an IP-related alarm sequence partitioning algorithm. An attack event extraction algorithm is then applied within each alarm group to convert the alarm groups into attack groups. Finally, each attack group is converted into one or more attack sequences by a sequence construction algorithm.
The deep neural network part receives the set of attack sequences produced by the attack scene reconstruction part. First, the sequences meeting the requirements are screened from the attack sequence set: the attack sequences that have not yet terminated are used as the prediction set, and all attack sequences are used as the training set. The training set is then segmented and encoded for training the neural network. Finally, the prediction set is encoded and input into the neural network, which predicts the next attack step, and the prediction is decoded into human-readable form. The dotted-line parts of the figure are completed before the solid-line parts are processed.
1.2 attack scene reconstruction
An IDS log is a collection of alarm events from multiple attack sequences. The IDS log is divided into a plurality of IP-related alarm sequences based on the inherent association between IDS alarms. Attack events are then extracted from each IP-related alarm sequence. Finally, the attack events are ordered by occurrence time to form attack sequences.
A basic IDS log (referred to herein as a NIDS log) typically contains six fields: alarm time, source IP address, source port number, destination IP address, destination port number and alarm name.
If alarms a_i and a_j can be clustered by association, then at least one IP address of a_i, whether source or destination, is the same as a source or destination IP address of a_j. Causal alarm events triggered by the same attack activity are always associated with each other in their address distribution. The sequence of all alarms in the IDS log is denoted IDSAlts.
IP-related alarms with the same alarm name are grouped together as one attack event. Each attack event has attributes such as the attack name, the occurrence time (the time of the first alarm), the end time (the time of the last alarm), the set of source IP addresses, the set of destination IP addresses and the score of the attack event. Since an attack event does not continue indefinitely, alarms with the same name directed at the same host are treated as belonging to different attack events when the time interval between them is too long.
Theoretically, the threat level of each step of a composite attack increases sequentially, and the attack score quantifies the threat level of each attack step, so the scores of the attack events extracted into each attack sequence should also increase sequentially.
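The reconstruction pipeline described in this section, implemented in Python over a few constructed NIDS log lines as an added example (not code from the patent): alarms are grouped by shared source/destination IPs (Definition 1, implemented here as connected components of the IP graph), same-name alarms inside a group become attack events that are split when the time gap is too long (Definition 2), and the time-ordered events are cut into sequences of strictly increasing threat score (Definition 4). The per-name threat scores, the 30-minute gap and the connected-component grouping are assumptions, since the page gives none of them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed NIDS log lines in the six-field layout the text describes:
# alarm time, source IP, source port, destination IP, destination port, alarm name.
SAMPLE_LOG = """\
2024-01-01 10:00:00,10.0.0.5,40001,10.0.0.20,22,SSH_SCAN
2024-01-01 10:00:05,10.0.0.5,40002,10.0.0.21,22,SSH_SCAN
2024-01-01 10:01:00,10.0.0.5,40003,10.0.0.20,22,SSH_BRUTE_FORCE
2024-01-01 10:03:00,10.0.0.20,51000,10.0.0.30,445,SMB_LATERAL
2024-01-01 14:00:00,10.0.0.5,40010,10.0.0.20,22,SSH_SCAN
2024-01-01 14:00:10,192.168.1.9,33000,172.16.0.7,80,WEB_SCAN
"""

# Assumed threat scores per alarm name (the page says scores quantify the threat
# level of each attack step but gives no table); unknown names score 0.
THREAT_SCORE = {"SSH_SCAN": 1, "SSH_BRUTE_FORCE": 3, "SMB_LATERAL": 5, "WEB_SCAN": 1}
# Assumed gap after which same-name alarms count as a new attack event.
MAX_GAP = timedelta(minutes=30)


def parse_log(text):
    """Parse the six-field NIDS log into time-sorted alarm dicts."""
    alarms = []
    for line in text.strip().splitlines():
        ts, sip, _sport, dip, _dport, name = line.split(",")
        alarms.append({"time": datetime.fromisoformat(ts), "src": sip, "dst": dip, "name": name})
    return sorted(alarms, key=lambda a: a["time"])


def alarm_groups(alarms):
    """Definition 1: alarms that (transitively) share a source or destination IP
    form one alarm group. Implemented with union-find over IP addresses."""
    parent = {}

    def find(ip):
        parent.setdefault(ip, ip)
        while parent[ip] != ip:
            parent[ip] = parent[parent[ip]]  # path halving
            ip = parent[ip]
        return ip

    for a in alarms:
        parent[find(a["src"])] = find(a["dst"])
    groups = defaultdict(list)
    for a in alarms:  # time order is preserved inside each group
        groups[find(a["src"])].append(a)
    return list(groups.values())


def extract_attack_events(group):
    """Definition 2: same-name alarms in a group form one attack event, unless the gap
    to the previous alarm of that name exceeds MAX_GAP, which starts a new event."""
    by_name = defaultdict(list)
    for a in group:
        by_name[a["name"]].append(a)
    events = []
    for name, alist in by_name.items():
        current = None
        for a in alist:
            if current is None or a["time"] - current["end"] > MAX_GAP:
                current = {"name": name, "start": a["time"], "end": a["time"],
                           "src": set(), "dst": set(), "score": THREAT_SCORE.get(name, 0)}
                events.append(current)
            current["end"] = a["time"]
            current["src"].add(a["src"])
            current["dst"].add(a["dst"])
    return sorted(events, key=lambda e: e["start"])


def attack_sequences(events):
    """Definition 4: cut the time-ordered events of an attack group into runs of
    strictly increasing threat score; a drop or repeat starts a new sequence."""
    sequences, current = [], []
    for e in events:
        if current and e["score"] <= current[-1]["score"]:
            sequences.append(current)
            current = []
        current.append(e)
    if current:
        sequences.append(current)
    return sequences


def reconstruct(log_text):
    """Full attack scene reconstruction: log -> alarm groups -> attack groups -> sequences."""
    result = []
    for group in alarm_groups(parse_log(log_text)):
        result.extend(attack_sequences(extract_attack_events(group)))
    return result


if __name__ == "__main__":
    for seq in reconstruct(SAMPLE_LOG):
        print(" -> ".join(f"{e['name']}({e['score']})" for e in seq))
```

On the sample log the first group yields the three-step sequence SSH_SCAN -> SSH_BRUTE_FORCE -> SMB_LATERAL plus a separate single-step sequence for the SSH_SCAN four hours later; the unrelated WEB_SCAN forms its own group.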
1.3 establishing an attack prediction deep neural network
The deep neural network part receives all attack sequences generated by the attack scene reconstruction part and generates a training set and a prediction set. All attack sequences can be used as the training set, and those whose tail is not -1 can be used as the prediction set. After the two data sets are coded, they are applied to the training stage and the prediction stage of the deep neural network respectively.
The attack sequence is coded as follows:
Each attack event carries attack event information, in which the attack event names are represented by character strings and the source/destination IP sets by sets of character strings; the attack sequence code represents the attack events in numerical form. The significance of this is:
  • The attack sequence is converted into a form that a computer model can process.
  • Specific information about the local area network, such as the distribution pattern of IP addresses and the number of hosts in the network, is avoided.
For the coding of alarm names, a dictionary recording each alarm name and its code is maintained: the first alarm name to occur is coded 1, subsequent names are numbered in increasing order, and 0 represents a placeholder.
For the coding of the source and destination IP sets, the source IP set and destination IP set of each step of a multi-step attack event are first laid out in a row in the previously established order: step 1 source IP set, step 1 destination IP set, step 2 source IP set, step 2 destination IP set, and so on. Here 0 is again used as a placeholder and coding starts from 1. The first set is coded 1. For each subsequent set S, the similarity sim between S and each earlier set is computed in turn; if the largest of these similarities is with the set at some position and exceeds a set threshold T, S is coded with the sequence number of that most similar position, otherwise S is coded with the sequence number of its own position. The similarity is calculated as follows:
[Similarity formula: given in the original only as an image (DEST_PATH_IMAGE002); not reproduced here.]
Note: if the attack event is -1, the alarm name code and the IP set codes are all -1.
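The encoding rules above applied in Python to a constructed three-step attack sequence ending in the -1 terminator, as an added example that is not the patent's own code. Because the similarity formula survives only as an image, Jaccard similarity and a threshold T of 0.5 are assumed; the above-threshold rule is followed literally (the code is the position number of the most similar earlier set, earliest position on ties). The last function shows the segmentation of an encoded sequence into (history window, next event) training pairs with 0 placeholders, which is how the three inputs and three outputs of the deep neural network part are fed.

```python
# Constructed attack sequence: three attack events (name, source IP set, destination
# IP set) followed by the -1 terminator that marks a completed sequence.
SAMPLE_SEQUENCE = [
    {"name": "SSH_SCAN",        "src": {"10.0.0.5"},  "dst": {"10.0.0.20", "10.0.0.21"}},
    {"name": "SSH_BRUTE_FORCE", "src": {"10.0.0.5"},  "dst": {"10.0.0.20"}},
    {"name": "SMB_LATERAL",     "src": {"10.0.0.20"}, "dst": {"10.0.0.30"}},
    -1,
]
PLACEHOLDER, TERMINATOR = 0, -1
T = 0.5  # assumed similarity threshold (the page does not give a value)


def similarity(a, b):
    """Assumed set similarity (Jaccard); the page's formula is only available as an image."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


class AlarmNameCodec:
    """Dictionary of alarm name -> code, assigned from 1 in order of first appearance;
    0 is reserved as the placeholder."""

    def __init__(self):
        self.codes = {}

    def encode(self, name):
        if name not in self.codes:
            self.codes[name] = len(self.codes) + 1
        return self.codes[name]

    def decode(self, code):
        return next(n for n, c in self.codes.items() if c == code)


def encode_ip_sets(ip_sets, threshold=T):
    """Code a row of IP sets: position 1 -> 1; each later set takes the position number
    of its most similar earlier set if that similarity exceeds the threshold, else its own."""
    codes = []
    for pos, s in enumerate(ip_sets, start=1):
        if pos == 1:
            codes.append(1)
            continue
        sims = [similarity(s, prev) for prev in ip_sets[:pos - 1]]
        best = max(range(len(sims)), key=lambda i: sims[i])  # earliest position on ties
        codes.append(best + 1 if sims[best] > threshold else pos)
    return codes


def encode_sequence(seq, names, threshold=T):
    """Return (src codes, dst codes, name codes) for one attack sequence. The IP sets
    are laid out as step1 src, step1 dst, step2 src, step2 dst, ... before coding."""
    name_codes, ip_row = [], []
    for ev in seq:
        if ev == TERMINATOR:
            break
        name_codes.append(names.encode(ev["name"]))
        ip_row.extend([ev["src"], ev["dst"]])
    ip_codes = encode_ip_sets(ip_row, threshold)
    src_codes, dst_codes = ip_codes[0::2], ip_codes[1::2]
    if seq and seq[-1] == TERMINATOR:  # a -1 event is coded -1 in all three streams
        src_codes.append(TERMINATOR)
        dst_codes.append(TERMINATOR)
        name_codes.append(TERMINATOR)
    return src_codes, dst_codes, name_codes


def make_training_pairs(src, dst, names, window=3):
    """Segment an encoded sequence into (history, next event) pairs: the three input
    streams are the last `window` codes, left-padded with 0 placeholders (which the
    Embedding layer masks); the three outputs are the codes of the following event."""
    def pad(xs, i):
        hist = xs[max(0, i - window):i]
        return [PLACEHOLDER] * (window - len(hist)) + hist

    return [((pad(src, i), pad(dst, i), pad(names, i)), (src[i], dst[i], names[i]))
            for i in range(1, len(names))]


if __name__ == "__main__":
    codec = AlarmNameCodec()
    src, dst, nm = encode_sequence(SAMPLE_SEQUENCE, codec)
    print("src", src, "dst", dst, "names", nm)
    for history, nxt in make_training_pairs(src, dst, nm):
        print(history, "->", nxt)
```

Note that the step 2 destination set {10.0.0.20} has similarity exactly 0.5 with the step 1 destination set, which does not exceed T, so it receives its own position number 4; the step 3 source set is identical to it and is therefore coded 4 as well.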
In a composite attack, an attacker decides the subsequent attack means from the result of the previous attack. The composite attack prediction model is a time series model that predicts subsequent attack events from an input history sequence of attack events.
The overall structure of the neural network mainly comprises an Embedding layer, an LSTM layer and a Dense layer.
The overall structure has three inputs and three outputs: the coded source IP set sequence (Src IP Seq), the coded target IP set sequence (Des IP Seq) and the Attack Name sequence (Attack Name Seq) as inputs, and the segmented subsequent source IP set (Src IP), target IP set (Des IP) and Attack Name (Attack Name) as outputs. The whole network structure is shown in fig. 6.
Embedding layer:
The first layer after the input layer is the Embedding layer. In the neural network model, the significance of this layer is to encode each code a second time: each numerical code is mapped to its own N-dimensional vector, and during training the vectors gradually acquire physical meaning, such as the attack type, the frequency of an IP, and the distance and angle between an attack type and an IP. At the same time, invalid signals, namely those coded 0, are masked. Also, thanks to the Embedding layer, alarm names that differ only because they were generated by different IDSs can be represented by similar vectors in the space.
Considering that the attack type affects the subsequent source IP and destination IP, while the source IP and destination IP have less influence on the subsequent attack type, the Embedding-coded attack type sequence and the Embedding-coded IP sequences are fused as the input for predicting the subsequent IPs.
Including the LSTM layer:
Human thinking is continuous: when reading an article, the meaning of a sentence is generally understood from its context. Conventional neural networks have difficulty inferring subsequent events from events that occurred earlier. A compound attack is similar: when an attacker attacks a network, the attack launched next is usually based on the results of the attacks launched before.
The LSTM layer plays a key role in predicting attack behavior. A multi-step attack is a sequence of attack events, so a previous attack step influences a later attack step. The same attack event has different effects in different compound attacks, and through the LSTM processing each occurring attack event can be represented as the superposition of information from the current attack event and the attack events that preceded it in the compound attack.
Including the Dense layer:
The last layer of the neural network is the fully-connected layer. It combines and superposes the features extracted by the previous layers and, through the nonlinear processing of the activation function, predicts the probabilities of the various subsequent source IP sets, target IP sets and attack names, thereby classifying the subsequent attack event.
Meanwhile, the number of attack event names keeps increasing over time, so the parameters of the Dense layer that predicts the attack event name change. When the parameters change, a fine-tune operation must be performed on the Dense layer. The fine-tune approach keeps the structure and weights of the previous layers unchanged and only changes the structure of this layer and retrains its weights.
1.4 optimizing attack prediction model
In the scenario of network attack prediction, a time sequence that has not yet finished will obtain its labels (the events that follow) at some point in the future, so the data set for training the model can be continuously acquired over time. In order to improve the prediction effect of the model as time passes, the model uses the following continuous training mechanism.
The Time window is the time window of each training session; only alarm events occurring within the Time window are subject to the algorithmic processing described above. The Time step is the time step, which indicates how often a model training is performed and the trained model is used to predict future alarm events. For example, with a time window of 1 month and a step length of 1 day, the model is retrained at every step (daily) thereafter; each time the data set is the alarm data of the past month, and the next attack event is predicted.
For events that were predicted incorrectly, this mechanism means the correct training data, which have by then occurred, are contained in the next training set; the number of samples of such corrective training data is increased by copying, so the erroneous prediction result can be corrected by the new training data. If the subsequent result of the related event sequence is a more serious attack event, the samples are likewise copied to increase the recall rate for serious attack events.
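The sliding-window retraining schedule and the sample-duplication rule described above, as an added example that is not part of the patent. The alarm events, the severity scale, and the duplication factors are all constructed here; the patent does not state them.

```python
# Added example (not the patent's code): sliding-window retraining with sample
# duplication for mispredicted and serious events. Event records, the severity
# scale (1..5, 4+ = "serious") and the copy factors are ASSUMED/constructed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List


@dataclass(frozen=True)
class AlarmEvent:
    day: date          # day the alarm event occurred
    name: str          # attack event name
    severity: int      # constructed 1..5 scale
    predicted: str = ""  # what the previous model predicted for this position


def retrain_days(first_day: date, runs: int, step_days: int) -> List[date]:
    """Training days: one run every `step_days` (Time step), starting at first_day."""
    return [first_day + timedelta(days=step_days * i) for i in range(runs)]


def select_window(events: List[AlarmEvent], train_day: date, window_days: int) -> List[AlarmEvent]:
    """Only alarm events inside [train_day - window, train_day) enter this run."""
    start = train_day - timedelta(days=window_days)
    return [e for e in events if start <= e.day < train_day]


def build_training_set(window: List[AlarmEvent], dup_mispredicted: int = 3,
                       dup_serious: int = 2, serious_level: int = 4) -> List[AlarmEvent]:
    """Copy samples that correct a wrong prediction and samples of serious events.

    An event that is both mispredicted and serious gets both factors
    (dup_mispredicted * dup_serious copies), raising its weight the most.
    """
    out: List[AlarmEvent] = []
    for e in window:
        copies = 1
        if e.predicted and e.predicted != e.name:   # earlier model got this wrong
            copies *= dup_mispredicted
        if e.severity >= serious_level:              # boost recall of serious events
            copies *= dup_serious
        out.extend([e] * copies)
    return out


# Constructed sample log, 30-day window ending before 2020-06-16.
SAMPLE_EVENTS: List[AlarmEvent] = [
    AlarmEvent(date(2020, 5, 10), "Port Scan", 1),                          # outside window
    AlarmEvent(date(2020, 5, 20), "Brute Force", 3, "Port Scan"),           # mispredicted -> x3
    AlarmEvent(date(2020, 6, 1), "Privilege Escalation", 5, "Privilege Escalation"),  # serious -> x2
    AlarmEvent(date(2020, 6, 10), "Data Exfiltration", 5, "Brute Force"),   # both -> x6
    AlarmEvent(date(2020, 6, 17), "Port Scan", 1),                          # not yet occurred
]

if __name__ == "__main__":
    window = select_window(SAMPLE_EVENTS, date(2020, 6, 16), 30)
    print(len(window), len(build_training_set(window)))   # -> 3 11
```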
For this model, the input data comprise intranet gateway traffic logs, host terminal security software logs, and the alarm logs of various kinds of security equipment, security software, vulnerability scanners and the like. After model processing, the output is a formatted detection result for the attack behavior, a behavior impact score, the corresponding handling measures and the behavior prediction result.
It should be understood that although the present description is described in terms of various embodiments, not every embodiment includes only a single embodiment, and such description is for clarity purposes only, and those skilled in the art will recognize that the embodiments described herein as a whole may be suitably combined to form other embodiments as will be appreciated by those skilled in the art.
The above-listed detailed description is only a specific description of a possible embodiment of the present invention, and they are not intended to limit the scope of the present invention, and equivalent embodiments or modifications made without departing from the technical spirit of the present invention should be included in the scope of the present invention.

Claims (8)

1. A method for detecting network attack behavior is characterized by comprising the following steps:
s101, constructing an attack scene to generate intrusion monitoring log sample data; the attack scene comprises a source IP address set, a target IP address set and a plurality of attack events; the source IP address in the source IP address set initiates any attack event to any target IP address in the target IP address set through the attack event;
the sample data of the intrusion monitoring log comprises a plurality of attack sample series; each attack sample series has the same source IP address set, a target IP address set and an attack event terminator;
step S102, extracting attack sample series with attack event end symbols from a plurality of attack sample series in the intrusion monitoring log sample data as a training set; excluding the training set from the plurality of attack sample series to obtain a prediction set;
step S103, coding the training set according to a set coding format and the time sequence of the training set; the setting of the coding format comprises: a source IP address code, a target IP address code and an attack event name code of a training set;
step S104, encoding the prediction set according to a set encoding format and the time sequence of the prediction set; the setting of the coding format comprises: a source IP address code, a target IP address code and an attack event set name code of a prediction set;
step S105, training the training set code and the prediction set code through a neural network model to generate an attack prediction neural network model;
step S106, inputting the current intrusion monitoring log data into the attack prediction neural network model to obtain the current attack event information;
step S107, judging whether the current attack event information is a set alarm event, and if so, generating network attack prompt information.
2. The detection method according to claim 1, wherein the step S101 further comprises:
acquiring a plurality of alarm event groups according to the sample data of the intrusion monitoring log; acquiring an attack packet according to the alarm event packet; and dividing the attack packet into a plurality of sequentially increasing attack sample sequences according to the set threat value in the attack packet.
3. The detection method according to claim 1, wherein the neural network model is configured as three input variables and three output variables, respectively; the three input variables are a source IP set coding sequence, a target IP set coding sequence and an attack event name sequence; the three output variables are a prediction source IP set coding sequence, a prediction target IP set coding sequence and a prediction attack event name sequence;
the neural network model is provided with an input layer, an embedded layer, an LSTM layer and a full connection layer; the input layer receives the attack sample sequence data codes; the embedding layer encodes and converts the attack sample sequence data into an N-dimensional vector.
4. The method according to claim 1, wherein step S107 is followed by further comprising:
step S108, judging whether the current attack event information is a set alarm event, and if not, returning to step S105 for retraining, with the current attack event information used as an attack event, to generate an attack prediction neural network model.
5. The network attack behavior detection system is characterized by comprising a construction unit, a classification unit, a coding unit, a model training unit, an acquisition unit and a judgment unit:
the construction unit is configured to construct an attack scene and generate sample data of the intrusion monitoring log; the attack scene comprises a source IP address set, a target IP address set and a plurality of attack events; the source IP address in the source IP address set initiates any attack event to any target IP address in the target IP address set through the attack event; the sample data of the intrusion monitoring log comprises a plurality of attack sample series; each attack sample series has the same source IP address set, a target IP address set and an attack event terminator;
the classification unit is configured to extract an attack sample series with an attack event end symbol from a plurality of attack sample series in the intrusion monitoring log sample data as a training set; excluding the training set from the plurality of attack sample series to obtain a prediction set;
the encoding unit is configured to encode the training set according to a set encoding format and the time sequence of the training set; the setting of the coding format comprises: a source IP address code, a target IP address code and an attack event name code of a training set;
encoding the prediction set according to a set encoding format and a time sequence of the prediction set; the setting of the coding format comprises: a source IP address code, a target IP address code and an attack event set name code of a prediction set;
the model training unit is configured to train the training set codes and the prediction set codes through a neural network model to generate an attack prediction neural network model;
the acquisition unit is configured to input current intrusion monitoring log data into the attack prediction neural network model to acquire current attack event information;
the judging unit is configured to judge whether the current attack event information is a set alarm event, and if so, network attack prompting information is generated.
6. The detection system of claim 5, wherein the construction unit is further configured to:
acquiring a plurality of alarm event groups according to the sample data of the intrusion monitoring log; acquiring an attack packet according to the alarm event packet; and dividing the attack packet into a plurality of sequentially increasing attack sample sequences according to the set threat value in the attack packet.
7. The detection system of claim 6, wherein the neural network model is configured as three input variables and three output variables, respectively; the three input variables are a source IP set coding sequence, a target IP set coding sequence and an attack event name sequence; the three output variables are a prediction source IP set coding sequence, a prediction target IP set coding sequence and a prediction attack event name sequence;
the neural network model is provided with an input layer, an embedded layer, an LSTM layer and a full connection layer; the input layer receives the attack sample sequence data codes; the embedding layer encodes and converts the attack sample sequence data into an N-dimensional vector.
8. The detection system according to claim 6, further comprising a model update unit;
the model updating unit is configured to judge whether the current attack event information is a set alarm event, and if not, the current attack event information is used as an attack event and returned to the model training unit for retraining to generate an attack prediction neural network model.
CN202010553031.5A 2020-06-17 2020-06-17 Network attack behavior detection method and detection system Pending CN111901296A (en)
Publications (2)

Publication Number Publication Date
CN111901296A true CN111901296A (en) 2020-11-06
CN111901296A8 CN111901296A8 (en) 2022-09-16
Legal Events

Date Code Title Description
PB01 Publication
CI02 Correction of invention patent application

Correction item: Inventor

Correct: Cui Wenke|Tang Xinmin|Shi Qinghui

False: urge liberal arts|Tang Xinmin|Shi Qinghui

Number: 45-02

Page: The title page

Volume: 36
SE01 Entry into force of request for substantive examination