CN111917765A - Network attack flow generation system based on generation type countermeasure network - Google Patents

Publication number: CN111917765A
Authority: CN (China)
Prior art keywords: flow, gan, traffic, network, samples
Legal status: Pending
Application number: CN202010742886.2A
Other languages: Chinese (zh)
Inventors: 杨华, 温泉, 王晓菲, 李宁, 张茜
Current Assignee: Beijing Institute of Computer Technology and Applications
Original Assignee: Beijing Institute of Computer Technology and Applications
Priority date: 2020-07-29
Filing date: 2020-07-29
Publication date: 2020-11-10

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a network attack traffic generation system based on a generative adversarial network (GAN), belonging to the technical field of network security. By applying the GAN algorithm, the invention generates network attack traffic through training. The generated traffic is used to simulate attack traffic in a network environment, can be used to verify how well a security protection system handles abnormal data, and can also serve as a source of attack traffic in a cyber range.

Description

Network attack flow generation system based on generation type countermeasure network
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a network attack traffic generation system based on a generative adversarial network (GAN).
Background
In cyberspace, a cyber attack can be described as any malicious activity that attempts to compromise a network. The definition covers a very broad range of network behavior, such as attempting to destabilize the network, obtain files without authorization, or escalate access rights. The threats currently facing computer network security fall mainly into two categories: threats to the information in the network and threats to the equipment in the network. The security, integrity and availability of information can be protected only by ensuring physical security, network system security, data security, information content security and the security of information infrastructure.
To verify the security of a network environment, the cyber range is an important means of supporting cyberspace security technology verification, network tool testing, attack-and-defense exercises and network risk assessment. A virtualization platform is built in which physical equipment and environments, as well as computing and storage resources, can be flexibly shared, forming a simulated experimental environment for real-world cyberspace networks and equipment and improving the capability to deliver virtual drills and training. The range can also be used for adversarial exercises, hands-on teaching, tool evaluation and similar activities, so that staff can practice in a near-realistic scenario before carrying out tasks, learn from previously accumulated technical and tactical experience, and effectively improve their ability to solve practical problems.
A key and difficult problem in building a cyber range is simulating network attack traffic that is close to that of a real network. Realistic network attack traffic on the one hand verifies the protective capability of a security protection system more accurately, and on the other hand produces network attack events close to the real thing, which better improves the problem-solving ability of staff.
Disclosure of Invention
(I) Technical problem to be solved
The technical problem to be solved by the invention is: how to design a network attack traffic generation system.
(II) Technical solution
To solve the above technical problem, the invention provides a network attack traffic generation system based on a generative adversarial network, comprising: a generative adversarial network (GAN), a traffic generator and a proxy system;
the GAN is used to learn the feature distribution of the target traffic and generate traffic features, which are then sent to the traffic generator;
the traffic generator is used to generate a randomized packet sequence according to the traffic features, mix it with real attack traffic, and turn the packet sequence into simulated traffic through a traffic generation algorithm;
the proxy system comprises a local proxy server, which is used to morph the simulated traffic and load the payload into it, producing the required final simulated attack traffic as output.
Preferably, the GAN consists of a generator and a discriminator, wherein the generator, after receiving real data samples, generates new data samples by learning the sample features through training, and the discriminator acts as a classifier that judges whether its input is real data or generated sample data;
let the variable z be random noise, x the input sample data, G the generative model, D the discriminative model, V the traffic feature function and E a binary classifier, with $E_{P(x)}(\alpha)$ denoting the likelihood function of $\alpha$; the GAN is then expressed as:
Figure BDA0002607324410000021
where log(1 − D(G(z))) represents the judgment of the new data samples generated by training. Through a continuous max-min game against each other, G and D are optimized in alternation until the two models reach Nash equilibrium. Vanishing gradients (gradient diffusion) may occur in the minimized objective function of the GAN, which makes it difficult for the objective function to update the generator. LSGANs penalize samples that lie far from the decision boundary, and the gradients of these samples determine the direction of gradient descent. In the LSGAN setting, cross entropy is not concerned with distance, only with whether a sample is classified correctly. The objective function of the discriminator is:
Figure BDA0002607324410000031
The objective function of the GAN is:
Figure BDA0002607324410000032
where a, b and c are variable parameters which, during model training, satisfy $b - c = 1$ and $b - a = 2$.
Preferably, the traffic generator can generate a specific packet sequence according to the traffic features from the GAN, and generates simulated traffic by mixing in packet sequences of real attack traffic. The traffic generation algorithm used for mixing uses the cumulative representation of traffic, CUMUL, to guide the traffic generation process. For a packet sequence $P_a = [p_{a1}, p_{a2}, \dots, p_{ai}]$ of a flow, the absolute value of $p_{ai}$ is the length of the i-th packet; $p_{ai} > 0$ indicates that the i-th packet is an outbound packet and $p_{ai} < 0$ indicates that it is a received packet. The CUMUL representation of the flow is the sequence $c = [c_1, c_2, \dots, c_N]$, where $c_0 = 0$, $c_i = c_{i-1} + p_i$ for $i \in \{1, 2, \dots, N\}$, and N is the length of the sequence.
Preferably, the local proxy server morphs the simulated traffic according to the generated traffic pattern and outputs the morphed simulated traffic as the final simulated attack traffic.
Preferably, when the GAN is used to generate traffic features, the size parameter of the GAN is selected in one of two ways: first, the full data set is selected; second, the minimum number of samples is selected for training, that is, only one sample is trained at a time.
Preferably, when the GAN is used to generate traffic features, the imbalance ratio is set according to the data input for the first round of GAN training as:
$num = N^- / N^+$
where $N^-$ is the number of UAL samples and $N^+$ is the number of NORMAL samples. As samples are repeatedly generated with the GAN, num keeps increasing until it reaches 1; sample generation then stops and the sample proportions are balanced.
Preferably, when the GAN is used to generate traffic features, the number of iterations differs for different types of samples, and the number of GAN generation iterations is:
$count = (N^+ - N') / x$
where count is the number of iterations required for a given type of data, $N'$ is the initial number of samples of the data type to be generated, and x is the size parameter set for the GAN.
The invention also provides a method for generating network attack traffic using the system.
Preferably, the method comprises the following steps:
the GAN learns the feature distribution of the target traffic and generates traffic features, which are then sent to the traffic generator;
the traffic generator generates a randomized packet sequence according to the traffic features, mixes it with real attack traffic, and turns the packet sequence into simulated traffic through a traffic generation algorithm;
the local proxy server morphs the simulated traffic and loads the payload into it, producing the required final simulated attack traffic as output.
The invention also provides an application of the system in the technical field of network security.
(III) Advantageous effects
By applying the GAN algorithm, the invention generates network attack traffic through training. The generated traffic is used to simulate attack traffic in a network environment, can be used to verify how well a security protection system handles abnormal data, and can also serve as a source of attack traffic in a cyber range.
Drawings
Fig. 1 is a basic framework diagram of a generative adversarial network;
Fig. 2 is a block diagram of the GAN-based network attack traffic generation system of the invention;
Fig. 3 is a flowchart of the GAN-based network attack traffic generation system of the invention.
Detailed Description
To make the objects, contents and advantages of the invention clearer, embodiments of the invention are described in detail below with reference to the accompanying drawings and examples.
The GAN-based network attack traffic generation system comprises a GAN (Generative Adversarial Network), a traffic generator and a proxy system; the overall design of the system is shown in Fig. 2.
The GAN is used to learn the feature distribution of the target traffic and generate traffic features, which are then sent to the traffic generator. The traffic generator is used to generate a randomized packet sequence according to the traffic features, mix it with real attack traffic, and turn the packet sequence into simulated traffic through a traffic generation algorithm. The proxy system comprises a local proxy server, which is used to morph the simulated traffic and load the payload into it, producing the required final simulated attack traffic as output.
The generative adversarial network imitates the two-player zero-sum game of game theory and consists of a generator and a discriminator. After receiving real data samples, the generator produces new data samples by learning the sample features. The discriminator acts as a classifier and judges whether its input is real data or generated sample data. The basic framework of a GAN is shown in Fig. 1.
Let the variable z be random noise, x the input sample data, G the generative model, D the discriminative model, V the traffic feature function and E a binary classifier, with $E_{P(x)}(\alpha)$ denoting the likelihood function of $\alpha$; the GAN is then expressed as:
Figure BDA0002607324410000051
where log D(x) is the judgment of the discriminator and log(1 − D(G(z))) represents the judgment of the generated data. Through a continuous max-min game against each other, G and D are optimized in alternation until the two models reach Nash equilibrium. Vanishing gradients (gradient diffusion) may occur in the minimized objective function of the GAN, which makes it difficult for the objective function to keep updating the generator and makes GAN training unstable. LSGANs penalize samples that lie far from the decision boundary, which solves this problem. The gradients of these samples determine the direction of gradient descent. In the LSGAN setting, cross entropy is not concerned with distance, only with whether a sample is classified correctly. The objective function of the discriminator is:
Figure BDA0002607324410000052
The objective function of the GAN is:
Figure BDA0002607324410000062
where a, b and c are variable parameters. When a, b and c satisfy $b - c = 1$ and $b - a = 2$ during model training, the model mitigates training instability and improves the diversity of the features the GAN generates.
The traffic generator can generate a specific packet sequence according to the traffic features from the GAN, and mixes in packet sequences of real attack traffic to generate the simulated attack traffic. In the traffic generation algorithm, the invention uses the cumulative representation of traffic (CUMUL) to guide the traffic generation process. For a packet sequence $P_a = [p_{a1}, p_{a2}, \dots, p_{ai}]$, the absolute value of $p_{ai}$ is the length of the i-th packet; $p_{ai} > 0$ indicates that the i-th packet is an outbound packet and $p_{ai} < 0$ indicates that it is a received packet. The CUMUL representation of the flow is the sequence $c = [c_1, c_2, \dots, c_N]$, where $c_0 = 0$, $c_i = c_{i-1} + p_i$ for $i \in \{1, 2, \dots, N\}$, and N is the length of the sequence.
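An added example, not code from the patent: the CUMUL representation defined above, computed in Python for constructed packet-length traces. It goes beyond the text by resampling each curve to a fixed number of points and ranking candidate traces by Euclidean distance to a reference; the resampling and the distance metric are assumptions, useful for checking how closely simulated range traffic tracks a reference capture or as classifier features.

```python
"""Added example: CUMUL curves for signed packet-length traces (constructed data)."""
from itertools import accumulate
from math import sqrt

# Constructed traces: value = packet length, sign = direction
# (> 0 outbound, < 0 received), as in the definition above.
REFERENCE = [100, -1500, -1500, 200, -800]
CANDIDATES = [
    [100, -1400, -1600, 200, -800],   # download-heavy, close to the reference
    [600, 600, -100, 600, -100],      # upload-heavy, far from the reference
]


def cumul(packets):
    """Return [c_1, ..., c_N] with c_0 = 0 and c_i = c_{i-1} + p_i."""
    if any(p == 0 for p in packets):
        raise ValueError("a zero-length packet carries no direction")
    return list(accumulate(packets))


def resample(curve, n_points):
    """Linearly interpolate the curve (c_0 = 0 prepended) at n_points
    equidistant positions so traces of different length are comparable.
    Assumption of this example, not part of the patent text."""
    if n_points < 2:
        raise ValueError("need at least two sample points")
    pts = [0] + list(curve)
    last = len(pts) - 1
    out = []
    for k in range(n_points):
        pos = k * last / (n_points - 1)
        lo = int(pos)
        hi = min(lo + 1, last)
        out.append(pts[lo] + (pos - lo) * (pts[hi] - pts[lo]))
    return out


def distance(trace_a, trace_b, n_points=5):
    """Euclidean distance between two resampled CUMUL curves (assumed metric)."""
    a = resample(cumul(trace_a), n_points)
    b = resample(cumul(trace_b), n_points)
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def closest(reference, candidates, n_points=5):
    """Index of the candidate whose CUMUL curve is nearest the reference."""
    return min(range(len(candidates)),
               key=lambda i: distance(reference, candidates[i], n_points))


if __name__ == "__main__":
    print("CUMUL:", cumul(REFERENCE))
    print("resampled:", resample(cumul(REFERENCE), 5))
    for i, cand in enumerate(CANDIDATES):
        print(f"candidate {i}: distance {distance(REFERENCE, cand):.1f}")
    print("closest candidate:", closest(REFERENCE, CANDIDATES))
```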
The proxy system comprises a local proxy server. The client first connects to the local proxy server and sends it the simulated traffic generated by the traffic generator; the local proxy server then morphs the simulated traffic according to the generated traffic pattern and outputs the morphed simulated traffic as the final simulated attack traffic.
The working process of the GAN-based network attack traffic generation system is described below, taking pre-collected unauthorized local super login attack traffic (UAL) as an example. With reference to Fig. 3, it comprises the following steps:
Step 1: Extract the feature types of the data
The features of the UAL network traffic are as follows:
Figure BDA0002607324410000061
Figure BDA0002607324410000071
Step 2: Feature analysis of the data samples
(1) Digitization. Character-type features are converted into numeric features.
(2) Standardization. During analysis, the digitized data is first standardized.
(3) Normalization. The values are normalized to the interval [0, 1], giving a data set that is suitable for the GAN and can therefore be used to train it.
Step 3: Data sample generation
The latent features of the UAL data type are trained into the GAN over several rounds, generating sufficient sample data, which is mixed into the original data to solve the problem of having few samples of this type. The value of the GAN's Size parameter is selected in one of two ways: first, the full data set is selected, so that representative sample features can be trained better; second, the minimum number of samples is selected for training, that is, only one sample is trained at a time, so that the function converges fastest. 50 data types of the UAL data flow are selected as a whole block of data to input into the GAN model.
The imbalance ratio is set according to the data input for the first round of GAN training as:
$num = N^- / N^+$
where $N^-$ is the number of UAL samples and $N^+$ is the number of NORMAL samples. As samples are repeatedly generated with the GAN, num keeps increasing until it reaches 1. At that point sample generation stops and the sample proportions are balanced. The number of iterations also differs for different types of samples in this process; the number of GAN generation iterations is:
$count = (N^+ - N') / x$
where count is the number of iterations required for a given type of data, $N'$ is the initial number of samples of the data type to be generated, and x is the Batch_Size set for the GAN. After the UAL samples $X^+$ are introduced into the GAN model, the GAN function changes as follows:
Figure BDA0002607324410000072
Step 4: The generated traffic features and the real attack traffic are input into the traffic generator, which outputs, from the generated traffic, the traffic with the highest similarity to the other traffic models.
Step 5: The local proxy server is responsible for morphing the traffic and loading the payload into the generated traffic, which yields the required attack traffic.
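An added example, not code from the patent: the data preparation of Step 2 (digitization, standardization, normalization to [0, 1]) and the balancing arithmetic of Step 3, as used when evening out class counts in an intrusion-detection training set. The records, column meanings and sample counts are constructed, and rounding count up to a whole number of rounds is an assumption.

```python
"""Added example (constructed data): Step 2 preprocessing and Step 3 balancing."""
from math import ceil
from statistics import mean, pstdev

# Constructed records; the column meanings are hypothetical:
# duration, protocol, service, bytes sent.
SAMPLE = [
    [2, "tcp", "telnet", 300],
    [0, "udp", "domain", 100],
    [4, "tcp", "ftp", 500],
    [2, "icmp", "ecr_i", 100],
]


def digitize(rows, categorical_cols):
    """(1) Map each distinct string in a categorical column to an integer."""
    out = [list(r) for r in rows]
    for col in categorical_cols:
        codes = {v: i for i, v in enumerate(sorted({r[col] for r in out}))}
        for r in out:
            r[col] = codes[r[col]]
    return out


def _per_column(rows, fn):
    """Apply fn(column) -> new column to every column of a row-major table."""
    return [list(r) for r in zip(*(fn(list(c)) for c in zip(*rows)))]


def standardize(rows):
    """(2) Z-score each column; a constant column becomes all zeros."""
    def z(col):
        mu, sigma = mean(col), pstdev(col)
        return [0.0 if sigma == 0 else (v - mu) / sigma for v in col]
    return _per_column(rows, z)


def normalize(rows):
    """(3) Min-max scale each column into [0, 1]."""
    def mm(col):
        lo, hi = min(col), max(col)
        return [0.0 if hi == lo else (v - lo) / (hi - lo) for v in col]
    return _per_column(rows, mm)


def preprocess(rows, categorical_cols):
    return normalize(standardize(digitize(rows, categorical_cols)))


def imbalance_ratio(n_ual, n_normal):
    """num = N^- / N^+ with N^- the UAL count and N^+ the NORMAL count."""
    return n_ual / n_normal


def iterations_needed(n_normal, n_initial, batch_size):
    """count = (N^+ - N') / x, rounded up to whole rounds (assumption)."""
    if batch_size <= 0:
        raise ValueError("batch_size must be positive")
    return max(0, ceil((n_normal - n_initial) / batch_size))


def balance_plan(n_ual, n_normal, batch_size):
    """num before generation and after each round, until num reaches 1."""
    history = [imbalance_ratio(n_ual, n_normal)]
    for _ in range(iterations_needed(n_normal, n_ual, batch_size)):
        n_ual += batch_size
        history.append(imbalance_ratio(n_ual, n_normal))
    return history


if __name__ == "__main__":
    for row in preprocess(SAMPLE, categorical_cols=[1, 2]):
        print([round(v, 3) for v in row])
    # Constructed counts: 52 UAL samples, 1000 NORMAL samples, x = 50.
    print("rounds:", iterations_needed(1000, 52, 50))
    print("num per round:", [round(n, 3) for n in balance_plan(52, 1000, 50)])
```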
The above is only a preferred embodiment of the invention. It should be noted that those skilled in the art can make several modifications and variations without departing from the technical principle of the invention, and such modifications and variations should also be regarded as falling within the scope of protection of the invention.

Claims (10)

1. A network attack traffic generation system based on a generative adversarial network, comprising: a generative adversarial network (GAN), a traffic generator and a proxy system;
the GAN is used to learn the feature distribution of the target traffic and generate traffic features, which are then sent to the traffic generator;
the traffic generator is used to generate a randomized packet sequence according to the traffic features, mix it with real attack traffic, and turn the packet sequence into simulated traffic through a traffic generation algorithm;
the proxy system comprises a local proxy server, which is used to morph the simulated traffic and load the payload into it, producing the required final simulated attack traffic as output.
2. The system of claim 1, wherein the GAN consists of a generator and a discriminator, the generator, after receiving real data samples, generating new data samples by learning the sample features through training, and the discriminator judging whether its input is real data or generated sample data;
let the variable z be random noise, x the input sample data, G the generative model, D the discriminative model, V the traffic feature function and E a binary classifier, with $E_{P(x)}(\alpha)$ denoting the likelihood function of $\alpha$; the GAN is then expressed as:
Figure FDA0002607324400000011
where log(1 − D(G(z))) represents the judgment of the new data samples generated by training. Through a continuous max-min game against each other, G and D are optimized in alternation until the two models reach Nash equilibrium. Vanishing gradients (gradient diffusion) may occur in the minimized objective function of the GAN, which makes it difficult for the objective function to update the generator. LSGANs penalize samples that lie far from the decision boundary, and the gradients of these samples determine the direction of gradient descent. In the LSGAN setting, cross entropy is not concerned with distance, only with whether a sample is classified correctly. The objective function of the discriminator is:
Figure FDA0002607324400000012
The objective function of the GAN is:
Figure FDA0002607324400000021
where a, b and c are variable parameters which, during model training, satisfy $b - c = 1$ and $b - a = 2$.
3. The system of claim 1, wherein the traffic generator can generate a specific packet sequence according to the traffic features from the GAN and generates simulated traffic by mixing in packet sequences of real attack traffic, the traffic generation algorithm used for mixing using the cumulative representation of traffic, CUMUL, to guide the traffic generation process; for a packet sequence $P_a = [p_{a1}, p_{a2}, \dots, p_{ai}]$ of a flow, the absolute value of $p_{ai}$ is the length of the i-th packet, $p_{ai} > 0$ indicates that the i-th packet is an outbound packet and $p_{ai} < 0$ indicates that it is a received packet; the CUMUL representation of the flow is the sequence $c = [c_1, c_2, \dots, c_N]$, where $c_0 = 0$, $c_i = c_{i-1} + p_i$ for $i \in \{1, 2, \dots, N\}$, and N is the length of the sequence.
4. The system of claim 1, wherein the local proxy server morphs the simulated traffic according to the generated traffic pattern and outputs it as the final simulated attack traffic.
5. The system of claim 2, wherein, when the GAN is used to generate traffic features, the size parameter of the GAN is selected in one of two ways: first, the full data set is selected; second, the minimum number of samples is selected for training, that is, only one sample is trained at a time.
6. The system of claim 5, wherein, when the GAN is used to generate traffic features, the imbalance ratio is set according to the data input for the first round of GAN training as:
$num = N^- / N^+$
where $N^-$ is the number of UAL samples and $N^+$ is the number of NORMAL samples; as samples are repeatedly generated with the GAN, num keeps increasing until it reaches 1, at which point sample generation stops and the sample proportions are balanced.
7. The system of claim 6, wherein, when the GAN is used to generate traffic features, the number of iterations differs for different types of samples, and the number of GAN generation iterations is:
$count = (N^+ - N') / x$
where count is the number of iterations required for a given type of data, $N'$ is the initial number of samples of the data type to be generated, and x is the size parameter set for the GAN.
8. A method of generating network attack traffic using the system of any one of claims 1 to 7.
9. The method of claim 8, comprising the steps of:
the GAN learns the feature distribution of the target traffic and generates traffic features, which are then sent to the traffic generator;
the traffic generator generates a randomized packet sequence according to the traffic features, mixes it with real attack traffic, and turns the packet sequence into simulated traffic through a traffic generation algorithm;
the local proxy server morphs the simulated traffic and loads the payload into it, producing the required final simulated attack traffic as output.
10. Use of the system of any one of claims 1 to 7 in the technical field of network security.

Priority Applications (1)

Application number: CN202010742886.2A
Priority date: 2020-07-29
Filing date: 2020-07-29
Title: Network attack flow generation system based on generation type countermeasure network

Publications (1)

Publication number: CN111917765A
Publication date: 2020-11-10

Family ID: 73286635

Family Applications (1)

Application number: CN202010742886.2A (Pending), published as CN111917765A
Country: CN

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113938309A (en) * 2021-10-28 2022-01-14 西安热工研究院有限公司 DoS attack traffic generation system and method based on DCGAN network
CN114189354A (en) * 2021-11-10 2022-03-15 西安理工大学 SYN Flooding network attack scene reproduction method
CN115277440A (en) * 2022-05-09 2022-11-01 南京赛宁信息技术有限公司 Method and system for generating hybrid traffic in network target range
CN116545767A (en) * 2023-06-27 2023-08-04 北京天云海数技术有限公司 Automatic XSS attack load generation method and system based on generation countermeasure network
RU2823895C1 (en) * 2023-12-21 2024-07-30 Федеральное государственное бюджетное учреждение науки Институт системного программирования им. В.П. Иванникова Российской академии наук Method of generating adversarial examples for network intrusion detection system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110602078A (en) * 2019-09-04 2019-12-20 南京邮电大学 Application encryption traffic generation method and system based on generation countermeasure network
CN111447212A (en) * 2020-03-24 2020-07-24 哈尔滨工程大学 Method for generating and detecting APT (advanced persistent threat) attack sequence based on GAN (generic antigen network)

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
XUDONG MAO: "Least Squares Generative Adversarial Networks", 《IEEE》 *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113938309A (en) * 2021-10-28 2022-01-14 西安热工研究院有限公司 DoS attack traffic generation system and method based on DCGAN network
CN114189354A (en) * 2021-11-10 2022-03-15 西安理工大学 SYN Flooding network attack scene reproduction method
CN115277440A (en) * 2022-05-09 2022-11-01 南京赛宁信息技术有限公司 Method and system for generating hybrid traffic in network target range
CN115277440B (en) * 2022-05-09 2023-08-22 南京赛宁信息技术有限公司 Method and system for generating mixed flow in network target range
CN116545767A (en) * 2023-06-27 2023-08-04 北京天云海数技术有限公司 Automatic XSS attack load generation method and system based on generation countermeasure network
CN116545767B (en) * 2023-06-27 2024-01-09 北京天云海数技术有限公司 Automatic XSS attack load generation method and system based on generation countermeasure network
RU2823895C1 (en) * 2023-12-21 2024-07-30 Федеральное государственное бюджетное учреждение науки Институт системного программирования им. В.П. Иванникова Российской академии наук Method of generating adversarial examples for network intrusion detection system

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201110