CN112437085B - Network attack identification method and device - Google Patents


Info

Publication number
CN112437085B
Authority
CN
China
Prior art keywords
rate
iteration
network
network attack
response delay
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011320697.2A
Other languages
Chinese (zh)
Other versions
CN112437085A (en)
Inventor
王智明
徐雷
陶冶
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China United Network Communications Group Co Ltd
Priority to CN202011320697.2A
Publication of CN112437085A
Application granted
Publication of CN112437085B
Legal status: Active (current)
Anticipated expiration


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • G06N3/088 Non-supervised learning, e.g. competitive learning
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • General Physics & Mathematics (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Evolutionary Computation (AREA)
  • Biomedical Technology (AREA)
  • Molecular Biology (AREA)
  • Artificial Intelligence (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Biophysics (AREA)
  • Mathematical Physics (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a network attack identification method and a network attack identification device. The method comprises: acquiring network traffic data, the network traffic data comprising a source IP address and network behaviors; performing deep analysis on the network traffic data to obtain a final network attack identification scheme; and identifying suspicious network behaviors and suspicious source IP addresses in the network traffic data according to the final network attack identification scheme, and intercepting the network traffic data corresponding to those suspicious network behaviors and suspicious source IP addresses. The method and device address the problem that the traditional network attack identification approach used in the prior art is gradually becoming unable to keep up with the continual upgrading and mutation of network attacks, and suffers from high response delay and a high misjudgment rate.

Description

Network attack identification method and device
Technical Field
The present invention relates to the field of network communication technologies, and in particular, to a method and an apparatus for identifying a network attack.
Background
With the rapid development of artificial intelligence, the traditional network attack identification approach in use today is increasingly unable to keep up with the continual upgrading and mutation of network attacks, and problems such as high response delay and a high misjudgment rate are becoming ever more prominent.
There is therefore an urgent need, for those skilled in the art, for a network attack identification method that addresses these problems.
Disclosure of Invention
The technical problem to be solved by the present invention is to provide a method and an apparatus for identifying a network attack, aiming at the above-mentioned deficiencies in the prior art, so as to solve the problems that the traditional network attack identification mode adopted in the prior art is gradually unable to adapt to the increasing requirements of network attack upgrade and variation, and has high response delay and high false positive rate.
In a first aspect, an embodiment of the present invention provides a method for identifying a network attack, including:
acquiring network traffic data, wherein the network traffic data comprises a source IP address and network behaviors;
carrying out deep analysis on the network traffic data to obtain a final network attack identification scheme;
and identifying suspicious network behaviors and suspicious source IP addresses in the network traffic data according to the final network attack identification scheme, and intercepting the network traffic data corresponding to the suspicious network behaviors and the suspicious source IP addresses.
Preferably, the performing deep analysis on the network traffic data includes:
S1: setting an iteration initial parameter and a maximum iteration number;
S2: analyzing the network traffic data based on the misjudgment rate, the response delay rate and the correct rate to obtain the network attack identification scheme with the optimal matching degree;
S3: judging whether the network attack identification scheme with the optimal matching degree meets a preset evaluation condition; if so, going to step S6; if not, going to step S2;
S4: performing deep unsupervised learning on the misjudgment rate, the response delay rate and the correct rate;
S5: adding 1 to the iteration count and judging whether the current iteration count is smaller than the maximum iteration number; if so, returning to step S2, and if not, executing step S6;
S6: outputting the network attack identification scheme with the optimal matching degree as the final network attack identification scheme.
Preferably, the misjudgment rate is the ratio of differential traffic per unit time that went undetected to the total differential-traffic analysis and detection per unit time; the response delay rate is the ratio of time per unit time during which traffic detection is ineffectively occupied to the total unit time; and the correct rate is the ratio of successful differential-traffic detection work per unit time to the total differential traffic per unit time.
Preferably, in the step of analyzing the network traffic data based on the misjudgment rate, the response delay rate, and the accuracy to obtain the network attack recognition scheme with the optimal matching degree, the network attack recognition scheme with the optimal matching degree is obtained according to the following calculation formula:
Figure BDA0002792810050000021
where k is the iteration number; i, j and t are dimensions; m, n and p are the maximum values of i, j and t respectively;
Figure BDA0002792810050000022
is the correct rate at the k-th iteration;
Figure BDA0002792810050000023
is the response delay rate at the k-th iteration;
Figure BDA0002792810050000024
is the misjudgment rate at the k-th iteration; C_kmax is the maximum correct rate at the k-th iteration; E_kmin is the minimum response delay rate at the k-th iteration; W_kmin is the minimum misjudgment rate at the k-th iteration.
Preferably, the network attack recognition scheme with the optimal matching degree determines classification categories through a decision tree classifier, and the decision tree classifier satisfies the following formula:
Figure BDA0002792810050000031
where k is the iteration number; i, j and t are dimensions; m, n and p are the maximum values of i, j and t respectively;
Figure BDA0002792810050000032
is the correct rate at the k-th iteration;
Figure BDA0002792810050000033
is the response delay rate at the k-th iteration;
Figure BDA0002792810050000034
is the misjudgment rate at the k-th iteration.
Preferably, the judging whether the network attack recognition scheme with the optimal matching degree meets a preset evaluation condition is specifically performed according to the following formula:
Figure BDA0002792810050000035
where k is the iteration number; i, j and t are dimensions; m, n and p are the maximum values of i, j and t respectively;
Figure BDA0002792810050000036
is the correct rate at the k-th iteration;
Figure BDA0002792810050000037
is the response delay rate at the k-th iteration;
Figure BDA0002792810050000038
is the misjudgment rate at the k-th iteration; P is the probability.
Preferably, the deep unsupervised learning is performed on the misjudgment rate, the response delay rate and the accuracy rate, specifically, the deep unsupervised learning is performed according to the following formula:
Figure BDA0002792810050000039
Figure BDA00027928100500000310
where M_ijt^(k+1) is an information vector composed mainly of the three components
Figure BDA00027928100500000311
;
Figure BDA00027928100500000312
is the correct rate at the (k+1)-th iteration;
Figure BDA00027928100500000313
is the response delay rate at the (k+1)-th iteration;
Figure BDA00027928100500000314
is the misjudgment rate at the (k+1)-th iteration; μ is an adjustment coefficient; k is the iteration number; i, j and t are dimensions; B_ijt^(k+1) is the deep unsupervised learning enhancement factor at the (k+1)-th iteration;
where the deep unsupervised learning enhancement factor B_ijt^(k+1) is obtained according to the following formula:
Figure BDA0002792810050000041
where C_kmax is the maximum correct rate at the k-th iteration; E_kmin is the minimum response delay rate at the k-th iteration; W_kmin is the minimum misjudgment rate at the k-th iteration.
In a second aspect, an embodiment of the present invention provides an apparatus for identifying a network attack, including:
the data acquisition module is used for acquiring network flow data, and the network flow data comprises a source IP address and network behaviors;
the deep analysis module is connected with the data acquisition module and is used for carrying out deep analysis on the network traffic data to obtain a final network attack identification scheme;
and the identification processing module is connected with the deep analysis module and used for identifying suspicious network behaviors and suspicious source IP addresses in the network traffic data according to the final network attack identification scheme and intercepting the network traffic data corresponding to the suspicious network behaviors and the suspicious source IP addresses.
Preferably, the depth analysis module comprises:
the setting unit is used for setting an iteration initial parameter and the maximum iteration times;
the analysis unit is used for analyzing the network traffic data based on the misjudgment rate, the response delay rate and the accuracy rate to obtain a network attack identification scheme with the optimal matching degree;
the evaluation judging unit is used for judging whether the network attack identification scheme with the optimal matching degree meets preset evaluation conditions or not;
the learning unit is used for carrying out deep unsupervised learning on the misjudgment rate, the response delay rate and the accuracy rate;
the iteration judging unit is used for adding 1 to the iteration times and judging whether the current iteration times are smaller than the maximum iteration times;
and the output unit is used for outputting the network attack identification scheme with the optimal matching degree as a final network attack identification scheme.
Preferably, the misjudgment rate is the ratio of differential traffic per unit time that went undetected to the total differential-traffic analysis and detection per unit time; the response delay rate is the ratio of time per unit time during which traffic detection is ineffectively occupied to the total unit time; and the correct rate is the ratio of successful differential-traffic detection work per unit time to the total differential traffic per unit time.
According to the network attack identification method and device, network traffic data comprising a source IP address and network behaviors is acquired; deep analysis of the network traffic data yields a final network attack identification scheme with low response delay, low misjudgment rate and high correct rate; suspicious network behaviors and suspicious source IP addresses in the network traffic data are then identified according to that scheme, and the corresponding network traffic data is intercepted, so that attacks by hackers are effectively prevented and the security of the system is improved. This solves the problem that the traditional network attack identification approach used in the prior art is gradually becoming unable to keep up with the continual upgrading and mutation of network attacks, and suffers from high response delay and a high misjudgment rate.
Drawings
FIG. 1: scene diagram for identifying a network attack according to the invention;
FIG. 2: flowchart of the network attack identification method of the invention;
FIG. 3: structure diagram of the multilayer convolutional neural network in an embodiment of the invention;
FIG. 4: storage model in an embodiment of the invention;
FIG. 5: structure diagram of the network attack identification apparatus of the invention.
Detailed Description
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the embodiments with reference to the attached drawings.
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the scene diagram described in the embodiment of the present application is for more clearly illustrating the technical solution of the embodiment of the present application, and does not constitute a limitation to the technical solution provided in the embodiment of the present application, and as a person having ordinary skill in the art knows that along with the evolution of the network architecture and the appearance of a new service scenario, the technical solution provided in the embodiment of the present application is also applicable to similar technical problems.
As shown in fig. 1, a scene diagram for identifying a network attack provided in the embodiment of the present application is provided, where each part is described as follows:
1) An intelligent network attack classification analysis detection system, comprising input, analysis and output. The input is the network traffic data, i.e. the function of feeding in the attacker's traffic data; the network traffic data comprises at least a source IP address and network behaviors. The analysis mainly implements the classification analysis of the attacker's traffic or network behavior. The output comprises suspicious and non-suspicious behaviors and/or suspicious and non-suspicious source IP addresses; it mainly implements the statistics and reporting of the attacker's suspicious behaviors and/or suspicious source IP addresses, which are reported to a security expert operations team for subsequent rating and related work;
2) A local cluster server, comprising servers and the like that implement local services;
3) A cloud service, comprising various cloud services and the like that provide local business services;
4) Internal and external attackers, who carry out internal and external attacks.
In the scenario shown in fig. 1, the following process flows are included:
1, 2 and 3. An external attacker can establish a covert channel with a local server either through the cloud service or directly, and carries out malicious network attacks such as message tampering, forgery, denial of service, traffic analysis and eavesdropping against the cloud service and the local cluster server; this is what generates the network attack analysis and detection requirement;
4. An internal attacker can establish a covert channel with a local server directly, and carries out malicious network attacks such as social engineering, message tampering, forgery, denial of service, traffic analysis and eavesdropping against the cloud service and the local cluster server;
5 and 6. The intelligent network attack classification analysis detection system sits in the middle of the network and monitors and analyses inbound and outbound traffic in real time;
7. The intelligent network attack classification analysis detection system reports its preliminary identification to the security team, and the security team returns its verification and auxiliary analysis results to the system;
8. The intelligent network attack classification analysis detection system intercepts and blocks network attacks at the solid dot; the solid dot in the figure above is the interception and blocking point.
Based on the scenario diagram shown in fig. 1, the following describes an embodiment related to identifying a network attack to which the present application relates. Referring to fig. 2, it is a flowchart of a method for identifying a network attack according to an embodiment of the present invention, and as shown in fig. 2, the method includes the following steps:
step S102, network flow data is obtained, and the network flow data comprises a source IP address and network behaviors.
In this embodiment, the intelligent network attack classification analysis and detection system may monitor and acquire network traffic connected to or entering the cloud service or the local cluster server in real time, and the cloud service or the local cluster server may also report network traffic data periodically and actively, so that the intelligent network attack classification analysis and detection system analyzes the network traffic data.
In this embodiment, the network traffic data may be acquired based on a network attack identification requirement sent by the cloud service or the local cluster server, where the network attack identification requirement may be automatically generated when the cloud service or the local cluster server preliminarily determines that a network attack may exist.
And step S104, carrying out deep analysis on the network traffic data to obtain a final network attack identification scheme.
In this embodiment, after the intelligent network attack classification analysis and detection system obtains the network traffic data, it performs deep analysis on it to obtain a final network attack identification scheme with low response delay, low misjudgment rate and high correct rate. The network attack identification scheme is used to identify suspicious network behavior in the network traffic data and the suspicious source IP address corresponding to that behavior; examples of suspicious network behavior include frequent use of delete commands or modify commands.
In this embodiment, the intelligent network attack classification analysis and detection system may receive network attack identification requirements sent by a cloud service or a local cluster server. The requirements may be stored in a sparse matrix and are independent of one another, without mutual interference. When a network attack identification requirement reaches the deep analysis model, it is analysed into a corresponding deep analysis result. If an incoming network attack identification requirement is delayed, it is given a higher analysis dispatch priority.
In this embodiment, the deep analysis of the network traffic data uses a deep analysis model which, in each iteration, applies the strategy ideas of multilayer convolutional neurons, classification analysis, deep unsupervised learning and the like. Based on these principles, network attack identification requirements are fed in as requests, pass through the multilayer convolutional neurons, classification analysis and deep unsupervised learning analysis, and the corresponding network attack identification scheme is output. As shown in fig. 3, the input quantities of the multilayer convolutional neural network comprise: a misjudgment rate W (= differential traffic per unit time that was not detected / total differential-traffic analysis and detection per unit time), a response delay rate E (= time per unit time during which traffic detection is ineffectively occupied / total unit time), and a correct rate C (= successful differential-traffic detections per unit time / total differential traffic per unit time). The output quantity is the network attack identification scheme.
Optionally, performing deep analysis on the network traffic data may include:
s1: setting an iteration initial parameter and a maximum iteration number;
s2: analyzing the network flow data based on the misjudgment rate, the response delay rate and the accuracy to obtain a network attack identification scheme with the optimal matching degree;
s3: judging whether the network attack recognition scheme with the optimal matching degree meets preset evaluation conditions, and if so, turning to the step S6; if not, go to step S4;
s4: deep unsupervised learning is carried out on the misjudgment rate, the response delay rate and the accuracy rate;
s5: adding 1 to the iteration times, judging whether the current iteration times are smaller than the maximum iteration times, if so, returning to execute the step S2, and if not, executing the step S6;
s6: and outputting the network attack identification scheme with the optimal matching degree as a final network attack identification scheme.
In this embodiment, the false positive rate, the response delay rate, and the accuracy rate may be preset by the intelligent network attack classification analysis and detection system in advance, and are continuously optimized through deep unsupervised learning, and then a better network attack identification scheme with low response delay, low false positive rate, and high accuracy rate is obtained through the continuously optimized false positive rate, response delay rate, and accuracy rate.
In this embodiment, when the network attack identification scheme with the optimal matching degree at an intermediate iteration does not satisfy the preset evaluation condition, it is further optimised iteratively. To avoid unbounded iteration, the maximum iteration number can be set to 45-55, preferably 50; when the iteration count reaches 50, the scheme is deemed by default to satisfy the preset evaluation condition. Finally, the optimal-matching-degree scheme that either meets the evaluation condition or is reached at the maximum iteration number is selected as the final network attack identification scheme.
In this embodiment, as shown in fig. 4, each network attack identification scheme with the optimal matching degree may be stored as a three-dimensional vector whose three coordinates at least comprise a misjudgment rate, a response delay rate and a correct rate, where the misjudgment rate is the ratio of differential traffic per unit time that went undetected to the total differential-traffic analysis and detection per unit time, the response delay rate is the ratio of time per unit time during which traffic detection is ineffectively occupied to the total unit time, and the correct rate is the ratio of successful differential-traffic detections per unit time to the total differential traffic per unit time.
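As an added example (not code from the patent), the S1-S6 loop above in Python, driven by W, E and C exactly as the description defines them, with each iteration's best scheme kept as a three-dimensional (W, E, C) vector. Because the page's formulas survive only as figure references, the matching-degree score, the evaluation threshold, the value of μ, the refinement stand-in for step S4 and the use of detection thresholds as candidate schemes are all assumptions, and the sample flows are constructed.

```python
"""Added example (not the patent's own code): the S1-S6 deep-analysis loop
of CN112437085B driven by the three rates W, E, C the description defines.

ASSUMED (the page's formulas are not reproduced): the matching-degree score,
the evaluation threshold, the value of mu, the S4 refinement rule, and the
use of a detection threshold as the "scheme". Sample flows are constructed.
"""
from dataclasses import dataclass

MAX_ITERATIONS = 50    # description: 45-55, preferably 50
MU = 0.5               # adjustment coefficient mu (value assumed)
EVAL_THRESHOLD = 2.9   # S3 evaluation condition on the score (assumed)
WINDOW_S = 10.0        # length of one unit-time window in seconds (constructed)


@dataclass(frozen=True)
class Flow:
    """One inspected flow in a unit-time window (constructed sample data)."""
    score: float        # anomaly score assigned by the analysis, 0..1
    differential: bool  # ground truth: the flow is real differential (attack) traffic
    cost_s: float       # detector time spent on this flow, seconds


# Constructed window: 10 flows, 4 of them real attack traffic.
SAMPLE_WINDOW = [
    Flow(0.95, True, 1.0), Flow(0.80, True, 1.0),
    Flow(0.60, True, 1.0), Flow(0.30, True, 1.0),
    Flow(0.70, False, 1.5), Flow(0.50, False, 1.5),
    Flow(0.20, False, 0.5), Flow(0.10, False, 0.5),
    Flow(0.05, False, 0.5), Flow(0.02, False, 0.5),
]


def rates(window, threshold):
    """Return (W, E, C) for a candidate scheme that flags flows with score >= threshold.

    W: misjudgment rate    = differential flows not detected / flows analysed
    E: response delay rate = detector time spent without a valid result
                             (time on flagged benign flows) / unit time
    C: correct rate        = differential flows detected / differential flows
    """
    diff = [f for f in window if f.differential]
    missed = [f for f in diff if f.score < threshold]
    wasted = sum(f.cost_s for f in window
                 if f.score >= threshold and not f.differential)
    W = len(missed) / len(window)
    E = wasted / WINDOW_S
    C = (len(diff) - len(missed)) / len(diff) if diff else 0.0
    return W, E, C


def matching_score(r, C_kmax, E_kmin, W_kmin):
    """ASSUMED matching degree: each rate normalised against the iteration's
    best value (C_kmax, E_kmin, W_kmin), the symbols the description names.
    Ranges 0..3; 3 means best in all three dimensions."""
    W, E, C = r

    def part(num, den):
        return num / den if den else 0.0

    return part(C, C_kmax) + part(1 - E, 1 - E_kmin) + part(1 - W, 1 - W_kmin)


def refine(candidates, best):
    """Stand-in for step S4 (the page's deep unsupervised learning, whose
    formula is not reproduced): pull every candidate toward the current best
    by the adjustment coefficient mu."""
    return [th + MU * (best - th) for th in candidates]


def deep_analysis(window, candidates):
    """Steps S1-S6. Returns (best_threshold, (W, E, C), iterations, history);
    history keeps each iteration's best scheme as a 3-D (W, E, C) vector (fig. 4)."""
    k = 0                       # S1: initial iteration parameter
    history = []
    while True:
        # S2: evaluate every candidate scheme and pick the best matching degree
        results = {th: rates(window, th) for th in candidates}
        C_kmax = max(c for _, _, c in results.values())
        E_kmin = min(e for _, e, _ in results.values())
        W_kmin = min(w for w, _, _ in results.values())
        scores = {th: matching_score(r, C_kmax, E_kmin, W_kmin)
                  for th, r in results.items()}
        best = max(scores, key=scores.get)
        history.append(results[best])
        # S3: evaluation condition met -> S6
        if scores[best] >= EVAL_THRESHOLD:
            break
        # S4: refine the candidate schemes
        candidates = refine(candidates, best)
        # S5: count the iteration and stop at the maximum
        k += 1
        if k >= MAX_ITERATIONS:
            break
    return best, results[best], k, history   # S6
```

Because the assumed score normalises each rate against the current candidate set, a set of candidates that has converged scores a perfect 3 whatever its absolute quality, which is why the maximum-iteration cap the description insists on matters; a production version would also want an absolute floor on C before a scheme is accepted.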
Optionally, in the step of analyzing the network traffic data based on the misjudgment rate, the response delay rate, and the accuracy to obtain the network attack recognition scheme with the optimal matching degree, the network attack recognition scheme with the optimal matching degree may be obtained according to the following calculation formula:
Figure BDA0002792810050000091
where k is the iteration number; i, j and t are dimensions; m, n and p are the maximum values of i, j and t respectively;
Figure BDA0002792810050000092
is the correct rate at the k-th iteration;
Figure BDA0002792810050000093
is the response delay rate at the k-th iteration;
Figure BDA0002792810050000094
is the misjudgment rate at the k-th iteration; C_kmax is the maximum correct rate at the k-th iteration; E_kmin is the minimum response delay rate at the k-th iteration; W_kmin is the minimum misjudgment rate at the k-th iteration.
Optionally, the network attack recognition scheme with the optimal matching degree determines the classification category through a decision tree classifier, and the decision tree classifier satisfies the following formula:
Figure BDA0002792810050000095
where k is the iteration number; i, j and t are dimensions; m, n and p are the maximum values of i, j and t respectively;
Figure BDA0002792810050000096
is the correct rate at the k-th iteration;
Figure BDA0002792810050000097
is the response delay rate at the k-th iteration;
Figure BDA0002792810050000101
is the misjudgment rate at the k-th iteration.
Optionally, whether the network attack recognition scheme with the optimal matching degree meets a preset evaluation condition is judged, and the judgment is specifically carried out according to the following formula:
Figure BDA0002792810050000102
where k is the iteration number; i, j and t are dimensions; m, n and p are the maximum values of i, j and t respectively;
Figure BDA0002792810050000103
is the correct rate at the k-th iteration;
Figure BDA0002792810050000104
is the response delay rate at the k-th iteration;
Figure BDA0002792810050000105
is the misjudgment rate at the k-th iteration; P is the probability.
Optionally, deep unsupervised learning is performed on the false positive rate, the response delay rate and the accuracy rate, specifically according to the following formula:
Figure BDA0002792810050000106
Figure BDA0002792810050000107
where M_ijt^(k+1) is an information vector composed mainly of the three components
Figure BDA0002792810050000108
;
Figure BDA0002792810050000109
is the correct rate at the (k+1)-th iteration;
Figure BDA00027928100500001010
is the response delay rate at the (k+1)-th iteration;
Figure BDA00027928100500001011
is the misjudgment rate at the (k+1)-th iteration; μ is an adjustment coefficient; k is the iteration number; i, j and t are dimensions; B_ijt^(k+1) is the deep unsupervised learning enhancement factor at the (k+1)-th iteration;
where the deep unsupervised learning enhancement factor B_ijt^(k+1) is obtained according to the following formula:
Figure BDA00027928100500001012
where C_kmax is the maximum correct rate at the k-th iteration; E_kmin is the minimum response delay rate at the k-th iteration; W_kmin is the minimum misjudgment rate at the k-th iteration.
And step S106, identifying suspicious network behaviors and suspicious source IP addresses in the network traffic data according to the final network attack identification scheme, and intercepting the network traffic data corresponding to the suspicious network behaviors and the suspicious source IP addresses.
In the network attack identification method provided by this embodiment, network traffic data comprising a source IP address and network behaviors is acquired; deep analysis of the network traffic data yields a final network attack identification scheme with low response delay, low misjudgment rate and high correct rate; suspicious network behaviors and suspicious source IP addresses in the network traffic data are then identified according to that scheme, and the corresponding network traffic data is intercepted, so that attacks by hackers are effectively prevented and the security of the system is improved. This solves the problem that the traditional network attack identification approach used in the prior art is gradually becoming unable to keep up with the continual upgrading and mutation of network attacks, and suffers from high response delay and a high misjudgment rate.
As shown in fig. 5, this embodiment further provides a network attack recognition apparatus, including:
a data obtaining module 21, configured to obtain network traffic data, where the network traffic data includes a source IP address and a network behavior;
the deep analysis module 22 is connected with the data acquisition module 21 and is used for performing deep analysis on the network traffic data to obtain a final network attack identification scheme;
and the identification processing module 23 is connected to the deep analysis module 22, and is configured to identify a suspicious network behavior and a suspicious source IP address in the network traffic data according to the final network attack identification scheme, and intercept the network traffic data corresponding to the suspicious network behavior and the suspicious source IP address.
Optionally, the deep analysis module 22 may include:
the setting unit is used for setting an iteration initial parameter and the maximum iteration times;
the analysis unit is used for analyzing the network traffic data based on the misjudgment rate, the response delay rate and the accuracy rate to obtain a network attack identification scheme with the optimal matching degree;
the evaluation judging unit is used for judging whether the network attack identification scheme with the optimal matching degree meets preset evaluation conditions or not;
the learning unit is used for carrying out deep unsupervised learning on the misjudgment rate, the response delay rate and the accuracy rate;
the iteration judging unit is used for adding 1 to the iteration times and judging whether the current iteration times are smaller than the maximum iteration times or not;
and the output unit is used for outputting the network attack identification scheme with the optimal matching degree as a final network attack identification scheme.
Optionally, the misjudgment rate is the ratio of the amount of traffic with a differing flow rate that goes undetected per unit time to the total amount of flow-rate-difference analysis and detection per unit time; the response delay rate is the ratio of the time occupied by ineffective flow-rate detection per unit time to the total time per unit time; and the accuracy is the ratio of the amount of differing-flow-rate traffic successfully detected per unit time to the total amount of differing-flow-rate traffic per unit time.
Optionally, the analysis unit is specifically configured to analyze the network traffic data based on the misjudgment rate, the response delay rate and the accuracy according to the following formula, to obtain the network attack identification scheme with the optimal matching degree:
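The iteration loop performed by the deep analysis module (setting initial parameters and a maximum iteration count, analyzing candidate schemes on the misjudgment rate, response delay rate and accuracy, checking the preset evaluation condition, learning, counting iterations, and outputting the best-matching scheme), followed by the identification and interception step, as an added Python example written for this page. It is not the patent's own code: the patent's matching-degree formula, evaluation condition and learning update are not reproduced on the page, so the score C - W - E, the thresholds in `meets_evaluation`, the neighborhood search over a rate threshold and an observation window, and the step-refinement update are all assumptions, as are the sample flows, their rates and their attack labels.

```python
from dataclasses import dataclass
from typing import List, Sequence, Set, Tuple

UNIT_TIME = 3  # seconds of per-flow rate samples in one analysis window (constructed)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    behavior: str
    rates_kbps: Tuple[int, ...]  # one sample per second, UNIT_TIME samples
    is_attack: bool              # constructed label, used only to score schemes


# Constructed sample flows; the labels stand in for the flow-rate difference
# analysis the patent uses to judge whether a detection was correct.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.0.0.5", "http_get", (40, 45, 42), False),
    Flow("10.0.0.6", "dns_query", (20, 18, 22), False),
    Flow("10.0.0.7", "http_get", (55, 60, 58), False),
    Flow("198.51.100.4", "dns_query", (95, 90, 98), False),  # busy but legitimate
    Flow("10.0.0.10", "http_get", (160, 30, 20), False),      # short burst, then quiet
    Flow("203.0.113.10", "syn_flood", (900, 950, 990), True),
    Flow("203.0.113.11", "udp_flood", (30, 300, 600), True),  # ramps up: a 1 s window misses it
    Flow("203.0.113.12", "http_get", (80, 200, 260), True),   # slow ramp on a common behavior
]


@dataclass(frozen=True)
class Scheme:
    # Candidate scheme (assumed form): average the first `window` seconds of a
    # flow's rate and flag the flow when that average exceeds `threshold` kbps.
    threshold: int
    window: int


@dataclass(frozen=True)
class Rates:
    accuracy: float     # C: correctly judged flows / all flows
    delay_rate: float   # E: observation time spent before a decision / unit time
    misjudgment: float  # W: attack flows left undetected / attack flows


def flagged(scheme: Scheme, flow: Flow) -> bool:
    samples = flow.rates_kbps[:scheme.window]
    return sum(samples) / len(samples) > scheme.threshold


def evaluate(scheme: Scheme, flows: Sequence[Flow]) -> Rates:
    correct = attacks = missed = 0
    for flow in flows:
        hit = flagged(scheme, flow)
        correct += hit == flow.is_attack
        if flow.is_attack:
            attacks += 1
            missed += not hit
    return Rates(correct / len(flows), scheme.window / UNIT_TIME,
                 missed / attacks if attacks else 0.0)


def matching_degree(r: Rates) -> float:
    # Assumed stand-in for the patent's matching-degree formula, which is not on the page.
    return r.accuracy - r.misjudgment - r.delay_rate


def meets_evaluation(r: Rates) -> bool:
    # Assumed preset evaluation condition for step S3.
    return r.accuracy >= 0.9 and r.misjudgment <= 0.1 and r.delay_rate <= 0.7


def neighborhood(current: Scheme, step: int) -> List[Scheme]:
    return [Scheme(t, w)
            for t in (current.threshold - step, current.threshold, current.threshold + step)
            for w in (current.window - 1, current.window, current.window + 1)
            if t > 0 and 1 <= w <= UNIT_TIME]


def deep_analysis(flows: Sequence[Flow], initial: Scheme = Scheme(300, 1),
                  step: int = 100, max_iter: int = 10) -> Tuple[Scheme, Rates, int]:
    """Steps S1-S6: stop when the best-matching scheme meets the evaluation
    condition, or output the best scheme seen once max_iter is reached."""
    current = initial                                   # S1: initial parameters
    best, best_rates = current, evaluate(current, flows)
    k = 0
    while True:
        # S2: analyze the neighborhood of the current parameters on the three rates
        scored = [(c, evaluate(c, flows)) for c in neighborhood(current, step)]
        cand, cand_rates = max(scored, key=lambda cr: matching_degree(cr[1]))
        if matching_degree(cand_rates) > matching_degree(best_rates):
            best, best_rates = cand, cand_rates
        if meets_evaluation(cand_rates):                # S3
            return cand, cand_rates, k                  # S6
        if cand == current:                             # S4: assumed learning update:
            step = max(step // 2, 1)                    # refine the step once the search stalls
        current = cand
        k += 1                                          # S5
        if k >= max_iter:
            return best, best_rates, k                  # S6


def identify(scheme: Scheme, flows: Sequence[Flow]) -> Tuple[Set[str], Set[str]]:
    """Step S106: suspicious source IPs and behaviors under the final scheme."""
    hits = [f for f in flows if flagged(scheme, f)]
    return {f.src_ip for f in hits}, {f.behavior for f in hits}


def intercept(flows: Sequence[Flow], suspicious_ips: Set[str]) -> Tuple[List[Flow], List[Flow]]:
    """Split traffic into (forwarded, intercepted) by suspicious source IP."""
    forwarded = [f for f in flows if f.src_ip not in suspicious_ips]
    return forwarded, [f for f in flows if f.src_ip in suspicious_ips]


if __name__ == "__main__":
    scheme, rates, k = deep_analysis(SAMPLE_FLOWS)
    ips, behaviors = identify(scheme, SAMPLE_FLOWS)
    forwarded, blocked = intercept(SAMPLE_FLOWS, ips)
    print(f"final scheme {scheme} after {k} iteration(s): {rates}")
    print("suspicious source IPs:", sorted(ips), "behaviors:", sorted(behaviors))
    print(f"intercepted {len(blocked)} flow(s), forwarded {len(forwarded)}")
```

On the constructed flows the search starts at a 1-second window, which keeps the response delay rate low but misses the two ramping attacks, and moves in the second iteration to a 2-second window with a 100 kbps threshold, which catches all three attacks without flagging the legitimate burst from 10.0.0.10. Note that interception is keyed on source IP: the suspicious behavior set also contains `http_get` because one attack flow uses it, and blocking on behavior alone would drop the legitimate `http_get` traffic from 10.0.0.5 and 10.0.0.7.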
Figure BDA0002792810050000121
in the formula, k is the iteration number; i, j and t are dimensions; m, n and p are the maximum values of i, j and t respectively;
Figure BDA0002792810050000122
is the accuracy at the k-th iteration;
Figure BDA0002792810050000123
is the response delay rate at the k-th iteration;
Figure BDA0002792810050000124
is the misjudgment rate at the k-th iteration; C_{kmax} is the maximum accuracy at the k-th iteration; E_{kmin} is the minimum response delay rate at the k-th iteration; W_{kmin} is the minimum misjudgment rate at the k-th iteration.
Optionally, the network attack recognition scheme with the optimal matching degree determines the classification category through a decision tree classifier, where the decision tree classifier satisfies the following formula:
Figure BDA0002792810050000125
wherein k is the iteration number; i, j and t are dimensions; m, n and p are the maximum values of i, j and t respectively;
Figure BDA0002792810050000126
is the accuracy at the k-th iteration;
Figure BDA0002792810050000127
is the response delay rate at the k-th iteration;
Figure BDA0002792810050000128
is the misjudgment rate at the k-th iteration.
Optionally, the evaluation and determination unit is specifically configured to determine whether the network attack identification scheme with the optimal matching degree meets a preset evaluation condition according to the following formula:
Figure BDA0002792810050000129
wherein k is the iteration number; i, j and t are dimensions; m, n and p are the maximum values of i, j and t respectively;
Figure BDA00027928100500001210
is the accuracy at the k-th iteration;
Figure BDA00027928100500001211
is the response delay rate at the k-th iteration;
Figure BDA0002792810050000131
is the misjudgment rate at the k-th iteration; p is the probability.
Optionally, the learning unit is specifically configured to perform deep unsupervised learning on the misjudgment rate, the response delay rate and the accuracy according to the following formulas:
Figure BDA0002792810050000132
Figure BDA0002792810050000133
wherein M_{ijt}^{k+1} mainly comprises
Figure BDA0002792810050000134
an information vector of three aspects,
Figure BDA0002792810050000135
is the accuracy in the (k+1)-th iteration,
Figure BDA0002792810050000136
is the response delay rate in the (k+1)-th iteration,
Figure BDA0002792810050000137
is the misjudgment rate in the (k+1)-th iteration, μ is an adjustment coefficient, and k is the iteration number; i, j and t are dimensions; B_{ijt}^{k+1} is the deep unsupervised learning enhancement factor in the (k+1)-th iteration;
wherein the deep unsupervised learning enhancement factor B_{ijt}^{k+1} is obtained according to the following formula:
Figure BDA0002792810050000138
in the formula, C_{kmax} is the maximum accuracy at the k-th iteration; E_{kmin} is the minimum response delay rate at the k-th iteration; W_{kmin} is the minimum misjudgment rate at the k-th iteration.
The network attack recognition apparatus provided by the embodiment of the invention obtains network traffic data including a source IP address and a network behavior; performs deep analysis on the network traffic data to obtain a final network attack identification scheme with low response delay, a low misjudgment rate and high accuracy; then identifies the suspicious network behaviors and suspicious source IP addresses in the network traffic data according to the final network attack identification scheme and intercepts the corresponding network traffic data, so that hacker attacks are effectively prevented and the security of the system is improved. This addresses the problems of the traditional network attack recognition approach adopted in the prior art, which cannot keep pace with the growing demands created by upgraded and mutated network attacks, and which suffers from high response delay and a high misjudgment rate.
It will be understood that the above embodiments are merely exemplary embodiments taken to illustrate the principles of the present invention, which is not limited thereto. It will be apparent to those skilled in the art that various modifications and improvements can be made without departing from the spirit and substance of the invention, and these modifications and improvements are also considered to be within the scope of the invention.

Claims (5)

1. A network attack recognition method is characterized by comprising the following steps:
acquiring network traffic data, wherein the network traffic data comprises a source IP address and network behaviors;
carrying out deep analysis on the network traffic data to obtain a final network attack identification scheme;
identifying suspicious network behaviors and suspicious source IP addresses in the network traffic data according to the final network attack identification scheme, and intercepting the network traffic data corresponding to the suspicious network behaviors and the suspicious source IP addresses;
the deep analysis of the network traffic data includes:
S1: setting an iteration initial parameter and a maximum iteration number;
S2: analyzing the network traffic data based on the misjudgment rate, the response delay rate and the accuracy to obtain a network attack identification scheme with the optimal matching degree;
S3: judging whether the network attack recognition scheme with the optimal matching degree meets preset evaluation conditions, and if so, turning to step S6; if not, going to step S2;
S4: performing deep unsupervised learning on the misjudgment rate, the response delay rate and the accuracy;
S5: adding 1 to the iteration number, and judging whether the current iteration number is smaller than the maximum iteration number; if so, returning to step S2, and if not, executing step S6;
S6: outputting the network attack identification scheme with the optimal matching degree as the final network attack identification scheme;
the misjudgment rate is the ratio of the amount of traffic with a differing flow rate that goes undetected per unit time to the total amount of flow-rate-difference analysis and detection per unit time; the response delay rate is the ratio of the time occupied by ineffective flow-rate detection per unit time to the total time per unit time; and the accuracy is the ratio of the amount handled by differing-flow-rate detection per unit time to the total amount of differing-flow-rate traffic per unit time;
in the step of analyzing the network traffic data based on the misjudgment rate, the response delay rate and the accuracy rate to obtain the network attack recognition scheme with the optimal matching degree, the network attack recognition scheme with the optimal matching degree is obtained according to the following calculation formula:
Figure FDA0003870301850000021
in the formula, k is the iteration number; i, j and t are dimensions; m, n and p are the maximum values of i, j and t respectively;
Figure FDA0003870301850000022
is the accuracy at the k-th iteration;
Figure FDA0003870301850000023
is the response delay rate at the k-th iteration;
Figure FDA0003870301850000024
is the misjudgment rate at the k-th iteration; C_{kmax} is the maximum accuracy at the k-th iteration; E_{kmin} is the minimum response delay rate at the k-th iteration; W_{kmin} is the minimum misjudgment rate at the k-th iteration.
2. The network attack recognition method according to claim 1, wherein the network attack recognition scheme with the optimal matching degree determines classification categories through a decision tree classifier, and the decision tree classifier satisfies the following formula:
Figure FDA0003870301850000025
wherein k is the iteration number; i, j and t are dimensions; m, n and p are the maximum values of i, j and t respectively;
Figure FDA0003870301850000026
is the accuracy at the k-th iteration;
Figure FDA0003870301850000027
is the response delay rate at the k-th iteration;
Figure FDA0003870301850000028
is the misjudgment rate at the k-th iteration.
3. The method for identifying a network attack according to claim 2, wherein the judgment of whether the network attack identification scheme with the optimal matching degree meets a preset evaluation condition is specifically performed according to the following formula:
Figure FDA0003870301850000029
wherein k is the iteration number; i, j and t are dimensions; m, n and p are the maximum values of i, j and t respectively;
Figure FDA00038703018500000210
is the accuracy at the k-th iteration;
Figure FDA00038703018500000211
is the response delay rate at the k-th iteration;
Figure FDA00038703018500000212
is the misjudgment rate at the k-th iteration; p is the probability.
4. The method according to claim 3, wherein the deep unsupervised learning is performed on the misjudgment rate, the response delay rate and the accuracy specifically according to the following formulas:
Figure FDA0003870301850000031
Figure FDA0003870301850000032
wherein
Figure FDA0003870301850000033
mainly comprises
Figure FDA0003870301850000034
an information vector of three aspects,
Figure FDA0003870301850000035
is the accuracy at the (k+1)-th iteration,
Figure FDA0003870301850000036
is the response delay rate at the (k+1)-th iteration,
Figure FDA0003870301850000037
is the misjudgment rate at the (k+1)-th iteration, μ is an adjustment coefficient, and k is the iteration number; i, j and t are dimensions;
Figure FDA0003870301850000038
is the deep unsupervised learning enhancement factor in the (k+1)-th iteration;
wherein the deep unsupervised learning enhancement factor
Figure FDA0003870301850000039
is obtained according to the following formula:
Figure FDA00038703018500000310
in the formula, C_{kmax} is the maximum accuracy at the k-th iteration; E_{kmin} is the minimum response delay rate at the k-th iteration; W_{kmin} is the minimum misjudgment rate at the k-th iteration.
5. An apparatus for identifying a cyber attack, comprising:
the data acquisition module is used for acquiring network traffic data, and the network traffic data comprises a source IP address and network behaviors;
the deep analysis module is connected with the data acquisition module and is used for carrying out deep analysis on the network traffic data to obtain a final network attack identification scheme;
the identification processing module is connected with the deep analysis module and is used for identifying suspicious network behaviors and suspicious source IP addresses in the network traffic data according to the final network attack identification scheme and intercepting the network traffic data corresponding to the suspicious network behaviors and the suspicious source IP addresses;
the deep analysis module includes:
the setting unit is used for setting iteration initial parameters and the maximum iteration times;
the analysis unit is used for analyzing the network traffic data based on the misjudgment rate, the response delay rate and the accuracy rate to obtain a network attack identification scheme with the optimal matching degree;
the evaluation judging unit is used for judging whether the network attack identification scheme with the optimal matching degree meets preset evaluation conditions or not;
the learning unit is used for carrying out deep unsupervised learning on the misjudgment rate, the response delay rate and the accuracy rate;
the iteration judging unit is used for adding 1 to the iteration times and judging whether the current iteration times are smaller than the maximum iteration times;
the output unit is used for outputting the network attack identification scheme with the optimal matching degree as a final network attack identification scheme;
the misjudgment rate is the ratio of the amount of traffic with a differing flow rate that goes undetected per unit time to the total amount of flow-rate-difference analysis and detection per unit time; the response delay rate is the ratio of the time occupied by ineffective flow-rate detection per unit time to the total time per unit time; and the accuracy is the ratio of the amount handled by differing-flow-rate detection per unit time to the total amount of differing-flow-rate traffic per unit time;
the analysis unit is specifically configured to execute the following formula to obtain the network attack identification scheme with the optimal matching degree:
Figure FDA0003870301850000041
in the formula, k is the iteration number; i, j and t are dimensions; m, n and p are the maximum values of i, j and t respectively;
Figure FDA0003870301850000042
is the accuracy at the k-th iteration;
Figure FDA0003870301850000043
is the response delay rate at the k-th iteration;
Figure FDA0003870301850000044
is the misjudgment rate at the k-th iteration; C_{kmax} is the maximum accuracy at the k-th iteration; E_{kmin} is the minimum response delay rate at the k-th iteration; W_{kmin} is the minimum misjudgment rate at the k-th iteration.
CN202011320697.2A 2020-11-23 2020-11-23 Network attack identification method and device Active CN112437085B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011320697.2A CN112437085B (en) 2020-11-23 2020-11-23 Network attack identification method and device


Publications (2)

Publication Number Publication Date
CN112437085A CN112437085A (en) 2021-03-02
CN112437085B true CN112437085B (en) 2023-03-24

Family

ID=74692904


Country Status (1)

Country Link
CN (1) CN112437085B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115426167B (en) * 2022-08-31 2024-07-19 中国联合网络通信集团有限公司 Black product identification method and device and computer readable storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018126984A2 (en) * 2017-01-06 2018-07-12 江南大学 Mea-bp neural network-based wsn abnormality detection method
CN108900556A (en) * 2018-08-24 2018-11-27 海南大学 Ddos attack detection method based on HMM and chaotic model
CN111600877A (en) * 2020-05-14 2020-08-28 湖南大学 LDoS attack detection method based on MF-Ada algorithm


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Optimization method for wireless network attack behavior detection based on semi-supervised learning; Wang Ting et al.; Journal of Computer Research and Development (《计算机研究与发展》); 20200430; chapters 3-4 *

Also Published As

Publication number Publication date
CN112437085A (en) 2021-03-02


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant