CN112437099A - Network attack detection method and device, storage medium and electronic equipment - Google Patents

Info

Publication number
CN112437099A
Authority
CN
China
Prior art keywords
sample
attack
training
message
model
Prior art date
Legal status
Granted
Application number
CN202110107046.3A
Other languages
Chinese (zh)
Other versions
CN112437099B (en)
Inventor
申军利
郑兴
许艾斯
彭婧
华珊珊
郭晶
刘羽
范宇河
唐文韬
何澍
常优
王悦
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202110107046.3A
Publication of CN112437099A
Application granted
Publication of CN112437099B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 3/00 Computing arrangements based on biological models
    • G06N 3/02 Neural networks
    • G06N 3/04 Architecture, e.g. interconnection topology
    • G06N 3/044 Recurrent networks, e.g. Hopfield networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 3/00 Computing arrangements based on biological models
    • G06N 3/02 Neural networks
    • G06N 3/04 Architecture, e.g. interconnection topology
    • G06N 3/045 Combinations of networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 3/00 Computing arrangements based on biological models
    • G06N 3/02 Neural networks
    • G06N 3/08 Learning methods

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • General Physics & Mathematics (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Evolutionary Computation (AREA)
  • Biomedical Technology (AREA)
  • Molecular Biology (AREA)
  • Artificial Intelligence (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Biophysics (AREA)
  • Mathematical Physics (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network attack detection method and device, a storage medium and electronic equipment. The method comprises the following steps: obtaining a captured first target message; inputting the first target message into a first target discrimination model to obtain a first target discrimination result output by that model; and, when the first target discrimination result indicates that the first target message is an attack message, inputting the first target message into a target long short-term memory model to obtain a second target discrimination result output by that model. The captured first target message is thereby checked a second time for being an attack message, which improves the accuracy of the network attack detection result when a user's system is being protected and effectively protects the privacy and security of the user. The invention solves the technical problems of poor detection capability and low detection accuracy for network attacks in the related art.

Description

Network attack detection method and device, storage medium and electronic equipment
Technical Field
The present invention relates to the field of computers, and in particular, to a method and an apparatus for detecting a network attack, a storage medium, and an electronic device.
Background
In recent years, network attacks have remained abundant in network environments and threaten the security of users. For example, Advanced Persistent Threats (APT) are increasing, and APT is among the attack means that are most difficult to prevent. Such attacks usually have a very clear purpose: the attacker penetrates the target system through a complex intrusion that cannot be resisted, remains concealed there for a long time, and finally carries out the destruction.
Currently, common APT-related detection methods include sandbox-based malicious code detection, detection based on anomalous traffic, full packet capture and analysis, host malicious code detection, social network security event mining, and the like. These methods can only deal with APT attacks that have a fixed attack pattern and a short time span, so their range of application is small. APT attacks are large in scale and long in duration, so sample data is expensive to acquire, the attack data is homogeneous and sample attack data is scarce; and because the time span of an APT attack is large, the network attack detection results obtained in the related art when a user defends against APT attacks are not accurate enough, and the privacy and security of the user are difficult to protect effectively.
In view of the above problems, no effective solution has been proposed.
Disclosure of Invention
The embodiment of the invention provides a network attack detection method and device, a storage medium and electronic equipment, and aims to at least solve the technical problems of poor network attack detection capability and low detection accuracy rate in the related technology.
According to an aspect of the embodiments of the present invention, a method for detecting a network attack is provided, including: acquiring a captured first target message; inputting the first target message into a first target discrimination model to obtain a first target discrimination result output by the first target discrimination model, wherein the first target discrimination result is used for indicating whether the first target message is an attack message, the first target discrimination model is a model obtained by training a first training discrimination model by using a first sample attack message set and a second sample attack message set, the first sample attack message set comprises a captured group of sample attack messages, and the second sample attack message set comprises attack messages generated according to the sample attack messages in the first sample attack message set;
and under the condition that the first target judgment result shows that the first target message is an attack message, inputting the first target message into a target long-short term memory model to obtain a second target judgment result output by the target long-short term memory model, wherein the second target judgment result is used for showing whether the first target message is the attack message or not.
According to another aspect of the embodiments of the present invention, there is also provided a device for detecting a network attack, including:
the acquisition module is used for acquiring the captured first target message;
a first input module, configured to input the first target packet into a first target discrimination model, to obtain a first target discrimination result output by the first target discrimination model, where the first target discrimination result is used to indicate whether the first target packet is an attack packet, the first target discrimination model is a model obtained by training a first training discrimination model using a first sample attack packet set and a second sample attack packet set, the first sample attack packet set includes a captured group of sample attack packets, and the second sample attack packet set includes an attack packet generated according to a sample attack packet in the first sample attack packet set;
and the second input module is used for inputting the first target message into a target long-short term memory model under the condition that the first target judgment result shows that the first target message is an attack message, so as to obtain a second target judgment result output by the target long-short term memory model, wherein the second target judgment result is used for showing whether the first target message is an attack message.
Optionally, the apparatus is further configured to:
and training the first training discrimination model by using the first sample attack packet set and the second sample attack packet set to obtain the first target discrimination model.
Optionally, the apparatus is further configured to train the first training discrimination model using the first sample attack packet set and the second sample attack packet set to obtain the first target discrimination model in the following manner:
repeatedly executing the following steps until the first target discrimination model is obtained:
sequentially inputting M sample attack messages in the first sample attack message set and M sample random noises in the sample random noise set into a training generation model to obtain M sample attack messages sequentially generated by the training generation model, wherein the second sample attack message set comprises the M sample attack messages sequentially generated by the training generation model, an input item input into the target generation model each time comprises a sample attack message and a sample random noise, the training generation model is used for generating an attack message matched with the input sample attack message according to the input sample random noise each time, and M is a natural number;
and training the first training discrimination model by using the M sample attack messages in the first sample attack message set and the M sample attack messages sequentially generated by the training generation model.
Optionally, the apparatus is further configured to train the first training discriminant model by using the M sample attack packets in the first sample attack packet set and the M sample attack packets sequentially generated by the training generation model in the following manner:
acquiring a training sample message set, wherein the training sample message set comprises M sample attack messages in the first sample attack message set, M sample attack messages sequentially generated by the training generation model and an acquired normal message set;
the following steps are repeatedly executed until the training is finished:
acquiring a training sample message to be input from the training sample message set;
inputting the training sample message into the first training discriminant model to obtain a sample discriminant result output by the first training discriminant model, wherein the sample discriminant result is used for indicating whether the training sample message is an attack message;
determining a value of a first loss function of the first training discrimination model according to the sample discrimination result and an actual discrimination result of the training sample message, wherein the actual discrimination result is used for indicating whether the training sample message is an attack message or not;
adjusting parameters in the first training discriminant model and the training generation model or adjusting parameters in the first training discriminant model under the condition that the value of the first loss function does not meet a preset first loss condition;
and under the condition that the value of the first loss function meets the first loss condition, ending the training of the first training discriminant model, wherein the first target discriminant model is the first training discriminant model when the training is ended.
Optionally, the apparatus is further configured to obtain a training sample packet set by:
and randomly sequencing the M sample attack messages in the first sample attack message set, the M sample attack messages sequentially generated by the training generation model and the normal message set to obtain the training sample message set.
Optionally, the apparatus is further configured to sequentially input the M sample attack packets in the first sample attack packet set and the M sample random noises in the sample random noise set to a training generation model, so as to obtain M sample attack packets sequentially generated by the training generation model:
under the condition that the first sample attack message set comprises N first sample attack message subsets, each first sample attack message subset comprising sample attack messages of the same attack type, executing the following steps for each first sample attack message subset, wherein N is a natural number greater than 1, in the following steps each first sample attack message subset in turn is regarded as the current sample attack message subset, and the sample attack messages in the current sample attack message subset belong to the current attack type:
sequentially inputting M1 sample attack messages in the first sample attack message subset and M1 sample random noises in the sample random noise set to a current training generation submodel corresponding to the current attack type, to obtain M1 sample attack messages sequentially generated by the current training generation submodel, wherein the training generation model comprises N training generation submodels, the second sample attack message set comprises N second attack message subsets, the second attack message subset corresponding to the current attack type in the second sample attack message set comprises the M1 sample attack messages sequentially generated by the current training generation submodel, an input item input to the current training generation submodel each time comprises a sample attack message and a sample random noise, and the current training generation submodel is used for generating, each time according to the input sample random noise, an attack message that matches the input sample attack message and whose type is the current attack type, where M1 is a natural number and M1 is less than or equal to M.
Optionally, the apparatus is further configured to train the first training discriminant model by using the M sample attack packets in the first sample attack packet set and the M sample attack packets sequentially generated by the training generation model in the following manner:
acquiring N training sample message subsets in a training sample message set, wherein each training sample message subset comprises M1 sample attack messages in one first sample attack message subset, M1 sample attack messages corresponding to one second sample attack message subset and an acquired normal message subset, and the sample attack messages in the first sample attack message subset and the second sample attack message subset belong to the same attack type;
for N training discrimination submodels included in the first training discrimination model, repeatedly executing the following steps until training is finished, wherein in the following steps, one training discrimination submodel is regarded as a current training discrimination submodel, a training sample message subset used for training the current training discrimination submodel in the N training sample message subsets is regarded as a current training sample message subset, sample attack messages in the first sample attack message subset and the second sample attack message subset in the current training sample message subset belong to a current attack type, and the current training discrimination submodel is used for determining whether an input message is an attack message of the current attack type:
acquiring a training sample message to be input from the current training sample message subset;
inputting the training sample message into the current training discrimination submodel to obtain a sample discrimination result output by the current training discrimination submodel, wherein the sample discrimination result is used for indicating whether the training sample message is an attack message of the current attack type;
determining the value of the current loss function of the current training discrimination sub-model according to the sample discrimination result and the actual discrimination result of the training sample message, wherein the actual discrimination result is used for indicating whether the training sample message is actually an attack message of the current attack type;
under the condition that the value of the current loss function does not meet the current loss condition, adjusting parameters in the current training discrimination submodel and the training generation model, or adjusting parameters in the current training discrimination submodel;
and under the condition that the value of the current loss function meets the current loss condition, ending the training of the current training discrimination sub-model, wherein one corresponding target discrimination sub-model in the first target discrimination model is the current training discrimination sub-model when the training is ended, and the corresponding target discrimination sub-model is used for determining whether the input message is the attack message of the current attack type.
Optionally, the apparatus is further configured to:
training a second training discrimination model by using a sample attack message subset in the first sample attack message set to obtain a third training discrimination model, wherein the third training discrimination model is used for determining whether a message input into the third training discrimination model is an attack message;
initializing the first training discrimination model to the third training discrimination model.
Optionally, the apparatus is further configured to:
and training a training long-short term memory model by using the first sample attack message set and a third sample attack message set to obtain the target long-short term memory model, wherein the third sample attack message set comprises attack messages generated by a target generation model according to the sample attack messages in the first sample attack message set, the target generation model is a generation model obtained by training the training generation model, and the second sample attack message set comprises attack messages generated by the training generation model according to the sample attack messages in the first sample attack message set.
Optionally, the apparatus is further configured to train a training long-short term memory model by using the first sample attack packet set and the third sample attack packet set in the following manner, so as to obtain the target long-short term memory model:
under the condition that the first sample attack message set comprises P first sample attack message subsets, the third sample attack message set comprises P third sample attack message subsets, the P first sample attack message subsets and the P third sample attack message subsets have a one-to-one correspondence, and the sample attack messages in a corresponding first sample attack message subset and third sample attack message subset belong to the same attack type, the first sample attack message set and the third sample attack message set are used for training a training long short-term memory model to obtain the target long short-term memory model, wherein the target long short-term memory model is used for determining the probability that an input message belongs to each of the P attack types, the P attack types, the P first sample attack message subsets and the P third sample attack message subsets have a one-to-one correspondence, and P is a natural number.
Optionally, the apparatus is further configured to train a training long-short term memory model by using the first sample attack packet set and the third sample attack packet set in the following manner, so as to obtain the target long-short term memory model:
the following steps are repeatedly executed until the training is finished:
acquiring training sample messages to be input from the first sample attack message set and the third sample attack message set;
inputting the training sample message into the training long-short term memory model to obtain a sample discrimination result output by the training long-short term memory model, wherein the sample discrimination result is used for representing the probability that the training sample message belongs to each attack type in N attack types;
determining a value of a second loss function of the training long short-term memory model according to the sample discrimination result and an actual discrimination result of the training sample message, wherein the actual discrimination result is used for indicating whether the training sample message is an attack message and, when it is an attack message, the attack type to which it belongs;
adjusting parameters in the training long-short term memory model under the condition that the value of the second loss function does not meet a preset second loss condition;
and under the condition that the value of the second loss function meets the second loss condition, ending the training of the training long-short term memory model, wherein the target long-short term memory model is the training long-short term memory model when the training is ended.
Optionally, the apparatus is further configured to input the first target packet into a target long-short term memory model to obtain a second target discrimination result output by the target long-short term memory model, where:
inputting the first target message into the target long-short term memory model to obtain a second target discrimination result output by the target long-short term memory model, wherein the second target discrimination result is used for indicating whether the first target message is an attack message or not and indicating the attack type of the first target message under the condition that the first target message is the attack message;
the target long-short term memory model is obtained by training a training long-short term memory model by using the first sample attack packet set and the third sample attack packet set, the first sample attack packet set comprises N first sample attack packet subsets, the third sample attack packet set comprises N third sample attack packet subsets, the N first sample attack packet subsets, the N third sample attack packet subsets and the N attack types have a one-to-one correspondence relationship, one first sample attack packet subset and one sample attack packet in the third sample attack packet subset which have the correspondence relationship belong to the same attack type, and N is a natural number greater than 1.
According to still another aspect of the embodiments of the present invention, there is also provided a computer-readable storage medium, in which a computer program is stored, where the computer program is configured to execute the above network attack detection method when running.
According to another aspect of the embodiments of the present invention, there is also provided an electronic device, including a memory and a processor, where the memory stores a computer program, and the processor is configured to execute the method for detecting a network attack through the computer program.
In the embodiment of the invention, a captured first target message is obtained and input into a first target discrimination model, and a first target discrimination result output by the first target discrimination model is obtained, wherein the first target discrimination result indicates whether the first target message is an attack message, the first target discrimination model is obtained by training a first training discrimination model using a first sample attack message set and a second sample attack message set, the first sample attack message set comprises a captured group of sample attack messages, and the second sample attack message set comprises attack messages generated according to the sample attack messages in the first sample attack message set; when the first target discrimination result indicates that the first target message is an attack message, the first target message is input into a target long short-term memory model to obtain a second target discrimination result output by that model. In other words, captured message data is input into a trained discrimination model and a trained long short-term memory model to determine whether the captured message is an attack message, which achieves the purpose of detecting network attacks. Judging the target message with the discrimination model and the long short-term memory model in combination means that a large amount of attack data can be generated on the basis of the discrimination model, enriching the types and quantity of attack messages, while the long short-term memory model mitigates the memory loss a discriminator suffers when attack events span a long period. This achieves the technical effect of improving the accuracy and efficiency of network attack detection, and thereby solves the technical problems of poor detection capability and low detection accuracy for network attacks in the related art.
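The two-stage flow summarised above (a discrimination model on every captured message, the second model only on messages the first flags) together with the disclosure's training loop (draw from a randomly ordered training sample set, compute the loss, adjust parameters until a loss condition is met), as an added example that is not part of the patent: both stages are stand-in linear softmax classifiers on byte-histogram features rather than the patent's discriminator and LSTM, augment() is a noise-based stand-in for its generator, and every message and attack type below is constructed.

```python
"""Two-stage attack-message detector in the shape the disclosure describes:
stage 1 (normal / attack) runs on every captured message; stage 2 (one
probability per attack type) runs only on messages stage 1 flags.  Both
stages are linear softmax stand-ins, not the patent's models; all data is
constructed."""
import math
import random

N_BUCKETS = 8                                    # 8 buckets of 32 byte values
TYPES = ["normal", "high-byte", "control-char"]  # index 0 = not an attack


def features(msg: bytes) -> list:
    """Normalised byte-value histogram plus a constant bias input."""
    h = [0.0] * N_BUCKETS
    for b in msg:
        h[b // 32] += 1.0
    n = float(len(msg)) or 1.0
    return [v / n for v in h] + [1.0]


class Softmax:
    """k-way linear classifier; step() is one SGD update on cross-entropy."""

    def __init__(self, k: int, rng: random.Random):
        self.w = [[rng.uniform(-0.1, 0.1) for _ in range(N_BUCKETS + 1)]
                  for _ in range(k)]

    def probs(self, x: list) -> list:
        z = [sum(wi * xi for wi, xi in zip(row, x)) for row in self.w]
        m = max(z)
        e = [math.exp(v - m) for v in z]
        s = sum(e)
        return [v / s for v in e]

    def step(self, x: list, y: int, lr: float) -> float:
        p = self.probs(x)
        for k, row in enumerate(self.w):
            g = p[k] - (1.0 if k == y else 0.0)       # d(loss)/d(logit_k)
            for j, xj in enumerate(x):
                row[j] -= lr * g * xj
        return -math.log(p[y] + 1e-12)


def train(model, samples, loss_limit, rng, lr=0.5, max_epochs=500):
    """Disclosure-style loop: randomly order the training sample set, feed
    each message, compute the loss and adjust parameters; stop once the
    mean loss meets the loss condition (or give up after max_epochs)."""
    samples = list(samples)
    epoch, loss = 0, float("inf")
    while epoch < max_epochs and loss > loss_limit:
        epoch += 1
        rng.shuffle(samples)
        loss = sum(model.step(features(m), y, lr) for m, y in samples) / len(samples)
    return epoch, loss


def augment(msg: bytes, rng: random.Random, frac: float = 0.1) -> bytes:
    """Crude stand-in for the generator: a captured attack plus random noise."""
    out = bytearray(msg)
    for i in rng.sample(range(len(out)), max(1, int(frac * len(out)))):
        out[i] = rng.randrange(256)
    return bytes(out)


def constructed_samples(rng: random.Random, per_class: int = 30) -> list:
    """(message, type index) pairs; constructed traffic shapes, not captures."""
    text = b"GET /index.html HTTP/1.1 Host: example.test Accept: */*"
    normal = [bytes(rng.choice(text) for _ in range(64)) for _ in range(per_class)]
    high = [bytes(rng.randrange(0x80, 0x100) for _ in range(64)) for _ in range(per_class)]
    ctrl = [bytes(rng.randrange(0x00, 0x20) for _ in range(64)) for _ in range(per_class)]
    captured = [(m, 1) for m in high] + [(m, 2) for m in ctrl]   # "first set"
    generated = [(augment(m, rng), t) for m, t in captured]      # "second set"
    return [(m, 0) for m in normal] + captured + generated


class Detector:
    def __init__(self, stage1: Softmax, stage2: Softmax):
        self.stage1, self.stage2 = stage1, stage2

    def detect(self, msg: bytes) -> dict:
        """Stage 2 is consulted only when stage 1 says 'attack'; like the
        second discrimination result, it may still decide 'normal'."""
        x = features(msg)
        p_attack = self.stage1.probs(x)[1]
        if p_attack < 0.5:
            return {"attack": False, "type": None, "p_attack": p_attack}
        p = self.stage2.probs(x)
        k = max(range(len(p)), key=p.__getitem__)
        return {"attack": k != 0, "type": TYPES[k] if k else None,
                "p_attack": p_attack, "p_type": p}


def build_detector(seed: int = 7, loss_limit: float = 0.15):
    """Train both stages on the constructed set; returns (detector, stats)."""
    rng = random.Random(seed)
    samples = constructed_samples(rng)
    stage1 = Softmax(2, rng)
    e1, l1 = train(stage1, [(m, int(t != 0)) for m, t in samples], loss_limit, rng)
    stage2 = Softmax(len(TYPES), rng)
    e2, l2 = train(stage2, samples, loss_limit, rng)
    return Detector(stage1, stage2), {"stage1": (e1, l1), "stage2": (e2, l2)}
```

build_detector() trains both stages and returns the epochs and final mean loss of each; detect() on a message returns the staged decision, including the per-type probabilities when the second stage was reached.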
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
fig. 1 is a schematic diagram of an application environment of an alternative network attack detection method according to an embodiment of the present invention;
FIG. 2 is a diagram illustrating an alternative network attack detection method according to an embodiment of the present invention;
FIG. 3 is a diagram illustrating an alternative network attack detection method according to an embodiment of the present invention;
FIG. 4 is a diagram illustrating an alternative network attack detection method according to an embodiment of the present invention;
FIG. 5 is a diagram illustrating an alternative network attack detection method according to an embodiment of the present invention;
FIG. 6 is a diagram illustrating an alternative network attack detection method according to an embodiment of the present invention;
FIG. 7 is a diagram illustrating an alternative method for detecting a network attack according to an embodiment of the present invention;
FIG. 8 is a diagram illustrating an alternative method for detecting a network attack according to an embodiment of the present invention;
FIG. 9 is a diagram illustrating an alternative method for detecting a network attack according to an embodiment of the present invention;
FIG. 10 is a diagram illustrating an alternative method for detecting a network attack according to an embodiment of the present invention;
fig. 11 is a schematic structural diagram of an alternative network attack detection apparatus according to an embodiment of the present invention;
fig. 12 is a schematic structural diagram of an alternative electronic device according to an embodiment of the invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
First, some of the nouns and terms appearing in the description of the embodiments of the present application are explained as follows:
cloud technology refers to a hosting technology for unifying serial resources such as hardware, software, network and the like in a wide area network or a local area network to realize calculation, storage, processing and sharing of data.
Cloud technology (Cloud technology) is based on a general term of network technology, information technology, integration technology, management platform technology, application technology and the like applied in a Cloud computing business model, can form a resource pool, is used as required, and is flexible and convenient. Cloud computing technology will become an important support. Background services of the technical network system require a large amount of computing and storage resources, such as video websites, picture-like websites and more web portals. With the high development and application of the internet industry, each article may have its own identification mark and needs to be transmitted to a background system for logic processing, data in different levels are processed separately, and various industrial data need strong system background support and can only be realized through cloud computing.
Cloud computing is a computing model that distributes computing tasks over a resource pool formed by a large number of computers, enabling various application systems to obtain computing power, storage space and information services as needed. The network that provides the resources is called the "cloud". To the user, the resources in the "cloud" appear infinitely expandable and available at any time: they are used on demand, expanded at any time, and paid for on demand.
As a basic capability provider of cloud computing, a cloud computing resource pool (called an IaaS (Infrastructure as a Service) platform for short) is established, and multiple types of virtual resources are deployed in the resource pool for external clients to select and use.
According to the division of logical functions, a PaaS (Platform as a Service) layer can be deployed on the IaaS (Infrastructure as a Service) layer, a SaaS (Software as a Service) layer can be deployed on the PaaS layer, and SaaS can also be deployed directly on IaaS. PaaS is the platform on which software runs, such as a database or a web container. SaaS is the various kinds of business software, such as web portals, SMS services and mass texting. Generally speaking, SaaS and PaaS are upper layers relative to IaaS.
Cloud computing refers to a delivery and use mode of IT infrastructure, namely obtaining required resources through a network in an on-demand and easily extensible manner; cloud computing in the broad sense refers to a delivery and use mode of services, namely obtaining required services through a network in an on-demand and easily extensible manner. Such services may be IT and software services, internet-related services, or other services. Cloud computing is a product of the development and fusion of traditional computer and network technologies, such as Grid Computing, Distributed Computing, Parallel Computing, Utility Computing, Network Storage Technologies, Virtualization, Load Balance, and the like.
With the diversified development of the internet, real-time data streams and connected devices, and the rising demand for search services, social networks, mobile commerce, open collaboration and the like, cloud computing has developed rapidly. Unlike earlier parallel distributed computing, the emergence of cloud computing will conceptually drive revolutionary changes in the whole internet model and the enterprise management model.
Cloud Security is a general term for security software, hardware, users, organizations and secure cloud platforms based on cloud computing business model applications. Cloud security integrates emerging technologies and concepts such as parallel processing, grid computing and unknown virus behavior judgment: abnormal monitoring of software behavior in the network is achieved through a large number of meshed clients, the latest information on trojans and malicious programs in the internet is obtained and sent to the server for automatic analysis and processing, and the virus and trojan solution is then distributed to each client.
The main research directions of cloud security include: 1. cloud computing security, which mainly studies how to guarantee the security of the cloud and of the various applications on it, including the security of the cloud computer system, the secure storage and isolation of user data, user access authentication, information transmission security, network attack protection, compliance audit and the like; 2. cloud-based security infrastructure, which mainly studies how to use cloud computing to build and integrate security infrastructure resources and optimize security protection mechanisms, including building very large-scale security event and information acquisition and processing platforms through cloud computing technology, realizing the acquisition and correlation analysis of massive information, and improving the whole network's security event handling and risk control capability; 3. cloud security services, which mainly study the various security services, such as anti-virus services, provided to users on the basis of a cloud computing platform.
The invention is illustrated below with reference to examples:
According to an aspect of the embodiments of the present invention, a method for detecting a network attack is provided. Optionally, in this embodiment, the method may be applied to a hardware environment formed by a server 101 and a user terminal 103 as shown in fig. 1. As shown in fig. 1, the server 101 is connected to the terminal 103 through a network and may be configured to provide a service to the user terminal or to a client installed on the user terminal, where the client may be a video client, an instant messaging client, a browser client, an education client, a game client, and the like, and may further include, but is not limited to, various nodes in blockchain technology. A database 105 may be provided on the server or separately from it, to provide data storage services (e.g. sample data storage) to the server 101. The network may include, but is not limited to, a wired network or a wireless network, where the wired network includes a local area network, a metropolitan area network and a wide area network, and the wireless network includes Bluetooth, WIFI and other networks implementing wireless communication. The user terminal 103 may be a terminal configured with a network attack detection application, and may include, but is not limited to, at least one of the following: a mobile phone (such as an Android mobile phone, an iOS mobile phone, etc.), a notebook computer, a tablet computer, a palm computer, an MID (Mobile Internet Device), a PAD, a desktop computer, a smart television, etc. The server may be a single server, a server cluster composed of a plurality of servers, or a cloud server, and may include, but is not limited to, a router or a gateway. The network attack detection application 107 using the detection method may include, but is not limited to, displaying through the user terminal 103 or through a display connected with the server 101, and the detection method may be executed through an entrance of the application 107 configured on the terminal or the server for detecting the network attack.
As shown in fig. 1, the method for detecting a network attack may be implemented in the server 101 by the following steps:
s1, acquiring the captured first target message in the application 107 configured on the server 101;
s2, inputting a first target packet into a first target discrimination model in an application 107 configured on a server 101, to obtain a first target discrimination result output by the first target discrimination model, where the first target discrimination result is used to indicate whether the first target packet is an attack packet, the first target discrimination model is a model obtained by training a first training discrimination model using a first sample attack packet set and a second sample attack packet set, the first sample attack packet set includes a captured group of sample attack packets, and the second sample attack packet set includes attack packets generated according to the sample attack packets in the first sample attack packet set;
s3, when the first target discrimination result indicates that the first target packet is an attack packet in the application 107 configured on the server 101, the first target packet is input to the target long-short term memory model to obtain a second target discrimination result output by the target long-short term memory model, where the second target discrimination result is used to indicate whether the first target packet is an attack packet.
Optionally, in this embodiment, the network attack detection may also be performed by a client configured on the user terminal, and the allocation may be flexibly adjusted according to the computing capability of the user terminal or the server.
Alternatively, in this embodiment, the network attack detection may include, but is not limited to, asynchronous use by the user terminal 103 and the server 101. That is, the application 107 configured on the server 101 inputs the first target message into the first target discrimination model to obtain the first target discrimination result output by that model, and when the result indicates that the first target message is an attack message, the first target message is input into the target long-short term memory model on the user terminal 103 to obtain the second target discrimination result; or, the application 107 configured on the user terminal 103 inputs the first target message into the first target discrimination model to obtain the first target discrimination result, and when the result indicates that the first target message is an attack message, the first target message is input into the target long-short term memory model on the server 101 to obtain the second target discrimination result output by the target long-short term memory model.
The above is merely an example, and the present embodiment is not particularly limited.
Optionally, as an optional implementation manner, as shown in fig. 2, the method for detecting a network attack includes:
s202, acquiring a captured first target message;
s204, inputting the first target message into a first target discrimination model to obtain a first target discrimination result output by the first target discrimination model, wherein the first target discrimination result is used for indicating whether the first target message is an attack message or not, the first target discrimination model is a model obtained by training a first training discrimination model by using a first sample attack message set and a second sample attack message set, the first sample attack message set comprises a group of captured sample attack messages, and the second sample attack message set comprises attack messages generated according to the sample attack messages in the first sample attack message set;
and S206, under the condition that the first target judgment result shows that the first target message is an attack message, inputting the first target message into the target long-short term memory model to obtain a second target judgment result output by the target long-short term memory model, wherein the second target judgment result is used for showing whether the first target message is the attack message or not.
Optionally, in this embodiment, the network attack detection method may be applied, but is not limited, to application scenarios that require network attack protection or detection, for example the detection of APT attacks, DDoS attacks, trojan attacks and the like, and may be applied to security schemes including, but not limited to, antivirus software, firewalls, IPS and the like, or other current or future security schemes for performing network attack detection.
The above is merely an example, and the present embodiment is not limited in any way.
Optionally, in this embodiment, the first target message may include, but is not limited to, a message sent to the system after a mobile device such as a smart phone, a tablet computer or a USB device is connected, and may also include, but is not limited to, a message generated by a file in one of multiple formats such as an email, a link, a program or a document.
Optionally, in this embodiment, the first target discrimination model may include, but is not limited to, the discriminator of a GAN (Generative Adversarial Network) deep learning model, and may further include, but is not limited to, a discrimination model improved on the basis of that GAN discriminator.
Optionally, in this embodiment, an output of the first target discrimination model is a first target discrimination result, and is used to identify whether the first target packet is an attack packet. The first sample attack packet set includes a group of captured and labeled sample attack packets, for example, a group of sample attack packets obtained through a security scheme such as a firewall, anti-virus software, and IPS, and the second sample attack packet set includes attack packets generated according to the sample attack packets in the first sample attack packet set, for example, attack packets generated by adding random noise to the sample attack packets.
The above is merely an example, and the present embodiment is not limited in any way.
Optionally, in this embodiment, the target long-short term memory model is used for processing and predicting time sequences with long intervals and long delays, and may be obtained, for example but not limited to, by training a training long-short term memory model using the first sample attack messages and second sample attack messages that the target discrimination model cannot distinguish.
Optionally, in this embodiment, the second target determination result is used to indicate whether the first target packet is an attack packet, and may include, but is not limited to, outputting binary characters, where 0 indicates that the first target packet is not an attack packet, and 1 indicates that the first target packet is an attack packet.
Fig. 3 is a schematic diagram of an alternative network attack detection method according to an embodiment of the present invention, and as shown in fig. 3, the flow includes, but is not limited to, the following steps:
s1, capturing network messages;
s2, inputting the captured network message into the trained detection model (corresponding to the target discrimination model and the target long-short term memory model);
S3, obtaining a detection result (corresponding to the first target discrimination result and the second target discrimination result) based on the output of the detection model.
Optionally, in this embodiment, a large number of sample attack messages can be obtained on the basis of the second sample set, which solves the problem that captured sample attack messages are fixed in form and insufficient in number and so improves the discrimination accuracy of the target discrimination model and reduces its false alarm rate. At the same time, when the output of the target discrimination model indicates that the first target message is an attack message, the message is further processed by the LSTM, which solves the problem of low accuracy caused by the large time span of attack messages and preserves the feature memory of longer time sequences, so that the detection accuracy for network attacks of longer duration is further improved and their false alarm rate reduced.
In this embodiment, a captured first target message is acquired and input into the first target discrimination model to obtain a first target discrimination result indicating whether the first target message is an attack message, where the first target discrimination model is obtained by training the first training discrimination model with a first sample attack message set (a captured group of sample attack messages) and a second sample attack message set (attack messages generated from the sample attack messages in the first set); when the first target discrimination result indicates that the first target message is an attack message, the first target message is input into the target long-short term memory model to obtain a second target discrimination result. In other words, captured message data is input into a trained discrimination model and a long-short term memory model to determine whether the captured message is an attack message, which achieves security detection of network attacks. Discriminating the target message with the combination of the discrimination model and the long-short term memory model, generating a large amount of attack data on the basis of the discrimination model to enrich the types and number of attack messages, and using the long-short term memory model to remedy the memory loss of the discriminator caused by the large span of attack events, achieves the technical effect of improving the detection accuracy and efficiency of network attacks, and thus solves the technical problems of poor detection capability and low detection accuracy of network attacks in the related art.
As an optional solution, the method further comprises: and training the first training discrimination model by using the first sample attack packet set and the second sample attack packet set to obtain the first target discrimination model.
Optionally, in this embodiment, the method may include, but is not limited to, training a first training discriminant model by using the first sample attack packet set, the second sample attack packet set, and the labeled non-attack packet, so as to obtain the first target discriminant model.
Optionally, in this embodiment, the training of the first training discrimination model by using the first sample attack packet set and the second sample attack packet set to obtain the first target discrimination model may include, but is not limited to, randomly inputting the first sample attack packet, the second sample attack packet generated after random noise is added to the first sample attack packet, and the normal packet into the first training discrimination model in a disordering order to adjust parameters in the first training discrimination model, thereby implementing training of the first training discrimination model to obtain the first target discrimination model.
According to the embodiment, the first training discrimination model is trained by using the first sample attack message set and the second sample attack message set to obtain the first target discrimination model, so that the purpose of realizing security detection on the network attack is achieved, the technical effects of improving the detection accuracy and efficiency of the network attack are achieved, and the technical problems of poor detection capability and low detection accuracy of the network attack in the related technology are solved.
As an optional scheme, the training the first training discriminant model by using the first sample attack packet set and the second sample attack packet set to obtain the first target discriminant model includes:
repeatedly executing the following steps until the first target discrimination model is obtained:
s1, sequentially inputting M sample attack messages in the first sample attack message set and M sample random noises in the sample random noise set to a training generation model, to obtain M sample attack messages sequentially generated by the training generation model, where the second sample attack message set includes the M sample attack messages sequentially generated by the training generation model, each input item to the training generation model includes one sample attack message and one sample random noise, the training generation model is configured to generate, each time, from the input sample random noise an attack message matched with the input sample attack message, and M is a natural number;
s2, training the first training discrimination model by using M sample attack messages in the first sample attack message set and M sample attack messages sequentially generated by the training generation model.
Optionally, in this embodiment, the sample random noise may include, but is not limited to, noise preset by the system or the server, and may also include, but is not limited to, noise produced by the accumulation of a large number of random fluctuations over time, whose value cannot be predicted at any given moment; specifically, it may include, but is not limited to, Gaussian noise.
Optionally, in this embodiment, the sequentially inputting the M sample attack packets in the first sample attack packet set and the M sample random noise in the sample random noise set to the training generation model may include, but is not limited to, inputting one sample attack packet and one sample random noise to the training generation model to obtain one sample attack packet.
Optionally, in this embodiment, the generating of the attack packet matching with the input one sample attack packet according to the input one sample random noise at a time may include, but is not limited to, making the one sample attack packet and the attack packet generated according to the sample random noise have a one-to-one correspondence relationship.
Optionally, in this embodiment, training the first training discrimination model to obtain the first target discrimination model may include, but is not limited to, determining that the training discrimination model has been trained when it can no longer distinguish an attack message generated from an input sample random noise from the corresponding sample attack message; the first target discrimination model is then obtained.
By the embodiment, the following steps are repeatedly executed until the first target discrimination model is obtained: a mode of inputting M sample attack messages in the first sample attack message set and M sample random noises in the sample random noise set into a training generation model in sequence to obtain M sample attack messages generated by the training generation model in sequence, training the first training discrimination model by using the M sample attack messages in the first sample attack message set and the M sample attack messages generated by the training generation model in sequence, so as to realize the training of the training discrimination model, obtain the first target discrimination model, and finally obtain the first target discrimination result based on the first target discrimination model, so as to complete the detection of the network attack, thereby realizing the technical effect of improving the detection accuracy and efficiency of the network attack, and the technical problems of poor detection capability and low detection accuracy of network attacks in the related technology are solved.
As an optional scheme, the training the first training discriminant model by using the M sample attack packets in the first sample attack packet set and the M sample attack packets sequentially generated by the training generation model includes:
s1, acquiring a training sample message set, wherein the training sample message set comprises M sample attack messages in the first sample attack message set, M sample attack messages sequentially generated by the training generation model and an acquired normal message set;
the following steps are repeatedly executed until the training is finished:
s2, acquiring a training sample message to be input from the training sample message set;
s3, inputting the training sample message into the first training discriminant model to obtain a sample discriminant result output by the first training discriminant model, wherein the sample discriminant result is used for indicating whether the training sample message is an attack message;
s4, determining the value of a first loss function of the first training discriminant model according to the sample discriminant result and the actual discriminant result of the training sample packet, wherein the actual discriminant result is used for indicating whether the training sample packet is actually an attack packet;
s5, when the value of the first loss function does not satisfy a preset first loss condition, adjusting parameters in the first training discriminant model and the training generation model, or adjusting parameters in the first training discriminant model;
s6, when the value of the first loss function satisfies the first loss condition, ending the training of the first training discriminant model, wherein the first target discriminant model is the first training discriminant model at the end of the training.
Optionally, in this embodiment, the normal packet may include, but is not limited to, a group of word vectors of the participles in the normal network packet, and is mixed with the first sample attack packet and the second sample attack packet and then input into the first training discriminant model, where the packet in the normal packet set is a labeled non-attack packet, and a technical effect of enriching the sample set can be achieved by obtaining the normal packet set.
The above is merely an example, and the present embodiment is not limited in any way.
Optionally, in this embodiment, the sample discrimination result is an output result of the first training discrimination model, and the actual discrimination result is obtained according to M sample attack messages in the first sample attack message set, M sample attack messages sequentially generated by a training generation model, and label information of the obtained normal message set.
For example, fig. 4 is a schematic diagram of another network attack detection method according to an embodiment of the present invention, as shown in fig. 4, the method includes, but is not limited to, the following:
acquiring M first sample attack messages, M second sample attack messages sequentially generated by the training generation model 402 after the M first sample attack messages are input to it, and a plurality of normal messages, where the label information of the sample attack messages is "attack message" and the label information of the normal messages is "non-attack message";
and randomly sorting the order in which the M first sample attack messages, the M second sample attack messages and the plurality of normal messages are input into the first training discriminant model, where the first sample attack messages are represented by A messages, the second sample attack messages by B messages and the normal messages by C messages, and the randomly sorted order may include, but is not limited to, C, B, A, A, C, B and the like.
Taking the input of an A or B message as an example: the A or B message is input into the first training discrimination model 404 and the sample discrimination result obtained is "non-attack message", while the label information of the A or B message is "attack message", that is, the actual discrimination result of the A or B message is "attack message";
it is then judged that the A or B message was discriminated incorrectly, that is, the value of the first loss function does not satisfy the preset first loss condition, so the parameters of the first training discriminant model and the training generation model, or of the first training discriminant model alone, are adjusted, and a message is input again.
After an A or B message is input into the first training discriminant model 404 again, the sample discrimination result obtained is "attack message", and the label information of the A or B message is "attack message", that is, the actual discrimination result of the A or B message is "attack message";
it can then be judged that the A or B message was discriminated correctly, that is, the value of the first loss function satisfies the preset first loss condition, and the training of the first training discriminant model is finished.
The above is a single-layer training pattern, and may actually include, but is not limited to, a multi-layer training pattern.
That is, as shown in fig. 4, a probability value of the first training discriminant model discriminating correctly or incorrectly is obtained, where the probability value may include, but is not limited to, the value of the first loss function; when the probability value converges, that is, when the value of the first loss function satisfies the first loss condition, the training of the first training discriminant model ends, and when the value of the first loss function does not satisfy the first loss condition, the parameters of the first training discriminant model and the training generation model, or of the first training discriminant model alone, are adjusted and a message is input again.
And ending the training of the first training discriminant model to obtain the first target discriminant model when the probability is greater than a predetermined threshold.
Optionally, in the present embodiment, the loss function may include, but is not limited to, a 0-1 loss function, an absolute value loss function, a logarithmic loss function, a square loss function, an exponential loss function, a Hinge loss function, a cross-entropy loss function, and the like.
By the embodiment, the diversity of the samples can be increased based on the training generation model, the discrimination of the attack message is realized based on the training discrimination model, and finally, the technical effects of improving the detection accuracy and efficiency of the network attack are realized, so that the technical problems of poor detection capability and low detection accuracy of the network attack in the related technology are solved.
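The training loop of S1 to S6 and the A/B/C shuffling of fig. 4, as an added example that is not part of the patent or of any implementation by its assignee: a pure-Python stand-in for the first training discrimination model (a logistic-regression classifier over fixed-length message vectors) is trained on captured attack messages (A), attack messages generated by adding Gaussian noise to them (B) and labelled normal messages (C), and training stops once the mean cross-entropy, standing in for the first loss condition, falls below a threshold. The message vectors, the noise scale, the loss threshold and the learning rate are constructed for the demonstration; the patent's training generation model is a learned generator, which the noise-addition step here only approximates.

```python
import math
import random

# Added example, not the patent's code. Messages are fixed-length word-vectors
# (the patent represents normal messages as word vectors of their segments).
# All vectors, sigma values and thresholds below are constructed for the demo.

def add_gaussian_noise(vec, sigma, rng):
    """Generator stand-in: one sample message + one noise draw -> one
    generated attack message matched to the input sample (the B set)."""
    return [x + rng.gauss(0.0, sigma) for x in vec]

def build_training_set(first_set, generated_set, normal_set, rng):
    """Label A and B as attack (1), C as normal (0), then shuffle the input
    order so the discriminator sees e.g. C, B, A, A, C, B ..."""
    labelled = ([(v, 1, "A") for v in first_set]
                + [(v, 1, "B") for v in generated_set]
                + [(v, 0, "C") for v in normal_set])
    rng.shuffle(labelled)
    return labelled

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def predict_proba(model, vec):
    w, b = model
    return sigmoid(sum(wi * xi for wi, xi in zip(w, vec)) + b)

def discriminate(model, vec):
    """Discrimination result: 1 = attack message, 0 = not an attack message."""
    return 1 if predict_proba(model, vec) >= 0.5 else 0

def cross_entropy(model, labelled):
    """First loss function: mean binary cross-entropy over the sample set."""
    eps = 1e-12
    total = 0.0
    for vec, y, _ in labelled:
        p = min(max(predict_proba(model, vec), eps), 1.0 - eps)
        total -= y * math.log(p) + (1 - y) * math.log(1.0 - p)
    return total / len(labelled)

def train_discriminator(labelled, dim, loss_threshold=0.1, lr=0.5, max_epochs=200):
    """S2-S6: input each sample, compare with its label, adjust parameters
    while the loss condition is unmet, and stop as soon as it is met."""
    w, b = [0.0] * dim, 0.0
    loss, epoch = float("inf"), 0
    for epoch in range(1, max_epochs + 1):
        for vec, y, _ in labelled:
            grad = predict_proba((w, b), vec) - y      # d(loss)/d(logit)
            w = [wi - lr * grad * xi for wi, xi in zip(w, vec)]
            b -= lr * grad
        loss = cross_entropy((w, b), labelled)
        if loss <= loss_threshold:                     # first loss condition met
            break
    return (w, b), epoch, loss

def run_demo(seed=7, m=5, sigma=0.1):
    """Constructed data: attack vectors near one centre, normal near another."""
    rng = random.Random(seed)
    attack_centre = [1.0, 0.2, 0.8, 0.1]
    normal_centre = [0.1, 0.9, 0.2, 0.7]
    first_set = [add_gaussian_noise(attack_centre, 0.05, rng) for _ in range(m)]  # A
    generated = [add_gaussian_noise(a, sigma, rng) for a in first_set]            # B
    normal_set = [add_gaussian_noise(normal_centre, 0.05, rng) for _ in range(8)]  # C
    labelled = build_training_set(first_set, generated, normal_set, rng)
    model, epochs, loss = train_discriminator(labelled, dim=4)
    # held-out messages drawn the same way, never seen during training
    held_attack = add_gaussian_noise(attack_centre, sigma, rng)
    held_normal = add_gaussian_noise(normal_centre, 0.05, rng)
    return {
        "epochs": epochs,
        "loss": loss,
        "attack_result": discriminate(model, held_attack),
        "normal_result": discriminate(model, held_normal),
        "counts": {tag: sum(1 for _, _, t in labelled if t == tag) for tag in "ABC"},
    }

if __name__ == "__main__":
    print(run_demo())
```

The point to observe is the stopping rule: training ends at the first epoch whose loss satisfies the condition rather than after a fixed number of epochs, and `max_epochs` only bounds how long a non-converging run may continue. On real traffic the vector would come from the message's token embeddings and the discriminator would be the GAN discriminator the patent names; the loop structure is the same.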
As an optional scheme, the obtaining of the training sample packet set includes:
and randomly sequencing the M sample attack messages in the first sample attack message set, the M sample attack messages sequentially generated by the training generation model and the normal message set to obtain the training sample message set.
Optionally, in this embodiment, the random ordering manner may be any random ordering manner, or a random ordering manner configured according to the number or message type of the sample attack messages in the first sample attack message set, the sample attack messages in the second sample attack message set, and the normal messages.
As an optional scheme, the sequentially inputting the M sample attack packets in the first sample attack packet set and the M sample random noise in the sample random noise set into a training generation model to obtain the M sample attack packets sequentially generated by the training generation model includes:
under the condition that the first sample attack message set comprises N first sample attack message subsets and each first sample attack message subset comprises a sample attack message of the same attack type, executing the following steps for each first sample attack message subset, wherein N is a natural number larger than 1, and executing the following steps, wherein each first sample attack message subset is regarded as a current sample attack message subset, and the sample attack messages in the current sample attack message subset belong to the current attack type:
sequentially inputting M1 sample attack messages in the first sample attack message subset and M1 sample random noises in the sample random noise set to a current training generation submodel corresponding to the current attack type to obtain M1 sample attack messages sequentially generated by the current training generation submodel, wherein the training generation model comprises N training generation submodels, the second sample attack message set comprises N second attack message subsets, the second attack message subset corresponding to the current attack type in the second sample attack message set comprises M1 sample attack messages sequentially generated by the current training generation submodel, an input item input to the current training generation submodel each time comprises a sample attack message and a sample random noise, and the current training generation submodel is used for generating the sample attack message input according to the sample random noise each time The attack message is matched and the type is the attack message of the current attack type, M1 is a natural number, and M1 is less than or equal to M.
Optionally, in this embodiment, each first sample attack packet subset holds sample attack packets of one attack type. The attack type may include, but is not limited to, trojan call-back, phishing e-mail triggering, buffer overflow attack, Web exploit attack and the like; these are only examples and this embodiment is not limited in any way.
Optionally, in this embodiment, the M1 sample attack packets in the first sample attack packet subset, and the M1 sample attack packets obtained by inputting them together with M1 sample random noises into the current training generation submodel, all carry labeling information. The labeling information records whether the packet is an attack packet and, if it is, the attack type to which it belongs.
In other words, in this embodiment, the sample attack packets of each attack type are input to their own training generation submodel, so that second sample attack packets of the same attack type are obtained.
In this embodiment, first sample attack packets of different types are passed through the training generation submodel corresponding to their attack type, yielding second sample attack packets of that attack type. The subsequent target discrimination model can therefore not only judge whether an input packet is an attack packet but also, when it is, judge its attack type. This improves the accuracy and efficiency of network attack detection and addresses the poor detection capability and low detection accuracy of the related art.
As an optional scheme, training the first training discrimination model with the M sample attack packets in the first sample attack packet set and the M sample attack packets sequentially generated by the training generation model includes:
S1, acquiring N training sample packet subsets of a training sample packet set, where each training sample packet subset comprises the M1 sample attack packets of one first sample attack packet subset, the M1 sample attack packets of the corresponding second sample attack packet subset, and an acquired normal packet subset; the sample attack packets in that first subset and that second subset belong to the same attack type;
S2, for the N training discrimination submodels included in the first training discrimination model, repeatedly executing the following steps until training is complete. In these steps one training discrimination submodel is regarded as the current training discrimination submodel, the training sample packet subset used to train it is regarded as the current training sample packet subset, the sample attack packets of the first and second subsets in the current training sample packet subset belong to the current attack type, and the current training discrimination submodel is used to determine whether an input packet is an attack packet of the current attack type:
S3, acquiring a training sample packet to be input from the current training sample packet subset;
S4, inputting the training sample packet into the current training discrimination submodel to obtain the sample discrimination result it outputs, which indicates whether the training sample packet is an attack packet of the current attack type;
S5, determining the value of the current loss function of the current training discrimination submodel from the sample discrimination result and the actual discrimination result of the training sample packet, the actual discrimination result indicating whether the training sample packet really is an attack packet of the current attack type;
S6, when the value of the current loss function does not meet the current loss condition, adjusting the parameters of the current training discrimination submodel and of the training generation model, or only the parameters of the current training discrimination submodel;
S7, when the value of the current loss function meets the current loss condition, ending the training of the current training discrimination submodel; the corresponding target discrimination submodel in the first target discrimination model is the current training discrimination submodel as it is when training ends, and it is used to determine whether an input packet is an attack packet of the current attack type.
Optionally, in this embodiment, the packets in the normal packet set are labeled as non-attack packets. The normal packet set may contain, for example, M1 packets; acquiring it enriches the sample set.
Optionally, in this embodiment, the sample discrimination result is the output of the current training discrimination submodel, and the actual discrimination result is taken from the labeling information of the M1 sample attack packets in the current sample attack packet subset, the M1 sample attack packets sequentially generated by the current training generation submodel, and the acquired normal packet set.
For example, fig. 5 is a schematic diagram of another network attack detection method according to an embodiment of the present invention. As shown in fig. 5, the method includes, but is not limited to, the following:
obtaining M1 current sample attack packets, the M1 sample attack packets of the corresponding second sample attack packet subset produced in sequence by the training generation model 502, and M2 normal packets; the labeling information of each sample attack packet is "attack packet" plus its attack type, and the labeling information of each normal packet is "non-attack packet";
inputting the M1 current sample attack packets, the M1 sample attack packets of the second sample attack packet subset and the M2 normal packets into the current training discrimination submodel, where the current sample attack packets are denoted A packets, the sample attack packets of the second subset B packets, and the normal packets C packets.
Taking an A or B packet as an example: it is input into the current training discrimination submodel 504, and suppose the sample discrimination result is "non-attack packet", whereas the labeling information of the A or B packet is "attack packet", that is, its actual discrimination result is "attack packet".
The A or B packet has therefore been discriminated incorrectly, meaning the value of the current loss function does not meet the preset current loss condition; the parameters of the current training discrimination submodel and the training generation model (or only those of the submodel) are adjusted and the packet is input again.
When, after the A or B packet is input into the current training discrimination submodel 504 again, the sample discrimination result is "attack packet", matching the labeling information, and the attack type in the sample discrimination result is the first attack type, matching the actual attack type of the A or B packet, the packet has been discriminated correctly: the value of the current loss function meets the preset current loss condition and the training of the current training discrimination submodel ends.
The above is a simple training pattern; in practice more complex training patterns may be used.
That is, as shown in fig. 5, a probability value indicating whether the current training discrimination submodel discriminates correctly or incorrectly is obtained. This value may be, for example, the value of the current loss function. When the probability value has converged, i.e. the value of the current loss function meets the current loss condition, the training of the current training discrimination submodel ends; when it does not, the parameters of the current training discrimination submodel and the training generation model (or only those of the submodel) are adjusted and a packet is input again.
When the probability is greater than a preset threshold value, the training of the current training discrimination submodel finishes and the current target discrimination submodel is obtained.
Optionally, in this embodiment, the loss function may include, but is not limited to, the 0-1 loss, absolute value loss, logarithmic loss, square loss, exponential loss, Hinge loss, cross-entropy loss and the like.
In this embodiment, the training generation model increases the diversity of the samples and the training discrimination model discriminates attack packets; together they improve the accuracy and efficiency of network attack detection and address the poor detection capability and low detection accuracy of the related art.
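The discrimination submodel training loop above (steps S1 to S7, with the A, B and C packets of fig. 5) is illustrated by the following added example, which is not code from the patent. The training generation submodel is replaced by a stand-in that adds random noise to the original packets (the page itself describes generated samples this way), the discrimination submodel is a logistic-regression classifier over two constructed packet features, and the loss condition is a mean cross-entropy below a fixed threshold; the feature values, packet subsets, learning rate and threshold are all assumptions.

```python
"""Per-attack-type discrimination submodel training (steps S1-S7).

Added example, not code from the patent. The generation submodel is a
noise-adding stand-in, the discrimination submodel is logistic regression
over two constructed features, and all data below is constructed.
"""
import math
import random

# Constructed feature vectors: (payload entropy, normalised packet size).
# First sample attack packet subset of the current attack type (A packets).
FIRST_SUBSET = [(0.82, 0.91), (0.78, 0.88), (0.85, 0.95), (0.80, 0.90)]
# Normal packet subset (C packets), labeled non-attack.
NORMAL_SUBSET = [(0.21, 0.12), (0.18, 0.09), (0.25, 0.15), (0.20, 0.10)]


def generate_second_subset(first_subset, rng, sigma=0.03):
    """Stand-in for the training generation submodel (assumed): each
    generated packet matches one input packet plus random noise (B packets)."""
    return [tuple(v + rng.gauss(0.0, sigma) for v in pkt) for pkt in first_subset]


def build_training_subset(first_subset, second_subset, normal_subset):
    """S1: training sample subset = A + B (label 1, attack of the current
    type) + C (label 0). Returns a list of (features, actual result)."""
    samples = [(pkt, 1) for pkt in first_subset]
    samples += [(pkt, 1) for pkt in second_subset]
    samples += [(pkt, 0) for pkt in normal_subset]
    return samples


def sigmoid(z):
    # Numerically stable logistic function.
    return 1.0 / (1.0 + math.exp(-z)) if z >= 0 else math.exp(z) / (1.0 + math.exp(z))


def discriminate(params, pkt):
    """S4: sample discrimination result, i.e. the probability that pkt is
    an attack packet of the current attack type."""
    w, b = params
    return sigmoid(sum(wi * xi for wi, xi in zip(w, pkt)) + b)


def cross_entropy(samples, params):
    """S5: value of the current loss function (mean cross-entropy)."""
    eps = 1e-12
    total = 0.0
    for pkt, y in samples:
        p = min(max(discriminate(params, pkt), eps), 1 - eps)
        total += -(y * math.log(p) + (1 - y) * math.log(1 - p))
    return total / len(samples)


def train_submodel(samples, loss_condition=0.1, lr=0.5, max_epochs=5000):
    """S2-S7: repeat until the loss meets the loss condition (assumed
    threshold). Returns the target submodel parameters, the final loss and
    the number of epochs used."""
    dim = len(samples[0][0])
    w, b = [0.0] * dim, 0.0
    loss = cross_entropy(samples, (w, b))
    epochs = 0
    while loss > loss_condition and epochs < max_epochs:
        # S6: loss condition not met, adjust the submodel parameters by
        # one gradient-descent step on the mean cross-entropy.
        grad_w, grad_b = [0.0] * dim, 0.0
        for pkt, y in samples:
            err = discriminate((w, b), pkt) - y
            for i, xi in enumerate(pkt):
                grad_w[i] += err * xi / len(samples)
            grad_b += err / len(samples)
        w = [wi - lr * gi for wi, gi in zip(w, grad_w)]
        b -= lr * grad_b
        loss = cross_entropy(samples, (w, b))
        epochs += 1
    # S7: loss condition met, the current submodel becomes the target submodel.
    return {"params": (w, b), "loss": loss, "epochs": epochs}


def accuracy(model, samples, threshold=0.5):
    """Fraction of training packets whose discrimination matches the label."""
    correct = sum((discriminate(model["params"], pkt) >= threshold) == bool(y)
                  for pkt, y in samples)
    return correct / len(samples)


def run_demo():
    rng = random.Random(7)
    second = generate_second_subset(FIRST_SUBSET, rng)
    samples = build_training_subset(FIRST_SUBSET, second, NORMAL_SUBSET)
    return train_submodel(samples), samples


if __name__ == "__main__":
    model, samples = run_demo()
    print(f"epochs={model['epochs']} loss={model['loss']:.4f} "
          f"accuracy={accuracy(model, samples):.2f}")
```

One submodel like this is trained per attack type, each on its own subset; the normal packets are the shared negatives, so a packet of another attack type is not seen by this submodel at all, which is why the page keeps one submodel per type rather than one multi-class model.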
As an optional solution, the method further comprises:
training a second training discrimination model with a sample attack packet subset of the first sample attack packet set to obtain a third training discrimination model, which is used to determine whether a packet input to it is an attack packet;
initializing the first training discrimination model to the third training discrimination model.
Optionally, in this embodiment, the third training discrimination model is obtained by pre-training the second training discrimination model: the initial discrimination model is pre-trained with a small number of sample attack packets, giving a third training discrimination model that already has some discrimination capability. This speeds up the subsequent training of the discrimination model and so improves the efficiency of network attack detection.
As an optional solution, the method further comprises:
training a training long short-term memory model with the first sample attack packet set and a third sample attack packet set to obtain the target long short-term memory model. The third sample attack packet set comprises attack packets generated by the target generation model from the sample attack packets in the first sample attack packet set, where the target generation model is the generation model obtained by training the training generation model; the second sample attack packet set, by contrast, comprises attack packets generated by the training generation model from the sample attack packets in the first sample attack packet set.
Optionally, in this embodiment, the long short-term memory model may include, but is not limited to, an LSTM (Long Short-Term Memory network). An LSTM is composed of memory blocks called cells; a memory block is responsible for remembering things, and its memory is operated on through three main mechanisms, called gates: 1) the forget gate, which removes from the cell state information that the LSTM no longer needs or considers less important; 2) the input gate, which adds information to the cell state; 3) the output gate, which selects useful information from the current cell state and presents it as the output.
Optionally, in this embodiment, the input of the long short-term memory model is a sample attack packet from a first sample attack packet subset or from a third sample attack packet subset, and the output is the determination of whether the input packet is an attack packet and, if so, the attack type to which it belongs.
Optionally, in this embodiment, the third sample attack packets may include, but are not limited to, sample attack packets generated by the target generation model from the first sample attack packets, for example a sample attack packet produced by adding random noise to a first sample attack packet.
Optionally, in this embodiment, when the first target discrimination result output by the target discrimination model indicates that the first sample attack packet or the third sample attack packet is an attack packet, that packet is input into the training long short-term memory model; in this way the training long short-term memory model is trained into the target long short-term memory model.
For example, fig. 6 is a schematic diagram of another network attack detection method according to an embodiment of the present invention. As shown in fig. 6, the method may include, but is not limited to, the following steps:
S602, acquiring a first sample attack packet;
S604, inputting the first sample attack packet into G (the target generation model) 602, which adds random noise, to obtain a third sample attack packet;
S606, inputting the first sample attack packet or the third sample attack packet, chosen at random, into D (the target discrimination model) 604 and obtaining the discrimination result that the input packet is an attack packet;
S608, inputting the first sample attack packet or the third sample attack packet, chosen at random, into the LSTM training long short-term memory model 606;
S610, obtaining the output result of the LSTM training long short-term memory model 606;
S612, adjusting the parameters of the LSTM training long short-term memory model 606 when the output result indicates that the input first or third sample attack packet is not an attack packet, or when the probability that it is an attack packet of the target type does not reach the preset condition;
S614, when the output result indicates that the input first or third sample attack packet is an attack packet and the probability that it is an attack packet of the target type reaches the preset condition, executing step S616;
S616, ending.
In this embodiment the training long short-term memory model is trained with the first sample attack packet set and the third sample attack packet set to obtain the target long short-term memory model, which improves the accuracy and efficiency of network attack detection and addresses the poor detection capability and low detection accuracy of the related art.
As an optional scheme, training the training long short-term memory model with the first sample attack packet set and the third sample attack packet set to obtain the target long short-term memory model includes:
when the first sample attack packet set comprises P first sample attack packet subsets, the third sample attack packet set comprises P third sample attack packet subsets, the P first subsets correspond one-to-one to the P third subsets, and the sample attack packets in a corresponding pair of subsets belong to the same attack type, training the training long short-term memory model with the first sample attack packet set and the third sample attack packet set to obtain the target long short-term memory model. The target long short-term memory model is used to determine, for an input packet, the probability that it belongs to each of P attack types, where the P attack types correspond one-to-one to the P first sample attack packet subsets and to the P third sample attack packet subsets, and P is a natural number.
Optionally, in this embodiment, the P attack types may include, but are not limited to, ping of death attack, teardrop attack, malformed TCP packet attack, IP fragment attack and the like; these are only examples and this embodiment is not limited in any way.
Optionally, in this embodiment, fig. 7 is a schematic diagram of another network attack detection method according to an embodiment of the present invention. As shown in fig. 7, the process includes, but is not limited to, the following steps:
S702, obtaining P first sample attack packet subsets and P third sample attack packet subsets, the sample attack packets in each third subset being obtained by inputting the first sample attack packets into the target generation submodel 702;
S704, inputting, in random order, a first sample attack packet and the third sample attack packet corresponding to it into the target discrimination model 704;
S706, when the discrimination result output by the target discrimination model 704 shows that both the first sample attack packet and its corresponding third sample attack packet are attack packets, inputting them into the LSTM training long short-term memory model 706;
S708, obtaining the output result of the LSTM and, based on it, obtaining the target long short-term memory model.
In this embodiment the training long short-term memory model is trained with the first sample attack packet set and the third sample attack packet set, organised by the attack type of the sample packets, to obtain the target long short-term memory model, so that the output of the target long short-term memory model identifies the attack type of a packet. This improves the accuracy and efficiency of network attack detection and addresses the poor detection capability and low detection accuracy of the related art.
As an optional scheme, training the training long short-term memory model with the first sample attack packet set and the third sample attack packet set to obtain the target long short-term memory model includes repeatedly executing the following steps until training is finished:
S1, acquiring a training sample packet to be input from the first sample attack packet set or the third sample attack packet set;
S2, inputting the training sample packet into the training long short-term memory model to obtain the sample discrimination result it outputs, which represents the probability that the training sample packet belongs to each of N attack types;
S3, determining the value of the second loss function of the training long short-term memory model from the sample discrimination result and the actual discrimination result of the training sample packet, the actual discrimination result indicating whether the training sample packet is an attack packet and, if it is, its attack type;
S4, adjusting the parameters of the training long short-term memory model when the value of the second loss function does not meet the preset second loss condition;
S5, when the value of the second loss function meets the second loss condition, ending the training; the target long short-term memory model is the training long short-term memory model as it is when training ends.
Optionally, in this embodiment, the second loss function may include, but is not limited to, the 0-1 loss, absolute value loss, logarithmic loss, square loss, exponential loss, Hinge loss, cross-entropy loss and the like.
Optionally, in this embodiment, the sample discrimination result indicates the probability that the training sample packet belongs to each of the N attack types, and the actual discrimination result indicates whether the training sample packet is an attack packet and, if it is, the attack type to which it belongs.
As an optional scheme, inputting the first target packet into the target long short-term memory model to obtain the second target discrimination result output by it includes:
inputting the first target packet into the target long short-term memory model to obtain the second target discrimination result, which indicates whether the first target packet is an attack packet and, if it is, its attack type;
where the target long short-term memory model is obtained by training the training long short-term memory model with the first sample attack packet set and the third sample attack packet set, the first sample attack packet set comprises N first sample attack packet subsets, the third sample attack packet set comprises N third sample attack packet subsets, the N first subsets, the N third subsets and the N attack types correspond one-to-one, the sample attack packets in a corresponding pair of subsets belong to the same attack type, and N is a natural number greater than 1.
Optionally, in this embodiment, fig. 8 is a schematic diagram of another optional network attack detection method according to an embodiment of the present invention. As shown in fig. 8, the method may include, but is not limited to, the following steps:
S802, obtaining N first sample attack packet subsets and N third sample attack packet subsets;
S804, inputting the one-to-one corresponding first sample attack packets and third sample attack packets, in random order, into the LSTM training long short-term memory model;
S806, obtaining the output result, which comprises the probability that the input sample attack packet is an attack packet and the corresponding attack type;
S808, determining the value of the second loss function from that probability and adjusting the parameters of the LSTM training long short-term memory model when the value does not meet the preset second loss condition;
S810, finishing the training of the training long short-term memory model when the value of the second loss function meets the preset second loss condition.
The present embodiment is further explained below with reference to specific examples.
At present, common APT detection methods include sandbox-based malicious code detection, abnormal traffic detection, full packet capture and analysis, host malicious code detection, social network security event mining and the like. Sandbox-based malicious code detection runs a suspicious application in a container (a simulated execution environment) and detects malicious attack code by monitoring the application's abnormal behaviour. Abnormal traffic detection first establishes a reference model of normal traffic and detects network attack events through slight changes in network traffic. Full packet capture and analysis captures all data packets in the network on specific occasions and uses big-data analysis to detect whether attacks exist. Host malicious code detection identifies malicious code through signatures or heuristic rules. Social network security event mining learns users' behaviour patterns from the mass data of social networks and mines their social attributes, such as the social relationship graph, to provide guidance and a basis for APT attack detection.
These methods mainly deal with APT attacks that have a fixed attack pattern and a short time span. Real APT attacks are large in scale and long in duration, so data acquisition is costly, attack samples are often scarce, and the detection effect of the traditional methods is often poor.
In view of this, the embodiment proposes an APT attack detection method based on a GAN and an LSTM. On one hand, a large amount of attack data is generated by GAN simulation, solving the problems of rigid, monotonous attack data and insufficient attack samples; on the other hand, the discriminator obtained by training in the GAN performs the APT detection, and the LSTM processes the APT attack sequence, solving the problem that the discriminator loses memory because of the large time span of an attack, and finally improving the APT attack detection capability.
Optionally, in this embodiment, the APT attack detection algorithm comprises three modules: an APT attack data generation module, an APT attack data discrimination module and an APT time-sequence processing module. Fig. 9 is a schematic diagram of another network attack detection method according to an embodiment of the present invention. As shown in fig. 9, the APT attack data generation module 902 uses a GAN to generate simulated attack data for 4 attack tags; its input is an original attack sample x and Gaussian random noise z, and its output is generated attack data. The APT attack data discrimination module 904 performs multi-class classification of attack data; its input is an original attack sample x or generated data G(z), and its output is the corresponding classification label. The APT time-sequence processing module 906 processes the APT time sequence with an LSTM structure; its input is the vectorized attack tag and its output is a boolean quantity y indicating whether the sequence up to the current position is an APT attack sequence.
The training process of the APT attack detection algorithm is as follows:
Firstly, according to the APT attack data generation module 902, attack data generators for NUM attack tags are constructed using the GAN principle, with the following specific steps.
S1, pre-training each generation model for PRE iterations so that it has a certain discrimination capability; the pre-trained model is denoted [formula image].
S2, constructing a GAN model, taking [formula image] as the initialization of [formula image] in the GAN, and bringing the network to convergence through N rounds of adversarial training; the generation model [formula image] is thereby obtained.
Secondly, after the NUM generators are trained, the discrimination model D of the APT attack data discrimination module 904 is trained with the generated data, as follows:
S1, initializing the discrimination model D of the APT attack data discrimination module with the weights of the GAN's discrimination model at Nash equilibrium.
S2, using the generators [formula image] to produce C simulated samples, each labelled according to the category of the generator that produced it;
S3, inputting the generated data together with the original sample data into model D and training until the algorithm converges, which yields the APT attack multi-class discrimination model D.
Finally, after the discrimination model D is trained, the APT time-sequence processing module 906 is trained on APT attack sequences, as follows:
S1, vectorizing the output label of model D according to the type and number of labels;
S2, taking an APT attack sequence x of length SEQ as sample data, inputting the word vector of x at each time t in turn into the time-sequence processing model, and training the model for L rounds until it converges.
Once the time-sequence model is trained, training of the whole model framework is complete. The time-sequence processing module then continuously receives the vectorized output of the APT attack data discrimination module until the current sequence is detected to belong to an APT attack sequence.
Optionally, in this embodiment, fig. 10 is a schematic diagram of another network attack detection method according to this embodiment. As shown in fig. 10, the application flow of the APT attack detection may include, but is not limited to, the following:
S1002, obtaining the network data packet at time T (corresponding to the first target packet);
S1004, extracting features from the network data packet to obtain the corresponding feature vector;
S1006, inputting the feature vector into the attack detection model D (corresponding to the target discrimination model);
S1008, outputting the corresponding output tag (corresponding to the first target discrimination result);
S1010, when the output tag indicates that the network data packet is a normal packet, extracting the next packet;
S1012, when the output tag identifies the network data packet as an abnormal packet, inputting it into the LSTM model (corresponding to the target long short-term memory model) to obtain the APT probability (corresponding to the probability of the attack type to which the packet belongs).
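The LSTM gate description given earlier, the label vectorization of the time-sequence module and the application flow of fig. 10 (S1002 to S1012) are illustrated together by the following added example, which is not code from the patent. The attack detection model D is a stand-in nearest-centroid classifier over three constructed packet features, the LSTM cell uses constructed (seeded, untrained) weights, and the label names follow the four attack types listed earlier on the page; all feature values, centroids and weights are assumptions. Training of the LSTM against the second loss function is not implemented here.

```python
"""Detection flow of fig. 10 with an LSTM cell over discriminator labels.

Added example, not code from the patent. D is a nearest-centroid stand-in,
the LSTM weights are constructed (seeded, untrained), so the APT probability
illustrates the data flow and the gate arithmetic, not a trained detector.
"""
import math
import random

# Output label space of D: index 0 = normal packet, 1..4 = attack types.
LABELS = ["normal", "ping_of_death", "teardrop", "malformed_tcp", "ip_fragment"]

# Constructed centroids in a 3-feature space (ICMP size, fragment offset
# overlap, TCP flag anomaly), one per label. Assumed, for the stand-in D.
CENTROIDS = {
    0: (0.1, 0.0, 0.0),
    1: (1.0, 0.0, 0.0),
    2: (0.2, 1.0, 0.1),
    3: (0.0, 0.1, 1.0),
    4: (0.2, 0.8, 0.0),
}


def extract_features(packet):
    """S1004: feature vector from a (constructed) packet record."""
    return (packet["icmp_size"], packet["frag_overlap"], packet["tcp_flag_anomaly"])


def discriminate(features):
    """S1006/S1008: stand-in for D, returns the nearest centroid's label."""
    return min(CENTROIDS, key=lambda k: sum((a - b) ** 2 for a, b in zip(CENTROIDS[k], features)))


def vectorize_label(label):
    """Time-sequence module S1: one-hot vector of D's output label."""
    return [1.0 if i == label else 0.0 for i in range(len(LABELS))]


def sigmoid(z):
    # Numerically stable logistic function.
    return 1.0 / (1.0 + math.exp(-z)) if z >= 0 else math.exp(z) / (1.0 + math.exp(z))


class LSTMCell:
    """Single LSTM memory block with forget, input and output gates."""

    def __init__(self, in_dim, hidden, seed=0):
        rng = random.Random(seed)  # constructed weights, not trained
        self.hidden = hidden
        # One weight matrix per gate (f, i, o) and candidate (c) over the
        # concatenation [x_t, h_{t-1}], plus a bias per unit.
        self.W = {g: [[rng.uniform(-0.5, 0.5) for _ in range(in_dim + hidden)]
                      for _ in range(hidden)] for g in "fioc"}
        self.b = {g: [0.0] * hidden for g in "fioc"}
        self.w_out = [rng.uniform(-0.5, 0.5) for _ in range(hidden)]

    def _affine(self, g, z):
        return [sum(w * v for w, v in zip(row, z)) + bj
                for row, bj in zip(self.W[g], self.b[g])]

    def step(self, x, h, c):
        """One time step: returns the new hidden state and cell state."""
        z = list(x) + list(h)
        f = [sigmoid(v) for v in self._affine("f", z)]   # forget gate: drop old memory
        i = [sigmoid(v) for v in self._affine("i", z)]   # input gate: admit new memory
        o = [sigmoid(v) for v in self._affine("o", z)]   # output gate: expose memory
        g = [math.tanh(v) for v in self._affine("c", z)]  # candidate memory
        c_new = [fj * cj + ij * gj for fj, cj, ij, gj in zip(f, c, i, g)]
        h_new = [oj * math.tanh(cj) for oj, cj in zip(o, c_new)]
        return h_new, c_new

    def apt_probability(self, h):
        """Output y: probability that the sequence so far is an APT sequence."""
        return sigmoid(sum(w * v for w, v in zip(self.w_out, h)))


def detect_stream(packets, cell):
    """Fig. 10 flow: D labels every packet; normal packets are skipped
    (S1010); abnormal packets are vectorized and fed to the LSTM (S1012).
    Returns (label per packet, APT probability after each abnormal packet)."""
    h, c = [0.0] * cell.hidden, [0.0] * cell.hidden
    labels, apt_probs = [], []
    for pkt in packets:
        label = discriminate(extract_features(pkt))
        labels.append(label)
        if label == 0:
            continue
        h, c = cell.step(vectorize_label(label), h, c)
        apt_probs.append(cell.apt_probability(h))
    return labels, apt_probs


# Constructed packet stream: normal, ping of death, normal, teardrop, teardrop.
STREAM = [
    {"icmp_size": 0.10, "frag_overlap": 0.00, "tcp_flag_anomaly": 0.00},
    {"icmp_size": 0.95, "frag_overlap": 0.00, "tcp_flag_anomaly": 0.05},
    {"icmp_size": 0.12, "frag_overlap": 0.02, "tcp_flag_anomaly": 0.00},
    {"icmp_size": 0.20, "frag_overlap": 0.95, "tcp_flag_anomaly": 0.10},
    {"icmp_size": 0.20, "frag_overlap": 0.95, "tcp_flag_anomaly": 0.10},
]

if __name__ == "__main__":
    labels, probs = detect_stream(STREAM, LSTMCell(len(LABELS), 8))
    print([LABELS[l] for l in labels], [round(p, 3) for p in probs])
```

Only packets that D labels as abnormal reach the LSTM, so the cell state carries information across attack packets only; the same label fed twice in a row yields different outputs because h and c already hold the earlier steps, which is the memory the page relies on for long-running APT sequences.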
In this embodiment, simulating attack data greatly increases the amount of sample data, improving the accuracy of the discrimination model and lowering the false alarm rate. In addition, for the long persistence of APT attacks, the memory unit and gate structure of the LSTM preserve features over a longer time sequence, so that a certain accuracy and false alarm rate are guaranteed even for APT attack sequences that persist for a long time.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention.
According to another aspect of the embodiment of the present invention, there is also provided a network attack detection apparatus for implementing the network attack detection method. As shown in fig. 11, the apparatus includes:
an obtaining module 1102, configured to obtain a captured first target packet;
a first input module 1104, configured to input the first target packet into a first target discrimination model to obtain a first target discrimination result output by the first target discrimination model, where the first target discrimination result is used to indicate whether the first target packet is an attack packet, the first target discrimination model is a model obtained by training a first training discrimination model using a first sample attack packet set and a second sample attack packet set, the first sample attack packet set includes a captured group of sample attack packets, and the second sample attack packet set includes an attack packet generated according to a sample attack packet in the first sample attack packet set;
a second input module 1106, configured to, when the first target discrimination result indicates that the first target packet is an attack packet, input the first target packet into a target long-short term memory model to obtain a second target discrimination result output by the target long-short term memory model, where the second target discrimination result is used to indicate whether the first target packet is an attack packet.
As an optional solution, the apparatus is further configured to:
and training the first training discrimination model by using the first sample attack packet set and the second sample attack packet set to obtain the first target discrimination model.
As an optional scheme, the apparatus is further configured to train the first training discriminant model by using the first sample attack packet set and the second sample attack packet set to obtain the first target discriminant model:
repeatedly executing the following steps until the first target discrimination model is obtained:
sequentially inputting M sample attack messages in the first sample attack message set and M sample random noises in the sample random noise set into a training generation model to obtain M sample attack messages sequentially generated by the training generation model, wherein the second sample attack message set comprises the M sample attack messages sequentially generated by the training generation model, an input item input into the target generation model each time comprises a sample attack message and a sample random noise, the training generation model is used for generating an attack message matched with the input sample attack message according to the input sample random noise each time, and M is a natural number;
and training the first training discrimination model by using the M sample attack messages in the first sample attack message set and the M sample attack messages sequentially generated by the training generation model.
As an optional scheme, the apparatus is further configured to train the first training discriminant model by using the M sample attack packets in the first sample attack packet set and the M sample attack packets sequentially generated by the training generation model in the following manner:
acquiring a training sample message set, wherein the training sample message set comprises M sample attack messages in the first sample attack message set, M sample attack messages sequentially generated by the training generation model and an acquired normal message set;
the following steps are repeatedly executed until the training is finished:
acquiring a training sample message to be input from the training sample message set;
inputting the training sample message into the first training discriminant model to obtain a sample discriminant result output by the first training discriminant model, wherein the sample discriminant result is used for indicating whether the training sample message is an attack message;
determining a value of a first loss function of the first training discrimination model according to the sample discrimination result and an actual discrimination result of the training sample message, wherein the actual discrimination result is used for indicating whether the training sample message is an attack message or not;
adjusting parameters in the first training discriminant model and the training generation model or adjusting parameters in the first training discriminant model under the condition that the value of the first loss function does not meet a preset first loss condition;
and under the condition that the value of the first loss function meets the first loss condition, ending the training of the first training discriminant model, wherein the first target discriminant model is the first training discriminant model when the training is ended.
As an optional scheme, the apparatus is further configured to obtain a training sample packet set by:
and randomly sequencing the M sample attack messages in the first sample attack message set, the M sample attack messages sequentially generated by the training generation model and the normal message set to obtain the training sample message set.
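The training loop described in the preceding optional schemes (generate M matched attack messages from M sample attack messages and M random noises, merge them with the captured attack and normal messages in random order, evaluate the first loss function, adjust the discrimination model and the generation model until the first loss condition holds), as an added example that is not the patent's own code. Messages are constructed 4-element feature vectors, the discriminator is a logistic regression, the generator is a learned-scale noise perturbation, and the generator update rule and all sample values are assumptions for the demonstration.

```python
"""Added illustration of the adversarial training loop for the first
discrimination model. Not the patent's code: the feature representation,
discriminator, generator and its update rule are all assumptions.
Labels: 1 = attack message, 0 = normal message."""
import math
import random

DIM = 4


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


class Discriminator:
    """Logistic-regression stand-in for the first training discrimination model."""

    def __init__(self):
        self.w, self.b = [0.0] * DIM, 0.0

    def prob_attack(self, x):
        return sigmoid(sum(wi * xi for wi, xi in zip(self.w, x)) + self.b)

    def loss(self, batch):
        """Mean binary cross-entropy over the batch (the first loss function)."""
        total = 0.0
        for x, y in batch:
            p = self.prob_attack(x)
            total -= y * math.log(p + 1e-12) + (1 - y) * math.log(1 - p + 1e-12)
        return total / len(batch)

    def step(self, batch, lr):
        """One gradient-descent step: adjusts the discriminator's parameters."""
        gw, gb, n = [0.0] * DIM, 0.0, len(batch)
        for x, y in batch:
            err = self.prob_attack(x) - y  # d(loss)/d(logit) for the logistic loss
            for i in range(DIM):
                gw[i] += err * x[i]
            gb += err
        for i in range(DIM):
            self.w[i] -= lr * gw[i] / n
        self.b -= lr * gb / n


class Generator:
    """Training generation model: each input item is (sample attack message,
    sample random noise); the output is an attack message matched to the sample."""

    def __init__(self, scale=0.05):
        self.scale = scale  # the generator's trainable parameter

    def generate(self, sample, noise):
        return [min(1.0, max(0.0, s + self.scale * z)) for s, z in zip(sample, noise)]


def make_training_set(real_attacks, generated, normals, rng):
    """Training sample message set: captured and generated attack messages plus
    normal messages, randomly ordered."""
    data = [(x, 1) for x in real_attacks + generated] + [(x, 0) for x in normals]
    rng.shuffle(data)
    return data


def train_discriminator(real_attacks, normals, loss_threshold=0.3, max_rounds=500, seed=7):
    """Repeats generate -> build set -> evaluate loss -> adjust until the first
    loss condition holds. Returns (model, rounds used, final loss)."""
    rng, d, g, m = random.Random(seed), Discriminator(), Generator(), len(real_attacks)
    loss, rounds = float("inf"), 0
    for rounds in range(1, max_rounds + 1):
        noises = [[rng.gauss(0.0, 1.0) for _ in range(DIM)] for _ in range(m)]
        generated = [g.generate(s, z) for s, z in zip(real_attacks, noises)]
        batch = make_training_set(real_attacks, generated, normals, rng)
        loss = d.loss(batch)
        if loss <= loss_threshold:  # first loss condition met: training ends
            break
        d.step(batch, lr=1.0)  # adjust discriminator parameters
        # Generator adjustment (assumption, not specified by the patent): widen the
        # noise while D already recognises every generated message, shrink it when
        # generated messages drift far enough to be mistaken for normal traffic.
        fooled = sum(1 for x in generated if d.prob_attack(x) < 0.5) / m
        g.scale = max(0.01, g.scale * 0.9) if fooled > 0.0 else min(0.15, g.scale * 1.05)
    return d, rounds, loss


# Constructed sample data: features in [0, 1] (e.g. normalized length, entropy,
# non-printable fraction, request rate); three captured attack messages, four normal.
REAL_ATTACKS = [[0.9, 0.9, 0.8, 0.7], [0.8, 0.95, 0.7, 0.9], [0.95, 0.85, 0.9, 0.6]]
NORMALS = [[0.1, 0.2, 0.0, 0.1], [0.2, 0.1, 0.05, 0.2],
           [0.15, 0.3, 0.1, 0.05], [0.05, 0.15, 0.0, 0.1]]

if __name__ == "__main__":
    model, used, final = train_discriminator(REAL_ATTACKS, NORMALS)
    print(f"rounds={used} loss={final:.3f} w={model.w} b={model.b:.3f}")
```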
As an optional scheme, the apparatus is further configured to sequentially input the M sample attack packets in the first sample attack packet set and the M sample random noises in the sample random noise set to a training generation model in the following manner, so as to obtain M sample attack packets sequentially generated by the training generation model:
when the first sample attack message set comprises N first sample attack message subsets and each first sample attack message subset comprises sample attack messages of the same attack type, executing the following steps for each first sample attack message subset, wherein N is a natural number larger than 1, each first sample attack message subset in turn is regarded as the current sample attack message subset, and the sample attack messages in the current sample attack message subset belong to the current attack type:
sequentially inputting M1 sample attack messages in the current first sample attack message subset and M1 sample random noises in the sample random noise set into a current training generation submodel corresponding to the current attack type to obtain M1 sample attack messages sequentially generated by the current training generation submodel, wherein the training generation model comprises N training generation submodels, the second sample attack message set comprises N second sample attack message subsets, the second sample attack message subset corresponding to the current attack type comprises the M1 sample attack messages sequentially generated by the current training generation submodel, each input item input to the current training generation submodel comprises one sample attack message and one sample random noise, the current training generation submodel is used for generating, according to the input sample random noise each time, an attack message that matches the input sample attack message and belongs to the current attack type, M1 is a natural number, and M1 is less than or equal to M.
As an optional scheme, the apparatus is further configured to train the first training discriminant model by using the M sample attack packets in the first sample attack packet set and the M sample attack packets sequentially generated by the training generation model in the following manner:
acquiring N training sample message subsets in a training sample message set, wherein each training sample message subset comprises M1 sample attack messages in one first sample attack message subset, M1 sample attack messages corresponding to one second sample attack message subset and an acquired normal message subset, and the sample attack messages in the first sample attack message subset and the second sample attack message subset belong to the same attack type;
for N training discrimination submodels included in the first training discrimination model, repeatedly executing the following steps until training is finished, wherein in the following steps, one training discrimination submodel is regarded as a current training discrimination submodel, a training sample message subset used for training the current training discrimination submodel in the N training sample message subsets is regarded as a current training sample message subset, sample attack messages in the first sample attack message subset and the second sample attack message subset in the current training sample message subset belong to a current attack type, and the current training discrimination submodel is used for determining whether an input message is an attack message of the current attack type:
acquiring a training sample message to be input from the current training sample message subset;
inputting the training sample message into the current training discrimination submodel to obtain a sample discrimination result output by the current training discrimination submodel, wherein the sample discrimination result is used for indicating whether the training sample message is an attack message of the current attack type;
determining the value of the current loss function of the current training discrimination sub-model according to the sample discrimination result and the actual discrimination result of the training sample message, wherein the actual discrimination result is used for indicating whether the training sample message is actually an attack message of the current attack type;
under the condition that the value of the current loss function does not meet the current loss condition, adjusting parameters in the current training discrimination submodel and the training generation model, or adjusting parameters in the current training discrimination submodel;
and under the condition that the value of the current loss function meets the current loss condition, ending the training of the current training discrimination sub-model, wherein one corresponding target discrimination sub-model in the first target discrimination model is the current training discrimination sub-model when the training is ended, and the corresponding target discrimination sub-model is used for determining whether the input message is the attack message of the current attack type.
As an optional solution, the apparatus is further configured to:
training a second training discrimination model by using a sample attack message subset in the first sample attack message set to obtain a third training discrimination model, wherein the third training discrimination model is used for determining whether a message input into the third training discrimination model is an attack message;
initializing the first trained discrimination model to the third trained discrimination model.
As an optional solution, the apparatus is further configured to:
and training a training long-short term memory model by using the first sample attack message set and a third sample attack message set to obtain the target long-short term memory model, wherein the third sample attack message set comprises attack messages generated by a target generation model according to the sample attack messages in the first sample attack message set, the target generation model is a generation model obtained by training the training generation model, and the second sample attack message set comprises attack messages generated by the training generation model according to the sample attack messages in the first sample attack message set.
As an optional scheme, the apparatus is further configured to train a training long-short term memory model by using the first sample attack packet set and the third sample attack packet set, so as to obtain the target long-short term memory model:
when the first sample attack message set comprises P first sample attack message subsets, the third sample attack message set comprises P third sample attack message subsets, the P first sample attack message subsets and the P third sample attack message subsets are in one-to-one correspondence, and the sample attack messages in a corresponding pair of first and third sample attack message subsets belong to the same attack type, training a training long-short term memory model using the first sample attack message set and the third sample attack message set to obtain the target long-short term memory model, wherein the target long-short term memory model is used for determining the probability that an input message belongs to each of P attack types, the P attack types are in one-to-one correspondence with the P first sample attack message subsets and the P third sample attack message subsets, and P is a natural number.
As an optional scheme, the apparatus is further configured to train a training long-short term memory model by using the first sample attack packet set and the third sample attack packet set, so as to obtain the target long-short term memory model:
the following steps are repeatedly executed until the training is finished:
acquiring training sample messages to be input from the first sample attack message set and the third sample attack message set;
inputting the training sample message into the training long-short term memory model to obtain a sample discrimination result output by the training long-short term memory model, wherein the sample discrimination result is used for representing the probability that the training sample message belongs to each attack type in N attack types;
determining a value of a second loss function of the training long-short term memory model according to the sample discrimination result and an actual discrimination result of the training sample message, wherein the actual discrimination result is used for indicating whether the training sample message is an attack message and, when the training sample message is an attack message, the attack type to which it belongs;
adjusting parameters in the training long-short term memory model under the condition that the value of the second loss function does not meet a preset second loss condition;
and under the condition that the value of the second loss function meets the second loss condition, ending the training of the training long-short term memory model, wherein the target long-short term memory model is the training long-short term memory model when the training is ended.
As an optional scheme, the apparatus is further configured to input the first target packet into a target long-short term memory model to obtain a second target discrimination result output by the target long-short term memory model by:
inputting the first target message into the target long-short term memory model to obtain a second target discrimination result output by the target long-short term memory model, wherein the second target discrimination result is used for indicating whether the first target message is an attack message or not and indicating the attack type of the first target message under the condition that the first target message is the attack message;
the target long-short term memory model is obtained by training a training long-short term memory model by using the first sample attack packet set and the third sample attack packet set, the first sample attack packet set comprises N first sample attack packet subsets, the third sample attack packet set comprises N third sample attack packet subsets, the N first sample attack packet subsets, the N third sample attack packet subsets and the N attack types have a one-to-one correspondence relationship, one first sample attack packet subset and one sample attack packet in the third sample attack packet subset which have the correspondence relationship belong to the same attack type, and N is a natural number greater than 1.
According to another aspect of the embodiment of the present invention, there is also provided an electronic device for implementing the method for detecting a network attack, where the electronic device may be a terminal device or a server shown in fig. 1. The present embodiment takes the electronic device as a server as an example for explanation. As shown in fig. 12, the electronic device comprises a memory 1202 and a processor 1204, the memory 1202 having stored therein a computer program, the processor 1204 being arranged to perform the steps of any of the above-described method embodiments by means of the computer program.
Optionally, in this embodiment, the electronic device may be located in at least one network device of a plurality of network devices of a computer network.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
s1, acquiring the captured first target message;
s2, inputting the first target message into a first target discrimination model to obtain a first target discrimination result output by the first target discrimination model, wherein the first target discrimination result is used for indicating whether the first target message is an attack message, the first target discrimination model is a model obtained by training a first training discrimination model by using a first sample attack message set and a second sample attack message set, the first sample attack message set comprises a captured group of sample attack messages, and the second sample attack message set comprises attack messages generated according to the sample attack messages in the first sample attack message set;
and S3, under the condition that the first target judgment result shows that the first target message is an attack message, inputting the first target message into the target long-short term memory model to obtain a second target judgment result output by the target long-short term memory model, wherein the second target judgment result is used for showing whether the first target message is an attack message or not.
Alternatively, those skilled in the art can understand that the structure shown in fig. 12 is only illustrative, and the electronic device may also be a terminal device such as a smart phone (e.g., an Android phone, an iOS phone, etc.), a tablet computer, a palmtop computer, a Mobile Internet Device (MID), a PAD, and the like. Fig. 12 is a diagram illustrating a structure of the electronic device; for example, the electronic device may also include more or fewer components (e.g., network interfaces, etc.) than shown in fig. 12, or have a different configuration from that shown in fig. 12.
The memory 1202 may be used to store software programs and modules, such as program instructions/modules corresponding to the network attack detection method and apparatus in the embodiments of the present invention, and the processor 1204 executes various functional applications and data processing by running the software programs and modules stored in the memory 1202, that is, implements the above-described network attack detection method. The memory 1202 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 1202 can further include memory located remotely from the processor 1204, which can be connected to a terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof. The memory 1202 may be specifically but not limited to be used for storing information such as sample attack packets and network data packets. As an example, as shown in fig. 12, the memory 1202 may include, but is not limited to, an obtaining module 1102, a first input module 1104, and a second input module 1106 in the detection apparatus for network attacks. In addition, the present invention may further include, but is not limited to, other module units in the above network attack detection apparatus, which is not described in detail in this example.
Optionally, the transmitting device 1206 is configured to receive or transmit data via a network. Examples of the network may include a wired network and a wireless network. In one example, the transmitting device 1206 includes a Network adapter (NIC) that can be connected to a router via a Network cable to communicate with the internet or a local area Network. In one example, the transmitting device 1206 is a Radio Frequency (RF) module, which is used to communicate with the internet in a wireless manner.
In addition, the electronic device further includes: a display 1208, configured to display a detection result of the network attack; and a connection bus 1210 for connecting the respective module parts in the above-described electronic apparatus.
In other embodiments, the terminal device or the server may be a node in a distributed system, where the distributed system may be a blockchain system, and the blockchain system may be a distributed system formed by connecting a plurality of nodes through network communication. Nodes can form a peer-to-peer (P2P) network, and any type of computing device, such as a server, a terminal, or another electronic device, can become a node in the blockchain system by joining the peer-to-peer network.
According to an aspect of the application, a computer program product or computer program is provided, comprising computer instructions, the computer instructions being stored in a computer readable storage medium. The computer instructions are read by a processor of the computer device from a computer-readable storage medium, and the computer instructions are executed by the processor to cause the computer device to perform the methods provided in the various alternative implementations of the detection aspect of the network attack described above. Wherein the computer program is arranged to perform the steps of any of the above method embodiments when executed.
Alternatively, in the present embodiment, the above-mentioned computer-readable storage medium may be configured to store a computer program for executing the steps of:
s1, acquiring the captured first target message;
s2, inputting the first target message into a first target discrimination model to obtain a first target discrimination result output by the first target discrimination model, wherein the first target discrimination result is used for indicating whether the first target message is an attack message, the first target discrimination model is a model obtained by training a first training discrimination model by using a first sample attack message set and a second sample attack message set, the first sample attack message set comprises a captured group of sample attack messages, and the second sample attack message set comprises attack messages generated according to the sample attack messages in the first sample attack message set;
and S3, under the condition that the first target judgment result shows that the first target message is an attack message, inputting the first target message into the target long-short term memory model to obtain a second target judgment result output by the target long-short term memory model, wherein the second target judgment result is used for showing whether the first target message is an attack message or not.
Alternatively, in this embodiment, a person skilled in the art may understand that all or part of the steps in the methods of the foregoing embodiments may be implemented by a program instructing hardware associated with the terminal device, where the program may be stored in a computer-readable storage medium, and the storage medium may include: flash disks, Read-Only memories (ROMs), Random Access Memories (RAMs), magnetic or optical disks, and the like.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
The integrated unit in the above embodiments, if implemented in the form of a software functional unit and sold or used as a separate product, may be stored in the above computer-readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing one or more computer devices (which may be personal computers, servers, network devices, etc.) to execute all or part of the steps of the method according to the embodiments of the present invention.
In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed client may be implemented in other manners. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The foregoing is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and decorations can be made without departing from the principle of the present invention, and these modifications and decorations should also be regarded as the protection scope of the present invention.

Claims (15)

1. A method for detecting network attacks is characterized by comprising the following steps:
acquiring a captured first target message;
inputting the first target message into a first target discrimination model to obtain a first target discrimination result output by the first target discrimination model, wherein the first target discrimination result is used for indicating whether the first target message is an attack message, the first target discrimination model is a model obtained by training a first training discrimination model by using a first sample attack message set and a second sample attack message set, the first sample attack message set comprises a captured group of sample attack messages, and the second sample attack message set comprises attack messages generated according to the sample attack messages in the first sample attack message set;
and under the condition that the first target judgment result shows that the first target message is an attack message, inputting the first target message into a target long-short term memory model to obtain a second target judgment result output by the target long-short term memory model, wherein the second target judgment result is used for showing whether the first target message is the attack message or not.
2. The method of claim 1, further comprising:
and training the first training discrimination model by using the first sample attack packet set and the second sample attack packet set to obtain the first target discrimination model.
3. The method of claim 2, wherein the training the first training discriminant model using the first set of sample attack packets and the second set of sample attack packets to obtain the first target discriminant model comprises:
repeatedly executing the following steps until the first target discrimination model is obtained:
sequentially inputting M sample attack messages in the first sample attack message set and M sample random noises in the sample random noise set into a training generation model to obtain M sample attack messages sequentially generated by the training generation model, wherein the second sample attack message set comprises the M sample attack messages sequentially generated by the training generation model, an input item input into the target generation model each time comprises a sample attack message and a sample random noise, the training generation model is used for generating an attack message matched with the input sample attack message according to the input sample random noise each time, and M is a natural number;
and training the first training discrimination model by using the M sample attack messages in the first sample attack message set and the M sample attack messages sequentially generated by the training generation model.
4. The method according to claim 3, wherein the training the first training discriminant model using the M sample attack packets in the first sample attack packet set and the M sample attack packets sequentially generated by the training generation model comprises:
acquiring a training sample message set, wherein the training sample message set comprises M sample attack messages in the first sample attack message set, M sample attack messages sequentially generated by the training generation model and an acquired normal message set;
the following steps are repeatedly executed until the training is finished:
acquiring a training sample message to be input from the training sample message set;
inputting the training sample message into the first training discriminant model to obtain a sample discriminant result output by the first training discriminant model, wherein the sample discriminant result is used for indicating whether the training sample message is an attack message;
determining a value of a first loss function of the first training discrimination model according to the sample discrimination result and an actual discrimination result of the training sample message, wherein the actual discrimination result is used for indicating whether the training sample message is an attack message or not;
adjusting parameters in the first training discriminant model and the training generation model or adjusting parameters in the first training discriminant model under the condition that the value of the first loss function does not meet a preset first loss condition;
and under the condition that the value of the first loss function meets the first loss condition, ending the training of the first training discriminant model, wherein the first target discriminant model is the first training discriminant model when the training is ended.
5. The method of claim 4, wherein the obtaining the set of training sample packets comprises:
and randomly sequencing the M sample attack messages in the first sample attack message set, the M sample attack messages sequentially generated by the training generation model and the normal message set to obtain the training sample message set.
6. The method according to claim 3, wherein the sequentially inputting the M sample attack packets in the first sample attack packet set and the M sample random noises in the sample random noise set to a training generation model to obtain the M sample attack packets sequentially generated by the training generation model comprises:
under the condition that the first sample attack message set comprises N first sample attack message subsets and each first sample attack message subset comprises sample attack messages of the same attack type, executing the following steps for each first sample attack message subset, wherein N is a natural number larger than 1, and in the following steps each first sample attack message subset is regarded as a current sample attack message subset and the sample attack messages in the current sample attack message subset belong to a current attack type:
sequentially inputting M1 sample attack messages in the first sample attack message subset and M1 sample random noises in the sample random noise set to a current training generation submodel corresponding to the current attack type to obtain M1 sample attack messages sequentially generated by the current training generation submodel, wherein the training generation model comprises N training generation submodels, the second sample attack message set comprises N second attack message subsets, the second attack message subset corresponding to the current attack type in the second sample attack message set comprises the M1 sample attack messages sequentially generated by the current training generation submodel, an input item input to the current training generation submodel each time comprises one sample attack message and one sample random noise, and the current training generation submodel is used for generating, each time according to the sample random noise input, an attack message that matches the sample attack message input that time and whose type is the current attack type, M1 is a natural number, and M1 is less than or equal to M.
7. The method according to claim 6, wherein the training the first training discriminant model using the M sample attack packets in the first sample attack packet set and the M sample attack packets sequentially generated by the training generation model comprises:
acquiring N training sample message subsets in a training sample message set, wherein each training sample message subset comprises M1 sample attack messages in one first sample attack message subset, M1 sample attack messages corresponding to one second sample attack message subset and an acquired normal message subset, and the sample attack messages in the first sample attack message subset and the second sample attack message subset belong to the same attack type;
for N training discrimination submodels included in the first training discrimination model, repeatedly executing the following steps until training is finished, wherein in the following steps, one training discrimination submodel is regarded as a current training discrimination submodel, a training sample message subset used for training the current training discrimination submodel in the N training sample message subsets is regarded as a current training sample message subset, sample attack messages in the first sample attack message subset and the second sample attack message subset in the current training sample message subset belong to a current attack type, and the current training discrimination submodel is used for determining whether an input message is an attack message of the current attack type:
acquiring a training sample message to be input from the current training sample message subset;
inputting the training sample message into the current training discrimination submodel to obtain a sample discrimination result output by the current training discrimination submodel, wherein the sample discrimination result is used for indicating whether the training sample message is an attack message of the current attack type;
determining the value of the current loss function of the current training discrimination sub-model according to the sample discrimination result and the actual discrimination result of the training sample message, wherein the actual discrimination result is used for indicating whether the training sample message is actually an attack message of the current attack type;
under the condition that the value of the current loss function does not meet the current loss condition, adjusting parameters in the current training discrimination submodel and the training generation model, or adjusting parameters in the current training discrimination submodel;
and under the condition that the value of the current loss function meets the current loss condition, ending the training of the current training discrimination sub-model, wherein one corresponding target discrimination sub-model in the first target discrimination model is the current training discrimination sub-model when the training is ended, and the corresponding target discrimination sub-model is used for determining whether the input message is the attack message of the current attack type.
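As an added, stdlib-only Python illustration of the training procedure in claims 4 to 6 (constructed here, not code from the patent): a captured attack set is augmented with variants produced by a stand-in for the training generation model, mixed with normal messages and randomly ordered as in claim 5, and a logistic-regression discriminator is adjusted until its loss meets the loss condition. The token vocabulary, the sample messages, the generator's mutation rule and the log-loss threshold are all assumptions; one joint discriminator is trained rather than the per-type submodels of claim 7.

```python
import math
import random
random.seed(7)
# Constructed token vocabulary (hypothetical); a message is a list of tokens.
VOCAB = ["GET", "POST", "/index", "/login", "id=1", "name=a", "' OR", "1=1",
         "--", "<script>", "alert", "</script>", "../", "etc/passwd"]
IDX = {t: i for i, t in enumerate(VOCAB)}
BENIGN = {"GET", "POST", "/index", "/login", "id=1", "name=a"}
# First sample attack message set (captured attacks) and normal message set, constructed.
ATTACKS = [["GET", "/login", "id=1", "' OR", "1=1", "--"],
           ["POST", "/login", "name=a", "' OR", "1=1"],
           ["GET", "/index", "name=a", "<script>", "alert", "</script>"],
           ["GET", "/index", "../", "../", "etc/passwd"]]
NORMAL = [["GET", "/index"], ["POST", "/login", "name=a"], ["GET", "/login", "id=1"]]


def generate(sample, noise):
    """Stand-in for a training generation submodel (claim 6): from one sample attack message
    and one noise vector, emit a same-type variant (benign tokens vary, attack tokens kept)."""
    out = [t for t, r in zip(sample, noise) if not (t in BENIGN and r < 0.25)]
    if noise[-1] > 0.5:
        out.append("id=1")
    return out


def features(msg):
    """Token-count vector with a trailing bias term."""
    v = [0.0] * (len(VOCAB) + 1)
    for tok in msg:
        v[IDX[tok]] += 1.0
    v[-1] = 1.0
    return v


def predict(w, x):
    # Discriminator output: probability that the message with features x is an attack.
    return 1.0 / (1.0 + math.exp(-sum(wi * xi for wi, xi in zip(w, x))))


def build_training_set():
    """Claims 4 and 5: M captured attacks, M generated attacks and the normal
    messages, randomly ordered. Labels are the actual discrimination results."""
    rows = [(features(m), 1.0) for m in ATTACKS]
    for m in ATTACKS:
        noise = [random.random() for _ in range(len(m) + 1)]
        rows.append((features(generate(m, noise)), 1.0))
    rows += [(features(m), 0.0) for m in NORMAL]
    random.shuffle(rows)
    return rows


def train_discriminator(rows, threshold=0.05, lr=0.5, max_epochs=500):
    """Claim 4 loop: judge each sample, compare with its actual label, adjust parameters while
    the first loss condition (mean log-loss over one pass < threshold) is unmet; return the model."""
    w = [0.0] * (len(VOCAB) + 1)
    for _ in range(max_epochs):
        total = 0.0
        for x, y in rows:
            p = min(max(predict(w, x), 1e-9), 1.0 - 1e-9)
            total += -(y * math.log(p) + (1.0 - y) * math.log(1.0 - p))
            w = [wi - lr * (p - y) * xi for wi, xi in zip(w, x)]
        if total / len(rows) < threshold:
            break
    return w
```

The returned weight vector plays the role of the first target discrimination model; in the claim 3 pipeline the generation model would also be adjusted against this discriminator, which the stand-in generator above does not do.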
8. The method of claim 3, further comprising:
training a second training discrimination model by using a sample attack message subset in the first sample attack message set to obtain a third training discrimination model, wherein the third training discrimination model is used for determining whether a message input into the third training discrimination model is an attack message;
initializing the first training discrimination model to the third training discrimination model.
9. The method according to any one of claims 1 to 8, further comprising:
and training a training long-short term memory model by using the first sample attack message set and a third sample attack message set to obtain the target long-short term memory model, wherein the third sample attack message set comprises attack messages generated by a target generation model according to the sample attack messages in the first sample attack message set, the target generation model is a generation model obtained by training the training generation model, and the second sample attack message set comprises attack messages generated by the training generation model according to the sample attack messages in the first sample attack message set.
10. The method according to claim 9, wherein the training a training long-short term memory model using the first sample attack packet set and the third sample attack packet set to obtain the target long-short term memory model comprises:
under the condition that the first sample attack message set comprises P first sample attack message subsets, the third sample attack message set comprises P third sample attack message subsets, the P first sample attack message subsets and the P third sample attack message subsets have a one-to-one correspondence, and the sample attack messages in a first sample attack message subset and in the third sample attack message subset corresponding to it belong to the same attack type, training a training long-short term memory model by using the first sample attack message set and the third sample attack message set to obtain the target long-short term memory model, wherein the target long-short term memory model is used for respectively determining the probability that an input message belongs to each attack type in P attack types, the P attack types, the P first sample attack message subsets and the P third sample attack message subsets have a one-to-one correspondence relationship, and P is a natural number.
11. The method according to claim 10, wherein the training a training long-short term memory model using the first sample attack packet set and the third sample attack packet set to obtain the target long-short term memory model comprises:
the following steps are repeatedly executed until the training is finished:
acquiring training sample messages to be input from the first sample attack message set and the third sample attack message set;
inputting the training sample message into the training long-short term memory model to obtain a sample discrimination result output by the training long-short term memory model, wherein the sample discrimination result is used for representing the probability that the training sample message belongs to each attack type in N attack types;
determining a value of a second loss function of the training long-short term memory model according to the sample discrimination result and an actual discrimination result of the training sample message, wherein the actual discrimination result is used for indicating whether the training sample message is an attack message or not and, under the condition that the training sample message is an attack message, indicating the attack type to which the training sample message belongs;
adjusting parameters in the training long-short term memory model under the condition that the value of the second loss function does not meet a preset second loss condition;
and under the condition that the value of the second loss function meets the second loss condition, ending the training of the training long-short term memory model, wherein the target long-short term memory model is the training long-short term memory model when the training is ended.
12. The method according to claim 9, wherein the inputting the first target message into a target long-short term memory model to obtain a second target discrimination result output by the target long-short term memory model comprises:
inputting the first target message into the target long-short term memory model to obtain a second target discrimination result output by the target long-short term memory model, wherein the second target discrimination result is used for indicating whether the first target message is an attack message or not and indicating the attack type of the first target message under the condition that the first target message is the attack message;
the target long-short term memory model is obtained by training a training long-short term memory model by using the first sample attack packet set and a third sample attack packet set, the first sample attack packet set comprises N first sample attack packet subsets, the third sample attack packet set comprises N third sample attack packet subsets, the N first sample attack packet subsets, the N third sample attack packet subsets and the N attack types have a one-to-one correspondence relationship, the sample attack packets in a first sample attack packet subset and in the third sample attack packet subset corresponding to it belong to the same attack type, and N is a natural number greater than 1.
13. An apparatus for detecting a cyber attack, comprising:
the acquisition module is used for acquiring the captured first target message;
a first input module, configured to input the first target packet into a first target discrimination model, to obtain a first target discrimination result output by the first target discrimination model, where the first target discrimination result is used to indicate whether the first target packet is an attack packet, the first target discrimination model is a model obtained by training a first training discrimination model using a first sample attack packet set and a second sample attack packet set, the first sample attack packet set includes a captured group of sample attack packets, and the second sample attack packet set includes an attack packet generated according to a sample attack packet in the first sample attack packet set;
and the second input module is used for inputting the first target message into a target long-short term memory model under the condition that the first target judgment result shows that the first target message is an attack message, so as to obtain a second target judgment result output by the target long-short term memory model, wherein the second target judgment result is used for showing whether the first target message is an attack message.
14. A computer-readable storage medium, characterized in that it comprises a stored program, wherein the program is executable by a terminal device or a computer to perform the method of any one of claims 1 to 12.
15. An electronic device comprising a memory and a processor, characterized in that the memory has stored therein a computer program, the processor being arranged to execute the method of any of claims 1 to 12 by means of the computer program.
CN202110107046.3A 2021-01-27 2021-01-27 Network attack detection method and device, storage medium and electronic equipment Active CN112437099B (en)

Publications (2)

Publication Number Publication Date
CN112437099A true CN112437099A (en) 2021-03-02
CN112437099B CN112437099B (en) 2021-05-14

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110808968A (en) * 2019-10-25 2020-02-18 新华三信息安全技术有限公司 Network attack detection method and device, electronic equipment and readable storage medium
CN111049786A (en) * 2018-10-12 2020-04-21 北京奇虎科技有限公司 Network attack detection method, device, equipment and storage medium
CN111447212A (en) * 2020-03-24 2020-07-24 哈尔滨工程大学 Method for generating and detecting APT (advanced persistent threat) attack sequence based on GAN (generative adversarial network)

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
武天博: "Research on APT Attack Detection Technology Based on GAN-LSTM", China Master's Theses Full-text Database, Information Science and Technology Series *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
REG Reference to a national code (ref country code: HK; ref legal event code: DE; ref document number: 40041344; country of ref document: HK)