CN112543186B - Network behavior detection method and device, storage medium and electronic equipment - Google Patents


Publication number
CN112543186B
Authority
CN
China
Prior art keywords
network
node
target
value interval
node set
Legal status
Active
Application number
CN202011325427.0A
Other languages
Chinese (zh)
Other versions
CN112543186A (en)
Inventor
周玺
胡天航
Current Assignee
Xi'an Clover Cyber Technology Co ltd
Original Assignee
Xi'an Clover Cyber Technology Co ltd
Application filed by Xi'an Clover Cyber Technology Co ltd
Priority to CN202011325427.0A
Publication of CN112543186A
Application granted
Publication of CN112543186B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis

Abstract

The disclosure provides a network behavior detection method and device, a storage medium and electronic equipment, relates to network security technology, and can solve the problem that certain security risks exist in the prior art. The specific technical scheme is as follows: acquiring an access relation between nodes in a current network; judging whether a network attack behavior exists in the current network according to the access relation; and if so, sending prompt information to an administrator, wherein the prompt information is used for prompting the administrator that a network attack behavior exists in the current network. The method is used for detecting network attack behavior.

Description

Network behavior detection method and device, storage medium and electronic equipment
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a method and an apparatus for detecting network behavior, a storage medium, and an electronic device.
Background
In the prior art, a method based on data packet inspection is usually adopted to detect whether a network attack behavior occurs in a network. Specifically, the network detection device acquires a data packet in the network, performs deep inspection on the data packet, and judges according to a preset rule whether the data packet involves a network attack behavior.
However, with the prior art, if the data packet is encrypted, the network detection device cannot acquire the content of the data packet, and therefore cannot perform deep inspection on it or detect whether a network attack behavior exists. Moreover, the preset rule in the prior art is generated from published network security vulnerabilities; if a network security vulnerability has not been published (for example, a zero-day vulnerability), the prior art cannot detect the network attack behavior that exploits it, so a certain security risk exists.
Disclosure of Invention
The embodiment of the disclosure provides a network behavior detection method, a network behavior detection device, a storage medium and an electronic device, which can solve the problem of certain security risk existing in the prior art. The technical scheme is as follows:
according to a first aspect of the embodiments of the present disclosure, there is provided a network behavior detection method, including:
acquiring an access relation between nodes in a current network;
judging whether a network attack behavior exists in the current network according to the access relation;
and if so, sending prompt information to an administrator, wherein the prompt information is used for prompting the administrator that a network attack behavior exists in the current network.
The network behavior detection method provided by the embodiment of the disclosure acquires the access relationship between the nodes in the current network, judges whether a network attack behavior exists in the current network according to the access relationship, and if so, sends prompt information to an administrator, wherein the prompt information is used for prompting the administrator that a network attack behavior exists in the current network. Because the judgment is made from the access relationship between the nodes in the current network, whether a network attack behavior exists can still be determined when the data packets are encrypted.
In an embodiment, the determining whether a network attack behavior exists in the current network according to the access relationship includes:
inputting the access relation into a pre-trained graph neural network model to generate a feature graph of the current network, wherein the feature graph comprises at least one node set and a feature value interval of each node set in the at least one node set, each node set at least comprises one node, and the difference value of the feature values of every two nodes in the same node set is smaller than or equal to a preset difference value threshold;
determining a target characteristic value interval where a target node is located from the characteristic graph, wherein the target node is any one node in the network;
and if the target characteristic value interval where the target node is located is inconsistent with the preset characteristic value interval corresponding to the target node, determining that the network attack action exists in the current network and the target node is the node with the network attack action.
By inputting the access relation into a pre-trained graph neural network model, a feature graph of a current network can be accurately generated, a target feature value interval where a target node is located is determined from the feature graph, when the target feature value interval where the target node is located is inconsistent with a preset feature value interval corresponding to the target node, it is determined that a network attack behavior exists in the current network and the target node is a node where the network attack behavior occurs, the target node of the network attack behavior can be accurately determined, and the safety of the network is improved.
In one embodiment, before inputting the access relation into the pre-trained neural network model, the method further comprises:
inputting the access relation between nodes in the network within a preset time length into a pre-trained graph neural network model, and generating a reference characteristic graph of the current network, wherein the reference characteristic graph comprises at least one node set and a reference characteristic value interval of each node set in the at least one node set, each node set at least comprises one node, and the difference value of the reference characteristic values of every two nodes in the same node set is less than or equal to the preset difference value threshold;
determining a target reference characteristic value interval where the target node is located from the characteristic graph;
and taking the target reference characteristic value interval as the preset characteristic value interval corresponding to the target node.
By inputting the access relation between the nodes in the network within a preset time length into the pre-trained graph neural network model, the reference characteristic graph of the current network can be accurately generated. The target reference characteristic value interval where the target node is located is determined from the reference characteristic graph and taken as the preset characteristic value interval corresponding to the target node, so that the preset characteristic value interval is accurately determined. When the target characteristic value interval where the target node is located is then inconsistent with the preset characteristic value interval corresponding to the target node, it is determined that a network attack behavior exists in the current network and that the target node is the node where it occurs, so the target node of the network attack behavior can be accurately determined and the safety of the network is improved.
In one embodiment, the obtaining the current access relationship of the network includes:
acquiring the current mirrored traffic of the network;
and acquiring the access relation among all nodes in the current network from the mirrored traffic.
Because the access relation among the nodes in the current network is acquired from the current mirrored traffic of the network, the transmission of data in the actual traffic of the current network is not affected.
According to a second aspect of the embodiments of the present disclosure, there is provided a network behavior detection apparatus including:
the access relation acquisition module is used for acquiring the access relation among all nodes in the current network;
the network attack behavior determining module is used for judging whether a network attack behavior exists in the current network according to the access relation;
and the prompt information sending module is used for sending prompt information to an administrator if the network attack behavior exists, and the prompt information is used for prompting the administrator that the network attack behavior exists in the current network.
In one embodiment, the network attack behavior determination module is to:
inputting the access relation into a pre-trained graph neural network model to generate a feature graph of the current network, wherein the feature graph comprises at least one node set and a feature value interval of each node set in the at least one node set, each node set at least comprises one node, and the difference value of the feature values of every two nodes in the same node set is smaller than or equal to a preset difference value threshold;
determining a target characteristic value interval where a target node is located from the characteristic graph, wherein the target node is any one node in the network;
and if the target characteristic value interval where the target node is located is inconsistent with the preset characteristic value interval corresponding to the target node, determining that the network attack action exists in the current network and the target node is the node with the network attack action.
In one embodiment, the apparatus further comprises:
the reference characteristic diagram generating module is used for inputting the access relation among all nodes in the network within a preset time length into a pre-trained neural network model to generate a reference characteristic diagram of the current network, wherein the reference characteristic diagram comprises at least one node set and a reference characteristic value interval of each node set in the at least one node set, each node set at least comprises one node, and the characteristic values of all nodes in the same node set are in the same reference characteristic value interval;
a target reference characteristic value interval determining module, configured to determine, from the characteristic graph, a target reference characteristic value interval in which the target node is located;
and the preset characteristic value interval determining module is used for taking the target reference characteristic value interval as the preset characteristic value interval corresponding to the target node.
In one embodiment, the access relationship obtaining module is configured to:
acquiring the current mirrored traffic of the network;
and acquiring the access relation among all nodes in the current network from the mirrored traffic.
According to a third aspect of embodiments of the present disclosure, there is provided an electronic device, the electronic device comprising a processor and a memory, the memory having stored therein at least one computer instruction, the instruction being loaded and executed by the processor to implement the steps performed in the network behavior detection method of any one of the first aspects.
According to a fourth aspect of the embodiments of the present disclosure, there is provided a computer-readable storage medium, in which at least one computer instruction is stored, the instruction being loaded and executed by a processor to implement the steps performed in the network behavior detection method according to any one of the first aspect.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and, together with the description, serve to explain the principles of the disclosure.
Fig. 1 is a schematic structural diagram of a network behavior detection system provided in an embodiment of the present disclosure;
Fig. 2 is a flowchart of a network behavior detection method provided by an embodiment of the present disclosure;
Fig. 3 is a schematic diagram of a feature diagram of a current network provided by an embodiment of the present disclosure;
Fig. 4 is a schematic diagram of a reference feature map of a current network provided by an embodiment of the present disclosure;
Fig. 5 is a schematic structural diagram of a network behavior detection apparatus according to an embodiment of the present disclosure;
Fig. 6 is a schematic structural diagram of a network behavior detection apparatus according to an embodiment of the present disclosure;
Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. The following description refers to the accompanying drawings in which the same numbers in different drawings represent the same or similar elements unless otherwise indicated. The implementations described in the exemplary embodiments below do not represent all implementations consistent with the present disclosure. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present disclosure, as detailed in the appended claims.
Fig. 1 is a schematic structural diagram of a network behavior detection system according to an embodiment of the present disclosure. As shown in fig. 1, the system includes:
a network detection device 101, a switch 102, and at least one network device 103. Wherein, the network detection device 101 is connected with the switch 102, and the switch 102 is connected with at least one network device 103.
The network device may be a computer or other terminal device in a network, such as a mobile phone, and one network device in the network may be a node of the network. For example, as shown in fig. 1, six nodes A, B, C, D, E, and F in the network are all connected to the switch 102, and any one node in the network can communicate with other nodes through the switch. For example, when node A accesses node B, node A may send its own Internet Protocol (IP) address, the data packet transmission protocol, the IP address of node B, and the port number of node B to the switch, and the switch sends the data packet and the generated timestamp (access time) to the corresponding port of node B through the transmission protocol according to the IP address and port number of node B.
The network detection device 101 may obtain, from the switch 102, the access relationship between nodes, where the access relationship includes the IP address of the source node, the IP address of the node to be accessed, the port number of the node to be accessed, the data transmission protocol, the traffic of the transmitted data packets, and the access time, and then determine whether a network attack behavior exists in the network according to the access relationship between the nodes. If so, it sends prompt information to a network administrator so that the administrator can perform corresponding processing.
With reference to the embodiment of fig. 2, a flowchart of a network behavior detection method provided in the embodiment of the present disclosure is described below. As shown in fig. 2, the method includes:
S201, obtaining the access relation among all nodes in the current network.
Illustratively, the switch may mirror the current traffic of the network, generating the current mirrored traffic of the network. The network detection device acquires the current mirrored traffic of the network from the switch and acquires the access relation among all nodes in the current network from the mirrored traffic.
It should be noted here that the current traffic of the network is all of the data in the current network acquired by the switch. The switch may mirror the traffic. The switch may be a virtual switch built into the network detection device, or may be an actual switch; the specific implementation of the switch is not limited in this embodiment.
For example, the network detection device may obtain the current mirrored traffic of the network according to a preset access relation obtaining rule and obtain the access relation between nodes in the current network from the mirrored traffic. The preset access relation obtaining rule comprises an IP address of a source node, an IP address of a destination node, a port number of the destination node and a data transmission protocol. For example, when the IP address of the source node is the IP address of node A, the IP address of the node to be accessed is the IP address of node B, the port number of the node to be accessed is 80, and the data transmission protocol is TCP/IP, the network detection device may obtain all data packets sent from node A to port 80 of node B using the TCP/IP transmission protocol. For example, there are currently 5 data packets sent from node A to port 80 of node B using the Transmission Control Protocol (TCP)/IP transmission protocol, of 50 Kbit, 40 Kbit, 60 Kbit, 50 Kbit, and 60 Kbit, the current time period is 1 s, and the current timestamp is 15:47:56 on October 22, 2020; the traffic of the data packets sent from node A to port 80 of node B is then (50 Kbit + 40 Kbit + 60 Kbit + 50 Kbit)/1 s, that is, the traffic of the data packets currently sent by node A to port 80 of node B is 210 Kbit/s. The access relationship between node A and node B acquired by the network detection device is the IP address of node A, the IP address of node B, port number 80 of node B, the data transmission protocol TCP/IP, the traffic of the transmitted data packets 210 Kbit/s, and the access time 15:47:56 on October 22.
Similarly, the network detection device may also obtain access relationships between all other nodes in the current network, which is not described herein again. It should be noted here that after the network detection device obtains the access relationship, it may send a mirror traffic deletion instruction to the switch, so that the switch deletes the current mirror traffic of the network. All data in the actual traffic of the current network is sent by the switch, so the switch does not need to store the mirror traffic.
S202, judging whether a network attack behavior exists in the current network according to the access relation.
In this step, inputting the access relationship into a pre-trained graph neural network model, and generating a feature graph of the current network, where the feature graph includes at least one node set and a feature value interval of each node set in the at least one node set, where each node set includes at least one node, and a difference value between feature values of every two nodes in the same node set is less than or equal to a preset difference value threshold; determining a target characteristic value interval where a target node is located from the characteristic graph, wherein the target node is any one node in the network;
and if the target characteristic value interval of the target node is inconsistent with the preset characteristic value interval corresponding to the target node, determining that the network attack action exists in the current network and the target node is the node with the network attack action.
Fig. 3 is a schematic diagram of a feature diagram of a current network according to an embodiment of the present disclosure. As shown in fig. 3, there are 6 nodes in the network: A, B, C, D, E, and F. A and B belong to a first node set, and the first characteristic value interval where the first node set is located is a circle with center (1, 1) and radius 0.5. C and D belong to a second node set, and the second characteristic value interval where the second node set is located is a circle with center (3, 3) and radius 0.5. E and F belong to a third node set, and the third characteristic value interval where the third node set is located is a circle with center (6, 6) and radius 0.5. That is, the difference between the characteristic values of every two nodes in the same node set does not exceed 1.
Take node A as the target node. As shown in fig. 3, the target characteristic value interval where node A is located is a circle with center (1, 1) and radius 0.5, while the preset characteristic value interval corresponding to node A is a circle with center (3, 3) and radius 0.5. Because the target characteristic value interval where node A is located is not consistent with the preset characteristic value interval corresponding to node A, it is determined that a network attack behavior exists in the current network and that node A is the node where the network attack behavior occurs.
How to determine the preset feature value interval corresponding to the target node is described below.
Before obtaining the access relation among all nodes in the current network, inputting the access relation among all nodes in the network within a preset time length into a pre-trained graph neural network model to generate a reference characteristic graph of the current network, wherein the reference characteristic graph comprises at least one node set and a reference characteristic value interval of each node set in the at least one node set, each node set at least comprises one node, and the characteristic values of all nodes in the same node set are in the same reference characteristic value interval;
determining a target reference characteristic value interval where the target node is located from the characteristic graph;
and taking the target reference characteristic value interval as the preset characteristic value interval corresponding to the target node.
For example, the access relations among the nodes in the network during the 3 months preceding the current time can be input into the pre-trained graph neural network model to generate a reference feature graph of the current network. Fig. 4 is a schematic diagram of a reference characteristic diagram of a current network according to an embodiment of the present disclosure. As shown in fig. 4, B belongs to a first node set, and the first characteristic value interval where the first node set is located is a circle with center (1, 1) and radius 0.5. A, C and D belong to a second node set, and the second characteristic value interval where the second node set is located is a circle with center (3, 3) and radius 0.5. E and F belong to a second node set, and the second characteristic value interval where the second node set is located is a circle with center (6, 6) and radius 0.5. That is, the difference between the reference characteristic values of every two nodes in the same node set does not exceed 1.
As shown in fig. 4, the reference eigenvalue interval where the node a is located is a circle with a center of circle (3, 3) and a radius of 0.5, that is, the preset eigenvalue interval corresponding to the node a is a circle with a center of circle (3, 3) and a radius of 0.5.
It should be noted here that before generating the reference feature map of the current network, the neural network model of the current network may be trained by using a data set with known feature attributes. For example, the graph neural network model may be trained using a multi-dimensional dataset of known feature attributes. Each data in the data set is multidimensional data, and the data set comprises a plurality of data with similar characteristics and a part of data with larger characteristic difference with the plurality of data. The data set is adopted to train the model until a plurality of data with similar characteristics are distributed in the same characteristic value interval in the characteristic diagram of the obtained data set, and partial data with larger data characteristic difference do not belong to the characteristic value interval and are discrete points in the characteristic diagram.
S203, if so, sending prompt information to the administrator, wherein the prompt information is used for prompting the administrator that a network attack behavior exists in the current network.
In this step, if it is determined that a network attack behavior exists in the current network and the target node is the node where the network attack behavior occurs, prompt information is sent to the administrator. The prompt information includes identification information of the target node and is used to prompt the administrator that a network attack behavior exists at the target node in the current network, so that the network administrator can perform corresponding processing.
The network behavior detection method provided by the embodiment of the disclosure acquires the access relationship between the nodes in the current network, judges whether a network attack behavior exists in the current network according to the access relationship, and if so, sends prompt information to an administrator, wherein the prompt information is used for prompting the administrator that a network attack behavior exists in the current network. Because the judgment is made from the access relationship between the nodes in the current network, whether a network attack behavior exists can still be determined when the data packets are encrypted.
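The comparison in S202 and the prompt in S203, as an added example that is not code from the patent: the two dictionaries are constructed feature values standing in for the graph neural network's output and are laid out like Figs. 4 and 3. The greedy grouping, the centroid-based circle and the `consistent` test are assumptions, since the patent does not specify how intervals are derived or compared.

```python
import math
from typing import Dict, List, NamedTuple, Tuple

Point = Tuple[float, float]


class Interval(NamedTuple):
    """Feature value interval of one node set (a circle, as in Figs. 3 and 4)."""
    center: Point
    radius: float


# Constructed feature values (assumed GNN output), not data from the patent.
REFERENCE_VALUES: Dict[str, Point] = {   # baseline period, laid out like Fig. 4
    "A": (3.1, 2.9), "B": (1.0, 1.1), "C": (2.9, 3.0),
    "D": (3.0, 3.2), "E": (6.0, 5.9), "F": (6.1, 6.1),
}
CURRENT_VALUES: Dict[str, Point] = {     # current network, laid out like Fig. 3
    "A": (1.1, 0.9), "B": (0.9, 1.0), "C": (3.0, 2.9),
    "D": (3.0, 3.1), "E": (5.9, 6.0), "F": (6.1, 6.0),
}


def build_feature_map(values: Dict[str, Point],
                      diff_threshold: float) -> Dict[str, Interval]:
    """Group nodes so every two members of a set differ by <= diff_threshold,
    then map each node to the interval of its node set."""
    node_sets: List[List[str]] = []
    for node in sorted(values):                    # sorted: deterministic grouping
        for members in node_sets:
            if all(math.dist(values[node], values[m]) <= diff_threshold
                   for m in members):
                members.append(node)
                break
        else:                                      # fits no existing set
            node_sets.append([node])
    feature_map: Dict[str, Interval] = {}
    for members in node_sets:
        cx = sum(values[m][0] for m in members) / len(members)
        cy = sum(values[m][1] for m in members) / len(members)
        interval = Interval((cx, cy), diff_threshold / 2)
        for m in members:
            feature_map[m] = interval
    return feature_map


def consistent(current: Interval, preset: Interval) -> bool:
    """Assumed test: the current interval's center lies inside the preset circle."""
    return math.dist(current.center, preset.center) <= preset.radius


def detect(reference_values: Dict[str, Point],
           current_values: Dict[str, Point],
           diff_threshold: float = 1.0) -> Tuple[List[str], List[str]]:
    """Return (nodes whose interval moved, nodes with no preset interval)."""
    preset = build_feature_map(reference_values, diff_threshold)
    current = build_feature_map(current_values, diff_threshold)
    flagged, no_baseline = [], []
    for node in sorted(current):
        if node not in preset:
            no_baseline.append(node)   # new node: nothing to compare against yet
        elif not consistent(current[node], preset[node]):
            flagged.append(node)
    return flagged, no_baseline


def prompt_messages(flagged: List[str]) -> List[str]:
    """S203: one prompt per flagged node, carrying the node's identification."""
    return [f"Network attack behavior detected in the current network: node {n}"
            for n in flagged]


if __name__ == "__main__":
    hits, unknown = detect(REFERENCE_VALUES, CURRENT_VALUES)
    print("\n".join(prompt_messages(hits)) or "no findings", unknown)
```

Node B is not flagged even though node A joined its set, because B's interval stays inside its preset circle; a node that has no preset interval is reported separately rather than treated as an attack.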
Based on the network behavior detection method described in the corresponding embodiment above, the following is an apparatus embodiment of the present disclosure, which may be used to execute the method embodiment of the present disclosure. Fig. 5 is a schematic structural diagram of a network behavior detection apparatus according to an embodiment of the present disclosure. As shown in fig. 5, the apparatus 50 includes:
an access relationship obtaining module 501, configured to obtain an access relationship between nodes in a current network;
a network attack behavior determination module 502, configured to determine whether a network attack behavior exists in the current network according to the access relationship;
and a prompt information sending module 503, configured to send a prompt information to an administrator if the network attack behavior exists, where the prompt information is used to prompt the administrator that a network attack behavior exists in the current network.
In one embodiment, the network attack behavior determination module 502 is configured to:
inputting the access relation into a pre-trained graph neural network model to generate a feature graph of the current network, wherein the feature graph comprises at least one node set and a feature value interval of each node set in the at least one node set, each node set at least comprises one node, and the difference value of the feature values of every two nodes in the same node set is smaller than or equal to a preset difference value threshold;
determining a target characteristic value interval where a target node is located from the characteristic graph, wherein the target node is any one node in the network;
and if the target characteristic value interval of the target node is inconsistent with the preset characteristic value interval corresponding to the target node, determining that the network attack behavior exists in the current network and the target node is the node with the network attack behavior.
In one embodiment, as shown in fig. 6, the apparatus 50 further comprises:
a reference feature map generation module 504, configured to input the access relationship between nodes in the network within a preset time period into the pre-trained graph neural network model and generate a reference feature map of the current network, where the reference feature map includes at least one node set and a reference feature value interval for each node set in the at least one node set, each node set includes at least one node, and the difference between the reference feature values of any two nodes in the same node set is less than or equal to a preset difference threshold;
a target reference feature value interval determining module 505, configured to determine, from the feature map, the target reference feature value interval in which the target node is located;
a preset feature value interval determining module 506, configured to use the target reference feature value interval as the preset feature value interval corresponding to the target node.
In one embodiment, the access relationship obtaining module 501 is configured to:
acquiring mirrored traffic of the current network;
and acquiring the access relationship between the nodes in the current network from the mirrored traffic.
For the network behavior detection apparatus provided in the embodiment of the present disclosure, the implementation process and the technical effect thereof may refer to the embodiments corresponding to fig. 2 to fig. 4, which are not described herein again.
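The comparison carried out by modules 502 and 504 to 506, as an added example that is not part of the patent text: nodes are grouped into sets whose feature values differ by no more than a threshold, each node inherits its set's value interval, and a node is flagged when its current interval is inconsistent with its preset interval. Assumptions: `feature_values` is a hypothetical stand-in for the pre-trained graph neural network, "inconsistent" is read as "the two intervals do not overlap", and the access relationships are constructed sample data.

```python
from collections import defaultdict

# Constructed access relationships (source, destination); not data from the patent.
BASELINE = [("ws1", "web"), ("ws1", "mail"), ("ws2", "web"), ("ws2", "mail"),
            ("ws3", "web"), ("web", "db")]
CURRENT = BASELINE + [("ws3", "ws1"), ("ws3", "ws2"), ("ws3", "db"), ("ws3", "mail")]

def feature_values(edges):
    """Stand-in for the pre-trained graph neural network (assumption): out-degree
    plus half the mean out-degree of the nodes this node accesses."""
    succ, nodes = defaultdict(set), set()
    for src, dst in edges:
        succ[src].add(dst)
        nodes.update((src, dst))
    deg = {n: len(succ[n]) for n in nodes}
    return {n: deg[n] + (0.5 * sum(deg[m] for m in succ[n]) / deg[n] if deg[n] else 0.0)
            for n in nodes}

def feature_map(values, threshold):
    """Return {node: (low, high)}: the value interval of the node set each node
    falls in, where values inside one set differ pairwise by <= threshold."""
    ordered = sorted(values, key=lambda n: (values[n], n))
    intervals, start = {}, 0
    for i in range(1, len(ordered) + 1):
        # Close the current set at the end, or when the next value is too far
        # from the smallest value in the set (which bounds every pairwise gap).
        if i == len(ordered) or values[ordered[i]] - values[ordered[start]] > threshold:
            low, high = values[ordered[start]], values[ordered[i - 1]]
            for n in ordered[start:i]:
                intervals[n] = (low, high)
            start = i
    return intervals

def detect(baseline_edges, current_edges, threshold=0.5):
    """Flag nodes whose current interval does not overlap their preset interval."""
    preset = feature_map(feature_values(baseline_edges), threshold)
    current = feature_map(feature_values(current_edges), threshold)
    flagged = []
    for node, (low, high) in sorted(current.items()):
        if node not in preset:
            continue  # node unseen in the reference period: no preset interval
        p_low, p_high = preset[node]
        if high < p_low or low > p_high:
            flagged.append(node)
    return flagged

if __name__ == "__main__":
    print("nodes to report to the administrator:", detect(BASELINE, CURRENT))
```

With strict interval equality instead of overlap, `web` would also be flagged here, because its set shrinks from (1.0, 1.5) to (1.0, 1.0) once `ws3` leaves it even though `web` itself behaves the same.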
Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure, and as shown in fig. 7, the electronic device 70 includes:
a processor 701 and a memory 702, where the memory 702 stores at least one computer instruction, and the instruction is loaded and executed by the processor 701 to implement the steps performed in the network behavior detection method according to the embodiment corresponding to fig. 2 to 4.
Based on the network behavior detection method described in the embodiments corresponding to fig. 2 to fig. 4, the embodiments of the present disclosure further provide a computer-readable storage medium. For example, the non-transitory computer-readable storage medium may be a Read Only Memory (ROM), a Random Access Memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like. The storage medium stores computer instructions for executing the network behavior detection method described in the embodiments corresponding to fig. 2 to fig. 4, which are not described herein again.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice in the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.

Claims (8)

1. A network behavior detection method is characterized by comprising the following steps:
acquiring an access relationship between nodes in a current network;
judging whether a network attack behavior exists in the current network according to the access relationship;
if so, sending prompt information to an administrator, wherein the prompt information is used for informing the administrator that a network attack behavior exists in the current network;
the judging whether a network attack behavior exists in the current network according to the access relationship comprises the following steps:
inputting the access relationship into a pre-trained graph neural network model to generate a feature map of the current network, wherein the feature map comprises at least one node set and a feature value interval for each node set in the at least one node set, each node set comprises at least one node, and the difference between the feature values of any two nodes in the same node set is less than or equal to a preset difference threshold;
determining, from the feature map, the target feature value interval in which a target node is located, wherein the target node is any node in the network;
and if the target feature value interval in which the target node is located is inconsistent with the preset feature value interval corresponding to the target node, determining that a network attack behavior exists in the current network and that the target node is the node exhibiting the network attack behavior.
2. The method of claim 1, wherein before inputting the access relationship into the pre-trained graph neural network model, the method further comprises:
inputting the access relationship between nodes in the network within a preset time period into the pre-trained graph neural network model, and generating a reference feature map of the current network, wherein the reference feature map comprises at least one node set and a reference feature value interval for each node set in the at least one node set, each node set comprises at least one node, and the difference between the reference feature values of any two nodes in the same node set is less than or equal to the preset difference threshold;
determining, from the feature map, the target reference feature value interval in which the target node is located;
and taking the target reference feature value interval as the preset feature value interval corresponding to the target node.
3. The method of claim 1, wherein acquiring the access relationship between nodes in the current network comprises:
acquiring mirrored traffic of the current network;
and acquiring the access relationship between the nodes in the current network from the mirrored traffic.
4. A network behavior detection device, comprising:
an access relationship obtaining module, configured to acquire the access relationship between nodes in the current network;
a network attack behavior determination module, configured to judge whether a network attack behavior exists in the current network according to the access relationship;
a prompt information sending module, configured to send prompt information to an administrator if a network attack behavior exists in the current network, wherein the prompt information is used for informing the administrator that a network attack behavior exists in the current network;
wherein the network attack behavior determination module is configured for:
inputting the access relationship into a pre-trained graph neural network model to generate a feature map of the current network, wherein the feature map comprises at least one node set and a feature value interval for each node set in the at least one node set, each node set comprises at least one node, and the difference between the feature values of any two nodes in the same node set is less than or equal to a preset difference threshold;
determining, from the feature map, the target feature value interval in which a target node is located, wherein the target node is any node in the network;
and if the target feature value interval of the target node is inconsistent with the preset feature value interval corresponding to the target node, determining that a network attack behavior exists in the current network and that the target node is the node exhibiting the network attack behavior.
5. The apparatus of claim 4, further comprising:
a reference feature map generation module, configured to input the access relationship between nodes in the network within a preset time period into the pre-trained graph neural network model and generate a reference feature map of the current network, wherein the reference feature map comprises at least one node set and a reference feature value interval for each node set in the at least one node set, each node set comprises at least one node, and the difference between the reference feature values of any two nodes in the same node set is less than or equal to the preset difference threshold;
a target reference feature value interval determining module, configured to determine, from the feature map, the target reference feature value interval in which the target node is located;
and a preset feature value interval determining module, configured to take the target reference feature value interval as the preset feature value interval corresponding to the target node.
6. The apparatus of claim 4, wherein the access relationship obtaining module is configured to:
acquiring mirrored traffic of the current network;
and acquiring the access relationship between the nodes in the current network from the mirrored traffic.
7. An electronic device, comprising a processor and a memory, wherein at least one computer instruction is stored in the memory, and the instruction is loaded and executed by the processor to implement the steps performed in the network behavior detection method according to any one of claims 1 to 3.
8. A computer-readable storage medium, having stored therein at least one computer instruction, which is loaded and executed by a processor to implement the steps performed in the network behavior detection method of any one of claims 1 to 3.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011325427.0A CN112543186B (en) 2020-11-23 2020-11-23 Network behavior detection method and device, storage medium and electronic equipment

Publications (2)

Publication Number Publication Date
CN112543186A (en) 2021-03-23
CN112543186B (en) 2023-02-14

Family

ID=75014665

Country Status (1)

Country Link
CN (1) CN112543186B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant