CN112953918A - Network attack protection method combined with big data server and big data protection equipment

Info

Publication number
CN112953918A
CN112953918A (application CN202110129964.6A)
Authority
CN
China
Prior art keywords
attack
behavior
tested
network
information
Prior art date
Legal status
Withdrawn
Application number
CN202110129964.6A
Other languages
Chinese (zh)
Inventor
李阳
Current Assignee
Individual
Original Assignee
Individual
Priority date
Filing date
Publication date
Application filed by Individual
Priority to CN202110129964.6A
Publication of CN112953918A
Current legal status: Withdrawn

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The method is an update and upgrade method for a network attack protection strategy; that is, the update and upgrade is carried out before the defense action against an actual network attack is executed. The update indication information for the linkage protection index of the network attack recognition model can be obtained by the network attack detection model through self-adaptive training and learning. Compared with setting the update indication of the linkage protection index based on human experience, as in the related art, the update indication of the linkage protection index in this embodiment reduces the dependence on human experience, thereby adding a way of determining the update indication of the linkage protection index, improving the real-time property and service matching property of the update indication, helping to improve the network attack defense capability of the network attack protection strategy, and avoiding the loss of significant data caused by related network equipment being attacked by hackers because the update and upgrade of the network attack protection strategy was not in place.

Description

Network attack protection method combined with big data server and big data protection equipment
Technical Field
The present application relates to the field of big data and network attack protection technologies, and in particular, to a network attack protection method and a big data protection device that combine a big data server.
Background
Network attacks (also known as cyber attacks) refer to any type of offensive action directed at a computer information system, infrastructure, computer network, or personal computer device. For computers and computer networks, destroying, revealing, modifying or disabling software or services, or stealing or accessing data from any computer without authorization, is considered an attack.
Network attacks can generally be classified into active attacks and passive attacks. An active attack is an attack mode (such as tampering, counterfeiting, denial of service, and the like) that modifies the messages of the attack target or prevents users from using a resource. A passive attack is an attack mode (such as eavesdropping and traffic analysis) in which the attacker does not modify any data, but intercepts or eavesdrops on the information or related data of a user without that user's consent or authorization.
At present, with the rapid development of big data, most services are carried out in the cloud and big data servers bear more pressure. Network attacks are a non-negligible threat to data security in a big data server: in mild cases a user's private information is leaked, and in serious cases great economic loss and severe consequences follow. Therefore, how to protect against network attacks is important for all kinds of servers in the big data era.
Generally, related network attack protection technologies are implemented based on a network protection model or a firewall. However, network attack types keep changing, so to maintain the effectiveness of network attack protection the network protection model or firewall needs to be upgraded and updated from time to time, and the related update methods still have defects.
Disclosure of Invention
One of the embodiments of the present application provides a network attack protection method combined with a big data server, including: acquiring attack behavior data to be tested and real-time attack intention information corresponding to the attack behavior data to be tested, wherein the real-time attack intention information corresponding to the attack behavior data to be tested comprises real-time attack type information of each attack behavior event in the attack behavior data to be tested; and performing network attack detection on the attack behavior data to be tested and the real-time attack intention information corresponding to the attack behavior data to be tested based on a network attack identification model in the network attack protection strategy to be updated and upgraded to obtain a network attack detection result, and updating and upgrading the network attack protection strategy based on the network attack detection result. By the design, the dependence on manual experience can be reduced when the network attack protection strategy is updated and upgraded, so that the network attack defense capability of the updated and upgraded network attack protection strategy is improved.
Preferably, performing the network attack detection on the attack behavior data to be tested and the real-time attack intention information corresponding to the attack behavior data to be tested based on a network attack recognition model in the network attack protection policy to be updated and upgraded to obtain a network attack detection result, and updating and upgrading the network attack protection policy based on the network attack detection result, includes: inputting the attack behavior data to be tested into a network attack identification model in the network attack protection strategy to be updated and upgraded, and performing behavior identification on the attack behavior data to be tested through a behavior identification unit of the network attack identification model to obtain a target behavior identification result of the attack behavior data to be tested; determining potential attack intention information corresponding to the attack behavior data to be tested based on the target behavior identification result through an attack intention analysis unit of the network attack identification model, wherein the potential attack intention information corresponding to the attack behavior data to be tested comprises potential attack type information of each attack behavior event in the attack behavior data to be tested; determining, by a network attack detection model in the network attack protection policy to be updated and upgraded, based on the real-time attack intention information and the potential attack intention information of the attack behavior data to be tested, a first network attack detection result that the potential attack intention information belongs to effective attack intention information of the attack behavior data to be tested and a second network attack detection result that the real-time attack intention information belongs to effective attack intention information of the attack behavior data to be tested; and updating the linkage protection index of the network attack protection strategy based on the first network attack detection result and the second network attack detection result to obtain the upgraded network attack protection strategy. By this design, the update indication information of the linkage protection index for updating the network attack identification model can be obtained by the network attack detection model through self-adaptive training and learning. Compared with setting the update indication of the linkage protection index based on manual experience, as in the related art, the update indication of the linkage protection index in this embodiment reduces the dependence on manual experience, so that a way of determining the update indication of the linkage protection index is added, the real-time performance and the service matching performance of the update indication are improved, the network attack defense capability of the network attack protection strategy is improved, and important data loss caused by hacker attacks on related network equipment due to the network attack protection strategy not being updated and upgraded properly is avoided.
Preferably, performing behavior recognition on the attack behavior data to be tested through the behavior recognition unit of the network attack recognition model to obtain a target behavior recognition result of the attack behavior data to be tested includes: performing behavior recognition on the attack behavior data to be tested through the behavior recognition unit of the network attack recognition model to obtain behavior recognition results at a plurality of behavior recognition degrees for the attack behavior data to be tested, and associating the behavior recognition results at the plurality of behavior recognition degrees to obtain the target behavior recognition result of the attack behavior data to be tested. By this design, the integrity of the target behavior recognition result can be ensured.
Preferably, the behavior identification unit comprises a behavior association layer and at least two behavior identification layers which are sequentially connected. Performing behavior recognition on the attack behavior data to be tested through the behavior recognition unit of the network attack recognition model to obtain behavior recognition results at a plurality of behavior recognition degrees, and associating those results to obtain the target behavior recognition result, includes: performing behavior recognition on the attack behavior data to be tested through the sequentially connected behavior recognition layers to obtain behavior recognition results of different behavior recognition degrees output by different behavior recognition layers; and, through the behavior association layers, associating the behavior identification results of different behavior identification degrees in order from the last behavior identification layer to the initial behavior identification layer to obtain the target behavior identification result of the attack behavior data to be tested, wherein the number of behavior association layers is one less than the number of behavior identification layers. Associating the behavior recognition results of different behavior recognition degrees through the behavior association layers in order from the last behavior recognition layer to the initial behavior recognition layer to obtain the target behavior recognition result includes: performing behavior recognition degree correction on the behavior recognition result input to the current behavior association layer to obtain a corrected behavior recognition result, wherein the corrected behavior recognition result has the same behavior recognition degree as the result recognized by the bottommost behavior recognition layer among the behavior recognition results that have not yet participated in the association processing; if the current behavior association layer is the last behavior association layer, the behavior recognition result input to the current association layer is the behavior recognition result recognized by the last behavior recognition layer; and, through the current behavior association layer, associating the corrected behavior recognition result with the behavior recognition result recognized by the bottommost behavior recognition layer among the results not yet participating in the association processing, and inputting the associated behavior recognition result to the previous behavior association layer, wherein if the current behavior association layer is the initial behavior association layer, the associated behavior recognition result obtained by the current behavior association layer is the target behavior recognition result. By this design, the time-sequence continuity and integrity of the target behavior recognition result can be ensured.
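The layered recognition-and-association structure described above, as an added worked example that is not the patent's own code: K recognition layers each produce a result at a coarser recognition degree, and K-1 association layers walk back from the last layer to the initial one, correcting the degree and merging with the next finer result. The assumptions are mine, not the page's: the attack behaviour data is a per-event sequence of suspicion scores, a recognition layer halves the time resolution by averaging adjacent events, degree correction is nearest-neighbour upsampling, and association is element-wise addition.

```python
"""Added example (not the patent's code): a behaviour recognition unit with K
recognition layers and K-1 association layers.

Assumed representation (not from the page): attack behaviour data is a list of
per-event suspicion scores; each recognition layer averages adjacent events, so a
later layer has a coarser 'recognition degree' (shorter list)."""
from typing import List, Tuple


def recognition_layers(events: List[float], num_layers: int) -> List[List[float]]:
    """Run the sequentially connected recognition layers.
    Returns one result per layer, from the initial (finest) to the last (coarsest)."""
    if num_layers < 1:
        raise ValueError("at least one recognition layer is required")
    results = []
    current = list(events)
    for _ in range(num_layers):
        pooled = [(current[i] + current[i + 1]) / 2 for i in range(0, len(current) - 1, 2)]
        if len(current) % 2:          # odd tail: carry the last event through unchanged
            pooled.append(current[-1])
        results.append(pooled)
        current = pooled
    return results


def correct_degree(result: List[float], target_len: int) -> List[float]:
    """Recognition-degree correction: resample a coarse result to the finer degree
    of the bottommost layer not yet associated (nearest-neighbour upsampling)."""
    return [result[j * len(result) // target_len] for j in range(target_len)]


def association_layers(layer_results: List[List[float]]) -> Tuple[List[float], int]:
    """Associate results from the last recognition layer back to the initial one.
    Returns the target recognition result and the number of association layers used,
    which is always one fewer than the number of recognition layers."""
    current = layer_results[-1]                  # input of the last association layer
    used = 0
    for lower in reversed(layer_results[:-1]):   # bottommost not-yet-associated result
        corrected = correct_degree(current, len(lower))
        current = [c + r for c, r in zip(corrected, lower)]  # association step
        used += 1
    return current, used


def behaviour_recognition_unit(events: List[float], num_layers: int) -> Tuple[List[float], int]:
    """Whole unit: recognition layers followed by the association layers."""
    return association_layers(recognition_layers(events, num_layers))


if __name__ == "__main__":
    sample = [1.0, 3.0, 2.0, 6.0]   # constructed per-event suspicion scores
    print(behaviour_recognition_unit(sample, 3))   # ([8.0, 10.0], 2)
```

The returned count makes the K-1 relationship checkable directly; with a single recognition layer no association layer runs and the target result is simply that layer's output.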
Preferably, acquiring the attack behavior data to be tested and the real-time attack intention information corresponding to the attack behavior data to be tested includes: acquiring initial attack behavior data to be tested for the network attack protection strategy to be updated and upgraded, wherein a behavior profile of the initial attack behavior data to be tested comprises initial real-time attack intention information of the initial attack behavior data to be tested, and the initial real-time attack intention information comprises real-time attack type information of each attack behavior event in the initial attack behavior data to be tested; extracting at least one group of attack behavior data of a preset data volume from the initial attack behavior data to be tested, and taking the extracted attack behavior data as the attack behavior data to be tested for the network attack protection strategy to be updated and upgraded; and acquiring the real-time attack intention information of the attack behavior data to be tested from the initial real-time attack intention information of the initial attack behavior data to be tested, based on the data distribution information of the attack behavior data to be tested within the corresponding initial attack behavior data to be tested. By this design, the real-time attack intention information can be determined based on the preset data volume, so that it can be determined accurately and reliably.
Preferably, the real-time attack intention information is record information of a real-time attack intention tendency, and the potential attack intention information is record information of a potential attack intention tendency. Determining, by the network attack detection model in the network attack protection policy to be updated and upgraded, based on the real-time attack intention information and the potential attack intention information of the attack behavior data to be tested, a first network attack detection result that the potential attack intention information belongs to effective attack intention information of the attack behavior data to be tested and a second network attack detection result that the real-time attack intention information belongs to effective attack intention information of the attack behavior data to be tested, includes: combining the attack behavior data to be tested with the corresponding record information of the real-time attack intention tendency to obtain combined record information of the real-time attack intention tendency, and combining the attack behavior data to be tested with the corresponding record information of the potential attack intention tendency to obtain combined record information of the potential attack intention tendency; acquiring first attack behavior data behavior information from the combined record information of the potential attack intention tendency through a behavior information acquisition unit of the network attack detection model; determining, by an intention tendency detection unit of the network attack detection model, based on behavior interaction features corresponding to the first attack behavior data behavior information, a first network attack detection result that the record information of the potential attack intention tendency corresponding to the combined record information of the potential attack intention tendency belongs to effective attack intention detection data of the attack behavior data to be tested; acquiring second attack behavior data behavior information from the combined record information of the real-time attack intention tendency through the behavior information acquisition unit of the network attack detection model; and determining, by the intention tendency detection unit of the network attack detection model, based on the second attack behavior data behavior information, a second network attack detection result that the record information of the real-time attack intention tendency corresponding to the combined record information of the real-time attack intention tendency belongs to effective attack intention detection data of the attack behavior data to be tested. By this design, the attack intention tendency can be analyzed in depth by the intention tendency detection unit, so that the credibility of the different network attack detection results is ensured.
Preferably, updating the linkage protection index of the network attack protection policy based on the first network attack detection result and the second network attack detection result to obtain the updated network attack protection policy includes: determining error information of a first attack intention analysis of the network attack identification model based on the first network attack detection result; determining error information of a second attack intention analysis of the network attack recognition model based on a differential comparison result between the potential attack type information and the real-time attack type information of the same attack behavior event in the real-time attack intention information and the potential attack intention information of the attack behavior data to be tested; updating the linkage protection index of the network attack recognition model based on the error information of the first attack intention analysis and the error information of the second attack intention analysis to obtain the upgraded network attack recognition model; determining error information of the intention tendency judgment of the network attack detection model based on the first network attack detection result and the second network attack detection result; and updating the linkage protection index of the network attack detection model based on the error information of the intention tendency judgment. The potential attack type information comprises a potential attack type and a potential network attack detection result corresponding to the potential attack type. Determining the error information of the second attack intention analysis of the network attack recognition model according to the differential comparison result between the potential attack type information and the real-time attack type information of the same attack behavior event comprises: determining, based on the real-time attack intention information and the potential attack intention information of the attack behavior data to be tested, the real-time attack type of each attack behavior event in the attack behavior data to be tested and the potential network attack detection result that the potential attack intention information assigns to that attack behavior event under the corresponding real-time attack type; and determining the error information of the second attack intention analysis of the network attack recognition model based on the real-time attack type of each attack behavior event of the attack behavior data to be tested and the potential network attack detection result under that real-time attack type. By this design, the real-time performance and the service matching performance of the update indication of the linkage protection index can be improved, the network attack defense capacity of the network attack protection strategy can be improved, and important data loss caused by hacker attacks on related network equipment due to the network attack protection strategy not being updated and upgraded in place is avoided.
Preferably, the number of description dimensions of the attack behavior data in the real-time attack intention tendency record information and in the potential attack intention tendency record information is the same. The independent attack behavior data on each description dimension of the real-time attack intention tendency record information comprises: whether each attack behavior event of the attack behavior data to be tested is of the real-time attack type corresponding to that description dimension. The independent attack behavior data on each description dimension of the potential attack intention tendency record information comprises: the potential network attack detection result of each attack behavior event of the attack behavior data to be tested for the potential attack type corresponding to that description dimension. Combining the attack behavior data to be tested with the corresponding real-time attack intention tendency record information to obtain the combined real-time attack intention tendency record information, and combining the attack behavior data to be tested with the corresponding potential attack intention tendency record information to obtain the combined potential attack intention tendency record information, comprises: taking the attack behavior data to be tested and the independent attack behavior data on each description dimension of the real-time attack intention tendency record information as the independent attack behavior data on each description dimension of the combined real-time attack intention tendency record information, and combining the attack behavior data to be tested with the real-time attack intention tendency record information on each description dimension to obtain the combined real-time attack intention tendency record information; and combining the attack behavior data to be tested with the potential attack intention tendency record information to obtain the combined potential attack intention tendency record information. By this design, the combined record information of the potential attack intention tendency is not lost, so that a complete and reliable analysis basis is provided for the subsequent strategy update.
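The detection results, combination processing and error terms described in the preceding paragraphs (the first and second network attack detection results, the per-dimension record information, and the error information that drives the linkage protection index update), as an added worked example that is not the patent's code. Everything concrete is my assumption: three attack-type description dimensions, two normalised behaviour features per event, constructed events and potential scores, and hand-set per-type feature templates standing in for the trained intention tendency detection unit. The error terms are the usual cross-entropy forms: the second error scores the potential record on the event's real-time type, the first error and the detection model error form the accept/reject pair between real-time and potential records, and the update indication is the summed negative cross-entropy gradient (target minus score).

```python
"""Added example (not the patent's code): combination processing of per-event
intention records, the two detection results, and the error information used to
update the 'linkage protection index'. All data, dimensions and the feature
templates below are constructed assumptions, not values from the page."""
import math
from typing import Dict, List, Tuple

ATTACK_TYPES = ["scan", "bruteforce", "dos"]   # description dimensions (constructed)
N_FEATURES = 2                                 # per-event [volume, rate], normalised to [0, 1]

# Constructed attack behaviour data under test: one record per attack behaviour event,
# each carrying its real-time attack type (the label side of the intention information).
EVENTS = [
    {"id": 1, "features": [0.2, 0.9], "real_time_type": "scan"},
    {"id": 2, "features": [0.7, 0.1], "real_time_type": "bruteforce"},
    {"id": 3, "features": [0.8, 0.5], "real_time_type": "dos"},
]

# Potential attack intention information: per event, the recognition model's score per
# attack type (constructed; each row sums to 1 like a softmax output).
POTENTIAL: Dict[int, List[float]] = {1: [0.8, 0.1, 0.1], 2: [0.3, 0.5, 0.2], 3: [0.25, 0.25, 0.5]}

# Hand-set feature template per type: the stand-in "linkage protection index" of the
# detection model (a trained model would learn these).
DETECTION_INDEX = {"scan": [0.0, 1.0], "bruteforce": [1.0, 0.0], "dos": [0.6, 0.6]}


def real_time_record(event: Dict) -> List[float]:
    """Per dimension: whether the event's real-time type is that type (one-hot)."""
    return [1.0 if t == event["real_time_type"] else 0.0 for t in ATTACK_TYPES]


def potential_record(event: Dict) -> List[float]:
    """Per dimension: potential detection result for the type of that dimension."""
    return list(POTENTIAL[event["id"]])


def combine(event: Dict, record: List[float]) -> List[float]:
    """Combination processing: event behaviour data joined with the per-dimension record."""
    return list(event["features"]) + list(record)


def acquire_behaviour_information(combined: List[float]) -> Tuple[List[float], List[float]]:
    """Behaviour information acquisition unit: split a combined record into its parts."""
    return combined[:N_FEATURES], combined[N_FEATURES:]


def intention_tendency_detection(combined: List[float], index=DETECTION_INDEX) -> float:
    """Probability that the intention record in `combined` is effective for the event:
    agreement between the record's type mix and the feature templates, clamped to (0, 1)."""
    features, record = acquire_behaviour_information(combined)
    consistency = sum(w * sum(f * t for f, t in zip(features, index[name]))
                      for name, w in zip(ATTACK_TYPES, record))
    return min(0.95, max(0.05, consistency))


def detect(events: List[Dict]) -> Tuple[List[float], List[float]]:
    """First result (potential record effective?) and second result (real-time record
    effective?) for every event."""
    first = [intention_tendency_detection(combine(e, potential_record(e))) for e in events]
    second = [intention_tendency_detection(combine(e, real_time_record(e))) for e in events]
    return first, second


def first_intention_error(first: List[float]) -> float:
    """Recognition model error from the first result: it wants its potential intention
    accepted as effective by the detection model."""
    return sum(-math.log(d) for d in first) / len(first)


def second_intention_error(events: List[Dict]) -> float:
    """Recognition model error from the differential comparison: the potential detection
    result assigned to each event's real-time type (cross-entropy)."""
    total = 0.0
    for e in events:
        total -= math.log(potential_record(e)[ATTACK_TYPES.index(e["real_time_type"])])
    return total / len(events)


def detection_model_error(first: List[float], second: List[float]) -> float:
    """Detection model error from both results: accept real-time records, reject potential
    ones (binary cross-entropy)."""
    return sum(-math.log(d2) - math.log(1.0 - d1) for d1, d2 in zip(first, second)) / len(first)


def recognition_update_indication(events: List[Dict], lr: float = 1.0) -> List[float]:
    """Update indication for the recognition model's per-type index: summed negative
    cross-entropy gradient (target minus score) so scores move toward real-time types."""
    delta = [0.0] * len(ATTACK_TYPES)
    for e in events:
        for k, (t, s) in enumerate(zip(real_time_record(e), potential_record(e))):
            delta[k] += lr * (t - s)
    return delta


if __name__ == "__main__":
    f, s = detect(EVENTS)
    print("first results:", f, "second results:", s)
    print("errors:", first_intention_error(f), second_intention_error(EVENTS), detection_model_error(f, s))
    print("update indication:", recognition_update_indication(EVENTS))
```

The clamp keeps every detection output strictly inside (0, 1) so none of the logarithms blow up, and the real-time (one-hot) records score higher than the potential ones on every constructed event, which is the direction the detection model error rewards.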
One of the embodiments of the present application provides a big data protection device, which includes a processing engine, a network module, and a memory; the processing engine and the memory communicate through the network module, and the processing engine reads the computer program from the memory and operates to perform the above-described method.
One of the embodiments of the present application provides a computer storage medium on which a computer program is stored, which when executed implements the method described above.
By adopting the embodiment of the application, the attack behavior data to be tested and the real-time attack intention information corresponding to the attack behavior data to be tested can be obtained, wherein the real-time attack intention information corresponding to the attack behavior data to be tested comprises the real-time attack type information of each attack behavior event in the attack behavior data to be tested; the attack behavior data to be tested is input into a network attack identification model in the network attack protection strategy to be updated and upgraded, and behavior identification is performed on the attack behavior data to be tested through a behavior identification unit of the network attack identification model to obtain a target behavior identification result of the attack behavior data to be tested; potential attack intention information corresponding to the attack behavior data to be tested is determined based on the target behavior identification result through an attack intention analysis unit of the network attack identification model, wherein the potential attack intention information corresponding to the attack behavior data to be tested comprises potential attack type information of each attack behavior event in the attack behavior data to be tested; a first network attack detection result that the potential attack intention information is effective attack intention information of the attack behavior data to be tested and a second network attack detection result that the real-time attack intention information is effective attack intention information of the attack behavior data to be tested are determined by a network attack detection model in the network attack protection strategy to be updated and upgraded, based on the real-time attack intention information and the potential attack intention information of the attack behavior data to be tested; and the linkage protection index of the network attack protection strategy is updated based on the first network attack detection result and the second network attack detection result to obtain the updated network attack protection strategy. The update indication information of the linkage protection index for updating the network attack recognition model in this embodiment can be obtained by the network attack detection model through self-adaptive training and learning. Compared with setting the update indication of the linkage protection index based on manual experience, as in the related art, the update indication of the linkage protection index in this embodiment reduces the dependence on manual experience; therefore, a way of determining the update indication of the linkage protection index is added, the real-time performance and the service matching performance of the update indication are improved, the network attack defense capability of the network attack protection strategy is improved, and important data loss caused by hacker attacks on related network equipment due to the network attack protection strategy not being updated in place is avoided.
In the description that follows, additional features will be set forth, in part, in the description. These features will be in part apparent to those skilled in the art upon examination of the following and the accompanying drawings, or may be learned by production or use. The features of the present application may be realized and attained by practice or use of various aspects of the methodologies, instrumentalities and combinations particularly pointed out in the detailed examples that follow.
Drawings
The present application will be further explained by way of exemplary embodiments, which will be described in detail by way of the accompanying drawings. These embodiments are not intended to be limiting, and in these embodiments like numerals are used to indicate like structures, wherein:
FIG. 1 is a block diagram illustrating an exemplary network attack prevention system incorporating a big data server, in accordance with some embodiments of the present invention;
FIG. 2 is a flowchart illustrating one example method and/or process for network attack protection in conjunction with a big data server, according to some embodiments of the present invention;
FIG. 3 is another flow diagram of an exemplary network attack protection method and/or process in conjunction with a big data server, according to some embodiments of the invention; and
FIG. 4 is a diagram illustrating the hardware and software components of an exemplary big data protection device, according to some embodiments of the present invention.
Detailed Description
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings used in the description of the embodiments are briefly introduced below. It is obvious that the drawings in the following description are only examples or embodiments of the application; on the basis of these drawings, a person skilled in the art can also apply the application to other similar scenarios without inventive effort. Unless otherwise apparent from the context, or otherwise indicated, like reference numbers in the figures refer to the same structure or operation.
It should be understood that "system", "device", "unit" and/or "module" as used herein are terms for distinguishing different components, elements, parts, portions or assemblies at different levels. However, these words may be replaced by other expressions that accomplish the same purpose.
As used in this application and the appended claims, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly dictates otherwise. In general, the terms "comprises" and "comprising" merely indicate that the explicitly identified steps and elements are included; these steps and elements do not form an exclusive list, and a method or apparatus may include other steps or elements.
Flow charts are used herein to illustrate operations performed by systems according to embodiments of the present application. It should be understood that the preceding or following operations are not necessarily performed in the exact order shown. Rather, the various steps may be processed in reverse order or simultaneously. Meanwhile, other operations may be added to the processes, or one or several steps may be removed from the processes.
Referring to fig. 1, the network attack prevention system combined with a big data server provided in this embodiment may include a data service terminal 10, a big data prevention device 20, and the like.
The big data protection device 20 may be configured to obtain attack behavior data to be tested and real-time attack intention information corresponding to the attack behavior data to be tested, where the real-time attack intention information corresponding to the attack behavior data to be tested includes real-time attack type information of each attack behavior event in the attack behavior data to be tested; inputting the attack behavior data to be tested into a network attack identification model in a network attack protection strategy to be updated and upgraded, and performing behavior identification on the attack behavior data to be tested through a behavior identification unit of the network attack identification model to obtain a target behavior identification result of the attack behavior data to be tested; determining potential attack intention information corresponding to the attack behavior data to be tested based on the target behavior identification result through an attack intention analysis unit of the network attack identification model, wherein the potential attack intention information corresponding to the attack behavior data to be tested comprises potential attack type information of each attack behavior event in the attack behavior data to be tested; determining, by a network attack detection model in the network attack protection policy to be updated and upgraded, a first network attack detection result that the potential attack intention information belongs to effective attack intention information of the attack behavior data to be tested and a second network attack detection result that the real-time attack intention information belongs to effective attack intention information of the attack behavior data to be tested based on real-time attack intention information and potential attack intention information of the attack behavior data to be tested; updating the linkage protection index of the network attack protection strategy based on the first network attack detection result and the second network attack detection result to obtain the upgraded network attack protection strategy.
The network attack identification model in the updated network attack protection strategy can be deployed in a required server or terminal, for example, in the big data protection device 20.
The data service terminal 10 may be configured to obtain target attack behavior data to be analyzed, and send the target attack behavior data to the big data protection device 20.
The big data protection device 20 can be used for inputting target attack behavior data into the network attack recognition model which completes upgrading; performing behavior recognition on the target attack behavior data through a behavior recognition unit of the network attack recognition model to obtain a target behavior recognition result of the target attack behavior data; and determining potential attack intention information corresponding to the target attack behavior data based on the target behavior identification result through an attack intention analysis unit of the network attack identification model, wherein the potential attack intention information corresponding to the target attack behavior data comprises potential attack type information of each attack behavior event in the target attack behavior data.
These are described in detail below. It should be noted that the following description of the embodiments is not intended to limit the preferred order of the embodiments.
The embodiment of the present invention will be described from the perspective of a network attack prevention device combined with a big data server, which may be specifically integrated in a terminal or a server, for example, in the form of an application program.
The network attack protection method combined with the big data server provided by the embodiment of the invention can be executed by a processor of a terminal or a server (big data protection device).
As shown in fig. 2, the network attack protection method combined with a big data server may include:
101. inputting target attack behavior data into the upgraded network attack recognition model;
102. the behavior identification unit based on the network attack identification model performs behavior identification on the target attack behavior data to obtain a target behavior identification result of the target attack behavior data;
103. determining potential attack intention information corresponding to the target attack behavior data based on the target behavior identification result through an attack intention analysis unit of the network attack identification model, wherein the potential attack intention information corresponding to the target attack behavior data comprises potential attack type information of each attack behavior event in the target attack behavior data.
It can be understood that after the potential attack intention information is obtained, the related data can be transferred or encrypted based on the potential attack intention information, the related service request can be intercepted according to the potential attack intention information, and the authority of the related data access interface can be updated according to the potential attack intention information, so that the effective protection against network attack can be realized, and the data security can be ensured.
The network attack recognition model of the embodiment is a network which can be used for analyzing the attack intention of the attack behavior data, and the model structure of the network attack recognition model has no limitation in the embodiment, that is, the network attack recognition model can be constructed based on any network model which can be used for analyzing the attack intention in the related art.
In one example, the target attack behavior data may be obtained from data service interaction behaviors, such as data service interaction behaviors of government affairs, data service interaction behaviors of payment affairs, data service interaction behaviors of office affairs, and data service interaction behaviors of data mining affairs.
Optionally, before the step of inputting the target attack behavior data into the updated network attack recognition model, the method may further include:
determining target data service interaction behaviors to be identified, and acquiring attack behavior data from the target data service interaction behaviors as the target attack behavior data.
The target data service interaction behavior may be a data service interaction behavior corresponding to an effective service scenario, for example, an effective government service data service interaction behavior.
In this embodiment, after the target attack behavior data is obtained from the data service interaction behavior, the behavior recognition degree of the target attack behavior data may be corrected, and then the processed target attack behavior data is input into the network attack recognition model.
For example, before the step "inputting target attack behavior data into the upgraded network attack recognition model", the steps may include: acquiring input attack behavior data attribute information of a network attack identification model; and updating the attribute information of the target attack behavior data based on the input attack behavior data attribute information to obtain updated target attack behavior data. The input attack behavior data attribute information includes but is not limited to: data volume of the attack behavior data, data format, data source, and the like.
In this embodiment, first, with reference to fig. 3, the network attack protection method based on the network attack recognition model and combined with the big data server is described, in this embodiment, a model training process of the network attack recognition model is performed together with a corresponding network attack detection model, and an update instruction of a part of linkage protection indexes of the network attack recognition model is obtained by adaptive training and learning of the network attack detection model.
Summary A of the network attack protection method combined with the big data server in this embodiment may be as follows: acquiring attack behavior data to be tested and real-time attack intention information corresponding to the attack behavior data to be tested, wherein the real-time attack intention information corresponding to the attack behavior data to be tested comprises real-time attack type information of each attack behavior event in the attack behavior data to be tested; performing network attack detection on the attack behavior data to be tested and the corresponding real-time attack intention information based on a network attack identification model in the network attack protection strategy to be updated and upgraded to obtain a network attack detection result; and updating and upgrading the network attack protection strategy based on the network attack detection result.
It can be understood that the network attack protection method combined with the big data server disclosed in this embodiment can be understood as an update and upgrade method for the network attack protection policy; that is, the update and upgrade method is performed before the actual network attack defense action is executed. By the above method, the update indication information of the linkage protection index used to update the network attack recognition model is obtained by the network attack detection model through adaptive training and learning. Compared with setting the update indication of the linkage protection index based on manual experience, as in the related art, the update indication of this embodiment reduces the dependence on manual experience, thereby adding a determination mode for the update indication of the linkage protection index, improving its real-time performance and service matching performance, and helping to improve the network attack defense capability of the network attack protection policy, so that the loss of important data caused by hacker attacks on related network equipment because the network attack protection strategy was not adequately updated and upgraded is avoided.
Optionally, Summary B of the network attack protection method in combination with the big data server in this embodiment may also be as follows: updating and upgrading the network attack protection strategy to be updated and upgraded according to the acquired attack behavior data to be tested and the real-time attack intention information corresponding to the attack behavior data to be tested. It is understood that the further description of this summary corresponds to that of Summary A.
One embodiment of the network attack protection method combined with the big data server in the embodiment includes:
201. acquiring attack behavior data to be tested and real-time attack intention information corresponding to the attack behavior data to be tested, wherein the real-time attack intention information corresponding to the attack behavior data to be tested comprises real-time attack type information of each attack behavior event in the attack behavior data to be tested;
202. inputting the attack behavior data to be tested into a network attack identification model in a network attack protection strategy to be updated and upgraded, and performing behavior identification on the attack behavior data to be tested through a behavior identification unit of the network attack identification model to obtain a target behavior identification result of the attack behavior data to be tested;
203. determining potential attack intention information corresponding to the attack behavior data to be tested based on the target behavior identification result through an attack intention analysis unit of the network attack identification model, wherein the potential attack intention information corresponding to the attack behavior data to be tested comprises potential attack type information of each attack behavior event in the attack behavior data to be tested;
204. determining, by a network attack detection model in the network attack protection policy to be updated and upgraded, a first network attack detection result that the potential attack intention information belongs to effective attack intention information of the attack behavior data to be tested and a second network attack detection result that the real-time attack intention information belongs to effective attack intention information of the attack behavior data to be tested based on real-time attack intention information and potential attack intention information of the attack behavior data to be tested;
205. updating the linkage protection index of the network attack protection strategy based on the first network attack detection result and the second network attack detection result to obtain the upgraded network attack protection strategy.
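Steps 201 to 205 describe one update round in which the detection model judges both the potential intention produced by the recognition model (first result) and the manually marked real-time intention (second result), and the recognition model's parameters are then adjusted from the detection model's judgement rather than from manual experience. The following added example (not the patent's code, and not tied to any particular network structure) runs that round over a small constructed data set with two logistic models in pure Python: the recognition model outputs one detection index per attack type, and the detection model scores whether an intention vector is effective for an event. The three attack types, the feature vectors, the parameter initialisation and the learning rate are assumptions made for the example.

```python
import math

# Constructed toy data (not from the patent): each attack behaviour event is a
# 3-dimensional feature vector, and its hand-marked real-time attack type is the
# index of one of three attack types.
ATTACK_TYPES = ["data_tampering", "data_deletion", "illegal_access"]
EVENTS = [
    ([1.0, 0.0, 0.2], 0), ([0.9, 0.1, 0.0], 0),
    ([0.0, 1.0, 0.3], 1), ([0.1, 0.8, 0.1], 1),
    ([0.2, 0.1, 1.0], 2), ([0.0, 0.3, 0.9], 2),
]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def one_hot(label, n_types):
    """Real-time attack intention of one event: 1.0 for its marked type, 0.0 otherwise."""
    return [1.0 if k == label else 0.0 for k in range(n_types)]


def init_strategy(dim, n_types):
    """Protection strategy = recognition model + detection model (assumed toy layout).
    Parameters start at small fixed values so every run is deterministic."""
    return {
        # recognition model: one logistic unit per attack type; its weights play the
        # role of the "linkage protection index" updated in step 205
        "rec_w": [[0.1 * ((i + k) % 3 - 1) for i in range(dim)] for k in range(n_types)],
        "rec_b": [0.0] * n_types,
        # detection model: one logistic unit over [event features ; intention vector]
        "det_w": [0.1 * ((j % 2) * 2 - 1) for j in range(dim + n_types)],
        "det_b": 0.0,
    }


def recognise(strategy, x):
    """Steps 202-203: potential attack intention = one detection index per attack type."""
    return [sigmoid(sum(w * xi for w, xi in zip(wk, x)) + b)
            for wk, b in zip(strategy["rec_w"], strategy["rec_b"])]


def detect(strategy, x, intention):
    """Step 204: probability that `intention` is effective attack intention of event x."""
    z = sum(w * v for w, v in zip(strategy["det_w"], x + intention)) + strategy["det_b"]
    return sigmoid(z)


def upgrade_step(strategy, x, real_intention, lr=0.5):
    """Step 205 for one event. Returns the (first, second) detection results that
    were computed before the parameters were updated."""
    potential = recognise(strategy, x)
    first = detect(strategy, x, potential)        # is the potential intention judged effective?
    second = detect(strategy, x, real_intention)  # is the real-time intention judged effective?
    dim = len(x)
    # Detection model: cross-entropy gradients pushing second -> 1 and first -> 0.
    g_second, g_first = second - 1.0, first
    det_grad = [g_second * a + g_first * b for a, b in zip(x + real_intention, x + potential)]
    # Recognition model: the detection model's gradient is the update indication; the
    # recogniser is moved so that its output is judged effective (maximise log first).
    for k, pk in enumerate(potential):
        g_a = -(1.0 - first) * strategy["det_w"][dim + k] * pk * (1.0 - pk)
        strategy["rec_w"][k] = [w - lr * g_a * xi for w, xi in zip(strategy["rec_w"][k], x)]
        strategy["rec_b"][k] -= lr * g_a
    strategy["det_w"] = [w - lr * g for w, g in zip(strategy["det_w"], det_grad)]
    strategy["det_b"] -= lr * (g_second + g_first)
    return first, second


def upgrade_strategy(strategy, events, n_types, epochs=20):
    """Steps 201-205 over all attack behaviour data to be tested.
    Returns the per-epoch mean (first, second) detection results."""
    history = []
    for _ in range(epochs):
        firsts, seconds = [], []
        for x, label in events:
            f, s = upgrade_step(strategy, x, one_hot(label, n_types))
            firsts.append(f)
            seconds.append(s)
        history.append((sum(firsts) / len(firsts), sum(seconds) / len(seconds)))
    return history


if __name__ == "__main__":
    strategy = init_strategy(dim=3, n_types=len(ATTACK_TYPES))
    for epoch, (f, s) in enumerate(upgrade_strategy(strategy, EVENTS, len(ATTACK_TYPES))):
        print("epoch %2d  first=%.3f  second=%.3f" % (epoch, f, s))
    print("potential intention of event 0:", recognise(strategy, EVENTS[0][0]))
```

The point of the structure is that the recognition model never sees the manual marks directly in `upgrade_step`: its update direction comes only through `det_w`, i.e. from what the detection model has learned to call effective. In a real deployment the supervised consistency with the marks (see the discussion of the 2000Mb groups below) would be added as a second training term and the per-epoch `history` would be monitored for divergence.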
The attack behavior data to be tested in the embodiment is the attack behavior data to be tested of a network attack protection strategy, the network attack protection strategy comprises a network attack identification model and a network attack detection model, the network attack identification model is used for analyzing the attack intention of the attack behavior data to obtain the attack intention information of the attack behavior data, and in one example, the attack intention information can be attack intention detection data.
The attack intention analysis in the present embodiment may be understood as: according to the attack type of each attack behavior event in the initial attack behavior data, determining an attack type behavior portrait (the attack type behavior portrait comprises attack type information) of each attack behavior event to obtain attack intention detection data, wherein the attack type behavior portrait in the attack intention detection data can be determined based on data distribution information of the corresponding attack behavior event in the initial attack behavior data, and each attack type behavior portrait can represent the attack type information of the corresponding attack behavior event.
For example, suppose the active attack behavior data is the attack intention detection data of the passive attack behavior data, and one data tampering label exists in the passive attack behavior data. In the active attack behavior data, the attack type behavior portrait on the data distribution information of the attack behavior event corresponding to the data tampering label is attack type behavior portrait 1, and the attack type behavior portrait of the attack behavior events on the other data distribution information is attack type 0; attack type 1 indicates that the attack type of the attack behavior event on that data distribution information is the data tampering label, and attack type 0 indicates that the attack type of the attack behavior event on that data distribution information is the illegal data access label.
The attack type in this embodiment refers to an attack type of an attacker corresponding to the attack behavior data, and the attack type is not limited, and may be CC attack, SYN attack, IP fragmentation attack, or the like.
In the analysis of the attack intention of the attack behavior data, the network attack recognition model applies an attack intention mining algorithm to the attack behavior data, and specifically a deep neural network (DNN) within the attack intention mining algorithm.
The training of the proposed network attack recognition model described in this embodiment is implemented based on Artificial Intelligence (AI) technology, particularly on Machine Learning (ML) technology within AI, and more particularly may be implemented by Deep Learning (DL) technology within machine learning.
The network attack recognition model in this embodiment may be constructed based on any structure of Artificial Neural Network (ANN) that can be used for attack intention analysis; for example, the network attack recognition model may be a Convolutional Neural Network (CNN), a Fully Connected Neural Network (FCN), or the like, which is not limited in this embodiment.
In this embodiment, the attack behavior data for which the network attack recognition model determines potential attack intention information is not limited to the target attack behavior data and the attack behavior data to be tested; it may be attack behavior data of any service scenario. Such service scenarios include, but are not limited to, a government service scenario, a game service scenario, an office service scenario, and the like, and may also be online shopping service scenarios, such as a cross-border payment service scenario, a password-free payment service scenario, a payment delegation service scenario, and the like.
The real-time attack intention information of the embodiment can be understood as the most significant attack intention information of the attack behavior data to be tested, the real-time attack intention information comprises real-time attack type information of each attack behavior event of the attack behavior data to be tested, and the real-time attack type information comprises the real-time attack type of each attack behavior event. In one example, the real-time attack intention information may be real-time attack intention trend record information, where the real-time attack intention trend record information includes multiple independent attack behavior data of the description dimension of the attack behavior data, the description dimension of each attack behavior data corresponds to one real-time attack type, and the independent attack behavior data of the description dimension of some attack behavior data includes information of an attack behavior event belonging to the real-time attack type corresponding to the description dimension of the attack behavior data.
The data service interaction behavior of a service scenario is taken as an example for explanation; it may be the data service interaction behavior of an interactive government service scenario. The analysis result of the attack intention of attack behavior data from this scenario can provide the relevant model with useful data about the government business environment, helping it understand the current government business environment. Assume that the government affair attack behavior data of the interactive government affair business includes tags of 5 attack types: a data tampering tag, a data deletion tag, a data stealing tag, a data usage blocking tag, and a data illegal access tag. The real-time attack intention trend record information of the government affair attack behavior data then includes five pieces of independent attack behavior data, one per description dimension of the attack behavior data, each corresponding to one attack type. For example, in the independent attack behavior data corresponding to the data tampering tag, an identifier representing that the attack behavior event is a data tampering tag, such as the character xx1, is set on the data distribution information of the attack behavior events corresponding to the data tampering tag in the government affair attack behavior data; and in the independent attack behavior data corresponding to the data deletion tag, an identifier representing that the attack behavior event is a data deletion tag, such as the character xx2, is set on the data distribution information of the attack behavior events corresponding to the data deletion tag.
By analyzing the attack intention of the data service interactive behavior attack behavior data of the interactive government service, the attack type in the service scene corresponding to the target label (such as a data tampering label) can be obtained, and the relevant model (such as the above mentioned models) can complete further detection processing operation according to the attack type information.
In this embodiment, the attack types that the network attack recognition model can recognize may be set by manually constructing the network attack recognition model, and the number of the attack types and the meaning of each attack type are determined according to the setting of the network attack recognition model, for example, the number of the attack types may be 7 types, and each attack type includes: data tampering tags, data deletion tags, data theft tags, data use hindering tags, data illegal access tags, traffic attack tags, and resource exhaustion attack tags.
In this embodiment, the attack behavior data to be tested may be derived from historical data service interaction behaviors, such as historical government service data service interaction behaviors derived from interactive government services.
Sampling can be performed from the data service interaction behavior at a certain extraction frequency to obtain sampled attack behavior data. The extraction frequency should not be too high, so as to prevent the sampled attack behavior data from being highly correlated and the data storage space of the attack behavior data to be tested from becoming oversaturated; for example, the extraction frequency can be 10mb per 1 second. The data volume of the sampled attack behavior data collected in this embodiment is not limited; for the government affair service data service interaction behavior, the data volume of the sampled attack behavior data can be 1 GB.
After the sampled attack behavior data is obtained, the attack intention information of the sampled attack behavior data can be manually marked as the real-time attack intention information of the sampled attack behavior data. The real-time attack type of an attack behavior event in the real-time attack intention information is one of the attack types that the network attack recognition model can identify; for example, if the network attack recognition model is manually defined to identify 7 attack types, the real-time attack type of each attack behavior event is one of those 7 attack types. The purpose of manual marking is to construct an attack intention data storage space; subsequent model training can be guided only after the sampled attack behavior data and the corresponding real-time attack intention information are available.
In one example, the marked sampling attack behavior data can be directly used as the attack behavior data to be tested to train the network attack protection strategy.
In another example, the marked sampling attack behavior data can be used as initial attack behavior data to be tested, and a greater number of attack behavior data to be tested can be obtained from the initial attack behavior data to be tested in the modes of attack behavior data extraction and the like, so that training data are enriched. Optionally, the step of "obtaining the attack behavior data to be tested and the real-time attack intention information corresponding to the attack behavior data to be tested" includes:
acquiring initial attack behavior data to be tested of the network attack protection strategy to be updated and upgraded, wherein the behavior portrait of the initial attack behavior data to be tested comprises initial real-time attack intention information of the initial attack behavior data to be tested, and the initial real-time attack intention information comprises real-time attack type information of each attack behavior event in the initial attack behavior data to be tested;
extracting at least one group of attack behavior data with preset data volume from the initial attack behavior data to be tested, and taking the extracted attack behavior data as the attack behavior data to be tested of the network attack protection strategy to be updated and upgraded;
acquiring real-time attack intention information of the attack behavior data to be tested from the initial real-time attack intention information of the initial attack behavior data to be tested based on the data distribution information of the attack behavior data to be tested in the corresponding initial attack behavior data to be tested.
The preset data amount may be set according to actual needs; it may be the attack behavior data amount defined in the foregoing input attack behavior data attribute information, and may be set to 2000Mb, or the like. In one example, multiple groups of 2000Mb of not completely repeated attack behavior data to be tested can be randomly acquired from the same initial attack behavior data to be tested, so that the training data are enriched, and because the randomly extracted attack behavior data differ greatly from each other, overfitting of the network attack protection strategy model can be prevented. The goal is that the potential attack intention information output by the network attack recognition model in the updated network attack protection strategy is as consistent as possible with the manually marked real-time attack intention information.
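The sampling at a fixed extraction frequency, the manual marking of the sampled data, and the extraction of several not completely repeated groups of a preset volume whose labels are read back from the initial marks by position, as an added example that is not the patent's code. The data volume is counted here in events rather than megabytes, the five attack type names and the constructed event records are assumptions, and the random offsets stand in for whatever extraction rule a real deployment uses.

```python
import random

# Constructed initial attack behaviour data to be tested (not from the patent):
# a sequence of attack behaviour events plus the manually marked real-time
# attack type of every event (its behaviour portrait). Here the "data volume"
# is counted in events rather than megabytes, an assumption for the example.
ATTACK_TYPES = ["data_tampering", "data_deletion", "data_theft",
                "data_use_blocking", "illegal_access"]


def sample_by_frequency(stream, every_n):
    """Sampling at a fixed extraction frequency: keep one event in every `every_n`,
    which keeps neighbouring samples from being too strongly correlated."""
    if every_n < 1:
        raise ValueError("every_n must be >= 1")
    return stream[::every_n]


def build_initial_data(n_events, seed=7):
    """Sampled attack behaviour data with manually marked real-time attack types (constructed)."""
    rng = random.Random(seed)
    events = [{"event_id": i, "bytes": rng.randint(100, 2000)} for i in range(n_events)]
    labels = [rng.randrange(len(ATTACK_TYPES)) for _ in range(n_events)]
    return events, labels


def extract_test_groups(events, labels, preset_volume, n_groups, seed=0):
    """Extract `n_groups` not-completely-repeated contiguous groups of `preset_volume`
    events from the initial data. The labels of a group are read from the initial
    real-time intention information at the group's position (its data distribution
    information), so extracted groups need no new manual marking."""
    n_starts = len(events) - preset_volume + 1
    if n_starts < 1:
        raise ValueError("preset volume exceeds the initial attack behaviour data")
    if n_groups > n_starts:
        raise ValueError("cannot extract that many distinct groups")
    rng = random.Random(seed)
    seen, groups = set(), []
    while len(groups) < n_groups:
        start = rng.randrange(n_starts)
        if start in seen:
            continue  # identical group already extracted; draw another offset
        seen.add(start)
        groups.append({
            "start": start,
            "events": events[start:start + preset_volume],
            "labels": labels[start:start + preset_volume],
        })
    return groups


def group_type_counts(group):
    """Count the real-time attack types in one extracted group (for checking class balance)."""
    counts = {name: 0 for name in ATTACK_TYPES}
    for lab in group["labels"]:
        counts[ATTACK_TYPES[lab]] += 1
    return counts


if __name__ == "__main__":
    raw_events, raw_labels = build_initial_data(5000)
    events = sample_by_frequency(raw_events, 5)
    labels = sample_by_frequency(raw_labels, 5)
    for g in extract_test_groups(events, labels, preset_volume=200, n_groups=3):
        print("group at offset", g["start"], group_type_counts(g))
```

Reading labels back by offset is what makes the "initial real-time attack intention information" reusable across many extracted groups; `group_type_counts` is the check a practitioner would run before training, since a randomly placed group can be badly skewed towards one attack type.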
In this embodiment, behavior recognition results of a plurality of behavior recognition degrees may be obtained for the attack behavior data to be tested and then associated to obtain the target behavior recognition result of the attack behavior data to be tested. Optionally, the step of performing behavior recognition on the attack behavior data to be tested through the behavior recognition unit of the network attack recognition model to obtain the target behavior recognition result of the attack behavior data to be tested includes: performing behavior recognition on the attack behavior data to be tested through the behavior recognition unit of the network attack recognition model to obtain behavior recognition results of a plurality of behavior recognition degrees of the attack behavior data to be tested, and associating the behavior recognition results of the plurality of behavior recognition degrees to obtain the target behavior recognition result of the attack behavior data to be tested.
The potential attack intention information of the embodiment is obtained by analyzing the attack intention of the attack behavior data by the network attack recognition model, the potential attack intention information includes the potential attack type information of the attack behavior event, and the potential attack type information includes the potential network attack detection result of each preset attack type of the attack behavior event. In one example, the potential attack intention information may be recording information of potential attack intention tendency, the recording information of potential attack intention tendency includes independent attack behavior data of description dimensions of a plurality of attack behavior data, the description dimension of each attack behavior data corresponds to one potential attack type, and the independent attack behavior data of the description dimension of a certain attack behavior data includes a potential network attack detection result that an attack behavior event belongs to the potential attack type corresponding to the description dimension of the attack behavior data.
It can be understood that, for one attack behavior event, the potential attack type information may contain potential network attack detection results for multiple attack types; for example, the potential network attack detection result for the attack type data tampering tag is 0.8, the potential network attack detection result for another attack type is 0.3, and so on. The network attack detection result may be represented in the form of a detection index, such as 0.8 and 0.3 above. A detection index of 1 indicates that the probability of the attack behavior corresponding to the network attack detection result is 100%, and so on.
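The two representations of attack intention information used above, the real-time trend record with one identifier channel per attack type (the xx1, xx2 government affairs example) and the potential trend record with one detection index per attack type per event, as an added example that is not the patent's code. The five attack type names, the identifiers xx1 to xx5, the 0.5 threshold and the sample events are assumptions; `agreement` measures the consistency between potential and manually marked intention that the upgraded recognition model is expected to maximise.

```python
# Constructed example (not from the patent) of the two representations of attack
# intention information: the real-time record built from manual marks, and the
# potential record output by a recognition model. The attack type names, the
# identifiers xx1..xx5 and the sample values are assumptions.
ATTACK_TYPES = ["data_tampering", "data_deletion", "data_theft",
                "data_use_blocking", "illegal_access"]


def real_time_trend_record(labels):
    """Real-time attack intention trend record: one independent channel per attack
    type; positions of events of that type carry the channel identifier (xx1..xx5),
    other positions are left empty."""
    record = {}
    for k, name in enumerate(ATTACK_TYPES):
        ident = "xx%d" % (k + 1)
        record[name] = [ident if lab == k else "" for lab in labels]
    return record


def labels_from_record(record):
    """Inverse of real_time_trend_record: recover each event's attack type index."""
    n_events = len(next(iter(record.values())))
    labels = []
    for i in range(n_events):
        marked = [k for k, name in enumerate(ATTACK_TYPES) if record[name][i]]
        if len(marked) != 1:
            raise ValueError("event %d must carry exactly one identifier" % i)
        labels.append(marked[0])
    return labels


def potential_trend_record(detection_indices):
    """Potential attack intention trend record: one channel per attack type holding
    the detection index (probability in [0, 1]) of every event for that type."""
    for row in detection_indices:
        if len(row) != len(ATTACK_TYPES) or any(not 0.0 <= v <= 1.0 for v in row):
            raise ValueError("each event needs one detection index in [0, 1] per type")
    return {name: [row[k] for row in detection_indices] for k, name in enumerate(ATTACK_TYPES)}


def potential_types(detection_indices, threshold=0.5):
    """Potential attack types per event: every type whose detection index reaches the
    threshold (an event can carry several; 0.8 and 0.3 keeps only the 0.8 type)."""
    return [[ATTACK_TYPES[k] for k, v in enumerate(row) if v >= threshold]
            for row in detection_indices]


def agreement(labels, detection_indices):
    """Fraction of events whose highest detection index is the manually marked type."""
    hits = sum(1 for lab, row in zip(labels, detection_indices)
               if row.index(max(row)) == lab)
    return hits / len(labels)


# Constructed sample: four events marked tampering, deletion, tampering, illegal access,
# and the detection indices a recognition model might output for them.
SAMPLE_LABELS = [0, 1, 0, 4]
SAMPLE_INDICES = [
    [0.8, 0.3, 0.1, 0.0, 0.1],
    [0.2, 0.7, 0.6, 0.1, 0.0],
    [0.4, 0.1, 0.1, 0.2, 0.5],
    [0.1, 0.0, 0.2, 0.1, 0.9],
]

if __name__ == "__main__":
    print(real_time_trend_record(SAMPLE_LABELS)["data_tampering"])
    print(potential_types(SAMPLE_INDICES))
    print("agreement:", agreement(SAMPLE_LABELS, SAMPLE_INDICES))
```

The third sample event shows the failure mode worth watching for: its highest index (0.5 for illegal access) disagrees with the manual mark, so `agreement` drops to 0.75 even though the event still clears the threshold for some type.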
In this embodiment, the identification result of the network attack detection model for the potential attack intention information is an identification result of whether the potential attack intention information of the network attack detection model is attack intention information effective in the attack behavior data to be tested. The identification result may be a probability value corresponding to the network attack detection result, which indicates that the network attack detection model identifies the potential attack intention information as the network attack intention information effective in the attack behavior data to be tested. The network attack detection result can be regarded as the judgment tendency degree of the network attack detection model to the potential attack intention information. An update indication of a portion of the linkage protection index of the network attack recognition model may be obtained based on the network attack detection result. By the design, the diversity of the updating indication sources can be ensured, so that the timeliness, the accuracy and the reliability of strategy updating are ensured, and the cost of strategy updating is reduced.
In this embodiment, the behavior recognition unit may include at least two behavior recognition layers and a behavior association layer, connected in sequence; the specific process of obtaining the target behavior recognition result may include:
performing behavior recognition on target attack behavior data through behavior recognition layers connected in sequence to obtain behavior recognition results with different behavior recognition degrees output by different behavior recognition layers;
through the behavior association layer, associating the behavior recognition results with different behavior recognition degrees in the order from the last behavior recognition layer to the initial behavior recognition layer to obtain the target behavior recognition result of the target attack behavior data.
In this embodiment, the number of behavior recognition layers is not limited; for example, there may be 5 layers. The behavior recognition results with different behavior recognition degrees may be associated by first converting all of them to the same behavior recognition degree and then associating each converted result in a set manner (for example, an association manner based on the time sequence level) to obtain the target behavior recognition result.
Or, in another example, the behavior recognition results with different behavior recognition degrees may also be associated in a layer-by-layer association manner.
The association of the behavior recognition results in this embodiment may be implemented based on behavior association layers in the behavior recognition unit, where the number of behavior association layers is one layer less than that of the behavior recognition layers.
In this embodiment, obtaining the target behavior recognition result based on the behavior association layers includes:
performing behavior recognition degree correction processing on the behavior recognition result input into the current behavior association layer to obtain a corrected behavior recognition result, whose behavior recognition degree is the same as that of the behavior recognition result output by the lowest behavior recognition layer among those not yet involved in association processing; if the current behavior association layer is the last behavior association layer, its input is the behavior recognition result output by the last behavior recognition layer;
and associating, through the current behavior association layer, the corrected behavior recognition result with the behavior recognition result output by the lowest behavior recognition layer among those not yet involved in association processing, and inputting the associated behavior recognition result into the previous behavior association layer; if the current behavior association layer is the initial behavior association layer, the associated behavior recognition result it produces is the target behavior recognition result.
The behavior recognition degree correction processing in this embodiment may be random distribution sampling processing based on a probability function, inverse time effect processing, or the like; this embodiment does not limit it. For example, the behavior recognition layers may be built from aging layers, each aging layer constituting one behavior recognition layer, with 5 aging layers in total, and the behavior recognition degree correction processing may be implemented as random distribution sampling processing based on a probability function.
For example, 2000Mb × 3 pieces of attack behavior data to be tested are input into the network attack recognition model, and a hot behavior recognition result of the attack behavior data to be tested is recognized through 5 sequentially connected aging treatment layers (the hot behavior recognition result is the behavior streaming record output by the aging treatment layers). In order from the top aging treatment layer to the bottom, each layer outputs a behavior recognition result that is a partial data segment of the attack behavior data to be tested.
Finally, the behavior recognition degree of the behavior stream record is expanded through a tail random distribution sampling layer. Specifically, the random distribution sampling layer inserts a set mark in the middle of the input behavior recognition result and then performs an aging treatment operation on it, so that the aging weight of the output behavior recognition result is 2 times that of the input, and the first data volume of the attack behavior data to be tested becomes the second data volume. The resulting behavior recognition result is then associated in time sequence with the behavior recognition result of the previous layer to obtain the associated behavior recognition result.
The associated behavior recognition result is input into the previous random distribution sampling layer, which performs a similar random distribution sampling operation to obtain a new behavior recognition result; this is associated in time sequence with the behavior recognition result of the layer before it to obtain a new associated behavior recognition result, which is in turn input into the previous random distribution sampling layer, until all behavior recognition results have been associated and the target behavior recognition result is obtained.
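The recognition-then-association scheme just described, written out as an added numpy example (not the patent's own code). It assumes that an aging (behavior recognition) layer halves the length of the behavior stream record, that the correction step doubles it by inserting a set mark between neighbouring samples and smoothing, and that association is concatenation along the feature axis from the last layer back to the first; the random projection stands in for learned layer weights and the input data is constructed.

```python
"""Added example (not the patent's own code): a simplified behavior recognition
unit with 5 recognition (aging) layers and 4 association layers.

Assumptions (not stated on the page): a recognition layer halves the behavior
recognition degree (length) of the record; the correction step doubles it by
inserting a set mark between neighbours and applying an aging (smoothing)
operation; association concatenates two records of equal degree.
"""
import numpy as np

N_LAYERS = 5  # number of aging (behavior recognition) layers, as in the text


def aging_layer(record: np.ndarray, rng: np.random.Generator) -> np.ndarray:
    """Forward aging analysis: halve the behavior recognition degree.

    record has shape (length, features). Neighbouring time steps are averaged
    and a fixed random projection (stand-in for learned weights) doubles the
    feature count, so each deeper layer gives a coarser but richer view.
    """
    length, feats = record.shape
    pooled = record[: length - length % 2].reshape(-1, 2, feats).mean(axis=1)
    proj = rng.standard_normal((feats, 2 * feats)) / np.sqrt(feats)
    return np.tanh(pooled @ proj)


def recognition_degree_correction(record) -> np.ndarray:
    """Behavior recognition degree correction: insert a set mark (0) between
    neighbouring samples, then apply an aging operation (3-tap smoothing), so
    the output carries twice the aging weight and twice the length of the input."""
    record = np.asarray(record, float)
    length, feats = record.shape
    expanded = np.zeros((2 * length, feats))
    expanded[0::2] = record            # original samples
    expanded[1::2] = 0.0               # set marks inserted between them
    padded = np.pad(expanded, ((1, 1), (0, 0)), mode="edge")
    return (padded[:-2] + padded[1:-1] + padded[2:]) / 3.0  # aging operation


def behavior_recognition_unit(data: np.ndarray, seed: int = 0) -> np.ndarray:
    """Run the recognition layers in sequence, then associate the results in
    order from the last recognition layer back to the initial one."""
    rng = np.random.default_rng(seed)
    results = []                       # one result per recognition layer
    current = np.asarray(data, float)
    for _ in range(N_LAYERS):
        current = aging_layer(current, rng)
        results.append(current)
    # The last association layer receives the last recognition layer's result.
    associated = results[-1]
    # Each association layer corrects the incoming result to the degree of the
    # lowest not-yet-associated recognition result and associates the two.
    for lower in reversed(results[:-1]):
        corrected = recognition_degree_correction(associated)
        corrected = corrected[: lower.shape[0]]   # same degree as `lower`
        associated = np.concatenate([corrected, lower], axis=1)
    return associated                  # target behavior recognition result


# constructed input: 32 time steps of a behavior stream, 3 description dimensions
SAMPLE_DATA = np.random.default_rng(1).random((32, 3))

if __name__ == "__main__":
    print(behavior_recognition_unit(SAMPLE_DATA).shape)  # (16, 186)
```

The final result has the behavior recognition degree of the initial recognition layer (16 steps here) and carries the features of every layer, which is what the layer-by-layer association is meant to preserve.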
The attack intention analyzing unit in this embodiment may also be implemented on the basis of a random distribution sampling layer. For example, if the lowest random distribution sampling layer belongs not to the behavior association layer but to the attack intention analyzing unit, the attack intention analyzing unit may classify the target behavior recognition result output by the behavior association layer to obtain the potential attack intention information; the number of output description dimensions of the attack intention analyzing unit is 7, corresponding to 7 preset attack types.
Because there are 7 attack intention attack types, the finally generated recorded information of the potential attack intention tendency has 7 description dimensions, each corresponding to one attack type; if the potential network attack detection result of an attack behavior event for a certain attack type is result1, the attack behavior event belongs to that attack type. For example, an exemplary attack intention analysis result consists of the network attack detection results of each behavior data block for the 7 attack types, where the detection record of the jth behavior data block in the ith description dimension is the network attack detection result that the jth behavior data block of the attack behavior data to be tested belongs to the ith attack type.
Specifically, the real-time attack intention information is the recorded information of the real-time attack intention tendency, the potential attack intention information is the recorded information of the potential attack intention tendency, the network attack detection model includes a behavior information acquisition unit and an intention tendency detection unit, and step 204 may include:
combining the attack behavior data to be tested with the corresponding recorded information of the real-time attack intention tendency to obtain the combined recorded information of the real-time attack intention tendency, and combining the attack behavior data to be tested with the corresponding recorded information of the potential attack intention tendency to obtain the combined recorded information of the potential attack intention tendency;
acquiring, through the behavior information acquisition unit of the network attack detection model, first attack behavior data behavior information from the combined recorded information of the potential attack intention tendency;
determining, through the intention tendency detection unit of the network attack detection model and based on the behavior interaction characteristics corresponding to the first attack behavior data behavior information, a first network attack detection result indicating that the recorded information of the potential attack intention tendency corresponding to the combined recorded information belongs to effective attack intention detection data of the attack behavior data to be tested;
acquiring, through the behavior information acquisition unit of the network attack detection model, second attack behavior data behavior information from the combined recorded information of the real-time attack intention tendency;
and determining, through the intention tendency detection unit of the network attack detection model and based on the second attack behavior data behavior information, a second network attack detection result indicating that the recorded information of the real-time attack intention tendency corresponding to the combined recorded information belongs to effective attack intention detection data of the attack behavior data to be tested.
Here, the structure of the intention tendency detection unit is not limited, and may include a full connection layer or the like.
Optionally, in this embodiment, the combined processing of the attack behavior data to be tested and the potential (or real-time) attack intention detection data may be understood as superposing the independent attack behavior data of each description dimension of the attack behavior data. By the definitions above, the recorded information of the real-time attack intention tendency and that of the potential attack intention tendency both consist of independent attack behavior data on a plurality of description dimensions, and both have the same number of description dimensions; each can be understood as attack behavior data formed by superposing the independent attack behavior data of those description dimensions.
For the recorded information of the real-time attack intention tendency, the independent attack behavior data on each description dimension is: whether each attack behavior event of the attack behavior data to be tested has the real-time attack type corresponding to that description dimension.
For the recorded information of the potential attack intention tendency, the independent attack behavior data on each description dimension is: the potential network attack detection result that each attack behavior event of the attack behavior data to be tested belongs to the potential attack type corresponding to that description dimension.
In this embodiment, the step of "combining the attack behavior data to be tested with its corresponding recorded information of the real-time attack intention tendency to obtain the combined recorded information of the real-time attack intention tendency, and combining the attack behavior data to be tested with its corresponding recorded information of the potential attack intention tendency to obtain the combined recorded information of the potential attack intention tendency" includes:
taking the independent attack behavior data of each description dimension of the attack behavior data to be tested, together with the independent attack behavior data of each description dimension of the recorded information of the real-time attack intention tendency, as the independent attack behavior data of the description dimensions of the combined recorded information of the real-time attack intention tendency, thereby obtaining the combined recorded information of the real-time attack intention tendency;
and likewise combining the attack behavior data to be tested with the recorded information of the potential attack intention tendency to obtain the combined recorded information of the potential attack intention tendency.
In this embodiment, the description dimension number of the attack behavior data to be tested is not limited.
Optionally, the behavior recognition of the attack behavior data by the network attack detection model may be implemented by aging processing, and the network attack detection model may include an aging processing layer and an intention classification layer.
The first attack behavior data behavior information may be acquired from the combined recorded information of the potential attack intention tendency through the aging processing layer of the network attack detection model, and the second attack behavior data behavior information may be acquired from the combined recorded information of the real-time attack intention tendency through the same aging processing layer.
The intention classification layer of the network attack detection model then determines, based on the behavior interaction characteristics corresponding to the first attack behavior data behavior information, the first network attack detection result that the recorded information of the potential attack intention tendency corresponding to the combined recorded information belongs to effective attack intention detection data of the attack behavior data to be tested.
Likewise, the intention classification layer determines, based on the behavior interaction characteristics corresponding to the second attack behavior data behavior information, the second network attack detection result that the recorded information of the real-time attack intention tendency corresponding to the combined recorded information belongs to effective attack intention detection data of the attack behavior data to be tested.
For example, taking attack behavior data to be tested of an interactive government affairs service with three description dimensions, the recorded information of the potential attack intention tendency and the recorded information of the real-time attack intention tendency are each combined with the attack behavior data to be tested, producing combined recorded information of the potential attack intention tendency and combined recorded information of the real-time attack intention tendency with ten description dimensions: in the combined attack behavior data, the first three description dimensions are the attack behavior data of the interactive government affairs service and the last seven are the attack intention detection data.
Further, the attack behavior data of these ten description dimensions may be used as the input of the network attack detection model; if the network attack detection model determines that the attack intention detection data is effective attack intention detection data, it aims to output 1, otherwise 0.
The network attack detection model may perform behavior recognition on the combined attack behavior data of ten description dimensions through a plurality of sequentially connected aging treatment layers, input the behavior recognition result output at the end into the full connection layer, and judge through the full connection layer to output the judgment result.
In this embodiment, the goal of the network attack detection model is to improve the accuracy and the reliability of different styles of attack behavior data for distinguishing effective attack intentions.
205. And updating the linkage protection index of the network attack protection strategy based on the first network attack detection result, the second network attack detection result, and the potential attack intention information and the real-time attack intention information of the attack behavior data to be tested.
In this embodiment, the real-time attack intention information of the attack behavior data to be tested includes the real-time attack type information of each attack behavior event, the goal of the network attack recognition model is to generate more effective attack intention information, and updating the linkage protection indexes of the network attack recognition model and the network attack detection model may specifically include:
determining error information of the first attack intention analysis of the network attack recognition model based on the first network attack detection result;
determining error information of the second attack intention analysis of the network attack recognition model based on the differential comparison result between the potential attack type information and the real-time attack type information of the same attack behavior event in the potential attack intention information and the real-time attack intention information of the attack behavior data to be tested;
updating the linkage protection index of the network attack recognition model based on the error information of the first attack intention analysis and the error information of the second attack intention analysis to obtain the upgraded network attack recognition model;
determining error information of the intention tendency judgment of the network attack detection model based on the first network attack detection result and the second network attack detection result;
and updating the linkage protection index of the network attack detection model based on the error information of the intention tendency judgment.
In this embodiment, the discrimination network and the network attack recognition model may be trained in an iterative manner, and if the update demand description value corresponding to the update indication of the linkage protection index of the network attack recognition model is lower than the threshold (and/or the update demand description value corresponding to the update indication of the linkage protection index of the network attack detection model is lower than the corresponding threshold), the model training may be stopped.
Optionally, the specific step of obtaining the target behavior recognition result in step 102 may include:
performing behavior recognition on target attack behavior data through behavior recognition layers connected in sequence to obtain behavior recognition results with different behavior recognition degrees output by different behavior recognition layers;
and through the behavior association layer, associating the behavior identification results with different behavior identification degrees according to the sequence from the last behavior identification layer to the initial behavior identification layer to obtain a target behavior identification result of the target attack behavior data.
The number of behavior association layers is one less than the number of behavior recognition layers; associating the behavior recognition results with different behavior recognition degrees through the behavior association layers in order from the last behavior recognition layer back to the initial behavior recognition layer to obtain the target behavior recognition result of the target attack behavior data may include:
performing behavior recognition degree correction processing on the behavior recognition result input into the current behavior association layer to obtain a corrected behavior recognition result, whose behavior recognition degree is the same as that of the behavior recognition result output by the lowest behavior recognition layer among those not yet involved in association processing; if the current behavior association layer is the last behavior association layer, its input is the behavior recognition result output by the last behavior recognition layer;
and associating, through the current behavior association layer, the corrected behavior recognition result with the behavior recognition result output by the lowest behavior recognition layer among those not yet involved in association processing, and inputting the associated behavior recognition result into the previous behavior association layer; if the current behavior association layer is the initial behavior association layer, the associated behavior recognition result it produces is the target behavior recognition result.
In this embodiment, if the behavior recognition of the behavior recognition layer is performed by forward distribution sampling or aging analysis, the behavior recognition degree correction processing may be performed by random distribution sampling based on a probability function and reverse aging analysis; conversely, if the behavior recognition of the behavior recognition layer is performed by random distribution sampling or reverse aging analysis, the correction processing may be performed by forward distribution sampling and aging analysis.
In this embodiment, the specific obtaining process of the target behavior recognition result may refer to the related description in the model training process, and is not described herein again.
In this embodiment, the attack intention analyzing unit may determine, based on the target behavior recognition result of the target attack behavior data, the potential network attack detection result that each attack behavior event in the target attack behavior data belongs to each preset attack type, and thereby obtain the potential attack type information of the target attack behavior data.
In this embodiment, after the potential attack intention information of the target attack behavior data is determined, the target attack initiating terminal to be identified may be identified from the target attack behavior data according to that information. Optionally, after the attack intention information of the target attack behavior data is obtained, the method may further include:
determining a target attack type of a target attack initiating terminal to be identified in target attack behavior data;
determining a target attack behavior event belonging to the target attack type in the target attack behavior data based on the potential attack intention information of the target attack behavior data;
and determining a target attack initiating terminal corresponding to the target attack behavior data based on the target attack behavior event.
Specifically, the target attack behavior event belonging to the target attack type may be determined based on the potential network attack detection result of each attack behavior event for that potential attack type in the potential attack intention information of the target attack behavior data.
After the target attack behavior event is determined, the target attack initiating terminal corresponding to the target attack behavior data may be determined by risk conduction analysis of service interaction or other manners; for example, the risk conduction path formed by the target attack behavior events is determined through risk conduction analysis of service interaction, and one risk conduction path corresponds to one target attack initiating terminal.
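The three steps above (target type, target events, initiating terminal per risk conduction path), as an added example in plain Python (not the patent's own code). It assumes that each attack behavior event records the terminal or service it was sent from, the service it interacted with and a timestamp, that risk is conducted from an event to any later event sent from the service it interacted with, and that the terminal at the origin of a conduction path is the target attack initiating terminal; the events are constructed.

```python
"""Added example (not the patent's own code): selecting target attack behavior
events from the potential attack intention information and tracing each risk
conduction path back to its initiating terminal.

Assumptions (not on the page): event fields src / service / ts as below; risk
is conducted from event A to a later event B when B.src == A.service; the
origin of a conduction path identifies the target attack initiating terminal.
"""
from collections import defaultdict

N_TYPES = 7


def potential_results(attack_type, confidence):
    """Constructed potential network attack detection results over the 7 preset
    attack types: `confidence` on attack_type, the remainder spread evenly."""
    rest = (1.0 - confidence) / (N_TYPES - 1)
    return [confidence if t == attack_type else rest for t in range(N_TYPES)]


# constructed target attack behavior data (attack type indices are arbitrary)
EVENTS = [
    {"id": "e1", "ts": 1, "src": "term-A", "service": "svc-1", "potential": potential_results(2, 0.9)},
    {"id": "e2", "ts": 2, "src": "svc-1", "service": "svc-2", "potential": potential_results(2, 0.8)},
    {"id": "e3", "ts": 3, "src": "term-B", "service": "svc-3", "potential": potential_results(2, 0.7)},
    {"id": "e4", "ts": 4, "src": "term-C", "service": "svc-1", "potential": potential_results(5, 0.9)},
    {"id": "e5", "ts": 5, "src": "svc-2", "service": "svc-4", "potential": potential_results(2, 0.6)},
]


def target_attack_events(events, target_type, threshold=0.5):
    """Second step: an event belongs to the target attack type when its potential
    detection result for that type reaches the threshold."""
    return [e for e in events if e["potential"][target_type] >= threshold]


def risk_conduction_paths(events):
    """Third step: group the target events into risk conduction paths (chains of
    service interactions) and map each path to the terminal at its origin."""
    events = sorted(events, key=lambda e: e["ts"])
    parent = {e["id"]: e["id"] for e in events}   # union-find over event ids

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for i, earlier in enumerate(events):
        for later in events[i + 1:]:
            if later["src"] == earlier["service"]:    # risk conducted onward
                parent[find(later["id"])] = find(earlier["id"])

    members = defaultdict(list)
    for e in events:
        members[find(e["id"])].append(e)             # kept in timestamp order
    paths = {}
    for group in members.values():
        origin = min(group, key=lambda e: e["ts"])   # first event of the path
        paths[origin["src"]] = [e["id"] for e in group]
    return paths


def identify_initiating_terminals(events, target_type, threshold=0.5):
    """Target type -> target events -> one initiating terminal per conduction path."""
    return risk_conduction_paths(target_attack_events(events, target_type, threshold))
```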
With this embodiment, the update indication of the linkage protection index of the network attack recognition model is obtained based on the identification result of the network attack detection model for the potential attack intention information and on the differential comparison result between the real-time attack intention information of the attack behavior data to be tested and the potential attack intention information recognized from that data by the network attack recognition model, and the linkage protection index is updated accordingly. Part of the update indication of the linkage protection index of the network attack recognition model is thus learned by the network attack detection model. Compared with the related technology, in which only workers make update indications from experience, the update indication of the linkage protection index in this embodiment is more complete, more timely and more flexible, the dependence on workers' experience is reduced, the accuracy of the attack intention analysis performed by the network attack recognition model on attack behavior data is improved, and the updating of the linkage protection index of the network attack recognition model is real-time and reliable.
Based on the same inventive concept, for the network attack protection method combined with the big data server, an embodiment of the invention also provides an exemplary network attack protection device combined with the big data server, which may include the following functional modules.
The data acquisition module is used for acquiring attack behavior data to be tested and real-time attack intention information corresponding to the attack behavior data to be tested, wherein the real-time attack intention information corresponding to the attack behavior data to be tested comprises real-time attack type information of each attack behavior event in the attack behavior data to be tested.
And the updating and upgrading module is used for carrying out network attack detection on the attack behavior data to be tested and the real-time attack intention information corresponding to the attack behavior data to be tested based on a network attack identification model in the network attack protection strategy to be updated and upgraded to obtain a network attack detection result, and updating and upgrading the network attack protection strategy based on the network attack detection result.
For the description of the functional modules, reference may be made to the description of the embodiments of the method described above, which is not described herein again.
Further, referring to FIG. 4, the big data guard device 20 may include a processing engine 210, a network module 220 and a memory 230, where the processing engine 210 and the memory 230 communicate through the network module 220.
The processing engine 210 may process the relevant information and/or data to perform one or more of the functions described herein. For example, in some embodiments, the processing engine 210 may include at least one processing engine (e.g., a single-core processing engine or a multi-core processor). By way of example only, the processing engine 210 may include a Central Processing Unit (CPU), an Application-Specific Integrated Circuit (ASIC), an Application-Specific Instruction Set Processor (ASIP), a Graphics Processing Unit (GPU), a Physical Processing Unit (PPU), a Digital Signal Processor (DSP), a Field Programmable Gate Array (FPGA), a Programmable Logic Device (PLD), a controller, a microcontroller unit, a Reduced Instruction Set Computer (RISC), a microprocessor, or the like, or any combination thereof.
The network module 220 may facilitate the exchange of information and/or data. In some embodiments, the network module 220 may be any type of wired or wireless network or combination thereof. Merely by way of example, the network module 220 may include a cable network, a wired network, a fiber optic network, a telecommunications network, an intranet, the internet, a Local Area Network (LAN), a Wide Area Network (WAN), a Wireless Local Area Network (WLAN), a Metropolitan Area Network (MAN), a Public Switched Telephone Network (PSTN), a Bluetooth network, a wireless personal area network, a Near Field Communication (NFC) network, and the like, or any combination thereof. In some embodiments, the network module 220 may include at least one network access point. For example, the network module 220 may include a wired or wireless network access point, such as a base station and/or a network access point.
The memory 230 may be, but is not limited to, a Random Access Memory (RAM), a Read Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like. The memory 230 is used for storing a program, and the processing engine 210 executes the program after receiving an execution instruction.
It will be appreciated that the configuration shown in FIG. 4 is merely illustrative and that the big data guard device 20 may include more or fewer components than shown in FIG. 4, or may have a different configuration from that shown in FIG. 4. The components shown in FIG. 4 may be implemented in hardware, software, or a combination thereof.
The foregoing disclosure of embodiments of the present invention will be apparent to those skilled in the art. It should be understood that the process of deriving and analyzing technical terms, which are not explained, by those skilled in the art based on the above disclosure is based on the contents described in the present application, and thus the above contents are not an inventive judgment of the overall scheme.
It should be appreciated that the system and its modules shown above may be implemented in a variety of ways. For example, in some embodiments, the system and its modules may be implemented in hardware, software, or a combination of software and hardware. Wherein the hardware portion may be implemented using dedicated logic; the software portions may be stored in a memory for execution by a suitable instruction execution system, such as a microprocessor or specially designed hardware. Those skilled in the art will appreciate that the methods and systems described above may be implemented using computer executable instructions and/or embodied in processor control code, such code being provided, for example, on a carrier medium such as a diskette, CD-or DVD-ROM, a programmable memory such as read-only memory (firmware), or a data carrier such as an optical or electronic signal carrier. The system and its modules of the present application may be implemented not only by hardware circuits such as very large scale integrated circuits or gate arrays, semiconductors such as logic chips, transistors, or programmable hardware devices such as field programmable gate arrays, programmable logic devices, etc., but also by software executed by various types of processors, for example, or by a combination of the above hardware circuits and software (e.g., firmware).
It is to be noted that different embodiments may produce different advantages, and in different embodiments, any one or combination of the above advantages may be produced, or any other advantages may be obtained.
Having thus described the basic concept, it will be apparent to those skilled in the art that the foregoing detailed disclosure is to be considered merely illustrative and not restrictive of the broad application. Various modifications, improvements and adaptations to the present application may occur to those skilled in the art, although not explicitly described herein. Such modifications, improvements and adaptations are proposed in the present application and thus fall within the spirit and scope of the exemplary embodiments of the present application.
Also, this application uses specific language to describe embodiments of the application. Reference throughout this specification to "one embodiment," "an embodiment," and/or "some embodiments" means that a particular feature, structure, or characteristic described in connection with at least one embodiment of the present application is included in at least one embodiment of the present application. Therefore, it is emphasized and should be appreciated that two or more references to "an embodiment" or "one embodiment" or "an alternative embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, some features, structures, or characteristics of one or more embodiments of the present application may be combined as appropriate.
Moreover, those skilled in the art will appreciate that aspects of the present application may be illustrated and described in terms of several patentable species or situations, including any new and useful combination of processes, machines, manufacture, or materials, or any new and useful improvement thereon. Accordingly, various aspects of the present application may be embodied entirely in hardware, entirely in software (including firmware, resident software, micro-code, etc.) or in a combination of hardware and software. The above hardware or software may be referred to as a "data block," "module," "engine," "unit," "component," or "system." Furthermore, aspects of the present application may be represented as a computer product, including computer readable program code, embodied in one or more computer readable media.
The computer storage medium may comprise a propagated data signal with the computer program code embodied therewith, for example, on baseband or as part of a carrier wave. The propagated signal may take any of a variety of forms, including electromagnetic, optical, etc., or any suitable combination. A computer storage medium may be any computer-readable medium that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code located on a computer storage medium may be propagated over any suitable medium, including radio, cable, fiber optic cable, RF, or the like, or any combination of the preceding.
Computer program code required for the operation of various portions of the present application may be written in any one or more programming languages, including an object oriented programming language such as Java, Scala, Smalltalk, Eiffel, JADE, Emerald, C++, C#, VB.NET, Python, and the like, a conventional programming language such as C, Visual Basic, Fortran 2003, Perl, COBOL 2002, PHP, ABAP, a dynamic programming language such as Python, Ruby, and Groovy, or other programming languages, and the like. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any network format, such as a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet), or in a cloud computing environment, or as a service, such as software as a service (SaaS).
Additionally, the order in which elements and sequences of the processes described herein are processed, the use of alphanumeric characters, or the use of other designations, is not intended to limit the order of the processes and methods described herein, unless explicitly claimed. While various presently contemplated embodiments of the invention have been discussed in the foregoing disclosure by way of example, it is to be understood that such detail is solely for that purpose and that the appended claims are not limited to the disclosed embodiments, but, on the contrary, are intended to cover all modifications and equivalent arrangements that are within the spirit and scope of the embodiments herein. For example, although the system components described above may be implemented by hardware devices, they may also be implemented by software-only solutions, such as installing the described system on an existing server or mobile device.
Similarly, it should be noted that in the preceding description of embodiments of the application, various features are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the embodiments. This method of disclosure, however, is not intended to require more features than are expressly recited in the claims. Indeed, the embodiments may be characterized as having less than all of the features of a single embodiment disclosed above.
Numerals describing the number of components, attributes, etc. are used in some embodiments; it is to be understood that such numerals used in the description of the embodiments are modified in some instances by the use of the modifier "about", "approximately" or "substantially". Unless otherwise indicated, "about", "approximately" or "substantially" indicates that the numbers allow for adaptive variation. Accordingly, in some embodiments, the numerical parameters used in the specification and claims are approximations that may vary depending upon the desired properties of the individual embodiments. In some embodiments, the numerical parameter should take into account the specified significant digits and employ a general digit preserving approach. Notwithstanding that the numerical ranges and parameters setting forth the broad scope of the range are approximations, in the specific examples, such numerical values are set forth as precisely as possible within the scope of the application.
The entire contents of each patent, patent application publication, and other material cited in this application, such as articles, books, specifications, publications, documents, and the like, are hereby incorporated by reference into this application. Except where the application is filed in a manner inconsistent or contrary to the present disclosure, and except where the claim is filed in its broadest scope (whether present or later appended to the application) as well. It is noted that the descriptions, definitions and/or use of terms in this application shall control if they are inconsistent or contrary to the statements and/or uses of the present application in the material attached to this application.
Finally, it should be understood that the embodiments described herein are merely illustrative of the principles of the embodiments of the present application. Other variations are also possible within the scope of the present application. Thus, by way of example, and not limitation, alternative configurations of the embodiments of the present application can be viewed as being consistent with the teachings of the present application. Accordingly, the embodiments of the present application are not limited to only those embodiments explicitly described and depicted herein.

Claims (10)

1. A network attack protection method combined with a big data server is characterized by comprising the following steps:
acquiring the attack behavior data to be tested and real-time attack intention information corresponding to the attack behavior data to be tested, wherein the real-time attack intention information corresponding to the attack behavior data to be tested comprises real-time attack type information of each attack behavior event in the attack behavior data to be tested;
and performing network attack detection on the attack behavior data to be tested and the real-time attack intention information corresponding to the attack behavior data to be tested based on a network attack identification model in the network attack protection strategy to be updated and upgraded to obtain a network attack detection result, and updating and upgrading the network attack protection strategy based on the network attack detection result.
2. The network attack protection method combined with big data server according to claim 1, wherein the network attack detection is performed on the attack behavior data to be tested and the real-time attack intention information corresponding to the attack behavior data to be tested based on the network attack recognition model in the network attack protection strategy to be updated and upgraded to obtain a network attack detection result, and the network attack protection strategy is updated and upgraded based on the network attack detection result, comprising:
inputting the attack behavior data to be tested into a network attack identification model in a network attack protection strategy to be updated and upgraded, and performing behavior identification on the attack behavior data to be tested through a behavior identification unit of the network attack identification model to obtain a target behavior identification result of the attack behavior data to be tested;
determining potential attack intention information corresponding to the attack behavior data to be tested based on the target behavior identification result through an attack intention analysis unit of the network attack identification model, wherein the potential attack intention information corresponding to the attack behavior data to be tested comprises potential attack type information of each attack behavior event in the attack behavior data to be tested;
determining, by a network attack detection model in the network attack protection policy to be updated and upgraded, a first network attack detection result that the potential attack intention information belongs to effective attack intention information of the attack behavior data to be tested and a second network attack detection result that the real-time attack intention information belongs to effective attack intention information of the attack behavior data to be tested based on real-time attack intention information and potential attack intention information of the attack behavior data to be tested;
updating the linkage protection index of the network attack protection strategy based on the first network attack detection result and the second network attack detection result to obtain the upgraded network attack protection strategy.
3. The network attack protection method combined with big data server according to claim 1, wherein the obtaining of the target behavior recognition result of the attack behavior data to be tested by the behavior recognition unit of the network attack recognition model performing behavior recognition on the attack behavior data to be tested comprises:
and performing behavior recognition on the attack behavior data to be tested through a behavior recognition unit of the network attack recognition model to obtain behavior recognition results of a plurality of behavior recognition degrees of the attack behavior data to be tested, and correlating the behavior recognition results of the plurality of behavior recognition degrees to obtain a target behavior recognition result of the attack behavior data to be tested.
4. The network attack protection method combined with the big data server as claimed in claim 3, wherein the behavior recognition unit comprises a behavior association layer and at least two behavior recognition layers connected in sequence; the behavior recognition unit of the network attack recognition model performs behavior recognition on the attack behavior data to be tested to obtain behavior recognition results of a plurality of behavior recognition degrees of the attack behavior data to be tested, and correlates the behavior recognition results of the plurality of behavior recognition degrees to obtain a target behavior recognition result of the attack behavior data to be tested, including:
performing behavior recognition on the attack behavior data to be tested through the behavior recognition layers connected in sequence to obtain behavior recognition results with different behavior recognition degrees output by different behavior recognition layers;
through the behavior association layer, associating the behavior identification results with different behavior identification degrees according to the sequence from the last behavior identification layer to the initial behavior identification layer to obtain a target behavior identification result of the attack behavior data to be tested;
wherein the number of the behavior association layers is one layer less than that of the behavior identification layer; the step of associating the behavior recognition results with different behavior recognition degrees through the behavior association layer according to the sequence from the last behavior recognition layer to the initial behavior recognition layer to obtain the target behavior recognition result of the attack behavior data to be tested includes:
performing behavior recognition degree correction processing on the behavior recognition result input into the current behavior association layer to obtain a corrected behavior recognition result, wherein the corrected behavior recognition result is the same as the behavior recognition degree of the behavior recognition result recognized by the bottommost behavior recognition layer in the behavior recognition results not participating in the association processing;
if the current behavior association layer is the last behavior association layer, the behavior identification result input into the current behavior association layer is the behavior identification result identified by the last behavior identification layer; and performing behavior recognition result association on the corrected behavior recognition result and the behavior recognition result recognized by the lowest behavior recognition layer in the behavior recognition results not participating in association processing through the current behavior association layer, and inputting the associated behavior recognition result into the previous behavior association layer, wherein if the current behavior association layer is the initial behavior association layer, the associated behavior recognition result obtained by the current behavior association layer is the target behavior recognition result.
5. The network attack protection method combined with big data server according to any of claims 2-4, wherein the obtaining of the attack behavior data to be tested and the real-time attack intention information corresponding to the attack behavior data to be tested includes:
acquiring initial attack behavior data to be tested of a network attack protection strategy to be updated and upgraded, wherein a behavior portrait of the initial attack behavior data to be tested comprises the following steps: initial real-time attack intention information of initial attack behavior data to be tested, wherein the initial real-time attack intention information comprises real-time attack type information of each attack behavior event in the initial attack behavior data to be tested;
extracting at least one group of attack behavior data with preset data volume from the initial attack behavior data to be tested, and taking the extracted attack behavior data as the attack behavior data to be tested of the network attack protection strategy to be updated and upgraded;
and acquiring real-time attack intention information of the attack behavior data to be tested from the initial real-time attack intention information of the initial attack behavior data to be tested based on the data distribution information of the attack behavior data to be tested in the corresponding initial attack behavior data to be tested.
6. The network attack protection method combined with the big data server according to any one of claims 2-4, wherein the real-time attack intention information is recorded information of real-time attack intention tendency, and the potential attack intention information is recorded information of potential attack intention tendency; the determining, by the network attack detection model in the network attack protection policy to be updated and upgraded, a first network attack detection result that the potential attack intention information belongs to effective attack intention information of the attack behavior data to be tested and a second network attack detection result that the real-time attack intention information belongs to effective attack intention information of the attack behavior data to be tested based on real-time attack intention information and potential attack intention information of the attack behavior data to be tested, includes:
combining the attack behavior data to be tested and the corresponding recording information of the real-time attack intention tendency to obtain the combined recording information of the real-time attack intention tendency, and combining the attack behavior data to be tested and the corresponding recording information of the potential attack intention tendency to obtain the combined recording information of the potential attack intention tendency;
acquiring first attack behavior data behavior information from the combined and processed recording information of the potential attack intention tendency through a behavior information acquisition unit of the network attack detection model; determining, by an intention tendency detection unit of the network attack detection model, based on behavior interaction features corresponding to the first attack behavior data, recording information of a potential attack intention tendency corresponding to the recording information of the potential attack intention tendency after the combination processing, and a first network attack detection result of effective attack intention detection data belonging to the attack behavior data to be tested;
acquiring second attack behavior data behavior information from the combined real-time attack intention tendency record information through a behavior information acquisition unit of the network attack detection model; and determining real-time attack intention tendency record information corresponding to the combined real-time attack intention tendency record information based on the second attack behavior data behavior information by an intention tendency detection unit of the network attack detection model, wherein the real-time attack intention tendency record information belongs to a second network attack detection result of effective attack intention detection data of the attack behavior data to be tested.
7. The network attack protection method combined with the big data server according to any one of claims 2 to 4, wherein the updating of the linkage protection index of the network attack protection policy based on the first network attack detection result and the second network attack detection result to obtain the updated network attack protection policy comprises:
determining error information analyzed by a first attack intention of the network attack identification model based on the first network attack detection result;
determining error information analyzed by a second attack intention of the network attack recognition model based on a differential comparison result between the potential attack type information and the real-time attack type information of the same attack behavior event in the real-time attack intention information and the potential attack intention information of the attack behavior data to be tested;
updating the linkage protection index of the network attack recognition model based on the error information analyzed by the first attack intention and the error information analyzed by the second attack intention to obtain the upgraded network attack recognition model;
determining error information of the intention tendency judgment of the network attack detection model based on the first network attack detection result and the second network attack detection result;
updating the linkage protection index of the network attack detection model based on the error information judged by the intention tendency;
the potential attack type information comprises a potential attack type and a potential network attack detection result corresponding to the potential attack type; the determining error information analyzed by the second attack intention of the network attack recognition model according to the differential comparison result between the potential attack type information and the real-time attack type information of the same attack behavior event in the real-time attack intention information and the potential attack intention information of the attack behavior data to be tested comprises:
determining real-time attack types of attack behavior events in the attack behavior data to be tested and potential network attack detection results of the attack behavior events in the potential attack intention information under the corresponding real-time attack types based on the real-time attack intention information and the potential attack intention information of the attack behavior data to be tested;
and determining the error information analyzed by the second attack intention of the network attack recognition model based on the real-time attack type of the attack behavior event of the attack behavior data to be tested and the potential network attack detection result under the real-time attack type.
8. The method for protecting against network attacks combined with a big data server according to claim 6, wherein the number of the description dimensions of the attack behavior data of the recorded information of the real-time attack intention tendency and the recorded information of the potential attack intention tendency is the same, and the independent attack behavior data in the description dimensions of each attack behavior data of the recorded information of the real-time attack intention tendency comprises: whether each attack behavior event of the attack behavior data to be tested is real-time attack type information corresponding to the description dimension of the attack behavior data; the independent attack behavior data on the description dimension of each attack behavior data of the recorded information of the potential attack intention tendency comprises: each attack behavior event of the attack behavior data to be tested is a potential network attack detection result of a potential attack type corresponding to the description dimension of the attack behavior data; the combining and processing the attack behavior data to be tested and the corresponding recording information of the real-time attack intention tendency to obtain the recording information of the real-time attack intention tendency after the combining and processing, and the combining and processing the attack behavior data to be tested and the corresponding recording information of the potential attack intention tendency to obtain the recording information of the potential attack intention tendency after the combining and processing, comprises:
independent attack behavior data of the description dimension of each attack behavior data of the recorded information of the attack behavior data to be tested and the real-time attack intention tendency are used as independent attack behavior data of the description dimension of each attack behavior data of the recorded information of the real-time attack intention tendency after combination processing, and the independent attack behavior data of the description dimension of each attack behavior data of the recorded information of the real-time attack intention tendency to be tested and the recorded information of the real-time attack intention tendency are combined to obtain the recorded information of the real-time attack intention tendency after combination processing;
and combining the data of the attack behaviors to be tested and the recorded information of the potential attack intention tendency to obtain the combined recorded information of the potential attack intention tendency.
9. A big data protection device, characterized by comprising a processing engine, a network module and a memory; the processing engine and the memory communicate through the network module, the processing engine reading a computer program from the memory and operating to perform the method of any of claims 1-8.
10. A computer storage medium, having stored thereon a computer program which, when executed, implements the method of any of claims 1-8.
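The layered structure of claim 4 (recognition layers in sequence, one association layer fewer, associated from the last recognition layer back to the initial one) and the second attack-intention error of claim 7 (comparing each event's potential attack type against its real-time attack type) can be made concrete with a small model. The following is an added example written for this page, not code from the patent or its applicant. The patent fixes no layer arithmetic, so the mean pooling used for recognition, the nearest-neighbour degree correction, the element-wise association, the linear-plus-softmax intention analysis, the weights, the attack-type labels and the eight sample events are all assumptions constructed here; only the wiring of the layers follows the claims.

```python
"""Illustrative model of the layered behaviour-recognition / association
structure (claim 4) and the second attack-intention error (claim 7).
Constructed for this page, not the patent's code: the patent gives no layer
arithmetic, so pooling, degree correction, association, the intention-analysis
weights, the attack-type labels and the sample events are all assumptions."""
import math
from typing import Dict, List

Vector = List[float]
Result = List[Vector]   # one vector per (group of) attack-behaviour event(s)

# Constructed attack-type labels (assumption, not from the patent).
ATTACK_TYPES = ["scan", "brute_force", "dos"]


def recognition_layer(result: Result, factor: int) -> Result:
    """One behaviour-recognition layer.  Assumed: mean-pool `factor` consecutive
    entries; a larger factor gives a coarser 'behaviour recognition degree'."""
    pooled = []
    for i in range(0, len(result), factor):
        group = result[i:i + factor]
        pooled.append([sum(v[d] for v in group) / len(group)
                       for d in range(len(group[0]))])
    return pooled


def run_recognition_layers(events: Result, factors: List[int]) -> List[Result]:
    """Claim 4: recognition layers connected in sequence, each consuming the
    previous layer's output.  Returns every layer's result, initial to last."""
    results, current = [], events
    for f in factors:
        current = recognition_layer(current, f)
        results.append(current)
    return results


def correct_degree(result: Result, target_len: int) -> Result:
    """Degree correction: bring a coarser result to the degree (length) of a
    finer one.  Assumed: nearest-neighbour repetition."""
    ratio = len(result) / target_len
    return [list(result[min(int(i * ratio), len(result) - 1)])
            for i in range(target_len)]


def associate(a: Result, b: Result) -> Result:
    """Association of two results of equal degree.  Assumed: element-wise sum."""
    return [[x + y for x, y in zip(va, vb)] for va, vb in zip(a, b)]


def run_association_layers(layer_results: List[Result]) -> Result:
    """Claim 4: one association layer fewer than recognition layers, run from the
    last recognition layer back to the initial one.  Each corrects its input to
    the degree of the lowest not-yet-associated recognition result, associates
    the two and passes the result up; the initial layer's output is the target."""
    current = layer_results[-1]           # input of the last association layer
    for j in range(len(layer_results) - 2, -1, -1):
        corrected = correct_degree(current, len(layer_results[j]))
        current = associate(corrected, layer_results[j])
    return current


def analyse_intention(target: Result, weights: List[Vector]) -> List[Vector]:
    """Attack-intention analysis unit: per event, one score per attack type (the
    'potential attack type information').  Assumed: linear map + softmax."""
    scores = []
    for feat in target:
        logits = [sum(w * f for w, f in zip(wt, feat)) for wt in weights]
        top = max(logits)
        exps = [math.exp(x - top) for x in logits]
        scores.append([e / sum(exps) for e in exps])
    return scores


def predicted_types(potential: List[Vector]) -> List[str]:
    """Potential attack type of each event: the highest-scoring label."""
    return [ATTACK_TYPES[s.index(max(s))] for s in potential]


def second_intention_error(potential: List[Vector], real_time: List[str]) -> float:
    """Claim 7: per event, read the potential detection result under the event's
    real-time attack type and fold the differences into one error value.
    Assumed: mean negative log of that score (cross-entropy)."""
    total = sum(-math.log(s[ATTACK_TYPES.index(rt)]) for s, rt in zip(potential, real_time))
    return total / len(real_time)


# Constructed sample: 8 attack-behaviour events with 3 features each, their
# real-time (labelled) attack types, and assumed intention-analysis weights.
SAMPLE_EVENTS: Result = [[1.0, 0.0, 0.0], [1.0, 0.0, 0.0], [0.0, 1.0, 0.0], [0.0, 1.0, 0.0],
                         [0.0, 0.0, 1.0], [0.0, 0.0, 1.0], [1.0, 0.0, 0.0], [0.0, 0.0, 1.0]]
SAMPLE_REAL_TIME_TYPES = ["scan", "scan", "brute_force", "brute_force", "dos", "dos", "scan", "dos"]
SAMPLE_WEIGHTS = [[2.0, 0.0, 0.0], [0.0, 2.0, 0.0], [0.0, 0.0, 2.0]]


def run_pipeline(events: Result, real_time: List[str]) -> Dict[str, object]:
    """Three recognition layers (degrees of 1, 2 and 4 events), two association
    layers, then intention analysis and the claim-7 second error."""
    target = run_association_layers(run_recognition_layers(events, [1, 2, 2]))
    potential = analyse_intention(target, SAMPLE_WEIGHTS)
    return {"target": target, "predicted": predicted_types(potential),
            "error": second_intention_error(potential, real_time)}
```

Calling `run_pipeline(SAMPLE_EVENTS, SAMPLE_REAL_TIME_TYPES)` shows the effect of the top-down association: event 6 enters as `[1.0, 0.0, 0.0]` but its target vector becomes `[1.75, 0.0, 1.25]`, because the coarser layers fold in the context of its neighbouring events before the intention analysis runs. The returned error is the quantity that claim 7 feeds back into the linkage protection index of the recognition model; the first error (whether the potential intention information belongs to effective intention information) needs the separate detection model of claim 6 and is not modelled here.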
CN202110129964.6A 2021-01-29 2021-01-29 Network attack protection method combined with big data server and big data protection equipment Withdrawn CN112953918A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110129964.6A CN112953918A (en) 2021-01-29 2021-01-29 Network attack protection method combined with big data server and big data protection equipment

Publications (1)

Publication Number Publication Date
CN112953918A true CN112953918A (en) 2021-06-11

Family

ID=76240152

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110129964.6A Withdrawn CN112953918A (en) 2021-01-29 2021-01-29 Network attack protection method combined with big data server and big data protection equipment

Country Status (1)

Country Link
CN (1) CN112953918A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103748991B (en) * 2010-06-09 2012-02-08 北京理工大学 Network attack recognition system based on multistage event correlation
US20170054745A1 (en) * 2014-02-17 2017-02-23 Beijing Qihoo Technology Company Limited Method and device for processing network threat
CN107659543A (en) * 2016-07-26 2018-02-02 北京计算机技术及应用研究所 The means of defence of facing cloud platform APT attacks
CN107710680A (en) * 2016-03-29 2018-02-16 华为技术有限公司 Network attack defence policies are sent, the method and apparatus of network attack defence
CN111565205A (en) * 2020-07-16 2020-08-21 腾讯科技(深圳)有限公司 Network attack identification method and device, computer equipment and storage medium
CN111565199A (en) * 2020-07-14 2020-08-21 腾讯科技(深圳)有限公司 Network attack information processing method and device, electronic equipment and storage medium

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114218568A (en) * 2021-12-10 2022-03-22 萍乡市圣迈互联网科技有限公司 Big data attack processing method and system applied to cloud service
CN114218568B (en) * 2021-12-10 2022-08-23 厦门吉快科技有限公司 Big data attack processing method and system applied to cloud service
CN114500020A (en) * 2022-01-18 2022-05-13 成都网域探行科技有限公司 Network security management method based on big data
CN114500020B (en) * 2022-01-18 2024-01-16 成都网域探行科技有限公司 Network security management method based on big data
CN114978765A (en) * 2022-07-06 2022-08-30 济南邦杰电子科技有限公司 Big data processing method serving information attack defense and AI attack defense system
CN116204872A (en) * 2022-11-18 2023-06-02 国网河北省电力有限公司电力科学研究院 Network attack recognition method for power grid information based on attack and defense visual angles
CN116204872B (en) * 2022-11-18 2023-09-12 国网河北省电力有限公司电力科学研究院 Network attack recognition method for power grid information based on attack and defense visual angles

Similar Documents

Publication Publication Date Title
CN112953918A (en) Network attack protection method combined with big data server and big data protection equipment
Gopinath et al. A comprehensive survey on deep learning based malware detection techniques
US20200019821A1 (en) Detecting and mitigating poison attacks using data provenance
CN106375331B (en) Attack organization mining method and device
CN110213226B (en) Network attack scene reconstruction method and system based on risk full-factor identification association
CN112615865B (en) Data anti-intrusion method based on big data and artificial intelligence and big data server
Xia et al. Poisoning attacks in federated learning: A survey
WO2021017318A1 (en) Cross-site scripting attack protection method and apparatus, device and storage medium
Lv et al. Secure deep learning in defense in deep-learning-as-a-service computing systems in digital twins
CN107871080A (en) The hybrid Android malicious code detecting methods of big data and device
CN106815229A (en) Database virtual patch means of defence
Vidal et al. Online masquerade detection resistant to mimicry
CN114422224A (en) Attack tracing-oriented threat information intelligent analysis method and system
CN110276195A (en) A kind of smart machine intrusion detection method, equipment and storage medium
Macas et al. Adversarial examples: A survey of attacks and defenses in deep learning-enabled cybersecurity systems
Chen et al. Advanced persistent threat organization identification based on software gene of malware
CN113114637A (en) Network resource intrusion detection method combining big data analysis and security server
Shin et al. Focusing on the weakest link: A similarity analysis on phishing campaigns based on the att&ck matrix
Du et al. Spear or shield: Leveraging generative AI to tackle security threats of intelligent network services
Zakaria et al. Feature extraction and selection method of cyber-attack and threat profiling in cybersecurity audit
Yerima et al. Bot-IMG: A framework for image-based detection of Android botnets using machine learning
CN110647747B (en) False mobile application detection method based on multi-dimensional similarity
CN114662111B (en) Malicious code software gene homology analysis method
CN114124453A (en) Network security information processing method and device, electronic equipment and storage medium
CN112966270A (en) Application program security detection method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20210611