CN113822355A - Composite attack prediction method and device based on improved hidden Markov model - Google Patents


Info

Publication number: CN113822355A
Authority: CN (China)
Prior art keywords: attack, hidden Markov, Markov model, training, sequence
Legal status: Pending
Application number: CN202111105948.XA
Other languages: Chinese (zh)
Inventors: 景森, 陈威, 徐小天, 高冉馨, 司冠林, 张月, 李敏, 孙跃, 董彬, 石磊, 韩哲, 陈乐然
Current assignee: State Grid Corp of China SGCC; North China Electric Power Research Institute Co Ltd
Original assignee: State Grid Corp of China SGCC; North China Electric Power Research Institute Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/29 Graphical models, e.g. Bayesian networks
    • G06F18/295 Markov models or related models, e.g. semi-Markov models; Markov random fields; Networks embedding Markov models
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection


Abstract

The invention discloses a compound attack prediction method and device based on an improved hidden Markov model. The method comprises the following steps: acquiring a single-step attack sequence; and inputting the single-step attack sequence into a trained hidden Markov model to obtain the occurrence probability of a compound attack, wherein the hidden Markov model determines the compound attack corresponding to the single-step attack sequence and then determines the occurrence probability of that compound attack, and wherein the parameters of the hidden Markov model are optimized during training with the Forward-Backward algorithm and the Baum-Welch algorithm. The method and device have the advantage of accurately predicting the risk of compound attacks.

Description

Composite attack prediction method and device based on improved hidden Markov model
Technical Field
The invention relates to the technical field of network attack early warning, in particular to a composite attack prediction method and device based on an improved hidden Markov model.
Background
At present, compound attacks have become the most threatening form of cyber attack. In a compound attack, an attacker uses different attack means to achieve an attack intention, but that intention is hidden among many simple single-step attack behaviors and is not directly visible. Existing intrusion detection systems can only generate separate alarm information for each single-step attack behavior, so the intention behind the attacker's compound attack is submerged in a large amount of alarm information. A compound attack comprises a number of single-step attack steps, and each single-step attack is reflected in the alarm information for that step. Therefore, how to predict the risk of a compound attack from the alarm information of a large number of single-step attacks is a technical problem to be solved in the field.
Disclosure of Invention
In order to solve at least one technical problem in the background art, the invention provides a compound attack prediction method and a compound attack prediction device based on an improved hidden Markov model.
In order to achieve the above object, according to an aspect of the present invention, there is provided a composite attack prediction method based on an improved hidden Markov model, the method including:
acquiring a single-step attack sequence;
inputting the single-step attack sequence into a trained hidden Markov model to obtain the occurrence probability of the compound attack, wherein the hidden Markov model determines the corresponding compound attack according to the single-step attack sequence and further determines the occurrence probability of that compound attack, and the hidden Markov model adopts a Forward-Backward algorithm and a Baum-Welch algorithm to carry out parameter optimization during training.
Optionally, the compound attack prediction method based on an improved hidden Markov model further includes:
acquiring a training sample, wherein the training sample is a single-step attack sequence sample marked with a composite attack and the occurrence probability of the composite attack;
and training a preset hidden Markov model according to the training sample to obtain a trained hidden Markov model, and optimizing the parameters of the model by adopting a Forward-Backward algorithm and a Baum-Welch algorithm during training.
Optionally, training the preset hidden Markov model according to the training sample specifically includes:
during training, the compound attack corresponding to the training sample is determined through the Baum-Welch algorithm, and the probability of the attack corresponding to the training sample is determined through the Forward-Backward algorithm.
Optionally, training the preset hidden Markov model according to the training sample specifically includes:
during training, an annealing algorithm is adopted to prevent the training from entering a local optimal solution.
Optionally, the compound attack prediction method based on an improved hidden Markov model further includes:
acquiring an alarm information sequence;
and generating a single-step attack sequence according to the alarm information sequence.
In order to achieve the above object, according to another aspect of the present invention, there is provided a composite attack prediction apparatus based on an improved hidden Markov model, the apparatus including:
a single-step attack sequence acquisition module, used for acquiring a single-step attack sequence;
and a compound attack prediction module, used for inputting the single-step attack sequence into a trained hidden Markov model to obtain the occurrence probability of the compound attack, wherein the hidden Markov model determines the corresponding compound attack according to the single-step attack sequence and further determines the occurrence probability of that compound attack, and the hidden Markov model adopts a Forward-Backward algorithm and a Baum-Welch algorithm to carry out parameter optimization during training.
Optionally, the apparatus for predicting a compound attack based on an improved hidden Markov model further includes:
a training sample acquisition module, used for acquiring a training sample, wherein the training sample is a single-step attack sequence sample marked with a composite attack and the occurrence probability of the composite attack;
and a model training module, used for training a preset hidden Markov model according to the training samples to obtain the trained hidden Markov model, wherein during training the Forward-Backward algorithm and the Baum-Welch algorithm are adopted to optimize the parameters of the model.
Optionally, the model training module is further configured to prevent training from entering a local optimal solution by using an annealing algorithm during training.
In order to achieve the above object, according to another aspect of the present invention, there is also provided a computer device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the steps of the above compound attack prediction method based on an improved hidden Markov model when executing the computer program.
In order to achieve the above object, according to another aspect of the present invention, there is also provided a computer readable storage medium storing a computer program which, when executed in a computer processor, implements the steps of the above compound attack prediction method based on an improved hidden Markov model.
The invention has the following beneficial effects:
by establishing the improved hidden Markov model, the invention can predict the occurrence probability of a compound attack from the single-step attack sequence, and thereby predicts the risk of compound attacks more accurately.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts. In the drawings:
FIG. 1 is a first flowchart of a composite attack prediction method based on an improved hidden Markov model according to an embodiment of the present invention;
FIG. 2 is a second flowchart of a composite attack prediction method based on an improved hidden Markov model according to an embodiment of the present invention;
FIG. 3 is a first block diagram of a composite attack prediction device based on an improved hidden Markov model according to an embodiment of the present invention;
FIG. 4 is a second block diagram of the composite attack prediction device based on the improved hidden Markov model according to the embodiment of the present invention;
FIG. 5 is a schematic diagram of a computer apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
It should be noted that the terms "comprises" and "comprising," and any variations thereof, in the description and claims of the present invention and the above-described drawings, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that the embodiments and features of the embodiments may be combined with each other without conflict. The present invention will be described in detail below with reference to the embodiments with reference to the attached drawings.
Fig. 1 is a first flowchart of a composite attack prediction method based on an improved hidden Markov model according to an embodiment of the present invention. As shown in Fig. 1, in an embodiment of the present invention, the composite attack prediction method based on an improved hidden Markov model includes steps S101 to S102.
Step S101: acquiring a single-step attack sequence.
In an embodiment of the present invention, the single-step attack sequence may be the sequence of alarm information of the system, where each piece of alarm information corresponds to one single-step attack.
Step S102: inputting the single-step attack sequence into a trained hidden Markov model to obtain the occurrence probability of the compound attack, wherein the hidden Markov model determines the corresponding compound attack according to the single-step attack sequence and further determines the occurrence probability of that compound attack, and the hidden Markov model adopts a Forward-Backward algorithm and a Baum-Welch algorithm to carry out parameter optimization during training.
In the present invention, the attacker's attack process is very complicated, and no fixed single-step attack is used to realize the attack intention (the compound attack). Generally, attackers adopt the attack means that suits the information they have obtained, and different attack behaviors can be adopted to realize the same compound attack. Harmful compound attacks are generally composed of single-step attacks in different stages; if the attack intention of each stage is extracted and the same attack intentions in each stage are grouped into a corresponding set, the attack intentions can conveniently be used to analyze the whole process of the attack.
For example, the single-step attack behaviors at the different stages of a composite attack such as an EternalBlue attack are: IP scanning, aimed at obtaining the IP addresses of live hosts; port scanning, aimed at obtaining the ports opened on the target host; and firewall detection, aimed at detecting whether the firewall of the target host is on or off. If the firewall of the target host is detected to be off, the EternalBlue attack can be initiated.
In the invention, a compound attack generally comprises certain specific single-step attack steps, each of which depends on the outcome of the previous step, and the hidden Markov model (also referred to as the HMM model in the invention) can not only mine the relation between the attack steps, but also better describe the relation between the attack steps and the compound attack.
In one embodiment of the invention, the hidden Markov model is defined by $\lambda = \{M, N, \pi, A, B\}$. $M$ is the number of distinct security states of the host, $S = \{S_1, S_2, \ldots, S_M\}$ and $q_t \in \{S_1, S_2, \ldots, S_M\}$, where $S$ is the finite set of states. $N$ is the number of alarm event categories, $O = \{o_1, o_2, \ldots, o_N\}$ and $v_t \in \{o_1, o_2, \ldots, o_N\}$, where $O$ is the set of observed values for the different states. $\pi$ is the initial state distribution of the host, written $\pi = \{\pi_i\}$ with $\pi_i = p(q_1 = S_i)$, the initial probability of each state. $A$ is the state transition matrix of the host, written $A = (a_{ij})_{M \times N}$ with $a_{ij} = p(q_{t+1} = S_j \mid q_t = S_i)$, $i, j = 1, 2, 3, \ldots, M$. $B$ is the observation probability matrix, which gives the probability that the system is in a certain state when a certain observation value is observed; $B = (b_{ik})_{M \times N}$ with $b_{ik} = p(v_t = o_k \mid q_t = S_i)$, $1 \le i \le M$, $1 \le k \le N$, and the probability that observation $o_k$ occurs while the system is in state $S_i$ is independent of the time of occurrence.
Assumptions of the invention regarding the HMM model:
the current state depends only on the previous state:
$p(q_{t+1} \mid q_t, q_{t-1}, \ldots, q_1, o_t, o_{t-1}, \ldots, o_1) = p(q_{t+1} \mid q_t)$
the current output depends only on the current state:
$p(o_t \mid q_t, q_{t-1}, \ldots, q_1, o_{t-1}, \ldots, o_1) = p(o_t \mid q_t)$
Fig. 2 is a second flowchart of the method for predicting a composite attack based on an improved hidden Markov model according to an embodiment of the present invention. As shown in Fig. 2, in an embodiment of the present invention, the method further includes steps S201 to S202.
Step S201: a training sample is obtained, wherein the training sample is a single-step attack sequence sample marked with a composite attack and the occurrence probability of the composite attack.
Step S202: a preset hidden Markov model is trained according to the training sample to obtain a trained hidden Markov model, and the parameters of the model are optimized by adopting a Forward-Backward algorithm and a Baum-Welch algorithm during training.
In a specific embodiment of the invention, $p(o \mid \lambda)$ is the occurrence probability of the compound attack, and the Forward-Backward algorithm is used to adjust the parameters $\pi$, $A$ and $B$ of the HMM model so that $p(o \mid \lambda)$ is calculated more accurately and quickly.
Specifically, for a given single-step attack sequence (i.e. alarm information sequence) $o = \{x_1, x_2, \ldots, x_T\}$, the Forward-Backward algorithm calculates the occurrence probability of the sequence, $p(o \mid \lambda)$. The calculation proceeds as follows:
Figure BDA0003272305360000061
Figure BDA0003272305360000062
$p(o, X \mid \lambda) = p(o \mid X, \lambda)\, p(X \mid \lambda)$
Figure BDA0003272305360000063
In one embodiment of the invention, the Baum-Welch algorithm is used to optimize $\pi$, $a_{ij}$ and $b_j$ of the HMM model and obtain a locally optimal solution. Given a single-step attack sequence $o = \{x_1, x_2, \ldots, x_t\}$, the compound attack with the maximum occurrence probability is obtained. The transition probability from $i$ to $j$ is defined as $\xi_t(i, j)$,
Figure BDA0003272305360000064
denotes the probability of being in state $S_i$ at time $t$,
Figure BDA0003272305360000065
denotes the expected number of transitions out of state $S_i$ over the whole process,
Figure BDA0003272305360000066
denotes the expected number of transitions from $S_i$ to $S_j$; $\xi_t(i, j)$ is the probability that the hidden Markov chain is in state $i$ at time $t$ and in state $j$ at time $t+1$. Where:
Figure BDA0003272305360000067
Figure BDA0003272305360000068
denotes the probability of being in state $S_i$ at time $t$.
$\pi_i = \gamma_1(i)$
Figure BDA0003272305360000069
$a_{ij}$ denotes the probability that the system, being in state $S_i$ at time $t$, transitions to state $S_j$ at the next time step.
Figure BDA0003272305360000071
In an embodiment of the present invention, after the hidden Markov model is trained, for a given single-step attack sequence (i.e. a sequence of alarm messages) $o = \{x_1, x_2, \ldots, x_T\}$ the hidden Markov model calculates the probability $p(o \mid \lambda)$ of the composite attack with the following formula:
Figure BDA0003272305360000072
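As an added illustration of the $\lambda = \{M, N, \pi, A, B\}$ model, the Forward-Backward computation of $p(o \mid \lambda)$ and the Baum-Welch re-estimation from $\gamma_t(i)$ and $\xi_t(i, j)$ described above (example code, not the patent's own implementation), the following Python builds a toy HMM whose hidden states are composite-attack stages and whose observations are alert categories. The stage names, alert categories and every probability are constructed values, the brute-force path sum $\sum_X p(o \mid X, \lambda)\,p(X \mid \lambda)$ is included only as a check on the forward recursion, and the annealing step of the text is not implemented.

```python
"""Forward-Backward and Baum-Welch for an alert-sequence HMM (constructed toy model)."""
import itertools

# Constructed toy model: M = 3 hidden stages, N = 3 alert categories (assumed names).
STATES = ["recon", "foothold", "impact"]                    # S_1 .. S_M
ALERTS = ["port_scan", "exploit_attempt", "lateral_move"]   # o_1 .. o_N

PI = [0.8, 0.15, 0.05]                 # pi_i = p(q_1 = S_i)
A = [[0.60, 0.35, 0.05],               # a_ij = p(q_{t+1} = S_j | q_t = S_i)
     [0.10, 0.60, 0.30],
     [0.05, 0.15, 0.80]]
B = [[0.70, 0.25, 0.05],               # b_ik = p(v_t = o_k | q_t = S_i)
     [0.20, 0.60, 0.20],
     [0.05, 0.25, 0.70]]


def forward(pi, a, b, obs):
    """alpha[t][i] = p(o_1..o_t, q_t = S_i | lambda); returns (alpha, p(o | lambda))."""
    m = len(pi)
    alpha = [[pi[i] * b[i][obs[0]] for i in range(m)]]
    for t in range(1, len(obs)):
        prev = alpha[-1]
        alpha.append([sum(prev[i] * a[i][j] for i in range(m)) * b[j][obs[t]]
                      for j in range(m)])
    return alpha, sum(alpha[-1])


def backward(a, b, obs):
    """beta[t][i] = p(o_{t+1}..o_T | q_t = S_i, lambda), with beta[T-1][i] = 1."""
    m = len(a)
    beta = [[1.0] * m]
    for t in range(len(obs) - 2, -1, -1):
        nxt = beta[0]
        beta.insert(0, [sum(a[i][j] * b[j][obs[t + 1]] * nxt[j] for j in range(m))
                        for i in range(m)])
    return beta


def sequence_probability(pi, a, b, obs):
    """p(o | lambda) for an observation index sequence, via the forward pass."""
    return forward(pi, a, b, obs)[1]


def brute_force_probability(pi, a, b, obs):
    """Check: sum p(o, X | lambda) = p(o | X, lambda) p(X | lambda) over every hidden path X."""
    m, total = len(pi), 0.0
    for path in itertools.product(range(m), repeat=len(obs)):
        p = pi[path[0]] * b[path[0]][obs[0]]
        for t in range(1, len(obs)):
            p *= a[path[t - 1]][path[t]] * b[path[t]][obs[t]]
        total += p
    return total


def baum_welch_step(pi, a, b, obs):
    """One EM re-estimation of (pi, A, B) from gamma_t(i) and xi_t(i, j)."""
    m, n, T = len(pi), len(b[0]), len(obs)
    alpha, p_o = forward(pi, a, b, obs)
    beta = backward(a, b, obs)
    # gamma_t(i): probability of being in S_i at time t given the whole sequence
    gamma = [[alpha[t][i] * beta[t][i] / p_o for i in range(m)] for t in range(T)]
    # xi_t(i, j): in S_i at time t and in S_j at time t+1
    xi = [[[alpha[t][i] * a[i][j] * b[j][obs[t + 1]] * beta[t + 1][j] / p_o
            for j in range(m)] for i in range(m)] for t in range(T - 1)]
    new_pi = gamma[0][:]                                        # pi_i = gamma_1(i)
    new_a = [[sum(xi[t][i][j] for t in range(T - 1))            # expected S_i -> S_j jumps
              / sum(gamma[t][i] for t in range(T - 1))          # expected exits from S_i
              for j in range(m)] for i in range(m)]
    new_b = [[sum(gamma[t][i] for t in range(T) if obs[t] == k)
              / sum(gamma[t][i] for t in range(T))
              for k in range(n)] for i in range(m)]
    return new_pi, new_a, new_b


def score_alert_sequence(model, alert_names):
    """Map alarm category names to observation indices and return p(o | lambda)."""
    pi, a, b = model
    return sequence_probability(pi, a, b, [ALERTS.index(x) for x in alert_names])


def most_likely_stage(model, alert_names):
    """Stage with the highest posterior gamma_T(i) after the last alert."""
    pi, a, b = model
    alpha, p_o = forward(pi, a, b, [ALERTS.index(x) for x in alert_names])
    last = [v / p_o for v in alpha[-1]]
    return STATES[max(range(len(last)), key=last.__getitem__)]


if __name__ == "__main__":
    # Constructed alarm sequence from an IDS, already mapped to alert categories.
    seq = ["port_scan", "port_scan", "exploit_attempt", "lateral_move", "lateral_move"]
    model = (PI, A, B)
    print("p(o|lambda) =", score_alert_sequence(model, seq))
    print("current stage:", most_likely_stage(model, seq))
    for _ in range(10):                        # a few Baum-Welch iterations
        model = baum_welch_step(*model, [ALERTS.index(x) for x in seq])
    print("after training:", score_alert_sequence(model, seq))
```

Each Baum-Welch step cannot lower $p(o \mid \lambda)$ on the training sequence, which is exactly why the text pairs it with annealing to escape the local optimum it converges to.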
In an embodiment of the present invention, training the preset hidden Markov model according to the training samples in step S202 includes:
during training, the compound attack corresponding to the training sample is determined through the Baum-Welch algorithm, and the probability of the attack corresponding to the training sample is determined through the Forward-Backward algorithm.
In an embodiment of the present invention, training the preset hidden Markov model according to the training samples in step S202 includes: during training, an annealing algorithm is adopted to prevent the training from entering a local optimal solution.
In the invention, an annealing algorithm is introduced to address the problem that training a hidden Markov model with the Baum-Welch algorithm easily falls into a local optimal solution. With the annealing algorithm, the solution obtained so far can be left probabilistically, so that the training does not get stuck in a local optimum.
In an embodiment of the present invention, before step S101, the compound attack prediction method based on an improved hidden Markov model further includes:
acquiring an alarm information sequence;
and generating a single-step attack sequence according to the alarm information sequence.
From the above embodiments, the present invention deeply analyzes the attack characteristics and attack steps of compound attacks and proposes a compound attack prediction method based on an improved hidden Markov model, which predicts the currently detected events by introducing the Baum-Welch algorithm. Potential hidden dangers caused by missed alarms can be found in time, and unnecessary reactions to false alarms are reduced. Compared with other detection methods, the improved hidden Markov model requires little computation and has high practical value. Experimental calculation shows that the improved hidden Markov model performs better when the alarm information contains false alarms. The invention achieves at least the following beneficial effects:
1. the method applies the improved hidden Markov model to the prediction of the attack occurrence probability, and improves the accuracy of the prediction of the attack occurrence probability.
2. According to the method, the configuration parameters of the evaluation model are optimized through the Baum-Welch algorithm, the security situation of the whole network is obtained through quantitative analysis, and the parameters of the HMM model are optimized, so that the calculation of the attack prediction probability is more accurate, and the occurrence frequency of false alarms is reduced.
It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system such as a set of computer-executable instructions and that, although a logical order is illustrated in the flowcharts, in some cases, the steps illustrated or described may be performed in an order different than presented herein.
Based on the same inventive concept, the embodiment of the present invention further provides a composite attack prediction apparatus based on an improved hidden Markov model, which can be used to implement the composite attack prediction method based on an improved hidden Markov model described in the foregoing embodiment, as described in the following embodiment. Since the principle by which the composite attack prediction apparatus solves the problem is similar to that of the composite attack prediction method, the embodiment of the apparatus may refer to the embodiment of the method, and repeated details are not repeated. As used hereinafter, the term "unit" or "module" may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
Fig. 3 is a first block diagram of a composite attack prediction apparatus based on an improved hidden Markov model according to an embodiment of the present invention. As shown in Fig. 3, the composite attack prediction apparatus based on an improved hidden Markov model according to an embodiment of the present invention includes:
the single-step attack sequence acquisition module 1 is used for acquiring a single-step attack sequence;
and the compound attack prediction module 2 is used for inputting the single-step attack sequence into a trained hidden Markov model to obtain the occurrence probability of the compound attack, wherein the hidden Markov model determines the corresponding compound attack according to the single-step attack sequence to further determine the occurrence probability of the corresponding compound attack, and the hidden Markov model adopts a Forward-Backward algorithm and a Baum-Welch algorithm for parameter optimization during training.
Fig. 4 is a second block diagram of a composite attack prediction apparatus based on an improved hidden Markov model according to an embodiment of the present invention. As shown in Fig. 4, the composite attack prediction apparatus based on an improved hidden Markov model according to an embodiment of the present invention further includes:
a training sample obtaining module 3, configured to obtain a training sample, where the training sample is a single-step attack sequence sample in which a composite attack and an occurrence probability of the composite attack are marked;
and the model training module 4 is used for training a preset hidden Markov model according to the training samples to obtain the trained hidden Markov model, and during training, the Forward-Backward algorithm and the Baum-Welch algorithm are adopted to optimize the parameters of the model.
In an embodiment of the present invention, the model training module is further configured to prevent the training from entering a local optimal solution by using an annealing algorithm during training.
In an embodiment of the invention, the model training module is further configured to determine, during training, the composite attack corresponding to the training sample through the Baum-Welch algorithm, and to determine the probability of the attack corresponding to the training sample through the Forward-Backward algorithm.
In an embodiment of the present invention, the apparatus for predicting a composite attack based on an improved hidden Markov model further includes:
the alarm information sequence acquisition module is used for acquiring an alarm information sequence;
and the single-step attack sequence generation module is used for generating a single-step attack sequence according to the alarm information sequence.
To achieve the above object, according to another aspect of the present application, there is also provided a computer apparatus. As shown in fig. 5, the computer device comprises a memory, a processor, a communication interface and a communication bus, wherein a computer program that can be run on the processor is stored in the memory, and the steps of the method of the above embodiment are realized when the processor executes the computer program.
The processor may be a Central Processing Unit (CPU). The processor may also be another general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or a combination thereof.
The memory, which is a non-transitory computer readable storage medium, may be used to store non-transitory software programs, non-transitory computer executable programs, and units, such as the corresponding program units in the above-described method embodiments of the present invention. The processor executes various functional applications of the processor and the processing of the work data by executing the non-transitory software programs, instructions and modules stored in the memory, that is, the method in the above method embodiment is realized.
The memory may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created by the processor, and the like. Further, the memory may include high speed random access memory, and may also include non-transitory memory, such as at least one disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory optionally includes memory located remotely from the processor, and such remote memory may be coupled to the processor via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The one or more units are stored in the memory and when executed by the processor perform the method of the above embodiments.
The specific details of the computer device may be understood by referring to the corresponding related descriptions and effects in the above embodiments, and are not described herein again.
In order to achieve the above object, according to another aspect of the present application, there is also provided a computer-readable storage medium storing a computer program which, when executed in a computer processor, implements the steps of the above-mentioned method for predicting a composite attack based on an improved hidden Markov model. It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium and, when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a flash memory, a Hard Disk Drive (HDD) or a Solid State Drive (SSD), etc.; the storage medium may also comprise a combination of memories of the kinds described above.
It will be apparent to those skilled in the art that the modules or steps of the present invention described above may be implemented by a general purpose computing device, they may be centralized on a single computing device or distributed across a network of multiple computing devices, and they may alternatively be implemented by program code executable by a computing device, such that they may be stored in a storage device and executed by a computing device, or fabricated separately as individual integrated circuit modules, or fabricated as a single integrated circuit module from multiple modules or steps. Thus, the present invention is not limited to any specific combination of hardware and software.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A composite attack prediction method based on an improved hidden markov model, comprising:
acquiring a single-step attack sequence;
inputting the single-step attack sequence into a trained hidden Markov model to obtain the occurrence probability of the compound attack, wherein the hidden Markov model determines the corresponding compound attack according to the single-step attack sequence to further determine the occurrence probability of the corresponding compound attack, and the hidden Markov model adopts a Forward-Backward algorithm and a Baum-Welch algorithm to carry out parameter optimization during training.
2. The improved hidden markov model based compound attack prediction method of claim 1, further comprising:
acquiring a training sample, wherein the training sample is a single-step attack sequence sample marked with a composite attack and the occurrence probability of the composite attack;
and training a preset hidden Markov model according to the training sample to obtain a trained hidden Markov model, and optimizing parameters of the model by adopting a Forward-Backward algorithm and a Baum-Welch algorithm during training.
3. The method according to claim 2, wherein the training of the hidden markov model according to the training samples comprises:
during training, the composite attack corresponding to the training sample is determined through the Baum-Welch algorithm, and the occurrence probability of the composite attack corresponding to the training sample is determined through the Forward-Backward algorithm.
4. The method according to claim 3, wherein the training of the hidden Markov model according to the training samples further comprises:
during training, an annealing algorithm is adopted to prevent the training from entering a local optimal solution.
5. The improved hidden markov model based compound attack prediction method of claim 1, further comprising:
acquiring an alarm information sequence;
and generating a single-step attack sequence according to the alarm information sequence.
6. A composite attack prediction apparatus based on an improved hidden markov model, comprising:
the single-step attack sequence acquisition module is used for acquiring a single-step attack sequence;
and the compound attack prediction module is used for inputting the single-step attack sequence into a trained hidden Markov model to obtain the occurrence probability of the compound attack, wherein the hidden Markov model determines the corresponding compound attack according to the single-step attack sequence to further determine the occurrence probability of the corresponding compound attack, and the hidden Markov model adopts a Forward-Backward algorithm and a Baum-Welch algorithm to carry out parameter optimization during training.
7. The hidden markov model-based compound attack prediction device of claim 6, further comprising:
the system comprises a training sample acquisition module, a training sample acquisition module and a training sample acquisition module, wherein the training sample is a single-step attack sequence sample for marking out a composite attack and the occurrence probability of the composite attack;
and the model training module is used for training a preset hidden Markov model according to the training samples to obtain the trained hidden Markov model, and during training, the Forward-Backward algorithm and the Baum-Welch algorithm are adopted to optimize the parameters of the model.
8. The improved hidden markov model based compound attack prediction device of claim 7, wherein the model training module is further configured to employ an annealing algorithm during training to prevent the training from being trapped in a locally optimal solution.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of any of claims 1 to 5 when executing the computer program.
10. A computer-readable storage medium, in which a computer program is stored which, when executed in a computer processor, implements the method of any one of claims 1 to 5.
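As an added worked example that is not part of the patent, the Forward-Backward scoring and one Baum-Welch re-estimation step from claims 1 to 3, written in pure Python over a constructed three-stage model. The stage names, single-step attack types and every probability below are assumptions chosen for illustration, and the annealing step of claim 4 is not included.

```python
# Added example, not the patent's code: a small HMM in which the hidden states are
# constructed composite-attack stages and the observations are single-step attack types
# derived from alerts. Forward-Backward scores a sequence; Baum-Welch re-estimates parameters.
STATES = ["recon", "exploit", "lateral"]                    # constructed hidden stages
OBS = ["port_scan", "brute_force", "priv_esc", "smb_conn"]  # constructed single-step attacks
# Constructed initial parameters: PI (start), A (stage transitions), B (step emissions).
PI = [0.8, 0.15, 0.05]
A = [[0.6, 0.3, 0.1], [0.1, 0.6, 0.3], [0.05, 0.15, 0.8]]
B = [[0.7, 0.2, 0.05, 0.05], [0.1, 0.5, 0.3, 0.1], [0.05, 0.1, 0.15, 0.7]]

def encode(steps):
    """Map single-step attack names (as produced from an alert sequence) to indices."""
    return [OBS.index(s) for s in steps]

def forward(seq, pi, a, b):
    """alpha[t][i] = P(o_1..o_t, stage_t = i)."""
    n = len(pi)
    alpha = [[pi[i] * b[i][seq[0]] for i in range(n)]]
    for o in seq[1:]:
        prev = alpha[-1]
        alpha.append([sum(prev[j] * a[j][i] for j in range(n)) * b[i][o] for i in range(n)])
    return alpha

def backward(seq, a, b):
    """beta[t][i] = P(o_{t+1}..o_T | stage_t = i), filled from the end of the sequence."""
    n = len(a)
    beta = [[1.0] * n]
    for o in reversed(seq[1:]):
        nxt = beta[0]
        beta.insert(0, [sum(a[i][j] * b[j][o] * nxt[j] for j in range(n)) for i in range(n)])
    return beta

def sequence_probability(seq, pi=PI, a=A, b=B):
    """P(single-step attack sequence | model), the score used to rate a composite attack."""
    return sum(forward(seq, pi, a, b)[-1])

def baum_welch_step(seq, pi, a, b):
    """One EM re-estimation of (PI, A, B) from a sequence; likelihood never decreases."""
    n, m, T = len(pi), len(b[0]), len(seq)
    alpha, beta = forward(seq, pi, a, b), backward(seq, a, b)
    p = sum(alpha[-1])                      # same value as sum_i alpha[0][i]*beta[0][i]
    gamma = [[alpha[t][i] * beta[t][i] / p for i in range(n)] for t in range(T)]
    xi = [[[alpha[t][i] * a[i][j] * b[j][seq[t + 1]] * beta[t + 1][j] / p for j in range(n)]
           for i in range(n)] for t in range(T - 1)]
    new_a = [[sum(xi[t][i][j] for t in range(T - 1)) / sum(gamma[t][i] for t in range(T - 1))
              for j in range(n)] for i in range(n)]
    new_b = [[sum(gamma[t][i] for t in range(T) if seq[t] == k) / sum(gamma[t][i] for t in range(T))
              for k in range(m)] for i in range(n)]
    return gamma[0], new_a, new_b
```

Repeating `baum_welch_step` until the sequence probability stops rising is the plain EM loop; the claims' annealing addition would perturb the parameters between iterations to escape a local optimum.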
CN202111105948.XA 2021-09-22 2021-09-22 Composite attack prediction method and device based on improved hidden Markov model Pending CN113822355A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111105948.XA CN113822355A (en) 2021-09-22 2021-09-22 Composite attack prediction method and device based on improved hidden Markov model

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111105948.XA CN113822355A (en) 2021-09-22 2021-09-22 Composite attack prediction method and device based on improved hidden Markov model

Publications (1)

Publication Number Publication Date
CN113822355A true CN113822355A (en) 2021-12-21

Family

ID=78915092

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111105948.XA Pending CN113822355A (en) 2021-09-22 2021-09-22 Composite attack prediction method and device based on improved hidden Markov model

Country Status (1)

Country Link
CN (1) CN113822355A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114978617A (en) * 2022-05-06 2022-08-30 国网湖北省电力有限公司信息通信公司 Network attack threat statistical judgment method based on Markov process learning model
CN115021983A (en) * 2022-05-20 2022-09-06 北京信息科技大学 Penetration path determination method and system based on absorption Markov chain
CN115174208A (en) * 2022-07-04 2022-10-11 中国银行股份有限公司 Multi-step attack detection method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170046519A1 (en) * 2015-08-12 2017-02-16 U.S Army Research Laboratory ATTN: RDRL-LOC-I Methods and systems for defending cyber attack in real-time
CN107070852A (en) * 2016-12-07 2017-08-18 东软集团股份有限公司 Network attack detecting method and device
CN112866292A (en) * 2021-03-04 2021-05-28 哈尔滨安天科技集团股份有限公司 Attack behavior prediction method and device for multi-sample combination attack
WO2021179715A1 (en) * 2020-10-21 2021-09-16 平安科技(深圳)有限公司 Hidden markov model-based resignation prediction method and related device

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
杨建军 (Yang Jianjun): "Introduction to Scientific Research Methods", National Defense Industry Press, pages: 253 *
段峰 (Duan Feng), ed.: "Intelligent Robot Development and Practice", 31 May 2021, China Machine Press, pages: 180 - 184 *
耿仕勋 (Geng Shixun): "Research on a Composite Attack Prediction Method Based on Hidden Markov Models", China Master's Theses Full-text Database (Electronic Journal), Information Science and Technology Series, vol. 2018, no. 07, pages 5 - 7 *
肖秦琨 (Xiao Qinkun) et al.: "Dynamic Bayesian Network Inference and Learning: Theory and Applications", 31 October 2007, National Defense Industry Press, pages: 253 - 54 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114978617A (en) * 2022-05-06 2022-08-30 国网湖北省电力有限公司信息通信公司 Network attack threat statistical judgment method based on Markov process learning model
CN114978617B (en) * 2022-05-06 2023-08-08 国网湖北省电力有限公司信息通信公司 Network attack threat statistics judgment method based on Markov process learning model
CN115021983A (en) * 2022-05-20 2022-09-06 北京信息科技大学 Penetration path determination method and system based on absorption Markov chain
CN115021983B (en) * 2022-05-20 2023-06-06 北京信息科技大学 Permeation path determining method and system based on absorption Markov chain
CN115174208A (en) * 2022-07-04 2022-10-11 中国银行股份有限公司 Multi-step attack detection method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination