CN114363082A - Network attack detection method, device, equipment and computer readable storage medium - Google Patents


Info

Publication number: CN114363082A
Authority: CN (China)
Prior art keywords: clustering, user data, network, users, risk
Legal status: Granted
Application number: CN202210031454.XA
Other languages: Chinese (zh)
Other versions: CN114363082B (en)
Inventors: 赵安宁, 徐孙杰, 吕兴
Current assignee: Nanchang Home Technology Co ltd
Original assignee: Ping An Puhui Enterprise Management Co Ltd
Events: application CN202210031454.XA filed by Ping An Puhui Enterprise Management Co Ltd; priority claimed from CN202210031454.XA; publication of CN114363082A; application granted; publication of CN114363082B; legal status active; anticipated expiration

Abstract

The application belongs to the field of network security and provides a network attack detection method, apparatus, device and computer-readable storage medium. The method comprises: acquiring user data from network access records; clustering the users accessing the network according to the user data; determining the risk factors of the clustered users from the result of the clustering calculation; acquiring a risk score for the clustering result determined on the basis of the risk factors, and training a preset supervised scoring model with the clustering result and the corresponding risk score; and performing network attack detection with the trained supervised scoring model. Dependence on expert business experience is thereby reduced, risk assessment and attack detection are performed proactively on the clustered users, and the detection of organized (gang) fraud is improved.

Description

Network attack detection method, device, equipment and computer readable storage medium
Technical Field
The present application relates to the field of network security, and in particular, to a method, an apparatus, a device, and a computer-readable storage medium for detecting a network attack.
Background
With the development of basic communication technology, the mobile internet, the internet of things, the industrial internet, the energy internet, vehicle networks and the like will change the business forms of all enterprises and accelerate entry into a comprehensively networked era. As the online services provided by enterprises become more complex and diversified, they are also exposed to external illegal users, and the systems behind them may be attacked by such users.
Current attack countermeasures typically include: interception rules summarized from past handling experience; preset blacklists and whitelists, for example of IP addresses or devices; or a supervised risk-control model trained on collected historical samples, with risk-control monitoring based on the trained model. Although such risk-control monitoring detects risk to a certain extent, it depends excessively on expert business experience, its fraud prevention is passive, and its detection of organized (gang) fraud is poor.
Disclosure of Invention
In view of this, embodiments of the present application provide a network attack detection method, apparatus, device and computer-readable storage medium, so as to solve the problems of the prior art that network attack detection relies excessively on expert business experience, that fraud prevention is passive, and that the detection of organized (gang) fraud is poor.
A first aspect of an embodiment of the present application provides a network attack detection method, where the method includes:
acquiring user data in a network access record;
clustering users accessing the network according to the user data;
determining risk factors included by the clustered users according to the result of the clustering calculation;
acquiring a risk score of a clustering result determined based on the risk factor, and training a preset supervised score model according to the clustering result and the corresponding risk score;
and carrying out network attack detection according to the trained supervised scoring model.
With reference to the first aspect, in a first possible implementation manner of the first aspect, clustering users accessing the network according to the user data includes:
determining the characteristic weight corresponding to the user data;
and calculating the similarity of user data according to the characteristic weight, and clustering the users according to the similarity.
With reference to the first aspect, in a second possible implementation manner of the first aspect, clustering users accessing the network according to the user data includes:
selecting a preset number of data categories to determine local data according to the data categories included in the user data;
and calculating the similarity of the users according to the local data, and clustering the users according to the similarity.
With reference to the first aspect, in a third possible implementation manner of the first aspect, clustering users accessing the network according to the user data includes:
determining the position of a user according to the IP address in the user data;
determining the distance between users according to the positions;
and determining the cluster to which the user belongs according to the distance and by combining a preset distance threshold.
With reference to the first aspect, in a fourth possible implementation manner of the first aspect, the determining, according to a result of the cluster calculation, a risk factor included in a clustered user includes:
acquiring clustering scores of different parameters of clustered users included in a clustering result, wherein the clustering scores are determined according to similarity and characteristic weight of the parameters;
and determining the risk factors included by the clustered users according to the clustering scores of the parameters.
With reference to the first aspect, in a fifth possible implementation manner of the first aspect, the training a preset supervised scoring model according to the clustering result and the corresponding risk score includes:
inputting the clustering result into a preset supervised scoring model to obtain a calculation score output by the supervised scoring model;
and determining the difference between the calculated score and the risk score corresponding to the clustering result, and adjusting the parameters of the supervised scoring model according to the difference until the difference between the calculated score output by the supervised model and the corresponding risk score meets the preset requirement to obtain the trained supervised scoring model.
With reference to the first aspect, in a sixth possible implementation manner of the first aspect, the performing network attack detection according to the trained supervised scoring model includes:
acquiring user data in a network access record;
clustering users accessing the network according to the user data;
and inputting the clustering result into the trained supervised scoring model to obtain a risk score corresponding to the clustering result, and determining whether the network access is a network attack or not according to the risk score.
A second aspect of an embodiment of the present application provides a network attack detection apparatus, where the apparatus includes:
the user data acquisition unit is used for acquiring user data in the network access record;
the user clustering unit is used for clustering the users accessing the network according to the user data;
the risk factor determining unit is used for determining the risk factors included by the clustered users according to the result of the clustering calculation;
the model training unit is used for acquiring the risk score of the clustering result determined based on the risk factor and training a preset supervised score model according to the clustering result and the corresponding risk score;
and the attack detection unit is used for carrying out network attack detection according to the trained supervised scoring model.
A third aspect of embodiments of the present application provides a network attack detection device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and when the processor executes the computer program, the processor implements the steps of the method according to any one of the first aspect.
A fourth aspect of embodiments of the present application provides a computer-readable storage medium, in which a computer program is stored, which, when executed by a processor, performs the steps of the method according to any one of the first aspect.
Compared with the prior art, the embodiments of the application have the following advantages: the user data obtained from the network access records is clustered, the risk factors of the clustered users are determined, the risk score of the clustering result determined on the basis of the risk factors is obtained, a supervised scoring model is trained with the clustering results and the corresponding risk scores, and network attack detection is performed with the trained supervised scoring model. Dependence on expert business experience is thereby reduced, risk assessment and attack detection are performed proactively on the clustered users, and the detection of organized (gang) fraud is improved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the embodiments or the prior art descriptions will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive exercise.
Fig. 1 is a schematic diagram of an implementation scenario of network attack detection provided in an embodiment of the present application;
fig. 2 is a schematic flow chart illustrating an implementation of a network attack detection method according to an embodiment of the present application;
fig. 3 is a schematic flow chart illustrating an implementation of a supervised scoring model training method according to an embodiment of the present disclosure;
fig. 4 is a schematic flow chart illustrating an implementation process of network attack detection according to a supervised scoring model according to an embodiment of the present application;
fig. 5 is a schematic diagram of a network attack detection apparatus according to an embodiment of the present application;
fig. 6 is a schematic diagram of a network attack detection device according to an embodiment of the present application.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth, such as particular system structures, techniques, etc. in order to provide a thorough understanding of the embodiments of the present application. It will be apparent, however, to one skilled in the art that the present application may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present application with unnecessary detail.
In order to explain the technical solution described in the present application, the following description will be given by way of specific examples.
At present, network attack detection generally relies on interception rules summarized from past handling experience, on preset blacklists and whitelists (for example of IP addresses or devices), or on a supervised risk-control model trained on collected historical samples, with risk-control monitoring based on the trained model. Such monitoring usually requires the blacklist, whitelist or interception rules to be set on the basis of expert business experience, so the demands on the business experience of the staff constructing them are high; once constructed, they do not easily surface new attack information on their own, so the fraud prediction mode is passive. In addition, attack detection based on interception rules or on blacklists and whitelists does not help to discover organized attack groups, and its detection effect on them is poor.
Based on the above problems, an embodiment of the present application provides a network attack detection method, and as shown in fig. 1, an implementation scenario diagram of the network attack detection method provided by the embodiment of the present application is provided. As shown in fig. 1, the implementation scenario includes an online platform and an online terminal. The online platform can provide business services for users through a network interface. For example, the online platform may provide the business service for the user in the form of a web page through the interface, or provide the business service for the user in the form of an APP. The online terminal may include an online terminal 1, an online terminal 2 … …, and the online terminal may input data to be uploaded by a user or browse desired data or files through a web interface provided by the online platform or an APP interface provided by the online platform. When an illegal user performs an illegal attack through an interface provided by the online platform, the online platform may be crashed or data errors may occur, which is not favorable for improving the reliability and security of the online platform.
Fig. 2 is a schematic view of an implementation flow of a network attack detection method provided in an embodiment of the present application, where an execution subject of the network attack detection method may be an online platform or an online system, and may also be a specially-configured network attack detection server. As shown in fig. 2, the method includes:
in S201, user data in the network access record is acquired.
In the embodiment of the application, the system for executing the network attack detection method can provide business service for enterprises through online channels. When an enterprise provides services for users through an online channel, the online business is also exposed to illegal users. Therefore, an illegal user may launch a network attack on the system using the access interface provided by the online service. In order to ensure the reliability of system operation, it is necessary to detect a network attack initiated by an illegal user, so as to improve the security of a system providing an online service.
The user data in the network access record in the embodiment of the present application may be data related to the user detected by the system when the user accesses the online platform. For example, the user data may include an IP address of the user, an account number of the user, a password of the user, device information of the user, mobile phone number information of the user, and the like.
The IP address of the user may include the IP address currently used by the user and IP addresses used historically. The device information of the user includes the device currently in use and the devices recorded in the user's historical access records; it may include the type of device, the operating system of the device, the system version and the like. The user data may be structured or unstructured. The mobile phone number information may comprise the number segment to which the user's mobile phone number belongs.
In S202, according to the user data, clustering is performed on users accessing the network.
In the embodiment of the present application, a plurality of data may be included for the user data of each user. For example, the user data may include an IP address of the user, an account number of the user, a password of the user, device information of the user, mobile phone number information of the user, and the like. Each user corresponds to a plurality of data, i.e. each user may correspond to an array. After the system respectively acquires the user data corresponding to the plurality of users, the array corresponding to the plurality of users can be determined. For example, the corresponding array of users may be: [ IP address of user, account number of user, password of user, device information of user, mobile phone number information of user ].
In the embodiment of the application, for the determined plurality of user data or arrays, an unsupervised learning method may be adopted to perform cluster calculation on the user data or arrays respectively corresponding to the plurality of users to obtain one or more clusters. One cluster may be a cluster belonging to the same number segment, or may be a cluster of the same IP address, or a cluster of IP addresses of the same area.
The unsupervised learning method adopted in the embodiment of the application may include, but is not limited to, a K-means clustering algorithm, a spectral clustering algorithm, or a principal component analysis method.
For example, when the K-means clustering algorithm is used, K initial points (whose dimension may equal the dimension of the user data) are chosen as central points, and the distance between the point corresponding to each array and each central point is calculated (similarity may equally be used). Each array is compared with the K central points, giving K distances, and the array (i.e. the user data) is assigned to the closest central point. After this pass, each central point has one or more arrays assigned to it. The mean of the arrays assigned to each central point is calculated and taken as the new central point, the distance from each array to the new central points is recalculated, and each array is reassigned to its closest central point; the iteration is repeated until the result converges, or for a preset number of iterations, to obtain the clustering result for the user data.
In a possible implementation manner of the application, when clustering is performed on the user data, part of the category data in the user data can be selected for clustering calculation, so that the characteristics of illegal groups can be determined more accurately from different sides. The partial categories may be any number of categories less than the total number of categories of user data. For example, when the total number of categories is 10, the partial categories may be any 1, 2, … … 9, etc. of the 10 categories. By clustering different amounts of data of the categories, the group characteristics can be found more accurately.
For example, the mobile phone number information in the user data may be clustered, the user accounts in the user data may be clustered, or the user accounts and the user passwords in the user data may be clustered, so as to obtain the similarity of the user data obtained in different dimensions, and the clustering result may be determined according to the similarity of the user data. And correspondingly determining the group information of different dimensions based on the clustering results of different dimensions.
Or, in a possible implementation manner, a distance threshold (or a similarity threshold) of the clustering may be preset, and the number of the central points required in the actual partitioning process is determined according to the set distance threshold, so that the clustering result can be determined more accurately.
For example, a distance threshold may be preset. And determining the position of the user based on the corresponding relation between the IP address and the position according to the IP address in the acquired user data. From the determined positions of the users, the distance between the users is calculated. The calculated distance between users is compared with a preset distance threshold, if the distance between one user and any user in the cluster is greater than the preset distance threshold, it is determined that the user does not belong to the cluster, the distances between the user and users in other clusters can be calculated to classify the user into other clusters, or it is determined that the user does not belong to other clusters.
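The following Python example is added here for illustration and is not part of the patent text. It implements the distance-threshold clustering just described: each user is located from its IP address, and a user joins a cluster only if it lies within the preset distance threshold of every member of that cluster, otherwise a new cluster is opened, so the number of clusters follows from the threshold rather than being chosen in advance. The IP-to-coordinate table, the access records and the thresholds are constructed for the example; a deployment would query a geolocation database, and the example also shows what happens to an address the database cannot locate.

```python
import math

# Constructed IP-to-coordinate table standing in for a geolocation database (assumption for this example).
# Documentation ranges (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24) are used so that no real host is named.
IP_LOCATIONS = {
    "203.0.113.10": (31.2304, 121.4737),  # three users in Shanghai
    "203.0.113.11": (31.2250, 121.4800),
    "203.0.113.12": (31.2400, 121.4600),
    "198.51.100.7": (39.9042, 116.4074),  # two users in Beijing
    "198.51.100.8": (39.9100, 116.4000),
    "192.0.2.44": (22.5431, 114.0579),    # one user in Shenzhen
}

# Constructed access records: (user, source IP). 10.0.0.5 is deliberately absent from the table.
ACCESS_RECORDS = [
    ("u1", "203.0.113.10"), ("u2", "203.0.113.11"), ("u3", "198.51.100.7"),
    ("u4", "203.0.113.12"), ("u5", "198.51.100.8"), ("u6", "192.0.2.44"),
    ("u7", "10.0.0.5"),
]

EARTH_RADIUS_KM = 6371.0


def haversine_km(p, q):
    """Great-circle distance in kilometres between two (lat, lon) pairs given in degrees."""
    lat1, lon1 = map(math.radians, p)
    lat2, lon2 = map(math.radians, q)
    a = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def cluster_by_distance(records, threshold_km, locate=IP_LOCATIONS.get):
    """Assign each user to the first cluster in which it is within threshold_km of every member,
    otherwise open a new cluster. The number of clusters is fixed by the threshold, not chosen in advance.
    Returns (clusters as lists of user ids, users whose IP could not be located)."""
    clusters = []   # each entry: list of (user, (lat, lon))
    unlocated = []
    for user, ip in records:
        pos = locate(ip)
        if pos is None:
            unlocated.append(user)  # private or unknown address: never silently merged into a cluster
            continue
        for cluster in clusters:
            if all(haversine_km(pos, member_pos) <= threshold_km for _, member_pos in cluster):
                cluster.append((user, pos))
                break
        else:
            clusters.append([(user, pos)])
    return [[user for user, _ in c] for c in clusters], unlocated


if __name__ == "__main__":
    for threshold in (5, 1500):
        groups, skipped = cluster_by_distance(ACCESS_RECORDS, threshold)
        print(f"threshold {threshold} km -> clusters {groups}, unlocated {skipped}")
```

With a 5 km threshold the block yields three city-level clusters and one unlocated user; with a 1500 km threshold the Shanghai and Beijing users merge while the Shenzhen user stays separate, because it is more than 1500 km from at least one member of the merged cluster. Keeping unlocated addresses out of every cluster is the check a practitioner wants here: an address the database cannot place should be handled by the other clustering dimensions, not grouped by a missing position.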
In the embodiment of the present application, when two or more categories of user data are used to calculate the clusters, different feature weights may be assigned to the different categories. For example, data in which attack features are more readily detected, such as the IP address and mobile phone number information, are assigned a higher feature weight, while the user account and user password, in which attack features are less readily detected, are assigned a lower feature weight. When the similarity score or the clustering score is calculated, the group initiating the network attack can then be determined more accurately on the basis of the different feature weights.
In S203, the risk factors included by the clustered users are determined according to the result of the clustering calculation.
After the clustering result of the user is determined according to the clustering algorithm, the clustering scores corresponding to different parameters can be determined according to the clustering scores of different parameters of the clustered user. The parameter with the largest clustering score or the predetermined number of parameters with larger clustering scores can be selected to determine the risk factor of the clustering result. The clustering score can be determined according to the similarity between the parameters of the users in the clustering result and the preset characteristic weight.
When single-category data is adopted for clustering, the parameters of the category can be directly determined to be risk factors according to the category of the parameters adopted by clustering calculation. For example, when clustering calculation is performed through mobile phone number information, a plurality of users belonging to the same number segment are clustered, and the risk factor corresponding to the clustering result is the mobile phone number information.
When two or more kinds of data are used for clustering calculation, the parameter type with the largest clustering score can be used as the risk factor of the clustering result according to the clustering calculation result. For example, when clustering calculation is performed through the mobile phone number information, the IP address, and the user account, and the clustering score of the mobile phone number information is the largest in the obtained first cluster, the mobile phone number information is used as the risk factor of the first cluster. And in the second clustering, if the clustering score of the IP address is larger, the IP address is used as a risk factor of the second clustering. In the third cluster, if the cluster score of the user account is larger, the user account is used as a risk factor of the third cluster.
Of course, the risk factors may include two or more in the same cluster. For example, in the above clustering result, there may be a fourth cluster, and the risk factor of the fourth cluster may include the user account and the mobile phone number information.
The influence of the category of the user data on the clustering result can be determined according to the similarity calculated by the category of the user data. For example, the similarity between user data of different categories may be calculated, and a category with a higher similarity may be selected as the risk factor according to the calculated similarity. Alternatively, the risk factor in the user data may be determined by combining the calculated similar sizes with the feature weights corresponding to the categories.
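The following Python example is added here for illustration and is not part of the patent text. It carries the clustering step of S202 and the risk factor determination of S203 through on constructed access records: each record is reduced to the categorical array [IP /24 prefix, number segment, device, account], the arrays are clustered with the K-means iteration described above, using per-feature modes as centres and a feature-weighted matching distance because the fields are categorical (the k-modes variant of K-means rather than the numeric algorithm itself), and for each cluster the clustering score of every parameter is computed as the members' pairwise agreement on that parameter multiplied by its feature weight; the parameters with the highest score are the cluster's risk factors. The feature weights, the farthest-point initialisation and the sample records are assumptions made for the example.

```python
from collections import Counter
from itertools import combinations

# Feature weights: IP address and phone number carry more attack signal than account data (values are assumptions).
WEIGHTS = {"ip_prefix": 0.35, "phone_segment": 0.35, "device": 0.2, "account": 0.1}

# Constructed access records: u01-u04 share a /24 and a number segment, u05-u07 share one IP and device type,
# u08-u09 are unrelated users behind one office network.
SAMPLE_RECORDS = [
    {"user": "u01", "ip": "203.0.113.10", "phone": "13800010001", "device": "Android 9", "account": "a01"},
    {"user": "u02", "ip": "203.0.113.11", "phone": "13800010002", "device": "Android 9", "account": "a02"},
    {"user": "u03", "ip": "203.0.113.12", "phone": "13800010003", "device": "Android 9", "account": "a03"},
    {"user": "u04", "ip": "203.0.113.13", "phone": "13800010004", "device": "Android 9", "account": "a04"},
    {"user": "u05", "ip": "198.51.100.7", "phone": "13900020001", "device": "iOS 15", "account": "b01"},
    {"user": "u06", "ip": "198.51.100.7", "phone": "13700030002", "device": "iOS 15", "account": "b02"},
    {"user": "u07", "ip": "198.51.100.7", "phone": "15900040003", "device": "iOS 15", "account": "b03"},
    {"user": "u08", "ip": "192.0.2.44", "phone": "15000050001", "device": "Windows 10", "account": "c01"},
    {"user": "u09", "ip": "192.0.2.99", "phone": "18600060002", "device": "macOS 12", "account": "c02"},
]


def extract_features(record):
    """One raw record -> the categorical array [IP /24, number segment, device, account] used for clustering."""
    return {
        "ip_prefix": ".".join(record["ip"].split(".")[:3]),
        "phone_segment": record["phone"][:7],
        "device": record["device"],
        "account": record["account"],
    }


def weighted_distance(a, b):
    """Sum of the weights of the features on which two arrays differ (weighted matching dissimilarity)."""
    return sum(w for f, w in WEIGHTS.items() if a[f] != b[f])


def init_centres(points, k):
    """Deterministic farthest-point initialisation: first record, then the record farthest from the chosen centres."""
    centres = [points[0]]
    while len(centres) < k:
        centres.append(max(points, key=lambda p: min(weighted_distance(p, c) for c in centres)))
    return centres


def mode_of(members):
    """Per-feature most common value: the categorical analogue of the K-means mean."""
    return {f: Counter(m[f] for m in members).most_common(1)[0][0] for f in WEIGHTS}


def kmodes(points, k, max_iter=20):
    """The K-means iteration of the text with modes as centres: assign each array to its nearest centre,
    recompute the centres from their members, repeat until the assignment no longer changes."""
    centres = init_centres(points, k)
    labels = None
    for _ in range(max_iter):
        new_labels = [min(range(k), key=lambda i: weighted_distance(p, centres[i])) for p in points]
        if new_labels == labels:
            break
        labels = new_labels
        for i in range(k):
            members = [p for p, lab in zip(points, labels) if lab == i]
            if members:
                centres[i] = mode_of(members)
    return labels


def parameter_scores(members):
    """Clustering score of each parameter: pairwise agreement of the members on it, times its feature weight."""
    pairs = list(combinations(members, 2))
    if not pairs:
        return {f: 0.0 for f in WEIGHTS}
    return {f: w * sum(a[f] == b[f] for a, b in pairs) / len(pairs) for f, w in WEIGHTS.items()}


def risk_factors(scores, tol=1e-9):
    """Parameters whose clustering score is maximal; several can tie, as in the fourth cluster discussed above."""
    best = max(scores.values())
    return [] if best <= 0 else [f for f, s in scores.items() if abs(s - best) <= tol]


def cluster_users(records, k=3):
    """S202 + S203: cluster the users, then attach the parameter scores and risk factors of each cluster."""
    points = [extract_features(r) for r in records]
    labels = kmodes(points, k)
    clusters = []
    for i in range(k):
        idx = [j for j, lab in enumerate(labels) if lab == i]
        scores = parameter_scores([points[j] for j in idx])
        clusters.append({"users": [records[j]["user"] for j in idx],
                         "scores": scores, "risk_factors": risk_factors(scores)})
    return clusters


if __name__ == "__main__":
    for c in cluster_users(SAMPLE_RECORDS):
        print(c["users"], {f: round(s, 3) for f, s in c["scores"].items()}, c["risk_factors"])
```

With K=3 the four users sharing a /24 and a number segment form one cluster whose risk factors are both the IP prefix and the number segment (a tie); the three users behind one IP address get the IP prefix alone; the two office users are also grouped on their shared prefix. That last cluster shows why the risk factor only explains a grouping: whether a cluster is an attack is decided by the risk score of the next step, not by the presence of a risk factor.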
In S204, the risk score of the clustering result determined based on the risk factor is obtained, and a preset supervised score model is trained according to the clustering result and the corresponding risk score.
Determining the risk factors of a clustering result helps staff quickly locate the cause of the risk within the cluster. Knowing the cause, staff can position the risk quickly and grade and confirm the risk information, which reduces the probability of misjudgment by the system.
According to the embodiment of the application, the risk score of the clustering result can be determined according to the confirmation data by acquiring the confirmation data. The confirmation data may be based on the intelligent detection data or may be obtained manually. From the score of each risk factor, the score of the clustered result can be determined.
Or risk confirmation can be performed on the users in the clustering result through the system, and the risk score is determined according to the risk confirmation result. For example, voice communication may be initiated to the user in the clustering result, or a risk questionnaire may be sent to the user. And determining the risk score according to the similarity of the users answering the calls or the similarity of the contents fed back by the risk questionnaire. If the similarity of the received calls is higher, for example, the same user is identified through the tone analysis, the risk score can be determined to be the preset risk score corresponding to the use of multiple accounts by the same user.
Alternatively, the risk score of the clustering result may be determined according to other investigation methods. For example, the risk score corresponding to the clustering result may be obtained through a field survey mode or a big data analysis mode for the user in the clustering result. The higher the risk score, the higher the likelihood that the clustering result is likely to be an illegitimate user.
After determining the score corresponding to the clustering result, the clustering result and the risk score corresponding to the clustering result may be input to the supervised scoring model as sample data, and the supervised scoring model is trained. Wherein, the supervised scoring model can be a neural network model. The training process may be as shown in fig. 3, including:
in S301, the clustering result is input to a preset supervised scoring model, and a calculation score output by the supervised scoring model is obtained.
The clustering result and its risk factors can be input into the supervised scoring model, which performs the scoring calculation and outputs the calculated score. The supervised scoring model may be preset: for example, a linear regression model, a neural network model, a decision tree model, a support vector machine model, a Bayesian model or the like.
Based on the set supervised scoring model and the initialized parameters, a calculation score corresponding to the clustering result input to the supervised scoring model can be calculated.
In S302, the difference between the calculated score and the risk score corresponding to the clustering result is determined, and the parameter of the supervised scoring model is adjusted according to the difference until the difference between the calculated score output by the supervised model and the corresponding risk score meets the preset requirement, so as to obtain the trained supervised scoring model.
Comparing the calculated score to the determined risk score may result in a difference between the calculated score and the risk score (i.e., the nominal score). According to the difference between the two, the parameters in the supervised scoring model can be adjusted. And repeatedly adjusting and comparing parameters until the difference between the output calculation score and the corresponding risk score meets the preset requirement, thereby finishing the training of the supervised scoring model.
It can be understood that the cluster calculation and the risk score determination can be repeatedly performed according to the continuously acquired user data, and the supervised scoring model is continuously updated and perfected.
For example, in a first time period after the service system is online, the user data a is acquired, and based on the acquired user data a, the clustering result included in the user data a can be calculated and obtained by combining the feature weight in the user data. And after determining the risk score corresponding to the clustering result, training the clustering result of the user data A and the risk score corresponding to the clustering result on a supervised scoring model. When the supervised scoring model converges the clustering result corresponding to the user data A, the supervised scoring model which is initially trained can be obtained. The system will collect user data B during a second period of time after the first period of time on-line with the service system. Since the attack means of the illegal user may be continuously updated and optimized, the supervised scoring model may not have a good identification of the updated attack means. Through the cluster calculation, the system can find new clusters in time, iterative training can be carried out on the supervised scoring model according to the risk scoring determined by the new clusters, the supervised scoring model can learn the characteristics corresponding to the updated attack means, the supervised scoring model can automatically upgrade and optimize the model in the using process of the system, the more complex attack detection can be adapted, the accuracy of the system detection is improved, misjudgment is reduced, and the use experience of a user is improved.
In S205, network attack detection is performed according to the trained supervised scoring model.
After the supervised scoring model is trained, risk calculation can be carried out with the trained supervised scoring model to judge whether a user exhibits the characteristics of a gang (a group of users acting in concert), so that a gang's network attack can be discovered in time.
The process of network attack detection based on the trained supervised scoring model may be as shown in fig. 4, and includes:
In S401, the user data in the network access record is acquired.
When network attack detection is carried out, network access data can be collected in real time. By examining the acquired network access data promptly, users who launch network attacks on the system can be found in time.
In S402, according to the user data, clustering is performed on users accessing the network.
For the determined user data or arrays, an unsupervised learning method may be adopted to perform cluster calculation on the user data or arrays corresponding to the respective users, obtaining one or more clusters. A cluster may consist of users belonging to the same number segment, users with the same IP address, or users whose IP addresses belong to the same area.
Alternatively, other data-similarity calculation methods may be adopted to determine the similarity of the user data among users, and the user data is clustered based on the determined similarity to obtain two or more users belonging to the same cluster.
In S403, the clustering result is input into the trained supervised scoring model to obtain the risk score corresponding to the clustering result, and whether the network access is a network attack is determined according to the risk score.
That the supervised scoring model is trained means that, when it calculates a clustering result and outputs a calculated score, the difference between that calculated score and the standard risk score meets the preset requirement. Therefore, when the trained supervised scoring model calculates the clustering result of the collected user data, the calculated score it outputs for that clustering result also differs from the standard risk score by no more than the preset requirement allows, so the obtained calculated score can be used to judge whether the users are illegal users, or whether their access constitutes a network attack. For example, when a group of users is determined to be a gang carrying out illegal acts, the access of that group can be determined to be a network attack.
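The training loop of S204 and the detection steps S401 to S403 described above, as an added Python example that is not part of the patent or the applicant's system: it clusters constructed access records by weighted feature matches (claim 2), derives per-cluster risk factors, adjusts a linear scoring model until every calculated score is within a tolerance of its assigned risk score, and then flags clusters whose score reaches a threshold. The feature weights, thresholds, training risk scores, access records, the /24 block and 7-digit number segment used as clustering keys, and the choice of a linear model trained by gradient descent are all assumptions; the description fixes none of them.

```python
from collections import Counter
from itertools import combinations

# Constructed feature weights (claim 2), in record_keys order: IP block, number segment, user agent.
FEATURE_WEIGHTS = (0.5, 0.3, 0.2)
LINK_THRESHOLD = 0.5    # two users are linked when their weighted similarity reaches this
ATTACK_THRESHOLD = 0.6  # a cluster whose calculated score reaches this is reported as an attack
# Constructed S204 training pairs: risk factors [size/10, IP-block share, number-segment share,
# user-agent share] of a cluster and the risk score assigned to that cluster.
TRAINING_SAMPLES = [
    ([1.0, 1.0, 1.0, 1.0], 1.00),  # large cluster, every parameter shared
    ([0.2, 1.0, 0.0, 0.0], 0.31),  # shared address block only (e.g. one NAT gateway)
    ([0.1, 0.0, 0.0, 0.0], 0.03),  # singleton user
    ([0.4, 0.0, 1.0, 0.0], 0.37),  # shared number segment only
    ([0.3, 0.0, 0.0, 1.0], 0.29),  # shared user agent only
]
# Constructed access records for the detection phase (S401); u1-u4 behave like one gang.
ACCESS_RECORDS = [
    {"user": "u1", "ip": "203.0.113.10", "phone": "13900000001", "ua": "Mozilla/5.0 (Bot)"},
    {"user": "u2", "ip": "203.0.113.11", "phone": "13900000002", "ua": "Mozilla/5.0 (Bot)"},
    {"user": "u3", "ip": "203.0.113.12", "phone": "13900000003", "ua": "Mozilla/5.0 (Bot)"},
    {"user": "u4", "ip": "203.0.113.200", "phone": "13800001234", "ua": "Mozilla/5.0 (Bot)"},
    {"user": "u5", "ip": "198.51.100.7", "phone": "13700005555", "ua": "Mozilla/5.0 (Bot)"},
]

def record_keys(r):
    # the /24 block stands in for "IP addresses of the same area", 7 digits for the "number segment"
    return (".".join(r["ip"].split(".")[:3]), r["phone"][:7], r["ua"])

def pair_similarity(a, b):  # sum of the feature weights of the parameters the two records share
    return sum(w * (ka == kb) for w, ka, kb in zip(FEATURE_WEIGHTS, record_keys(a), record_keys(b)))

def cluster_users(records):
    """S402: link every pair whose similarity reaches LINK_THRESHOLD; the components are clusters."""
    parent = {r["user"]: r["user"] for r in records}
    def find(u):
        while parent[u] != u:
            u = parent[u]
        return u
    for a, b in combinations(records, 2):
        if pair_similarity(a, b) >= LINK_THRESHOLD:
            parent[find(a["user"])] = find(b["user"])
    groups = {}
    for r in records:
        groups.setdefault(find(r["user"]), []).append(r)
    return list(groups.values())

def share(values):  # fraction of members agreeing with the most common value; a singleton shares nothing
    return Counter(values).most_common(1)[0][1] / len(values) if len(values) > 1 else 0.0

def cluster_features(members):
    """Risk factors of one cluster (S203): normalised size plus per-parameter agreement scores."""
    keys = [record_keys(m) for m in members]
    return [min(len(members), 10) / 10] + [share(column) for column in zip(*keys)]

def score_cluster(weights, features):
    return sum(w * x for w, x in zip(weights, features + [1.0]))  # weights[-1] is the bias

def train_scoring_model(samples, lr=0.2, tolerance=1e-4, max_iter=30000):
    """S204: adjust the weights until every calculated score is within `tolerance` of its risk score."""
    weights = [0.0] * (len(samples[0][0]) + 1)
    for _ in range(max_iter):
        grads, worst = [0.0] * len(weights), 0.0
        for x, y in samples:
            diff = score_cluster(weights, x) - y
            worst = max(worst, abs(diff))
            for j, xj in enumerate(x + [1.0]):
                grads[j] += 2 * diff * xj / len(samples)
        if worst <= tolerance:  # the "preset requirement" is met; training is finished
            break
        weights = [w - lr * g for w, g in zip(weights, grads)]
    return weights

def detect_attacks(weights, records):
    """S401-S403: cluster the new records, score each cluster and flag those at the threshold."""
    results = []
    for members in cluster_users(records):
        score = score_cluster(weights, cluster_features(members))
        results.append((sorted(m["user"] for m in members), score, score >= ATTACK_THRESHOLD))
    return results
```

Running `detect_attacks(train_scoring_model(TRAINING_SAMPLES), ACCESS_RECORDS)` groups u1 to u4 (u4 joins on the shared address block and user agent alone) and scores that cluster above the threshold, while u5 stays a low-scoring singleton.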
It should be understood that, the sequence numbers of the steps in the foregoing embodiments do not imply an execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present application.
Fig. 5 is a schematic diagram of a network attack detection apparatus provided in an embodiment of the present application, and as shown in fig. 5, the apparatus includes:
a user data obtaining unit 501, configured to obtain user data in a network access record;
a user clustering unit 502, configured to cluster users accessing the network according to the user data;
a risk factor determining unit 503, configured to determine risk factors included by clustered users according to a result of clustering calculation;
a model training unit 504, configured to obtain a risk score of a clustering result determined based on the risk factor, and train a preset supervised score model according to the clustering result and a corresponding risk score;
and an attack detection unit 505, configured to perform network attack detection according to the trained supervised scoring model.
The attack detection apparatus shown in fig. 5 corresponds to the attack detection method shown in fig. 2.
Fig. 6 is a schematic diagram of a network attack detection device according to an embodiment of the present application. As shown in fig. 6, the network attack detection device 6 of this embodiment includes a processor 60, a memory 61 and a computer program 62, such as a network attack detection program, stored in the memory 61 and executable on the processor 60. When executing the computer program 62, the processor 60 implements the steps of the network attack detection method embodiments described above or, alternatively, the functions of the modules/units in the apparatus embodiments described above.
Illustratively, the computer program 62 may be partitioned into one or more modules/units that are stored in the memory 61 and executed by the processor 60 to carry out the present application. The one or more modules/units may be a series of computer program instruction segments capable of performing specific functions, which are used to describe the execution process of the computer program 62 in the network attack detection device 6.
The network attack detection device 6 may be a desktop computer, a notebook, a palmtop computer, a cloud server or another computing device. It may include, but is not limited to, the processor 60 and the memory 61. Those skilled in the art will appreciate that fig. 6 is merely an example of the network attack detection device 6 and does not constitute a limitation of it; the device may include more or fewer components than shown, combine some components, or have different components. For example, it may further include an input-output device, a network access device, a bus, and the like.
The processor 60 may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, etc. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The memory 61 may be an internal storage unit of the network attack detection device 6, such as a hard disk or memory of the device. The memory 61 may also be an external storage device of the network attack detection device 6, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a flash card provided on the device. Further, the memory 61 may include both an internal storage unit and an external storage device of the network attack detection device 6. The memory 61 is used to store the computer program and the other programs and data required by the network attack detection device, and may also be used to temporarily store data that has been output or is to be output.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-mentioned division of the functional units and modules is illustrated, and in practical applications, the above-mentioned function distribution may be performed by different functional units and modules according to needs, that is, the internal structure of the apparatus is divided into different functional units or modules to perform all or part of the above-mentioned functions. Each functional unit and module in the embodiments may be integrated in one processing unit, or each unit may exist alone physically, or two or more units are integrated in one unit, and the integrated unit may be implemented in a form of hardware, or in a form of software functional unit. In addition, specific names of the functional units and modules are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present application. The specific working processes of the units and modules in the system may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and reference may be made to the related descriptions of other embodiments for parts that are not described or illustrated in a certain embodiment.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus/terminal device and method may be implemented in other ways. For example, the above-described embodiments of the apparatus/terminal device are merely illustrative, and for example, the division of the modules or units is only one logical division, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated modules/units, if implemented in the form of software functional units and sold or used as independent products, may be stored in a computer-readable storage medium. Based on such understanding, all or part of the processes in the methods of the embodiments described above can be implemented by a computer program instructing the related hardware; the computer program can be stored in a computer-readable storage medium, and when it is executed by a processor the steps of the method embodiments described above can be implemented. The computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer-readable medium may include any entity or device capable of carrying the computer program code, a recording medium, a USB disk, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a read-only memory (ROM), a random access memory (RAM), an electrical carrier signal, a telecommunications signal, a software distribution medium, and the like. It should be noted that the content contained in the computer-readable medium may be increased or decreased as appropriate according to the requirements of legislation and patent practice in a jurisdiction; for example, in some jurisdictions, according to legislation and patent practice, computer-readable media do not include electrical carrier signals and telecommunications signals.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not substantially depart from the spirit and scope of the embodiments of the present application and are intended to be included within the scope of the present application.

Claims (10)

1. A network attack detection method, the method comprising:
acquiring user data in a network access record;
clustering users accessing the network according to the user data;
determining risk factors included by the clustered users according to the result of the clustering calculation;
acquiring a risk score of a clustering result determined based on the risk factor, and training a preset supervised score model according to the clustering result and the corresponding risk score;
and carrying out network attack detection according to the trained supervised scoring model.
2. The method of claim 1, wherein clustering users accessing the network based on the user data comprises:
determining the characteristic weight corresponding to the user data;
and calculating the similarity of user data according to the characteristic weight, and clustering the users according to the similarity.
3. The method of claim 1, wherein clustering users accessing the network based on the user data comprises:
selecting a preset number of data categories to determine local data according to the data categories included in the user data;
and calculating the similarity of the users according to the local data, and clustering the users according to the similarity.
4. The method of claim 1, wherein clustering users accessing the network based on the user data comprises:
determining the position of a user according to the IP address in the user data;
determining the distance between users according to the positions;
and determining the cluster to which the user belongs according to the distance in combination with a preset distance threshold.
5. The method of claim 1, wherein determining the risk factors included by the clustered users based on the results of the clustering calculations comprises:
acquiring clustering scores of different parameters of clustered users included in a clustering result, wherein the clustering scores are determined according to similarity and characteristic weight of the parameters;
and determining the risk factors included by the clustered users according to the clustering scores of the parameters.
6. The method of claim 1, wherein training a pre-defined supervised scoring model based on the clustering results and corresponding risk scores comprises:
inputting the clustering result into a preset supervised scoring model to obtain a calculation score output by the supervised scoring model;
and determining the difference between the calculated score and the risk score corresponding to the clustering result, and adjusting the parameters of the supervised scoring model according to the difference until the difference between the calculated score output by the supervised model and the corresponding risk score meets the preset requirement to obtain the trained supervised scoring model.
7. The method of claim 1, wherein performing cyber attack detection based on the trained supervised scoring model comprises:
acquiring user data in a network access record;
clustering users accessing the network according to the user data;
and inputting the clustering result into the trained supervised scoring model to obtain a risk score corresponding to the clustering result, and determining whether the network access is a network attack or not according to the risk score.
8. A cyber attack detecting apparatus, the apparatus comprising:
the user data acquisition unit is used for acquiring user data in the network access record;
the user clustering unit is used for clustering the users accessing the network according to the user data;
the risk factor determining unit is used for determining the risk factors included by the clustered users according to the result of the clustering calculation;
the model training unit is used for acquiring the risk score of the clustering result determined based on the risk factor and training a preset supervised score model according to the clustering result and the corresponding risk score;
and the attack detection unit is used for carrying out network attack detection according to the trained supervised scoring model.
9. A cyber attack detection apparatus comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor implements the steps of the method according to any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 7.
CN202210031454.XA 2022-01-12 Network attack detection method, device, equipment and computer readable storage medium Active CN114363082B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210031454.XA CN114363082B (en) 2022-01-12 Network attack detection method, device, equipment and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN114363082A true CN114363082A (en) 2022-04-15
CN114363082B CN114363082B (en) 2024-05-03

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115659197A (en) * 2022-12-28 2023-01-31 湖南财政经济学院 Data security monitoring model training method, application method, device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
Effective date of registration: 20240402
Address after: Room 608, 6th Floor, Unit 1, Office Building 2, Wanhaocheng, No. 298 Yinhuan Road, Xihu District, Nanchang City, Jiangxi Province, 330000
Applicant after: Nanchang Home Technology Co.,Ltd.
Country or region after: China
Address before: 518000 Room 201, building A, No. 1, Qian Wan Road, Qianhai Shenzhen Hong Kong cooperation zone, Shenzhen, Guangdong (Shenzhen Qianhai business secretary Co., Ltd.)
Applicant before: PING AN PUHUI ENTERPRISE MANAGEMENT Co.,Ltd.
Country or region before: China
GR01 Patent grant