CN114462589B - Normal behavior neural network model training method, system, device and storage medium

Info

Publication number: CN114462589B
Authority: CN (China)
Prior art keywords: data, behavior, address, neural network, network model
Legal status: Active
Application number: CN202111147137.6A
Other languages: Chinese (zh)
Other versions: CN114462589A (en)
Inventor: 张长河
Current Assignee: Beijing Weida Information Technology Co ltd
Original Assignee: Beijing Weida Information Technology Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/16 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/146 Tracing the source of attacks

Abstract

The application relates to a normal behavior neural network model training method, system, device and storage medium, in the field of neural network model training. The method comprises: obtaining behavior data and source information of the behavior data; obtaining the data transmission environment of the corresponding behavior data based on the source information; judging, based on the data transmission environment of the behavior data, whether the behavior data can be regarded as training data; and, once the behavior data is regarded as training data, transmitting the training data and the abnormal behavior-free result to the normal behavior neural network model and training the model. Before behavior data is used to train the normal behavior neural network model, it is judged whether the behavior data is normal data, and if it is normal data, it is used. The application helps improve the training precision of the normal behavior neural network model, and thereby the accuracy of its analysis results in actual use.

Description

Normal behavior neural network model training method, system, device and storage medium
Technical Field
The invention relates to the field of neural network model training, and in particular to a training method, system, device and storage medium for a normal behavior neural network model.
Background
To improve the security of internet applications, in addition to deploying defense modules such as firewalls and honeypots, some users train a network intrusion neural network model that inspects uplink and downlink data in real time. Once attack data enters the system, the network intrusion neural network model outputs an analysis result for it that marks the transmitted data as attack data, which improves the security of the system. For relatively important systems, a normal behavior neural network model is deployed alongside the network intrusion neural network model to detect whether normal behavior data is abnormal, further improving system security.
In the related art, when a normal behavior neural network model is trained, the normal behavior data used for training is usually acquired from real equipment. The normal behavior data and an abnormal analysis result are transmitted to the normal behavior neural network model, with the normal behavior data fed to the input end of the model and the abnormal analysis result presented at its output end, so that the model learns from them and is thereby trained.
With respect to the above related art, the inventor considers that real equipment readily receives attack data. If attack data received by the real equipment is treated as normal behavior data and used to train the normal behavior neural network model, the training precision of the model suffers, and the accuracy of the analysis results it outputs in actual use is easily reduced.
Disclosure of Invention
To help improve the training precision of the normal behavior neural network model, so that it outputs more accurate analysis results in actual use, the invention provides a normal behavior neural network model training method, system, device and storage medium.
In a first aspect, the normal behavior neural network model training method provided by the application adopts the following technical solution:
A normal behavior neural network model training method comprises the following steps:
obtaining behavior data and source information of the behavior data, wherein the source information comprises a source address;
obtaining a data transmission environment corresponding to the behavior data based on the source information, wherein the data transmission environment comprises a single-path transmission environment and a multi-path transmission environment;
when the data transmission environment is a single-path transmission environment, judging the regularity of the behavior data based on the source information and preset regular address information;
when the behavior data is regular data, regarding the behavior data as training data;
when the data transmission environment is a multi-path transmission environment, judging whether the source address of the corresponding behavior data is a false node based on the source information corresponding to the behavior data and a false node address table prestored in the database;
when the source address of the behavior data is not a false node, regarding the behavior data as training data;
and transmitting the training data and the abnormal behavior-free result to a normal behavior neural network model, and training the normal behavior neural network model.
With this technical solution, behavior data is judged according to its data transmission environment. If the behavior data was acquired in a single-path transmission environment, its regularity is judged; if it is regular data, it is considered safe, that is, non-attack data. It is then regarded as training data and transmitted to the normal behavior neural network model together with the abnormal behavior-free result to train the model.
Similarly, for behavior data obtained in a multi-path transmission environment, it is judged whether the source address of the behavior data is a false node. Because false nodes exist to attract attackers, all behavior data obtained from a false node is attack data. If the source address of the behavior data is not a false node, the behavior data is regarded as training data and used to train the normal behavior neural network model.
Therefore, when the normal behavior neural network model is trained, the training data is unlikely to contain attack data, which helps improve the training precision of the model so that it outputs more accurate analysis results in actual use.
Optionally, the step of obtaining a data transmission environment of the behavior data based on the source information includes:
extracting a source address from the source information;
searching a device address relation table prestored in the database for the data transmission environment corresponding to the source address;
and extracting the data transmission environment that is found.
With this technical solution, the source address is extracted from the source information and looked up in the prestored device address relation table to find the data transmission environment. On the one hand, when the data transmission environment of a device changes, the environment recorded for that device's address is easy to update; on the other hand, the acquired data transmission environment is unlikely to be wrong, which improves the accuracy of deciding whether behavior data is training data and thus helps improve the training precision of the normal behavior neural network model.
Optionally, after searching the device address relation table prestored in the database for the data transmission environment corresponding to the source address, the method further includes:
when the source address is not found in the device address relation table, or no data transmission environment corresponding to the source address is found, regarding the behavior data corresponding to the source information as attack data;
and transmitting the attack data and the abnormal behavior result to a normal behavior neural network model, and training the normal behavior neural network model.
With this technical solution, the normal behavior neural network model is trained with attack data and the abnormal behavior result in addition to the training data, which improves the training precision of the model and the accuracy of its analysis results in use.
Optionally, the step of determining the regularity of the behavior data based on the source information and preset regular address information includes:
extracting a source address in the source information;
when the source address and the regular address information are the same address, regarding the corresponding behavior data as regular data;
otherwise, regarding the corresponding behavior data as irregular data;
the step of judging whether the source address of the corresponding behavior data is a false node based on the source information corresponding to the behavior data and a false node address table pre-stored in the database includes:
extracting a source address in the source information;
searching the false node address table for the false node address which is the same as the source address;
when a false node with the same address as the source address is stored in a false node address table, regarding the source address of the corresponding behavior data as a false node;
otherwise, the source address of the corresponding behavior data is considered as a non-false node.
With this technical solution, the false node address table is preset, so the false node addresses are easy to change and the accuracy of judging whether a source address is a false node is improved, which helps improve the training precision of the normal behavior neural network model.
Optionally, after the determining the regularity of the behavior data based on the source information and the preset regular address information, the method further includes:
when the behavior data are irregular data, the behavior data are regarded as attack data;
after the determining whether the source address of the corresponding behavior data is a false node, the method further includes:
when the source address of the behavior data is a false node, regarding the behavior data as attack data;
before the transmitting the attack data and the abnormal behavior result to the normal behavior neural network model, the method further comprises:
acquiring a data log corresponding to the attack data;
based on the data log and an attack type table prestored in the database, when the data log corresponds to an attack type in the attack type table, matching the abnormal behavior result with the corresponding attack data;
and when the data log does not correspond to any attack type in the attack type table, deleting the attack data corresponding to the data log.
With this technical solution, after behavior data is regarded as attack data, it is checked against its data log and the preset attack type table. If the behavior data regarded as attack data is indeed offensive, that is, it matches the characteristics of attack data, it is used to train the normal behavior neural network model. If the check shows that it is not real attack data, that is, a misjudgment occurred, the corresponding attack data is deleted, which safeguards the training precision of the normal behavior neural network model.
In a second aspect, the normal behavior neural network model training system provided by the present application adopts the following technical solution:
A normal behavior neural network model training system comprises an acquisition module, a processing module and a training module, wherein the acquisition module is used for acquiring behavior data and source information of the behavior data, and the source information comprises a source address;
a searching module, used for obtaining a data transmission environment corresponding to the behavior data based on the source information, wherein the data transmission environment comprises a single-path transmission environment and a multi-path transmission environment;
a judging module, used for judging the regularity of the behavior data based on the source information and the preset regular address information when the data transmission environment is a single-path transmission environment, and regarding the behavior data as training data when the behavior data is regular data;
the judging module is further configured to judge whether the source address of the corresponding behavior data is a false node based on the source information corresponding to the behavior data and a false node address table prestored in the database when the data transmission environment is a multi-path transmission environment, and to regard the behavior data as training data when the source address of the behavior data is not a false node;
and
a transmission module, used for transmitting the training data and the abnormal behavior-free result to a normal behavior neural network model and training the normal behavior neural network model.
Optionally, the judging module includes an extraction unit, configured to extract the source address in the source information;
a processing unit, used for regarding the corresponding behavior data as regular data when the source address and the regular address information are the same address, and otherwise regarding the corresponding behavior data as irregular data;
the processing unit is also used for searching the false node address table for a false node address that is the same as the source address; when a false node with the same address as the source address is stored in the false node address table, the source address of the corresponding behavior data is considered a false node, and otherwise it is considered a non-false node.
Optionally, the judging module is configured to regard the behavior data as attack data when the behavior data is irregular data, and to regard the behavior data as attack data when the source address of the behavior data is a false node;
the training system also comprises an auditing module connected with the judging module, wherein the auditing module is used for acquiring the data log corresponding to attack data and, based on the data log and an attack type table prestored in a database module, matching the abnormal behavior result with the corresponding attack data when the data log corresponds to an attack type in the attack type table, and deleting the attack data corresponding to the data log when the data log does not correspond to any attack type in the attack type table;
and the transmission module is used for transmitting the attack data and the abnormal behavior result to a normal behavior neural network model and training the normal behavior neural network model.
In a third aspect, the normal behavior neural network model training device provided by the application adopts the following technical solution:
A training device for a normal behavior neural network model comprises a memory and a processor, wherein a training program of the normal behavior neural network model is stored in the memory, and the processor performs the above method when executing the training program of the normal behavior neural network model.
In a fourth aspect, the storage medium provided by the present application adopts the following technical solution:
A storage medium stores a computer program that can be loaded by a processor to execute the above-described method.
In summary, behavior data intended for training the normal behavior neural network model is first subjected to a logical judgment, and the result of that judgment determines whether the behavior data is used for training. As a result, when the normal behavior neural network model is trained, the training data associated with the abnormal behavior-free result is all non-attack data, that is, normal data, which helps improve the training precision of the model and helps it output more accurate analysis results in actual use.
Drawings
Fig. 1 is a flowchart of a normal behavior neural network model training method according to an embodiment of the present application.
Fig. 2 is a block diagram of a normal behavior neural network model training system according to an embodiment of the present application.
Description of reference numerals:
1. acquisition module; 2. searching module; 3. judging module; 31. extraction unit; 32. processing unit; 4. auditing module; 5. transmission module.
Detailed Description
The embodiment of the application discloses a normal behavior neural network model training method. Referring to Fig. 1, the method includes:
S100, obtaining behavior data and source information of the behavior data, wherein the source information comprises a source address.
The behavior data is data generated when a device performs an action, and includes reception data of a receiving action, transmission data of a sending action, start data of a start-up action, and the like. The source address is the device address of the data source; it may also be device information that identifies the data source, such as a device name or device number.
S200, obtaining a data transmission environment corresponding to the behavior data based on the source information, wherein the data transmission environment comprises a single-path transmission environment and a multi-path transmission environment.
A single-path transmission environment is one in which the source device of the behavior data has a single communication path. A camera, for example, communicates only with a server when it is not under attack; that communication includes receiving control instructions from the server, feeding back messages to the server, transmitting camera data to the server, and so on. That is, a device in a single-path transmission environment may be connected to several downstream devices and several upstream devices, but when the device is not under attack its data follows a fixed route. It will be appreciated that, when attacked, the camera may transmit data to, or request data from, a device other than the server.
Correspondingly, a multi-path transmission environment is one in which the source device of the behavior data has multiple communication paths. A router, for example, can communicate with several switches or terminals as circumstances require when it is not under attack. A device in a multi-path transmission environment is connected to several downstream devices and several upstream devices, and its data travels over multiple paths whether or not it is attacked. Taking the router as an example, to improve the security of the communication system a terminal is placed between the router and the switch, and several false nodes are configured in the terminal, each with an IP address intended to draw attacks. Therefore, in this embodiment, a device in a multi-path transmission environment has several corresponding false nodes.
In one embodiment, step S200 includes:
S210, extracting a source address from the source information.
S220, searching a device address relation table prestored in a database for the data transmission environment corresponding to the source address.
It is understood that the device address relation table stores the device address of each device, that is, the source address carried in the source information of the behavior data. Each device address corresponds to a prestored data transmission environment. The table is searched for a device address identical to the source address, and the corresponding data transmission environment is read. The device address may be a port IP of the device, a physical IP of the device, or a device IP of the device.
If a device address identical to the source address is found, step S230 is executed: the found data transmission environment is extracted.
Otherwise, step S240 is executed: when the source address, or the data transmission environment corresponding to the source address, is not found in the device address relation table, the behavior data corresponding to the source information is regarded as attack data.
That is, either no device address identical to the source address is found, or an identical device address is found but has no corresponding prestored data transmission environment. In either case the corresponding behavior data cannot be determined to be safe or normal, that is, it cannot be determined to be non-attack data, so it is regarded as attack data.
S250, acquiring a data log corresponding to the attack data.
Each piece of attack data corresponds to a data log.
S260, based on the data log and an attack type table prestored in the database, when the data log corresponds to an attack type in the attack type table, matching the abnormal behavior result with the corresponding attack data.
S270, when the data log does not correspond to any attack type in the attack type table, deleting the attack data corresponding to the data log.
S280, transmitting the attack data and the abnormal behavior result to the normal behavior neural network model, and training the normal behavior neural network model.
Training the normal behavior neural network model on attack data matched with the abnormal behavior result, in addition to training data matched with the abnormal behavior-free result, helps improve the training precision of the model.
S300, when the data transmission environment is a single-path transmission environment, judging the regularity of behavior data based on the source information and the preset regular address information.
Specifically, step S300 includes:
s310, extracting a source address in the source information.
And S320, when the source address and the conventional address information are the same address, regarding the corresponding behavior data as conventional data.
It will be appreciated that the source device of the behavioural data should always be the same device, such as the camera in the above example, since the source device to which the behavioural data corresponds is in a single pass transmission environment. The device address of the camera is set to be the conventional address information, if the source address is the conventional address information, the source of the behavior data is proved to be normal, the behavior data is not easy to be attack data, and therefore the behavior data can be regarded as the conventional data.
And S330, if not, the corresponding behavior data is regarded as unconventional data.
And S340, when the behavior data is irregular data, regarding the behavior data as attack data.
And S400, when the behavior data are the conventional data, the behavior data are regarded as training data.
The normal data is normal data and can also be regarded as safe data, and the corresponding behavior data is regarded as training data, so that the normal behavior neural network model can be conveniently trained.
S500, when the data transmission environment is a multi-path transmission environment, whether the source address of the corresponding behavior data is a false node is judged based on the source information corresponding to the behavior data and a false node address table prestored in a database.
Specifically, step S500 includes:
s510, extracting a source address in the source information.
S520, searching the false node address which is the same as the source address in the false node address table.
The false node address table prestores false node addresses of all the false nodes, and the false node addresses are IP addresses outside the false node pairs.
S530, when the false node with the same address as the source address is stored in the false node address table, the source address of the corresponding behavior data is considered as the false node.
And S540, if not, regarding the source address of the corresponding behavior data as a non-false node.
It is understood that the dummy node is used to obfuscate and induce an attack by an attacker, and thus all data originating from the dummy node is attack data. And comparing the source address with the false node to know whether the behavior data is attack data.
And S550, when the source address of the behavior data is a false node, regarding the corresponding behavior data as attack data.
S600, when the source address of the behavior data is not a false node, the behavior data is regarded as training data.
And S700, transmitting the training data and the abnormal behavior-free result to the normal behavior neural network model, and training the normal behavior neural network model.
The implementation principle of the normal behavior neural network model training method in this embodiment is as follows: behavior data is judged according to its data transmission environment. If the behavior data was acquired in a single-path transmission environment, its regularity is judged; if it is regular data, it is safe, that is, data of a non-attack nature. The behavior data is then regarded as training data, and the training data is transmitted together with the abnormal behavior-free result to the normal behavior neural network model to train it.
For behavior data obtained in a multi-path transmission environment, whether its source address is a false node is judged. A false node attracts attackers, so behavior data obtained from a false node is attack data. If the source address of the behavior data is not a false node, the behavior data is regarded as training data and used for training the normal behavior neural network model.
Behavior data regarded as attack data is matched with the abnormal behavior result and used for training the normal behavior neural network model. When the normal behavior neural network model is actually used, after behavior data is input, an abnormal behavior result or a non-abnormal behavior result can be accurately output for the input behavior data.
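The labeling flow summarized above (environment lookup, regular-address check, false-node check, and the attack-log audit set out in the claims) can be sketched as follows. This is an added example, not code from the patent; the table contents, the `Behavior` record, the address normalisation and the token-based log match are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

SINGLE_PATH, MULTI_PATH = "single-path", "multi-path"
NO_ABNORMAL, ABNORMAL = "no-abnormal-behavior", "abnormal-behavior"

# Constructed sample tables (documentation address ranges, not from the patent).
DEVICE_ENV = {                        # device address relation table
    "192.0.2.10": SINGLE_PATH,
    "192.0.2.11": SINGLE_PATH,
    "198.51.100.20": MULTI_PATH,
    "198.51.100.99": MULTI_PATH,
    "203.0.113.5": None,              # address known, environment missing
}
REGULAR_ADDRESSES = {"192.0.2.10"}    # preset regular address information
FALSE_NODES = {"198.51.100.99"}       # false node address table
ATTACK_TYPES = {"port-scan", "brute-force"}   # attack type table

@dataclass(frozen=True)
class Behavior:
    source: str    # source address taken from the source information
    data: str      # the behavior data itself
    log: str = ""  # data log kept for this behavior data

def canonical(addr):
    """Normalise an address so table lookups compare like with like."""
    try:
        return str(ipaddress.ip_address(addr.strip()))
    except ValueError:
        return None                   # unparseable: will not be found in any table

def is_attack(b):
    """Source-address rules: True means attack data, False means training data."""
    src = canonical(b.source)
    env = DEVICE_ENV.get(src)
    if env is None:                   # address or its environment not found
        return True
    if env == SINGLE_PATH:
        return src not in REGULAR_ADDRESSES   # irregular data
    return src in FALSE_NODES         # multi-path: data from a false node

def audit(b):
    """Assumed log format: a known attack type appears as a token in the log."""
    return bool(ATTACK_TYPES & set(b.log.split()))

def build_training_set(records):
    """Return (samples, dropped); samples are (data, label) pairs for training."""
    samples, dropped = [], []
    for b in records:
        if not is_attack(b):
            samples.append((b.data, NO_ABNORMAL))
        elif audit(b):
            samples.append((b.data, ABNORMAL))
        else:
            dropped.append(b)         # attack data matching no attack type is deleted
    return samples, dropped

SAMPLE = [                            # constructed records
    Behavior("192.0.2.10", "read sensor"),
    Behavior("192.0.2.11", "write config", "auth brute-force 192.0.2.11"),
    Behavior("198.51.100.20", "sync"),
    Behavior("198.51.100.99", "probe", "ids port-scan"),
    Behavior("203.0.113.77", "hello", "unclassified event"),
    Behavior("203.0.113.5", "ping", "ids port-scan"),
]

if __name__ == "__main__":
    for row in build_training_set(SAMPLE)[0]:
        print(row)
```

Every label here is derived from the source address alone, so the three address tables must be kept current or legitimate hosts will be fed to the model as attack data.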
This embodiment also discloses a normal behavior neural network model training system which, referring to Fig. 2, includes an obtaining module 1 for obtaining behavior data and source information of the behavior data, where the source information includes a source address. A searching module 2 is in communication connection with the obtaining module 1 (the connection may be wired or wireless) and is configured to obtain the behavior data and the corresponding source information from the obtaining module 1, and to obtain the data transmission environment of the corresponding behavior data based on the source information. The data transmission environment includes a single-path transmission environment and a multi-path transmission environment.
A judging module 3 is in communication connection with the searching module 2 and is configured, when the data transmission environment is a single-path transmission environment, to judge the regularity of the behavior data based on the source information and the preset regular address information, and to regard the behavior data as training data when the behavior data is regular data.
The judging module 3 is further configured, when the data transmission environment is a multi-path transmission environment, to judge whether the source address of the corresponding behavior data is a false node based on the source information corresponding to the behavior data and a false node address table prestored in the database; when the source address of the behavior data is not a false node, the behavior data is regarded as training data. A transmission module 5 is connected with the judging module 3 and is configured to transmit the training data and the abnormal behavior-free result to the normal behavior neural network model and train the normal behavior neural network model.
Specifically, in an embodiment, the judging module 3 includes an extracting unit 31 configured to extract the source address from the source information, and a processing unit 32 configured to regard the corresponding behavior data as regular data when the source address and the regular address information are the same address, and otherwise to regard the corresponding behavior data as irregular data.
The processing unit 32 is further configured to search the false node address table for a false node address that is the same as the source address; when a false node with the same address as the source address is stored in the false node address table, the source address of the corresponding behavior data is regarded as a false node, and otherwise as a non-false node.
The judging module 3 is further configured to regard the behavior data as attack data when the behavior data is irregular data, and to regard the behavior data as attack data when the source address of the behavior data is a false node.
The training system also includes an auditing module 4 connected with the judging module 3. The auditing module 4 is configured to acquire the data log corresponding to the attack data and, based on the data log and an attack type table prestored in the database module, to match the abnormal behavior result with the corresponding attack data when the data log corresponds to an attack type in the attack type table, and to delete the attack data corresponding to the data log when the data log does not correspond to an attack type in the attack type table. The transmission module 5 is also configured to transmit the attack data and the abnormal behavior result to the normal behavior neural network model and train the normal behavior neural network model.
This embodiment also discloses a normal behavior neural network model training device, which includes a memory and a processor. The memory stores a training program for the normal behavior neural network model, and the processor uses the normal behavior neural network model training method described above when executing that training program.
This embodiment also discloses a storage medium storing a computer program that can be loaded by a processor to execute the normal behavior neural network model training method.
The above are preferred embodiments of the present application and do not limit its scope of protection; all equivalent changes made according to the structure, shape and principle of the present application shall be covered by the protection scope of the present application.

Claims (7)

1. A normal behavior neural network model training method is characterized by comprising the following steps:
behavior data and source information of the behavior data are obtained, wherein the source information comprises a source address;
obtaining a data transmission environment corresponding to the behavior data based on the source information, wherein the data transmission environment comprises a single-path transmission environment and a multi-path transmission environment;
when the data transmission environment is a single-path transmission environment, judging the regularity of the behavior data based on the source information and preset regular address information;
when the behavior data is regular data, the behavior data is regarded as training data;
when the data transmission environment is a multi-path transmission environment, judging whether the source address of the corresponding behavior data is a false node or not based on the source information corresponding to the behavior data and a false node address table prestored in a database;
when the source address of the behavior data is not a false node, regarding the behavior data as training data;
transmitting the training data and the abnormal behavior-free result to a normal behavior neural network model, and training the normal behavior neural network model;
the step of obtaining a data transmission environment of the behavior data based on the source information includes:
extracting a source address from the source information;
searching a data transmission environment corresponding to the source address in an equipment address relation table prestored in the database;
extracting the searched data transmission environment;
after the data transmission environment corresponding to the source address is searched in the device address relation table prestored in the database, the method further comprises the following steps:
when the source address is not found in the equipment address relation table or the data transmission environment corresponding to the source address is not found, the behavior data corresponding to the source information is regarded as attack data;
transmitting the attack data and the abnormal behavior result to a normal behavior neural network model, and training the normal behavior neural network model;
after the determining the regularity of the behavior data based on the source information and the preset regular address information, the method further comprises:
when the behavior data is irregular data, the behavior data is regarded as attack data;
after the determining whether the source address of the corresponding behavior data is a false node, the method further includes:
when the source address of the behavior data is a false node, regarding the behavior data as attack data;
before the transmitting the attack data and the abnormal behavior result to the normal behavior neural network model, the method further comprises:
acquiring a data log corresponding to the attack data;
based on the data log and an attack type table prestored in the database, matching the abnormal behavior result with the corresponding attack data when the data log corresponds to the attack type in the attack type table;
and when the data log does not correspond to the attack type in the attack type table, deleting the attack data corresponding to the data log.
2. The method for training the neural network model of normal behavior according to claim 1, wherein: the step of judging the regularity of the behavior data based on the source information and the preset regular address information includes:
extracting a source address in the source information;
when the source address and the regular address information are the same address, regarding the corresponding behavior data as regular data;
otherwise, the corresponding behavior data is regarded as irregular data;
the step of judging whether the source address of the corresponding behavior data is a false node based on the source information corresponding to the behavior data and a false node address table pre-stored in the database includes:
extracting a source address in the source information;
searching the false node address table for the false node address which is the same as the source address;
when a false node with the same address as the source address is stored in a false node address table, regarding the source address of the corresponding behavior data as a false node;
otherwise, the source address of the corresponding behavior data is considered as a non-false node.
3. A normal behavior neural network model training system, characterized in that it comprises an obtaining module (1) for obtaining behavior data and source information of the behavior data, wherein the source information comprises a source address;
a searching module (2) for obtaining a data transmission environment corresponding to the behavior data based on the source information, wherein the data transmission environment comprises a single-path transmission environment and a multi-path transmission environment;
the judging module (3) is used for judging the regularity of the behavior data based on the source information and preset regular address information when the data transmission environment is a single-path transmission environment, and regarding the behavior data as training data when the behavior data is the regular data;
the judging module (3) is further configured to, when the data transmission environment is a multi-path transmission environment, judge whether the source address of the corresponding behavior data is a false node based on the source information corresponding to the behavior data and a false node address table prestored in a database; when the source address of the behavior data is not a false node, regarding the behavior data as training data;
and
and the transmission module (5) is used for transmitting the training data and the abnormal behavior result to a normal behavior neural network model and training the normal behavior neural network model.
4. The normal behavior neural network model training system according to claim 3, characterized in that: the judging module (3) comprises an extracting unit (31) for extracting a source address in the source information;
and
the processing unit (32) is used for regarding the corresponding behavior data as the regular data when the source address and the regular address information are the same address, and otherwise, regarding the corresponding behavior data as the irregular data;
the processing unit (32) is further configured to look up a false node address in the false node address table, wherein the false node address is the same address as the source address; and when a false node with the same address as the source address is stored in a false node address table, considering the source address of the corresponding behavior data as a false node, otherwise, considering the source address of the corresponding behavior data as a non-false node.
5. The system according to claim 3 or 4, wherein: the judging module (3) is used for regarding the behavior data as attack data when the behavior data is irregular data, and regarding the behavior data as attack data when the source address of the behavior data is a false node;
the training system further comprises an auditing module (4) connected with the judging module (3), wherein the auditing module (4) is used for acquiring a data log corresponding to attack data, and matching the abnormal behavior result with the corresponding attack data when the data log corresponds to an attack type in an attack type table based on the data log and the attack type table pre-stored in a database module; when the data log does not correspond to the attack type in the attack type table, deleting the attack data corresponding to the data log;
and the transmission module (5) is used for transmitting the attack data and the abnormal behavior result to a normal behavior neural network model and training the normal behavior neural network model.
6. A normal behavior neural network model training device comprises a memory and a processor, and is characterized in that: a training program of a normal behavior neural network model is stored in the memory; the processor is configured to employ the method of any one of claims 1-2 when performing a training procedure for a normal behavioral neural network model.
7. A storage medium, characterized by storing a computer program which can be loaded by a processor and which performs the method according to any of claims 1-2.
CN202111147137.6A 2021-09-28 2021-09-28 Normal behavior neural network model training method, system, device and storage medium Active CN114462589B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111147137.6A CN114462589B (en) 2021-09-28 2021-09-28 Normal behavior neural network model training method, system, device and storage medium

Publications (2)

Publication Number Publication Date
CN114462589A CN114462589A (en) 2022-05-10
CN114462589B (en) 2022-11-04

Family

ID=81405564

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111147137.6A Active CN114462589B (en) 2021-09-28 2021-09-28 Normal behavior neural network model training method, system, device and storage medium

Country Status (1)

Country Link
CN (1) CN114462589B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107864128A (en) * 2017-10-30 2018-03-30 深信服科技股份有限公司 Scanning detection method, device, readable storage medium storing program for executing based on network behavior
CN109787943A (en) * 2017-11-14 2019-05-21 华为技术有限公司 A kind of method and apparatus of resisting abnegation service aggression
CN111385236A (en) * 2018-12-27 2020-07-07 北京卫达信息技术有限公司 Dynamic defense system based on network spoofing
CN111428231A (en) * 2020-06-12 2020-07-17 完美世界(北京)软件科技发展有限公司 Safety processing method, device and equipment based on user behaviors
CN111488590A (en) * 2020-05-29 2020-08-04 深圳易嘉恩科技有限公司 SQL injection detection method based on user behavior credibility analysis
CN112653682A (en) * 2020-12-16 2021-04-13 深圳前海微众银行股份有限公司 Method and device for detecting block chain eclipse attack

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110445770B (en) * 2019-07-18 2022-07-22 平安科技(深圳)有限公司 Network attack source positioning and protecting method, electronic equipment and computer storage medium

Also Published As

Publication number Publication date
CN114462589A (en) 2022-05-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant