CN114499923A - ICMP (Internet control message protocol) simulation message generation method and device - Google Patents


Info

Publication number
CN114499923A
Authority
CN
China
Prior art keywords
icmp
data
message
generator
tunnel data
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111446474.5A
Other languages
Chinese (zh)
Other versions
CN114499923B (en)
Inventor
庞瑞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd
Priority to CN202111446474.5A
Publication of CN114499923A
Application granted
Publication of CN114499923B
Legal status: Active

Classifications

    • H04L63/1408 Network architectures or network communication protocols for network security, for detecting or protecting against malicious traffic by monitoring network traffic
    • G06N3/044 Neural networks; architecture: recurrent networks, e.g. Hopfield networks
    • G06N3/045 Neural networks; architecture: combinations of networks
    • G06N3/047 Neural networks; architecture: probabilistic or stochastic networks
    • G06N3/08 Neural networks; learning methods
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L69/22 Parsing or analysis of headers

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Artificial Intelligence (AREA)
  • Biomedical Technology (AREA)
  • Biophysics (AREA)
  • Computational Linguistics (AREA)
  • Mathematical Physics (AREA)
  • Evolutionary Computation (AREA)
  • General Health & Medical Sciences (AREA)
  • Molecular Biology (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Probability & Statistics with Applications (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The application provides a method and an apparatus for generating simulated ICMP packets, in the field of network security. The method comprises: obtaining normal ICMP packets and ICMP attack packets; training a discriminator on the normal and attack packets, and training a generator on the attack packets; building a generative adversarial network (GAN) from the discriminator and the generator; iteratively training the generator through the GAN to obtain a simulated tunnel data generator; obtaining simulated ICMP tunnel data from that generator; and generating simulated ICMP packets from the simulated tunnel data. In this way a large number of simulated ICMP packets can be produced, which addresses the scarcity of black (malicious) samples when training a machine learning model.

Description

ICMP simulation message generation method and device
Technical Field
The present application relates to the field of network security, and in particular to a method and an apparatus for generating simulated ICMP packets.
Background
APT attackers have begun to use ICMP tunnels to deliver obfuscated Trojan payloads. Because APT activity is typically stealthy and designed to evade detection, the ICMP traffic produced by APT command-and-control is extremely hard to obtain, so real ICMP attack traffic is rare, and the corresponding black samples are scarce when training machine learning models.
Disclosure of Invention
An object of the embodiments of the present application is to provide a method and an apparatus for generating simulated ICMP packets that can produce a large number of such packets, thereby addressing the scarcity of black samples in machine learning model training.
A first aspect of the present application provides a method for generating simulated ICMP packets, comprising: obtaining normal ICMP packets and ICMP attack packets;
training a discriminator on the normal ICMP packets and the ICMP attack packets, and training a generator on the ICMP attack packets;
building a generative adversarial network (GAN) from the discriminator and the generator;
iteratively training the generator through the GAN to obtain a simulated tunnel data generator;
obtaining simulated ICMP tunnel data generated by the simulated tunnel data generator;
and generating simulated ICMP packets from the simulated ICMP tunnel data.
In this implementation the GAN is set up in advance and trained on the collected normal and attack packets; the GAN can keep iterating the simulated tunnel data generator, which then produces large amounts of plausible simulated ICMP tunnel data that can be restored into corresponding simulated ICMP packets, addressing the scarcity of black samples in machine learning model training.
Further, training the discriminator on the normal ICMP packets and the ICMP attack packets, and training the generator on the ICMP attack packets, comprises:
parsing the normal ICMP packets to obtain normal ICMP tunnel data;
parsing the ICMP attack packets to obtain hidden ICMP tunnel data;
applying simulated obfuscation to the hidden ICMP tunnel data to obtain obfuscated ICMP tunnel data;
training the discriminator on the normal ICMP tunnel data and the hidden ICMP tunnel data;
and training the generator on the obfuscated ICMP tunnel data.
In this implementation, a discriminator that can accurately tell attack data from normal data is trained on the real data, and a generator that can produce large amounts of attack data resembling normal data is trained on the real attack data together with self-generated obfuscated data.
Further, parsing the ICMP attack packets to obtain hidden ICMP tunnel data comprises:
parsing the ICMP attack packets to obtain the hidden data stored in the optional data field;
and generating hidden ICMP tunnel data from the hidden data.
In this implementation, the contents of the ICMP optional data field that carry the hidden data are extracted and assembled into hidden ICMP tunnel data, so the deep parsing of the ICMP attack packets is completed quickly.
Further, applying simulated obfuscation to the hidden ICMP tunnel data to obtain obfuscated ICMP tunnel data comprises:
randomly generating a positive integer smaller than a preset value, and randomly generating an eight-bit binary number;
selecting as obfuscation target bytes those bytes of the hidden ICMP tunnel data whose position (counted from 1) is a multiple of the positive integer;
XORing each target byte with the eight-bit binary number to obtain simulated obfuscated bytes;
and generating the obfuscated ICMP tunnel data from the simulated obfuscated bytes and the remaining, unchanged bytes.
Further, training the discriminator on the normal ICMP tunnel data and the hidden ICMP tunnel data comprises:
determining whether the amount of hidden ICMP tunnel data is smaller than a preset amount;
when it is, oversampling the hidden ICMP tunnel data to obtain expanded ICMP tunnel data;
and training the discriminator on the normal ICMP tunnel data and the expanded ICMP tunnel data.
Further, training the generator on the obfuscated ICMP tunnel data comprises:
training a generator built on a preset multilayer GRU model using the obfuscated ICMP tunnel data.
Further, iteratively training the generator through the GAN to obtain the simulated tunnel data generator comprises:
iteratively training the generator through the GAN to obtain a data generator;
determining whether the data produced by the data generator has a quality problem;
and, when it does not, taking the data generator as the simulated tunnel data generator.
A second aspect of the present application provides an apparatus for generating simulated ICMP packets, the apparatus comprising:
an acquisition unit for obtaining normal ICMP packets and ICMP attack packets;
a training unit for training a discriminator on the normal ICMP packets and the ICMP attack packets, and training a generator on the ICMP attack packets;
a construction unit for building a generative adversarial network (GAN) from the discriminator and the generator;
an iteration unit for iteratively training the generator through the GAN to obtain a simulated tunnel data generator;
the acquisition unit being further used to obtain the simulated ICMP tunnel data generated by the simulated tunnel data generator;
and a generating unit for generating simulated ICMP packets from the simulated ICMP tunnel data.
In operation, the apparatus automatically trains a suitable GAN, iterates it to obtain a good-quality simulated tunnel data generator, has that generator produce simulated ICMP tunnel data, and packages the data into simulated ICMP packets. A large number of plausible simulated ICMP packets can thus be obtained, so that a subsequent machine learning model has enough black samples to train on.
A third aspect of the present application provides an electronic device comprising a memory and a processor, the memory storing a computer program and the processor running the computer program so that the electronic device executes the method for generating simulated ICMP packets according to any one of the first aspect.
A fourth aspect of the present application provides a computer-readable storage medium storing computer program instructions which, when read and executed by a processor, perform the method for generating simulated ICMP packets according to any one of the first aspect.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic flow chart of a method for generating simulated ICMP packets according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of an apparatus for generating simulated ICMP packets according to an embodiment of the present application;
fig. 3 is a schematic flow chart of an example of a method for generating simulated ICMP packets according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of a GRU model according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
Example 1
Referring to Fig. 1, which is a schematic flow chart of a method for generating simulated ICMP packets according to an embodiment of the present application, the method comprises the following steps:
S101, obtaining normal ICMP packets and ICMP attack packets.
In this embodiment, the normal ICMP packets and the ICMP attack packets are both packets of the ICMP protocol.
ICMP is an Internet control protocol carried directly over IP. Its packets come in two formats, ICMPv4 and ICMPv6; although the two headers differ slightly, both can carry a data payload.
For example, taking ICMPv4, an ICMP packet obtained by the method may be laid out as shown in the following table:
[Table: ICMPv4 packet layout; not recoverable from the extracted page.]
In practice an APT attacker usually obfuscates and encodes the data sent over the tunnel. Obfuscation means that the result of executing malicious code stays essentially the same while its composition changes, for example by renaming functions and classes in script code, inserting spaces and meaningless characters, or adding useless comments. It is used to defeat rule-based detection and whole-file hashes (MD5, SHA-1, SHA-256 and the like), is very common in penetration and intrusion work, and comes in countless variants, since an attacker can always invent new ones. Encoding or encryption is applied so that the transmitted content cannot be read directly; because a heavy encryption scheme costs decryption resources, adds code and works against the stealth an APT needs, simple reversible encodings such as base32 and base64 are commonly used (these are encodings, not encryption, and give no confidentiality against an analyst who recognises them).
In this embodiment, the ICMP attack packets may have been produced by such means.
In this embodiment, an ICMP attack packet is an ICMP packet known to have been used in an APT attack.
S102, parsing the normal ICMP packets to obtain normal ICMP tunnel data.
In this embodiment, the ICMP packets form a packet sequence.
In this embodiment, the method performs deep parsing of the ICMP packet sequence. Specifically, each internal field of the packets P1, P2, ..., Pn is obtained according to the ICMP protocol layout, and the ICMP data is determined from those fields.
S103, parsing the ICMP attack packets to obtain the hidden data stored in the optional data field.
In this embodiment, the hidden data is the content of the optional data field.
S104, generating hidden ICMP tunnel data from the hidden data.
In this embodiment, because ICMP tunnels usually carry their hidden data in the optional data field of the ICMP packet, the method concatenates the optional data fields of P1, P2, ..., Pn into one binary sequence M, and M represents one complete hidden ICMP tunnel data stream.
S105, applying simulated obfuscation to the hidden ICMP tunnel data to obtain obfuscated ICMP tunnel data.
In this embodiment, the method deliberately adds simulated obfuscation to the binary sequence M to obtain obfuscated ICMP tunnel data.
As an optional implementation, applying simulated obfuscation to the hidden ICMP tunnel data to obtain obfuscated ICMP tunnel data comprises:
randomly generating a positive integer smaller than a preset value, and randomly generating an eight-bit binary number;
selecting as obfuscation target bytes those bytes of the hidden ICMP tunnel data whose position (counted from 1) is a multiple of the positive integer;
XORing each target byte with the eight-bit binary number to obtain simulated obfuscated bytes;
and generating the obfuscated ICMP tunnel data from the simulated obfuscated bytes and the remaining, unchanged bytes.
For example, the method may fix a positive integer N in advance (the preset value), say N = 5, and use a random number generator to pick an integer n uniformly from 1 to N. Counting from the first byte of M, every n-th byte (positions n, 2n, 3n, ...) is a byte to be obfuscated. Next, the method draws an integer uniformly from 0 to 255 and writes it as an eight-bit binary number, for example 100 = 01100100. Each byte to be obfuscated is then XORed with this eight-bit number: if the original byte is 11111111, the new byte after XOR with 01100100 is 10011011. The same eight-bit number is used for every byte to be obfuscated in this step, so the transformation is its own inverse: applying the same XOR again recovers the original bytes.
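Worked example of steps S102 to S105, added here and not part of the patent: it parses IPv4 frames carrying ICMPv4, concatenates the optional data fields of echo request/reply packets into the sequence M, and applies the XOR-every-n-th-byte simulated obfuscation. The sample frames are constructed inline (addresses, identifier and base64 payload are arbitrary) and their checksums are left at zero because this parser does not verify them.

```python
import random
import struct

# Added example, not the patent's code: parse ICMPv4-over-IPv4 frames, build the
# binary sequence M from the optional data fields (S102-S104), and apply the
# XOR-every-nth-byte simulated obfuscation (S105).

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
IPPROTO_ICMP = 1


def parse_icmpv4(frame: bytes) -> dict:
    """Return the ICMP header fields and the optional data field (everything
    after the 8-byte ICMP header) of an IPv4 frame carrying ICMP."""
    if len(frame) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    if frame[9] != IPPROTO_ICMP:
        raise ValueError("not ICMP (protocol %d)" % frame[9])
    icmp = frame[ihl:total_len]
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, checksum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {"type": icmp_type, "code": code, "checksum": checksum,
            "id": ident, "seq": seq, "data": icmp[8:]}


def build_sequence_m(frames) -> bytes:
    """S102-S104: concatenate the optional data fields of P1..Pn into M.
    Only echo request/reply packets are used, the types ICMP tunnels ride on."""
    parts = []
    for frame in frames:
        p = parse_icmpv4(frame)
        if p["type"] in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
            parts.append(p["data"])
    return b"".join(parts)


def xor_every_nth(m: bytes, n: int, key: int) -> bytes:
    """XOR positions n, 2n, 3n, ... of m (counted from 1) with the byte key.
    XOR is its own inverse: applying it twice with the same n and key restores m."""
    if n < 1 or not 0 <= key <= 255:
        raise ValueError("n must be >= 1 and key must fit in one byte")
    out = bytearray(m)
    for i in range(n - 1, len(out), n):
        out[i] ^= key
    return bytes(out)


def simulate_obfuscation(m: bytes, preset_n: int = 5, rng=None):
    """S105: draw n uniformly from 1..preset_n and an eight-bit key from 0..255,
    then obfuscate every n-th byte. Returns (obfuscated, n, key)."""
    if rng is None:
        rng = random.Random()
    n = rng.randint(1, preset_n)
    key = rng.randint(0, 255)
    return xor_every_nth(m, n, key), n, key


def constructed_frame(data: bytes, seq: int) -> bytes:
    """Constructed sample input: minimal IPv4 header plus ICMP echo request.
    Addresses and identifier are arbitrary; both checksums are left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(data), 0, 0, 64,
                     IPPROTO_ICMP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x1234, seq)
    return ip + icmp + data


# Two constructed tunnel packets whose payloads are base64 text, the "simple
# encoding" case described above.
SAMPLE_FRAMES = [constructed_frame(b"aGVsbG8gd29y", 1),
                 constructed_frame(b"bGQK", 2)]

if __name__ == "__main__":
    m = build_sequence_m(SAMPLE_FRAMES)
    obf, n, key = simulate_obfuscation(m, rng=random.Random(7))
    print("M =", m)
    print("n=%d key=0x%02x obfuscated=%s" % (n, key, obf.hex()))
    print("restored:", xor_every_nth(obf, n, key) == m)
```

Because the same key is applied to every n-th byte, a detector that knows n and the key can undo the obfuscation exactly; the point of the step in the patent is only to make the generator's training data look like what an attacker would send, not to hide anything from the discriminator.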
S106, training a discriminator on the normal ICMP tunnel data and the hidden ICMP tunnel data.
In this embodiment, the method defines a discriminator D in advance; D may be any machine learning model with discriminative capability, such as a logistic regression model, a neural network or a decision tree.
As an optional implementation, training the discriminator on the normal ICMP tunnel data and the hidden ICMP tunnel data comprises:
determining whether the amount of hidden ICMP tunnel data is smaller than a preset amount;
when it is, oversampling the hidden ICMP tunnel data to obtain expanded ICMP tunnel data;
and training the discriminator on the normal ICMP tunnel data and the expanded ICMP tunnel data.
In this implementation, when only a small amount of real ICMP tunnel traffic has been collected, the tunnel data can be enlarged by oversampling so that it is balanced against the normal ICMP packet data.
S107, training a generator on the preset multilayer GRU model and the obfuscated ICMP tunnel data.
In this embodiment, the network structure of the generator G is designed in advance as a multilayer neural network.
Referring to Fig. 4, which shows the architecture of a GRU cell, the GRU model uses the following four equations:
r_t = \sigma(W_r \cdot [h_{t-1}, x_t])
\tilde{h}_t = \tanh(W \cdot [r_t \odot h_{t-1}, x_t])
z_t = \sigma(W_z \cdot [h_{t-1}, x_t])
h_t = (1 - z_t) \odot h_{t-1} + z_t \odot \tilde{h}_t
Here the GRU (gated recurrent unit) is a kind of recurrent neural network for extracting sequential features; it is a variant of the LSTM that keeps the LSTM's ability to capture long-range dependencies while using fewer parameters. In Fig. 4, x_t is the input, r_t the reset gate and z_t the update gate; with one gate fewer than the LSTM the computation is simpler. The reset gate controls how much of the previous state enters the candidate state \tilde{h}_t for the current step; (1 - z_t) selectively forgets the previous hidden state, and z_t selectively retains the current step's information.
In this embodiment, since the generator G outputs simulated tunnel data, the number of output nodes of G is set equal to the dimension of the tunnel data fed in as the seed.
In this embodiment, the method feeds the obfuscated ICMP tunnel data to the generator G as input; data shorter than the input dimension is zero-padded and data longer than it is truncated.
S108, building a generative adversarial network from the discriminator and the generator.
In this embodiment, the method builds a generative adversarial network (GAN) in advance, consisting mainly of a generator G and a discriminator D, each a neural network model; here they are the generator and discriminator trained above. In the GAN, G and D are refined further by training until D can hardly tell whether a data sample is real or fake, i.e. whether it was produced by G or is one of the prepared training samples.
In this embodiment, the method first fixes the network parameters of G and trains D on the known real ICMP tunnel traffic and on the data field content of normal ICMP packets, iterating D's parameters until its loss converges. It then fixes D's parameters, connects G to D, and feeds the simulated ICMP tunnel traffic output by G into the fixed D; after G's parameters have been updated for several iterations against the loss, G is fixed again and D is iterated. Typically G is iterated more often than D, for example in a 5:1 ratio.
In this embodiment, after this alternation has been repeated several times, the method checks whether the loss has reached the convergence criterion, and stops iterating when it has.
S109, iteratively training the generator through the GAN to obtain a data generator.
In this embodiment, the discriminator D passes judgement on the obfuscated simulated ICMP tunnel data produced by G. The more often D classifies the simulated tunnel data as real tunnel traffic, the smaller the error fed back to G and the better G is performing.
S110, determining whether the data produced by the data generator has a quality problem; if so, the process ends, otherwise step S111 is executed.
In this embodiment, the method checks the quality of the simulated data produced by G. If the output converges to a single mode, or only a single binary sequence is ever produced, mode collapse has occurred, and the training parameters, network architecture and activation functions must be chosen again so as to avoid mode collapse and bring the loss to the required convergence criterion.
In this embodiment, the quality problem includes the mode collapse described above.
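As an added illustration of the quality check in S110 (example code, not the patent's): two cheap statistics that flag mode collapse in a batch of generated byte sequences. A collapsed generator repeats one or a few outputs, so the share of distinct samples and the per-position byte entropy both fall toward zero. The thresholds are assumptions to be tuned on real hidden tunnel data, and both sample batches are constructed.

```python
import math
from collections import Counter

# Added example, not the patent's code: detect mode collapse (S110) in a batch
# of generated tunnel-data sequences.


def distinct_ratio(samples) -> float:
    """Fraction of the generated sequences that are unique (1.0 = all differ)."""
    if not samples:
        return 0.0
    return len(set(samples)) / len(samples)


def mean_position_entropy(samples) -> float:
    """Mean Shannon entropy in bits of the byte value at each position, over
    the length shared by all samples. 8.0 is the maximum for a byte."""
    if not samples:
        return 0.0
    width = min(len(s) for s in samples)
    if width == 0:
        return 0.0
    n = len(samples)
    total = 0.0
    for pos in range(width):
        counts = Counter(s[pos] for s in samples)
        total -= sum((c / n) * math.log2(c / n) for c in counts.values())
    return total / width


def has_mode_collapse(samples, min_distinct=0.5, min_entropy=1.0) -> bool:
    """Flag a batch whose diversity is below either threshold. The thresholds
    are assumptions; tune them against the real hidden tunnel data."""
    return (distinct_ratio(samples) < min_distinct
            or mean_position_entropy(samples) < min_entropy)


# Constructed batches: one collapsed to a single sequence, one diverse.
COLLAPSED_BATCH = [b"\x00\x01\x02\x03"] * 8
HEALTHY_BATCH = [bytes([i, 255 - i, (i * 37) & 0xFF, (i * 91) & 0xFF])
                 for i in range(8)]

if __name__ == "__main__":
    for name, batch in (("collapsed", COLLAPSED_BATCH), ("healthy", HEALTHY_BATCH)):
        print(name, "distinct=%.2f entropy=%.2f collapse=%s" % (
            distinct_ratio(batch), mean_position_entropy(batch),
            has_mode_collapse(batch)))
```

Run this on each batch the generator emits during the alternating training; a sudden drop in either statistic between consecutive checks is the practical signal to stop and reselect parameters, architecture or activation functions as the step above requires.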
S111, taking the data generator as the simulated tunnel data generator.
S112, obtaining the simulated ICMP tunnel data generated by the simulated tunnel data generator.
S113, generating simulated ICMP packets from the simulated ICMP tunnel data.
In this embodiment, the preceding steps output, in batches, obfuscated simulated ICMP tunnel optional-data-field content that meets the requirements of machine learning detection. This step then adds the ICMP header and other fields to restore each item to a complete simulated ICMP packet.
In this embodiment, the simulated ICMP packets can be used together with other normal ICMP traffic for supervised training, and for packet replay testing on network devices.
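Worked example of the restoration step S113, added here and not the patent's code: the simulated tunnel data is split into chunks, each chunk becomes the optional data field of an ICMPv4 echo request with a correct RFC 1071 checksum, and the packet can be wrapped in an IPv4 header for replay on a network device. Chunk size, identifier, addresses and TTL are assumptions, and the tunnel data is a constructed stand-in for generator output.

```python
import struct

# Added example, not the patent's code: restore simulated tunnel data to
# complete ICMPv4 packets (S113). Each chunk becomes the optional data field of
# an echo request with a valid checksum; wrap_ipv4 adds an IPv4 header so the
# packet can be replayed or written to a pcap.

ICMP_ECHO_REQUEST = 8
IPPROTO_ICMP = 1


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum, used by both the ICMP and the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(payload: bytes, ident: int, seq: int) -> bytes:
    """ICMP header (type 8, code 0) with the checksum computed over header+payload."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = ones_complement_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def checksum_valid(icmp_packet: bytes) -> bool:
    """A correctly checksummed packet sums to zero under the same algorithm."""
    return ones_complement_checksum(icmp_packet) == 0


def tunnel_data_to_packets(tunnel_data: bytes, chunk: int = 32, ident: int = 0x1234):
    """Split the simulated tunnel data into echo requests with consecutive
    sequence numbers, one chunk per optional data field (chunk size assumed)."""
    return [build_echo_request(tunnel_data[off:off + chunk], ident, seq)
            for seq, off in enumerate(range(0, len(tunnel_data), chunk), start=1)]


def wrap_ipv4(icmp_packet: bytes, src=b"\x0a\x00\x00\x01",
              dst=b"\x0a\x00\x00\x02", ttl=64) -> bytes:
    """Prepend a 20-byte IPv4 header (DF set, no options) with its own checksum.
    Addresses and TTL are arbitrary assumptions."""
    total = 20 + len(icmp_packet)
    fields = [0x45, 0, total, 0, 0x4000, ttl, IPPROTO_ICMP, 0, src, dst]
    header = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = ones_complement_checksum(header)
    return struct.pack("!BBHHHBBH4s4s", *fields) + icmp_packet


# Constructed stand-in for the generator's output.
SIMULATED_TUNNEL_DATA = bytes((i * 131 + 7) & 0xFF for i in range(70))

if __name__ == "__main__":
    for pkt in tunnel_data_to_packets(SIMULATED_TUNNEL_DATA):
        frame = wrap_ipv4(pkt)
        print(len(frame), "bytes, ICMP checksum ok:", checksum_valid(pkt))
```

Getting the checksum right matters for the replay use mentioned above: a device under test will typically drop an echo request with a bad ICMP checksum before any detection logic sees the optional data field, so a bad checksum would make the simulated packets useless for that purpose.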
As an optional implementation, after generating the simulated ICMP packets from the simulated ICMP tunnel data, the method further comprises:
training a preset machine learning model on the simulated ICMP packets to obtain an ICMP attack packet recognition model, which is used to recognise ICMP attack packets.
Referring to Fig. 3, a schematic flow chart of an example of the method for generating simulated ICMP packets. There, the normal data are the normal ICMP packets, the APT attack tunnel data are the ICMP attack packets, the data segments are the normal and hidden ICMP tunnel data, white samples are samples without attack data, black samples are samples containing attack data, the model training module trains the GAN, and the ICMP tunnel data produced after training is the obfuscated ICMP tunnel data.
For example, the method collects ICMP traffic from the live network and, with the expert knowledge of security researchers, screens out a small amount of ICMP tunnel traffic of the APT attack type as black samples and the remaining normal traffic as white samples. The small set of black-sample tunnel traffic is then used as input to generate a sufficient quantity of simulated hidden tunnel traffic with the method above. The simulated ICMP tunnel traffic and the normal traffic are then used for supervised training to obtain a machine learning detection model. Finally the model is deployed in the production environment, live ICMP traffic is fed to it, and it judges whether the input is APT attack traffic similar to the hidden ICMP tunnel used as input, thereby detecting obfuscated APT-type hidden ICMP tunnels.
This implementation addresses two problems: conventional ICMP tunnel detection methods find hidden ICMP tunnels hard to detect, and conventional machine-learning methods build their training traffic with open-source ICMP tunnel tools and therefore cannot accurately detect the ICMP communication used in APT attacks. Specifically, the method takes a small amount of captured APT ICMP tunnel traffic, adds obfuscation as an attacker would, and uses a GAN to generate a batch of simulated ICMP tunnel traffic that is closer to the real thing than traffic produced with an open-source tunnel tool, which helps a machine learning detection model detect APT-type ICMP tunnel communication.
In the embodiments of the present application, the method may be executed by a computing device such as a computer or a server, or by a smart device such as a smartphone or a tablet; the executing device is not limited in this embodiment.
It can be seen that traffic of APT-type ICMP attack tunnels is very hard to obtain, and traffic produced with an open-source tunnel tool cannot be used directly to train a machine learning detection model, because its underlying feature distribution may be completely different from that of the APT attack traffic to be detected. To address this, the method described in this embodiment provides a way of simulating ICMP tunnel traffic with obfuscation added, and can produce ICMP tunnel traffic data that meets the training requirements of a machine learning detection model.
Embodiment 2
Please refer to fig. 2, fig. 2 is a schematic structural diagram of an ICMP simulation message generating apparatus according to an embodiment of the present application. As shown in fig. 2, the ICMP simulation message generating apparatus includes:
an obtaining unit 210, configured to obtain an ICMP normal message and an ICMP attack message;
a training unit 220, configured to train a discriminator according to the ICMP normal message and the ICMP attack message, and to train a generator according to the ICMP attack message;
a construction unit 230, configured to construct a generative adversarial network from the discriminator and the generator;
an iteration unit 240, configured to perform iterative training on the generator through the generative adversarial network to obtain a simulated tunnel data generator;
the obtaining unit 210 is further configured to obtain the ICMP simulated tunnel data generated by the simulated tunnel data generator;
a generating unit 250, configured to generate an ICMP simulation message according to the ICMP simulated tunnel data.
As an optional implementation, the training unit 220 includes:
a parsing subunit 221, configured to parse the ICMP normal message to obtain ICMP normal tunnel data;
the parsing subunit 221 is further configured to parse the ICMP attack message to obtain ICMP hidden tunnel data;
an obfuscating subunit 222, configured to perform simulated obfuscation processing on the ICMP hidden tunnel data to obtain ICMP obfuscated tunnel data;
a training subunit 223, configured to train the discriminator according to the ICMP normal tunnel data and the ICMP hidden tunnel data;
the training subunit 223 is further configured to train the generator according to the ICMP obfuscated tunnel data.
As an optional implementation, the parsing subunit 221 includes:
a first parsing module, configured to parse the ICMP attack message to obtain the hidden data stored in its optional data field;
a first generation module, configured to generate the ICMP hidden tunnel data according to the hidden data.
As an optional implementation, the obfuscating subunit 222 includes:
a second generation module, configured to randomly generate a positive integer smaller than a preset value and to randomly generate an eight-bit binary number;
a determining module, configured to determine the bytes of the ICMP hidden tunnel data whose byte position is a multiple of the positive integer as the obfuscation bytes to be simulated;
an obfuscation module, configured to XOR each obfuscation byte to be simulated with the eight-bit binary number to obtain the simulated obfuscation bytes;
the second generation module is further configured to generate the ICMP obfuscated tunnel data from the simulated obfuscation bytes and the remaining bytes.
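As an added example (not code from the patent), the parsing, obfuscation and packaging steps above in Python: an ICMP echo message is parsed to extract its optional data field, every byte whose position is a multiple of a random positive integer k is XORed with a random eight-bit value, and the result is re-packaged with a valid checksum, which is also the packaging step the generating unit 250 needs when it turns generated tunnel data into an ICMP message. The byte-position convention (0-based, so index 0 counts as a multiple of k), the echo-request layout, the sample payload and all function names are assumptions made here.

```python
import random
import struct

# Constructed example, not code from the patent: parse an ICMP echo message,
# apply the XOR obfuscation of subunit 222 to its optional data field, and
# re-package the result as a checksummed ICMP message (generating unit 250).

# ICMP echo header: type (1 byte), code (1), checksum (2), identifier (2), sequence (2).
ICMP_HEADER = struct.Struct("!BBHHH")
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a message whose
    checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp_message(message: bytes) -> dict:
    """Split an ICMP echo message into header fields and the optional data
    field, which is where a hidden tunnel carries its payload (the 'hidden
    data' the first parsing module extracts)."""
    if len(message) < ICMP_HEADER.size:
        raise ValueError("message shorter than an ICMP echo header")
    if icmp_checksum(message) != 0:
        raise ValueError("bad ICMP checksum")
    typ, code, _chksum, ident, seq = ICMP_HEADER.unpack_from(message)
    return {"type": typ, "code": code, "id": ident, "seq": seq,
            "data": message[ICMP_HEADER.size:]}


def build_icmp_message(data: bytes, ident: int, seq: int,
                       typ: int = ICMP_ECHO_REQUEST) -> bytes:
    """Package tunnel data into a well-formed ICMP echo message with a
    freshly computed checksum."""
    header = ICMP_HEADER.pack(typ, 0, 0, ident, seq)
    chksum = icmp_checksum(header + data)
    return ICMP_HEADER.pack(typ, 0, chksum, ident, seq) + data


def simulate_obfuscation(hidden: bytes, k: int, mask: int) -> bytes:
    """Obfuscation step with a given positive integer k and 8-bit mask.
    Assumption: byte positions are 0-based, so every byte at index i with
    i % k == 0 is XORed with mask; all other bytes are left unchanged.
    Applying the same (k, mask) twice restores the original data."""
    if k <= 0 or not 0 <= mask <= 0xFF:
        raise ValueError("k must be positive and mask an 8-bit value")
    return bytes(b ^ mask if i % k == 0 else b for i, b in enumerate(hidden))


def random_obfuscation_params(preset_max: int, rng: random.Random) -> tuple:
    """Draw the random positive integer (< preset_max, so preset_max must be
    at least 2) and the random 8-bit value of the second generation module."""
    return rng.randrange(1, preset_max), rng.randrange(0, 256)


def obfuscated_copy(message: bytes, preset_max: int, rng: random.Random) -> bytes:
    """Parse one captured tunnel message, obfuscate its hidden data and
    re-package it, giving one extra black sample of the same length."""
    fields = parse_icmp_message(message)
    k, mask = random_obfuscation_params(preset_max, rng)
    obf = simulate_obfuscation(fields["data"], k, mask)
    return build_icmp_message(obf, fields["id"], fields["seq"], fields["type"])


# Constructed sample: an echo request whose data field holds a made-up
# tunnel payload (not a real capture).
SAMPLE_MESSAGE = build_icmp_message(b"constructed tunnel payload 0123", 0x1234, 1)

if __name__ == "__main__":
    copy = obfuscated_copy(SAMPLE_MESSAGE, preset_max=8, rng=random.Random(7))
    print(parse_icmp_message(copy))
```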
As an optional implementation, the training subunit 223 includes:
a judging module, configured to judge whether the data volume of the ICMP hidden tunnel data is smaller than a preset data volume;
a sampling module, configured to expand the ICMP hidden tunnel data by sampling to obtain ICMP expanded tunnel data when the data volume of the ICMP hidden tunnel data is smaller than the preset data volume;
a training module, configured to train the discriminator according to the ICMP normal tunnel data and the ICMP expanded tunnel data.
As an optional implementation, the training subunit 223 is specifically configured to train the generator according to a preset multi-layer GRU model and the ICMP obfuscated tunnel data.
As an optional implementation, the iteration unit 240 includes:
an iteration subunit 241, configured to perform iterative training on the generator through the generative adversarial network to obtain a data generator;
a judging subunit 242, configured to judge whether the data generated by the data generator has quality problems;
a determining subunit 243, configured to determine the data generator as the simulated tunnel data generator when the data has no quality problems.
In this embodiment of the present application, for the explanation of the ICMP simulation message generating apparatus, reference may be made to the description in embodiment 1 or embodiment 2, and the details are not repeated here.
In summary, the ICMP simulation message generating apparatus described in this embodiment can automatically train a suitable generative adversarial network and iterate it into a good-quality simulated tunnel data generator; the simulated tunnel data generator produces ICMP simulated tunnel data, which is then packaged into ICMP simulation messages. Implementing this embodiment therefore yields a large number of reliable ICMP simulation messages, so that the subsequent machine learning model has enough black samples to train on.
An embodiment of the present application provides an electronic device, including a memory and a processor, where the memory is used to store a computer program, and the processor runs the computer program to make the electronic device execute the method for generating an ICMP simulation message in embodiment 1 of the present application.
An embodiment of the present application provides a computer-readable storage medium, which stores computer program instructions, and when the computer program instructions are read and executed by a processor, the computer program instructions execute the method for generating an ICMP simulation message in embodiment 1 of the present application.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. A method for generating an ICMP simulation message, comprising:
acquiring an ICMP normal message and an ICMP attack message;
training a discriminator according to the ICMP normal message and the ICMP attack message, and training a generator according to the ICMP attack message;
constructing a generative adversarial network according to the discriminator and the generator;
performing iterative training on the generator through the generative adversarial network to obtain a simulated tunnel data generator;
acquiring ICMP simulation tunnel data generated by the simulation tunnel data generator;
and generating an ICMP simulation message according to the ICMP simulation tunnel data.
2. The method for generating an ICMP simulation message according to claim 1, wherein the training a discriminator according to the ICMP normal message and the ICMP attack message, and the training a generator according to the ICMP attack message includes:
parsing the ICMP normal message to obtain ICMP normal tunnel data;
parsing the ICMP attack message to obtain ICMP hidden tunnel data;
performing simulated obfuscation processing on the ICMP hidden tunnel data to obtain ICMP obfuscated tunnel data;
training a discriminator according to the ICMP normal tunnel data and the ICMP hidden tunnel data;
and training a generator according to the ICMP obfuscated tunnel data.
3. The method for generating an ICMP simulation message according to claim 2, wherein the step of parsing the ICMP attack message to obtain ICMP hidden tunnel data includes:
parsing the ICMP attack message to obtain the hidden data stored in the optional data field;
and generating ICMP hidden tunnel data according to the hidden data.
4. The method for generating an ICMP simulation message according to claim 2, wherein the step of performing simulated obfuscation processing on the ICMP hidden tunnel data to obtain ICMP obfuscated tunnel data includes:
randomly generating a positive integer smaller than a preset value, and randomly generating an eight-bit binary number;
determining the bytes of the ICMP hidden tunnel data whose byte position is a multiple of the positive integer as the obfuscation bytes to be simulated;
performing exclusive-or processing of the eight-bit binary number with the obfuscation bytes to be simulated to obtain simulated obfuscation bytes;
and generating ICMP obfuscated tunnel data according to the simulated obfuscation bytes and the remaining bytes.
5. The method for generating an ICMP simulation message according to claim 2, wherein the step of training a discriminator according to the ICMP normal tunnel data and the ICMP hidden tunnel data comprises:
judging whether the data volume of the ICMP hidden tunnel data is smaller than a preset data volume;
when the data volume of the ICMP hidden tunnel data is smaller than the preset data volume, expanding the ICMP hidden tunnel data by sampling to obtain ICMP expanded tunnel data;
and training a discriminator according to the ICMP normal tunnel data and the ICMP expanded tunnel data.
6. The method for generating an ICMP simulation message according to claim 2, wherein the step of training a generator according to the ICMP obfuscated tunnel data comprises:
training a generator according to a preset multi-layer GRU model and the ICMP obfuscated tunnel data.
7. The method for generating an ICMP simulation message according to claim 1, wherein the step of performing iterative training on the generator through the generative adversarial network to obtain a simulated tunnel data generator comprises:
performing iterative training on the generator through the generative adversarial network to obtain a data generator;
judging whether the data generated by the data generator has quality problems;
and determining the data generator as the simulated tunnel data generator when the data has no quality problems.
8. An apparatus for generating an ICMP simulation message, comprising:
an obtaining unit, configured to obtain an ICMP normal message and an ICMP attack message;
a training unit, configured to train a discriminator according to the ICMP normal message and the ICMP attack message, and to train a generator according to the ICMP attack message;
a construction unit, configured to construct a generative adversarial network according to the discriminator and the generator;
an iteration unit, configured to perform iterative training on the generator through the generative adversarial network to obtain a simulated tunnel data generator;
the obtaining unit is further configured to obtain the ICMP simulated tunnel data generated by the simulated tunnel data generator;
and a generating unit, configured to generate an ICMP simulation message according to the ICMP simulated tunnel data.
9. An electronic device, comprising a memory for storing a computer program and a processor for executing the computer program to cause the electronic device to perform the method of generating an ICMP simulation message according to any one of claims 1 to 7.
10. A readable storage medium having stored thereon computer program instructions which, when read and executed by a processor, perform a method of generating an ICMP simulation message according to any one of claims 1 to 7.
CN202111446474.5A 2021-11-30 2021-11-30 ICMP simulation message generation method and device Active CN114499923B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111446474.5A CN114499923B (en) 2021-11-30 2021-11-30 ICMP simulation message generation method and device

Publications (2)

Publication Number Publication Date
CN114499923A true CN114499923A (en) 2022-05-13
CN114499923B CN114499923B (en) 2023-11-10

Family

ID=81493064

Country Status (1)

Country Link
CN (1) CN114499923B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant