CN114499923B - ICMP simulation message generation method and device - Google Patents


Info

Publication number
CN114499923B
CN114499923B (application CN202111446474.5A)
Authority
CN
China
Prior art keywords
icmp
tunnel data
data
generator
training
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111446474.5A
Other languages
Chinese (zh)
Other versions
CN114499923A (en)
Inventor
庞瑞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd
Priority to CN202111446474.5A
Publication of CN114499923A
Application granted
Publication of CN114499923B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 3/00 Computing arrangements based on biological models
    • G06N 3/02 Neural networks
    • G06N 3/04 Architecture, e.g. interconnection topology
    • G06N 3/044 Recurrent networks, e.g. Hopfield networks
    • G06N 3/045 Combinations of networks
    • G06N 3/047 Probabilistic or stochastic networks
    • G06N 3/08 Learning methods
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/22 Parsing or analysis of headers

Abstract

The application provides a method and a device for generating simulated ICMP packets, in the field of network security. The method comprises: acquiring normal ICMP packets and ICMP attack packets; training a discriminator on the normal and attack packets, and training a generator on the attack packets; constructing a generative adversarial network (GAN) from the discriminator and the generator; iteratively training the generator through the GAN to obtain a simulated tunnel data generator; acquiring the simulated ICMP tunnel data produced by that generator; and generating simulated ICMP packets from the simulated tunnel data. By implementing this embodiment a large number of simulated ICMP packets can be generated, which addresses the scarcity of black samples (malicious samples) when training machine learning models.

Description

ICMP simulation message generation method and device
Technical Field
The application relates to the field of network security, in particular to a method and a device for generating simulated ICMP (Internet Control Message Protocol) packets.
Background
At present, APT attackers have begun to deliver obfuscated Trojan payloads over ICMP tunnels. Because APT activity is covert and built to evade detection, the ICMP traffic produced by APT command-and-control communication is extremely hard to obtain, so genuine ICMP attack traffic is rare, and the black samples available for training a machine learning model are correspondingly scarce.
Disclosure of Invention
The embodiments of the application aim to provide a method and a device for generating simulated ICMP packets, which can produce a large number of such packets and thereby solve the scarcity of black samples in machine learning model training.
A first aspect of the embodiments provides a method for generating simulated ICMP packets, comprising the following steps: acquiring normal ICMP packets and ICMP attack packets;
training a discriminator on the normal ICMP packets and the ICMP attack packets, and training a generator on the ICMP attack packets;
constructing a generative adversarial network from the discriminator and the generator;
iteratively training the generator through the generative adversarial network to obtain a simulated tunnel data generator;
acquiring the simulated ICMP tunnel data produced by the simulated tunnel data generator;
and generating simulated ICMP packets from the simulated ICMP tunnel data.
By implementing this embodiment, the generative adversarial network is built in advance and trained on the acquired normal and attack ICMP packets; the adversarial training yields a simulated tunnel data generator, which can produce a large amount of realistic simulated ICMP tunnel data that is then re-encapsulated into simulated ICMP packets, solving the scarcity of black samples for machine learning model training.
Further, the step of training the discriminator on the normal ICMP packets and the ICMP attack packets, and training the generator on the ICMP attack packets, comprises:
parsing the normal ICMP packets to obtain normal ICMP tunnel data;
parsing the ICMP attack packets to obtain hidden ICMP tunnel data;
applying simulated obfuscation to the hidden ICMP tunnel data to obtain obfuscated ICMP tunnel data;
training a discriminator on the normal ICMP tunnel data and the hidden ICMP tunnel data;
and training a generator on the obfuscated ICMP tunnel data.
By implementing this embodiment, the method trains, from accurately labelled data, a discriminator that can reliably tell attack data from normal data, and trains, from the genuine attack data plus the self-generated obfuscated data, a generator that can produce a large amount of attack data that is hard to tell apart from the genuine samples.
Further, the step of parsing the ICMP attack packets to obtain hidden ICMP tunnel data comprises:
parsing the ICMP attack packets to obtain the hidden data carried in the optional data field;
and generating the hidden ICMP tunnel data from that hidden data.
By implementing this embodiment, the contents of the ICMP optional data field that carries the hidden data can be extracted and assembled into hidden ICMP tunnel data, completing deep parsing of the ICMP attack packets quickly.
Further, the step of applying simulated obfuscation to the hidden ICMP tunnel data to obtain obfuscated ICMP tunnel data comprises:
randomly generating a positive integer smaller than a preset value, and randomly generating an eight-bit binary number;
selecting, as the bytes to be obfuscated, those bytes of the hidden ICMP tunnel data whose (1-based) byte position is a multiple of the positive integer;
XOR-ing each byte to be obfuscated with the eight-bit binary number to obtain the simulated obfuscated bytes;
and generating the obfuscated ICMP tunnel data from the simulated obfuscated bytes and the remaining, unchanged bytes.
Further, the step of training a discriminator on the normal ICMP tunnel data and the hidden ICMP tunnel data comprises:
judging whether the volume of hidden ICMP tunnel data is smaller than a preset volume;
when it is smaller, oversampling the hidden ICMP tunnel data to obtain expanded ICMP tunnel data;
and training the discriminator on the normal ICMP tunnel data and the expanded ICMP tunnel data.
Further, the step of training a generator on the obfuscated ICMP tunnel data comprises:
training the generator using a preset multi-layer GRU model and the obfuscated ICMP tunnel data.
Further, the step of iteratively training the generator through the generative adversarial network to obtain a simulated tunnel data generator comprises:
iteratively training the generator through the generative adversarial network to obtain a data generator;
judging whether the data produced by the data generator has quality problems;
and, when it does not, adopting the data generator as the simulated tunnel data generator.
A second aspect of the embodiments provides a device for generating simulated ICMP packets, comprising:
an acquisition unit for acquiring normal ICMP packets and ICMP attack packets;
a training unit for training the discriminator on the normal ICMP packets and the ICMP attack packets and training the generator on the ICMP attack packets;
a construction unit for constructing a generative adversarial network from the discriminator and the generator;
an iteration unit for iteratively training the generator through the generative adversarial network to obtain a simulated tunnel data generator;
the acquisition unit being further used to acquire the simulated ICMP tunnel data produced by the simulated tunnel data generator;
and a generation unit for generating simulated ICMP packets from the simulated ICMP tunnel data.
In operation, the device automatically trains a suitable generative adversarial network, iterates it into a high-quality simulated tunnel data generator, has that generator produce simulated ICMP tunnel data, and encapsulates the data into simulated ICMP packets. A large number of realistic simulated ICMP packets can thus be obtained, so that a subsequent machine learning model has enough black samples to train on.
A third aspect provides an electronic device comprising a memory and a processor, the memory storing a computer program and the processor running it so that the device executes the method for generating simulated ICMP packets of any embodiment of the first aspect.
A fourth aspect provides a computer-readable storage medium storing computer program instructions which, when read and executed by a processor, perform the method for generating simulated ICMP packets of any embodiment of the first aspect.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and should not be considered as limiting the scope, and other related drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flow chart of a method for generating simulated ICMP packets according to an embodiment of the application;
Fig. 2 is a schematic structural diagram of a device for generating simulated ICMP packets according to an embodiment of the application;
Fig. 3 is a schematic flow chart of an exemplary method for generating simulated ICMP packets according to an embodiment of the application;
Fig. 4 is a schematic diagram of the GRU model used in an embodiment of the application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the accompanying drawings in the embodiments of the present application.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only to distinguish the description, and are not to be construed as indicating or implying relative importance.
Example 1
Referring to Fig. 1, a flow chart of a method for generating simulated ICMP packets according to an embodiment of the application, the method comprises the following steps:
S101, acquiring normal ICMP packets and ICMP attack packets.
In this embodiment, both the normal ICMP packets and the ICMP attack packets are packets of the ICMP protocol.
In this embodiment, ICMP is an Internet control protocol carried directly over IP. Its packets come in two versions, ICMPv4 and ICMPv6; although the headers of the two versions differ slightly, both can carry a data payload.
For example, taking ICMPv4, the composition of the ICMP packets acquired by the method may be as follows:
APT attackers generally apply obfuscation and encryption to the data sent through the tunnel. Obfuscation means changing the makeup of malicious code while leaving its behaviour essentially unchanged, for example renaming functions and classes in script code, inserting spaces and meaningless characters, or adding junk comments. Such obfuscation is used to defeat rule-based detection and whole-file hash detection (MD5, SHA1, SHA256, etc.); it is very common in intrusion tradecraft, the variants are numerous, and an attacker can also devise their own. Encryption is used to prevent direct analysis of the transmitted content, but complex ciphers consume resources during decryption and require more code, which works against concealment of the APT activity, so simple transformations such as Base32 or Base64 are usually used instead (strictly, these are encodings rather than ciphers and decode without any key, which is why they are cheap for the implant and why a detector can still inspect the content).
In this embodiment, the ICMP attack packets may be produced by the above means.
In this embodiment, an ICMP attack packet is an ICMP packet that has been confirmed to be used in an APT attack.
S102, parsing the normal ICMP packets to obtain normal ICMP tunnel data.
In this embodiment, the ICMP packets form an ordered packet sequence.
In this embodiment, the method performs deep packet parsing on the ICMP packet sequence. Specifically, it reads the internal fields of the packets P1, P2, … Pn according to the ICMP protocol and determines the ICMP data from those fields.
S103, parsing the ICMP attack packets to obtain the hidden data carried in the optional data field.
In this embodiment, "hidden data" denotes the contents of the optional data field.
S104, generating hidden ICMP tunnel data from the hidden data.
In this embodiment, since ICMP tunnel communication stores the hidden data in the optional data field of ICMP, the method concatenates the optional data fields of P1, P2, … Pn into a binary sequence M, and this sequence M represents one complete item of hidden ICMP tunnel data.
S105, applying simulated obfuscation to the hidden ICMP tunnel data to obtain obfuscated ICMP tunnel data.
In this embodiment, the method deliberately adds simulated obfuscation to the binary sequence M to obtain the obfuscated ICMP tunnel data.
As an alternative embodiment, the step of applying simulated obfuscation to the hidden ICMP tunnel data to obtain obfuscated ICMP tunnel data comprises:
randomly generating a positive integer smaller than a preset value, and randomly generating an eight-bit binary number;
selecting, as the bytes to be obfuscated, those bytes of the hidden ICMP tunnel data whose (1-based) byte position is a multiple of the positive integer;
XOR-ing each byte to be obfuscated with the eight-bit binary number to obtain the simulated obfuscated bytes;
and generating the obfuscated ICMP tunnel data from the simulated obfuscated bytes and the remaining, unchanged bytes.
For example, the method pre-selects a positive integer N (the preset value), say N = 5, and draws a positive integer n uniformly from 1 to N with a random number generator. Counting from the first byte of the binary sequence M, every n-th byte (the n-th, 2n-th, 3n-th, …) is a byte to be obfuscated. Next, the method draws a uniformly distributed integer between 0 and 255 and converts it to an eight-bit binary number; for example, 100 becomes 01100100. Each byte to be obfuscated is then XOR-ed with that eight-bit number: if the original byte is 11111111, XOR with 01100100 gives the new byte 10011011. Within one pass, the same eight-bit number is used for every byte to be obfuscated.
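The following Python code is an added example, not code from the patent or from Beijing Topsec; it shows the parsing of S102 to S104 (extracting the optional data field of each ICMPv4 packet and concatenating it into the sequence M) and the simulated obfuscation of S105 with the worked values above (N = 5, key 01100100). The packet layout follows the ICMPv4 echo format; the sample packets, the "C2" payload, and the fixed-width padding helper are constructed for illustration, and the checksum field of the constructed packets is left at zero because parsing here does not verify it.

```python
import random
import struct

# ICMPv4 header: type (1), code (1), checksum (2), rest-of-header (4); echo
# messages use the rest-of-header as identifier (2) + sequence (2). Everything
# after the 8-byte header is the optional data field that a tunnel abuses.
ICMP_HEADER_LEN = 8
ICMP_ECHO_REQUEST = 8


def parse_icmpv4(pkt: bytes) -> dict:
    """Split one raw ICMPv4 packet (IP header already stripped) into its fields."""
    if len(pkt) < ICMP_HEADER_LEN:
        raise ValueError("ICMPv4 packet shorter than the 8-byte header")
    icmp_type, code, checksum, ident, seq = struct.unpack("!BBHHH", pkt[:ICMP_HEADER_LEN])
    return {"type": icmp_type, "code": code, "checksum": checksum,
            "id": ident, "seq": seq, "data": pkt[ICMP_HEADER_LEN:]}


def extract_tunnel_data(packets) -> bytes:
    """Concatenate the optional data fields of P1..Pn into the binary sequence M."""
    return b"".join(parse_icmpv4(p)["data"] for p in packets)


def random_obfuscation_params(preset_n: int, rng: random.Random):
    """Draw n uniformly from 1..N and an eight-bit key uniformly from 0..255."""
    return rng.randint(1, preset_n), rng.randint(0, 255)


def simulate_obfuscation(m: bytes, n: int, key: int) -> bytes:
    """XOR every n-th byte of M (1-based positions n, 2n, 3n, ...) with the same key.

    XOR with a fixed key is an involution, so applying it twice restores M.
    """
    if n < 1 or not 0 <= key <= 255:
        raise ValueError("n must be >= 1 and key must fit in eight bits")
    return bytes(b ^ key if pos % n == 0 else b for pos, b in enumerate(m, start=1))


def fit_dimension(data: bytes, dim: int) -> bytes:
    """Zero-pad or truncate a sequence to a fixed model input width (assumed helper)."""
    return data[:dim].ljust(dim, b"\x00")


# Constructed sample: a fake command/result exchange split across three echo
# requests, 8 data bytes each. Not captured traffic.
SAMPLE_SECRET = b"cmd:whoami;out:root"
SAMPLE_PACKETS = [
    struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x1234, seq) + SAMPLE_SECRET[i:i + 8]
    for seq, i in enumerate(range(0, len(SAMPLE_SECRET), 8), start=1)
]


def build_obfuscated_sample(preset_n: int = 5, seed: int = 1) -> dict:
    """End to end: packets -> M -> (n, key) -> obfuscated M for the generator."""
    m = extract_tunnel_data(SAMPLE_PACKETS)
    n, key = random_obfuscation_params(preset_n, random.Random(seed))
    return {"m": m, "n": n, "key": key, "obfuscated": simulate_obfuscation(m, n, key)}


if __name__ == "__main__":
    result = build_obfuscated_sample()
    print("M          :", result["m"])
    print("n, key     :", result["n"], format(result["key"], "08b"))
    print("obfuscated :", result["obfuscated"].hex())
```

Note that the key and stride are drawn once per sequence, exactly as the text describes; a detector trained on this data therefore learns a per-flow XOR pattern, not a per-packet one. Because the XOR is its own inverse, `simulate_obfuscation` with the same n and key also undoes the obfuscation, which is a convenient check that the byte positions were selected correctly.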
S106, training a discriminator on the normal ICMP tunnel data and the hidden ICMP tunnel data.
In this embodiment, the method defines a discriminator D in advance; D may be any machine learning model with discriminative capability, for example a logistic regression model, a neural network, or a decision tree.
As an alternative embodiment, the step of training the discriminator on the normal ICMP tunnel data and the hidden ICMP tunnel data comprises:
judging whether the volume of hidden ICMP tunnel data is smaller than a preset volume;
when it is smaller, oversampling the hidden ICMP tunnel data to obtain expanded ICMP tunnel data;
and training the discriminator on the normal ICMP tunnel data and the expanded ICMP tunnel data.
By implementing this embodiment, when only a small number of genuine ICMP tunnel flows have been collected, the tunnel data can be enlarged by oversampling so that it is balanced against the normal ICMP packet data.
S107, training a generator using a preset multi-layer GRU model and the obfuscated ICMP tunnel data.
In this embodiment, the method predefines the network structure of the generator G as a multi-layer neural network.
Referring to Fig. 4, which illustrates the architecture of the GRU model, the GRU uses the following four formulas:
$r_t = \sigma(W_r \cdot [h_{t-1}, x_t])$
$\tilde{h}_t = \tanh(W \cdot [r_t \odot h_{t-1}, x_t])$
$z_t = \sigma(W_z \cdot [h_{t-1}, x_t])$
$h_t = (1 - z_t) \odot h_{t-1} + z_t \odot \tilde{h}_t$
Here the GRU is a recurrent neural network used to extract sequence features. It is a variant of the LSTM that keeps the LSTM's feature-extraction capability while reducing the number of parameters. In Fig. 4, x_t is the input, r_t the reset gate and z_t the update gate; with one control gate fewer than the LSTM, the computation is simpler. The model forms the candidate state for the current step through the reset gate; (1 - z_t) selectively forgets the previous hidden state and z_t selectively retains the current node's information.
In this embodiment, since the output of generator G is simulated tunnel data, the number of output nodes of G is set equal to the dimension of the input tunnel data vector used as the seed.
In this embodiment, the method feeds the obfuscated ICMP tunnel data to generator G as input; data shorter than the input dimension is zero-padded and data longer than it is truncated.
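The following pure-Python GRU cell is an added example, not the patent's model or Topsec code; it carries the four formulas above through literally, in the order they are written, so the gating can be checked by hand (with all weights zero, both gates are 0.5, the candidate state is 0, and h_t is exactly half of h_{t-1}). The weight shapes, the zero initial state, and the one-byte-per-step encoding of the tunnel data scaled to [0, 1] are assumptions for illustration; the patent only states that the generator is a multi-layer GRU whose input width equals its output width.

```python
import math
from typing import List, Sequence

Vector = List[float]
Matrix = List[List[float]]


def sigmoid(v: float) -> float:
    return 1.0 / (1.0 + math.exp(-v))


def matvec(w: Matrix, v: Vector) -> Vector:
    """w has one row per hidden unit and (hidden + input) columns."""
    return [sum(wi * vi for wi, vi in zip(row, v)) for row in w]


def gru_step(w_r: Matrix, w_z: Matrix, w_h: Matrix, h_prev: Vector, x: Vector) -> Vector:
    """One GRU time step in the order of the four formulas: r_t, h~_t, z_t, h_t."""
    concat = h_prev + x                                          # [h_{t-1}, x_t]
    r = [sigmoid(v) for v in matvec(w_r, concat)]                # reset gate r_t
    gated = [ri * hi for ri, hi in zip(r, h_prev)] + x           # [r_t * h_{t-1}, x_t]
    h_cand = [math.tanh(v) for v in matvec(w_h, gated)]          # candidate state h~_t
    z = [sigmoid(v) for v in matvec(w_z, concat)]                # update gate z_t
    # (1 - z_t) keeps part of the old state, z_t admits part of the candidate
    return [(1 - zi) * hi + zi * ci for zi, hi, ci in zip(z, h_prev, h_cand)]


def bytes_to_inputs(m: bytes) -> List[Vector]:
    """Assumed encoding: one byte of tunnel data per step, scaled to [0, 1]."""
    return [[b / 255.0] for b in m]


def gru_run(w_r: Matrix, w_z: Matrix, w_h: Matrix, xs: Sequence[Vector], hidden: int) -> Vector:
    """Run a whole sequence from a zero state and return the final hidden state."""
    h = [0.0] * hidden
    for x in xs:
        h = gru_step(w_r, w_z, w_h, h, x)
    return h


def const_weights(hidden: int, inp: int, value: float) -> Matrix:
    """Toy weight matrix filled with one value; a trained model learns these."""
    return [[value] * (hidden + inp) for _ in range(hidden)]


if __name__ == "__main__":
    hidden, inp = 4, 1
    w = const_weights(hidden, inp, 0.1)
    state = gru_run(w, w, w, bytes_to_inputs(b"cmd:whoami"), hidden)
    print("final hidden state:", [round(v, 4) for v in state])
```

A stacked ("multi-layer") GRU, as the patent specifies, feeds each layer's h_t sequence to the next layer as its x_t; a production implementation would use a framework's GRU layer with learned weights and biases rather than this hand-rolled cell.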
S108, constructing a generative adversarial network from the discriminator and the generator.
In this embodiment, the method builds a generative adversarial network (GAN) in advance whose main components are the generator G and the discriminator D, each being the neural network model trained above. Within the GAN, G and D are refined further by training until D can hardly tell real from fake, i.e. whether a given data sample came from G or from the prepared training set.
In this embodiment, the method first freezes the network parameters of G and trains D on the known genuine ICMP tunnel traffic and on the data-field contents of normal ICMP packets, iterating D's parameters until its loss function converges. It then freezes D, couples G to D, and feeds the simulated ICMP tunnel traffic produced by G into the frozen D; after several iterations of G's parameters under the loss function, G is frozen again and D is iterated. The number of iterations of G generally exceeds that of D, for example in a 5:1 ratio.
In this embodiment, after the above process has been repeated several times, the method checks whether the loss function has reached the convergence criterion; if so, iteration stops.
S109, iteratively training the generator through the generative adversarial network to obtain a data generator.
In this embodiment, discriminator D issues a verdict on the obfuscated simulated ICMP tunnel data produced by generator G. The more often D judges the simulated tunnel data to be genuine tunnel traffic, the smaller the error fed back to G and the better G performs.
S110, judging whether the data produced by the data generator has quality problems; if so, the flow ends; if not, proceed to step S111.
In this embodiment, the method checks the quality of the simulated data produced by G. If the output converges to a single mode or only a single binary sequence is emitted, mode collapse has occurred; the training parameters, network architecture and activation function type must then be re-selected so as to avoid mode collapse and let the loss function converge to the target.
In this embodiment, the quality problems include the mode collapse described above.
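The patent names the check (is the generator emitting a single sequence, or collapsing to one mode) but not how to measure it. The following Python is an added example of one such check, not the patent's or Topsec's implementation: it scores a batch of generated sequences by the fraction of distinct outputs and by the mean per-position byte entropy, and flags collapse when either drops below a threshold. The two thresholds and the two constructed batches (one collapsed, one diverse) are illustrative assumptions, not model output.

```python
import math
from collections import Counter
from typing import Dict, Sequence


def unique_ratio(samples: Sequence[bytes]) -> float:
    """Fraction of distinct sequences; 1/len(samples) means every output is identical."""
    return len(set(samples)) / len(samples)


def mean_position_entropy(samples: Sequence[bytes]) -> float:
    """Average Shannon entropy (bits) of the byte value at each position across the batch.

    A single repeated sequence gives 0 bits; a batch in which every position takes
    2^k distinct, equally frequent values gives k bits.
    """
    width = min(len(s) for s in samples)
    if width == 0:
        return 0.0
    n = len(samples)
    total = 0.0
    for pos in range(width):
        counts = Counter(s[pos] for s in samples)
        total -= sum((c / n) * math.log2(c / n) for c in counts.values())
    return total / width


def diversity_report(samples: Sequence[bytes]) -> Dict[str, float]:
    if not samples:
        raise ValueError("no generated samples to assess")
    return {"unique_ratio": unique_ratio(samples),
            "mean_entropy_bits": mean_position_entropy(samples)}


def is_mode_collapsed(samples: Sequence[bytes],
                      min_unique_ratio: float = 0.5,
                      min_entropy_bits: float = 1.0) -> bool:
    """Assumed thresholds: under half the batch distinct, or under 1 bit per position."""
    report = diversity_report(samples)
    return (report["unique_ratio"] < min_unique_ratio
            or report["mean_entropy_bits"] < min_entropy_bits)


# Constructed batches standing in for generator output (not real model output):
# a collapsed generator repeating one 4-byte sequence, and a diverse one whose
# four positions each take 64 distinct values.
COLLAPSED_BATCH = [b"\x9b\x41\x41\x9b"] * 32
DIVERSE_BATCH = [bytes([i, (i * 7) % 256, (i * 13) % 256, 255 - i]) for i in range(64)]


if __name__ == "__main__":
    for name, batch in (("collapsed", COLLAPSED_BATCH), ("diverse", DIVERSE_BATCH)):
        print(name, diversity_report(batch), "collapsed:", is_mode_collapsed(batch))
```

Entropy alone is not sufficient: a generator that emits uniformly random bytes scores maximal entropy while producing nothing like tunnel traffic, so this check belongs alongside the discriminator's verdict and the loss convergence test the patent already requires, not in place of them.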
S111, adopting the data generator as the simulated tunnel data generator.
S112, acquiring the simulated ICMP tunnel data produced by the simulated tunnel data generator.
S113, generating simulated ICMP packets from the simulated ICMP tunnel data.
In this embodiment, the above steps output, in batch, obfuscated optional-data-field contents for simulated ICMP tunnels that meet the requirements of machine learning detection. This step then adds the ICMP header and the other fields to restore each item to a complete simulated ICMP packet.
In this embodiment, the simulated ICMP packets can be used, together with other normal ICMP traffic, for supervised training, and for packet replay tests on network devices.
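Restoring "the header and other fields" means that each packet must also carry a valid ICMP checksum, otherwise a replay test on a network device (or a host that drops malformed ICMP) never exercises the detector. The following Python is an added example of that encapsulation, not the patent's or Topsec's code: it splits simulated tunnel data across ICMPv4 echo requests and computes the RFC 1071 one's-complement checksum over each message. The 56-byte chunk size (ping's default payload) and the constructed tunnel data are assumptions; the output is raw ICMP without IP or link-layer headers.

```python
import struct
from typing import List

ICMP_ECHO_REQUEST = 8
ICMP_HEADER_LEN = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"                       # odd length: pad the last word with zero
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, data: bytes) -> bytes:
    """Header with checksum zeroed, checksum over header+data, then the filled header."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + data)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + data


def checksum_ok(pkt: bytes) -> bool:
    """A message whose checksum field is correct sums to zero under the same algorithm."""
    return len(pkt) >= ICMP_HEADER_LEN and icmp_checksum(pkt) == 0


def encapsulate_tunnel_data(tunnel_data: bytes, ident: int, chunk: int = 56) -> List[bytes]:
    """Split simulated tunnel data across echo requests with increasing sequence numbers."""
    if chunk < 1:
        raise ValueError("chunk must be positive")
    return [build_echo_request(ident, seq, tunnel_data[i:i + chunk])
            for seq, i in enumerate(range(0, len(tunnel_data), chunk), start=1)]


# Constructed stand-in for generator output: 'A' bytes with every fifth byte XOR-ed
# by 0x9B, mirroring the obfuscation pattern of S105. Not real generator output.
SIMULATED_TUNNEL_DATA = bytes(0x41 ^ 0x9B if i % 5 == 4 else 0x41 for i in range(70))


if __name__ == "__main__":
    packets = encapsulate_tunnel_data(SIMULATED_TUNNEL_DATA, ident=0x4242)
    for p in packets:
        print(len(p), "bytes, checksum ok:", checksum_ok(p), p[:8].hex())
```

For a replay test the packets still need an IPv4 header (protocol 1) and a capture-file wrapper; for supervised training they can be used as-is, since the patent's features come from the ICMP fields and data payload.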
As an optional implementation, after the step of generating simulated ICMP packets from the simulated ICMP tunnel data, the method further comprises:
training a preset machine learning model on the simulated ICMP packets to obtain an ICMP attack packet identification model, which is used to identify ICMP attack packets.
Referring to Fig. 3, a schematic flow chart of the method for generating simulated ICMP packets: the data segments are the normal ICMP tunnel data and the hidden ICMP tunnel data; a white sample is a sample without attack data and a black sample one containing attack data; the model training module trains the generative adversarial network; and the ICMP tunnel data produced after training is the obfuscated ICMP tunnel data.
For example, the method collects ICMP traffic from the production network and screens it, using the expert knowledge of security researchers to pick out a small amount of ICMP tunnel traffic belonging to the APT attack type as black samples, with the remaining normal traffic as white samples. The small set of black-sample ICMP tunnel flows is then used as input to simulate a sufficient amount of hidden tunnel traffic meeting the requirements; the simulated ICMP tunnel traffic and the normal traffic are used for supervised training to obtain a machine learning detection model; finally, the model is deployed in the production environment, fed live ICMP traffic, and used to judge whether that traffic is APT attack traffic of the same kind as the hidden-tunnel samples it was given, thereby detecting obfuscated APT-type ICMP hidden tunnels.
By implementing this embodiment, two problems are addressed: conventional ICMP tunnel detection methods struggle to detect hidden ICMP tunnels, and conventional machine-learning detection methods build their training traffic with open-source ICMP tunnel tools and therefore cannot accurately detect the ICMP communication used in APT attacks. Specifically, the method takes a small amount of captured APT ICMP tunnel traffic, simulates the obfuscation an attacker would add, and uses a GAN to generate ICMP tunnel traffic in batch; this is more faithful than traffic generated from an open-source tunnel tool and gives a machine learning detection model better support for detecting APT-type ICMP tunnel communication.
In the embodiments of the application, the method may be executed by a computing device such as a computer or a server; this is not limited.
In the embodiments of the application, the method may also be executed by an intelligent device such as a smartphone or a tablet; this is not limited.
In summary, the method described in this embodiment addresses two facts: APT-type ICMP attack tunnel traffic is very hard to obtain, and traffic simulated with open-source tunnel tools cannot be used directly to train a machine learning detection model because its intrinsic feature distribution may differ completely from the APT attack traffic to be detected. To solve the acquisition problem, the method provides an obfuscation-aware ICMP tunnel traffic simulation that produces ICMP tunnel traffic data meeting the training requirements of a machine learning detection model.
Example 2
Referring to Fig. 2, a schematic structural diagram of a device for generating simulated ICMP packets according to an embodiment of the application, the device comprises:
an acquisition unit 210 for acquiring normal ICMP packets and ICMP attack packets;
a training unit 220 for training the discriminator on the normal ICMP packets and the ICMP attack packets, and training the generator on the ICMP attack packets;
a construction unit 230 for constructing a generative adversarial network from the discriminator and the generator;
an iteration unit 240 for iteratively training the generator through the generative adversarial network to obtain a simulated tunnel data generator;
the acquisition unit 210 being further used to acquire the simulated ICMP tunnel data produced by the simulated tunnel data generator;
and a generation unit 250 for generating simulated ICMP packets from the simulated ICMP tunnel data.
As an alternative embodiment, the training unit 220 includes:
a parsing subunit 221, configured to parse the ICMP normal message to obtain ICMP normal tunnel data;
the parsing subunit 221 is further configured to parse the ICMP attack message to obtain ICMP hidden tunnel data;
an obfuscation subunit 222, configured to perform simulated obfuscation processing on the ICMP hidden tunnel data to obtain ICMP obfuscated tunnel data;
a training subunit 223, configured to train the discriminator according to the ICMP normal tunnel data and the ICMP hidden tunnel data;
the training subunit 223 is further configured to train the generator according to the ICMP obfuscated tunnel data.
As an alternative embodiment, the parsing subunit 221 includes:
a first parsing module, configured to parse the ICMP attack message to obtain the hidden data stored in its optional data field;
and a first generation module, configured to generate ICMP hidden tunnel data according to the hidden data.
As an alternative embodiment, the obfuscation subunit 222 includes:
a second generation module, configured to randomly generate a positive integer smaller than a preset value and to randomly generate a random eight-bit binary number;
a determining module, configured to determine the bytes whose byte position in the ICMP hidden tunnel data is a multiple of the positive integer as the bytes to be obfuscated;
an obfuscation module, configured to perform exclusive-or processing on the eight-bit binary number and the bytes to be obfuscated to obtain simulated obfuscated bytes;
and the second generation module is further configured to generate ICMP obfuscated tunnel data according to the simulated obfuscated bytes and the remaining bytes.
As an alternative embodiment, the training subunit 223 includes:
a judging module, configured to judge whether the data volume of the ICMP hidden tunnel data is smaller than a preset data volume;
a sampling module, configured to sample and expand the ICMP hidden tunnel data to obtain ICMP expanded tunnel data when the data volume of the ICMP hidden tunnel data is smaller than the preset data volume;
and a training module, configured to train the discriminator according to the ICMP normal tunnel data and the ICMP expanded tunnel data.
As an alternative embodiment, the training subunit 223 is specifically configured to train the generator according to a preset multi-layer GRU model and the ICMP obfuscated tunnel data.
As an alternative embodiment, the iteration unit 240 includes:
an iteration subunit 241, configured to perform iterative training on the generator through the generative adversarial network to obtain a data generator;
a judging subunit 242, configured to judge whether the data generated by the data generator has quality problems;
and a determining subunit 243, configured to determine the data generator as the simulated tunnel data generator when the data has no quality problems.
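The parsing step of subunit 221 (reading the optional data field of an ICMP echo message), the exclusive-or obfuscation step of subunit 222 and the final packaging of tunnel data into an ICMP message, as an added Python example that is not part of the patent; the GAN training itself is omitted. Counting byte positions from 1, the standard 8-byte ICMP echo header layout and the sample bytes are assumptions made here, not details given by the patent.

```python
"""Added example (not the patent's own code): parse the optional data field of an
ICMP echo message, apply the patent's XOR-based 'simulated obfuscation' step, and
package tunnel data back into an ICMP echo message. Sample bytes are constructed."""
import random
import struct

ICMP_HEADER_LEN = 8  # type(1) code(1) checksum(2) identifier(2) sequence(2)


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over header + data (zero-padded to even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp_echo(packet: bytes) -> dict:
    """Split an echo request/reply into its header fields and optional data field,
    verifying the checksum. The data field is where a tunnel carries hidden data."""
    if len(packet) < ICMP_HEADER_LEN:
        raise ValueError("ICMP message shorter than its header")
    if icmp_checksum(packet) != 0:  # a valid message checksums to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:ICMP_HEADER_LEN])
    if icmp_type not in (0, 8):
        raise ValueError("not an ICMP echo request/reply")
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "data": packet[ICMP_HEADER_LEN:]}


def simulate_confusion(hidden: bytes, step: int, mask: int) -> bytes:
    """Bytes whose position is a multiple of `step` are XORed with the 8-bit `mask`;
    the remaining bytes are kept. Counting positions from 1 is an assumption here
    (from 0, position 0 would be a multiple of every step). XOR is an involution,
    so applying the same parameters again recovers the original data."""
    if step < 1 or not 0 <= mask <= 0xFF:
        raise ValueError("step must be a positive integer and mask an 8-bit value")
    out = bytearray(hidden)
    for pos in range(step, len(out) + 1, step):
        out[pos - 1] ^= mask
    return bytes(out)


def random_confusion_params(preset_max: int, rng=random):
    """Draw the random positive integer below `preset_max` and the random 8-bit mask."""
    if preset_max < 2:
        raise ValueError("preset_max must leave room for a positive integer below it")
    return rng.randrange(1, preset_max), rng.randrange(0, 256)


def build_icmp_echo(data: bytes, ident: int = 0, seq: int = 0, icmp_type: int = 8) -> bytes:
    """Package (generated) tunnel data into an ICMP echo message with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + data)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + data


# Constructed sample: an echo request whose data field carries eight known bytes.
SAMPLE_HIDDEN = bytes(range(1, 9))
SAMPLE_PACKET = build_icmp_echo(SAMPLE_HIDDEN, ident=0x1234, seq=1)

if __name__ == "__main__":
    parsed = parse_icmp_echo(SAMPLE_PACKET)
    step, mask = random_confusion_params(preset_max=5)
    obfuscated = simulate_confusion(parsed["data"], step, mask)
    print("hidden data:", parsed["data"].hex(), "step:", step, "mask:", hex(mask))
    print("obfuscated echo:", build_icmp_echo(obfuscated, parsed["id"], parsed["seq"] + 1).hex())
```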
In the embodiment of the present application, for an explanation of the ICMP simulation message generating device, reference may be made to the description in embodiment 1 or embodiment 2, and the description is not repeated in this embodiment.
Therefore, by implementing the ICMP simulation message generating device described in this embodiment, a suitable generative adversarial network can be trained automatically, and a high-quality simulated tunnel data generator can be obtained by iterating on that network, so that the simulated tunnel data generator produces ICMP simulated tunnel data, which is then packaged into ICMP simulation messages. Thus, by implementing this embodiment, a large number of reliable ICMP simulation messages can be obtained, so that the subsequent machine-learning model has enough malicious (black) samples to train on.
The embodiment of the application provides an electronic device, comprising a memory and a processor, wherein the memory is configured to store a computer program, and the processor runs the computer program to cause the electronic device to execute the ICMP simulation message generation method of embodiment 1 of the application.
The embodiment of the application provides a computer-readable storage medium storing computer program instructions which, when read and executed by a processor, perform the ICMP simulation message generation method of embodiment 1 of the application.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The apparatus embodiments described above are merely illustrative, for example, of the flowcharts and block diagrams in the figures that illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application, in essence or in the part contributing to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and variations will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application. It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.

Claims (8)

1. An ICMP simulation message generation method, characterized by comprising the following steps:
acquiring an ICMP normal message and an ICMP attack message;
training a discriminator according to the ICMP normal message and the ICMP attack message, and training a generator according to the ICMP attack message;
constructing a generative adversarial network according to the discriminator and the generator;
performing iterative training on the generator through the generative adversarial network to obtain a simulated tunnel data generator;
acquiring ICMP simulated tunnel data generated by the simulated tunnel data generator;
generating an ICMP simulation message according to the ICMP simulated tunnel data;
wherein the step of training the discriminator according to the ICMP normal message and the ICMP attack message and training the generator according to the ICMP attack message comprises the following steps:
parsing the ICMP normal message to obtain ICMP normal tunnel data;
parsing the ICMP attack message to obtain ICMP hidden tunnel data;
performing simulated obfuscation processing on the ICMP hidden tunnel data to obtain ICMP obfuscated tunnel data;
training the discriminator according to the ICMP normal tunnel data and the ICMP hidden tunnel data;
training the generator according to the ICMP obfuscated tunnel data;
wherein the step of performing simulated obfuscation processing on the ICMP hidden tunnel data to obtain ICMP obfuscated tunnel data comprises the following steps:
randomly generating a positive integer smaller than a preset value, and randomly generating a random eight-bit binary number;
determining the bytes whose byte position in the ICMP hidden tunnel data is a multiple of the positive integer as the bytes to be obfuscated;
performing exclusive-or processing on the eight-bit binary number and the bytes to be obfuscated to obtain simulated obfuscated bytes;
and generating ICMP obfuscated tunnel data according to the simulated obfuscated bytes and the remaining bytes.
2. The ICMP simulation message generation method according to claim 1, wherein the step of parsing the ICMP attack message to obtain ICMP hidden tunnel data comprises:
parsing the ICMP attack message to obtain the hidden data stored in its optional data field;
and generating ICMP hidden tunnel data according to the hidden data.
3. The ICMP simulation message generation method according to claim 1, wherein the step of training the discriminator according to the ICMP normal tunnel data and the ICMP hidden tunnel data comprises:
judging whether the data volume of the ICMP hidden tunnel data is smaller than a preset data volume;
when the data volume of the ICMP hidden tunnel data is smaller than the preset data volume, sampling and expanding the ICMP hidden tunnel data to obtain ICMP expanded tunnel data;
and training the discriminator according to the ICMP normal tunnel data and the ICMP expanded tunnel data.
4. The ICMP simulation message generation method according to claim 1, wherein the step of training the generator according to the ICMP obfuscated tunnel data comprises:
training the generator according to a preset multi-layer GRU model and the ICMP obfuscated tunnel data.
5. The ICMP simulation message generation method according to claim 1, wherein the step of performing iterative training on the generator through the generative adversarial network to obtain the simulated tunnel data generator comprises:
performing iterative training on the generator through the generative adversarial network to obtain a data generator;
judging whether the data generated by the data generator has quality problems;
and when the data has no quality problems, determining the data generator as the simulated tunnel data generator.
6. An ICMP simulation message generating device, characterized by comprising:
an obtaining unit, configured to obtain an ICMP normal message and an ICMP attack message;
a training unit, configured to train a discriminator according to the ICMP normal message and the ICMP attack message and to train a generator according to the ICMP attack message;
a construction unit, configured to construct a generative adversarial network according to the discriminator and the generator;
an iteration unit, configured to perform iterative training on the generator through the generative adversarial network to obtain a simulated tunnel data generator;
the obtaining unit is further configured to obtain ICMP simulated tunnel data generated by the simulated tunnel data generator;
a generating unit, configured to generate an ICMP simulation message according to the ICMP simulated tunnel data;
wherein the training unit includes:
a parsing subunit, configured to parse the ICMP normal message to obtain ICMP normal tunnel data;
the parsing subunit is further configured to parse the ICMP attack message to obtain ICMP hidden tunnel data;
an obfuscation subunit, configured to perform simulated obfuscation processing on the ICMP hidden tunnel data to obtain ICMP obfuscated tunnel data;
a training subunit, configured to train the discriminator according to the ICMP normal tunnel data and the ICMP hidden tunnel data;
the training subunit is further configured to train the generator according to the ICMP obfuscated tunnel data;
wherein the obfuscation subunit comprises:
a second generation module, configured to randomly generate a positive integer smaller than a preset value and to randomly generate a random eight-bit binary number;
a determining module, configured to determine the bytes whose byte position in the ICMP hidden tunnel data is a multiple of the positive integer as the bytes to be obfuscated;
an obfuscation module, configured to perform exclusive-or processing on the eight-bit binary number and the bytes to be obfuscated to obtain simulated obfuscated bytes;
and the second generation module is further configured to generate ICMP obfuscated tunnel data according to the simulated obfuscated bytes and the remaining bytes.
7. An electronic device, comprising a memory configured to store a computer program and a processor that runs the computer program to cause the electronic device to perform the ICMP simulation message generation method according to any one of claims 1 to 5.
8. A readable storage medium having stored therein computer program instructions which, when read and executed by a processor, perform the ICMP simulation message generation method according to any one of claims 1 to 5.
CN202111446474.5A 2021-11-30 2021-11-30 ICMP simulation message generation method and device Active CN114499923B (en)
Publications (2)

Publication Number Publication Date
CN114499923A CN114499923A (en) 2022-05-13
CN114499923B true CN114499923B (en) 2023-11-10


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant