CN114745139B - Network behavior detection method and device based on brain-like memory - Google Patents

Publication number
CN114745139B
Authority
CN
China
Prior art keywords
data
information
network
behavior
brain
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210640329.9A
Other languages
Chinese (zh)
Other versions
CN114745139A (en
Inventor
戚建淮
成飏
何润民
孙丁
郑伟范
刘建辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Y&D Electronics Information Co Ltd
Original Assignee
Shenzhen Y&D Electronics Information Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Y&D Electronics Information Co Ltd
Priority to CN202210640329.9A
Publication of CN114745139A
Application granted
Publication of CN114745139B
Current legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3239 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention discloses a network behavior detection method and device based on brain-like storage-computation integration. The method comprises: establishing a brain-like storage-computation integrated mapping table of trusted business behaviors; and judging whether a service is trusted according to that mapping table. The beneficial effects of the invention are as follows. Legitimate service behaviors in the network system are mapped to information data in the network, completing the mapping from legitimate service behaviors to the corresponding network data. By extracting features from the data information flow, a storage-computation integrated table-space mapping of legitimate user behavior is constructed on top of that flow, so that the complex business pattern-matching process is converted into a simple table lookup. This greatly reduces the computational overhead of business comparison and judgment in security control, makes real-time control of network behavior possible, and fundamentally realizes fine-grained security control of a business system.

Description

Network behavior detection method and device based on brain-like memory
Technical Field
The invention relates to the technical field of network security protection, in particular to a network behavior detection method and device based on brain-like memory.
Background
Traditional security protection is an external defense mechanism based on the network boundary. As application architectures evolve along with upgrades to the underlying infrastructure, and as the internet evolves into cyberspace, the network boundary has blurred and the protective capability of traditional boundary security mechanisms has weakened. Security development is therefore moving towards "deep fusion systematization", in which the security management and control system is a current research hot spot. Within the technical framework of network security management and control systems, the functional and performance shortcomings of trusted judgment of network behavior have always been a difficulty.
At present, control of legitimate service behavior in a network relies mainly on external security protection measures aimed primarily at meeting compliance, such as blacklists, firewalls and access control. Control of legitimate behavior has not been studied in depth: whitelists are applied mostly as simple filtering on IP addresses, port numbers and the like, and current security management and control systems rarely perform deep analysis and control of the behavior of legitimate users in the network. The few existing machine learning algorithms for judging trusted user behavior demand large computing resources and time overhead, and cannot meet the practical needs of existing systems.
Disclosure of Invention
The invention provides a network behavior detection method and device based on brain-like storage-computation integration, addressing the problem that existing machine learning algorithms for judging trusted user behavior demand large computing resources and time overhead and cannot meet the practical needs of existing systems.
To solve the above problem, in one aspect the invention provides a network behavior detection method based on brain-like storage-computation integration, comprising:
establishing a brain-like storage-computation integrated mapping table of trusted business behaviors; and
judging whether a service is trusted according to the brain-like storage-computation integrated mapping table.
Establishing the brain-like storage-computation integrated mapping table of trusted business behaviors comprises:
establishing a storage-computation integrated table function mapping relation for the white operations of legitimate users according to the trusted business behavior; and
constructing the brain-like storage-computation integrated mapping table according to the mapping relation.
Establishing the storage-computation integrated table function mapping relation for the white operations of legitimate users according to the trusted business behavior comprises:
decomposing the service into specific sub-behaviors;
mapping each sub-behavior to a specific network information data stream; and
analyzing the number of data blocks contained in the network information data stream according to the network model, layer and protocol, to complete the mapping from the system service to the network data.
In analyzing the number of data blocks contained in the network information data stream according to the network model, layer and protocol to complete the mapping from the system service to the network data:
the number of data blocks is the number of data frames at the data link layer or the number of IP packets at the network layer.
Constructing the brain-like storage-computation integrated mapping table according to the mapping relation comprises:
storing each behavior as a row vector in the table, and storing the feature hash value, the corresponding auxiliary position information, the number of data blocks and preset optional extension information of the network data information stream corresponding to that behavior in the column values of the table entry for the trusted behavior;
finding, according to a preset protocol and data message format, the invariant features in the header field of each data block contained in the network data information stream, then finding the invariant data features of the data field part of the data block by a preset AI machine learning method, and concatenating the invariant features of the header field and of the data field to form the invariant feature of the message;
recording the position and length of each invariant feature within the data block as positioning auxiliary information;
concatenating the invariant features of every data block in the data information stream to form the invariant information feature chain of the white service at the network data end;
performing a hash calculation on the invariant information feature chain of each white behavior to generate the invariant feature chain hash value of the trusted service, storing that hash value in the corresponding white behavior entry of the trusted service table, and storing it together with the positioning auxiliary information; and completing all white behavior entries of the trusted service one by one, storing for each the number of data blocks, the invariant feature chain hash value, the corresponding positioning auxiliary information and any required extension information in the trusted service table.
Judging whether a service is trusted according to the brain-like storage-computation integrated mapping table comprises:
acquiring the related data from the trusted service table according to the service type;
acquiring, from the related data, the network data information stream corresponding to the operation behavior of the service to be detected, and analyzing the number of data blocks it contains to obtain the number of data blocks to be detected;
judging whether the number of data blocks to be detected equals the corresponding number of data blocks in the brain-like storage-computation integrated mapping table;
if the two numbers are equal, extracting the feature information of the data blocks in the data information stream to be detected according to the positioning auxiliary information in the corresponding column value of the mapping table, and concatenating it to form the feature information to be detected of the data information stream;
generating the hash value to be detected from the feature information to be detected, using the same hash algorithm as the mapping table; and
comparing the hash value to be detected with the hash value in the mapping table: if they are the same, the operation is a trusted service operation; otherwise, the operation contains illegal information or has been tampered with. This completes the management and control of services in the network system.
In one aspect, a network behavior detection apparatus based on brain-like storage-computation integration is provided, comprising:
a table establishing module, used for establishing a brain-like storage-computation integrated mapping table of trusted business behaviors; and
a judging module, used for judging whether a service is trusted according to the brain-like storage-computation integrated mapping table.
The table establishing module comprises:
a mapping relation establishing module, used for establishing a storage-computation integrated table function mapping relation for the white operations of legitimate users according to the trusted business behavior; and
a table construction module, used for constructing the brain-like storage-computation integrated mapping table according to the mapping relation.
The mapping relation establishing module comprises:
a decomposition submodule, used for decomposing the service into specific sub-behaviors;
a mapping submodule, used for mapping each sub-behavior to a specific network information data stream; and
an analysis submodule, used for analyzing the number of data blocks contained in the network information data stream according to the network model, layer and protocol, to complete the mapping from the system service to the network data; the number of data blocks is the number of data frames at the data link layer or the number of IP packets at the network layer.
The table construction module comprises:
a storage submodule, used for storing each behavior as a row vector in the table, and storing the feature hash value, the corresponding auxiliary position information, the number of data blocks and preset optional extension information of the network data information stream corresponding to that behavior in the column values of the table entry for the trusted behavior;
a feature forming submodule, used for finding, according to a preset protocol and data message format, the invariant features in the header field of each data block contained in the network data information stream, then finding the invariant data features of the data field part of the data block by a preset AI machine learning method, and concatenating the invariant features of the header field and of the data field to form the invariant feature of the message;
a positioning auxiliary module, used for recording the position and length of each invariant feature within the data block as positioning auxiliary information;
a feature chain forming submodule, used for concatenating the invariant features of every data block in the data information stream to form the invariant information feature chain of the white service at the network data end; and
a hash calculation submodule, used for performing a hash calculation on the invariant information feature chain of each white behavior to generate the invariant feature chain hash value of the trusted service, storing that hash value in the corresponding white behavior entry of the trusted service table, and storing it together with the positioning auxiliary information; and for completing all white behavior entries of the trusted service one by one, using the storage submodule to store for each the number of data blocks, the invariant feature chain hash value, the corresponding positioning auxiliary information and any required extension information in the trusted service table.
The judging module comprises:
a data acquisition submodule, used for acquiring the related data from the trusted service table according to the service type;
a data block obtaining submodule, used for acquiring, from the related data, the network data information stream corresponding to the operation behavior of the service to be detected, and analyzing the number of data blocks it contains to obtain the number of data blocks to be detected;
a judging submodule, used for judging whether the number of data blocks to be detected equals the corresponding number of data blocks in the brain-like storage-computation integrated mapping table;
a feature extraction submodule, used for extracting, when the two numbers are equal, the feature information of the data blocks in the data information stream to be detected according to the positioning auxiliary information in the corresponding column value of the mapping table, and concatenating it to form the feature information to be detected of the data information stream;
a hash value generation submodule, used for generating the hash value to be detected from the feature information to be detected, using the same hash algorithm as the mapping table; and
a comparison submodule, used for comparing the hash value to be detected with the hash value in the mapping table: if they are the same, the operation is a trusted service operation; otherwise, the operation contains illegal information or has been tampered with. This completes the management and control of services in the network system.
In one aspect, a computer-readable storage medium is provided, the storage medium storing a plurality of instructions adapted to be loaded by a processor to perform the network behavior detection method based on brain-like storage-computation integration described above.
The beneficial effects of the invention are as follows. Legitimate service behaviors in the network system are mapped to information data in the network, completing the mapping from legitimate service behaviors to the corresponding network data. By extracting features from the data information flow, a storage-computation integrated table-space mapping of legitimate user behavior is constructed on top of that flow, so that the complex business pattern-matching process is converted into a simple table lookup. This greatly reduces the computational cost of business comparison and judgment in security control, makes real-time control of network behavior possible, fundamentally realizes fine-grained security control of a business system, builds a security protection mechanism that is deeply and systematically integrated with the business, and raises the existing security control and protection system to a new level.
Drawings
To illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a network behavior detection method based on brain-like storage-computation integration according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of the storage-computation integrated mapping relationship of network data for a business behavior provided in an embodiment of the present invention;
Fig. 3 is a schematic diagram of the structure of the trusted service storage-computation integrated table according to an embodiment of the present invention;
Fig. 4 is a flowchart of business behavior discrimination provided by an embodiment of the present invention;
Fig. 5 is a block diagram of a system architecture according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the description of the present invention, it is to be understood that the terms "center", "longitudinal", "lateral", "length", "width", "thickness", "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer", etc. indicate orientations or positional relationships based on those shown in the drawings. They are used only for convenience and simplicity of description, do not indicate or imply that the device or element referred to must have a particular orientation or be constructed and operated in a particular orientation, and thus should not be considered as limiting the present invention. Furthermore, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more features. In the description of the present invention, "a plurality" means two or more unless specifically defined otherwise.
In the present disclosure, the word "exemplary" is used to mean "serving as an example, instance, or illustration". Any embodiment described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments. The following description is presented to enable any person skilled in the art to make and use the invention. In the following description, details are set forth for the purpose of explanation. It will be apparent to one of ordinary skill in the art that the present invention may be practiced without these specific details. In other instances, well-known structures and processes are not shown in detail to avoid obscuring the description of the invention with unnecessary detail. Thus, the present invention is not intended to be limited to the embodiments shown, but is to be accorded the widest scope consistent with the principles and features disclosed herein.
Traditional security control technology aims mainly at meeting compliance requirements and controls behavior in the network only at coarse granularity. It is a blacklist-based filtering mode of protection, limited by lag in updating the list library, and has no capability against unknown network attacks. The invention tightly couples security protection with the service: legitimate service behaviors in the network system are mapped to information data in the network, completing the mapping from legitimate service behaviors to the corresponding network data. By extracting features from the data information flow, a storage-computation integrated table-space mapping of legitimate user behavior is constructed on top of that flow, so that the complex business pattern-matching process is converted into a simple table lookup. This greatly reduces the computational cost of business comparison and judgment in security control, makes real-time control of network behavior possible, fundamentally realizes fine-grained security control of a business system, builds a security protection mechanism that is deeply and systematically integrated with the business, and raises the existing security control and protection system to a new level.
The invention provides a network behavior detection method and system based on brain-like storage-computation integration, aimed at the functional and efficiency shortcomings of existing management and control systems. Business processes and sub-processes are mapped to behaviors and sub-behaviors in the network, the network behaviors are mapped to the corresponding network information data, and the feature information of that data is extracted and stored by constructing a storage-computation integrated table function. Whether a system service is trusted can then be judged from the data features stored in the table space.
The invention therefore needs to construct a storage-computation integrated table function for the trusted behaviors of the legitimate services in the system. Usually the legitimate services of the system are processed by offline training, and the table function is used to build a feature table of legitimate service behaviors. At run time this feature table serves as the reference, so the pattern-matching process for complex network service behavior is converted into simple table lookup and comparison operations, giving rapid discrimination and control of service behavior in the network system and greatly improving the control efficiency of the system. When the table function is constructed, services are first decomposed into specific behavior operations; each operation is then resolved to a specific data information flow in the network and the number of corresponding data blocks is determined; the invariant content in the header field and in the data segment of each data block is then extracted by learning as basic feature information, and the position of that invariant content within the data block is recorded as auxiliary positioning information for the message features. In view of storage overhead and computational efficiency, the invention also concatenates the basic feature information of all data blocks corresponding to an operation, hashes the result to a fixed-length hash value, and uses that value as the feature item of the operation behavior in the table. This reduces storage overhead, lightens the processing burden, reduces delay and at the same time enhances the security of the data content in the table.
At judgment time, the feature information in the data information flow corresponding to the user operation is extracted in the same way as when the table was built, a hash value is generated with the same algorithm, and that value is compared with the content of the table, so that whether the behavior operation is a trusted operation is judged quickly.
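The table build and lookup described in the two paragraphs above, as an added example that is not code from the patent. It assumes SHA-256 as the hash and uses plain byte-wise comparison of training captures in place of the unspecified learning step; the service name `query_balance`, all function names and the sample data blocks are hypothetical and constructed for illustration.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

Span = Tuple[int, int]  # positioning auxiliary information: (offset, length)


@dataclass(frozen=True)
class TrustedEntry:
    """One row of the trusted service table (one white behavior)."""
    block_count: int                     # number of data blocks in the flow
    spans: Tuple[Tuple[Span, ...], ...]  # invariant spans, one tuple per block
    chain_hash: str                      # hash of the invariant feature chain


def invariant_spans(samples: Sequence[bytes]) -> Tuple[Span, ...]:
    """Runs of byte positions that hold the same value in every sample.

    Assumption: stands in for the patent's protocol analysis and learning step.
    """
    limit = min(len(s) for s in samples)
    spans: List[Span] = []
    start: Optional[int] = None
    for i in range(limit + 1):           # one extra pass closes a trailing run
        same = i < limit and all(s[i] == samples[0][i] for s in samples)
        if same and start is None:
            start = i
        elif not same and start is not None:
            spans.append((start, i - start))
            start = None
    return tuple(spans)


def feature_chain(blocks: Sequence[bytes],
                  spans: Sequence[Sequence[Span]]) -> Optional[bytes]:
    """Cut each block at its recorded spans and concatenate the pieces."""
    chain = bytearray()
    for block, block_spans in zip(blocks, spans):
        for offset, length in block_spans:
            if offset + length > len(block):
                return None              # block too short to hold the feature
            chain += block[offset:offset + length]
    return bytes(chain)


def build_entry(training_flows: Sequence[Sequence[bytes]]) -> TrustedEntry:
    """Offline step: derive one table row from captures of the same behavior."""
    counts = {len(flow) for flow in training_flows}
    if len(counts) != 1:
        raise ValueError("training flows disagree on the number of data blocks")
    count = counts.pop()
    spans = tuple(invariant_spans([flow[i] for flow in training_flows])
                  for i in range(count))
    chain = feature_chain(training_flows[0], spans)
    return TrustedEntry(count, spans, hashlib.sha256(chain).hexdigest())


def judge(table: Dict[str, TrustedEntry], service: str,
          blocks: Sequence[bytes]) -> bool:
    """Run-time step: block-count check, span extraction, hash, comparison."""
    entry = table.get(service)
    if entry is None or len(blocks) != entry.block_count:
        return False
    chain = feature_chain(blocks, entry.spans)
    if chain is None:
        return False
    return hashlib.sha256(chain).hexdigest() == entry.chain_hash


# Constructed sample data: three captures of one two-block behavior in which
# the account digits and the session id vary and everything else is fixed.
TRAINING = [
    [b"\x01\x10QRY acct=1001;", b"\x01\x11END sid=aa"],
    [b"\x01\x10QRY acct=2352;", b"\x01\x11END sid=bc"],
    [b"\x01\x10QRY acct=3117;", b"\x01\x11END sid=cd"],
]
TABLE = {"query_balance": build_entry(TRAINING)}

if __name__ == "__main__":
    ok = [b"\x01\x10QRY acct=9048;", b"\x01\x11END sid=zz"]
    bad = [b"\x01\x10DEL acct=9048;", b"\x01\x11END sid=zz"]
    print(TABLE["query_balance"].spans)
    print(judge(TABLE, "query_balance", ok), judge(TABLE, "query_balance", bad))
```

Bytes outside the recorded spans never enter the hash, so the lookup attests only to the invariant part of each data block; the variable fields need their own validation.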
Referring to fig. 1, fig. 1 is a flowchart of a network behavior detection method based on brain-like computation according to an embodiment of the present invention, where the network behavior detection method based on brain-like computation includes steps S1-S2:
s1, establishing a brain-like memory and calculation integrated mapping table of credible business behaviors; step S1 includes steps S11-S12:
s11, establishing a function mapping relation of a white operation storage integrated body table of a legal user according to the credible business behavior; step S11 includes steps S111-S113:
and S111, decomposing the service into specific child behaviors.
In this embodiment, each corresponding white business behavior is presented at the network data end (no matter which layer corresponds to the OSI seven layers) by a specific set of data information stream, so that a corresponding storage-computation-integrated mapping relationship is constructed based on the policy as shown in fig. 2, fig. 2 is a schematic diagram of a network data storage-computation-integrated mapping relationship of the business behavior provided by an embodiment of the present invention, that is, the business is firstly decomposed into specific behaviors (sub-behaviors).
And S112, mapping the child behavior into a specific network information data stream.
In this embodiment, the behavior is mapped to a specific network information data stream.
S113, analyzing the number of data blocks contained in the network information data stream according to a network model, a layer and a protocol to complete the mapping from the system service to the network data. The number of the data blocks is the number of data frames in a data link layer or the number of IP packets in a network layer.
In this embodiment, according to a specific network model, layer and protocol, the number of data blocks (for example, the number of data frames at a data link layer and the number of IP packets at a network layer) included in the network is analyzed, so as to complete mapping from the system service to the network data. In summary, a white operation calculation integral table function mapping relationship of a legal user is established according to a specific service, a corresponding trusted service table is constructed, the content of each row in the table corresponds to the feature representation of a specific behavior (namely, the white behavior) in the service, each column includes the invariant data feature of the corresponding white behavior, the number of data blocks included in the operation, and the feature positioning auxiliary information of each data block, as shown in fig. 3, fig. 3 is a structural design schematic diagram of the trusted service calculation integral table provided by an embodiment of the present invention.
And S12, constructing a brain-like storage and calculation integrated mapping table according to the mapping relation. Step S12 includes steps S121-S125:
s121, storing the corresponding behavior into a row vector in a table, and storing a characteristic hash value contained in a network data information stream corresponding to the behavior, the corresponding auxiliary position information, the number of data blocks and preset optional extension information into a column value corresponding to a table entry corresponding to the credible behavior.
In this embodiment, the corresponding behavior is first stored in the row vector in the table, and the number of data blocks included in the network information data stream corresponding to the behavior is stored in the column value corresponding to the table entry corresponding to the trusted behavior.
S122, according to a preset protocol and a preset data message format, finding the invariant features in the header field of each data block contained in the network data information flow, then finding the invariant data features of the data field part of the data block by a preset AI machine learning method, and connecting the invariant features of the header field and of the data field to form the invariant feature of the message.
In this embodiment, for each data block in the data information stream, the invariant part of the header field (for example, the fixed part of the IP header and TCP header information that corresponds to the service operation) is found according to the corresponding protocol and data message format. Then, for the data field part of the data block, the invariant data features are found by a corresponding AI machine learning method and connected with the invariant features found in the header to form the invariant feature of the message.
S123, recording the position and length of each invariant feature in the data block as positioning auxiliary information.
In this embodiment, the position and length of each piece of feature information in the data block are recorded as the positioning auxiliary information of that feature.
S124, connecting the invariant features of each data block in the data information flow to form the invariant information feature chain of the white service at the network data end.
In this embodiment, the invariant features of each data block in the group of data information streams are connected in this manner, forming the invariant information feature chain of the white service at the network data end. Likewise, each message has its corresponding positioning auxiliary information.
S125, performing hash calculation on the invariant information feature chain corresponding to each white behavior to generate the invariant feature chain hash value of the trusted service, storing that hash value in the corresponding white behavior item in the trusted service table, and storing the corresponding positioning auxiliary information connected to it; and completing all white behavior items of the trusted service one by one, storing the number of corresponding data blocks, the invariant feature chain hash value, the corresponding positioning auxiliary information and the required extension information in the corresponding trusted service table.
In this embodiment, to reduce the storage cost of overly long information features, hash calculation is performed on the invariant information feature chain corresponding to each white behavior to generate a fixed-length invariant feature chain hash value of the trusted service. This hash value is stored in the corresponding white behavior item in the trusted service table, and the corresponding auxiliary position information is stored connected to it. In the same way, all white behavior items of the service are completed one by one, and the corresponding number of data blocks, feature hash value, auxiliary position information and required extension information are stored in the corresponding trusted service table. The legal service feature tables of the other service systems are then constructed in the same way, generating the invariant feature storage and calculation integrated table function space for all legal services in the system. During later maintenance, the feature tables can be extended, reduced and modified as the services change.
S2, judging the trusted service according to the brain-like storage and calculation integrated mapping table. Step S2 includes steps S21-S26:
S21, acquiring related data from the trusted service table according to the service type.
In this embodiment, once a trusted service storage and calculation integrated table space matching the specific application environment has been created, the task of quickly determining the validity of a service in the system can be executed, as shown in fig. 4. Fig. 4 is a flowchart of determining a service behavior according to an embodiment of the present invention. When judging actual service management and control, the corresponding trusted service table established earlier is first selected according to the service type, and the relevant data is obtained.
S22, obtaining the network data information flow corresponding to the operation behavior of the service to be detected from the related data, and analyzing the number of the data blocks contained in the network data information flow to obtain the number of the data blocks to be detected.
In this embodiment, a network data information stream corresponding to an operation behavior of a service to be detected is obtained, and the number of data blocks included in the network data information stream is analyzed.
S23, judging whether the number of the data blocks to be detected is the same as the number of the corresponding data blocks in the brain-like storage and calculation integrated mapping table.
In this embodiment, the number of data blocks to be detected is compared with the number of corresponding data blocks in the table. If they are the same, detection continues with step S24; otherwise, the processing module is called directly to process the data blocks according to a predefined management and control policy.
S24, if the number of data blocks to be detected is the same as the number of corresponding data blocks in the brain-like storage and calculation integrated mapping table, intercepting the feature information of the data blocks in the data information stream to be detected according to the positioning auxiliary information in the corresponding column value of the table, and connecting the feature information to form the feature information to be detected of the data information stream.
In this embodiment, if the check in step S23 passes, the feature information of the data blocks in the data information stream to be detected is intercepted according to the "feature positioning auxiliary information of a packet" in the corresponding column value of the table, and connected to form the feature information to be detected of the data information stream (i.e., the feature information of the behavior to be detected).
S25, generating the corresponding hash value to be detected from the feature information to be detected, using the same hash algorithm as the brain-like storage and calculation integrated mapping table.
In this embodiment, the obtained feature information to be detected is hashed with the same hash algorithm used for the table, generating the corresponding hash value to be detected.
S26, comparing the hash value to be detected with the hash value in the brain-like storage and calculation integrated mapping table; if they are the same, the operation is a trusted service operation, otherwise the operation contains illegal information or has been tampered with, and management and control of the service in the network system is thereby completed.
In this embodiment, the hash value to be detected is compared with the hash value in the table. If they are the same, the operation is a trusted service operation; otherwise, the service contains illegal information or has been tampered with, and the corresponding processing mechanism in the processing module is activated to handle it, completing the management and control of the service in the network system.
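The table construction of S121-S125 and the judgment of S21-S26 can be followed end to end in a short program. This is an added example, not code from the patent: SHA-256, the byte-wise comparison that stands in for the unspecified AI machine learning step, and all names and sample flows are assumptions constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

Span = tuple[int, int]  # (offset, length) of one invariant feature in a data block


@dataclass(frozen=True)
class WhiteBehavior:
    """One row of the trusted service table (S121). Field names are hypothetical."""
    name: str
    block_count: int                     # number of data blocks in the flow
    spans: tuple[tuple[Span, ...], ...]  # positioning auxiliary information, per block
    chain_hash: bytes                    # hash of the invariant feature chain


def invariant_spans(samples: list[bytes]) -> tuple[Span, ...]:
    """Byte runs identical in every training sample of one data block (S122-S123).
    Assumption: a plain byte comparison replaces the patent's AI learning step."""
    limit = min(len(s) for s in samples)
    spans, start = [], None
    for i in range(limit + 1):
        same = i < limit and all(s[i] == samples[0][i] for s in samples)
        if same and start is None:
            start = i
        elif not same and start is not None:
            spans.append((start, i - start))
            start = None
    return tuple(spans)


def feature_chain(blocks, spans):
    """Cut each recorded span out of its block and concatenate (S124 / S24).
    Returns None when a block is too short to contain a recorded span."""
    chain = bytearray()
    for block, block_spans in zip(blocks, spans):
        for offset, length in block_spans:
            if offset + length > len(block):
                return None
            chain += block[offset:offset + length]
    return bytes(chain)


def build_entry(name: str, training_flows: list[list[bytes]]) -> WhiteBehavior:
    """Build one table row from several captures of the same white behavior (S125)."""
    counts = {len(flow) for flow in training_flows}
    if len(counts) != 1:
        raise ValueError("training flows disagree on the number of data blocks")
    n = counts.pop()
    spans = tuple(invariant_spans([flow[i] for flow in training_flows])
                  for i in range(n))
    chain = feature_chain(training_flows[0], spans)
    if not chain:
        # An empty chain would match every flow with the right block count.
        raise ValueError("no invariant features found")
    return WhiteBehavior(name, n, spans, hashlib.sha256(chain).digest())


def is_trusted(entry: WhiteBehavior, blocks: list[bytes]) -> bool:
    """Judge one observed flow against its table row (S22-S26)."""
    if len(blocks) != entry.block_count:          # S23: block count must match
        return False
    chain = feature_chain(blocks, entry.spans)    # S24: extract by position
    if chain is None:
        return False
    digest = hashlib.sha256(chain).digest()       # S25: same hash as the table
    # S26: constant-time comparison is a choice made here, not stated in the patent
    return hmac.compare_digest(digest, entry.chain_hash)


# Constructed sample: a two-block "login" behavior. Each block is
# 2 fixed header bytes + a varying field + a fixed command string.
TRAINING_FLOWS = [
    [b"\x01\x10" + b"\xaa\xbb\xcc\xdd" + b"LOGIN", b"\x01\x11" + b"\x10\x01" + b"OK"],
    [b"\x01\x10" + b"\x11\x22\x33\x44" + b"LOGIN", b"\x01\x11" + b"\x20\x02" + b"OK"],
    [b"\x01\x10" + b"\x55\x66\x77\x88" + b"LOGIN", b"\x01\x11" + b"\x30\x03" + b"OK"],
]
SECOND = b"\x01\x11" + b"\x40\x04" + b"OK"
TEST_FLOWS = {
    "new session": [b"\x01\x10" + b"\xde\xad\xbe\xef" + b"LOGIN", SECOND],
    "tampered command": [b"\x01\x10" + b"\xde\xad\xbe\xef" + b"ADMIN", SECOND],
    "extra block": [b"\x01\x10" + b"\xde\xad\xbe\xef" + b"LOGIN", SECOND, b"\x01\x12"],
    "truncated block": [b"\x01\x10" + b"\xde\xad\xbe\xef" + b"LOG", SECOND],
}


def demo() -> dict[str, bool]:
    entry = build_entry("login", TRAINING_FLOWS)
    return {name: is_trusted(entry, flow) for name, flow in TEST_FLOWS.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'trusted' if verdict else 'handled by policy'}")
```

Bytes outside the recorded spans never enter the hash, so the verdict says nothing about them; in the sample flows the session and sequence fields are free to vary.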
The present application further provides a network behavior detection device based on brain-like computing, comprising:
the table establishing module is used for establishing a brain-like memory and calculation integrated mapping table of the trusted business behavior;
and the judging module is used for judging the trusted service according to the brain-like memory and computation integrated mapping table.
The table establishment module comprises:
the mapping relation establishing module is used for establishing a white operation storage and calculation integrated table function mapping relation of a legal user according to the trusted business behavior;
the table construction module is used for constructing a brain-like storage and calculation integrated mapping table according to the mapping relation;
the mapping relation establishing module comprises:
the decomposition submodule is used for decomposing the service into specific child behaviors;
a mapping submodule, configured to map the child behavior into a specific network information data stream;
the analysis submodule is used for analyzing the number of data blocks contained in the network information data stream according to a network model, a layer and a protocol so as to complete the mapping from the system service to the network data; the number of the data blocks is the number of data frames in a data link layer or the number of IP packets in a network layer;
the table building module comprises:
the storage submodule is used for storing the corresponding behavior into a row vector in a table, and storing a characteristic hash value contained in a network data information stream corresponding to the behavior, corresponding auxiliary position information, the number of data blocks and preset optional extension information into a column value corresponding to a table entry corresponding to a credible behavior;
the characteristic forming submodule is used for finding out the invariant characteristic of a data block contained in the network data information flow in a head field according to a preset protocol and a data message format, then finding out the invariant data characteristic of a data field part in the data block in a preset AI machine learning mode, and connecting the invariant characteristic of the head field and the invariant characteristic of the data field to form the invariant characteristic of the message;
the positioning auxiliary module is used for recording the corresponding position and length of the invariant feature in the data block as positioning auxiliary information;
the characteristic chain forming submodule is used for connecting the invariant characteristics in each data block in the data information flow to form an invariant information characteristic chain of the white service at a network data end;
the hash calculation submodule is used for carrying out hash calculation on the invariant information feature chain corresponding to each white behavior to generate an invariant feature chain hash value of the trusted service, then storing the invariant feature chain hash value in the corresponding white behavior item in the trusted service table, and connecting the corresponding invariant feature chain hash value with the positioning auxiliary information for storage; and finishing all white behavior items of the trusted service one by one, and storing the number of the corresponding data blocks, the invariant feature chain hash value, the corresponding positioning auxiliary information and the required extension information in the corresponding trusted service table by utilizing a storage submodule.
The discrimination module includes:
the data acquisition submodule is used for acquiring related data from the credible business table according to the business type;
the data block obtaining submodule is used for obtaining a network data information stream corresponding to the operation behavior of the service to be detected from the related data and analyzing the number of data blocks contained in the network data information stream to obtain the number of the data blocks to be detected;
the judging submodule is used for judging whether the number of the data blocks to be detected is the same as the number of the corresponding data blocks in the brain-like storage and calculation integrated mapping table or not;
the characteristic intercepting submodule is used for intercepting the characteristic information of the data block in the corresponding to-be-detected data information flow according to the positioning auxiliary information in the corresponding column value in the brain-like memory-computation-integrated mapping table when the number of the data blocks to be detected is the same as the number of the corresponding data blocks in the brain-like memory-computation-integrated mapping table, and connecting the characteristic information to form the to-be-detected characteristic information of the data information flow;
the hash value generation submodule is used for generating a corresponding hash value to be detected according to the same hash algorithm of the brain-like storage integral mapping table for the characteristic information to be detected;
and the comparison submodule is used for comparing the hash value to be detected with the hash value in the brain-like storage integral mapping table, if the hash values are the same, the operation is a trusted service operation, otherwise, the operation contains illegal information or is tampered, and therefore management and control of the service in the network system are completed.
To implement the method and apparatus, the system shown in fig. 5 may be designed. Fig. 5 is a block diagram of a system structure according to an embodiment of the present invention.
The whole system is divided into 5 modules: a trusted service division mapping module, a storage and calculation integrated table space construction module, a trusted task matching module, an AI algorithm engine and a disposal module. The structure is shown in FIG. 5, and the specific functions are as follows:
Trusted service division mapping module: divides the system service flow into individual, specific trusted behaviors (splitting it into specific, indivisible atomic trusted behavior operations) and maps the trusted behavior operations into the corresponding network data information flows. It trains on these flows with an AI algorithm to find the invariant feature data fields and the corresponding position information in each data block.
Storage and calculation integrated table space construction module: comprises a construction submodule for the system's trusted service storage and calculation integrated table space and a maintenance submodule for that table space.
Constructing the storage and calculation integrated table space comprises: connecting the feature information of all corresponding data blocks, calculating a hash value, and recording the hash value together with the corresponding auxiliary position information, data block quantity information and so on in the corresponding trusted behavior record in the trusted service table.
Maintaining the storage and calculation integrated table space comprises: when the system service changes, adding to, removing from and updating the trusted behavior table according to authorization.
Trusted task matching module: comprises an actual service feature extraction module and a search comparison module.
Actual service feature extraction module: generates the network data flow feature information of the service to be detected, following the trusted service division mapping module and the corresponding HASH algorithm used during training.
Search comparison module: compares the generated information to be detected with the trusted service data features stored in the table; if they match, the service passes smoothly, otherwise the "disposal module" is started for disposal.
Disposal module: after abnormal network service behavior is found, handles it according to a preset strategy.
AI algorithm engine: provides intelligent algorithm support for training on information data flows and extracting invariant features, and integrates an algorithm library of relevant machine learning and intelligent computing methods.
It will be understood by those skilled in the art that all or part of the steps of the methods of the above embodiments may be performed by instructions or by associated hardware controlled by the instructions, which may be stored in a computer readable storage medium and loaded and executed by a processor. To this end, embodiments of the present invention provide a storage medium, in which a plurality of instructions are stored, where the instructions can be loaded by a processor to execute the steps in any one of the network behavior detection methods based on brain-like computation provided by the embodiments of the present invention.
The storage medium may include: read-only memory (ROM), random access memory (RAM), magnetic or optical disks, and the like.
Since the instructions stored in the storage medium may execute the steps in any one of the network behavior detection methods based on the brain-like computation provided by the embodiments of the present invention, the beneficial effects that can be achieved by any one of the network behavior detection methods based on the brain-like computation provided by the embodiments of the present invention may be achieved, which are detailed in the foregoing embodiments and will not be described herein again.
The above description is intended to be illustrative of the preferred embodiment of the present invention and should not be taken as limiting the invention, but rather, the intention is to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the invention.

Claims (5)

1. A network behavior detection method based on brain-like computing is characterized by comprising the following steps:
establishing a brain-like memory and computation integrated mapping table of trusted business behaviors;
judging the trusted service according to the brain-like storage and calculation integrated mapping table;
establishing the brain-like memory and computation integrated mapping table of trusted business behaviors comprises the following steps:
establishing a white operation storage and calculation integrated table function mapping relation of a legal user according to the trusted business behavior;
constructing a brain-like storage and calculation integrated mapping table according to the mapping relation;
establishing the white operation storage and calculation integrated table function mapping relation of the legal user according to the trusted business behavior comprises the following steps:
decomposing the service into specific child behaviors;
mapping the child behavior into a specific network information data stream;
analyzing the number of data blocks contained in the network information data stream according to a network model, a layer and a protocol to complete the mapping from system service to network data;
wherein, in analyzing the number of data blocks contained in the network information data stream according to the network model, layer and protocol to complete the mapping from system service to network data, the number of the data blocks is the number of data frames in a data link layer or the number of IP packets in a network layer;
the method for constructing the brain-like storage and calculation integrated mapping table according to the mapping relation comprises the following steps:
storing the corresponding behavior into a row vector in a table, and storing a characteristic hash value contained in a network data information stream corresponding to the behavior, corresponding auxiliary position information, the number of data blocks and preset optional extension information into a column value corresponding to a table entry corresponding to the credible behavior;
finding out the invariant features of a data block contained in a network data information flow in a header field according to a preset protocol and a data message format, then finding out the invariant data features of the data field part in the data block in a preset AI machine learning mode, and connecting the invariant features of the header field and the invariant features of the data field to form the invariant features of the message;
recording the corresponding position and length of the invariant feature in the data block as positioning auxiliary information;
connecting the invariant features in each data block in the data information flow to form an invariant information feature chain of the white service at a network data end;
performing hash calculation on the invariant information feature chain corresponding to each white behavior to generate an invariant feature chain hash value of the trusted service, then storing the invariant feature chain hash value in a corresponding white behavior item in a trusted service table, and connecting the corresponding invariant feature chain hash value and the positioning auxiliary information for storage; and finishing all white behavior items of the trusted service one by one, and storing the number of the corresponding data blocks, the hash value of the invariant feature chain, the corresponding positioning auxiliary information and the required extension information in a corresponding trusted service table.
2. The method according to claim 1, wherein the performing trusted service determination according to the brain-like storage-integrated mapping table includes:
acquiring related data from the trusted service table according to the service type;
acquiring a network data information stream corresponding to the operation behavior of the service to be detected from the related data, and analyzing the number of data blocks contained in the network data information stream to acquire the number of the data blocks to be detected;
judging whether the number of the data blocks to be detected is the same as the number of the corresponding data blocks in the brain-like storage and calculation integrated mapping table or not;
if the number of the data blocks to be detected is the same as the number of the corresponding data blocks in the brain-like calculation integrated mapping table, intercepting the characteristic information of the data blocks in the corresponding data information stream to be detected according to the positioning auxiliary information in the corresponding column value in the brain-like calculation integrated mapping table, and connecting the characteristic information to form the characteristic information to be detected of the data information stream;
generating a corresponding hash value to be detected according to the feature information to be detected and the same hash algorithm as the brain-like storage integral mapping table;
and comparing the hash value to be detected with the hash value in the brain-like memory integrated mapping table; if they are the same, the operation is a trusted service operation, otherwise the operation contains illegal information or has been tampered with, thereby completing the management and control of the service in the network system.
3. A network behavior detection apparatus based on brain-like computing, comprising:
the table establishing module is used for establishing a brain-like memory and calculation integrated mapping table of the credible business behavior;
the judging module is used for judging the credible service according to the brain-like storage and calculation integrated mapping table;
the table establishment module comprises:
the mapping relation establishing module is used for establishing a white operation storage and calculation integrated table function mapping relation of a legal user according to the trusted business behavior;
the table construction module is used for constructing a brain-like storage and calculation integrated mapping table according to the mapping relation;
the mapping relation establishing module comprises:
the decomposition submodule is used for decomposing the service into specific child behaviors;
a mapping submodule, configured to map the child behavior into a specific network information data stream;
the analysis submodule is used for analyzing the number of data blocks contained in the network information data stream according to a network model, a layer and a protocol so as to complete the mapping from the system service to the network data; the number of the data blocks is the number of data frames in a data link layer or the number of IP packets in a network layer;
the table building module comprises:
the storage submodule is used for storing the corresponding behavior into a row vector in a table, and storing a characteristic hash value contained in a network data information stream corresponding to the behavior, corresponding auxiliary position information, the number of data blocks and preset optional extension information into a column value corresponding to a table entry corresponding to a credible behavior;
the characteristic forming submodule is used for finding out the invariant characteristic of a data block contained in the network data information flow in a head field according to a preset protocol and a data message format, then finding out the invariant data characteristic of a data field part in the data block in a preset AI machine learning mode, and connecting the invariant characteristic of the head field and the invariant characteristic of the data field to form the invariant characteristic of the message;
the positioning auxiliary module is used for recording the corresponding position and length of the invariant feature in the data block as positioning auxiliary information;
the characteristic chain forming submodule is used for connecting the invariant characteristics in each data block in the data information flow to form an invariant information characteristic chain of the white service at a network data end;
the hash calculation submodule is used for carrying out hash calculation on the invariant information feature chain corresponding to each white behavior to generate an invariant feature chain hash value of the trusted service, then storing the invariant feature chain hash value in the corresponding white behavior item in the trusted service table, and connecting the corresponding invariant feature chain hash value with the positioning auxiliary information for storage; and finishing all white behavior items of the trusted service one by one, and storing the number of the corresponding data blocks, the hash value of the invariant feature chain, the corresponding positioning auxiliary information and the required extension information in the corresponding trusted service table by using a storage submodule.
4. The network behavior detection device according to claim 3, wherein the discrimination module comprises:
the data acquisition submodule is used for acquiring related data from the credible business table according to the business type;
the data block obtaining submodule is used for obtaining a network data information stream corresponding to the operation behavior of the service to be detected from the related data and analyzing the number of data blocks contained in the network data information stream to obtain the number of the data blocks to be detected;
the judging submodule is used for judging whether the number of the data blocks to be detected is the same as the number of the corresponding data blocks in the brain-like storage and calculation integrated mapping table or not;
the characteristic intercepting submodule is used for intercepting the characteristic information of the data block in the corresponding to-be-detected data information flow according to the positioning auxiliary information in the corresponding column value in the brain-like calculation integral mapping table when the number of the to-be-detected data blocks is the same as the number of the corresponding data blocks in the brain-like calculation integral mapping table, and connecting the characteristic information to form the to-be-detected characteristic information of the data information flow;
the hash value generation submodule is used for generating a corresponding hash value to be detected according to the same hash algorithm of the brain-like storage integral mapping table for the characteristic information to be detected;
and the comparison submodule is used for comparing the hash value to be detected with the hash value in the brain-like storage integral mapping table, if the hash values are the same, the operation is a trusted service operation, otherwise, the operation contains illegal information or is tampered, and therefore management and control of the service in the network system are completed.
5. A computer-readable storage medium having stored thereon a plurality of instructions adapted to be loaded by a processor to perform a method for brain-like computation based network behavior detection according to any of claims 1-2.
CN202210640329.9A 2022-06-08 2022-06-08 Network behavior detection method and device based on brain-like memory Active CN114745139B (en)


Publications (2)

Publication Number Publication Date
CN114745139A CN114745139A (en) 2022-07-12
CN114745139B true CN114745139B (en) 2022-10-28

Family

ID=82287271

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210640329.9A Active CN114745139B (en) 2022-06-08 2022-06-08 Network behavior detection method and device based on brain-like memory

Country Status (1)

Country Link
CN (1) CN114745139B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103297440A (en) * 2013-06-24 2013-09-11 北京星网锐捷网络技术有限公司 Method, device and network equipment for establishing application traffic feature library
CN105141604A (en) * 2015-08-19 2015-12-09 国家电网公司 Method and system for detecting network security threat based on trusted business flow
CN109951491A (en) * 2019-03-28 2019-06-28 腾讯科技(深圳)有限公司 Network attack detecting method, device, equipment and storage medium
CN110661680A (en) * 2019-09-11 2020-01-07 深圳市永达电子信息股份有限公司 Method and system for detecting data stream white list based on regular expression
CN112887268A (en) * 2021-01-07 2021-06-01 深圳市永达电子信息股份有限公司 Network security guarantee method and system based on comprehensive detection and identification
CN113225359A (en) * 2021-07-12 2021-08-06 深圳市永达电子信息股份有限公司 Safety flow analysis system based on brain-like calculation
CN114221780A (en) * 2021-10-26 2022-03-22 深圳市永达电子信息股份有限公司 Industrial control system network security guarantee method, device and computer storage medium

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10367704B2 (en) * 2016-07-12 2019-07-30 At&T Intellectual Property I, L.P. Enterprise server behavior profiling
CN112769825B (en) * 2021-01-07 2023-02-21 深圳市永达电子信息股份有限公司 Network security guarantee method, system and computer storage medium
CN113283594B (en) * 2021-07-12 2021-11-09 深圳市永达电子信息股份有限公司 Intrusion detection system based on brain-like calculation

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Information Security Detection Technology for Industrial Control Equipment Modeling Generated by Excitation Traversal Test Based on Big Data; C. Cui et al.; 《2021 IEEE Sixth International Conference on Data Science in Cyberspace (DSC)》; 20220411; full text *
Hierarchical intrusion detection algorithm for industrial control based on a whitelist mechanism; 严彪 et al.; 《通信技术》; 20180410 (No. 04); full text *

Also Published As

Publication number Publication date
CN114745139A (en) 2022-07-12

Similar Documents

Publication Publication Date Title
Garg et al. Statistical vertical reduction‐based data abridging technique for big network traffic dataset
CN109347834B (en) Method, device and equipment for detecting abnormal data in Internet of things edge computing environment
CN107580699A (en) For the actuating specific to behavior with the method and system of real-time white list
CN104579974B (en) The Hash Bloom Filter and data forwarding method of Name Lookup towards in NDN
CN107135203B (en) A kind of method and system of terminal access control strategy optimization
CN112887268B (en) Network security guarantee method and system based on comprehensive detection and identification
CN109587125A (en) A kind of network security big data analysis method, system and relevant apparatus
CN110061921B (en) Cloud platform data packet distribution method and system
Karthiga et al. Intelligent intrusion detection system for VANET using machine learning and deep learning approaches
CN114745139B (en) Network behavior detection method and device based on brain-like memory
CN111526162B (en) Multilevel comprehensive identification method and device for block chain attack nodes
CN113938524A (en) Method and system for monitoring sensitive information leakage of Internet of things terminal based on flow agent
CN111163061B (en) Method and device for analyzing policy information of gateway equipment
CN110058949B (en) Sensing cloud low-coupling control method based on intelligent edge computing
CN114301632B (en) IPsec data processing method, terminal and storage medium
CN105243328A (en) Behavioral characteristic based Ferry horse defense method
CN106603471B (en) A kind of firewall policy detection method and device
Xu et al. Toward software defined dynamic defense as a service for 5G-enabled vehicular networks
CN114741426B (en) Brain-like storage and calculation integration-based business behavior detection method and device
CN111010362B (en) Monitoring method and device for abnormal host
CN106294375B (en) Data request real-time processing method and device
CN113283594B (en) Intrusion detection system based on brain-like calculation
Muhati et al. A new cyber-alliance of artificial intelligence, internet of things, blockchain, and edge computing
CN113656796B (en) Oversampling method, device, equipment and storage medium
CN114205816A (en) Information security architecture of power mobile Internet of things and use method thereof

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant