CN114915502A - Asset abnormal behavior detection method and device, terminal equipment and storage medium - Google Patents
Asset abnormal behavior detection method and device, terminal equipment and storage medium Download PDFInfo
- Publication number
- CN114915502A CN114915502A CN202210829158.4A CN202210829158A CN114915502A CN 114915502 A CN114915502 A CN 114915502A CN 202210829158 A CN202210829158 A CN 202210829158A CN 114915502 A CN114915502 A CN 114915502A
- Authority
- CN
- China
- Prior art keywords
- asset
- feature vector
- model
- network communication
- encoder
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/045—Combinations of networks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
Abstract
The invention discloses an asset abnormal behavior detection method, an asset abnormal behavior detection device, terminal equipment and a storage medium, wherein the method comprises the following steps: acquiring network communication behavior data; carrying out asset state feature extraction on the network communication behavior data to obtain an original asset state feature vector; inputting the original asset state feature vector into a pre-trained depth self-encoder model for processing and calculation to obtain a calculation result, wherein the depth self-encoder model is obtained based on depth self-encoding neural network training; and comparing the calculation result with a predetermined asset service baseline threshold value to determine whether the asset network communication behavior is abnormal, wherein the asset service baseline threshold value is determined based on the deep self-coder model. The invention realizes the effective detection of the abnormal behavior of the assets and reduces the dependence on the asset state in a limited time period.
Description
Technical Field
The invention relates to the technical field of network security, in particular to an asset abnormal behavior detection method, an asset abnormal behavior detection device, terminal equipment and a storage medium.
Background
With the high development of computer technology, more and more functions can be realized by relying on an internet platform. The enterprise management becomes flexible and convenient, and a large amount of data interaction and asset change are generated, so that the potential safety hazard is greatly increased. In the field of network behavior safety, the anomaly detection of the whole asset is a difficult problem, and particularly in daily unmarked data, the anomaly in the data is detected, which needs to sufficiently find out asset business baseline information implied in historical data so as to form a reliable reference and determine whether the network behavior is abnormal.
At present, in an asset abnormal behavior detection method, a standard deviation and an average value are calculated according to a network behavior of an asset in a certain time period, and whether the asset behavior is abnormal at the present stage is determined based on the standard deviation and the average value. This method has a strong dependence on the status of the asset over a certain period of time. If the network behavior of the assets is changed greatly in a short time, the range of the asset service baseline is also changed greatly, which is not beneficial to judging abnormal asset behavior.
Disclosure of Invention
The invention mainly aims to provide a method and a device for detecting asset abnormal behaviors, a terminal device and a storage medium, aiming at effectively detecting the asset abnormal behaviors and reducing the dependence on asset states in a limited time period.
In order to achieve the above object, the present invention provides a method for detecting asset abnormal behavior, the method comprising the following steps:
acquiring network communication behavior data;
performing asset state feature extraction on the network communication behavior data to obtain an original asset state feature vector;
inputting the original asset state feature vector into a pre-trained depth self-encoder model for processing and calculation to obtain a calculation result, wherein the depth self-encoder model is obtained based on depth self-encoding neural network training;
comparing the calculation result with a predetermined asset traffic baseline threshold value to determine whether asset network communication behavior is abnormal, wherein the asset traffic baseline threshold value is determined based on the deep self-coder model.
Optionally, the step of inputting the original asset state feature vector into a pre-trained depth autoencoder model for processing and calculating to obtain a calculation result includes:
inputting the original asset state feature vector into a pre-trained depth self-encoder model, and encoding and decoding the original asset state feature vector through the depth self-encoder model to obtain an asset state reconstruction feature vector;
and calculating the mean square error of the asset state reconstruction characteristic vector and the original asset state characteristic vector to obtain a calculation result.
Optionally, the step of inputting the original asset state feature vector into a pre-trained depth autoencoder model for processing and calculating to obtain a calculation result further includes:
obtaining the depth self-coder model based on the training of the depth self-coding neural network, which specifically comprises the following steps:
acquiring a pre-collected network communication behavior data packet;
performing asset state feature extraction on the network communication behavior data packet at different moments to obtain a sample asset state feature vector;
and inputting the sample asset state feature vector into a pre-constructed deep self-coding neural network for model training, wherein the whole model is trained by utilizing the adam optimization algorithm and combining an encoder and a decoder through randomly initializing the weight of the model to obtain a trained deep self-coder model, and storing model parameters.
Optionally, the step of comparing the calculation result with a predetermined asset traffic baseline threshold to determine whether the asset network communication behavior is abnormal further includes, before the step of determining based on the deep self-coder model:
determining the asset service baseline threshold based on the depth self-encoder model specifically includes:
reading the stored model parameters;
acquiring real-time network communication behavior data, and performing asset state feature extraction on the real-time network communication behavior data to obtain a real-time asset state feature vector;
inputting the actual asset state feature vector into the depth self-encoder model, and encoding and decoding based on the model parameters to obtain a real-time asset state reconstruction feature vector;
calculating the mean square error of the real-time asset state reconstruction feature vector and the real-time asset state feature vector;
taking an asset number and a time sequence number as IDs, and recording the IDs and corresponding mean square errors;
reading all recorded IDs and corresponding mean square errors at preset time intervals;
calculating the probability distribution of each mean square error;
and obtaining a probability threshold value according to the probability distribution of each mean square error, using the probability threshold value as an asset service baseline threshold value, and storing the probability threshold value in a database.
Optionally, the step of obtaining an asset state reconstruction feature vector by encoding and decoding the original asset state feature vector through the depth self-encoder model includes:
performing dimensionality reduction on the original asset state feature vector through an encoder in the depth self-encoder model to obtain a low-dimensional feature vector;
and reconstructing the low-dimensional characteristic vector through a decoder in the depth self-encoder model to obtain the asset state reconstruction characteristic vector.
Optionally, the step of performing, by an encoder in the depth self-encoder model, dimension reduction processing on the original asset state feature vector to obtain a low-dimensional feature vector includes:
reducing the dimension of the high-dimensional original asset state feature vector through a convolutional layer, a pooling layer and a full-link layer in the encoder to obtain a low-dimensional feature vector;
the step of reconstructing the low-dimensional feature vector by a decoder in the depth self-encoder model to obtain the asset state reconstruction feature vector includes:
and performing dimensionality raising on the low-dimensional feature vector through an deconvolution layer, an upsampling layer and a full-link layer in the decoder to obtain a reconstructed feature vector.
Optionally, the step of comparing the calculation result with a predetermined asset traffic baseline threshold to determine whether the asset network communication behavior is abnormal includes:
comparing the calculation result with a predetermined asset traffic baseline threshold;
if the calculation result exceeds a predetermined asset service baseline threshold value, determining that the asset network communication behavior is abnormal;
the method further comprises the following steps:
and sending out an alarm prompt when the asset network communication behavior is determined to be abnormal.
The embodiment of the present invention further provides an asset abnormal behavior detection device, where the asset abnormal behavior detection device includes:
the acquisition module is used for acquiring network communication behavior data;
the characteristic extraction module is used for carrying out asset state characteristic extraction on the network communication behavior data to obtain an original asset state characteristic vector;
the processing and calculating module is used for inputting the original asset state feature vector into a pre-trained depth self-encoder model for processing and calculating to obtain a calculation result, and the depth self-encoder model is obtained based on depth self-encoding neural network training;
and the abnormity determining module is used for comparing the calculation result with a predetermined asset service baseline threshold value to determine whether the asset network communication behavior is abnormal, wherein the asset service baseline threshold value is determined based on the deep self-encoder model.
The embodiment of the present invention further provides a terminal device, where the terminal device includes a memory, a processor, and an asset abnormal behavior detection program stored in the memory and capable of running on the processor, and the asset abnormal behavior detection program, when executed by the processor, implements the steps of the asset abnormal behavior detection method described above.
An embodiment of the present invention further provides a computer-readable storage medium, where an asset abnormal behavior detection program is stored on the computer-readable storage medium, and when being executed by a processor, the asset abnormal behavior detection program implements the steps of the asset abnormal behavior detection method described above.
The embodiment of the invention provides a method, a device, a terminal device and a storage medium for detecting asset abnormal behavior, which are characterized in that network communication behavior data are obtained; performing asset state feature extraction on the network communication behavior data to obtain an original asset state feature vector; inputting the original asset state feature vector into a pre-trained depth self-encoder model for processing and calculation to obtain a calculation result, wherein the depth self-encoder model is obtained based on depth self-encoding neural network training; comparing the calculation result with a predetermined asset traffic baseline threshold value to determine whether asset network communication behavior is abnormal, wherein the asset traffic baseline threshold value is determined based on the deep self-coder model. The method adopts a deep self-encoder model to process the asset state characteristic data and combines an asset service baseline threshold value to judge the abnormality, thereby realizing the effective detection of the asset abnormal behavior.
Compared with the prior art, the scheme of the embodiment of the invention has the following advantages:
(1) other logs or safety information is not needed, only the communication flow of the assets is used as a basis, and the influence caused by incomplete logs or safety information or false alarm is reduced.
(2) Compared with the traditional method, the deep learning self-encoder can continuously learn along with the increase of samples, adjust parameters, and get close to the asset service baseline, and the deep learning self-encoder becomes more and more accurate along with the time.
(3) The method has the advantages that the occurrence of unknown threats is efficiently confirmed, historical data are continuously accumulated, and the influence of short-time severe fluctuation on the model is effectively avoided.
Drawings
FIG. 1 is a functional block diagram of a terminal device to which an asset abnormal behavior detection apparatus of the present invention belongs;
FIG. 2 is a schematic flow chart diagram illustrating an exemplary embodiment of a method for asset anomalous behavior detection in accordance with the present invention;
FIG. 3 is a schematic flow chart diagram illustrating a method for asset anomalous behavior detection in accordance with another exemplary embodiment of the present invention;
FIG. 4 is a schematic view of the general flow chart of an embodiment of the asset abnormal behavior detection method of the present invention;
fig. 5 is a functional module diagram of an exemplary embodiment of the asset abnormal behavior detection apparatus according to the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The main solution of the embodiment of the invention is as follows: obtaining network communication behavior data; performing asset state feature extraction on the network communication behavior data to obtain an original asset state feature vector; inputting the original asset state feature vector into a pre-trained depth self-encoder model for processing and calculation to obtain a calculation result, wherein the depth self-encoder model is obtained based on depth self-encoding neural network training; comparing the calculation result with a predetermined asset service baseline threshold value to determine whether the asset network communication behavior is abnormal, wherein the asset service baseline threshold value is determined based on the deep self-encoder model. The method adopts a deep self-encoder model to process the asset state characteristic data and combines an asset service baseline threshold value to judge the abnormality, thereby realizing the effective detection of the asset abnormal behavior.
In the prior art, an asset abnormal behavior detection method is adopted, in which a standard deviation and an average value are calculated according to a network behavior of an asset within a certain time period, and whether the asset behavior is abnormal at the present stage is determined based on the standard deviation and the average value. This method has a strong dependence on the status of the asset over a certain period of time. If the network behavior of the assets is changed greatly in a short time, the range of the asset service baseline is also changed greatly, which is not beneficial to judging abnormal asset behavior.
The asset abnormal behavior detection scheme based on the asset service baseline can realize effective detection of the asset abnormal behavior and reduce dependence on asset states in a limited time period.
Referring to fig. 1, fig. 1 is a functional module schematic diagram of a terminal device to which an asset abnormal behavior detection apparatus of the present invention belongs. The asset abnormal behavior detection device may be a device that is independent of the terminal device and capable of performing data processing, and may be carried on the terminal device in the form of hardware or software. The terminal device can be an intelligent mobile terminal with a data processing function, such as a mobile phone and a tablet personal computer, and can also be a fixed terminal device or a server with a data processing function.
In this embodiment, the terminal device to which the asset abnormal behavior detection apparatus belongs at least includes an output module 110, a processor 120, a memory 130, and a communication module 140.
The memory 130 stores an operating system and an asset abnormal behavior detection program, and the asset abnormal behavior detection device can store the acquired network communication behavior data, the original asset state feature vector extracted from the network communication behavior data, the processing result output by the depth self-encoder model, the calculation result and other information in the memory 130; the output module 110 may be a display screen or the like. The communication module 140 may include a WIFI module, a mobile communication module, a bluetooth module, and the like, and communicates with an external device or a server through the communication module 140.
Wherein the asset abnormal behavior detection program in the memory 130 when executed by the processor implements the steps of:
acquiring network communication behavior data;
performing asset state feature extraction on the network communication behavior data to obtain an original asset state feature vector;
inputting the original asset state feature vector into a pre-trained depth self-encoder model for processing and calculation to obtain a calculation result, wherein the depth self-encoder model is obtained based on depth self-encoding neural network training;
comparing the calculation result with a predetermined asset traffic baseline threshold value to determine whether asset network communication behavior is abnormal, wherein the asset traffic baseline threshold value is determined based on the deep self-coder model.
Further, the asset abnormal behavior detection program in the memory 130 when executed by the processor further implements the steps of:
inputting the original asset state feature vector into a pre-trained depth self-encoder model, and encoding and decoding the original asset state feature vector through the depth self-encoder model to obtain an asset state reconstruction feature vector;
and calculating the mean square error of the asset state reconstruction characteristic vector and the original asset state characteristic vector to obtain a calculation result.
Further, the asset abnormal behavior detection program in the memory 130 when executed by the processor further implements the steps of:
obtaining the depth self-coder model based on the training of the depth self-coding neural network, which specifically comprises the following steps:
acquiring a pre-collected network communication behavior data packet;
performing asset state feature extraction on the network communication behavior data packet at different moments to obtain a sample asset state feature vector;
and inputting the sample asset state feature vector into a pre-constructed deep self-coding neural network for model training, wherein the whole model is trained by utilizing the adam optimization algorithm and combining an encoder and a decoder through randomly initializing the weight of the model to obtain a trained deep self-coder model, and storing model parameters.
Further, the asset abnormal behavior detection program in the memory 130 when executed by the processor further implements the steps of:
determining the asset service baseline threshold based on the depth self-encoder model specifically includes:
reading the stored model parameters;
acquiring real-time network communication behavior data, and performing asset state feature extraction on the real-time network communication behavior data to obtain a real-time asset state feature vector;
inputting the actual asset state feature vector into the depth self-encoder model, and encoding and decoding based on the model parameters to obtain a real-time asset state reconstruction feature vector;
calculating the mean square error of the real-time asset state reconstruction feature vector and the real-time asset state feature vector;
taking an asset number and a time sequence number as IDs, and recording the IDs and corresponding mean square errors;
reading all recorded IDs and corresponding mean square errors at preset time intervals;
calculating a probability distribution according to each mean square error;
and obtaining a probability threshold value according to the probability distribution of each mean square error, using the probability threshold value as an asset service baseline threshold value, and storing the probability threshold value in a database.
Further, the asset abnormal behavior detection program in the memory 130 when executed by the processor further implements the steps of:
performing dimensionality reduction on the original asset state feature vector through an encoder in the depth self-encoder model to obtain a low-dimensional feature vector;
and reconstructing the low-dimensional characteristic vector through a decoder in the depth self-encoder model to obtain the asset state reconstruction characteristic vector.
Further, the asset abnormal behavior detection program in the memory 130 when executed by the processor further implements the steps of:
reducing the dimension of the high-dimensional original asset state feature vector through a convolutional layer, a pooling layer and a full-link layer in the encoder to obtain a low-dimensional feature vector;
the step of reconstructing the low-dimensional feature vector by a decoder in the depth self-encoder model to obtain the asset state reconstruction feature vector includes:
and performing dimensionality increase on the low-dimensional feature vector through an deconvolution layer, an upsampling layer and a full connection layer in the decoder to obtain a reconstructed feature vector.
Further, the asset abnormal behavior detection program in the memory 130 when executed by the processor further implements the steps of:
comparing the calculation result with a predetermined asset traffic baseline threshold;
if the calculation result exceeds a predetermined asset service baseline threshold value, determining that the asset network communication behavior is abnormal;
the method further comprises the following steps:
and sending out an alarm prompt when the asset network communication behavior is determined to be abnormal.
According to the scheme, the network communication behavior data are obtained; performing asset state feature extraction on the network communication behavior data to obtain an original asset state feature vector; inputting the original asset state feature vector into a pre-trained depth self-encoder model for processing and calculation to obtain a calculation result, wherein the depth self-encoder model is obtained based on depth self-encoding neural network training; comparing the calculation result with a predetermined asset traffic baseline threshold value to determine whether asset network communication behavior is abnormal, wherein the asset traffic baseline threshold value is determined based on the deep self-coder model. The method adopts a deep self-encoder model to process the asset state characteristic data and combines an asset service baseline threshold value to judge the abnormality, thereby realizing the effective detection of the asset abnormal behavior.
Based on the above terminal device architecture but not limited to the above architecture, embodiments of the method of the present application are provided.
The execution subject of the method of this embodiment may be an asset abnormal behavior detection device or a terminal device, and the asset abnormal behavior detection device is used for example in this embodiment.
Referring to fig. 2, fig. 2 is a flowchart illustrating an asset abnormal behavior detection method according to an exemplary embodiment of the present invention. The asset abnormal behavior detection method comprises the following steps:
step S101, network communication behavior data are obtained;
the network communication behavior data is network data which needs to be subjected to asset abnormal behavior evaluation in real time and can come from various network traffic data packets. For example, various network communication behavior data on the internet platform, and also a large amount of interaction data and asset change data of various enterprises based on the internet platform, etc. are not specifically limited in this embodiment.
Step S102, asset state feature extraction is carried out on the network communication behavior data to obtain an original asset state feature vector;
the asset state characteristics may include a number of open ports, a number of processes, a number of installed software, a memory usage rate, a disk usage rate, a CPU usage rate, a trojan virus number, a TCP flag ratio, an average packet length, an average session packet number, a data in-out degree, a DNS session ratio, an ICMP session ratio, a DNS resolution failure ratio, an HTTP connection exception ratio, an encryption session inflow and outflow byte number, a connection foreign address ratio, a connection foreign address inflow and outflow byte number, a connection non-common port ratio, a connection non-common port inflow and outflow byte number, a total data throughput, a sensitive port access ratio, an access port number, an access server ratio, an access terminal ratio, an access number, an access success rate, and the like.
As an implementation manner, the asset state feature extraction is performed on the network communication behavior data, and the extracted feature data may be subjected to word segmentation, and then embedded vectorization training is performed, so as to obtain a corresponding original asset state feature vector, so that the obtained original asset state feature vector is input into the deep self-encoder model for processing.
Step S103, inputting the original asset state feature vector into a pre-trained depth self-encoder model for processing and calculation to obtain a calculation result, wherein the depth self-encoder model is obtained based on depth self-encoding neural network training;
specifically, as an implementation manner, the original asset state feature vector is input into a pre-trained depth self-encoder model, and the original asset state feature vector is encoded and decoded by the depth self-encoder model to obtain an asset state reconstruction feature vector;
and then, calculating the mean square error of the asset state reconstruction characteristic vector and the original asset state characteristic vector to obtain a calculation result.
Thus, by calculating the mean square error of the asset state reconstructed feature vector and the original asset state feature vector, it can be determined whether the asset network communication behavior is abnormal or not in combination with the predetermined asset traffic baseline threshold.
In this embodiment, the depth self-encoder model may be trained based on a depth self-encoding neural network.
Specifically, the depth self-encoder neural network can be constructed based on a TensorFlow framework or other learning frameworks, and the depth self-encoder neural network with the depth of m layers is constructed through the TensorFlow framework or other learning frameworks, and the neural network is composed of a convolutional layer, a pooling layer, a Dropout layer, an anti-convolutional layer, an upsampling layer, a fully-connected layer and the like. The method mainly comprises an encoder and a decoder, wherein the asset network communication behavior data enters the encoder after feature extraction, and the dimension of the data enters the encoder and is reduced layer by layer. After the encoding is finished, the data enters the decoder part. In the decoding process, the data dimensionality rises layer by layer until the dimensionality of the original data is completely restored, and the reconstructed feature vector can be obtained.
The present mainstream learning framework includes TensorFlow, Keras, MXNet, pytorre, and other learning frameworks, and in the embodiment of the present invention, TensorFlow is taken as the learning framework for example, so as to construct a depth self-encoder neural network with a depth of m layers, where m is a positive integer greater than or equal to 1. The neural network of the depth self-encoder can be roughly divided into an encoder part and a decoder part, wherein the encoder part mainly comprises a convolution layer, a pooling layer, a full-connection layer and other structures and is used for reducing the dimension of data; the decoder part mainly comprises a deconvolution layer, an up-sampling layer, full connection layers and other structures, is used for the upscaling of data, and is additionally provided with a Dropout layer between all the full connection layers, so that model overfitting can be prevented.
As an embodiment, the step of obtaining an asset state reconstruction feature vector by encoding and decoding the original asset state feature vector through the depth self-encoder model may include:
performing dimensionality reduction on the original asset state feature vector through an encoder in the depth self-encoder model to obtain a low-dimensional feature vector;
and reconstructing the low-dimensional characteristic vector through a decoder in the depth self-encoder model to obtain the asset state reconstruction characteristic vector.
Further, the step of performing dimension reduction processing on the original asset state feature vector through an encoder in the depth self-encoder model to obtain a low-dimensional feature vector includes:
reducing the dimension of the high-dimensional original asset state feature vector through a convolutional layer, a pooling layer and a full-link layer in the encoder to obtain a low-dimensional feature vector;
the step of reconstructing the low-dimensional feature vector by a decoder in the depth self-encoder model to obtain the asset state reconstruction feature vector includes:
and performing dimensionality raising on the low-dimensional feature vector through an deconvolution layer, an upsampling layer and a full-link layer in the decoder to obtain a reconstructed feature vector.
And step S104, comparing the calculation result with a predetermined asset service baseline threshold value to determine whether the asset network communication behavior is abnormal, wherein the asset service baseline threshold value is determined based on the deep self-coder model.
Specifically, as one embodiment, the calculation is compared to a predetermined asset traffic baseline threshold;
and if the calculation result exceeds a predetermined asset service baseline threshold value, determining that the asset network communication behavior is abnormal.
Further, when the asset network communication behavior is determined to be abnormal, an alarm prompt may be issued.
According to the scheme, the network communication behavior data are obtained; performing asset state feature extraction on the network communication behavior data to obtain an original asset state feature vector; inputting the original asset state feature vector into a pre-trained depth self-encoder model for processing and calculation to obtain a calculation result, wherein the depth self-encoder model is obtained based on depth self-encoding neural network training; comparing the calculation result with a predetermined asset traffic baseline threshold value to determine whether asset network communication behavior is abnormal, wherein the asset traffic baseline threshold value is determined based on the deep self-coder model. The method adopts a deep self-encoder model to process the asset state characteristic data and combines an asset service baseline threshold value to judge the abnormality, thereby realizing the effective detection of the asset abnormal behavior.
Referring to fig. 3, fig. 3 is a flowchart illustrating an asset abnormal behavior detection method according to another exemplary embodiment of the present invention. On the basis of the embodiment shown in fig. 2, in the present embodiment, in step S104, inputting the original asset state feature vector into a pre-trained deep auto-encoder model for processing and calculating, and before obtaining a calculation result, the method further includes:
step S100, training to obtain the depth self-coder model based on a depth self-coding neural network,
compared with the embodiment shown in fig. 2, the present embodiment further includes a scheme of constructing a depth self-encoder model.
Specifically, the process of obtaining the depth self-coder model based on the training of the depth self-coding neural network in this embodiment may be as follows:
firstly, acquiring a pre-collected network communication behavior data packet;
the network communication behavior data packet may be various network traffic data packets collected in advance. For example, various network communication behavior data on the internet platform, and also a large amount of interaction data and asset change data of various enterprises based on the internet platform, etc. are not specifically limited in this embodiment.
Then, carrying out asset state feature extraction on the network communication behavior data packet at different moments to obtain a sample asset state feature vector;
the extracted asset state characteristics comprise a plurality of characteristics such as open port number, process number, number of installed software, memory usage rate, disk usage rate, CPU usage rate, Trojan virus number, TCP mark proportion, average packet length, average session packet number, data in-out degree, DNS session proportion, ICMP session proportion, DNS analysis failure proportion, HTTP connection exception proportion, encryption session inflow and outflow byte number, connection foreign address proportion, connection foreign address inflow and outflow byte number, connection non-common port proportion, connection non-common port inflow and outflow byte number, total data throughput, sensitive port access proportion, access port number, access server proportion, access terminal proportion, access number, access success rate and the like.
And then, inputting the sample asset state feature vector into a pre-constructed deep self-coding neural network for model training, wherein the whole model is trained by utilizing a adam optimization algorithm and combining an encoder and a decoder through randomly initializing the weight of the model to obtain a trained deep self-coder model, and storing model parameters.
Specifically, in this embodiment, the depth self-encoder model may be trained based on a depth self-encoding neural network.
Specifically, the deep self-encoder neural network can be constructed based on a TensorFlow framework or other learning frameworks, and the deep self-encoder neural network with the depth of m layers is constructed through the TensorFlow framework or other learning frameworks, and the neural network is composed of a convolutional layer, a pooling layer, a Dropout layer, an anti-convolutional layer, an upsampling layer, a fully-connected layer and other structures. The method can be divided into an encoder and a decoder, the asset network communication behavior data enters the encoder after feature extraction, and the dimension of the data descends layer by layer after entering the encoder. After the encoding is finished, the data enters the decoder part. In the decoding process, the data dimensionality rises layer by layer until the dimensionality of the original data is completely restored, and the reconstructed feature vector can be obtained.
The present mainstream learning framework includes TensorFlow, Keras, MXNet, pytorre, and other learning frameworks, and in the embodiment of the present invention, TensorFlow is taken as the learning framework for example, so as to construct a depth self-encoder neural network with a depth of m layers, where m is a positive integer greater than or equal to 1. The neural network of the depth self-encoder can be roughly divided into an encoder part and a decoder part, wherein the encoder part mainly comprises a convolution layer, a pooling layer, a full-connection layer and other structures and is used for reducing the dimension of data; the decoder part mainly comprises a deconvolution layer, an upsampling layer, a full connection layer and other structures and is used for the upscaling of data, and in addition, a Dropout layer is added between all the full connection layers, so that the overfitting of a model can be prevented. The overfitting means that noise in the fitted data and unrepresentative characteristics in the fitted data are caused by excessive learning iteration times and the like of the neural network model, so that the accuracy of an output result is influenced, and the model overfitting can be prevented by adopting Dropout.
As an implementation manner, when performing model training based on the deep self-coding neural network, the following scheme may be specifically adopted:
and (3) performing feature extraction on the network communication data in the asset t time through the steps to obtain a sample asset state feature vector X, and inputting the vector X as a model input value into the built deep self-encoder neural network for model training.
After the vector X enters the encoder, the convolution layer, the pooling layer and the full-connection layer in the encoder reduce the dimension of the high-dimensional feature vector, and the low-dimensional feature vector is obtained through convolution, pooling and full-connection.
After the low-dimensional feature vector is obtained by the encoder, the low-dimensional feature vector is input into a decoder, the low-dimensional feature vector is subjected to dimension raising by an deconvolution layer, an upsampling layer and a full-link layer in the decoder, and the feature vector is reconstructed by means of deconvolution, upsampling, full-link and the like. And (5) raising the dimension of the low-dimensional feature vector through decoding until the dimension of the final complete data is reached, so that a reconstructed feature vector can be obtained, and a model output value X' is obtained.
In the model training process, the weight of the neural network is initialized randomly, then the entire network is trained by utilizing the adam optimization algorithm, so that the Mean Square Error (MSE) of the output value X' and the input value X of the model is reduced as much as possible, the training is finished after two rounds, and model parameters are stored, wherein the model parameters comprise the weight of the neural network of the depth self-encoder model, the adam optimization algorithm and other related parameters.
Therefore, by the scheme, the depth self-coder model is obtained based on the training of the depth self-coding neural network.
Further, an asset traffic baseline threshold may be determined based on the trained deep self-coder model to determine whether asset behavior is abnormal in conjunction with the asset traffic baseline threshold.
The asset service baseline threshold is used as a judgment index of the asset behavior abnormal degree, and can be determined in the following way:
determining the asset service baseline threshold based on the depth self-encoder model specifically includes:
firstly, reading the stored model parameters;
then, acquiring real-time network communication behavior data, and performing asset state feature extraction on the real-time network communication behavior data to obtain a real-time asset state feature vector;
then, inputting the actual asset state feature vector into the depth self-encoder model, and encoding and decoding based on the model parameters to obtain a real-time asset state reconstruction feature vector;
then, calculating the mean square error of the real-time asset state reconstruction characteristic vector and the real-time asset state characteristic vector;
taking an asset number and a time sequence number as IDs, and recording the IDs and corresponding mean square errors;
reading all recorded IDs and corresponding mean square errors at preset time intervals;
and calculating the probability distribution of each mean square error, obtaining a probability threshold value according to the probability distribution of each mean square error, using the probability threshold value as an asset service baseline threshold value, and storing the probability threshold value in a database.
That is, all assets are subjected to the trained depth self-encoder model in the above steps, the Mean Square Error (MSE) of the model output value X' and the model input value X is calculated, the asset number and the time sequence number are used as ID, and the corresponding mean square error value of the ID is recorded. And reading all recorded data at intervals, and obtaining probability values according to data distribution. And obtaining a threshold value according to the probability distribution, storing the threshold value as an asset service baseline to a database, setting a rarity interface in the database, and providing the rarity interface for users to perform operations such as inquiry and the like.
Since normal communication of assets is typically overwhelming and repetitive, training data into a model, each training data will produce a small change in the model. The model learns a large number of normal features and a small number of abnormal features as noise, so that the model is more suitable for normal business of assets, and abnormal behaviors obtain higher error values and are far away from a business baseline.
And according to the asset service baseline threshold value obtained in the step, the method can be used as a judgment basis for the asset abnormal behavior to alarm the asset abnormal behavior.
The overall flow of the present embodiment can be referred to fig. 4.
The method is suitable for asset abnormal behavior detection, and asset state data is extracted by acquiring a network communication behavior data packet to form characteristics. And reducing the dimension of the high-dimensional feature vector in a convolution, pooling, full connection and other modes, and reconstructing the feature vector of the low-dimensional feature vector in a deconvolution, upsampling, full connection and other modes. And calculating the mean square error between the low-dimensional feature vector and the reconstruction vector, and determining the asset service baseline threshold according to the probability distribution of the mean square error in a period of time and the distribution. And (4) studying and judging the newly generated asset state data, and alarming abnormal behaviors.
In the scheme of the embodiment, the processed asset state characteristic data is input into the model for training by acquiring network communication behavior data, and each training data generates a tiny change of the model. Since normal flow is large and repetitive, the model learns a large number of normal features and a small number of abnormal features as noise. The method is characterized in that the method performs learning by extracting the state characteristic data of the assets at different moments, adaptively modifies the parameters of the asset abnormal behavior detection model, identifies the sudden asset behavior and finds the asset abnormality.
Compared with the prior art, the scheme of the embodiment of the invention does not need to rely on other logs or safety information, and only relies on the communication flow of the assets as a basis, thereby reducing the influence caused by incomplete logs or safety information or misinformation; the deep learning self-encoder can continuously learn along with the increase of samples, adjust parameters, get close to the asset service baseline and become more and more accurate along with the time; the method has the advantages that the occurrence of unknown threats is efficiently confirmed, historical data are continuously accumulated, and the influence of short-time severe fluctuation on the model is effectively avoided.
According to the scheme, a depth self-coding neural network training is carried out to obtain a depth self-coder model, the asset service baseline threshold value is determined based on the depth self-coder model, and when network communication behavior data with detection is obtained, asset state feature extraction is carried out on the network communication behavior data to obtain an original asset state feature vector; inputting the original asset state feature vector into a pre-trained depth self-encoder model for processing and calculation to obtain a calculation result, wherein the depth self-encoder model is obtained based on depth self-encoding neural network training; comparing the calculation result with a predetermined asset traffic baseline threshold value to determine whether asset network communication behavior is abnormal, wherein the asset traffic baseline threshold value is determined based on the deep self-coder model. The method adopts a deep self-encoder model to process the asset state characteristic data and combines an asset service baseline threshold value to judge the abnormality, thereby realizing the effective detection of the asset abnormal behavior.
In addition, as shown in fig. 5, an embodiment of the present invention further provides an asset abnormal behavior detection apparatus, where the apparatus includes:
the acquisition module is used for acquiring network communication behavior data;
the characteristic extraction module is used for carrying out asset state characteristic extraction on the network communication behavior data to obtain an original asset state characteristic vector;
the processing and calculating module is used for inputting the original asset state feature vector into a pre-trained depth self-encoder model for processing and calculating to obtain a calculation result, and the depth self-encoder model is obtained based on depth self-encoding neural network training;
and the abnormity determining module is used for comparing the calculation result with a predetermined asset service baseline threshold value to determine whether the asset network communication behavior is abnormal, wherein the asset service baseline threshold value is determined based on the deep self-encoder model.
For a specific principle of implementing asset abnormal behavior detection in this embodiment, please refer to the above embodiments, which are not described herein again.
In addition, the present invention further provides a terminal device, where the terminal device includes a memory, a processor, and an abnormal behavior detection program that is stored in the memory and can be run on the processor, and when the abnormal behavior detection program is executed by the processor, the steps of the abnormal behavior detection method according to the above embodiment are implemented.
Since the abnormal behavior detection program is executed by the processor, all technical solutions of all the embodiments are adopted, so that at least all the advantages brought by all the technical solutions of all the embodiments are achieved, and details are not repeated herein.
Furthermore, the present invention also provides a computer-readable storage medium, on which an abnormal behavior detection program is stored, which, when executed by a processor, implements the steps of the abnormal behavior detection method according to the above embodiment
Since the abnormal behavior detection program is executed by the processor, all technical solutions of all the foregoing embodiments are adopted, so that at least all the beneficial effects brought by all the technical solutions of all the foregoing embodiments are achieved, and details are not repeated herein.
Compared with the prior art, the asset abnormal behavior detection method, the asset abnormal behavior detection device, the terminal equipment and the storage medium provided by the embodiment of the invention acquire network communication behavior data; performing asset state feature extraction on the network communication behavior data to obtain an original asset state feature vector; inputting the original asset state feature vector into a pre-trained depth self-encoder model for processing and calculation to obtain a calculation result, wherein the depth self-encoder model is obtained based on depth self-encoding neural network training; comparing the calculation result with a predetermined asset traffic baseline threshold value to determine whether asset network communication behavior is abnormal, wherein the asset traffic baseline threshold value is determined based on the deep self-coder model. The method adopts a deep self-encoder model to process the asset state characteristic data and combines an asset service baseline threshold value to judge the abnormality, thereby realizing the effective detection of the asset abnormal behavior.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
Through the description of the foregoing embodiments, it is clear to those skilled in the art that the method of the foregoing embodiments may be implemented by software plus a necessary general hardware platform, and certainly may also be implemented by hardware, but in many cases, the former is a better implementation. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, a controlled terminal, or a network device) to execute the method of each embodiment of the present application.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.
Claims (10)
1. An asset abnormal behavior detection method, characterized in that the method comprises the following steps:
acquiring network communication behavior data;
performing asset state feature extraction on the network communication behavior data to obtain an original asset state feature vector;
inputting the original asset state feature vector into a pre-trained depth self-encoder model for processing and calculation to obtain a calculation result, wherein the depth self-encoder model is obtained based on depth self-encoding neural network training;
comparing the calculation result with a predetermined asset traffic baseline threshold value to determine whether asset network communication behavior is abnormal, wherein the asset traffic baseline threshold value is determined based on the deep self-coder model.
2. The method of claim 1, wherein the step of inputting the original asset state feature vector into a pre-trained deep auto-encoder model for processing and calculation to obtain a calculation result comprises:
inputting the original asset state feature vector into a pre-trained depth self-encoder model, and encoding and decoding the original asset state feature vector through the depth self-encoder model to obtain an asset state reconstruction feature vector;
and calculating the mean square error of the asset state reconstruction characteristic vector and the original asset state characteristic vector to obtain a calculation result.
3. The method of claim 1, wherein the step of inputting the original asset state feature vector into a pre-trained deep auto-encoder model for processing and calculation to obtain a calculation result further comprises:
obtaining the depth self-coder model based on the training of the depth self-coding neural network, which specifically comprises the following steps:
acquiring a pre-collected network communication behavior data packet;
performing asset state feature extraction on the network communication behavior data packet at different moments to obtain a sample asset state feature vector;
and inputting the sample asset state feature vector into a pre-constructed deep self-coding neural network for model training, wherein the whole model is trained by utilizing the adam optimization algorithm and combining an encoder and a decoder through randomly initializing the weight of the model to obtain a trained deep self-coder model, and storing model parameters.
4. The method of claim 3, wherein the step of comparing the computed result to a predetermined asset traffic baseline threshold to determine whether asset network communication behavior is abnormal further comprises, prior to the step of determining based on the deep self-coder model:
determining the asset service baseline threshold based on the depth self-encoder model specifically includes:
reading the stored model parameters;
acquiring real-time network communication behavior data, and performing asset state feature extraction on the real-time network communication behavior data to obtain a real-time asset state feature vector;
inputting the actual asset state feature vector into the depth self-encoder model, and encoding and decoding based on the model parameters to obtain a real-time asset state reconstruction feature vector;
calculating the mean square error of the real-time asset state reconstruction feature vector and the real-time asset state feature vector;
taking an asset number and a time sequence number as IDs, and recording the IDs and corresponding mean square errors;
reading all recorded IDs and corresponding mean square errors at preset time intervals;
calculating the probability distribution of each mean square error;
and obtaining a probability threshold value according to the probability distribution of each mean square error, using the probability threshold value as an asset service baseline threshold value, and storing the probability threshold value in a database.
5. The method of claim 2, wherein the step of encoding and decoding the original asset state feature vector by the deep self-coder model to obtain an asset state reconstruction feature vector comprises:
performing dimensionality reduction on the original asset state feature vector through an encoder in the depth self-encoder model to obtain a low-dimensional feature vector;
and reconstructing the low-dimensional characteristic vector through a decoder in the depth self-encoder model to obtain the asset state reconstruction characteristic vector.
6. The method of claim 5, wherein the step of performing dimension reduction on the original asset state feature vector by an encoder in the depth self-encoder model to obtain a low-dimensional feature vector comprises:
reducing the dimension of the high-dimensional original asset state feature vector through a convolutional layer, a pooling layer and a full-link layer in the encoder to obtain a low-dimensional feature vector;
the step of reconstructing the low-dimensional feature vector by a decoder in the depth self-encoder model to obtain the asset state reconstruction feature vector comprises:
and performing dimensionality raising on the low-dimensional feature vector through an deconvolution layer, an upsampling layer and a full-link layer in the decoder to obtain a reconstructed feature vector.
7. The method of claim 3, wherein the step of comparing the computed result to a predetermined asset traffic baseline threshold to determine whether asset network communication behavior is abnormal comprises:
comparing the calculation result with a predetermined asset business baseline threshold;
if the calculation result exceeds a predetermined asset service baseline threshold value, determining that the asset network communication behavior is abnormal;
the method further comprises the following steps:
and sending out an alarm prompt when the asset network communication behavior is determined to be abnormal.
8. An asset abnormal behavior detection apparatus, characterized in that the abnormal behavior detection apparatus comprises:
the acquisition module is used for acquiring network communication behavior data;
the characteristic extraction module is used for carrying out asset state characteristic extraction on the network communication behavior data to obtain an original asset state characteristic vector;
the processing and calculating module is used for inputting the original asset state feature vector into a pre-trained depth self-encoder model for processing and calculating to obtain a calculation result, and the depth self-encoder model is obtained based on depth self-encoding neural network training;
and the abnormity determining module is used for comparing the calculation result with a predetermined asset service baseline threshold value to determine whether the asset network communication behavior is abnormal, wherein the asset service baseline threshold value is determined based on the deep self-encoder model.
9. A terminal device comprising a memory, a processor and an asset abnormal behavior detection program stored on the memory and executable on the processor, the asset abnormal behavior detection program when executed by the processor implementing the steps of the asset abnormal behavior detection method according to any one of claims 1-7.
10. A computer-readable storage medium, having stored thereon an asset abnormal behavior detection program which, when executed by a processor, implements the steps of the asset abnormal behavior detection method according to any one of claims 1-7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210829158.4A CN114915502B (en) | 2022-07-15 | 2022-07-15 | Asset abnormal behavior detection method and device, terminal equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210829158.4A CN114915502B (en) | 2022-07-15 | 2022-07-15 | Asset abnormal behavior detection method and device, terminal equipment and storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114915502A true CN114915502A (en) | 2022-08-16 |
| CN114915502B CN114915502B (en) | 2022-10-04 |
Family
ID=82772194
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210829158.4A Active CN114915502B (en) | 2022-07-15 | 2022-07-15 | Asset abnormal behavior detection method and device, terminal equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114915502B (en) |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109919489A (en) * | 2019-03-08 | 2019-06-21 | 北京工业大学 | Business equipment life-span prediction method based on enterprise asset management and GA-BP |
| CN110766329A (en) * | 2019-10-25 | 2020-02-07 | 华夏银行股份有限公司 | Risk analysis method, device, equipment and medium for information assets |
| CN112039903A (en) * | 2020-09-03 | 2020-12-04 | 中国民航大学 | Network security situation assessment method based on deep self-coding neural network model |
| CN113632027A (en) * | 2019-04-01 | 2021-11-09 | Abb瑞士股份有限公司 | Asset condition monitoring method using automatic anomaly detection |
| WO2022012429A1 (en) * | 2020-07-13 | 2022-01-20 | 华为技术有限公司 | Method for implementing terminal verification, apparatus, system, device, and storage medium |
-
2022
- 2022-07-15 CN CN202210829158.4A patent/CN114915502B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109919489A (en) * | 2019-03-08 | 2019-06-21 | 北京工业大学 | Business equipment life-span prediction method based on enterprise asset management and GA-BP |
| CN113632027A (en) * | 2019-04-01 | 2021-11-09 | Abb瑞士股份有限公司 | Asset condition monitoring method using automatic anomaly detection |
| CN110766329A (en) * | 2019-10-25 | 2020-02-07 | 华夏银行股份有限公司 | Risk analysis method, device, equipment and medium for information assets |
| WO2022012429A1 (en) * | 2020-07-13 | 2022-01-20 | 华为技术有限公司 | Method for implementing terminal verification, apparatus, system, device, and storage medium |
| CN112039903A (en) * | 2020-09-03 | 2020-12-04 | 中国民航大学 | Network security situation assessment method based on deep self-coding neural network model |
Non-Patent Citations (1)
| Title |
|---|
| 罗韦尔•阿蒂恩扎: "自编码器", 《KERAS高级深度学习》 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114915502B (en) | 2022-10-04 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| TWI764640B (en) | Training method and device for anomaly detection model based on differential privacy | |
| CN109379379B (en) | Network intrusion detection method based on improved convolutional neural network | |
| CN108737406B (en) | Method and system for detecting abnormal flow data | |
| CN109902617B (en) | Picture identification method and device, computer equipment and medium | |
| CN112800116A (en) | Method and device for detecting abnormity of service data | |
| CN110837872B (en) | Industrial control network intrusion detection method and system | |
| CN111030992A (en) | Detection method, server and computer readable storage medium | |
| CN112418361A (en) | Industrial control system anomaly detection method and device based on deep learning | |
| CN113660196A (en) | Network traffic intrusion detection method and device based on deep learning | |
| CN112801155A (en) | Business big data analysis method based on artificial intelligence and server | |
| CN115017511A (en) | Source code vulnerability detection method and device and storage medium | |
| CN110659997A (en) | Data cluster identification method and device, computer system and readable storage medium | |
| CN115102779B (en) | Prediction model training and access request decision method, device and medium | |
| CN114915502B (en) | Asset abnormal behavior detection method and device, terminal equipment and storage medium | |
| CN110837638B (en) | Method, device and equipment for detecting lasso software and storage medium | |
| CN111026087B (en) | Weight-containing nonlinear industrial system fault detection method and device based on data | |
| CN113114489B (en) | Network security situation assessment method, device, equipment and storage medium | |
| CN116738302A (en) | Method for detecting anomalies in time-series data generated by an infrastructure device in a network | |
| WO2021243534A1 (en) | Behavior control method and apparatus and storage medium | |
| CN110990837A (en) | System call behavior sequence dimension reduction method, system, equipment and storage medium | |
| CN113935023A (en) | Database abnormal behavior detection method and device | |
| CN107770129B (en) | Method and device for detecting user behavior | |
| CN110659482A (en) | Industrial network intrusion detection method based on GAPSO-TWSVM | |
| KR20200048002A (en) | Improvement Of Regression Performance Using Asymmetric tanh Activation Function | |
| Ramakotti et al. | An analysis and implementation of a deep learning model for image steganography |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |