CN115085956A - Intrusion detection method and device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN115085956A
Authority: CN (China)
Legal status: Granted
Application number: CN202110269297.1A
Other languages: Chinese (zh)
Other versions: CN115085956B
Inventor
邓太良
李彬
郝建忠
刘峥
郑建立
陈桂文
全俊斌
钟雪慧
林纲
Assignee (current and original): China Mobile Communications Group Co Ltd; China Mobile Group Guangdong Co Ltd
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection


Abstract

The invention provides an intrusion detection method, an intrusion detection device, electronic equipment and a storage medium, wherein the method comprises the following steps: based on a special security channel for intrusion detection, executing an access instruction to obtain real-time multidimensional basic data of the service system equipment; and determining that the access instruction is abnormal based on an intrusion detection model and the real-time multidimensional basic data. According to the invention, after the access instruction is executed through the security channel, real-time multidimensional basic data of the service system equipment is obtained, and the anomaly detection is carried out on the real-time multidimensional basic data through the intrusion detection model, so that the anomaly of the access instruction is confirmed, the intrusion detection is carried out more safely, the intrusion detection capability is improved, and meanwhile, the resources of the service system equipment are not occupied.

Description

Intrusion detection method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to an intrusion detection method and apparatus, an electronic device, and a storage medium.
Background
With the rapid development of network technology, people rely more and more on networks for information processing. Therefore, network security is also becoming more important, and security intrusion detection technology is one of the core technologies for ensuring network security.
The existing intrusion detection technologies mainly fall into two modes: network-based intrusion detection and system-device-based intrusion detection. In network-based intrusion detection the data source is the packets on the network; network communication packets are acquired in serial (inline) or bypass (mirror) mode and inspected to make the intrusion judgment and response. In system-device-based intrusion detection the data sources are system logs, application logs and the like; agent software is installed on the monitored system device, the device's log files and running information are collected through the agent, and the logs and records are analyzed to make the intrusion judgment and response.
However, both the network-based and the system-device-based technologies consume internal resources of the monitored system, such as bandwidth and processing capacity; at the same time, there is no effective management and control of the network monitoring and agent software, and system compatibility problems may introduce additional security problems.
Disclosure of Invention
The invention provides an intrusion detection method, an intrusion detection device, an electronic device and a storage medium, which address the prior-art defects concerning the security of the monitored system's internal resources and insufficient detection capability, so as to perform intrusion detection more safely, improve the intrusion detection capability, and at the same time not occupy the resources of the service system equipment.
In a first aspect, the present invention provides an intrusion detection method, including:
based on a special security channel for intrusion detection, executing an access instruction to obtain real-time multidimensional basic data of the service system equipment;
and determining that the access instruction is abnormal based on an intrusion detection model and the real-time multidimensional basic data.
Optionally, according to an intrusion detection method provided by the present invention, the intrusion detection model includes a user frequent behavior relationship model;
correspondingly, the determining the access instruction exception based on the intrusion detection model and the real-time multidimensional basic data comprises:
and determining that the access instruction is abnormal based on the current user behavior data in the real-time multi-dimensional basic data and the user frequent behavior relation model.
Optionally, according to an intrusion detection method provided by the present invention, the intrusion detection model includes a behavior mapping relationship model;
correspondingly, the determining the access instruction exception based on the intrusion detection model and the real-time multidimensional basic data comprises:
determining a device hardware information prediction threshold value based on the current user behavior data in the real-time multi-dimensional basic data and the behavior mapping relation model;
if the current equipment hardware information in the real-time multidimensional basic data is determined not to be within the equipment hardware information prediction threshold range, determining that the access instruction is abnormal;
and the current equipment hardware information is the equipment hardware information in the real-time multidimensional basic data obtained by executing the access instruction.
Optionally, according to an intrusion detection method provided by the present invention, the method further includes:
training historical user behavior information based on an Apriori association rule algorithm to obtain the user frequent behavior relation model.
Optionally, according to an intrusion detection method provided by the present invention, the method further includes:
and training the historical user behavior information and the equipment hardware information corresponding to each piece of historical user behavior information based on a Bayesian classification algorithm to obtain the behavior mapping relation model.
Optionally, according to an intrusion detection method provided by the present invention, the executing an access instruction based on a security channel dedicated for intrusion detection to obtain real-time multidimensional basic data of a service system device includes:
authenticating and authorizing the access instruction based on authentication information provided by the access instruction;
and if both authentication and authorization succeed, executing the access instruction to obtain real-time multidimensional basic data of the service system equipment.
Optionally, according to an intrusion detection method provided by the present invention, after authenticating and authorizing the access instruction based on the authentication information provided by the access instruction, the method further includes:
if both authentication and authorization succeed, performing post audit on the operation log of the access instruction.
In a second aspect, the present invention provides an intrusion detection device, comprising:
the acquisition module is used for executing an access instruction based on a special security channel for intrusion detection and acquiring real-time multidimensional basic data of the service system equipment;
and the determining module is used for determining that the access instruction is abnormal based on an intrusion detection model and the real-time multi-dimensional basic data.
In a third aspect, the present invention further provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and the processor implements the steps of the intrusion detection method provided in the first aspect when executing the program.
In a fourth aspect, the present invention also provides a non-transitory computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the intrusion detection method as provided in the first aspect.
According to the intrusion detection method, the intrusion detection device, the electronic equipment and the storage medium, after the access instruction is executed through the security channel, the real-time multidimensional basic data of the business system equipment is obtained, the anomaly detection is carried out on the real-time multidimensional basic data through the intrusion detection model, the anomaly of the access instruction is confirmed, the intrusion detection is carried out more safely, the intrusion detection capability is improved, and meanwhile, the resources of the business system equipment are not occupied.
Drawings
In order to more clearly illustrate the technical solutions of the present invention or the prior art, the drawings needed for the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
FIG. 1 is a flow chart of an intrusion detection method provided by the present invention;
FIG. 2 is a schematic diagram of a branch-reducing process of Apriori association rule algorithm provided by the present invention;
FIG. 3 is a second schematic flowchart of an intrusion detection method according to the present invention;
FIG. 4 is a schematic structural diagram of an intrusion detection device provided by the present invention;
FIG. 5 is a schematic structural diagram of an electronic device provided in the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Various network security technologies generated by a User Interface (UI) are continuously developed, such as static defense technologies like firewalls, encryption and the like, however, the security of the network is still difficult to guarantee by only relying on the technologies, and the security intrusion detection technology is one of core technologies for guaranteeing the network security, is an active defense technology, and can not only detect the intrusion of unauthorized objects, but also monitor the illegal use of system resources by authorized objects.
Fig. 1 is a schematic flowchart of an intrusion detection method provided in the present invention, and as shown in fig. 1, the method includes the following steps:
Step 110, based on the dedicated security channel for intrusion detection, executing an access instruction to obtain real-time multidimensional basic data of the service system equipment;
Optionally, the dedicated security channel for intrusion detection may be an installation-free security channel. The security channel uses an authentication password string which, after encryption processing, forms a character string that serves as the credential for authentication by the security management and control platform.
Optionally, the secure channel is used to connect to the monitored service system device, and after the authentication and authorization is successful, the access instruction is executed, so as to collect real-time multidimensional basic data of the service system device.
Optionally, the real-time multidimensional basic data includes system device dynamic operation information, static configuration information, user behavior information, device hardware data, and the like.
Specifically, the system device dynamic operation information includes processes, services, network connections, and file changes. Process refers to the resident process information of the system, service refers to the service information of the system, network connection refers to information such as the system's network IP address and accumulated traffic, and file change refers to file storage state information.
The static configuration information includes startup items, open ports, software, users, timed tasks, environment variables, firewall policies and the HOSTS file. Startup items refer to the detailed list of the system's startup items, open ports refer to the open state of the system's network ports, software refers to the system's software and service information, users refer to the user accounts able to log in to the system, timed tasks refer to the system's scheduled task information, environment variables refer to the system's environment variable information, firewall policies refer to the system's firewall policy information, and the HOSTS file refers to the system's HOSTS file information.
The user behavior information comprises login information, file access and user history commands. Login information refers to the time points at which a user logs in to the server, file access refers to the path information of the files the user accesses, and user history commands refer to the command line statements executed during the user's login session.
The device hardware data comprises CPU occupancy rate, hard disk read-write rate and traffic rate. CPU occupancy rate refers to the system's CPU occupancy state, hard disk read-write rate refers to the system's hard disk read and write speed, and traffic rate (flow rate) refers to the system's network traffic rate.
Step 120, determining that the access instruction is abnormal based on an intrusion detection model and the real-time multi-dimensional basic data.
Optionally, the intrusion detection model may include a user frequent behavior relationship model and a behavior mapping relationship model.
Optionally, before determining that the access instruction is abnormal based on an intrusion detection model and the real-time multidimensional basic data, the method further includes:
preprocessing the collected historical user behavior information and the hardware data corresponding to it, to generate the user behavior data relation chain and the historical record of hardware data during user execution.
Optionally, the user behavior data relation chain is used as input, and whether the user behavior is abnormal is determined according to the user frequent behavior relation model. If the user operation is determined to be abnormal, an alarm is raised to the user; if it is not abnormal, no alarm is raised.
Optionally, a hardware data threshold is predicted from the user behavior data relation chain and the behavior mapping relation model, and if the current device hardware information in the real-time multidimensional basic data is determined not to be within the predicted device hardware information threshold range, an alarm is raised to the user.
For example, if the CPU occupancy rate in the real-time multidimensional basic data is 50% and the predicted CPU occupancy range for the device hardware information is 0 to 40%, an alarm is raised to prompt the user that the CPU occupancy rate is too high.
Equivalently, if the CPU occupancy rate in the real-time multidimensional basic data is 50% and the predicted maximum threshold of the CPU occupancy rate in the device hardware information is 40%, an alarm is raised to prompt the user that the CPU occupancy rate is too high.
And if the hard disk read-write rate in the real-time multidimensional basic data is 300 MB/s and the predicted minimum threshold of the hard disk read-write rate in the device hardware information is 400 MB/s, an alarm is raised to prompt the user that the hard disk read-write rate is too low.
Optionally, the alarm is checked, and the checking result is fed back to the intrusion detection model training module to improve the intrusion detection model.
For example, if the CPU occupancy is too high, the CPU occupancy is checked, and the check result is fed back to the behavior mapping relationship model to perfect the behavior mapping relationship model.
According to the invention, after the access instruction is executed through the security channel, real-time multidimensional basic data of the service system equipment is obtained, and the anomaly detection is carried out on the real-time multidimensional basic data through the intrusion detection model, so that the anomaly of the access instruction is confirmed, the intrusion detection is carried out more safely, the intrusion detection capability is improved, and meanwhile, the resources of the service system equipment are not occupied.
Optionally, the intrusion detection model comprises a user frequent behavior relationship model.
Correspondingly, the determining the access instruction exception based on the intrusion detection model and the real-time multidimensional basic data comprises:
and determining that the access instruction is abnormal based on the current user behavior data in the real-time multi-dimensional basic data and the user frequent behavior relation model.
Optionally, because the business of the service server is stable and it is maintained by a single operation and maintenance vendor, the operations of the server's account users are relatively fixed and the users' behavior patterns change little. Given these characteristics, an Apriori association rule algorithm can be used to train on historical user behavior data and mine the interdependencies between a user's different operations, yielding an association rule model; the model predicts which operations a user will go on to execute after performing certain behaviors, and the legitimacy of the user's operations is judged accordingly.
Specifically, the relevance of the user historical commands in the multi-dimensional basic data in the data set is calculated through multiple scanning of the historical data set in the multi-dimensional basic data, and a frequent item set related before and after a certain command of all users is found, so that a user frequent behavior relation model is generated. For example, common operations of a user on service system equipment include querying service system data and adding service system data, the user does not have a deletion operation authority on the service system data, at this time, the user has a deletion instruction on the service system data, and at this time, it can be determined that the user behavior is abnormal.
The invention can effectively discover the illegal operation of the user through the user frequent behavior relation model, so that the intrusion detection capability is stronger.
Optionally, the intrusion detection model comprises a behavior mapping relationship model;
correspondingly, the determining the access instruction exception based on the intrusion detection model and the real-time multidimensional basic data comprises:
determining a device hardware information prediction threshold value based on the current user behavior data in the real-time multi-dimensional basic data and the behavior mapping relation model;
if the current equipment hardware information in the real-time multidimensional basic data is determined not to be within the equipment hardware information prediction threshold range, determining that the access instruction is abnormal;
and the current equipment hardware information is the equipment hardware information in the real-time multidimensional basic data obtained by executing the access instruction.
Optionally, because the business is stable, the changes to the server's software and hardware information caused by user operations on the server are also stable, and the data changes or periodic activity they represent follow certain rules. The association rule model predicts the behavior, a naive Bayesian algorithm classifies the user operation, and from this the change in the server's software and hardware information caused by the user operation is predicted. Classification training takes as input the historical user frequent behavior relation chains and the hardware data after the historical operations, and outputs a reference library of user access behaviors.
The hardware data after the historical operation refers to the changed data of the server in the time period after the user behavior based on the frequent behavior relation model is executed, such as the recorded data of memory occupation, CPU occupation and frequency, hard disk read-write change, network rate and occupation, and the like.
For example, when the service server accesses a certain service of the service system device, the predicted threshold value of the cpu occupancy rate of the service system device in the mapping relation reference library for the behavior is 0-40%, but the cpu occupancy rate in the service system device caused by the current access behavior of the service server reaches 50% at a certain moment, and the current access behavior at this moment may be determined to be abnormal.
According to the invention, through the behavior mapping relation model, abnormal data change can be effectively found, so that the intrusion detection capability is stronger.
Optionally, the method further comprises:
training historical user behavior information based on an Apriori association rule algorithm to obtain the user frequent behavior relation model.
Optionally, the main steps of training the historical user behavior information based on the Apriori association rule algorithm are as follows:
Step 11, scan all the feature data to generate the set C_1 of candidate 1-itemsets;
Step 12, according to the minimum degree of association, generate the set L_1 of frequent 1-itemsets from the set C_1 of candidate 1-itemsets;
Step 13, for k > 1, repeat steps 14, 15 and 16;
Step 14, perform the join and pruning (branch reduction) operations on L_k to generate the set C_(k+1) of candidate (k+1)-itemsets;
Step 15, according to the minimum degree of association, generate the set L_(k+1) of frequent (k+1)-itemsets from the set C_(k+1) of candidate (k+1)-itemsets;
Step 16, if L_(k+1) is not the empty set ∅, set k = k + 1 and jump back to step 14; otherwise end;
Step 17, generate the user frequent behavior relation chain from the frequent itemsets according to the minimum confidence, and end.
The join operation is specifically as follows. To find L_k (k > 1) of the user login features, L_(k-1) is joined with itself to produce the set C_k of candidate k-itemsets. Let l_1 and l_2 be itemsets in L_(k-1), and write l_i[j] for the j-th item of l_i. The Apriori algorithm assumes that the items in a transaction or itemset are sorted in lexicographic order. If the first k-2 items of the elements l_1 and l_2 of L_(k-1) are equal and the (k-1)-th item of l_1 is less than the (k-1)-th item of l_2, then l_1 and l_2 are joinable, and the join result is (l_1[1], l_1[2], l_1[3], l_1[4], ..., l_1[k-1], l_2[k-1]).
The pruning (branch reduction) operation is specifically as follows. By the Apriori property, any subset of a frequent k-itemset must itself be a frequent itemset, so the set C_k generated by the join must be verified to remove the infrequent k-itemsets that do not satisfy the minimum degree of association. FIG. 2 is a schematic diagram of the pruning process of the Apriori association rule algorithm provided by the present invention. In FIG. 2, ∅ represents an empty set without any feature, and 0, 1, 2 and 3 represent feature index values; the feature index set conditions between behaviors are calculated by statistical analysis, the key features of potential relation chain scenarios between behaviors are analyzed, and the infrequent chain features are removed.
The method can be used for training historical user behaviors through an Apriori association rule algorithm to obtain a user frequent behavior relation model, for example, a user frequently uses operations on service system equipment to inquire service system data and increase service system data, the user does not have a deletion operation authority on the service system data, the user has a deletion instruction on the service system data, the user behavior can be determined to be abnormal, and an alarm is given to the user. The invention can effectively discover the illegal operation of the user through the user frequent behavior relation model, so that the intrusion detection capability is stronger.
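The join, pruning and rule-generation steps above, as an added worked example that is not part of the patent: a small Apriori implementation in Python over constructed per-session command histories, which builds the user frequent behaviour relation model (frequent itemsets plus rules at a minimum confidence), predicts the operations expected to follow the ones already executed, and flags a command (here a delete) that never occurs in the user's frequent behaviour. Session contents, thresholds and function names are assumptions.

```python
from itertools import combinations

# Constructed sample data: each transaction is the set of commands one
# user ran during one login session on the service system device.
SESSIONS = [
    {"login", "query_data", "add_data", "logout"},
    {"login", "query_data", "add_data", "logout"},
    {"login", "query_data", "logout"},
    {"login", "query_data", "add_data", "logout"},
    {"login", "add_data", "logout"},
    {"login", "query_data", "add_data"},
]


def support_counts(candidates, transactions):
    """Count in how many transactions each candidate itemset occurs."""
    return {c: sum(1 for t in transactions if c <= t) for c in candidates}


def apriori_join(L_prev, k):
    """Join L_{k-1} with itself: two (k-1)-itemsets whose items, in
    lexicographic order, agree on the first k-2 items and differ in the
    last are joined into one candidate k-itemset (l1[1..k-1], l2[k-1])."""
    sorted_sets = sorted(tuple(sorted(s)) for s in L_prev)
    C = set()
    for l1, l2 in combinations(sorted_sets, 2):
        if l1[:k - 2] == l2[:k - 2] and l1[k - 2] < l2[k - 2]:
            C.add(frozenset(l1) | frozenset(l2))
    return C


def apriori_prune(C, L_prev, k):
    """Prune (branch reduction): by the Apriori property every (k-1)-subset
    of a frequent k-itemset must itself be frequent, so candidates with an
    infrequent subset are dropped before they are counted."""
    return {c for c in C
            if all(frozenset(s) in L_prev for s in combinations(c, k - 1))}


def frequent_itemsets(transactions, min_support):
    """Steps 11-16: iterate candidate generation until L_{k+1} is empty.
    Returns {itemset: occurrence count}."""
    transactions = [frozenset(t) for t in transactions]
    n = len(transactions)
    C = {frozenset([i]) for t in transactions for i in t}   # C_1
    frequent = {}
    k = 1
    while C:
        counts = support_counts(C, transactions)
        L = {c for c, cnt in counts.items() if cnt / n >= min_support}
        frequent.update({c: counts[c] for c in L})
        k += 1
        C = apriori_prune(apriori_join(L, k), L, k)
    return frequent


def association_rules(frequent, min_confidence):
    """Step 17: rules A -> (I - A) whose confidence count(I)/count(A)
    reaches the minimum confidence; counts keep the ratio exact."""
    rules = {}
    for itemset, cnt in frequent.items():
        if len(itemset) < 2:
            continue
        for r in range(1, len(itemset)):
            for ante in combinations(itemset, r):
                ante = frozenset(ante)
                conf = cnt / frequent[ante]
                if conf >= min_confidence:
                    rules[(ante, itemset - ante)] = conf
    return rules


def build_model(transactions, min_support=0.6, min_confidence=0.8):
    """The user frequent behaviour relation model: frequent itemsets + rules."""
    frequent = frequent_itemsets(transactions, min_support)
    return {"frequent": frequent,
            "rules": association_rules(frequent, min_confidence)}


def predict_next(model, executed):
    """Operations the model expects to follow the behaviours already executed."""
    executed = frozenset(executed)
    predicted = set()
    for ante, cons in model["rules"]:
        if ante <= executed:
            predicted |= cons
    return predicted - executed


def detect_abnormal(model, current_commands):
    """Commands in the current session that belong to no frequent itemset of
    this user's history (e.g. a delete by a query/add-only user) are abnormal."""
    known = {item for itemset in model["frequent"] for item in itemset}
    return set(current_commands) - known
```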
Optionally, the method further comprises:
and training the historical user behavior information and the equipment hardware information corresponding to each piece of historical user behavior information based on a Bayesian classification algorithm to obtain the behavior mapping relation model.
Optionally, based on a bayesian classification algorithm, the historical user behavior information and the device hardware information within a certain period corresponding to each piece of the historical user behavior information are trained. The method specifically comprises the following steps:
and step 21, in a data cleaning stage, inputting a historical frequent behavior relation chain and hardware data after historical operation to form a training sample set. The input of this stage is the historical training set in A, and the output is the training data sample.
And step 22, in the classifier training stage, calculating the occurrence frequency of each class behavior relationship chain in the training data sample and the conditional probability estimation of the corresponding hardware data change, and generating a model, namely an associated classifier according to the estimation probability. The input is training data samples and the output is an associated classifier.
And step 23, applying a stage, wherein the task of the stage is to classify the items to be classified by using the associated classifier, the input of the stage is the associated classifier and the items to be classified, and the output is the behavior mapping relation reference library.
And 24, forming a behavior mapping relation reference library according to the mapping relation of the item 3, and predicting a hardware data threshold value after a user frequent behavior relation chain.
And associating the historical user behavior information with the equipment hardware information in a certain period corresponding to each piece of historical user behavior information through a Bayesian classification algorithm, predicting to obtain a prediction threshold in a normal range, and when unified user behaviors are operated in real time, determining that the user behaviors are abnormal when the change of the equipment hardware information caused by the user behaviors in the certain period exceeds the prediction threshold. For example, when the service server accesses a certain service of the service system device, the predicted threshold value of the cpu occupancy rate of the service system device in the mapping relation reference library for the behavior is 0-40%, but the cpu occupancy rate in the service system device caused by the current access behavior of the service server reaches 50% at a certain moment, and the current access behavior at this moment may be determined to be abnormal. According to the invention, through the behavior mapping relation model, abnormal data change can be effectively found, so that the intrusion detection capability is stronger.
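The classifier training and application stages of steps 21 to 24, together with the threshold comparison of step 120 (CPU occupancy 50% against a predicted 0-40% range, hard disk read-write 300 MB/s against a predicted minimum of 400 MB/s), as an added worked example that is not part of the patent: a Bernoulli naive Bayes classifier in Python maps a behaviour chain to a behaviour class, the reference library records the hardware envelope observed for that class, and the check alarms when live hardware data falls outside it. The class names, training rows and function names are constructed assumptions.

```python
import math
from collections import Counter

# Constructed training history: (behaviour class, commands of the frequent
# behaviour chain, CPU occupancy % and hard disk read-write MB/s observed in
# the period after the chain ran). Class names are assumptions.
HISTORY = [
    ("read_only",   {"login", "query_data", "logout"},             15, 450),
    ("read_only",   {"login", "query_data"},                       25, 500),
    ("read_only",   {"login", "query_data", "logout"},             40, 400),
    ("batch_write", {"login", "add_data", "logout"},               60, 300),
    ("batch_write", {"login", "query_data", "add_data", "logout"}, 75, 250),
    ("batch_write", {"login", "add_data"},                         65, 280),
]


class BehaviourMappingModel:
    """Step 22: class priors and P(command present | class) estimated from
    the samples (Bernoulli naive Bayes with Laplace smoothing). Steps 23-24:
    the reference library stores, per class, the hardware envelope that the
    historical operations of that class produced."""

    def __init__(self, history):
        self.vocab = sorted({c for _, cmds, _, _ in history for c in cmds})
        self.classes = sorted({cls for cls, _, _, _ in history})
        per_class = Counter(cls for cls, _, _, _ in history)
        self.log_prior = {cls: math.log(per_class[cls] / len(history))
                          for cls in self.classes}
        self.log_present, self.log_absent, self.library = {}, {}, {}
        for cls in self.classes:
            rows = [(cmds, cpu, disk) for c, cmds, cpu, disk in history if c == cls]
            for cmd in self.vocab:
                present = sum(1 for cmds, _, _ in rows if cmd in cmds)
                p = (present + 1) / (len(rows) + 2)      # Laplace smoothing
                self.log_present[(cls, cmd)] = math.log(p)
                self.log_absent[(cls, cmd)] = math.log(1 - p)
            self.library[cls] = {"cpu_max": max(cpu for _, cpu, _ in rows),
                                 "disk_min": min(disk for _, _, disk in rows)}

    def classify(self, commands):
        """Most probable behaviour class for a behaviour chain (log-space)."""
        best, best_score = None, -math.inf
        for cls in self.classes:
            score = self.log_prior[cls]
            for cmd in self.vocab:
                key = (cls, cmd)
                score += self.log_present[key] if cmd in commands else self.log_absent[key]
            if score > best_score:
                best, best_score = cls, score
        return best

    def predict_thresholds(self, commands):
        """Predicted hardware threshold for the chain: the envelope of its class."""
        return self.library[self.classify(commands)]


def check_hardware(model, commands, cpu_pct, disk_mbs):
    """Step 120: compare live hardware data with the predicted threshold and
    return the alarms to raise (an empty list means the access is in range)."""
    th = model.predict_thresholds(commands)
    alarms = []
    if cpu_pct > th["cpu_max"]:
        alarms.append(f"CPU occupancy rate too high: {cpu_pct}% > {th['cpu_max']}%")
    if disk_mbs < th["disk_min"]:
        alarms.append(f"hard disk read-write rate too low: {disk_mbs} MB/s < {th['disk_min']} MB/s")
    return alarms
```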
Optionally, the executing, based on the security channel dedicated for intrusion detection, an access instruction to obtain real-time multidimensional basic data of the service system device includes:
authenticating and authorizing the access instruction based on authentication information provided by the access instruction;
and if both authentication and authorization succeed, executing the access instruction to obtain real-time multidimensional basic data of the service system equipment.
Optionally, when the user side submits an access instruction to the system device, the secure channel receives the authentication information provided by the access instruction and performs authentication and authorization using that information.
Optionally, if both authentication and authorization succeed, an instruction channel to the system device is opened and the access instruction is executed.
The authentication information may include a system device IP, an account, and an authentication password string.
Optionally, the authentication password string may include authentication information such as account number, password, source IP, access time, and script content.
For example, the access right of the service background management system is only owned by an administrator account, and at this time, a general user wants to access the service background management system, and authenticates the general user account in the provided authentication password string, so that a result that the authentication fails can be obtained, and the general user is prohibited from accessing the service background management system. The security of user access is improved by the authentication and authorization of the access instruction.
The access instruction can be executed after the access instruction is successfully authenticated and authenticated through the safety channel, real-time multidimensional basic data are collected, the fact that the collection behavior is authenticated and authenticated is guaranteed, and safety risks such as hidden channel leakage can be avoided.
Optionally, after authenticating and authorizing the access instruction based on the authentication information provided with it, the method further includes:
if both the authentication and the authorization succeed, performing post audit on the operation log of the access instruction.
Optionally, after both the authentication and the authorization succeed, the instruction channel may send the operation logs of all instructions to the centralized audit management module for post audit, so that every instruction is supervised and network security is effectively protected and verified.
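One way to realize the authentication, authorization, gated execution and post-audit flow described above, as an added example that is not the patent's or the applicant's code. The credential store, device policy, role names, the JSON layout of the authentication password string, and the data collector are all constructed assumptions.

```python
"""Secure-channel gate for access instructions (added example; not the patent's code).

The channel receives the authentication information carried by an access
instruction (device IP, account, and an authentication string holding account,
password, source IP, access time and script content), authenticates it,
authorizes the account against the target device, only then runs the script,
and in every case writes an operation log record for centralized post-audit.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass


def pw_hash(salt, password):
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed credential store: account -> salted hash, role and permitted source IPs
ACCOUNTS = {
    "admin": {"salt": "s1", "hash": pw_hash("s1", "Adm1n-pass"), "role": "administrator", "src": {"10.0.0.5"}},
    "alice": {"salt": "s2", "hash": pw_hash("s2", "alice-pass"), "role": "general", "src": {"10.0.0.7"}},
}
ROLE_RANK = {"general": 1, "administrator": 2}
# Constructed policy: device IP -> minimum role allowed to run instructions on it
DEVICE_POLICY = {"10.1.1.10": "administrator",   # service background management system
                 "10.1.1.20": "general"}          # ordinary service system device
ACCESS_HOURS = range(8, 20)                       # permitted access window (hour of day)
AUDIT_LOG = []                                    # stands in for the centralized audit module


@dataclass
class AccessInstruction:
    device_ip: str
    account: str
    auth_string: str   # JSON with account, password, source_ip, access_hour, script


def make_instruction(device_ip, account, password, source_ip, access_hour, script):
    auth = {"account": account, "password": password, "source_ip": source_ip,
            "access_hour": access_hour, "script": script}
    return AccessInstruction(device_ip, account, json.dumps(auth))


def authenticate(instr):
    """Check account, password, source IP and access time carried in the auth string."""
    try:
        auth = json.loads(instr.auth_string)
    except ValueError:
        return False
    rec = ACCOUNTS.get(instr.account)
    if rec is None or auth.get("account") != instr.account:
        return False
    given = pw_hash(rec["salt"], str(auth.get("password", "")))
    return (hmac.compare_digest(rec["hash"], given)
            and auth.get("source_ip") in rec["src"]
            and auth.get("access_hour") in ACCESS_HOURS)


def authorize(instr):
    """The account's role must reach the role the target device requires."""
    required = DEVICE_POLICY.get(instr.device_ip)
    if required is None:
        return False                                # unknown device: no channel is opened
    return ROLE_RANK[ACCOUNTS[instr.account]["role"]] >= ROLE_RANK[required]


def collect_basic_data(device_ip, script):
    """Constructed stand-in for running the script on the device and reading back metrics."""
    return {"device": device_ip, "script": script, "cpu_pct": 23, "mem_pct": 41, "connections": 120}


def run_over_secure_channel(instr, collector=collect_basic_data):
    """Authenticate, authorize, execute only if both pass, and always write the audit record."""
    authn = authenticate(instr)
    authz = authn and authorize(instr)
    result = collector(instr.device_ip, json.loads(instr.auth_string)["script"]) if authz else None
    AUDIT_LOG.append({"device": instr.device_ip, "account": instr.account,
                      "authenticated": authn, "authorized": authz, "executed": result is not None})
    return result
```

The audit record is written whether or not the instruction ran, so a denied general-user attempt on the management system leaves the same kind of trace as a successful administrator access.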
Optionally, fig. 3 is a second flowchart of the intrusion detection method provided by the present invention, and as shown in fig. 3, the method includes an installation-free secure channel data acquisition module, a reference library multidimensional training module, and a reference model intrusion detection application module. Fig. 3 shows the actions and connections within and between modules.
The invention obtains real-time multidimensional basic data of the service system device after executing an access instruction over the security channel, detects anomalies in that data with the intrusion detection model, and thereby confirms whether the access instruction is abnormal. First, because the analysis is performed on the server side, program compatibility problems are avoided and the resources of the monitored system device are not consumed, giving a lower resource occupancy rate. Second, the security channel authenticates and authorizes the access instruction and audits it afterwards, which avoids introducing security risks such as covert-channel data leakage and improves security. Finally, the frequent behavior relation model and the behavior mapping relation model (an analysis method based on hardware data changes) do not rely on matching historical intrusion detection records, so the limitation of the recognition range is removed and illegal operations or abnormal data changes can be discovered effectively, making the detection capability stronger.
The intrusion detection device provided by the present invention is described below; the intrusion detection device described below and the intrusion detection method described above may be referred to in correspondence with each other.
Fig. 4 is a schematic structural diagram of an intrusion detection device provided in the present invention. As shown in fig. 4, the intrusion detection device includes an obtaining module 410 and a determining module 420, wherein:
an obtaining module 410, configured to execute an access instruction based on a security channel dedicated to intrusion detection, and obtain real-time multidimensional basic data of a service system device;
a determining module 420, configured to determine that the access instruction is abnormal based on an intrusion detection model and the real-time multidimensional basic data.
Optionally, the intrusion detection apparatus executes the access instruction based on the security channel dedicated for intrusion detection through the obtaining module 410 to obtain real-time multidimensional basic data of the service system device, and determines that the access instruction is abnormal based on the intrusion detection model and the real-time multidimensional basic data through the determining module 420.
After the access instruction is executed through the safety channel, real-time multidimensional basic data of the business system equipment are obtained, anomaly detection is carried out on the real-time multidimensional basic data through the intrusion detection model, the anomaly of the access instruction is confirmed, the intrusion detection is carried out more safely, the detection capability is stronger, and meanwhile, resources of the business system equipment are not occupied.
Optionally, according to an intrusion detection method provided by the present invention, the intrusion detection model includes a user frequent behavior relationship model;
correspondingly, the determining the access instruction exception based on the intrusion detection model and the real-time multidimensional basic data comprises:
and determining that the access instruction is abnormal based on the current user behavior data in the real-time multi-dimensional basic data and the user frequent behavior relation model.
Optionally, according to an intrusion detection method provided by the present invention, the intrusion detection model includes a behavior mapping relationship model;
correspondingly, the determining the access instruction exception based on the intrusion detection model and the real-time multidimensional basic data comprises:
determining a device hardware information prediction threshold value based on the current user behavior data in the real-time multi-dimensional basic data and the behavior mapping relation model;
if the current equipment hardware information in the real-time multidimensional basic data is determined not to be within the equipment hardware information prediction threshold range, determining that the access instruction is abnormal;
and the current equipment hardware information is the equipment hardware information in the real-time multidimensional basic data obtained by executing the access instruction.
Optionally, according to an intrusion detection method provided by the present invention, the method further includes:
training historical user behavior information based on an Apriori association rule algorithm to obtain the user frequent behavior relation model.
Optionally, according to an intrusion detection method provided by the present invention, the method further includes:
and training the historical user behavior information and the equipment hardware information corresponding to each piece of historical user behavior information based on a Bayesian classification algorithm to obtain the behavior mapping relation model.
Optionally, according to an intrusion detection method provided by the present invention, executing an access instruction based on the security channel dedicated to intrusion detection to obtain real-time multidimensional basic data of the service system device includes:
authenticating and authorizing the access instruction based on authentication information provided by the access instruction; and
if both the authentication and the authorization are successful, executing the access instruction to obtain real-time multidimensional basic data of the service system device.
Optionally, according to an intrusion detection method provided by the present invention, after authenticating and authorizing the access instruction based on the authentication information provided by the access instruction, the method further includes:
if both the authentication and the authorization are successful, performing post audit on the operation log of the access instruction.
Fig. 5 is a schematic physical structure diagram of an electronic device provided by the present invention, which includes a memory 510, a processor 530 and a computer program stored in the memory and executable on the processor; when the processor executes the program, it implements the intrusion detection method described above, the method including:
based on a special security channel for intrusion detection, executing an access instruction to obtain real-time multidimensional basic data of the service system equipment;
and determining that the access instruction is abnormal based on an intrusion detection model and the real-time multidimensional basic data.
Furthermore, the logic instructions in the memory 510 may be implemented in software functional units and stored in a computer readable storage medium when sold or used as a stand-alone product. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
In yet another aspect, the present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program, which when executed by a processor is implemented to perform the intrusion detection method provided above, the method comprising:
based on a special security channel for intrusion detection, executing an access instruction to obtain real-time multidimensional basic data of the service system equipment;
and determining that the access instruction is abnormal based on an intrusion detection model and the real-time multidimensional basic data.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. An intrusion detection method, comprising:
based on a special security channel for intrusion detection, executing an access instruction to obtain real-time multidimensional basic data of the service system equipment;
and determining that the access instruction is abnormal based on an intrusion detection model and the real-time multidimensional basic data.
2. The intrusion detection method of claim 1, wherein the intrusion detection model comprises a user frequent behavior relationship model;
correspondingly, the determining the access instruction exception based on the intrusion detection model and the real-time multidimensional basic data comprises:
and determining that the access instruction is abnormal based on the current user behavior data in the real-time multi-dimensional basic data and the user frequent behavior relation model.
3. The intrusion detection method according to claim 1, wherein the intrusion detection model comprises a behavior mapping relationship model;
correspondingly, the determining the access instruction exception based on the intrusion detection model and the real-time multidimensional basic data comprises:
determining a device hardware information prediction threshold value based on the current user behavior data in the real-time multi-dimensional basic data and the behavior mapping relation model;
if the current equipment hardware information in the real-time multidimensional basic data is determined not to be within the equipment hardware information prediction threshold range, determining that the access instruction is abnormal;
and the current equipment hardware information is the equipment hardware information in the real-time multidimensional basic data obtained by executing the access instruction.
4. The intrusion detection method according to claim 2, wherein the method further comprises:
training historical user behavior information based on an Apriori association rule algorithm to obtain the user frequent behavior relation model.
5. The intrusion detection method according to claim 3, wherein the method further comprises:
and training the historical user behavior information and the equipment hardware information corresponding to each piece of historical user behavior information based on a Bayesian classification algorithm to obtain the behavior mapping relation model.
6. The intrusion detection method according to claim 1, wherein the executing the access instruction based on the security channel dedicated to intrusion detection to obtain the real-time multidimensional basic data of the service system device comprises:
authenticating and authorizing the access instruction based on authentication information provided by the access instruction; and
if both the authentication and the authorization are successful, executing the access instruction to obtain real-time multidimensional basic data of the service system device.
7. The intrusion detection method according to claim 6, wherein after authenticating and authorizing the access instruction based on the authentication information provided by the access instruction, the method further comprises:
if both the authentication and the authorization are successful, performing post audit on the operation log of the access instruction.
8. An intrusion detection device, comprising:
the acquisition module is used for executing an access instruction based on a special security channel for intrusion detection and acquiring real-time multidimensional basic data of the service system equipment;
and the determining module is used for determining that the access instruction is abnormal based on an intrusion detection model and the real-time multi-dimensional basic data.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the intrusion detection method according to any one of claims 1 to 7 when executing the program.
10. A non-transitory computer readable storage medium, having stored thereon a computer program, wherein the computer program, when executed by a processor, implements the steps of the intrusion detection method according to any one of claims 1 to 7.
CN202110269297.1A 2021-03-12 2021-03-12 Intrusion detection method, intrusion detection device, electronic equipment and storage medium Active CN115085956B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110269297.1A CN115085956B (en) 2021-03-12 2021-03-12 Intrusion detection method, intrusion detection device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110269297.1A CN115085956B (en) 2021-03-12 2021-03-12 Intrusion detection method, intrusion detection device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN115085956A true CN115085956A (en) 2022-09-20
CN115085956B CN115085956B (en) 2023-11-24

Family

ID=83240431

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110269297.1A Active CN115085956B (en) 2021-03-12 2021-03-12 Intrusion detection method, intrusion detection device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115085956B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117749530A (en) * 2024-02-19 2024-03-22 瑞达可信安全技术(广州)有限公司 Network information security analysis method and system based on big data

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104484474A (en) * 2014-12-31 2015-04-01 南京盾垒网络科技有限公司 Database security auditing method
US9026840B1 (en) * 2014-09-09 2015-05-05 Belkin International, Inc. Coordinated and device-distributed detection of abnormal network device operation
CN107426196A (en) * 2017-06-30 2017-12-01 全球能源互联网研究院 Method and system for identifying web intrusions
CN110213215A (en) * 2018-08-07 2019-09-06 腾讯科技(深圳)有限公司 Resource access method, device, terminal and storage medium
CN110691064A (en) * 2018-09-27 2020-01-14 国家电网有限公司 Safety access protection and detection system for field operation terminal
CN112199677A (en) * 2020-11-03 2021-01-08 安徽中安睿御科技有限公司 Data processing method and device

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
刘渊, 赵强, 姜建国, 黄钧, 崔蔚: "Research on an adaptable comprehensive security model for host systems", Application Research of Computers, no. 11, pages 1-3 *
姜永宏: "Research and application of intrusion detection system technology", Computer & Network, no. 08, pages 1-5 *

Also Published As

Publication number Publication date
CN115085956B (en) 2023-11-24

Similar Documents

Publication Publication Date Title
US11044264B2 (en) Graph-based detection of lateral movement
CN110958220B (en) Network space security threat detection method and system based on heterogeneous graph embedding
US10686829B2 (en) Identifying changes in use of user credentials
US10491630B2 (en) System and method for providing data-driven user authentication misuse detection
US11003773B1 (en) System and method for automatically generating malware detection rule recommendations
Hofmeyr et al. Intrusion detection using sequences of system calls
EP2040435B1 (en) Intrusion detection method and system
US8776241B2 (en) Automatic analysis of security related incidents in computer networks
US8375452B2 (en) Methods for user profiling for detecting insider threats based on internet search patterns and forensics of search keywords
US11403389B2 (en) System and method of detecting unauthorized access to computing resources for cryptomining
Stolfo et al. A comparative evaluation of two algorithms for windows registry anomaly detection
Ramprakash et al. Host-based intrusion detection system using sequence of system calls
US20110314549A1 (en) Method and apparatus for periodic context-aware authentication
US20180146002A1 (en) Cyber Security System and Method Using Intelligent Agents
CN109684833B (en) System and method for adapting program dangerous behavior patterns to user computer system
RU2610395C1 (en) Method of computer security distributed events investigation
CN115085956B (en) Intrusion detection method, intrusion detection device, electronic equipment and storage medium
KR102311997B1 (en) Apparatus and method for endpoint detection and response terminal based on artificial intelligence behavior analysis
US12010133B2 (en) Security threat monitoring for network-accessible devices
CN116418591A (en) Intelligent computer network safety intrusion detection system
Alserhani et al. Event-based alert correlation system to detect SQLI activities
Ren et al. A hybrid intelligent system for insider threat detection using iterative attention
CN117376030B (en) Flow anomaly detection method, device, computer equipment and readable storage medium
Elavarasi et al. Intrusion Detection and Prevention Approach in Wlan Using Cyber Security
Iudica A monitoring system for embedded devices widely distributed

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant