CN115086000B - Network intrusion detection method and system - Google Patents


Info

Publication number
CN115086000B
Authority
CN
China
Prior art keywords
intrusion
network
target
data
entity
Prior art date
Legal status
Active
Application number
CN202210654293.XA
Other languages
Chinese (zh)
Other versions
CN115086000A (en)
Inventor
高松涛
Current Assignee
Fujian Provincial Network And Information Security Evaluation Center
Original Assignee
Fujian Provincial Network And Information Security Evaluation Center
Priority date
Filing date
Publication date
Application filed by Fujian Provincial Network And Information Security Evaluation Center
Priority to CN202210654293.XA
Publication of CN115086000A
Application granted
Publication of CN115086000B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/147 Network analysis or design for predicting network behaviour

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of this application disclose a network intrusion detection method and system. Target network intrusion data to be tracked is obtained from the network monitoring data log of a network security protection process; network intrusion entity data is tracked from the target network intrusion data, and network intrusion trajectory data is tracked from the entity data; the target intrusion purpose distribution corresponding to the target network intrusion data is determined from the trajectory data; and, according to the target intrusion purpose distribution corresponding to each target network intrusion data, a network intrusion detection result reminder is issued to the network security protection process. Automating trajectory tracking and intrusion purpose analysis over the network monitoring data log in this way improves the accuracy of intrusion target analysis and provides a more reliable basis for subsequent network security protection decisions.

Description

Network intrusion detection method and system
Technical Field
The present application relates to the field of network security technologies, and in particular, to a network intrusion detection method and system.
Background
In network intrusion detection, determining the purpose of an intrusion is a key step and is the basis for deciding subsequent upgrades to network security protection. In the related art, however, the intrusion purpose is usually analysed manually after the intrusion alarm: analysis efficiency is low, the reliability of intrusion purpose prediction is insufficient, and it is difficult to obtain a reliable basis for subsequent network security protection decisions.
Disclosure of Invention
The application provides a network intrusion detection method and a system.
In a first aspect, an embodiment of the present application provides a network intrusion detection method, which is applied to a network intrusion detection system, and includes:
acquiring target network intrusion data to be tracked from a network monitoring data log of a network security protection process;
tracking network intrusion entity data from the target network intrusion data, and tracking network intrusion track data from the network intrusion entity data;
carrying out intrusion target prediction according to intrusion penetration data expressed in the network intrusion track data to generate first intrusion target prediction information, wherein the intrusion penetration data represents penetration routing information and operation live invasion information of intrusion penetration objects in the network intrusion track data;
extracting a plurality of network intrusion entity data from the target network intrusion data to generate a network intrusion thinking network;
predicting an intrusion target according to state communication characteristics of network intrusion entities expressed in the network intrusion thinking network, and generating second intrusion target prediction information, wherein the state communication characteristics of the network intrusion entities represent state transition characteristics between the network intrusion entities in the network intrusion thinking network and state linkage characteristics between the network intrusion entities;
generating target intrusion target distribution corresponding to the target network intrusion data according to the first intrusion target prediction information and the second intrusion target prediction information;
and according to the target intrusion target distribution corresponding to each target network intrusion data, performing network intrusion detection result reminding on the network security server corresponding to the network security protection process.
For example, the method is performed by an AI model including an intrusion destination prediction network and a target intrusion destination prediction network, the method further comprising:
acquiring a first template network monitoring data group and a second template network monitoring data group, wherein the first template network monitoring data group comprises a plurality of first template network monitoring data, the first template network monitoring data are network intrusion track data traced from network intrusion entity data of target network intrusion data, the second template network monitoring data group comprises a plurality of second template network monitoring data, and the second template network monitoring data are network intrusion thinking networks acquired from the target network intrusion data;
performing parameter layer optimization and selection on the intrusion target prediction network according to the first template network monitoring data group, wherein the intrusion target prediction network is used for performing intrusion target prediction according to intrusion penetration data expressed in the network intrusion track data to generate first intrusion target prediction information, and the intrusion penetration data represents penetration routing information and operation live invasion information of intrusion penetration objects in the network intrusion track data;
performing parameter layer tuning and selection on the target intrusion target prediction network according to the second template network monitoring data group, wherein the target intrusion target prediction network is used for performing intrusion target prediction according to state communication characteristics of network intrusion entities expressed in the network intrusion thinking network to generate second intrusion target prediction information, and the state communication characteristics of the network intrusion entities represent state transition characteristics between the network intrusion entities in the network intrusion thinking network and state linkage characteristics between the network intrusion entities;
Compared with the prior art, target network intrusion data to be tracked is obtained from the network monitoring data log of the network security protection process, network intrusion entity data is tracked from the target network intrusion data, network intrusion trajectory data is tracked from the entity data, the target intrusion purpose distribution corresponding to the target network intrusion data is determined from the trajectory data, and a network intrusion detection result reminder is issued to the network security protection process according to the target intrusion purpose distribution corresponding to each target network intrusion data. Automating trajectory tracking and intrusion purpose analysis over the network monitoring data log improves the accuracy of intrusion target analysis and provides a more reliable basis for subsequent network security protection decisions.
Drawings
Fig. 1 is a schematic flowchart illustrating steps of a network intrusion detection method according to an embodiment of the present application;
fig. 2 is a schematic block diagram of an architecture of a network intrusion detection system for performing the network intrusion detection method in fig. 1 according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described clearly and completely below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some, but not all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art without making any creative effort based on the embodiments in the present application belong to the protection scope of the present application.
STEP110, obtaining target network intrusion data to be tracked from a network monitoring data log of a network security protection process.
The target network intrusion data refers to various network event monitoring data of a network security protection process which is specifically output through network event monitoring, the target network intrusion data to be tracked is target network intrusion data of which the corresponding target intrusion destination distribution is not determined temporarily, and the determination of the target intrusion destination distribution corresponding to the target network intrusion data will be exemplarily described in the subsequent description.
STEP120, tracking network intrusion entity data from the target network intrusion data, and tracking network intrusion track data from the network intrusion entity data.
For some exemplary embodiments, first, network intrusion entity tracking is performed on target network intrusion data, and network intrusion entity data distribution of the target network intrusion data is generated, where the network intrusion entity data distribution includes each network intrusion entity data of the target network intrusion data. For some exemplary embodiments, network intrusion entity data is obtained from the network intrusion entity data distribution, and corresponding intrusion purpose prediction is performed.
For some exemplary embodiments, after obtaining the network intrusion entity data from the network intrusion entity data distribution, analyzing whether the network intrusion entity data has an intrusion penetration object, if so, using the network intrusion entity data to predict the intrusion purpose of the corresponding intrusion penetration object, and if not, obtaining the network intrusion entity data from the network intrusion entity data distribution again.
For some exemplary embodiments, after obtaining the network intrusion entity data distribution, the target network intrusion entity data distribution may be generated by removing the network intrusion entity data with the intrusion penetration object from the network intrusion entity data distribution. And then, network intrusion entity data are obtained from the data distribution of the target network intrusion entity, and the intrusion purpose prediction according to the intrusion penetration object is carried out.
For some exemplary embodiments, the obtaining scheme of the network intrusion entity data is not limited in detail. For example, the network intrusion entity data can be randomly obtained from the network intrusion entity data distribution, and the intrusion purpose prediction of the corresponding intrusion penetration object is performed. For another example, the network intrusion entity data for setting the security protection upgrade plan may also be obtained from the network intrusion entity data distribution, and the intrusion purpose prediction of the corresponding intrusion penetration object is performed.
For some example embodiments, the amount of network intrusion entity data obtained from the network intrusion entity data distribution is also not necessarily limited. And respectively predicting the intrusion purpose of the corresponding intrusion penetration object for each acquired network intrusion entity data.
For some exemplary embodiments, the network intrusion trace data may be generated by analyzing network intrusion trace nodes in the network intrusion entity data according to a neural network model. For example, the neural network model may be a CNN model.
STEP130, performing intrusion purpose prediction according to intrusion penetration data expressed in the network intrusion track data, and generating first intrusion purpose prediction information, wherein the intrusion penetration data represents penetration routing information and operation live invasion information of intrusion penetration objects in the network intrusion track data.
For some exemplary embodiments, in the process of predicting the intrusion target of the intrusion penetration object, the intrusion target is predicted according to intrusion penetration data expressed in the network intrusion track data, and first intrusion target prediction information is generated. The first intrusion target prediction information represents target intrusion target distribution corresponding to the target network intrusion data, or whether network intrusion entity data tracked from the target network intrusion data is cooperative network intrusion entity data of the intrusion penetration object.
For some exemplary embodiments, the network intrusion trajectory data is subjected to intrusion destination prediction according to an intrusion destination prediction network, and first intrusion destination prediction information is generated. The intrusion purpose prediction network may be obtained according to deep learning training, and for a specific example of the intrusion purpose prediction network, reference may be made to the following embodiments.
STEP140, extracting a plurality of network intrusion entity data from the target network intrusion data, and generating a network intrusion thinking network.
For some exemplary embodiments, a plurality of network intrusion entity data in the network intrusion entity data distribution are obtained, and the plurality of network intrusion entity data are aggregated to generate a network intrusion thinking network. For some exemplary embodiments, a plurality of network intrusion entity data in the network intrusion entity data distribution may be randomly tracked and aggregated to generate the network intrusion thinking network. In another exemplary embodiment, a plurality of consecutive network intrusion entity data in the network intrusion entity data distribution are obtained and aggregated to generate the network intrusion thinking network. The way in which the plurality of network intrusion entity data are extracted from the target network intrusion data is not limited. The network intrusion thinking network is used for predicting the intrusion purpose of the intrusion penetration object.
In this embodiment, the sequence of each network intrusion entity data expressed in the network intrusion thinking network may be consistent with the sequence of the network intrusion entity data in the target network intrusion data, so as to express the time domain variation of the intrusion penetration object in the target network intrusion data.
STEP150, predicting the intrusion purpose according to the state communication characteristics of the network intrusion entities expressed in the network intrusion thinking network, and generating second intrusion purpose prediction information, wherein the state communication characteristics of the network intrusion entities represent the state transition characteristics between the network intrusion entities in the network intrusion thinking network and the state linkage characteristics between the network intrusion entities.
The state transition characteristics among network intrusion entities in the network intrusion thinking network represent the relationship change of intrusion penetration objects in target network intrusion data at different stages. The state linkage characteristics among network intrusion entities in the network intrusion thinking network reflect the relationship updating change of intrusion penetration objects in the target network intrusion data and the relationship updating change of the target network intrusion data. And predicting the intrusion purpose according to the state communication characteristics of the network intrusion entity expressed in the network intrusion thinking network to generate second intrusion purpose prediction information. And the second intrusion destination prediction information represents the target intrusion destination distribution corresponding to the target network intrusion data.
For some exemplary embodiments, the network intrusion thinking network is subjected to intrusion purpose prediction according to the target intrusion purpose prediction network, and second intrusion purpose prediction information is generated. The target intrusion target prediction network may be obtained according to deep learning, and the following embodiments refer to specific descriptions about the target intrusion target prediction network.
For some exemplary embodiments, a plurality of network intrusion entity data are obtained from the network intrusion entity data distribution, and an initial network intrusion thinking network is generated. For each network intrusion entity data in the initial network intrusion thinking network, the state communication characteristics of the network intrusion entity are optimized in real time and propagated to the latest entity state communication characteristics, producing network intrusion entity data whose state communication characteristics have been optimized in real time. An intrusion thinking network is then constructed from the flow direction of the state communication characteristics of these optimized network intrusion entity data, producing network intrusion entity data distributed according to that flow direction, and the network intrusion thinking network is obtained from this distributed entity data. The resulting network intrusion thinking network serves as the input data of the target intrusion purpose prediction network.
STEP160, generating target intrusion destination distribution corresponding to the target network intrusion data according to the first intrusion destination prediction information and the second intrusion destination prediction information.
STEP170, performing network intrusion detection result reminding on the network security server corresponding to the network security protection process according to the target intrusion purpose distribution corresponding to each target network intrusion data.
With the technical scheme above, target network intrusion data to be tracked is obtained from the network monitoring data log of the network security protection process, network intrusion entity data is tracked from the target network intrusion data, network intrusion trajectory data is tracked from the entity data, the target intrusion purpose distribution corresponding to the target network intrusion data is determined from the trajectory data, and a network intrusion detection result reminder is issued to the network security server corresponding to the network security protection process according to the target intrusion purpose distribution corresponding to each target network intrusion data. Automating trajectory tracking and intrusion purpose analysis over the network monitoring data log improves the accuracy of intrusion target analysis and provides a more reliable basis for subsequent network security protection decisions.
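As an added illustration of the STEP110 to STEP170 data flow (this is not code from the patent or its assignee), the following Python sketch runs the pipeline over a constructed monitoring log. The log line format, the host names, the purpose label set and the two rule-based scorers that stand in for the patent's trajectory prediction network and thinking-network prediction network are all assumptions; what it shows is the structure: log events are grouped into entities, each entity's time-ordered events form its trajectory, successful logins between hosts form the transition edges and shared targets the linkage of the "thinking network", and the two per-entity purpose distributions are fused into the target distribution that drives the reminder.

```python
# Added illustration of the STEP110-STEP170 data flow; not the patent's code.
from collections import Counter, defaultdict
from datetime import datetime

# Constructed monitoring log; assumed line format:
# "<ISO timestamp> src=<host> dst=<host> action=<verb> result=<ok|fail>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 src=h1 dst=h2 action=scan result=ok
2024-05-01T10:00:05 src=h1 dst=h3 action=scan result=ok
2024-05-01T10:00:10 src=h1 dst=h4 action=scan result=ok
2024-05-01T10:00:20 src=h1 dst=h2 action=login result=fail
2024-05-01T10:00:25 src=h1 dst=h2 action=login result=ok
2024-05-01T10:01:00 src=h2 dst=h4 action=login result=ok
2024-05-01T10:01:30 src=h2 dst=h4 action=transfer result=ok
2024-05-01T10:02:00 src=h5 dst=h6 action=query result=ok
"""

# Assumed label set; "none" means no intrusion purpose is evident.
PURPOSES = ("none", "reconnaissance", "lateral_movement", "exfiltration")

def parse_log(text):
    """STEP110 stand-in: parse log lines into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def track_entities(events):
    """STEP120, entity tracking: each source host is one network intrusion
    entity and its events are the entity data."""
    entities = defaultdict(list)
    for ev in events:
        entities[ev["src"]].append(ev)
    return dict(entities)

def trajectory(entity_events):
    """STEP120, trajectory tracking: time-ordered (dst, action, result) hops,
    i.e. the penetration route plus the operation outcome of each hop."""
    return [(e["dst"], e["action"], e["result"]) for e in entity_events]

def thinking_network(entities):
    """STEP140 stand-in: entities in order of first appearance, transition
    edges (successful login from a tracked entity to a host) and linkage
    (hosts touched by more than one entity)."""
    order = sorted(entities, key=lambda h: entities[h][0]["ts"])
    transitions = {(e["src"], e["dst"]) for h in order for e in entities[h]
                   if e["action"] == "login" and e["result"] == "ok"}
    touched = defaultdict(set)
    for h in order:
        for e in entities[h]:
            touched[e["dst"]].add(h)
    linkage = {t: hs for t, hs in touched.items() if len(hs) > 1}
    return {"order": order, "transitions": transitions, "linkage": linkage}

def _normalise(raw):
    total = sum(raw.values())
    return {p: raw[p] / total for p in PURPOSES}

def score_from_trajectory(traj):
    """Assumed rule-based stand-in for the trajectory prediction network
    (STEP130): action counts become a purpose distribution."""
    c = Counter(action for _, action, _ in traj)
    return _normalise({"none": 1.0, "reconnaissance": c["scan"],
                       "lateral_movement": c["login"],
                       "exfiltration": 2 * c["transfer"]})

def score_from_network(entity, net):
    """Assumed stand-in for the thinking-network prediction network (STEP150):
    pivot in-edges, out-edges and shared targets shift the distribution."""
    out_edges = sum(1 for s, _ in net["transitions"] if s == entity)
    in_edges = sum(1 for _, d in net["transitions"] if d == entity)
    shared = sum(1 for hs in net["linkage"].values() if entity in hs)
    return _normalise({"none": 1.0, "reconnaissance": shared,
                       "lateral_movement": out_edges,
                       "exfiltration": 2 * in_edges})

def fuse(first, second):
    """STEP160: equal-weight average of the two predictions (an assumption)."""
    return {p: (first[p] + second[p]) / 2 for p in PURPOSES}

def detect(log_text, threshold=0.4):
    """STEP110-STEP170: {entity: (purpose, probability)} for every entity whose
    dominant purpose is not 'none' and reaches the reminder threshold."""
    entities = track_entities(parse_log(log_text))
    net = thinking_network(entities)
    alerts = {}
    for host, evs in entities.items():
        dist = fuse(score_from_trajectory(trajectory(evs)),
                    score_from_network(host, net))
        top = max(dist, key=dist.get)
        if top != "none" and dist[top] >= threshold:
            alerts[host] = (top, round(dist[top], 3))
    return alerts
```

Calling `detect(SAMPLE_LOG)` flags h1 as reconnaissance and h2 (reached from h1 by a successful login, then transferring data onward) as exfiltration, while h5, which only issues an ordinary query, is not reported. The two scorers are deliberately simple rules so the fusion and thresholding are visible; in the patent they are trained networks, and in practice the trajectory and graph features would be fed to such models rather than hand-weighted.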
For some exemplary embodiments, a method flow for predicting an intrusion purpose according to network intrusion trace data will be described.
STEP210, tracking network intrusion entity data from the target network intrusion data, and tracking network intrusion track data from the network intrusion entity data.
For this step, refer to the description of STEP120 above.
STEP220, tracking first intrusion penetration data from the network intrusion track data, wherein the first intrusion penetration data represents the penetration path field vector distribution of the intrusion penetration object.
For some example embodiments, the intrusion destination prediction network comprises a first intrusion destination prediction network. For some example embodiments, first intrusion penetration data is tracked from network intrusion trajectory data according to a first intrusion purpose prediction network, and intrusion purpose prediction is performed according to the first intrusion penetration data.
STEP230, performing intrusion destination prediction according to the first intrusion penetration data, and generating first intermediate intrusion destination prediction information.
The first intermediate intrusion destination prediction information is used for indicating target intrusion destination distribution corresponding to the target network intrusion data, or whether the network intrusion entity data traced from the target network intrusion data is cooperative network intrusion entity data of the intrusion penetration object.
For some example embodiments, the first intrusion purpose prediction network comprises a first encoding structure, a first feature denoising structure, and a first intrusion purpose prediction structure, wherein the first encoding structure is configured to encode network intrusion trajectory data to generate a first intrusion penetration coding feature distribution; the first feature denoising structure is configured to perform feature denoising on the first intrusion penetration coding feature distribution to generate first intrusion penetration data; the first intrusion target prediction structure is used for carrying out intrusion target prediction according to the first intrusion penetration data and generating first intermediate intrusion target prediction information.
For example, the first coding structure codes network intrusion track data according to the CNN to generate first intrusion penetration coding feature distribution; the first feature denoising structure is used for performing feature denoising on the first intrusion penetration coding feature distribution to generate first intrusion penetration data.
STEP240, tracking second intrusion penetration data from the network intrusion track data, wherein the second intrusion penetration data represents the operation condition invasion information of the intrusion penetration object.
For some exemplary embodiments, the intrusion destination prediction network further includes a second intrusion destination prediction network. For some exemplary embodiments, second intrusion penetration data is tracked from the network intrusion trajectory data according to a second intrusion purpose prediction network, and intrusion purpose prediction is performed according to the second intrusion penetration data.
STEP250, according to the second invasion penetration data, carrying out invasion purpose prediction to generate second intermediate invasion purpose prediction information.
And the second intermediate intrusion destination prediction information is used for indicating the target intrusion destination distribution corresponding to the target network intrusion data, or whether the network intrusion entity data tracked from the target network intrusion data is the cooperative network intrusion entity data of the intrusion penetration object.
For some example embodiments, the second intrusion-purpose prediction network includes a second coding structure, a second feature denoising structure, and a second intrusion-purpose prediction structure, where the second coding structure is configured to encode network intrusion trajectory data to generate a second intrusion penetration coding feature distribution; the second characteristic denoising structure is configured to perform characteristic denoising on the second intrusion penetration coding characteristic distribution to generate second intrusion penetration data; and the second intrusion target prediction structure is used for predicting the intrusion target according to the second intrusion penetration data and generating second intermediate intrusion target prediction information.
For example, the second coding structure encodes the network intrusion track data with a CNN to generate the second intrusion penetration coding feature distribution; the second feature denoising structure denoises that distribution to generate the second intrusion penetration data; and the second intrusion target prediction structure outputs, from the second intrusion penetration data, a prediction confidence of whether an intrusion target exists, generating the second intermediate intrusion target prediction information.
The architecture of the first intrusion destination prediction network and the architecture of the second intrusion destination prediction network may be the same or different. For example, the number of coding structures contained in the first intrusion destination prediction network and the second intrusion destination prediction network and the specific parameter layers of the coding structures can be different. In the parameter layer tuning and selecting process, performing parameter layer tuning and selecting on a first invasion target prediction network according to first template network monitoring data to obtain a first invasion target prediction network for carrying out invasion target prediction according to the penetration path field vector distribution of an invasion penetration object; correspondingly, parameter layer optimization and selection are carried out on the second intrusion target prediction network according to the first template network monitoring data, and the second intrusion target prediction network for carrying out intrusion target prediction according to the operation condition invasion information of the intrusion penetration object can be obtained.
STEP260, generating first intrusion destination prediction information according to the first intermediate intrusion destination prediction information and the second intermediate intrusion destination prediction information.
For some exemplary embodiments, in response to the first intermediate intrusion destination prediction information and the second intermediate intrusion destination prediction information representing that the target network intrusion data has the cooperative intrusion destination data, generating first intrusion destination prediction information representing that the target network intrusion data has the cooperative intrusion destination data; and responding to any one of the first intermediate intrusion target prediction information and the second intermediate intrusion target prediction information to represent that the target network intrusion data does not have the cooperative intrusion target data, and generating first intrusion target prediction information representing that the target network intrusion data does not have the cooperative intrusion target data. Therefore, if any one of the intermediate intrusion destination prediction information is judged to have no cooperative intrusion destination data, the first intrusion destination prediction information without the cooperative intrusion destination data can be generated, and the reliability of intrusion destination prediction is improved.
In addition, for some exemplary embodiments, in response to any one of the first intermediate intrusion destination prediction information and the second intermediate intrusion destination prediction information indicating that the target network intrusion data has the cooperative intrusion destination data, generating first intrusion destination prediction information indicating that the target network intrusion data has the cooperative intrusion destination data; and responding to the first intermediate intrusion target prediction information and the second intermediate intrusion target prediction information to represent that the target network intrusion data does not have the cooperative intrusion target data, and generating first intrusion target prediction information representing that the target network intrusion data does not have the cooperative intrusion target data. According to the method, when the two pieces of intermediate intrusion target prediction information are judged to have no cooperative intrusion target data, the first intrusion target prediction information without the cooperative intrusion target data is generated, so that the reliability of intrusion target prediction is improved.
In addition, when the first intermediate intrusion target prediction information represents that the target network intrusion data is the cooperative defect state information of the intrusion permeable object, and the second intermediate intrusion target prediction information represents that the target network intrusion data does not have the cooperative intrusion target data, the target intrusion target distribution corresponding to the target network intrusion data can be analyzed according to production optimization; or when the first intermediate intrusion target prediction information represents that the target network intrusion data does not have the cooperative intrusion target data and the second intermediate intrusion target prediction information represents that the target network intrusion data is the cooperative defect state information of the intrusion penetration object, analyzing the target intrusion target distribution corresponding to the target network intrusion data according to production optimization.
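The conjunctive and disjunctive fusion rules described above, as an added example that is not code from the patent. It assumes each branch emits a boolean verdict on whether cooperative intrusion target data is present; the fusion rules, the disagreement flag and the sample verdicts with their ground truth are constructed for illustration, and the counts show why each rule shifts the error profile in the direction stated.

```python
"""Decision fusion of two intrusion target prediction branches (STEP260).

Added example, not the patent's code. Each branch verdict is a bool meaning
"cooperative intrusion target data present"; the rules, the review flag and
the SAMPLES table are assumptions made for illustration.
"""
from collections import Counter
from typing import Dict, List, Literal, Tuple

Rule = Literal["conjunctive", "disjunctive"]


def fuse_verdicts(first: bool, second: bool, rule: Rule) -> bool:
    """Combine two intermediate verdicts into the first intrusion target prediction.

    conjunctive: both branches must agree that cooperative intrusion target
    data is present (a single negative vetoes), favouring fewer false positives.
    disjunctive: either branch suffices (both must be negative to clear),
    favouring fewer false negatives.
    """
    if rule == "conjunctive":
        return first and second
    if rule == "disjunctive":
        return first or second
    raise ValueError(f"unknown fusion rule: {rule}")


def needs_review(first: bool, second: bool) -> bool:
    """Branch disagreement is the case the text routes to further analysis
    (the production optimization path); flag it explicitly so it is not lost."""
    return first != second


def evaluate(samples: List[Tuple[bool, bool, bool]], rule: Rule) -> Dict[str, int]:
    """Count tp/fp/fn/tn of a fusion rule over (first, second, truth) triples."""
    label = {(True, True): "tp", (True, False): "fp",
             (False, True): "fn", (False, False): "tn"}
    counts: Counter = Counter()
    for first, second, truth in samples:
        counts[label[(fuse_verdicts(first, second, rule), truth)]] += 1
    return dict(counts)


# Constructed branch verdicts: (branch 1, branch 2, ground truth). Not real data.
SAMPLES: List[Tuple[bool, bool, bool]] = [
    (True, True, True),     # both branches catch a real cooperative intrusion
    (True, False, True),    # only the penetration-path branch sees it
    (False, True, True),    # only the operating-state branch sees it
    (True, False, False),   # spurious alert from branch 1
    (False, True, False),   # spurious alert from branch 2
    (False, False, False),  # benign, both agree
    (True, True, False),    # both branches fooled
    (False, False, True),   # missed by both
]

if __name__ == "__main__":
    for rule in ("conjunctive", "disjunctive"):
        print(rule, evaluate(SAMPLES, rule))
    print("disagreements:", sum(needs_review(a, b) for a, b, _ in SAMPLES))
```

On the constructed table the conjunctive rule yields one false positive and three false negatives, the disjunctive rule three false positives and one false negative; the four disagreement cases are exactly the ones whose outcome depends on the rule, which is why they deserve a separate analysis path rather than a silent default.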
The intrusion target prediction network is described below. It may comprise, for example, a first intrusion target prediction network and a second intrusion target prediction network.
For example, unit data extraction is first performed on the network intrusion track data to generate a plurality of network intrusion track unit data, which are fed to both the first and the second intrusion target prediction network. Taking the first intrusion target prediction network as an example: first intrusion penetration data is tracked from the network intrusion track unit data by a first coding structure; the first intrusion penetration data is passed to a first feature denoising structure, which performs feature denoising on it; and the denoised first intrusion penetration data is passed to a first intrusion target prediction structure, which generates the first intermediate intrusion target prediction information. Correspondingly, second intrusion penetration data is tracked from the network intrusion track unit data by a second coding structure, denoised by a second feature denoising structure, and passed to a second intrusion target prediction structure, which generates the second intermediate intrusion target prediction information. Finally, the first intrusion target prediction information is generated from the first and second intermediate intrusion target prediction information.
In some exemplary embodiments the execution order of the two networks is not limited: the second intrusion target prediction network may start after, before, or concurrently with the first.
Some exemplary embodiments of the method flow for predicting the intrusion target of an intrusion penetration object from the network intrusion thinking network are described next.
STEP410: extract a plurality of network intrusion entity data from the target network intrusion data and generate the network intrusion thinking network.
This step corresponds to STEP 140 described above.
STEP420: perform intrusion entity propagation feature coding on the network intrusion thinking network to generate a plurality of intrusion entity propagation features, each representing a propagation coding feature of the network intrusion thinking network that carries an intrusion propagation flow direction relation.
Intrusion entity propagation feature coding means coding the network intrusion entity data within each member (segment) of the network intrusion thinking network so as to track the propagation coding features that carry an intrusion propagation flow direction relation. Such a feature is an aggregate of the state transition features between network intrusion entities and the state linkage features between them, computed over the network intrusion entity data of one segment. For example, the network intrusion thinking network is divided into a plurality of intrusion entity propagation feature segments, and intrusion entity propagation feature coding is performed on each segment to generate one intrusion entity propagation feature per segment.
STEP430: perform intrusion entity propagation migration feature coding on the plurality of intrusion entity propagation features to generate a plurality of intrusion entity propagation migration features, each representing a propagation coding feature of the network intrusion thinking network that carries an intrusion propagation flow direction migration relation.
STEP440: perform cross migration feature coding on the plurality of intrusion entity propagation migration features to generate a plurality of intrusion entity cross migration features, each representing a propagation coding feature of cross migration between network intrusion entities of the network intrusion thinking network.
Cross migration feature coding means tracking the intrusion entity cross migration feature of each intrusion entity propagation migration feature, so as to track the propagation coding features of cross migration between network intrusion entities of the network intrusion thinking network. These features capture the state linkage between network intrusion entities at a deeper level of the network intrusion thinking network than the single-segment propagation features do.
STEP450: perform cross migration extension feature coding on the plurality of intrusion entity cross migration features to generate a target intrusion entity cross migration feature, which represents a propagation coding feature of the network intrusion thinking network that carries the cross migration extension feature.
Cross migration extension feature coding means tracking the cross migration extension feature variables between adjacent network intrusion entity data in the network intrusion thinking network, so as to track the target intrusion entity cross migration feature of the whole network. That target feature is an aggregate of the state transition features between network intrusion entities and the state linkage features between them over the whole network intrusion thinking network.
In some exemplary embodiments, performing cross migration extension feature coding on the plurality of intrusion entity cross migration features to generate the target intrusion entity cross migration feature includes: clustering the plurality of intrusion entity cross migration features to generate an intrusion entity cross migration feature cluster; expanding that cluster with the propagation coding feature expansion structures of a plurality of preset expansion modes, respectively, to generate a plurality of expansion feature clusters, each representing the expanded intrusion entity cross migration features of the network intrusion thinking network; aggregating the plurality of expansion feature clusters into an aggregated expansion feature cluster; and denoising the aggregated expansion feature cluster to generate the target intrusion entity cross migration feature.
STEP460: perform intrusion target prediction from the target intrusion entity cross migration feature and generate the second intrusion target prediction information.
In some exemplary embodiments the target intrusion target prediction network includes an intrusion entity propagation feature coding structure, an intrusion entity propagation migration feature coding structure, a cross migration feature coding structure, a migration coding structure, and a third intrusion target prediction structure.
The intrusion entity propagation feature coding structure performs intrusion entity propagation feature coding on the network intrusion thinking network to generate the plurality of intrusion entity propagation features.
The intrusion entity propagation migration feature coding structure performs intrusion entity propagation migration feature coding on the plurality of intrusion entity propagation features to generate the plurality of intrusion entity propagation migration features.
The cross migration feature coding structure performs cross migration feature coding on the plurality of intrusion entity propagation migration features to generate the plurality of intrusion entity cross migration features.
The migration coding structure performs cross migration extension feature coding on the plurality of intrusion entity cross migration features to generate the target intrusion entity cross migration feature.
The third intrusion target prediction structure performs intrusion target prediction from the target intrusion entity cross migration feature and generates the second intrusion target prediction information.
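The STEP410 to STEP460 pipeline and the five structures just listed, carried through on a small graph as an added example; this is not the patent's code. It assumes the network intrusion thinking network is a directed graph whose nodes are intrusion entities (hosts, accounts, processes) and whose edges are observed transitions between them within a time segment of the monitoring log, and it interprets the successive encodings as one-hop transitions per segment, two-hop migration within a segment, cross-segment migration, and a multi-scale expansion with a noise floor. The entity names, event records, scales and threshold are all constructed.

```python
"""Graph propagation encoding of intrusion entities (STEP410 to STEP460).

Added example, not the patent's code. Assumptions: the "network intrusion
thinking network" is a directed entity graph per time segment; propagation
features are per-segment adjacency (transition) matrices; migration features
are two-hop products within a segment; cross migration chains a segment into
the next one; extension sums matrix powers at several scales and applies a
noise floor. EVENTS, the scales and the noise floor are constructed values.
"""
from typing import Dict, List, Tuple

Matrix = List[List[float]]

# Constructed entity transitions: (segment, source entity, destination entity).
EVENTS: List[Tuple[int, str, str]] = [
    (0, "ws-17", "fileserver"),
    (0, "ws-17", "ad-dc1"),
    (0, "ws-22", "ad-dc1"),
    (1, "ad-dc1", "db-prod"),
    (1, "fileserver", "db-prod"),
    (1, "ws-22", "printer"),
    (2, "db-prod", "backup"),
]


def entity_index(events) -> Dict[str, int]:
    """STEP410: the node set of the entity graph, in a stable order."""
    names = sorted({e for _, s, d in events for e in (s, d)})
    return {name: i for i, name in enumerate(names)}


def zeros(n: int) -> Matrix:
    return [[0.0] * n for _ in range(n)]


def matmul(a: Matrix, b: Matrix) -> Matrix:
    n = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) for j in range(n)] for i in range(n)]


def matadd(a: Matrix, b: Matrix) -> Matrix:
    return [[x + y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]


def propagation_features(events, idx) -> List[Matrix]:
    """STEP420: one transition matrix per segment; [i][j] counts flows i -> j."""
    feats = []
    for seg in sorted({s for s, _, _ in events}):
        a = zeros(len(idx))
        for s, src, dst in events:
            if s == seg:
                a[idx[src]][idx[dst]] += 1.0
        feats.append(a)
    return feats


def migration_features(feats) -> List[Matrix]:
    """STEP430: two-hop flow inside a segment (A @ A): where a flow that has
    reached an entity would migrate next within the same window."""
    return [matmul(a, a) for a in feats]


def cross_migration_features(feats, mig) -> List[Matrix]:
    """STEP440: flow that reaches an entity in segment s and moves on in s+1
    (A_s @ A_{s+1}); the last segment falls back to its own migration."""
    out = []
    for s, a in enumerate(feats):
        nxt = feats[s + 1] if s + 1 < len(feats) else None
        out.append(matmul(a, nxt) if nxt is not None else mig[s])
    return out


def extension_features(cross, scales=(1, 2, 3), noise_floor=0.5) -> Matrix:
    """STEP450: cluster (sum) the cross migration features, expand at several
    propagation scales (matrix powers, down-weighted by scale), aggregate, and
    zero entries below the noise floor."""
    cluster = zeros(len(cross[0]))
    for m in cross:
        cluster = matadd(cluster, m)
    agg, power = zeros(len(cluster)), cluster
    for k in scales:
        if k > 1:
            power = matmul(power, cluster)
        agg = matadd(agg, [[v / k for v in row] for row in power])
    return [[v if v >= noise_floor else 0.0 for v in row] for row in agg]


def predict_targets(target_feature: Matrix, idx) -> List[Tuple[str, float]]:
    """STEP460: rank entities by how much encoded propagation converges on them."""
    names = {i: n for n, i in idx.items()}
    n = len(target_feature)
    scores = [(names[j], sum(target_feature[i][j] for i in range(n))) for j in range(n)]
    return sorted((s for s in scores if s[1] > 0), key=lambda s: (-s[1], s[0]))


def run(events=EVENTS) -> List[Tuple[str, float]]:
    idx = entity_index(events)
    feats = propagation_features(events, idx)
    cross = cross_migration_features(feats, migration_features(feats))
    return predict_targets(extension_features(cross), idx)


if __name__ == "__main__":
    print(run())
```

On the constructed events the two workstation chains converge on db-prod through ad-dc1 and fileserver, and the db-prod to backup hop in the last segment surfaces backup as the secondary target; a single direct edge with no continuation (ws-22 to printer) contributes nothing, which is the denoising effect the text attributes to the final step.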
For example, the above method may be implemented with an AI model that includes an intrusion target prediction network and a target intrusion target prediction network, prepared as follows.
1. Obtain a first template network monitoring data group and a second template network monitoring data group. The first group comprises a plurality of first template network monitoring data, each being network intrusion track data traced from the network intrusion entity data of target network intrusion data; the second group comprises a plurality of second template network monitoring data, each being a network intrusion thinking network obtained from the target network intrusion data.
2. Perform parameter layer tuning and selection on the intrusion target prediction network using the first template network monitoring data group. This network predicts the intrusion target from the intrusion penetration data expressed in the network intrusion track data and generates the first intrusion target prediction information, where the intrusion penetration data represents the penetration routing information and the operating-state invasion information of the intrusion penetration objects in the network intrusion track data.
3. Perform parameter layer tuning and selection on the target intrusion target prediction network using the second template network monitoring data group. This network predicts the intrusion target from the state communication features of the network intrusion entities expressed in the network intrusion thinking network and generates the second intrusion target prediction information, where the state communication features represent the state transition features between network intrusion entities in the network intrusion thinking network and the state linkage features between them.
In some exemplary embodiments, a loss function value for the target intrusion target prediction network is calculated from the second intrusion target prediction information and the training evaluation parameters (labels) of the second template network monitoring data; the network is trained on that loss, and the finally obtained target intrusion target prediction network is the one at which training converges.
For example, on the basis of the above scheme, a first security protection upgrading scheme for upgrading the protection of the network security protection process may further be obtained from the target intrusion object distribution, and the security protection program corresponding to that process is upgraded according to the first scheme. After the step intrusion object distribution corresponding to the network monitoring data log of the process has been obtained again following the upgrade, it is analyzed whether any intrusion object with a characteristic relation exists between the target intrusion object distribution and the step intrusion object distribution. If such intrusion objects exist, the target network monitoring data cluster corresponding to them is tracked; the frequent event data of that cluster is analyzed; a target intrusion purpose is extracted from the frequent event data; a second security protection upgrading scheme for the process is obtained from the extracted target intrusion purpose; and an enhanced security protection upgrade is applied to the security protection program of the process according to the second scheme.
For example, extracting the target intrusion purpose from the frequent event data obtained by the analysis includes: acquiring, from the frequent event data, multiple kinds of target network event data output by a network event monitoring application in a first network event monitoring stage, during which network events are monitored on the security protection data of security protection upgrade running processes of different security protection upgrade dimensions; determining the first target network event data, among the multiple kinds of target network event data, that are associated with a forward threat perception member; determining, from the first target network event data, the targeted event data of the forward threat perception member during the first network event monitoring stage; and determining the target intrusion purpose of the forward threat perception member from the targeted event data.
For example, determining the first target network event data associated with the forward threat perception member includes: arranging the multiple kinds of target network event data into a knowledge graph format and outputting the second target network event data among them that conform to the target knowledge graph structure; determining the first threat perception member attribute information of the security protection upgrade running processes of different security protection upgrade dimensions contained in the second target network event data; performing relevance referencing between the first threat perception member attribute information and the second threat perception member attribute information held in a threat perception member attribute information base, and outputting the third threat perception member attribute information, contained in the first, that is related to the forward threat perception member, where the base comprises multiple kinds of threat perception member attribute information having a relevance reference relation with a first target threat perception member, and the first target threat perception member includes at least one target threat perception member of the same type as the forward threat perception member; and determining the target network event data in the second target network event data that correspond to the third threat perception member attribute information as the first target network event data.
For example, determining the target intrusion purpose of the forward threat perception member from the targeted event data includes: for each target threat situation feature segment contained in the targeted event data, determining the target threat situation feature segment item of the corresponding target network event data; then, for each target threat situation feature segment, executing the following steps and outputting a first targeted intrusion purpose. Analyze whether the targeted event data contains a first threat situation feature segment and a second threat situation feature segment, where the first segment was generated in the forward (earlier) threat situation time-space domain of the target segment and its first threat situation feature segment item is the one most correlated with the target item, the second segment was generated in the backward (later) threat situation time-space domain of the target segment and its second threat situation feature segment item is the one most correlated with the target item, and the threat situation feature member corresponding to the first segment and the member corresponding to the second segment each differ from the member corresponding to the target segment. Then: if the targeted event data contains both the first and the second segment, and the feature distance between the first item and the target item is greater than a set feature distance, and the feature distance between the second item and the target item is also greater than the set feature distance, the business operation plan corresponding to the threat situation feature member of the target segment is determined as the first targeted intrusion purpose; if the targeted event data contains only the first segment and the feature distance between the first item and the target item is greater than the set feature distance, the business operation plan corresponding to the member of the first segment is determined as the first targeted intrusion purpose; if the targeted event data contains only the second segment and the feature distance between the second item and the target item is greater than the set feature distance, the business operation plan corresponding to the member of the second segment is determined as the first targeted intrusion purpose. The target intrusion purpose is then determined from the first targeted intrusion purpose.
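The three-way rule just described, as an added example that is not the patent's code. It assumes a threat situation feature segment is a (timestamp, threat perception member, feature vector) record, that "most correlated" means smallest Euclidean feature distance, and that each member maps to one business operation plan; the segments, the plans and the set feature distance are constructed. The None result marks the case the text sends on to the aggregation-amount analysis rather than deciding it here.

```python
"""First targeted intrusion purpose from threat situation feature segments.

Added example, not the patent's code. Assumptions: a segment is
(ts, member, item); the most correlated neighbour is the one at the smallest
Euclidean distance; PLANS maps each threat perception member to a business
operation plan. SEGMENTS, PLANS and the set_distance values are constructed.
"""
import math
from typing import Dict, List, NamedTuple, Optional, Tuple


class Segment(NamedTuple):
    ts: int                  # position in the threat situation timeline
    member: str              # threat perception member that produced it
    item: Tuple[float, ...]  # threat situation feature segment item


def distance(a: Tuple[float, ...], b: Tuple[float, ...]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def nearest_other(segments: List[Segment], target: Segment, forward: bool) -> Optional[Segment]:
    """Most correlated segment from a *different* member in the forward
    (earlier) or backward (later) time-space domain of the target; ties
    resolve to the earliest timestamp."""
    def in_domain(s: Segment) -> bool:
        return s.ts < target.ts if forward else s.ts > target.ts
    cands = [s for s in segments if s.member != target.member and in_domain(s)]
    if not cands:
        return None
    return min(cands, key=lambda s: (distance(s.item, target.item), s.ts))


def first_targeted_purpose(segments: List[Segment], target: Segment,
                           plans: Dict[str, str], set_distance: float) -> Optional[str]:
    """Apply the rule: both neighbours far -> target's own member's plan;
    only a far forward (or backward) neighbour -> that neighbour's plan;
    otherwise None, i.e. fall back to the aggregation-amount analysis."""
    def far(s: Segment) -> bool:
        return distance(s.item, target.item) > set_distance

    fwd = nearest_other(segments, target, forward=True)
    bwd = nearest_other(segments, target, forward=False)
    if fwd is not None and bwd is not None:
        return plans[target.member] if far(fwd) and far(bwd) else None
    if fwd is not None and far(fwd):
        return plans[fwd.member]
    if bwd is not None and far(bwd):
        return plans[bwd.member]
    return None


# Constructed plans and timeline; the target is the EDR segment at ts=2.
PLANS = {"edr": "isolate-endpoint", "waf": "block-source-ip", "dlp": "freeze-egress"}
SEGMENTS = [
    Segment(1, "waf", (0.1, 0.2)),
    Segment(2, "edr", (0.9, 0.8)),
    Segment(3, "dlp", (0.2, 0.1)),
    Segment(4, "edr", (0.85, 0.8)),  # same member as target, never a neighbour
]

if __name__ == "__main__":
    target = SEGMENTS[1]
    for d in (0.5, 1.5):
        print(d, first_targeted_purpose(SEGMENTS, target, PLANS, d))
```

With the set feature distance at 0.5 the target segment is isolated from both neighbouring members and its own member's plan is selected; raising the threshold to 1.5 makes neither neighbour count as far, and the function declines to decide, which is the branch the next paragraph handles.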
For example, when both a first and a second threat situation feature segment exist but the feature distance between the first item and the target item is not greater than the set feature distance and/or the feature distance between the second item and the target item is not greater than the set feature distance, the method further comprises: generating the threat situation feature segment contained in the first target network event data; determining, from the targeted event data, whether the first target aggregation amount of information associated with the same threat situation encompassed in that segment is greater than a set aggregation amount; and determining the target intrusion purpose from the first targeted intrusion purpose obtained in that case.
For example, when the first target aggregation amount of information associated with the same threat situation encompassed in the threat situation feature segment is greater than the set aggregation amount, determining the first targeted intrusion purpose from the targeted event data includes: determining whether the targeted event data includes a first set threat situation feature segment item range, namely the range of items from the third threat situation feature segment item of a third threat situation feature segment to the fourth threat situation feature segment item of a fourth threat situation feature segment, where the third segment was generated at a forward threat situation time relative to the target segment and its item is the one most associated with the target item, the fourth segment was generated at a backward threat situation time relative to the target segment and its item is the one most associated with the target item, the threat situation feature members corresponding to the third and fourth segments each differ from the member corresponding to the target segment, and the feature distances from the third item and from the fourth item to the target item are each greater than the set feature distance. If the first set range is not included, the business operation plans corresponding to the threat situation feature member generated first for the forward threat perception member and the member generated last for it in the targeted event data are determined as the first targeted intrusion purpose; if the first set range is included, threat situation connectivity data information between the target item and the first set range is generated, and the first targeted intrusion purpose is determined from that connectivity information and the first set range.
For example, determining the first targeted intrusion purpose from the threat situation connectivity data information and the first set threat situation feature segment item range includes: when the connectivity information indicates that the target item lies between a second set range and a third set range that are both covered by the first set range and have a relevance reference relation, the business operation plan corresponding to the threat situation feature member generated by the last item of the second set range and the first item of the third set range is determined as the first targeted intrusion purpose; when the target item lies within a fourth set range formed by the first threat situation feature segment item of the targeted event data and the first set range, the business operation plan corresponding to the member generated by the first item of that first range and the fourth set range is determined as the first targeted intrusion purpose; and when the connectivity information indicates that the target item lies between the last fifth set range covered by the first set range and the final threat situation feature segment item of the targeted event data, the business operation plan corresponding to the last item of the fifth set range and the member generated by the final item is determined as the first targeted intrusion purpose.
For example, determining the target intrusion purpose from the first targeted intrusion purpose comprises: acquiring a second targeted intrusion purpose of the forward threat perception member in a second network event monitoring stage, and determining the target intrusion purpose from the first and the second targeted intrusion purpose together.
According to the same inventive concept, embodiments of the present invention also provide a network intrusion detection system. Referring to fig. 2, an architecture diagram of the network intrusion detection system 100 provided in the embodiments, the system 100 may vary considerably in configuration and performance and may include one or more central processing units (CPUs) 112 (e.g., one or more processors) and a memory 111. The memory 111 may be transient or persistent storage. The program stored in the memory 111 may include one or more modules, each comprising a sequence of instructions operating on the network intrusion detection system 100. Further, the central processor 112 may be arranged to communicate with the memory 111 so as to execute that series of instruction operations on the system 100.
The network intrusion detection system 100 may also include one or more power supplies, one or more communication units 113, one or more input/output interfaces, and/or one or more operating systems, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD, and the like.
The steps performed by the network intrusion detection system in the above embodiments may be carried out on the system structure shown in fig. 2.
In addition, a storage medium is provided in an embodiment of the present application, and the storage medium is used for storing a computer program, and the computer program is used for executing the method provided in the embodiment.
The embodiment of the present application also provides a computer program product including instructions, which when run on a computer, causes the computer to execute the method provided by the above embodiment.
Those of ordinary skill in the art will understand that all or part of the steps of the method embodiments can be completed by hardware driven by program instructions; the program can be stored in a computer readable storage medium and, when executed, performs the steps of the method embodiments. The storage medium may be at least one of the following media that can store program code: a read-only memory (ROM), a RAM, a magnetic disk, or an optical disk.
It should be noted that each embodiment in the present specification is described in a progressive manner, and the same and similar parts between each embodiment may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the apparatus and system embodiments, since they are substantially similar to the method embodiments, they are described in a relatively simple manner, and reference may be made to some of the descriptions of the method embodiments for related points. The above-described embodiments of the apparatus and system are merely illustrative, and the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only one specific embodiment of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present application should be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (9)

1. A network intrusion detection method is applied to a network intrusion detection system and is characterized by comprising the following steps:
acquiring target network intrusion data to be tracked from a network monitoring data log of a network security protection process;
tracking network intrusion entity data from the target network intrusion data, and tracking network intrusion track data from the network intrusion entity data;
determining target intrusion target distribution corresponding to the target network intrusion data according to the network intrusion track data;
issuing a network intrusion detection result reminder to the network security server corresponding to the network security protection process according to the target intrusion target distribution corresponding to each target network intrusion data;
the step of determining the target intrusion target distribution corresponding to the target network intrusion data according to the network intrusion track data comprises the following steps:
carrying out intrusion target prediction according to intrusion penetration data expressed in the network intrusion track data to generate first intrusion target prediction information, wherein the intrusion penetration data represents penetration routing information and operation live invasion information of intrusion penetration objects in the network intrusion track data;
extracting a plurality of network intrusion entity data from the target network intrusion data to generate a network intrusion thinking network;
predicting an intrusion target according to state communication characteristics of network intrusion entities expressed in the network intrusion thinking network, and generating second intrusion target prediction information, wherein the state communication characteristics of the network intrusion entities represent state transition characteristics between the network intrusion entities in the network intrusion thinking network and state linkage characteristics between the network intrusion entities;
and generating target intrusion target distribution corresponding to the target network intrusion data according to the first intrusion target prediction information and the second intrusion target prediction information.
2. The method according to claim 1, wherein the predicting an intrusion destination according to intrusion penetration data expressed in the network intrusion trajectory data to generate first intrusion destination prediction information includes:
tracking first intrusion penetration data from the network intrusion trajectory data, the first intrusion penetration data characterizing penetration path field vector distribution of the intrusion penetration objects;
carrying out intrusion target prediction according to the first intrusion penetration data to generate first intermediate intrusion target prediction information;
tracking second intrusion penetration data from the network intrusion track data, wherein the second intrusion penetration data represent operation live invasion information of the intrusion penetration object;
carrying out intrusion target prediction according to the second intrusion penetration data to generate second intermediate intrusion target prediction information;
and generating the first intrusion target prediction information according to the first intermediate intrusion target prediction information and the second intermediate intrusion target prediction information.
3. The network intrusion detection method according to claim 2, wherein the first intermediate intrusion destination prediction information is determined by prediction based on a first intrusion destination prediction network, and the second intermediate intrusion destination prediction information is determined by prediction based on a second intrusion destination prediction network;
the first intrusion object prediction network comprises a first coding structure, a first characteristic denoising structure and a first intrusion object prediction structure;
wherein the first encoding structure is configured to encode the network intrusion trajectory data to generate a first intrusion penetration encoding feature distribution; the first feature denoising structure is configured to perform feature denoising on the first intrusion penetration coding feature distribution to generate the first intrusion penetration data;
the first intrusion target prediction structure is used for carrying out intrusion target prediction according to the first intrusion penetration data and generating first intermediate intrusion target prediction information;
the second intrusion target prediction network comprises a second coding structure, a second characteristic denoising structure and a second intrusion target prediction structure;
wherein the second encoding structure is configured to encode the network intrusion trajectory data to generate a second intrusion penetration encoding feature distribution;
the second feature denoising structure is configured to perform feature denoising on the second intrusion penetration coding feature distribution to generate second intrusion penetration data;
and the second intrusion destination prediction structure is used for predicting the intrusion destination according to the second intrusion penetration data and generating second intermediate intrusion destination prediction information.
4. The method according to claim 2, wherein the generating the first intrusion destination prediction information according to the first intermediate intrusion destination prediction information and the second intermediate intrusion destination prediction information includes:
in response to both the first intermediate intrusion target prediction information and the second intermediate intrusion target prediction information representing that the target network intrusion data has cooperative intrusion target data, generating first intrusion target prediction information representing that the target network intrusion data has the cooperative intrusion target data;
in response to either one of the first intermediate intrusion target prediction information and the second intermediate intrusion target prediction information representing that the target network intrusion data does not have cooperative intrusion target data, generating first intrusion target prediction information representing that the target network intrusion data does not have the cooperative intrusion target data;
or, in response to either one of the first intermediate intrusion target prediction information and the second intermediate intrusion target prediction information representing that the target network intrusion data has cooperative intrusion target data, generating first intrusion target prediction information representing that the target network intrusion data has the cooperative intrusion target data;
and in response to both the first intermediate intrusion target prediction information and the second intermediate intrusion target prediction information representing that the target network intrusion data does not have cooperative intrusion target data, generating first intrusion target prediction information representing that the target network intrusion data does not have the cooperative intrusion target data.
5. The method of claim 1, wherein the predicting the intrusion target according to the state communication characteristics of the network intrusion entities expressed in the network intrusion thinking network to generate second intrusion target prediction information comprises:
carrying out intrusion entity propagation characteristic coding on the network intrusion thinking network to generate a plurality of intrusion entity propagation characteristics, wherein the intrusion entity propagation characteristics represent the propagation coding characteristics with intrusion propagation flow direction relation of the network intrusion thinking network;
carrying out intrusion entity propagation migration feature coding on the plurality of intrusion entity propagation features to generate a plurality of intrusion entity propagation migration features, wherein the intrusion entity propagation migration features represent the propagation coding features with intrusion propagation flow direction migration relation of the network intrusion thinking network;
carrying out cross migration feature coding on the plurality of intrusion entity propagation migration features to generate a plurality of intrusion entity cross migration features, wherein the intrusion entity cross migration features represent the propagation coding features of cross migration of the network intrusion entities of the network intrusion thinking network;
performing cross migration extension feature coding on the plurality of intrusion entity cross migration features to generate target intrusion entity cross migration features, wherein the target intrusion entity cross migration features represent propagation coding features of the network intrusion thinking network with the cross migration extension features;
and predicting the intrusion target according to the cross migration characteristics of the target intrusion entity to generate second intrusion target prediction information.
6. The method according to claim 5, wherein the performing cross migration extension feature coding on the plurality of intrusion entity cross migration features to generate a target intrusion entity cross migration feature comprises:
clustering the plurality of intrusion entity cross migration features to generate intrusion entity cross migration feature clusters;
respectively performing characteristic expansion on the intrusion entity cross migration characteristic clusters according to propagation coding characteristic expansion structures of a plurality of preset expansion modes to generate a plurality of expansion characteristic clusters, wherein the expansion characteristic clusters represent expansion intrusion entity cross migration characteristics of the network intrusion thinking network;
aggregating the plurality of expanded characteristic clusters to generate aggregated expanded characteristic clusters;
and carrying out feature denoising on the aggregation expansion feature cluster to generate the cross migration feature of the target intrusion entity.
7. The network intrusion detection method according to claim 5, wherein the second intrusion destination prediction information is determined by prediction according to a target intrusion destination prediction network, and the target intrusion destination prediction network includes an intrusion entity propagation feature coding structure, an intrusion entity propagation migration feature coding structure, a cross migration feature coding structure, a migration coding structure and a third intrusion destination prediction structure;
the intrusion entity propagation characteristic coding structure is configured to carry out intrusion entity propagation characteristic coding on the network intrusion thinking network to generate a plurality of intrusion entity propagation characteristics, and the intrusion entity propagation characteristics represent the propagation coding characteristics with intrusion propagation flow direction relation of the network intrusion thinking network;
the intrusion entity propagation migration feature coding structure is configured to perform intrusion entity propagation migration feature coding on the plurality of intrusion entity propagation features to generate a plurality of intrusion entity propagation migration features, and the intrusion entity propagation migration features represent the propagation coding features of the network intrusion thinking network, which have intrusion propagation flow direction migration relations;
the cross migration feature coding structure is configured to perform cross migration feature coding on the plurality of intrusion entity propagation migration features to generate a plurality of intrusion entity cross migration features, and the intrusion entity cross migration features represent that the network intrusion entities of the network intrusion thinking network have cross migration propagation coding features;
the migration coding structure is configured to perform cross migration extension feature coding on the plurality of intrusion entity cross migration features to generate target intrusion entity cross migration features, and the target intrusion entity cross migration features represent propagation coding features of the network intrusion thinking network, where the cross migration extension features exist;
and the third intrusion target prediction structure is used for predicting the intrusion target according to the cross migration characteristics of the target intrusion entity and generating the second intrusion target prediction information.
8. The method according to any one of claims 1-7, wherein the extracting a plurality of network intrusion entity data from the target network intrusion data to generate a network intrusion thinking network comprises:
performing network intrusion entity tracking on the target network intrusion data to generate a network intrusion entity data distribution of the target network intrusion data;
acquiring a plurality of network intrusion entity data from the network intrusion entity data distribution to construct an intrusion thinking network and generate an initial network intrusion thinking network;
performing real-time optimization of the state communication characteristics of the network intrusion entities on each network intrusion entity data in the initial network intrusion thinking network, transmitting the state communication characteristics to the latest entity state communication characteristics, and generating network intrusion entity data whose state communication characteristics have been optimized in real time;
establishing an intrusion thinking network according to the state communication characteristic flow direction by using the network intrusion entity data subjected to the real-time optimization of each state communication characteristic, and generating network intrusion entity data distributed based on the state communication characteristic flow direction;
and generating the network intrusion thinking network according to the network intrusion entity data distributed based on the state communication characteristic flow direction.
9. A network intrusion detection system, comprising:
a processor;
a memory having stored therein a computer program that, when executed, implements the network intrusion detection method of any one of claims 1-8.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210654293.XA CN115086000B (en) 2022-06-10 2022-06-10 Network intrusion detection method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210654293.XA CN115086000B (en) 2022-06-10 2022-06-10 Network intrusion detection method and system

Publications (2)

Publication Number Publication Date
CN115086000A CN115086000A (en) 2022-09-20
CN115086000B true CN115086000B (en) 2023-01-03

Family

Family ID: 83250628

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210654293.XA Active CN115086000B (en) 2022-06-10 2022-06-10 Network intrusion detection method and system

Country Status (1)

Country Link
CN (1) CN115086000B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7627900B1 (en) * 2005-03-10 2009-12-01 George Mason Intellectual Properties, Inc. Attack graph aggregation
CN101867498A (en) * 2009-04-17 2010-10-20 中国科学院软件研究所 Network security situation evaluating method
CN108418843A (en) * 2018-06-11 2018-08-17 中国人民解放军战略支援部队信息工程大学 Network attack target identification method based on attack graph and system
CN109191326A (en) * 2018-08-23 2019-01-11 东北大学 The interdependent deposit system network attack methods of risk assessment of power distribution network CPS based on attacker visual angle
CN112422537A (en) * 2020-11-06 2021-02-26 广州锦行网络科技有限公司 Behavior prediction method of network attack knowledge graph generated based on honeypot actual combat
CN112637207A (en) * 2020-12-23 2021-04-09 中国信息安全测评中心 Network security situation prediction method and device
CN113452673A (en) * 2021-05-18 2021-09-28 广西电网有限责任公司电力科学研究院 Network attack damage degree quantification method for power system
CN114124516A (en) * 2021-11-19 2022-03-01 上海纽盾科技股份有限公司 Situation awareness prediction method, device and system
CN114531298A (en) * 2022-03-09 2022-05-24 哈尔滨佰通科技有限公司 Threat vulnerability prediction method based on AI and big data analysis and cloud AI system

Also Published As

Publication number Publication date
CN115086000A (en) 2022-09-20

Similar Documents

Publication Publication Date Title
CN112800116B (en) Method and device for detecting abnormity of service data
CN114697128B (en) Big data denoising method and big data acquisition system through artificial intelligence decision
CN114580263A (en) Knowledge graph-based information system fault prediction method and related equipment
CN114124567A (en) Cloud service processing method based on big data vulnerability mining and artificial intelligence system
CN113360349A (en) Information optimization method based on big data and cloud service and artificial intelligence monitoring system
CN112801155B (en) Business big data analysis method based on artificial intelligence and server
CN116414948A (en) Abnormal data mining method and software product based on cloud data and artificial intelligence
CN115048370A (en) Artificial intelligence processing method for big data cleaning and big data cleaning system
CN116310914B (en) Unmanned aerial vehicle monitoring method and system based on artificial intelligence
CN115065545B (en) Safety protection construction method and AI protection system based on big data threat perception
CN115001753A (en) Method and device for analyzing associated alarm, electronic equipment and storage medium
CN113098888A (en) Abnormal behavior prediction method, device, equipment and storage medium
CN115514627A (en) Fault root cause positioning method and device, electronic equipment and readable storage medium
CN113674317B (en) Vehicle tracking method and device for high-level video
CN114157507A (en) Cloud service vulnerability analysis method and artificial intelligence system adopting big data analysis
CN113434857A (en) User behavior safety analysis method and system applying deep learning
CN115086000B (en) Network intrusion detection method and system
CN110837529B (en) Big data analysis monitoring method and device, server and readable storage medium
CN114978765B (en) Big data processing method for information attack defense and AI attack defense system
CN114780967B (en) Mining evaluation method based on big data vulnerability mining and AI vulnerability mining system
CN114117079B (en) Interception feedback processing method based on big data analysis interception and information interception system
CN114244588B (en) Big data analysis interception method and information interception system applying artificial intelligence analysis
CN115086002A (en) Network security protection method and system
CN113098884A (en) Network security monitoring method based on big data, cloud platform system and medium
CN114385472A (en) Abnormal data detection method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant