CN115296850A - Network attack and defense exercise distributed learning method based on artificial intelligence - Google Patents


Info

Publication number: CN115296850A
Application number: CN202210797079.XA
Authority: CN (China)
Prior art keywords: attack, defense, network, drilling, training
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventors: 王玉梁, 朱文进
Current assignee: China Telecom Digital Intelligence Technology Co Ltd (the listed assignee may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: China Telecom Digital Intelligence Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 20/00 Machine learning
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/14 Network analysis or design
    • H04L 41/145 Network analysis or design involving simulating, designing, planning or modelling of a network

Abstract

The invention discloses a distributed learning method for network attack-and-defense drills based on artificial intelligence, comprising the following steps. Step one: construct a distributed attack-and-defense drill module; the central server deploys a network policy module, a defense program module and an attack program module, and an attack-and-defense training model is constructed. Step two: run the attack-and-defense drill and collect its data. Step three: update the attack-and-defense training model. The method addresses the problems that the security policies of existing networked, distributed local networks differ from one another and that private data cannot conveniently take part in central attack-and-defense training, without harming the training effect of the central training model; it greatly reduces the training load of the central model, comprehensively tests the defensive capability and latent risks of the local network by combining local attacks, same-IP-segment attacks and remote attacks, refines the central model through artificial-intelligence learning and training, overcomes the problem of model bias, and reduces computational complexity.

Description

Distributed learning method for network attack-and-defense drills based on artificial intelligence
Technical Field
The invention belongs to the field of network attack and defense, and in particular relates to a distributed learning method for network attack-and-defense drills based on artificial intelligence.
Background
With the rapid development of computer technology, information networks have become an important guarantee of social development. They carry a great deal of sensitive information, even state secrets, and inevitably attract attacks of every kind from around the world: information disclosure, information theft, data tampering, data deletion and insertion, computer viruses, and so on. Network communication is characterised by end-to-end, network-wide joint operation. In terms of communication it consists of five major parts: transmission and switching; network standards, protocols and coding; communication terminals; information sources; and personnel. Most of these five parts are under serious threat and attack, and every one of them can become an attack point against the network and its information. Within the network, ensuring information security is the core of network security. At such a network scale, testing network security by periodically scanning for vulnerabilities hardly meets the timeliness requirement, so a more intelligent method is needed to improve the defensive capability of network equipment and transmission.
Comparison document 1 (CN 201811188070) discloses a method, an apparatus and a computing device for simulating denial-of-service attacks, in the technical field of computers. The method comprises: determining the attack packets intercepted during the previous round of simulated denial-of-service attack; training a protection prediction model with the intercepted attack packets to obtain a trained model, the model being used to predict the protection strategy adopted by the protection node; and carrying out the next round of simulated denial-of-service attack using the trained model. Because the model is trained on the packets intercepted in the previous round and the next round is driven by the trained model, the accuracy of protection-strategy prediction improves through machine self-learning, and with it the effectiveness and efficiency of the simulated attack.
Comparison document 2 (CN 201610018768) discloses an automated software testing method comprising a function verification step, a vulnerability scanning step, a simulated attack step and a monitoring test step. It addresses the problems that an unauthorised user obtains access to a system or escalates access rights, that the system is attacked through system vulnerabilities and common attack techniques, and that the security threats to a network cannot be effectively managed, diagnosed and checked; its detection function is stable, it finds security problems, and it manages, diagnoses and checks the security threats to the network.
Disclosure of Invention
To address the defects of the prior art, the invention provides a method that improves the defensive capability of network equipment and transmission by introducing a more intelligent approach. It is aimed at the problems of large network service scale, complex application relationships, many layers of dependency and difficult troubleshooting in machine-room operation and maintenance, and at the problem that testing network security by periodic vulnerability scanning is difficult to reconcile with the timeliness requirement.
In order to achieve this purpose, the invention adopts the following technical scheme:
A distributed learning method for network attack-and-defense drills based on artificial intelligence comprises the following steps:
Step one: construct a distributed attack-and-defense drill module, comprising: deploying a network policy module, a defense program module and an attack program module on a central server to construct an attack-and-defense training model;
Step two: run the attack-and-defense drill and collect its data;
Step three: update the attack-and-defense training model.
Further, the network policy module builds the network policy by executing a set of Linux system commands through a program deployed on the central server. Protection rules are set separately according to three parameters, intranet IP, network port and protocol, and when network traffic matches any one of the rules the traffic is allowed through.
Further, the defense program module sends an attack instruction to sniff and capture packets against the newly deployed network policy module. For each sniffed packet it parses the five-tuple (source address, destination address, source port, destination port and protocol), adds a timestamp and stores the record by class; it then analyses the five-tuple records together with their timestamps to obtain per-day packet analysis features, and if the number of times a source address accesses an intranet application port within one day exceeds a configured upper limit, its packets are judged to be attack packets. Finally the defense data result is reported to the database for storage, and at the same time the backdoor program updates its state according to the defense-result identifier stored in the database and executes a self-destruct command.
Further, the attack program module comprises a local attack program module, a same-network-segment attack program module and a remote attack program module. The local attack program attacks the applications and services behind the local host's network ports, the same-network-segment attack program attacks the local host's network ports, and the remote attack program performs third-party traffic hijacking attacks against the local host.
Further, step two is specifically as follows. The central server program deployed at headquarters sends an instruction to start attack-and-defense training and issues the three program modules (network policy, defense program and attack program) to the attack-and-defense servers in each region. After receiving the instruction, an attack-and-defense server looks for a local attack-and-defense training model; if one exists it continues with the network drill, and if not it sends a request to the central server to obtain the training model, whereupon the central server issues the model to that server by program execution and the drill continues. When the drill starts, the attack-and-defense server sends the network policy and defense program modules to the server of the attacked target; on receiving the instruction, the attacked server automatically executes the network policy and defense program to build its local protection system. Once the three attacks of the drill have been received, the drill formally begins, and when it finishes the results and data are stored in the training database on the attack-and-defense server, completing one drill cycle.
Further, the attack-and-defense training model accesses the training database on the attack-and-defense server to obtain the drill data of the attacked servers in its managed network domain; prior probability, conditional probability, adjustment factor and posterior probability parameters are obtained by analysis and calculation and fed into the training model for training; the adjustment factor is consulted to obtain the optimal defense success probability index after weighing the various indicators; and the optimal defense success probability results from each region are submitted to the central server to create the attack-and-defense training model.
Further, step three is specifically: access the training database on the attack-and-defense server to obtain the drill data of the attacked servers in the managed network domain; obtain the prior probability, conditional probability, adjustment factor and posterior probability parameters by analysis and calculation and feed them into the training model for training; obtain the optimal defense success probability index after weighing the various indicators with reference to the adjustment factor; and finally submit the optimal defense success probability results from all regions to the central server to update the training model, completing the whole drill and model-training process.
The beneficial effects of the invention are as follows. The invention divides the attack program into three parts: 1. the local attack program, whose main targets are the applications and services behind the local host's network ports; 2. the same-network-segment attack program, whose main target is the local host's network ports; 3. the remote attack program, whose main target is third-party traffic hijacking against the local host. The defense program has a self-destruct command, so the program is deleted when the drill ends, which improves network security. Distributed drill and model training: the central server sends an attack-and-defense instruction to the attack-and-defense server, which in turn issues the instruction to execute the drill; the drill data are then collected on the attack-and-defense server to construct the training model. The prior probability, conditional probability, adjustment factor and posterior probability parameters are obtained by analysis and calculation and fed into the training model, and the optimal defense success probability index is obtained after weighing the indicators with reference to the adjustment factor. Finally the optimal results from all regions are submitted to the central server to update the training model, completing the whole drill and model-training process.
The invention brings out the advantages of artificial intelligence in the drill process. It addresses the problems that the security policies of existing networked, distributed local networks differ and that private data cannot conveniently take part in central training, without harming the training effect of the central model; it greatly reduces the training load of the central model; it comprehensively tests the defensive capability and latent risks of the local network by combining local attacks, same-IP-segment attacks and remote attacks; and it refines the central model through artificial-intelligence learning and training. The invention overcomes the problem of model bias and reduces computational complexity.
Drawings
Fig. 1 is a flowchart of the artificial-intelligence-based distributed learning method for network attack-and-defense drills according to the invention.
Detailed Description
The invention is now described in further detail with reference to the accompanying drawing.
As shown in Fig. 1, a distributed learning method for network attack-and-defense drills based on artificial intelligence comprises the following steps:
Step one: the distributed attack-and-defense drill module comprises a network policy module, a defense program module, an attack program module and an attack-and-defense training model deployed on a server.
The network policy module builds the network policy by executing a set of Linux system commands through a program deployed on the central server. The network policy mainly protects the security of the intranet; protection rules are set according to three parameters, intranet IP, network port and protocol, and when network traffic matches any one of the rules the traffic is allowed through.
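The following is an added example and not code from the patent: a model of the allow-list semantics the network policy module describes (a flow passes if it matches any rule on intranet IP, port and protocol; everything else is dropped, which is the implied counterpart of "allowed when matched"). The patent does not list the Linux commands it executes, so the iptables chain and flags emitted by to_iptables are an assumption, as are the sample rules and flows.

```python
# Added example, not code from the patent: a model of the network policy module.
# A rule is (protocol, intranet network, port); traffic that matches ANY rule is
# allowed and everything else is dropped. The iptables command strings are an
# assumption: the patent does not list the Linux commands it runs.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str                          # "tcp" or "udp"
    network: ipaddress.IPv4Network      # intranet destination range
    port: int                           # destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    dst: ipaddress.IPv4Address
    dport: int


def parse_rule(spec: str) -> Rule:
    """Parse a rule such as 'tcp 10.0.0.0/24 443'. Malformed specs raise ValueError
    rather than silently producing a rule that matches nothing (or everything)."""
    parts = spec.split()
    if len(parts) != 3:
        raise ValueError(f"rule needs 'proto network port', got {spec!r}")
    proto, net, port = parts
    proto = proto.lower()
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol {proto!r}")
    dport = int(port)
    if not 0 < dport < 65536:
        raise ValueError(f"port out of range: {dport}")
    # strict=True rejects '10.0.0.5/24', a typo that would otherwise widen the rule.
    return Rule(proto, ipaddress.IPv4Network(net, strict=True), dport)


def make_flow(proto: str, dst: str, dport: int) -> Flow:
    return Flow(proto.lower(), ipaddress.IPv4Address(dst), dport)


def is_allowed(rules: list[Rule], flow: Flow) -> bool:
    """Allow-list semantics: the flow passes if it matches any rule on all three
    parameters; otherwise it is denied."""
    return any(
        r.proto == flow.proto and r.port == flow.dport and flow.dst in r.network
        for r in rules
    )


def to_iptables(rules: list[Rule], chain: str = "FORWARD") -> list[str]:
    """Render the rule set as an iptables command sequence (assumed form): flush the
    chain, set its default policy to DROP, then one ACCEPT per rule."""
    cmds = [f"iptables -F {chain}", f"iptables -P {chain} DROP"]
    for r in rules:
        cmds.append(
            f"iptables -A {chain} -p {r.proto} -d {r.network} --dport {r.port} -j ACCEPT"
        )
    return cmds


def evaluate(rule_specs: list[str], flows: list[tuple[str, str, int]]) -> dict[tuple[str, str, int], bool]:
    """Decide every flow against the parsed rules; keys are the raw flow tuples."""
    rules = [parse_rule(s) for s in rule_specs]
    return {f: is_allowed(rules, make_flow(*f)) for f in flows}


if __name__ == "__main__":
    specs = ["tcp 10.0.0.0/24 443", "udp 10.0.1.0/24 53"]   # constructed sample rules
    for cmd in to_iptables([parse_rule(s) for s in specs]):
        print(cmd)
    print(evaluate(specs, [("tcp", "10.0.0.7", 443), ("tcp", "10.0.0.7", 22)]))
```

The check worth keeping from this model is the default policy: a rule set that only adds ACCEPT lines without setting the chain policy to DROP allows everything the rules do not mention, which inverts the intent described above.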
The defense program module sends an attack instruction to sniff and capture packets against the newly deployed network policy module. For each sniffed packet it parses the five-tuple (source address, destination address, source port, destination port and protocol), adds a timestamp and stores the record by class, then analyses the five-tuple records together with their timestamps to obtain packet analysis features over a time range. If a source address accesses a large number of intranet application ports within a given time range, its packets are judged to be attack packets. Finally the defense data result is reported to the database for storage, and the backdoor program executes a self-destruct command according to the defense-result identifier and state stored in the database, so that policy creation and the attack-and-defense test are completed together.
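As an added example, not code from the patent, the analysis step of the defense program can be written as a sliding-window check over timestamped five-tuple records: a source is flagged when, within any window, it touches more distinct intranet application ports than a limit allows, or exceeds a hit limit. The capture lines, thresholds and the 24-hour window below are constructed for the example; the patent states neither the limit values nor the record format.

```python
# Added example, not code from the patent: the defense program's analysis step.
# Each captured packet is reduced to its five-tuple plus a timestamp; a source is
# flagged when, inside a sliding time window, it touched more distinct intranet
# application ports than allowed or exceeded a hit limit. The records below are
# constructed for the example; the thresholds and window are assumptions.
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timezone
from typing import NamedTuple


class Record(NamedTuple):
    ts: float        # seconds since the epoch, from the timestamp added on capture
    src: str
    dst: str
    sport: int
    dport: int
    proto: str


# Constructed sample capture: "timestamp src dst sport dport proto".
SAMPLE_CAPTURE = """\
2024-03-01T08:00:00Z 10.0.0.5   10.0.1.20 51000 443  tcp
2024-03-01T12:00:00Z 10.0.0.5   10.0.1.20 51001 443  tcp
2024-03-01T18:00:00Z 10.0.0.5   10.0.1.20 51002 443  tcp
2024-03-01T09:00:00Z 192.0.2.10 10.0.1.20 40001 22   tcp
2024-03-01T09:00:01Z 192.0.2.10 10.0.1.20 40002 80   tcp
2024-03-01T09:00:02Z 192.0.2.10 10.0.1.20 40003 443  tcp
2024-03-01T09:00:03Z 192.0.2.10 10.0.1.20 40004 3306 tcp
2024-03-01T09:00:04Z 192.0.2.10 10.0.1.20 40005 8080 tcp
2024-03-01T09:00:05Z 192.0.2.10 10.0.1.20 40006 53   udp
2024-03-01T10:00:00Z 10.0.0.6   10.0.1.20 42000 22   tcp
2024-03-02T10:00:00Z 10.0.0.6   10.0.1.20 42001 80   tcp
2024-03-03T10:00:00Z 10.0.0.6   10.0.1.20 42002 443  tcp
2024-03-04T10:00:00Z 10.0.0.6   10.0.1.20 42003 3306 tcp
2024-03-05T10:00:00Z 10.0.0.6   10.0.1.20 42004 8080 tcp
2024-03-06T10:00:00Z 10.0.0.6   10.0.1.20 42005 53   udp
"""


def parse_capture(text: str) -> list[Record]:
    """Parse the constructed capture format into Record tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, sport, dport, proto = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(Record(when.timestamp(), src, dst, int(sport), int(dport), proto.lower()))
    return records


def detect_attack_sources(
    records: list[Record],
    window_seconds: float = 24 * 3600,
    max_distinct_ports: int = 5,
    max_hits: int = 1000,
) -> dict[str, str]:
    """Return {source: reason} for sources that exceed a limit inside any window.

    The window slides over each source's own events in time order, so a slow sweep
    spread across many days (10.0.0.6 in the sample) stays under the limit while a
    burst against many ports (192.0.2.10) is caught.
    """
    by_src: dict[str, list[Record]] = defaultdict(list)
    for rec in sorted(records, key=lambda r: r.ts):
        by_src[rec.src].append(rec)

    flagged: dict[str, str] = {}
    for src, events in by_src.items():
        start = 0
        for end, rec in enumerate(events):
            # Drop events that fell out of the window ending at rec.ts.
            while events[start].ts < rec.ts - window_seconds:
                start += 1
            window = events[start:end + 1]
            ports = {(e.proto, e.dport) for e in window}
            if len(ports) > max_distinct_ports:
                flagged[src] = f"{len(ports)} distinct ports within {window_seconds:.0f}s"
                break
            if len(window) > max_hits:
                flagged[src] = f"{len(window)} hits within {window_seconds:.0f}s"
                break
    return flagged


if __name__ == "__main__":
    for src, why in detect_attack_sources(parse_capture(SAMPLE_CAPTURE)).items():
        print(f"attack source {src}: {why}")
```

The window length is the parameter that decides what the rule can see: with the one-day window the text describes, a sweep that probes one port per day is never flagged, so a second, longer window (or a per-source lifetime count) is needed if slow scans matter to the drill.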
The attack program module comprises a local attack program module, a same-network-segment attack program module and a remote attack program module.
The local attack program module mainly targets the applications and services behind the local host's network ports.
The same-network-segment attack program module mainly targets the local host's network ports.
The remote attack program module mainly performs third-party traffic hijacking attacks against the local host.
1. The local attack program mainly attacks the applications and services behind the local host's network ports. Specifically, a waiting program is installed on the constructed network policy; the waiting program consists of the three parts described under items 1 to 3. The local attack program uses the Python third-party library scapy to send, sniff, parse and forge network packets, and queries the database with the received network port and IP as the lookup key to obtain the application corresponding to that port.
2. The same-network-segment attack program mainly attacks the local host's network ports. It likewise uses scapy to send, sniff, parse and forge packets: the scapy library encapsulates TCP and UDP packets and sets a range of network ports, the packets are sent in order with scapy's built-in sr1() function, and if a reply is received the port is considered open. sr1() sends a layer-3 packet and waits for a single reply, which completes the simulated attack on the network port. Attacking with layer-3 packets is equivalent to an IP-level attack on network traffic.
3. The remote attack program's main target is third-party traffic hijacking against the local host. An attack packet is built for the application as an Ether(IP(TCP())) or Ether(IP(UDP())) packet and sent as a layer-2 packet with sendp(), whose inter parameter sets the sending interval in seconds and whose loop parameter sets whether to keep sending indefinitely (1 to loop, 0 otherwise). Sending layer-2 packets simulates the scenario in which the attacker and the defender sit on paths through a router: the normal MAC-to-IP mapping on the router is altered so that the attacker hijacks the traffic, forges its identity and sends malicious packets to the defender.
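The probe logic of item 2 ("send to a range of ports; a reply means the port is open") as an added example, not code from the patent. It uses the standard socket library instead of scapy's sr1(), so it runs without root or scapy: a completed TCP connect plays the role of the SYN/ACK reply. The loopback listener is constructed for the example and stands in for the target host.

```python
# Added example, not code from the patent: the same-network-segment probe logic
# ("send to a range of ports; a reply means the port is open") written with the
# standard socket library instead of scapy's sr1(), so that it runs without root
# or scapy. A TCP connect that completes plays the role of the SYN/ACK reply.
# The listener below is constructed for the example and stands in for the target.
from __future__ import annotations

import socket
import threading
from typing import Iterable


def start_listener(host: str = "127.0.0.1") -> tuple[socket.socket, int]:
    """Bind a TCP listener on an ephemeral loopback port and accept in the background."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(8)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # listener closed
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def probe_tcp_ports(host: str, ports: Iterable[int], timeout: float = 0.5) -> dict[int, bool]:
    """Probe each port in order. True = a connection completed (the port answered),
    False = refused or timed out. A timeout is reported as closed, which carries the
    same ambiguity as no reply to sr1(): silence does not prove nothing listens."""
    result: dict[int, bool] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            result[port] = s.connect_ex((host, port)) == 0
    return result


def closed_loopback_port() -> int:
    """Reserve an ephemeral port and release it, so the probe sees a refused connection."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> dict[int, bool]:
    """Stand up one listener, probe it and one released port, tear down, return results."""
    srv, open_port = start_listener()
    try:
        closed_port = closed_loopback_port()
        return probe_tcp_ports("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()


if __name__ == "__main__":
    for port, is_open in demo().items():
        print(f"127.0.0.1:{port} {'open' if is_open else 'closed'}")
```

A full connect is noisier than the half-open probe sr1() performs with a bare SYN, since the target's application sees an accepted connection; in a drill that is acceptable, and it is what the defense program's five-tuple capture will record.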
4. Attack-and-defense training model
First, the training database on the attack-and-defense server is accessed to obtain the drill data of the attacked servers in the managed network domain. The prior probability, conditional probability, adjustment factor and posterior probability parameters are obtained by analysis and calculation and fed into the training model for training, and the optimal defense success probability index is obtained after weighing the indicators with reference to the adjustment factor. Finally the optimal results from all regions are submitted to the central server to create the training model.
S1. Classify and aggregate the data on the attack-and-defense servers to form genuine, valid model analysis data. The analysed content (total number of drills, number of successful defenses, number of failed defenses, and the attack forms used) is classified into a data set on the following indicators: network packet loss count, network delay in milliseconds, port traffic occupancy, memory utilisation, CPU utilisation and hard-disk utilisation.
S2. Prior probability = total number of historical drill records for the network policy.
S3. Conditional probability = the drill outcome obtained by statistics over the historical drill data of the network policy according to (packet loss count, delay in milliseconds, port traffic occupancy, memory utilisation, CPU utilisation, hard-disk utilisation).
S4. Adjustment factor = number of false alarms in the historical drill data of the network policy / prior probability.
S5. Posterior probability = prior probability × adjustment factor.
Mathematical formula of the attack-and-defense training model:
ZY(D|+) = ZY(+|D)·ZY(D) / (ZY(+|D)·ZY(D) + ZY(+|N)·ZY(N))
Description of the parameters:
posterior probability = prior probability × adjustment factor, which in the notation of the formula is ZY(+|D) × adjustment factor;
D denotes a successful historical drill (defense success);
/ denotes division;
ZY(D) denotes the probability that the historical drill data of the network policy approach the real data, without taking the false alarm rate into account;
ZY(D|+) denotes the probability that the historical drill data of the network policy approach the real data, taking the false alarm rate into account;
ZY(+|D) denotes the accuracy of the historical drill data of the network policy, namely 1 − false alarm rate; for example, when the false alarm rate of the historical drills is one percent, ZY(+|D) = 1 − 0.01 = 0.99.
Description of the remaining terms:
ZY(+|N) is the false alarm rate of the historical drill data of the same network policy = number of false alarms in the historical drill data of the network policy / total number of historical drill records of the same network policy;
ZY(N) denotes the probability of the complementary event N (the drill not succeeding) in the historical drill data of the same network policy, namely 1 − ZY(D).
Step two: run the attack-and-defense drill and collect its data.
First, the central server program deployed at headquarters sends an instruction to start attack-and-defense training and issues the three program modules (network policy, defense program and attack program) to the attack-and-defense servers in each region, hereafter "attack-and-defense servers".
Second, after receiving the instruction, the attack-and-defense server looks for a local training model and, if one exists, continues the network drill. If not, it sends a request to the central server for the training model; after receiving the request, the central server issues the model to the attack-and-defense server by program execution and the drill continues.
Then the network attack-and-defense drill starts:
the attack-and-defense server sends the network policy and defense program modules to the server of the attacked target. After receiving the instruction, the attacked server automatically executes the network policy and defense program to build its local protection system. Once the three kinds of attack from the attack program have been received, the drill formally begins. When the drill ends, its results and data are stored in the training database on the attack-and-defense server, completing one drill cycle.
Step three: update the attack-and-defense training model.
First, the training database on the attack-and-defense server is accessed to obtain the drill data of the attacked servers in the managed network domain. The prior probability, conditional probability, adjustment factor and posterior probability parameters are obtained by analysis and calculation and fed into the training model for training, and the optimal defense success probability index is obtained after weighing the indicators with reference to the adjustment factor. Finally the optimal results from all regions are submitted to the central server to update the training model, completing the whole drill and model-training process.
The invention brings out the advantages of artificial intelligence in the attack-and-defense process. It addresses the problems that the security policies of existing networked, distributed local networks differ and that private data cannot conveniently take part in central training, without harming the effect of central model training, and it greatly reduces the training load of the central model. The defensive capability and latent problems of the local network are comprehensively tested by combining local, same-IP-segment and remote attack and defense, and the central defense model is refined through artificial-intelligence learning and training. The invention overcomes the problem of model bias and reduces computational complexity.
Scapy is a powerful tool written in Python, and the module is used by many excellent network scanning and attack tools today. It can also be used in one's own programs to send, sniff and parse network packets. Relative to Nmap it is a lower-level module, and it gives a more direct view of the various scanning and attack behaviours on the network.
By analogy, when you go to a hospital for a physical examination, the hospital gives you test results for various bodily indicators, and the doctor tells you which disease you have, or that there is none. Nmap is like the doctor, who does the work-up and reports a conclusion based on experience. Scapy is the examination equipment, which only reports the raw results; to an experienced doctor those results are clearly worth more than a colleague's opinion.
Python scapy sendp(): sendp sends layer-2 packets; inter is the interval in seconds between packets; loop sets whether the program keeps sending indefinitely, 1 to loop and 0 otherwise.
It should be noted that terms such as "upper", "lower", "left", "right", "front" and "back" used herein are for clarity of description only and are not intended to limit the scope of the invention; the relative relationships they denote may change without altering the substance of the technical content.
The above is only a preferred embodiment of the invention, and the scope of protection is not limited to the embodiment described; all technical solutions falling within the idea of the invention belong to its scope of protection. Modifications and refinements made by those skilled in the art without departing from the principle of the invention likewise fall within its scope.

Claims (7)

1. A network attack and defense exercise distributed learning method based on artificial intelligence, characterized by comprising the following steps:
step one: constructing a distributed attack and defense drilling module, comprising: deploying a network policy module, a defense program module and an attack program module in a central server to construct an attack and defense training model;
step two: acquiring attack and defense drilling data and performing the attack and defense drilling;
step three: updating the attack and defense training model.
2. The distributed learning method for network attack and defense drilling based on artificial intelligence as claimed in claim 1, wherein the network policy module executes a set of Linux system commands through a program deployed in the central server to construct a network policy; protection rules are set according to three parameters, namely intranet IP, network port and protocol, and when network traffic matches any one of the rules, traffic access is allowed.
3. The distributed learning method for network attack and defense drilling based on artificial intelligence as claimed in claim 1, wherein the defense program module performs data sniffing and packet capture on the newly deployed network policy module by sending an attack instruction; parses the five-tuple of each sniffed message, i.e. source address, destination address, source port, destination port and protocol; adds a timestamp and stores the messages by class; analyzes the five-tuple information together with the timestamp to obtain the message analysis characteristics for one day; determines a message to be an attack message if the number of times a given source address accesses an intranet application port in one day exceeds a set upper limit; reports the defense data result to the database for storage; and the back-door program executes a self-destruct command according to the identification update state of the defense data result stored in the database.
4. The network attack and defense exercise distributed learning method based on artificial intelligence as claimed in claim 1, wherein the attack program module comprises a local attack program module, a same-network-segment attack program module and a remote (different-location) attack program module; the local attack program attacks the applications and services corresponding to the local network ports, the same-network-segment attack program attacks the local network ports, and the remote attack program carries out third-party traffic hijacking attacks against the local host.
5. The network attack and defense exercise distributed learning method based on artificial intelligence as claimed in claim 1, wherein the second step is specifically: an attack and defense training start instruction is sent through the central server program deployed at headquarters, and the three program modules, namely the network policy, defense program and attack program modules, are issued to the attack and defense servers in the various regions. After receiving the instruction, an attack and defense server searches for a local attack and defense training model: if one exists, network attack and defense drilling continues; if not, the server sends a request to the central server for an attack and defense training model instruction, the central server sends the attack and defense training model to the corresponding attack and defense server through program execution, and the drilling continues. When network attack and defense drilling starts, the attack and defense server sends the network policy and defense program modules to the server of the attacked target, and the attacked server automatically executes the network policy and defense program after receiving the instruction to build a local protection system; after three attacks by the attack program have been received, the attack and defense drilling formally starts; after the drilling is finished, the drilling result and data are stored in the training database of the attack and defense server, and one attack and defense drilling process is complete.
6. The network attack and defense drilling distributed learning method based on artificial intelligence, characterized in that the attack and defense training model accesses the training database on an attack and defense server to obtain the attack and defense drilling data of the attacked servers in the managed network domain; prior probability, conditional probability, adjustment factor and posterior probability parameters are obtained through analysis and calculation and fed into the attack and defense training model for training; the adjustment factor is consulted to obtain the optimal defense success probability index after the various indices are balanced; and the optimal defense success probability results of the various regions are submitted to the central server to create the attack and defense training model.
7. The network attack and defense exercise distributed learning method based on artificial intelligence as claimed in claim 1, wherein the third step is specifically: accessing the training database on an attack and defense server to obtain the attack and defense drilling data of the attacked servers in the managed network domain; obtaining prior probability, conditional probability, adjustment factor and posterior probability parameters through analysis and calculation and feeding them into the attack and defense training model for training; consulting the adjustment factor to obtain the optimal defense success probability index after the various indices are balanced; and finally submitting the optimal defense success probability results of the various regions to the central server to update the attack and defense training model, thereby completing the whole attack and defense drilling and model training process.
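The detection rule of claim 3 (per-day five-tuple counting against an upper limit) applied to traffic that matches the IP/port/protocol protection rules of claim 2, as an added example that is not the patent's own code. The record layout, the rule set, the sample messages and the choice to treat the rule set as the list of intranet application ports are all assumptions of this example.

```python
# Added example, not the patent's code: the per-day five-tuple counting rule of
# claim 3 applied to traffic matching the protection rules of claim 2.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Rule:
    """One protection rule: intranet IP, network port and protocol (claim 2)."""
    ip: str
    port: int
    proto: str

# Constructed rule set; traffic matching ANY rule is allowed through (claim 2).
RULES = [Rule("10.0.0.5", 443, "tcp"), Rule("10.0.0.7", 22, "tcp")]

def allowed(dst_ip, dst_port, proto, rules=RULES):
    """Claim 2 match: allow when some rule's IP, port and protocol all match."""
    return any(r.ip == dst_ip and r.port == dst_port and r.proto == proto
               for r in rules)

def count_by_source_and_day(records, rules=RULES):
    """records: (iso_timestamp, src_ip, dst_ip, src_port, dst_port, proto).
    Returns {(day, src_ip): accesses to protected intranet application ports}.
    Treating the rule set as the list of application ports is an assumption."""
    counts = defaultdict(int)
    for ts, src, dst, _sport, dport, proto in records:
        if not allowed(dst, dport, proto, rules):
            continue  # not a protected application port; not counted
        day = datetime.fromisoformat(ts).date().isoformat()  # one-day buckets
        counts[(day, src)] += 1
    return counts

def flag_attack_sources(records, limit, rules=RULES):
    """Claim 3 decision: a source exceeding the daily upper limit is flagged."""
    counts = count_by_source_and_day(records, rules)
    return sorted((day, src, n) for (day, src), n in counts.items() if n > limit)

# Constructed sample messages: timestamp, src, dst, sport, dport, proto.
SAMPLE = [
    ("2022-07-08T09:00:01", "192.168.1.20", "10.0.0.5", 51000, 443, "tcp"),
    ("2022-07-08T09:00:02", "192.168.1.20", "10.0.0.5", 51001, 443, "tcp"),
    ("2022-07-08T09:00:03", "192.168.1.20", "10.0.0.7", 51002, 22, "tcp"),
    ("2022-07-08T09:00:04", "192.168.1.20", "10.0.0.9", 51003, 80, "tcp"),  # unprotected
    ("2022-07-08T10:15:00", "192.168.1.30", "10.0.0.5", 52000, 443, "tcp"),
    ("2022-07-09T08:00:00", "192.168.1.20", "10.0.0.5", 53000, 443, "tcp"),  # new day
]
```

Calling `flag_attack_sources(SAMPLE, limit=2)` flags only 192.168.1.20 on 2022-07-08, because its fourth message hits an unprotected port and its 2022-07-09 message falls into a fresh daily bucket.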
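The prior probability, conditional probability, adjustment factor and posterior probability chain of claims 6 and 7, carried through as a Bayesian update per region, as an added example that is not the patent's own code. Defining the adjustment factor as P(E|H) / P(E) and the drill likelihood values below are assumptions of this example; the patent states no formula.

```python
# Added example, not the patent's code: the prior -> conditional probability ->
# adjustment factor -> posterior chain of claims 6 and 7 as a Bayesian update.
# Adjustment factor = P(E|H) / P(E) is this example's assumption.

def adjustment_factor(p_e_given_success, p_e_given_failure, prior):
    """P(E|H) / P(E), with P(E) expanded over 'defense succeeded' (H) and
    'defense failed' (not H). Returns 1.0 (no information) when P(E) is 0."""
    p_e = p_e_given_success * prior + p_e_given_failure * (1.0 - prior)
    return p_e_given_success / p_e if p_e > 0 else 1.0

def posterior(prior, p_e_given_success, p_e_given_failure):
    """Posterior = prior x adjustment factor; stays <= 1 because P(E|H)P(H) <= P(E)."""
    return prior * adjustment_factor(p_e_given_success, p_e_given_failure, prior)

def train_region(prior, drills):
    """One region's training: apply the update once per drill record, each
    record being (P(observed data | success), P(observed data | failure))."""
    p = prior
    for p_e_h, p_e_not_h in drills:
        p = posterior(p, p_e_h, p_e_not_h)
    return p

def best_region(region_results):
    """Central server step: the region with the highest defense success probability."""
    return max(region_results.items(), key=lambda kv: kv[1])

# Constructed drill evidence per region: how likely the observed drill data
# are under 'defense succeeded' versus 'defense failed'.
DRILLS = {
    "region-a": [(0.9, 0.3), (0.8, 0.4), (0.7, 0.5)],
    "region-b": [(0.6, 0.6), (0.4, 0.7)],
}

def run_training(prior=0.5, drills=DRILLS):
    """Posterior defense success probability per region, to be submitted to the center."""
    return {region: train_region(prior, d) for region, d in drills.items()}

if __name__ == "__main__":
    results = run_training()
    for region, p in results.items():
        print(f"{region}: defense success probability {p:.3f}")
    print("best:", best_region(results)[0])
```

Evidence that is equally likely under success and failure (region-b's first drill) leaves the probability unchanged, which is the property that makes the factor an adjustment rather than a vote.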

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210797079.XA CN115296850A (en) 2022-07-08 2022-07-08 Network attack and defense exercise distributed learning method based on artificial intelligence


Publications (1)

Publication Number Publication Date
CN115296850A true CN115296850A (en) 2022-11-04

Family

ID=83821469

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210797079.XA Pending CN115296850A (en) 2022-07-08 2022-07-08 Network attack and defense exercise distributed learning method based on artificial intelligence

Country Status (1)

Country Link
CN (1) CN115296850A (en)



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination