CN115473672B - Leak-proof detection method based on online interactive WEB dynamic defense - Google Patents


Info

Publication number
CN115473672B
CN115473672B (application CN202210927928.9A)
Authority
CN
China
Prior art keywords
neural network
network model
intrusion
individuals
data
Prior art date
Legal status
Active
Application number
CN202210927928.9A
Other languages
Chinese (zh)
Other versions
CN115473672A (en)
Inventor
凌颖
余通
杨春燕
黎新
宾冬梅
韩松明
谢铭
明少锋
唐福川
卢杰科
Current Assignee
Electric Power Research Institute of Guangxi Power Grid Co Ltd
Original Assignee
Electric Power Research Institute of Guangxi Power Grid Co Ltd
Priority date
Filing date
Publication date
Application filed by Electric Power Research Institute of Guangxi Power Grid Co Ltd
Priority to CN202210927928.9A
Publication of CN115473672A
Application granted
Publication of CN115473672B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • G06N3/086 Learning methods using evolutionary algorithms, e.g. genetic algorithms or genetic programming
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Abstract

The invention relates to the technical field of network vulnerability detection, and particularly discloses a leak-proof detection method based on online interactive WEB dynamic defense, which comprises the steps of: capturing, through an intrusion detection system, the data sent by a honeypot system; establishing a neural network model, optimizing the linear weights of the neural network model with a locally improved genetic algorithm, grading the danger level of the input data with the optimized neural network model, and generating rules for distinguishing dangerous behaviors; inputting the captured data into the optimized neural network model, which outputs the type of the data; marking the data according to its type and acquiring intrusion rules from it; and replacing the corresponding old rules with the new intrusion rules while deleting the old rules, thereby expanding the rule base of the intrusion detection system. When the honeypot system and the intrusion detection system are operated in combination, the system burden of the intrusion detection system is not increased, and detection efficiency and accuracy are improved.

Description

Leak-proof detection method based on online interactive WEB dynamic defense
Technical Field
The invention belongs to the technical field of network vulnerability detection, and particularly relates to a leak-proof detection method based on online interactive WEB dynamic defense.
Background
With the continuous development of information technology, the traditional modes of production and daily life have changed greatly and productivity has advanced, but serious network security threats have come with it. Preventing penetration and scanning by hackers has become an important part of current network security. Traditional security protections such as firewalls, bastion hosts, encryption and intrusion detection lack initiative and timeliness.
For the problem that network security protection in the related art lacks initiative and timeliness, no effective solution has been proposed at present.
Disclosure of Invention
The main purpose of the application is to provide a leak-proof detection method based on online interactive WEB dynamic defense, so as to solve the problem that network security protection in the related art lacks initiative and timeliness.
To achieve the above purpose, the invention provides a leak-proof detection method based on online interactive WEB dynamic defense, which comprises the following steps:
the intrusion detection system captures data sent by the honeypot system;
establishing a neural network model, optimizing the linear weight of the neural network model by adopting a locally improved genetic algorithm to obtain an optimized neural network model, dividing the dangerous degree of the input data by the optimized neural network model, and generating a rule for distinguishing dangerous behaviors;
inputting the captured and transmitted data into an optimized neural network model, outputting the type of the data by the optimized neural network model, marking according to the type, acquiring intrusion rules from the data marked as dangerous behaviors, replacing the corresponding old rules by new intrusion rules in the intrusion rules, and deleting the old rules, so that the generated new rules are expanded into a rule base of the intrusion detection system.
Optimizing the linear weights of the neural network model using a locally improved genetic algorithm includes: calculating the connection weights between the hidden layer and the output layer by the least-squares method, and optimizing the number of hidden nodes with a genetic algorithm.
Further, the optimizing the linear weight of the neural network model by adopting the locally improved genetic algorithm specifically comprises the following steps:
setting an initial value of a genetic algorithm;
binary coding is carried out on the number of hidden nodes according to the set range, and an initial population is randomly generated;
calculating the fitness of each individual in the population, wherein the classification accuracy of the least-squares support vector machine is used as the objective function value, namely the fitness of the individual: the higher the classification accuracy of the parameters corresponding to an individual, the higher its fitness;
according to the fitness of the individuals, selecting the individuals from the current population according to a set rule to enter the next generation;
selecting two individuals in the population as parents to perform crossover operation with crossover probability to generate two new individuals;
randomly selecting individuals in the population to perform mutation operation according to mutation probability, and generating new individuals by randomly changing certain genes in the individuals;
setting a termination condition, including: if T is not less than 1 and is the maximum iteration number, the initial population is randomly generated again; if T > 1, or the change in average fitness has continuously exceeded a certain constant for a certain number of generations, the individual with the maximum fitness obtained so far is output as the optimal solution, and the algorithm terminates;
and decoding the obtained optimal solution to obtain the optimal number of hidden nodes.
Further, individuals are selected from the current population for the next generation according to their fitness using roulette-wheel selection.
Further, the neural network model classifies the data using unsupervised clustering.
Further, the knowledge base of the neural network model comprises a normal sample base and an abnormal behavior pattern base, wherein the normal sample base is used for screening abnormal behaviors, and the abnormal behavior pattern base is used for confirming specific attack patterns.
In order to achieve the above object, according to another aspect of the present application, there is also provided a leak-proof detection device based on online interactive WEB dynamic defense, the device including:
the intrusion detection system is used for acquiring data sent by the honeypot system; and
the data analysis unit is used for constructing a neural network model, and optimizing the linear weight of the neural network model by adopting a locally improved genetic algorithm to obtain an optimized neural network model; the method comprises the steps of inputting captured and transmitted data into an optimized neural network model, outputting the type of the data by the optimized neural network model, marking according to the type, acquiring intrusion rules from classified data, replacing the corresponding old rules by new intrusion rules in the intrusion rules, deleting the old rules, and expanding the generated new rules into a rule base.
According to another aspect of the embodiments of the present application, there is further provided a computer-readable storage medium, where the storage medium includes a stored program, and where the program executes the leak-proof detection method based on online interactive WEB dynamic defense as described in any one of the above.
According to another aspect of the embodiments of the present application, there is also provided an electronic device including one or more processors, a memory, a display device, and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, and the one or more programs include instructions for performing the leak-proof detection method based on online interactive WEB dynamic defense of any one of the above.
Compared with the prior art, the invention has the following beneficial effects:
According to the leak-proof detection method based on online interactive WEB dynamic defense, the following steps are adopted: capturing, through an intrusion detection system, the data sent by the honeypot system; establishing a neural network model, optimizing its linear weights with a locally improved genetic algorithm to obtain an optimized neural network model, grading the danger level of the input data with the optimized model, and generating rules for distinguishing dangerous behaviors; inputting the captured data into the optimized neural network model, which outputs the type of the data; marking the data according to its type, acquiring intrusion rules from the data marked as dangerous behavior, replacing the corresponding old rules with the new intrusion rules and deleting the old rules, so that the generated new rules expand the rule base of the intrusion detection system. When the honeypot system and the intrusion detection system are operated in combination, the knowledge base and the data sources of the intrusion rule base are connected, the system burden of the intrusion detection system is not increased, and detection efficiency and accuracy can be improved.
Drawings
In order to more clearly illustrate the technical solutions of the present invention, the drawings that are needed in the description of the embodiments will be briefly described below, it being obvious that the drawing in the description below is only one embodiment of the present invention, and that other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a leak detection method based on online interactive WEB dynamic defense according to an embodiment of the present application;
fig. 2 is a schematic diagram of a leak detection device based on online interactive WEB dynamic defense according to an embodiment of the application.
Detailed Description
It should be noted that, in the case of no conflict, the embodiments and features in the embodiments may be combined with each other. The present application will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
In order to make the present application solution better understood by those skilled in the art, the following description will be made in detail and with reference to the accompanying drawings in the embodiments of the present application, it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, shall fall within the scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of the present application and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate in order to describe the embodiments of the present application described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
According to the embodiment of the application, a leak-proof detection method based on online interactive WEB dynamic defense is provided.
In one type of honeypot system, honeypots are merely tools for observing the characteristics of attacks, classifying them, creating rules, and updating an existing intrusion detection system. The invention uses the log files generated by the honeypots as the data source: the attacker's behavior characteristic files are collected and transmitted to the intrusion detection system, where the log files serve as the data source from which the rule base of the intrusion detection system learns.
Fig. 1 is a flowchart of a leak detection method based on online interactive WEB dynamic defense according to an embodiment of the present application. As shown in fig. 1, the method comprises the steps of:
Step 10: the intrusion detection system captures the data transmitted by the honeypot system. Because the source data comes from the honeypot system, it can be treated as a log file recording intrusion behavior, so it can be learned directly by the neural network without passing through the protocol analysis of the intrusion detection system.
After capturing the data, the intrusion detection system preprocesses it, namely extracts data features through protocol analysis and stores them in a one-dimensional vector; after preprocessing, the vector enters the neural network model for detection.
Step 20: build a neural network model, optimize its linear weights with a locally improved genetic algorithm to obtain an optimized neural network model, grade the danger level of the input data with the optimized model, and generate rules for distinguishing dangerous behaviors.
The dangerous degree of the behavior comprises safety behavior and dangerous behavior. The knowledge base of the neural network model comprises a normal sample base and an abnormal behavior pattern base, wherein the normal sample base is used for screening abnormal behaviors, and the abnormal behavior pattern base is used for confirming specific attack patterns.
Specifically, determining the neural network structure includes a training stage and an evolution stage, covering the determination of the number of hidden nodes, the center parameters of the hidden nodes, the width parameters and so on. The neural network searches for the optimal solution by a global approximation method, so its convergence is slow, it easily falls into a local optimum, the error convergence in the initial stage is not ideal, and there is a divergence stage. This is detrimental to determining both the number of hidden layers and the number of hidden nodes. In this respect, the genetic algorithm has a relatively high convergence rate, good search capability and implicit parallelism, does not need gradient information about the objective function, does not require the objective function to be continuous, and is therefore well suited to optimizing the network used to analyze the honeypot log files. Thus, optimizing the linear weights of the neural network model with a locally improved genetic algorithm includes: calculating the connection weights between the hidden layer and the output layer by the least-squares method, and optimizing the number of hidden nodes with a genetic algorithm. Learning and optimization alternate until the number of hidden nodes reaches the minimum number of basis functions that meets the error requirement. In the genetic algorithm, the network's topology, connection weights, node center parameters and width parameters are treated as a whole and encoded into chromosomes; a large number of individuals and groups are generated in the initialization stage, and then the overall optimization is carried out.
The linear weight of the neural network model is optimized by adopting a locally improved genetic algorithm, and the method specifically comprises the following steps of:
Step 201: set the initial values of the genetic algorithm, such as the initial population size, the maximum number of generations T, the crossover probability, the mutation probability, and so on.
Step 202: binary-code the number of hidden nodes according to the set range and randomly generate an initial population; the chromosome is formed by concatenating the binary sequences of all parameters, and its length is the sum of the binary lengths of all parameters. Optionally, a generation counter t = 0 is set.
Step 203: calculate the fitness of each individual in the population, taking the classification accuracy of the least-squares support vector machine as the objective function value, namely the fitness of the individual; the higher the classification accuracy of the parameters corresponding to an individual, the higher its fitness.
Step 204: select individuals from the current population according to their fitness and the set rules to enter the next generation.
Optionally, roulette-wheel selection is used to select individuals from the current population for the next generation.
Step 205: select two individuals x1, x2 in the population as parents and perform the crossover operation with the crossover probability, producing two new individuals.
Optionally, single-point crossover is used, with the crossover probability set to 0.8.
Step 206: randomly select individuals in the population to undergo the mutation operation with the mutation probability, generating new individuals by randomly changing certain genes of the individuals.
Optionally, the mutation probability is set to 0.05.
Step 207: set a termination condition, including: if T is not less than 1 and is the maximum iteration number, return to step 202 and randomly generate an initial population again; if T > 1, or the change in average fitness has continuously exceeded a certain constant for a certain number of generations, output the individual with the largest fitness obtained so far as the optimal solution and terminate the algorithm.
Step 208: decode the obtained optimal solution to obtain the optimal number of hidden nodes.
Setting a neural network model according to the obtained optimal hidden node number to obtain an optimized neural network model, wherein the optimized neural network model carries out the following processing on logs from honeypots:
(1) Classify the data using unsupervised clustering. The intrusion behavior added to the log records differs significantly from normal behavior and can be distinguished by its attributes. Another characteristic is that the number of intrusion records is much greater than the number of normal actions.
(2) Mark the classes. Distinguish normal behavior from intrusion behavior and set a mark.
(3) Extract new intrusion rules from the classified data, compare the generated new rules with the rules existing in the intrusion detection system, delete the items whose rules are identical, and expand the generated new rules into the rule base.
Step 30: input the captured data into the optimized neural network model, which outputs the type of the data; mark the data according to its type, acquire intrusion rules from the data marked as dangerous behavior, replace the corresponding old rules with the new intrusion rules and delete the old rules, so that the generated new rules expand the rule base of the intrusion detection system.
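As an added illustration (not the patent's own code), the following Python models the preprocessing of step 10, the marking in (1)-(2) and the rule-base update in (3) and step 30. The honeypot log lines are constructed, the classifier standing in for the optimized neural network is a hypothetical threshold function, and the (key, pattern, version) rule representation is an assumption.

```python
"""Honeypot log -> feature vectors -> marked records -> rule-base update.

Added illustration, not the patent's code. The log lines are constructed,
the classifier stands in for the optimised neural network, and the
(key, pattern, version) rule format is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed web-honeypot log: "<source> <method> <path> <status> <bytes>".
SAMPLE_LOG = """\
203.0.113.7 GET /index.html 200 4512
203.0.113.7 GET /about.html 200 1208
198.51.100.9 GET /static/../../etc/passwd 404 0
198.51.100.9 POST /login.php 401 0
198.51.100.9 POST /login.php 401 0
198.51.100.9 POST /login.php 401 0
203.0.113.7 GET /robots.txt 200 30
"""


@dataclass(frozen=True)
class Record:
    src: str
    method: str
    path: str
    status: int
    size: int


def parse_log(text: str) -> List[Record]:
    """Protocol-analysis stand-in: split each honeypot log line into fields."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit() or not parts[4].isdigit():
            continue  # malformed line: skip it rather than abort the whole batch
        records.append(Record(parts[0], parts[1], parts[2], int(parts[3]), int(parts[4])))
    return records


def featurize(rec: Record) -> List[float]:
    """Step 10 preprocessing: one-dimensional feature vector per record."""
    return [
        1.0 if rec.method == "POST" else 0.0,
        float(len(rec.path)),
        1.0 if "../" in rec.path else 0.0,   # directory-traversal marker
        float(rec.status // 100),            # status class (2xx, 4xx, ...)
        float(rec.size),
    ]


def stand_in_classifier(vec: List[float]) -> str:
    """Hypothetical replacement for the optimised model's output type (step 30)."""
    is_post, traversal, status_class = vec[0], vec[2], vec[3]
    return "dangerous" if traversal == 1.0 or (is_post == 1.0 and status_class == 4.0) else "safe"


@dataclass(frozen=True)
class Rule:
    key: str       # behaviour the rule covers; a newer rule with the same key replaces the old
    pattern: str   # regular expression matched against the request path
    version: int


def extract_rules(records: List[Record], classify: Callable[[List[float]], str],
                  version: int) -> List[Rule]:
    """Steps (2)-(3): mark each record and derive rules from those marked dangerous."""
    rules = []
    for rec in records:
        if classify(featurize(rec)) != "dangerous":
            continue
        if "../" in rec.path:
            rules.append(Rule("path-traversal", r"\.\./", version))
        elif rec.status == 401:
            rules.append(Rule("auth-failure:" + rec.path, re.escape(rec.path), version))
    return rules


def merge_rules(base: Dict[str, Rule], new_rules: List[Rule]) -> Tuple[int, int, int]:
    """Step 30: add new rules, replace old rules with the same key, drop exact duplicates.

    Returns (added, replaced, dropped)."""
    added = replaced = dropped = 0
    for rule in new_rules:
        old = base.get(rule.key)
        if old is None:
            base[rule.key] = rule
            added += 1
        elif old.pattern == rule.pattern:
            dropped += 1                   # identical rule already in the base
        else:
            base[rule.key] = rule          # new rule replaces it; old rule is deleted
            replaced += 1
    return added, replaced, dropped


def matches(base: Dict[str, Rule], path: str) -> List[str]:
    """Keys of every rule in the base whose pattern matches the request path."""
    return sorted(k for k, r in base.items() if re.search(r.pattern, path))


if __name__ == "__main__":
    rule_base = {"path-traversal": Rule("path-traversal", r"\.\.", 1)}  # pre-existing old rule
    fresh = extract_rules(parse_log(SAMPLE_LOG), stand_in_classifier, version=2)
    print("added/replaced/dropped:", merge_rules(rule_base, fresh))
    print("rules matching /x/../y:", matches(rule_base, "/x/../y"))
```

The three identical failed-login records yield one rule plus two dropped duplicates, and the pre-existing traversal rule is replaced by the newer version rather than kept alongside it.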
In summary, according to the leak-proof detection method based on online interactive WEB dynamic defense provided by the embodiment of the application, the data sent by a honeypot system is captured through an intrusion detection system; a neural network model is established, its linear weights are optimized with a locally improved genetic algorithm to obtain an optimized neural network model, the danger level of the input data is graded with the optimized model, and rules for distinguishing dangerous behavior are generated; the captured data is input into the optimized neural network model, which outputs the type of the data; the data is marked according to its type, intrusion rules are acquired from the data marked as dangerous behavior, the corresponding old rules are replaced with the new intrusion rules and deleted, so that the generated new rules expand the rule base of the intrusion detection system. When the honeypot system and the intrusion detection system are operated in combination, the knowledge base and the data sources of the intrusion rule base are connected, the system burden of the intrusion detection system is not increased, and detection efficiency and accuracy can be improved.
It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system such as a set of computer executable instructions, and that although a logical order is illustrated in the flowcharts, in some cases the steps illustrated or described may be performed in an order other than that illustrated herein.
The embodiment of the application also provides a leak-proof detection device based on online interactive WEB dynamic defense. It should be noted that this device can be used to execute the leak-proof detection method based on online interactive WEB dynamic defense provided by the embodiment of the application. The leak-proof detection device based on online interactive WEB dynamic defense provided by the embodiment of the application is described below.
Fig. 2 is a schematic diagram of a leak detection device based on online interactive WEB dynamic defense according to an embodiment of the present application, as shown in fig. 2, the device includes: intrusion detection system 302 and data analysis unit 302.
The intrusion detection system 302 is configured to acquire data sent by the honeypot system 301;
the data analysis unit 302 is configured to construct a neural network model, and optimize a linear weight of the neural network model by adopting a locally improved genetic algorithm to obtain an optimized neural network model; the method comprises the steps of inputting captured and transmitted data into an optimized neural network model, outputting the type of the data by the optimized neural network model, marking according to the type, obtaining intrusion rules from classified data, replacing old rules corresponding to new intrusion rules in the intrusion rules, deleting the old rules, and expanding the generated new rules into a rule base.
In summary, in the leak-proof detection device based on online interactive WEB dynamic defense provided by the embodiment of the application, the intrusion detection system 302 acquires the data sent by the honeypot system 301; the data analysis unit 302 builds a neural network model and optimizes its linear weights with a locally improved genetic algorithm to obtain an optimized neural network model; the captured data is input into the optimized neural network model, which outputs the type of the data; the data is marked according to its type, intrusion rules are obtained from the classified data, the old rules corresponding to the new intrusion rules are replaced and deleted, and the generated new rules are expanded into the rule base. When the honeypot system 301 and the intrusion detection system 302 operate in combination, the knowledge base and the data source of the intrusion rule base are linked, so the system burden of the intrusion detection system 302 is not increased and detection efficiency and accuracy can be improved.
Optionally, after capturing the data, the intrusion detection system 302 pre-processes the data, i.e. extracts the data features through protocol analysis, stores the extracted data features into a one-dimensional vector, and enters the neural network model for detection after the pre-processing.
Optionally, the risk level of the behavior includes a safety behavior and a dangerous behavior. The knowledge base of the neural network model comprises a normal sample base and an abnormal behavior pattern base, wherein the normal sample base is used for screening abnormal behaviors, and the abnormal behavior pattern base is used for confirming specific attack patterns.
Correspondingly, determining the neural network structure in the data analysis unit 302 includes a training stage and an evolution stage, covering the determination of the number of hidden nodes, the center parameters of the hidden nodes, the width parameters and so on. The neural network searches for the optimal solution by a global approximation method, so its convergence is slow, it easily falls into a local optimum, the error convergence in the initial stage is not ideal, and there is a divergence stage. This is detrimental to determining both the number of hidden layers and the number of hidden nodes. In this respect, the genetic algorithm has a relatively high convergence rate, good search capability and implicit parallelism, does not need gradient information about the objective function, does not require the objective function to be continuous, and is therefore well suited to optimizing the network used to analyze the honeypot log files. Thus, optimizing the linear weights of the neural network model with a locally improved genetic algorithm includes: calculating the connection weights between the hidden layer and the output layer by the least-squares method, and optimizing the number of hidden nodes with a genetic algorithm. Learning and optimization alternate until the number of hidden nodes reaches the minimum number of basis functions that meets the error requirement. In the genetic algorithm, the network's topology, connection weights, node center parameters and width parameters are treated as a whole and encoded into chromosomes; a large number of individuals and groups are generated in the initialization stage, and then the overall optimization is carried out.
Optionally, the data analysis unit 302 optimizes the linear weights of the neural network model with a locally improved genetic algorithm, which specifically includes the following steps:
Step 201, set the initial values of the genetic algorithm, such as the initial population size, the maximum number of generations T, the crossover probability and the mutation probability.
Step 202, binary-code the number of hidden nodes over the set range and randomly generate an initial population; a chromosome is formed by concatenating the binary sequences of all parameters, and its length is the sum of the binary lengths of all parameters. Optionally, a generation counter t = 0 is set.
Step 203, calculate the fitness of each individual in the population, taking the classification accuracy of the least-squares support vector machine as the objective function value, i.e. the fitness of the individual: the higher the classification accuracy obtained with the parameters corresponding to an individual, the higher that individual's fitness.
Step 204, according to the fitness of the individuals and the set rule, select individuals from the current population to enter the next generation.
Optionally, roulette-wheel selection is used to select individuals from the current population for the next generation.
Step 205, select two individuals x1, x2 in the population as parents and perform the crossover operation with the crossover probability, producing two new individuals.
Optionally, single-point crossover is used, with the crossover probability set to 0.8.
Step 206, randomly select individuals in the population to undergo the mutation operation with the mutation probability; new individuals are generated by randomly changing certain genes of the selected individuals.
Optionally, the mutation probability is set to 0.05.
Step 207, set the termination condition, including: if T is not less than 1 and equals the maximum number of iterations, return to step 202 and randomly generate the initial population again; if T > 1, or the change in the average fitness value has continuously exceeded a certain constant for a certain number of generations, output the individual with the highest fitness obtained so far as the optimal solution and terminate the algorithm.
Step 208, decode the obtained optimal solution to obtain the optimal number of hidden nodes.
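Steps 201 to 208 as an added Python example that is not part of the patent. The 6-bit code over a range of 2 to 65 hidden nodes, the population size, the stall-based reading of the termination condition and the surrogate accuracy curve standing in for the least-squares SVM classification accuracy are all assumptions:

```python
import random
from typing import Callable, List, Tuple

# Added example, not the patent's code: steps 201-208 of the locally improved
# genetic algorithm. Assumptions: a 6-bit binary code over 2..65 hidden nodes,
# and a constructed surrogate curve in place of the least-squares SVM
# classification accuracy the patent uses as the fitness value.

N_MIN, BITS = 2, 6                       # assumed coded range: 2 .. 65
N_MAX = N_MIN + 2 ** BITS - 1

def encode(n_hidden: int) -> str:
    """Step 202: binary-code a hidden-node count as an offset into the range."""
    if not N_MIN <= n_hidden <= N_MAX:
        raise ValueError("hidden-node count outside the coded range")
    return format(n_hidden - N_MIN, f"0{BITS}b")

def decode(chromosome: str) -> int:
    """Step 208: recover the hidden-node count from a chromosome."""
    return N_MIN + int(chromosome, 2)

def surrogate_accuracy(n_hidden: int) -> float:
    """Constructed stand-in for LS-SVM accuracy (assumption): peaks at 20 nodes."""
    return 0.95 - 0.0004 * (n_hidden - 20) ** 2

def roulette_select(pop: List[str], fit: List[float], rng: random.Random) -> List[str]:
    """Step 204: fitness-proportionate selection with replacement (fit >= 0)."""
    return rng.choices(pop, weights=fit, k=len(pop))

def single_point_crossover(x1: str, x2: str, rng: random.Random) -> Tuple[str, str]:
    """Step 205: cut both parents at one random point and swap the tails."""
    cut = rng.randrange(1, BITS)
    return x1[:cut] + x2[cut:], x2[:cut] + x1[cut:]

def mutate(chromosome: str, p_mut: float, rng: random.Random) -> str:
    """Step 206: flip each gene independently with probability p_mut."""
    return "".join(("1" if b == "0" else "0") if rng.random() < p_mut else b
                   for b in chromosome)

def optimize_hidden_nodes(fitness: Callable[[int], float] = surrogate_accuracy,
                          pop_size: int = 20, max_gen: int = 40, p_cross: float = 0.8,
                          p_mut: float = 0.05, stall_gens: int = 8, stall_eps: float = 1e-4,
                          seed: int = 0) -> Tuple[int, float]:
    """Steps 201-208. Step 207 is read as: stop at max_gen, or earlier once the
    average fitness has moved by less than stall_eps for stall_gens generations
    in a row (an assumption; the text of the condition is ambiguous)."""
    if pop_size % 2:
        raise ValueError("pop_size must be even so that parents can be paired")
    rng = random.Random(seed)                                       # step 201
    pop = [encode(rng.randint(N_MIN, N_MAX)) for _ in range(pop_size)]  # step 202
    best, best_fit, prev_avg, stalled = pop[0], float("-inf"), None, 0
    for _t in range(max_gen):
        fit = [fitness(decode(c)) for c in pop]                     # step 203
        i = max(range(pop_size), key=fit.__getitem__)
        if fit[i] > best_fit:
            best, best_fit = pop[i], fit[i]
        avg = sum(fit) / pop_size                                   # step 207
        stalled = stalled + 1 if prev_avg is not None and abs(avg - prev_avg) < stall_eps else 0
        prev_avg = avg
        if stalled >= stall_gens:
            break
        parents = roulette_select(pop, fit, rng)                    # step 204
        pop = []
        for x1, x2 in zip(parents[0::2], parents[1::2]):
            if rng.random() < p_cross:                              # step 205
                x1, x2 = single_point_crossover(x1, x2, rng)
            pop += [mutate(x1, p_mut, rng), mutate(x2, p_mut, rng)]  # step 206
    return decode(best), best_fit                                   # step 208

if __name__ == "__main__":
    n, acc = optimize_hidden_nodes()
    print(f"optimal hidden nodes: {n} (surrogate accuracy {acc:.4f})")
```

The surrogate makes the optimum trivially known so the search can be checked; in the patent's setting the fitness call would train and score an LS-SVM for each candidate count, which is where nearly all of the running time goes.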
Optionally, in the data analysis unit 302 the neural network model is configured with the obtained optimized number of hidden nodes to give the optimized neural network model, which processes the log from the honeypot as follows:
(1) The data are classified by unsupervised clustering. Intrusion behavior added to the log records differs significantly from normal behavior and can be distinguished by its attributes. A further characteristic is that the number of intrusion records is much greater than the number of normal actions.
(2) Marking and classifying: normal behavior is distinguished from intrusion behavior, and a mark is set.
(3) New intrusion rules are extracted from the classified data. The generated new rules are compared with the existing rules of the intrusion detection system 302 so that they differ from them, items identical to existing rules are deleted, and the generated new rules are thus added to the rule base.
The present embodiment provides a computer-readable storage medium on which a program is stored; when executed by a processor, the program implements the leak-proof detection method based on online interactive WEB dynamic defense.
The present embodiment provides a processor for running a program, wherein the program, when run, performs the leak-proof detection method based on online interactive WEB dynamic defense.
The present embodiment provides an apparatus comprising one or more processors, a memory, a display device and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, and the one or more programs comprise instructions for performing the leak-proof detection method based on online interactive WEB dynamic defense.
The device here may be a server, a PC, a tablet (PAD), a mobile phone, or the like.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and changes may be made to the present application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc. which are within the spirit and principles of the present application are intended to be included within the scope of the claims of the present application.

Claims (7)

1. A leak-proof detection method based on online interactive WEB dynamic defense, characterized by comprising the following steps:
the intrusion detection system captures data sent by the honeypot system;
establishing a neural network model, optimizing the linear weights of the neural network model with a locally improved genetic algorithm to obtain an optimized neural network model, the optimized neural network model grading the input data by degree of danger and generating rules for distinguishing dangerous behavior;
inputting the captured and transmitted data into the optimized neural network model, the optimized neural network model outputting the type of the data, marking the data according to the type, acquiring intrusion rules from the data marked as dangerous behavior, replacing the corresponding old rule with the new intrusion rule among the intrusion rules and deleting the old rule at the same time, so that the generated new rules are added to the rule base of the intrusion detection system;
optimizing the linear weights of the neural network model with the locally improved genetic algorithm comprises: calculating the connection weights between the hidden layer and the output layer by the least-squares method, and optimizing the number of hidden nodes with the genetic algorithm;
optimizing the linear weights of the neural network model with the locally improved genetic algorithm specifically comprises the following steps:
setting the initial values of the genetic algorithm;
binary-coding the number of hidden nodes over the set range and randomly generating an initial population;
calculating the fitness of each individual in the population, taking the classification accuracy of the least-squares support vector machine as the objective function value, i.e. the fitness of the individual, so that the higher the classification accuracy obtained with the parameters corresponding to an individual, the higher the fitness of that individual;
according to the fitness of the individuals, selecting individuals from the current population by a set rule to enter the next generation;
selecting two individuals in the population as parents and performing the crossover operation with the crossover probability to generate two new individuals;
randomly selecting individuals in the population to perform the mutation operation with the mutation probability, and generating new individuals by randomly changing certain genes of the selected individuals;
setting a termination condition, comprising: if T is not less than 1 and equals the maximum number of iterations, randomly generating the initial population again; if T > 1, or the change in the average fitness value has continuously exceeded a certain constant for a certain number of generations, outputting the obtained individual with the highest fitness as the optimal solution and terminating the algorithm;
and decoding the obtained optimal solution to obtain the optimal number of hidden nodes.
2. The leak-proof detection method based on online interactive WEB dynamic defense according to claim 1, wherein, according to the fitness of the individuals, individuals are selected from the current population to enter the next generation by the roulette-wheel method.
3. The leak-proof detection method based on online interactive WEB dynamic defense according to claim 1, wherein the neural network model classifies data using unsupervised clustering.
4. The leak-proof detection method based on online interactive WEB dynamic defense according to claim 1, wherein the knowledge base of the neural network model comprises a normal sample library and an abnormal behavior pattern library, the normal sample library being used to screen for abnormal behavior and the abnormal behavior pattern library being used to confirm specific attack patterns.
5. A leak-proof detection device based on online interactive WEB dynamic defense, characterized by comprising:
an intrusion detection system for acquiring data sent by the honeypot system; and
a data analysis unit for constructing a neural network model and optimizing the linear weights of the neural network model with a locally improved genetic algorithm to obtain an optimized neural network model; inputting the captured and transmitted data into the optimized neural network model, the optimized neural network model outputting the type of the data, marking the data according to the type, acquiring intrusion rules from the classified data, replacing the corresponding old rules with the new intrusion rules among the intrusion rules and deleting the old rules at the same time, so that the generated new rules are added to the rule base;
optimizing the linear weights of the neural network model with the locally improved genetic algorithm comprises: calculating the connection weights between the hidden layer and the output layer by the least-squares method, and optimizing the number of hidden nodes with the genetic algorithm;
optimizing the linear weights of the neural network model with the locally improved genetic algorithm specifically comprises the following steps:
setting the initial values of the genetic algorithm;
binary-coding the number of hidden nodes over the set range and randomly generating an initial population;
calculating the fitness of each individual in the population, taking the classification accuracy of the least-squares support vector machine as the objective function value, i.e. the fitness of the individual, so that the higher the classification accuracy obtained with the parameters corresponding to an individual, the higher the fitness of that individual;
according to the fitness of the individuals, selecting individuals from the current population by a set rule to enter the next generation;
selecting two individuals in the population as parents and performing the crossover operation with the crossover probability to generate two new individuals;
randomly selecting individuals in the population to perform the mutation operation with the mutation probability, and generating new individuals by randomly changing certain genes of the selected individuals;
setting a termination condition, comprising: if T is not less than 1 and equals the maximum number of iterations, randomly generating the initial population again; if T > 1, or the change in the average fitness value has continuously exceeded a certain constant for a certain number of generations, outputting the obtained individual with the highest fitness as the optimal solution and terminating the algorithm;
and decoding the obtained optimal solution to obtain the optimal number of hidden nodes.
6. A computer-readable storage medium, characterized in that the storage medium comprises a stored program, wherein the program, when run, performs the leak-proof detection method based on online interactive WEB dynamic defense as claimed in any one of claims 1 to 4.
7. An electronic device comprising one or more processors, a memory, a display device and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the one or more programs comprising instructions for performing the leak-proof detection method based on online interactive WEB dynamic defense as claimed in any one of claims 1 to 4.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210927928.9A CN115473672B (en) 2022-08-03 2022-08-03 Leak-proof detection method based on online interactive WEB dynamic defense

Publications (2)

Publication Number Publication Date
CN115473672A CN115473672A (en) 2022-12-13
CN115473672B true CN115473672B (en) 2024-03-29

Family

ID=84365885

Country Status (1)

Country Link
CN (1) CN115473672B (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105488528A (en) * 2015-11-26 2016-04-13 北京工业大学 Improved adaptive genetic algorithm based neural network image classification method
CN106777527A (en) * 2016-11-24 2017-05-31 上海市特种设备监督检验技术研究院 Monkey operation energy consumption analysis method based on neural network model
CN110070141A (en) * 2019-04-28 2019-07-30 上海海事大学 A kind of network inbreak detection method
WO2019227366A1 (en) * 2018-05-31 2019-12-05 海能达通信股份有限公司 Slice-based rtp streaming media storage method and device, and slice-based rtp streaming media reading method and device
CN111625816A (en) * 2020-04-21 2020-09-04 江西理工大学 Intrusion detection method and device
AU2020102142A4 (en) * 2020-09-04 2020-10-15 Acharya, Biswaranjan MR Technique for multilayer protection from quantifiable vulnerabilities in industrial cyber physical system
CN112887304A (en) * 2021-01-25 2021-06-01 山东省计算中心(国家超级计算济南中心) WEB application intrusion detection method and system based on character-level neural network
CN112926265A (en) * 2021-02-28 2021-06-08 珠海复旦创新研究院 Atmospheric porous probe measurement calibration method based on genetic algorithm optimization neural network
US11061605B1 (en) * 2020-01-09 2021-07-13 International Business Machines Corporation Dynamically performing managed file transfer based on policies
WO2022012144A1 (en) * 2020-07-17 2022-01-20 湖南大学 Parallel intrusion detection method and system based on unbalanced data deep belief network

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210114606A1 (en) * 2020-12-23 2021-04-22 Intel Corporation Systems and methods for intrusion detection in vehicle systems

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
Hassan Ramchoun; Youssef Ghanou; Mohamed Ettaouil. Genetic algorithm for neural network architecture optimization. 2016 3rd International Conference on Logistics Operations Management (GOL), 2016, full text. *
Liang-Kun Guo; Xuan-Fang Yang; Jia-Lin Wang. Research on Analysis of Power System Transient Signal by Neural Network and Genetic Algorithm. 2020 IEEE 4th Information Technology, Networking, Electronic and Automation Control Conference (ITNEC), 2020, pp. 903-907. *
Mohammed Amine Janati Idrissi *
刘涛 (Liu Tao). Research on the particle swarm optimization algorithm in intrusion detection. 中国优秀硕士学位论文全文数据库 信息科技辑 (China Master's Theses Full-text Database, Information Science and Technology series), 2020-12-15, I139-95. *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant