CN115632832B - Big data attack processing method and system applied to cloud service - Google Patents


Info

Publication number: CN115632832B
Authority: CN (China)
Application number: CN202211215456.0A
Other languages: Chinese (zh)
Other versions: CN115632832A (en)
Inventors: 张东升, 宋海山
Current assignee: Shanghai Baoyun Network Information Service Co ltd
Original assignee: Shanghai Baoyun Network Information Service Co ltd
Legal status: Active (granted)
Prior art keywords: data, target, attack, flow, program

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408: Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416: Event detection, e.g. attack signature detection
    • H04L 63/1441: Countermeasures against malicious traffic
    • H04L 63/145: Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L 63/1466: Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • Y: General tagging of new technological developments; general tagging of cross-sectional technologies spanning over several sections of the IPC; technical subjects covered by former USPC cross-reference art collections [XRACs] and digests
    • Y02: Technologies or applications for mitigation or adaptation against climate change
    • Y02D: Climate change mitigation technologies in information and communication technologies [ICT], i.e. information and communication technologies aiming at the reduction of their own energy use
    • Y02D 30/00: Reducing energy consumption in communication networks
    • Y02D 30/50: Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention relates to artificial intelligence technology and discloses a big data attack processing method applied to cloud services, comprising the following steps: screening interception data from the received data of the cloud service according to an interception time domain, and extracting traffic data, program data and content data from the interception data; detecting attack events from the traffic data; detecting malicious code from the program data; performing event mining on the content data to obtain behavior events, performing big data association analysis on the attack events, the malicious code and the behavior events to obtain association attributes, and extracting attack features from the association attributes; updating the interception time domain according to the attack features, returning to the step of intercepting the received data of the cloud service according to the interception time domain to obtain standard attack features, and filtering the received data according to the standard attack features. The invention also provides a big data attack processing system applied to cloud services. The method and system can improve the efficiency of attack processing for cloud services.

Description

Big data attack processing method and system applied to cloud service
Technical Field
The invention relates to the technical field of artificial intelligence, in particular to a big data attack processing method and system applied to cloud service.
Background
With the development of computer technology, demand for cloud services keeps growing. To improve the security of cloud services and keep them working efficiently, a cloud service data processing system needs to be built to handle data attacks aimed at cloud services.
Most existing cloud service attack processing techniques detect a single kind of attack data by traffic analysis and then intercept it in a targeted way. For example, session anomaly detection on the cloud service retrieves the sending IP of the anomalous data and then blocks that IP directionally. In practice, however, the cloud service carries many types of data, attack programs are highly concealed, and analysing traffic alone may give low attack-detection accuracy and slow data analysis, so attack processing on the cloud service is inefficient.
Disclosure of Invention
The invention provides a big data attack processing method and system applied to cloud services, mainly aiming to solve the problem of low efficiency when performing attack processing on cloud services.
To achieve this, the invention provides a big data attack processing method applied to cloud services, comprising:
screening interception data from the received data of the cloud service according to an interception time domain, and extracting traffic data, program data and content data from the interception data;
extracting traffic features from the traffic data, and detecting attack events from the traffic data according to the traffic features;
extracting code features from the program data, and detecting malicious code from the program data according to the code features;
performing event mining on the content data to obtain behavior events, performing big data association analysis on the attack events, the malicious code and the behavior events to obtain association attributes, and extracting attack features from the association attributes;
updating the interception time domain according to the attack features, returning to the step of intercepting the received data of the cloud service according to the interception time domain to obtain standard attack features, and filtering the received data according to the standard attack features.
Optionally, extracting traffic data, program data and content data from the interception data includes:
performing traffic monitoring on the interception data to obtain traffic data;
screening program data from the interception data according to data type;
and performing behavior tracking on the interception data to obtain content data.
Optionally, screening program data from the interception data according to data type includes:
splitting the interception data into a plurality of data file packages;
selecting the data file packages one by one as target file packages, and taking the suffix name (file extension) of each target file package as the target suffix name;
judging whether the target suffix name matches a program suffix name in a preset program suffix library;
when the target suffix name does not match any program suffix name, returning to the step of selecting the data file packages one by one as target file packages;
and when the target suffix name matches a program suffix name, adding the target file package to the program data.
Optionally, extracting the traffic features from the traffic data includes:
dividing the traffic data into a plurality of data flows, and tracing the data flows one by one to obtain a communication address set;
verifying the addresses in the communication address set one by one to obtain the number of spoofed addresses, and calculating the spoofed-address rate from that number;
selecting the data flows one by one as target data flows, taking the traffic volume of each target data flow as the target traffic, and extracting the paired (repeated) data proportion from the target data flow;
calculating the traffic growth rate of the target data flow from the target traffic and the paired data proportion using the following traffic growth rate formula:
wherein G is the traffic growth rate, n is the target traffic, E is the paired data proportion, and T is the transmission time of the target data flow;
extracting the number of packets, the number of bits and the flow life cycle from the target data flow;
and collecting the traffic growth rate, packet count, bit count, flow life cycle and spoofed-address rate of every data flow into the traffic features.
Optionally, detecting an attack event from the traffic data according to the traffic features includes:
selecting the data flows in the traffic data one by one as target data flows, and taking the traffic features of each target data flow as the target traffic features;
obtaining the average traffic features corresponding to the target traffic features from a preset traffic feature library;
calculating the feature deviation value of the target traffic features using the following feature deviation algorithm:
wherein V is the feature deviation value; α, β, γ, δ and ε are preset traffic feature weights; G is the traffic growth rate and D the spoofed-address rate in the target traffic features; p, b and l are the packet count, bit count and flow life cycle in the target traffic features, and their counterparts in the average traffic features are the average packet count, average bit count and average flow life cycle;
judging whether the feature deviation value is greater than a preset deviation threshold;
when the feature deviation value is less than or equal to the deviation threshold, returning to the step of selecting the data flows in the traffic data one by one as target data flows;
and when the feature deviation value is greater than the deviation threshold, treating the target data flow as an abnormal data flow and the event corresponding to it as an attack event.
Optionally, extracting the code features from the program data includes:
dividing the program data into a plurality of program packages;
selecting the program packages one by one as target program packages, performing byte code conversion on each target program package to obtain the target program byte code, and performing byte feature extraction on the target program byte code with a preset byte sliding window to obtain the byte entropy;
performing character code conversion on the target program package to obtain the target program character code, and performing character feature extraction on the target program character code with a preset character sliding window to obtain the character entropy;
extracting the executable file header from the target program package, and extracting protocol features from the executable file header to obtain a protocol array;
extracting numerical information from the executable file header to obtain a compile value;
and taking the byte entropy, character entropy, protocol array and compile value as the code features of the target program package.
Optionally, detecting malicious code from the program data according to the code features includes:
selecting the program packages in the program data one by one as target program packages, and performing attribute detection on the code features of each target program package to obtain a program attribute;
judging whether the program attribute is a malicious attribute;
when the program attribute is a malicious attribute, treating the target program package as malicious code;
when the program attribute is not a malicious attribute, extracting development attribute features from the developer remarks of the target program package, name attribute features from the package name of the target program package, and program attribute features from the program attribute;
calculating the suspicion degree of the target program package from the development attribute features, name attribute features and program attribute features using the following suspicion degree formula:
wherein A is the suspicion degree, ω is a preset suspicion countermeasure coefficient, arccos is the inverse cosine function, P is the program attribute feature, K is the development attribute feature and N is the name attribute feature;
judging whether the suspicion degree is greater than a preset suspicion threshold;
when the suspicion degree is greater than the suspicion threshold, treating the target program package as malicious code;
and when the suspicion degree is less than or equal to the suspicion threshold, returning to the step of selecting the program packages in the program data one by one as target program packages.
To solve the above problems, the invention further provides a big data attack processing system applied to cloud services, comprising:
a data classification module for screening interception data from the received data of the cloud service according to an interception time domain, and extracting traffic data, program data and content data from the interception data;
an attack event module for extracting traffic features from the traffic data and detecting attack events from the traffic data according to the traffic features;
a malicious code module for extracting code features from the program data and detecting malicious code from the program data according to the code features;
an association analysis module for performing event mining on the content data to obtain behavior events, performing big data association analysis on the attack events, the malicious code and the behavior events to obtain association attributes, and extracting attack features from the association attributes;
and an attack processing module for updating the interception time domain according to the attack features, returning to the step of intercepting the received data of the cloud service according to the interception time domain to obtain standard attack features, and filtering the received data according to the standard attack features.
In the embodiment of the invention, extracting traffic data, program data and content data from the interception data allows the interception data to be security-checked from three directions, so that hidden attack data can be found from the correlation between the three detection results and the recognition rate of attack data is improved. Extracting traffic features from the traffic data and detecting attack events from abnormal fluctuations of the traffic gives a preliminary screening of data attacks without having to execute the program data, which saves malicious code detection time.
Detecting malicious code from the program data by attribute detection followed by a suspicion degree judgement improves both the recognition rate and the precision of malicious code detection. Performing big data association analysis on the attack events, the malicious code and the behavior events to obtain association attributes, and extracting attack features from them, correlates traffic, malicious programs and user behavior events effectively, which speeds up big data processing and attack handling. Updating the interception time domain according to the attack features to obtain standard attack features lets the detection cycle length be adjusted from the preliminary detection result, ensuring comprehensive and applicable attack detection and improving processing efficiency. Therefore, the big data attack processing method and system applied to cloud services can solve the problem of low efficiency when performing attack processing on cloud services.
Drawings
Fig. 1 is a flow chart of a big data attack processing method applied to cloud service according to an embodiment of the present application;
FIG. 2 is a flow chart of extracting traffic features according to an embodiment of the present application;
FIG. 3 is a flow chart of performing big data association analysis according to an embodiment of the present application;
fig. 4 is a system architecture diagram of a big data attack processing system applied to cloud services according to an embodiment of the present application.
The achievement of the objects, functional features and advantages of the present application will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
The embodiment of the application provides a big data attack processing method applied to cloud services. The entity executing the method includes at least one of a server, a terminal or the like that can be configured to execute the method provided by the embodiment of the application. In other words, the method may be performed by software or hardware installed in a terminal device or a server device, and the software may be a blockchain platform. The server includes, but is not limited to, a single server, a server cluster, a cloud server or a cloud server cluster. The server may be an independent server, or a cloud server that provides cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communications, middleware services, domain name services, security services, content delivery networks (CDN), and basic cloud computing services such as big data and artificial intelligence platforms.
Referring to fig. 1, a flow chart of a big data attack processing method applied to cloud service according to an embodiment of the present invention is shown. In this embodiment, the big data attack processing method applied to cloud service includes:
S1, screening interception data from the received data of the cloud service according to an interception time domain, and extracting traffic data, program data and content data from the interception data.
In the embodiment of the invention, the interception time domain is the interception time period, i.e. the time window over which received data is collected for analysis.
In detail, the cloud service is a cloud computing service, i.e. a cloud computing product that can be provided and used as a service, including cloud hosts, cloud storage space, cloud development, cloud testing, composite products and the like.
In the embodiment of the invention, screening interception data from the received data of the cloud service according to the interception time domain means taking the received data that falls within the duration of the interception time domain as the interception data.
In detail, the traffic data is the information about the communication data generated when the cloud service performs network communication within the interception data, including traffic volume, communication IP addresses, communication duration and the like.
Specifically, the program data is the program-related information in the interception data, such as software installation packages and application code.
In detail, the content data is the network-structure data and content of the interception data, such as pictures, videos and web page information.
In the embodiment of the present invention, extracting traffic data, program data and content data from the interception data includes:
performing traffic monitoring on the interception data to obtain traffic data;
screening program data from the interception data according to data type;
and performing behavior tracking on the interception data to obtain content data.
In detail, the interception data may be monitored in real time with traffic monitoring software such as the Multi Router Traffic Grapher (MRTG) or a packet sniffer (for example Sniffer Portable) to obtain the traffic data.
In the embodiment of the present invention, screening program data from the interception data according to data type includes:
splitting the interception data into a plurality of data file packages;
selecting the data file packages one by one as target file packages, and taking the suffix name (file extension) of each target file package as the target suffix name;
judging whether the target suffix name matches a program suffix name in a preset program suffix library;
when the target suffix name does not match any program suffix name, returning to the step of selecting the data file packages one by one as target file packages;
and when the target suffix name matches a program suffix name, adding the target file package to the program data.
Specifically, the program suffix library is a set of strings containing the suffix names of various program file types, such as java, exe and apk.
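As an added illustration (not code from the patent or its assignee), the suffix screening above in Python, together with a magic-byte cross-check that the patent does not describe: matching on the suffix alone lets an executable renamed to .jpg slip past and lets a text file named .exe consume analysis time, so the added check flags packages whose content and suffix disagree. The suffix library entries beyond java, exe and apk, the magic constants used and the sample packages are assumptions.

```python
"""Screening program data by file suffix, plus a magic-byte cross-check.

Added example, not code from the patent or its assignee. The suffix rule is the
patent's; the magic-byte check is an addition showing why suffix alone is weak.
Sample packages are constructed.
"""
import os
from typing import List, Optional, Tuple

# Preset program suffix library. The patent names java, exe and apk; the other
# entries are assumptions.
PROGRAM_SUFFIXES = {".java", ".exe", ".apk", ".dll", ".jar", ".so", ".elf"}

# Well-known magic bytes of executable containers (jar/apk are zip archives).
MAGIC = {
    b"MZ": "pe",
    b"\x7fELF": "elf",
    b"PK\x03\x04": "zip",
}


def suffix_of(name: str) -> str:
    """Target suffix name: the lower-cased file extension, '' if none."""
    return os.path.splitext(name)[1].lower()


def magic_type(data: bytes) -> Optional[str]:
    """Container type implied by the leading bytes, or None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def screen_program_data(packages: List[Tuple[str, bytes]]):
    """Apply the patent's suffix rule and the added content check.

    Returns (program_data, mismatches): program_data holds the names whose
    suffix is in the library; mismatches holds names where suffix and content
    disagree (executable content under a non-program suffix, or a program
    suffix on non-executable content). Source files such as .java have no
    magic and land in mismatches too, so treat that list as a review queue,
    not a verdict.
    """
    program_data, mismatches = [], []
    for name, data in packages:
        by_suffix = suffix_of(name) in PROGRAM_SUFFIXES
        by_magic = magic_type(data) is not None
        if by_suffix:
            program_data.append(name)
        if by_suffix != by_magic:
            mismatches.append(name)
    return program_data, mismatches


# Constructed sample packages (name, leading bytes).
SAMPLE_PACKAGES = [
    ("update.exe", b"MZ\x90\x00" + b"\x00" * 60),
    ("report.pdf", b"%PDF-1.7 constructed sample"),
    ("holiday.jpg", b"MZ\x90\x00" + b"\x00" * 60),     # executable renamed to .jpg
    ("app.apk", b"PK\x03\x04" + b"\x00" * 20),
    ("notes.exe", b"plain text, not an executable"),   # .exe that is not a PE
]

if __name__ == "__main__":
    found, suspect = screen_program_data(SAMPLE_PACKAGES)
    print("program data:", found)
    print("suffix/content mismatches:", suspect)
```

Run as a script it lists update.exe, app.apk and notes.exe as program data and flags holiday.jpg and notes.exe for review; the renamed executable is exactly the case the suffix library cannot see.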
Specifically, the behavior tracking refers to extracting a behavior log from the interception data, so as to obtain content data.
In the embodiment of the invention, extracting traffic data, program data and content data from the interception data allows the interception data to be security-checked from three directions, so that hidden attack data can be found from the correlation between the three detection results and the recognition rate of attack data is improved.
S2, extracting traffic features from the traffic data, and detecting attack events from the traffic data according to the traffic features.
In an embodiment of the present invention, referring to fig. 2, extracting traffic features from the traffic data includes:
S21, dividing the traffic data into a plurality of data flows, and tracing the data flows one by one to obtain a communication address set;
S22, verifying the addresses in the communication address set one by one to obtain the number of spoofed addresses, and calculating the spoofed-address rate from that number;
S23, selecting the data flows one by one as target data flows, taking the traffic volume of each target data flow as the target traffic, and extracting the paired (repeated) data proportion from the target data flow;
S24, calculating the traffic growth rate of the target data flow from the target traffic and the paired data proportion using the following traffic growth rate formula:
wherein G is the traffic growth rate, n is the target traffic, E is the paired data proportion, and T is the transmission time of the target data flow;
S25, extracting the number of packets, the number of bits and the flow life cycle from the target data flow;
S26, collecting the traffic growth rate, packet count, bit count, flow life cycle and spoofed-address rate of every data flow into the traffic features.
In detail, the data flows can be traced with ping probes or from communication logs, giving the communication address set.
Specifically, calculating the spoofed-address rate from the number of spoofed addresses means dividing the number of spoofed addresses by the transmission time of the target data flow.
In detail, the packet count is the number of packets in the target data flow.
In the embodiment of the invention, calculating the traffic growth rate of the target data flow from the target traffic and the paired data proportion with the traffic growth rate formula removes repeated received data caused by communication failures (retransmissions), so that the traffic trend is reflected more accurately.
In detail, detecting an attack event from the traffic data according to the traffic features includes:
selecting the data flows in the traffic data one by one as target data flows, and taking the traffic features of each target data flow as the target traffic features;
obtaining the average traffic features corresponding to the target traffic features from a preset traffic feature library;
calculating the feature deviation value of the target traffic features using the following feature deviation algorithm:
wherein V is the feature deviation value; α, β, γ, δ and ε are preset traffic feature weights; G is the traffic growth rate and D the spoofed-address rate in the target traffic features; p, b and l are the packet count, bit count and flow life cycle in the target traffic features, and their counterparts in the average traffic features are the average packet count, average bit count and average flow life cycle;
judging whether the feature deviation value is greater than a preset deviation threshold;
when the feature deviation value is less than or equal to the deviation threshold, returning to the step of selecting the data flows in the traffic data one by one as target data flows;
and when the feature deviation value is greater than the deviation threshold, treating the target data flow as an abnormal data flow and the event corresponding to it as an attack event.
In detail, the traffic feature library contains the average traffic features of data flows similar to the target data flow, obtained by a big data query.
In detail, the traffic feature weights are trained in advance from a number of abnormal traffic test experiments.
In the embodiment of the invention, calculating the feature deviation value of the target traffic features with the feature deviation algorithm detects traffic anomalies across multiple dimensions, which improves the hit rate of attack event detection.
In the embodiment of the invention, traffic features are extracted from the traffic data and attack events are detected from the traffic data according to those features; the attack events so detected give a preliminary screening of data attacks based on abnormal fluctuations of the traffic.
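The following Python example, added here and not taken from the patent, works steps S21 to S26 and the feature-deviation check through on constructed flow records. The patent does not reproduce its growth-rate or deviation formulas, so the example uses two assumed stand-ins with the same symbols: G = n(1 - E)/T for the growth rate, and V = αG + βD + γ|p - p_avg|/p_avg + δ|b - b_avg|/b_avg + ε|l - l_avg|/l_avg for the deviation, where p_avg, b_avg and l_avg are the averages from the traffic feature library. Address verification is likewise an assumption: an address that is not globally routable (private, loopback, reserved) cannot be a real Internet client of a public cloud service and is counted as spoofed, a bogon check that works offline. The weights, baseline and threshold are made-up values.

```python
"""Traffic feature extraction (S21-S26) and feature-deviation detection.

Added example; not the patent's code. The growth-rate and deviation formulas
are assumed stand-ins (the patent does not reproduce its own), the address
verification is an assumed bogon check, and all flows, weights and the
baseline are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Flow:
    addresses: List[str]     # source addresses obtained by tracing the flow
    size_bytes: int          # n: target traffic volume
    dup_ratio: float         # E: paired (repeated) data proportion
    duration_s: float        # T: transmission time
    packets: int             # p: packet count
    lifetime_s: float        # l: flow life cycle


def count_spoofed(addresses: List[str]) -> int:
    """Assumed address verification: a client of a public cloud service must
    have a globally routable source address, so private, loopback, reserved
    or unparsable addresses are counted as spoofed."""
    spoofed = 0
    for addr in addresses:
        try:
            if not ipaddress.ip_address(addr).is_global:
                spoofed += 1
        except ValueError:
            spoofed += 1
    return spoofed


def traffic_features(flow: Flow) -> Dict[str, float]:
    """G, D, p, b, l for one flow (S22-S26)."""
    T = max(flow.duration_s, 1e-9)
    G = flow.size_bytes * (1.0 - flow.dup_ratio) / T   # assumed: retransmitted share removed, per second
    D = count_spoofed(flow.addresses) / T               # spoofed addresses per second, as the text states
    return {"G": G, "D": D, "p": flow.packets, "b": flow.size_bytes * 8, "l": flow.lifetime_s}


# Assumed weights alpha..epsilon; alpha is small because G is in bytes per second.
WEIGHTS = {"alpha": 1e-5, "beta": 1.0, "gamma": 1.0, "delta": 1.0, "epsilon": 1.0}


def feature_deviation(f: Dict[str, float], avg: Dict[str, float], w=WEIGHTS) -> float:
    """Assumed deviation score V: the rates G and D are weighted directly;
    p, b and l are compared relative to their library averages."""
    def rel(x, m):
        return abs(x - m) / m if m else abs(x)
    return (w["alpha"] * f["G"] + w["beta"] * f["D"]
            + w["gamma"] * rel(f["p"], avg["p"])
            + w["delta"] * rel(f["b"], avg["b"])
            + w["epsilon"] * rel(f["l"], avg["l"]))


def detect_attack_events(flows: List[Flow], avg: Dict[str, float],
                         threshold: float) -> List[Tuple[int, float]]:
    """Return (flow index, V) for every flow whose deviation exceeds the threshold."""
    events = []
    for i, flow in enumerate(flows):
        V = feature_deviation(traffic_features(flow), avg)
        if V > threshold:
            events.append((i, round(V, 3)))
    return events


# Constructed baseline (average traffic features from the library) and flows.
BASELINE = {"p": 100, "b": 800_000, "l": 30.0}
SAMPLE_FLOWS = [
    Flow(["8.8.8.8", "1.1.1.1"], 100_000, 0.05, 30.0, 100, 30.0),       # ordinary session
    Flow(["10.0.0.1", "192.168.1.5", "127.0.0.1", "1.1.1.1"],           # burst with bogon sources
         5_000_000, 0.0, 5.0, 5000, 5.0),
]

if __name__ == "__main__":
    for idx, V in detect_attack_events(SAMPLE_FLOWS, BASELINE, threshold=5.0):
        print(f"flow {idx}: attack event, V={V}")
```

With these values the ordinary session scores well under 1 while the burst scores above 100, driven mostly by the packet and bit counts; in a real deployment the weights and the library averages have to be fitted per service, since a fixed baseline turns every legitimate traffic spike into an attack event.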
S3, extracting code features from the program data, and detecting malicious codes from the program data according to the code features.
In an embodiment of the present invention, the extracting the code feature from the program data includes:
dividing the program data into a plurality of program packages;
selecting the program packages one by one as target program packages, performing byte code conversion on the target program packages to obtain target program byte codes, and performing byte feature extraction on the target program byte codes by using a preset byte sliding window to obtain byte entropy;
performing character code conversion on the target program package to obtain target program character codes, and performing character feature extraction on the target program character codes by utilizing a preset character sliding window to obtain character entropy;
extracting an executable file header from the target program package, and extracting protocol characteristics of the executable file header to obtain a protocol array;
Extracting numerical information from the executable file header to obtain a compiled numerical value;
and taking the byte entropy, the character entropy, the protocol array and the compiling value as code characteristics of the target program package.
Specifically, character code conversion means converting the target program package into an ASCII text representation.
In detail, the executable file header is the PE (Portable Executable) header.
Specifically, extracting protocol features from the executable file header to obtain a protocol array means hashing the library (file) names and function names in the import address table (IAT) referenced by the PE header, and forming the protocol array from the hash results; this is the idea behind import hashing of PE files.
In detail, extracting numerical information from the executable file header to obtain the compile value may be extracting numerical fields such as the compile time from the PE header to form information such as a timestamp.
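An added Python example (not the patent's code) that computes the four code features named above for one program package: sliding-window byte entropy, sliding-window character entropy over the printable-ASCII view of the file, an imphash-style digest of the imported library and function names as the protocol array, and the COFF TimeDateStamp from the PE header as the compile value. The PE bytes are a constructed minimal header; the import list is passed in as a parameter because resolving the import directory needs section mapping (pefile does this in practice), so the import list and the window sizes are assumptions.

```python
"""Code-feature extraction from a program package (PE file bytes).

Added example, not code from the patent. Byte and character entropy use
sliding windows as the text describes; the compile value is the COFF
TimeDateStamp; the protocol array follows the imphash convention (md5 over
lower-cased "lib.func" pairs). The import list is supplied by the caller
because walking the import directory needs section mapping. The PE header
bytes and the import list below are constructed.
"""
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone
from typing import List, Optional, Tuple


def shannon_entropy(seq) -> float:
    """Entropy in bits per symbol of any sequence of hashable symbols."""
    if not seq:
        return 0.0
    n = len(seq)
    return -sum(c / n * math.log2(c / n) for c in Counter(seq).values())


def sliding_entropy(seq, window: int, stride: int) -> List[float]:
    """Entropy of each window; the maximum exposes packed or encrypted regions."""
    if len(seq) <= window:
        return [shannon_entropy(seq)]
    return [shannon_entropy(seq[i:i + window])
            for i in range(0, len(seq) - window + 1, stride)]


def byte_entropy(data: bytes, window: int = 256, stride: int = 128) -> List[float]:
    return sliding_entropy(data, window, stride)


def char_entropy(data: bytes, window: int = 256, stride: int = 128) -> List[float]:
    """Character entropy over the 'character code' form: printable ASCII only."""
    text = "".join(chr(b) for b in data if 32 <= b < 127)
    return sliding_entropy(text, window, stride)


def compile_timestamp(data: bytes) -> Optional[datetime]:
    """COFF TimeDateStamp from the PE header as UTC, or None if not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]   # Machine(2) NumberOfSections(2) then TimeDateStamp
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def import_hash(imports: List[Tuple[str, str]]) -> str:
    """imphash-style digest: lower-case, strip dll/ocx/sys, join as lib.func."""
    parts = []
    for lib, func in imports:
        lib = lib.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[:-len(ext)]
        parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def code_features(data: bytes, imports: List[Tuple[str, str]]) -> dict:
    """The four code features of one target program package."""
    return {
        "byte_entropy_max": round(max(byte_entropy(data)), 3),
        "char_entropy_max": round(max(char_entropy(data)), 3),
        "protocol_array": import_hash(imports),
        "compile_value": compile_timestamp(data),
    }


def build_sample_pe(timestamp: int) -> bytes:
    """Constructed minimal PE: DOS header with e_lfanew, PE signature, COFF header, padding."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff + b"\x00" * 200


# Constructed import list of the kind a loader or dropper would show.
SAMPLE_IMPORTS = [("KERNEL32.dll", "VirtualAlloc"), ("KERNEL32.dll", "LoadLibraryA"),
                  ("ADVAPI32.dll", "RegSetValueExA")]

if __name__ == "__main__":
    print(code_features(build_sample_pe(1_600_000_000), SAMPLE_IMPORTS))
```

Two caveats a practitioner should keep in mind when these features feed a classifier: the timestamp is attacker-controlled (compilers and packers can set it to anything, so an implausible date is itself a signal rather than ground truth), and entropy maxima flag packed legitimate software as readily as malware, which is why the patent combines them with the import array and the later suspicion score instead of thresholding entropy alone.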
In detail, the detecting malicious code from the program data according to the code feature includes:
selecting program packages in the program data one by one as target program packages, and performing attribute detection on code features corresponding to the target program packages to obtain program attributes;
Judging whether the program attribute is a malicious attribute or not;
when the program attribute is a malicious attribute, taking the target program package as malicious code;
when the program attribute is not a malicious attribute, extracting development attribute characteristics from a developer remark of the target program package, extracting name attribute characteristics from a package name of the target program package, and extracting program attribute characteristics from the program attribute;
calculating the suspicious degree of the target program package according to the development attribute feature, the name attribute feature and the program attribute feature by using the following suspicious degree formula:
where $A$ is the suspicious degree, $\omega$ is a preset suspicious degree countermeasure coefficient, $\arccos$ is the inverse cosine function, $P$ is the program attribute feature, $K$ is the development attribute feature, and $N$ is the name attribute feature;
judging whether the suspicious degree is larger than a preset suspicious threshold value or not;
when the suspicious degree is larger than the suspicious threshold value, taking the target program package as malicious code;
and returning to the step of selecting the program packages in the program data one by one as target program packages when the suspicious degree is smaller than or equal to the suspicious threshold value.
Specifically, a pre-trained binary-classification convolutional neural network can be used to perform attribute detection on the code features corresponding to the target program package, so as to obtain the program attribute.
In detail, extracting the development attribute features from the developer remarks of the target program package refers to extracting keywords from the developer remarks, and performing word vector conversion on the keywords to obtain the development attribute features.
Specifically, the method for extracting the name attribute features from the package name of the target package is consistent with the method for extracting the development attribute features from the developer remarks of the target package, which is not described herein.
Specifically, the method for extracting the program attribute features from the program attributes is consistent with the method for extracting the development attribute features from the developer remarks of the target program package, which is not described herein.
In the embodiment of the invention, extracting code features from the program data removes the need to execute the program data, which saves malicious code detection time; judging malicious code from the program data by combining attribute detection with the suspicious degree raises the identification rate of malicious code detection and improves its detection precision.
S4, carrying out event mining on the content data to obtain a behavior event, carrying out big data association analysis on the attack event, the malicious code and the behavior event to obtain an association attribute, and extracting attack characteristics from the association attribute.
In the embodiment of the present invention, the performing event mining on the content data to obtain a behavior event includes:
performing data cleaning on the content data to obtain standard content data;
and extracting a modification event and an abnormal event from the standard content data, and converging the modification event and the abnormal event into a behavior event.
In detail, the modification event and the abnormal event may be extracted from the standard content data by means of the system's API call history.
In detail, referring to fig. 3, the performing big data association analysis on the attack event, the malicious code and the behavior event to obtain association attributes includes:
S41, adding a time stamp for the attack event to obtain an attack event increment curve, adding a time stamp for the malicious code to obtain a malicious code increment curve, and adding a time stamp for the behavior event to obtain a behavior event increment curve;
S42, segmenting the attack event increment curve, the malicious code increment curve and the behavior event increment curve by utilizing a preset time window to obtain a plurality of time domain increment segments;
S43, selecting the time domain increment segments one by one as target time domain segments, and calculating the event association degree among the attack event, the malicious code and the behavior event in the target time domain segment by using the following association degree algorithm:
where $C$ is the event association degree, $m$ is the total duration of the preset time window, $\theta$ is the preset association degree countermeasure coefficient, $i$ is the $i$-th moment in the preset time window, $x_i$ is the value of the attack event increment curve at the $i$-th moment in the preset time window, $\bar{x}$ is the mean value of the attack event increment curve over the preset time window, $y_i$ is the value of the malicious code increment curve at the $i$-th moment in the preset time window, $\bar{y}$ is the mean value of the malicious code increment curve over the preset time window, $z_i$ is the value of the behavior event increment curve at the $i$-th moment in the preset time window, and $\bar{z}$ is the mean value of the behavior event increment curve over the preset time window;
S44, taking the target time domain segment with the event association degree larger than a preset association threshold value as an association time domain segment, and extracting association attributes from the association time domain segment.
In the embodiment of the invention, the event association degree among the attack event, the malicious code and the behavior event in the target time domain segment is calculated by using the association degree algorithm, so that the activity degree relation among the attack event, the malicious code and the behavior event can be represented.
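As an added example (not the patent's code) of steps S41 to S44: timestamped attack events, malicious code detections and behavior events are turned into per-second increment curves, cut into time-window segments, scored per segment and thresholded. The patent's association degree formula did not survive extraction, so the score used here is the mean of the three pairwise Pearson correlations of the mean-centred curves, with no countermeasure coefficient θ; that stand-in is an assumption, and the event timestamps are constructed.

```python
"""Steps S41 to S44 of the association analysis, as an added example.
The association degree is the mean of the pairwise Pearson correlations of
the three curves (an assumption standing in for the patent's own formula);
the event timestamps below are constructed."""
import math
from collections import Counter
from dataclasses import dataclass
from typing import List, Sequence


def increment_curve(timestamps: Sequence[int], start: int, end: int) -> List[int]:
    """S41: timestamped events become a per-second count curve over [start, end)."""
    counts = Counter(int(t) for t in timestamps if start <= t < end)
    return [counts.get(t, 0) for t in range(start, end)]


def segment(curve: List[int], window: int) -> List[List[int]]:
    """S42: cut a curve into consecutive segments of `window` seconds; a trailing partial segment is dropped."""
    if window <= 0:
        raise ValueError("window must be positive")
    return [curve[i:i + window] for i in range(0, len(curve) - window + 1, window)]


def _centred(values: Sequence[float]) -> List[float]:
    """Subtract the segment mean (the x_i - x̄ terms in the patent's notation)."""
    mean = sum(values) / len(values)
    return [v - mean for v in values]


def pearson(a: Sequence[float], b: Sequence[float]) -> float:
    """Pearson correlation of two equally long series; 0.0 when either series is constant."""
    if not a or len(a) != len(b):
        raise ValueError("series must be non-empty and equally long")
    ca, cb = _centred(a), _centred(b)
    denom = math.sqrt(sum(v * v for v in ca) * sum(v * v for v in cb))
    if denom == 0.0:
        return 0.0
    return sum(p * q for p, q in zip(ca, cb)) / denom


def association_degree(x: Sequence[int], y: Sequence[int], z: Sequence[int]) -> float:
    """S43 stand-in: average co-movement of the attack (x), malicious code (y) and behavior (z) curves."""
    return (pearson(x, y) + pearson(y, z) + pearson(x, z)) / 3.0


@dataclass
class AssociatedSegment:
    index: int          # position of the segment in the sequence of time windows
    start: int          # first second covered by the segment
    degree: float       # event association degree C
    attack: List[int]
    malware: List[int]
    behavior: List[int]


def associated_segments(attack_ts: Sequence[int], malware_ts: Sequence[int],
                        behavior_ts: Sequence[int], start: int, end: int,
                        window: int, threshold: float) -> List[AssociatedSegment]:
    """S41-S44 end to end: keep the segments whose association degree exceeds the threshold."""
    curves = [increment_curve(ts, start, end) for ts in (attack_ts, malware_ts, behavior_ts)]
    segs = [segment(c, window) for c in curves]
    kept = []
    for idx, (x, y, z) in enumerate(zip(*segs)):
        degree = association_degree(x, y, z)
        if degree > threshold:
            kept.append(AssociatedSegment(idx, start + idx * window, degree, x, y, z))
    return kept


# Constructed sample: one burst in which all three sources move together
# (seconds 2-7), one isolated attack event (second 25), and three unrelated
# single events (seconds 41, 50 and 58).
CONSTRUCTED_ATTACK_TS = [2, 3, 4, 5, 25, 41]
CONSTRUCTED_MALWARE_TS = [3, 4, 5, 6, 50]
CONSTRUCTED_BEHAVIOR_TS = [4, 5, 6, 7, 58]


def run_sample(threshold: float = 0.5) -> List[AssociatedSegment]:
    """Three 20-second windows over a 60-second interception time domain."""
    return associated_segments(CONSTRUCTED_ATTACK_TS, CONSTRUCTED_MALWARE_TS,
                               CONSTRUCTED_BEHAVIOR_TS, start=0, end=60, window=20,
                               threshold=threshold)


if __name__ == "__main__":
    for seg in run_sample():
        print(f"segment {seg.index} (t={seg.start}s): C={seg.degree:.3f}")
```

Only the first window, where the three curves rise together, is kept; the window with a single attack event scores 0 because the other two curves are constant there.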
Specifically, extracting the association attributes from the association time domain segment means extracting an attack intensity attribute from the attack event corresponding to the association time domain segment, an attack type attribute from the malicious code corresponding to the association time domain segment, and an attack behavior attribute from the behavior event corresponding to the association time domain segment.
In detail, the method for extracting the association attribute from the association time domain segment is consistent with the method for extracting the development attribute feature from the developer remark of the target package in the above step S3, and will not be described herein.
In detail, extracting the attack feature from the associated attribute refers to performing time domain feature analysis on the attack strength attribute, the attack type attribute and the attack behavior attribute of the associated attribute to obtain the attack feature.
Specifically, performing time domain feature analysis on the attack intensity attribute, the attack type attribute and the attack behavior attribute of the association attribute to obtain the attack features means: predicting, from the attack type attribute and the attack behavior attribute, the predicted attack intensity attribute corresponding to the current interception time domain; taking the difference between the attack intensity attribute and the predicted attack intensity attribute as the attack time domain feature; extracting the attack type feature from the attack type attribute; extracting the attack behavior feature from the attack behavior attribute; and collecting the attack time domain feature, the attack type feature and the attack behavior feature into the attack features.
In the embodiment of the invention, performing big data association analysis on the attack event, the malicious code and the behavior event to obtain the association attribute, and extracting the attack features from the association attribute, allows traffic, malicious programs and user behavior to be analysed jointly for their associations, which speeds up big data processing and improves attack processing efficiency.
S5, updating the interception time domain according to the attack characteristics, returning to the step of intercepting the received data of the cloud service according to the interception time domain, obtaining standard attack characteristics, and filtering the received data according to the standard attack characteristics.
In the embodiment of the present invention, updating the interception time domain according to the attack characteristic refers to adjusting a duration of the interception time domain according to an attack time domain characteristic in the attack characteristic.
In detail, filtering the received data according to the standard attack feature refers to adding the standard attack feature to a preset security analysis feature library, and intercepting data corresponding to the standard attack feature.
In the embodiment of the invention, updating the interception time domain according to the attack features to obtain the standard attack features lets the detection period be adjusted according to the result of the first round of detection, which ensures the comprehensiveness and applicability of attack detection and improves the efficiency of attack processing.
According to the embodiment of the invention, the flow data, the program data and the content data are extracted from the interception data, so that the interception data can be checked for security from three directions; hidden attack data can then be found from the relevance between the security detection results in the three directions, which improves the recognition rate of attack data. Extracting flow features from the flow data and detecting attack events from the flow data according to those flow features detects attacks from abnormal fluctuations of the flow data and performs a preliminary screening of data attacks; extracting code features from the program data removes the need to execute the program data and saves malicious code detection time.
Detecting malicious code from the program data through attribute detection and suspicious degree judgment improves the identification rate and the detection precision of malicious code detection. Performing big data association analysis on the attack event, the malicious code and the behavior event to obtain the association attribute, and extracting the attack features from the association attribute, allows traffic, malicious programs and user behavior to be analysed jointly for their associations, speeds up big data processing and improves attack processing efficiency. Updating the interception time domain according to the attack features to obtain the standard attack features lets the detection period be adjusted according to the result of the first round of detection, which ensures the comprehensiveness and applicability of attack detection and improves the efficiency of attack processing. Therefore, the big data attack processing method applied to the cloud service can solve the problem of low efficiency when the cloud service is attacked.
Fig. 4 is a system architecture diagram of a big data attack processing system applied to cloud services according to an embodiment of the present invention.
The big data attack processing system 100 applied to cloud service can be installed in electronic equipment. Depending on the implemented functions, the big data attack processing system 100 applied to cloud services may include a data classification module 101, an attack event module 102, a malicious code module 103, a correlation analysis module 104, and an attack processing module 105. The module of the invention, which may also be referred to as a unit, refers to a series of computer program segments, which are stored in the memory of the electronic device, capable of being executed by the processor of the electronic device and of performing a fixed function.
In the present embodiment, the functions concerning the respective modules/units are as follows:
the data classification module 101 is configured to screen interception data from received data of a cloud service according to an interception time domain, and extract flow data, program data and content data from the interception data;
the attack event module 102 is configured to extract a flow characteristic from the flow data, and detect an attack event from the flow data according to the flow characteristic;
the malicious code module 103 is configured to extract code features from the program data, and detect malicious code from the program data according to the code features;
the association analysis module 104 is configured to perform event mining on the content data to obtain a behavior event, perform big data association analysis on the attack event, the malicious code and the behavior event to obtain an association attribute, and extract an attack feature from the association attribute;
the attack processing module 105 is configured to update the interception time domain according to the attack feature, return to the step of intercepting the received data of the cloud service according to the interception time domain, obtain a standard attack feature, and filter the received data according to the standard attack feature.
In detail, each module in the big data attack processing system 100 applied to cloud service in the embodiment of the present invention adopts the same technical means as the big data attack processing method applied to cloud service in the above-mentioned fig. 1 to 3, and can generate the same technical effects, which is not repeated here.
In the several embodiments provided in the present invention, it should be understood that the disclosed methods and systems may be implemented in other ways. For example, the embodiments of the system described above are merely illustrative, e.g., the division of the modules is merely a logical functional division, and there may be additional divisions when actually implemented.
The modules described as separate components may or may not be physically separate, and components shown as modules may or may not be physical units, may be located in one place, or may be distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional module in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units can be realized in a form of hardware or a form of hardware and a form of software functional modules.
It will be evident to those skilled in the art that the application is not limited to the details of the foregoing illustrative embodiments, and that the present application may be embodied in other specific forms without departing from the spirit or essential characteristics thereof.
The present embodiments are, therefore, to be considered in all respects as illustrative and not restrictive, the scope of the application being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference signs in the claims shall not be construed as limiting the claim concerned.
The embodiment of the application can acquire and process the related data based on artificial intelligence technology. Here, artificial intelligence (AI) is the theory, method, technique and application system that uses a digital computer or a digital computer-controlled machine to simulate, extend and expand human intelligence, sense the environment, acquire knowledge and use knowledge to obtain optimal results.
Furthermore, it is evident that the word "comprising" does not exclude other elements or steps, and that the singular does not exclude a plurality. A plurality of units or means recited in the system claims can also be implemented by means of software or hardware by means of one unit or means. The terms first, second, etc. are used to denote a name, but not any particular order.
Finally, it should be noted that the above-mentioned embodiments are merely for illustrating the technical solution of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications and equivalents may be made to the technical solution of the present invention without departing from the spirit and scope of the technical solution of the present invention.

Claims (8)

1. A big data attack processing method applied to cloud service, the method comprising:
S1: screening interception data from the received data of the cloud service according to an interception time domain, and extracting flow data, program data and content data from the interception data;
S2: extracting flow characteristics from the flow data, and detecting attack events from the flow data according to the flow characteristics;
S3: extracting code features from the program data, and detecting malicious codes from the program data according to the code features;
S4: performing event mining on the content data to obtain a behavior event, performing big data association analysis on the attack event, the malicious code and the behavior event to obtain an association attribute, and extracting attack features from the association attribute, wherein the performing big data association analysis on the attack event, the malicious code and the behavior event to obtain the association attribute comprises:
S41: adding a time stamp for the attack event to obtain an attack event increment curve, adding a time stamp for the malicious code to obtain a malicious code increment curve, and adding a time stamp for the behavior event to obtain a behavior event increment curve;
S42: segmenting the attack event increment curve, the malicious code increment curve and the behavior event increment curve by utilizing a preset time window to obtain a plurality of time domain increment segments;
S43: selecting the time domain increment segments one by one as target time domain segments, and calculating the event association degree among the attack event, the malicious code and the behavior event in the target time domain segments by using the following association degree algorithm:
where $C$ is the event association degree, $m$ is the total duration of the preset time window, $\theta$ is the preset association degree countermeasure coefficient, $i$ is the $i$-th moment in the preset time window, $x_i$ is the value of the attack event increment curve at the $i$-th moment in the preset time window, $\bar{x}$ is the mean value of the attack event increment curve over the preset time window, $y_i$ is the value of the malicious code increment curve at the $i$-th moment in the preset time window, $\bar{y}$ is the mean value of the malicious code increment curve over the preset time window, $z_i$ is the value of the behavior event increment curve at the $i$-th moment in the preset time window, and $\bar{z}$ is the mean value of the behavior event increment curve over the preset time window;
S44: taking the target time domain segment with the event association degree larger than a preset association threshold value as an association time domain segment, and extracting association attributes from the association time domain segment;
S5: updating the interception time domain according to the attack characteristic, returning to the step of intercepting the received data of the cloud service according to the interception time domain, obtaining a standard attack characteristic, and filtering the received data according to the standard attack characteristic.
2. The big data attack processing method applied to cloud service according to claim 1, wherein the extracting traffic data, program data, and content data from the interception data includes:
performing flow monitoring on the interception data to obtain flow data;
screening program data from the interception data according to the data type;
and carrying out behavior tracking on the interception data to obtain content data.
3. The big data attack processing method applied to cloud service according to claim 2, wherein the screening program data from the interception data according to data type includes:
splitting the intercepted data into a plurality of data file packets;
selecting the data file packages one by one as target file packages, and taking the suffix names of the target file packages as target suffix names;
judging whether the target suffix name is matched with a program suffix name in a preset program suffix library;
returning to the step of selecting the data file packages one by one as target file packages when the target suffix name is not matched with the program suffix name;
and when the target suffix name is matched with the program suffix name, adding the target file package into program data.
4. The big data attack processing method applied to cloud service according to claim 1, wherein the extracting the traffic feature from the traffic data comprises:
dividing the flow data into a plurality of data streams, and carrying out data tracing on the data streams one by one to obtain a communication address set;
address verification is carried out on the addresses in the communication address set one by one to obtain the number of fake addresses, and the speed increase of the fake addresses is calculated according to the number of fake addresses;
selecting the data streams one by one as target data streams, taking the flow of the target data streams as target flow, and extracting paired data proportions from the target data streams;
calculating the flow rate increase of the target data flow according to the target flow and the paired data proportion by using the following flow rate increase formula:
wherein G refers to the flow rate increase, n refers to the target flow rate, E refers to the paired data proportion, and T refers to the transmission time corresponding to the target data flow;
extracting the number of flow packets, the number of flow bits and the flow life cycle from the target data flow;
and collecting all the traffic acceleration, the traffic packet number, the traffic bit number, the traffic life cycle and the fake address acceleration into traffic characteristics.
5. The big data attack processing method applied to cloud service according to claim 4, wherein the detecting an attack event from the traffic data according to the traffic characteristics comprises:
selecting data flows in the flow data one by one as target data flows, and taking flow characteristics corresponding to the target data flows as target flow characteristics;
obtaining average flow characteristics corresponding to the target flow characteristics from a preset flow characteristics library;
calculating the characteristic deviation value of the target flow characteristic by using the following characteristic deviation algorithm:
where $V$ is the characteristic deviation value; $\alpha, \beta, \gamma, \delta, \varepsilon$ are preset flow characteristic weights; $G$ is the flow acceleration in the target flow characteristic; $D$ is the fake address acceleration in the target flow characteristic; $p$ is the number of flow packets in the target flow characteristic; $\bar{p}$ is the average number of flow packets in the average flow characteristic; $b$ is the number of flow bits in the target flow characteristic; $\bar{b}$ is the average number of flow bits in the average flow characteristic; $l$ is the flow life cycle in the target flow characteristic; and $\bar{l}$ is the average flow life cycle in the average flow characteristic;
judging whether the characteristic deviation value is larger than a preset deviation threshold value or not;
returning to the step of selecting the data streams in the flow data one by one as target data streams when the characteristic deviation value is smaller than or equal to the deviation threshold value;
and when the characteristic deviation value is larger than the deviation threshold value, taking the target data stream as an abnormal data stream and taking an event corresponding to the target data stream as an attack event.
6. The big data attack processing method applied to cloud service according to claim 1, wherein the extracting code features from the program data includes:
dividing the program data into a plurality of program packages;
selecting the program packages one by one as target program packages, performing byte code conversion on the target program packages to obtain target program byte codes, and performing byte feature extraction on the target program byte codes by using a preset byte sliding window to obtain byte entropy;
performing character code conversion on the target program package to obtain target program character codes, and performing character feature extraction on the target program character codes by utilizing a preset character sliding window to obtain character entropy;
extracting an executable file header from the target program package, and extracting protocol characteristics of the executable file header to obtain a protocol array;
extracting numerical information from the executable file header to obtain a compiled numerical value;
and taking the byte entropy, the character entropy, the protocol array and the compiling value as code characteristics of the target program package.
7. The big data attack handling method applied to cloud services according to claim 6, wherein said detecting malicious code from the program data according to the code feature comprises:
selecting program packages in the program data one by one as target program packages, and performing attribute detection on code features corresponding to the target program packages to obtain program attributes;
judging whether the program attribute is a malicious attribute or not;
when the program attribute is a malicious attribute, taking the target program package as malicious code;
when the program attribute is not a malicious attribute, extracting development attribute characteristics from a developer remark of the target program package, extracting name attribute characteristics from a package name of the target program package, and extracting program attribute characteristics from the program attribute;
calculating the suspicious degree of the target program package according to the development attribute feature, the name attribute feature and the program attribute feature by using the following suspicious degree formula:
where $A$ is the suspicious degree, $\omega$ is a preset suspicious degree countermeasure coefficient, $\arccos$ is the inverse cosine function, $P$ is the program attribute feature, $K$ is the development attribute feature, and $N$ is the name attribute feature;
judging whether the suspicious degree is larger than a preset suspicious threshold value or not;
when the suspicious degree is larger than the suspicious threshold value, taking the target program package as malicious code;
and returning to the step of selecting the program packages in the program data one by one as target program packages when the suspicious degree is smaller than or equal to the suspicious threshold value.
8. A big data attack handling system for cloud services, the system comprising:
the data classification module is used for screening interception data from the received data of the cloud service according to an interception time domain, and extracting flow data, program data and content data from the interception data;
the attack event module is used for extracting flow characteristics from the flow data and detecting attack events from the flow data according to the flow characteristics;
the malicious code module is used for extracting code characteristics from the program data and detecting malicious codes from the program data according to the code characteristics;
the association analysis module is configured to perform event mining on the content data to obtain a behavior event, perform big data association analysis on the attack event, the malicious code and the behavior event to obtain an association attribute, and extract attack features from the association attribute, where the performing big data association analysis on the attack event, the malicious code and the behavior event to obtain the association attribute includes: adding a time stamp for the attack event to obtain an attack event increment curve, adding a time stamp for the malicious code to obtain a malicious code increment curve, and adding a time stamp for the behavior event to obtain a behavior event increment curve; segmenting the attack event increment curve, the malicious code increment curve and the behavior event increment curve by utilizing a preset time window to obtain a plurality of time domain increment segments; selecting the time domain increment segments one by one as target time domain segments, and calculating the event association degree among the attack event, the malicious code and the behavior event in the target time domain segments by using the following association degree algorithm:
where $C$ is the event association degree, $m$ is the total duration of the preset time window, $\theta$ is the preset association degree countermeasure coefficient, $i$ is the $i$-th moment in the preset time window, $x_i$ is the value of the attack event increment curve at the $i$-th moment in the preset time window, $\bar{x}$ is the mean value of the attack event increment curve over the preset time window, $y_i$ is the value of the malicious code increment curve at the $i$-th moment in the preset time window, $\bar{y}$ is the mean value of the malicious code increment curve over the preset time window, $z_i$ is the value of the behavior event increment curve at the $i$-th moment in the preset time window, and $\bar{z}$ is the mean value of the behavior event increment curve over the preset time window; taking the target time domain segment with the event association degree larger than a preset association threshold value as an association time domain segment, and extracting association attributes from the association time domain segment;
and the attack processing module is used for updating the interception time domain according to the attack characteristics, returning to the step of intercepting the received data of the cloud service according to the interception time domain, obtaining standard attack characteristics, and filtering the received data according to the standard attack characteristics.
CN202211215456.0A 2022-09-30 2022-09-30 Big data attack processing method and system applied to cloud service Active CN115632832B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211215456.0A CN115632832B (en) 2022-09-30 2022-09-30 Big data attack processing method and system applied to cloud service

Applications Claiming Priority (1)

Application Number | Publication | Priority Date | Filing Date | Title
CN202211215456.0A | CN115632832B (en) | 2022-09-30 | 2022-09-30 | Big data attack processing method and system applied to cloud service

Publications (2)

Publication Number | Publication Date
CN115632832A (en) | 2023-01-20
CN115632832B (en) | 2023-09-12 (granted)

Family

ID=84904981

Family Applications (1)

Application Number | Status | Publication | Priority Date | Filing Date | Title
CN202211215456.0A | Active | CN115632832B (en) | 2022-09-30 | 2022-09-30 | Big data attack processing method and system applied to cloud service

Country Status (1)

Country | Link
CN (1) | CN115632832B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN113422785A (en) * | 2021-08-20 | 2021-09-21 | Beijing Shengtaier Technology Co., Ltd. (北京生泰尔科技股份有限公司) | Malicious attack detection method and system based on network traffic and readable storage medium
WO2022143511A1 (en) * | 2020-12-31 | 2022-07-07 | Huawei Technologies Co., Ltd. (华为技术有限公司) | Malicious traffic identification method and related apparatus
KR102424014B1 (en) * | 2022-02-09 | 2022-07-25 | Sands Lab Co., Ltd. (주식회사 샌즈랩) | Apparatus for processing cyber threat information, method for processing cyber threat information, and medium for storing a program processing cyber threat information

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US7743415B2 (en) * | 2002-01-31 | 2010-06-22 | Riverbed Technology, Inc. | Denial of service attacks characterization
US8245295B2 (en) * | 2007-07-10 | 2012-08-14 | Samsung Electronics Co., Ltd. | Apparatus and method for detection of malicious program using program behavior
TWI547823B (en) * | 2015-09-25 | 2016-09-01 | Wistron Corporation (緯創資通股份有限公司) | Method and system for analyzing malicious code, data processing apparatus and electronic apparatus

Similar Documents

Publication Publication Date Title
CN109951500B (en) Network attack detection method and device
CN109450842B (en) Network malicious behavior recognition method based on neural network
CN109117634B (en) Malicious software detection method and system based on network traffic multi-view fusion
CN103733590B (en) Compiler for regular expressions
CN111600850B (en) Method, equipment and storage medium for detecting mine digging virtual currency
CN106534114B (en) Malicious attack prevention system based on big data analysis
US8762298B1 (en) Machine learning based botnet detection using real-time connectivity graph based traffic features
CN111818103B (en) Traffic-based tracing attack path method in network target range
CN104836702A (en) Host network abnormal behavior detection and classification method under large flow environment
Krishnaveni et al. Ensemble approach for network threat detection and classification on cloud computing
CN114244564B (en) Attack defense method, device, equipment and readable storage medium
CN110768946A (en) Industrial control network intrusion detection system and method based on bloom filter
CN110855649A (en) Method and device for detecting abnormal process in server
US20230252145A1 (en) Cyber threat information processing apparatus, cyber threat information processing method, and storage medium storing cyber threat information processing program
Tekiner et al. A Lightweight IoT Cryptojacking Detection Mechanism in Heterogeneous Smart Home Networks.
Praseed et al. Fuzzy request set modelling for detecting multiplexed asymmetric ddos attacks on http/2 servers
CN111314379A (en) Attacked domain name identification method and device, computer equipment and storage medium
Kumar et al. Detection and analysis of ddos attack at application layer using naive bayes classifier
Tian et al. A transductive scheme based inference techniques for network forensic analysis
CN105493096A (en) Distributed pattern discovery
Tann et al. Filtering ddos attacks from unlabeled network traffic data using online deep learning
Shakya et al. Intrusion detection system using back propagation algorithm and compare its performance with self organizing map
CN114169540A (en) Webpage user behavior detection method and system based on improved machine learning
CN101854341A (en) Pattern matching method and device for data streams

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20230817

Address after: Room l227x, 1f, No. 179, Maotai Road, Changning District, Shanghai 200050

Applicant after: Shanghai Baoyun Network Information Service Co.,Ltd.

Address before: Room 2108-1, Building 1, Niushan Square, Xinqiao Street, Ouhai District, Wenzhou City, Zhejiang Province, 325000

Applicant before: Wenzhou Jiarun Technology Development Co.,Ltd.

GR01 Patent grant