CN115913634A - Network security anomaly detection method and system based on deep learning - Google Patents

Network security anomaly detection method and system based on deep learning

Info

Publication number: CN115913634A
Application number: CN202211256732.8A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Prior art keywords: information, alarm, abnormal, generating, comparison
Inventors: 晁军征, 乔胜梅, 孙健, 翟庆超, 李华
Current and original assignee: Huaneng Jining Canal Generating Co ltd
Application filed by Huaneng Jining Canal Generating Co ltd; priority to CN202211256732.8A; publication CN115913634A

Classifications

    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the technical field of network security, in particular to a method and a system for detecting network security anomalies based on deep learning. The method comprises the following steps: monitoring data files under a key path of the power Internet of Things device system in real time, and generating an anomaly alarm according to change information of the data files; monitoring real-time behavior information of the device processes in real time, comparing the real-time behavior information with a local behavior baseline set, and generating an anomaly alarm according to an abnormal result; respectively comparing the monitored data files under the key path of the power Internet of Things device system and the process files corresponding to the device processes with a local trusted software base, uploading the data files that fail the comparison, and performing cloud scanning and removal; and generating alarm information of different levels according to the cloud scanning and removal result. According to the invention, fingerprint information is scanned and multiple engines jointly scan for and remove threats, illegal and forged terminals are automatically isolated, attackers are prevented from accessing the network, and the security protection capability of the intranet is improved.

Description

Network security anomaly detection method and system based on deep learning
Technical Field
The invention relates to the technical field of network security, in particular to a method and a system for detecting network security anomalies based on deep learning.
Background
Terminal equipment is an important component of a computer information system: it is the equipment that processes data in the system. Because computer terminals are numerous and widely distributed, and the technical level of terminal users is uneven, terminals easily become targets of network attacks, and security incidents aimed at computer terminals occur from time to time. An attacker also often uses a compromised computer terminal as a springboard from which to attack a particular server or a particular network.
In the prior art, however, the protection systems are independent of one another and cannot be linked. Protection of a single aspect by traditional technical means has given way to the big data stage, in which integrating, analyzing and handling diverse data is the effective way of dealing with novel threats; yet the multiple security protection systems produced by single protection engines remain isolated from one another and cannot be effectively integrated at either the system level or the data level. The actual protective effect is therefore reduced, unknown threats are handled inadequately, and neither the requirements of network security protection nor those of customers can be satisfied. How to provide a method and a system for detecting network security anomalies based on deep learning is therefore a technical problem that urgently needs to be solved by those skilled in the art.
Disclosure of Invention
The invention aims to provide a method and a system for detecting network security anomalies based on deep learning.
In order to achieve this purpose, the invention provides the following technical scheme:
a method for detecting network security anomalies based on deep learning comprises the following steps:
monitoring data files under a key path of the power Internet of Things device system in real time, and generating an anomaly alarm according to change information of the data files;
monitoring real-time behavior information of the device processes in real time, comparing the real-time behavior information with a local behavior baseline set, and generating an anomaly alarm according to an abnormal result;
respectively comparing the monitored data files under the key path of the power Internet of Things device system and the process files corresponding to the device processes with a local trusted software base, uploading the data files that fail the comparison, and performing cloud scanning and removal;
generating alarm information of different levels according to the cloud scanning and removal result; wherein
the alarm level information is divided, from high to low, into a first-level alarm, a second-level alarm and a third-level alarm;
and when the alarm information generated by the cloud scanning and removal result is the third-level alarm, storing the type of the data file that failed the comparison and performing deep autonomous learning, so that when that type of data file appears again, the third-level alarm is generated directly.
In some embodiments of the present application, the method further comprises:
acquiring software static fingerprint information and process dynamic behavior information while the power Internet of Things device system operates normally, storing the information locally and uploading it to a service terminal;
and constructing the local trusted software base from the software static fingerprint information, and constructing the local behavior baseline set from the process dynamic behavior information.
In some embodiments of the present application, the change information of the data file includes changes in information content and changes in information rights (permissions);
when the information content change of the data file is less than or equal to 30%, the alarm information generated by the cloud scanning and removal result is the third-level alarm;
when the information content change of the data file is more than or equal to 30% and less than 60%, the alarm information generated by the cloud scanning and removal result is the second-level alarm;
and when the information content change of the data file is more than or equal to 60%, the alarm information generated by the cloud scanning and removal result is the first-level alarm.
In some embodiments of the present application, uploading the data files that fail the comparison and performing cloud scanning and removal includes scanning for and removing known or unknown viruses through one or more of an OWL engine, a main defense engine and an artificial intelligence engine;
and further comprises:
collecting DNS server logs, virus access URL (Uniform Resource Locator) characteristic information and IP address division information of all associated hosts in the power Internet of Things device system;
establishing a virus characteristic table from the acquired virus access URL characteristic information;
acquiring DNS server logs from the associated hosts, parsing and standardizing the DNS server logs by comparative analysis, comparing them with the virus characteristic table, and generating alarm information of different levels according to the comparison results; wherein
when the feature comparison fails, the data is cleaned;
and when the feature comparison succeeds, alarm information of different levels is generated according to the matched virus features in the virus characteristic table.
In some embodiments of the present application, the software static fingerprint information includes one or more of name information, version information and a software hash.
In order to achieve the above object, the present invention further provides a system for detecting network security anomalies based on deep learning, which includes:
a monitoring unit, used for monitoring data files under a key path of the power Internet of Things device system in real time and generating an anomaly alarm according to change information of the data files;
the monitoring unit is also used for monitoring the real-time behavior information of the device processes in real time, comparing the real-time behavior information with the local behavior baseline set and generating an anomaly alarm according to an abnormal result;
a processing unit, used for respectively comparing the monitored data files under the key path of the power Internet of Things device system and the process files corresponding to the device processes with a local trusted software base, uploading the data files that fail the comparison and performing cloud scanning and removal;
an alarm unit, used for generating alarm information of different levels according to the cloud scanning and removal result; wherein
the alarm level information is divided, from high to low, into a first-level alarm, a second-level alarm and a third-level alarm;
and a deep learning unit, used for storing the type of the data file that failed the comparison and performing deep autonomous learning when the alarm information generated by the cloud scanning and removal result is the third-level alarm, and for generating the third-level alarm directly when that type of data file appears again.
In some embodiments of the application, the monitoring unit is further configured to collect software static fingerprint information and process dynamic behavior information while the power Internet of Things device system operates normally, store the information locally and upload it to a service terminal; and to construct the local trusted software base from the software static fingerprint information and the local behavior baseline set from the process dynamic behavior information.
In some embodiments of the present application, the change information of the data file includes changes in information content and changes in information rights (permissions);
when the information content change of the data file is less than or equal to 30%, the alarm information generated by the cloud scanning and removal result is the third-level alarm;
when the information content change of the data file is more than or equal to 30% and less than 60%, the alarm information generated by the cloud scanning and removal result is the second-level alarm;
and when the information content change of the data file is more than or equal to 60%, the alarm information generated by the cloud scanning and removal result is the first-level alarm.
In some embodiments of the present application, the processing unit is further configured to scan for and remove known or unknown viruses through one or more of an OWL engine, a main defense engine and an artificial intelligence engine;
the processing unit is further used for collecting DNS server logs, virus access URL characteristic information and IP address division information of all associated hosts in the power Internet of Things device system;
establishing a virus characteristic table from the acquired virus access URL characteristic information;
acquiring DNS server logs from the associated hosts, parsing and standardizing the DNS server logs by comparative analysis, comparing them with the virus characteristic table, and generating alarm information of different levels according to the comparison results; wherein
when the feature comparison fails, the data is cleaned;
and when the feature comparison succeeds, alarm information of different levels is generated according to the matched virus features in the virus characteristic table.
In some embodiments of the present application, the software static fingerprint information includes one or more of name information, version information and a software hash.
Compared with the prior art, the method and system for detecting network security anomalies based on deep learning provided by the invention have the following advantages:
the invention meets the security protection requirements of the Internet of Things in enterprise scenarios and some consumer scenarios, realizes an agent-free security protection method, can effectively help solve the problems of visibility and security control of Internet of Things terminals in the network environment, and can automatically discover abnormal situation information in the network. Based on the discovery, identification and accurate classification of terminals such as Internet of Things devices, operational technology systems, peripheral devices and network infrastructure components, a device fingerprint baseline, a network baseline and a behavior baseline are learned and established, and on the basis of these baselines the equipment raises an alarm when device counterfeiting intrusion, illegal connection or illegal behavior occurs. The invention takes detection technology as its core and recovery technology as its backstop, and integrates protection, detection, response and recovery technologies. Through detection and recovery technology, abnormal user behaviors in the network system are discovered, alarm information of different levels is generated according to the severity of the event, and corresponding measures are taken.
Drawings
FIG. 1 is a flow chart of the method for detecting network security anomalies based on deep learning of the present invention;
FIG. 2 is a flow chart of uploading abnormal data files and performing cloud scanning and removal according to the present invention;
FIG. 3 is a functional block diagram of the system for detecting network security anomalies based on deep learning of the present invention.
Detailed Description
The following detailed description of embodiments of the present invention is provided in connection with the accompanying drawings and examples. The following examples are intended to illustrate the invention, but are not intended to limit the scope of the invention.
In the description of the present application, it is to be understood that the terms "center", "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer", and the like indicate orientations or positional relationships based on those shown in the drawings, and are only for convenience in describing the present application and simplifying the description, but do not indicate or imply that the referred device or element must have a particular orientation, be constructed in a particular orientation, and be operated, and thus should not be construed as limiting the present application.
The terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature. In the description of the present application, "a plurality" means two or more unless otherwise specified.
In the description of the present application, it is to be noted that, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, e.g., as meaning either a fixed connection, a removable connection, or an integral connection; can be mechanically or electrically connected; they may be directly connected or indirectly connected through an intermediate member, or they may be connected to each other through an intermediate member. The specific meaning of the above terms in the present application can be understood in a specific case by those of ordinary skill in the art.
In the prior art, the systems are independent of one another and cannot be linked. Protection of a single aspect by traditional technical means has given way to the big data stage, in which integrating, analyzing and handling diverse data is the effective way of dealing with novel threats; yet the multiple security protection systems produced by single protection engines remain isolated from one another and cannot be effectively integrated at either the system level or the data level, so that the actual protective effect is greatly reduced, unknown threats are handled inadequately, and neither the requirements of network security protection nor those of customers can be satisfied.
Therefore, the invention provides a method and a system for detecting network security anomalies based on deep learning.
Referring to FIG. 1, a disclosed embodiment of the present invention provides a method for detecting network security anomalies based on deep learning, including:
monitoring data files under a key path of the power Internet of Things device system in real time, and generating an anomaly alarm according to change information of the data files;
monitoring real-time behavior information of the device processes in real time, comparing the real-time behavior information with a local behavior baseline set, and generating an anomaly alarm according to an abnormal result;
respectively comparing the monitored data files under the key path of the power Internet of Things device system and the process files corresponding to the device processes with a local trusted software base, uploading the data files that fail the comparison, and performing cloud scanning and removal;
generating alarm information of different levels according to the cloud scanning and removal result; wherein
the alarm level information is divided, from high to low, into a first-level alarm, a second-level alarm and a third-level alarm;
and when the alarm information generated by the cloud scanning and removal result is the third-level alarm, storing the type of the data file that failed the comparison, performing deep autonomous learning, and generating the third-level alarm directly when that type of data file appears again.
It is understood that the data files under the key path and the process files corresponding to the processes may be in a static state or a dynamic state: static means the file is only an executable program that is not necessarily running, while dynamic means a running program. The key path may be understood as several critical directories such as /bin and /sbin.
In a specific embodiment of the present application, the method further includes:
acquiring software static fingerprint information and process dynamic behavior information while the power Internet of Things device system operates normally, storing the information locally and uploading it to a service terminal;
and constructing a local trusted software base from the software static fingerprint information, and constructing a local behavior baseline set from the process dynamic behavior information.
In a specific embodiment of the present application, the change information of the data file includes changes in information content and changes in information rights (permissions);
when the information content change of the data file is less than or equal to 30%, the alarm information generated by the cloud scanning and removal result is a third-level alarm;
when the information content change of the data file is more than or equal to 30% and less than 60%, the alarm information generated by the cloud scanning and removal result is a second-level alarm;
and when the information content change of the data file is more than or equal to 60%, the alarm information generated by the cloud scanning and removal result is a first-level alarm.
In a specific embodiment of the present application, referring to FIG. 2, uploading the abnormal data files and performing cloud scanning and removal includes scanning for and removing known or unknown viruses through one or more of an OWL engine, a main defense engine and an artificial intelligence engine;
and further includes:
collecting DNS server logs, virus access URL (Uniform Resource Locator) characteristic information and IP address division information of all associated hosts in the power Internet of Things device system;
establishing a virus characteristic table from the collected virus access URL characteristic information;
acquiring DNS server logs from the associated hosts, parsing and standardizing the DNS server logs by comparative analysis, then performing feature comparison with the virus characteristic table, and generating alarm information of different levels according to the comparison results; wherein
when the feature comparison fails, the data is cleaned;
and when the feature comparison succeeds, alarm information of different levels is generated according to the matched virus features in the virus characteristic table.
It can be understood that the OWL engine has rich format recognition and analysis capability, supports scanning and removal of PE and non-PE viruses, can fully repair infected files, and can detect high-risk vulnerabilities from nearly the past ten years. The OWL engine supports Windows, Linux, Mac and trusted operating systems, and also supports various CPU architectures such as x86/x64, MIPS, ARM and ALPHA; the artificial intelligence engine can learn to recognize and remove new forms of malware through artificial intelligence analysis algorithms. Data security is protected to the greatest extent by a blacklist and whitelist verification method.
In one embodiment of the present application, the software static fingerprint information includes one or more of name information, version information and a software hash.
Based on the same technical concept, and referring to FIG. 3, the present invention further provides a system for detecting network security anomalies based on deep learning, which includes:
a monitoring unit, used for monitoring data files under the key path of the power Internet of Things device system in real time and generating an anomaly alarm according to the change information of the data files;
the monitoring unit is also used for monitoring the real-time behavior information of the device processes in real time, comparing the real-time behavior information with the local behavior baseline set and generating an anomaly alarm according to an abnormal result;
a processing unit, used for respectively comparing the monitored data files under the key path of the power Internet of Things device system and the process files corresponding to the device processes with the local trusted software base, uploading the data files that fail the comparison and performing cloud scanning and removal;
an alarm unit, used for generating alarm information of different levels according to the cloud scanning and removal result; wherein
the alarm level information is divided, from high to low, into a first-level alarm, a second-level alarm and a third-level alarm;
and a deep learning unit, used for storing the types of the data files that failed the comparison and performing deep autonomous learning when the alarm information generated by the cloud scanning and removal result is a third-level alarm, and for generating the third-level alarm directly when those types of data files appear again.
It can be understood that the data files under the key path and the process files corresponding to the processes may be static or dynamic: static means the file is only an executable program that is not necessarily running, while dynamic means a running program. The key path may be understood as several critical directories, such as /bin and /sbin.
In a specific embodiment of the application, the monitoring unit is further configured to collect software static fingerprint information and process dynamic behavior information while the power Internet of Things device system operates normally, store the information locally and upload it to the service terminal; and to construct a local trusted software base from the software static fingerprint information and a local behavior baseline set from the process dynamic behavior information.
In a specific embodiment of the present application, the change information of the data file includes changes in information content and changes in information rights (permissions);
when the information content change of the data file is less than or equal to 30%, the alarm information generated by the cloud scanning and removal result is a third-level alarm;
when the information content change of the data file is more than or equal to 30% and less than 60%, the alarm information generated by the cloud scanning and removal result is a second-level alarm;
and when the information content change of the data file is more than or equal to 60%, the alarm information generated by the cloud scanning and removal result is a first-level alarm.
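The file monitoring, trusted-base comparison, alarm grading and "remembered third-level type" rule described in this embodiment and in the method embodiment above, as an added Python illustration that is not the patent's own code. It assumes difflib's similarity ratio as the content-change measure, directory-plus-extension as the "type of the data file", a stand-in cloud scan that grades purely by content change, and constructed paths and contents; the 30% boundary, which the patent assigns to two levels, is resolved here in favor of the third level.

```python
import difflib
import hashlib
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

FIRST, SECOND, THIRD = 1, 2, 3  # alarm levels, from high to low


@dataclass(frozen=True)
class Fingerprint:
    """Static fingerprint: the patent names name, version and hash; the permission
    bits are added here so that 'changes in information rights' are also caught."""
    name: str
    version: str
    sha256: str
    mode: int


@dataclass
class Observed:
    path: str
    name: str
    version: str
    content: bytes
    mode: int


def fingerprint(obs: Observed) -> Fingerprint:
    return Fingerprint(obs.name, obs.version, hashlib.sha256(obs.content).hexdigest(), obs.mode)


def change_ratio(baseline: bytes, current: bytes) -> float:
    """Fraction of content that changed (0.0 identical, near 1.0 almost nothing in common).
    difflib's similarity ratio is an assumption; the patent does not define the measure."""
    if baseline == current:
        return 0.0
    return 1.0 - difflib.SequenceMatcher(None, baseline, current, autojunk=False).ratio()


def alarm_level(ratio: float) -> int:
    """Thresholds as stated in the patent: <=30% third level, 30%..60% second, >=60% first.
    The patent gives exactly 30% to both lower levels; this code tests the third level first."""
    if ratio <= 0.30:
        return THIRD
    if ratio < 0.60:
        return SECOND
    return FIRST


def file_type(path: str) -> str:
    """'Type of the data file' is undefined in the patent; assumed here to be the
    key directory plus the extension, e.g. '/bin' or '/etc.conf'."""
    head, tail = os.path.split(path)
    return head + os.path.splitext(tail)[1]


@dataclass
class Detector:
    trusted: Dict[str, Tuple[Fingerprint, bytes]]  # local trusted software base
    cloud_scan: Optional[Callable[[Observed, float], int]] = None
    learned_third_level: Set[str] = field(default_factory=set)
    uploads: List[str] = field(default_factory=list)  # paths sent for cloud scanning

    def __post_init__(self):
        if self.cloud_scan is None:
            # Stand-in for the cloud scan-and-remove service: grade by content change.
            self.cloud_scan = lambda obs, ratio: alarm_level(ratio)

    def check(self, obs: Observed) -> Optional[int]:
        """Return an alarm level, or None when the file matches the trusted base."""
        entry = self.trusted.get(obs.path)
        if entry is None:
            # A key-path file the trusted base never recorded: treat as wholly changed.
            self.uploads.append(obs.path)
            return self.cloud_scan(obs, 1.0)
        known, baseline = entry
        if fingerprint(obs) == known:
            return None
        ftype = file_type(obs.path)
        if ftype in self.learned_third_level:
            # Deep learning unit rule from the patent: a type already seen as a
            # third-level case is alarmed directly, without another upload.
            return THIRD
        self.uploads.append(obs.path)
        level = self.cloud_scan(obs, change_ratio(baseline, obs.content))
        if level == THIRD:
            self.learned_third_level.add(ftype)
        return level


def build_trusted_base() -> Dict[str, Tuple[Fingerprint, bytes]]:
    """Constructed baseline captured while the device 'operates normally'."""
    base = {}
    for path, name, version, content, mode in [
        ("/bin/busybox", "busybox", "1.36.1", b"ELF-BUSYBOX-" + b"A" * 100, 0o755),
        ("/sbin/modbusd", "modbusd", "2.4.0", b"ELF-MODBUSD-" + b"B" * 100, 0o755),
        ("/etc/modbusd.conf", "modbusd.conf", "2.4.0", b"port=502\nunit=1\n" * 5, 0o644),
    ]:
        base[path] = (fingerprint(Observed(path, name, version, content, mode)), content)
    return base


if __name__ == "__main__":
    det = Detector(build_trusted_base())
    tampered = Observed("/sbin/modbusd", "modbusd", "2.4.0", b"ELF-MALWARE-" + b"Z" * 100, 0o755)
    print("alarm level:", det.check(tampered), "uploaded:", det.uploads)
```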
In a specific embodiment of the present application, the processing unit is further configured to scan for and remove known or unknown viruses through one or more of an OWL engine, a main defense engine and an artificial intelligence engine;
the processing unit is also used for collecting DNS server logs, virus access URL characteristic information and IP address division information of all associated hosts in the power Internet of Things device system;
establishing a virus characteristic table from the collected virus access URL characteristic information;
acquiring DNS server logs from the associated hosts, parsing and standardizing the DNS server logs by comparative analysis, then performing feature comparison with the virus characteristic table, and generating alarm information of different levels according to the comparison results; wherein
when the feature comparison fails, the data is cleaned;
and when the feature comparison succeeds, alarm information of different levels is generated according to the matched virus features in the virus characteristic table.
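The DNS log comparison of this embodiment and of the method embodiment above, as an added Python illustration that is not the patent's own code. The log lines, the virus access URLs and the alarm level attached to each, the IP address divisions and the parent-domain matching rule are all constructed assumptions, and "cleaning the data" is taken to mean dropping the records that match no feature.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

FIRST, SECOND, THIRD = 1, 2, 3  # alarm levels, from high to low

# Constructed virus access URL characteristic information; the level each URL
# carries is an assumption (the patent only says levels come from the table).
VIRUS_ACCESS_URLS = {
    "http://c2.malicious.example/gate.php": FIRST,
    "http://dl.suspicious.example/update.bin": SECOND,
    "http://ads.unwanted.example/track": THIRD,
}

# Constructed IP address division information for the associated hosts.
IP_DIVISIONS = {
    "control-zone": ipaddress.ip_network("192.168.10.0/24"),
    "office-zone": ipaddress.ip_network("10.20.0.0/16"),
}

# Constructed DNS server query log lines in BIND's query-log layout.
DNS_LOGS = [
    "10-Oct-2022 13:45:02.123 client 192.168.10.21#51234: query: c2.malicious.example IN A + (192.168.10.1)",
    "10-Oct-2022 13:45:03.001 client 192.168.10.22#40001: query: ntp.plant.internal IN A + (192.168.10.1)",
    "10-Oct-2022 13:45:05.450 client 10.20.3.7#53022: query: DL.Suspicious.Example. IN AAAA + (10.20.0.1)",
    "10-Oct-2022 13:45:06.002 client 10.20.3.8#53023: query: cdn.ads.unwanted.example IN A + (10.20.0.1)",
    "10-Oct-2022 13:45:07.000 client 10.20.3.9#53024: query: ads.unwanted.example.com IN A + (10.20.0.1)",
    "zone transfer denied: malformed line that does not parse",
]

QUERY_RE = re.compile(r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def build_virus_table(urls: Dict[str, int]) -> Dict[str, int]:
    """Reduce each virus access URL to the host name a DNS log can show,
    keeping the most severe (lowest-numbered) level per host."""
    table: Dict[str, int] = {}
    for url, level in urls.items():
        host = (urlparse(url).hostname or "").lower().rstrip(".")
        if host:
            table[host] = min(level, table.get(host, level))
    return table


def normalize(line: str) -> Optional[Dict[str, str]]:
    """Standardize one log line: lower-case the name, strip the trailing root dot."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return {"client": m["ip"], "qname": m["qname"].lower().rstrip("."), "qtype": m["qtype"].upper()}


def division_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in IP_DIVISIONS.items():
        if addr in net:
            return name
    return "unassigned"


def match_feature(qname: str, table: Dict[str, int]) -> Optional[Tuple[str, int]]:
    """Exact host match first, then each parent domain, so 'cdn.ads.unwanted.example'
    matches the table entry 'ads.unwanted.example' (suffix matching is an assumption)."""
    labels = qname.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in table:
            return candidate, table[candidate]
    return None


def analyze(lines: List[str], table: Dict[str, int]) -> Tuple[List[Dict[str, object]], int]:
    """Compare standardized DNS logs with the virus characteristic table.
    Returns (alarms, cleaned): records whose comparison fails are cleaned, i.e.
    dropped and counted; successful comparisons yield a leveled alarm."""
    alarms, cleaned = [], 0
    for line in lines:
        rec = normalize(line)
        hit = match_feature(rec["qname"], table) if rec else None
        if hit is None:
            cleaned += 1
            continue
        matched, level = hit
        alarms.append({"level": level, "client": rec["client"], "division": division_of(rec["client"]),
                       "qname": rec["qname"], "matched": matched})
    return alarms, cleaned


if __name__ == "__main__":
    for alarm in analyze(DNS_LOGS, build_virus_table(VIRUS_ACCESS_URLS))[0]:
        print(alarm)
```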
It can be understood that the OWL engine has rich format recognition and analysis capability, supports scanning and removal of PE and non-PE viruses, can fully repair infected files, and can detect high-risk vulnerabilities from nearly the past ten years. The OWL engine supports Windows, Linux, Mac and trusted operating systems, and also supports various CPU architectures such as x86/x64, MIPS, ARM and ALPHA; the artificial intelligence engine can learn to recognize and remove new forms of malware through artificial intelligence analysis algorithms. Data security is protected to the greatest extent by a blacklist and whitelist verification method.
In one embodiment of the present application, the software static fingerprint information includes one or more of name information, version information and a software hash.
In summary, the method and system for detecting network security anomalies of the present invention not only effectively help solve the problems of visibility and security control of Internet of Things terminals in the network environment, but also automatically discover abnormal situation information in the network. Based on the discovery, identification and accurate classification of terminals such as Internet of Things devices, operational technology systems, peripheral devices and network infrastructure components, a device fingerprint baseline, a network baseline and a behavior baseline are learned and established, and on the basis of these baselines the equipment raises an alarm when device counterfeiting intrusion, illegal connection or illegal behavior occurs. The invention takes detection technology as its core and recovery technology as its backstop, and integrates protection, detection, response and recovery technologies. Through detection and recovery technology, abnormal user behaviors in the network system are discovered, alarm information of different levels is generated according to the severity of the event, and corresponding measures are taken.
The above description is only an embodiment of the present invention and is not intended to limit its scope; any structural changes made according to the present invention without departing from its spirit should be considered as falling within the scope of the present invention.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process and related description of the system described above may refer to the corresponding process in the foregoing method embodiments, and will not be described herein again.
It should be noted that, the system provided in the foregoing embodiment is only illustrated by dividing the functional modules, and in practical applications, the functions may be distributed by different functional modules according to needs, that is, the modules or steps in the embodiments of the present invention are further decomposed or combined, for example, the modules in the foregoing embodiment may be combined into one module, or may be further split into multiple sub-modules, so as to complete all or part of the functions described above. The names of the modules and steps involved in the embodiments of the present invention are only for distinguishing the modules or steps, and are not to be construed as unduly limiting the present invention.
Those of skill in the art will appreciate that the various illustrative modules and method steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the programs corresponding to the software modules and method steps may be located in random access memory (RAM), read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. To clearly illustrate this interchangeability of electronic hardware and software, various illustrative components and steps have been described above generally in terms of their functionality. Whether these functions are performed in electronic hardware or software depends upon the particular application and the design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
So far, the technical solutions of the present invention have been described in connection with the preferred embodiments shown in the drawings, but it is apparent to those skilled in the art that the scope of the present invention is not limited to these specific embodiments. Equivalent changes or substitutions of related technical features can be made by those skilled in the art without departing from the principle of the invention, and the technical scheme after the changes or substitutions can fall into the protection scope of the invention.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention.

Claims (10)

1. A method for detecting network security anomalies based on deep learning, characterized by comprising the following steps:
monitoring data files under a key path of the power Internet of Things device system in real time, and generating an anomaly alarm according to change information of the data files;
monitoring real-time behavior information of device processes in real time, comparing the real-time behavior information with a local behavior baseline set, and generating an anomaly alarm according to the abnormal result;
respectively comparing the monitored data files under the key path of the power Internet of Things device system and the process files corresponding to the device processes with a local trusted software base, uploading the data files whose comparison is abnormal, and performing cloud scan-and-kill;
generating alarm information of different levels according to the cloud scan-and-kill result; wherein
the alarm levels are divided, from high to low, into a first-level alarm, a second-level alarm and a third-level alarm;
and when the alarm information generated from the cloud scan-and-kill result is the third-level alarm, storing the type of the data file whose comparison is abnormal and performing deep autonomous learning, and when that type of data file with abnormal comparison appears again, directly generating the third-level alarm.
2. The method for detecting network security anomalies based on deep learning according to claim 1, further comprising:
acquiring software static fingerprint information and process dynamic behavior information while the power Internet of Things device system operates normally, storing the information locally and uploading it to the service terminal;
and constructing the local trusted software base from the software static fingerprint information, and constructing the local behavior baseline set from the process dynamic behavior information.
3. The method for detecting network security anomalies based on deep learning according to claim 1, wherein the change information of the data file comprises changes in information content and changes in information rights;
when the information content change of the data file is less than or equal to 30%, the alarm information generated from the cloud scan-and-kill result is the third-level alarm;
when the information content change of the data file is greater than or equal to 30% and less than 60%, the alarm information generated from the cloud scan-and-kill result is the second-level alarm;
and when the information content change of the data file is greater than or equal to 60%, the alarm information generated from the cloud scan-and-kill result is the first-level alarm.
4. The method for detecting network security anomalies based on deep learning according to claim 1, wherein uploading the data files whose comparison is abnormal and performing cloud scan-and-kill comprises: scanning for and removing known or unknown viruses through one or more of an OWL engine, a main defense engine and an artificial intelligence engine;
further comprising:
collecting DNS server logs, virus access URL (uniform resource locator) characteristic information and IP address division information of all associated hosts in the power Internet of Things device system;
establishing a virus characteristic table from the collected virus access URL characteristic information;
acquiring DNS server logs from the associated hosts, parsing and standardizing the DNS server logs, comparing them with the virus characteristic table, and generating alarm information of different levels according to the comparison results; wherein
when the characteristic comparison fails, the data is cleaned;
and when the characteristic comparison succeeds, alarm information of different levels is generated according to the virus characteristics matched in the virus characteristic table.
5. The method for detecting network security anomalies based on deep learning according to claim 1, wherein
the software static fingerprint information comprises one or more of name information, version information and a software hash.
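The method claims above describe a procedure without showing how its pieces fit together: a trusted software base built from static fingerprints (claims 2 and 5), a file comparison whose content-change percentage selects the alarm level (claim 3), a learned file type that is alarmed directly without the cloud step (claim 1), and DNS log lines matched against a virus characteristic table (claim 4). The following Python is an added example written for this page; it is not code from the patent or its applicant, and it mirrors the system claims 6 to 10 as well. The function names, the use of a sequence diff to measure the content-change percentage, the treatment of a file absent from the base as fully changed, the handling of exactly 30% (which the claim text assigns to two levels) as the more severe level, the BIND-style log format and all sample data are assumptions or constructed for illustration.

```python
import difflib
import hashlib
import re
from dataclasses import dataclass, field

# Alarm levels as in claim 1: the first level is the most severe.
FIRST_LEVEL, SECOND_LEVEL, THIRD_LEVEL = 1, 2, 3


def alarm_level_for_change(change_ratio: float) -> int:
    """Map the fraction of changed content to an alarm level (claims 3 and 8).
    <=30% -> third, >=30% and <60% -> second, >=60% -> first; the claim text
    covers exactly 30% twice, resolved here to the more severe level (assumption)."""
    if change_ratio >= 0.60:
        return FIRST_LEVEL
    if change_ratio >= 0.30:
        return SECOND_LEVEL
    return THIRD_LEVEL


def content_change_ratio(old: bytes, new: bytes) -> float:
    """Fraction of content that differs.  The patent does not define the
    measure; 1 minus the difflib similarity ratio is used as an assumption."""
    if not old and not new:
        return 0.0
    return 1.0 - difflib.SequenceMatcher(None, old, new).ratio()


@dataclass
class TrustedEntry:
    """Static fingerprint (name, version, hash; claims 2/5) plus the permission
    bits and baseline content needed to grade a later change."""
    name: str
    version: str
    sha256: str
    mode: int
    content: bytes


def build_trusted_base(files):
    """Trusted software base from (path, name, version, content, mode) tuples
    captured while the device system operates normally (claim 2)."""
    return {path: TrustedEntry(name, version, hashlib.sha256(content).hexdigest(), mode, content)
            for path, name, version, content, mode in files}


@dataclass
class FileIntegrityDetector:
    trusted: dict                                    # path -> TrustedEntry
    learned_types: set = field(default_factory=set)  # file types stored by the learning unit

    def check_file(self, path: str, content: bytes, mode: int) -> dict:
        """Compare one monitored file with the trusted base and grade the alarm."""
        base = self.trusted.get(path)
        rights_changed = base is not None and mode != base.mode
        if base is not None and hashlib.sha256(content).hexdigest() == base.sha256 and not rights_changed:
            return {"path": path, "level": None, "cloud_scan": False, "rights_changed": False}
        # Comparison is abnormal.  A type already learned from an earlier
        # third-level result is alarmed directly, skipping the cloud step (claim 1).
        ftype = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        if ftype in self.learned_types:
            return {"path": path, "level": THIRD_LEVEL, "cloud_scan": False, "rights_changed": rights_changed}
        # Stand-in for the cloud scan-and-kill verdict: grade by content change.
        # A file absent from the base is treated as fully changed (assumption).
        ratio = 1.0 if base is None else content_change_ratio(base.content, content)
        level = alarm_level_for_change(ratio)
        if level == THIRD_LEVEL:
            self.learned_types.add(ftype)
        return {"path": path, "level": level, "cloud_scan": True, "rights_changed": rights_changed}


# DNS side (claims 4 and 9): parse BIND-style query log lines, normalise the
# queried name, and compare it with the virus characteristic table.
_QUERY_RE = re.compile(r"client (?:@\S+ )?(?P<ip>[\d.]+)#\d+(?: \([^)]*\))?: query: (?P<name>\S+) IN")


def normalise_name(name: str) -> str:
    return name.rstrip(".").lower()


def scan_dns_logs(lines, feature_table):
    """One alarm per line whose queried name is in feature_table (domain -> level);
    lines that fail the comparison are cleaned, i.e. dropped."""
    alarms = []
    for line in lines:
        m = _QUERY_RE.search(line)
        if m is None:
            continue
        name = normalise_name(m.group("name"))
        level = feature_table.get(name)
        if level is None:
            continue
        alarms.append({"host": m.group("ip"), "domain": name, "level": level})
    return alarms


# Constructed sample data (not from the patent).
VIRUS_FEATURE_TABLE = {"c2.example": FIRST_LEVEL, "dl.example": SECOND_LEVEL}
SAMPLE_DNS_LOG = [
    "12-Oct-2022 09:12:01.123 client 10.10.1.20#51234 (c2.example): query: c2.example IN A + (10.10.1.1)",
    "12-Oct-2022 09:12:02.456 client 10.10.1.21#49001 (update.vendor.example): query: update.vendor.example IN A + (10.10.1.1)",
    "12-Oct-2022 09:12:03.789 client 10.10.1.22#40022 (DL.EXAMPLE.): query: DL.EXAMPLE. IN A + (10.10.1.1)",
    "12-Oct-2022 09:12:04.000 zone refresh: unrelated log line",
]

if __name__ == "__main__":
    old = b"abcdefghij" * 10
    det = FileIntegrityDetector(build_trusted_base([("/opt/plc/agent.bin", "agent", "1.2.0", old, 0o755)]))
    print(det.check_file("/opt/plc/agent.bin", old[:-5] + b"XXXXX", 0o755))
    print(scan_dns_logs(SAMPLE_DNS_LOG, VIRUS_FEATURE_TABLE))
```

The detector keeps the baseline content only so that the change percentage can be computed; a deployment that stores hashes alone can grade on hash mismatch and permission change but cannot reproduce the 30%/60% thresholds of claim 3.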
6. A system for detecting network security anomalies based on deep learning, comprising:
a monitoring unit for monitoring data files under a key path of the power Internet of Things device system in real time and generating an anomaly alarm according to change information of the data files;
the monitoring unit further being for monitoring real-time behavior information of device processes in real time, comparing the real-time behavior information with the local behavior baseline set and generating an anomaly alarm according to the abnormal result;
a processing unit for respectively comparing the monitored data files under the key path of the power Internet of Things device system and the process files corresponding to the device processes with the local trusted software base, uploading the data files whose comparison is abnormal and performing cloud scan-and-kill;
an alarm unit for generating alarm information of different levels according to the cloud scan-and-kill result; wherein
the alarm levels are divided, from high to low, into a first-level alarm, a second-level alarm and a third-level alarm;
and a deep learning unit for storing the type of the data file whose comparison is abnormal and performing deep autonomous learning when the alarm information generated from the cloud scan-and-kill result is the third-level alarm, and directly generating the third-level alarm when that type of data file with abnormal comparison appears again.
7. The system for detecting network security anomalies based on deep learning according to claim 6, wherein
the monitoring unit is further for acquiring software static fingerprint information and process dynamic behavior information while the power Internet of Things device system operates normally, storing the information locally and uploading it to the service terminal; and for constructing the local trusted software base from the software static fingerprint information and constructing the local behavior baseline set from the process dynamic behavior information.
8. The system for detecting network security anomalies based on deep learning according to claim 6, wherein
the change information of the data file comprises changes in information content and changes in information rights;
when the information content change of the data file is less than or equal to 30%, the alarm information generated from the cloud scan-and-kill result is the third-level alarm;
when the information content change of the data file is greater than or equal to 30% and less than 60%, the alarm information generated from the cloud scan-and-kill result is the second-level alarm;
and when the information content change of the data file is greater than or equal to 60%, the alarm information generated from the cloud scan-and-kill result is the first-level alarm.
9. The system for detecting network security anomalies based on deep learning according to claim 6, wherein
the processing unit is further for scanning for and removing known or unknown viruses through one or more of an OWL engine, a main defense engine and an artificial intelligence engine;
the processing unit is further for collecting DNS server logs, virus access URL (uniform resource locator) characteristic information and IP (Internet protocol) address division information of all associated hosts in the power Internet of Things device system;
establishing a virus characteristic table from the collected virus access URL characteristic information;
acquiring DNS server logs from the associated hosts, parsing and standardizing the DNS server logs, comparing them with the virus characteristic table, and generating alarm information of different levels according to the comparison results; wherein
when the characteristic comparison fails, the data is cleaned;
and when the characteristic comparison succeeds, alarm information of different levels is generated according to the virus characteristics matched in the virus characteristic table.
10. The system for detecting network security anomalies based on deep learning according to claim 6, wherein
the software static fingerprint information comprises one or more of name information, version information and a software hash.
CN202211256732.8A 2022-10-13 2022-10-13 Network security abnormity detection method and system based on deep learning Pending CN115913634A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211256732.8A CN115913634A (en) 2022-10-13 2022-10-13 Network security abnormity detection method and system based on deep learning

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211256732.8A CN115913634A (en) 2022-10-13 2022-10-13 Network security abnormity detection method and system based on deep learning

Publications (1)

Publication Number Publication Date
CN115913634A true CN115913634A (en) 2023-04-04

Family

ID=86488684

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211256732.8A Pending CN115913634A (en) 2022-10-13 2022-10-13 Network security abnormity detection method and system based on deep learning

Country Status (1)

Country Link
CN (1) CN115913634A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117097558A (en) * 2023-10-10 2023-11-21 武汉季隆数据科技有限公司 Computer network safety control device and system

Similar Documents

Publication Publication Date Title
CN110719291B (en) Network threat identification method and identification system based on threat information
CN110730175B (en) Botnet detection method and detection system based on threat information
CN112637220B (en) Industrial control system safety protection method and device
US10721245B2 (en) Method and device for automatically verifying security event
CN112887341B (en) External threat monitoring method
CN110210213B (en) Method and device for filtering malicious sample, storage medium and electronic device
CN111460445A (en) Method and device for automatically identifying malicious degree of sample program
CN110149319B (en) APT organization tracking method and device, storage medium and electronic device
CN110868403B (en) Method and equipment for identifying advanced persistent Attack (APT)
CN110099044A (en) Cloud Host Security detection system and method
CN112131571B (en) Threat tracing method and related equipment
Djanali et al. SQL injection detection and prevention system with raspberry Pi honeypot cluster for trapping attacker
CN110768949B (en) Vulnerability detection method and device, storage medium and electronic device
CN117454376A (en) Industrial Internet data security detection response and tracing method and device
CN115913634A (en) Network security abnormity detection method and system based on deep learning
JP2013152497A (en) Black list extraction device, extraction method and extraction program
EP4111660B1 (en) Cyberattack identification in a network environment
KR20070077517A (en) Profile-based web application intrusion detection system and the method
CN115361235B (en) Network security detection method, equipment, device, electronic equipment and medium
CN114257403B (en) False alarm detection method, equipment and readable storage medium
TWI640891B (en) Method and apparatus for detecting malware
CN116248397A (en) Vulnerability detection method and device, electronic equipment and readable storage medium
CN115348052A (en) Multi-dimensional blacklist protection method, device, equipment and readable storage medium
EP3982594A1 (en) Method for assessing the quality of network-related indicators of compromise
CN116155519A (en) Threat alert information processing method, threat alert information processing device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination