CN116155622A - Network homologous attack analysis method, system, equipment and storage medium - Google Patents


Info

Publication number
CN116155622A
Authority
CN
China
Prior art keywords
features
attack
homologous
field
attack analysis
Prior art date
Legal status
Pending
Application number
CN202310406576.7A
Other languages
Chinese (zh)
Inventor
韦玮
钟明
安娜
杨宁
王春森
李小翔
冯帆
杨永前
Current Assignee
Huaneng Clean Energy Research Institute
Huaneng Group Technology Innovation Center Co Ltd
Original Assignee
Huaneng Clean Energy Research Institute
Priority date
Filing date
Publication date
Application filed by Huaneng Clean Energy Research Institute
Priority to CN202310406576.7A
Publication of CN116155622A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • G06N3/084 Backpropagation, e.g. using gradient descent
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/146 Tracing the source of attacks
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

The invention discloses a network homologous attack analysis method, system, equipment and storage medium. A historical data set is established from historical attack events; sequence features and field features of the data stream are selected from the historical data set based on Modbus TCP data stream features; and a homologous attack analysis model is established from the acquired sequence features and field features. By comparing sequence features and field features, the method and device can quickly and accurately obtain the homologous classification information of attack data, so that the latest attacks and vulnerabilities launched against the server can be effectively prevented. Through the model optimization method based on the attention mechanism, the accuracy of model classification is greatly improved, and with it the accuracy of homologous attack analysis.

Description

Network homologous attack analysis method, system, equipment and storage medium
Technical Field
The invention belongs to the technical field of network analysis and processing, and particularly relates to a network homologous attack analysis method, a system, equipment and a storage medium.
Background
With the development of network technology, honeypot technology is increasingly applied. It is a technique for deceiving an attacker: by deploying a host, network service or information as bait, the attacker is induced to attack it, so that the attack behaviour can be captured and analysed, the tools and methods used by the attacker learned, and the attack intention and motivation inferred; the defending side thereby gains a clear picture of the security threats it faces and can strengthen the security protection of the actual system through technical and management means. At present, homologous analysis of homologous attack data and the organizations behind it is performed by manual analysis after interception, which is inefficient, affected by human factors and of low precision.
Disclosure of Invention
The invention aims to provide a network homologous attack analysis method, a system, equipment and a storage medium, which are used for solving the problems of low analysis efficiency and low accuracy aiming at the network homologous attack in the prior art.
A network homology attack analysis method comprises the following steps:
s1, establishing a historical data set according to a historical attack event, selecting sequence features and field features in a data stream from the historical data set based on Modbus TCP data stream features, and establishing a homologous attack analysis model based on the acquired sequence features and field features;
s2, sequence features and field features of an attacker about the data stream are obtained from the to-be-detected attack data and are respectively compared with the sequence features and the field features in the homologous attack analysis model, so that attack source or attack organization information of the attack data is obtained.
Preferably, the establishing a historical data set according to the historical attack event, selecting sequence features and field features in the data stream from the historical data set based on Modbus TCP data stream features, and establishing a homologous attack analysis model based on the acquired sequence features and field features includes:
based on Modbus TCP data message format, converting sequence features and field features in data streams of a historical dataset into multidimensional vectors which can be used for feature learning in CNN according to key fields in honeypot data streams, and inputting the converted multidimensional vectors into CNN for convolution operation and maximum value pooling operation; and then taking the feature vector output by the CNN as an input layer of the LSTM, and calculating a weight matrix based on an attention mechanism to obtain a homologous attack analysis model.
Preferably, the weight matrix calculation based on the attention mechanism, to obtain a homologous attack analysis model, includes: and performing iterative optimization on the weight matrix by using a back propagation algorithm so as to obtain a homologous attack analysis model of the optimal feature vector.
Preferably, the respective comparison with the sequence features and field features in the homologous attack analysis model further includes: normalizing the sequence features and the field features with a softmax activation function, and classifying according to the probability computed from the statistical distribution of the normalized result to obtain a probability distribution result.
Preferably, after the sequence features and field features are normalized with the softmax activation function and the probability distribution result is obtained by classifying according to the probability computed from the statistical distribution of the normalized result, the model is evaluated on the probability distribution result generated by the softmax activation function based on the cross entropy loss.
A network homologous attack analysis system comprises a preprocessing module and an analysis module;
the preprocessing module is used for establishing a historical data set according to the historical attack event, selecting sequence features and field features in the data stream from the historical data set based on Modbus TCP data stream features, and establishing a homologous attack analysis model based on the acquired sequence features and field features;
the analysis module acquires sequence characteristics and field characteristics of an attacker about the data flow from the to-be-detected attack data, and compares the sequence characteristics and the field characteristics with the sequence characteristics and the field characteristics in the homologous attack analysis model respectively, so that attack source or attack organization information of the attack data is obtained.
Preferably, the preprocessing module establishes a historical data set according to the historical attack event, selects sequence features and field features in the data stream from the historical data set based on Modbus TCP data stream features, and establishes a homologous attack analysis model based on the acquired sequence features and field features, wherein the establishing the homologous attack analysis model comprises the following steps: based on Modbus TCP data message format, converting sequence features and field features in data streams of a historical dataset into multidimensional vectors which can be used for feature learning in CNN according to key fields in honeypot data streams, and inputting the converted multidimensional vectors into CNN for convolution operation and maximum value pooling operation; then, taking the feature vector output by the CNN as an input layer of the LSTM, and carrying out weight matrix calculation based on an attention mechanism to obtain a homologous attack analysis model;
the weight matrix calculation is performed based on the attention mechanism to obtain a homologous attack analysis model, which comprises the following steps: and performing iterative optimization on the weight matrix by using a back propagation algorithm so as to obtain a homologous attack analysis model of the optimal feature vector.
Preferably, the analysis module's respective comparison with the sequence features and field features in the homologous attack analysis model further includes: normalizing the sequence features and the field features with a softmax activation function, and classifying according to the probability computed from the statistical distribution of the normalized result.
A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the network homology attack analysis method described above when the computer program is executed.
A computer readable storage medium storing a computer program which, when executed by a processor, implements the steps of the network homology attack analysis method described above.
Compared with the prior art, the invention has the following beneficial technical effects:
the invention relates to a network homologous attack analysis method, which comprises the steps of establishing a historical data set according to historical attack events, selecting sequence features and field features in the data stream from the historical data set based on Modbus TCP data stream features, and establishing a homologous attack analysis model based on the acquired sequence features and field features; by comparing sequence features and field features, the method and device can quickly and accurately obtain the homologous classification information of attack data, so that the latest attacks and vulnerabilities launched against the server can be effectively prevented.
By means of the model optimization method based on the attention mechanism, unsupervised training and supervised adjustment are carried out on the homologous attack analysis model, so that the accuracy of model classification is greatly improved, and the accuracy of homologous attack analysis is improved.
Drawings
Fig. 1 is a schematic diagram of a system structure according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The invention provides a network homologous attack analysis method, which specifically comprises the following steps:
s1, establishing a historical data set according to a historical attack event, selecting sequence features and field features in a data stream from the historical data set based on Modbus TCP data stream features, and establishing a homologous attack analysis model based on the acquired sequence features and field features;
s2, sequence features and field features of an attacker about the data stream are obtained from the to-be-detected attack data and are respectively compared with the sequence features and the field features in the homologous attack analysis model, so that attack source or attack organization information of the attack data is obtained.
Network traffic contains many redundant and trace-independent attributes that reduce the accuracy of detection and increase computational load and complexity. In the invention, the Modbus-based TCP data stream characteristics comprise data stream duration, TCP port number, average time interval of two inputs of a data packet, time interval variance of two inputs of the data packet and average size of a payload (payload).
According to the Modbus TCP data flow characteristics, Modbus TCP data flow feature selection based on flow statistics is performed according to the specific data flow and message characteristics of the cloud server protocol Modbus TCP. 15 cloud server flow features are selected and described in Table 1. The first 6 are features of the Modbus TCP protocol itself: the Modbus transaction identifier, the Modbus protocol identifier, the MBAP data length, the unit identifier, the IP packet header length and the function code in Modbus TCP. The rest are traditional traffic features: total byte count, sequence duration, packet transmission rate, mean inter-packet time interval, time interval variance, time interval standard deviation, maximum time interval, minimum time interval and number of connection requests.
Table 1: flow-layer features (given as an image in the source, Figure SMS_1; not reproduced here)
Based on Modbus TCP data message format, converting sequence features and field features in data streams of a historical dataset into multidimensional vectors which can be used for feature learning in a CNN (convolutional neural network) according to key fields in honeypot data streams, and inputting the converted multidimensional vectors into the CNN for convolutional operation and maximum value pooling operation; and then taking the feature vector output by the CNN as an input layer of an LSTM (long short term memory network), and calculating a weight matrix based on an attention mechanism to obtain a homologous attack analysis model.
The invention uses a back propagation algorithm (Back propagation algorithm, BP algorithm) to carry out iterative optimization on the weight matrix, so as to find a homologous attack analysis model of the optimal feature vector; and classifying the attack data to be detected and evaluating the model by using the obtained homologous attack analysis model.
Specifically, according to the binary form of a data packet in the historical data set, the key field length is m/8 bytes, the data in the historical data set is embedded into an m-dimensional space, and the total amount of data is n, so that an m × n bit matrix is generated;
according to the Modbus TCP data flow characteristics, convolution is computed in the CNN with a one-dimensional convolution layer, where the number of convolution kernels is k = 5, the filter size is m × q, the stride is 2, and the output matrix size of this layer is 5 × (n/2); in the pooling layer, the dimension of the feature values is reduced by max pooling (Max Pooling) with a window of 2, generating the corresponding feature map; the CNN output feature map size is 5 × (n/4);
the feature map output by the CNN is input into the constructed LSTM network; the input is the 5-dimensional feature vector c_0.
Data features l_0 are obtained by unsupervised learning training and supervised adjustment in the LSTM network; then, using the model optimization method based on the attention mechanism, iterative optimization of the weight matrix over the feature vectors of the fully connected layer is performed with the back propagation algorithm to obtain the optimal weight matrix, from which the optimal feature vector and thus the homologous attack analysis model are obtained.
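As an added illustration (not code from the patent), the following Python extracts the Table 1 style features from a constructed Modbus TCP flow: the MBAP fields of each frame, the flow statistics, and the m × n bit matrix of the key field described above. It assumes tcpdump-style TCP flag letters, a constant IP header length of 20 bytes and m = 56 (the 7-byte MBAP header); the frames and timestamps are constructed sample data.

```python
"""Feature extraction for Modbus TCP flows in the style of the patent's Table 1.

Added example, not the patent's own code. Packets are modelled as
(timestamp_seconds, tcp_flags, payload) where tcp_flags uses tcpdump-style
letters ("S" = SYN, "P" = PSH, "A" = ACK) and payload is the Modbus TCP frame
(empty for bare TCP control segments).
"""
import struct
from statistics import mean, pstdev, pvariance

MBAP_FMT = "!HHHB"                     # transaction id, protocol id, length, unit id
MBAP_LEN = struct.calcsize(MBAP_FMT)   # 7 bytes; the function code follows


def build_frame(tid, unit, fc, body=b""):
    """Build a Modbus TCP frame (MBAP header + PDU) for the constructed sample."""
    pdu = bytes([fc]) + body
    # the MBAP length field counts the unit id plus the PDU
    return struct.pack(MBAP_FMT, tid, 0, len(pdu) + 1, unit) + pdu


def protocol_fields(frame, ip_header_len=20):
    """The six protocol-level features of Table 1 for one frame.

    The IP header length is not in the Modbus frame; 20 bytes (no IP options)
    is assumed here. A frame whose MBAP length disagrees with its real size is
    rejected rather than silently featurised.
    """
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(MBAP_FMT, frame[:MBAP_LEN])
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return {
        "transaction_id": tid,
        "protocol_id": pid,
        "length": length,
        "unit_id": unit,
        "ip_header_len": ip_header_len,
        "function_code": frame[MBAP_LEN],
    }


def flow_features(packets):
    """The nine flow-statistics features of Table 1 (plus average payload size).

    packets: time-ordered list of (ts_seconds, tcp_flags, payload) for one flow.
    """
    if not packets:
        raise ValueError("empty flow")
    ts = [p[0] for p in packets]
    sizes = [len(p[2]) for p in packets]
    gaps = [b - a for a, b in zip(ts, ts[1:])]   # inter-packet time intervals
    duration = ts[-1] - ts[0]
    feats = {
        "total_bytes": sum(sizes),
        "duration": duration,
        # a single-packet or zero-duration flow has no meaningful rate
        "packet_rate": len(packets) / duration if duration > 0 else 0.0,
        "avg_payload": sum(sizes) / len(sizes),
        "conn_requests": sum("S" in p[1] for p in packets),
    }
    if gaps:
        feats.update(ia_mean=mean(gaps), ia_var=pvariance(gaps),
                     ia_std=pstdev(gaps), ia_max=max(gaps), ia_min=min(gaps))
    else:
        feats.update(ia_mean=0.0, ia_var=0.0, ia_std=0.0, ia_max=0.0, ia_min=0.0)
    return feats


def key_field_bits(frame, m):
    """Embed the first m/8 bytes of a frame into an m-dimensional bit vector (MSB first)."""
    if m % 8:
        raise ValueError("m must be a multiple of 8")
    nbytes = m // 8
    chunk = frame[:nbytes].ljust(nbytes, b"\x00")   # zero-pad frames shorter than the key field
    return [(byte >> (7 - i)) & 1 for byte in chunk for i in range(8)]


def bit_matrix(frames, m):
    """m x n bit matrix: one row per bit position, one column per frame."""
    cols = [key_field_bits(f, m) for f in frames]
    return [[col[r] for col in cols] for r in range(m)]


# Constructed sample flow: a TCP SYN followed by three Modbus requests
# (read holding registers, write single register, read device identification).
SAMPLE_FLOW = [
    (0.00, "S", b""),
    (0.10, "PA", build_frame(1, 1, 0x03, b"\x00\x00\x00\x0a")),
    (0.25, "PA", build_frame(2, 1, 0x06, b"\x00\x01\x00\xff")),
    (0.55, "PA", build_frame(3, 1, 0x2b, b"\x0e\x01\x00")),
]


def sample_vector(m=56):
    """Flow statistics, per-frame protocol fields and the m x n bit matrix for the sample."""
    frames = [p[2] for p in SAMPLE_FLOW if p[2]]
    return flow_features(SAMPLE_FLOW), [protocol_fields(f) for f in frames], bit_matrix(frames, m)


if __name__ == "__main__":
    flow, fields, matrix = sample_vector()
    print(flow)
    print(fields)
    print("bit matrix:", len(matrix), "x", len(matrix[0]))
```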
The attention mechanism calculation formulas are given in the source as images (Figure SMS_2, Figure SMS_3, Figure SMS_4) and are not reproduced here. In them, [Figure SMS_7] is the neuron output, [Figure SMS_8] represents the weight matrix at time [Figure SMS_9], [Figure SMS_10] represents the matrix of the data feature [Figure SMS_11], [Figure SMS_12] is the deviation value under supervised fine-tuning, [Figure SMS_13] is the attention vector, [Figure SMS_5] represents the iteratively optimized weight matrix, and [Figure SMS_6] represents the expression of the data stream based on the attention mechanism.
Normalizing the sequence features and the field features by the softmax activation function, classifying the calculated probability according to the statistical distribution of the normalized processing result to obtain a probability distribution result, and then carrying out model evaluation on the probability distribution result generated by the softmax activation function based on cross entropy loss.
A back propagation algorithm is used to iteratively optimize the weight matrix so as to minimize the deviation value of the model feature vector. The back propagation algorithm has two stages, excitation propagation and weight updating: in the first stage, the training input is fed through the network to obtain the excitation, and the errors of the hidden layer and the output layer are obtained from the corresponding target fed back through the network; in the second stage, the weights are updated by the following formulas, given as images in the source (Figure SMS_14, Figure SMS_15, Figure SMS_16), to obtain the weight vector, where [Figure SMS_17] is the initial weight, [Figure SMS_18] the data feature, [Figure SMS_19] the weight at iteration [Figure SMS_20], [Figure SMS_21] the gradient correction, [Figure SMS_22] is [Figure SMS_23], and b is a bias vector.
After the feature vector values are obtained from the CNN- and LSTM-based homologous attack analysis model, the probabilities are calculated through a softmax activation function in order to solve the flow classification problem; the softmax formulas are given as images in the source (Figure SMS_24, Figure SMS_25), where [Figure SMS_26] is the classification output and [Figure SMS_27] is the j-th input of softmax. The deviation between the true value and the estimated value is calculated, and the model output is evaluated with the cross entropy loss so as to cope with the influence of multiple factors such as model parameters, vector prediction and high complexity; the cross entropy probability distribution formula is given as an image in the source (Figure SMS_28), where [Figure SMS_29] is the cross entropy function, X is the sample, [Figure SMS_30] is the desired output, and [Figure SMS_31] is the actual output. The cross entropy loss is reduced by iterating the attention vector and the attention matrix.
According to the network homologous attack analysis method, homologous attack analysis is carried out on Modbus TCP data streams. First, features of the attack data to be detected are selected based on Modbus TCP data flow characteristics; then, sequence features and field features are extracted from the data stream, the data stream features are convolved and pooled by the CNN, the feature vector output by the CNN is input into the LSTM (long short-term memory) network to learn the sequence content, and an attention matrix is added in this part. All weights in the attention matrix are iteratively optimized and updated with the back propagation algorithm; then the classification probability value is obtained through the softmax activation function while the CNN-LSTM model is evaluated with the cross entropy loss function.
Based on Modbus TCP data flow characteristics, the cloud server protocol homologous attack analysis method based on CNN-LSTM is provided for the first time, unsupervised training and supervised adjustment are carried out on a homologous attack analysis model, so that the classification accuracy of the homologous attack analysis model is greatly improved, and the accuracy of the homologous attack analysis is improved.
In one embodiment of the present invention, as shown in fig. 1, a network homologous attack analysis system includes a preprocessing module and an analysis module;
the preprocessing module is used for establishing a historical data set according to the historical attack event, selecting sequence features and field features in the data stream from the historical data set based on Modbus TCP data stream features, and establishing a homologous attack analysis model based on the acquired sequence features and field features;
the analysis module acquires sequence characteristics and field characteristics of an attacker about the data flow from the to-be-detected attack data, and compares the sequence characteristics and the field characteristics with the sequence characteristics and the field characteristics in the homologous attack analysis model respectively, so that attack source or attack organization information of the attack data is obtained.
In yet another embodiment of the present invention, a terminal device is provided, the terminal device including a processor and a memory, the memory for storing a computer program, the computer program including program instructions, the processor for executing the program instructions stored by the computer storage medium. The processor may be a central processing unit (Central Processing Unit, CPU), but may also be other general purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), field programmable gate arrays (FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc., which are the computational core and control core of the terminal adapted to implement one or more instructions, in particular adapted to load and execute one or more instructions to implement a corresponding method flow or a corresponding function; the processor provided by the embodiment of the invention can be used for the operation of the network homologous attack analysis method.
In a further embodiment of the present invention, the present invention also provides a storage medium, in particular, a computer readable storage medium (Memory), which is a Memory device in a terminal device, for storing programs and data. It will be appreciated that the computer readable storage medium herein may include both a built-in storage medium in the terminal device and an extended storage medium supported by the terminal device. The computer-readable storage medium provides a storage space storing an operating system of the terminal. Also stored in the memory space are one or more instructions, which may be one or more computer programs (including program code), adapted to be loaded and executed by the processor. The computer readable storage medium herein may be a high-speed RAM memory or a non-volatile memory (non-volatile memory), such as at least one magnetic disk memory. One or more instructions stored in a computer-readable storage medium may be loaded and executed by a processor to implement the corresponding steps of the method for analysis of network homology attacks in the above-described embodiments.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical aspects of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the above embodiments, it should be understood by those of ordinary skill in the art that: modifications and equivalents may be made to the specific embodiments of the invention without departing from the spirit and scope of the invention, which is intended to be covered by the claims.

Claims (10)

1. A network homologous attack analysis method, characterized by comprising the following steps:
S1. Establishing a historical data set from historical attack events, selecting sequence features and field features of the data stream from the historical data set based on Modbus TCP data stream features, and establishing a homologous attack analysis model based on the obtained sequence features and field features;
S2. Obtaining the attacker's sequence features and field features of the data stream from the attack data to be detected and comparing them respectively with the sequence features and field features in the homologous attack analysis model, so as to obtain the attack source or attack organization information of the attack data.
2. The network homologous attack analysis method as claimed in claim 1, wherein establishing the historical data set from historical attack events, selecting sequence features and field features of the data stream from the historical data set based on Modbus TCP data stream features, and establishing the homologous attack analysis model based on the obtained sequence features and field features comprises:
based on the Modbus TCP message format, converting the sequence features and field features in the data streams of the historical data set, according to key fields in the honeypot data streams, into multidimensional vectors usable for feature learning in a CNN, and inputting the converted multidimensional vectors into the CNN for convolution and max-pooling operations; then taking the feature vector output by the CNN as the input layer of an LSTM, and calculating a weight matrix based on an attention mechanism to obtain the homologous attack analysis model.
3. The network homologous attack analysis method as claimed in claim 2, wherein calculating the weight matrix based on the attention mechanism to obtain the homologous attack analysis model comprises: performing iterative optimization on the weight matrix using a back-propagation algorithm, so as to obtain the homologous attack analysis model with the optimal feature vector.
4. The network homologous attack analysis method as claimed in claim 2, wherein the respective comparison with the sequence features and field features in the homologous attack analysis model further comprises: normalizing the sequence features and field features with a softmax activation function, and classifying according to the probability calculated from the statistical distribution of the normalization result to obtain a probability distribution result.
5. The network homologous attack analysis method as claimed in claim 4, wherein after the sequence features and field features are normalized with the softmax activation function and the probability distribution result is obtained by classifying according to the probability calculated from the statistical distribution of the normalization result, the probability distribution result generated by the softmax activation function is used for model evaluation based on cross-entropy loss.
6. A network homologous attack analysis system, characterized by comprising a preprocessing module and an analysis module;
the preprocessing module is used for establishing a historical data set from historical attack events, selecting sequence features and field features of the data stream from the historical data set based on Modbus TCP data stream features, and establishing a homologous attack analysis model based on the obtained sequence features and field features;
the analysis module obtains the attacker's sequence features and field features of the data stream from the attack data to be detected and compares them respectively with the sequence features and field features in the homologous attack analysis model, so as to obtain the attack source or attack organization information of the attack data.
7. The network homologous attack analysis system according to claim 6, wherein the preprocessing module establishing the historical data set from historical attack events, selecting sequence features and field features of the data stream from the historical data set based on Modbus TCP data stream features, and establishing the homologous attack analysis model based on the obtained sequence features and field features comprises: based on the Modbus TCP message format, converting the sequence features and field features in the data streams of the historical data set, according to key fields in the honeypot data streams, into multidimensional vectors usable for feature learning in a CNN, and inputting the converted multidimensional vectors into the CNN for convolution and max-pooling operations; then taking the feature vector output by the CNN as the input layer of an LSTM, and calculating a weight matrix based on an attention mechanism to obtain the homologous attack analysis model;
wherein calculating the weight matrix based on the attention mechanism to obtain the homologous attack analysis model comprises: performing iterative optimization on the weight matrix using a back-propagation algorithm, so as to obtain the homologous attack analysis model with the optimal feature vector.
8. The network homologous attack analysis system according to claim 7, wherein the analysis module comparing respectively with the sequence features and field features in the homologous attack analysis model further comprises: normalizing the sequence features and field features with a softmax activation function, and classifying according to the probability calculated from the statistical distribution of the normalization result.
9. A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor, when executing the computer program, implements the steps of the network homologous attack analysis method according to any one of claims 1 to 5.
10. A computer-readable storage medium storing a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the network homologous attack analysis method according to any one of claims 1 to 5.
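The attribution pipeline of claims 1 to 5 (and its system form in claims 6 to 8), as an added example that is not the patent's or the applicant's code: it parses constructed Modbus TCP request frames into field features (function-code histogram, write ratio, mean quantity, distinct unit identifiers) and sequence features (function-code bigram frequencies), trains a classifier whose softmax output is scored with cross-entropy, and returns the probability distribution over hypothetical attack sources for an unseen stream. The CNN, LSTM and attention layers of claims 2 and 3 are replaced by a linear softmax model fitted by gradient descent so that the example runs on the Python standard library alone; the frames, the two source groups and the names `build_frame`, `parse_frame`, `stream_features`, `train_softmax` and `make_stream` are all assumptions of this example.

```python
import math
import random
import struct
from collections import Counter

# Added example, not the patent's code. Function codes tracked as field features:
# read coils/discrete inputs/holding registers/input registers and the common writes.
FUNCTION_CODES = (1, 2, 3, 4, 5, 6, 15, 16)
WRITE_CODES = {5, 6, 15, 16}
MAX_READ_QUANTITY = 125.0  # only used to scale the mean quantity into [0, 1]


def build_frame(tid, unit_id, fc, address, quantity):
    """Constructed Modbus TCP request: 7-byte MBAP header followed by a 5-byte PDU."""
    pdu = struct.pack(">BHH", fc, address, quantity)
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id)  # length covers unit id + PDU
    return mbap + pdu


def parse_frame(frame):
    """Parse the MBAP header and request PDU fields; reject frames that are not well formed."""
    if len(frame) < 12:
        raise ValueError("frame shorter than MBAP header plus a minimal request PDU")
    tid, proto, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier %d is not Modbus" % proto)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d disagrees with frame size" % length)
    fc, address, quantity = struct.unpack(">BHH", frame[7:12])
    return {"tid": tid, "unit_id": unit_id, "fc": fc, "address": address, "quantity": quantity}


def stream_features(frames):
    """Field features (code histogram, write ratio, scaled mean quantity, distinct unit ids)
    followed by sequence features (function-code bigram frequencies) as one flat vector."""
    parsed = [parse_frame(f) for f in frames]
    if not parsed:
        raise ValueError("empty stream")
    n = len(parsed)
    codes = [p["fc"] for p in parsed]
    hist = Counter(codes)
    field = [hist[c] / n for c in FUNCTION_CODES]
    field.append(sum(1 for c in codes if c in WRITE_CODES) / n)
    field.append(sum(p["quantity"] for p in parsed) / n / MAX_READ_QUANTITY)
    field.append(len({p["unit_id"] for p in parsed}) / n)
    bigrams = Counter(zip(codes, codes[1:]))  # consecutive function-code pairs
    seq = [bigrams[(a, b)] / max(n - 1, 1) for a in FUNCTION_CODES for b in FUNCTION_CODES]
    return field + seq


def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    return [v / sum(e) for v in e]


def cross_entropy(probs, label):
    """Loss used to evaluate the softmax probability distribution (claim 5)."""
    return -math.log(max(probs[label], 1e-12))


def predict(model, x):
    W, b = model
    return softmax([sum(w * xi for w, xi in zip(W[k], x)) + b[k] for k in range(len(W))])


def train_softmax(samples, n_classes, epochs=200, lr=0.5):
    """Linear softmax classifier fitted by gradient descent on cross-entropy; p_k - 1[k == y]
    is the back-propagated error of the softmax/cross-entropy pair (stand-in for claim 3)."""
    dim = len(samples[0][0])
    W = [[0.0] * dim for _ in range(n_classes)]
    b = [0.0] * n_classes
    for _ in range(epochs):
        for x, y in samples:
            p = predict((W, b), x)
            for k in range(n_classes):
                g = p[k] - (1.0 if k == y else 0.0)
                b[k] -= lr * g
                W[k] = [w - lr * g * xi for w, xi in zip(W[k], x)]
    return W, b


def make_stream(group, seed, n=20):
    """Constructed honeypot-style request streams for two hypothetical sources: group 0 sweeps
    registers across unit ids with read-only requests, group 1 alternates a holding-register
    read with a single-register write on one unit."""
    rng = random.Random(seed)
    frames = []
    for i in range(n):
        if group == 0:
            frames.append(build_frame(i, rng.randint(1, 8), rng.choice((1, 2, 3, 4)), i * 125, 125))
        else:
            fc = 3 if i % 2 == 0 else 6
            frames.append(build_frame(i, 1, fc, 40001 + rng.randint(0, 3), 10 if fc == 3 else 1))
    return frames


def run_demo():
    """Train on five constructed streams per source, then attribute an unseen group-1 stream."""
    train = [(stream_features(make_stream(g, seed)), g) for g in (0, 1) for seed in range(5)]
    model = train_softmax(train, n_classes=2)
    probs = predict(model, stream_features(make_stream(1, seed=99)))
    return probs, cross_entropy(probs, 1)


if __name__ == "__main__":
    probs, loss = run_demo()
    print("P(source 0)=%.3f P(source 1)=%.3f cross-entropy=%.4f" % (probs[0], probs[1], loss))
```

The feature layout is the part that carries over to the claimed CNN-LSTM model: each stream becomes one fixed-length vector whose first eleven entries are field features and whose remaining sixty-four are the ordered function-code transitions that a convolution or recurrent layer would learn from. Cross-entropy on held-out streams, not the training loss, is the number to report when judging whether such a model attributes reliably; protocol-level features alone give a probabilistic signal, so the output is a ranked distribution over known sources rather than a definitive attribution.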

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310406576.7A CN116155622A (en) 2023-04-17 2023-04-17 Network homologous attack analysis method, system, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116155622A true CN116155622A (en) 2023-05-23

Family

ID=86354556

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310406576.7A Pending CN116155622A (en) 2023-04-17 2023-04-17 Network homologous attack analysis method, system, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN116155622A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111818052A (en) * 2020-07-09 2020-10-23 国网山西省电力公司信息通信分公司 CNN-LSTM-based industrial control protocol homologous attack detection method
US20230025695A1 (en) * 2021-07-19 2023-01-26 National University Of Defense Technology Cross-site scripting (xss) risk analysis method and apparatus based on bayesian network and stride model

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
王建华: "Research on Homologous Attack Analysis for Industrial Control Honeypots", Master's thesis, page 4 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20230627

Address after: 102209 building a, Huaneng talent innovation and entrepreneurship base, Beiqijia future science and Technology City, Changping District, Beijing

Applicant after: HUANENG CLEAN ENERGY Research Institute

Applicant after: HUANENG GROUP TECHNOLOGY INNOVATION CENTER Co.,Ltd.

Address before: 102209 building a, Huaneng talent innovation and entrepreneurship base, Beiqijia future science and Technology City, Changping District, Beijing

Applicant before: HUANENG CLEAN ENERGY Research Institute

WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20230523