CN116248362A - User abnormal network access behavior identification method based on double-layer hidden Markov chain - Google Patents

Info

Publication number: CN116248362A
Authority: CN (China)
Prior art keywords: user, behavior, access, abnormal, data
Legal status: Pending (an assumption of the indexing site, not a legal conclusion)
Application number: CN202310040216.XA
Other languages: Chinese (zh)
Inventors: 赵磊, 邹云峰, 徐超
Current and original assignees: State Grid Jiangsu Electric Power Co Ltd Marketing Service Center; State Grid Corp of China (SGCC); State Grid Jiangsu Electric Power Co Ltd
Application filed by State Grid Jiangsu Electric Power Co Ltd Marketing Service Center, State Grid Corp of China SGCC and State Grid Jiangsu Electric Power Co Ltd
Priority to CN202310040216.XA
Publication of CN116248362A

Classifications

    • H04L63/20: Network architectures or network communication protocols for network security; managing network security; network security policies in general (H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication; H04L63/00: Network architectures or network communication protocols for network security)
    • H04L63/168: Implementing security features at a particular protocol layer above the transport layer (H04L63/16: Implementing security features at a particular protocol layer)
    • Y02D10/00: Energy efficient computing, e.g. low power processors, power management or thermal management (Y: General tagging of new technological developments; Y02: Technologies or applications for mitigation or adaptation against climate change; Y02D: Climate change mitigation technologies in information and communication technologies)


Abstract

The invention provides a user abnormal network access behavior identification method based on a double-layer hidden Markov chain. It addresses the difficulty of identifying abnormal access behavior by users of an information system: the users' normal service access behavior is modeled with a double-layer hidden Markov chain, abnormal access behavior of system users is identified by building a normal service access behavior probability matrix, and an accurate location is provided for handling network attack behavior. It also solves the problem that a traditional Markov chain predicting user behavior cannot model discrete, single network abnormal behaviors over a long time span and ignores the regularity expressed by the association among a user's multiple sessions, thereby achieving data anomaly recognition over a long time span.

Description

User abnormal network access behavior identification method based on double-layer hidden Markov chain
Technical Field
The invention belongs to the field of information security, and provides a user abnormal network access behavior identification method based on a double-layer hidden Markov chain.
Background
In recent years, analysis and statistics of network attack events by research institutions show that many attack events consist of a number of attack steps. Before launching an attack, an attacker first performs some probing of the target; the threat level of these operations is generally low, so they do not draw the attention of network security managers. Having obtained information about the host, the attacker uses it to launch further attacks on the host, gradually increasing the attack strength until the attack on the target is finally achieved. These attack steps are related in time and space, and this attack mode is called a multi-step attack; through it a more complex attack process can be carried out. A complete attack process comprises several attack steps with a logical relation among them: only when the current attack step has been completed successfully can the later steps begin. Multi-step attacks can generally be divided into stages such as information probing, vulnerability scanning, vulnerability exploitation, privilege escalation, launching the attack and leaving a backdoor.
In present-day attacks there are always logical relations and time sequences among the individual steps. The massive, isolated alarm data generated by the various network security devices must therefore be subjected to association analysis, so that frequent item sets in the alarm data can be mined, multi-step attack patterns without an explicit causal relation can be found, abnormal business access behavior can be better identified, and the capabilities of network threat detection and risk early warning can be effectively improved.
The key problem in anomaly detection of user behavior based on network communication traffic is modeling the user behavior, and a complete and accurate behavior pattern is difficult to build for users. Most current user behavior modeling methods take the user session as the object of study: they mainly build a pattern for a single user session, attend to the characteristic attributes and their relations within that session, and neglect the regularity of the association among a user's multiple sessions.
Disclosure of Invention
To remedy the defects of the prior art, the invention aims to provide a user abnormal network access behavior identification method based on a double-layer hidden Markov chain. It solves the problem that a traditional Markov chain predicting user behavior cannot model discrete, single network abnormal behaviors over a long time span and ignores the regularity expressed by the association among a user's multiple sessions, and it achieves data anomaly identification over a long time span.
The invention adopts the following technical scheme.
A user abnormal network access behavior identification method based on a double-layer hidden Markov chain comprises the following steps:
step 1, collecting the full amount of historical user access behavior data, decomposing the behavior data, and forming a training sample; the user access behavior is the user's access behavior towards the network;
step 2, performing data training based on the training sample to obtain a behavior model of user behavior;
step 3, performing double-layer Markov chain modeling based on user access behavior characteristics, detecting real-time network user behavior with the behavior model of the user behavior, and identifying abnormal users;
step 4, continuously tracking the access operation behavior of the abnormal user;
step 5, identifying abnormal user behaviors.
In another aspect, the invention also provides an abnormal user behavior recognition system, which comprises:
the acquisition unit is used for acquiring the total historical user access behavior data, decomposing the behavior data and forming a training sample;
the training unit is used for carrying out data training based on the training sample to obtain a behavior model of the user behavior;
the learning unit is used for carrying out double-layer Markov chain modeling based on the user access behavior characteristics, detecting the real-time network user behavior by utilizing the behavior model of the user behavior, and identifying abnormal users;
the tracking unit is used for continuously tracking the access operation user behavior of the abnormal user;
and the identification unit is used for identifying abnormal user behaviors.
The beneficial effects of the method are as follows. A method for identifying abnormal network access behavior of a user based on a double-layer hidden Markov chain is provided, and the corresponding detection algorithm is designed to capture abnormal service access behavior over a longer time span, so that abnormal user behavior can be analyzed and identified in a targeted manner and an accurate location is provided for handling malicious user behavior. The bottom-layer hidden Markov chain identifies discrete, single network abnormal behaviors, and the upper-layer hidden Markov chain derives user abnormal behavior over a longer time span from the several independent abnormal events identified by the lower layer, which resolves the difficulty of identifying abnormal network business access behavior made up of several attack steps.
Drawings
Fig. 1 is a flow chart of steps 1 to 5 provided by the invention;
Fig. 2 is a flow chart of steps 1-1 to 1-3 provided by the invention;
Fig. 3 is a flow chart of steps 2-1 to 2-3 provided by the invention;
Fig. 4 is a flow chart of steps 6-1 to 6-2 provided by the invention.
Detailed Description
The invention provides a user abnormal network access behavior identification method based on a double-layer hidden Markov chain, which takes the user behavior of a service application system as an evaluation object and realizes the real-time detection of the large-span user abnormal network access behavior based on the double-layer hidden Markov chain.
In order to make the objects, technical solutions and advantages of the present invention more apparent, the following detailed description of the specific embodiments of the present invention will be given with reference to the accompanying drawings. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
As shown in Fig. 1, the present invention provides a method for identifying abnormal network access behavior of a user based on a double-layer hidden Markov chain, which comprises the following steps:
step 1, collecting a full amount of historical user access behavior data, decomposing the behavior data, and forming a training sample;
in practical applications, network behavior data in a current network can be captured through internet behavior management such as a network probe, and the captured network behavior data is input to a built-in user behavior analyzer. The behavior analysis module can perform preliminary analysis on the network behavior data and process the network behavior data. Since the online behavior will actually be continuously generated, the behavior analysis module needs to store all the historical user access behavior data to be processed in at least one analysis period.
Step 2, data training is carried out based on the training sample, and a behavior model of user behavior is obtained;
the conventional markov risk assessment model is based on the assumption that the system state transition probability matrix is time-invariant, however, in the power marketing network environment, the transition probability of the state is constantly changing. In the invention, from the time point of view, the state transition probability matrix is updated in real time according to the transition probability of the behavior state switching time of the user access behavior, namely the service access behavior. Firstly, after a user logs in a page, embedded points are inserted in each page, and by collecting information of the user in the page, including user behaviors (the user behaviors are user access behaviors) and behavior duration and the like, accurate data collection of the user behaviors is realized, and embedded point collection information is obtained. The buried point acquisition information comprises:
user ID (uid), interface path (url), interface element (element), event time (eventTime), user local time (localTime), device type (deviceType), device ID (deviceId), system type (osType), system version (osVersion), application version (appVersion), event type (eventType), event duration (eventTimes).
The weight value of each behavior action is determined by calculating the ratio of the time spent by each behavior action of the user network access behavior mode to the time spent by the life cycle of the whole behavior mode, so that the transfer weight of each stage in the same behavior mode can be objectively calculated.
The front-end embedded-point technique hoists the embedded-point code into the global scope and collects user behavior information through global monitoring, i.e. the front-end scheme instruments every point in the page.
Secondly, the transition probability of each state of the behavior pattern is calculated from the transition weights of the different behaviors: the smaller the weight, the larger the transition probability, and conversely the larger the weight, the smaller the transition probability.
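As an added illustration (not code from the patent or its assignee), the following Python computes the action weights and transition probabilities described above from a handful of constructed embedded-point records. The field names follow the list in the text; the records themselves, the use of `eventTimes` as the seconds spent on an action, and the inverse-weight normalisation used to realise "smaller weight, larger transition probability" are assumptions of this example, since the patent gives no formula.

```python
from collections import defaultdict

# Constructed embedded-point ("buried point") records using the field names the
# patent lists (uid, url, element, eventTime, eventType, eventTimes); the values
# are made up. eventTimes is taken here as the seconds spent on the action.
EVENTS = [
    {"uid": "u1", "url": "/login",  "element": "btn_login",  "eventTime": 0,  "eventType": "click", "eventTimes": 5},
    {"uid": "u1", "url": "/bills",  "element": "menu_bills", "eventTime": 5,  "eventType": "click", "eventTimes": 40},
    {"uid": "u1", "url": "/pay",    "element": "btn_pay",    "eventTime": 45, "eventType": "click", "eventTimes": 15},
    {"uid": "u1", "url": "/logout", "element": "btn_logout", "eventTime": 60, "eventType": "click", "eventTimes": 2},
    {"uid": "u2", "url": "/login",  "element": "btn_login",  "eventTime": 0,  "eventType": "click", "eventTimes": 5},
    {"uid": "u2", "url": "/bills",  "element": "menu_bills", "eventTime": 5,  "eventType": "click", "eventTimes": 20},
    {"uid": "u2", "url": "/logout", "element": "btn_logout", "eventTime": 25, "eventType": "click", "eventTimes": 2},
]


def sessions_by_user(events):
    """Group records per uid and order them by eventTime to recover each user's action sequence."""
    groups = defaultdict(list)
    for e in events:
        groups[e["uid"]].append(e)
    return {uid: sorted(recs, key=lambda r: r["eventTime"]) for uid, recs in groups.items()}


def action_weights(events):
    """Weight of an action = time spent on that action / total time of the whole behavior pattern."""
    spent = defaultdict(float)
    for e in events:
        spent[e["url"]] += e["eventTimes"]
    total = sum(spent.values())
    return {url: t / total for url, t in spent.items()}


def transition_probabilities(events, weights):
    """Transition probability from each action to each observed successor.

    The text states that a smaller weight yields a larger transition probability; this
    example realises that (our interpretation, not the patent's formula) by scoring each
    observed transition i -> j with count(i -> j) / weight(j) and normalising per source i.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for recs in sessions_by_user(events).values():
        for cur, nxt in zip(recs, recs[1:]):
            counts[cur["url"]][nxt["url"]] += 1
    probs = {}
    for src, nexts in counts.items():
        scores = {dst: n / weights[dst] for dst, n in nexts.items()}
        norm = sum(scores.values())
        probs[src] = {dst: s / norm for dst, s in scores.items()}
    return probs


if __name__ == "__main__":
    w = action_weights(EVENTS)
    for src, row in transition_probabilities(EVENTS, w).items():
        print(src, {dst: round(p, 3) for dst, p in row.items()})
```

With these records the short `/logout` action (weight 4/89) receives a higher transition probability from `/bills` than the longer `/pay` action (weight 15/89), which is the direction of the rule stated in the text; with real data the weights should be recomputed per analysis period, as the text says the matrix is updated in real time.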
Each layer is a sequence of HMMs. The upper HMM builds its layer-2 training data from the sequence of possible states of each lower-layer HMM; that data is used to train the upper HMM, which can then learn, from the information supplied by the lower HMM, new patterns that the lower HMM may not recognize.
The double-layer hidden Markov chain is denoted $M=\{A_1,B_1,\pi_1,A_2,B_2,\pi_2,H\}$, where $A_1,B_1,\pi_1$ and $A_2,B_2,\pi_2$ are the hidden Markov chains of the bottom layer and the upper layer respectively, and $H$ is the conditional probability matrix of the upper-layer HMM with respect to the lower-layer HMM.
The double-layer hidden Markov chain is also written $M=\{A_1,B_1,\pi_1,A_2,B_2,\pi_2,\mu\}$, with $A_1,B_1,\pi_1$ and $A_2,B_2,\pi_2$ again denoting the hidden Markov chains of the lower and upper layers. A state (whose full notation appears only as an image in the original) with $d=1$ or $2$ denotes any state in the model, where $d$ is the layer number ($d=1$ the upper layer, $d=2$ the lower layer), $i$ is the state number, and $x$ is a first-order logical variable, which may be a single variable or a set of variables; a further symbol (image in the original) denotes the sub-state number of an internal state. Where no ambiguity arises, the first-order logical description inside the state is omitted and the state is abbreviated $q^d$. $\mu$ is a selection probability: for each abstract state or observation symbol $A$ in a logical symbol table $\Sigma$, $\mu$ gives the probability of choosing an instantiation from the set $G_\Sigma(A)$, written $\mu(\cdot\mid A)$.
For the network behavior of a specific service access behavior, the parameter set $M$ is:
1) State transition matrix $A_i$: in the layer-$i$ hidden Markov chain the current state can only transition to the next state and cannot return to a previous state (the matrix is given as an image in the original).
2) State output probability matrix $B_i$: the probability that a state (a state corresponds to an operation such as the user clicking a page menu, and is collected through embedded points) outputs a given observation value at the current moment (definition given as an image in the original).
3) Initial state probability distribution $\pi_i$: since a state transition always starts from the state $S_B$, $\pi_i$ is defined accordingly (given as an image in the original).
Let the observation sequence be $O=\{O_1,O_2,\dots,O_T\}$. Each observation consists of observations based on large-scale network behavior features and small-scale network behavior operation features, and the observation at time $t$ (symbol given as an image in the original) combines both. Large scale refers to long-term behavior measured in days, and small scale to short-term behavior measured in minutes.
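The following Python is an added worked example, not code from the patent, of the two-layer structure described in this section: a left-to-right lower HMM (parameters A1, B1, π1 with start state S_B) scores each session's operation sequence, and an upper HMM (A2, B2, π2) consumes the lower layer's decoded session end states as its observations, so that a pattern spanning several sessions (the "days" scale) can be decoded from events at the "minutes" scale. All state names, operation names and matrix values are constructed for this example; the forward algorithm and Viterbi decoding are the standard HMM procedures, implemented in log space so that the zero entries of a left-to-right transition matrix are handled without underflow.

```python
import math

NEG_INF = float("-inf")

# ---- constructed lower-layer (session-level) HMM: A1, B1, PI1 ----
# Left-to-right states: a session starts in S_B and may only move forward.
LOWER_STATES = ["S_B", "S_1", "S_2", "S_E"]
LOWER_OBS = ["login", "view_bill", "pay", "logout"]   # constructed page operations
A1 = [  # A1[i][j] = P(next state j | current state i); zero below the diagonal
    [0.2, 0.6, 0.15, 0.05],
    [0.0, 0.3, 0.60, 0.10],
    [0.0, 0.0, 0.40, 0.60],
    [0.0, 0.0, 0.00, 1.00],
]
B1 = [  # B1[i][k] = P(observation k | state i)
    [0.85, 0.05, 0.05, 0.05],
    [0.05, 0.80, 0.10, 0.05],
    [0.05, 0.10, 0.80, 0.05],
    [0.05, 0.05, 0.05, 0.85],
]
PI1 = [1.0, 0.0, 0.0, 0.0]  # every session starts in S_B

# ---- constructed upper-layer (multi-session) HMM: A2, B2, PI2 ----
# Its observation alphabet is LOWER_STATES: the decoded end state of each session.
UPPER_STATES = ["N", "P", "E"]  # normal use, probing, escalated (constructed labels)
A2 = [
    [0.8, 0.15, 0.05],
    [0.0, 0.70, 0.30],
    [0.0, 0.00, 1.00],
]
B2 = [  # columns follow LOWER_STATES: S_B, S_1, S_2, S_E
    [0.05, 0.10, 0.10, 0.75],
    [0.10, 0.40, 0.40, 0.10],
    [0.60, 0.20, 0.15, 0.05],
]
PI2 = [1.0, 0.0, 0.0]


def _log(x):
    return math.log(x) if x > 0 else NEG_INF


def _logsumexp(vals):
    m = max(vals)
    if m == NEG_INF:
        return NEG_INF
    return m + math.log(sum(math.exp(v - m) for v in vals))


def forward_loglik(obs, A, B, pi):
    """log P(O | A, B, pi) by the forward algorithm; obs are observation indices."""
    n = len(A)
    alpha = [_log(pi[i]) + _log(B[i][obs[0]]) for i in range(n)]
    for o in obs[1:]:
        alpha = [_logsumexp([alpha[i] + _log(A[i][j]) for i in range(n)]) + _log(B[j][o])
                 for j in range(n)]
    return _logsumexp(alpha)


def viterbi(obs, A, B, pi):
    """Most likely hidden state index sequence for obs."""
    n = len(A)
    delta = [_log(pi[i]) + _log(B[i][obs[0]]) for i in range(n)]
    back = []
    for o in obs[1:]:
        new, ptr = [], []
        for j in range(n):
            best = max(range(n), key=lambda i: delta[i] + _log(A[i][j]))
            new.append(delta[best] + _log(A[best][j]) + _log(B[j][o]))
            ptr.append(best)
        delta = new
        back.append(ptr)
    path = [max(range(n), key=lambda i: delta[i])]
    for ptr in reversed(back):
        path.append(ptr[path[-1]])
    return path[::-1]


def viterbi_lower(session):
    """Decode one session (list of operation names) into lower-layer state names."""
    obs = [LOWER_OBS.index(o) for o in session]
    return [LOWER_STATES[s] for s in viterbi(obs, A1, B1, PI1)]


def session_anomaly(session):
    """Per-operation negative log-likelihood under the lower HMM (higher = less normal)."""
    obs = [LOWER_OBS.index(o) for o in session]
    return -forward_loglik(obs, A1, B1, PI1) / len(obs)


def two_layer_assess(sessions):
    """Lower layer decodes each session; upper layer decodes the sequence of end states."""
    end_states = [viterbi_lower(s)[-1] for s in sessions]
    upper_obs = [LOWER_STATES.index(s) for s in end_states]
    return {
        "lower_end_states": end_states,
        "upper_path": [UPPER_STATES[s] for s in viterbi(upper_obs, A2, B2, PI2)],
        "upper_loglik": forward_loglik(upper_obs, A2, B2, PI2),
    }
```

A run of complete sessions decodes to the upper state N, while a run of sessions that repeatedly stop short of the end state S_E moves the upper chain into P, which is the kind of multi-session regularity a single-session model cannot see. In a deployment the parameters would be estimated from the training sample of step 2 rather than fixed by hand.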
Step 3, performing double-layer Markov chain modeling based on user access behavior characteristics, detecting real-time network user behaviors by using a behavior model of the user behaviors, and identifying abnormal users;
step 4, continuously tracking the access operation user behavior of the abnormal user;
step 5, identifying abnormal user behaviors.
In addition, warning information identifying the abnormal user behavior may also be sent. When the judgement result is that the user behavior contains abnormal user behavior, warning information is sent through a preset path so that the relevant manager is reminded in time to defend against, or otherwise handle, the abnormal user behavior.
The preset path can take various forms: for example, a warning e-mail containing the user behavior of the data under detection that was judged to be abnormal is sent to a specified mailbox; or information about the occurrence of abnormal user behavior is sent to the instant-messaging tool used by the relevant administrator (such as QQ or WeChat) to prompt timely defense and handling; or the same is written to a security log. The method is not particularly limited in this respect.
In a preferred but non-limiting embodiment of the present invention, as shown in fig. 2, the step 1 of collecting a total amount of historical user access behavior data, decomposing the behavior data to form a training sample specifically includes:
step 1-1, extracting a total amount of historical user access behavior data by a network probe, wherein the behavior data is a total set of all access user behavior data;
There are many ways to obtain completely all the historical user access behavior data generated while the user behavior data sample is running, and to ensure that collecting the user access behavior sample does not harm the actual running environment; a suitable way can be chosen by weighing the actual situation against all the constraints of the specific conditions, and the method is not particularly limited in this respect.
Step 1-2, a user behavior analyzer compares access users in different time periods and removes sporadic user access user behaviors;
other processing operations may also be performed, such as data cleansing, preprocessing, and the like. The data cleaning operation comprises means such as data consistency check, invalid value and missing value processing, and aims to find and correct errors of behavior data in a data sample library; the preprocessing operation includes protocol parsing, format conversion, data selection, base decoding, embedding operation, etc., and can be flexibly selected according to different actual data and different subsequent double-layer Markov chain modeling algorithm selections to realize better data processing.
Step 1-3, the user behavior analyzer counts the same access users in all data.
In a preferred but non-limiting embodiment of the present invention, the network probe is deployed on a middleware server of the gateway portal, and is deployed in a bypass manner in the form of a plug-in.
Preferably, the total set of behavior data needs information capable of characterizing the current network behavior data, which may be actual data directly extracted from the network behavior data content or analysis data obtained by analyzing the network behavior data. For example, IP, access time, access page, page residence time of the user access terminal; the access page is a web page url address; the page dwell time is the time from access to closing of a website page/access to the next website page by the user. Information for subsequent analysis may also be included, such as time of receipt of the data packet, user behavior type, total capacity of the data packet, etc.
In a preferred but non-limiting embodiment of the present invention, as shown in fig. 3, the step 2 of performing data training based on a training sample to obtain a behavior model of user behavior specifically includes:
step 2-1, generating all access operation sets of the service;
step 2-2, counting the first N operations of the user in the user behavior training sample;
step 2-3, generating a hidden Markov chain, constructing a behavior model structure of user behavior and estimating model parameters;
step 2-4, predicting the operation of the user step N+1, comparing with the actual operation of the user step N+1 in a training sample, and correcting the model structure and the model parameters;
step 2-5, obtaining the behavior model of the trained user behavior.
In a preferred but non-limiting embodiment of the present invention, as shown in fig. 4, the step 4 of continuously tracking the abnormal user access operation user behavior specifically includes:
step 6-1, marking the abnormal user to an alarm list;
step 6-2, continuously recording the access user behavior and the access operation intervals of the user marked on the alarm list.
In a preferred but non-limiting embodiment of the present invention, step 5 of identifying abnormal user behavior specifically includes: identifying whether the access user behavior is abnormal and judging whether the access operation intervals follow a normal distribution; if the access user behavior is abnormal and the access operation intervals do not follow a normal distribution, the user's access user behavior is marked as abnormal user behavior. Statistically, user operation intervals are approximately normally distributed.
The recognition result can be realized in a scoring mode, and a corresponding form is set according to the actual analysis requirement, for example, the score of the recognition result can be a numerical value between 0 and 1, and the closer the value is to 1, the more likely the recognition result is abnormal user behavior; the closer its value is to 0, the more likely it is for normal user behavior.
To determine whether the current network behavior data is abnormal user behavior, a judgement can be made on the recognition result score output by the model. Specifically, a judgement threshold is set; when the recognition result score exceeds the threshold, most of the characteristics of the current network behavior data match those of abnormal user behavior, and the current network user behavior is considered to be abnormal user behavior among all user behaviors in the corresponding session. Otherwise, when the score does not exceed the threshold, the current network user behavior is considered not to be abnormal.
Preferably, a security level may also be set. After the recognition result score is obtained, it is further judged by comparing it with security level thresholds to determine the security level of the network user behavior. A security level threshold is a preset judgement value in the range 0 to 1. For example, three security levels are set with thresholds 0.2 and 0.6, namely a safe gear: 0 to 0.2; a dangerous gear: 0.2 to 0.6; and a malicious gear: 0.6 to 1. Network behavior data in the safe gear is determined to contain no malicious behavior and needs no further analysis; data in the dangerous gear may contain malicious behavior and must be analyzed further; data in the malicious gear is determined to be malicious, and the user's data request can be refused directly or the corresponding network connection blocked. The classification is determined empirically.
The invention also provides an abnormal user behavior recognition system, which comprises:
the acquisition unit is used for acquiring the total historical user access behavior data, decomposing the behavior data and forming a training sample;
in practical applications, network behavior data in a current network can be captured through internet behavior management such as a network probe, and the captured network behavior data is input to a built-in user behavior analyzer. The behavior analysis module can perform preliminary analysis on the network behavior data and process the network behavior data. Since the online behavior will actually be continuously generated, the behavior analysis module needs to store all the historical user access behavior data to be processed in at least one analysis period.
The training unit is used for carrying out data training based on the training sample to obtain a behavior model of the user behavior;
the learning unit is used for carrying out double-layer Markov chain modeling based on the user access behavior characteristics, detecting the real-time network user behavior by utilizing the behavior model of the user behavior, and identifying abnormal users;
the tracking unit is used for continuously tracking the access operation user behavior of the abnormal user;
and the identification unit is used for identifying abnormal user behaviors.
Preferably, a warning message identifying abnormal user behavior may also be sent. On the basis that the judging result is that the user behavior contains abnormal user behavior, warning information is sent through a preset path, and a related manager is timely reminded to defend or make corresponding treatment on the abnormal user behavior.
The preset path can take various forms: for example, a warning e-mail containing the user behavior of the data under detection that was judged to be abnormal is sent to a specified mailbox; or information about the occurrence of abnormal user behavior is sent to the instant-messaging tool used by the relevant administrator (such as QQ or WeChat) to prompt timely defense and handling; or the same is written to a security log. The method is not particularly limited in this respect.
Preferably, the collecting unit is configured to collect a total amount of historical user access behavior data, decompose the behavior data, and form a training sample, and specifically includes:
an extraction subunit, configured to extract, by using a network probe, a total amount of historical user access behavior data, where the behavior data is a total set of all access user behavior data;
the preprocessing unit is used for comparing access users in different time periods by the user behavior analyzer and removing sporadic user access user behaviors;
and the statistics unit is used for the user behavior analyzer to count the same access user in all the data.
Preferably, the information which can characterize the current network behavior data is required by the behavior data total set, and the information can be actual data directly extracted from the network behavior data content or analysis data obtained through analysis of the network behavior data. For example, IP, access time, access page, page residence time of the user access terminal; the access page is a web page url address; the page dwell time is the time from access to closing of a website page/access to the next website page by the user. Information for subsequent analysis may also be included, such as time of receipt of the data packet, user behavior type, total capacity of the data packet, etc.
Preferably, the identification unit is configured to identify abnormal user behavior, and specifically: to identify whether the access user behavior is abnormal and to judge whether the access operation intervals follow a normal distribution; if the access user behavior is abnormal and the access operation intervals do not follow a normal distribution, the user's access user behavior is marked as abnormal user behavior.
The recognition result can be realized in a scoring mode, and a corresponding form is set according to the actual analysis requirement, for example, the score of the recognition result can be a numerical value between 0 and 1, and the closer the value is to 1, the more likely the recognition result is abnormal user behavior; the closer its value is to 0, the more likely it is for normal user behavior.
To determine whether the current network behavior data is abnormal user behavior, a judgement can be made on the recognition result score output by the model. Specifically, a judgement threshold is set; when the recognition result score exceeds the threshold, most of the characteristics of the current network behavior data match those of abnormal user behavior, and the current network user behavior is considered to be abnormal user behavior among all user behaviors in the corresponding session. Otherwise, when the score does not exceed the threshold, the current network user behavior is considered not to be abnormal.
Preferably, a security level may also be set. After the recognition result score is obtained, it is further judged by comparing it with security level thresholds to determine the security level of the network user behavior. A security level threshold is a preset judgement value in the range 0 to 1. For example, three security levels are set with thresholds 0.2 and 0.6, namely a safe gear: 0 to 0.2; a dangerous gear: 0.2 to 0.6; and a malicious gear: 0.6 to 1. Network behavior data in the safe gear is determined to contain no malicious behavior and needs no further analysis; data in the dangerous gear may contain malicious behavior and must be analyzed further; data in the malicious gear is determined to be malicious, and the user's data request can be refused directly or the corresponding network connection blocked.
The method has the beneficial effects that the method for identifying the abnormal network access behaviors of the user based on the double-layer hidden Markov chain is invented, and aims at the problems that the number of times and the frequency of user access which possibly occur at the Internet side APP such as the national network are greatly increased, and malicious user behaviors are difficult to identify, suspicious user behaviors are dynamically divided by adopting the double-layer Markov chain modeling technology, and the hidden Markov chain is used for predicting the user access behaviors for a small number of user behaviors, so that the abnormal user behaviors can be analyzed and identified in a targeted manner, and accurate positioning is provided for the processing of the malicious user behaviors.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that the foregoing embodiments are merely for illustrating the technical solutions of the present application and not for limiting the scope of protection thereof, and although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those skilled in the art that various changes, modifications or equivalents may be made to the specific embodiments of the application after reading the present application, and these changes, modifications or equivalents are within the scope of protection of the claims appended hereto.

Claims (10)

1. A method for identifying abnormal network access behavior of a user based on a double-layer hidden Markov chain, characterized by comprising the following steps:
step 1, collecting the full set of historical user access behavior data, decomposing the behavior data, and forming training samples;
step 2, training on the training samples to obtain a behavior model of user behavior;
step 3, performing double-layer Markov chain modeling based on user access behavior characteristics, detecting real-time network user behavior with the behavior model, and identifying abnormal users;
step 4, continuously tracking the access operation behavior of the abnormal users;
step 5, identifying abnormal user behavior.
2. The method according to claim 1, wherein step 1, collecting the full set of historical user access behavior data, decomposing the behavior data, and forming training samples, specifically comprises:
step 1-1, extracting the full set of historical user access behavior data with a network probe, the behavior data being the complete set of all access user behavior data;
step 1-2, a user behavior analyzer comparing access users across different time periods and removing sporadic user access behavior;
step 1-3, the user behavior analyzer counting the users that appear in all of the data.
3. The method according to claim 2, wherein the network probe is deployed as a plug-in, in bypass mode, on the middleware server of the portal gateway.
4. The method according to claim 2, wherein the complete set of behavior data includes user access time, page click menu order and page dwell time; the page dwell time is the time from the user opening a website page until closing it or opening the next website page.
5. The method according to claim 1, wherein step 2, training on the training samples to obtain a behavior model of user behavior, is based on the characteristics of abnormal service access behavior: each abnormal service access behavior event can be described by a plurality of network attack actions, and each network attack action can be formed from a set of time series of abnormal behavior data, so a double-layer hidden Markov chain model can be constructed to describe abnormal service access behavior characteristics over a large time span. The step specifically comprises:
step 2-1, generating the set of all access operations of the service;
step 2-2, counting the first N operations of each user in the user behavior training samples;
step 2-3, generating the double-layer Markov chain, constructing the model structure of normal user behavior and estimating the model parameters;
step 2-4, predicting the user's operation at step N+1, comparing it with the user's actual operation at step N+1 in the training sample, and correcting the model structure and parameters;
step 2-5, obtaining the trained user behavior state transition matrix.
6. The method according to claim 1, wherein step 4, continuously tracking the access operation behavior of the abnormal users, specifically comprises:
step 6-1, marking the abnormal user on an alarm list;
step 6-2, for a user marked on the alarm list, continuously recording that user's access behavior and predicting the user's behavior over a long period.
7. The method according to claim 1, wherein step 5, identifying abnormal user behavior, specifically comprises: identifying whether the access user behavior is abnormal, judging whether the access operation intervals follow a normal distribution, and marking the user's access behavior as abnormal user behavior if the access behavior is abnormal and the access operation intervals do not follow a normal distribution.
8. An abnormal user behavior identification system, comprising:
an acquisition unit, for collecting the full set of historical user access behavior data, decomposing the behavior data, and forming training samples;
a training unit, for training on the training samples to obtain a behavior model of user behavior;
a learning unit, for performing double-layer Markov chain modeling based on user access behavior characteristics, detecting real-time network user behavior with the behavior model, and identifying abnormal users;
a tracking unit, for continuously tracking the access operation behavior of the abnormal users;
an identification unit, for identifying abnormal user behavior.
9. The system according to claim 8, wherein the acquisition unit, for collecting the full set of historical user access behavior data, decomposing the behavior data, and forming training samples, specifically comprises:
an extraction subunit, for extracting the full set of historical user access behavior data with a network probe, the behavior data being the complete set of all access user behavior data;
a preprocessing unit, in which the user behavior analyzer compares access users across different time periods and removes sporadic user access behavior;
a statistics unit, in which the user behavior analyzer counts the users that appear in all of the data.
10. The system according to claim 8, wherein the identification unit, for identifying abnormal user behavior, specifically: identifies whether the access user behavior is abnormal, judges whether the access operation intervals follow a normal distribution, and marks the user's access behavior as abnormal user behavior if the access behavior is abnormal and the access operation intervals do not follow a normal distribution.
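The following is an added worked example, not code from the patent or its applicants, showing the pipeline the claims and the scoring passage describe end to end: a transition matrix learned from the first N page-click operations of training sessions (claim 5, steps 2-1 to 2-5), prediction of the operation at step N+1, a 0-to-1 anomaly score mapped onto the safe/dangerous/malicious tiers with the 0.2 and 0.6 thresholds from the description, and the access-interval normality check of claim 7. The patent does not define the internal structure of its double-layer hidden Markov chain, so a plain first-order Markov chain stands in for it here; the Jarque-Bera statistic is likewise my choice for "does the interval present a normal distribution", the inclusive upper tier boundary is an assumption, and every session and interval list is constructed for the example.

```python
"""Added worked example (not the patent's own code).

A first-order Markov chain over page-click operations stands in for the
patent's double-layer hidden Markov chain, which the text does not define
precisely. Training and prediction follow claim 5, the score and tiers follow
the description, the interval check follows claim 7. All data is constructed.
"""
import math
from collections import Counter, defaultdict

START, END, UNK = "<s>", "</s>", "<unk>"

# Constructed training sessions: page click menu order per session (claim 4).
TRAIN_SESSIONS = [
    ["login", "home", "bill", "pay", "logout"],
    ["login", "home", "bill", "logout"],
    ["login", "home", "usage", "bill", "pay", "logout"],
    ["login", "home", "usage", "logout"],
    ["login", "home", "bill", "pay", "logout"],
]

# Tier thresholds from the description; the upper bound is taken as inclusive
# (an assumption: the text does not say which side a boundary value falls on).
SECURITY_LEVELS = [(0.2, "safe"), (0.6, "dangerous"), (1.0, "malicious")]


def train_transition_matrix(sessions, top_n=None, alpha=0.01):
    """Steps 2-1 to 2-5: build the operation set, count transitions over the
    first N operations of each session, return a smoothed transition matrix.
    alpha is additive smoothing so unseen transitions keep a small probability."""
    ops = {START, END, UNK}
    counts = defaultdict(Counter)
    for session in sessions:
        seq = [START] + (session[:top_n] if top_n else list(session)) + [END]
        ops.update(seq)
        for cur, nxt in zip(seq, seq[1:]):
            counts[cur][nxt] += 1
    ops = sorted(ops)
    return {
        cur: {nxt: (counts[cur][nxt] + alpha) / (sum(counts[cur].values()) + alpha * len(ops))
              for nxt in ops}
        for cur in ops
    }


def predict_next(matrix, current):
    """Step 2-4: the most likely operation N+1 given operation N."""
    current = current if current in matrix else UNK
    return max(matrix[current].items(), key=lambda kv: kv[1])[0]


def anomaly_score(matrix, session):
    """Mean surprise (negative log probability) per transition, squashed into
    0..1 with 1 - exp(-x): near 0 when every step was expected, near 1 when
    the session walked paths the normal-behavior model never saw."""
    seq = [START] + [op if op in matrix else UNK for op in session] + [END]
    surprise = sum(-math.log(matrix[cur][nxt]) for cur, nxt in zip(seq, seq[1:]))
    return 1.0 - math.exp(-surprise / (len(seq) - 1))


def security_level(score):
    for upper, label in SECURITY_LEVELS:
        if score <= upper:
            return label
    return SECURITY_LEVELS[-1][1]


def intervals_look_normal(intervals, jb_critical=5.991):
    """Claim 7's normality check, implemented here (my choice) as a Jarque-Bera
    test on the gaps between a user's operations: skewness and kurtosis are
    compared with those of a normal distribution; 5.991 is the chi-square(2)
    critical value at the 5% level. A constant cadence (zero variance) is
    machine-like and is reported as not normal."""
    n = len(intervals)
    if n < 3:
        return False  # too few samples to judge
    mean = sum(intervals) / n
    m2 = sum((x - mean) ** 2 for x in intervals) / n
    if m2 == 0:
        return False
    m3 = sum((x - mean) ** 3 for x in intervals) / n
    m4 = sum((x - mean) ** 4 for x in intervals) / n
    skew = m3 / m2 ** 1.5
    kurt = m4 / m2 ** 2
    jb = n / 6.0 * (skew ** 2 + (kurt - 3.0) ** 2 / 4.0)
    return jb < jb_critical


def classify_session(matrix, session, intervals, threshold=0.6):
    """Step 5 / claim 7: flag only when the score is over the decision threshold
    AND the user's recorded operation intervals are not normally distributed."""
    score = anomaly_score(matrix, session)
    normal_gaps = intervals_look_normal(intervals)
    return {
        "score": round(score, 3),
        "level": security_level(score),
        "intervals_normal": normal_gaps,
        "abnormal": score > threshold and not normal_gaps,
    }


if __name__ == "__main__":
    model = train_transition_matrix(TRAIN_SESSIONS)
    # Constructed live data: a usual path with human-like gaps, and a path
    # through menus the model never saw, hammered at a fixed 0.5 s cadence.
    human_gaps = [4.1, 5.3, 3.8, 6.0, 4.7, 5.1, 4.4, 5.6, 3.9, 5.0]
    bot_gaps = [0.5] * 9 + [30.0]
    print(predict_next(model, "home"))
    print(classify_session(model, ["login", "home", "bill", "pay", "logout"], human_gaps))
    print(classify_session(model, ["login", "admin", "export", "export", "export", "logout"], bot_gaps))
```

The usual path scores about 0.14 (safe tier) and the unseen path about 0.88 (malicious tier), and only the latter is marked abnormal because its intervals also fail the normality check. Note that with this mapping a rare but legitimate path such as the training session that ends bill → logout lands in the dangerous tier (around 0.33), which is the case the description routes to continued analysis and claim 6's alarm-list tracking rather than to blocking; whoever tunes the thresholds needs a held-out set of normal sessions to see where that tail sits.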
CN202310040216.XA 2023-01-12 2023-01-12 User abnormal network access behavior identification method based on double-layer hidden Markov chain Pending CN116248362A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310040216.XA CN116248362A (en) 2023-01-12 2023-01-12 User abnormal network access behavior identification method based on double-layer hidden Markov chain

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310040216.XA CN116248362A (en) 2023-01-12 2023-01-12 User abnormal network access behavior identification method based on double-layer hidden Markov chain

Publications (1)

Publication Number Publication Date
CN116248362A true CN116248362A (en) 2023-06-09

Family

ID=86625406

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310040216.XA Pending CN116248362A (en) 2023-01-12 2023-01-12 User abnormal network access behavior identification method based on double-layer hidden Markov chain

Country Status (1)

Country Link
CN (1) CN116248362A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116668192A (en) * 2023-07-26 2023-08-29 国网山东省电力公司信息通信公司 Network user behavior anomaly detection method and system
CN116668192B (en) * 2023-07-26 2023-11-10 国网山东省电力公司信息通信公司 Network user behavior anomaly detection method and system
CN117575028A (en) * 2023-11-13 2024-02-20 无锡商业职业技术学院 Network security analysis method and system based on Markov chain

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination