CN116582347A - Security detection method, security detection device, electronic equipment and medium - Google Patents


Info

Publication number: CN116582347A
Authority: CN (China)
Prior art keywords: data, flow, feature, determining, security
Legal status: Pending
Application number: CN202310655214.1A
Other languages: Chinese (zh)
Inventor: 原树生
Current assignee: Beijing Wangteng Technology Co ltd
Original assignee: Beijing Wangteng Technology Co ltd
Application filed by Beijing Wangteng Technology Co ltd; priority to CN202310655214.1A; publication of CN116582347A.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The disclosure relates to the technical field of network security, and provides a security detection method, a security detection device, electronic equipment and a security detection medium. The method comprises the following steps: acquiring target flow data, analyzing the target flow data, and determining flow characteristic data; judging the flow characteristic data based on a clustering algorithm, and determining a judging result; the judging result of the clustering algorithm is based on the feature category in a feature database, and the feature database is generated based on historical flow data; and under the condition that the judging result is network attack, determining a safety rule corresponding to the flow characteristic data, and executing the safety rule. According to the embodiment, through the process, under the condition that the judging result is network attack, the security rule corresponding to the flow characteristic data is determined, and the security rule is executed, so that the identification accuracy is improved, the network security performance is also improved, and the security of the system and the data is better protected.

Description

Security detection method, security detection device, electronic equipment and medium
Technical Field
The disclosure relates to the field of computer technology, and in particular, to a security detection method, a security detection device, an electronic device and a medium.
Background
In recent years, as internet coverage has expanded, application scenarios have multiplied rapidly, and computer networks play a particularly important role in daily life and in industrial production activities. However, with the rapid development of the internet, network security problems receive more and more attention, and in industrial production activities in particular the hidden production safety hazards caused by network security problems are more prominent: once a network security problem occurs, production stoppages and leakage of internal enterprise data often bring immeasurable losses to enterprises. Thus, in order to protect network security, various protection measures are required to detect potential network intrusions and network attacks.
Intrusion detection technology (Intrusion Detection System, IDS) is capable of monitoring and analyzing network traffic in real time, and of alerting or taking proactive action when suspicious transmissions are found, thereby ensuring the security of the network system. An intrusion detection system is a complex system integrating various technologies such as network sniffing, traffic analysis, rule matching, anomaly detection and response mechanisms. Its core task is to monitor and analyze network traffic in real time so as to find potential intrusion behaviors and take corresponding defensive measures in time.
At present, the continuous development of network attack means and methods, such as viruses, Trojans, worms, DDoS attacks and the like, has gradually eroded the effectiveness of traditional intrusion detection technology. When faced with new network attacks and approaches, existing IDS intrusion detection systems mainly face the following problems: (1) a high false alarm rate: when the IDS judges attack characteristics according to preset rules, normal traffic is misjudged as an attack, which causes trouble for network administrators and reduces the credibility and practicality of the IDS; (2) low attack detection efficiency: when an IDS detects an attack, the network traffic needs to be comprehensively judged and analyzed, but as network traffic grows and becomes more complex the traffic analysis efficiency of the IDS is greatly reduced, and intrusion behavior cannot be alarmed and countered in time; (3) failure to detect new types of attack: IDS systems usually detect on the basis of known attack patterns and rules and cannot deal with novel attacks; (4) limited defensive ability: the IDS only has detection and alarm functions and cannot defend and respond in real time.
Disclosure of Invention
In view of this, the embodiments of the present disclosure provide a security detection method, apparatus, electronic device and medium, so as to solve the problem in the prior art of how to perform security detection to ensure network security.
In a first aspect of an embodiment of the present disclosure, a security detection method is provided, including: acquiring target flow data, analyzing the target flow data, and determining flow characteristic data; judging the flow characteristic data based on a clustering algorithm, and determining a judging result; the judging result of the clustering algorithm is based on the feature category in a feature database, and the feature database is generated based on historical flow data; and under the condition that the judging result is network attack, determining a safety rule corresponding to the flow characteristic data, and executing the safety rule.
In a second aspect of embodiments of the present disclosure, there is provided a security detection device comprising: the data determining unit is configured to acquire target flow data, analyze the target flow data and determine flow characteristic data; the data judging unit is configured to judge the flow characteristic data based on a clustering algorithm and determine a judging result; the judging result of the clustering algorithm is based on the feature category in a feature database, and the feature database is generated based on historical flow data; and the rule execution unit is configured to determine a security rule corresponding to the flow characteristic data and execute the security rule when the judging result is network attack.
In a third aspect of the disclosed embodiments, an electronic device is provided, comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the above method when executing the computer program.
In a fourth aspect of the disclosed embodiments, a computer-readable storage medium is provided, which stores a computer program which, when executed by a processor, implements the steps of the above-described method.
Compared with the prior art, the embodiment of the disclosure has the beneficial effects that: firstly, obtaining target flow data, analyzing the target flow data, and determining flow characteristic data; then, judging the flow characteristic data based on a clustering algorithm, and determining a judging result, wherein the judging result of the clustering algorithm is based on the characteristic category in a characteristic database, and the characteristic database is generated based on the historical flow data; and finally, under the condition that the judging result is network attack, determining the security rule corresponding to the flow characteristic data, and executing the security rule. According to the safety detection method, the target flow data are acquired, the flow characteristic data are determined by analyzing the target flow data, the flow characteristic data are judged based on the clustering algorithm, the judgment result is determined, the safety rule corresponding to the flow characteristic data is determined and executed under the condition that the judgment result is network attack, the identification accuracy is improved, the network safety performance is also improved, and the safety of a system and data is better protected.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present disclosure, the drawings that are required for the embodiments or the description of the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present disclosure, and other drawings may be obtained according to these drawings without inventive effort for a person of ordinary skill in the art.
FIG. 1 is a schematic illustration of one application scenario of a security detection method according to some embodiments of the present disclosure;
FIG. 2 is a flow chart of some embodiments of a security detection method according to the present disclosure;
FIG. 3 is a system block diagram of some embodiments of a security detection method according to the present disclosure;
FIG. 4 is a graph of cluster analysis results according to some embodiments of the security detection method of the present disclosure;
FIG. 5 is a schematic structural view of some embodiments of a security detection device according to the present disclosure;
fig. 6 is a schematic structural diagram of an electronic device suitable for use in implementing some embodiments of the present disclosure.
Detailed Description
Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While certain embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete. It should be understood that the drawings and embodiments of the present disclosure are for illustration purposes only and are not intended to limit the scope of the present disclosure.
It should be noted that, for convenience of description, only the portions related to the present application are shown in the drawings. Embodiments of the present disclosure and features of embodiments may be combined with each other without conflict.
It should be noted that the terms "first," "second," and the like in this disclosure are merely used to distinguish between different devices, modules, or units and are not used to define an order or interdependence of functions performed by the devices, modules, or units.
It should be noted that references to "one" and "a plurality" in this disclosure are intended to be illustrative rather than limiting, and those of ordinary skill in the art will appreciate that they are to be understood as "one or more" unless the context clearly indicates otherwise.
The names of messages or information interacted between the various devices in the embodiments of the present disclosure are for illustrative purposes only and are not intended to limit the scope of such messages or information.
First, terms related to one or more embodiments of the present specification will be explained.
A DDoS attack is a process in which a large volume of data traffic and requests is sent to a target server or network device, occupying its resources so that normal users cannot access the service or the network device.
The present disclosure will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
Fig. 1 is a schematic diagram of one application scenario of a security detection method according to some embodiments of the present disclosure.
In the application scenario of Fig. 1, the computing device 101 first acquires target flow data 102. The computing device 101 may then analyze the target flow data 102 to determine flow characteristic data 103. Thereafter, the computing device 101 may discriminate the flow characteristic data 103 using a clustering algorithm to determine the discrimination result 104. Finally, in the case that the discrimination result 104 is a network attack, the computing device 101 may determine a security rule corresponding to the flow characteristic data, as indicated by reference numeral 105.
The computing device 101 may be hardware or software. When the computing device 101 is hardware, it may be implemented as a distributed cluster of multiple servers or terminal devices, or as a single server or single terminal device. When the computing device 101 is embodied as software, it may be installed in the hardware devices listed above. It may be implemented as a plurality of software or software modules, for example, for providing distributed services, or as a single software or software module. The present application is not particularly limited herein.
It should be understood that the number of computing devices in fig. 1 is merely illustrative. There may be any number of computing devices, as desired for an implementation.
Fig. 2 is a flow chart of some embodiments of a security detection method according to the present disclosure. The security detection method of fig. 2 may be performed by the computing device 101 of fig. 1. As shown in fig. 2, the security detection method includes:
step S201, obtaining target flow data, analyzing the target flow data and determining flow characteristic data.
In some embodiments, before the security detection is performed, the method further comprises: the execution body of the security detection method (e.g., the computing device 101 shown in Fig. 1) may construct a data feature library from historical traffic feature data, which comprises analyzing the historical traffic feature data through a network traffic analysis module to obtain at least one feature value, and constructing the data feature library from the at least one feature value.
In practical application, a multi-element data feature library containing a plurality of novel network attack means is constructed: data characteristic analysis is carried out on all common network attack means in the current network using the network traffic analysis module, the digital characteristics and related thresholds of each network attack means are acquired, and a multi-element data feature library is established. The network attack means used to generate the feature library include common Trojan horses, viruses, denial-of-service attacks, port scanning attacks and the like. In addition, they also include novel network attack means that pose a great threat to industrial production activities, such as Internet of Things attacks, supply chain attacks, AI attacks, cloud security attacks and the like.
Specifically, a network traffic analysis module integrating multiple network security monitoring methods is used to analyze the existing common network attack means, and a network attack data feature library is established according to the analysis results. Before the IDS equipment with the adaptive intrusion detection system provided by the present application is put into use, it uses the network traffic analysis module to analyze all existing known common network attack means in advance. The analysis means comprise three modules, signature detection, behavior detection and traffic statistical analysis, and the extracted data characteristics comprise the Pearson correlation coefficient (r), the Euclidean distance (d), the cosine similarity (CosS), the number of network data packets, the transmission protocol, the network traffic distribution, the traffic speed and the traffic protocol. The analyzed targets include DDoS attacks, SQL injection attacks, phishing attacks, malware attacks and the like. The database established in this step is shown in Table 1; for reasons of space only four attack means are listed, and the actual feature library content is richer.
Table 1 network attack feature library
The embodiment of the disclosure constructs the multi-element data feature library containing various novel network attack means, can rapidly identify new network attack types, rapidly update defense strategies, improve reaction speed, timely prevent novel network attacks, and help security teams to better know the behavior features of network threats and attackers, thereby better protecting the security of systems and data.
In some optional implementations of some embodiments, acquiring the target flow data, analyzing the target flow data and determining the flow characteristic data comprises: the execution body may capture the target flow data through a network sniffing module; the execution body may perform signature detection, behavior detection and traffic statistical analysis on the target flow data to obtain target information; and the execution body may determine the flow characteristic data based on the target information.
In practical application, a network traffic analysis module integrating multiple network security monitoring methods is designed: the network traffic analysis module performs data analysis on the industrial Internet traffic captured by the network sniffing module, and the analysis comprises three parts: signature detection, behavior detection and traffic statistical analysis. Signature detection compares the digital signatures of network traffic to determine whether the source of the traffic is compliant; it decides whether a signature is genuine by comparing the similarity of the two signatures, and the indices used to determine similarity are three parameters, the Pearson correlation coefficient, the Euclidean distance and the cosine similarity, given in formulas (1) to (3). Behavior detection comprises analysis of network data packets, transmission protocols, network traffic distribution, time-series data and the like, and traffic statistical analysis comprises statistical information on traffic volume, traffic rate, traffic protocols and the like.
(1)
(2)
(3)
Where formulas (1) to (3) are taken over the i-th feature point of the original signature and the i-th feature point of the signature in the data packet, n is the total number of feature points extracted, r is the Pearson correlation coefficient, d is the Euclidean distance and CosS is the cosine similarity.
For example, a large number of data packets is captured from the industrial Internet using the network sniffing module, and the captured packets are analyzed using the network traffic analysis module shown in Fig. 3, giving the 9 digital features, r, d, CosS and so on, of signature detection, behavior detection and traffic statistical analysis.
By integrating multiple network security monitoring methods, the network traffic analysis module can analyze network traffic from different angles, identify more security threats and attack behaviors, and improve detection accuracy. When one method cannot identify a certain novel threat, another method may find it, so compared with the traffic analysis module of a traditional IDS this further enhances the robustness of the network traffic analysis module, supports various application scenarios and plays an important role in improving network security.
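As an added illustration of the three signature-detection indices named above (example code, not code from the patent), the following Python computes the Pearson correlation coefficient r, the Euclidean distance d and the cosine similarity CosS between an original signature and the signature carried in a captured packet, each given as a vector of n feature points, and applies a decision rule to judge whether the captured signature is consistent with the original. The feature-point vectors, the function names and the decision thresholds are constructed assumptions of the example; the patent keeps its thresholds in the feature library rather than fixing them in code.

```python
"""Signature-detection indices from the patent's traffic analysis module.

Added example, not code from the patent. The feature-point vectors and the
decision thresholds below are constructed assumptions.
"""
import math
from typing import Sequence


def pearson(x: Sequence[float], y: Sequence[float]) -> float:
    """Pearson correlation coefficient r between two feature-point vectors."""
    n = len(x)
    if n != len(y) or n < 2:
        raise ValueError("need two vectors of equal length with at least 2 points")
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0.0 or syy == 0.0:
        # A constant vector has no variance: r is undefined, report no correlation.
        return 0.0
    return sxy / math.sqrt(sxx * syy)


def euclidean(x: Sequence[float], y: Sequence[float]) -> float:
    """Euclidean distance d between the two vectors (0 means identical)."""
    if len(x) != len(y):
        raise ValueError("vectors must have the same length")
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(x, y)))


def cosine_similarity(x: Sequence[float], y: Sequence[float]) -> float:
    """Cosine similarity CosS between the two vectors (1 means same direction)."""
    if len(x) != len(y):
        raise ValueError("vectors must have the same length")
    dot = sum(a * b for a, b in zip(x, y))
    nx = math.sqrt(sum(a * a for a in x))
    ny = math.sqrt(sum(b * b for b in y))
    if nx == 0.0 or ny == 0.0:
        return 0.0  # zero vector: direction undefined
    return dot / (nx * ny)


def signature_indices(original: Sequence[float], captured: Sequence[float]) -> dict:
    """All three indices at once, keyed the way the patent names them."""
    return {
        "r": pearson(original, captured),
        "d": euclidean(original, captured),
        "CosS": cosine_similarity(original, captured),
    }


def signature_consistent(original: Sequence[float], captured: Sequence[float],
                         r_min: float = 0.9, d_max: float = 1.0, cos_min: float = 0.9) -> bool:
    """Assumed decision rule: all three indices must be within their thresholds."""
    idx = signature_indices(original, captured)
    return idx["r"] >= r_min and idx["d"] <= d_max and idx["CosS"] >= cos_min


# Constructed sample: a stored signature, a faithful capture with small noise,
# and a capture whose feature points arrive in the wrong order.
ORIGINAL = [1.0, 2.0, 3.0, 4.0, 5.0]
NOISY = [1.1, 2.0, 2.9, 4.0, 5.1]
REVERSED = [5.0, 4.0, 3.0, 2.0, 1.0]

if __name__ == "__main__":
    for name, cap in (("noisy", NOISY), ("reversed", REVERSED)):
        print(name, signature_indices(ORIGINAL, cap), signature_consistent(ORIGINAL, cap))
```

The reversed capture keeps the same set of values as the original, so a check on totals alone would pass it; r drops to -1 and CosS to about 0.64, which is why the patent combines three indices rather than relying on one.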
Step S202, judging the flow characteristic data based on a clustering algorithm, and determining a judging result, wherein the judging result of the clustering algorithm is based on the characteristic category in a characteristic database, and the characteristic database is generated based on the historical flow data.
In some embodiments, the executing body may input the flow feature data into a network model based on a clustering algorithm, match the flow feature data with feature categories in a feature database, and determine feature categories corresponding to the flow feature data. Then, the executing body may determine the discrimination result according to the feature class corresponding to the flow feature data.
In practical application, network attack detection and attack means classification are based on the K-means clustering algorithm: K-means is an unsupervised learning algorithm with good pattern recognition performance, and is well suited to detecting and identifying network intrusions.
Further, the clustering result is output: the data of each category is matched against the data characteristics of each network attack in the network attack feature library. If none of the K cluster centers has characteristics that match the feature library, there is no network attack in the current network; if a cluster center matches the feature library, a network attack has occurred, an alarm must be sent immediately and corresponding measures taken.
In some optional implementations of some embodiments, matching the flow feature data with the feature categories in the feature database and determining the feature category corresponding to the flow feature data comprises: randomly determining a plurality of cluster centers, the cluster centers corresponding one-to-one with the feature categories; performing iterative computation on the flow feature data based on the cluster centers; and determining the feature category corresponding to the flow feature data.
In practical application, the present application specifically provides intrusion detection using the K-means clustering algorithm, where D denotes the data characteristic data set obtained by sniffing network traffic packets and passing them through the network traffic analysis module; the specific flow is as follows:
(1) Initialization: randomly select K cluster centers.
(2) Iterative calculation: the following operations are repeated until the cluster centers no longer change or the maximum number of iterations is reached:
a) Assignment to clusters: for each characteristic parameter in the data set, calculate its distance to each cluster center according to formula (4) and assign it to the cluster of the nearest center:
(4)
b) Update of cluster centers: for each cluster, calculate the mean of all data points in the cluster and update the cluster center according to formula (5):
(5)
Where the two quantities in formula (5) are the set of all data points contained in the j-th cluster and the number of data points in that cluster.
For example, if the data feature library contains 5 classes of attack means as shown in Table 1, then K is set to 6. The results of the cluster analysis are shown in Fig. 4. The actual cluster analysis, whose dimension equals the total number of digital features, should be 9-dimensional; it is reduced to 2 dimensions here for ease of presentation. The analysis result shows that, in addition to normal traffic packets, there is a large number of DDoS attack packets in the network.
Using the K-means clustering algorithm for network attack detection and attack means classification, network attacks can be detected and classified automatically, reducing the human resources required. At the same time, the K-means clustering algorithm can classify a large number of network data packets simultaneously and processes them quickly, so it can support intrusion detection in large-scale, highly complex network environments, which most current IDS systems cannot achieve.
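The following Python is an added example, not code from the patent. It carries out the K-means procedure of steps (1) and (2) above on a constructed 2-dimensional feature set (the patent reduces its 9-dimensional features to 2 for presentation) and then matches each resulting cluster center against a small constructed attack feature library in the way the clustering-result step describes: a center whose distance to a library entry lies within a tolerance is reported as that attack, and if no center matches, no attack is reported. The sample points, the library entries, the matching tolerance, the seeded random initialization and the function names are all assumptions of the example.

```python
"""K-means intrusion detection with feature-library matching.

Added example, not code from the patent. Sample traffic features, the attack
feature library, the matching tolerance and the random seed are constructed.
"""
import math
import random
from typing import Dict, List, Sequence, Tuple

Point = Tuple[float, ...]


def distance(a: Point, b: Point) -> float:
    """Euclidean distance, used both for cluster assignment and library matching."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points: Sequence[Point], k: int, max_iter: int = 100,
           seed: int = 0) -> Tuple[List[Point], List[int]]:
    """Step (1): choose K random points as centers. Step (2): alternate
    assignment and center update until the centers stop moving or max_iter."""
    if k > len(points):
        raise ValueError("k exceeds the number of points")
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    centers: List[Point] = list(rng.sample(list(points), k))
    labels = [0] * len(points)
    for _ in range(max_iter):
        # a) assignment: every point goes to its nearest center
        labels = [min(range(k), key=lambda j: distance(p, centers[j])) for p in points]
        # b) update: every center becomes the mean of its members
        new_centers: List[Point] = []
        for j in range(k):
            members = [p for p, lab in zip(points, labels) if lab == j]
            if not members:
                new_centers.append(centers[j])  # an empty cluster keeps its old center
                continue
            dim = len(members[0])
            new_centers.append(tuple(sum(p[i] for p in members) / len(members)
                                     for i in range(dim)))
        if new_centers == centers:
            break
        centers = new_centers
    return centers, labels


def match_library(centers: Sequence[Point], library: Dict[str, Point],
                  tolerance: float) -> List[str]:
    """Name every attack class whose library feature vector lies within
    tolerance of some cluster center; an empty list means no attack matched."""
    found: List[str] = []
    for c in centers:
        for name, feature in library.items():
            if distance(c, feature) <= tolerance and name not in found:
                found.append(name)
    return found


# Constructed library: (traffic volume in MB, packets per second) per attack class.
ATTACK_LIBRARY: Dict[str, Point] = {"DDoS": (1000.0, 900.0), "port scan": (50.0, 400.0)}

# Constructed capture: 20 normal-traffic vectors followed by 10 DDoS-like vectors.
SAMPLE: List[Point] = [(100.0 + 2 * i, 10.0 + i % 3) for i in range(20)] + \
                      [(940.0 + 4 * i, 860.0 + 3 * i) for i in range(10)]


def detect(points: Sequence[Point] = SAMPLE, library: Dict[str, Point] = ATTACK_LIBRARY,
           tolerance: float = 150.0) -> List[str]:
    """K = number of library classes + 1 so that normal traffic can form its own cluster."""
    centers, _ = kmeans(points, k=len(library) + 1)
    return match_library(centers, library, tolerance)


if __name__ == "__main__":
    print("attacks detected:", detect() or "none")
```

Because K exceeds the number of real groups in the sample, one group is split between two centers; both halves still lie within the tolerance of the same library entry, which is why the matching step deduplicates class names rather than counting centers.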
Step S203, if the judging result is network attack, determining the security rule corresponding to the flow characteristic data and executing the security rule.
In some embodiments, the executing body may determine, according to the identifier of the feature class, a security rule corresponding to the flow feature data from the data corresponding table when the discrimination result is a network attack.
Continuing the above example, the data feature library contains 5 classes of attack means as shown in Table 1, so K is set to 6. The actual cluster analysis, whose dimension equals the total number of digital features, should be 9-dimensional; it is reduced to 2 dimensions here for ease of presentation. The analysis result shows that, in addition to normal traffic packets, there is a large number of DDoS attack packets in the network. Therefore, a DDoS attack alarm should be raised at this point and corresponding defensive measures adopted, such as blocking unsolicited DNS response messages and discarding fast-retransmission packets, so as to ensure the stability of the industrial production network.
In some optional implementations of some embodiments, after determining the security rule corresponding to the flow characteristic data, the method further comprises: smoothing the threshold corresponding to the feature category in the feature database according to the discrimination result.
In practical application, adaptive adjustment of the network attack feature library: the network attack feature library contains a plurality of data features, and the detection and identification of network attacks in the present application mainly depend on these data features. Considering that key discrimination parameters such as network traffic volume, traffic speed and access frequency differ between industrial production scenarios, the detection success rate for network attacks would drop greatly without dynamic adjustment. The present application therefore proposes an adaptive feedback adjustment algorithm for the feature library, which smooths the parameter thresholds of the database according to the analysis result and clustering result of the network data packets in the specific production activity, as shown in formula (6):
(6)
Where the quantities in formula (6) are the characteristic index at time t, the cluster analysis result for that characteristic index at time t, and the smoothing factor.
For example, after the detection and countering of a DDoS attack are completed, the data characteristics of the DDoS attack packets in the current network and their clustering result are obtained, and this step uses that information to iteratively update the data feature library shown in Table 1, so that the feature library adapts to the current network environment and the detection success rate is improved. Taking traffic volume as the digital feature, the flow of the adaptive adjustment of the feature library is as follows: according to the cluster analysis result for the DDoS attack, the network traffic during the DDoS attack is about 962 MB, while the discrimination threshold in Table 1 is 1000 MB. If that threshold continued to be used as the basis of discrimination, the characteristic index would clearly deviate from the actual condition of the local network, so the characteristic index needs to be iteratively updated as shown in formula (7); the iterated result is 988.6 MB, and this index is updated in the database.
(7)
Where the quantities in formula (7) are the new DDoS attack traffic discrimination threshold, the old DDoS attack traffic discrimination threshold, the smoothing factor (taken as 0.3 here) and the observed DDoS attack traffic.
The adaptive adjustment of the network attack feature library can analyze and process new network attack means in real time and adjust the parameters and configuration of the feature library to improve detection and defense. At the same time, a traditional feature library may generate false alarms, so that normal traffic or behavior is misjudged; adaptive adjustment automatically adjusts the parameters and configuration of the feature library in real time according to the actual industrial production scenario, which reduces the false alarm rate, improves detection efficiency and gives good adaptability.
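As an added worked example of the adaptive feedback adjustment in formulas (6) and (7) (example code, not the patent's), the Python below keeps a small constructed feature library with a discrimination threshold per feature for each attack class and, after a detection, smooths the matched class's thresholds toward the values observed in the cluster analysis result using the smoothing factor. Applied to the traffic example above (old threshold 1000 MB, observed 962 MB, factor 0.3) it yields 988.6 MB. The library contents, the second feature and the class and function names are constructed assumptions; the smoothing factor value and the two traffic values are the ones the text uses.

```python
"""Adaptive feedback adjustment of the attack feature library (formulas (6)/(7)).

Added example, not code from the patent. The library below is constructed;
the smoothing factor 0.3 and the 1000 MB / 962 MB traffic values follow the text.
"""
from typing import Dict


def smooth_threshold(old: float, observed: float, alpha: float) -> float:
    """Formula (7): new = alpha * observed + (1 - alpha) * old.

    alpha is the smoothing factor; alpha=0 keeps the old threshold unchanged and
    alpha=1 replaces it with the observed value outright.
    """
    if not 0.0 <= alpha <= 1.0:
        raise ValueError("smoothing factor must lie in [0, 1]")
    return alpha * observed + (1.0 - alpha) * old


class FeatureLibrary:
    """Per-class discrimination thresholds, adjusted after each confirmed detection."""

    def __init__(self, thresholds: Dict[str, Dict[str, float]], alpha: float = 0.3):
        # Copy so that the caller's initial table is never mutated.
        self.thresholds = {cls: dict(feats) for cls, feats in thresholds.items()}
        self.alpha = alpha

    def update(self, attack_class: str, cluster_result: Dict[str, float]) -> Dict[str, float]:
        """Smooth every threshold of attack_class toward the clustered observation.

        Features absent from cluster_result stay as they are, and an unknown class
        is rejected rather than silently created, so only library classes adapt.
        """
        if attack_class not in self.thresholds:
            raise KeyError(f"unknown attack class: {attack_class}")
        feats = self.thresholds[attack_class]
        for name, observed in cluster_result.items():
            if name in feats:
                feats[name] = smooth_threshold(feats[name], observed, self.alpha)
        return dict(feats)


# Constructed library: traffic volume in MB and packet rate in packets per second.
INITIAL = {"DDoS": {"traffic_mb": 1000.0, "packet_rate": 50000.0}}


def worked_example() -> float:
    """The text's example: old threshold 1000 MB, observed 962 MB, factor 0.3."""
    lib = FeatureLibrary(INITIAL, alpha=0.3)
    updated = lib.update("DDoS", {"traffic_mb": 962.0})
    return updated["traffic_mb"]


def repeated_updates(rounds: int, observed: float = 962.0) -> float:
    """Repeated detections at the same traffic level pull the threshold ever closer to it."""
    lib = FeatureLibrary(INITIAL, alpha=0.3)
    value = INITIAL["DDoS"]["traffic_mb"]
    for _ in range(rounds):
        value = lib.update("DDoS", {"traffic_mb": observed})["traffic_mb"]
    return value


if __name__ == "__main__":
    print(f"after one update: {worked_example():.1f} MB")
    print(f"after five updates: {repeated_updates(5):.1f} MB")
```

The smoothing factor bounds the step the library takes on any single detection, so one unusual attack sample shifts a threshold by at most alpha times the difference; a factor of 1 would let a single observation overwrite the stored threshold.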
Any combination of the above optional solutions may be adopted to form an optional embodiment of the present application, which is not described herein.
The following are device embodiments of the present disclosure that may be used to perform method embodiments of the present disclosure. For details not disclosed in the embodiments of the apparatus of the present disclosure, please refer to the embodiments of the method of the present disclosure.
Fig. 5 is a schematic structural view of some embodiments of a security detection device according to the present disclosure. As shown in fig. 5, the security detection device includes: a data determination unit 501, a data discrimination unit 502, and a rule execution unit 503. The data determination unit 501 is configured to obtain target flow data, analyze the target flow data, and determine flow characteristic data; the data discrimination unit 502 is configured to discriminate the flow characteristic data based on a clustering algorithm and determine a discrimination result, where the discrimination result of the clustering algorithm is based on the feature categories in a feature database, and the feature database is generated from historical flow data; and the rule execution unit 503 is configured to determine a security rule corresponding to the flow characteristic data and execute the security rule when the discrimination result is a network attack.
In some optional implementations of some embodiments, the data determination unit 501 of the security detection device is further configured to: capturing the target flow data through a network sniffing module; performing signature detection, behavior detection and flow statistical analysis on the target flow data to obtain target information; and determining flow characteristic data according to the target information.
In some optional implementations of some embodiments, the data discrimination unit 502 of the security detection device is further configured to: inputting the flow characteristic data into a network model based on a clustering algorithm, matching the flow characteristic data with characteristic categories in the characteristic database, and determining the characteristic categories corresponding to the flow characteristic data; and determining a judging result according to the characteristic category corresponding to the flow characteristic data.
In some optional implementations of some embodiments, the matching the flow feature data with feature categories in the feature database, and determining a feature category corresponding to the flow feature data includes: randomly determining a plurality of cluster centers; wherein the cluster centers are in one-to-one correspondence with the feature categories; and carrying out iterative computation on the flow characteristic data based on the clustering center, and determining the characteristic category corresponding to the flow characteristic data.
In some optional implementations of some embodiments, the rule execution unit 503 of the security detection device is further configured to: and under the condition that the judging result is network attack, determining the security rule corresponding to the flow characteristic data from the data corresponding table according to the identification of the characteristic class.
In some optional implementations of some embodiments, the security detection device is further configured to: and smoothing the threshold corresponding to the feature class in the feature database according to the judging result.
In some optional implementations of some embodiments, the security detection device is further configured to: construct a data feature library according to the historical flow feature data; the constructing of the data feature library according to the historical flow feature data includes: analyzing the historical flow characteristic data through a network flow analysis module to obtain at least one characteristic value; and constructing the data feature library according to the at least one feature value.
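The units just described (feature extraction, clustering against a feature library built from historical traffic, rule lookup by category, and threshold smoothing with the factor 0.3 given earlier) form one pipeline. The following is an added example of that pipeline, not code from the patent or its applicant. The three features (packets per second, mean packet size, share of bare-SYN TCP packets), the category names, the rule correspondence table, the choice of one random initial centre per category, and the exponential-smoothing form of the threshold update are all assumptions of this example; the packet windows and historical samples are constructed.

```python
import math
import random

# --- 1. flow statistical analysis: captured packets -> feature vector ---------
def extract_features(packets, window_seconds):
    """(packets per second, mean packet size, share of bare-SYN TCP packets)."""
    n = len(packets)
    if n == 0:
        return (0.0, 0.0, 0.0)
    syn_only = sum(1 for p in packets if p["proto"] == "tcp" and p["flags"] == "S")
    return (n / window_seconds, sum(p["bytes"] for p in packets) / n, syn_only / n)

def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def smooth_threshold(old_threshold, attack_flow, alpha=0.3):
    """Threshold smoothing with the factor 0.3 named in the description; the
    exponential-smoothing form itself is an assumption of this example."""
    return alpha * attack_flow + (1.0 - alpha) * old_threshold

# --- 2. feature library: one random centre per category, then k-means --------
class FeatureLibrary:
    def __init__(self, history, rng=None, max_iter=100):
        """history: list of ((pps, mean_bytes, syn_ratio), category) samples."""
        rng = rng or random.Random()
        dim = len(history[0][0])
        # per-dimension scale so packet rates do not swamp sizes and ratios
        self.scale = [max(abs(v[i]) for v, _ in history) or 1.0 for i in range(dim)]
        samples = [(self._norm(v), c) for v, c in history]
        self.categories = sorted({c for _, c in samples})
        # per-category packet-rate threshold, later smoothed by judging results
        self.thresholds = {c: max(v[0] for v, cc in history if cc == c)
                           for c in self.categories}
        # a random initial centre drawn from each category's own samples keeps
        # the centre <-> category correspondence one-to-one
        self.centers = {c: rng.choice([v for v, cc in samples if cc == c])
                        for c in self.categories}
        for _ in range(max_iter):                     # Lloyd iterations
            members = {c: [] for c in self.categories}
            for v, _ in samples:
                members[self._nearest(v)].append(v)
            new_centers = {
                c: [sum(m[i] for m in ms) / len(ms) for i in range(dim)] if ms
                else self.centers[c]                  # empty cluster keeps centre
                for c, ms in members.items()}
            if new_centers == self.centers:           # assignments stable
                break
            self.centers = new_centers

    def _norm(self, v):
        return [x / s for x, s in zip(v, self.scale)]

    def _nearest(self, nv):
        return min(self.categories, key=lambda c: _dist(nv, self.centers[c]))

    def classify(self, vector):
        """Feature category whose cluster centre is nearest to this sample."""
        return self._nearest(self._norm(vector))

# --- 3. judging result, rule lookup and threshold update ----------------------
RULE_TABLE = {                                        # constructed correspondence table
    "normal":    "allow",
    "syn_flood": "enable SYN cookies; rate-limit new connections per source",
    "udp_flood": "drop UDP to unsolicited ports at the edge router",
}

def detect(library, packets, window_seconds=2.0):
    """One window end to end: features -> category -> verdict -> rule.
    Returns (category, verdict, rule); rule is None when no attack is judged."""
    vector = extract_features(packets, window_seconds)
    category = library.classify(vector)
    if category == "normal":
        return category, "normal", None
    # smooth this category's threshold toward the observed attack rate
    library.thresholds[category] = smooth_threshold(library.thresholds[category], vector[0])
    return category, "attack", RULE_TABLE[category]

# constructed historical feature data and two-second capture windows
HISTORY = [
    ((120, 640, 0.05), "normal"), ((150, 700, 0.04), "normal"), ((90, 580, 0.06), "normal"),
    ((9000, 60, 0.98), "syn_flood"), ((12000, 60, 0.99), "syn_flood"), ((8500, 64, 0.97), "syn_flood"),
    ((20000, 1400, 0.0), "udp_flood"), ((25000, 1450, 0.0), "udp_flood"), ((18000, 1380, 0.0), "udp_flood"),
]
SYN_WINDOW = [{"proto": "tcp", "flags": "S", "bytes": 60}] * 20000
NORMAL_WINDOW = ([{"proto": "tcp", "flags": "PA", "bytes": 620}] * 230
                 + [{"proto": "tcp", "flags": "S", "bytes": 60}] * 10)

if __name__ == "__main__":
    lib = FeatureLibrary(HISTORY, rng=random.Random(7))
    print(detect(lib, SYN_WINDOW))      # ('syn_flood', 'attack', 'enable SYN cookies; ...')
    print(detect(lib, NORMAL_WINDOW))   # ('normal', 'normal', None)
    print(lib.thresholds["syn_flood"])  # 11400.0, i.e. 0.3*10000 + 0.7*12000
```

Two design points worth noting. Drawing each initial centre from the samples of its own category is what keeps the claimed one-to-one correspondence between cluster centres and feature categories; with plain random initialisation two centres can land in one category and the mapping has to be recovered afterwards by majority vote. Because the smoothed threshold moves toward whatever rate it is fed, it is updated only on windows the clustering step judged to be an attack; feeding it every window would let a slow ramp drag the bar upward until the flood looks normal.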
It should be understood that the sequence numbers of the steps in the foregoing embodiments do not imply an order of execution; the execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the disclosure.
Fig. 6 is a schematic diagram of a computer device 6 provided by an embodiment of the present disclosure. As shown in fig. 6, the computer device 6 of this embodiment includes: a processor 601, a memory 602 and a computer program 603 stored in the memory 602 and executable on the processor 601. The steps of the various method embodiments described above are implemented by the processor 601 when executing the computer program 603. Alternatively, the processor 601, when executing the computer program 603, performs the functions of the modules/units of the apparatus embodiments described above.
Illustratively, the computer program 603 may be partitioned into one or more modules/units that are stored in the memory 602 and executed by the processor 601 to complete the present disclosure. One or more of the modules/units may be a series of computer program instruction segments capable of performing a specific function for describing the execution of the computer program 603 in the computer device 6.
The computer device 6 may be a desktop computer, a notebook computer, a palm computer, a cloud server, or the like. The computer device 6 may include, but is not limited to, a processor 601 and a memory 602. It will be appreciated by those skilled in the art that fig. 6 is merely an example of computer device 6 and is not limiting of computer device 6, and may include more or fewer components than shown, or may combine certain components, or different components, e.g., a computer device may also include an input-output device, a network access device, a bus, etc.
The processor 601 may be a central processing unit (Central Processing Unit, CPU) or other general purpose processor, digital signal processor (Digital Signal Processor, DSP), application specific integrated circuit (Application Specific Integrated Circuit, ASIC), field programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The memory 602 may be an internal storage unit of the computer device 6, for example, a hard disk or a memory of the computer device 6. The memory 602 may also be an external storage device of the computer device 6, for example, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash Card (Flash Card) or the like, which are provided on the computer device 6. Further, the memory 602 may also include both internal storage units and external storage devices of the computer device 6. The memory 602 is used to store computer programs and other programs and data required by the computer device. The memory 602 may also be used to temporarily store data that has been output or is to be output.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-described division of the functional units and modules is illustrated, and in practical application, the above-described functional distribution may be performed by different functional units and modules according to needs, i.e. the internal structure of the apparatus is divided into different functional units or modules to perform all or part of the above-described functions. The functional units and modules in the embodiment may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit, where the integrated units may be implemented in a form of hardware or a form of a software functional unit. In addition, the specific names of the functional units and modules are only for distinguishing from each other, and are not used for limiting the protection scope of the present application. The specific working process of the units and modules in the above system may refer to the corresponding process in the foregoing method embodiment, which is not described herein again.
Each of the foregoing embodiments has its own emphasis; for parts not described or illustrated in detail in one embodiment, reference is made to the related descriptions of other embodiments.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present disclosure.
In the embodiments provided in the present disclosure, it should be understood that the disclosed apparatus/computer device and method may be implemented in other manners. For example, the apparatus/computer device embodiments described above are merely illustrative, e.g., the division of modules or elements is merely a logical functional division, and there may be additional divisions of actual implementations, multiple elements or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection via interfaces, devices or units, which may be in electrical, mechanical or other forms.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present disclosure may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated modules/units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the present disclosure may implement all or part of the flow of the methods of the above embodiments by a computer program instructing the related hardware; the computer program may be stored in a computer readable storage medium and, when executed by a processor, implements the steps of the method embodiments described above. The computer program may comprise computer program code in source code form, object code form, executable file form or some intermediate form. The computer readable medium may include: any entity or device capable of carrying computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), an electrical carrier signal, a telecommunications signal, a software distribution medium, and so forth. It should be noted that the content of the computer readable medium may be appropriately increased or decreased according to the requirements of legislation and patent practice in the jurisdiction; for example, in some jurisdictions, according to legislation and patent practice, the computer readable medium does not include electrical carrier signals and telecommunication signals.
The above embodiments are merely for illustrating the technical solution of the present disclosure, and are not limiting thereof; although the present disclosure has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the disclosure, and are intended to be included in the scope of the present disclosure.

Claims (10)

1. A security detection method, comprising:
acquiring target flow data, analyzing the target flow data, and determining flow characteristic data;
judging the flow characteristic data based on a clustering algorithm, and determining a judging result; the judging result of the clustering algorithm is based on the feature category in a feature database, and the feature database is generated based on historical flow data;
and under the condition that the judging result is network attack, determining a safety rule corresponding to the flow characteristic data, and executing the safety rule.
2. The security detection method according to claim 1, wherein acquiring target flow data, analyzing the target flow data, and determining flow characteristic data comprises:
capturing the target flow data through a network sniffing module;
performing signature detection, behavior detection and flow statistical analysis on the target flow data to obtain target information;
and determining flow characteristic data according to the target information.
3. The security detection method according to claim 1, wherein judging the flow characteristic data based on a clustering algorithm and determining a judging result comprises:
inputting the flow characteristic data into a network model based on a clustering algorithm, matching the flow characteristic data with characteristic categories in the characteristic database, and determining the characteristic categories corresponding to the flow characteristic data;
and determining a judging result according to the characteristic category corresponding to the flow characteristic data.
4. The security detection method according to claim 3, wherein matching the flow characteristic data with characteristic categories in the characteristic database and determining the characteristic category corresponding to the flow characteristic data comprises:
randomly determining a plurality of cluster centers; wherein the clustering centers are in one-to-one correspondence with the feature categories;
and carrying out iterative computation on the flow characteristic data based on the clustering center, and determining the characteristic category corresponding to the flow characteristic data.
5. The method for detecting security according to claim 1, wherein the determining the security rule corresponding to the traffic feature data when the discrimination result is a network attack includes:
and under the condition that the judging result is network attack, determining the security rule corresponding to the flow characteristic data from a data corresponding table according to the identification of the characteristic class.
6. The security detection method of claim 1, wherein the method further comprises:
and smoothing the threshold corresponding to the feature class in the feature database according to the discrimination result.
7. The security detection method of claim 1, wherein the method further comprises:
constructing a data feature library according to the historical flow feature data;
the constructing a data feature library according to the historical flow feature data comprises:
analyzing the historical flow characteristic data through a network flow analysis module to obtain at least one characteristic value;
and constructing the data feature library according to the at least one feature value.
8. A security detection device, comprising:
the data determining unit is configured to acquire target flow data, analyze the target flow data and determine flow characteristic data;
the data judging unit is configured to judge the flow characteristic data based on a clustering algorithm and determine a judging result; the judging result of the clustering algorithm is based on the feature category in a feature database, and the feature database is generated based on historical flow data;
and the rule execution unit is configured to determine a security rule corresponding to the flow characteristic data and execute the security rule under the condition that the judging result is network attack.
9. An electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the steps of the method according to any of claims 1 to 7 when the computer program is executed.
10. A computer readable storage medium storing a computer program, characterized in that the computer program when executed by a processor implements the steps of the method according to any one of claims 1 to 7.
CN202310655214.1A 2023-06-05 2023-06-05 Security detection method, security detection device, electronic equipment and medium Pending CN116582347A (en)

Publications (1)

Publication Number Publication Date
CN116582347A true CN116582347A (en) 2023-08-11


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination