CN116760747A - Intelligent detection method and device for network information security - Google Patents


Info

Publication number
CN116760747A
Authority
CN
China
Prior art keywords
flow
data
flow characteristic
value
abnormal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN202310809816.8A
Other languages
Chinese (zh)
Inventor
肖文红
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jiaxing Vocational and Technical College
Original Assignee
Jiaxing Vocational and Technical College
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Jiaxing Vocational and Technical College
Priority to CN202310809816.8A
Publication of CN116760747A


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00: Arrangements for monitoring or testing data switching networks
    • H04L43/08: Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876: Network utilisation, e.g. volume of load or congestion level
    • H04L43/0888: Throughput
    • H04L43/0823: Errors, e.g. transmission errors
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Environmental & Geological Engineering (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a network information security intelligent detection method and a device, which are used for carrying out standardized processing on flow data acquired in network information to obtain standard flow data and constructing a flow characteristic correlation matrix, carrying out characteristic value decomposition on the flow characteristic correlation matrix to obtain a flow characteristic vector and a flow characteristic value, selecting the flow characteristic vector as a flow characteristic according to the flow characteristic value, mapping the standard flow data onto the flow characteristic to obtain preprocessed flow characteristic data, determining an abnormal flow detection model according to the standard deviation and the average value of the preprocessed flow characteristic data, detecting the preprocessed flow characteristic data through the abnormal flow detection model to obtain a flow abnormal value, judging that the preprocessed flow characteristic data is the abnormal flow data when the flow abnormal value is larger than a preset abnormal threshold, and sending warning information to a control center when the abnormal flow data is detected, so that the problem that the network information security detection result is low in accuracy and high in false alarm can be solved.

Description

Intelligent detection method and device for network information security
Technical Field
The present application relates to the field of network information security technologies, and in particular, to a method and an apparatus for intelligently detecting network information security.
Background
Network information security intelligent detection refers to a method for automatically monitoring, identifying and coping with network security threats by utilizing artificial intelligence and machine learning technologies. The method can help discover potential network attacks, malicious behaviors and abnormal activities, and take corresponding measures in time to deal with.
Anomaly detection is an important component of network information security intelligent detection. It aims to discover activities that do not match normal behavior patterns and that may indicate potential network attacks, malicious behavior, or system failure. A baseline model of normal behavior is established using machine learning and statistical analysis methods; user behavior and system activity are then monitored and analyzed in real time to identify activity inconsistent with the baseline model, which helps to find unknown attacks and novel threats.
Disclosure of Invention
The embodiment of the application provides a network information security intelligent detection method and device, which are used for solving the technical problems of low accuracy and high false alarm of network information security detection results in the prior art.
In order to solve the technical problems, the application adopts the following technical scheme:
in a first aspect, the present application provides a network information security intelligent detection method, including the following steps:
collecting flow data in network information, and carrying out standardized processing on the collected flow data to obtain standard flow data;
constructing a flow characteristic correlation matrix according to the standard flow data, decomposing a characteristic value of the flow characteristic correlation matrix to obtain a flow characteristic vector and a flow characteristic value, selecting the flow characteristic vector as a flow characteristic according to the flow characteristic value, and mapping the standard flow data to the flow characteristic to obtain preprocessed flow characteristic data;
calculating the preprocessed flow characteristic data to obtain standard deviation and average value, determining an abnormal flow detection model according to the standard deviation and the average value, and detecting the preprocessed flow characteristic data through the abnormal flow detection model to obtain a flow abnormal value;
when the abnormal flow value is larger than a preset abnormal threshold value, judging that the preprocessed flow characteristic data is abnormal flow data, and when the abnormal flow data is detected, sending warning information to a control center.
In some embodiments, the normalizing the collected flow data to obtain standard flow data specifically includes:
determining a maximum value and a minimum value of flow data by traversing the flow data;
and carrying out standardization processing on the flow data according to the maximum value and the minimum value to obtain standard flow data, wherein the standard flow data is determined according to the following formula:
wherein $X_s$ represents the standard flow data after standardization, $X$ represents the flow data, $X_{max}$ represents the maximum value of the flow data, and $X_{min}$ represents the minimum value of the flow data.
In some embodiments, the constructing a flow characteristic correlation matrix according to the standard flow data specifically includes:
determining the number $n$ and the mean $\mu$ of the standard flow data;
determining a matrix $\phi$ of the standard flow data;
constructing a flow characteristic correlation matrix according to the number $n$ and the mean $\mu$ of the standard flow data and the matrix $\phi$ of the standard flow data, wherein the flow characteristic correlation matrix is determined according to the following formula:
wherein $\psi$ represents the flow characteristic correlation matrix, $n$ represents the number of standard flow data, $\phi$ represents the matrix of standard flow data, $\mu$ represents the mean of the standard flow data, and $(\phi-\mu)^T$ represents the transpose of the matrix.
In some embodiments, performing eigenvalue decomposition on the flow characteristic correlation matrix to obtain a flow characteristic vector and a flow characteristic value specifically includes:
obtaining a flow characteristic value sequence according to a solution equation of the flow characteristic value, wherein the solution equation of the flow characteristic value is determined by the following formula:
$|\psi-\alpha\theta|=0$
wherein $\psi$ represents the flow characteristic correlation matrix, $\alpha$ represents a flow characteristic value, and $\theta$ represents the identity matrix;
and determining a flow characteristic vector through the flow characteristic value sequence, wherein a solution equation of the flow characteristic vector is determined by the following formula:
$|\psi-\alpha_i\theta|\beta_i=0$
wherein $\psi$ represents the flow characteristic correlation matrix, $\alpha_i$ represents the $i$-th flow characteristic value in the flow characteristic value sequence, $\theta$ represents the identity matrix, and $\beta_i$ represents the flow characteristic vector corresponding to $\alpha_i$.
In some embodiments, the flow characteristic values are sorted by magnitude, and flow characteristic vectors are selected from the sorted flow characteristic values as the flow characteristics according to a preset dimension.
In some embodiments, the mapping the standard flow data onto the flow characteristic to obtain the preprocessed flow characteristic data specifically includes:
multiplying a matrix formed by standard flow data by a matrix formed by flow characteristics to obtain a preprocessed flow characteristic matrix;
and determining preprocessing flow characteristic data according to the preprocessing flow characteristic matrix.
In some embodiments, the predetermined anomaly threshold is determined by historical data analysis of the anomaly traffic.
In a second aspect, the present application provides an intelligent network information security detection device, including:
the standard flow data determining module is used for collecting flow data in the network information, and carrying out standardized processing on the collected flow data to obtain standard flow data;
the preprocessing flow characteristic data determining module is used for constructing a flow characteristic correlation matrix according to the standard flow data, decomposing characteristic values of the flow characteristic correlation matrix to obtain flow characteristic vectors and flow characteristic values, selecting the flow characteristic vectors as flow characteristics according to the flow characteristic values, and mapping the standard flow data to the flow characteristics to obtain preprocessing flow characteristic data;
the flow abnormal value determining module is used for calculating the preprocessed flow characteristic data to obtain standard deviation and average value, determining an abnormal flow detection model according to the standard deviation and the average value, and detecting the preprocessed flow characteristic data through the abnormal flow detection model to obtain a flow abnormal value;
and the warning module is used for judging that the preprocessed flow characteristic data is abnormal flow data when the flow abnormal value is larger than a preset abnormal threshold value, and sending warning information to the control center when the abnormal flow data is detected.
In a third aspect, the present application provides a computer device comprising a memory storing code and a processor configured to obtain the code and to perform the above-described network information security intelligent detection method.
In a fourth aspect, the present application provides a computer readable storage medium storing a computer program which, when executed by a processor, implements the network information security intelligent detection method described above.
The technical scheme provided by the embodiment of the application has the following beneficial effects:
in the intelligent network information security detection method and device disclosed by the application, the standard flow data is obtained by collecting flow data in network information, the collected flow data is standardized, a flow characteristic correlation matrix is constructed according to the standard flow data, characteristic value decomposition is carried out on the flow characteristic correlation matrix to obtain a flow characteristic vector and a flow characteristic value, the flow characteristic vector is selected according to the flow characteristic value to serve as flow characteristic, the standard flow data is mapped onto the flow characteristic to obtain preprocessed flow characteristic data, the preprocessed flow characteristic data is calculated to obtain standard deviation and mean value, an abnormal flow detection model is determined according to the standard deviation and the mean value, the preprocessed flow characteristic data is detected through the abnormal flow detection model to obtain a flow abnormal value, when the flow abnormal value is larger than a preset abnormal threshold value, the preprocessed flow characteristic data is judged to be the abnormal flow data, and when the abnormal flow data is detected, warning information is sent to a system, and the technical problems of low accuracy and high error rate of network information security detection result in the prior art can be solved.
Drawings
FIG. 1 is an exemplary flow chart of a network information security intelligent detection method according to some embodiments of the application;
FIG. 2 is a schematic diagram of exemplary hardware and/or software of a network information security intelligent detection device, according to some embodiments of the present application;
FIG. 3 is a schematic diagram illustrating an exemplary architecture of a computer device to which a network information security intelligent detection method is applied according to some embodiments of the present application.
Detailed Description
The application provides a network information security intelligent detection method and device. Flow data in network information is collected and standardized to obtain standard flow data. A flow characteristic correlation matrix is constructed from the standard flow data and subjected to eigenvalue decomposition to obtain flow characteristic vectors and flow characteristic values; flow characteristic vectors are selected as flow characteristics according to the flow characteristic values, and the standard flow data is mapped onto the flow characteristics to obtain preprocessed flow characteristic data. The standard deviation and the mean of the preprocessed flow characteristic data are calculated, an abnormal flow detection model is determined according to the standard deviation and the mean, and the preprocessed flow characteristic data is detected through the abnormal flow detection model to obtain a flow abnormal value. When the flow abnormal value is larger than a preset abnormal threshold, the preprocessed flow characteristic data is judged to be abnormal flow data, and when abnormal flow data is detected, warning information is sent to a system. This can solve the technical problems of low accuracy and high false alarm rate of network information security detection results in the prior art.
In order to better understand the above technical solutions, the following detailed description will refer to the accompanying drawings and specific embodiments. Referring to fig. 1, which is an exemplary flowchart of a network information security intelligent detection method according to some embodiments of the present application, the network information security intelligent detection method 100 mainly includes the steps of:
in step 101, traffic data in network information is collected, and standard traffic data is obtained by performing standardization processing on the collected traffic data.
In some embodiments, the normalizing the collected flow data to obtain standard flow data specifically includes: determining the maximum value and the minimum value of flow data by traversing the flow data, and carrying out standardization processing on the flow data according to the maximum value and the minimum value to obtain standard flow data, wherein the standard flow data is determined according to the following formula:
wherein $X_s$ represents the standard flow data after standardization, $X$ represents the flow data, $X_{max}$ represents the maximum value of the flow data, and $X_{min}$ represents the minimum value of the flow data.
In some embodiments, assume a flow data set [120, 60, 95, 110, 75, 130, 90]. By traversing the flow data, the maximum value of the flow data is determined to be 130 and the minimum value 75; the flow data is then standardized using the maximum and minimum values to obtain the standard flow data [0.4167, 0.0833, 0.25, 0.375, 0, 0.5833, 0.1667].
It should be noted that, through the standardization processing, the flow data is mapped into a range, so that the minimum value corresponds to the lower limit of the target range, and the maximum value corresponds to the upper limit of the target range.
In step 102, a flow characteristic correlation matrix is constructed according to the standard flow data, characteristic value decomposition is carried out on the flow characteristic correlation matrix to obtain a flow characteristic vector and a flow characteristic value, the flow characteristic vector is selected as a flow characteristic according to the flow characteristic value, and the standard flow data is mapped onto the flow characteristic to obtain preprocessed flow characteristic data.
In some embodiments, the constructing the flow characteristic correlation matrix according to the standard flow data may specifically adopt the following manner:
First, the number $n$ and the mean $\mu$ of the standard flow data are determined; next, a matrix $\phi$ of the standard flow data is determined; finally, the flow characteristic correlation matrix is constructed according to the number $n$ and the mean $\mu$ of the standard flow data and the matrix $\phi$ of the standard flow data, wherein the flow characteristic correlation matrix is determined according to the following formula:
wherein $\psi$ represents the flow characteristic correlation matrix, $n$ represents the number of standard flow data, $\phi$ represents the matrix of standard flow data, $\mu$ represents the mean of the standard flow data, and $(\phi-\mu)^T$ represents the transpose of the matrix. It should be noted that constructing the flow characteristic correlation matrix may help to enhance the correlation between features in the flow data.
In some embodiments, the flow characteristic value sequence is derived from a solution equation for the flow characteristic value, which is determined by:
$|\psi-\alpha\theta|=0$
wherein $\psi$ represents the flow characteristic correlation matrix, $\alpha$ represents a flow characteristic value, and $\theta$ represents the identity matrix;
determining a flow characteristic vector through the flow characteristic value sequence, wherein a solution equation of the flow characteristic vector is determined by the following formula:
$|\psi-\alpha_i\theta|\beta_i=0$
wherein $\psi$ represents the flow characteristic correlation matrix, $\alpha_i$ represents the $i$-th flow characteristic value in the flow characteristic value sequence, $\theta$ represents the identity matrix, and $\beta_i$ represents the flow characteristic vector corresponding to $\alpha_i$.
It should be noted that, the eigenvalue decomposition may help to enhance the correlation and importance between the features in the flow data set, and in an actual implementation, the calculation of the eigenvalue decomposition may also be implemented using a function provided by a numerical calculation library or a linear algebraic library, which will not be described in detail.
In some embodiments, the flow characteristic values are sorted by magnitude, and flow characteristic vectors are selected from the sorted flow characteristic values according to a preset dimension, where the preset dimension is the dimension to which the standard flow data is to be reduced. The flow characteristic values are sorted from large to small and the order of the flow characteristic vectors is adjusted accordingly, so that a flow characteristic vector with a larger flow characteristic value corresponds to a more important flow characteristic in the standard flow data. For example, when the preset dimension is 3, the three flow characteristic vectors with the largest flow characteristic values are selected as the flow characteristics. It should be noted that the flow characteristics are the most important flow characteristics retained from the standard flow data.
In some embodiments, mapping standard flow data onto flow characteristics to obtain preprocessed flow characteristic data may be implemented in the following manner, that is:
The matrix formed by the standard flow data is multiplied by the matrix formed by the flow characteristics to obtain a preprocessed flow characteristic matrix, and the preprocessed flow characteristic data is determined according to the preprocessed flow characteristic matrix. By mapping the standard flow data onto the flow characteristics, standard flow data of higher dimension is converted into preprocessed flow characteristic data of lower dimension, while the key characteristics of the standard flow data are retained as far as possible.
In step 103, the preprocessed flow characteristic data is calculated to obtain standard deviation and mean value, an abnormal flow detection model is determined according to the standard deviation and the mean value, and the preprocessed flow characteristic data is detected through the abnormal flow detection model to obtain a flow abnormal value.
In some embodiments, the standard deviation and the mean are calculated from the preprocessed flow characteristic data. Assume that the preprocessed flow characteristic data is collected over a period of time, for example the network flow transmission rate per minute, and that a statistical description of this characteristic yields a mean τ=100 and a standard deviation λ=10. It should be noted that the unit of both the mean and the standard deviation is Mbps (megabits per second); the calculation of the mean and the standard deviation is not repeated here.
In some embodiments, the abnormal flow detection model may be determined by first determining the preprocessed flow characteristic data x, and further determining the standard deviation λ and the mean τ of the preprocessed flow characteristic data x, and finally determining the abnormal flow detection model according to the preprocessed flow characteristic data x, the standard deviation λ and the mean τ, where, as a preferred embodiment, the abnormal flow detection model may be determined by the following formula:
wherein ω (x) represents a flow anomaly value, x represents the preprocessed flow characteristic data, τ represents the mean value of the preprocessed flow characteristic data, λ represents the standard deviation of the preprocessed flow characteristic data, e represents the euler number, pi represents the circumference ratio, and a represents an intermediate substitution variable.
It should be noted that the abnormal flow detection model is critical to realizing network information security, and the method can discover potential network threat, identify abnormal behavior, optimize defense strategy, and help to perform emergency response and malicious activity analysis through the abnormal flow detection model, and can improve the security and stability of the network and protect important data and resources through effective abnormal flow detection.
In some embodiments, the abnormal flow detection model is used to detect the preprocessed flow feature data to obtain a flow abnormal value, for example, it is assumed that a preprocessed flow feature data represents a transmission rate of the flow, the transmission rate is 92Mbps, and the preprocessed flow feature data is substituted into the abnormal flow detection model to obtain the flow abnormal value of 0.048, and a calculation process of the substituted abnormal flow detection model is not described herein.
In step 104, when the abnormal flow value is greater than a preset abnormal threshold, the preprocessed flow characteristic data is judged to be abnormal flow data, and when abnormal flow data is detected, warning information is sent to a control center.
In some embodiments, the preset abnormal threshold is determined by analyzing historical data of abnormal flow. For example, historical flow data over a period of time is collected, including normal flow and sample data of known abnormal flow. The collected historical flow data is preprocessed, including but not limited to operations such as data cleaning, data filtering and data standardization. Statistical indexes such as the mean and the standard deviation are then calculated from the preprocessed historical flow data; these statistical indexes reflect the distribution of the historical flow data.
The preset anomaly threshold is determined from the standard deviation and the mean of the historical flow data, and in some embodiments, the preset anomaly threshold is determined using a mean plus or minus a plurality of standard deviations, e.g., one may choose to use the mean minus twice the standard deviation as the lower anomaly threshold and the mean plus twice the standard deviation as the upper anomaly threshold.
It should be noted that, when the preset abnormal threshold is compared with the flow abnormal value, the preset abnormal threshold needs to be reduced by one hundred times so that the comparison is convenient. Determining the preset abnormal threshold is a key step that requires adjustment and optimization according to the actual scene and requirements. As the flow data changes and new abnormal situations occur, the preset abnormal threshold may also need to be periodically updated and adjusted to maintain the effectiveness of the abnormal flow detection model.
In some embodiments, when the flow abnormal value is greater than the preset abnormal threshold, the preprocessed flow characteristic data is determined to be abnormal flow data. For example, assume a preprocessed flow characteristic data of 92 Mbps and an upper limit of the preset abnormal threshold of 3.9, which reduced by one hundred times is 0.039. The flow abnormal value is compared with the preset abnormal threshold, and because the flow abnormal value is greater than the reduced upper threshold (0.048 > 0.039), the preprocessed flow characteristic data is determined to be abnormal flow data.
In some embodiments, when abnormal flow data is detected, a system administrator or related personnel may be notified by sending warning information to the control center, so that measures can be taken in time to handle the abnormal situation and prevent possible network problems or security threats. The warning information may be sent in various manners, such as email, SMS or an instant messaging tool, without limitation. By sending the warning information, abnormal flow can be found and processed in time, which ensures the stability and security of the network; a timely warning also helps to reduce potential influence and loss.
It should be noted that, in the foregoing embodiment, detection of the flow data provides a more comprehensive analysis for distinguishing normal flow data from abnormal flow data, which allows a more accurate judgment, improves accuracy and reduces the false alarm rate. Standardizing the flow data maps it into a certain range. The flow characteristic correlation matrix may enhance the correlation between features in the flow data. Mapping the standard flow data onto the flow characteristics converts standard flow data of higher dimension into preprocessed flow characteristic data of lower dimension while retaining the key characteristics of the standard flow data as far as possible. The abnormal flow detection model produces a flow abnormal value, which is compared with a preset threshold to reach a decision. Compared with a conventional detection method based on rules or behavior patterns, detection of the flow data can capture more details and changes, improve the accuracy of network information security detection results, and reduce the false alarm rate.
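Steps 101 to 104 carried through end to end, as an added example that is not code from the patent. The page's formulas did not survive, so min-max scaling, a 1/n form for ψ, and a stand-in score of |x − τ| / λ with a threshold of two standard deviations are assumptions; all function names are hypothetical and the flow records are constructed.

```python
import math

# Constructed per-minute flow records: (Mbps, thousand packets/s, new connections/s).
BASELINE = [(90, 11, 198), (95, 12, 212), (100, 12, 221), (105, 13, 228),
            (110, 14, 243), (98, 12, 214), (102, 13, 226), (93, 11, 207),
            (107, 13, 233), (100, 12, 218)]

def fit_minmax(rows):
    """Step 101: per-feature minimum and maximum, learned from baseline traffic."""
    cols = list(zip(*rows))
    return [min(c) for c in cols], [max(c) for c in cols]

def apply_minmax(row, lo, hi):
    """Scale one record; a constant feature (max == min) maps to 0.0."""
    return [(x - l) / (h - l) if h > l else 0.0 for x, l, h in zip(row, lo, hi)]

def flow_correlation_matrix(rows):
    """Step 102: psi = (1/n) * sum of (phi - mu)(phi - mu)^T; the 1/n form is assumed."""
    n, d = len(rows), len(rows[0])
    mu = [sum(r[j] for r in rows) / n for j in range(d)]
    return [[sum((r[i] - mu[i]) * (r[j] - mu[j]) for r in rows) / n
             for j in range(d)] for i in range(d)]

def jacobi_eigh(a, sweeps=50):
    """Eigen-decompose a symmetric matrix with cyclic Jacobi rotations.

    Returns (eigenvalue, eigenvector) pairs, largest eigenvalue first.
    """
    d = len(a)
    a = [list(map(float, row)) for row in a]
    v = [[float(i == j) for j in range(d)] for i in range(d)]
    for _ in range(sweeps):
        off = sum(a[i][j] ** 2 for i in range(d) for j in range(d) if i != j)
        if off < 1e-24:  # off-diagonal part is numerically zero: converged
            break
        for p in range(d - 1):
            for q in range(p + 1, d):
                if a[p][q] == 0.0:
                    continue
                diff = a[q][q] - a[p][p]
                theta = math.pi / 4 if diff == 0 else 0.5 * math.atan(2 * a[p][q] / diff)
                c, s = math.cos(theta), math.sin(theta)
                for m in (a, v):  # rotate columns p and q: M <- M J
                    for k in range(d):
                        mp, mq = m[k][p], m[k][q]
                        m[k][p], m[k][q] = c * mp - s * mq, s * mp + c * mq
                for k in range(d):  # rotate rows p and q of A: A <- J^T A
                    ap, aq = a[p][k], a[q][k]
                    a[p][k], a[q][k] = c * ap - s * aq, s * ap + c * aq
    pairs = [(a[i][i], [v[k][i] for k in range(d)]) for i in range(d)]
    return sorted(pairs, key=lambda t: t[0], reverse=True)

def project(std_row, feats):
    """Map one standardized record onto the selected flow characteristic vectors."""
    return [sum(x * b for x, b in zip(std_row, beta)) for beta in feats]

def fit(baseline, k=1):
    """Learn scaling, the top-k characteristic vectors, and tau / lambda per component."""
    lo, hi = fit_minmax(baseline)
    std = [apply_minmax(r, lo, hi) for r in baseline]
    top = jacobi_eigh(flow_correlation_matrix(std))[:k]
    feats = [beta for _, beta in top]
    proj = [project(r, feats) for r in std]
    n = len(proj)
    tau = [sum(p[j] for p in proj) / n for j in range(k)]
    lam = [math.sqrt(sum((p[j] - tau[j]) ** 2 for p in proj) / n) for j in range(k)]
    return {"lo": lo, "hi": hi, "alpha": [a for a, _ in top],
            "feats": feats, "tau": tau, "lam": lam}

def zscore(x, tau, lam):
    """Distance from the baseline mean in standard deviations (lam == 0 handled)."""
    if lam == 0:
        return 0.0 if x == tau else math.inf
    return abs(x - tau) / lam

def score(model, row):
    """Step 103 stand-in: largest z-score over the retained components."""
    x = project(apply_minmax(row, model["lo"], model["hi"]), model["feats"])
    return max(zscore(xi, t, l) for xi, t, l in zip(x, model["tau"], model["lam"]))

def detect(model, rows, threshold=2.0):
    """Step 104: return (record, score) alerts for records above the threshold."""
    scored = [(row, score(model, row)) for row in rows]
    return [(row, round(s, 2)) for row, s in scored if s > threshold]

if __name__ == "__main__":
    model = fit(BASELINE, k=1)
    for row, s in detect(model, [(101, 12, 222), (180, 25, 400), (20, 2, 40)]):
        print("ALERT to control center:", row, "score", s)
```

The minimum, maximum, characteristic vectors, mean and standard deviation are all learned from the baseline only; new records are scored against them, so a surge and a collapse in traffic both exceed the two-sided threshold.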
Additionally, in some embodiments, referring to fig. 2, which is a schematic diagram of exemplary hardware and/or software of a network information security intelligent detection device according to some embodiments of the present application, the network information security intelligent detection device 200 may include: the standard flow data determining module 201, the preprocessed flow characteristic data determining module 202, the flow abnormal value determining module 203 and the warning module 204 are respectively described as follows:
the standard flow data determining module 201 is mainly used for collecting flow data in network information, and performing standardized processing on the collected flow data to obtain standard flow data;
the preprocessing flow characteristic data determining module 202 is mainly used for constructing a flow characteristic correlation matrix according to the standard flow data, decomposing characteristic values of the flow characteristic correlation matrix to obtain flow characteristic vectors and flow characteristic values, selecting the flow characteristic vectors as flow characteristics according to the flow characteristic values, and mapping the standard flow data to the flow characteristics to obtain preprocessing flow characteristic data;
the flow abnormal value determining module 203 is mainly used for calculating the preprocessed flow characteristic data to obtain standard deviation and average value, determining an abnormal flow detection model according to the standard deviation and the average value, and detecting the preprocessed flow characteristic data through the abnormal flow detection model to obtain a flow abnormal value;
the warning module 204 is mainly configured to determine that the preprocessed flow characteristic data is abnormal flow data when the flow abnormal value is greater than a preset abnormal threshold, and to send warning information to a control center when the abnormal flow data is detected.
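The four modules above can be followed end to end in a short added example (this is not code from the patent). It assumes the usual min-max formula, a 1/n covariance matrix as the flow characteristic correlation matrix, the largest absolute z-score across the retained components as the flow abnormal value, a threshold of 3.0, and a model fitted on a baseline window and then applied to new rows; the feature names, sample rows and the power-iteration eigen solver are likewise choices made for this example.

```python
import math
from statistics import mean, pstdev

# Constructed baseline window: (packets/s, KB/s, distinct destination ports).
BASELINE = [(100, 50, 3), (110, 56, 4), (120, 59, 3), (130, 66, 5), (140, 69, 4),
            (150, 76, 5), (160, 79, 4), (170, 86, 6), (180, 89, 5), (190, 96, 6)]
SCAN_LIKE = (900, 60, 400)   # constructed outlier: many packets to many ports
THRESHOLD = 3.0              # assumed preset abnormal threshold

def top_eigenpairs(C, k, iters=300):
    """Largest k eigenpairs of a symmetric matrix: power iteration plus deflation."""
    d, C, pairs = len(C), [row[:] for row in C], []
    start = math.sqrt(sum((i + 1) ** 2 for i in range(d)))
    for _ in range(k):
        v = [(i + 1) / start for i in range(d)]
        for _ in range(iters):
            w = [sum(C[i][j] * v[j] for j in range(d)) for i in range(d)]
            norm = math.sqrt(sum(x * x for x in w))
            if norm < 1e-15:
                break
            v = [x / norm for x in w]
        lam = sum(v[i] * C[i][j] * v[j] for i in range(d) for j in range(d))
        pairs.append((lam, v))
        for i in range(d):
            for j in range(d):
                C[i][j] -= lam * v[i] * v[j]   # deflate the component just found
    return pairs

def fit(rows, k=2):
    """Modules 201-203: learn scaling, principal directions, per-component mean/std."""
    cols = list(zip(*rows))
    lo = [min(c) for c in cols]
    span = [(max(c) - min(c)) or 1.0 for c in cols]      # guard constant columns
    X = [[(x - l) / s for x, l, s in zip(r, lo, span)] for r in rows]
    n, d = len(X), len(lo)
    mu = [mean(c) for c in zip(*X)]
    C = [[sum((r[i] - mu[i]) * (r[j] - mu[j]) for r in X) / n for j in range(d)]
         for i in range(d)]
    pairs = top_eigenpairs(C, k)
    comps = [v for _, v in pairs]
    Z = [[sum(a * b for a, b in zip(x, v)) for v in comps] for x in X]
    stats = [(mean(c), pstdev(c) or 1e-12) for c in zip(*Z)]
    return {"lo": lo, "span": span, "comps": comps, "stats": stats,
            "eigenvalues": [lam for lam, _ in pairs]}

def anomaly_value(model, row):
    """Largest absolute z-score of the row across the retained components."""
    x = [(v - l) / s for v, l, s in zip(row, model["lo"], model["span"])]
    proj = [sum(a * b for a, b in zip(x, v)) for v in model["comps"]]
    return max(abs(p - m) / sd for p, (m, sd) in zip(proj, model["stats"]))

def detect(model, row, threshold=THRESHOLD):
    """Module 204: True means the row would trigger a warning."""
    return anomaly_value(model, row) > threshold

MODEL = fit(BASELINE)

if __name__ == "__main__":
    print("eigenvalues:", [round(e, 4) for e in MODEL["eigenvalues"]])
    for row in BASELINE[:3] + [SCAN_LIKE]:
        print(row, round(anomaly_value(MODEL, row), 2), detect(MODEL, row))
```

When the mean and standard deviation are computed from the same window that is being scored, a window of n samples can never yield an absolute z-score above (n-1)/√n, so a threshold of 3 cannot fire on windows of 10 samples or fewer. Scoring new rows against a separately fitted baseline, as done here, avoids that ceiling.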
In some embodiments, the present application also provides a computer device comprising a memory and a processor; the memory stores codes, and the processor is configured to acquire the codes and execute the intelligent network information security detection method.
In some embodiments, reference is made to fig. 3, which is a schematic structural diagram of a computer device for a network information security intelligent detection method according to an embodiment of the present application. The above-described network information security intelligent detection method in the above-described embodiment may be implemented by a computer device shown in fig. 3, where the computer device 300 includes at least one processor 301, a communication bus 302, a memory 303, and at least one communication interface 304.
Processor 301 may be a general-purpose central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling execution of the network information security intelligent detection method of the present application.
Communication bus 302 may include a path to transfer information between the above components.
The memory 303 may be, but is not limited to, a read-only memory (ROM) or another type of static storage device that can store static information and instructions; a random access memory (RAM) or another type of dynamic storage device that can store information and instructions; an electrically erasable programmable read-only memory (EEPROM); a compact disc read-only memory (CD-ROM) or other optical disk storage; optical disc storage (including compact disc, laser disc, optical disc, digital versatile disc, Blu-ray disc, etc.); a magnetic disk or other magnetic storage device; or any other medium that can be used to carry or store the desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory 303 may stand alone and be coupled to the processor 301 via the communication bus 302. The memory 303 may also be integrated with the processor 301.
The memory 303 is used for storing program codes for executing the scheme of the present application, and the processor 301 controls the execution. The processor 301 is configured to execute program code stored in the memory 303. One or more software modules may be included in the program code. The network information security intelligent detection method in the above embodiment may be implemented by one or more software modules in the program codes in the processor 301 and the memory 303.
Communication interface 304 uses any transceiver-like device to communicate with other devices or communication networks, such as Ethernet, a radio access network (RAN), or a wireless local area network (WLAN).
In a specific implementation, as an embodiment, a computer device may include a plurality of processors, where each of the processors may be a single-core (single-CPU) processor or may be a multi-core (multi-CPU) processor. A processor herein may refer to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).
The computer device may be a general purpose computer device or a special purpose computer device. In particular implementations, the computer device may be a desktop, laptop, web server, palmtop (personal digital assistant, PDA), mobile handset, tablet, wireless terminal device, communication device, or embedded device. Embodiments of the application are not limited to the type of computer device.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
For example, in some embodiments, the present application further provides a computer readable storage medium storing a computer program that when executed by a processor implements the network information security intelligent detection method described above.
The present application is described in terms of flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present application without departing from the spirit or scope of the application. Thus, it is intended that the present application also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (10)

1. The intelligent network information security detection method is characterized by comprising the following steps:
collecting flow data in network information, and carrying out standardized processing on the collected flow data to obtain standard flow data;
constructing a flow characteristic correlation matrix according to the standard flow data, decomposing a characteristic value of the flow characteristic correlation matrix to obtain a flow characteristic vector and a flow characteristic value, selecting the flow characteristic vector as a flow characteristic according to the flow characteristic value, and mapping the standard flow data to the flow characteristic to obtain preprocessed flow characteristic data;
calculating the preprocessed flow characteristic data to obtain standard deviation and average value, determining an abnormal flow detection model according to the standard deviation and the average value, and detecting the preprocessed flow characteristic data through the abnormal flow detection model to obtain a flow abnormal value;
when the abnormal flow value is larger than a preset abnormal threshold value, judging that the preprocessed flow characteristic data is abnormal flow data, and when the abnormal flow data is detected, sending warning information to a control center.
2. The method of claim 1, wherein the normalizing the collected flow data to obtain standard flow data specifically comprises:
determining a maximum value and a minimum value of flow data by traversing the flow data;
and carrying out standardization processing on the flow data according to the maximum value and the minimum value to obtain standard flow data, wherein the standard flow data is determined according to the following formula:
wherein X_s represents the standard flow data after standardized processing, X represents the flow data, X_max represents the maximum value of the flow data, and X_min represents the minimum value of the flow data.
3. The method of claim 1, wherein constructing a flow characteristic correlation matrix from the standard flow data comprises:
determining the number n and the mean μ of the standard flow data;
determining a matrix φ of the standard flow data;
constructing a flow characteristic correlation matrix according to the number n and the mean μ of the standard flow data and the matrix φ of the standard flow data, wherein the flow characteristic correlation matrix is determined according to the following formula:
wherein ψ represents the flow characteristic correlation matrix, n represents the number of standard flow data, φ represents the matrix of standard flow data, μ represents the mean of the standard flow data, and (φ-μ)^T represents the transpose of the matrix.
4. The method of claim 1, wherein performing eigenvalue decomposition on the flow characteristic correlation matrix to obtain a flow characteristic vector and a flow characteristic value specifically comprises:
obtaining a flow characteristic value sequence according to a solution equation of the flow characteristic value, wherein the solution equation of the flow characteristic value is determined by the following formula:
|ψ-αθ|=0
wherein ψ represents the flow characteristic correlation matrix, α represents a flow characteristic value, and θ represents the identity matrix;
and determining a flow characteristic vector through the flow characteristic value sequence, wherein a solution equation of the flow characteristic vector is determined by the following formula:
|ψ - α_i θ| β_i = 0
wherein ψ represents the flow characteristic correlation matrix, α_i represents the i-th flow characteristic value in the flow characteristic value sequence, θ represents the identity matrix, and β_i represents the flow characteristic vector corresponding to α_i.
5. The method of claim 1 wherein the flow feature values are ranked by size and a flow feature vector is selected as a flow feature from the ranked flow feature values according to a predetermined dimension.
6. The method of claim 1, wherein mapping the standard flow data onto the flow characteristics to obtain pre-processed flow characteristic data comprises:
multiplying a matrix formed by standard flow data by a matrix formed by flow characteristics to obtain a preprocessed flow characteristic matrix;
and determining preprocessing flow characteristic data according to the preprocessing flow characteristic matrix.
7. The method of claim 1, wherein the predetermined anomaly threshold value is determined by historical data analysis of anomaly traffic.
8. A network information security intelligent detection device, characterized by comprising:
the standard flow data determining module is used for collecting flow data in the network information and carrying out standardized processing on the collected flow data to obtain standard flow data;
the preprocessing flow characteristic data determining module is used for constructing a flow characteristic correlation matrix according to the standard flow data, decomposing the characteristic value of the flow characteristic correlation matrix to obtain a flow characteristic vector and a flow characteristic value, selecting the flow characteristic vector as a flow characteristic according to the flow characteristic value, and mapping the standard flow data to the flow characteristic to obtain preprocessing flow characteristic data;
the flow abnormal value determining module is used for calculating the preprocessed flow characteristic data to obtain standard deviation and average value, determining an abnormal flow detection model according to the standard deviation and the average value, and detecting the preprocessed flow characteristic data through the abnormal flow detection model to obtain a flow abnormal value;
and the warning module is used for judging that the preprocessed flow characteristic data is abnormal flow data when the flow abnormal value is larger than a preset abnormal threshold value, and sending warning information to the control center when the abnormal flow data is detected.
9. A computer device comprising a memory storing code and a processor configured to obtain the code and to perform the network information security intelligent detection method of any of claims 1 to 7.
10. A computer readable storage medium storing a computer program, wherein the computer program when executed by a processor implements the network information security intelligent detection method according to any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310809816.8A CN116760747A (en) 2023-07-04 2023-07-04 Intelligent detection method and device for network information security


Publications (1)

Publication Number Publication Date
CN116760747A (en) 2023-09-15


Legal Events

Date Code Title Description
PB01 Publication
WW01 Invention patent application withdrawn after publication

Application publication date: 20230915
