CN116915450A - Topology pruning optimization method based on multi-step network attack recognition and scene reconstruction - Google Patents
- Publication number
- CN116915450A (application number CN202310794173.4A)
- Authority
- CN
- China
- Prior art keywords
- attack
- network
- data
- node
- pruning
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/23—Clustering techniques
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
- G06F18/243—Classification techniques relating to the number of classes
- G06F18/24323—Tree-organised classifiers
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/0464—Convolutional networks [CNN, ConvNet]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
- G06N3/082—Learning methods modifying the architecture, e.g. adding, deleting or silencing nodes or connections
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/12—Discovery or management of network topologies
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/16—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Abstract
The invention discloses a topology pruning optimization method based on multi-step network attack recognition and scene reconstruction, comprising the following steps: step 1, defining the data-flow five-tuple, the topological graph nodes and the related attributes of the directed edges; step 2, preprocessing the Pcap packets and constructing, for the resulting data set, an initial network topology graph G_start of the whole attack process; step 3, providing a model based on a convolutional neural network and a decision tree; step 4, identifying the attack type with the convolutional neural network of step 3 and pruning normal traffic a first time, pruning flows whose attack type and attack mode do not match a second time, and pruning a third time based on the time-sequence relevance among the steps of the multi-step attack; the finally pruned graph is the reconstructed, simplified multi-step network attack scene. With the invention an initial attack scene is obtained through topology association analysis, a large amount of redundant information is then removed, and finally the most simplified topological graph closest to the actual attack scene is constructed.
Description
Technical Field
The invention relates to the technical field of network security, in particular to a topology pruning optimization method based on multi-step network attack recognition and scene reconstruction.
Background
In recent years, with the global spread of the Internet, personal information has become ever more closely tied to the network. At the same time, the rapid development of information technology has made network security problems more prominent. Attack techniques are increasingly complex; hacking, viruses and Trojans, fraud and similar phenomena emerge endlessly, attack incidents occur continuously, and attack modes are more varied, better concealed and more harmful, which makes them harder to discover and prevent. Protecting systems and data has therefore become a problem that businesses and individuals must face and solve.
A malicious attacker typically combines multiple steps, multiple vulnerabilities and several attack methods to penetrate the target system and achieve goals such as stealing data, controlling the system or damaging services. Such an attack is usually more complex and harder to discover than a single attack, so traditional single-point security measures struggle to deal with it, and it is correspondingly more threatening. According to Symantec's 2019 Internet Security Threat Report, the number of targeted attack groups rose 25% compared with 2018, and these groups show a high degree of organization and planning, with clearly defined attack steps.
In addition, according to the 2021 Global Advanced Persistent Threat (APT) Research Report by 360 Security, the global APT situation remains serious, and the number of reported APT attacks rose significantly compared with the previous year. By the end of the first half of the year, 492 APT attack reports had been published worldwide, involving 90 APT groups, 17 of which were disclosed for the first time; both the number of reports and the number of groups exceeded the previous year's. APT attacks are increasing year by year, and many targets are attacked in multiple layers and stages with diverse means, which makes the attacks hard to detect. Research on security situation awareness methods such as abnormal-event exploration, attack-event identification and planned-attack prediction is therefore extremely necessary and plays an important role in suppressing complex and diverse forms of network attack.
Denial-of-service attacks are a typical class of multi-step network attack event, in which the attack proceeds in several steps. Distributed denial of service (DDoS) is a special form of denial of service (DoS); owing to its high success rate, short duration, high destructiveness and the flexible, changeable techniques of attackers, DDoS has become the most common form of attack at present. According to Kaspersky Lab's DDoS attack report for the third quarter of 2022, the three most common DDoS types were still UDP flood, SYN flood and TCP flood. Unlike before, the share of UDP floods dropped from 62.53% to 51.84%, whereas the second most common type, SYN flood, increased its share to 26.96%; TCP flood reversed its earlier decline, rising by more than 4 percentage points to 15.73% and holding third place; GRE floods and HTTP floods accounted for 3.70% and 1.77% of all attacks respectively.
Network attacks are often carried out gradually through several nodes, and a multi-step attack is more lethal and destructive than a traditional single-step attack because it has more stages, is better concealed, and uses flexible and changeable means. However, most conventional intrusion detection systems can only identify single-step attacks and cannot capture the complete attack chain. Moreover, conventional methods for handling multi-step attacks focus on directly correlating the alerts extracted from the intrusion detection system; such correlation relies heavily on manually written rules, produces many false alarms, and cannot accurately construct the whole multi-step attack scene.
In view of these problems, this work takes the multi-step network attack as its research object, discusses how to identify and prune a multi-step attack scene, and proposes a topology pruning optimization method based on multi-step network attack identification and scene reconstruction; finally the multi-step attack scene is reconstructed to obtain a simplified multi-step attack chain.
Disclosure of Invention
The invention provides a topology pruning optimization method based on multi-step network attack recognition and scene reconstruction, which solves the problem that existing intrusion detection systems cannot recognize multi-step network attacks and cannot capture the complete attack chain.
The invention discloses a topology pruning optimization method based on multi-step network attack recognition and scene reconstruction, which is implemented according to the following steps:
step 1, defining the data-flow five-tuple, the topological graph nodes and the related attributes of the directed edges;
step 2, preprocessing the Pcap packets, the preprocessing comprising extraction of the data-flow packets and reshaping of the data-flow tensor to generate two-dimensional tensors, namely the data set, and constructing for the data set an initial network topology graph G_start of the whole attack process;
step 3, providing a model based on a convolutional neural network and a decision tree, named the CTree model;
step 4, identifying the attack type with the convolutional neural network of step 3 and pruning normal traffic a first time; obtaining the attack mode of each data flow with the CTree model of step 3 and pruning flows whose attack type and attack mode do not match a second time; pruning a third time based on the time-sequence relevance among the attack steps of the multi-step attack; the finally pruned graph is the reconstructed, simplified multi-step network attack scene;
the step 1 is specifically implemented according to the following steps:
step 1.1, defining a directed graph G = (V, E), where G represents the network state graph, V the set of nodes (hosts) in the network and E the set of directed edges between hosts; each node in V and each edge in E is unique, and nodes are distinguished by IP address;
step 1.2, defining the data-flow five-tuple: the network data set is processed according to the five-tuple (host_s, port_s, host_e, port_e, protocol), i.e. all packets exchanged between two hosts on two fixed ports are grouped into one flow according to the five-tuple; here host_s is the source IP address, host_e the destination IP address, port_s the source port, port_e the destination port and protocol the communication protocol used;
table 1 attributes of nodes and edges in directed graphs and corresponding detailed description
The step 2 is specifically implemented according to the following steps:
step 2.1, selecting the data set: the model is trained on the original DARPA 1999 data set and tested on the DARPA 2000 data set supplemented with attack-free data; the DARPA 1999 data set contains 5 attack types in total, each comprising several different attack modes, 55 attack modes in all;
step 2.2, data preprocessing: converting the hexadecimal bytes of each packet into decimal numbers, starting from the Tcpdump-format packets provided by the DARPA data sets;
step 2.3, data preprocessing: extracting a fixed-length data flow from the network packets and converting its format and dimensions so that every flow becomes a two-dimensional tensor of the same size, suitable as input to the neural network model;
step 2.4, constructing the initial network topology graph G_start of the whole attack process from the data flows partitioned by five-tuple in step 2.3;
Table 2 attack types and corresponding attack pattern table
The step 3 is specifically implemented according to the following steps:
step 3.1, automatically extracting hidden features from the data tensors with a convolutional neural network and classifying the attack type from those features;
step 3.2, constructing a decision tree on top of the convolutional neural network for further attack evaluation;
the step 4 is specifically implemented according to the following steps:
step 4.1, the input of the algorithm is the initial network topology graph G_start from step 2.4 and its output is the topology graph G_end reconstructed for the attack scene;
step 4.2, finding all nodes of G_start with zero in-degree and storing them in a root node list root;
step 4.3, traversing each node in the root node list root and, starting from it, deleting from G_start the edges leaving the current node that fail the pruning checks (the pruning operation); after pruning, the attack-scene reconstruction topology graph G_end is displayed.
Preferably, the step 2.3 specifically includes:
(1) The network packets are divided into individual flows by five-tuple, each flow containing n packets, Package1 to Package n; m bytes are extracted from each packet starting at the 16th byte, which removes the interfering information of the data-link-layer MAC addresses and the network-layer version number and keeps only the important header fields and the remaining payload;
(2) Packets whose length is less than m + 16 bytes are zero-padded, and packets longer than m + 16 bytes are truncated;
(3) The results of step (2) are spliced head to tail, i.e. the n packets are concatenated into a data flow of n × m bytes;
(4) Finally, the n × m byte tensor is reshaped into an h × h two-dimensional tensor for input to the neural network.
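The following is an added worked example of step 2.3, not code from the patent. It builds a few Ethernet/IPv4 frames inline as constructed test data, groups them into five-tuple flows, and turns each flow into an h × h tensor. The values n = 4, m = 64 and h = 16 are illustrative choices satisfying n × m = h × h, both directions of a connection are treated as one flow (an assumption about how the five-tuple is applied), and flows with fewer than n packets are padded with all-zero packets (also an assumption).

```python
# Added example (not the patent's code): step 2.3 flow extraction on constructed
# Ethernet/IPv4 frames. n, m and h are illustrative choices with n*m == h*h;
# flows are keyed bidirectionally (both directions of a connection form one
# flow), which is an assumption about how the five-tuple is applied.
import struct
from collections import defaultdict

ETH_LEN = 14        # Ethernet header length; the IPv4 header begins at byte 14
SKIP = 16           # start at the 16th byte: drops MACs, EtherType, IP version/IHL, TOS
N_PACKETS = 4       # n packets kept per flow (assumed)
M_BYTES = 64        # m bytes kept per packet (assumed)
H = 16              # h x h output; 4 * 64 == 16 * 16
assert N_PACKETS * M_BYTES == H * H


def build_frame(src_ip, sport, dst_ip, dport, proto, payload=b""):
    """Construct a minimal Ethernet + IPv4 + TCP/UDP frame (test data only)."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    if proto == 6:   # TCP: 20-byte header, SYN flag, no options
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    else:            # UDP: 8-byte header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload

    def ip4(s):
        return bytes(int(o) for o in s.split("."))

    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ip4(src_ip), ip4(dst_ip))
    return eth + ip + l4


def five_tuple(frame):
    """Parse (host_s, port_s, host_e, port_e, protocol); None for non-IPv4 frames."""
    if len(frame) < ETH_LEN + 20 or frame[ETH_LEN] >> 4 != 4:
        return None
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    proto = frame[ETH_LEN + 9]
    src = ".".join(str(b) for b in frame[ETH_LEN + 12:ETH_LEN + 16])
    dst = ".".join(str(b) for b in frame[ETH_LEN + 16:ETH_LEN + 20])
    l4 = ETH_LEN + ihl
    sport = dport = 0
    if proto in (6, 17) and len(frame) >= l4 + 4:
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return (src, sport, dst, dport, proto)


def flow_key(t):
    """Order the two endpoints so both directions of a connection share one key."""
    a, b = (t[0], t[1]), (t[2], t[3])
    return (*min(a, b), *max(a, b), t[4])


def packet_bytes(frame):
    """Step 2.3 (1)-(2): m bytes from offset 16, zero-padded or truncated to m."""
    chunk = frame[SKIP:SKIP + M_BYTES]
    return chunk + bytes(M_BYTES - len(chunk))


def flow_tensor(frames):
    """Step 2.3 (3)-(4): first n packets -> n*m bytes -> h x h matrix of values 0..255."""
    chosen = list(frames[:N_PACKETS])
    chosen += [b""] * (N_PACKETS - len(chosen))   # assumption: pad short flows with empty packets
    flat = b"".join(packet_bytes(f) for f in chosen)
    return [list(flat[r * H:(r + 1) * H]) for r in range(H)]


def frames_to_dataset(frames):
    """Group frames into flows by five-tuple and reshape each flow into a tensor."""
    flows = defaultdict(list)
    for f in frames:
        t = five_tuple(f)
        if t is not None:
            flows[flow_key(t)].append(f)
    return {k: flow_tensor(v) for k, v in flows.items()}


# Constructed sample traffic: one HTTP exchange (three packets) and one DNS query.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", 40000, "10.0.0.9", 80, 6, b"GET / HTTP/1.0\r\n"),
    build_frame("10.0.0.9", 80, "10.0.0.5", 40000, 6, b"HTTP/1.0 200 OK\r\n"),
    build_frame("10.0.0.5", 40000, "10.0.0.9", 80, 6, b"x" * 200),   # longer than m: truncated
    build_frame("10.0.0.5", 53001, "10.0.0.9", 53, 17, b"\x12\x34"),
]

if __name__ == "__main__":
    for key, tensor in frames_to_dataset(SAMPLE_FRAMES).items():
        print(key, "->", len(tensor), "x", len(tensor[0]), "tensor; first row:", tensor[0])
```

The first row of the HTTP flow's tensor starts with the IPv4 total length, identification, flags, TTL and protocol fields and the two addresses, which is exactly the "important header information" the 16-byte skip is meant to keep; the fourth packet slot is all zeros because the flow has only three packets.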
Preferably, the step 2.4 specifically includes:
(1) Each five-tuple is traversed; every IP address is abstracted into a node by checking whether the nodes for host_s and host_e of the five-tuple are already present in the attack directed graph, and nodes are added gradually;
(2) Since each five-tuple represents a set of communication data between designated nodes, a directed edge is established from host_s to host_e, and directed edges are added gradually;
(3) A time attribute is added to each directed edge.
Preferably, the step 3.1 specifically includes:
(1) The data type labels comprise 6 classes: Normal, IPsweep, Probe, Breakin, Installation and Action; these labels are used to train the neural network for classification, where Normal represents normal traffic and Attack 1 to Attack 5 represent the five different attack types;
(2) The ResNet18 convolutional structure is selected as the backbone of the convolutional neural network, with the Adam optimizer, Cross-Entropy loss and Softmax activation; the ResNet18 model is 18 layers deep and, as laid out below, consists of a stem convolution, pooling layers, four stages of 3 × 3 convolutions and a final fully connected layer whose outputs are the normal class and the five multi-step network attack types to be classified;
(3) Some parameters of the standard ResNet18 model are modified; specifically, the name, output size, convolution kernel size, stride and padding (width of pixels around the input data) of each layer.
TABLE 3 CNN model parameters
Preferably, the parameters and meaning of each layer of the ResNet18 network model modified in step (3) of step 3.1 are specifically as follows:
(1) 3 × 3 convolution layer
The first convolution layer of the standard ResNet18 has a 7 × 7 convolution kernel, a stride of 2, a 3-pixel border around the input data (padding 3) and 64 output channels; it is modified to a 3 × 3 kernel, a stride of 1 and a 1-pixel border (padding 1). The output size after convolution is calculated by formula (1):
$N = \left\lfloor \dfrac{W - F + 2P}{S} \right\rfloor + 1$ (1)
where the input size is W × W, the convolution kernel size is F × F, the width of the pixels around the input data (padding) is P, the stride is S and N is the output size;
(2) Pooling layer
A max-pooling layer with a 3 × 3 kernel, a stride of 1 and padding 1; pooling does not change the number of channels but halves the size of the data;
(3) First 3 × 3 convolution layer
Convolution kernel 3 × 3, stride 1, padding 1; this layer changes neither the size nor the number of channels of the data;
(4) Second 3 × 3 convolution layer
A 3 × 3 convolution followed by down-sampling; the number of output channels is doubled and the output size halved;
(5) Third 3 × 3 convolution layer
Likewise a 3 × 3 convolution with down-sampling; output channels doubled and output size halved;
(6) Fourth 3 × 3 convolution layer
Output channels doubled and output size halved;
(7) average pooling layer
Output data size
(8) Linear layer
And outputting the classified number.
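As an added example (not from the patent), the size formula of step 3.1 applied layer by layer to the modified ResNet18 and, for comparison, to the standard stem, for a 16 × 16 flow tensor. The page states kernel, stride and padding only for the stem convolution and the pooling layer; the stride-2 down-sampling of layers 2 to 4 is the usual ResNet18 setting and is an assumption here. Note that under the formula a 3 × 3 pooling with stride 1 and padding 1 leaves the size unchanged, so the halving the page attributes to the pooling layer implies stride 2, which the example uses and labels as assumed.

```python
# Added example (not the patent's code): formula (1) applied layer by layer to the
# modified ResNet18 of step 3.1 and to the standard stem, for an h x h flow tensor.
# Strides marked "assumed" are not stated on the page.

def conv_out(w, f, p, s):
    """Formula (1): N = floor((W - F + 2P) / S) + 1 for a W x W input."""
    if w + 2 * p < f:
        raise ValueError("kernel %d larger than padded input %d" % (f, w + 2 * p))
    return (w - f + 2 * p) // s + 1


# (name, kernel F, padding P, stride S, output channels)
STANDARD_STEM = [("conv1 7x7", 7, 3, 2, 64), ("maxpool 3x3", 3, 1, 2, 64)]
MODIFIED_STEM = [("conv1 3x3", 3, 1, 1, 64), ("maxpool 3x3", 3, 1, 2, 64)]   # pool stride 2 assumed
STAGES = [  # four 3x3 stages; layers 2-4 down-sample and double the channels
    ("layer1 3x3", 3, 1, 1, 64),
    ("layer2 3x3", 3, 1, 2, 128),   # stride 2 assumed
    ("layer3 3x3", 3, 1, 2, 256),   # stride 2 assumed
    ("layer4 3x3", 3, 1, 2, 512),   # stride 2 assumed
]


def trace(h, stem):
    """Return [(layer name, spatial size, channels)] for an h x h input, ending in global average pooling."""
    size, out = h, []
    for name, f, p, s, c in stem + STAGES:
        size = conv_out(size, f, p, s)
        out.append((name, size, c))
    out.append(("avgpool", 1, out[-1][2]))   # global average pooling collapses the map to 1 x 1
    return out


if __name__ == "__main__":
    for label, stem in (("standard stem", STANDARD_STEM), ("modified stem", MODIFIED_STEM)):
        print(label)
        for name, size, c in trace(16, stem):
            print("  %-12s %3d x %-3d channels=%d" % (name, size, size, c))
```

For a 16 × 16 tensor the standard 7 × 7 / stride-2 stem already shrinks the map to 8 × 8 before the residual stages and to 1 × 1 by layer 3, so the last stages operate on a single position; the 3 × 3 / stride-1 stem keeps 16 × 16 into the network, which is the reason the patent modifies it for small flow tensors.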
Preferably, the step 3.2 specifically comprises the following steps:
(1) The weight matrix is extracted from the fully connected layer of the CNN model;
(2) The class activation map of a traffic sample for the corresponding class is obtained as the weighted sum of the feature map output by the CNN model with the weight matrix;
(3) The attack details of the abnormal flow are obtained by extracting the data of the original flow at the positions highlighted in the CAM;
(4) The attack details are clustered by attack mode to obtain several attack clusters, one per attack mode;
(5) The Euclidean distance between the attack details and each attack cluster center is calculated, and the resulting distances are fed to a trained decision tree to obtain the corresponding attack mode.
Preferably, the weight matrix, class activation map, attack details, clusters and final decision tree of step 3.2 are explained in detail as follows:
(1) Weight matrix: the fully connected layer computes the classification probabilities from the feature map output by the last convolution layer; the parameters of the fully connected layer are extracted to obtain a score matrix, which serves as the weight matrix indicating which feature maps matter more for a given class; the weight matrix is shown in formula (2),
$W_{i,j},\; i = 1, 2, 3, \ldots, n,\; j = 1, 2, \ldots, m$ (2)
where n is the number of channels of the last convolution layer and m is the number of flow classes to be classified;
(2) Class activation map: the CAM is obtained by weighting each channel of the feature map with the corresponding coefficient of the weight matrix and summing, as in formula (3):
$\mathrm{CAM}_{label} = \sum_{i=1}^{n} W_{i,label} \cdot \mathrm{feature}_i$ (3)
where CAM_label is the class activation map of the positive-sample image, label is the class assigned to the flow sample after the convolution layers, W_{i,label} is the weight matrix of step (1) and feature_i is the i-th channel of the feature map output by the last convolution layer; the class activation map extracts the positions of the feature map highlighted in the classification task;
(3) Attack details: the CAM marks the region the model focuses on during classification, so the information relevant to the classification is obtained by extracting the data at the corresponding positions of the sample; the attack details are the intersection of the CAM and the original sample, as in formula (4); a threshold is set so that CAM elements smaller than the threshold are replaced by 0 and elements greater than or equal to it by 1; the extracted attack details are represented in vectorized form as vec_x,
$\mathrm{Detail}(i,j) = \mathrm{Cams}(i,j) \times \mathrm{sample}(i,j)$ (4)
where i = 1, 2, 3, …, h, j = 1, 2, 3, …, h, h is the size of the original CNN input sample, Detail(i, j) is the attack detail of the sample, Cams(i, j) the thresholded position data of the class activation map and sample(i, j) the sample position data;
(4) Clustering: each network attack has a corresponding attack category, so the details are clustered by attack mode in order to analyse the decision basis of the CNN; the extracted attack details are clustered with a K-Means model into attack clusters AM_i, i = 1, 2, …, n, as many as there are attack modes, each attack mode having a corresponding attack cluster;
(5) Constructing the decision tree: a decision tree enriched with prior knowledge classifies the attack mode; the specific attack mode is then matched against the attack type given by the ResNet classification, which reduces false alarms and improves the interpretability of the CNN's processing of network flow data; the distance vector Dis is the input of the decision tree and is obtained by computing the Euclidean distance between the attack details of a sample and each attack cluster center, as in formula (5):
$\mathrm{Dis} = \left[\, \mathrm{EDis}(vec_x, \mathrm{center}(AM_1)),\; \ldots,\; \mathrm{EDis}(vec_x, \mathrm{center}(AM_n)) \,\right]$ (5)
where Dis is the distance vector, vec_x the vectorized attack details, center(AM_i) the vectorized center of attack cluster AM_i and EDis the Euclidean distance; the input of the decision tree is given by formula (6):
$\mathrm{Input} = \{(\mathrm{Dis}_1, y_1), (\mathrm{Dis}_2, y_2), \ldots, (\mathrm{Dis}_n, y_n)\}$ (6)
where Input is the input of the decision tree, y the label of the sample's attack mode and n the number of attack-mode samples;
The decision tree is built with the Gini index as its splitting criterion; the Gini index describes the impurity of the samples in a branch: the higher the Gini index, the more mixed (impure) the branch samples are, and splitting continues until the Gini index of a branch node is below a specified value. The decision tree model of a machine-learning library is used, with the important parameters criterion=gini and random_state=123, and the data set is divided with the data-set splitting utility of sklearn's model selection and evaluation toolset.
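The chain of formulas (2) to (6) carried through on toy-sized data, as an added example that is not code from the patent. The feature maps are taken at the sample's own h × h resolution (a real CNN upsamples the last feature map to the input size first), the weights, sample, threshold and cluster centers are constructed, and the decision tree is reduced to a single Gini-scored split so that the example runs without scikit-learn; all of these are simplifications, not the patent's settings.

```python
# Added example (not the patent's code): formulas (2)-(6) of step 3.2 on toy data.
import math


def class_activation_map(weights, feature_maps, label):
    """Formula (3): CAM_label(i,j) = sum_k W[k][label] * feature_k(i,j)."""
    h, w = len(feature_maps[0]), len(feature_maps[0][0])
    cam = [[0.0] * w for _ in range(h)]
    for k, fmap in enumerate(feature_maps):
        for i in range(h):
            for j in range(w):
                cam[i][j] += weights[k][label] * fmap[i][j]
    return cam


def binarize(cam, threshold):
    """CAM entries below the threshold become 0, the rest 1."""
    return [[1 if v >= threshold else 0 for v in row] for row in cam]


def attack_details(mask, sample):
    """Formula (4): Detail(i,j) = Cams(i,j) x sample(i,j), flattened into vec_x."""
    return [mask[i][j] * sample[i][j]
            for i in range(len(sample)) for j in range(len(sample[0]))]


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def distance_vector(vec_x, centers):
    """Formula (5): Dis = [EDis(vec_x, center(AM_1)), ..., EDis(vec_x, center(AM_n))]."""
    return [euclid(vec_x, c) for c in centers]


def gini(labels):
    """Gini impurity of a branch: 1 - sum_c p_c^2 (0 means pure)."""
    if not labels:
        return 0.0
    counts = {}
    for y in labels:
        counts[y] = counts.get(y, 0) + 1
    return 1.0 - sum((c / len(labels)) ** 2 for c in counts.values())


def best_split(rows, labels):
    """One decision-tree node over formula (6) input: the (feature index, threshold,
    weighted Gini) that splits the distance vectors most purely."""
    best = None
    for f in range(len(rows[0])):
        for t in sorted({r[f] for r in rows}):
            left = [y for r, y in zip(rows, labels) if r[f] <= t]
            right = [y for r, y in zip(rows, labels) if r[f] > t]
            if not left or not right:
                continue
            g = (len(left) * gini(left) + len(right) * gini(right)) / len(rows)
            if best is None or g < best[2]:
                best = (f, t, g)
    return best


# Constructed toy data: two 4x4 feature-map channels, W[k][label] for two classes,
# one 4x4 sample of byte values and the centers of two attack clusters.
FEATURE_MAPS = [
    [[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 0, 0], [0, 0, 0, 0]],
    [[0, 0, 0, 0], [0, 0, 0, 0], [0, 0, 1, 0], [0, 0, 0, 1]],
]
WEIGHTS = [[0.9, 0.1], [0.2, 0.8]]
SAMPLE = [[10, 20, 30, 40], [50, 60, 70, 80], [90, 100, 110, 120], [130, 140, 150, 160]]
CENTERS = [
    [10, 0, 0, 0, 0, 60, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],      # center of AM_1
    [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 110, 0, 0, 0, 0, 160],    # center of AM_2
]


def explain(label, threshold=0.5):
    """Run the step 3.2 chain for one sample and class: returns (vec_x, Dis)."""
    cam = class_activation_map(WEIGHTS, FEATURE_MAPS, label)
    vec_x = attack_details(binarize(cam, threshold), SAMPLE)
    return vec_x, distance_vector(vec_x, CENTERS)


if __name__ == "__main__":
    vec_x, dis = explain(label=0)
    print("vec_x =", vec_x)
    print("Dis   =", [round(d, 2) for d in dis])
    rows = [[0.0, 203.5], [5.0, 190.0], [200.0, 3.0], [198.0, 10.0]]   # constructed Dis vectors
    print("split =", best_split(rows, [0, 0, 1, 1]))
```

For class 0 the CAM highlights the two positions where channel 0 is active, so vec_x keeps only those two sample bytes and its distance to the center of AM_1 is zero; for class 1 the roles swap. The single Gini split then separates the two attack modes on the first distance coordinate, which is what the full tree does over many samples.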
Preferably, the step 4.2 specifically includes:
(1) An empty root node list root is created, together with an all-zero array visit with as many entries as G_start has nodes;
(2) The nodes of G_start are cycled through and a flag bit is set for each indicating whether it has been traversed; initially all nodes are set to false, meaning not yet visited;
(3) For each node it is judged whether its in-degree is zero; if so, the node has no dependency on any other node, is regarded as a root node, and is added to the root node list root.
Preferably, the pruning operation in the step 4.3 specifically includes:
(1) A function named prune is defined to carry out the three pruning operations; it accepts two parameters, the graph G and the current node curNode;
(2) All adjacent nodes of curNode are obtained and stored in the adjacent node list nextNodes;
(3) The size of nextNodes is checked; if it is zero the current node has no adjacent nodes to traverse and the function returns directly;
(4) Each node in nextNodes is traversed; all adjacent nodes of that node are obtained and stored in the list nextNextNodes;
(5) If the node has not been visited, its access flag is set to true;
(6) The function is called recursively as prune(G, node) to prune the adjacent nodes of that node;
(7) It is judged whether the traffic is normal; if so, the directed edge between curNode and the adjacent node nextNode is deleted;
(8) It is judged whether the attack mode matches the attack type; if not, the directed edge between curNode and nextNode is deleted;
(9) If the time of the current step is later than the time of the next step, the directed edge between the adjacent node and its subsequent node and the directed edge between curNode and the adjacent node are both deleted.
Preferably, whether the flow in step (7) of step 4.3 is normal traffic is determined by the classification process of step 3.1;
Preferably, the matching of attack type and attack mode in step (8) of step 4.3 is specifically:
the attack type and attack mode of the detected flow are identified with the CTree model constructed in step 3, and whether the IDS marked the flow truly and effectively is evaluated by matching the detected attack type and mode according to the known correspondence between attack types and attack modes; if the match succeeds, the IDS marking is correct; otherwise the IDS marking is inaccurate, and if the flow is a false alarm it is pruned directly. Combining the attack type with the attack mode therefore determines more accurately whether the attack information marked by the IDS is credible, so that some false alarm information is removed and the second pruning is completed.
Preferably, the time sequence association process in the step (9) in the step 4.3 is specifically:
the directed edges between the associated nodes in the constructed network topology graph carry time characteristics; therefore, according to the time sequence correlation analysis, the third pruning is carried out and the directed edges with time conflicts are pruned; time sequence correlation means that a network attack is usually divided into different attack stages, and the successful occurrence of the attack in the former stage is the premise of the attack in the next stage, so the stages of the attack have a precedence relationship in time;
(1) reading data of a network topological graph and node change data, constructing the network topological graph by using a network library NetworkX, and drawing the graph by using a drawing library Matplotlib;
(2) carrying out node change trend analysis by using a data analysis library Pandas, and drawing a node change graph by using a drawing library Matplotlib;
(3) and finally, eliminating the attack path or node which does not accord with the characteristics of the attack stage, thereby obtaining an image after pruning for three times, namely a simplified multi-step network attack scene after reconstruction.
Compared with the prior art, the invention has the following beneficial effects:
a topology pruning optimization method for multi-step network attack rapid identification and scene reconstruction aims at solving the problems that the existing intrusion detection system cannot identify multi-step network attack and cannot capture a complete attack chain. The invention identifies multi-step network attack by analyzing and processing the initial data in the Pcap data packet format, thereby being capable of reconstructing multi-step network attack scenes. Firstly, preprocessing a Pcap data packet, including extraction of a data traffic packet and remolding of a data traffic tensor, and generating a two-dimensional tensor. Then, an initial topological graph taking IP as a node, taking a timestamp and a port as an edge is constructed, and pruning is further carried out on the initial topological graph. Finally, the pruned image is the topological graph which is the most simplified and closest to the multi-step attack scene, and compared with the existing multi-step attack scene reconstruction method, the method is more concise, effective and has expandability, and finally, the multi-step network attack scene graph is restored.
Drawings
The technical scheme of the invention will be described in further detail below with reference to the accompanying drawings and examples.
FIG. 1 is a schematic diagram of a data preprocessing process in a topology pruning optimization method based on multi-step network attack recognition and scene reconstruction;
FIG. 2 is a CTree model diagram in a topology pruning optimization method based on multi-step network attack recognition and scene reconstruction according to the present invention;
FIG. 3 is a schematic diagram of a LLDOS 1.0 network communication scenario including normal traffic in a topology pruning optimization method based on multi-step network attack recognition and scenario reconstruction according to the present invention;
FIG. 4 is a schematic diagram of a scene reconstruction of LLDOS 1.0 network communications including normal traffic in a topology pruning optimization method based on multi-step network attack recognition and scene reconstruction according to the present invention;
FIG. 5 is a communication diagram after pruning based on normal traffic in the topology pruning optimization method based on multi-step network attack recognition and scene reconstruction;
FIG. 6 is a communication diagram after pruning based on mismatch of attack types and attack modes in the topology pruning optimization method based on multi-step network attack recognition and scene reconstruction;
FIG. 7 is a communication diagram after pruning based on time sequence conflict in the topology pruning optimization method based on multi-step network attack identification and scene reconstruction according to the present invention;
FIG. 8 is a view of a multi-step attack scenario after pruning in the topology pruning optimization method based on multi-step network attack identification and scenario reconstruction of the present invention;
fig. 9 is a view of a reconstructed multi-step attack scenario in the topology pruning optimization method based on multi-step network attack identification and scenario reconstruction of the present invention.
Detailed Description
Various embodiments of the present invention are disclosed in the following drawings, which are presented in sufficient detail to provide a thorough understanding of the present invention. However, it should be understood that these physical details should not be used to limit the invention. That is, in some embodiments of the present invention, these physical details are not necessary. Moreover, for the sake of simplicity of illustration, some well-known and conventional structures and components are shown in the drawings in a simplified schematic manner.
In addition, the technical solutions of the embodiments may be combined with each other, but it is necessary to base that the technical solutions can be realized by those skilled in the art, and when the technical solutions are contradictory or cannot be realized, the combination of the technical solutions should be considered to be absent and not within the scope of protection claimed in the present invention.
Referring to FIGS. 1-9, in order to verify the effectiveness of the proposed topology pruning optimization method based on multi-step network attack recognition and scene reconstruction, an initial topological graph is first constructed, then a three-stage pruning algorithm is applied to the initial topological graph to delete unnecessary or redundant network connections, and finally the whole-network multi-step attack scene is reconstructed.
(1) Constructing an initial network topology
An initial attack scenario diagram is constructed for the original data in step 2.1, and fig. 3 shows a network communication scenario based on the DARPA2000 dataset and a part of the non-attack dataset.
However, since the amount of data involved in this experiment is large, a large number of nodes are aggregated together as shown in the upper right of fig. 3. Thus, the graph can be reconstructed to better present the relevant information. FIG. 4 is a network communication scenario reconstructed according to FIG. 3, with a large aggregate set of points denoted by other.
(2) Pruning based on normal flow
The DARPA 2000 dataset with added no-attack data is input into the ResNet18 model for classification according to step 3.1. Based on the classification results, the large amount of normal traffic in the attack scenario shown in fig. 3 is removed, which is redundant for constructing the abnormal traffic communication graph. Similarly, a large aggregated set of points is represented by other, and the resulting reconstructed overall abnormal traffic communication graph is shown in FIG. 5. In fig. 5, the various types of abnormal traffic and their network communication relationships and interactions can be seen, which can be further analyzed and processed.
(3) Matching pruning based on attack type and mode
According to the matching relationship between attack type and attack pattern shown in table 2, the second pruning is performed on the basis of fig. 5: the paths whose attack type and attack mode do not match are removed, and the network topology diagram drawn with NetworkX and Matplotlib is shown in fig. 6.
(4) Pruning based on time sequence relevance
The directed edges with time conflicts are pruned, and the network topology diagram drawn with NetworkX and Matplotlib is shown in figure 7.
Fig. 8 shows an overall multi-step network attack scenario for a dataset representation of LLDOS 1.0 after three pruning operations. An attacker of 202.77.162.213 enters the network to start network scanning, and sends a vulnerability query packet to an online host. Rights are then obtained using the vulnerabilities of hosts 172.16.112.10, 172.16.112.50, 172.16.115.20. The attacker uses them as springboards to implement the next attack activity. And injecting DDoS attack software into the three springboard hosts, and launching DDoS attack to the target host 131.84.1.31. Finally, a large number of false IP address malicious packets are sent to the target host 131.84.1.31 using hosts 172.16.112.10, 172.16.112.50, 172.16.115.20.
The multi-step attack scene after pruning is not very intuitive due to the large data volume. Therefore, the reconstruction is carried out on FIG. 8, a large number of aggregated point sets are represented by other, and a reconstructed multi-step attack scene diagram is shown in FIG. 9.
The foregoing description is only illustrative of the invention and is not to be construed as limiting the invention. Various modifications and variations of the present invention will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, or the like, which is within the spirit and principle of the present invention, should be included in the scope of the claims of the present invention.
Claims (12)
1. The topological pruning optimization method based on multi-step network attack recognition and scene reconstruction is characterized by comprising the following steps of:
step 1, defining data flow five-tuple, topological graph nodes and related attributes of directed edges;
step 2, preprocessing the Pcap data packet, wherein the preprocessing process comprises extraction of the data flow packet and remolding of the data flow tensor, generating a two-dimensional tensor, namely a data set, and constructing an initial network topology graph G_start of the whole attack process for the data set;
Step 3, a model based on a convolutional neural network and a decision tree is provided, and the model is named as a CTree model;
step 4, identifying the attack type based on the convolutional neural network of step 3 and pruning the normal flow for the first time, obtaining the attack mode of the data flow based on the CTree model of step 3 and pruning the unmatched attack types and attack modes for the second time, pruning for the third time based on the time sequence relevance among the attack steps of the multi-step attack, and finally obtaining the pruned image, which is the simplified multi-step network attack scene after reconstruction;
the step 1 is specifically implemented according to the following steps:
step 1.1, defining a directed graph G = (V, E), G representing the network state graph, V representing the nodes in the network, and E representing the directed edges between hosts in the network; the nodes V and the directed edges E are unique, and the nodes are distinguished by IP addresses;
step 1.2, defining a data stream five-tuple: the network dataset is processed according to the five-tuple (host_s, port_s, host_e, port_e, protocol), namely all communication data packets between two hosts under two fixed ports are divided into one stream according to the five-tuple information; wherein host_s represents the source IP address, host_e represents the destination IP address, port_s represents the source port, port_e represents the destination port, and protocol represents the communication protocol used;
the step 2 is specifically implemented according to the following steps:
step 2.1, selecting a data set: the original data set used to train the model is DARPA 1999, and the DARPA 2000 data set with added no-attack data is used for testing; the DARPA 1999 data set comprises 5 types of attacks in total, each type of attack comprises a plurality of different attack modes, and there are 55 attack modes in total;
step 2.2, data preprocessing: converting the hexadecimal data in the data packets into decimal numbers according to the Tcpdump-format data packets provided by the DARPA series data sets;
step 2.3, data preprocessing: extracting a data stream with a fixed length from a network data packet, and converting the format and the dimension of the data stream to enable the data stream to be changed into a two-dimensional tensor with a consistent size for being input by a neural network model;
step 2.4, constructing an initial network topology graph G_start of the whole attack process for the data flows partitioned by five-tuple in step 2.3;
The step 3 is specifically implemented according to the following steps:
step 3.1, automatically extracting hidden features in the data tensor by using a convolutional neural network technology, and classifying attack types through the hidden features;
step 3.2, constructing a decision tree based on convolutional neural network technology for further attack evaluation;
the step 4 is specifically implemented according to the following steps:
step 4.1, the input and output of the conceived algorithm: the input is the initial network topology graph G_start of step 2.4, and the output is the topology graph G_end reconstructed for the attack scene;
step 4.2, finding all nodes of the initial network topology graph G_start with zero in-degree, and storing all these zero in-degree nodes in a root node list root;
step 4.3, traversing each node in the root node list root, and deleting from the initial network topology graph G_start all edges taking the current node as a starting point, namely the pruning operation, and displaying the attack scene reconstruction topological graph G_end after the pruning operation.
2. The topology pruning optimization method based on multi-step network attack recognition and scene reconstruction according to claim 1, wherein the topology pruning optimization method is characterized by: the step 2.3 specifically comprises the following steps:
(1) Dividing the network data packets into individual stream information by five-tuple, wherein each five-tuple comprises n data packets, from the network data packet Package_1 to the network data packet Package_n; m bytes are extracted from each data packet, and the extraction position starts from the 16th byte, so that the interfering information of the data link layer MAC address and the network layer version number in the data packet is removed and only the important header information and the remaining payload information are retained;
(2) 0 filling is carried out on the data packet with the message length smaller than m+16 bytes, and interception is carried out when the message length is larger than m+16;
(3) Splicing the results of the step (2), namely splicing the head and tail of n data packets into a data stream with the length of n multiplied by m bytes;
(4) Finally, the n×m byte tensors are transformed into h×h two-dimensional tensors for the neural network to input.
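The preprocessing of claim 2 carried out on constructed packets, as an added example that is not the patent's own code: packets are grouped by five-tuple, m bytes are taken from byte 16 of each packet with zero-fill or truncation, n packets are joined into an n×m byte stream and reshaped to h×h. How a flow with fewer than n packets is handled is not stated on the page, so padding with empty packets is an assumption made here; the packets, addresses and n, m, h values are constructed.

```python
# Added example (not the patent's own code): the flow-to-tensor preprocessing of claim 2
# on constructed packets. n, m and h are chosen so that n*m == h*h; a flow with fewer
# than n packets is padded with empty packets (an assumption, not stated on the page).
from collections import defaultdict
from typing import Dict, List, Tuple

FiveTuple = Tuple[str, int, str, int, str]  # (host_s, port_s, host_e, port_e, protocol)
HEADER_SKIP = 16  # bytes before the extraction point: link-layer MACs and network-layer version


def group_flows(packets: List[Tuple[FiveTuple, bytes]]) -> Dict[FiveTuple, List[bytes]]:
    """Step (1): split the capture into flows keyed by five-tuple, keeping capture order."""
    flows: Dict[FiveTuple, List[bytes]] = defaultdict(list)
    for key, raw in packets:
        flows[key].append(raw)
    return dict(flows)


def extract_payload(raw: bytes, m: int) -> bytes:
    """Steps (1)-(2): keep m bytes starting at byte 16; zero-fill packets shorter than
    m+16 bytes and truncate longer ones, so every packet contributes exactly m bytes."""
    body = raw[HEADER_SKIP:HEADER_SKIP + m]
    return body + b"\x00" * (m - len(body))


def flow_to_tensor(pkts: List[bytes], n: int, m: int, h: int) -> List[List[int]]:
    """Steps (3)-(4): join n packets head to tail into an n*m byte stream and
    reshape it into an h x h two-dimensional tensor (a list of h rows)."""
    if n * m != h * h:
        raise ValueError("n*m must equal h*h for the reshape to be exact")
    pkts = pkts[:n] + [b""] * max(0, n - len(pkts))  # assumption: pad short flows
    stream = b"".join(extract_payload(p, m) for p in pkts)
    return [list(stream[r * h:(r + 1) * h]) for r in range(h)]


def preprocess(packets: List[Tuple[FiveTuple, bytes]], n: int, m: int, h: int) -> Dict[FiveTuple, List[List[int]]]:
    """Whole pipeline: one h x h tensor per five-tuple flow."""
    return {key: flow_to_tensor(pkts, n, m, h) for key, pkts in group_flows(packets).items()}


def packet(payload: bytes) -> bytes:
    """Constructed packet: 16 header bytes (values 0..15) that the extraction skips, then payload."""
    return bytes(range(HEADER_SKIP)) + payload


# Constructed capture with documentation addresses: three packets in flow A, one in flow B.
FLOW_A: FiveTuple = ("192.0.2.10", 40000, "198.51.100.1", 80, "tcp")
FLOW_B: FiveTuple = ("192.0.2.10", 40001, "198.51.100.2", 22, "tcp")
SAMPLE_PACKETS = [
    (FLOW_A, packet(bytes(range(1, 21)))),  # 20 payload bytes: truncated to m=16
    (FLOW_B, packet(b"\xaa" * 4)),          # 4 payload bytes: zero-filled to 16
    (FLOW_A, packet(b"\x07" * 5)),          # 5 payload bytes: zero-filled to 16
    (FLOW_A, packet(b"\xff" * 16)),         # exactly m bytes
]

if __name__ == "__main__":
    for key, tensor in preprocess(SAMPLE_PACKETS, n=4, m=16, h=8).items():
        print(key)
        for row in tensor:
            print(" ".join(f"{v:3d}" for v in row))
```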
3. The topology pruning optimization method based on multi-step network attack recognition and scene reconstruction according to claim 1, wherein the topology pruning optimization method is characterized by: the step 2.4 specifically comprises the following steps:
(1) Traversing each five-tuple and abstracting each IP address into a node: by looking up host_s and host_e contained in each five-tuple, it is determined whether the abstracted nodes are already in the attack directed graph, and the nodes are added gradually;
(2) Since each five-tuple represents a set of communication data between designated nodes, a directed connection is established from host_s to host_e contained in the five-tuple, and the directed edges are added gradually;
(3) A time attribute is added to the directed edge.
4. The topology pruning optimization method based on multi-step network attack recognition and scene reconstruction according to claim 1, wherein the topology pruning optimization method is characterized by: the step 3.1 specifically comprises the following steps:
(1) The data type labels include 6 types: Normal, IPsweep, Probe, Breakin, Installation and Action; these labels are used to train the neural network model for classification, where Normal represents normal traffic and Attack 1 through Attack 5 represent the different types of attacks;
(2) Selecting the ResNet18 convolution structure as the main framework of the convolutional neural network, with the Adam optimizer, the Cross-Entropy loss function and the Softmax activation function; the ResNet18 model is 18 layers deep and consists of 5 convolution layers, 5 global average pooling layers and a final fully connected layer, the output of which is the normal type and the five multi-step network attack types to be classified;
(3) Some parameters in the standard ResNet18 model were modified; specifically, the name of each layer, the output size, the convolution kernel size, the step size, and the width size parameters of pixels around the input data are modified.
5. The topology pruning optimization method based on multi-step network attack recognition and scene reconstruction according to claim 1, wherein the step 3.2 is specifically:
(1) Extracting a weight matrix through a full connection layer of the CNN model;
(2) Obtaining a class activation diagram of the traffic sample under the corresponding class by carrying out weighted summation by using the weight matrix and the feature diagram output by the CNN model;
(3) Obtaining attack details of the abnormal stream by extracting corresponding position data of the original stream, the position of which is a highlight position of the CAM;
(4) Clustering the attack details according to each attack mode to obtain a plurality of attack clusters, wherein each attack mode has a corresponding attack cluster;
(5) The Euclidean distance between the attack details and the attack clustering center is calculated; and finally, inputting the Euclidean distance into a trained decision tree to obtain a corresponding attack mode.
6. The topology pruning optimization method based on multi-step network attack recognition and scene reconstruction according to claim 1, wherein the step 4.2 is specifically:
(1) Creating an empty root node list root and initializing an all-zero array visit with the same number of elements as the initial network topology graph G_start has nodes;
(2) Cycling through the initial network topology graph G_start, setting a flag bit to indicate whether each node has been traversed, and initially setting all nodes to false to indicate that they have not been accessed yet;
(3) Judging whether the in-degree of the current node is zero; if so, the node has no dependency relationship, it is regarded as a root node, and the current node is added to the root node list root.
7. The topology pruning optimization method based on multi-step network attack recognition and scene reconstruction according to claim 1, wherein the pruning operation in step 4.3 is specifically:
(1) A function named prune is defined to complete three pruning operations, which accepts two parameters: graph G and current node curNode;
(2) Acquiring all adjacent nodes of the current node curNode, and storing the adjacent nodes in an adjacent node list nextNodes;
(3) Checking the size of the neighbor node list nextNodes, if zero, the current node has no neighbor nodes available for traversal, so the current node returns directly;
(4) Traversing each node in the adjacent node list nextNodes, acquiring all adjacent nodes of that node, and storing them in the list nextNextNodes;
(5) If the current node has not been accessed, setting its access flag bit to true;
(6) Recursively calling the prune function as prune(G, node) to prune the adjacent nodes of the current node;
(7) Judging whether the traffic is normal; if so, deleting the directed edge between the current node curNode and the adjacent node nextNode;
(8) Judging whether the attack mode matches the attack type; if not, deleting the directed edge between the current node curNode and the adjacent node nextNode;
(9) If the time of the current step is later than the time of the next step, deleting the directed edge between the adjacent node and its subsequent node, and the directed edge between the current node curNode and the adjacent node.
8. The topology pruning optimization method based on multi-step network attack recognition and scene reconstruction according to claim 4, wherein each layer of parameters and meanings of the ResNet18 network model modified in the step (3) in the step 3.1 are specifically as follows:
(1) 3 x 3 convolutional layer
The convolution kernel size of the first convolution layer of the standard ResNet18 is 7 multiplied by 7, the step length is 2, the width of pixels around input data is 3, namely padding is 3, and the output channel is 64; modifying the convolution kernel size to be 3 multiplied by 3, the step length to be 1, the width of pixels around the input data to be 1, and calculating a formula according to the size after convolution:
the input size is W×W, the convolution kernel size is F×F, the width of the pixels around the input data is P, i.e. padding is P, the step size is S, and N is the output size;
(2) pooling layer
The size of the convolution kernel of the layer is 3 multiplied by 3 through a maximum pooling layer, the step length is 1, the width of pixels around input data is 1, namely padding is 1; pooling does not change the number of channels of data, but reduces the size of the data by half;
(3) first 3 x 3 convolutional layer
The first convolution layer, the convolution kernel size is 3×3, the step size is 1, the width of the pixels around the input data is 1, i.e. padding is 1; this layer does not change the size and number of channels of the data;
(4) second 3 x 3 convolutional layer
A 3×3 convolution layer with downsampling; the number of output channels is doubled and the output data size is halved;
(5) third 3×3 convolutional layer
Also 3 x 3 convolutions, and downsampling; doubling the output channel, and reducing the output data size by half;
(6) fourth 3 x 3 convolutional layer
Doubling the output channel, and reducing the output data size by half;
(7) average pooling layer
Output data size
(8) Linear layer
And outputting the classified number.
9. The topology pruning optimization method based on multi-step network attack recognition and scene reconstruction according to claim 5, wherein the detailed explanation of the weight matrix, class activation graph, attack details, clusters and final decision tree in step 3.2 is specifically:
(1) a weight matrix; the fully connected layer computes on the feature map output by the last convolution layer and generates the corresponding classification probabilities; the parameters of the fully connected layer are extracted to obtain the corresponding scoring matrix, which serves as the weight matrix for analysing which feature maps are more important for a certain class; the weight matrix is shown in formula (2),
$W_{i,j},\; i = 1, 2, 3, \dots, n,\; j = 1, 2, \dots, m$ (2)
where i is the number of channels of the last layer convolution and m is the number of streams to be classified;
(2) class activation maps; the CAM is obtained by multiplying the weight coefficients in the weight matrix by the feature map, and is expressed by formula (3):
wherein Cams_label represents the class activation map of the positive sample image, label represents the class corresponding to the stream sample after passing through the convolution layers, W_{i,label} represents the weight matrix extracted above, and feature_i represents the i-th channel of the feature map output by the last convolution layer; the class activation map can extract the highlighted positions of the feature map in the classification task;
(3) attack details; the CAM represents the region the model focuses on during classification; thus, the information relevant to the classification is obtained by extracting the data at the corresponding positions of the sample; the attack details are acquired by taking the intersection of the CAM and the original sample, as shown in formula (4); a threshold is set such that elements of the CAM smaller than the threshold are replaced with 0 and elements greater than or equal to the threshold are replaced with 1; to improve the representation, the extracted attack details are vectorized as vec_x,
Detail(i,j)=Cams(i,j)×sample(i,j) (4)
where i = 1, 2, 3, …, h, j = 1, 2, 3, …, h, h is the original CNN input sample size, Detail(i, j) represents the attack details of the sample, Cams(i, j) represents the position data in the class activation map, and sample(i, j) represents the sample position data;
(4) clustering; each network attack has a corresponding attack category; the details are clustered according to each attack mode to analyse the decision basis of the CNN, and the extracted attack details are clustered with a K-Means clustering model to obtain a plurality of attack clusters AM_i, i = 1, 2, …, n, consistent with the number of attack modes, each attack mode having a corresponding attack cluster;
(5) constructing a decision tree; the decision tree added with priori knowledge is used for classifying the attack modes, the classified specific attack modes are corresponding to the attack types of ResNet classification, false alarm is reduced, and meanwhile the interpretability of CNN processing network flow data is improved; the distance vector Dis is used as the input of a decision tree, dis is determined by calculating Euclidean distance between attack details of samples and attack cluster centers, and is shown in a formula (5):
wherein Dis represents the distance vector, vec_x represents the vectorized representation of the attack details, represents the vectorized representation of the attack cluster centers, and EDis represents the Euclidean distance; the input of the decision tree is as shown in formula (6):
$Input = \{(Dis_1, y_1), (Dis_2, y_2), \dots, (Dis_n, y_n)\}$ (6)
wherein Input is the Input of the decision tree, y is the label of the sample attack mode, and n is the number of the sample attack modes;
the decision tree performs its splitting operation using the Gini coefficient; the Gini coefficient describes the degree of impurity when evaluating the branch samples; the higher the Gini coefficient, the higher the impurity of the branch samples, so the decision tree must continue splitting until the Gini index of a branch node is smaller than a specified value; the decision tree model is built with the decision tree model of a machine learning library, with the important parameters criterion=gini and random_state=123, and the data set is divided using the data set splitting method of the model selection and evaluation toolset of sklearn.
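The chain of claim 9 from weight matrix to class activation map, thresholded attack details (formula (4)) and Euclidean distance vector (formula (5)), as an added example on small constructed numbers; it is not the patent's code. The feature maps, weights, threshold and cluster centres are constructed, the channel summation follows the "weighted summation" of claim 5 (2), and the decision tree that consumes Dis is left out.

```python
# Added example (not the patent's code): weight matrix -> CAM -> attack details ->
# distance vector for claim 9, on constructed 2-channel, 2x2 feature maps.
from math import sqrt
from typing import List

Matrix = List[List[float]]


def class_activation_map(weights: Matrix, features: List[Matrix], label: int) -> Matrix:
    """Cams_label: weighted sum over channels i of W[i][label] * feature_i.
    weights is n x m (channels x classes); features holds n channel maps of size h x h."""
    h = len(features[0])
    cam = [[0.0] * h for _ in range(h)]
    for i, fmap in enumerate(features):
        w = weights[i][label]
        for r in range(h):
            for c in range(h):
                cam[r][c] += w * fmap[r][c]
    return cam


def binarize(cam: Matrix, threshold: float) -> Matrix:
    """Claim 9 (3): elements below the threshold become 0, the others become 1."""
    return [[1.0 if v >= threshold else 0.0 for v in row] for row in cam]


def attack_details(cam01: Matrix, sample: Matrix) -> Matrix:
    """Formula (4): Detail(i,j) = Cams(i,j) x sample(i,j); sample data survives only at
    the highlighted CAM positions."""
    return [[c * s for c, s in zip(crow, srow)] for crow, srow in zip(cam01, sample)]


def vectorize(detail: Matrix) -> List[float]:
    """vec_x: row-major flattening of the attack details."""
    return [v for row in detail for v in row]


def distance_vector(vec_x: List[float], centres: List[List[float]]) -> List[float]:
    """Formula (5): Dis[i] = EDis(vec_x, centre of attack cluster AM_i)."""
    return [sqrt(sum((a - b) ** 2 for a, b in zip(vec_x, c))) for c in centres]


# Constructed inputs: two channels, two classes, 2x2 maps; label 1 is the class of interest.
FEATURES = [[[1.0, 2.0], [3.0, 4.0]], [[0.0, 1.0], [1.0, 0.0]]]
WEIGHTS = [[0.5, 1.0], [2.0, -1.0]]                        # W[i][j]: channel i, class j
SAMPLE = [[10.0, 20.0], [30.0, 40.0]]                      # original h x h input sample
CENTRES = [[0.0, 0.0, 30.0, 40.0], [0.0, 0.0, 0.0, 0.0]]   # constructed centres of AM_1, AM_2


def run_example(label: int = 1, threshold: float = 2.0) -> List[float]:
    """Full chain on the constructed inputs; returns the distance vector Dis."""
    cam = class_activation_map(WEIGHTS, FEATURES, label)       # [[1,1],[2,4]]
    detail = attack_details(binarize(cam, threshold), SAMPLE)  # [[0,0],[30,40]]
    return distance_vector(vectorize(detail), CENTRES)         # [0.0, 50.0]


if __name__ == "__main__":
    print(run_example())
```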
10. The topology pruning optimization method based on multi-step network attack recognition and scene reconstruction according to claim 7, wherein the process of whether the traffic type in the step (7) in the step 4.3 is a normal flow is step 3.1.
11. The topology pruning optimization method based on multi-step network attack recognition and scene reconstruction according to claim 7, wherein the attack type and attack pattern matching process in step (8) in step 4.3 is specifically:
identifying the attack type and the attack mode of the detected traffic by using the CTree model constructed in step 3, and evaluating, according to the matching relation between attack type and attack mode, whether the traffic marked by the IDS is true and effective by matching the detected attack type and mode; if the matching succeeds, the IDS marking of the traffic is correct; otherwise, the IDS marking of the traffic is inaccurate, and if the traffic is a false alarm, the data flow should be pruned directly; therefore, by combining the attack type with the attack mode, whether the attack information marked by the IDS is credible can be determined more accurately, so that certain false alarm information is removed and the second pruning is completed.
12. The topology pruning optimization method based on multi-step network attack recognition and scene reconstruction according to claim 7, wherein the time sequence correlation process in step (9) in step 4.3 is specifically:
the directed edges between the associated nodes in the constructed network topology graph are time-characterized; therefore, according to the time sequence correlation analysis, pruning is carried out for the third time, and the directed edges with time conflict are pruned; the time sequence relativity means that the network attack is often divided into different attack stages, and the successful occurrence of the attack in the former stage is the premise of the attack in the next stage, so that the time sequence among the attack stages has a fore-and-aft relationship;
(1) reading data of a network topological graph and node change data, constructing the network topological graph by using a network library NetworkX, and drawing the graph by using a drawing library Matplotlib;
(2) carrying out node change trend analysis by using a data analysis library Pandas, and drawing a node change graph by using a drawing library Matplotlib;
(3) and finally, eliminating the attack path or node which does not accord with the characteristics of the attack stage, thereby obtaining an image after pruning for three times, namely a simplified multi-step network attack scene after reconstruction.
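The three-stage pruning of step 4.3 (description and claims 6, 7 and 12), run over a topology built as in claim 3, as an added example that is not the patent's code. NetworkX is replaced by a plain adjacency dict; the type-to-mode matching table stands in for the patent's table 2 and the per-edge labels stand in for the IDS and CTree outputs; skipping the recursive call for an already visited neighbour is an assumption about steps (5)-(6); the flows and addresses are constructed.

```python
# Added example (not the patent's code): claim 3 graph construction, claim 6 root search
# and claim 7 / claim 12 three-stage pruning on a constructed topology.
from typing import Dict, List, Tuple

Edge = Dict[str, object]               # {"time": float, "type": str, "mode": str}
Graph = Dict[str, Dict[str, Edge]]     # host_s -> {host_e -> edge attributes}

# Constructed matching table (stand-in for table 2): valid attack modes per attack type.
TYPE_MODES = {
    "IPsweep": {"sweep"}, "Probe": {"probe-query"}, "Breakin": {"exploit"},
    "Installation": {"install"}, "Action": {"flood"},
}


def build_graph(flows: List[Tuple[str, str, float, str, str]]) -> Graph:
    """Claim 3: one node per IP, one directed edge host_s -> host_e per five-tuple,
    carrying a time attribute (plus the labels the pruning steps consult)."""
    g: Graph = {}
    for host_s, host_e, t, ttype, mode in flows:
        g.setdefault(host_s, {})
        g.setdefault(host_e, {})
        g[host_s][host_e] = {"time": t, "type": ttype, "mode": mode}
    return g


def find_roots(g: Graph) -> List[str]:
    """Claim 6: nodes whose in-degree is zero, i.e. without a dependency."""
    indeg = {n: 0 for n in g}
    for src in g:
        for dst in g[src]:
            indeg[dst] += 1
    return [n for n, d in indeg.items() if d == 0]


def prune(g: Graph, cur: str, visited: Dict[str, bool]) -> None:
    """Claim 7 steps (2)-(9) for one node; edges are deleted in place."""
    next_nodes = list(g[cur])                                    # (2)
    if not next_nodes:                                           # (3)
        return
    for nxt in next_nodes:                                       # (4)
        if nxt not in g[cur]:            # edge already removed deeper in the recursion
            continue
        if not visited[nxt]:                                     # (5)
            visited[nxt] = True
            prune(g, nxt, visited)                               # (6) prune the neighbour first
        e = g[cur][nxt]
        if e["type"] == "Normal":                                # (7) first pruning
            del g[cur][nxt]
            continue
        if e["mode"] not in TYPE_MODES.get(e["type"], set()):    # (8) second pruning
            del g[cur][nxt]
            continue
        conflict = False                                         # (9) third pruning
        for nn in list(g[nxt]):
            if e["time"] > g[nxt][nn]["time"]:   # current step later than the next step
                del g[nxt][nn]
                conflict = True
        if conflict:
            del g[cur][nxt]


def reconstruct(g: Graph) -> Graph:
    """Steps 4.2 and 4.3: G_start -> G_end by pruning from every root node."""
    visited = {n: False for n in g}
    for root in find_roots(g):
        visited[root] = True
        prune(g, root, visited)
    return g


def remaining_edges(g: Graph) -> List[Tuple[str, str]]:
    return sorted((s, d) for s in g for d in g[s])


# Constructed flows (host_s, host_e, time, IDS type, CTree mode) on documentation
# addresses; the shape mirrors the LLDOS narrative: break-in, then a flood on the target.
ATTACKER, TARGET = "192.0.2.10", "203.0.113.5"
H1, H2, H9 = "198.51.100.1", "198.51.100.2", "198.51.100.9"
SAMPLE_FLOWS = [
    (ATTACKER, H1, 1.0, "Breakin", "exploit"),   # kept
    (ATTACKER, H2, 1.0, "Breakin", "exploit"),   # removed: H2's flood predates this step
    (ATTACKER, H9, 2.0, "Normal", ""),           # removed: normal traffic
    (H1, TARGET, 5.0, "Action", "flood"),        # kept
    (H2, TARGET, 0.5, "Action", "flood"),        # removed: time conflict with the step above
    (H9, TARGET, 3.0, "Probe", "flood"),         # removed: mode does not match type
]

if __name__ == "__main__":
    print(remaining_edges(reconstruct(build_graph(SAMPLE_FLOWS))))
```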
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310794173.4A CN116915450A (en) | 2023-06-30 | 2023-06-30 | Topology pruning optimization method based on multi-step network attack recognition and scene reconstruction |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116915450A true CN116915450A (en) | 2023-10-20 |
Family
ID=88352183
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116915450A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117575004A (en) * | 2024-01-16 | 2024-02-20 | 北京壁仞科技开发有限公司 | Nuclear function determining method, computing device and medium based on double-layer decision tree |
CN117829242B (en) * | 2024-03-04 | 2024-05-03 | 腾讯科技(深圳)有限公司 | Model processing method and related equipment |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN112738015B (en) | | Multi-step attack detection method based on interpretable convolutional neural network CNN and graph detection |
CN111565205B (en) | | Network attack identification method and device, computer equipment and storage medium |
Gogoi et al. | | MLH-IDS: a multi-level hybrid intrusion detection method |
CN111431939B (en) | | CTI-based SDN malicious flow defense method |
Kumar et al. | | Intrusion Detection System using decision tree algorithm |
Yang et al. | | TLS/SSL encrypted traffic classification with autoencoder and convolutional neural network |
US10187412B2 (en) | | Robust representation of network traffic for detecting malware variations |
US11269995B2 (en) | | Chain of events representing an issue based on an enriched representation |
Soe et al. | | Rule generation for signature based detection systems of cyber attacks in iot environments |
CN113821793B (en) | | Multi-stage attack scene construction method and system based on graph convolution neural network |
CN112003869B (en) | | Vulnerability identification method based on flow |
Rupa Devi et al. | | A review on network intrusion detection system using machine learning |
CN112800424A (en) | | Botnet malicious traffic monitoring method based on random forest |
CN117216660A (en) | | Method and device for detecting abnormal points and abnormal clusters based on time sequence network traffic integration |
Wang et al. | | APT attack detection algorithm based on spatio-temporal association analysis in industrial network |
Kozik et al. | | Pattern extraction algorithm for netflow-based botnet activities detection |
CN113904881A (en) | | Intrusion detection rule false alarm processing method and device |
CN116915450A (en) | | Topology pruning optimization method based on multi-step network attack recognition and scene reconstruction |
CN117454376A (en) | | Industrial Internet data security detection response and tracing method and device |
Umbarkar et al. | | Analysis of heuristic based feature reduction method in intrusion detection system |
Martins et al. | | Automatic detection of computer network traffic anomalies based on eccentricity analysis |
Shaikh et al. | | Advanced signature-based intrusion detection system |
Srilatha et al. | | DDoSNet: A Deep Learning Model for detecting Network Attacks in Cloud Computing |
Hoque et al. | | An alert analysis approach to DDoS attack detection |
Kozik | | Distributed system for botnet traffic analysis and anomaly detection |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | | |
SE01 | Entry into force of request for substantive examination | | |