CN116961926A - Abnormal traffic attack identification method and device, electronic equipment and storage medium - Google Patents

Info

Publication number
CN116961926A
Authority
CN
China
Prior art keywords
abnormal
attack
access request
sample
training
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210377907.4A
Other languages
Chinese (zh)
Inventor
张萍
卫丽
汤萌萌
郑绪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Group Henan Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Henan Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd and China Mobile Group Henan Co Ltd
Priority claimed from CN202210377907.4A
Publication of CN116961926A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/14 Network analysis or design
    • H04L 41/145 Network analysis or design involving simulating, designing, planning or modelling of a network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses an abnormal traffic attack identification method, which aims to solve the problem that abnormal events cannot be accurately identified. The method comprises the following steps: acquiring an access request to be identified; inputting the access request into a pre-trained abnormal attack request identification model to obtain an output result, where the abnormal attack request identification model is obtained by training a gradient boosting tree model on normal access request samples and abnormal access request samples, and the nodes of the base learners of the model contain abnormal attack identification rules learned from those samples; and identifying, according to the output result, whether the access request is abnormal attack access traffic. The application also discloses an abnormal traffic attack identification device, an electronic device and a computer readable storage medium.

Description

Abnormal traffic attack identification method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and apparatus for identifying an abnormal traffic attack, an electronic device, and a computer readable storage medium.
Background
With the continuous expansion of the overall network scale of telecommunication and internet enterprises, multi-layer network security threats and risks keep growing, and network attack behavior is developing towards distribution, scale and complexity. Relying on a single network security protection technology such as a firewall, intrusion detection, anti-virus or access control can no longer meet network security requirements, so new technologies are urgently needed that can discover abnormal events in a network in time, track the network security situation in real time, handle the abnormal events, reduce network security risk and improve the capability for intelligent network security management and control.
In the related art, an abnormal attack event in a network is identified mainly by feature matching between abnormal attack identification rules and the network event to be identified, so as to determine whether that event is an abnormal attack event. However, because such abnormal attack identification rules lack the ability to learn automatically, they are prone to being updated late: on the one hand, abnormal events such as network attacks cannot be discovered in a timely and effective manner; on the other hand, once the attack technique of an abnormal attack event changes, the existing abnormal attack identification rules may fail, so that the abnormal event cannot be accurately identified.
Based on this, how to accurately identify abnormal attack events is a technical problem that needs to be solved by those skilled in the art.
Disclosure of Invention
The embodiment of the application provides an abnormal traffic attack identification method, which is used for solving the problem that an abnormal attack event cannot be accurately identified in the prior art.
The embodiment of the application also provides an abnormal flow attack identification device, electronic equipment and a computer readable storage medium.
The embodiment of the application adopts the following technical scheme:
an abnormal traffic attack identification method, comprising:
acquiring an access request to be identified;
inputting the access request into a pre-trained abnormal attack request identification model to obtain an output result; the abnormal attack request identification model is obtained by training a gradient boosting tree model on normal access request samples and abnormal access request samples, and the nodes of the base learners of the model contain abnormal attack identification rules learned from those samples;
and identifying whether the access request is abnormal attack access flow according to the output result.
Optionally, before the access request is input into the pre-trained abnormal attack request identification model to obtain the output result, the method further comprises:
training a first base learner of the gradient boosting tree model on a training set to obtain a trained first base learner, wherein the training set comprises normal access request samples and abnormal access request samples;
calculating the residual of the trained first base learner;
fitting a second base learner of the gradient boosting tree model to the residual to obtain a fitted second base learner;
and obtaining the abnormal attack request identification model based on the fitted second base learner.
Optionally, before training the first base learner of the gradient boosting tree model on the training set to obtain the trained first base learner, the method further includes:
constructing, according to a preset network attack type, an attack packet corresponding to that network attack type;
acquiring an attack log based on the attack packet by packet capture analysis, wherein the attack log contains characteristic information of abnormal attack access traffic;
and extracting characteristic rules according to the characteristic information.
Optionally, the method further comprises:
inputting the identification result of the access request into a pre-trained abnormal handling decision model to obtain the event assessment probability of the access request; the abnormal handling decision model is trained on the attack confidence, IP reputation, IP region, attack dispersion and attack direction of access requests;
determining the handling policy of the access request according to its event assessment probability and the preset association between handling policies and event assessment probability;
and handling the access request according to the handling policy.
Optionally, before inputting the identification result of the access request into the pre-trained abnormal handling decision model to obtain the event assessment probability of the access request, the method further includes:
acquiring normal access request samples and abnormal access request samples;
determining the attack confidence, IP reputation, IP region, attack dispersion and attack direction of the normal access request samples and of the abnormal access request samples, respectively;
quantitatively assigning values to the attack confidence, IP reputation, IP region, attack dispersion and attack direction to obtain the input vectors corresponding to the normal access request samples and the abnormal access request samples, respectively;
and training a genetically optimized fully-connected neural network model on the input vectors to obtain the abnormal handling decision model.
Optionally, the method further comprises:
acquiring the event assessment probability output by the abnormal handling decision model for a normal access request sample or an abnormal access request sample;
calculating the error of the abnormal handling decision model from that event assessment probability and the true value of the normal access request sample or the abnormal access request sample;
and iteratively updating the network weights of the abnormal handling decision model based on the error until the error is smaller than a preset error threshold.
The abnormal traffic attack identification device comprises an acquisition module, an input module and an identification module, wherein:
the acquisition module is used for acquiring an access request to be identified;
the input module is used for inputting the access request into a pre-trained abnormal attack request identification model to obtain an output result; the abnormal attack request identification model is obtained by training a gradient boosting tree model on normal access request samples and abnormal access request samples, and the nodes of the base learners of the model contain abnormal attack identification rules learned from those samples;
and the identification module is used for identifying, according to the output result, whether the access request is abnormal attack access traffic.
Optionally, the device is further configured to:
training a first base learner of the gradient boosting tree model on a training set to obtain a trained first base learner, wherein the training set comprises normal access request samples and abnormal access request samples;
calculating the residual of the trained first base learner;
fitting a second base learner of the gradient boosting tree model to the residual to obtain a fitted second base learner;
and obtaining the abnormal attack request identification model based on the fitted second base learner.
Optionally, the device is further configured to:
constructing, according to a preset network attack type, an attack packet corresponding to that network attack type;
acquiring an attack log based on the attack packet by packet capture analysis, wherein the attack log contains characteristic information of abnormal attack access traffic;
and extracting characteristic rules according to the characteristic information.
Optionally, the device is further configured to:
inputting the identification result of the access request into a pre-trained abnormal handling decision model to obtain the event assessment probability of the access request; the abnormal handling decision model is trained on the attack confidence, IP reputation, IP region, attack dispersion and attack direction of access requests;
determining the handling policy of the access request according to its event assessment probability and the preset association between handling policies and event assessment probability;
and handling the access request according to the handling policy.
Optionally, the device is further configured to:
acquiring normal access request samples and abnormal access request samples;
determining the attack confidence, IP reputation, IP region, attack dispersion and attack direction of the normal access request samples and of the abnormal access request samples, respectively;
quantitatively assigning values to the attack confidence, IP reputation, IP region, attack dispersion and attack direction to obtain the input vectors corresponding to the normal access request samples and the abnormal access request samples, respectively;
and training a genetically optimized fully-connected neural network model on the input vectors to obtain the abnormal handling decision model.
Optionally, the device is further configured to:
acquiring the event assessment probability output by the abnormal handling decision model for a normal access request sample or an abnormal access request sample;
calculating the error of the abnormal handling decision model from that event assessment probability and the true value of the normal access request sample or the abnormal access request sample;
and iteratively updating the network weights of the abnormal handling decision model based on the error until the error is smaller than a preset error threshold.
An electronic device, comprising: a memory, a processor and a computer program stored on the memory and executable on the processor, which when executed by the processor implements the steps of the abnormal traffic attack identification method as described above.
A computer readable storage medium, wherein a computer program is stored on the computer readable storage medium, which when executed by a processor, implements the steps of the abnormal traffic attack identification method as described above.
The above at least one technical scheme adopted by the embodiment of the application can achieve the following beneficial effects:
By adopting the method provided by the embodiment of the application, an access request can be identified on the basis of the abnormal attack identification rules contained in the nodes of the base learners of the abnormal attack request identification model. Because these rules are learned from normal access request samples and abnormal access request samples, they can be updated as those samples change. This solves the problem in the related art that the abnormal attack identification rules are not updated in time for lack of automatic learning capability, avoids the problem that the rules may fail when the attack technique of an abnormal attack event changes, and thereby improves the accuracy of abnormal traffic attack identification.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute a limitation on the application. In the drawings:
Fig. 1 is a schematic implementation flow chart of an abnormal traffic attack identification method according to an embodiment of the present application;
Fig. 2 is a schematic implementation flow chart of a training method of an abnormal attack request identification model according to an embodiment of the present application;
Fig. 3 is a schematic implementation flow chart of a method for handling an abnormal attack request according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of a genetically optimized fully-connected neural network model according to an embodiment of the present application;
Fig. 5 is a schematic diagram of a specific structure of an abnormal traffic attack identification device according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be clearly and completely described below with reference to specific embodiments of the present application and corresponding drawings. It will be apparent that the described embodiments are only some, but not all, embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
The following describes in detail the technical solutions provided by the embodiments of the present application with reference to the accompanying drawings.
Example 1
In order to solve the problem that an abnormal attack event cannot be accurately identified in the prior art, the embodiment of the application provides an abnormal traffic attack identification method.
The method may be performed by various types of computing devices, or by an application (APP) installed on a computing device. The computing device may be a user terminal such as a mobile phone, a tablet computer or an intelligent wearable device, or a server.
For convenience of description, the embodiment of the present application uses an execution body of the method as a server as an example, and introduces the method. It will be appreciated by those skilled in the art that the embodiment of the present application is described by taking the server as an example, and is only an exemplary illustration, and does not limit the scope of protection of the claims corresponding to the present scheme.
Specifically, an implementation flow of the method provided by the embodiment of the application is shown in fig. 1, and the implementation flow comprises the following steps:
Step 11: acquiring an access request to be identified.
The access request to be identified is the access request on which abnormal attack request identification is to be performed. In the application, the access request to be identified can be chosen according to actual requirements; for example, an access request suspected of being an abnormal attack request can be used as the access request to be identified.
In the embodiment of the application, the access request to be identified can be obtained from internet traffic data and log data, where the log data may include, for example, file operation log data, network connection log data, process log data and human-computer interaction state log data. The log data may be obtained, for example, by collecting HTTP traffic log data with an optical splitter (network tap) at the network egress of a resource pool.
It should be noted that the above exemplary manner of obtaining the access request, and the exemplary log data are only an exemplary illustration of the embodiment of the present application, and are not intended to limit the embodiment of the present application in any way.
Step 12: inputting the access request into a pre-trained abnormal attack request identification model to obtain an output result; the abnormal attack request identification model is obtained by training a gradient boosting tree model on normal access request samples and abnormal access request samples, and the nodes of the base learners of the model contain abnormal attack identification rules learned from those samples.
The abnormal attack request identification model is used to identify abnormal attack requests, and its output result comprises the attack confidence of the access request to be identified, which indicates whether the access request is an abnormal attack request.
As shown in fig. 2, in one embodiment the abnormal attack request identification model may be trained by the following steps S21 to S24:
S21: training the first base learner of the gradient boosting tree model on a training set to obtain a trained first base learner, where the training set comprises normal access request samples and abnormal access request samples.
The training set may be derived from the HTTP DATASET CSIC 2010 data set.
Alternatively, if the HTTP DATASET CSIC 2010 data set is used as the training set, its timeliness and completeness may differ from those of actual access requests, which can easily degrade the training result. To avoid this, normal access request data and abnormal attack request data observed on the production network can be added to the HTTP DATASET CSIC 2010 data set as training samples, thereby expanding the training set and avoiding the negative effects that may occur when only that data set is used.
In practical application, an optical splitter (network tap) can be deployed at the network egress of the resource pool to collect HTTP traffic log data, and metadata is extracted to obtain the normal access requests and abnormal access requests observed on the production network. Optionally, because the collected traffic log data may come in different formats, the embodiment of the application may further preprocess the collected traffic log data and normalize it to a standard format. The standardized traffic log data format is: time, sip, dip, sport, dport, method, proto, app, status, host, uri, referer, content-encoding, content-length, user_agent, cookies, proxy-authorization, proxy-connection, content-location, link.
It should be noted that the above manner of obtaining the normal and abnormal access requests observed on the production network, and the preprocessing manner, are only exemplary illustrations of the embodiment of the present application and are not intended to limit it.
After the training set has been determined as described above, feature rule refinement can be performed on it. Specifically, an attack packet corresponding to a preset network attack type is constructed; then an attack log is obtained from the attack packet by packet capture analysis, the attack log containing characteristic information of abnormal attack access traffic; finally, the feature rules of the training set are extracted from the characteristic information. Optionally, the network attack types that actually need to be identified are used as the preset network attack types.
For example, assuming the network attack types that actually need to be identified include brute-force cracking, SQL injection, buffer overflow, information leakage, cross-site scripting, denial of service, remote command execution, path traversal, remote file inclusion and web crawlers, these are set as the preset network attack types; an attack log is then obtained from the attack packets by packet capture analysis, and characteristic information such as IP access frequency, string length and keywords is determined by parsing the URL, HOST, REFERER, GET, PUT, POST and Cookie parameters in the attack log. Further, for an abnormal attack request, multidimensional characteristic information such as its network attack type, attack frequency per unit time, SQL injection frequency and buffer overflow frequency can be determined; finally, the feature rules of the training set are extracted from this characteristic information.
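As an added illustration (Python, not code from the patent), the sketch below shows the two preparatory steps just described: mapping heterogeneous traffic-log records onto the standardized field list from the preprocessing paragraph, and counting per-request characteristic information (IP access frequency, string length, keyword hits). The alias map, the keyword lists and the sample log records are constructed for this example; the patent does not specify them.

```python
from collections import Counter
from urllib.parse import unquote

# Standardized traffic-log field order as listed in the patent text.
STANDARD_FIELDS = [
    "time", "sip", "dip", "sport", "dport", "method", "proto", "app",
    "status", "host", "uri", "referer", "content-encoding", "content-length",
    "user_agent", "cookies", "proxy-authorization", "proxy-connection",
    "content-location", "link",
]

# Hypothetical alias map: field names as emitted by two assumed collector formats.
FIELD_ALIASES = {
    "ts": "time", "timestamp": "time",
    "src_ip": "sip", "dst_ip": "dip",
    "src_port": "sport", "dst_port": "dport",
    "url": "uri", "path": "uri",
    "User-Agent": "user_agent", "ua": "user_agent",
    "Cookie": "cookies", "Referer": "referer",
}


def normalize_record(raw):
    """Map one raw log record onto the standard schema; unknown fields are dropped,
    missing standard fields are left as None."""
    out = {field: None for field in STANDARD_FIELDS}
    for key, value in raw.items():
        std = FIELD_ALIASES.get(key, key.lower())
        if std in out:
            out[std] = value
    return out


# Constructed keyword rules for illustration only; not the patent's rule set.
SQLI_KEYWORDS = ("union", "select", "' or", "--", "sleep(")
TRAVERSAL_PATTERNS = ("../", "..\\")


def extract_features(records):
    """Per-request characteristic information over one batch of raw records:
    IP access frequency, decoded URI length and keyword hit counts."""
    recs = [normalize_record(r) for r in records]
    ip_freq = Counter(r["sip"] for r in recs)      # accesses per source IP in the batch
    features = []
    for r in recs:
        uri = unquote(r["uri"] or "")              # decode %xx before matching
        low = uri.lower()
        features.append({
            "ip_access_freq": ip_freq[r["sip"]],
            "uri_length": len(uri),
            "sqli_hits": sum(low.count(k) for k in SQLI_KEYWORDS),
            "traversal_hits": sum(low.count(p) for p in TRAVERSAL_PATTERNS),
        })
    return features


# Constructed sample records in two different collector formats (not real traffic).
SAMPLE_LOGS = [
    {"ts": "2022-04-01T10:00:00", "src_ip": "203.0.113.5", "dst_ip": "198.51.100.9",
     "method": "GET", "url": "/index.php?id=1", "User-Agent": "Mozilla/5.0"},
    {"ts": "2022-04-01T10:00:01", "src_ip": "203.0.113.5", "dst_ip": "198.51.100.9",
     "method": "GET", "url": "/index.php?id=1%27%20OR%201%3D1--", "User-Agent": "sqlmap"},
    {"timestamp": "2022-04-01T10:00:02", "sip": "192.0.2.7", "dip": "198.51.100.9",
     "method": "GET", "path": "/static/../../etc/passwd", "ua": "curl/7.0"},
]

if __name__ == "__main__":
    for feat in extract_features(SAMPLE_LOGS):
        print(feat)
```

The feature dictionaries are the kind of counted characteristic information on which the first base learner is trained in S21; in a real deployment the keyword lists would come from the feature rules refined from the attack logs.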
After feature rule refinement of the training set, the first base learner of the gradient boosting tree model may be trained on the counted characteristic information to obtain a trained first base learner.
The first base learner may be a classification and regression tree (CART).
In the embodiment of the application, a gradient boosting tree model can be constructed from M CARTs; the first CART is then trained on the training set, and the resulting model is denoted $f_1(x)$.
S22, calculating the residual error of the trained first base learner.
In the application, the training set is predicted with the trained first base learner to obtain a predicted value, and the residual of the first base learner is then calculated from the predicted value and the actual value of the training set.
For example, if the actual value of the training set is $y$ and the predicted value is $f_1(x)$, the residual is $r_1 = y - f_1(x)$.
S23, performing fitting training on the second base learner of the gradient lifting tree model according to the residual error to obtain a second base learner after fitting training.
The second base learners are the classification and regression trees in the gradient boosting tree model other than the first base learner.
Continuing the example above, after the residual $r_1$ of the first base learner has been obtained, it is used as the input of one classification and regression tree C1 among the second base learners; C1 is fitted to the residual, giving the fitted second base learner C1.
The fitted second base learner C1 then yields the predicted value $f_2(x)$ of the training set and the residual $r_2$; $r_2$ is used as the input of another classification and regression tree C2 among the second base learners, which is fitted to $r_2$ to give the fitted second base learner C2, and so on until all second base learners have been traversed.
S24, based on the second base learner, obtaining an abnormal attack request identification model.
Following the above example, assuming the gradient boosting tree model includes M CARTs, after S23 is executed the m-th CART tree model is obtained as $f_m(x) = f_{m-1}(x) + T_m(x)$, where $f_m(x)$ denotes the m-th CART tree model, $f_{m-1}(x)$ denotes the (m-1)-th CART tree model, and $T_m(x)$ denotes the fit of the m-th CART tree to the residual of the (m-1)-th model. Adding the weak classifiers gives the final strong learner of the gradient boosting tree model, $f_M(x) = \sum_{m=1}^{M} T_m(x)$, i.e. the abnormal attack request identification model, where $f_M(x)$ denotes the final strong learner and $\sum_{m=1}^{M} T_m(x)$ denotes the accumulated sum of the residual fits of the first to M-th CART trees.
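The following Python example is added here and is not part of the patent. It implements steps S21 to S24 in miniature: each base learner is a depth-1 regression tree (a stump standing in for a full CART), the first is trained on the labels, every later one is fitted to the residual of the current model, and the strong learner is the sum $f_M(x) = \sum_{m=1}^{M} T_m(x)$. The feature vectors (IP access frequency, URI length, SQL-injection keyword hits) and their labels are constructed sample data; the sample set is chosen so that no single stump separates the classes and the residual fit of the second tree actually matters.

```python
# Minimal gradient boosting over regression stumps (depth-1 CARTs), illustrating S21-S24.
# Constructed sample feature vectors: [ip_access_freq, uri_length, sqli_keyword_hits].
SAMPLE_X = [
    [1, 15, 0], [2, 18, 0], [1, 30, 0], [3, 17, 0],      # normal access requests
    [40, 25, 2], [55, 60, 3], [2, 18, 3], [30, 45, 0],   # abnormal attack requests
]
SAMPLE_Y = [0, 0, 0, 0, 1, 1, 1, 1]  # 1 = abnormal attack access traffic


def fit_stump(X, target):
    """Fit one regression stump: the (feature, threshold, left_mean, right_mean)
    split that minimises the squared error of predicting `target`."""
    best = None  # (sse, feature, threshold, left_mean, right_mean)
    for j in range(len(X[0])):
        values = sorted(set(row[j] for row in X))
        for lo, hi in zip(values, values[1:]):
            thr = (lo + hi) / 2.0
            left = [t for row, t in zip(X, target) if row[j] <= thr]
            right = [t for row, t in zip(X, target) if row[j] > thr]
            lmean, rmean = sum(left) / len(left), sum(right) / len(right)
            sse = (sum((t - lmean) ** 2 for t in left)
                   + sum((t - rmean) ** 2 for t in right))
            if best is None or sse < best[0]:
                best = (sse, j, thr, lmean, rmean)
    if best is None:  # every feature is constant: fall back to a constant predictor
        mean = sum(target) / len(target)
        return (0, 0.0, mean, mean)
    return best[1:]


def stump_predict(stump, row):
    j, thr, lmean, rmean = stump
    return lmean if row[j] <= thr else rmean


def train_gbdt(X, y, n_trees):
    """S21-S23: the first stump fits y; stump m fits r_{m-1} = y - f_{m-1}(x),
    and the model becomes f_m(x) = f_{m-1}(x) + T_m(x)."""
    trees = []
    f = [0.0] * len(y)                       # f_0(x) = 0
    for _ in range(n_trees):
        residual = [yi - fi for yi, fi in zip(y, f)]
        tree = fit_stump(X, residual)
        trees.append(tree)
        f = [fi + stump_predict(tree, row) for fi, row in zip(f, X)]
    return trees


def gbdt_predict(trees, row):
    """S24: the strong learner f_M(x) is the sum of the M residual fits T_m(x)."""
    return sum(stump_predict(t, row) for t in trees)


def is_abnormal(trees, row, threshold=0.5):
    """Attack confidence at or above the threshold marks the request as abnormal traffic."""
    return gbdt_predict(trees, row) >= threshold


if __name__ == "__main__":
    model = train_gbdt(SAMPLE_X, SAMPLE_Y, n_trees=2)
    for row, label in zip(SAMPLE_X, SAMPLE_Y):
        print(row, label, round(gbdt_predict(model, row), 3), is_abnormal(model, row))
```

With two trees the first stump splits on IP access frequency, leaving the short-URI SQL-injection request with a large residual; the second stump fits that residual on the keyword-hit feature, which is exactly the mechanism by which the patent's rules in later base learners complement those of the first.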
Step 13: identifying, according to the output result, whether the access request is abnormal attack access traffic.
In the application, the output result comprises the attack confidence of the access request to be identified, which indicates whether the access request is an abnormal attack request.
Alternatively, consider the problem that in the related art an abnormal attack request cannot be handled effectively for lack of an effective dynamic handling method. To solve this, the application further provides a method for handling an abnormal attack request once the identification result of the access request to be identified has been obtained. As shown in fig. 3, the method for handling an abnormal attack request comprises the following steps S31 to S33:
S31: inputting the identification result of the access request into a pre-trained abnormal handling decision model to obtain the event assessment probability of the access request; the abnormal handling decision model is trained on the attack confidence, IP reputation, IP region, attack dispersion and attack direction of access requests.
In one embodiment, the abnormal handling decision model may be trained by the following steps (1) to (4):
(1) Acquiring normal access request samples and abnormal access request samples.
(2) Determining the attack confidence, IP reputation, IP region, attack dispersion and attack direction of the normal access request samples and of the abnormal access request samples, respectively.
Optionally, in an embodiment, the number of attacks within a preset period (for example, about ten days) may also be counted per attacking IP; and/or the mean, variance, skewness and kurtosis over a preset amount of data (for example, 200 records) may be computed per attacking IP; and/or grey prediction may be performed on the event assessment probability and attack confidence of a preset number of attack records per attacking IP, giving a preliminary prediction probability in the time dimension. Introducing such time-series features raises the feature dimension of the training samples and improves the accuracy of the model.
(3) Quantitatively assigning values to the attack confidence, IP reputation, IP region, attack dispersion and attack direction to obtain the input vectors corresponding to the normal access request samples and the abnormal access request samples, respectively.
The quantitative assignment of the attack confidence, IP reputation, IP region, attack dispersion and attack direction may, for example, be implemented as shown in Table 1 below.
TABLE 1
The attack confidence is the output of the abnormal attack request identification model and has the format type plus confidence, e.g. "SQL injection: 0.8". IP reputation refers to the degree of maliciousness of the IP; the attack IP region refers to the region to which the attacking IP belongs; the attack dispersion selects a time window in which the IP access behavior of multiple attack sources is judged; and the attack direction refers to the network locations of the attack source and the attack target.
(4) Training the genetic optimization fully-connected neural network model according to the input vector to obtain an abnormal handling decision model.
Fig. 4 is a schematic structural diagram of a genetically optimized fully-connected neural network model according to an embodiment of the present application. As can be seen from the figure, the structure of the model is 6×512×256×128×64×1, and the number of optimized parameters is (6×512+512×256+256×128+128×64+64×1) weights plus (512+256+128+64+1) thresholds (biases).
In the embodiment of the application, the obtained normal access request samples and abnormal access request samples may be divided into a training set and a test set in the ratio 8:2, after which the sample data are preprocessed. Preprocessing comprises handling missing values and abnormal values, and normalization: the indices attack confidence, IP reputation value, IP region, attack dispersion and attack direction are taken as a multidimensional feature sample and normalized so that every value lies between 0 and 1.
In the embodiment of the application, the normalized transfer function is as follows:
where x* represents the normalized index; x represents the assigned value of the index; and min and max represent the minimum and maximum value of the index, respectively.
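The preprocessing described above (quantized six-dimensional input vectors, an 8:2 split, per-index min-max normalization fitted on the training set) and the parameter count of the 6×512×256×128×64×1 network, as an added example. This is not the patent's own code: Table 1 is not reproduced on the page, so the codes for IP region and attack direction, the sixth time-series component (attack count) and the treatment of a missing count as 0 are assumptions made for illustration.

```python
"""Preprocessing for the abnormal handling decision model (added example)."""
import random
from typing import Dict, List, Sequence, Tuple

# Assumed quantization of the categorical indices; the patent's Table 1 is not on the page.
IP_REGION_CODE = {"intranet": 0.0, "domestic": 0.5, "overseas": 1.0}
DIRECTION_CODE = {"inner->inner": 0.0, "inner->outer": 0.5, "outer->inner": 1.0}


def quantise(sample: Dict) -> List[float]:
    """Map one access-request sample to the 6-dimensional input vector.
    Components: attack confidence, IP reputation, IP region, attack dispersion,
    attack direction, and the attack count within the preset period (the
    optional time-series feature). A missing count is treated as 0 (assumption)."""
    return [
        float(sample["attack_confidence"]),      # model output, e.g. SQL injection: 0.8
        float(sample["ip_reputation"]),          # degree of maliciousness of the IP
        IP_REGION_CODE[sample["ip_region"]],     # region the attacking IP belongs to
        float(sample["attack_dispersion"]),      # attack-source IPs seen in the time window
        DIRECTION_CODE[sample["attack_direction"]],
        float(sample.get("attack_count", 0)),    # missing value handled as 0
    ]


def split_8_2(rows: Sequence, seed: int = 0) -> Tuple[list, list]:
    """Shuffle and split samples into a training set and a test set, 8:2."""
    rows = list(rows)
    random.Random(seed).shuffle(rows)
    cut = int(len(rows) * 0.8)
    return rows[:cut], rows[cut:]


def minmax_fit(vectors: Sequence[Sequence[float]]) -> Tuple[List[float], List[float]]:
    """Per-index min and max, learned from the training set only."""
    dims = len(vectors[0])
    mins = [min(v[i] for v in vectors) for i in range(dims)]
    maxs = [max(v[i] for v in vectors) for i in range(dims)]
    return mins, maxs


def minmax_apply(vector: Sequence[float], mins: Sequence[float],
                 maxs: Sequence[float]) -> List[float]:
    """x* = (x - min) / (max - min). A constant index maps to 0; test-set values
    outside the training range are clipped so every value stays in [0, 1]."""
    out = []
    for x, lo, hi in zip(vector, mins, maxs):
        if hi == lo:
            out.append(0.0)
        else:
            out.append(min(1.0, max(0.0, (x - lo) / (hi - lo))))
    return out


def param_count(layers: Sequence[int]) -> Tuple[int, int]:
    """(weights, thresholds/biases) of a fully-connected network with these layer sizes."""
    weights = sum(a * b for a, b in zip(layers, layers[1:]))
    biases = sum(layers[1:])
    return weights, biases


if __name__ == "__main__":
    print(param_count((6, 512, 256, 128, 64, 1)))
```

Fitting the min and max on the training split and clipping the test split is the usual way to honor the "values between 0 and 1" requirement without letting test data leak into the normalization.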
S32, determining the treatment strategy of the access request according to the event judgment probability of the access request and the association relation between the preset treatment strategy and the event judgment probability.
In the embodiment of the application, a dynamic treatment strategy can be formulated according to the event judgment probability, and different blocking strategies are then executed at different treatment points according to that strategy, using the IP blocking capability of the operator's network layer. The treatment points in the treatment strategy may include the outer network and the inner network; the blocking duration strategy comprises long-term blocking, short-term blocking and intermittent blocking.
For example, in one embodiment, the association between the preset treatment policy and the event judgment probability may be as shown in Table 2 below.
TABLE 2
Event judgment probability interval | Treatment point             | Blocking duration
[90%-100%]                          | Outer network               | 7 days
[80%-90%)                           | Outer network               | 1 day
[60%-80%)                           | Inner network/outer network | 1 day/1 hour
[40%-60%)                           | Inner network               | 1 hour
[0%-40%)                            | No handling                 | No handling
In the above treatment policy, the outer network mainly performs black-hole routing on the egress router, which blocks the source address and the destination address. The higher the event judgment probability, the greater the impact of the event, so large-scale blocking is performed on the outer network for such events, whereas near-source blocking is performed on the inner-network firewall for events with a lower output probability; near-source blocking reduces the service impact surface of event handling.
For example, if the event judgment probability is 65%, i.e. it lies in the interval [60%-80%), the corresponding treatment strategy is: take the inner network or the outer network as the treatment point and block for 1 day/1 hour.
S33, processing the access request based on the processing strategy.
Following the example in S32, after determining the handling policy, the access request may then be correspondingly handled based on the handling policy.
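The lookup from event judgment probability to treatment strategy in Table 2, as an added example that is not the patent's own code. It keeps the interval boundaries exactly as the table writes them (90% belongs to the top row, 80%, 60% and 40% to the row they open) and expands the combined "inner network/outer network, 1 day/1 hour" row into one action per treatment point, paired by position; the mapping of treatment points to the mechanisms named in the text (black-hole route on the egress router, near-source firewall block) is part of the example.

```python
"""Treatment-strategy lookup from the event judgment probability (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Treatment:
    point: Optional[str]      # "outer", "inner", "inner/outer" or None (no handling)
    duration: Optional[str]   # "7 days", "1 day", "1 day/1 hour", "1 hour" or None


# Rows of Table 2 as (lower bound, upper bound, upper bound inclusive?, treatment).
POLICY: Tuple[Tuple[float, float, bool, Treatment], ...] = (
    (0.90, 1.00, True,  Treatment("outer", "7 days")),
    (0.80, 0.90, False, Treatment("outer", "1 day")),
    (0.60, 0.80, False, Treatment("inner/outer", "1 day/1 hour")),
    (0.40, 0.60, False, Treatment("inner", "1 hour")),
    (0.00, 0.40, False, Treatment(None, None)),
)

# Assumed mapping of treatment point to the blocking mechanism described in the text.
MECHANISM = {
    "outer": "black-hole route on egress router (source and destination address)",
    "inner": "near-source block on inner-network firewall",
}


def treatment_for(probability: float) -> Treatment:
    """Return the Table 2 row for an event judgment probability in [0, 1]."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("event judgment probability must lie in [0, 1]")
    for lo, hi, hi_inclusive, treatment in POLICY:
        if lo <= probability < hi or (hi_inclusive and probability == hi):
            return treatment
    raise AssertionError("unreachable: POLICY covers [0, 1]")


def blocking_plan(probability: float) -> List[Dict[str, str]]:
    """Expand the selected treatment into one action per treatment point.
    Points and durations are paired by position, as the row
    "inner network/outer network, 1 day/1 hour" is written in Table 2."""
    treatment = treatment_for(probability)
    if treatment.point is None:
        return []
    points = treatment.point.split("/")
    durations = treatment.duration.split("/")
    return [
        {"point": p, "duration": d, "mechanism": MECHANISM[p]}
        for p, d in zip(points, durations)
    ]


if __name__ == "__main__":
    for prob in (0.95, 0.90, 0.65, 0.40, 0.10):
        print(prob, blocking_plan(prob))
```

Because the top row is closed on both ends while the others are half-open, a probability of exactly 90% selects the 7-day outer-network block, and exactly 40% selects the 1-hour inner-network block rather than "no handling".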
Optionally, in one embodiment, after the abnormal handling decision model is obtained, a genetically optimized fully-connected algorithm may also be employed to globally optimize the network. Specifically, the optimization proceeds as follows: acquiring the event judgment probability output by the abnormal handling decision model for a normal access request sample or an abnormal access request sample; calculating the error of the abnormal handling decision model from that event judgment probability and the true value of the normal access request sample or of the abnormal access request sample; and iteratively updating the network weights of the abnormal handling decision model based on the error until the error of the model is smaller than a preset error threshold.
In practical application, each network weight and each output-node bias of the abnormal handling decision model can be initialized, by default to a random number between -0.5 and 0.5; a training sample (i.e. a normal access request sample or an abnormal access request sample) is then input into the abnormal handling decision model to obtain an output value; the error between the output value and the true value is calculated, and the network weights are corrected if the error is greater than a preset entropy value. Specifically, the weights can be updated through the iteration, selection, crossover and mutation of a genetic algorithm, so as to obtain network weights whose error meets the preset error requirement. For updating weights through the iteration, selection, crossover and mutation of a genetic algorithm, reference may be made to the genetically optimized fully-connected algorithm in the related art, which is not repeated here.
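The weight-update loop just described, as an added example that is not the patent's own code: a population of weight-and-bias vectors is initialized uniformly in [-0.5, 0.5], the mean squared error of each is measured on the training samples, and tournament selection, uniform crossover and Gaussian mutation (with elitism, so the best error never gets worse) are applied until the best error drops below a preset threshold or the generation budget runs out. The 6×4×1 layout, the constructed six-feature dataset and all genetic-algorithm hyperparameters are assumptions made so the example runs in a few seconds.

```python
"""Genetic optimization of a small fully-connected network's weights (added example)."""
import math
import random
from typing import List, Sequence, Tuple

LAYERS = (6, 4, 1)  # assumption: shrunk from the patent's 6x512x256x128x64x1 layout


def genome_length(layers: Sequence[int] = LAYERS) -> int:
    """Number of weights plus thresholds (biases) across all layers."""
    return sum(a * b for a, b in zip(layers, layers[1:])) + sum(layers[1:])


def forward(genome: Sequence[float], x: Sequence[float],
            layers: Sequence[int] = LAYERS) -> float:
    """Sigmoid MLP; the genome stores each layer's weights, then its biases."""
    pos, act = 0, list(x)
    for n_in, n_out in zip(layers, layers[1:]):
        w = genome[pos:pos + n_in * n_out]
        pos += n_in * n_out
        b = genome[pos:pos + n_out]
        pos += n_out
        nxt = []
        for j in range(n_out):
            z = sum(w[j * n_in + i] * act[i] for i in range(n_in)) + b[j]
            z = max(-60.0, min(60.0, z))  # keep exp() within range as weights grow
            nxt.append(1.0 / (1.0 + math.exp(-z)))
        act = nxt
    return act[0]


def mse(genome: Sequence[float], data: Sequence[Tuple[List[float], float]]) -> float:
    """Error between the model's event judgment probability and the true value."""
    return sum((forward(genome, x) - y) ** 2 for x, y in data) / len(data)


def constructed_dataset(rng: random.Random, n: int = 60):
    """Constructed samples: six normalized features, label 1.0 (abnormal) when
    attack confidence and IP reputation (features 0 and 1) are both high."""
    data = []
    for _ in range(n):
        x = [rng.random() for _ in range(LAYERS[0])]
        y = 1.0 if x[0] > 0.5 and x[1] > 0.5 else 0.0
        data.append((x, y))
    return data


def evolve(data, rng: random.Random, pop_size: int = 40, generations: int = 150,
           threshold: float = 0.02, mutation_rate: float = 0.1, mutation_sigma: float = 0.3):
    """Return (best genome, initial best error, final best error)."""
    n = genome_length()
    population = [[rng.uniform(-0.5, 0.5) for _ in range(n)] for _ in range(pop_size)]
    scored = sorted((mse(g, data), g) for g in population)
    initial_error = scored[0][0]
    for _ in range(generations):
        if scored[0][0] < threshold:          # stop once the preset error is met
            break

        def select():                          # binary tournament selection
            a, b = rng.sample(scored, 2)
            return a[1] if a[0] < b[0] else b[1]

        children = [g for _, g in scored[:2]]  # elitism: the two best survive unchanged
        while len(children) < pop_size:
            p, q = select(), select()
            child = [pi if rng.random() < 0.5 else qi for pi, qi in zip(p, q)]  # uniform crossover
            child = [c + rng.gauss(0.0, mutation_sigma) if rng.random() < mutation_rate else c
                     for c in child]                                           # Gaussian mutation
            children.append(child)
        scored = sorted((mse(g, data), g) for g in children)
    return scored[0][1], initial_error, scored[0][0]


def train(seed: int = 7, generations: int = 150):
    """Deterministic entry point: build the constructed dataset and evolve weights."""
    rng = random.Random(seed)
    data = constructed_dataset(rng)
    return evolve(data, rng, generations=generations)


if __name__ == "__main__":
    _, before, after = train()
    print(f"best error: {before:.4f} -> {after:.4f}")
```

Elitism is what makes "iterate until the error is below the threshold" a safe stopping rule: without it a single unlucky mutation round can discard the best weights found so far.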
With the method provided by the embodiment of the application, the access request is identified based on the abnormal attack identification rules included in the nodes of the base learners of the abnormal attack request identification model. Because these rules are trained on normal access request samples and abnormal access request samples, they can be updated as those samples change. This solves the problem in the related art that abnormal attack identification rules are not updated in time for lack of automatic learning capability, and avoids the problem that the rules may fail when the attack means of an abnormal attack event change, thereby improving the accuracy of abnormal traffic attack identification.
Example 2
In order to solve the problem that the abnormal attack event cannot be accurately identified in the prior art, an embodiment of the present application provides an abnormal traffic attack identification device, and a specific structural schematic diagram of the device is shown in fig. 5, and the device includes an acquisition module 51, an input module 52 and an identification module 53. The functions of each unit are as follows:
the obtaining module 51 is configured to obtain an access request to be identified.
The input module 52 is configured to input an access request into a pre-trained abnormal attack request recognition model, to obtain an output result; the abnormal attack request recognition model is obtained by training a normal access request sample and an abnormal access request sample through a gradient lifting tree model, and nodes of a base learner of the abnormal attack request recognition model comprise abnormal attack recognition rules obtained by training the normal access request sample and the abnormal access request sample.
The identifying module 53 is configured to identify whether the access request is an abnormal attack access flow according to the output result.
Optionally, the abnormal traffic attack identification device is further configured to:
training a first base learner of the gradient lifting tree model based on a training set to obtain a trained first base learner, wherein the training sample set comprises a normal access request sample and an abnormal access request sample;
calculating the residual error of the trained first base learner;
performing fitting training on the second base learner of the gradient lifting tree model according to the residual error to obtain a second base learner after fitting training;
and obtaining an abnormal attack request identification model based on the fitted second base learner.
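The four steps listed above (train the first base learner, compute its residual, fit the second base learner to that residual, combine the two), as an added example using least-squares regression stumps as base learners. This is not the patent's gradient lifting tree implementation: the stump learner, the unit learning rate, the 0.5 decision threshold and the eight constructed two-feature samples (attack confidence, IP reputation) are assumptions for illustration.

```python
"""Two rounds of residual-fitting boosting with regression stumps (added example)."""
from typing import List, Sequence, Tuple

Stump = Tuple[int, float, float, float]  # (feature index, threshold, left value, right value)


def fit_stump(X: Sequence[Sequence[float]], y: Sequence[float]) -> Stump:
    """Least-squares regression stump over every feature and every split midpoint."""
    best, best_sse = None, float("inf")
    for f in range(len(X[0])):
        values = sorted(set(row[f] for row in X))
        for a, b in zip(values, values[1:]):
            thr = (a + b) / 2
            left = [yi for row, yi in zip(X, y) if row[f] <= thr]
            right = [yi for row, yi in zip(X, y) if row[f] > thr]
            lv, rv = sum(left) / len(left), sum(right) / len(right)
            sse = sum((yi - lv) ** 2 for yi in left) + sum((yi - rv) ** 2 for yi in right)
            if sse < best_sse:
                best, best_sse = (f, thr, lv, rv), sse
    if best is None:  # every row identical on every feature: predict the mean
        mean = sum(y) / len(y)
        best = (0, float("inf"), mean, mean)
    return best


def predict_stump(stump: Stump, row: Sequence[float]) -> float:
    f, thr, lv, rv = stump
    return lv if row[f] <= thr else rv


def boost(X, y, rounds: int = 2, lr: float = 1.0) -> List[Stump]:
    """Fit base learners one after another, each to the residual of the previous sum."""
    learners: List[Stump] = []
    residual = [float(v) for v in y]
    for _ in range(rounds):
        stump = fit_stump(X, residual)          # fit this base learner
        learners.append(stump)
        residual = [r - lr * predict_stump(stump, row)   # residual for the next learner
                    for r, row in zip(residual, X)]
    return learners


def predict(learners: Sequence[Stump], row: Sequence[float], lr: float = 1.0) -> float:
    return sum(lr * predict_stump(s, row) for s in learners)


def classify(learners: Sequence[Stump], row: Sequence[float]) -> int:
    """1 = abnormal attack access traffic, 0 = normal (assumed 0.5 cut-off)."""
    return 1 if predict(learners, row) >= 0.5 else 0


def mse(learners: Sequence[Stump], X, y) -> float:
    return sum((predict(learners, row) - yi) ** 2 for row, yi in zip(X, y)) / len(y)


def constructed_samples():
    """Constructed samples: (attack confidence, IP reputation) -> 1 only when both are high."""
    X = [[0.9, 0.8], [0.8, 0.9], [0.2, 0.9], [0.1, 0.8],
         [0.9, 0.2], [0.8, 0.1], [0.2, 0.1], [0.1, 0.2]]
    y = [1, 1, 0, 0, 0, 0, 0, 0]
    return X, y


if __name__ == "__main__":
    X, y = constructed_samples()
    first = boost(X, y, rounds=1)
    both = boost(X, y, rounds=2)
    print("after first learner:", mse(first, X, y), " after second:", mse(both, X, y))
```

On these samples a single stump can only split on one feature, so it leaves an error on the rows where the other feature decides; the second stump fitted to that residual splits on the other feature, and the combined model separates all eight rows.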
Optionally, the abnormal traffic attack identification device is further configured to:
Constructing an attack packet corresponding to the network attack type according to the preset network attack type;
acquiring an attack log from the attack packet by packet capture analysis, wherein the attack log contains characteristic information of abnormal attack access traffic;
and extracting the characteristic rule according to the characteristic information.
Optionally, the abnormal traffic attack identification device is further configured to:
inputting the identification result of the access request into a pre-trained abnormal handling decision model to obtain the event judgment probability of the access request, wherein the abnormal handling decision model is obtained by training on the attack confidence, IP reputation, IP region, attack dispersion and attack direction of access requests;
determining a treatment strategy of the access request according to the event judgment probability of the access request and the association relation between a preset treatment strategy and the event judgment probability;
the access request is handled based on the handling policy.
Optionally, the abnormal traffic attack identification device is further configured to:
acquiring a normal access request sample and an abnormal access request sample;
respectively determining attack confidence, IP reputation, IP region, attack dispersion and attack direction of a normal access request sample and an abnormal access request sample;
performing quantitative assignment on the attack confidence, the IP reputation, the IP region, the attack dispersion and the attack direction to respectively obtain input vectors corresponding to the normal access request sample and the abnormal access request sample;
training the genetic optimization fully-connected neural network model according to the input vector to obtain an abnormal handling decision model.
Optionally, the abnormal traffic attack identification device is further configured to:
acquiring the event judgment probability output by the abnormal handling decision model for a normal access request sample or an abnormal access request sample;
calculating the error of the abnormal handling decision model according to that event judgment probability and the true value of the normal access request sample or of the abnormal access request sample;
and iteratively updating the network weight of the abnormal handling decision model based on the error until the error of the abnormal handling decision model is smaller than a preset error threshold.
With the device provided by the embodiment of the application, the access request is identified based on the abnormal attack identification rules included in the nodes of the base learners of the abnormal attack request identification model. Because these rules are trained on normal access request samples and abnormal access request samples, they can be updated as those samples change. This solves the problem in the related art that abnormal attack identification rules are not updated in time for lack of automatic learning capability, and avoids the problem that the rules may fail when the attack means of an abnormal attack event change, thereby improving the accuracy of abnormal traffic attack identification.
Example 4
The embodiment of the application relates to an electronic device, as shown in fig. 6. At the hardware level, the electronic device comprises a processor and, optionally, an internal bus, a network interface and a memory. The memory may include a volatile memory, such as a Random-Access Memory (RAM), and may further include a non-volatile memory, such as at least one disk memory. Of course, the electronic device may also include the hardware required by other services.
The processor, network interface and memory may be interconnected by an internal bus, which may be an ISA (Industry Standard Architecture) bus, a PCI (Peripheral Component Interconnect) bus or an EISA (Extended Industry Standard Architecture) bus, among others. Buses may be classified as address buses, data buses, control buses, etc. For ease of illustration, fig. 5 shows only one double-headed arrow, but this does not mean there is only one bus or one type of bus.
The memory is used for storing programs. In particular, a program may include program code comprising computer-operating instructions. The memory may include volatile memory and non-volatile storage and provides instructions and data to the processor.
The processor reads the corresponding computer program from the nonvolatile memory to the memory and then runs the computer program to form the abnormal flow attack identification device on the logic level. The processor is used for executing the programs stored in the memory and is specifically used for executing the following operations: acquiring an access request to be identified; inputting the access request into a pre-trained abnormal attack request identification model to obtain an output result; the abnormal attack request recognition model is obtained by training a normal access request sample and an abnormal access request sample through a gradient lifting tree model, and the nodes of the base learner of the abnormal attack request recognition model comprise abnormal attack recognition rules obtained by training the normal access request sample and the abnormal access request sample; and identifying whether the access request is abnormal attack access flow according to the output result.
Optionally, before the access request is input into the pre-trained abnormal attack request identification model to obtain the output result, the method is further used for:
training a first base learner of the gradient lifting tree model based on a training set to obtain a trained first base learner, wherein the training sample set comprises a normal access request sample and an abnormal access request sample;
calculating the residual error of the trained first base learner;
performing fitting training on the second base learner of the gradient lifting tree model according to the residual error to obtain a second base learner after fitting training;
and obtaining an abnormal attack request identification model based on the fitted second base learner.
Optionally, before training the first base learner of the gradient lifting tree model based on the training set to obtain the trained first base learner, the method is further used for:
constructing an attack packet corresponding to the network attack type according to the preset network attack type;
acquiring an attack log from the attack packet by packet capture analysis, wherein the attack log contains characteristic information of abnormal attack access traffic;
and extracting the characteristic rule according to the characteristic information.
Optionally, the method is further used for: inputting the identification result of the access request into a pre-trained abnormal handling decision model to obtain the event judgment probability of the access request, wherein the abnormal handling decision model is obtained by training on the attack confidence, IP reputation, IP region, attack dispersion and attack direction of access requests; determining a treatment strategy of the access request according to the event judgment probability of the access request and the association relation between a preset treatment strategy and the event judgment probability; and handling the access request based on the handling policy.
Optionally, before inputting the identification result of the access request into the pre-trained abnormal handling decision model to obtain the event judgment probability of the access request, the method is further used for:
acquiring a normal access request sample and an abnormal access request sample;
respectively determining attack confidence, IP reputation, IP region, attack dispersion and attack direction of a normal access request sample and an abnormal access request sample;
performing quantitative assignment on the attack confidence, the IP reputation, the IP region, the attack dispersion and the attack direction to respectively obtain input vectors corresponding to the normal access request sample and the abnormal access request sample;
training the genetic optimization fully-connected neural network model according to the input vector to obtain an abnormal handling decision model.
Optionally, the method is further used for: acquiring the event judgment probability output by the abnormal handling decision model for a normal access request sample or an abnormal access request sample; calculating the error of the abnormal handling decision model according to that event judgment probability and the true value of the normal access request sample or of the abnormal access request sample; and iteratively updating the network weights of the abnormal handling decision model based on the error until the error of the model is smaller than a preset error threshold.
The abnormal traffic attack identification method provided by the specification can be applied to a processor or realized by a processor. The processor may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in the processor or by instructions in the form of software. The processor may be a general-purpose processor, including a central processing unit (Central Processing Unit, CPU), a network processor (Network Processor, NP), etc.; it may also be a digital signal processor (Digital Signal Processor, DSP), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, discrete gate or transistor logic device, or discrete hardware component. The various methods, steps and logic blocks disclosed in the embodiments of this specification may be implemented or performed by it. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The steps of a method disclosed in connection with the embodiments of the present specification may be embodied directly in hardware, in a decoding processor, or in a combination of hardware and software modules in a decoding processor. The software modules may be located in a random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, registers, or another storage medium well known in the art. The storage medium is located in the memory, and the processor reads the information in the memory and, in combination with its hardware, performs the steps of the above method.
The embodiments of the present specification also propose a computer-readable storage medium storing one or more programs, the one or more programs comprising instructions, which when executed by an electronic device comprising a plurality of application programs, enable the electronic device to perform an abnormal traffic attack identification method, and in particular to perform:
acquiring an access request to be identified; inputting the access request into a pre-trained abnormal attack request identification model to obtain an output result; the abnormal attack request recognition model is obtained by training a normal access request sample and an abnormal access request sample through a gradient lifting tree model, and the nodes of the base learner of the abnormal attack request recognition model comprise abnormal attack recognition rules obtained by training the normal access request sample and the abnormal access request sample; and identifying whether the access request is abnormal attack access flow according to the output result.
Optionally, before the access request is input into the pre-trained abnormal attack request identification model to obtain the output result, the method is further used for:
training a first base learner of the gradient lifting tree model based on a training set to obtain a trained first base learner, wherein the training sample set comprises a normal access request sample and an abnormal access request sample;
calculating the residual error of the trained first base learner;
performing fitting training on the second base learner of the gradient lifting tree model according to the residual error to obtain a second base learner after fitting training;
and obtaining an abnormal attack request identification model based on the fitted second base learner.
Optionally, before training the first base learner of the gradient lifting tree model based on the training set to obtain the trained first base learner, the method is further used for:
constructing an attack packet corresponding to the network attack type according to the preset network attack type;
acquiring an attack log from the attack packet by packet capture analysis, wherein the attack log contains characteristic information of abnormal attack access traffic;
and extracting the characteristic rule according to the characteristic information.
Optionally, the method is further used for: inputting the identification result of the access request into a pre-trained abnormal handling decision model to obtain the event judgment probability of the access request, wherein the abnormal handling decision model is obtained by training on the attack confidence, IP reputation, IP region, attack dispersion and attack direction of access requests; determining a treatment strategy of the access request according to the event judgment probability of the access request and the association relation between a preset treatment strategy and the event judgment probability; and handling the access request based on the handling policy.
Optionally, before inputting the identification result of the access request into the pre-trained abnormal handling decision model to obtain the event judgment probability of the access request, the method is further used for:
acquiring a normal access request sample and an abnormal access request sample;
respectively determining attack confidence, IP reputation, IP region, attack dispersion and attack direction of a normal access request sample and an abnormal access request sample;
performing quantitative assignment on the attack confidence, the IP reputation, the IP region, the attack dispersion and the attack direction to respectively obtain input vectors corresponding to the normal access request sample and the abnormal access request sample;
training the genetic optimization fully-connected neural network model according to the input vector to obtain an abnormal handling decision model.
Optionally, the method is further used for: acquiring the event judgment probability output by the abnormal handling decision model for a normal access request sample or an abnormal access request sample; calculating the error of the abnormal handling decision model according to that event judgment probability and the true value of the normal access request sample or of the abnormal access request sample; and iteratively updating the network weights of the abnormal handling decision model based on the error until the error of the model is smaller than a preset error threshold.
The system, apparatus, module or unit set forth in the above embodiments may be implemented in particular by a computer chip or entity, or by a product having a certain function. One typical implementation is a computer.
For convenience of description, the above devices are described as being functionally divided into various units, respectively. Of course, the functions of each element may be implemented in one or more software and/or hardware elements when implemented in the present specification.
It will be apparent to one of ordinary skill in the art that embodiments of the present description may be provided as a method, apparatus, or computer program product. Accordingly, the present specification may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present description can take the form of a computer program product on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
The present description is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the specification. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, such as Random Access Memory (RAM), and/or non-volatile memory, such as Read-Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data.
It should also be noted that the terms "comprises", "comprising" or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
In this specification, each embodiment is described in a progressive manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments. In particular, for system embodiments, since they are substantially similar to method embodiments, the description is relatively simple, as relevant to see a section of the description of method embodiments.

Claims (10)

1. An abnormal traffic attack identification method, comprising:
acquiring an access request to be identified;
inputting the access request into an abnormal attack request identification model which is obtained through pre-training, and obtaining an output result; the abnormal attack request identification model is obtained by training a normal access request sample and an abnormal access request sample through a gradient lifting tree model, and nodes of a base learner of the abnormal attack request identification model comprise abnormal attack identification rules obtained by training the normal access request sample and the abnormal access request sample;
and identifying whether the access request is abnormal attack access flow according to the output result.
2. The method of claim 1, wherein prior to inputting the access request into a pre-trained anomaly attack request recognition model to obtain an output result, the method further comprises:
training the first base learner of the gradient lifting tree model based on a training set to obtain a trained first base learner, wherein the training sample set comprises the normal access request sample and the abnormal access request sample;
calculating the residual error of the trained first base learner;
performing fitting training on a second base learner of the gradient lifting tree model according to the residual error to obtain a second base learner after fitting training;
and obtaining the abnormal attack request identification model based on the fitted second base learner.
3. The method of claim 2, wherein prior to training the first base learner of the gradient lifting tree model based on a training set to obtain a trained first base learner, the method further comprises:
constructing an attack packet corresponding to a network attack type according to the preset network attack type;
acquiring an attack log from the attack packet by packet capture analysis, wherein the attack log contains characteristic information of abnormal attack access traffic;
and extracting the characteristic rule according to the characteristic information.
4. The method of claim 1, wherein the method further comprises:
inputting the identification result of the access request into a pre-trained abnormal handling decision model to obtain the event judgment probability of the access request, wherein the abnormal handling decision model is obtained by training on the attack confidence, IP reputation, IP region, attack dispersion and attack direction of access requests;
determining a treatment strategy of the access request according to the event judgment probability of the access request and the association relation between a preset treatment strategy and the event judgment probability;
and processing the access request based on the processing policy.
5. The method of claim 4, wherein, before inputting the recognition result of the access request into the pre-trained abnormal handling decision model to obtain the event judgment probability of the access request, the method further comprises:
acquiring the normal access request sample and the abnormal access request sample;
determining the attack confidence, IP reputation, IP region, attack dispersion and attack direction of the normal access request sample and of the abnormal access request sample respectively;
assigning quantitative values to the attack confidence, IP reputation, IP region, attack dispersion and attack direction to obtain input vectors corresponding to the normal access request sample and to the abnormal access request sample respectively;
and training a genetically optimized fully connected neural network model on the input vectors to obtain the abnormal handling decision model.
6. The method of claim 5, further comprising:
acquiring the event judgment probability output by the abnormal handling decision model for the normal access request sample or the abnormal access request sample;
calculating an error of the abnormal handling decision model from the event judgment probability and the true value of the normal access request sample or of the abnormal access request sample;
and iteratively updating the network weights of the abnormal handling decision model according to the error until the error of the abnormal handling decision model is smaller than a preset error threshold.
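Claims 4 to 6 together describe the handling side: five features of a request are assigned numeric values to form an input vector, a decision model maps that vector to an event judgment probability, the probability selects a handling policy from a preset table, and training repeats weight updates until the error against the true labels falls under a threshold. The Python below is an added example illustrating all three claims; it is not the patent's code. It assumes constructed encodings for the categorical features, constructed probability bands for the policy table, constructed labelled samples, and a single sigmoid unit trained by plain gradient descent in place of the genetically optimized fully connected network the claims specify.

```python
"""Abnormal handling decision model: quantize features, train to an error threshold,
map the event judgment probability to a handling policy (added example)."""
import math
from typing import Dict, List, Tuple

# Quantitative assignment of each feature to [0, 1]. Constructed assumptions: the
# claims name the five features but not their numeric encodings.
IP_REPUTATION = {"good": 0.0, "unknown": 0.5, "bad": 1.0}
IP_REGION = {"internal": 0.0, "partner": 0.5, "external": 1.0}
ATTACK_DIRECTION = {"outbound": 0.0, "inbound": 1.0}


def quantize(sample: Dict) -> List[float]:
    """Input vector for one access request (claim 5: quantitative assignment)."""
    return [
        float(sample["attack_confidence"]),                # recognition-model confidence, 0..1
        IP_REPUTATION[sample["ip_reputation"]],
        IP_REGION[sample["ip_region"]],
        min(sample["attack_dispersion"] / 100.0, 1.0),    # distinct targets touched, capped at 100
        ATTACK_DIRECTION[sample["attack_direction"]],
    ]


# Constructed labelled samples (1 = confirmed abnormal, 0 = normal), not from the patent.
SAMPLES: List[Tuple[Dict, int]] = [
    (dict(attack_confidence=0.95, ip_reputation="bad", ip_region="external", attack_dispersion=80, attack_direction="inbound"), 1),
    (dict(attack_confidence=0.90, ip_reputation="unknown", ip_region="external", attack_dispersion=50, attack_direction="inbound"), 1),
    (dict(attack_confidence=0.85, ip_reputation="bad", ip_region="partner", attack_dispersion=30, attack_direction="inbound"), 1),
    (dict(attack_confidence=0.10, ip_reputation="good", ip_region="internal", attack_dispersion=1, attack_direction="outbound"), 0),
    (dict(attack_confidence=0.20, ip_reputation="good", ip_region="internal", attack_dispersion=2, attack_direction="inbound"), 0),
    (dict(attack_confidence=0.25, ip_reputation="good", ip_region="partner", attack_dispersion=3, attack_direction="inbound"), 0),
    (dict(attack_confidence=0.05, ip_reputation="unknown", ip_region="external", attack_dispersion=1, attack_direction="outbound"), 0),
]

# Preset association between event judgment probability and handling policy (claim 4).
# The bands are constructed; the claims only state that such an association is preset.
POLICY_BANDS = [(0.8, "block"), (0.4, "alert"), (0.0, "allow")]


def handling_policy(probability: float) -> str:
    for lower_bound, policy in POLICY_BANDS:
        if probability >= lower_bound:
            return policy
    return "allow"


class HandlingDecisionModel:
    """One sigmoid unit trained by gradient descent (substituted for the claims'
    genetically optimized fully connected network; the stopping rule is claim 6's)."""

    def __init__(self, n_features: int, learning_rate: float = 0.5):
        self.w = [0.0] * n_features
        self.b = 0.0
        self.lr = learning_rate

    def probability(self, x: List[float]) -> float:
        z = sum(wi * xi for wi, xi in zip(self.w, x)) + self.b
        return 1.0 / (1.0 + math.exp(-z))

    def error(self, xs: List[List[float]], ys: List[float]) -> float:
        """Mean squared error between output probability and true value."""
        return sum((self.probability(x) - y) ** 2 for x, y in zip(xs, ys)) / len(xs)

    def train(self, xs: List[List[float]], ys: List[float],
              error_threshold: float = 0.005, max_epochs: int = 50000) -> int:
        """Iteratively update weights until the error is below the threshold; returns epochs used."""
        epochs = 0
        while self.error(xs, ys) >= error_threshold and epochs < max_epochs:
            for x, y in zip(xs, ys):
                grad = self.probability(x) - y       # d(log loss)/dz for a sigmoid unit
                self.w = [wi - self.lr * grad * xi for wi, xi in zip(self.w, x)]
                self.b -= self.lr * grad
            epochs += 1
        return epochs


def train_decision_model() -> HandlingDecisionModel:
    xs = [quantize(s) for s, _ in SAMPLES]
    ys = [float(y) for _, y in SAMPLES]
    model = HandlingDecisionModel(n_features=5)
    model.train(xs, ys)
    return model


def decide(model: HandlingDecisionModel, sample: Dict) -> Tuple[float, str]:
    """Event judgment probability and the handling policy it selects."""
    p = model.probability(quantize(sample))
    return p, handling_policy(p)


if __name__ == "__main__":
    m = train_decision_model()
    for s, y in SAMPLES:
        print(y, "%.3f" % decide(m, s)[0], decide(m, s)[1])
```

The error threshold is what makes the stopping rule meaningful: with seven samples, a mean squared error under 0.005 bounds every individual probability to within about 0.19 of its label, so every training sample lands in the "block" or "allow" band rather than the "alert" band, and a request with middling confidence and an unknown source will land in "alert" for an analyst instead of being blocked outright.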
7. An abnormal traffic attack identification device, comprising an acquisition module, an input module and an identification module, wherein:
the acquisition module is configured to acquire an access request to be identified;
the input module is configured to input the access request into a pre-trained abnormal attack request recognition model to obtain an output result, wherein the abnormal attack request recognition model is obtained by training a gradient boosting tree model on a normal access request sample and an abnormal access request sample, and the nodes of the base learners of the abnormal attack request recognition model comprise abnormal attack identification rules obtained by training on the normal access request sample and the abnormal access request sample;
and the identification module is configured to identify, according to the output result, whether the access request is abnormal attack access traffic.
8. The device of claim 7, further configured to:
train a first base learner of the gradient boosting tree model on a training sample set to obtain a trained first base learner, wherein the training sample set comprises the normal access request sample and the abnormal access request sample;
calculate the residual of the trained first base learner;
fit a second base learner of the gradient boosting tree model to the residual to obtain a fitted second base learner;
and obtain the abnormal attack request recognition model from the fitted second base learner.
9. An electronic device, comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the computer program, when executed by the processor, implements the steps of the abnormal traffic attack identification method according to any one of claims 1 to 6.
10. A computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the abnormal traffic attack identification method according to any one of claims 1 to 6.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210377907.4A CN116961926A (en) 2022-04-12 2022-04-12 Abnormal traffic attack identification method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116961926A (en) 2023-10-27

Family

ID=88455141

Country Status (1)

Country Link
CN (1) CN116961926A (en)
Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117455890A (en) * 2023-11-20 2024-01-26 浙江大学 Child intussusception air enema result prediction device based on improved integrated deep learning
CN117455890B (en) * 2023-11-20 2024-05-31 浙江大学 Child intussusception air enema result prediction device based on improved integrated deep learning


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination