CN117220920A - Firewall policy management method based on artificial intelligence - Google Patents
- Publication number: CN117220920A (application CN202311056683.8A)
- Authority: CN (China)
- Legal status: Pending
Abstract
The application relates to a firewall policy management method based on artificial intelligence. It analyses the characteristics of abnormal traffic in depth and proposes a multidimensional entropy approximate efficient estimation algorithm, which reduces the time and space complexity of entropy calculation and improves the ability of an entropy sequence to distinguish anomalies. On the basis of correlation analysis, each detection statistic is modelled with a support vector regression machine and an optimal detection threshold is predicted; a multi-window correlation detection algorithm makes full use of the correlation of abnormal trends, improving the detection precision of a single detection system. A random forest, an OC-SVM classifier and an online incremental/decremental training method are adopted, which improves detection precision, reduces dependence on users and avoids security defects. By studying an intelligent diagnosis and prediction model based on wavelet packet analysis and a two-dimensional matrix, context-correlated detection analysis of security event data and accurate prediction of long-duration threat attacks are achieved even with no or few samples.
Description
Technical Field
The application relates to the technical field of computers, in particular to a firewall policy management method based on artificial intelligence.
Background
In recent years, with the strong computing power of hardware and the growing volume of data, deep learning has been applied to research in cyberspace security, and in particular has provided a set of effective model construction methods for malware detection and intrusion detection. Applied to the multidimensional complex systems of industrial field computing, network, control and physical environments, deep learning fuses data from traditional network facilities (backbone network nodes, user networks and user terminals) with industrial field systems, achieving intelligent diagnosis of security threats across global asset, traffic, log, boundary and link data, so that unknown threats and potentially risky behaviour are effectively identified and predicted.
Applying the fusion of large-scale industrial control networks and deep learning under this global trend is highly challenging in the field of cyberspace security, and the serious scientific problems are as follows: the multi-layer network must be made compatible through protocols, so that the complex network structure is simplified and adaptability improved; because samples are single and the system is complex, the data samples differ, samples are uneven and the recognition rate is low; modelling capability and modelling efficiency are low, and the real-time requirement of industrial control network behaviour prediction is not met.
Disclosure of Invention
To address the technical problems in the prior art, the application provides a firewall policy management method based on artificial intelligence, aimed at solving the problems that, in the prior art, the samples of a multi-layer network are single, the complex system causes data samples to differ, samples are uneven, the recognition rate is low, modelling efficiency is low, and the real-time requirement of industrial control network behaviour prediction is not met.
The present application solves the above technical problems as follows. In a first aspect, an embodiment of the present application provides a firewall policy management method based on artificial intelligence, the method comprising:
step S1, acquiring multi-dimensional heterogeneous data in an industrial control network, wherein the multi-dimensional heterogeneous data is network flow data of a multi-layer network in the industrial control network, and the multi-layer network comprises backbone network nodes, user networks and user terminals;
step S2, determining time sequence data of each network flow data in a time window, performing anomaly detection on the time sequence data through a classification model, dividing the time sequence data into anomaly data and normal data, and extracting multi-dimensional security events in the time sequence data;
step S3, constructing a data context feature set according to the abnormal data and the normal data, constructing an intelligent diagnosis prediction model based on wavelet packet analysis and a two-dimensional matrix, performing model training on the intelligent diagnosis prediction model based on the multi-dimensional security events and the data context feature set, and performing intelligent diagnosis and prediction of security threats to the industrial control network based on the trained intelligent diagnosis prediction model.
Preferably, in step S2, the method further includes:
for backbone network nodes, determining the common characteristics of the network traffic data based on a multidimensional entropy approximate estimation algorithm; based on the correlation between the entropy sequences of the network traffic data, arranging the multidimensional entropy sequences of each time window into detection vectors; classifying the detection vectors with a detection vector classification algorithm based on an OC-SVM; and, for detection vectors whose misclassification proportion is greater than a preset proportion threshold, performing comprehensive detection at a plurality of subsequent time instants with an acquisition precision optimization algorithm.
Preferably, in the step S2, the multi-dimensional entropy sequence includes one or more of the following: a source IP dimension entropy sequence, a destination IP dimension entropy sequence, a source port dimension entropy sequence, a destination port dimension entropy sequence and an IP packet length dimension entropy sequence.
Preferably, the step S1 specifically includes:
collecting multidimensional heterogeneous data in the industrial control network over the IPv4/IPv6 protocols and the Modbus/S7 industrial protocols; automatically extracting the data in classified, multithreaded fashion based on a predetermined extraction and format conversion rule base; and performing data format conversion, processing and analysis according to a Hadoop big data method to obtain a unified data format.
Preferably, in the step S2, the classification model includes a random forest classifier and an SVM classifier;
and carrying out anomaly detection on the time sequence data through a classification model, wherein the method specifically comprises the following steps:
constructing a detection engine comprising a plurality of anomaly detection systems; modelling the detection statistic of each anomaly detection system with a support vector regression machine and predicting an optimal detection threshold; determining the detection capability of each detection statistic with an information gain method, and using that detection capability as the weight of the corresponding anomaly detection system;
performing primary classification and feature combination on the time sequence data with the random forest classifier, performing secondary classification on the combined features with the SVM classifier, combining the secondarily classified features according to the weights of the anomaly detection systems, and inputting the combined features into the detection engine.
Preferably, the multi-dimensional security events comprise one or more of the following: abnormal network connections, compromised-host ("broiler") behaviour, Trojan back-connections, unauthorized downloads, brute-force cracking, WebShell, DDoS, worm viruses and unknown threats.
Preferably, constructing the data context feature set according to the abnormal data and the normal data specifically includes:
determining a conversion mechanism of the implicit feature vector based on the initialized feature vector, so as to generate a data context feature set of the multi-dimensional security events of the multi-layer network.
In a second aspect, an embodiment of the present application provides the following technical solution: a firewall policy management system based on artificial intelligence, comprising:
an acquisition module, configured to acquire multidimensional heterogeneous data in an industrial control network, wherein the multidimensional heterogeneous data is network traffic data of a multi-layer network in the industrial control network, and the multi-layer network comprises backbone network nodes, user networks and user terminals;
the classifier module is used for determining time sequence data of each network flow data in a time window, performing anomaly detection on the time sequence data through a classification model, dividing the time sequence data into anomaly data and normal data, and extracting multi-dimensional security events in the time sequence data;
an anomaly detection module, configured to determine a conversion mechanism of the implicit feature vector based on a gradient-descent implicit feature vector learning mechanism and an initialized feature vector, so as to generate a complete feature set of the multi-dimensional security events of the multi-layer network; and to construct an intelligent diagnosis prediction model based on wavelet packet analysis and a two-dimensional matrix, train the model on the multidimensional security events and the complete feature set, and perform intelligent diagnosis and prediction of security threats to the industrial control network with the trained model.
In a third aspect, the present application provides a technical solution as follows: an electronic device, comprising:
a memory for storing a computer software program;
and the processor is used for reading and executing the computer software program so as to realize the firewall policy management method based on artificial intelligence according to the embodiment of the first aspect.
In a fourth aspect, the present application provides a technical solution as follows: a non-transitory computer readable storage medium having stored therein a computer software program for implementing the artificial intelligence based firewall policy management method according to an embodiment of the first aspect.
The beneficial effects of the application are as follows. The characteristics of abnormal traffic are analysed in depth and a multidimensional entropy approximate efficient estimation algorithm is proposed, which reduces the time and space complexity of entropy calculation and improves the ability of an entropy sequence to distinguish anomalies. Because entropy sequences are correlated, the multidimensional entropy sequence of each time window is arranged into a detection vector, and an OC-SVM classification method improves detection precision and generalization. When an anomaly occurs, the detection vectors of adjacent windows show a similar trend of change, and a corresponding detection precision optimization method is provided. On the basis of correlation analysis, each detection statistic is modelled with a support vector regression machine and an optimal detection threshold is predicted; the multi-window correlation detection algorithm makes full use of the correlation of abnormal trends, improving the detection precision of a single detection system. A random forest, an OC-SVM classifier and an online incremental/decremental training method are adopted, which improves detection precision, reduces dependence on users and avoids security defects. A complete reference feature set production mechanism is provided: an implicit feature vector learning mechanism based on gradient descent is explored, an implicit feature conversion mechanism based on an initialized feature vector is studied, and a complete feature set integrating the security events of the multi-layer network (backbone network nodes, user networks and user terminals) is generated. By studying an intelligent diagnosis prediction model based on wavelet packet analysis and a two-dimensional matrix, context-correlated detection analysis of security event data and accurate prediction of long-duration threat attacks are achieved with no or few samples. A feedback optimization mechanism is established to optimize the model continuously.
Drawings
FIG. 1 is a flowchart of a firewall policy management method based on artificial intelligence according to an embodiment of the application;
FIG. 2 is a diagram illustrating a multi-level network data automated acquisition and data processing technique according to an embodiment of the present application;
FIG. 3 is a schematic diagram of efficient collection and data processing of multi-level network data according to an embodiment of the present application;
FIG. 4 is a diagram illustrating a time series based data classification and anomaly detection technique according to an embodiment of the present application;
FIG. 5 is a schematic diagram of time series based data classification and anomaly detection in accordance with an embodiment of the present application;
FIG. 6 is a diagram illustrating a predictive engine technique based on time series data in accordance with an embodiment of the application;
FIG. 7 is a schematic diagram of intelligent diagnosis based on deep learning according to an embodiment of the present application;
FIG. 8 is a schematic diagram of an embodiment of an electronic device provided by the present application;
FIG. 9 is a schematic diagram of an embodiment of a computer readable storage medium according to the present application.
Detailed Description
The principles and features of the present application are described below with reference to the drawings; the examples are given to illustrate the application and are not to be construed as limiting its scope.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments.
The field of cyberspace security is extremely challenging, and the significant scientific problems that exist are as follows: the multi-layer network must be made compatible through protocols, so that the complex network structure is simplified and adaptability improved; because samples are single and the system is complex, the data samples differ, samples are uneven and the recognition rate is low; modelling capability and modelling efficiency are low, and the real-time requirement of industrial control network behaviour prediction is not met.
Therefore, embodiments of the application provide a firewall policy management method and system based on artificial intelligence. Aimed at collaborative attack events, the method proceeds through four stages: data collection and preprocessing, model training and verification, security event prediction, and prediction performance monitoring. Historical events serve as the initial input, a probability distribution over the next event is predicted and, given the resulting ordering, the event with the highest probability is selected as the prediction result. To maintain prediction accuracy, prediction performance monitoring tracks whether each reported prediction matched the actual event, and if the accuracy falls below a certain threshold the system automatically retrains the model. The method and system are described below with reference to the accompanying drawings.
FIG. 1 to FIG. 7 illustrate a firewall policy management method based on artificial intelligence according to an embodiment of the application. As shown in FIG. 1, the method includes:
step S1, acquiring multi-dimensional heterogeneous data in an industrial control network, wherein the multi-dimensional heterogeneous data is network flow data of a multi-layer network in the industrial control network, and the multi-layer network comprises backbone network nodes, user networks and user terminals.
As shown in FIG. 2, in this embodiment multidimensional heterogeneous data in the industrial control network is collected over the IPv4/IPv6 protocols and the Modbus/S7 industrial protocols. Common feature extraction of the multi-source, multidimensional heterogeneous data is achieved by studying the distribution mode and data types of the multi-level network data and the traffic collection mode; feature extraction rules for each kind of heterogeneous data are established; the data is extracted automatically in classified, multithreaded fashion; and data format conversion, processing and analysis are performed with Hadoop big data technology, so that a unified, standard data format is obtained.
As shown in FIG. 3, to fuse data from traditional network facilities such as backbone network nodes, user networks and user terminals with the industrial field system, a data extraction and format conversion rule base is first constructed. A mechanism for automatic data acquisition and processing is explored, and an acquisition engine that intelligently identifies multi-level network protocols is built. A cleaning and classification method for multi-modal, massive, multi-dimensional heterogeneous data is studied: a time-series-based data cleaning framework is constructed, a data cleaning and multi-layer fusion ordering model is implemented, and a storage framework for massive multi-dimensional heterogeneous traffic data is built on a TSDB (Time Series Database), producing high-quality traffic data.
Step S2, determining time sequence data of each network flow data in a time window, performing anomaly detection on the time sequence data through a classification model, dividing the time sequence data into anomaly data and normal data, and extracting multi-dimensional security events in the time sequence data.
In this embodiment, a multidimensional entropy efficient approximate calculation algorithm extracts the common features of multi-modal massive data in network traffic, building on an analysis of the principles of large-scale network attacks such as worms and DDoS (Distributed Denial of Service). A detection vector classification algorithm based on OC-SVM is explored; detection vectors that may have been misclassified are comprehensively detected at subsequent time instants with an acquisition precision optimization algorithm; a time-series-based multi-layer fusion anomaly detection framework is implemented; and a high-quality anomaly knowledge graph is generated on the basis of accurately identified anomaly data. For the application requirement of anomaly detection on the high-speed bandwidth of backbone network nodes, the characteristics of abnormal traffic are analysed in depth and a multidimensional entropy approximate efficient estimation algorithm is proposed, which reduces the time and space complexity of entropy calculation and improves the ability of an entropy sequence to distinguish anomalies. Because entropy sequences are correlated, the multidimensional entropy sequence of each time window is arranged into a detection vector, and an OC-SVM classification method improves detection precision and generalization. When an anomaly occurs, the detection vectors of adjacent windows show a similar trend of change, and a corresponding detection precision optimization method is provided.
As shown in FIG. 4, for backbone network nodes, the common characteristics of the network traffic data are determined with a multidimensional entropy approximate estimation algorithm; based on the correlation between the entropy sequences of the network traffic data, the multidimensional entropy sequences of each time window are arranged into detection vectors; detection vectors whose misclassification ratio exceeds a preset ratio threshold are identified by an OC-SVM-based detection vector classification algorithm; and an acquisition accuracy optimization algorithm performs comprehensive detection on them at a plurality of subsequent time instants.
The multi-dimensional entropy sequence includes one or more of: a source IP dimension entropy sequence, a destination IP dimension entropy sequence, a source port dimension entropy sequence, a destination port dimension entropy sequence and an IP packet length dimension entropy sequence.
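The following is an added example, not code from the patent, illustrating the per-window entropy detection vectors described in step S2 (both in the Disclosure and in the FIG. 4 description). It computes the five entropy dimensions exactly rather than with the patent's approximate estimator, uses a z-score outlier rule as a stand-in for the OC-SVM classifier, and applies the adjacent-window trend check that the detection precision optimization relies on. The window length, the flow record fields, the constructed flow data and the flood target address 10.1.0.1 are assumptions made for the example.

```python
"""Per-window multidimensional entropy detection vectors (added example)."""
import math
import random
from collections import Counter
from typing import Dict, Iterable, List, Sequence, Set, Tuple

# The five entropy dimensions named in the claims.
DIMENSIONS = ("src_ip", "dst_ip", "src_port", "dst_port", "pkt_len")
WINDOW = 60  # assumed window length in seconds; the patent does not fix one


def shannon_entropy(values: Iterable) -> float:
    """Exact Shannon entropy in bits of the empirical distribution of values."""
    counts = Counter(values)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def detection_vectors(flows: Sequence[dict]) -> List[Tuple[float, ...]]:
    """Group flow records by time window; one entropy per dimension forms the
    window's detection vector. Windows are returned in chronological order."""
    by_window: Dict[int, List[dict]] = {}
    for f in flows:
        by_window.setdefault(f["ts"] // WINDOW, []).append(f)
    return [tuple(shannon_entropy(r[d] for r in by_window[w]) for d in DIMENSIONS)
            for w in sorted(by_window)]


def zscore_outliers(vectors: Sequence[Tuple[float, ...]], n_baseline: int,
                    k: float = 3.0) -> Set[int]:
    """Stand-in for the OC-SVM one-class classifier: the first n_baseline
    windows are treated as normal, and a window is flagged when any dimension
    lies more than k baseline standard deviations from the baseline mean."""
    base = vectors[:n_baseline]
    dims = range(len(DIMENSIONS))
    mean = [sum(v[i] for v in base) / len(base) for i in dims]
    std = [math.sqrt(sum((v[i] - mean[i]) ** 2 for v in base) / len(base)) for i in dims]
    return {w for w, v in enumerate(vectors)
            if any(abs(v[i] - mean[i]) / max(std[i], 1e-9) > k for i in dims)}


def confirm_adjacent(flagged: Set[int]) -> Set[int]:
    """Multi-window trend check: an anomaly is confirmed only when a
    neighbouring window is flagged too, which suppresses one-off outliers."""
    return {w for w in flagged if w - 1 in flagged or w + 1 in flagged}


def constructed_flows(attack_windows: Sequence[int] = (), n_windows: int = 8,
                      seed: int = 7) -> List[dict]:
    """Constructed sample data: 200 normal flows per window from 20 hosts to 10
    servers, plus a 2000-flow flood from many spoofed sources to one Modbus
    endpoint (assumed address 10.1.0.1, port 502) in each attack window."""
    rng = random.Random(seed)
    hosts = [f"10.0.0.{i}" for i in range(1, 21)]
    servers = [f"10.1.0.{i}" for i in range(1, 11)]
    flows: List[dict] = []
    for w in range(n_windows):
        for _ in range(200):
            flows.append({"ts": w * WINDOW + rng.randrange(WINDOW),
                          "src_ip": rng.choice(hosts), "dst_ip": rng.choice(servers),
                          "src_port": rng.randrange(49152, 65536),
                          "dst_port": rng.choice([502, 102, 443, 22]),
                          "pkt_len": rng.choice([64, 128, 256, 512, 1500])})
        for _ in range(2000 if w in attack_windows else 0):
            flows.append({"ts": w * WINDOW + rng.randrange(WINDOW),
                          "src_ip": f"198.51.100.{rng.randrange(256)}",
                          "dst_ip": "10.1.0.1", "src_port": rng.randrange(1024, 65536),
                          "dst_port": 502, "pkt_len": 64})
    return flows


def detect(flows: Sequence[dict], n_baseline: int = 6) -> Tuple[Set[int], Set[int]]:
    """Return (flagged windows, windows confirmed by the adjacent-window check)."""
    flagged = zscore_outliers(detection_vectors(flows), n_baseline)
    return flagged, confirm_adjacent(flagged)


if __name__ == "__main__":
    print(detect(constructed_flows(attack_windows=(6, 7))))  # ({6, 7}, {6, 7})
```

Because the baseline standard deviation is computed over the baseline windows themselves, no baseline window can exceed |z| = sqrt(n_baseline - 1), so k = 3 with six baseline windows cannot produce a false positive on the baseline. The flood drives the destination-IP, destination-port and packet-length entropies towards zero while raising the source-IP and source-port entropies, which is exactly the multi-dimensional signature the detection vector is meant to capture. Replacing zscore_outliers with a one-class SVM trained on the baseline vectors would reproduce the patent's classifier.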
As shown in FIG. 5, when analysing and detecting the traffic of a large-scale industrial control network, some measurement method is generally used to describe the normal mode of the network traffic, and an anomaly is considered to have occurred when the observed traffic deviates far from that normal mode; the core of such a method is the selection of traffic characteristics and the measurement of traffic with suitable statistics (time series). The present embodiment focuses on the comprehensive detection of multiple sequences and the combined application of data mining techniques. Detecting anomalies by applying statistical or classification methods to the time series of statistics related to many network flows is widely used, and applying a classifier to multiple time series scales well and suits anomaly detection on high-speed networks. The method learns a classification model from a given training data set by a statistical or machine learning method, classifies the collected samples with that model, separates abnormal conditions from normal conditions, and thereby achieves anomaly detection.
For industrial protocols such as IPv4/IPv6 and Modbus/S7, different anomaly detection systems adopt different detection measures with different detection capabilities, but their detection statistics are more or less correlated. Analysis of the detection statistics of several typical anomaly detection systems shows that, under normal conditions, a detection statistic can be described by a random process, and that the influence of an anomaly on network traffic is continuous. In addition, there is a correlation between different detection statistics in both normal and abnormal situations. On the basis of correlation analysis, each detection statistic is modelled with a support vector regression machine and an optimal detection threshold is predicted; the multi-window correlation detection algorithm makes full use of the correlation of abnormal trends, improving the detection precision of a single detection system; a multi-measure association detection algorithm is proposed to fuse the results of a plurality of anomaly detection systems; and, for the difficulty of determining weights in the proposed algorithm, the detection capability of each detection statistic is described with an information gain method and used as the weight of the corresponding detection system.
In this embodiment, the construction of classification vectors in the traffic anomaly detection system, the selection of the classifier and the training of the classifier strongly affect the detection precision of the system. The problems arising in the use of classifiers are analysed from four angles, detection precision, operating efficiency, security and usability, and it is proposed to adopt a random forest, a single-class support vector machine (OC-SVM) classifier and an online incremental/decremental training method to improve detection precision effectively: the time series data is first classified and feature-combined by the random forest classifier, the combined features are classified a second time by the SVM (Support Vector Machine) classifier, and the secondarily classified features are combined according to the weights of the anomaly detection systems and input to the detection engine, which reduces dependence on users and avoids security defects. For the drift characteristic of network traffic, an adaptive incremental/decremental online training algorithm is proposed first, and abnormal samples are then removed during the online operation of the system, which effectively improves the accuracy of the classifier.
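The following is an added example, not code from the patent, of the weighting step described above: the information gain of each detection system's verdict with respect to the true label is computed on a labelled evaluation history, normalised into weights, and used to fuse the systems' verdicts for a new window. The detector names, the evaluation history and the 0.5 vote threshold are constructed for the example.

```python
"""Information-gain weights for fusing several anomaly detectors (added example)."""
import math
from collections import Counter
from typing import Dict, Sequence


def entropy(labels: Sequence[int]) -> float:
    """Shannon entropy in bits of a label sequence."""
    n = len(labels)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def information_gain(verdicts: Sequence[int], labels: Sequence[int]) -> float:
    """IG(Y; V) = H(Y) - sum_v P(V = v) * H(Y | V = v): how much a detector's
    verdict V reduces the uncertainty about the true label Y."""
    n = len(labels)
    conditional = 0.0
    for v in set(verdicts):
        subset = [y for y, d in zip(labels, verdicts) if d == v]
        conditional += len(subset) / n * entropy(subset)
    return entropy(labels) - conditional


def detector_weights(history: Dict[str, Sequence[int]],
                     labels: Sequence[int]) -> Dict[str, float]:
    """Normalise each detector's information gain into weights summing to 1;
    if no detector is informative, every detector gets an equal share."""
    gains = {name: information_gain(v, labels) for name, v in history.items()}
    total = sum(gains.values())
    if total == 0:
        return {name: 1.0 / len(gains) for name in gains}
    return {name: g / total for name, g in gains.items()}


def fuse(verdicts: Dict[str, int], weights: Dict[str, float],
         threshold: float = 0.5) -> bool:
    """Weighted vote over the detectors' 0/1 verdicts for one window."""
    return sum(weights[name] * verdicts[name] for name in weights) >= threshold


# Constructed evaluation history: 8 labelled windows (1 = anomalous) and the
# verdict each (hypothetical) detection system gave for them.
LABELS = [1, 1, 1, 1, 0, 0, 0, 0]
HISTORY = {
    "entropy": [1, 1, 1, 1, 0, 0, 0, 0],   # always right
    "volume":  [1, 1, 1, 1, 1, 1, 1, 1],   # always alarms: carries no information
    "ports":   [1, 1, 1, 0, 0, 0, 0, 0],   # misses one anomaly
}

if __name__ == "__main__":
    w = detector_weights(HISTORY, LABELS)
    print(w)
    print(fuse({"entropy": 1, "volume": 1, "ports": 0}, w))  # True
    print(fuse({"entropy": 0, "volume": 1, "ports": 1}, w))  # False
```

The always-alarming detector receives zero weight, so its verdict cannot sway the fused result, while the detector that is always right outweighs the one that misses an anomaly; this is the property the patent relies on when it turns detection capability into detection-system weights.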
And S3, constructing a data context feature set according to the abnormal data and the normal data, constructing an intelligent diagnosis prediction model based on wavelet packet analysis and a two-dimensional matrix, performing model training on the intelligent diagnosis prediction model based on the multi-dimensional security event and the data context feature set, and based on trained intelligence.
As shown in fig. 6, in this embodiment, multi-dimensional security event integration of time series data is extracted, association mapping modes of factors such as users, events, logs, traffic, application operation and the like are studied, a complete reference feature set production mechanism is provided, an implicit feature vector learning mechanism based on a gradient descent method is explored, and a transformation mechanism of the implicit features is studied based on an initialized feature vector, so that a complete feature set integrating multi-layer network security events such as backbone network nodes, user networks and user terminals is generated. On the basis, various sensor signals in the processing process of the workpiece are synchronously collected by researching an intelligent diagnosis prediction model based on wavelet packet analysis and a two-dimensional matrix, and wavelet packet decomposition transformation is carried out on data to be analyzed so as to obtain a plurality of wavelet packet coefficient two-dimensional matrices; each wavelet packet coefficient two-dimensional matrix is correspondingly used as the input of a feature extraction model, and one-dimensional feature matrixes output by each feature extraction model block are spliced into a longer one-dimensional matrix, so that feature fusion is carried out, and a two-layer fully connected network is established, so that an intelligent diagnosis prediction model is obtained; and the security event data context correlation detection analysis and the accurate prediction of the high-duration threat attack under the condition of no sample or few samples are realized. And a feedback optimization mechanism is established to realize continuous optimization of the model and solve the security threat prediction of multi-level network space and heterogeneous complex attack behaviors. And a feedback optimization mechanism is established to realize continuous optimization of the model.
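The following is an added example, not code from the patent, of the wavelet packet step described above: a Haar wavelet packet decomposition turns a 1-D sequence into a 2-D matrix of coefficients (one row per leaf band), one energy feature per row is extracted, and the feature rows of several matrices are spliced into a single longer vector. The Haar basis, the decomposition depth and the constructed event-count sequences are assumptions; the patent does not name a wavelet, and the fully connected layers that follow the fusion are not included.

```python
"""Haar wavelet packet decomposition into a 2-D coefficient matrix (added example)."""
import math
from typing import List, Sequence


def haar_split(node: Sequence[float]):
    """One level of the Haar transform: orthonormal approximation and detail halves."""
    s = math.sqrt(2.0)
    approx = [(node[i] + node[i + 1]) / s for i in range(0, len(node), 2)]
    detail = [(node[i] - node[i + 1]) / s for i in range(0, len(node), 2)]
    return approx, detail


def wavelet_packet_matrix(signal: Sequence[float], depth: int) -> List[List[float]]:
    """Full wavelet packet tree to `depth`: every node, not only the approximation,
    is split again. Returns the 2^depth leaf nodes as the rows of a matrix, in
    tree order (aa, ad, da, dd, ...). The input is zero-padded to a power of two
    no smaller than 2^depth so that every leaf holds at least one coefficient."""
    n = len(signal)
    size = 1 << max(depth, (n - 1).bit_length())
    nodes = [list(signal) + [0.0] * (size - n)]
    for _ in range(depth):
        next_level = []
        for node in nodes:
            next_level.extend(haar_split(node))
        nodes = next_level
    return nodes


def band_energies(matrix: Sequence[Sequence[float]]) -> List[float]:
    """One energy value per row: the feature each band contributes."""
    return [sum(c * c for c in row) for row in matrix]


def splice_features(*feature_rows: Sequence[float]) -> List[float]:
    """Concatenate the per-matrix feature vectors into one longer 1-D vector,
    the fusion step that precedes the fully connected layers."""
    return [x for row in feature_rows for x in row]


def signal_energy(signal: Sequence[float]) -> float:
    return sum(x * x for x in signal)


# Constructed per-minute counts of one security event type over 16 windows:
# a steady alternating baseline, and the same baseline with a burst in
# windows 8 to 11.
BASELINE = [4.0, 5.0, 4.0, 5.0] * 4
BURST = BASELINE[:8] + [40.0, 38.0, 41.0, 39.0] + BASELINE[12:]

if __name__ == "__main__":
    m_base = wavelet_packet_matrix(BASELINE, 2)
    m_burst = wavelet_packet_matrix(BURST, 2)
    print(band_energies(m_base))   # [324.0, 0.0, 4.0, 0.0]
    print(band_energies(m_burst))
    print(len(splice_features(band_energies(m_base), band_energies(m_burst))))  # 8
```

Because the Haar basis is orthonormal, the band energies of any depth sum to the energy of the input (Parseval), so the feature vector redistributes rather than loses information; for the alternating baseline the whole detail energy lands in the third band, and a burst moves energy into the bands that were empty, which is what a downstream classifier can learn from.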
As shown in fig. 7, the conventional RNN suffers from the vanishing gradient problem: because errors grow or decay over time, it cannot reach distant context and can only model short time series. To address this difficulty, a backpropagation-based co-learning time series algorithm built on an LSTM (Long Short-Term Memory) network is studied. For a collaborative attack event, historical events are used as the initial inputs and a probability distribution over the next event is predicted through four stages: data collection and preprocessing, model training and verification, security event prediction, and prediction performance monitoring. Given the resulting ranking, the event with the highest probability is selected as the prediction result. To maintain prediction accuracy, the prediction performance monitoring tracks through reports whether the correct event was predicted, and if the prediction accuracy drops below a certain threshold, the system automatically retrains the model.
In a second aspect, an embodiment of the present application provides the following technical solution: an artificial intelligence based firewall policy management system comprising:
an acquisition module, used for acquiring multi-dimensional heterogeneous data in an industrial control network, wherein the multi-dimensional heterogeneous data is the network flow data of a multi-layer network in the industrial control network, and the multi-layer network comprises backbone network nodes, user networks and user terminals;
the classifier module is used for determining time sequence data of each network flow data in a time window, performing anomaly detection on the time sequence data through a classification model, dividing the time sequence data into anomaly data and normal data, and extracting multi-dimensional security events in the time sequence data;
the anomaly detection module is used for determining a conversion mechanism of the implicit feature vector, based on an implicit feature vector learning mechanism of the gradient descent method and an initialized feature vector, so as to generate a complete feature set of the multi-dimensional security events of the multi-layer network; and for constructing an intelligent diagnosis prediction model based on wavelet packet analysis and a two-dimensional matrix, performing model training on the intelligent diagnosis prediction model based on the multi-dimensional security events and the complete feature set, and performing intelligent diagnosis and prediction of security threats to the industrial control network based on the trained intelligent diagnosis prediction model.
Referring to fig. 8, fig. 8 is a schematic diagram of an embodiment of an electronic device according to an embodiment of the application. As shown in fig. 8, an embodiment of the present application provides an electronic device 500, including a memory 510, a processor 520, and a computer program 511 stored in the memory 510 and executable on the processor 520, wherein the processor 520 executes the computer program 511 to implement the following steps:
step S1, acquiring multi-dimensional heterogeneous data in an industrial control network, wherein the multi-dimensional heterogeneous data is network flow data of a multi-layer network in the industrial control network, and the multi-layer network comprises backbone network nodes, user networks and user terminals;
s2, determining time sequence data of each network flow data in a time window, performing anomaly detection on the time sequence data through a classification model, dividing the time sequence data into anomaly data and normal data, and extracting multi-dimensional security events in the time sequence data;
and S3, constructing a data context feature set according to the abnormal data and the normal data, constructing an intelligent diagnosis prediction model based on wavelet packet analysis and a two-dimensional matrix, performing model training on the intelligent diagnosis prediction model based on the multi-dimensional security event and the data context feature set, and performing intelligent diagnosis and prediction on security threat of an industrial control network based on the trained intelligent diagnosis prediction model.
Referring to fig. 6, fig. 6 is a schematic diagram of an embodiment of a computer readable storage medium according to an embodiment of the application. As shown in fig. 6, the present embodiment provides a computer-readable storage medium 600 having stored thereon a computer program 611, which computer program 611 when executed by a processor implements the steps of:
step S1, acquiring multi-dimensional heterogeneous data in an industrial control network, wherein the multi-dimensional heterogeneous data is network flow data of a multi-layer network in the industrial control network, and the multi-layer network comprises backbone network nodes, user networks and user terminals;
s2, determining time sequence data of each network flow data in a time window, performing anomaly detection on the time sequence data through a classification model, dividing the time sequence data into anomaly data and normal data, and extracting multi-dimensional security events in the time sequence data;
and S3, constructing a data context feature set according to the abnormal data and the normal data, constructing an intelligent diagnosis prediction model based on wavelet packet analysis and a two-dimensional matrix, performing model training on the intelligent diagnosis prediction model based on the multi-dimensional security event and the data context feature set, and performing intelligent diagnosis and prediction on security threat of an industrial control network based on the trained intelligent diagnosis prediction model.
In the foregoing embodiments, the descriptions of the embodiments are focused on, and for those portions of one embodiment that are not described in detail, reference may be made to the related descriptions of other embodiments.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present application without departing from the spirit or scope of the application. Thus, it is intended that the present application also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.
Claims (10)
1. A firewall policy management method based on artificial intelligence, the method comprising:
step S1, acquiring multi-dimensional heterogeneous data in an industrial control network, wherein the multi-dimensional heterogeneous data is network flow data of a multi-layer network in the industrial control network, and the multi-layer network comprises backbone network nodes, user networks and user terminals;
s2, determining time sequence data of each network flow data in a time window, performing anomaly detection on the time sequence data through a classification model, dividing the time sequence data into anomaly data and normal data, and extracting multi-dimensional security events in the time sequence data;
and S3, constructing a data context feature set according to the abnormal data and the normal data, constructing an intelligent diagnosis prediction model based on wavelet packet analysis and a two-dimensional matrix, performing model training on the intelligent diagnosis prediction model based on the multi-dimensional security event and the data context feature set, and performing intelligent diagnosis and prediction on security threat of an industrial control network based on the trained intelligent diagnosis prediction model.
2. The firewall policy management method according to claim 1, wherein in step S2, further comprising:
for the backbone network nodes, determining the commonality characteristics of the network flow data based on a multi-dimensional entropy approximate estimation algorithm; arranging the multi-dimensional entropy sequences of each time window into detection vectors based on the correlation between the entropy sequences of the network flow data; comprehensively detecting, based on an OC-SVM detection vector classification algorithm, those detection vectors whose misclassification proportion is greater than a preset proportion threshold; and carrying out the comprehensive detection at a plurality of subsequent moments by means of an acquisition precision optimization algorithm.
3. The firewall policy management method according to claim 2, wherein in step S2, the multi-dimensional entropy sequence comprises one or more of: a source IP dimension entropy sequence, a destination IP dimension entropy sequence, a source port dimension entropy sequence, a destination port dimension entropy sequence and an IP packet length dimension entropy sequence.
4. The firewall policy management method based on artificial intelligence according to claim 1, wherein the step S1 specifically comprises:
multi-dimensional heterogeneous data in the industrial control network are collected based on the IPv4/IPv6 protocols and the Modbus/S7 industrial protocols; classified and multi-threaded data are automatically extracted based on a predetermined extraction and format conversion rule base; and data format conversion, processing analysis and unification of the data format are carried out according to a Hadoop big data method.
5. The firewall policy management method according to claim 1, wherein in step S2, the classification model includes a random forest classifier and an SVM classifier;
and carrying out anomaly detection on the time sequence data through a classification model, wherein the method specifically comprises the following steps:
constructing a detection engine, wherein the detection engine comprises a plurality of abnormal detection systems, modeling is carried out on detection statistics of each abnormal detection system based on a support vector regression machine, an optimal detection threshold is predicted, the detection capability of the detection statistics is determined based on an information gain method, and the detection capability is used as a weight of each abnormal detection system;
and carrying out primary classification and feature combination on the time sequence data based on a random forest classifier, carrying out secondary classification on the combined features based on the SVM classifier, and combining the features subjected to secondary classification according to the weight of an anomaly detection system and then inputting the combined features into a detection engine.
6. The artificial intelligence based firewall policy management method of claim 5, wherein the multi-dimensional security event comprises one or more of: abnormal network connections, bot (zombie host) behavior, Trojan backlinks, unauthorized downloads, brute force cracking, WebShell, DDoS, worm viruses, and unknown threats.
7. The artificial intelligence based firewall policy management system of claim 1, wherein constructing a data context feature set from the abnormal data and the normal data comprises:
and determining a conversion mechanism of the implicit feature vector based on the initialized feature vector to generate a data context feature set of the multi-dimensional security event of the multi-layer network.
8. An artificial intelligence based firewall policy management system, comprising:
an acquisition module, used for acquiring multi-dimensional heterogeneous data in an industrial control network, wherein the multi-dimensional heterogeneous data is the network flow data of a multi-layer network in the industrial control network, and the multi-layer network comprises backbone network nodes, user networks and user terminals;
the classifier module is used for determining time sequence data of each network flow data in a time window, performing anomaly detection on the time sequence data through a classification model, dividing the time sequence data into anomaly data and normal data, and extracting multi-dimensional security events in the time sequence data;
the anomaly detection module is used for determining a conversion mechanism of the implicit feature vector, based on an implicit feature vector learning mechanism of the gradient descent method and an initialized feature vector, so as to generate a complete feature set of the multi-dimensional security events of the multi-layer network; and for constructing an intelligent diagnosis prediction model based on wavelet packet analysis and a two-dimensional matrix, performing model training on the intelligent diagnosis prediction model based on the multi-dimensional security events and the complete feature set, and performing intelligent diagnosis and prediction of security threats to the industrial control network based on the trained intelligent diagnosis prediction model.
9. An electronic device, comprising:
a memory for storing a computer software program;
a processor for reading and executing the computer software program to implement the artificial intelligence based firewall policy management method of any one of claims 1-7.
10. A non-transitory computer readable storage medium having stored therein a computer software program for implementing the artificial intelligence based firewall policy management method of any one of claims 1-7.
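Claims 2, 3 and 5 describe per-window multi-dimensional entropy detection vectors and a detection engine that weights its anomaly detectors by information gain. The Python below is an added illustration, not code from the patent or its applicant: it computes the five entropy dimensions of claim 3 over constructed flow windows, and weights two detectors by information gain as in claim 5. The OC-SVM and support-vector-regression thresholds of the claims are replaced by simple margin-around-baseline detectors (an assumption made to keep the example dependency-free), and all addresses, ports, window sizes and the 2-bit margin are constructed sample values.

```python
from collections import Counter
from math import log2

# The five entropy dimensions named in claim 3.
DIMENSIONS = ("src_ip", "dst_ip", "src_port", "dst_port", "pkt_len")


def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of a value list."""
    n = len(values)
    return -sum((c / n) * log2(c / n) for c in Counter(values).values()) if n else 0.0


def detection_vector(flows):
    """Arrange the per-dimension entropies of one time window into a detection vector."""
    return {d: shannon_entropy([f[d] for f in flows]) for d in DIMENSIONS}


def make_window(src_ips, dst_ips, src_ports, dst_ports, pkt_lens, n=60):
    """Constructed window of n flow records that cycle through the given value pools."""
    pools = (src_ips, dst_ips, src_ports, dst_ports, pkt_lens)
    return [{d: p[i % len(p)] for d, p in zip(DIMENSIONS, pools)} for i in range(n)]


def information_gain(labels, outputs):
    """Information gain of the window labels given one detector's binary outputs."""
    gain = shannon_entropy(labels)
    for value in set(outputs):
        subset = [lab for lab, out in zip(labels, outputs) if out == value]
        gain -= len(subset) / len(labels) * shannon_entropy(subset)
    return gain


class DetectionEngine:
    """Weights each anomaly detector by its information gain on labelled windows and
    flags a window when the weighted vote reaches the threshold (claim 5)."""

    def __init__(self, detectors, vectors, labels, threshold=0.5):
        self.detectors = detectors
        self.threshold = threshold
        self.weights = {name: information_gain(labels, [det(v) for v in vectors])
                        for name, det in detectors.items()}

    def score(self, vector):
        total = sum(self.weights.values())
        return sum(w * self.detectors[n](vector) for n, w in self.weights.items()) / total

    def is_abnormal(self, vector):
        return self.score(vector) >= self.threshold


# Constructed sample traffic using RFC 5737 documentation addresses, not real captures.
HMI = [f"192.0.2.{i}" for i in range(10, 18)]   # eight operator stations
PLC = ["198.51.100.5", "198.51.100.6"]          # two controllers
EPHEMERAL = list(range(40000, 40060))
NORMAL = [make_window(HMI, PLC, EPHEMERAL, [502, 102], [64, 128, 256]) for _ in range(4)]
SWEEP = make_window(["192.0.2.99"], PLC[:1], EPHEMERAL, list(range(1, 61)), [60])
FLOOD = make_window(["192.0.2.99"], PLC[:1], [50000], [502], [60])
DISTRIBUTED = make_window([f"203.0.113.{i}" for i in range(1, 61)], PLC[:1],
                          EPHEMERAL, list(range(1, 61)), [60])

# Baseline entropies from the normal windows; MARGIN (in bits) is a constructed setting.
BASELINE = {d: sum(detection_vector(w)[d] for w in NORMAL) / len(NORMAL) for d in DIMENSIONS}
MARGIN = 2.0
DETECTORS = {  # stand-ins for the claims' OC-SVM / SVR-thresholded detection systems
    "port_sweep": lambda v: v["dst_port"] > BASELINE["dst_port"] + MARGIN,
    "single_source": lambda v: v["src_ip"] < BASELINE["src_ip"] - MARGIN,
}


def build_engine():
    """Fit the engine's weights on the labelled windows (0 = normal, 1 = abnormal)."""
    windows = NORMAL + [SWEEP, FLOOD, DISTRIBUTED]
    return DetectionEngine(DETECTORS, [detection_vector(w) for w in windows],
                           [0] * len(NORMAL) + [1] * 3)
```

With this data each detector covers a different abnormal pattern, so both receive the same information gain and a window flagged by only one of them scores exactly 0.5, which the engine's threshold treats as abnormal.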
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311056683.8A CN117220920A (en) | 2023-08-21 | 2023-08-21 | Firewall policy management method based on artificial intelligence |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117220920A true CN117220920A (en) | 2023-12-12 |
Family
ID=89045174
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311056683.8A Pending CN117220920A (en) | 2023-08-21 | 2023-08-21 | Firewall policy management method based on artificial intelligence |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117220920A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117435870A (en) * | 2023-12-21 | 2024-01-23 | 国网天津市电力公司营销服务中心 | Load data real-time filling method, system, equipment and medium |
CN117579393A (en) * | 2024-01-16 | 2024-02-20 | 国网浙江省电力有限公司 | Information terminal threat monitoring method, device, equipment and storage medium |
CN117688505A (en) * | 2024-02-04 | 2024-03-12 | 河海大学 | Prediction method and system for vegetation large-range regional negative abnormality |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117435870A (en) * | 2023-12-21 | 2024-01-23 | 国网天津市电力公司营销服务中心 | Load data real-time filling method, system, equipment and medium |
CN117435870B (en) * | 2023-12-21 | 2024-03-29 | 国网天津市电力公司营销服务中心 | Load data real-time filling method, system, equipment and medium |
CN117579393A (en) * | 2024-01-16 | 2024-02-20 | 国网浙江省电力有限公司 | Information terminal threat monitoring method, device, equipment and storage medium |
CN117579393B (en) * | 2024-01-16 | 2024-03-22 | 国网浙江省电力有限公司 | Information terminal threat monitoring method, device, equipment and storage medium |
CN117688505A (en) * | 2024-02-04 | 2024-03-12 | 河海大学 | Prediction method and system for vegetation large-range regional negative abnormality |
CN117688505B (en) * | 2024-02-04 | 2024-04-19 | 河海大学 | Prediction method and system for vegetation large-range regional negative abnormality |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN112398779B (en) | Network traffic data analysis method and system | |
CN111600919B (en) | Method and device for constructing intelligent network application protection system model | |
CN117220920A (en) | Firewall policy management method based on artificial intelligence | |
Tabash et al. | Intrusion detection model using naive bayes and deep learning technique. | |
CN105471882A (en) | Behavior characteristics-based network attack detection method and device | |
CN112738014B (en) | Industrial control flow anomaly detection method and system based on convolution time sequence network | |
CN112492059A (en) | DGA domain name detection model training method, DGA domain name detection device and storage medium | |
Zhao et al. | A semi-self-taught network intrusion detection system | |
CN112468347A (en) | Security management method and device for cloud platform, electronic equipment and storage medium | |
Kozik et al. | Pattern extraction algorithm for NetFlow‐based botnet activities detection | |
Lambert II | Security analytics: Using deep learning to detect cyber attacks | |
CN113904881A (en) | Intrusion detection rule false alarm processing method and device | |
Harbola et al. | Improved intrusion detection in DDoS applying feature selection using rank & score of attributes in KDD-99 data set | |
CN117473571B (en) | Data information security processing method and system | |
Shukla et al. | UInDeSI4. 0: An efficient Unsupervised Intrusion Detection System for network traffic flow in Industry 4.0 ecosystem | |
Laptiev et al. | Algorithm for Recognition of Network Traffic Anomalies Based on Artificial Intelligence | |
Abdulganiyu et al. | Towards an efficient model for network intrusion detection system (IDS): systematic literature review | |
CN117349618A (en) | Method and medium for constructing malicious encryption traffic detection model of network information system | |
Maidamwar et al. | Ensemble learning approach for classification of network intrusion detection in IoT environment | |
Thanthrige | Hidden markov model based intrusion alert prediction | |
Gonzalez-Granadillo et al. | An improved live anomaly detection system (i-lads) based on deep learning algorithm | |
CN111343205B (en) | Industrial control network security detection method and device, electronic equipment and storage medium | |
CN115086018A (en) | Video front-end equipment clustering analysis intrusion detection method | |
Balega et al. | IoT Anomaly Detection Using a Multitude of Machine Learning Algorithms | |
Mankodiya et al. | Deep learning-based secure machine-to-machine communication in edge-enabled industrial iot |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |