CN117997650B - Attack detection system based on artificial intelligence - Google Patents
- Publication number
- CN117997650B (CN202410396276.XA)
- Authority
- CN
- China
- Prior art keywords
- processor
- information
- unit
- feature
- fusion
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Abstract
The invention provides an attack detection system based on artificial intelligence, which relates to the field of network security and comprises a feature acquisition module, a feature fusion module, an intelligent analysis module and an attack detection module, wherein the feature acquisition module is used for acquiring time sequence feature information and structure feature information from log information, the feature fusion module is used for carrying out fusion processing on the time sequence feature information and the structure feature information to obtain intermediate features, the intelligent analysis module is used for carrying out neural network analysis on the intermediate features to obtain advanced features, and the attack detection module is used for detecting network attack behaviors based on the advanced features; the system can take a large amount of network behavior data as a sample and conduct intelligent analysis, divide an analysis result into a plurality of areas, judge whether the network behavior is attacked by judging whether the analysis result of the real-time data is in the areas or not, and accurately identify the network attack behavior.
Description
Technical Field
The invention relates to the field of network security, in particular to an attack detection system based on artificial intelligence.
Background
Existing attack detection systems generally detect attacks by comparing feature information. This approach is not intelligent enough and cannot effectively detect novel attack methods, so a more intelligent detection method is needed.
The foregoing discussion of the background art is intended only to facilitate an understanding of the present invention. This discussion is not an acknowledgement or admission that any of the material referred to was common general knowledge.
Many attack detection systems have been developed. Through extensive searching and reference, existing attack detection systems such as the one disclosed in publication number CN117375998A were found. Such systems generally input log information of a device to be detected within a preset period of time into an attack detection model, where the attack detection model includes a structural feature extraction layer, a timing feature extraction layer and a threat discovery layer; feature extraction is performed on the log information by the structural feature extraction layer to obtain structural features, which represent the features of the network interaction behaviors corresponding to the log information; the timestamps and structural features of the log information are processed by the timing feature extraction layer to obtain structure-timing features that fuse structure and timing; and the structure-timing features are analyzed by the threat discovery layer to obtain an attack detection result. However, the main principle of such systems is to detect attacks by comparing attack behavior features, so new attack methods are not easily identified and the systems are not intelligent enough.
Disclosure of Invention
The invention aims to provide an attack detection system based on artificial intelligence that addresses the above defects.
The invention adopts the following technical scheme:
an attack detection system based on artificial intelligence comprises a feature acquisition module, a feature fusion module, an intelligent analysis module and an attack detection module;
The characteristic acquisition module is used for acquiring time sequence characteristic information and structural characteristic information from log information, the characteristic fusion module is used for carrying out fusion processing on the time sequence characteristic information and the structural characteristic information to obtain intermediate characteristics, the intelligent analysis module is used for carrying out neural network analysis on the intermediate characteristics to obtain advanced characteristics, and the attack detection module is used for detecting network attack behaviors based on the advanced characteristics;
The characteristic acquisition module comprises a log supervision unit, a time sequence characteristic acquisition unit and a structural characteristic acquisition unit, wherein the log supervision unit is used for acquiring log information in a target system, the time sequence characteristic acquisition unit is used for analyzing the log information to obtain time sequence characteristics, and the structural characteristic acquisition unit is used for analyzing the log information to obtain structural characteristics;
The feature fusion module comprises an information fusion unit and a feature coding unit, wherein the information fusion unit is used for carrying out fusion processing on time sequence features and structural features, and the feature coding unit is used for carrying out coding processing on fusion results to obtain intermediate features;
The intelligent analysis module comprises a feedforward input management unit and a nonlinear change unit, wherein the feedforward input management unit is used for receiving intermediate characteristics and inputting the intermediate characteristics to a feedforward network for control management, and the nonlinear change unit is used for carrying out nonlinear change on data and outputting advanced characteristics;
The attack detection module comprises a cluster analysis unit and a detection and identification unit, wherein the cluster analysis unit is used for analyzing the advanced features to obtain a cluster area, and the detection and identification unit is used for detecting whether the advanced features are in the cluster area and identifying the attacked state;
Further, the time sequence feature acquisition unit comprises a time marking processor, an event serialization processor and a time sequence feature extraction processor, wherein the time marking processor is used for marking time stamp information of a specific event, the event serialization processor is used for sorting marking information of the same specific event into an event sequence, and the time sequence feature extraction processor is used for processing the sequence to obtain a time sequence feature;
The structure characteristic acquisition unit comprises an acquisition setting processor, an event statistics processor and a structure characteristic extraction processor, wherein the acquisition setting processor is used for setting acquisition time parameters, the event statistics processor is used for counting the occurrence times of all specific events in a corresponding time period, and the structure characteristic extraction processor is used for sorting statistical data into structure characteristics;
further, the information fusion unit comprises a fulcrum control processor, a feature selection processor and a fusion calculation processor, wherein the fulcrum control processor is used for selecting fulcrum information formed by events and time, the feature selection processor is used for selecting corresponding time sequence features and structural features based on the fulcrum information and preprocessing the time sequence features and the structural features, and the fusion calculation processor is used for carrying out calculation fusion on the time sequence features and the structural features;
the fusion calculation processor calculates a fusion value Fu according to the following formula:
;
Wherein x_i is the i-th element value in the time sequence vector, FN is the number of elements in the time sequence vector, SN is the event position number, Pr1 is the front proportion, Pr2 is the rear proportion, and m is the specific event number;
Further, the feature encoding unit comprises an information register, a checking generation processor and an encoding transmission processor, wherein the information register is used for receiving and storing pairing information, the checking generation processor is used for checking the pairing information and generating intermediate feature codes, and the encoding transmission processor is used for sending a plurality of continuous intermediate feature codes to the intelligent analysis module;
Further, the nonlinear change unit comprises a plurality of change calculation processors, each change calculation processor is used as a node, the nodes are connected in a unidirectional way to form a feed-forward network, the change calculation processors are used for processing two binary numbers and outputting a binary number, and the number of binary numbers processed and obtained in the change calculation processors is the same as the number of intermediate feature code bits;
The process of the change calculation processor for processing the input data comprises the following steps:
S1, circularly shifting the second input parameter b_1 left or right by a number of bits to obtain a binary number b_2;
S2, adding or subtracting the first input parameter a_1 and the binary number b_2 to obtain a binary number c_1;
S3, reserving the lower position of c 1 The bit number is used for obtaining and outputting a binary number c 2;
the first input parameter and the second input parameter are two binary numbers input, and the shifting direction, the shifting bit number and the addition and subtraction mode are the processing parameters of the change calculation processor;
the nonlinear variation unit finally outputs N binary numbers as advanced features.
The beneficial effects obtained by the invention are as follows:
The system acquires the time sequence information and the structure information in the log information, fuses them, and processes the result through the feedforward network to obtain advanced features. Clustered regions are obtained from a large number of sample advanced features, and whether a network attack has been received is judged by checking whether the advanced features obtained from real-time data fall within the clustered regions.
For a further understanding of the nature and the technical aspects of the present invention, reference should be made to the following detailed description of the invention and the accompanying drawings, which are provided for purposes of reference only and are not intended to limit the invention.
Drawings
FIG. 1 is a schematic diagram of the overall structural framework of the present invention;
FIG. 2 is a schematic diagram of a feature collection module according to the present invention;
FIG. 3 is a schematic diagram of a feature fusion module according to the present invention;
FIG. 4 is a schematic diagram of an information fusion unit according to the present invention;
FIG. 5 is a schematic diagram of a cluster analysis unit according to the present invention.
Detailed Description
The following embodiments of the present invention are described in terms of specific examples, and those skilled in the art will appreciate the advantages and effects of the present invention from the disclosure herein. The invention is capable of other and different embodiments and its several details are capable of modification and variation in various respects, all without departing from the spirit of the present invention. The drawings of the present invention are merely schematic illustrations, and are not intended to be drawn to actual dimensions. The following embodiments will further illustrate the related art content of the present invention in detail, but the disclosure is not intended to limit the scope of the present invention.
Embodiment one: with reference to fig. 1, this embodiment provides an attack detection system based on artificial intelligence, which comprises a feature acquisition module, a feature fusion module, an intelligent analysis module and an attack detection module;
The characteristic acquisition module is used for acquiring time sequence characteristic information and structural characteristic information from log information, the characteristic fusion module is used for carrying out fusion processing on the time sequence characteristic information and the structural characteristic information to obtain intermediate characteristics, the intelligent analysis module is used for carrying out neural network analysis on the intermediate characteristics to obtain advanced characteristics, and the attack detection module is used for detecting network attack behaviors based on the advanced characteristics;
The characteristic acquisition module comprises a log supervision unit, a time sequence characteristic acquisition unit and a structural characteristic acquisition unit, wherein the log supervision unit is used for acquiring log information in a target system, the time sequence characteristic acquisition unit is used for analyzing the log information to obtain time sequence characteristics, and the structural characteristic acquisition unit is used for analyzing the log information to obtain structural characteristics;
The feature fusion module comprises an information fusion unit and a feature coding unit, wherein the information fusion unit is used for carrying out fusion processing on time sequence features and structural features, and the feature coding unit is used for carrying out coding processing on fusion results to obtain intermediate features;
The intelligent analysis module comprises a feedforward input management unit and a nonlinear change unit, wherein the feedforward input management unit is used for receiving intermediate characteristics and inputting the intermediate characteristics to a feedforward network for control management, and the nonlinear change unit is used for carrying out nonlinear change on data and outputting advanced characteristics;
The attack detection module comprises a cluster analysis unit and a detection and identification unit, wherein the cluster analysis unit is used for analyzing the advanced features to obtain a cluster area, and the detection and identification unit is used for detecting whether the advanced features are in the cluster area and identifying the attacked state;
The time sequence feature acquisition unit comprises a time marking processor, an event serialization processor and a time sequence feature extraction processor, wherein the time marking processor is used for marking time stamp information of specific events, the event serialization processor is used for sorting marking information of the same specific event into an event sequence, and the time sequence feature extraction processor is used for processing the sequence to obtain time sequence features;
The structure characteristic acquisition unit comprises an acquisition setting processor, an event statistics processor and a structure characteristic extraction processor, wherein the acquisition setting processor is used for setting acquisition time parameters, the event statistics processor is used for counting the occurrence times of all specific events in a corresponding time period, and the structure characteristic extraction processor is used for sorting statistical data into structure characteristics;
The information fusion unit comprises a fulcrum control processor, a feature selection processor and a fusion calculation processor, wherein the fulcrum control processor is used for selecting fulcrum information formed by events and time, the feature selection processor is used for selecting corresponding time sequence features and structural features based on the fulcrum information and preprocessing the time sequence features and the structural features, and the fusion calculation processor is used for carrying out calculation fusion on the time sequence features and the structural features;
the fusion calculation processor calculates a fusion value Fu according to the following formula:
;
Wherein x_i is the i-th element value in the time sequence vector, FN is the number of elements in the time sequence vector, SN is the event position number, Pr1 is the front proportion, Pr2 is the rear proportion, and m is the specific event number;
The feature coding unit comprises an information register, a checking generation processor and a coding transmission processor, wherein the information register is used for receiving and storing pairing information, the checking generation processor is used for checking the pairing information and generating intermediate feature codes, and the coding transmission processor is used for sending a plurality of continuous intermediate feature codes to the intelligent analysis module;
The nonlinear change unit comprises a plurality of change calculation processors, each change calculation processor is used as a node, the nodes are connected in one way to form a feed-forward network, the change calculation processors are used for processing two binary numbers and outputting a binary number, and the number of binary numbers processed and obtained in the change calculation processors is the same as the number of bits of the intermediate feature code;
The process of the change calculation processor for processing the input data comprises the following steps:
S1, circularly shifting the second input parameter b_1 left or right by a number of bits to obtain a binary number b_2;
S2, adding or subtracting the first input parameter a_1 and the binary number b_2 to obtain a binary number c_1;
S3, reserving the lower position of c 1 The bit number is used for obtaining and outputting a binary number c 2;
the first input parameter and the second input parameter are two binary numbers input, and the shifting direction, the shifting bit number and the addition and subtraction mode are the processing parameters of the change calculation processor;
the nonlinear variation unit finally outputs N binary numbers as advanced features.
Embodiment two: the embodiment comprises the whole content of the first embodiment, and provides an attack detection system based on artificial intelligence, which comprises a feature acquisition module, a feature fusion module, an intelligent analysis module and an attack detection module;
The characteristic acquisition module is used for acquiring time sequence characteristic information and structural characteristic information from log information, the characteristic fusion module is used for carrying out fusion processing on the time sequence characteristic information and the structural characteristic information to obtain intermediate characteristics, the intelligent analysis module is used for carrying out neural network analysis on the intermediate characteristics to obtain advanced characteristics, and the attack detection module is used for detecting network attack behaviors based on the advanced characteristics;
Referring to fig. 2, the feature collection module includes a log supervision unit, a time sequence feature collection unit and a structural feature collection unit, where the log supervision unit is used to obtain log information in the target system, the time sequence feature collection unit is used to analyze the log information to obtain time sequence features, and the structural feature collection unit is used to analyze the log information to obtain structural features;
Referring to fig. 3, the feature fusion module includes an information fusion unit and a feature coding unit, where the information fusion unit is used to fuse the time sequence feature and the structural feature, and the feature coding unit is used to code the fusion result to obtain an intermediate feature;
The intelligent analysis module comprises a feedforward input management unit and a nonlinear change unit, wherein the feedforward input management unit is used for receiving intermediate characteristics and inputting the intermediate characteristics to a feedforward network for control management, and the nonlinear change unit is used for carrying out nonlinear change on data and outputting advanced characteristics;
The attack detection module comprises a cluster analysis unit and a detection and identification unit, wherein the cluster analysis unit is used for analyzing the advanced features to obtain a cluster area, and the detection and identification unit is used for detecting whether the advanced features are in the cluster area and identifying the attacked state;
The time sequence feature acquisition unit comprises a time marking processor, an event serialization processor and a time sequence feature extraction processor, wherein the time marking processor is used for marking time stamp information of specific events, the event serialization processor is used for sorting marking information of the same specific event into an event sequence, and the time sequence feature extraction processor is used for processing the sequence to obtain time sequence features;
For said sequence of events Indicating that a represents a specific event, and T i represents the i-th mark time;
The time sequence feature extraction processor calculates the time difference between two adjacent mark times Will { (A,/>)) As timing characteristic information;
The structure characteristic acquisition unit comprises an acquisition setting processor, an event statistics processor and a structure characteristic extraction processor, wherein the acquisition setting processor is used for setting acquisition time parameters, the event statistics processor is used for counting the occurrence times of all specific events in a corresponding time period, and the structure characteristic extraction processor is used for sorting statistical data into structure characteristics;
the structural feature extraction processor sorts the specific events according to the occurrence frequency from high to low to obtain a structural sequence Acquiring an event number of each event in the structure sequence to obtain a first structure vectorAcquiring the occurrence times of each event in the structure sequence to obtain a second structure vectorThe method comprises the steps that a first structural vector and a second structural vector form structural features, wherein m is the number of specific events, nu () is an acquired event number function, and n () is an acquired event occurrence frequency function;
For example, if there are 3 specific events A 1、A2 and A 3, the number of occurrences is 5, 3, 2, A 1 numbered 2, A 2 numbered 3, A 3 numbered 1, then the first structural vector is The second structural vector is/>;
The specific event is an event needing to be concerned in log information, and is preset by a person skilled in the art;
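As an added illustration (not code from the patent), the following Python sketch derives the timing features and the two structural vectors from a constructed event log. The record format, the half-open time window, the tie-break by event number and the sign convention T_(i+1) - T_i for the time difference are assumptions; the event numbers and occurrence counts reproduce the three-event example above.

```python
from collections import Counter, defaultdict

# Preset "specific events" and their event numbers, taken from the example
# in the text (A1 numbered 2, A2 numbered 3, A3 numbered 1).
EVENT_NUMBERS = {"A1": 2, "A2": 3, "A3": 1}

# Constructed sample log: (timestamp in seconds, event name).
# "noise" is not a specific event and must be ignored.
SAMPLE_LOG = [
    (0, "A1"), (5, "A2"), (10, "A1"), (12, "noise"), (15, "A3"),
    (20, "A2"), (25, "A1"), (30, "A1"), (40, "A2"), (45, "A3"), (50, "A1"),
]


def timing_features(records):
    """Return {event: [time differences between adjacent mark times]}.

    Mirrors the time marking, event serialization and timing feature
    extraction processors: mark the timestamps of each specific event,
    order them into an event sequence, then take adjacent differences.
    """
    marks = defaultdict(list)
    for ts, event in records:
        if event in EVENT_NUMBERS:
            marks[event].append(ts)
    features = {}
    for event, times in marks.items():
        times.sort()
        # Assumed convention: delta_i = T_(i+1) - T_i
        features[event] = [b - a for a, b in zip(times, times[1:])]
    return features


def structural_features(records, start, end):
    """Return (first_vector, second_vector) for the period [start, end).

    Events are sorted by occurrence count, high to low. The first vector
    holds the event numbers in that order, the second holds the counts.
    Ties are broken by event number (an assumption, the text is silent).
    """
    counts = Counter(
        event for ts, event in records
        if start <= ts < end and event in EVENT_NUMBERS
    )
    ordered = sorted(EVENT_NUMBERS, key=lambda e: (-counts[e], EVENT_NUMBERS[e]))
    first = [EVENT_NUMBERS[e] for e in ordered]
    second = [counts[e] for e in ordered]
    return first, second


if __name__ == "__main__":
    print(timing_features(SAMPLE_LOG))
    print(structural_features(SAMPLE_LOG, 0, 60))
```
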
Referring to fig. 4, the information fusion unit includes a fulcrum control processor, a feature selection processor, and a fusion calculation processor, where the fulcrum control processor is configured to select fulcrum information composed of events and time, the feature selection processor selects and preprocesses corresponding time sequence features and structural features based on the fulcrum information, and the fusion calculation processor is configured to perform calculation fusion on the time sequence features and the structural features;
the event in the pivot information is called a pivot event, and the time in the pivot information is called a pivot time;
After the feature selection processor receives the fulcrum information, acquiring time sequence feature information of a fixed number of fulcrum events after fulcrum time according to the fulcrum information, wherein the fixed number is recorded as FN, and rearranging time differences in the time sequence feature information into time sequence vectors according to the sequence The relationship between the element x i in the timing vector and the time difference is:
;
Wherein, Is the standard time difference;
The feature selection processor acquires the structural feature of the time period where the fulcrum time is located, determines the position serial number of the feature selection processor in the first structural vector according to the fulcrum event number, marks the serial number as SN, and calculates the front proportion Pr1 and the rear proportion Pr2 according to the second structural vector:
;
;
the fusion calculation processor calculates a fusion value Fu according to the following formula:
;
the fulcrum control processor receives the fusion value and matches the fusion value with corresponding fulcrum information, and continuously updates the fulcrum information to obtain the corresponding fusion value until the fulcrum information in a period of time is processed, and then all the matched information is sent to the feature coding unit;
the number of the pairing information in each time period is the same as the number of the specific events, namely, each specific event in the same time period only has one corresponding fulcrum information;
The time periods in the event statistics processor and the fulcrum control processor are in one-to-one correspondence and are called basic time periods;
The feature coding unit comprises an information register, a checking generation processor and a coding transmission processor, wherein the information register is used for receiving and storing pairing information, the checking generation processor is used for checking the pairing information and generating intermediate feature codes, and the coding transmission processor is used for sending a plurality of continuous intermediate feature codes to the intelligent analysis module;
The collation generation processor acquires and compares the fusion values of the two paired information in the same basic time period, when the fusion value of the specific event with the front number is larger than the fusion value of the specific event with the rear number, the value of the corresponding digit of the intermediate feature code is set to be 1, and conversely, the value of the corresponding position of the intermediate feature code is set to be 0, the intermediate feature code is a binary number, and the included digit is The corresponding relation between two specific events and digits is preset in a checking generation processor, and each basic time period generates an intermediate feature code;
The nonlinear change unit comprises a plurality of change calculation processors, each change calculation processor is used as a node, the nodes are connected in one way to form a feed-forward network, the change calculation processors are used for processing two binary numbers and outputting a binary number, and the number of binary numbers processed and obtained in the change calculation processors is the same as the number of bits of the intermediate feature code;
The process of the change calculation processor for processing the input data comprises the following steps:
S1, circularly shifting the second input parameter b_1 left or right by a number of bits to obtain a binary number b_2;
S2, adding or subtracting the first input parameter a_1 and the binary number b_2 to obtain a binary number c_1;
S3, reserving the lower position of c 1 The bit number is used for obtaining and outputting a binary number c 2;
the first input parameter and the second input parameter are two binary numbers input, and the shifting direction, the shifting bit number and the addition and subtraction mode are the processing parameters of the change calculation processor;
During a cyclic left shift the bits shifted out of the high end are fed back into the low end, and during a cyclic right shift the bits shifted out of the low end are fed back into the high end; for example, 10010 cyclically shifted left by one bit becomes 00101 instead of 100100;
The nonlinear change unit finally outputs N binary numbers as advanced features;
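As an added illustration (not code from the patent), the following Python sketch implements one change calculation processor (steps S1 to S3) and wires a few of them into a small feed-forward network. The class and function names, the network topology and the sample codes are hypothetical; the number of low-order bits retained in S3 is assumed to equal the bit width of the intermediate feature code.

```python
from dataclasses import dataclass


def rotate(value, shift, width, left=True):
    """Circularly shift a width-bit value; bits that fall off one end
    re-enter at the other end."""
    mask = (1 << width) - 1
    value &= mask
    shift %= width
    if shift == 0:
        return value
    if not left:
        # A right rotation by k equals a left rotation by (width - k).
        shift = width - shift
    return ((value << shift) | (value >> (width - shift))) & mask


@dataclass(frozen=True)
class ChangeNode:
    """One change calculation processor. The shift direction, shift bit
    count and add/subtract mode are its processing parameters."""
    width: int       # assumed: bit width of the intermediate feature code
    shift: int
    left: bool
    subtract: bool

    def __call__(self, a1, b1):
        b2 = rotate(b1, self.shift, self.width, self.left)   # S1
        c1 = a1 - b2 if self.subtract else a1 + b2           # S2
        # S3: keep only the low-order `width` bits. For a negative c1 this
        # yields the two's-complement wrap-around, as in fixed-width hardware.
        return c1 & ((1 << self.width) - 1)


def feed_forward(codes, layers):
    """Run intermediate feature codes through layers of nodes.

    Each layer is a list of (node, i, j): the node takes values[i] as its
    first input and values[j] as its second input from the previous layer.
    Data only flows forward (hypothetical topology).
    """
    values = list(codes)
    for layer in layers:
        values = [node(values[i], values[j]) for node, i, j in layer]
    return values


# Constructed example: three 5-bit intermediate feature codes, N = 2 outputs.
SAMPLE_CODES = [0b10010, 0b00101, 0b11000]
SAMPLE_LAYERS = [
    [(ChangeNode(5, 1, True, False), 0, 1),
     (ChangeNode(5, 2, False, True), 1, 2)],
    [(ChangeNode(5, 3, True, False), 0, 1),
     (ChangeNode(5, 1, False, True), 1, 0)],
]

if __name__ == "__main__":
    out = feed_forward(SAMPLE_CODES, SAMPLE_LAYERS)
    print([format(v, "05b") for v in out])
```
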
Referring to fig. 5, the cluster analysis unit includes a spatial conversion processor for converting the high-level features into N-dimensional spatial coordinates each of which is one sample, a cluster division processor for dividing the sample into a plurality of categories, and a region setting processor for setting a corresponding one of the cluster regions for each of the categories;
The cluster division processor calculates the distance between any two samples; when the distance is smaller than a distance threshold, the two samples are judged to have a strong association. When the number of samples strongly associated with a sample exceeds a cluster threshold, that sample is in a quasi class with each of the samples strongly associated with it, and samples in the same quasi class form a class;
the following examples illustrate strong associations, quasi classes and categories:
Samples Y1, Y2 and Y3 have strong associations. The number of samples strongly associated with Y1 exceeds the cluster threshold, so Y1 and Y2 are in a quasi class and Y1 and Y3 are in a quasi class. The number of samples strongly associated with Y2 does not exceed the cluster threshold, so Y2 and Y1 are not in a quasi class. The number of samples strongly associated with Y3 exceeds the cluster threshold, so Y3 and Y1 are in a quasi class. Therefore, Y1 and Y3 are in one class, and Y2 does not belong to the class;
The cluster analysis unit divides all samples into a plurality of categories and discrete samples which do not belong to any category, the discrete samples are regarded as samples with network attack, and each category is regarded as a normal network behavior;
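The cluster division rule and the Y1/Y2/Y3 example above can be sketched in Python as follows. This is an added illustration, not code from the patent: it assumes Euclidean distance, treats a category as a connected group of mutually quasi-class samples containing at least two samples, and uses constructed 2-D sample points and threshold values.

```python
import math

def strong_neighbors(samples, dist_threshold):
    """Map each sample index to the indices it is strongly associated with."""
    nbrs = {i: set() for i in range(len(samples))}
    for i in range(len(samples)):
        for j in range(i + 1, len(samples)):
            if math.dist(samples[i], samples[j]) < dist_threshold:
                nbrs[i].add(j)
                nbrs[j].add(i)
    return nbrs

def divide(samples, dist_threshold, cluster_threshold):
    """Return (categories, discrete) as sets of sample indices."""
    nbrs = strong_neighbors(samples, dist_threshold)
    # A sample is quasi-class with its neighbours only if its own count of
    # strongly associated samples exceeds the cluster threshold.
    dense = {i for i, s in nbrs.items() if len(s) > cluster_threshold}
    categories, assigned = [], set()
    for start in sorted(dense):
        if start in assigned:
            continue
        group, stack = set(), [start]
        while stack:
            i = stack.pop()
            if i not in group:
                group.add(i)
                # Follow only mutual links: the neighbour must be dense too.
                stack.extend((nbrs[i] & dense) - group)
        assigned |= group
        if len(group) > 1:  # assumption: a category needs a mutual pair
            categories.append(group)
    members = set().union(*categories)
    discrete = set(range(len(samples))) - members
    return categories, discrete

# Constructed 2-D samples (N = 2) reproducing the Y1/Y2/Y3 example.
NAMES = ["Y1", "Y2", "Y3", "Y4", "far"]
SAMPLES = [(0, 0), (-1, 0), (1, 0), (2, 0), (10, 10)]

if __name__ == "__main__":
    cats, disc = divide(SAMPLES, dist_threshold=1.5, cluster_threshold=1)
    print("categories:", [sorted(NAMES[i] for i in c) for c in cats])
    print("discrete (flagged as attack):", sorted(NAMES[i] for i in disc))
```

With these constructed values the only category is {Y1, Y3}. Y2 and Y4 each sit next to a category member yet remain discrete, so under the rule in the text they are flagged as attacks along with the distant sample.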
The detection and identification unit comprises a data transfer processor and an attack identification processor. The data transfer processor is used for receiving real-time advanced feature data and sending it to the cluster analysis unit as sample data. The attack identification processor is used for storing the cluster region information of each category and judging whether the spatial coordinates converted from the advanced feature data lie within a cluster region; when the spatial coordinates are not within the cluster region of any category, a network attack is judged to be occurring at that moment;
The i appearing above is an ordinal number used to represent a sequence number.
The foregoing disclosure is only a preferred embodiment of the present invention and is not intended to limit the scope of the invention, so that all equivalent technical changes made by applying the description of the present invention and the accompanying drawings are included in the scope of the present invention, and in addition, elements in the present invention can be updated as the technology develops.
Claims (5)
1. An attack detection system based on artificial intelligence is characterized by comprising a feature acquisition module, a feature fusion module, an intelligent analysis module and an attack detection module;
The characteristic acquisition module is used for acquiring time sequence characteristic information and structural characteristic information from log information, the characteristic fusion module is used for carrying out fusion processing on the time sequence characteristic information and the structural characteristic information to obtain intermediate characteristics, the intelligent analysis module is used for carrying out neural network analysis on the intermediate characteristics to obtain advanced characteristics, and the attack detection module is used for detecting network attack behaviors based on the advanced characteristics;
The characteristic acquisition module comprises a log supervision unit, a time sequence characteristic acquisition unit and a structural characteristic acquisition unit, wherein the log supervision unit is used for acquiring log information in a target system, the time sequence characteristic acquisition unit is used for analyzing the log information to obtain time sequence characteristics, and the structural characteristic acquisition unit is used for analyzing the log information to obtain structural characteristics;
The feature fusion module comprises an information fusion unit and a feature coding unit, wherein the information fusion unit is used for carrying out fusion processing on time sequence features and structural features, and the feature coding unit is used for carrying out coding processing on fusion results to obtain intermediate features;
The intelligent analysis module comprises a feedforward input management unit and a nonlinear change unit, wherein the feedforward input management unit is used for receiving intermediate characteristics and inputting the intermediate characteristics to a feedforward network for control management, and the nonlinear change unit is used for carrying out nonlinear change on data and outputting advanced characteristics;
The attack detection module comprises a cluster analysis unit and a detection and identification unit, wherein the cluster analysis unit is used for analyzing the advanced features to obtain a cluster area, and the detection and identification unit is used for detecting whether the advanced features are in the cluster area and identifying the attacked state.
2. The attack detection system based on artificial intelligence according to claim 1, wherein the timing feature acquisition unit comprises a time stamp processor, an event serialization processor and a timing feature extraction processor, the time stamp processor is used for marking time stamp information of a specific event, the event serialization processor is used for sorting marking information of the same specific event into an event sequence, and the timing feature extraction processor is used for processing the sequence to obtain timing features;
The structure feature acquisition unit comprises an acquisition setting processor, an event statistics processor and a structure feature extraction processor, wherein the acquisition setting processor is used for setting acquisition time parameters, the event statistics processor is used for counting the occurrence times of all specific events in a corresponding time period, and the structure feature extraction processor is used for sorting statistical data into structure features.
3. The attack detection system based on artificial intelligence according to claim 2, wherein the information fusion unit comprises a fulcrum control processor, a feature selection processor and a fusion calculation processor, the fulcrum control processor is used for selecting fulcrum information composed of events and time, the feature selection processor is used for selecting and preprocessing corresponding time sequence features and structural features based on the fulcrum information, and the fusion calculation processor is used for carrying out calculation fusion on the time sequence features and the structural features;
the fusion calculation processor calculates a fusion value Fu according to the following formula:
;
Wherein x i is the i-th element value in the time sequence vector, FN is the number of elements in the time sequence vector, SN is the event position number, pr1 is the front proportion, pr2 is the rear proportion, and m is the specific event number.
4. An artificial intelligence based attack detection system according to claim 3 wherein the feature encoding unit includes an information register for receiving stored pairing information, a collation generation processor for collating pairing information and generating intermediate feature codes, and an encoding transmission processor for transmitting a continuous plurality of intermediate feature codes to the intelligent parsing module.
5. The attack detection system based on artificial intelligence according to claim 4, wherein the nonlinear variation unit comprises a plurality of variation computation processors, each variation computation processor is used as a node, the nodes are connected in a unidirectional way to form a feed-forward network, the variation computation processors are used for processing two binary numbers and outputting a binary number, and the number of binary numbers processed and obtained in the variation computation processors is the same as the number of intermediate feature code bits;
The process of the change calculation processor for processing the input data comprises the following steps:
S1, circularly shifting a second input parameter b 1 left or right by a plurality of bits to obtain a binary number b 2;
S2, adding or subtracting the first input parameter a 1 and the first input parameter b 2 to obtain a binary number c 1;
S3, reserving the lower position of c 1 The bit number is used for obtaining and outputting a binary number c 2;
the first input parameter and the second input parameter are the two input binary numbers, and the shift direction, the number of bits shifted and the choice of addition or subtraction are the processing parameters of the change calculation processor;
the nonlinear variation unit finally outputs N binary numbers as advanced features.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410396276.XA CN117997650B (en) | 2024-04-03 | 2024-04-03 | Attack detection system based on artificial intelligence |
Publications (2)
Publication Number | Publication Date |
---|---|
CN117997650A (en) | 2024-05-07 |
CN117997650B (en) | 2024-05-28 |
Family
ID=90887683
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202410396276.XA Active CN117997650B (en) | 2024-04-03 | 2024-04-03 | Attack detection system based on artificial intelligence |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117997650B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||