CN118138374A - Network security protection method and system based on cloud computing - Google Patents
Publication number: CN118138374A (application CN202410537731.3A)
Authority: CN (China)
Prior art keywords: flow table, feature set, flow, representing, network
Legal status: Granted (status as listed by Google Patents, which notes that the listed status is an assumption and not a legal conclusion)
Classifications
- H04L63/1416—Event detection, e.g. attack signature detection (H04L63/00 network security; H04L63/14 detecting or protecting against malicious traffic; H04L63/1408 by monitoring network traffic)
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service (under H04L63/1441)
- H04L67/10—Protocols in which an application is distributed across nodes in the network (H04L67/00 network arrangements or protocols for supporting network services or applications; H04L67/01 protocols)
- Y02D30/50—Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate (Y02D climate change mitigation technologies in ICT; Y02D30/00 reducing energy consumption in communication networks)
Abstract
The invention relates to the technical field of network security protection, in particular to a network security protection method and system based on cloud computing, comprising the following steps: acquiring flow table information of the target network traffic from the target switch according to a preset collection period; extracting a plurality of basic flow table features from the flow table information to obtain a basic flow table feature set, extracting a plurality of composite flow table features through a feature extraction formula to obtain a composite flow table feature set, and combining the basic flow table feature set and the composite flow table feature set to obtain a flow table feature set. The invention can monitor the target network traffic in real time and respond automatically according to preset rules, including intrusion detection and traffic cleaning, thereby dealing effectively with network security threats; by extracting a plurality of basic and composite flow table features it can analyse the target network traffic more comprehensively, improve detection accuracy and reduce the false alarm rate.
Description
Technical Field
The invention relates to the technical field of network security protection, in particular to a network security protection method and system based on cloud computing.
Background
Cloud servers and cloud computing are closely related and usually complementary: a cloud server is an application of cloud computing, and cloud computing is the infrastructure that supports services such as cloud servers. A cloud server is a virtual server that provides computing power over the internet; it can be hosted on a cloud computing platform, and users can access and manage it remotely over the network.
In a distributed denial of service (DDoS) attack, an attacker uses many computers or devices to send a large number of requests to a target network or server, consuming the target's bandwidth, processing capacity or other key resources so that it can no longer provide service normally and may even be paralysed. DDoS attacks are usually carried out through a botnet, i.e. a network of many infected computers, Internet of Things devices and the like that attack the target in concert; by controlling the infected devices the attacker sends a large number of packets or requests, overloading the target system so that it cannot respond to legitimate users' requests, which results in denial of service.
Traditional network security protection methods generally rely on manual or periodic analysis and detection of network traffic and cannot respond to network security threats in time. In traffic analysis they can usually only extract features and screen matching degrees by manually written rules, so it is difficult to analyse network traffic comprehensively and accurately, and false positives or missed detections are easily produced. Their intrusion detection and classification techniques are relatively single-purpose and cannot comprehensively cover the various network security threats, and information is siloed between security devices, making rapid information sharing and response difficult.
Disclosure of Invention
The invention aims at solving the problems in the background technology and provides a network security protection method and system based on cloud computing.
The technical scheme of the invention is as follows: a network security protection method based on cloud computing, comprising:
Acquiring flow table information of the target network flow from the target switch according to a preset collection period;
Extracting a plurality of basic flow table features from the flow table information to obtain a basic flow table feature set, extracting a plurality of composite flow table features through a feature extraction formula to obtain a composite flow table feature set, and combining the basic flow table feature set and the composite flow table feature set to obtain a flow table feature set;
Matching the flow table feature set with a malicious flow table feature set sequence pre-stored in a flow table database, so as to obtain the matching degree of the flow table feature set and the malicious flow table feature set sequence;
If the matching degree is higher than a preset matching degree threshold value, performing intrusion detection on the target network traffic corresponding to the flow table feature set through a network intrusion detection model so as to obtain an intrusion detection result, otherwise, indicating that the target network traffic corresponding to the flow table feature set is safe network traffic;
If the intrusion detection result shows that the target network flow is the intrusion network flow, uploading the flow table feature set to a malicious flow table feature set sequence in the flow table database, and cleaning the intrusion network flow by a flow cleaning method.
Preferably, the basic flow table feature set is as follows:
;
Wherein the symbols denote, in order: the flow table feature set, the source address, the destination address, the source port number, the destination port number, the protocol type, the number of data packets transmitted, the data packet size, the source TCP port number, the destination TCP port number, the source UDP port number and the destination UDP port number.
Preferably, the flow table database is arranged in a cloud server, a plurality of cloud servers form a flow table database cluster together, and sharing and synchronization of data are realized among all nodes in the flow table database cluster.
Preferably, the feature extraction formula includes a first formula, a second formula, a third formula, and a fourth formula, and the first formula is as follows:
;
Wherein the symbols denote, in order: the flow table entry rate, the number of flow table entries per unit time, and the sampling period;
the second formula is as follows:
;
Wherein the symbols denote, in order: the source IP acceleration rate, the number of source IP address changes, and the sampling period;
The third formula is as follows:
;
Wherein the symbols denote, in order: the source port acceleration rate, the number of source port changes, and the sampling period;
the fourth formula is as follows:
;
Wherein the symbols denote, in order: the destination port acceleration rate, the number of destination ports, and the sampling period.
Preferably, the matching of the flow table feature set with a malicious flow table feature set sequence pre-stored in a flow table database to obtain a matching degree of the flow table feature set and the malicious flow table feature set sequence includes:
calculating importance degree of the flow table items in the flow table item category in the flow table feature set, wherein the importance degree expression is as follows:
;
Wherein the symbols denote, in order: the importance of the jth flow table entry in the flow table feature set, a flow table entry in the flow table feature set, the number of occurrences of that entry within its flow table entry category, the number of flow table entries in the flow table feature set, and the total number of flow table entries in the flow table feature set;
calculating an average value of importance vectors in each flow table item category based on the importance degree of the flow table item in the flow table item category in the flow table feature set, wherein the average value expression of the importance vectors in each flow table item category is as follows:
;
Wherein the symbols denote, in order: the average value of the importance vectors in each flow table entry category, the number of flow table entries in the flow table feature set, and the importance of the jth flow table entry in the flow table feature set.
Preferably, the matching between the flow table feature set and a malicious flow table feature set sequence pre-stored in a flow table database is performed, so as to obtain the matching degree between the flow table feature set and the malicious flow table feature set sequence, and the method further includes:
Comparing the average value of the importance vectors in the various flow table item categories with the average value of the importance vectors in the malicious flow table item categories, thereby obtaining comparison difference values;
Normalizing the comparison difference value to obtain a normalized comparison difference value, and calculating the matching degree of the flow table feature set and the malicious flow table feature set based on the normalized comparison difference value, wherein the matching degree expression is as follows:
;
Wherein the symbols denote, in order: the matching degree of the flow table feature set with the malicious flow table feature set, the normalized comparison difference value, and the absolute value of the normalized comparison difference value.
Preferably, the network intrusion detection model includes a convolutional neural network, a bidirectional long short-term memory network, a three-way decision classifier and a K-nearest neighbour classifier. The convolutional neural network performs local feature extraction on the network traffic corresponding to the flow table feature set to obtain a local feature sequence; the bidirectional long short-term memory network performs temporal feature extraction on the local feature sequence to obtain a time-series feature sequence; the three-way decision classifier classifies the time-series feature sequence to obtain a positive-domain, boundary-domain or negative-domain intrusion detection result. Target network traffic that receives a boundary-domain result is passed through the network intrusion detection model again, and if it is classified into the boundary domain a second time, its time-series feature sequence is classified by the K-nearest neighbour classifier to obtain a positive-domain or negative-domain intrusion detection result.
Preferably, the flow cleaning method includes:
Monitoring the real-time traffic of the server port and judging whether the server port rate exceeds an alarm threshold; if so, blocking the intrusion network traffic at the network layer, otherwise not processing the intrusion network traffic;
judging whether the port rate of the server exceeds a protection threshold, if so, carrying out traffic speed limiting on the network of the target user according to the tolerance of the target user, and transferring the intrusion network traffic of an application layer to a traffic network cleaning node, otherwise, not processing the intrusion network traffic;
Judging whether the port rate of the server exceeds a threshold value, and if so, transferring the flow in the server to the network cleaning node.
The technical scheme of the invention is as follows: the network security protection system based on cloud computing is suitable for the network security protection method based on cloud computing, and comprises a flow table information acquisition module, a flow table feature extraction module, a flow table feature matching module, an intrusion detection module, a flow cleaning module and a cloud service module;
The flow table information acquisition module is used for acquiring flow table information of the target network flow from the target switch according to a preset collection period;
The flow table feature extraction module is used for extracting a plurality of basic flow table features from the flow table information and extracting a plurality of composite flow table features according to a feature extraction formula so as to obtain a complete flow table feature set;
The flow table feature matching module is used for matching the extracted flow table feature set with a pre-stored malicious flow table feature set sequence, and calculating whether the matching degree is lower than a preset matching degree threshold value;
the intrusion detection module is used for triggering the network intrusion detection model to perform intrusion detection on the target network flow when the matching degree is higher than the matching degree threshold value, and generating a corresponding intrusion detection result;
the flow cleaning module is used for uploading the flow table feature set to a malicious flow table feature set sequence to update a safe flow table database and triggering a flow cleaning method to clean the flow of the intrusion network if the intrusion detection result shows that the intrusion exists in the target network flow;
the cloud service module is used for sharing and synchronizing data among all nodes in the flow table database cluster.
Compared with the prior art, the technical scheme provided by the invention has the following beneficial technical effects:
1. The invention can monitor the target network traffic in real time and respond automatically according to preset rules, including intrusion detection and traffic cleaning, and so deal effectively with network security threats. By extracting a plurality of basic and composite flow table features it analyses the target traffic more comprehensively, improving detection accuracy and reducing the false alarm rate; by matching against malicious flow table feature sets it judges the security of the target traffic quickly, reducing unnecessary intrusion detection operations and improving efficiency.
2. Through the network intrusion detection model, the invention combines a convolutional neural network, a bidirectional long short-term memory network, a three-way decision classifier and a K-nearest neighbour classifier to achieve multi-level classification of network traffic, improving the accuracy and comprehensiveness of detection. Detected intrusion traffic can be rate-limited according to thresholds and transferred to a traffic cleaning node for cleaning, which keeps network services running normally. Sharing and synchronizing the contents of the flow table database ensures that every node in the cluster holds the same copy of the data, guaranteeing consistency and accuracy, and allows the malicious flow table feature set sequence to be shared: if one node detects malicious traffic or abnormal behaviour and adds its feature set to the malicious flow table feature set sequence, the other nodes obtain and apply the information immediately, responding rapidly and preventing similar attacks.
Drawings
FIG. 1 is a flow chart of an overall method according to an embodiment of the present invention;
FIG. 2 is a flow chart of matching a flow table feature set with a malicious flow table feature set in an embodiment of the present invention;
FIG. 3 is a flow chart of a flow cleaning method according to an embodiment of the present invention;
Fig. 4 is a flow chart of the overall system according to an embodiment of the present invention.
Reference numerals: 1. the flow table information acquisition module; 2. a flow table feature extraction module; 3. a flow table feature matching module; 4. an intrusion detection module; 5. a flow cleaning module; 6. and the cloud service module.
Detailed Description
In a first embodiment, as shown in fig. 1, the network security protection method based on cloud computing provided by the present invention includes:
S1, acquiring flow table information of target network flow from a target switch according to a preset collection period;
S2, extracting a plurality of basic flow table features from the flow table information to obtain a basic flow table feature set, extracting a plurality of composite flow table features through a feature extraction formula to obtain a composite flow table feature set, and combining the basic flow table feature set and the composite flow table feature set to obtain a flow table feature set;
s3, matching the flow table feature set with a malicious flow table feature set sequence pre-stored in a flow table database, so as to obtain the matching degree of the flow table feature set and the malicious flow table feature set sequence;
s4, if the matching degree is higher than a preset matching degree threshold value, performing intrusion detection on the target network traffic corresponding to the flow table feature set through a network intrusion detection model so as to obtain an intrusion detection result, otherwise, indicating that the target network traffic corresponding to the flow table feature set is safe network traffic;
S5, if the intrusion detection result shows that the target network traffic is the intrusion network traffic, uploading the flow table feature set to a malicious flow table feature set sequence in a flow table database, and cleaning the intrusion network traffic by a traffic cleaning method.
In the invention, the collection period is generally 5 minutes to 30 minutes, and can be set in real time according to the actual condition of the network.
In the second embodiment, as shown in figs. 2-3, the network security protection method based on cloud computing according to the present invention further includes: the basic flow table feature set is as follows:
;
Wherein the symbols denote, in order: the flow table feature set, the source address, the destination address, the source port number, the destination port number, the protocol type, the number of data packets transmitted, the data packet size, the source TCP port number, the destination TCP port number, the source UDP port number and the destination UDP port number.
In an alternative embodiment, the flow table database is arranged in the cloud servers, and a plurality of cloud servers jointly form a flow table database cluster, so that data sharing and synchronization are realized among all nodes in the flow table database cluster.
It should be noted that sharing and synchronizing the contents of the flow table database ensures that every node in the cluster holds the same copy of the data, guaranteeing consistency and accuracy, so that the malicious flow table feature set sequence can be shared: if one node detects malicious traffic or abnormal behaviour and adds its feature set to the malicious flow table feature set sequence, the other nodes can obtain and apply the information immediately, responding quickly and preventing similar attacks.
In an alternative embodiment, the feature extraction formula includes a first formula, a second formula, a third formula, and a fourth formula, the first formula being as follows:
;
Wherein the symbols denote, in order: the flow table entry rate, the number of flow table entries per unit time, and the sampling period;
The second formula is as follows:
;
Wherein the symbols denote, in order: the source IP acceleration rate, the number of source IP address changes, and the sampling period;
The third formula is as follows:
;
Wherein the symbols denote, in order: the source port acceleration rate, the number of source port changes, and the sampling period;
the fourth formula is as follows:
;
Wherein the symbols denote, in order: the destination port acceleration rate, the number of destination ports, and the sampling period.
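The basic feature set and the four composite features above (the same formulas appear in the claims section earlier on the page), as an added Python example; this is not the patent's own code. The flow entry record layout, the reading of each composite formula as a count divided by the sampling period, and the treatment of "number of changes" as the number of distinct source addresses or ports seen in the period are assumptions of this example, and the flow entries are constructed samples.

```python
from dataclasses import dataclass
from typing import Iterable

# Flow table entry as collected from the target switch in one sampling period.
# The field layout is this example's assumption, not a format the patent specifies.
@dataclass(frozen=True)
class FlowEntry:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str          # "TCP" or "UDP"
    packets: int        # number of data packets matched by the entry
    size: int           # data packet size in bytes (total for the entry)

def basic_features(e: FlowEntry) -> dict:
    """The basic flow table features the patent lists for one entry.
    The TCP/UDP-specific port fields are filled only for the matching protocol."""
    tcp, udp = e.proto == "TCP", e.proto == "UDP"
    return {
        "src_ip": e.src_ip, "dst_ip": e.dst_ip,
        "src_port": e.src_port, "dst_port": e.dst_port,
        "proto": e.proto, "packets": e.packets, "size": e.size,
        "tcp_sport": e.src_port if tcp else None, "tcp_dport": e.dst_port if tcp else None,
        "udp_sport": e.src_port if udp else None, "udp_dport": e.dst_port if udp else None,
    }

def composite_features(entries: Iterable[FlowEntry], period_s: float) -> dict:
    """Composite features over one sampling period. Each of the four formulas is
    read here as count / period (a per-second rate), and "number of changes" of an
    address or port is taken as the number of distinct values seen in the period;
    both readings are assumptions of this example."""
    if period_s <= 0:
        raise ValueError("sampling period must be positive")
    entries = list(entries)
    return {
        "entry_rate": len(entries) / period_s,
        "src_ip_accel": len({e.src_ip for e in entries}) / period_s,
        "src_port_accel": len({e.src_port for e in entries}) / period_s,
        "dst_port_accel": len({e.dst_port for e in entries}) / period_s,
    }

def flow_table_feature_set(entries: Iterable[FlowEntry], period_s: float) -> dict:
    """Combine the basic and composite features into the flow table feature set."""
    entries = list(entries)
    return {"basic": [basic_features(e) for e in entries],
            "composite": composite_features(entries, period_s)}

# Constructed samples using RFC 5737 documentation addresses, 50 s period.
PERIOD_S = 50.0
NORMAL = [
    FlowEntry("192.0.2.10", "203.0.113.5", 51000, 443, "TCP", 120, 85000),
    FlowEntry("192.0.2.10", "203.0.113.5", 51001, 443, "TCP", 40, 12000),
    FlowEntry("192.0.2.11", "203.0.113.5", 43000, 80, "TCP", 30, 9000),
    FlowEntry("192.0.2.11", "203.0.113.7", 43001, 53, "UDP", 2, 300),
]
# A flood towards one service: 200 entries, each with a different source
# address and source port and a single packet.
FLOOD = [
    FlowEntry(f"198.51.100.{i}", "203.0.113.5", 1024 + i, 80, "TCP", 1, 60)
    for i in range(200)
]

if __name__ == "__main__":
    for name, sample in (("normal", NORMAL), ("flood", FLOOD)):
        print(name, composite_features(sample, PERIOD_S))
```

On these samples the flood yields an entry rate and a source-IP acceleration of 4.0 per second against 0.08 and 0.04 for the normal traffic, while the destination-port acceleration stays low in both cases; that contrast between churn of sources and concentration on one destination is what the later matching and detection steps act on.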
In an alternative embodiment, matching the flow table feature set with a malicious flow table feature set sequence pre-stored in the flow table database, thereby obtaining a matching degree of the flow table feature set and the malicious flow table feature set sequence, including:
a1, calculating importance degree of flow table items in a flow table feature set in a flow table item category, wherein an importance degree expression is as follows:
;
Wherein the symbols denote, in order: the importance of the jth flow table entry in the flow table feature set, a flow table entry in the flow table feature set, the number of occurrences of that entry within its flow table entry category, the number of flow table entries in the flow table feature set, and the total number of flow table entries in the flow table feature set;
a2, calculating the average value of importance vectors in each flow table item category based on the importance degree of the flow table item in the flow table item category in the flow table feature set, wherein the average value expression of the importance vectors in each flow table item category is as follows:
;
Wherein the symbols denote, in order: the average value of the importance vectors in each flow table entry category, the number of flow table entries in the flow table feature set, and the importance of the jth flow table entry in the flow table feature set.
In an alternative embodiment, the matching between the flow table feature set and the malicious flow table feature set sequence pre-stored in the flow table database is performed to obtain the matching degree between the flow table feature set and the malicious flow table feature set sequence, and the method further includes:
A3, comparing the average value of the importance vectors in the various flow table item categories with the average value of the importance vectors in the malicious flow table item categories, so as to obtain a comparison difference value;
And A4, normalizing the comparison difference value to obtain a normalized comparison difference value, and calculating the matching degree of the flow table feature set and the malicious flow table feature set based on the normalized comparison difference value, wherein the matching degree expression is as follows:
;
Wherein the symbols denote, in order: the matching degree of the flow table feature set with the malicious flow table feature set, the normalized comparison difference value, and the absolute value of the normalized comparison difference value.
In an alternative embodiment, the network intrusion detection model includes a convolutional neural network, a bidirectional long short-term memory network, a three-way decision classifier and a K-nearest neighbour classifier. The convolutional neural network extracts local features of the network traffic corresponding to the flow table feature set to obtain a local feature sequence; the bidirectional long short-term memory network extracts temporal features from the local feature sequence to obtain a time-series feature sequence; the three-way decision classifier classifies the time-series feature sequence to obtain a positive-domain, boundary-domain or negative-domain intrusion detection result. Intrusion detection is performed again through the network intrusion detection model on the target network traffic that received a boundary-domain result, and if that traffic is classified into the boundary domain again, the K-nearest neighbour classifier classifies its time-series feature sequence to obtain a positive-domain or negative-domain intrusion detection result.
It should be noted that the convolutional neural network (CNN) extracts local features of the network traffic corresponding to the flow table feature set. CNNs are good at extracting spatially local features from input data, which is very useful for network traffic; in network intrusion detection a CNN helps the system capture and understand local patterns and features in the traffic. The bidirectional long short-term memory network (Bi-LSTM) extracts temporal features from the local feature sequence. An LSTM is a recurrent neural network suited to time-series data, and a bidirectional LSTM considers past and future information at the same time, which helps capture more complete temporal dependencies; in intrusion detection the Bi-LSTM helps understand, model and analyse the time-related characteristics of the traffic data. The three-way decision classifier classifies the time-series feature sequence into positive-domain, boundary-domain and negative-domain intrusion detection results; the three branches may indicate that the classifier divides the input into three types, namely normal traffic, potential (boundary) traffic and malicious traffic, and it plays a key role in helping the system judge and classify different kinds of network traffic. The K-nearest neighbour classifier classifies the time-series feature sequence of the target traffic that received a boundary-domain result. It is an instance-based learning method that classifies a new sample by comparing its similarity with the samples in the training set, and it is used in the model to further refine the classification of boundary-domain traffic and so improve the accuracy of intrusion identification.
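The decision flow described above (three-way decision, a second pass for boundary-domain traffic, K-nearest neighbour as the final arbiter), as an added Python example that is not part of the patent. The CNN + Bi-LSTM detector is replaced by a fixed logistic scoring function so the control flow can run offline; the thresholds ALPHA and BETA, the scorer weights, the feature layout (entry rate, source-IP acceleration, destination-port acceleration) and the labelled training vectors are all constructed assumptions of this example. The second pass is modelled as re-scoring the next sampling window of the same traffic.

```python
import math
from typing import Callable, Sequence, Tuple

Vector = Tuple[float, ...]

# Three-way decision thresholds (assumed values): score >= ALPHA is the positive
# domain (intrusion), score <= BETA the negative domain (benign), otherwise boundary.
ALPHA, BETA = 0.8, 0.3

def three_way_decide(score: float, alpha: float = ALPHA, beta: float = BETA) -> str:
    if not 0.0 <= score <= 1.0:
        raise ValueError("score must be a probability in [0, 1]")
    if score >= alpha:
        return "positive"
    if score <= beta:
        return "negative"
    return "boundary"

def stand_in_scorer(x: Vector) -> float:
    """Stand-in for the CNN + Bi-LSTM detector: a fixed logistic function of
    (entry_rate, src_ip_accel, dst_port_accel). Weights are made up for the example."""
    z = 0.5 * x[0] + 1.0 * x[1] - 3.0
    return 1.0 / (1.0 + math.exp(-z))

def knn_label(query: Vector, training: Sequence[Tuple[Vector, str]], k: int = 3) -> str:
    """Plain k-nearest-neighbour vote on Euclidean distance; a tie goes to the
    label of the nearest neighbour."""
    ranked = sorted(((math.dist(query, vec), label) for vec, label in training),
                    key=lambda d: d[0])[:k]
    votes: dict = {}
    for _, label in ranked:
        votes[label] = votes.get(label, 0) + 1
    top = max(votes.values())
    return next(label for _, label in ranked if votes[label] == top)

def classify_traffic(windows: Sequence[Vector],
                     scorer: Callable[[Vector], float],
                     training: Sequence[Tuple[Vector, str]],
                     k: int = 3) -> Tuple[str, str]:
    """windows: feature vectors of consecutive sampling periods of the same traffic.
    First window -> three-way decision. A boundary verdict is decided again on the
    next window (the patent re-runs the detection model). If still boundary, the
    k-NN classifier gives the final positive/negative verdict. Returns (verdict, stage)."""
    if not windows:
        raise ValueError("need at least one window")
    verdict = three_way_decide(scorer(windows[0]))
    if verdict != "boundary":
        return verdict, "first_pass"
    second = windows[1] if len(windows) > 1 else windows[0]
    verdict = three_way_decide(scorer(second))
    if verdict != "boundary":
        return verdict, "second_pass"
    return knn_label(second, training, k), "knn"

# Constructed, labelled history used by the k-NN fallback.
TRAINING = [
    ((0.1, 0.05, 0.06), "negative"), ((0.2, 0.1, 0.1), "negative"),
    ((0.5, 0.2, 0.2), "negative"),   ((6.0, 5.0, 0.02), "positive"),
    ((8.0, 8.0, 0.02), "positive"),  ((3.0, 2.0, 0.05), "positive"),
    ((2.5, 1.2, 0.1), "positive"),
]

if __name__ == "__main__":
    print(classify_traffic([(0.1, 0.05, 0.06)], stand_in_scorer, TRAINING))
    print(classify_traffic([(8.0, 8.0, 0.02)], stand_in_scorer, TRAINING))
    print(classify_traffic([(3.0, 1.5, 0.1), (3.2, 1.6, 0.1)], stand_in_scorer, TRAINING))
```

The value of the boundary domain is that an uncertain verdict costs one more sampling window and a cheap distance computation instead of an immediate block or an immediate pass; in a deployment the k-NN training set would be the labelled flow table feature sets the cluster already shares through the flow table database.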
In an alternative embodiment, the flow cleaning method includes:
B1, monitoring the real-time traffic of a server port and judging whether the rate of the server port exceeds an alarm threshold; if so, blocking the intrusion network traffic at the network layer, otherwise not processing the intrusion network traffic;
B2, judging whether the port rate of the server exceeds a protection threshold; if so, limiting the traffic rate of the target user's network according to the tolerance of the target user and transferring the application-layer intrusion network traffic to a traffic network cleaning node, otherwise not processing the intrusion network traffic;
B3, judging whether the port rate of the server exceeds a threshold value, and if so, transferring the traffic in the server to a network cleaning node.
It should be noted that the user tolerance is obtained as follows. First, historical data from periods in which the user faced a network attack or reduced service quality is collected, including the user's behavior data, system logs and complaint records; this data can include the user's access patterns, response times, retry frequency and complaint content. The collected data is then cleaned and organized, including removing outliers, filling in missing data and unifying the data format, so that it can be used for subsequent analysis. A data analysis algorithm is used to analyze the user's history in depth; statistical analysis and machine learning models can be adopted to explore the user's reactions and behavior patterns under different conditions. By establishing a prediction model of user tolerance from the user's historical data, the user's tolerance level when facing similar conditions can be inferred, and the degree of tolerance for different situations can be predicted using supervised or unsupervised learning. Network cleaning nodes are nodes deployed in the network that are dedicated to detecting, filtering and cleaning the traffic flowing through them; they are typically deployed at the network edge or at critical locations to protect the network from malicious traffic, network attacks and security threats.
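As an added illustration of steps B1 to B3 together with the user tolerance input (also restated in claim 8), the following is not the patent's own code: the thresholds `ALARM_THRESHOLD`, `PROTECTION_THRESHOLD` and `TRANSFER_THRESHOLD`, the `rate_limit_from_tolerance` mapping and the sample measurements are assumptions, since the patent gives no numeric values.

```python
"""Tiered flow-cleaning decision for one server port (steps B1-B3).

Added example, not the patent's own code.  Thresholds, the
tolerance-to-rate-limit mapping and the measurements are assumptions."""
from dataclasses import dataclass, field

# Assumed thresholds in Mbit/s, ordered alarm < protection < transfer.
ALARM_THRESHOLD = 100.0       # B1: block network-layer intrusion traffic
PROTECTION_THRESHOLD = 300.0  # B2: rate-limit users, divert application-layer traffic
TRANSFER_THRESHOLD = 600.0    # B3: divert all server traffic to the cleaning node


@dataclass
class CleaningPlan:
    """Actions selected for the current port rate; tiers are cumulative."""
    block_l3_intrusion: bool = False
    divert_l7_intrusion: bool = False
    divert_all_traffic: bool = False
    # user id -> share of the port rate the user keeps (1.0 = no limit)
    user_rate_limits: dict = field(default_factory=dict)


def rate_limit_from_tolerance(tolerance):
    """Assumed mapping: a user's tolerance in [0, 1] (1 = tolerates heavy
    throttling) becomes the bandwidth share kept under protection,
    between 20% and 100%."""
    t = min(1.0, max(0.0, tolerance))
    return round(1.0 - 0.8 * t, 2)


def plan_cleaning(port_rate, user_tolerance):
    """Apply B1, B2 and B3 in order for one measured port rate."""
    plan = CleaningPlan()
    if port_rate > ALARM_THRESHOLD:            # B1
        plan.block_l3_intrusion = True
    if port_rate > PROTECTION_THRESHOLD:       # B2
        plan.divert_l7_intrusion = True
        plan.user_rate_limits = {
            user: rate_limit_from_tolerance(tol)
            for user, tol in user_tolerance.items()
        }
    if port_rate > TRANSFER_THRESHOLD:         # B3
        plan.divert_all_traffic = True
    return plan


def monitor(samples, user_tolerance):
    """Evaluate (timestamp, rate) measurements; returns the highest tier
    (0 = none, 1 = B1, 2 = B2, 3 = B3) reached per sample for logging."""
    tiers = []
    for ts, rate in samples:
        plan = plan_cleaning(rate, user_tolerance)
        if plan.divert_all_traffic:
            tier = 3
        elif plan.divert_l7_intrusion:
            tier = 2
        elif plan.block_l3_intrusion:
            tier = 1
        else:
            tier = 0
        tiers.append((ts, tier))
    return tiers


# Constructed sample data: predicted tolerances and a rising port rate.
USER_TOLERANCE = {"tenant-a": 0.9, "tenant-b": 0.25}
SAMPLES = [(0, 40.0), (1, 150.0), (2, 420.0), (3, 800.0)]

if __name__ == "__main__":
    for ts, rate in SAMPLES:
        print(ts, rate, plan_cleaning(rate, USER_TOLERANCE))
```

Keeping the three checks independent (rather than an if/elif chain) matters: at the B3 tier the B1 block and the B2 rate limits remain in force while traffic is diverted, which is what cumulative escalation requires.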
In the third embodiment, as shown in fig. 4, the network security protection system based on cloud computing provided by the invention is applicable to the network security protection method based on cloud computing, and comprises a flow table information acquisition module 1, a flow table feature extraction module 2, a flow table feature matching module 3, an intrusion detection module 4, a flow cleaning module 5 and a cloud service module 6;
The flow table information acquisition module 1 is used for acquiring flow table information of the target network flow from the target switch according to a preset collection period;
The flow table feature extraction module 2 is used for extracting a plurality of basic flow table features from the flow table information, and extracting a plurality of composite flow table features according to a feature extraction formula so as to obtain a complete flow table feature set;
The flow table feature matching module 3 is used for matching the extracted flow table feature set with a pre-stored malicious flow table feature set sequence, and calculating whether the matching degree is lower than a preset matching degree threshold value;
The intrusion detection module 4 is configured to trigger the network intrusion detection model to perform intrusion detection on the target network traffic when the matching degree is higher than the matching degree threshold value, so as to generate a corresponding intrusion detection result;
The flow cleaning module 5 is used, if the intrusion detection result indicates that an intrusion exists in the target network flow, for uploading the flow table feature set to the malicious flow table feature set sequence so as to update the safe flow table database, and for triggering the flow cleaning method to clean the intrusion network flow;
The cloud service module 6 is used for sharing and synchronizing data between each node in the flow table database cluster.
The embodiments of the present invention have been described in detail with reference to the drawings, but the present invention is not limited thereto, and various changes can be made within the knowledge of those skilled in the art without departing from the spirit of the present invention.
Claims (9)
1. The network security protection method based on cloud computing is characterized by comprising the following steps of:
Acquiring flow table information of the target network flow from the target switch according to a preset collection period;
Extracting a plurality of basic flow table features from the flow table information to obtain a basic flow table feature set, extracting a plurality of composite flow table features through a feature extraction formula to obtain a composite flow table feature set, and combining the basic flow table feature set and the composite flow table feature set to obtain a flow table feature set;
Matching the flow table feature set with a malicious flow table feature set sequence pre-stored in a flow table database, so as to obtain the matching degree of the flow table feature set and the malicious flow table feature set sequence;
If the matching degree is higher than a preset matching degree threshold value, performing intrusion detection on the target network traffic corresponding to the flow table feature set through a network intrusion detection model so as to obtain an intrusion detection result, otherwise, indicating that the target network traffic corresponding to the flow table feature set is safe network traffic;
If the intrusion detection result shows that the target network flow is the intrusion network flow, uploading the flow table feature set to a malicious flow table feature set sequence in the flow table database, and cleaning the intrusion network flow by a flow cleaning method.
2. The cloud computing-based network security protection method according to claim 1, wherein: the basic flow table feature set is as follows:
;
Wherein the symbols represent, in order: the set of flow table features, a source address, a destination address, a source port number, a destination port number, a protocol type, the number of data packets transmitted, the data packet size, a source TCP port number, a destination TCP port number, a source UDP port number, and a destination UDP port number.
3. The cloud computing-based network security protection method according to claim 1, wherein: the flow table database is arranged in the cloud servers, a plurality of cloud servers form a flow table database cluster together, and data sharing and synchronization are realized among all nodes in the flow table database cluster.
4. The cloud computing-based network security protection method according to claim 1, wherein: the feature extraction formula comprises a first formula, a second formula, a third formula and a fourth formula, wherein the first formula is as follows:
;
Wherein the symbols represent, in order: the flow entry rate, the number of flow entries per unit time, and the sampling period;
the second formula is as follows:
;
Wherein the symbols represent, in order: the source IP acceleration, the number of source IP address changes, and the sampling period;
The third formula is as follows:
;
Wherein the symbols represent, in order: the source port acceleration, the number of source port address changes, and the sampling period;
the fourth formula is as follows:
;
Wherein the symbols represent, in order: the speed increase of the destination port, the number of destination ports, and the sampling period.
5. The cloud computing-based network security protection method according to claim 1, wherein: matching the flow table feature set with a malicious flow table feature set sequence pre-stored in a flow table database to obtain the matching degree of the flow table feature set and the malicious flow table feature set sequence comprises the following steps:
calculating the importance degree of each flow table item within its flow table item category in the flow table feature set, wherein the importance degree expression is as follows:
;
Wherein the symbols represent, in order: the importance of the jth flow table item in the flow table feature set, the flow table items in the flow table feature set, the frequency of occurrence of the flow table item within its flow table item category in the flow table feature set, the flow table item at a given index in the flow table feature set, and the total number of flow table items in the flow table feature set;
calculating an average value of importance vectors in each flow table item category based on the importance degree of the flow table item in the flow table item category in the flow table feature set, wherein the average value expression of the importance vectors in each flow table item category is as follows:
;
Wherein the symbols represent, in order: the mean value of the importance vectors in each flow table item category, the number of flow table items in the flow table feature set, and the importance of the jth flow table item in the flow table feature set.
6. The cloud computing-based network security protection method according to claim 5, wherein: matching the flow table feature set with a malicious flow table feature set sequence pre-stored in a flow table database, thereby obtaining the matching degree of the flow table feature set and the malicious flow table feature set sequence, and further comprising:
Comparing the average value of the importance vectors in the various flow table item categories with the average value of the importance vectors in the malicious flow table item categories, thereby obtaining comparison difference values;
Normalizing the comparison difference value to obtain a normalized comparison difference value, and calculating the matching degree of the flow table feature set and the malicious flow table feature set based on the normalized comparison difference value, wherein the matching degree expression is as follows:
;
Wherein the symbols represent, in order: the matching degree of the flow table feature set and the malicious flow table feature set, the normalized comparison difference, and the absolute value of the normalized comparison difference.
7. The cloud computing-based network security protection method according to claim 1, wherein: the network intrusion detection model comprises a convolutional neural network, a two-way long-short-term memory network, three decision classifiers and a K neighbor classifier, wherein the convolutional neural network is used for carrying out local feature extraction on network traffic corresponding to a feature set of a flow table so as to obtain a local feature sequence, the two-way long-short-term memory network is used for carrying out time feature extraction on the local feature sequence so as to obtain a time sequence feature sequence, the three decision classifiers are used for classifying the time sequence feature sequence so as to obtain a positive domain intrusion detection result, a boundary domain intrusion detection result and a negative domain intrusion detection result, intrusion detection is carried out on the target network traffic corresponding to the boundary domain intrusion detection result through the network intrusion detection model again, and if the target network traffic corresponding to the boundary domain intrusion detection result is classified into a boundary domain again, the time sequence feature sequence corresponding to the target network traffic corresponding to the boundary domain intrusion detection result is classified through the K neighbor classifier so as to obtain the positive domain intrusion detection result and the negative domain intrusion detection result.
8. The cloud computing-based network security protection method according to claim 1, wherein: the flow cleaning method comprises the following steps:
Monitoring the real-time traffic of a server port, judging whether the rate of the server port exceeds an alarm threshold, blocking the intrusion network traffic at the network layer if the rate exceeds the alarm threshold, otherwise not processing the intrusion network traffic;
judging whether the port rate of the server exceeds a protection threshold, if so, carrying out traffic speed limiting on the network of the target user according to the tolerance of the target user, and transferring the intrusion network traffic of an application layer to a traffic network cleaning node, otherwise, not processing the intrusion network traffic;
Judging whether the port rate of the server exceeds a threshold value, and if so, transferring the flow in the server to the network cleaning node.
9. The network security protection system based on cloud computing, which is applicable to the network security protection method based on cloud computing as claimed in any one of claims 1-8, comprises a flow table information acquisition module (1), a flow table feature extraction module (2), a flow table feature matching module (3), an intrusion detection module (4), a flow cleaning module (5) and a cloud service module (6), and is characterized in that:
the flow table information acquisition module (1) is used for acquiring flow table information of the target network flow from the target switch according to a preset collection period;
The flow table feature extraction module (2) is used for extracting a plurality of basic flow table features from the flow table information and extracting a plurality of composite flow table features according to a feature extraction formula so as to obtain a complete flow table feature set;
the flow table feature matching module (3) is used for matching the extracted flow table feature set with a pre-stored malicious flow table feature set sequence, and calculating whether the matching degree is lower than a preset matching degree threshold value;
the intrusion detection module (4) is used for triggering the network intrusion detection model to perform intrusion detection on the target network flow when the matching degree is higher than the matching degree threshold value, and generating a corresponding intrusion detection result;
The flow cleaning module (5) is used for uploading the flow table feature set to a malicious flow table feature set sequence to update a safe flow table database and triggering a flow cleaning method to clean the flow of the target network if the intrusion detection result shows that the intrusion exists;
the cloud service module (6) is used for sharing and synchronizing data among all nodes in the flow table database cluster.
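The feature extraction of claims 2 and 4 and the matching of claims 5 and 6 are illustrated by the following added example. It is not the patent's own code, and since the formulas themselves are not reproduced on this page, the count-over-period form of the composite features, the frequency-based importance weight, the relative-difference normalization and the `1 - mean |difference|` matching degree are all assumptions, as are the constructed flow entries `BENIGN`, `SCAN` and `TARGET`.

```python
"""Flow-table feature extraction and matching against a stored malicious
feature set, following claims 2 and 4-6.

Added example, not the patent's own code.  Assumed formulas:
  * each composite feature = count / sampling period,
  * importance of a flow-table item = frequency of its value within its
    category / total number of items in the set,
  * comparison difference normalized as (a - b) / (a + b), which lies in
    [-1, 1] because importances are positive,
  * matching degree = 1 - mean |normalized difference| over categories.
All flow entries below are constructed sample data."""
from collections import Counter
from statistics import mean

CATEGORIES = ("src", "dst", "sport", "dport", "proto")


def _entry(src, dst, sport, dport, proto="tcp", pkts=1, nbytes=60):
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "proto": proto, "pkts": pkts, "bytes": nbytes}


# Constructed: ordinary client traffic to two internal web servers.
BENIGN = [
    _entry("10.0.0.5", "10.0.1.10", 51000, 443),
    _entry("10.0.0.6", "10.0.1.10", 51001, 443),
    _entry("10.0.0.5", "10.0.1.11", 51002, 80),
    _entry("10.0.0.7", "10.0.1.10", 51003, 443),
]
# Constructed: stored malicious pattern, one source probing many ports.
SCAN = [_entry("192.0.2.1", "10.0.1.10", 40000, p) for p in (22, 23, 80, 443)]
# Constructed: new traffic with the same shape as SCAN but different values.
TARGET = [_entry("198.51.100.9", "10.0.1.20", 55555, p) for p in (21, 22, 25, 110)]
PERIOD = 2.0  # assumed sampling period in seconds


def basic_features(entries):
    """Basic flow table feature set: one tuple per entry (claim 2 fields)."""
    return [(e["src"], e["dst"], e["sport"], e["dport"], e["proto"],
             e["pkts"], e["bytes"]) for e in entries]


def _changes(values):
    """Number of positions where a value differs from the previous one."""
    return sum(1 for a, b in zip(values, values[1:]) if a != b)


def composite_features(entries, period):
    """Composite features of claim 4 in the assumed count / period form."""
    return {
        "entry_rate": len(entries) / period,
        "src_ip_accel": _changes([e["src"] for e in entries]) / period,
        "src_port_accel": _changes([e["sport"] for e in entries]) / period,
        "dst_port_speed": len({e["dport"] for e in entries}) / period,
    }


def importance_vectors(entries):
    """Per category, the importance of each entry's item: frequency of that
    value within the category divided by the total number of entries."""
    n = len(entries)
    vecs = {}
    for cat in CATEGORIES:
        counts = Counter(e[cat] for e in entries)
        vecs[cat] = [counts[e[cat]] / n for e in entries]
    return vecs


def mean_importance(entries):
    """Mean importance vector per flow table item category (claim 5)."""
    return {cat: mean(v) for cat, v in importance_vectors(entries).items()}


def matching_degree(feature_entries, malicious_entries):
    """Claim 6: compare per-category means, normalize the difference, and
    return 1.0 for identical statistics down to 0.0 for maximal difference."""
    a = mean_importance(feature_entries)
    b = mean_importance(malicious_entries)
    normalized = [(a[c] - b[c]) / (a[c] + b[c]) for c in CATEGORIES]
    return 1.0 - mean(abs(d) for d in normalized)


if __name__ == "__main__":
    print(composite_features(BENIGN, PERIOD), composite_features(SCAN, PERIOD))
    print("benign vs scan:", matching_degree(BENIGN, SCAN))
    print("target vs scan:", matching_degree(TARGET, SCAN))
```

Because the importance weights depend only on how values repeat within each category, `TARGET` matches the stored `SCAN` pattern perfectly even though none of its addresses or ports appear in the stored set; that is the property that lets a feature-set match catch a scan from a source never seen before, and also why the threshold comparison of claim 1 needs a model-based second stage for the in-between cases.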
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410537731.3A CN118138374B (en) | 2024-04-30 | 2024-04-30 | Network security protection method and system based on cloud computing |
Publications (2)
Publication Number | Publication Date |
---|---|
CN118138374A true CN118138374A (en) | 2024-06-04 |
CN118138374B CN118138374B (en) | 2024-06-28 |
Family
ID=91231974
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202410537731.3A Active CN118138374B (en) | 2024-04-30 | 2024-04-30 | Network security protection method and system based on cloud computing |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN118138374B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109274673A (en) * | 2018-09-26 | 2019-01-25 | 广东工业大学 | A kind of detection of exception of network traffic and defence method |
CN111294342A (en) * | 2020-01-17 | 2020-06-16 | 深圳供电局有限公司 | Method and system for detecting DDos attack in software defined network |
CN111756719A (en) * | 2020-06-17 | 2020-10-09 | 哈尔滨工业大学 | DDoS attack detection method combining SVM and optimized LSTM model under SDN network architecture |
CN114978667A (en) * | 2022-05-17 | 2022-08-30 | 安捷光通科技成都有限公司 | SDN network DDoS attack detection method based on graph neural network |
Also Published As
Publication number | Publication date |
---|---|
CN118138374B (en) | 2024-06-28 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||