CN118157992B - Intelligent network security protection method and system - Google Patents


Publication number
CN118157992B
Authority
CN
China
Prior art keywords
image
feature
network
network traffic
reference network
Legal status
Active
Application number
CN202410573015.0A
Other languages
Chinese (zh)
Other versions
CN118157992A (en
Inventor
王凤珠
孙国意
徐蔷薇
吴海迪
谷孝峰
王其凯
Current Assignee
Jiangsu Yunwang Shuzhi Information Technology Co ltd
Original Assignee
Jiangsu Yunwang Shuzhi Information Technology Co ltd
Application filed by Jiangsu Yunwang Shuzhi Information Technology Co ltd
Priority to CN202410573015.0A
Publication of CN118157992A
Application granted
Publication of CN118157992B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/213 Feature extraction, e.g. by transforming the feature space; Summarisation; Mappings, e.g. subspace methods
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/0464 Convolutional networks [CNN, ConvNet]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/12 Network monitoring probes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic


Abstract

An intelligent network security protection method and system. First, network traffic data is converted into a detection network traffic grayscale image. Next, a network traffic local time-series pattern feature extractor performs feature extraction on each reference network traffic pattern grayscale image marked as normal, to obtain a set of reference network traffic image characterization feature vectors. Essential feature screening is then performed on that set to obtain a reference network traffic image characterization essential feature vector. The same feature extractor performs feature extraction on the detection network traffic grayscale image to obtain a detection network traffic image characterization feature vector. Finally, whether to turn on network defense is determined based on the hash similarity between the reference network traffic image characterization essential feature vector and the detection network traffic image characterization feature vector.

Description

Intelligent network security protection method and system
Technical Field
The disclosure relates to the field of network security protection, in particular to an intelligent network security protection method and system.
Background
Network security is critical because it protects network systems and data from unauthorized access, vandalism, or theft. However, conventional network security protection methods, such as firewalls and intrusion detection systems (IDS), have limitations in detecting and preventing network attacks. For example, firewalls protect a network by blocking unauthorized network traffic, but they can only detect and block known attack patterns; against new or unknown attacks, a firewall may not be able to defend effectively. An IDS can monitor network traffic and detect suspicious activity, but it typically relies on signatures or rules to identify attacks, so it may not detect a zero-day attack or an advanced persistent threat (APT) in time. Thus, as network attacks become more complex and better concealed, traditional security approaches struggle to deal with new types of threats.
Accordingly, an intelligent network security scheme is desired.
Disclosure of Invention
The present disclosure has been made in view of the above problems. An object of the present disclosure is to provide an intelligent network security protection method and system.
The embodiment of the disclosure provides an intelligent network security protection method, which comprises the following steps:
capturing network traffic data using a network sniffer;
converting the network traffic data into a detection network traffic grayscale image;
extracting a set of reference network traffic pattern grayscale images marked as normal from a background database;
performing feature extraction on each reference network traffic pattern grayscale image in the set of reference network traffic pattern grayscale images marked as normal, through a network traffic local time-series pattern feature extractor based on a deep neural network model, to obtain a set of reference network traffic image characterization feature vectors;
performing essential feature screening on the set of reference network traffic image characterization feature vectors to obtain a reference network traffic image characterization essential feature vector;
performing feature extraction on the detection network traffic grayscale image through the network traffic local time-series pattern feature extractor based on the deep neural network model, to obtain a detection network traffic image characterization feature vector; and
calculating the hash similarity between the reference network traffic image characterization feature vector and the detection network traffic image characterization feature vector, and determining whether to turn on network defense.
For example, in an intelligent network security protection method according to an embodiment of the present disclosure, converting the network traffic data into the detection network traffic grayscale image includes:
saving the network traffic data as a PCAP file;
extracting data packet information from the PCAP file, wherein the data packet information includes a source IP address, a destination IP address, a port number, and a data packet length;
converting the data packet information into a plurality of data frames, wherein each data frame comprises a hash value of the source IP address, a hash value of the destination IP address, a hash value of the port number, and the data packet length; and
normalizing the data packet lengths in the plurality of data frames to between 0 and 255 to obtain the detection network traffic grayscale image.
For example, an intelligent network security method according to an embodiment of the present disclosure, wherein the deep neural network model is a convolutional neural network model.
For example, in an intelligent network security protection method according to an embodiment of the present disclosure, performing the essential feature screening on the set of reference network traffic image characterization feature vectors to obtain the reference network traffic image characterization essential feature vector includes:
performing feature optimization on each reference network traffic image characterization feature vector in the set of reference network traffic image characterization feature vectors to obtain a set of optimized reference network traffic image characterization feature vectors; and
passing the set of optimized reference network traffic image characterization feature vectors through a feature-screening essential feature network to obtain the reference network traffic image characterization essential feature vector.
For example, in an intelligent network security protection method according to an embodiment of the present disclosure, passing the set of optimized reference network traffic image characterization feature vectors through the feature-screening essential feature network to obtain the reference network traffic image characterization essential feature vector includes:
processing the set of optimized reference network traffic image characterization feature vectors through the feature-screening essential feature network according to the following feature screening formula to obtain the reference network traffic image characterization essential feature vector; wherein the feature screening formula is:
Wherein, Is the first in the set of the optimized reference network flow image characterization feature vectorsThe optimized reference network traffic image characterizes the feature vector,Is the first in the set of the optimized reference network flow image characterization feature vectorsThe optimized reference network traffic image characterizes the feature vector,Representing 1 norm of feature vectorCharacterizing the length-1 of the set of feature vectors for the optimized reference network traffic image,Characterizing a representation of a set of feature vectors for the optimized reference network traffic image,The characteristic difference coefficient is represented by a characteristic,Representing the operation of a natural exponential function,Representing the total number of the characteristic difference coefficients,And characterizing an essential feature vector for the reference network traffic image.
For example, in an intelligent network security protection method according to an embodiment of the present disclosure, performing feature optimization on each reference network traffic image characterization feature vector in the set of reference network traffic image characterization feature vectors to obtain the set of optimized reference network traffic image characterization feature vectors includes:
performing probabilistic logical association reasoning on each reference network traffic image characterization feature vector in the set of reference network traffic image characterization feature vectors to obtain a plurality of logical association coefficients; and
using the plurality of logical association coefficients as weighting coefficients to perform weighted optimization on each reference network traffic image characterization feature vector in the set of reference network traffic image characterization feature vectors, to obtain the set of optimized reference network traffic image characterization feature vectors.
For example, in an intelligent network security protection method according to an embodiment of the present disclosure, calculating the hash similarity between the reference network traffic image characterization feature vector and the detection network traffic image characterization feature vector, and determining whether to turn on network defense, includes:
calculating the hash similarity between the reference network traffic image characterization essential feature vector and the detection network traffic image characterization feature vector; and
determining whether to turn on network defense based on a comparison between the hash similarity and a predetermined threshold.
For example, in an intelligent network security protection method according to an embodiment of the present disclosure, it is determined to turn on the network defense in response to the hash similarity being less than the predetermined threshold.
Embodiments of the present disclosure also provide an intelligent network security system, comprising:
a data capture module for capturing network traffic data using a network sniffer;
a data conversion module for converting the network traffic data into a detection network traffic grayscale image;
an image extraction module for extracting a set of reference network traffic pattern grayscale images marked as normal from a background database;
a reference feature extraction module for performing feature extraction on each reference network traffic pattern grayscale image in the set of reference network traffic pattern grayscale images marked as normal, through a network traffic local time-series pattern feature extractor based on a deep neural network model, to obtain a set of reference network traffic image characterization feature vectors;
an essential feature screening module for performing essential feature screening on the set of reference network traffic image characterization feature vectors to obtain a reference network traffic image characterization essential feature vector;
a detection feature extraction module for performing feature extraction on the detection network traffic grayscale image through the network traffic local time-series pattern feature extractor based on the deep neural network model, to obtain a detection network traffic image characterization feature vector; and
a hash similarity analysis module for calculating the hash similarity between the reference network traffic image characterization feature vector and the detection network traffic image characterization feature vector, and determining whether to turn on network defense.
For example, an intelligent network security system according to an embodiment of the present disclosure, wherein the data conversion module comprises:
a storage unit, configured to store the network traffic data as a PCAP file;
a packet information extraction unit configured to extract packet information from the PCAP file, where the packet information includes a source IP address, a destination IP address, a port number, and a packet length;
a data frame conversion unit, configured to convert the data packet information into a plurality of data frames, where each data frame includes a hash value of a source IP address, a hash value of a destination IP address, a hash value of a port number, and a data packet length; and
a normalization unit, configured to normalize the data packet lengths in the plurality of data frames to between 0 and 255 to obtain the detection network traffic grayscale image.
According to the intelligent network security protection method and system of the present disclosure, network traffic data is captured in real time by a network sniffer and converted into a network traffic grayscale image. At the back end, image processing and analysis algorithms based on artificial intelligence and deep learning analyze the detection network traffic grayscale image and extract features from it, while learning of normal network traffic patterns assists in detecting abnormal network patterns, so as to determine whether to turn on network defense. In this way, the intelligent method avoids the limitations of traditional detection and prevention of network attacks and improves the efficiency and accuracy of network security protection.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present disclosure, the drawings of the embodiments of the present disclosure will be briefly described below. It is apparent that the figures in the following description relate only to some embodiments of the present disclosure and are not limiting of the present disclosure.
FIG. 1 is a schematic diagram of an application architecture of an intelligent network security method in an embodiment of the disclosure;
FIG. 2 illustrates a flow chart of an intelligent network security method in an embodiment of the present disclosure;
FIG. 3 shows a flowchart of substep S520 of the intelligent network security method in an embodiment of the present disclosure;
FIG. 4 shows a flowchart of substep S550 of the intelligent network security method in an embodiment of the present disclosure;
FIG. 5 shows a flowchart of substep S570 of the intelligent network security method in an embodiment of the present disclosure;
FIG. 6 illustrates a schematic diagram of an intelligent network security system in an embodiment of the present disclosure;
FIG. 7 illustrates an application scenario diagram of an intelligent network security method in an embodiment of the present disclosure;
FIG. 8 shows a schematic diagram of a storage medium according to an embodiment of the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present disclosure are described clearly and fully below with reference to the accompanying drawings. The embodiments described are only some, not all, of the embodiments of the disclosure. All other embodiments that a person of ordinary skill in the art can obtain from the embodiments of the present disclosure without undue burden also fall within the scope of the present disclosure.
The terms used in the present specification are general terms that are currently widely used in the art in view of the functions of the present disclosure, but they may vary according to the intention of a person of ordinary skill in the art, precedent, or new technology in the art. Furthermore, specific terms may be selected by the applicant, in which case their detailed meanings are given in the detailed description of the present disclosure. Accordingly, the terms used in the specification should not be construed as simple names, but rather on the basis of their meanings and the general description of the present disclosure.
While the present disclosure makes various references to certain modules in a system according to embodiments of the present disclosure, any number of different modules may be used and run on a user terminal and/or server. The modules are merely illustrative, and different aspects of the systems and methods may use different modules.
Flowcharts are used in this disclosure to describe the operations performed by a system according to embodiments of the present disclosure. It should be understood that the preceding or following operations are not necessarily performed precisely in order. Rather, the various steps may be processed in reverse order or simultaneously, as desired. Other operations may also be added to these processes, or operations may be removed from them.
Fig. 1 shows an application architecture schematic diagram of an intelligent network security protection method in an embodiment of the disclosure, including a server 100 and a terminal device 200.
The terminal device 200 and the server 100 may be connected to each other through a network to realize communication between them. Optionally, the network uses standard communication techniques and/or protocols. The network is typically the Internet, but may be any network including, but not limited to, a local area network (LAN), metropolitan area network (MAN), wide area network (WAN), a mobile, wired or wireless network, a private network, or any combination of virtual private networks. In some embodiments, the data exchanged over the network is represented using techniques and/or formats including Hypertext Markup Language (HTML), Extensible Markup Language (XML), and the like. All or some of the links may also be encrypted using conventional encryption techniques such as Secure Sockets Layer (SSL), Transport Layer Security (TLS), virtual private network (VPN), Internet Protocol Security (IPsec), etc. In other embodiments, custom and/or dedicated data communication techniques may also be used in place of or in addition to the data communication techniques described above.
The server 100 may provide various network services for the terminal device 200, wherein the server 100 may be a single server, a server cluster formed by a plurality of servers, or a cloud computing center. In particular, the server 100 may include a processor 110 (Central Processing Unit, CPU), a memory 120, an input device 130, an output device 140, etc. The input device 130 may include a keyboard, a mouse, a touch screen, etc., and the output device 140 may include a display device such as a liquid crystal display (LCD), a cathode ray tube (CRT), etc.
The memory 120 may include Read Only Memory (ROM) and Random Access Memory (RAM) and provides the processor 110 with program instructions and data stored in the memory 120. In the disclosed embodiments, the memory 120 may be used to store programs of the intelligent network security method in the disclosed embodiments.
Processor 110 is configured to execute the steps of any of the intelligent network security protection methods of the embodiments of the present disclosure in accordance with the obtained program instructions by calling the program instructions stored by memory 120.
In addition, the application architecture diagram in the embodiments of the present disclosure is intended to illustrate the technical solution more clearly and does not limit the technical solution provided in the embodiments of the present disclosure. The technical solution provided in the embodiments of the present disclosure is equally applicable to similar problems in other application architectures and service applications.
The intelligent network security method provided according to at least one embodiment of the present disclosure is described below in terms of several examples or embodiments, and as described below, different features of these specific examples or embodiments may be combined with each other without contradiction, thereby resulting in new examples or embodiments, which also fall within the scope of the present disclosure.
To address the above technical problems, the technical concept of the present application is to capture network traffic data in real time through a network sniffer and convert it into a network traffic grayscale image, so that the back end can analyze the detection network traffic grayscale image and extract features from it using image processing and analysis algorithms based on artificial intelligence and deep learning, while learning of normal network traffic patterns assists in detecting abnormal network patterns, so as to determine whether to turn on network defense. In this way, the intelligent method avoids the limitations of traditional detection and prevention of network attacks and improves the efficiency and accuracy of network security protection.
Fig. 2 illustrates a flow chart of an intelligent network security method in an embodiment of the present disclosure. For example, the intelligent network security method may be performed by a server, which may be the server 100 shown in Fig. 1. As shown in Fig. 2, an intelligent network security protection method according to an embodiment of the present disclosure includes the steps of:
S510, capturing network traffic data by using a network sniffer;
S520, converting the network traffic data into a detection network traffic grayscale image;
S530, extracting a set of reference network traffic pattern grayscale images marked as normal from a background database;
S540, performing feature extraction on each reference network traffic pattern grayscale image in the set of reference network traffic pattern grayscale images marked as normal, through a network traffic local time-series pattern feature extractor based on a deep neural network model, to obtain a set of reference network traffic image characterization feature vectors;
S550, performing essential feature screening on the set of reference network traffic image characterization feature vectors to obtain a reference network traffic image characterization essential feature vector;
S560, performing feature extraction on the detection network traffic grayscale image through the network traffic local time-series pattern feature extractor based on the deep neural network model, to obtain a detection network traffic image characterization feature vector; and
S570, calculating the hash similarity between the reference network traffic image characterization essential feature vector and the detection network traffic image characterization feature vector, and determining whether to turn on network defense.
It is worth mentioning that a network sniffer is a software tool for capturing and analyzing network traffic. It can monitor all traffic on the network and record details of the data packets, such as source and destination IP addresses, port numbers, protocol types and data packet content. The network sniffer may be:
Wireshark: a popular open source network sniffer for analyzing network traffic and troubleshooting;
tcpdump: a command line network sniffer for capturing and analyzing network traffic;
Snort: a Network Intrusion Detection System (NIDS) that uses network sniffing functions to detect network attacks;
Metasploit: a penetration test framework comprising a network sniffer module for capturing and analyzing network traffic;
Cain and Abel: a tool for password recovery and network analysis that includes a network sniffer function.
These network sniffers may be used to identify and resolve network connection problems, detect and analyze network attacks, measure network traffic and identify bottlenecks, study network protocols and data packet formats, or collect and analyze network evidence.
Specifically, in the technical solution of the present application, the network sniffer is first used to capture network traffic data. Compared with the time-ordered one-dimensional form of the network traffic data, image data can provide fuller and richer network traffic semantics, which helps identify abnormal patterns and changes in the traffic. For this reason, in the technical solution of the present application, the network traffic data is converted into the detection network traffic grayscale image. Converting the network traffic data into a grayscale image provides a visual representation in which network traffic patterns and characteristics are expressed more intuitively. It also allows image processing and analysis algorithms to be used for the subsequent extraction and identification of image features, which helps identify abnormal traffic and attack patterns quickly.
Accordingly, in step S520, as shown in Fig. 3, converting the network traffic data into the detection network traffic grayscale image includes:
S521, saving the network traffic data as a PCAP file;
S522, extracting data packet information from the PCAP file, wherein the data packet information comprises a source IP address, a destination IP address, a port number and a data packet length;
S523, converting the data packet information into a plurality of data frames, wherein each data frame comprises a hash value of the source IP address, a hash value of the destination IP address, a hash value of the port number and the data packet length; and
S524, normalizing the data packet lengths in the plurality of data frames to between 0 and 255 to obtain the detection network traffic grayscale image.
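The conversion in steps S521 to S524, as an added Python example that is not code from the patent. The patent does not say which hash is used, which port is meant, or how lengths are scaled; the first byte of SHA-256, the destination port, and a fixed 1514-byte ceiling are assumptions here, and the capture bytes are constructed inline.

```python
import hashlib
import socket
import struct

MAX_FRAME_LEN = 1514  # assumed scaling ceiling: full Ethernet frame without FCS


def parse_frame(frame):
    """Return (src_ip, dst_ip, dst_port) for an IPv4 TCP/UDP Ethernet frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None  # too short, or not IPv4 (ARP, IPv6, VLAN-tagged ...)
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    frag_offset = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
    if frame[14] >> 4 != 4 or ihl < 20 or proto not in (6, 17) or frag_offset:
        return None  # later fragments carry no TCP/UDP header
    l4 = 14 + ihl
    if len(frame) < l4 + 4:
        return None  # capture cut off before the port fields
    dport = struct.unpack("!H", frame[l4 + 2:l4 + 4])[0]
    return socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]), dport


def parse_pcap(blob):
    """S522: yield (src_ip, dst_ip, dst_port, orig_len) per usable packet in a classic pcap."""
    if len(blob) < 24:
        raise ValueError("file too short for pcap global header")
    if blob[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"  # written on a little-endian host
    elif blob[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(end + "I", blob[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    off = 24
    while off + 16 <= len(blob):
        _sec, _usec, incl_len, orig_len = struct.unpack(end + "IIII", blob[off:off + 16])
        frame = blob[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < incl_len:
            break  # truncated final record
        fields = parse_frame(frame)
        if fields is not None:
            yield fields + (orig_len,)


def byte_hash(data):
    """Assumed hash-to-pixel mapping: first byte of SHA-256, so the value is 0..255."""
    return hashlib.sha256(data).digest()[0]


def to_gray_image(records):
    """S523 + S524: one row per packet, four 8-bit pixels per row."""
    image = []
    for src, dst, dport, length in records:
        image.append([
            byte_hash(socket.inet_aton(src)),
            byte_hash(socket.inet_aton(dst)),
            byte_hash(struct.pack("!H", dport)),
            # A fixed ceiling keeps reference and detection images on the same
            # scale; oversized (jumbo) frames are clamped to 255.
            min(255, round(length * 255 / MAX_FRAME_LEN)),
        ])
    return image


def build_frame(src, dst, dport, proto, payload_len):
    """Constructed sample data: minimal Ethernet/IPv4 frame with a TCP or UDP header."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x18, 1024, 0, 0)
    else:
        l4 = struct.pack("!HHHH", 40000, dport, 8 + payload_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + payload_len, 0, 0, 64,
                     proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x02" * 12 + b"\x08\x00" + ip + l4 + bytes(payload_len)


def build_pcap(frames):
    """Constructed sample data: wrap frames in a little-endian classic pcap (S521)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "10.0.0.9", 443, 6, 100),     # 154-byte TCP frame
    build_frame("10.0.0.5", "10.0.0.53", 53, 17, 40),     # 82-byte UDP frame
    b"\xff" * 6 + b"\x02" * 6 + b"\x08\x06" + bytes(28),  # ARP, skipped by the parser
    build_frame("10.0.0.7", "10.0.0.9", 443, 6, 1460),    # 1514-byte TCP frame
])

if __name__ == "__main__":
    for row in to_gray_image(parse_pcap(SAMPLE_PCAP)):
        print(row)
```

Because the address and port columns are hashes, equal values map to equal pixels but numerically close values do not map to close pixels, so only the length column carries magnitude information into the image.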
It should be understood that, in actual network traffic anomaly detection, the analysis of network traffic data is subject to noise interference, which leads to misjudgments and false alarms. To reduce the false alarm rate, that is, to reduce the cases in which normal traffic is misjudged as abnormal, and to improve the reliability of the system, the technical solution of the present application extracts a set of reference network traffic pattern grayscale images marked as normal from a background database. By comparing the detection network traffic image with the normal reference pattern images, the system can more accurately detect anomalies that do not match the normal pattern. In other words, the reference network traffic pattern grayscale images marked as normal help establish a reference model, that is, a typical pattern of normal network traffic. These images represent the characteristics of the network during normal operation and help identify anomalies and attacks, so that the system can identify and respond to network security threats more quickly.
Then, in order to capture the network traffic patterns and characteristics of normal network operation and establish a reference model against which the detected network traffic pattern can be compared, the technical solution of the present application uses a network traffic local time-series pattern feature extractor based on a convolutional neural network model, which performs well at extracting implicit image features. The extractor performs feature extraction on each reference network traffic pattern grayscale image in the set of reference network traffic pattern grayscale images marked as normal, extracting the pattern features of normal network traffic in each image and thereby obtaining the set of reference network traffic image characterization feature vectors.
Accordingly, the deep neural network model is a convolutional neural network model, that is, the network traffic local time sequence pattern feature extractor based on the deep neural network model is a network traffic local time sequence pattern feature extractor based on the convolutional neural network model. It should be appreciated that Convolutional Neural Network (CNN) is a deep learning model that is specifically used to process data having a grid-like structure. The principle of operation of convolutional neural networks is to extract local features of data by using special layers called convolutional layers. The convolution layer slides over the input data using a set of weights called filters, calculating a weighted sum for each location, which helps extract patterns and features in the image, such as edges, shapes, and textures. Convolutional neural networks are typically composed of the following layers: convolution layer: extracting local characteristics of the data; pooling layer: the size of the feature map is reduced, and the robustness is improved; full tie layer: the extracted features are mapped to output categories. The main advantages of convolutional neural networks include: local connection: the convolution layer processes only a small portion of the input data, which helps extract local features; weight sharing: the filters in the convolutional layer are shared across the entire input data, which reduces the number of parameters of the model and promotes translational invariance; multi-layer feature extraction: convolutional neural networks may stack multiple convolutional layers to extract higher and higher levels of features from the data.
And similarly, the detected network flow gray level image is subjected to feature capture through the local time sequence pattern feature extractor of the network flow based on the convolutional neural network model so as to extract the feature information about the detected network flow pattern in the detected network flow gray level image, thereby obtaining the characteristic feature vector of the detected network flow image.
Furthermore, in consideration of the fact that in different network traffic mode characteristics during normal operation of the network, implicit correlation exists among the network traffic modes, and meanwhile, information deviating from the network normal operation essential characteristic mode exists, and the information has small effect on abnormal detection and judgment of the network traffic. Therefore, in order to remove unnecessary features and redundant information, thereby simplifying data representation, improving calculation efficiency and reducing risk of overfitting, in the technical scheme of the application, the set of the reference network flow image characterization feature vectors is further subjected to feature screening to obtain the reference network flow image characterization feature vectors. It should be appreciated that the feature screening feature network may select representative and distinguishing features from a set of reference network traffic image characterization feature vectors that are critical to identifying normal network traffic patterns. In this way, robustness to noise and interference can be improved, thereby improving accuracy in flow anomaly detection and classification. Accordingly, in step S550, as shown in fig. 4, the filtering the set of reference network traffic image characterizing feature vectors to obtain reference network traffic image characterizing feature vectors includes: s551, performing feature optimization on each reference network flow image characterization feature vector in the set of reference network flow image characterization feature vectors to obtain a set of optimized reference network flow image characterization feature vectors; and S552, the optimized set of the characterization feature vectors of the reference network flow image is passed through a feature screening essential feature network to obtain the characterization essential feature vector of the reference network flow image.
Wherein in a specific example, in step S552, the step of filtering the set of optimized reference network traffic image characterization feature vectors through a feature screening intrinsic feature network to obtain the reference network traffic image characterization intrinsic feature vector includes: processing the optimized set of the characteristic feature vectors of the reference network flow image through the characteristic screening intrinsic feature network according to the following characteristic screening formula to obtain the characteristic intrinsic feature vector of the reference network flow image; wherein, the characteristic screening formula is:
Wherein, Is the first in the set of the optimized reference network flow image characterization feature vectorsThe optimized reference network traffic image characterizes the feature vector,Is the first in the set of the optimized reference network flow image characterization feature vectorsThe optimized reference network traffic image characterizes the feature vector,Representing 1 norm of feature vectorCharacterizing the length-1 of the set of feature vectors for the optimized reference network traffic image,Characterizing a representation of a set of feature vectors for the optimized reference network traffic image,The characteristic difference coefficient is represented by a characteristic,Representing the operation of a natural exponential function,Representing the total number of the characteristic difference coefficients,And characterizing an essential feature vector for the reference network traffic image.
Then, to compare the detected network traffic pattern features with the network traffic pattern features of normal network operation and so determine whether an abnormal traffic pattern exists, the reference network traffic image characterization intrinsic feature vector and the detected network traffic image characterization feature vector need to be compared quantitatively. It should be appreciated that hash similarity is a fast and efficient way to measure the similarity of two feature vectors. By calculating the hash similarity, the system can quantify the degree of similarity between the reference network traffic and the detected network traffic. Therefore, in the technical solution of the present application, the hash similarity between the reference network traffic image characterization intrinsic feature vector and the detected network traffic image characterization feature vector is further calculated, and whether to turn on network defense is determined based on a comparison between the hash similarity and a predetermined threshold. That is, by setting a predetermined threshold for the hash similarity, the system can distinguish between normal and abnormal network traffic. When the hash similarity of the detected network traffic is below the predetermined threshold, the traffic is marked as abnormal or suspicious. In this way, an intelligent method avoids the limitations of traditional detection and prevention of network attacks and improves the efficiency and accuracy of network security protection. Accordingly, in step S570, as shown in fig. 5, calculating the hash similarity between the reference network traffic image characterization intrinsic feature vector and the detected network traffic image characterization feature vector, and determining whether to turn on network defense, includes: S571, calculating the hash similarity between the reference network traffic image characterization intrinsic feature vector and the detected network traffic image characterization feature vector; and S572, determining whether to turn on network defense based on the comparison between the hash similarity and a predetermined threshold.
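The threshold decision of steps S571 and S572, as an added example that is not code from the patent. The patent does not define the hash, so a mean-threshold binary hash with Hamming similarity is assumed here; the calibration helper, the margin and the sample vectors are likewise constructed for illustration.

```python
from statistics import mean


def mean_hash(vector):
    """Binary hash: one bit per component, set when it exceeds the vector mean."""
    centre = mean(vector)
    return [1 if x > centre else 0 for x in vector]


def hash_similarity(a, b):
    """Fraction of matching hash bits (1 minus the normalised Hamming distance)."""
    if len(a) != len(b) or not a:
        raise ValueError("feature vectors must be non-empty and of equal length")
    return sum(x == y for x, y in zip(mean_hash(a), mean_hash(b))) / len(a)


def calibrate_threshold(reference, normal_vectors, margin=0.05):
    """Place the threshold just below the lowest similarity seen on known-normal traffic."""
    return min(hash_similarity(reference, v) for v in normal_vectors) - margin


def defense_needed(reference, detected, threshold):
    """S572: turn on network defense when the similarity is below the threshold."""
    return hash_similarity(reference, detected) < threshold


# Constructed vectors standing in for CNN outputs (8 components for readability).
REFERENCE = [0.9, 0.1, 0.8, 0.2, 0.7, 0.3, 0.6, 0.4]
NORMAL = [
    [0.85, 0.15, 0.75, 0.25, 0.8, 0.2, 0.55, 0.45],  # same shape as the reference
    [0.9, 0.2, 0.7, 0.1, 0.4, 0.3, 0.8, 0.5],        # normal, but two bits differ
]
DEVIATING = [0.1, 0.9, 0.2, 0.8, 0.3, 0.7, 0.4, 0.6]  # inverted pattern
THRESHOLD = calibrate_threshold(REFERENCE, NORMAL)

if __name__ == "__main__":
    for name, vec in [("normal-1", NORMAL[0]), ("normal-2", NORMAL[1]), ("deviating", DEVIATING)]:
        print(name, hash_similarity(REFERENCE, vec), defense_needed(REFERENCE, vec, THRESHOLD))
```

A mean-threshold hash ignores magnitude: a vector multiplied by a positive constant hashes identically, so under this assumed hash a change in volume that preserves the pattern shape does not lower the similarity.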
Further, in response to the hash similarity being less than the predetermined threshold, it is determined to turn on network defense. In the technical solution of the present application, each reference network traffic image characterization feature vector in the set of reference network traffic image characterization feature vectors expresses the image semantic features of a reference network traffic pattern grayscale image marked as normal. However, because the source images of the reference network traffic pattern grayscale images marked as normal differ semantically, the overall image semantic feature distributions of the feature vectors are inconsistent among the reference network traffic image characterization feature vectors in the set. This affects the certainty and robustness of the semantic feature expression of the reference network traffic image characterization intrinsic feature vector obtained by passing the set of reference network traffic image characterization feature vectors through the feature screening intrinsic feature network, and in turn affects the calculation accuracy of the hash similarity between the reference network traffic image characterization intrinsic feature vector and the detected network traffic image characterization feature vector.
Thus, the applicant of the present application optimizes each feature vector in the set of reference network traffic image characterization feature vectors. Accordingly, in one example, in step S551, performing feature optimization on each reference network traffic image characterization feature vector in the set of reference network traffic image characterization feature vectors to obtain a set of optimized reference network traffic image characterization feature vectors includes: performing probability logic association reasoning on each reference network traffic image characterization feature vector in the set of reference network traffic image characterization feature vectors to obtain a plurality of logic association coefficients; and performing weighted optimization on each reference network traffic image characterization feature vector in the set of reference network traffic image characterization feature vectors, using the plurality of logic association coefficients as weighting coefficients, to obtain the set of optimized reference network traffic image characterization feature vectors. Performing probability logic association reasoning on each reference network traffic image characterization feature vector in the set of reference network traffic image characterization feature vectors to obtain a plurality of logic association coefficients includes: performing probability logic association reasoning on each reference network traffic image characterization feature vector in the set of reference network traffic image characterization feature vectors using the following coefficient calculation formula to obtain the plurality of logic association coefficients; wherein the coefficient calculation formula is:
Wherein, Is each of the set of reference network traffic image characterization feature vectorsIndividual feature vectorsIs the first of (2)The characteristic value of the individual position is used,Probability function representing eigenvalues, i.e. eigenvaluesMapping toA probability function of the interval of time,Is the length of the feature vector in question,Is a feature vectorDivided by the sum of eigenvalues of said eigenvectorsAnd probability values obtained by the sum of the eigenvalues of the characterization eigenvectors of the corresponding reference network traffic images, andIs the weight of the parameter to be exceeded,Is each of the set of reference network traffic image characterization feature vectorsIndividual feature vectorsCorresponding logical association coefficients. That is, for each feature scene corresponding to each feature vector in the set of feature vectors of the reference network traffic image representation feature vector, the semantic association probability reasoning logic association of scene saturation is accepted through probability distribution foreground constraint and relative probability mapping response hypothesis, so that the feature set of each feature vector in the set of feature vectors of the reference network traffic image representation feature vector is endowed with scene concept ontology cognition, that is, integral distribution and semantic association probability logic reasoning based on the scene in the semantic expression process are internally aligned, so that the understanding capability of the feature vector scene distribution of the set of feature vectors of the reference network traffic image representation feature vector on the semantic association cognition is improved. 
Thus, again by the coefficientCharacterizing each feature vector in a set of feature vectors for the reference network traffic imageAnd performing weighted optimization to improve the consistency of image semantic feature distribution among all the reference network flow image characterization feature vectors in the set of the reference network flow image characterization feature vectors, thereby improving the certainty and the robustness of semantic feature expression of the reference network flow image characterization intrinsic feature vector and further improving the calculation accuracy of the hash similarity between the reference network flow image characterization intrinsic feature vector and the detection network flow image characterization feature vector. Therefore, the system can be helped to quickly and effectively measure the similarity between the actual network traffic mode and the network traffic mode in normal operation, and abnormal detection and classification of the network traffic are carried out based on the similarity threshold.
Based on the above embodiments, referring to fig. 6, a schematic structural diagram of an intelligent network security system 800 according to an embodiment of the disclosure is shown. The intelligent network security system 800 includes: a data capture module 810 for capturing network traffic data using a network sniffer; a data conversion module 820, configured to convert the network traffic data into a detected network traffic grayscale image; an image extraction module 830, configured to extract, from a background database, a set of reference network traffic pattern grayscale images that are labeled as normal; the reference feature extraction module 840 is configured to perform feature extraction on each reference network traffic pattern gray level image in the set of reference network traffic pattern gray level images marked as normal by using a network traffic local time sequence pattern feature extractor based on a deep neural network model, so as to obtain a set of reference network traffic pattern characterization feature vectors; the intrinsic feature screening module 850 is configured to perform intrinsic feature screening on the set of reference network traffic image characterization feature vectors to obtain reference network traffic image characterization intrinsic feature vectors; the detection feature extraction module 860 is configured to perform feature extraction on the detected network traffic gray level image by using the network traffic local time sequence pattern feature extractor based on the deep neural network model to obtain a detected network traffic image characterization feature vector; and a hash similarity analysis module 870 for calculating a hash similarity between the reference network traffic image characterization feature vector and the detected network traffic image characterization feature vector, and determining whether to turn on a network defense.
In one example, in the intelligent network security system 800 described above, the data conversion module 820 includes: a storage unit, configured to store the network traffic data as a PCAP file; a packet information extraction unit configured to extract packet information from the PCAP file, where the packet information includes a source IP address, a destination IP address, a port number, and a packet length; a data frame conversion unit, configured to convert the data packet information into a plurality of data frames, where each data frame includes a hash value of a source IP address, a hash value of a destination IP address, a hash value of a port number, and a data packet length; and a normalization unit, configured to normalize the lengths of the data packets in the plurality of data frames to be between 0 and 255 to obtain the grayscale image of the detected network traffic.
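The conversion performed by the data conversion module, as an added example that is not code from the patent: it parses a classic PCAP byte string, extracts the packet information, and builds one four-pixel row per packet. The SHA-256 first-byte hash, the choice of destination port, the fixed 1514-byte ceiling for length scaling, the row layout and the constructed sample capture are all assumptions, since the patent does not specify them.

```python
import hashlib
import socket
import struct

MAX_LEN = 1514  # assumed ceiling: Ethernet frame carrying a 1500-byte MTU


def parse_frame(frame, orig_len):
    """Return packet info for an Ethernet/IPv4 TCP or UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None  # ARP, IPv6 and VLAN-tagged frames are skipped
    ihl = (frame[14] & 0x0F) * 4
    fragment_offset = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
    if frame[14] >> 4 != 4 or ihl < 20 or fragment_offset:
        return None  # malformed header, or a later fragment with no ports
    if frame[23] not in (6, 17) or len(frame) < 14 + ihl + 4:
        return None  # not TCP/UDP, or ports cut off by the snap length
    _, dst_port = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return {
        "src": socket.inet_ntoa(frame[26:30]),
        "dst": socket.inet_ntoa(frame[30:34]),
        "port": dst_port,  # assumption: "port number" means destination port
        "length": orig_len,
    }


def parse_pcap(data):
    """Extract packet information from a classic (non-pcapng) PCAP byte string."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic PCAP file")
    if len(data) < 24 or struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    packets, offset = [], 24
    while offset + 16 <= len(data):
        _, _, cap_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        frame = data[offset + 16:offset + 16 + cap_len]
        if len(frame) < cap_len:
            break  # truncated final record
        offset += 16 + cap_len
        info = parse_frame(frame, orig_len)
        if info is not None:
            packets.append(info)
    return packets


def hash_byte(value):
    """Map an address or port to one pixel value (first byte of SHA-256)."""
    return hashlib.sha256(str(value).encode()).digest()[0]


def to_data_frames(packets):
    """One data frame per packet: three hash values plus the raw packet length."""
    return [(hash_byte(p["src"]), hash_byte(p["dst"]), hash_byte(p["port"]), p["length"])
            for p in packets]


def to_grayscale_rows(frames, max_len=MAX_LEN):
    """Scale lengths to 0..255 against a fixed ceiling so every image shares one scale."""
    return [[s, d, p, min(length, max_len) * 255 // max_len] for s, d, p, length in frames]


def build_frame(src, dst, proto, dst_port, payload_len):
    """Constructed test frame: zeroed MACs, IPv4 header, ports, zero padding."""
    l4 = struct.pack("!HH", 50000, dst_port) + bytes(payload_len)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return bytes(12) + b"\x08\x00" + ip + l4


def build_pcap(frames):
    """Constructed little-endian PCAP: global header plus one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample capture: three IPv4 packets and one ARP-sized frame.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "10.0.0.9", 6, 443, 22),     # 60-byte frame
    build_frame("10.0.0.5", "10.0.0.7", 17, 53, 500),    # 538-byte frame
    bytes(12) + b"\x08\x06" + bytes(28),                 # ARP ethertype, skipped
    build_frame("10.0.0.8", "10.0.0.9", 6, 443, 1476),   # 1514-byte frame
])

if __name__ == "__main__":
    for row in to_grayscale_rows(to_data_frames(parse_pcap(SAMPLE_PCAP))):
        print(row)
```

Scaling against a fixed ceiling rather than the minimum and maximum of each capture keeps reference and detected images on the same pixel scale, so that identical packet lengths map to identical gray levels in both.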
Here, it will be appreciated by those skilled in the art that the specific functions and operations of the respective modules in the above-described intelligent network security system 800 have been described in detail in the above description of the intelligent network security method with reference to fig. 2 to 5, and thus, repetitive descriptions thereof will be omitted.
Fig. 7 is an application scenario diagram of an intelligent network security method according to an embodiment of the present disclosure. As shown in fig. 7, in this application scenario, first, network traffic data (e.g., D1 illustrated in fig. 7) is captured using a network sniffer and a set of reference network traffic pattern gray images labeled as normal (e.g., D2 illustrated in fig. 7) is extracted from a background database, then the network traffic data and the set of reference network traffic pattern gray images labeled as normal are input into a server (e.g., S illustrated in fig. 7) deployed with an intelligent network security protection algorithm, wherein the server is able to process the network traffic data and the set of reference network traffic pattern gray images labeled as normal using the intelligent network security protection algorithm to obtain a hash similarity, and then, based on a comparison between the hash similarity and a predetermined threshold, a determination is made as to whether to turn on a network defense.
Based on the foregoing embodiments, an electronic device of another exemplary implementation is also provided in the embodiments of the present disclosure. In some possible implementations, the electronic device in the embodiments of the present disclosure may include a memory, a processor, and a computer program stored on the memory and capable of running on the processor, where the steps of the intelligent network security method in the above embodiments may be implemented when the processor executes the program.
For example, where the electronic device is the server 100 in fig. 1 of the present disclosure, the processor in the electronic device is the processor 110 in the server 100, and the memory in the electronic device is the memory 120 in the server 100.
Embodiments of the present disclosure also provide a computer-readable storage medium. Fig. 8 shows a schematic diagram of a computer-readable storage medium 1000 according to an embodiment of the disclosure. As shown in fig. 8, the computer-readable storage medium 1000 has stored thereon computer-executable instructions 1001. The computer-executable instructions 1001, when executed by a processor, may perform the intelligent network security method according to embodiments of the present disclosure described with reference to the above figures. The computer-readable storage medium includes, but is not limited to, volatile memory and/or non-volatile memory. The volatile memory may include, for example, random access memory (RAM) and/or cache memory, and the like. The non-volatile memory may include, for example, read-only memory (ROM), hard disk, flash memory, and the like. Embodiments of the present disclosure also provide a computer program product or computer program comprising computer instructions stored in a computer-readable storage medium. A processor of a computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to perform an intelligent network security method according to an embodiment of the present disclosure.
Those skilled in the art will appreciate that various modifications and improvements can be made to the disclosure. For example, the various devices or components described above may be implemented in hardware, or may be implemented in software, firmware, or a combination of some or all of the three.
Further, while the present disclosure makes various references to certain elements in a system according to embodiments of the present disclosure, any number of different elements may be used and run on a client and/or server. The units are merely illustrative and different aspects of the systems and methods may use different units.
Those of ordinary skill in the art will appreciate that all or a portion of the steps of the methods described above may be implemented by a program that instructs associated hardware, and the program may be stored on a computer readable storage medium such as a read-only memory, a magnetic or optical disk, etc. Alternatively, all or part of the steps of the above embodiments may be implemented using one or more integrated circuits. Accordingly, each module/unit in the above embodiment may be implemented in the form of hardware, or may be implemented in the form of a software functional module. The present disclosure is not limited to any specific form of combination of hardware and software.
Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure belongs. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein. The foregoing is illustrative of the present disclosure and is not to be construed as limiting thereof. Although exemplary embodiments of the present disclosure have been described, those skilled in the art will readily appreciate that many modifications are possible in the exemplary embodiments without materially departing from the novel teachings and advantages of this disclosure. Accordingly, all such modifications are intended to be included within the scope of this disclosure as defined in the claims. It is to be understood that the foregoing is illustrative of the present disclosure and is not to be construed as limited to the specific embodiments disclosed, and that modifications to the disclosed embodiments, as well as other embodiments, are intended to be included within the scope of the appended claims. The disclosure is defined by the claims and their equivalents.

Claims (8)

1. An intelligent network security protection method, comprising:
capturing network traffic data using a network sniffer;
converting the network traffic data into a detected network traffic gray scale image;
extracting a set of reference network traffic pattern gray scale images marked as normal from a background database;
respectively carrying out feature extraction on each reference network traffic pattern gray level image in the set of the reference network traffic pattern gray level images marked as normal through a network traffic local time sequence pattern feature extractor based on a deep neural network model so as to obtain a set of reference network traffic image characterization feature vectors;
performing intrinsic feature screening on the set of the characteristic feature vectors of the reference network flow image to obtain the characteristic intrinsic feature vectors of the reference network flow image;
extracting features of the detected network flow gray level image through the network flow local time sequence pattern feature extractor based on the deep neural network model to obtain a characteristic feature vector of the detected network flow image; and
calculating hash similarity between the reference network traffic image characterization intrinsic feature vector and the detected network traffic image characterization feature vector, and determining whether to turn on network defense;
wherein performing intrinsic feature screening on the set of reference network traffic image characterization feature vectors to obtain the reference network traffic image characterization intrinsic feature vector comprises:
performing feature optimization on each reference network traffic image characterization feature vector in the set of reference network traffic image characterization feature vectors to obtain a set of optimized reference network traffic image characterization feature vectors;
passing the set of optimized reference network traffic image characterization feature vectors through a feature screening intrinsic feature network to obtain the reference network traffic image characterization intrinsic feature vector;
wherein passing the set of optimized reference network traffic image characterization feature vectors through the feature screening intrinsic feature network to obtain the reference network traffic image characterization intrinsic feature vector comprises:
Processing the optimized set of the characteristic feature vectors of the reference network flow image through the characteristic screening intrinsic feature network according to the following characteristic screening formula to obtain the characteristic intrinsic feature vector of the reference network flow image; wherein, the characteristic screening formula is: Wherein, Is the first in the set of the optimized reference network flow image characterization feature vectorsThe optimized reference network traffic image characterizes the feature vector,Is the first in the set of the optimized reference network flow image characterization feature vectorsThe optimized reference network traffic image characterizes the feature vector,Representing the 1-norm of the feature vector,Characterizing the length-1 of the set of feature vectors for the optimized reference network traffic image,Characterizing a representation of a set of feature vectors for the optimized reference network traffic image,The characteristic difference coefficient is represented by a characteristic,Representing the operation of a natural exponential function,Representing the total number of the characteristic difference coefficients,And characterizing an essential feature vector for the reference network traffic image.
2. The intelligent network security method of claim 1, wherein converting the network traffic data into a detected network traffic grayscale image comprises:
saving the network traffic data as a PCAP file;
extracting data packet information from the PCAP file, wherein the data packet information includes a source IP address, a destination IP address, a port number, and a data packet length;
converting the data packet information into a plurality of data frames, wherein each data frame comprises a hash value of a source IP address, a hash value of a destination IP address, a hash value of a port number and a data packet length; and
normalizing the data packet length in the plurality of data frames to be between 0 and 255 to obtain the detected network traffic grayscale image.
3. The intelligent network security method of claim 2, wherein the deep neural network model is a convolutional neural network model.
4. The intelligent network security method of claim 3 wherein feature optimizing each of the set of reference network traffic image characterization feature vectors to obtain the set of optimized reference network traffic image characterization feature vectors comprises:
carrying out probability logic association reasoning on each reference network flow image characterization feature vector in the set of reference network flow image characterization feature vectors to obtain a plurality of logic association coefficients; and
performing weighted optimization on each reference network traffic image characterization feature vector in the set of reference network traffic image characterization feature vectors, using the plurality of logic association coefficients as weighting coefficients, to obtain the set of optimized reference network traffic image characterization feature vectors.
5. The intelligent network security method of claim 4, wherein calculating the hash similarity between the reference network traffic image characterization feature vector and the detected network traffic image characterization feature vector and determining whether to turn on network defense comprises:
calculating hash similarity between the reference network flow image representation intrinsic feature vector and the detection network flow image representation feature vector; and
determining whether to turn on network defense based on a comparison between the hash similarity and a predetermined threshold.
6. The intelligent network security method of claim 5, wherein the opening of the network defense is determined in response to the hash similarity being less than the predetermined threshold.
7. An intelligent network security system, comprising:
a data capture module for capturing network traffic data using a network sniffer;
a data conversion module for converting the network traffic data into a detected network traffic grayscale image;
an image extraction module for extracting a set of reference network traffic pattern grayscale images marked as normal from a background database;
a reference feature extraction module for respectively carrying out feature extraction on each reference network traffic pattern grayscale image in the set of reference network traffic pattern grayscale images marked as normal through a network traffic local time sequence pattern feature extractor based on a deep neural network model so as to obtain a set of reference network traffic image characterization feature vectors;
an intrinsic feature screening module for performing intrinsic feature screening on the set of reference network traffic image characterization feature vectors so as to obtain the reference network traffic image characterization intrinsic feature vector;
a detection feature extraction module for carrying out feature extraction on the detected network traffic grayscale image through the network traffic local time sequence pattern feature extractor based on the deep neural network model so as to obtain a detected network traffic image characterization feature vector; and
a hash similarity analysis module for calculating the hash similarity between the reference network traffic image characterization intrinsic feature vector and the detected network traffic image characterization feature vector and determining whether to turn on network defense;
wherein the intrinsic feature screening module is configured for:
performing feature optimization on each reference network traffic image characterization feature vector in the set of reference network traffic image characterization feature vectors to obtain a set of optimized reference network traffic image characterization feature vectors;
passing the set of optimized reference network traffic image characterization feature vectors through a feature screening intrinsic feature network to obtain the reference network traffic image characterization intrinsic feature vector;
wherein passing the set of optimized reference network traffic image characterization feature vectors through the feature screening intrinsic feature network to obtain the reference network traffic image characterization intrinsic feature vector comprises:
Processing the optimized set of the characteristic feature vectors of the reference network flow image through the characteristic screening intrinsic feature network according to the following characteristic screening formula to obtain the characteristic intrinsic feature vector of the reference network flow image; wherein, the characteristic screening formula is: Wherein, Is the first in the set of the optimized reference network flow image characterization feature vectorsThe optimized reference network traffic image characterizes the feature vector,Is the first in the set of the optimized reference network flow image characterization feature vectorsThe optimized reference network traffic image characterizes the feature vector,Representing the 1-norm of the feature vector,Characterizing the length-1 of the set of feature vectors for the optimized reference network traffic image,Characterizing a representation of a set of feature vectors for the optimized reference network traffic image,The characteristic difference coefficient is represented by a characteristic,Representing the operation of a natural exponential function,Representing the total number of the characteristic difference coefficients,And characterizing an essential feature vector for the reference network traffic image.
8. The intelligent network security system of claim 7 wherein said data transformation module comprises:
a storage unit, configured to store the network traffic data as a PCAP file;
a packet information extraction unit configured to extract packet information from the PCAP file, where the packet information includes a source IP address, a destination IP address, a port number, and a packet length;
a data frame conversion unit, configured to convert the data packet information into a plurality of data frames, where each data frame includes a hash value of a source IP address, a hash value of a destination IP address, a hash value of a port number, and a data packet length; and
a normalization unit, configured to normalize the data packet lengths in the plurality of data frames to between 0 and 255 to obtain the gray level image of the detected network traffic.
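The conversion recited in claim 8, shown as an added example that is not code from the patent or the applicant: it parses a classic PCAP, builds one data frame per IPv4 TCP/UDP packet, and scales packet lengths to 0-255. The one-byte SHA-256 hash, the choice of the destination port, min-max scaling and all function names are assumptions, and the sample capture is constructed.

```python
import hashlib
import socket
import struct

def parse_pcap(data):
    """Yield (src_ip, dst_ip, dst_port, length) per IPv4 TCP/UDP packet of a classic PCAP."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if endian is None:
        raise ValueError("not a classic PCAP file")
    off = 24  # skip the global header
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated, or not IPv4 over Ethernet
        l4 = 14 + (frame[14] & 0x0F) * 4  # offset of the TCP/UDP header
        if frame[23] not in (6, 17) or len(frame) < l4 + 4:
            continue  # only TCP (6) and UDP (17) carry ports
        dport = struct.unpack("!H", frame[l4 + 2:l4 + 4])[0]
        yield socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]), dport, orig_len

def hash_byte(value):
    """Assumed hash: first byte of SHA-256, so every field maps to one gray level."""
    return hashlib.sha256(str(value).encode()).digest()[0]

def to_gray_image(packets):
    """One row per data frame: [h(src), h(dst), h(port), length scaled to 0..255]."""
    packets = list(packets)
    lengths = [p[3] for p in packets]
    lo = min(lengths, default=0)
    span = max(lengths, default=0) - lo
    return [[hash_byte(s), hash_byte(d), hash_byte(p),
             round(255 * (n - lo) / span) if span else 0]  # assumed min-max scaling
            for s, d, p, n in packets]

def sample_pcap():
    """Constructed capture: three UDP packets with 0, 100 and 400 payload bytes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, size in enumerate((0, 100, 400)):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + size, i, 0, 64, 17, 0,
                         socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7"))
        udp = struct.pack("!HHHH", 40000 + i, 53, 8 + size, 0)
        frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + udp + bytes(size)
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    print(to_gray_image(parse_pcap(sample_pcap())))
```

Because the length column is scaled relative to the shortest and longest packet in the capture, the same packet can receive a different gray level in a different capture window.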
CN202410573015.0A 2024-05-10 2024-05-10 Intelligent network security protection method and system Active CN118157992B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410573015.0A CN118157992B (en) 2024-05-10 2024-05-10 Intelligent network security protection method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410573015.0A CN118157992B (en) 2024-05-10 2024-05-10 Intelligent network security protection method and system

Publications (2)

Publication Number Publication Date
CN118157992A CN118157992A (en) 2024-06-07
CN118157992B CN118157992B (en) 2024-08-09

Family

ID=91296981

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410573015.0A Active CN118157992B (en) 2024-05-10 2024-05-10 Intelligent network security protection method and system

Country Status (1)

Country Link
CN (1) CN118157992B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107070943A (en) * 2017-05-05 2017-08-18 兰州理工大学 Industry internet intrusion detection method based on traffic characteristic figure and perception Hash

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11914674B2 (en) * 2011-09-24 2024-02-27 Z Advanced Computing, Inc. System and method for extremely efficient image and pattern recognition and artificial intelligence platform
US9730643B2 (en) * 2013-10-17 2017-08-15 Siemens Healthcare Gmbh Method and system for anatomical object detection using marginal space deep neural networks
CN109961507B (en) * 2019-03-22 2020-12-18 腾讯科技(深圳)有限公司 Face image generation method, device, equipment and storage medium
CN114666162B (en) * 2022-04-29 2023-05-05 北京火山引擎科技有限公司 Flow detection method, device, equipment and storage medium
CN115690178A (en) * 2022-10-21 2023-02-03 上海精劢医疗科技有限公司 Cross-module non-rigid registration method, system and medium based on deep learning

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
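Research on network anomalous traffic detection technology based on convolutional neural networks and Simhash; 张荣葳 (Zhang Rongwei); 《中国优秀硕博论文》 (China Excellent Master's and Doctoral Theses); 20200115; pp. 31-44 *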

Also Published As

Publication number Publication date
CN118157992A (en) 2024-06-07

Similar Documents

Publication Publication Date Title
CN112738015B (en) Multi-step attack detection method based on interpretable convolutional neural network CNN and graph detection
CN111107102A (en) Real-time network flow abnormity detection method based on big data
US20230089187A1 (en) Detecting abnormal packet traffic using fingerprints for plural protocol types
WO2016082284A1 (en) Modbus tcp communication behaviour anomaly detection method based on ocsvm dual-profile model
CN117113262B (en) Network traffic identification method and system
CN112003869A (en) Vulnerability identification method based on flow
EP3732844A1 (en) Intelligent defense and filtration platform for network traffic
CN107204991A (en) A kind of server exception detection method and system
Zhu et al. CMTSNN: A deep learning model for multiclassification of abnormal and encrypted traffic of Internet of Things
CN116915450A (en) Topology pruning optimization method based on multi-step network attack recognition and scene reconstruction
Mohamed et al. Denoising autoencoder with dropout based network anomaly detection
Ageyev et al. Traffic monitoring and abnormality detection methods analysis
CN115706671A (en) Network security defense method, device and storage medium
CN118157992B (en) Intelligent network security protection method and system
KR20110107880A (en) Ddos detection method using fast information entropy and adaptive moving average window detector
Zhang et al. Anomaly detection for application level network attacks using payload keywords
Oh et al. Attack Classification Based on Data Mining Technique and Its Application for Reliable Medical Sensor Communication.
CN113542222B (en) Zero-day multi-step threat identification method based on dual-domain VAE
CN115622720B (en) Network anomaly detection method, device and detection equipment
Garg et al. Identifying anomalies in network traffic using hybrid Intrusion Detection System
CN115499251B (en) Abnormal flow and attack detection method and system for edge IoT (Internet of things) equipment
CN118101349B (en) Network security visual monitoring method based on artificial intelligence
CN117938496B (en) AI-driven data transmission threat detection method and system
CN118353724B (en) Encryption malicious traffic detection method and system based on multi-feature selection stacking
Oh et al. Real-time intrusion detection system based on self-organized maps and feature correlations

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant