CN120675813B - Malicious host detection method, device, equipment and medium - Google Patents

Malicious host detection method, device, equipment and medium

Info

Publication number
CN120675813B
Authority
CN
China
Prior art keywords
target
trust
host
malicious
time window
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202511121747.7A
Other languages
Chinese (zh)
Other versions
CN120675813A (en)
Inventor
夏雨
刘颖
张维庭
尹建辉
胡金炬
梁彤
张宏科
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Peng Cheng Laboratory
Original Assignee
Peng Cheng Laboratory
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Peng Cheng Laboratory
Priority to CN202511121747.7A
Publication of CN120675813A
Application granted
Publication of CN120675813B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a malicious host detection method, device, equipment and medium. The method counts, for each target host identifier, the congestion participation times, the access address change times and the continuous participation times over a plurality of access address change events and congestion events in the current time window, and uses them to calculate the initial trust degree of each target host identifier in that window. It then obtains the historical trust degree of each target host identifier in the historical time window and combines it with the initial trust degree to obtain the target trust degree. A current state data set is obtained and input into a target decision model to produce a target trust degree threshold, and malicious hosts are identified by comparing the target trust degree of each target host identifier with that threshold. This improves the identification accuracy of malicious hosts and blocks their attacks on the network transmission link.

Description

Malicious host detection method, device, equipment and medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method, an apparatus, a device, and a medium for detecting a malicious host.
Background
In a power network system, the expansion of service types and service objects makes power nodes ever more widely distributed and far more numerous. The more network transmission links a power network service depends on, the greater the risk that those links are attacked. For example, an attacker may compromise several hosts that have already passed identity authentication on the network and coordinate them to occupy the bandwidth of a transmission link, so that a link that was previously operating normally becomes congested and users can no longer reach the power services the system provides. There is therefore a need to identify the malicious hosts that cause congestion on network transmission links.
The related art identifies malicious hosts by monitoring malicious traffic, which relies on mining the characteristic features of that traffic. In a transmission-link attack, however, benign and malicious traffic look alike, so the traffic feature differences between them are hard to mine and the two are hard to tell apart. This lowers the accuracy of malicious host identification; such an approach can only temporarily relieve the congestion of a network transmission link and cannot fully block the attack of the malicious hosts.
Disclosure of Invention
The embodiment of the application provides a malicious host detection method, a device, equipment and a medium, which can improve the identification accuracy of the malicious host and block the attack of the malicious host on a network transmission link.
In a first aspect, a malicious host detection method provided by an embodiment of the present application includes:
acquiring a plurality of access address change events and a plurality of congestion events in a current time window, wherein each access address change event comprises the target host identifier that changed its access address, and each congestion event comprises a target host identifier that participated in network link congestion;
counting, based on the access address change events and the congestion events, the congestion participation times, access address change times and continuous participation times of each target host identifier;
calculating the initial trust degree of each target host identifier in the current time window based on its congestion participation times, access address change times and continuous participation times in the current time window;
acquiring the historical trust degree corresponding to each target host identifier in a historical time window, and calculating the target trust degree of each target host identifier according to its initial trust degree and the corresponding historical trust degree;
acquiring a current state data set, and inputting the state data set into a target decision model to obtain a target trust degree threshold;
and identifying malicious host identifiers according to the target trust degree threshold and the target trust degree of each target host identifier.
In a second aspect, an embodiment of the present application provides a malicious host detection apparatus, including:
an acquisition unit, configured to acquire a plurality of access address change events and a plurality of congestion events in a current time window, wherein each access address change event comprises the target host identifier that changed its access address, and each congestion event comprises a target host identifier that participated in network link congestion;
a statistics unit, configured to count the congestion participation times, access address change times and continuous participation times of each target host identifier based on the access address change events and the congestion events;
a first calculating unit, configured to calculate the initial trust degree of each target host identifier in the current time window based on its congestion participation times, access address change times and continuous participation times in the current time window;
a second calculating unit, configured to acquire the historical trust degree corresponding to each target host identifier in the historical time window and to calculate the target trust degree of each target host identifier according to its initial trust degree and the corresponding historical trust degree;
an input unit, configured to acquire a current state data set and input the state data set into a target decision model to obtain a target trust threshold;
and an identification unit, configured to identify malicious host identifiers according to the target trust threshold and the target trust degree of each target host identifier.
In some embodiments, the first computing unit is further configured to:
Determining a direct participation score for each target host identifier based on the congestion participation times of each target host identifier in the current time window;
calculating a continuous participation score based on the continuous participation times of each target host identifier in the current time window;
Calculating an address change score based on the number of access address changes of each target host identifier in the current time window;
and carrying out weighted calculation on the direct participation score, the continuous participation score and the address change score to obtain the initial trust degree of each target host identifier in the current time window.
In some embodiments, the first computing unit is further configured to:
determining a first evidence weight factor associated with the direct participation score, a second evidence weight factor associated with the continuous participation score, and a third evidence weight factor associated with the address change score;
wherein the sum of the first, second and third evidence weight factors is 1;
and weighting the direct participation score, the continuous participation score and the address change score by the first, second and third evidence weight factors respectively, so as to obtain the initial trust degree of each target host identifier in the current time window.
In some embodiments, the historical time window is a plurality, and the second computing unit is further configured to:
determining a current trust weight factor corresponding to the current time window and a historical trust weight factor corresponding to each historical time window, wherein the historical trust weight factors decrease exponentially as the distance between the corresponding historical time window and the current time window increases;
According to the current trust weight factor and each historical trust weight factor, carrying out weighted summation on the initial trust degree of each target host identity and a plurality of corresponding historical trust degrees to obtain a target total trust score corresponding to each target host identity;
And determining a total trust weight coefficient by combining the current trust weight factor and each historical trust weight factor, and determining the target trust degree of each target host identifier according to the ratio between the target total trust score of each target host identifier and the total trust weight coefficient.
In some embodiments, the identification unit is further configured to:
comparing the target trust degree of each target host identifier with the target trust degree threshold to obtain a comparison result;
and determining, based on the comparison result, each target host identifier whose target trust degree is smaller than the target trust degree threshold as a malicious host identifier.
In some embodiments, the malicious host detection apparatus further comprises a penalty control unit configured to:
determine the consecutive penalty times of each malicious host identifier over a plurality of historical time windows, and determine the corresponding penalty parameter according to the difference between the number of historical time windows and the consecutive penalty times;
determine a target trust ratio between the target trust degree of each malicious host identifier and the target trust degree threshold, and determine the target trust deficiency ratio of each malicious host identifier from that target trust ratio;
raise the target trust deficiency ratio of each malicious host identifier to the power given by its penalty parameter, so as to obtain the traffic rate limiting proportion of each malicious host identifier;
and send the traffic rate limiting proportion of each malicious host identifier to each network device, so that each network device limits the traffic rate of that malicious host identifier according to its traffic rate limiting proportion.
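As an added worked example (not code from the patent or from Peng Cheng Laboratory), the following Python sketch runs the steps of the first calculating unit, the second calculating unit, the identification unit and the penalty control unit above over one constructed time window. The patent fixes neither the per-dimension score functions, the evidence weights, the decay base of the historical weights, the penalty parameter nor the exact meaning of "continuous participation times", so the score mapping 1/(1+n), the weights 0.5/0.3/0.2, the decay factor 0.5, the exponent "number of historical windows minus consecutive penalties" and the reading of continuous participation as the longest run of consecutive congestion events are all assumptions made here; the threshold 0.45 stands in for the output of the target decision model.

```python
from collections import defaultdict

# Constructed sample data for one time window (not real measurements).
# Each congestion event lists the host identifiers seen on the congested link;
# each address-change event names the host whose access address changed.
CONGESTION_EVENTS = [{"h1", "h3"}, {"h1", "h2"}, {"h1"}, {"h1", "h3"}, {"h1"}, {"h2"}]
ADDRESS_CHANGE_EVENTS = ["h1", "h1", "h1", "h3"]
# Historical trust per host, most recent window first (assumed values).
HISTORICAL_TRUST = {"h1": [0.3, 0.6], "h2": [0.9, 0.9], "h3": []}
# Consecutive historical windows in which each host was already penalised (assumed).
CONSECUTIVE_PENALTIES = {"h1": 2, "h3": 0}

EVIDENCE_WEIGHTS = (0.5, 0.3, 0.2)  # direct, continuous, address change; sum to 1 (assumed split)
DECAY = 0.5                          # historical weight w_k = DECAY ** k for the k-th window back (assumed)
HISTORY_WINDOWS = 2                  # number of historical windows kept (assumed)


def count_evidence(congestion_events, address_change_events):
    """Per host: (congestion participation times, access address change times,
    continuous participation times). The third is taken here as the longest run
    of consecutive congestion events in which the host appears (an assumption;
    the patent calls it behaviour-consistency evidence without fixing a formula)."""
    participation, changes = defaultdict(int), defaultdict(int)
    longest_run, current_run = defaultdict(int), defaultdict(int)
    for hosts in congestion_events:
        for h in hosts:
            participation[h] += 1
            current_run[h] += 1
            longest_run[h] = max(longest_run[h], current_run[h])
        for h in list(current_run):          # a host absent from this event breaks its run
            if h not in hosts:
                current_run[h] = 0
    for h in address_change_events:
        changes[h] += 1
    return {h: (participation[h], changes[h], longest_run[h])
            for h in set(participation) | set(changes)}


def initial_trust(counts, weights=EVIDENCE_WEIGHTS):
    """Weighted sum of the direct, continuous and address-change scores.
    Mapping each count n to the score 1/(1+n) is an assumption: the patent only
    requires the weights to sum to 1 and trust to fall as evidence accumulates."""
    w_direct, w_cont, w_addr = weights
    participation, changes, run = counts
    return w_direct / (1 + participation) + w_cont / (1 + run) + w_addr / (1 + changes)


def target_trust(initial, history, decay=DECAY):
    """Weighted average of the current initial trust (weight 1) and the historical
    trust values, whose weights shrink exponentially with distance from now;
    the total trust weight coefficient is the sum of all weights used."""
    score, total_weight = initial, 1.0
    for k, h in enumerate(history, start=1):
        w = decay ** k
        score += w * h
        total_weight += w
    return score / total_weight


def rate_limit_proportion(trust, threshold, consecutive_penalties, history_windows=HISTORY_WINDOWS):
    """Trust deficiency ratio (1 - trust/threshold) raised to the penalty parameter,
    taken here as history_windows - consecutive_penalties (assumed). A host penalised
    in every historical window gets exponent 0, i.e. a limiting proportion of 1."""
    deficiency = min(max(1.0 - trust / threshold, 0.0), 1.0)
    exponent = max(history_windows - consecutive_penalties, 0)
    return deficiency ** exponent


def detect(congestion_events, address_change_events, historical_trust, threshold, consecutive_penalties):
    """Run one window: evidence -> initial trust -> target trust -> threshold -> penalties.
    `threshold` stands in for the output of the target decision model."""
    evidence = count_evidence(congestion_events, address_change_events)
    trust = {h: target_trust(initial_trust(c), historical_trust.get(h, []))
             for h, c in evidence.items()}
    malicious = {h for h, t in trust.items() if t < threshold}
    limits = {h: rate_limit_proportion(trust[h], threshold, consecutive_penalties.get(h, 0))
              for h in malicious}
    return trust, malicious, limits


if __name__ == "__main__":
    trust, malicious, limits = detect(CONGESTION_EVENTS, ADDRESS_CHANGE_EVENTS,
                                      HISTORICAL_TRUST, 0.45, CONSECUTIVE_PENALTIES)
    for h in sorted(trust):
        print(f"{h}: trust={trust[h]:.3f} malicious={h in malicious} "
              f"rate_limit={limits.get(h, 0.0):.3f}")
```

With the constructed data, h1 (five congestion events, a five-event run, three address changes, and already penalised in both historical windows) falls well below the threshold and receives a limiting proportion of 1; h3 is flagged on current evidence alone but, as a first offender whose trust is only slightly under the threshold, receives a small limiting proportion; h2's strong history keeps it above the threshold despite two congestion events in the current window.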
In some embodiments, the malicious host detection device further includes a training unit configured to:
obtaining the sample target trust degree of each sample host identifier, the sample average trust degree among a plurality of sample host identifiers, a sample historical trust threshold, the number of sample malicious hosts, the rate of change of the number of sample congestion events and the sample average traffic rate limiting proportion corresponding to the plurality of sample host identifiers, wherein the plurality of sample host identifiers comprise sample benign host identifiers and sample malicious host identifiers;
Constructing a sample state data set according to the sample average trust, the sample historical trust threshold, the number of sample malicious hosts, the sample congestion event number change rate and the sample average flow rate limiting proportion, and determining a first number of samples of sample benign host identities and a second number of samples of sample malicious host identities in the plurality of sample host identities;
inputting the sample state data set into a preset decision model to obtain a prediction trust threshold, and identifying a prediction malicious host identity according to the prediction trust threshold and the sample target trust degree of each sample host identity;
Combining the predicted malicious host identity, the sample benign host identity and the sample malicious host identity, determining a balance score of detection accuracy and recall rate for the sample malicious host identity and a misjudgment rate for misjudging the sample benign host identity as the predicted malicious host identity;
Determining a predicted average flow rate limiting ratio based on each predicted malicious host identity and a sample target trust level of each sample host identity;
determining a target difference value of the balance score over the misjudgment rate and over the predicted average traffic rate limiting proportion, and constructing a reward function with that target difference value as its variable, the reward function taking the maximization of the target difference value as its optimization target;
and adjusting model parameters of the preset decision model according to the optimization target by combining the output value of the reward function to obtain the target decision model.
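As an added example (not the patent's own code), the following Python sketch computes the reward function of the training unit above for a constructed set of labelled sample hosts and uses it to pick a trust threshold. The patent does not define the balance score or the averaging rule for the predicted traffic rate limiting proportion, and it trains a decision model rather than searching thresholds; here the balance score is instantiated as the F1 score of precision and recall, the limiting proportion uses a fixed penalty exponent of 2 averaged over all sample hosts, and a grid search over candidate thresholds stands in for the model. All of these are assumptions.

```python
# Constructed training sample: host id -> (sample target trust, is_malicious label).
SAMPLE_HOSTS = {
    "s1": (0.20, True),  "s2": (0.35, True),  "s3": (0.55, True),
    "s4": (0.40, False), "s5": (0.70, False), "s6": (0.85, False), "s7": (0.90, False),
}
PENALTY_EXPONENT = 2  # penalty parameter assumed fixed for the rate-limit term


def predict_malicious(hosts, threshold):
    """Identification rule of the patent: trust below the threshold is malicious."""
    return {h for h, (trust, _) in hosts.items() if trust < threshold}


def balance_score(predicted, hosts):
    """Balance of detection precision and recall on the malicious label, taken
    here as the F1 score (the patent's 'balance score' without a fixed formula)."""
    actual = {h for h, (_, mal) in hosts.items() if mal}
    tp = len(predicted & actual)
    if tp == 0:
        return 0.0
    precision, recall = tp / len(predicted), tp / len(actual)
    return 2 * precision * recall / (precision + recall)


def misjudgment_rate(predicted, hosts):
    """Share of benign sample hosts wrongly flagged as malicious."""
    benign = {h for h, (_, mal) in hosts.items() if not mal}
    return len(predicted & benign) / len(benign) if benign else 0.0


def predicted_average_limit(predicted, hosts, threshold, exponent=PENALTY_EXPONENT):
    """Average rate-limiting proportion (trust deficiency ratio ** exponent) the
    threshold would impose, averaged over all sample hosts so that unflagged
    hosts contribute 0 (assumption)."""
    total = sum((1.0 - hosts[h][0] / threshold) ** exponent for h in predicted)
    return total / len(hosts)


def reward(hosts, threshold):
    """Reward = balance score - misjudgment rate - predicted average limit,
    i.e. the target difference the patent maximises."""
    predicted = predict_malicious(hosts, threshold)
    return (balance_score(predicted, hosts)
            - misjudgment_rate(predicted, hosts)
            - predicted_average_limit(predicted, hosts, threshold))


def best_threshold(hosts, candidates):
    """Stand-in for the trained decision model: pick the candidate threshold with
    the highest reward (the patent adjusts model parameters instead)."""
    return max(candidates, key=lambda t: reward(hosts, t))


if __name__ == "__main__":
    grid = [i / 20 for i in range(1, 20)]
    for t in grid:
        print(f"threshold={t:.2f} reward={reward(SAMPLE_HOSTS, t):+.4f}")
    print("best threshold:", best_threshold(SAMPLE_HOSTS, grid))
```

On the constructed sample the reward peaks at 0.40, where the two low-trust malicious hosts are flagged and the benign host at 0.40 is not; one grid step higher that benign host is flagged and the misjudgment-rate and rate-limit terms pull the reward down sharply, which is the trade-off the reward function is built to encode.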
In addition, the embodiment of the application also provides computer equipment, which comprises a memory, a processor and a computer program stored in the memory and capable of running on the processor, wherein the processor realizes the malicious host detection method when executing the computer program.
In addition, the embodiment of the application also provides a computer readable storage medium, which stores a plurality of instructions, wherein the instructions are suitable for being loaded by a processor to execute the malicious host detection method.
The embodiment of the application comprises the steps of obtaining a plurality of access address changing events and a plurality of congestion events in a current time window, wherein each access address changing event comprises a target host identifier for changing an access address, each congestion event comprises a target host identifier for participating in network link congestion, counting congestion participation times, access address changing times and continuous participation times of each target host identifier based on the plurality of access address changing events and the plurality of congestion events, calculating initial trust degree of each target host identifier in the current time window based on the congestion participation times, access address changing times and continuous participation times of each target host identifier in the current time window, obtaining historical trust degree corresponding to each target host identifier in a historical time window, calculating target trust degree of each target host identifier according to the initial trust degree and the corresponding historical trust degree of each target host identifier, obtaining a current state data set, inputting the state data set into a target decision model to obtain a target trust degree threshold, and identifying malicious host identifiers according to the target trust degree threshold and the target trust degree of each target host identifier.
According to the method, a plurality of access address change events and a plurality of congestion events in the current time window are obtained first; each access address change event comprises the target host identifier that changed its access address, and each congestion event comprises a target host identifier that participated in network link congestion. The congestion participation times, access address change times and continuous participation times of each target host identifier are then counted from these events, so that multidimensional evidence data can be constructed as the basic data for the trust degree calculation of each target host identifier, and the initial trust degree of each target host identifier in the current time window is calculated from that evidence. The initial trust degree is combined with the historical trust degree of the same target host identifier in the historical time window to obtain its target trust degree for the current time window; bringing in the historical trust degree prevents a malicious host from being judged benign merely because it participated in network link congestion only a few times in the current window. Finally, a current state data set is obtained and input into the target decision model to determine the target trust degree threshold for the current window, and malicious host identifiers are identified by combining the target trust degree of each target host identifier with that threshold.
Compared with the related-art scheme that identifies malicious hosts through malicious traffic features and has low accuracy, the method rests directly on a host trust degree mechanism: the initial trust degree is calculated from several dimensions of the network link congestion data (the congestion participation times, access address change times and continuous congestion participation times of each target host identifier), so malicious hosts need not be detected by mining malicious traffic features. The final target trust degree of each target host identifier further incorporates the trust degree of the historical time windows, so the trust degree of each host is calculated more accurately, malicious hosts can be penalized over a long period, and their attacks on the network transmission link can subsequently be blocked. The identification accuracy of malicious hosts is thereby improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic diagram of a malicious host detection system according to an embodiment of the present application;
FIG. 2 is a diagram of a malicious host detection system according to an embodiment of the present application;
FIG. 3 is a flowchart illustrating steps of a method for detecting a malicious host according to an embodiment of the present application;
FIG. 4 is a diagram illustrating a scenario for updating host trust based on a sliding window according to an embodiment of the present application;
Fig. 5 is a schematic structural diagram of a malicious host detection device according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of a network device according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of a server according to an embodiment of the present application.
Detailed Description
In order that those skilled in the art will better understand the solution of the present application, a technical solution of an embodiment of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiment of the present application, and it is apparent that the described embodiment is only a part of the embodiment of the present application, not all the embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to fall within the scope of the application.
It will be appreciated that in the specific embodiments of the present application, network link congestion data, target host identification, access address, number of congestion participants, number of access address changes, number of consecutive participants, historical trust level, initial trust level, target trust level, and malicious host identification are involved, and when the above embodiments of the present application are applied to specific products or technologies, subject permissions or consents need to be obtained, and the collection, use, and processing of relevant data need to comply with relevant legal regulations and standards.
In addition, when the embodiment of the application needs to acquire related data such as the network link congestion data, the target host identifier, the access address, the congestion participation times, the access address change times, the continuous participation times, the historical trust degree, the initial trust degree, the target trust degree and the malicious host identifier, the separate permission or consent of the data subject is obtained through a popup window, a jump to a confirmation page or a similar means, and only after that permission or consent has been explicitly obtained are the data necessary for the embodiment to operate normally acquired.
It should be noted that some of the processes described in the specification, claims and drawings above include a plurality of steps that appear in a particular order, but the steps may be performed out of that order or in parallel: the step numbers merely distinguish the steps and do not themselves represent any order of execution. Furthermore, the terms "first", "second", "target" and the like herein are used to distinguish between similar objects and do not necessarily describe a particular sequential or chronological order.
The embodiment of the application provides a malicious host detection method, a malicious host detection device, malicious host detection equipment and a malicious host detection medium. Specifically, the method for detecting the malicious host in the embodiment of the application can be used in a computer device, and the computer device can be a server or a network device. The server may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDNs, basic cloud computing services such as big data and artificial intelligence platforms. The network device may be, but is not limited to, a network switch, router, firewall, bridge, hub, gateway, VPN server, wireless Access Point (WAP), modem, etc.
According to the malicious host detection method provided by the embodiment of the application, the congestion participation times, access address change times and continuous participation times of each target host identifier are counted from a plurality of access address change events and a plurality of congestion events in the current time window, so that multidimensional evidence data can be constructed as the basic data for trust degree calculation, and the initial trust degree of each target host identifier in the current time window is calculated from it. The current target trust degree is then calculated by combining the historical trust degree of the historical time window with the initial trust degree of the current time window, which avoids a malicious host being misjudged as benign because it congested the network link only a few times in the current window. A current state data set is then obtained and input into the target decision model to determine the target trust degree threshold for the current window, and finally malicious host identifiers are identified by combining the target trust degree and the target trust degree threshold of each target host identifier. Because the scheme is based on a host trust degree mechanism, with the initial trust degree calculated from the congestion participation times, access address change times and continuous congestion participation times of each target host identifier in the network link congestion data, malicious hosts need not be detected by mining malicious traffic features; the final target trust degree of each target host identifier also incorporates the trust degree of the historical time windows, so the trust degree of each host is calculated more accurately, malicious hosts can be penalized over a long period, and their attacks on the network transmission link can subsequently be blocked. Please refer to the following examples.
It should be noted that, the malicious host detection method may be performed by the network device and the server together.
For example, taking a method for detecting a malicious host jointly executed by a network device and a server as an example, referring to fig. 1, a schematic view of a scenario of a malicious host detection system provided by an embodiment of the present application is shown, where the system includes a plurality of network devices 110 and a server 120.
The network devices 110 may play two roles: edge network devices and intermediate network devices. Which role a device plays depends on the actual scenario: a device acts as an edge device when a local target host accesses the network through it, and as an intermediate device when it is one of the hops on a network transmission link. Alternatively, a device may be fixed to one role by its transmission function, for example some devices always serve as access-layer network devices and others always serve as intermediate network devices on a transmission link; this is not limited here.
It should be noted that the network device 110 may be provided with a target application through which the corresponding application service runs. When acting as an edge network device of the access layer, the network device 110 may detect whether the access address of a target host in a target period has changed relative to its last historical access address; if a change is detected, it generates an access address change event and sends it to the server 120. When acting as an intermediate network device on a network transmission link, it may monitor the length of its data transmission queue and the transmission delay; if the queue length is too large and the transmission delay too long, it determines that the current network transmission link is congested, determines the target hosts participating in the network link congestion, and sends the congestion event to the server 120. The server 120 may be a single service node, a distributed system formed by a plurality of service nodes, or one service node in such a distributed system.
The server 120 performs the steps of the malicious host detection method. Specifically, it acquires a plurality of access address change events and a plurality of congestion events in the current time window, where each access address change event comprises the target host identifier that changed its access address and each congestion event comprises a target host identifier that participated in network link congestion; counts the congestion participation times, access address change times and continuous participation times of each target host identifier from those events; calculates the initial trust degree of each target host identifier in the current time window from those counts; acquires the historical trust degree corresponding to each target host identifier in the historical time window and calculates the target trust degree of each target host identifier from its initial trust degree and corresponding historical trust degree; acquires a current state data set and inputs it into the target decision model to obtain the target trust degree threshold; and identifies malicious host identifiers according to the target trust degree threshold and the target trust degree of each target host identifier. Thereafter, the server 120 may return the malicious host identifiers to the network devices 110 for penalization, so that the network devices 110 limit the traffic rate of the malicious hosts and reduce their traffic; this is not limited here.
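As an added illustration of the two device roles just described (not code from the patent), the following Python sketch models an access-layer device that emits access address change events and an intermediate device that emits congestion events, run over constructed observations. The patent only says that congestion is declared when the transmission queue is too long and the delay too long; the concrete limits (queue length above 4 packets and delay above 50 ms), the packet-level view of the queue used to name the participating hosts, and the event field names are assumptions made here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AddressChangeEvent:
    host_id: str
    old_address: str
    new_address: str


@dataclass(frozen=True)
class CongestionEvent:
    link_id: str
    queue_length: int
    delay_ms: float
    host_ids: frozenset


class EdgeDevice:
    """Access-layer role: remember each host's last access address and emit an
    address-change event when the host shows up from a different address."""

    def __init__(self):
        self.last_address = {}

    def observe_access(self, host_id, address):
        previous = self.last_address.get(host_id)
        self.last_address[host_id] = address
        if previous is not None and previous != address:
            return AddressChangeEvent(host_id, previous, address)
        return None  # first sighting or unchanged address: no event


class IntermediateDevice:
    """Transit role: declare congestion when both the transmission queue length and
    the transmission delay exceed their limits (limit values are assumptions) and
    report the hosts whose packets occupy the queue as congestion participants."""

    def __init__(self, link_id, max_queue_length, max_delay_ms):
        self.link_id = link_id
        self.max_queue_length = max_queue_length
        self.max_delay_ms = max_delay_ms

    def observe_queue(self, queued_packets, delay_ms):
        # queued_packets: list of (host_id, size_bytes) currently waiting in the queue
        if len(queued_packets) > self.max_queue_length and delay_ms > self.max_delay_ms:
            return CongestionEvent(self.link_id, len(queued_packets), delay_ms,
                                   frozenset(host for host, _ in queued_packets))
        return None


# Constructed observations (not captured data).
ACCESS_LOG = [("h1", "10.0.0.5"), ("h2", "10.0.1.2"), ("h1", "10.0.0.9"),
              ("h1", "10.0.0.9"), ("h2", "10.0.1.7")]
QUEUE_SAMPLES = [
    ([("h1", 512), ("h3", 1500)], 12.0),                                  # short queue, low delay
    ([("h1", 1500)] * 3 + [("h2", 1500)] * 2 + [("h1", 1500)], 80.0),      # long queue and high delay
    ([("h1", 1500)] * 5, 30.0),                                           # long queue, delay within limit
]


def run_sample():
    """Feed the constructed observations through both roles and return the events
    the devices would send to the server."""
    edge = EdgeDevice()
    transit = IntermediateDevice("core-link-7", max_queue_length=4, max_delay_ms=50.0)
    address_events = [ev for ev in (edge.observe_access(h, a) for h, a in ACCESS_LOG) if ev]
    congestion_events = [ev for ev in (transit.observe_queue(p, d) for p, d in QUEUE_SAMPLES) if ev]
    return address_events, congestion_events


if __name__ == "__main__":
    for events in run_sample():
        for ev in events:
            print(ev)
```

Only the second queue sample produces a congestion event, because the third sample has a long queue but a delay within the limit; both conditions are required, which keeps a momentarily deep but draining queue from being reported as an attack.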
Fig. 2 is a diagram of a malicious host detection system architecture according to an embodiment of the present application. To facilitate understanding of the above embodiments, the architecture is described with reference to Fig. 2 as follows:
In this architecture, the malicious host detection system comprises hosts, an access layer, a core network, a computing power center and a server.
A host is a host that has passed network authentication. An attacker mainly compromises such hosts and controls them to send low-rate traffic onto a network transmission link, maliciously occupying bandwidth and congesting the link.
The access layer is the outermost layer of the network and directly faces the hosts; it can be understood as the edge network devices, that is, the first-layer network devices directly facing the hosts. The access layer may include a plurality of such first-layer network devices.
The core network refers to a network transmission link system formed by network equipment (such as a switch).
The computing power center is a computing power service center that can provide computing support for the business services of any host or terminal device.
The server refers to a server for detecting a malicious host, that is, the server 120 described above.
Specifically, an attacker compromises hosts and controls them to send low-rate traffic, so that a network key link in the network transmission link system of the core network experiences a congestion event. Each time a congestion event is detected, the network device uploads the network link congestion data of the hosts participating in the event, such as the target host identifier, the access address and the changed access destination address, to the server 120 to update the observation variables. From the received network link congestion data (the observation variables) the server 120 constructs multidimensional trust evidence, comprising direct participation evidence (congestion participation times), behavior consistency evidence (continuous participation times) and direct change evidence (access address change times). It then calculates the initial trust degree of each target host in the current time window from this evidence and combines it, by weighting, with the historical trust degrees of that host over the historical time windows in the sliding window, obtaining the host trust, i.e. the target trust degree of each target host.
Further, a dynamic target trust degree threshold is generated by a deep reinforcement learning algorithm. Specifically, a state data set is constructed comprising the average trust degree, the historical trust degree threshold of the last historical time window, the rate of change of the number of congestion events, the number of malicious hosts in the last historical time window and the overall average punishment of the last historical time window. This state data set is the input to the deep reinforcement learning agent, whose action output is the target trust degree threshold.
Finally, the target trust level of each target host is compared with the target trust level threshold to identify the malicious host, as shown in fig. 2, if the target trust levels of the host H1 and the host H4 are lower than the target trust level threshold, the host H1 and the host H4 are determined to be malicious hosts, and finally, the malicious host H1 and the malicious host H4 are punished, so that the traffic rates of the malicious host H1 and the malicious host H4 are limited in an access layer.
Therefore, a plurality of access address change events and a plurality of congestion events in the current time window are obtained first, each access address change event carrying the identifier of a target host that changed its access address and each congestion event carrying the identifiers of the target hosts participating in network link congestion. From these events the congestion participation times, access address change times and continuous participation times of each target host identifier are counted, which yields the multidimensional evidence data used as the basis for trust degree calculation. The initial trust degree of each target host identifier in the current time window is then calculated from this evidence and combined with the historical trust degree of the same identifier in the historical time window to obtain the target trust degree in the current time window. Because the target trust degree combines the historical trust degree with the initial trust degree of the current window, a host is not judged solely on its behaviour in the current window, and a host that has repeatedly been judged malicious keeps a low trust degree. Finally, the current state data set is input into the target model to obtain the target trust degree threshold, and malicious host identifiers are identified by comparing the target trust degree of each target host identifier with that threshold.
Compared with schemes in the related art that identify malicious hosts from malicious traffic characteristics, whose accuracy is low, the method is based directly on a host trust degree mechanism. The initial trust degree is calculated from the multiple dimensions of congestion participation times, access address change times and continuous participation times of each target host identifier in the network link congestion data, so no mining of malicious traffic characteristics is required. The final target trust degree of each target host identifier is calculated by also taking the trust degree of the historical time windows into account, so the trust degree of each host is calculated more accurately, malicious hosts can be punished over a long period, and their subsequent attacks on the network transmission link can be blocked, improving the identification accuracy of malicious hosts.
For ease of understanding, each step of the malicious host detection method is described in detail below. The order in which the steps are described does not limit the order in which they may be performed.
Referring to fig. 3, fig. 3 is a flowchart illustrating steps of a malicious host detection method according to an embodiment of the present application, where in the embodiment of the present application, the malicious host detection method may be executed by a computer device, for example, a server executes the malicious host detection method, and the specific flowchart is as follows:
101. A plurality of access address change events and a plurality of congestion events within the current time window are acquired.
In the power network system, the expansion of service types and service objects makes power nodes ever more widely distributed and numerous, so the number of network transmission links involved in power network services grows, and with it the risk that those links are attacked. For example, an attacker may intrude into several hosts that have already passed identity verification and coordinate them to maliciously occupy the bandwidth of a transmission link, so that a previously normal link becomes congested and users can no longer access the power services the system provides. There is therefore a need to identify the malicious hosts that cause network transmission link congestion.
The related art generally identifies malicious hosts by monitoring malicious traffic, which relies on mining the characteristics of that traffic. In a transmission link attack, however, benign and malicious traffic look alike, so the traffic characteristics that would separate them are hard to extract, the two are hard to distinguish, and identification accuracy suffers. Such an approach can at best relieve the congestion of the link temporarily; it cannot block the malicious hosts' attack.
It should be noted that an attacker attacking a network transmission link generally uses a link flooding attack, a typical dynamic and covert attack. The network key link (a particular network transmission link) is chosen on a rolling basis, a different key link each time, so the attack keeps switching between key links, and for each key link a different set of controlled malicious hosts can be made to send low-rate traffic that congests it. For example, the attacker controls some low-security terminals in the network (hosts, which thereby become malicious hosts) and has them send low-rate traffic to perimeter servers deployed around the computing power center. Because the routes from these hosts to the perimeter servers pass through a network key link, the traffic the attacker sends through the malicious hosts aggregates on that key link and congests it.
To address these problems, the embodiment of the present application uses, for the current time window, the target host identifiers participating in network link congestion carried by each congestion event and the target host identifiers that changed their access address carried by each access address change event, counts the congestion participation times, access address change times and continuous participation times of each target host identifier, calculates from these the initial trust degree of each target host identifier in the current time window, combines it with the historical trust degree to obtain the target trust degree, and finally identifies malicious host identifiers by comparing the target trust degree of each target host identifier with the target trust degree threshold. Because the initial trust degree is computed from the congestion participation times, access address change times and continuous participation times of each target host identifier in the current time window, malicious hosts need not be detected by mining malicious traffic features; because the final target trust degree also incorporates the trust degree of historical time windows, the trust degree of each host is calculated more accurately, malicious hosts can be punished over a long period, and their subsequent attacks on the network transmission link can be blocked.
Specifically, in order to identify the low-security hosts controlled by an attacker among the many hosts that have passed identity verification, the embodiment acquires a plurality of access address change events and a plurality of congestion events in the current time window so as to identify malicious hosts through a host trust degree mechanism. For example, the target host identifiers participating in network link congestion carried by each congestion event in the current time window and the target host identifiers that changed their access address carried by each access address change event can be combined to construct multidimensional host trust evidence for each target host, from which the trust degree of each target host is calculated and malicious hosts are identified.
The time window may be defined by a number of attack events: the size of a time window is the number of attack events it accommodates. For example, if a time window is 10 attack events long, then once 10 attack events have accumulated after the previous historical time window closed, one time window is complete, and the host participation information on access address change times in that window is counted from the 10 access address change events corresponding to those 10 attack events. An attack event here is an event in which a network device detects that one or more target hosts have changed their access address at a given moment. Each attack event may be uploaded to the server by the first-layer network device directly connected to the corresponding target host, while a congestion event may be uploaded by one of the intermediate network devices forming the network transmission link, and an attack event does not necessarily cause a congestion event. To associate congestion events with a time window, once the number of attack events in the current time window reaches the event length defined for it, the first time information of the first attack event and the second time information of the last attack event in the window are determined, a target time range for the current time window is derived from these two, and a mapping is established between the congestion events received within that target time range and the current time window. Multidimensional host trust evidence is then constructed from the attack events in the current time window together with the congestion events mapped to it.
Alternatively, the time window may be defined as a time range, for example a window of 1 minute covering the range from xx:00 to xx:01; the attack events and congestion events uploaded by each network device within that range are collected, and multidimensional host trust evidence is constructed from the one or more attack events and one or more congestion events in the current time window.
It should be noted that, each access address change event is uploaded by one of the network devices in the network link system, and each congestion event is uploaded by one of the network devices in the network link system. The network device may be a switch, a router, a firewall, a bridge, a hub, a gateway, a VPN server, a Wireless Access Point (WAP), or a modem, which is not limited herein.
In some embodiments, step 101 may include obtaining a plurality of event information uploaded by a plurality of network devices, the plurality of event information including a plurality of access address change events and a plurality of congestion events, and determining a plurality of target event information within a current time window based on the plurality of event information.
Each access address change event and each congestion event can be understood as host participation information, each access address change event comprises a target host identifier for changing an access address, each congestion event comprises a target host identifier for participating in network link congestion, and access time information of each target host identifier can be recorded. The access time information may be specific to time information of "xx year xx month xx day xx hour xx minute xx seconds".
The target host identifier may be a unique identifier of the target host, an internet protocol address (IP), a physical address of the target host (such as world coordinates, longitude and latitude, street number, etc.), etc., which are not limited herein, and are used to identify the identity of the target host to distinguish different hosts.
It should be noted that a congestion event represents congestion occurring on a network transmission link. The network device can monitor in real time the length of its data transmission queue, i.e. the amount of traffic data waiting to be transmitted, and the transmission delay of each item of traffic data in that queue. When the queue length exceeds a preset length threshold or the transmission delay exceeds a preset delay threshold, the device determines that its network transmission link is congested and records the identifier, access time and other information of each target host whose traffic is on the link at that moment, generating a congestion event. Congestion events are thus triggered by the queue length and transmission delay observed at the network device.
It should be noted that the network device may detect whether the access address of each target host in a target period (for example, 10 seconds) has changed relative to its last historical access address; if a change is detected, it obtains the identifier of the target host whose access address changed in the target period and generates an access address change event. Each access address change event is therefore generated from the target host identifiers whose access address changed in the target period.
Alternatively, the network device may send the access address of each target host identifier in the target period directly to the server, and the server detects whether the access address of each target host in the target period has changed relative to its last historical access address; if so, it obtains the identifier of the target host whose access address changed and generates the access address change event. Specifically, the server orders the plurality of access addresses of each target host identifier by the time they were received, compares every pair of adjacent access addresses in that order to obtain a comparison result, and determines the access address change times of each target host identifier from the comparison results. The access address may be the address of the business service the target host is accessing when the network transmission link becomes congested, for example the internet protocol (IP) address of the business service.
By the method, a plurality of access address change events and a plurality of congestion events in the current time window can be acquired, so that multi-dimensional host trust evidence data are built by combining the plurality of access address change events and the plurality of congestion events in the specific time window, the trust degree of each target host is calculated, and malicious hosts are identified based on a host trust degree mechanism.
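The following Python is an added illustration, not code from the patent, of the event-count time window described above: access address change events are grouped into windows of a fixed number of events, each window's target time range is taken from its first and last event, and the congestion events received within that range are mapped to the window. The record fields, the window length of 10 and the sample events are assumptions constructed for the example. It also makes explicit two cases the text leaves implicit and that an implementer has to decide on: a trailing group of change events that has not yet filled a window, and congestion events whose timestamp falls between two windows' time ranges and therefore map to neither.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Record shapes are assumptions for this example; the page only says each event
# carries target host identifier(s) and time information.
@dataclass(frozen=True)
class AddressChangeEvent:
    host_id: str
    ts: int  # time the edge device reported the change, in seconds

@dataclass(frozen=True)
class CongestionEvent:
    ts: int  # time the intermediate device reported congestion, in seconds
    host_ids: FrozenSet[str]  # hosts whose traffic was on the congested link

def build_event_windows(changes: List[AddressChangeEvent],
                        congestion: List[CongestionEvent],
                        window_len: int
                        ) -> Tuple[List[Dict], List[AddressChangeEvent], List[CongestionEvent]]:
    """Group address change events into windows of `window_len` events.

    Returns (windows, pending, unmapped):
      windows  - closed windows, each with its change events, its target time
                 range [first.ts, last.ts] and the congestion events in it
      pending  - trailing change events that have not yet filled a window
      unmapped - congestion events in no window's range (e.g. between two
                 windows); returned rather than silently dropped
    """
    ordered = sorted(changes, key=lambda e: e.ts)
    n_closed = (len(ordered) // window_len) * window_len
    windows = []
    for start in range(0, n_closed, window_len):
        chunk = ordered[start:start + window_len]
        lo, hi = chunk[0].ts, chunk[-1].ts
        windows.append({
            "changes": chunk,
            "range": (lo, hi),
            "congestion": [c for c in congestion if lo <= c.ts <= hi],
        })
    pending = ordered[n_closed:]
    mapped = {c for w in windows for c in w["congestion"]}
    unmapped = [c for c in congestion if c not in mapped]
    return windows, pending, unmapped

def sample_run():
    """Constructed sample: 23 change events 10 s apart, window length 10."""
    hosts = ["H1", "H2", "H3", "H4"]
    changes = [AddressChangeEvent(hosts[i % 4], 10 * i) for i in range(23)]
    congestion = [
        CongestionEvent(45, frozenset({"H1", "H2"})),   # inside window 1 (0..90)
        CongestionEvent(95, frozenset({"H3"})),         # gap between windows 1 and 2
        CongestionEvent(150, frozenset({"H1", "H4"})),  # inside window 2 (100..190)
        CongestionEvent(205, frozenset({"H2"})),        # after the last closed window
    ]
    return build_event_windows(changes, congestion, window_len=10)

if __name__ == "__main__":
    windows, pending, unmapped = sample_run()
    for i, w in enumerate(windows, 1):
        print(f"window {i}: range {w['range']}, "
              f"{len(w['congestion'])} congestion event(s) mapped")
    print(f"{len(pending)} change event(s) pending, {len(unmapped)} congestion event(s) unmapped")
```

With the sample data, two windows close (ranges 0..90 and 100..190), three change events remain pending, and the congestion events at 95 s and 205 s map to no window. Whether such events are attached to the nearest window, held until the next window closes, or discarded is a design decision the text does not settle; the code surfaces them so the choice is made deliberately.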
102. Based on the multiple access address change events and the multiple congestion events, the congestion participation times, the access address change times and the continuous participation times of each target host identification are counted.
In the embodiment of the present application, after the plurality of access address change events and congestion events in the current time window have been obtained, multidimensional host trust evidence is constructed per time window from the target host identifiers participating in network link congestion carried by each congestion event and the target host identifiers that changed their access address carried by each access address change event. For example, the congestion participation times, access address change times and continuous participation times of each target host identifier are counted, giving multidimensional evidence of each host's involvement in network transmission link congestion; the initial trust degree of each target host identifier is then calculated from this evidence, so that malicious hosts can be identified without mining the traffic characteristics of each host, improving identification accuracy.
The congestion participation times are the number of congestion events in the current time window in which the corresponding target host took part. In a given congestion event, if the target host was requesting access to a service address over the congested network transmission link, it participated in that event and its congestion participation count is incremented by 1; if it had no access request during that event, it did not participate and the count is unchanged. Since the current time window contains a target number of congestion events, the congestion participation times of each target host identifier are obtained by counting, over all congestion events in the window, the events in which the host accessed a service address over the congested link.
It should be noted that in a link flooding attack the attacker rotates the controlled hosts to attack different network key links, one network transmission link being targeted per congestion event. Each such link also carries some benign hosts, but a benign host takes part in fewer congestion events than a malicious host, so the number of congestion events a host participates in can serve as one of the trust evidences for evaluating its trust degree.
The access address change times are the number of times, across the access address change events in the current time window, that the corresponding target host changed its access address, an access address change meaning that the destination address of the host's current service access differs from the destination address of its previous access. For example, if the target host accessed the destination address of service A in the previous access address change event and the destination address of service B in the current one, it changed its access address and the count is incremented by 1. Since the current time window contains a target number of access address change events, the access address change times of each target host identifier are obtained by counting, over all access address change events in the window, those in which the host's access address differs from that of its previous event.
It should be noted that, in a link flooding attack, rotating the attack across different network key links requires the controlled hosts to change the destination server they access frequently, so that the attack traffic reaches the link under attack. A benign host, by contrast, does not readily switch to other destination servers, since that would break the continuity of its business flow. A target host that frequently changes its destination address when sending traffic may therefore be malicious, which is why the access address change times are used as one of the trust evidences.
The continuous participation times are the number of times the corresponding target host participated in consecutive congestion events in the current time window. For example, if a time window is 10 congestion events long and a target host participates in congestion events 1 to 4 and again in events 6 to 8, its continuous participation count is 2, the first run spanning 4 congestion events and the second 3.
It should be noted that the number of hosts an attacker can control is limited, so some of them are reused as malicious hosts to launch low-rate attacks on the network transmission link. A target host that repeatedly participates in consecutive congestion events may therefore be malicious, which is why the continuous participation times are used as one of the trust evidences.
In some implementations, the multidimensional trust evidence is constructed from the plurality of access address change events and congestion events in the current time window as follows. The congestion participation times of each target host identifier are counted from the target host identifiers participating in network link congestion carried by each congestion event in the window; the continuous participation times of each target host identifier are counted from the same identifiers across the congestion events of the window; and the access address change times of each target host identifier are counted from the target host identifiers that changed their access address carried by each access address change event in the window. The multidimensional host trust evidence for evaluating the trust degree of each target host is thus built from the participation information of each host in the current time window, and the initial trust degree of each target host is calculated from it.
In this way, the target host identifiers participating in network link congestion carried by each congestion event in the current time window and the target host identifiers that changed their access address carried by each access address change event are combined to construct multidimensional host trust evidence, for example by counting the congestion participation times, access address change times and continuous participation times of each target host identifier. The initial trust degree of each target host identifier is then calculated from this evidence, so malicious hosts can be identified without mining the traffic characteristics of each host, improving the accuracy of the subsequent identification.
103. And calculating the initial trust degree of each target host identifier in the current time window based on the congestion participation times, the access address change times and the continuous participation times of each target host identifier in the current time window.
In the embodiment of the present application, once the three-dimensional host trust evidence of congestion participation times, access address change times and continuous participation times has been constructed for each target host identifier, the initial trust degree of each target host identifier in the current time window is calculated from these three counts. Specifically, a direct participation score is calculated from the congestion participation times, a continuous participation score from the continuous participation times and an address change score from the access address change times, and the three scores are combined to determine the initial trust degree of each target host. Calculating the initial trust degree from the constructed multidimensional host trust evidence allows malicious hosts to be identified on the basis of trust degree, without mining the traffic characteristics of each host, and improves identification accuracy.
The initial trust degree is a host trust value reflecting the corresponding target host in the current time window. It is determined from the host's involvement in the congestion events of the current time window, i.e. comprehensively from its congestion participation times, access address change times and continuous participation times in that window, and can be understood as a trust value indicating how strongly the target host appears to belong to the benign host class.
In some embodiments, a direct participation score may be calculated based on the congestion participation count of each target host identifier, a continuous participation score may be calculated based on the continuous participation count of each target host identifier, an address change score may be calculated based on the access address change count of each target host identifier, and the direct participation score, the continuous participation score, and the address change score may be weighted to obtain an initial confidence level corresponding to each target host identifier in the current time window. For example, step 103 may include:
(103.1) determining a direct participation score for each target host identity based on the number of congestion participation times for each target host identity within the current time window;
(103.2) calculating a continuous participation score based on the number of continuous participation of each target host identity within the current time window;
(103.3) calculating an address change score based on the number of access address changes of each target host identity within the current time window;
(103.4) weighting the direct participation score, the continuous participation score and the address change score to obtain the initial trust degree of each target host identity in the current time window.
The direct participation score may be a sub-trust score representing the number of congestion participation times of the corresponding target host identifier for the congestion events in the current time window: the more times a target host participates in congestion events in the current time window, the smaller its direct participation score, the larger the probability of being judged a malicious host, and the smaller the probability of being trusted. Illustratively, a beta distribution is used to model the number of times the target host directly participates in congestion events, so that the direct participation score can be calculated as one of the multidimensional host trust evidences. Since it cannot be confirmed at the initial time whether a host is malicious, the uniform distribution is used as the initial distribution of the direct participation evidence, and the direct participation score of each target host identifier in the current time window is calculated as follows:
wherein the first symbol represents the direct participation score of the corresponding target host in the current time window, the second symbol represents the number of times the target host does not participate in a congestion event within the current time window, and the third symbol represents the number of congestion events the host participates in within the current time window, i.e. the congestion participation times.
The continuous participation score may be a sub-trust score indicating the number of continuous participation times of the corresponding target host identifier for the congestion events in the current time window: the more times a target host continuously participates in congestion events in the current time window, the smaller its continuous participation score, the larger the probability of being judged a malicious host and the smaller the probability of being trusted, that is, the lower the trust of the target host. Illustratively, the continuous participation score of each target host identity in the current time window is calculated as follows:
wherein the first symbol represents the continuous participation score of the corresponding target host in the current time window, the second symbol represents the number of consecutive sequences in which the target host joins congestion events, i.e. the continuous participation times, and the third symbol represents the length of the continuous sequence of congestion events the target host participates in within the current time window, i.e. how many congestion events are participated in consecutively without interruption.
The address change score may be a sub-trust score indicating the number of address changes of the corresponding target host identifier for the access address change events in the current time window: the more times a target host changes its access address in the current time window, the smaller its address change score, the greater the probability of being judged a malicious host and the smaller the probability of being trusted, i.e. the lower the trust of the target host.
The statistics based on the number of access address changes per target host identity within the current time window are represented as follows:
wherein the first symbol represents the number of access address changes of the corresponding target host within the current time window, the second symbol represents the number of access address change events contained within the current time window, the third symbol may be a two-dimensional array, and the fourth symbol represents whether the target host participated in a given access address change event: its value is 1 when the target host participated in that access address change event and 0 otherwise.
Further, the address change score is calculated as follows:
wherein the first symbol represents the address change score of the corresponding target host in the current time window, and the second symbol represents the number of access address changes of the corresponding target host within the current time window.
Finally, the direct participation score, the continuous participation score and the address change score can be weighted to obtain the initial trust degree of each target host identifier in the current time window. Therefore, the initial trust degree corresponding to each target host identifier is calculated from the constructed multidimensional host trust evidence, so that malicious host identification is performed based on the trust degree; the malicious host can be identified without mining the traffic characteristics of each host, and the accuracy of identifying the malicious host is improved.
In some embodiments, different evidence weight factors can be respectively allocated to the direct participation score, the continuous participation score and the address change score, and the direct participation score, the continuous participation score and the address change score are weighted according to the different evidence weight factors, so that the initial trust degree of each target host identifier in the current time window is obtained. For example, the step (103.4) may include determining a first evidence weight factor associated with the direct participation score, a second evidence weight factor associated with the continuous participation score, and a third evidence weight factor associated with the address change score, wherein the sum of the first evidence weight factor, the second evidence weight factor, and the third evidence weight factor is 1, and performing weighted calculation on the direct participation score, the continuous participation score, and the address change score according to the first evidence weight factor, the second evidence weight factor, and the third evidence weight factor to obtain an initial trust degree of each target host identifier in the current time window.
The first evidence weight factor is used for measuring the importance of the direct participation score in the process of identifying the malicious host: the larger the first evidence weight factor, the larger the proportion of the direct participation score in calculating the initial trust degree of the corresponding target host identifier, which indicates that the number of congestion event participations is host trust evidence that needs to be considered when identifying the malicious host.
The second evidence weight factor is used for measuring the importance of the continuous participation score in the process of identifying the malicious host: the larger the second evidence weight factor, the larger the proportion of the continuous participation score in calculating the initial trust degree of the corresponding target host identifier, which indicates that the number of continuous congestion event participations is host trust evidence that needs to be considered when identifying the malicious host.
The third evidence weight factor is used for measuring the importance of the address change score in the process of identifying the malicious host: the greater the third evidence weight factor, the greater the proportion of the address change score in calculating the initial trust degree of the corresponding target host identifier, which indicates that the number of access address changes around congestion events is host trust evidence that needs to be considered when identifying the malicious host.
Specifically, a first evidence weight factor associated with the direct participation score, a second evidence weight factor associated with the continuous participation score and a third evidence weight factor associated with the address change score are determined. For example, in a first aspect, if the number of direct participations in congestion events is to be given more consideration when identifying malicious hosts, the first evidence weight factor may be increased; if the behaviours of short-term and long-term participation in congestion events need to be balanced, the first evidence weight factor may be set to a corresponding value so that the influence of the number of direct participations is moderate. In a second aspect, if the malicious hosts in a link flooding attack are more prone to repeatedly participating in the attack, the second evidence weight factor may be increased so that continuous participation has a greater influence on the trust degree. In a third aspect, if the attack relies on frequent changes of access destination to hide identities, the third evidence weight factor may be increased to highlight the role of the address change score. In the above manner, the first, second and third evidence weight factors are set so that their sum is 1, which ensures that the subsequent weighted calculation of the multidimensional scores is normalized, interpretable and practical. Further, the direct participation score is multiplied by the first evidence weight factor to obtain a first sub-score, the continuous participation score is multiplied by the second evidence weight factor to obtain a second sub-score, the address change score is multiplied by the third evidence weight factor to obtain a third sub-score, and the first, second and third sub-scores are added to obtain the initial trust degree of each target host identifier in the current time window.
Therefore, the initial trust degree corresponding to each target host identity is calculated through the constructed multidimensional host trust evidence, so that malicious host identification is performed based on the trust degree, the malicious host can be identified without excavating the flow characteristics of each host, and the accuracy of identifying the malicious host is improved.
Illustratively, the initial trust of each target host in the current time window is calculated in a weighted manner by combining the three dimensions of the direct participation score, the continuous participation score and the address change score. The calculation process of the initial trust of each target host in the current time window is as follows:
wherein the first symbol represents the initial trust degree of the corresponding target host in the current time window, the second symbol represents the first evidence weight factor, the third symbol represents the second evidence weight factor, and the fourth symbol represents the third evidence weight factor. Thus, the initial trust degree of each target host in the current time window is obtained.
By the above method, the congestion participation times, the access address change times and the continuous participation times of each target host identifier in the current time window can be combined to calculate the initial trust degree of each target host identifier in the current time window; the initial trust degree corresponding to each target host identifier is calculated from the constructed multidimensional host trust evidence to facilitate subsequent malicious host identification based on the trust degree, so that the malicious host can be identified without mining the traffic characteristics of each host, and the subsequent identification accuracy of the malicious host is improved.
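The evidence construction and the three-score weighting of steps 103.1 to 103.4, as an added example that is not the patent's own code. The page does not reproduce the patent's formulas, so the three sub-score functions below are assumptions chosen only to follow the stated directions (more participation, longer consecutive runs and more address changes each lower the score); the event data is constructed in the style of the "IE1"/"CE1" sequences of fig. 4.

```python
"""Initial host trust from multidimensional congestion evidence (steps 103.1-103.4).

Added example, not the patent's own code. Assumed sub-scores (the page's
formulas are not reproduced):
  * direct participation : posterior mean of a Beta(1,1) (uniform) prior
                           updated with non-participation / participation counts
  * continuous           : 1 / (1 + run_count * longest_run), runs of length >= 2
  * address change       : Beta(1,1) posterior mean over the M change events
"""


def build_evidence(congestion_events, address_change_events):
    """Per-host evidence from event sequences; each event is a set of host ids."""
    hosts = set().union(*congestion_events, *address_change_events)
    evidence = {}
    for host in sorted(hosts):
        bits = [1 if host in ev else 0 for ev in congestion_events]
        participation = sum(bits)
        # Count maximal runs of consecutive participation and the longest run.
        runs, longest, cur = 0, 0, 0
        for b in bits + [0]:  # sentinel closes the final run
            if b:
                cur += 1
                continue
            if cur >= 2:
                runs += 1
            longest = max(longest, cur)
            cur = 0
        changes = sum(1 for ev in address_change_events if host in ev)
        evidence[host] = {
            "participation": participation,
            "non_participation": len(congestion_events) - participation,
            "run_count": runs,
            "longest_run": longest,
            "address_changes": changes,
        }
    return evidence


def direct_participation_score(participation, non_participation):
    # Beta(1,1) prior: expected "benign" probability after the observed counts.
    return (non_participation + 1) / (non_participation + participation + 2)


def continuous_participation_score(run_count, longest_run):
    # Assumed form: decreases with both the number and the length of runs.
    return 1.0 / (1.0 + run_count * longest_run)


def address_change_score(address_changes, total_change_events):
    # Beta(1,1) prior over the M address-change events of the window.
    return (total_change_events - address_changes + 1) / (total_change_events + 2)


def initial_trust(evidence, total_change_events, weights=(0.5, 0.3, 0.2)):
    """Weighted sum of the three sub-scores; weight factors must sum to 1."""
    w1, w2, w3 = weights
    if abs(w1 + w2 + w3 - 1.0) > 1e-9:
        raise ValueError("evidence weight factors must sum to 1")
    trust = {}
    for host, e in evidence.items():
        s_direct = direct_participation_score(e["participation"], e["non_participation"])
        s_cont = continuous_participation_score(e["run_count"], e["longest_run"])
        s_addr = address_change_score(e["address_changes"], total_change_events)
        trust[host] = w1 * s_direct + w2 * s_cont + w3 * s_addr
    return trust


# Constructed sample window (N = 5 congestion events, M = 3 address-change events).
CONGESTION_EVENTS = [{"IP2", "IP4"}, {"IP2", "IP3"}, {"IP2"}, {"IP1", "IP4"}, {"IP2", "IP4"}]
ADDRESS_CHANGE_EVENTS = [{"IP2"}, {"IP2", "IP3"}, {"IP2"}]

if __name__ == "__main__":
    ev = build_evidence(CONGESTION_EVENTS, ADDRESS_CHANGE_EVENTS)
    trust = initial_trust(ev, len(ADDRESS_CHANGE_EVENTS))
    for host, t in sorted(trust.items(), key=lambda kv: kv[1]):
        print(f"{host}: {ev[host]} -> initial trust {t:.3f}")
```

IP2, which joins four of five congestion events in a run of three and changes its access address in every change event, ends up with the lowest initial trust; IP1, seen once, the highest.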
104. Acquiring the historical trust degree corresponding to each target host identifier in the historical time window, and calculating the target trust degree of each target host identifier according to the initial trust degree and the corresponding historical trust degree of each target host identifier.
In the embodiment of the application, since the initial trust degree only evaluates the participation of each target host in congestion events in the current time window, when a malicious host participates only a few times in the current time window, identifying malicious hosts solely from the participation of each host in the current time window can misjudge an actually malicious host as a benign host, which increases the risk of the malicious host attacking the network transmission link again in large numbers and is detrimental to the security and stability of the subsequent network transmission link. Therefore, after obtaining the initial trust degree corresponding to each target host identifier, the historical trust degree corresponding to each target host identifier in the historical time window can be obtained, and the target trust degree of each target host identifier is calculated by combining the initial trust degree and the corresponding historical trust degree. In this way, the final target trust degree of each target host identifier is determined by combining its initial trust degree in the current time window with its historical trust degree in the historical time window, which avoids misjudging a malicious host as a benign host because it reduced its participation in congestion events in the current time window, improves the subsequent identification accuracy of the malicious host, reduces the risk of the malicious host attacking the network transmission link again in large numbers, and improves the security and stability of the subsequent network transmission link.
The historical time window may be a time window of historical time located before the current time window, specifically, the historical time window may be a target historical time window located in a sliding window before the current time window, the sliding window may accommodate a plurality of target historical time windows, and then the initial trust degree of each target host identifier is combined with a plurality of historical trust degrees corresponding to the plurality of historical time windows in the sliding window to perform weighted calculation. The explanation of the historical time window may also refer to the previous description of the "current time window", which is not described herein.
The historical trust level can be the historical target trust level of the corresponding target host in the corresponding historical time window, namely its final trust level in that window; each historical time window corresponds to one historical trust level, which is calculated by combining the historical initial trust level obtained from congestion event participation in that historical time window with the historical trust levels of earlier historical time windows. For example, starting from the current time window, the historical time window closest and adjacent to the current time window is defined as the first historical time window, followed by the second, third and fourth historical time windows, and so on; after the historical initial trust level of each target host identifier is calculated from the historical host participation information in the first historical time window, the historical trust level of each target host identifier in the first historical time window is calculated by combining that historical initial trust level with the historical trust levels of the corresponding target host identifier in the second, third and fourth historical time windows. It should be noted that the historical trust levels of the second, third and fourth historical time windows are calculated in the same manner as the historical trust level of each target host identifier in the first historical time window, which is not repeated here.
In the embodiment of the application, since the malicious hosts used in each congestion event can differ, some malicious hosts participate less in congestion events in certain time windows, so that their trust evaluation increases and they are misjudged as benign hosts. Therefore, in order to avoid a blind increase of host trust, a sliding window mechanism is introduced that takes the historical evaluation into account: a trust weight is designed for each historical time window, and the weights of the historical time windows and of the current time window are combined to calculate, from the initial trust degree of each target host identifier and the corresponding historical trust degrees, the target trust degree of each target host identifier. This improves the identification accuracy of the malicious host.
In some embodiments, a current trust weight factor corresponding to the current time window and a historical trust weight factor corresponding to the historical time window may be determined respectively, and the initial trust level and the corresponding historical trust level of each target host identifier are weighted by combining the current trust weight factor and each historical trust weight factor, so as to obtain the target trust level of each target host identifier. For example, the step 104 of calculating the target trust level of each target host identifier according to the initial trust level of each target host identifier and the corresponding historical trust level may include determining a current trust weight factor corresponding to the current time window and a historical trust weight factor corresponding to each historical time window, the historical trust weight factors becoming exponentially smaller based on the increasing distance between the corresponding historical time window and the current time window, weighting and summing the initial trust level of each target host identifier and the corresponding plurality of historical trust levels according to the current trust weight factor and each historical trust weight factor to obtain a target total trust score corresponding to each target host identifier, determining a total trust weight coefficient in combination with the current trust weight factor and each historical trust weight factor, and determining the target trust level of each target host identifier according to the ratio between the target total trust score of each target host identifier and the total trust weight coefficient.
The current trust weight factor may be used in a weighted operation with the initial trust level of the corresponding target host identifier, so as to participate in calculating the target trust level of each target host in the current time window. The greater the current trust weight factor, the more the initial trust level of each target host identifier in the current time window is emphasized. It should be noted that the current time window corresponds to the behaviour data of the latest congestion events each target host participated in, and because current behaviour best reflects the real-time state of the target host, the highest trust weight factor can be given to the current time window.
The historical trust weight factor may be a weight factor of a corresponding certain historical time window, and is used for performing a weighted operation with the historical trust degree of the corresponding target host in the corresponding certain historical time window, so as to participate in calculating the target trust degree of each target host in the current time window. It should be noted that, with the current time window as a starting point, the historical trust weight factor of each historical time window decreases exponentially as the window distance becomes larger, so that the influence of the "historical trust degree" of the historical time window which is farther from the current time window on the calculation of the "target trust degree" of the current time window is smaller, and the "recent behavior is more critical" logic is met.
Specifically, the current trust weight factor corresponding to the current time window is determined, the current trust weight factor may be set to 1, and the historical trust weight factor corresponding to each historical time window is calculated as follows:
wherein the first symbol represents the historical trust weight factor of the corresponding target host in the i-th historical time window of the sliding window, the next symbol represents a historical time window of the sliding window preceding the current time window, the next represents the current time window, the next represents the historical trust degree of the host in that historical time window of the sliding window, the next represents the historical trust threshold under the i-th historical time window of the sliding window, and the last represents the recovery parameter; it should be noted that the recovery parameter takes a different value in each of the following two cases. On the one hand, if in the i-th historical time window the historical trust degree of a host is lower than the corresponding historical trust threshold, the recovery parameter takes the first value, which makes the historical trust weight factor of the i-th historical time window relatively large, so as to avoid a blind increase of the host's final target trust degree; on the other hand, if the historical trust degree of the host in the i-th historical time window is higher than the corresponding historical trust threshold, the recovery parameter takes the second value, which leaves the historical trust weight factor of the i-th historical time window at its normal value.
Further, after determining the current trust weight factor corresponding to the current time window and the historical trust weight factor corresponding to each historical time window, weighting and summing the initial trust degree of each target host identifier and the corresponding plurality of historical trust degrees according to the current trust weight factor and each historical trust weight factor to obtain a target total trust score corresponding to each target host identifier, and finally, adding the current trust weight factor and each historical trust weight factor to obtain a total trust weight coefficient, and dividing the target total trust score of each target host identifier by the total trust weight coefficient to obtain the target trust degree of each target host identifier. Illustratively, the calculation process of the target trust level of each target host identifier in the current time window is as follows:
wherein the first symbol represents the target trust degree of the corresponding target host in the current time window, the second symbol represents the size of the sliding window, i.e. the number of historical time windows involved, the third symbol represents the i-th historical time window within the sliding window, the fourth symbol represents the historical trust weight factor of that historical time window, the fifth symbol represents the historical trust degree of the host under that historical time window, and the last symbol represents the initial trust degree of the corresponding target host in the current time window.
Fig. 4 is a diagram illustrating a scenario for updating host trust based on a sliding window according to an embodiment of the present application. Referring to fig. 4, a scenario of replacing host trust of a sliding window is described, which is specifically as follows:
In the current time window, the plurality of network devices report destination address changes M times in total, meaning that M access address change events occur in the current time window, and upload N congestion events, meaning that N congestion occurrences on the network transmission link happen in the current time window; each congestion event comprises the target host identifiers participating in the network link congestion, and each access address change event comprises the target host identifiers that changed their access address. For example, the first congestion event comprises the sequence of target host identities participating in that congestion event, i.e. "IE1" in fig. 4, and the first access address change event comprises the sequence of target host identities that changed their access address, i.e. "CE1" in fig. 4; "IE1" indicates that host 2 (IP 2) and host 4 (IP 4) participate in the first congestion event, and "CE1" indicates that host 2 (IP 2) changed its access destination address. It should be noted that the network device may also directly upload the access address of each host to the server, so that the server determines whether an access address change event occurred for each host based on its access address. Based on the above data, the multidimensional trust evidence of host 1, host 2, host 3, ..., host n, i.e. congestion participation count, continuous participation count and access address change count, is constructed respectively to calculate the initial trust degree of each host.
Further, the 4 historical time windows preceding the current time window, namely Ti, Ti-1, Ti-2 and Ti-3, are selected through the sliding window, the historical trust degree of each host in each historical time window is determined, and finally, for each host, a weighted calculation is carried out by combining the weight factor of each historical time window with the corresponding historical trust degree, so that the final target trust degree of each host in the current time window is obtained.
By the above method, the final target trust degree of each target host identifier can be determined by combining its initial trust degree in the current time window with its historical trust degree in the historical time windows, which avoids misjudging a malicious host as a benign host because it reduced its participation in congestion events in the current time window, improves the subsequent identification accuracy of the malicious host, reduces the risk of the malicious host attacking the network transmission link again in large numbers, and improves the security and stability of the subsequent network transmission link.
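The sliding-window fusion of step 104 (current trust weight factor 1, exponentially decaying historical weight factors, a recovery parameter that keeps the weight of a low-trust historical window high, and target trust as total trust score divided by total weight coefficient), as an added example that is not the patent's own code. The decay base, the recovery parameter value of 2 and the per-window thresholds are assumptions, since the page does not reproduce the weight formula; the two host histories are constructed.

```python
"""Sliding-window target trust (step 104): fuse the initial trust of the current
window with the historical trust of the last few windows.

Added example, not the patent's own code. Assumed (the page's formula is not
reproduced): the current window has weight 1; the i-th historical window
(i = 1 is the window Ti adjacent to the current one) has base weight decay**i;
if that window's historical trust was below its threshold, the weight is
multiplied by a recovery parameter > 1, otherwise left unchanged.
"""


def historical_weights(history, thresholds, decay=0.5, recovery=2.0):
    """Historical trust weight factor for each window, most recent first."""
    if len(history) != len(thresholds):
        raise ValueError("one historical trust threshold per historical window")
    if not 0.0 < decay < 1.0 or recovery < 1.0:
        raise ValueError("decay must be in (0, 1) and recovery >= 1")
    weights = []
    for i, (trust, threshold) in enumerate(zip(history, thresholds), start=1):
        base = decay ** i  # farther windows matter exponentially less
        # Low past trust keeps its weight high so a quiet current window
        # cannot blindly raise the final target trust of the host.
        factor = recovery if trust < threshold else 1.0
        weights.append(base * factor)
    return weights


def target_trust(initial, history, thresholds, decay=0.5, recovery=2.0,
                 current_weight=1.0):
    """Target total trust score divided by the total trust weight coefficient."""
    ws = historical_weights(history, thresholds, decay, recovery)
    total_score = current_weight * initial + sum(w * t for w, t in zip(ws, history))
    total_weight = current_weight + sum(ws)
    return total_score / total_weight


# Constructed scenario: both hosts look quiet in the current window (initial
# trust 0.8), but one took part in congestion repeatedly in Ti .. Ti-3.
THRESHOLDS = [0.5, 0.5, 0.5, 0.5]
SUSPECT_HISTORY = [0.20, 0.15, 0.25, 0.30]
BENIGN_HISTORY = [0.70, 0.75, 0.80, 0.70]

if __name__ == "__main__":
    print("suspect host target trust:", round(target_trust(0.8, SUSPECT_HISTORY, THRESHOLDS), 3))
    print("benign host target trust: ", round(target_trust(0.8, BENIGN_HISTORY, THRESHOLDS), 3))
```

With these inputs the formerly misbehaving host ends at a target trust of about 0.41 despite its quiet current window, while the consistently benign host stays near 0.76.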
105. Acquiring a current state data set, and inputting the state data set into a target decision model to obtain a target trust threshold.
In the embodiment of the application, after the target trust degree corresponding to each target host identifier in the current time window is obtained, a current target trust threshold can be calculated with the aid of a reinforcement learning algorithm in order to identify the malicious host; the target trust threshold is compared against the target trust degrees to identify malicious hosts. In this way, a host-trust-based mechanism is subsequently realized in which the malicious host is identified according to the target trust degree of each target host identifier in the current time window, and the identification accuracy of the malicious host is subsequently improved.
The target trust threshold is a threshold for judging a malicious host in a current time window, and is specifically used for comparing with a target trust level of a corresponding target host identifier to identify the malicious host. It should be noted that, the trust threshold corresponding to different time windows is different, and each historical time window corresponds to a historical trust threshold.
The current state data set may be state data describing the characteristics of the current network environment and the participation of the target hosts in the current time window, which may include the average trust degree of all target hosts in the current time window, the historical target trust threshold of the previous historical time window, the number of malicious hosts detected in the previous historical time window, the degree of change of the congestion events in the current time window relative to those in the previous time window, and the penalty degree mean of all target hosts in the previous time window.
The process of obtaining the current state data set includes first calculating the average trust degree based on the target trust degrees of each target host identity;
then acquiring the historical congestion event count in the previous historical time window and the current congestion event count in the current time window, determining the ratio of the historical congestion event count to the current congestion event count, and subtracting the constant 1 to obtain the degree of change, which is expressed as follows:
then, a penalty degree of each target host is determined, wherein the penalty degree can be understood as a flow rate limiting proportion for the malicious host, and the specific calculation process is as follows:
wherein the first symbol represents the penalty degree of the corresponding target host in the current time window, the second symbol is the target trust threshold within the current time window, the third symbol represents the size of the sliding window, i.e. the number of historical time windows involved, the fourth symbol represents the number of consecutive penalties of the target host within the sliding window, and the last symbol represents the target trust degree of the target host in the current time window.
The average penalty degree corresponding to the plurality of target hosts is calculated as follows:
wherein the first symbol represents the average penalty degree of the plurality of target hosts within the current window, the second symbol represents the number of all target hosts, i.e. the number of historical time windows involved, and the third symbol represents the penalty degree of the corresponding target host in the current time window.
According to the above calculation of the average penalty degree, the penalty degree mean of all target hosts in the previous time window is determined.
Then, the historical target trust threshold of the previous historical time window and the number of malicious hosts detected in the previous historical time window are acquired directly.
Finally, based on the average trust degree of all target hosts in the current time window, the historical target trust threshold of the previous historical time window, the number of malicious hosts detected in the previous historical time window, the degree of change of the congestion events in the current time window relative to those in the previous time window, and the penalty degree mean of all target hosts in the previous time window, the current state data set is constructed as follows:
It should be noted that the state data set may be time-sensitive, and a subscript represents the time step of the state data set; for example, assuming the current time step is 3, the state data set carries that time step. The state data set is then represented as follows:
In the embodiment of the application, after the current state data set is acquired, the current state data set is input into the trained target decision model, so that the target decision model outputs a target trust threshold value for comparing and identifying the malicious host based on the current state data set.
The trained target decision model is obtained by training a preset decision model on a sample state data set to output a predicted trust threshold, with maximization of the reward value of a reward function as the optimization target; the reward value reaches its maximum when the target difference between the balance score, the misjudgment rate and the predicted average penalty degree is largest. The reward function is constructed from the balance score, the misjudgment rate and the predicted average penalty degree. The balance score and the misjudgment rate are determined by comparing the predicted trust threshold with the sample target trust degree of each sample host identity to detect predicted malicious host identities and predicted benign host identities, and then combining these with the sample benign host identities and sample malicious host identities among the sample host identities; the predicted average penalty degree (i.e. the predicted flow rate limiting proportion) is determined from the difference proportion between the predicted trust threshold and the sample target trust degree of each sample host identity.
For ease of understanding, the following describes a training process for a target decision model, which is as follows:
The training process comprises the following steps: obtaining the sample target trust of each sample host identifier, the sample average trust among the plurality of sample host identifiers, a sample historical trust threshold, the number of sample malicious hosts, the rate of change of the number of sample congestion events and the sample average flow rate limiting proportion corresponding to the plurality of sample host identifiers, together with the sample benign host identifiers and sample malicious host identifiers among the plurality of sample host identifiers; constructing a sample state data set from the sample average trust, the sample historical trust threshold, the number of sample malicious hosts, the rate of change of the number of sample congestion events and the sample average flow rate limiting proportion; inputting the sample state data set into a preset decision model to obtain a predicted trust threshold; identifying the predicted malicious host identifiers and predicted benign host identifiers by comparing the predicted trust threshold with the sample target trust of each sample host identifier; determining, from the predicted malicious host identifiers, the sample benign host identifiers and the sample malicious host identifiers, the balance score of detection precision and recall for the sample malicious host identifiers and the misjudgment rate at which sample benign host identifiers are judged to be predicted malicious host identifiers; determining the predicted flow rate limiting proportion of each sample host identifier from the predicted trust threshold and its sample target trust, and from these the predicted average flow rate limiting proportion; constructing a reward function from the balance score, the misjudgment rate and the predicted average flow rate limiting proportion, with maximization of the target difference between the balance score on one side and the misjudgment rate and the predicted average flow rate limiting proportion on the other as the optimization target; and adjusting the model parameters of the preset decision model according to the optimization target to obtain the target decision model.
Specifically, the sample target trust of each sample host identifier is obtained, and the sample average trust among the plurality of sample host identifiers is calculated from the plurality of sample target trusts corresponding to the plurality of sample host identifiers. The sample historical trust threshold, the number of sample malicious hosts, the rate of change of the number of sample congestion events and the sample average flow rate limiting proportion corresponding to the plurality of sample host identifiers are also obtained. A sample state data set is constructed from the above state data, the sample state data set being expressed as
Further, the sample state data set is input into the preset decision model, resulting in a predicted trust threshold, which can be understood as an action belonging to the range [0,1] and is expressed as
Then, comparing the sample target trust level of each sample host mark with a prediction trust level threshold value, identifying a prediction malicious host mark and a prediction benign host mark, so as to determine the punishment degree corresponding to each sample host mark, namely the prediction flow rate limit proportion corresponding to each sample host mark, wherein the calculation process of the prediction flow rate limit proportion corresponding to each sample host mark is as follows:
Further, a predicted average flow rate limit ratio is calculated in combination with a predicted flow rate limit ratio corresponding to each sample host identifier, and the calculation process of the predicted average flow rate limit ratio is as follows:
Then, the predicted malicious host identifiers and predicted benign host identifiers are identified according to the predicted trust threshold and the sample target trust of each sample host identifier, the predicted first number of predicted benign hosts and the predicted second number of predicted malicious hosts are calculated, and the predicted malicious host identifiers, predicted benign host identifiers, sample benign host identifiers and sample malicious host identifiers are compared in order to count the number of correct detections (sample malicious host identifiers correctly detected as predicted malicious host identifiers), the number of false detections (sample benign host identifiers misjudged as predicted malicious host identifiers) and the number of missed detections (sample malicious host identifiers that were not detected). Further, the balance score of detection precision and recall for the sample malicious host identifiers is determined; for example, the F1-Score is used to measure detection precision and recall for the sample malicious host identifiers, and the specific calculation process is as follows:
The misjudgment rate at which sample benign host identifiers are misjudged as predicted malicious host identifiers is also determined; the specific calculation process is as follows:
where U represents the number of all sample host identities, i.e. the number of sample hosts, and Z represents the number of all sample malicious host identities, i.e. the number of sample malicious hosts.
Further, a target difference between the balance score on one side and the misjudgment rate and the predicted average flow rate limiting proportion on the other is determined. A reward function may then be constructed with the target difference as a variable.
It should be noted that a correct predicted trust threshold can effectively detect malicious hosts and prevent congestion events on the network transmission link, so that the congestion events show a decreasing trend; therefore, the number of congestion events in the latter time window is required to be less than the number of congestion events in the previous time window.
Based on the above, a constraint optimization problem is constructed to train a preset decision model through the constraint optimization problem, and the constraint optimization problem is expressed as follows:
To facilitate understanding, the above constraint optimization problem is converted into a reward function, in which the rate of change of the number of congestion events between the preceding and following time windows is used. In addition, the ratio of the number of predicted malicious host identifiers to the number of sample malicious host identifiers may also be combined, whereby the reward function is constructed from the target difference, the rate of change of the number of congestion events between the preceding and following time windows, and the ratio between the number of predicted malicious host identifiers and the number of sample malicious host identifiers. The reward function is expressed as follows:
It should be noted that, the objective of optimizing the reward function is to improve the accuracy of identifying the sample malicious host identity, and simultaneously reduce the misjudgment rate of misjudging the sample benign host identity as the predicted malicious host identity, and reduce the number of congestion events and the average traffic rate limiting proportion (i.e. the average punishment degree). Namely, the maximization of the target difference between the balance score and the false positive rate and the predicted average punishment degree serves as an optimization target, and the reward value corresponding to the reward function is the maximum value when the target difference between the balance score and the false positive rate and the predicted average punishment degree is the maximum.
Finally, the model parameters of the preset decision model are adjusted according to the optimization target by combining the output value of the reward function until the output value of the reward function reaches the maximum value, training is stopped, and the trained target decision model is obtained.
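As an added example, not code from the patent, the following Python computes the training signals described above (predicted malicious set, F1 balance score, misjudgment rate, predicted average flow rate limiting proportion, target difference and the congestion-change term) for one candidate threshold, and uses an exhaustive search over candidate thresholds as a stand-in for the decision model. The misjudgment-rate denominator (number of sample benign hosts, U - Z), the per-host limiting proportion (1 - trust/threshold) and the way the reward combines the target difference with the congestion change rate are assumptions, since the page does not give those formulas; the sample hosts are constructed.

```python
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class SampleHost:
    host_id: str
    trust: float      # sample target trust, in [0, 1]
    malicious: bool   # ground-truth label of the sample host identifier


def predicted_malicious(hosts: List[SampleHost], threshold: float) -> Set[str]:
    """Sample host identifiers whose sample target trust is below the predicted trust threshold."""
    return {h.host_id for h in hosts if h.trust < threshold}


def limit_proportion(trust: float, threshold: float) -> float:
    """Predicted flow rate limiting proportion of one host.
    Assumption: the shortfall of the trust relative to the threshold; hosts at or above
    the threshold are benign and are not limited."""
    return 0.0 if trust >= threshold else 1.0 - trust / threshold


def training_signals(hosts: List[SampleHost], threshold: float,
                     congestion_prev: int, congestion_cur: int) -> dict:
    """All quantities the reward function is built from, for one predicted threshold."""
    flagged = predicted_malicious(hosts, threshold)
    truly_bad = {h.host_id for h in hosts if h.malicious}
    truly_good = {h.host_id for h in hosts if not h.malicious}
    correct = len(flagged & truly_bad)    # sample malicious correctly detected
    wrong = len(flagged & truly_good)     # sample benign misjudged as malicious
    missed = len(truly_bad - flagged)     # sample malicious missed
    precision = correct / (correct + wrong) if correct + wrong else 0.0
    recall = correct / (correct + missed) if correct + missed else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    U, Z = len(hosts), len(truly_bad)     # all sample hosts / sample malicious hosts
    misjudgment = wrong / (U - Z) if U - Z else 0.0   # assumption: FP over benign count
    avg_limit = sum(limit_proportion(h.trust, threshold) for h in hosts) / U if U else 0.0
    # target difference: balance score minus misjudgment rate minus average punishment
    target_diff = f1 - misjudgment - avg_limit
    change_rate = ((congestion_cur - congestion_prev) / congestion_prev
                   if congestion_prev else 0.0)
    detect_ratio = len(flagged) / Z if Z else 0.0     # predicted vs sample malicious count
    # assumption: the reward grows with the target difference and with falling congestion
    reward = target_diff - change_rate
    return {"f1": f1, "misjudgment": misjudgment, "avg_limit": avg_limit,
            "target_diff": target_diff, "change_rate": change_rate,
            "detect_ratio": detect_ratio,
            "constraint_ok": congestion_cur < congestion_prev, "reward": reward}


def best_threshold(hosts: List[SampleHost], candidates: List[float],
                   congestion_prev: int, congestion_cur: int) -> float:
    """Exhaustive stand-in for the decision model: the candidate with the highest reward."""
    return max(candidates,
               key=lambda t: training_signals(hosts, t, congestion_prev, congestion_cur)["reward"])


# Constructed sample hosts: three benign, three malicious, with decreasing trust.
SAMPLE_HOSTS = [
    SampleHost("h1", 0.9, False), SampleHost("h2", 0.8, False), SampleHost("h3", 0.6, False),
    SampleHost("h4", 0.3, True), SampleHost("h5", 0.2, True), SampleHost("h6", 0.5, True),
]

if __name__ == "__main__":
    for t in (0.25, 0.4, 0.55, 0.7, 0.85):
        s = training_signals(SAMPLE_HOSTS, t, congestion_prev=10, congestion_cur=6)
        print(f"threshold={t:.2f} f1={s['f1']:.3f} misjudgment={s['misjudgment']:.3f} "
              f"avg_limit={s['avg_limit']:.3f} reward={s['reward']:.3f}")
    print("best:", best_threshold(SAMPLE_HOSTS, [0.1, 0.25, 0.4, 0.55, 0.7, 0.85], 10, 6))
```

A threshold that is too high catches every malicious host but pays for it through the misjudgment rate and the average limiting proportion, which is the trade-off the target difference encodes.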
Through the method, the current target trust threshold can be calculated by combining with the reinforcement learning algorithm, so that malicious hosts can be compared and identified based on the target trust threshold, a host trust mechanism can be realized, the malicious hosts can be identified according to the target trust of each target host identifier in the current time window, and the identification accuracy of the malicious hosts is improved.
106. Identifying the malicious host identifier according to the target trust threshold and the target trust of each target host identifier.
In the embodiment of the application, after the target trust threshold is obtained, the target trust threshold and the target trust of each target host identifier can be combined to identify the malicious host identifier from a plurality of target host identifiers, so that the malicious host is identified according to the target trust of each target host identifier in the current time window based on a host trust mechanism, the identification accuracy of the malicious host is improved, the malicious host is accurately punished subsequently, the subsequent continuous flow attack to the network transmission link by the malicious host is avoided, the occurrence of congestion events of the subsequent network transmission link is reduced, and the safety and stability of the network transmission link are improved.
The malicious host identifier is one of a plurality of target host identifiers, and it should be noted that, through a target trust threshold, one or more malicious host identifiers may be identified from the plurality of target host identifiers, where the specific number depends on the actual situation, and is not limited herein.
In some implementations, the target trust level of each target host identity may be compared to a target trust level threshold to identify malicious host identities having a target trust level less than the target trust level threshold. For example, step 106 may include comparing the target trust level of each target host identity with a target trust level threshold to obtain a comparison result, and determining a target host identity having a target trust level less than the target trust level threshold as a malicious host identity based on the comparison result.
Specifically, after the target trust threshold corresponding to the current time window is obtained, the target trust of each target host identifier in the current time window can be compared with the target trust threshold to obtain a comparison result. Further, the malicious host identity and the benign host identity in the plurality of target host identities are determined according to the comparison result, on one hand, if the comparison result is that the target trust degree is greater than or equal to the target trust degree threshold value, the corresponding target host identity is determined to be the benign host identity, and on the other hand, if the comparison result is that the target trust degree is smaller than the target trust degree threshold value, the corresponding target host identity is determined to be the malicious host identity. In this way, the malicious host identities are identified in a mode of comparing the target trust degree of each target host identity with the target trust degree threshold, so that a host trust degree-based mechanism is realized, the malicious hosts are identified according to the target trust degree of each target host identity in the current time window, and the identification accuracy of the malicious hosts is improved.
In some embodiments, for example, step 106 may include comparing the target trust level of each target host identifier with a target trust level threshold to obtain a comparison result, obtaining each historical comparison result corresponding to each historical time window in the sliding window, and identifying a malicious host identifier from the plurality of target host identifiers by combining the current comparison result and each historical comparison result.
Specifically, the target trust of each target host identifier is compared with the target trust threshold to obtain the current comparison result, and each historical comparison result corresponding to each historical time window in the sliding window is obtained, where each historical comparison result records the size relation between the historical trust of the plurality of target host identifiers in the corresponding historical time window and the corresponding historical trust threshold. A candidate host identifier set whose target trust is smaller than the target trust threshold is determined from the plurality of target host identifiers according to the current comparison result; a historical candidate host identifier set whose historical trust is smaller than the historical trust threshold is determined for each historical time window based on each historical comparison result; the intersection between the candidate host identifier set and the plurality of historical candidate host identifier sets is determined; and the malicious host identifiers are determined from the target host identifiers in the intersection.
In this way, a target host identifier whose target trust is smaller than the target trust threshold in the current time window is first treated only as a malicious host identifier to be confirmed. The relation between the historical trust in each historical time window contained in the sliding window and the corresponding historical trust threshold is then consulted: if the target trust of a target host identifier in the current time window is lower than the target trust threshold and its historical trust in a plurality of consecutive historical time windows of the sliding window is also lower than the corresponding historical trust threshold, the target host identifier whose trust is continuously lower than the trust threshold is judged to be a malicious host identifier. This further improves the identification accuracy of malicious hosts, reduces the risk of misjudging a benign host as a malicious host, and allows the malicious host to be accurately punished later, so that the security and stability of the network link are maintained.
In the embodiment of the application, after the malicious host identification is identified, in order to avoid the malicious host from continuously launching the flow attack to the network transmission link, the malicious host needs to be accurately punished, for example, the network transmission rate, the flow and the like of the malicious host are limited, so that the occurrence of congestion events of the subsequent network transmission link is reduced, and the safety and the stability of the network transmission link are improved.
In some implementations, the traffic rate limiting proportion for each malicious host identity may be determined based on a trust difference proportion between the target trust level and the target trust level threshold for each malicious host identity. For example, after step 106, the method may further include determining a continuous punishment number of each malicious host identifier in a plurality of historical time windows, determining a corresponding punishment parameter according to a difference between the number of historical time windows and the continuous punishment number, determining a target trust ratio between a target trust degree and a target trust degree threshold of each malicious host identifier, determining a target trust deficiency ratio of each malicious host identifier according to the target trust ratio, performing a power operation of the corresponding punishment parameter on the target trust deficiency ratio of each malicious host identifier to obtain a flow rate limiting proportion of each malicious host identifier, and transmitting the flow rate limiting proportion of each malicious host identifier to each network device, so that each network device limits the flow rate of each malicious host identifier according to the flow rate limiting proportion of each malicious host identifier.
The number of continuous penalties refers to the number of penalties (limited network transmission rate) that a corresponding malicious host receives in a plurality of historical time windows.
Wherein the number of history time windows may be the length of the sliding time window, i.e. the number of history time windows accommodated by the sliding time window.
Illustratively, the traffic rate limiting proportion of each malicious host identifier is calculated as follows:
where the symbols denote, in order: the punishment degree, i.e. the traffic rate limiting proportion, of the corresponding target host in the current time window; the target trust threshold in the current time window; the size of the sliding window, i.e. the number of historical time windows it contains; the number of consecutive penalties of the corresponding target host within the sliding window; and the target trust of the corresponding target host in the current time window.
And then, sending the flow rate limiting proportion of each malicious host mark to each network device, so that each network device limits the flow rate of each malicious host mark according to the flow rate limiting proportion of each malicious host mark, for example, limits the network transmission rate, the flow rate and the like of the malicious host, thereby reducing the occurrence of congestion events of subsequent network transmission links and improving the safety and the stability of the network transmission links.
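As an added example, not code from the patent, the following Python implements both embodiments of step 106 (threshold comparison alone, and threshold comparison confirmed by the intersection of candidate sets over a sliding window of historical windows) and then the penalty computation described above. The penalty parameter is the difference between the number of historical windows and the host's consecutive penalty count, as the text states; the trust deficiency ratio taken as 1 - trust/threshold and the power operation using that parameter directly as the exponent are assumptions, since the formula itself is not on the page. Window contents are constructed.

```python
from typing import Dict, List, Set, Tuple

# One time window: the target trust of every observed target host identifier, and the
# target trust threshold the decision model produced for that window.
Window = Tuple[Dict[str, float], float]


def below_threshold(window: Window) -> Set[str]:
    """Host identifiers whose trust in this window is below the window's threshold."""
    trusts, threshold = window
    return {host for host, trust in trusts.items() if trust < threshold}


def identify_malicious(current: Window, history: List[Window],
                       confirm_with_history: bool) -> Set[str]:
    """Step 106. Without history: every host below the current threshold is malicious.
    With history: only hosts below the threshold in the current window AND in every
    historical window of the sliding window (intersection of the candidate sets)."""
    candidates = below_threshold(current)
    if confirm_with_history:
        for past in history:
            candidates &= below_threshold(past)
    return candidates


def consecutive_penalties(host: str, history: List[Window]) -> int:
    """Number of most recent consecutive historical windows in which the host was
    penalized, i.e. fell below that window's threshold (history is ordered oldest first)."""
    count = 0
    for past in reversed(history):
        if host not in below_threshold(past):
            break
        count += 1
    return count


def rate_limit_proportion(host: str, current: Window, history: List[Window]) -> float:
    """Traffic rate limiting proportion for one malicious host in the current window."""
    trusts, threshold = current
    if trusts[host] >= threshold:
        return 0.0                     # not malicious in this window: no limit
    window_size = len(history)         # number of historical windows in the sliding window
    penalty_param = window_size - consecutive_penalties(host, history)
    trust_ratio = trusts[host] / threshold
    deficiency = 1.0 - trust_ratio     # assumption: deficiency ratio = 1 - trust ratio
    # assumption: power operation with the penalty parameter as exponent; after
    # window_size consecutive penalties the exponent is 0 and the host is fully limited
    return deficiency ** penalty_param


def rate_limits(current: Window, history: List[Window]) -> Dict[str, float]:
    """Limiting proportion for every host identified as malicious (history-confirmed)."""
    return {h: rate_limit_proportion(h, current, history)
            for h in sorted(identify_malicious(current, history, True))}


# Constructed sliding window of three historical windows, oldest first.
HISTORY: List[Window] = [
    ({"A": 0.90, "B": 0.40, "C": 0.45}, 0.50),
    ({"A": 0.85, "B": 0.35, "C": 0.60}, 0.50),
    ({"A": 0.80, "B": 0.30, "C": 0.40}, 0.55),
]
# Constructed current window; D is a newly seen host with no history yet.
CURRENT: Window = ({"A": 0.80, "B": 0.25, "C": 0.50, "D": 0.20}, 0.55)

if __name__ == "__main__":
    print("threshold only :", sorted(identify_malicious(CURRENT, HISTORY, False)))
    print("with history   :", sorted(identify_malicious(CURRENT, HISTORY, True)))
    for host in ("B", "C", "D"):
        print(host, "consecutive penalties:", consecutive_penalties(host, HISTORY),
              "limit proportion: %.4f" % rate_limit_proportion(host, CURRENT, HISTORY))
```

Note how the newly seen host D and the intermittently low host C are excluded by the history-confirmed rule even though both fall below the current threshold, while B, which has been below the threshold in every window, is fully limited.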
In some embodiments, after determining the traffic rate limiting proportion for each malicious host identity, in order to avoid hijacking and tampering with the traffic rate limiting proportion by the malicious host, the traffic rate limiting proportion for each malicious host identity may be encrypted by a blockchain technique and uploaded to a blockchain for sharing to each network device by the blockchain, and the local service node (server) belongs to one of the service nodes in the blockchain system. For example, the step of "sending the traffic rate limiting proportion of each malicious host identifier to each network device" may include obtaining a target node private key in a public-private key pair of a local node (server), signing the traffic rate limiting proportion of each malicious host identifier according to the target node private key to obtain a target hash value of the traffic rate limiting proportion of each malicious host identifier, further, according to the traffic rate limiting proportion of each malicious host identifier and each target hash value, packaging to generate a target block, broadcasting the target block to other service nodes in the blockchain system to perform consensus verification to obtain a consensus verification result, and adding the target block to the blockchain when the consensus verification result is that the consensus verification is passed, so that each network device obtains the traffic rate limiting proportion of each malicious host identifier from the target block on the blockchain to limit the traffic rate of each malicious host identifier according to the traffic rate limiting proportion of each malicious host identifier. 
Therefore, not only is hijacking and tampering of the traffic rate limiting proportion by a malicious host avoided, but the decentralized mode also prevents a single server (for example, one that has been compromised by an attacker) from deliberately covering up malicious hosts, for instance by forging a traffic rate limiting proportion for a malicious host in an attempt to weaken the limit applied to it. These problems can be effectively eliminated through the blockchain technique, so that the occurrence of congestion events on the subsequent network transmission link is reduced and the security and stability of the network transmission link are improved.
By the method, the malicious host identifications can be identified from the plurality of target host identifications by combining the target trust threshold and the target trust of each target host identification, so that the malicious host is identified according to the target trust of each target host identification in the current time window based on a host trust mechanism, the identification accuracy of the malicious host is improved, further, the malicious host is accurately punished, the malicious host is prevented from continuously initiating flow attack to the network transmission link, congestion events of the subsequent network transmission link are reduced, and the safety and stability of the network transmission link are improved.
As can be seen from the foregoing, the malicious host detection method according to the embodiment of the present application includes obtaining a plurality of access address change events and a plurality of congestion events in a current time window, wherein each access address change event includes a target host identifier for changing an access address, each congestion event includes a target host identifier for participating in network link congestion, counting congestion participation times, access address change times and continuous participation times of each target host identifier based on the plurality of access address change events and the plurality of congestion events, calculating initial trust degrees of each target host identifier in the current time window based on the congestion participation times, access address change times and continuous participation times of each target host identifier in the current time window, obtaining historical trust degrees of each target host identifier corresponding to the historical time window, calculating target trust degrees of each target host identifier according to the initial trust degrees and the corresponding historical trust degrees of each target host identifier, obtaining a current state data set, inputting the state data set into a target decision model to obtain a target trust degree threshold, and identifying the malicious host according to the target trust degree threshold and the target trust degrees of each target host identifier.
Based on the method, a plurality of access address change events and a plurality of congestion events in the current time window are first acquired, each access address change event including a target host identifier that changed its access address and each congestion event including a target host identifier that participated in network link congestion. Based on the plurality of access address change events and the plurality of congestion events, the congestion participation times, access address change times and continuous participation times of each target host identifier are counted, so that multidimensional evidence data can be constructed as the basic data for the trust calculation of the target host identifiers. The initial trust of each target host identifier in the current time window is then calculated from the multidimensional evidence data and combined with the historical trust of each target host identifier in the historical time window to calculate the target trust of each target host identifier in the current time window, so that the trust assessment also reflects the historical behaviour of each host and a malicious host can be punished over a long period rather than only for the windows in which it is active. Further, the current state data set is obtained and input into the target decision model to obtain the target trust threshold, and finally the malicious host identifiers are identified according to the target trust threshold and the target trust of each target host identifier.
Compared with the scheme that malicious hosts are identified through malicious traffic characteristics in the related art and the accuracy is low, the method is directly based on a host trust degree mechanism, the initial trust degree is calculated through the congestion participation times, the access address change times and the continuous participation congestion times of each target host mark corresponding to the current time window, the malicious hosts are not required to be detected through the way of mining the malicious traffic characteristics, the final target trust degree of each target host mark is calculated by combining the trust degree condition of a historical time window, so that the trust degree of each host is calculated more accurately, the malicious hosts can be punished for a long time, and the attack of the malicious hosts on a network transmission link is blocked subsequently, so that the identification accuracy of the malicious hosts is improved.
The specific implementation of the above steps can be referred to the previous embodiments, and will not be repeated here.
In order to facilitate better implementation of the malicious host detection method provided by the embodiment of the application, the embodiment of the application also provides a malicious host detection device based on the malicious host detection method. The meaning of the nouns is the same as that of the malicious host detection method, and specific implementation details can refer to the description in the embodiment of the method.
Referring to fig. 5, fig. 5 is a schematic structural diagram of a malicious host detection apparatus according to an embodiment of the present application, which is integrated in a computer device of the present application, wherein the malicious host detection apparatus may include an obtaining unit 401, a statistics unit 402, a first calculating unit 403, a second calculating unit 404, an input unit 405, and an identifying unit 406.
An obtaining unit 401, configured to obtain a plurality of access address change events and a plurality of congestion events within a current time window, where each access address change event includes a target host identifier for changing an access address, and each congestion event includes a target host identifier for participating in network link congestion;
A statistics unit 402, configured to, based on the multiple access address change events and the multiple congestion events, count congestion participation times, access address change times, and continuous participation times of each target host identifier;
a first calculating unit 403, configured to calculate an initial trust level of each target host identifier in the current time window based on the congestion participation number, the access address change number, and the continuous participation number of each target host identifier in the current time window;
A second calculating unit 404, configured to obtain a historical trust level corresponding to each target host identifier in a historical time window, and calculate a target trust level of each target host identifier according to the initial trust level and the corresponding historical trust level of each target host identifier;
The input unit 405 is configured to obtain a current state data set, input the state data set into a target decision model, and obtain a target confidence threshold;
the identifying unit 406 is configured to identify a malicious host identifier according to the target trust threshold and the target trust level of each target host identifier.
In some embodiments, the first computing unit 403 is further configured to:
determine a direct participation score of each target host identifier based on the congestion participation times of each target host identifier in the current time window; calculate a continuous participation score based on the continuous participation times of each target host identifier in the current time window; calculate an address change score based on the access address change times of each target host identifier in the current time window; and perform a weighted calculation on the direct participation score, the continuous participation score and the address change score to obtain the initial trust of each target host identifier in the current time window.
In some embodiments, the first computing unit 403 is further configured to:
Determining a first evidence weight factor associated with direct participation score, a second evidence weight factor associated with continuous participation score and a third evidence weight factor associated with address change score, wherein the sum of the first evidence weight factor, the second evidence weight factor and the third evidence weight factor is 1, and carrying out weighted calculation on the direct participation score, the continuous participation score and the address change score according to the first evidence weight factor, the second evidence weight factor and the third evidence weight factor to obtain the initial trust degree of each target host mark in the current time window.
In some embodiments, the historical time window is multiple, the second computing unit 404 is further configured to:
determine a current trust weight factor corresponding to the current time window and a historical trust weight factor corresponding to each historical time window, where the historical trust weight factor decreases exponentially as the distance between the corresponding historical time window and the current time window grows; perform a weighted summation of the initial trust of each target host identifier and its plurality of corresponding historical trusts according to the current trust weight factor and each historical trust weight factor to obtain a target total trust score for each target host identifier; determine a total trust weight coefficient by combining the current trust weight factor and each historical trust weight factor; and determine the target trust of each target host identifier as the ratio between its target total trust score and the total trust weight coefficient.
In some embodiments, the identifying unit 406 is further configured to:
compare the target trust of each target host identifier with the target trust threshold to obtain a comparison result, and determine a target host identifier whose target trust is smaller than the target trust threshold as a malicious host identifier based on the comparison result.
In some embodiments, the malicious host detection apparatus further comprises a penalty control unit for:
determine the continuous punishment times of each malicious host identifier in a plurality of historical time windows; determine the corresponding punishment parameter according to the difference between the number of historical time windows and the continuous punishment times; determine a target trust ratio between the target trust and the target trust threshold of each malicious host identifier; determine a target trust deficiency ratio of each malicious host identifier according to the target trust ratio; perform a power operation with the corresponding punishment parameter on the target trust deficiency ratio of each malicious host identifier to obtain the flow rate limiting proportion of each malicious host identifier; and send the flow rate limiting proportion of each malicious host identifier to each network device, so that each network device limits the flow rate of each malicious host identifier according to its flow rate limiting proportion.
In some embodiments, the malicious host detection apparatus further comprises a training unit for:
obtain the sample target trust of each sample host identifier, the sample average trust among the plurality of sample host identifiers, a sample historical trust threshold, the number of sample malicious hosts, the rate of change of the number of sample congestion events and the sample average flow rate limiting proportion corresponding to the plurality of sample host identifiers; construct a sample state data set from the sample average trust, the sample historical trust threshold, the number of sample malicious hosts, the rate of change of the number of sample congestion events and the sample average flow rate limiting proportion; determine the sample benign host identifiers with their sample first number and the sample malicious host identifiers with their sample second number among the plurality of sample host identifiers; input the sample state data set into a preset decision model to obtain a predicted trust threshold; identify the predicted malicious host identifiers and predicted benign host identifiers according to the predicted trust threshold and the sample target trust of each sample host identifier; determine, by combining the predicted malicious host identifiers, the sample benign host identifiers and the sample malicious host identifiers, the balance score of detection precision and recall for the sample malicious host identifiers and the misjudgment rate at which sample benign host identifiers are judged to be predicted malicious host identifiers; determine the predicted flow rate limiting proportion of each sample host identifier from the predicted trust threshold and its sample target trust, and from these the predicted average flow rate limiting proportion; construct a reward function from the balance score, the misjudgment rate and the predicted average flow rate limiting proportion, with maximization of the target difference between the balance score on one side and the misjudgment rate and the predicted average flow rate limiting proportion on the other as the optimization target; and adjust the model parameters of the preset decision model according to the optimization target to obtain the target decision model.
As can be seen from the foregoing, in the embodiment of the present application, a plurality of access address change events and a plurality of congestion events in a current time window are obtained first; each access address change event includes the target host identifier whose access address was changed, and each congestion event includes a target host identifier participating in network link congestion. Based on these events, the congestion participation count, access address change count and consecutive participation count of each target host identifier are counted, so that multidimensional evidence data can be constructed as the basic data for trust calculation. An initial trust of each target host identifier in the current time window is then calculated from this evidence data and combined with the historical trust of that identifier in the historical time windows to obtain its target trust in the current time window. Finally, the current state data set is input into the target decision model to obtain a target trust threshold, and malicious host identifiers are identified according to the target trust threshold and the target trust of each target host identifier.
Compared with the related-art scheme that identifies malicious hosts through malicious traffic characteristics, whose accuracy is low, the method is based directly on a host trust degree mechanism: the initial trust degree is calculated from the congestion participation count, the access address change count and the consecutive congestion participation count of each target host identifier in the current time window, so malicious hosts need not be detected by mining malicious traffic characteristics, and the final target trust degree of each target host identifier is calculated by also taking the trust degree in the historical time windows into account. The trust degree of each host is therefore calculated more accurately, malicious hosts can be penalized over the long term, and their subsequent attacks on the network transmission link are blocked, which improves the identification accuracy of malicious hosts.
The specific implementation of each unit can be referred to the previous embodiments, and will not be repeated here.
Fig. 6 is a block diagram of a portion of a network device 110 implementing an embodiment of the present disclosure, where the network device 110 includes a Radio Frequency (RF) circuit 510, a memory 515, an input unit 530, a display unit 540, a sensor 550, an audio circuit 560, a wireless fidelity (WiFi) module 570, a processor 580, and a power supply 590. Those skilled in the art will appreciate that the network device 110 structure shown in the figure does not limit the cell phone or computer, which may include more or fewer components than shown, combine certain components, or use a different arrangement of components.
The RF circuit 510 may be used for receiving and transmitting signals during a message or a call, specifically, receiving downlink information from a base station, processing the downlink information by the processor 580, and transmitting uplink data to the base station.
The memory 515 may be used to store software programs and modules, and the processor 580 performs various functional applications of the terminal and data processing by executing the software programs and modules stored in the memory 515.
The input unit 530 may be used to receive input numerical or character information and generate key signal inputs related to the setting and function control of the terminal. Specifically, the input unit 530 may include a touch panel 531 and other input devices 532.
The display unit 540 may be used to display input information or provided information and various menus of the terminal. The display unit 540 may include a display panel 541.
Audio circuitry 560, speakers 561, and microphone 562 may provide an audio interface.
In this embodiment, the processor 580 included in the network device 110 may perform the malicious host detection method of the previous embodiment.
The network device 110 of the disclosed embodiments includes, but is not limited to, a cell phone, a computer, an intelligent voice interaction device, an intelligent home appliance, a vehicle-mounted terminal, an aircraft, and the like. The embodiment of the invention can be applied to various scenes, including but not limited to cloud technology, artificial intelligence, intelligent transportation, auxiliary driving and the like.
Fig. 7 is a block diagram of a portion of a server 120 implementing an embodiment of the present disclosure. The server 120 may vary considerably in configuration or performance and may include one or more central processing units (Central Processing Units, simply CPUs) 622 (e.g., one or more processors) and memory 632, one or more storage mediums 620 (e.g., one or more mass storage devices) that store applications 642 or data 644. Wherein memory 632 and storage medium 620 may be transitory or persistent. The program stored in the storage medium 620 may include one or more modules (not shown), each of which may include a series of instruction operations on the server 120. Still further, the central processor 622 may be configured to communicate with the storage medium 620 and execute a series of instruction operations in the storage medium 620 on the server 120.
The server 120 may also include one or more power supplies 626, one or more wired or wireless network interfaces 650, one or more input/output interfaces 658, and/or one or more operating systems 641, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, and the like.
The central processor 622 in the server 120 may be used to perform the malicious host detection methods of embodiments of the present disclosure.
Embodiments of the present disclosure also provide a computer-readable storage medium storing program code for executing the malicious host detection method of the foregoing embodiments.
The disclosed embodiments also provide a computer program product comprising a computer program. The processor of the computer device reads the computer program and executes it, so that the computer device executes the method for detecting a malicious host described above.
Furthermore, the terms "comprises," "comprising," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, apparatus, article, or device that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or device.
It should be understood that in this disclosure, "at least one" means one or more, and "a plurality" means two or more. "And/or" is used to describe an association relationship between associated objects and indicates that three relationships may exist; for example, "A and/or B" may indicate three cases: only A exists, only B exists, and A and B exist simultaneously, where A and B may be singular or plural. The character "/" generally indicates that the associated objects are in an "or" relationship. "At least one of" or the like means any combination of these items, including any combination of single item(s) or plural items. For example, at least one of a, b or c may represent a, b, c, "a and b", "a and c", "b and c", or "a and b and c", wherein a, b and c may be single or plural.
It should be understood that in the description of the embodiments of the present disclosure, the meaning of a plurality (or multiple) is two or more, and that greater than, less than, exceeding, etc. is understood to not include the present number, and that greater than, less than, within, etc. is understood to include the present number.
In the several embodiments provided in the present disclosure, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of elements is merely a logical functional division, and there may be additional divisions of actual implementation, e.g., multiple elements or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present disclosure may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present disclosure may be embodied in essence, or the part contributing to the prior art, or all or part of the technical solution, in the form of a software product stored in a storage medium, including several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods of the various embodiments of the present disclosure. The storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
It should also be appreciated that the various implementations provided by the embodiments of the present disclosure may be arbitrarily combined to achieve different technical effects.
In the present embodiment, the term "module" or "unit" refers to a computer program or a part of a computer program having a predetermined function and working together with other relevant parts to achieve a predetermined object, and may be implemented in whole or in part by using software, hardware (such as a processing circuit or a memory), or a combination thereof. Also, a processor (or multiple processors or memories) may be used to implement one or more modules or units. Furthermore, each module or unit may be part of an overall module or unit that incorporates the functionality of the module or unit.
The above is a specific description of the embodiments of the present disclosure, but the present disclosure is not limited to the above embodiments, and various equivalent modifications and substitutions can be made by those skilled in the art without departing from the spirit of the present disclosure, and are included in the scope of the present disclosure as defined in the claims.

Claims (10)

1. A malicious host detection method, comprising:
obtaining a plurality of access address change events and a plurality of congestion events within a current time window, each access address change event including the target host identifier whose access address was changed, and each congestion event including a target host identifier participating in network link congestion;
counting, based on the plurality of access address change events and the plurality of congestion events, the congestion participation count, the access address change count and the consecutive participation count of each target host identifier;
calculating an initial trust degree of each target host identifier in the current time window based on the congestion participation count, the access address change count and the consecutive participation count of that target host identifier in the current time window;
obtaining the historical trust degree of each target host identifier in a historical time window, and calculating a target trust degree of each target host identifier based on its initial trust degree and the corresponding historical trust degree;
obtaining a current state data set, inputting the state data set into a target decision model, and obtaining a target trust threshold;
identifying malicious host identifiers according to the target trust threshold and the target trust degree of each target host identifier.

2. The malicious host detection method according to claim 1, wherein calculating the initial trust degree of each target host identifier in the current time window based on its congestion participation count, access address change count and consecutive participation count comprises:
determining a direct participation score of each target host identifier based on its congestion participation count in the current time window;
calculating a consecutive participation score based on its consecutive participation count in the current time window;
calculating an address change score based on its access address change count in the current time window;
performing a weighted calculation on the direct participation score, the consecutive participation score and the address change score to obtain the initial trust degree of each target host identifier in the current time window.

3. The malicious host detection method according to claim 2, wherein the weighted calculation of the direct participation score, the consecutive participation score and the address change score to obtain the initial trust degree comprises:
determining a first evidence weight factor associated with the direct participation score, a second evidence weight factor associated with the consecutive participation score and a third evidence weight factor associated with the address change score, wherein the sum of the first, second and third evidence weight factors is 1;
performing the weighted calculation on the direct participation score, the consecutive participation score and the address change score according to the first, second and third evidence weight factors, to obtain the initial trust degree of each target host identifier in the current time window.

4. The malicious host detection method according to any one of claims 1 to 3, wherein there are a plurality of historical time windows, and calculating the target trust degree of each target host identifier based on its initial trust degree and the corresponding historical trust degrees comprises:
determining a current trust weight factor corresponding to the current time window and a historical trust weight factor corresponding to each historical time window, wherein the historical trust weight factor decreases exponentially as the distance between the corresponding historical time window and the current time window increases;
performing a weighted summation of the initial trust degree of each target host identifier and its corresponding plurality of historical trust degrees according to the current trust weight factor and each historical trust weight factor, to obtain a target total trust score for each target host identifier;
determining a total trust weight coefficient by combining the current trust weight factor and each historical trust weight factor, and determining the target trust degree of each target host identifier from the ratio between its target total trust score and the total trust weight coefficient.

5. The malicious host detection method according to claim 1, wherein identifying malicious host identifiers according to the target trust threshold and the target trust degree of each target host identifier comprises:
comparing the target trust degree of each target host identifier with the target trust threshold to obtain a comparison result;
based on the comparison result, determining the target host identifiers whose target trust degree is less than the target trust threshold as malicious host identifiers.

6. The malicious host detection method according to claim 1 or 5, wherein after the malicious host identifiers are identified according to the target trust threshold and the target trust degree of each target host identifier, the method further comprises:
determining the consecutive penalty count of each malicious host identifier over a plurality of the historical time windows, and determining a corresponding penalty parameter from the difference between the number of historical time windows and the consecutive penalty count;
determining a target trust ratio between the target trust degree of each malicious host identifier and the target trust threshold, and determining a target trust deficiency ratio of each malicious host identifier from the target trust ratio;
raising the target trust deficiency ratio of each malicious host identifier to the power of the corresponding penalty parameter, to obtain a flow rate limit ratio for each malicious host identifier;
sending the flow rate limit ratio of each malicious host identifier to each network device, so that each network device limits the flow rate of each malicious host identifier according to its flow rate limit ratio.

7. The malicious host detection method according to claim 1, wherein before the state data set is input into the target decision model to obtain the target trust threshold, the method further comprises:
obtaining the sample target trust degree of each sample host identifier, the sample average trust degree among a plurality of sample host identifiers, a sample historical trust threshold, a sample malicious host count, a sample congestion event count change rate, and the sample average flow rate limit ratio corresponding to the plurality of sample host identifiers, together with the sample benign host identifiers and the sample malicious host identifiers among the plurality of sample host identifiers;
constructing a sample state data set from the sample average trust degree, the sample historical trust threshold, the sample malicious host count, the sample congestion event count change rate and the sample average flow rate limit ratio, and determining a first sample count of the sample benign host identifiers and a second sample count of the sample malicious host identifiers among the plurality of sample host identifiers;
inputting the sample state data set into a preset decision model to obtain a predicted trust threshold, and identifying predicted malicious host identifiers according to the predicted trust threshold and the sample target trust degree of each sample host identifier;
combining the predicted malicious host identifiers, the sample benign host identifiers and the sample malicious host identifiers to determine a balance score of detection precision and recall for the sample malicious host identifiers, and a false positive rate at which the sample benign host identifiers are misjudged as predicted malicious host identifiers;
determining a predicted average flow rate limit ratio based on each predicted malicious host identifier and the sample target trust degree of each sample host identifier;
determining a target difference between the balance score on one side and the false positive rate and the predicted average flow rate limit ratio on the other, and constructing a reward function with the target difference as its variable, the reward function taking maximization of the target difference as its optimization target;
adjusting the model parameters of the preset decision model according to the output value of the reward function and the optimization target, to obtain the target decision model.

8. A malicious host detection apparatus, comprising:
an acquisition unit, configured to obtain a plurality of access address change events and a plurality of congestion events within a current time window, each access address change event including the target host identifier whose access address was changed, and each congestion event including a target host identifier participating in network link congestion;
a statistics unit, configured to count, based on the plurality of access address change events and the plurality of congestion events, the congestion participation count, the access address change count and the consecutive participation count of each target host identifier;
a first calculation unit, configured to calculate an initial trust degree of each target host identifier in the current time window based on its congestion participation count, access address change count and consecutive participation count in the current time window;
a second calculation unit, configured to obtain the historical trust degree of each target host identifier in a historical time window, and to calculate a target trust degree of each target host identifier based on its initial trust degree and the corresponding historical trust degree;
an input unit, configured to obtain a current state data set, input the state data set into a target decision model, and obtain a target trust threshold;
an identification unit, configured to identify malicious host identifiers according to the target trust threshold and the target trust degree of each target host identifier.

9. A computer device, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the malicious host detection method according to any one of claims 1 to 7.

10. A computer-readable storage medium storing a plurality of instructions, wherein the instructions are adapted to be loaded by a processor to execute the malicious host detection method according to any one of claims 1 to 7.
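The trust pipeline described in the summary above and in claims 1 to 7, as an added Python example that is not part of the patent or its embodiments: evidence counting, the weighted initial trust (weights summing to 1), the exponentially decayed combination with historical trust, threshold-based detection, the power-law flow rate limit ratio of claim 6 and the reward of claim 7. The host identifiers and trust values are constructed; the linear scoring functions, their saturation caps, the decay factor, the clamp on the penalty exponent and the reading of "consecutive participation count" as the longest run of back-to-back congestion events are assumptions, since this page does not fix them.

```python
from collections import Counter

# Constructed sample input for the current time window (host identifiers are made up).
# Congestion events are listed in time order; each entry is the participating host.
CONGESTION_EVENTS = ["h1", "h2", "h1", "h1", "h3", "h1", "h2"]
ADDRESS_CHANGE_EVENTS = ["h1", "h1", "h1", "h2"]
# Constructed historical trust per host, nearest historical window first.
HISTORICAL_TRUST = {"h1": [0.4, 0.5], "h2": [0.9, 0.95], "h3": [1.0, 1.0]}


def count_evidence(congestion, changes):
    """Claim 1 counting step: {host: (congestion_count, change_count, consecutive_count)}.

    'Consecutive participation count' is read here (an assumption) as the longest run of
    back-to-back congestion events in which the same host participated.
    """
    cong, chg = Counter(congestion), Counter(changes)
    longest, run_host, run_len = {}, None, 0
    for host in congestion:
        run_len = run_len + 1 if host == run_host else 1
        run_host = host
        longest[host] = max(longest.get(host, 0), run_len)
    return {h: (cong[h], chg[h], longest.get(h, 0)) for h in set(cong) | set(chg)}


def evidence_score(count, cap):
    """Assumed scoring: 1.0 with no evidence, falling linearly to 0.0 at `cap` occurrences."""
    return max(0.0, 1.0 - count / cap)


def initial_trust(evidence, weights=(0.5, 0.3, 0.2), caps=(5, 4, 3)):
    """Claims 2 and 3: weighted sum of the direct, consecutive and address-change scores.

    `weights` are the three evidence weight factors (they must sum to 1); `caps` are the
    assumed saturation points for the congestion, consecutive and address-change counts.
    """
    if abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("evidence weight factors must sum to 1")
    cong, chg, consec = evidence
    w_direct, w_consec, w_addr = weights
    return (w_direct * evidence_score(cong, caps[0])
            + w_consec * evidence_score(consec, caps[1])
            + w_addr * evidence_score(chg, caps[2]))


def target_trust(init, history, w_current=1.0, decay=0.5):
    """Claim 4: weighted average of the initial trust and the historical trusts, where the
    weight of a historical window shrinks exponentially with its distance (decay is assumed)."""
    hist_weights = [w_current * decay ** (k + 1) for k in range(len(history))]
    total_score = w_current * init + sum(w * h for w, h in zip(hist_weights, history))
    total_weight = w_current + sum(hist_weights)
    return total_score / total_weight


def detect_malicious(threshold, congestion=CONGESTION_EVENTS,
                     changes=ADDRESS_CHANGE_EVENTS, history=HISTORICAL_TRUST):
    """Claims 1 and 5: target trust per host and the hosts whose trust is below the threshold.
    In the patent the threshold comes from the decision model; here it is a plain argument."""
    evidence = count_evidence(congestion, changes)
    trust = {h: target_trust(initial_trust(ev), history.get(h, [])) for h, ev in evidence.items()}
    return trust, {h for h, t in trust.items() if t < threshold}


def rate_limit_ratio(trust, threshold, consecutive_penalties, num_history_windows):
    """Claim 6: penalty parameter = (#historical windows - consecutive penalty count);
    trust deficiency ratio = 1 - trust/threshold; rate-limit ratio = deficiency ** penalty.
    Clamping the exponent at 0 (a host penalised in every window gets the full ratio 1.0)
    is an assumption."""
    exponent = max(0, num_history_windows - consecutive_penalties)
    deficiency = 1.0 - trust / threshold
    return deficiency ** exponent


def threshold_reward(predicted_malicious, true_malicious, benign, predicted_avg_rate_limit):
    """Claim 7 reward: F1 (precision/recall balance) on the malicious class, minus the false
    positive rate on benign hosts, minus the predicted average rate-limit ratio."""
    tp = len(predicted_malicious & true_malicious)
    precision = tp / len(predicted_malicious) if predicted_malicious else 0.0
    recall = tp / len(true_malicious) if true_malicious else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    fpr = len(predicted_malicious & benign) / len(benign) if benign else 0.0
    return f1 - fpr - predicted_avg_rate_limit


if __name__ == "__main__":
    trust, malicious = detect_malicious(threshold=0.5)
    for host, t in sorted(trust.items()):
        print(f"{host}: target trust {t:.3f}{'  <- malicious' if host in malicious else ''}")
    for h in sorted(malicious):
        for penalised in range(3):  # repeat offenders get a larger share of their rate cut
            r = rate_limit_ratio(trust[h], 0.5, penalised, num_history_windows=2)
            print(f"{h}: {penalised} consecutive penalties -> rate-limit ratio {r:.3f}")
```

With the constructed data, only h1 (four congestion events, a run of two, three address changes, low history) drops below a threshold of 0.5, and its rate-limit ratio grows from about 0.12 to 1.0 as its consecutive penalty count approaches the number of historical windows.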
CN202511121747.7A 2025-08-12 2025-08-12 Malicious host detection method, device, equipment and medium Active CN120675813B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202511121747.7A CN120675813B (en) 2025-08-12 2025-08-12 Malicious host detection method, device, equipment and medium

Publications (2)

Publication Number Publication Date
CN120675813A CN120675813A (en) 2025-09-19
CN120675813B true CN120675813B (en) 2025-10-28

Family

ID=97059153

Country Status (1)

Country Link
CN (1) CN120675813B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant