KR100628329B1 - Generation apparatus and method of detection rules for attack behavior based on information of network session - Google Patents

Abstract

The present invention relates to a method and apparatus for automatically generating and automatically updating attack behavior detection rules for network session characteristic information. The network data classified by session characteristic information may be divided into session characteristic information and normal data type, attack type, and unknown type. Network session feature information extracting unit converting to input data format including properties of belonging network data type and extended C4.5 algorithm applied to network data converted to input data format to construct decision tree, and final node of decision tree Generates the accuracy of decision tree based on error rate, and generates detection rule patterned by network data type based on the characteristics of network data type, conditional expression for selecting node with optimal information gain of decision tree, and accuracy. Detection including automatic detection rule generation Create and update rules automatically.

Network session property information, detection rule, decision tree, auto generation, auto update

Description

Generation Apparatus and Method of detection rules for attack behavior based on information of network session}

1 is an overall configuration diagram of a method for automatically generating and updating a rule for detection of an attack based on network session characteristic information.

FIG. 2 (a) is session total statistical information of the network session characteristic information extraction unit illustrated in FIG. 1.

FIG. 2 (b) is network protocol connection information of the network session characteristic information extraction unit shown in FIG. 1.

FIG. 2 (c) is network protocol header information of the network session characteristic information extracting unit shown in FIG. 1.

2 (d) and 2 (e) are connection information between two hosts of the network session characteristic information extracting unit shown in FIG.

3 is a flowchart for extracting feature information of data collected by the network session feature information extractor 130 of FIG. 1.

4 is a flowchart automatically generating a detection rule in the detection rule automatic generation unit shown in FIG. 1.

FIG. 5 is a flowchart for verifying a detection rule generated by a detection rule verification unit in the detection rule verification and update unit shown in FIG. 1.

6 is a flowchart for updating the accuracy of the detection rule generated by the detection rule automatic update unit in the detection rule verification and update unit shown in FIG. 1.

7 is an overall flowchart for automatically generating a detection rule.

8 is a view showing the effect of the present invention compared to one of the conventional attack detection method.

9 is a diagram illustrating the improvement of accuracy of a detection rule by converting continuous data into discrete data.

10 and 11 illustrate results of applying detection rule formation to experimental data according to an embodiment of the present invention.

The present invention relates to a method and apparatus for automatically generating and automatically updating attack behavior detection rules for network session characteristic information. The present invention relates to automatically generating detection rules for each attack behavior for network session characteristic information, and to accurately correcting the generated rules. It is automatically updated through the calculation of detection accuracy to detect the known attack and similar attack type, normal behavior and other types through more accurate detection rules.

In general, intrusion detection methods are divided into feature-based rule detection and abnormal behavior detection. The feature-based method is to determine an attack by analyzing and patterning known attack packets and checking whether they match the pattern. The detection accuracy of known attacks is quite high, but it is not suitable for detection of modified attack behavior or unknown new attacks. There is a limit.

The abnormal behavior detection method to overcome this drawback is mainly used to detect an unknown attack by modeling the data generated by the normal behavior and detecting the attack according to the deviation from the normal model.

Finding features related to intrusion from large amounts of network data is mostly analyzed by expert knowledge, which is more accurate but expensive to analyze and less able to cope with new types of attacks.

On the other hand, anomaly detection methods are effective in detecting unknown attacks, but are difficult to characterize and are less accurate than feature-based. In addition, there is little research on how to use the characteristic information of the network session unit to extract the characteristics of the attack type that do not appear in the network packet or cannot be clearly distinguished from the normal network data flow.

In order to solve the above problems, an object of the present invention is to automatically generate and update attack behavior detection rules for network session characteristic information to generate more accurate detection rules.

In an exemplary embodiment of the present invention, the apparatus for generating an attack behavior detection rule may include network data classified by the session characteristic information, and the characteristics of the network data type to which the network data belongs among the session characteristic information and the normal type, the attack type, and the unknown type. Network session characteristic information extraction unit for converting into an input data format comprising a; and to form a decision tree by applying a classification algorithm to the network data converted to the input data format, based on the error rate in the last node of the decision tree Generating an accuracy of a decision tree, and generating a detection rule patterned for each network data type based on the characteristics of the network data type, a conditional expression for selecting a node having an optimal information gain of the decision tree, and the accuracy Detection rule automatic generation unit; includes .

In an exemplary embodiment of the present invention, the apparatus for generating an attack behavior detection rule may include the error rate for each network data type corresponding to the error rate when the previously generated detection rule and the newly generated detection rule match. And a detection rule verification and updating unit which multiplies and generates an error rate targeting only data types and updates the accuracy of the decision tree based on the generated error rates for each data type.

In another preferred embodiment of the present invention, the method for generating an attack behavior detection rule may include classifying network data by session characteristic information; Converting the classified data into an input data format including the session characteristic information and a characteristic of a network data type to which the network data belongs among a normal type, an attack type, and an unknown type; Constructing a decision tree by applying a classification algorithm to the data converted into the input data format; Generating an accuracy of the decision tree based on an error rate at the last node of the decision tree; And generating a detection rule patterned for each network data type based on a characteristic of a network data type to which the network data belongs, a conditional expression for selecting a node having an optimal information gain of the decision tree, and the accuracy. Include.

In another preferred embodiment of the present invention, the method for generating an attack behavior detection rule comprises: determining whether the previously generated detection rule coincides with the newly generated detection rule; Generating an error rate for each network data type by multiplying the error rate by an error rate for each network data type only when the detection rule is matched; Updating the accuracy of the decision tree based on the generated error rates for each data type; It further includes.

Hereinafter, preferred embodiments of the present invention will be described with reference to the accompanying drawings. It should be noted that the same elements among the drawings are denoted by the same reference numerals and symbols as much as possible even though they are shown in different drawings. In the following description of the present invention, if it is determined that a detailed description of a related known function or configuration may unnecessarily obscure the subject matter of the present invention, the detailed description thereof will be omitted.

1 is a diagram illustrating an overall flowchart of automatically generating and updating an attack detection rule based on network session characteristic information according to the present invention, wherein the network data generating unit 110, the network data collecting unit 120, and a network are shown. The session characteristic information extractor 130, the detection rule automatic generation unit 140, the detection rule storage database unit 150, and the detection rule verification and update unit 180 are included.

The network data generator 110 performs a function of generating data. Here, data generation may be performed by receiving data on a real network from a network card, randomly generating normal behavior data in a normal network environment where attack behavior is not included by an administrator, and randomly using various attack tools by an administrator. And generating attack behavior data.

The network data collector 120 performs a function of collecting data generated by the network data generator by software or by hardware configuration.

The network data collection unit 120 is a normal behavior data is "Normal" data, the attack behavior data "Attack" data according to the type of data generated by the network data generation unit 110, And all cases that do not belong to normal and attack behavior data are collected as "Unknown" data.

In collecting the attack behavior data, the administrator saves each attack name in the attack behavior data and stores them in each file format. In this case, the format of the file name includes the attack type, the attack name, and other information.

As a preferred embodiment of adding a file name, the attack type is 'dos' for a Denial of Service attack and 'mailbomb' if the attack is a mailbomb that attacks a mail server. . Other information shall include the date and day of the test and the distinction between them shall be indicated by '_'. That is, by generating the file name in the form of 'dos_mailbomb_w2frii', it is configured to easily extract the characteristic information from the list file managing the generated data.

The network session characteristic information extractor 130 classifies the data collected by the network data collector 120 for each session and extracts the characteristic information. This will be described in more detail with reference to FIGS. 2 and 3.

The detection rule automatic generation unit 140 uses an algorithm that extends C4.5, which is one of decision tree algorithms based on information theory, based on the characteristic information extracted by the network session characteristic information extraction unit 130 for each attack type. This function creates a detection rule to classify the data. This will be described in more detail with reference to FIG. 4.

The detection rule storage database 150 stores the detection rule generated by the detection rule automatic generation unit 140.

The detection rule verification and update unit 180 includes a detection rule verification unit 160 and a detection rule automatic update unit 170. The detection rule verification unit 160 verifies the detection rules generated by the detection rule automatic generation unit 140 and stored in the detection rule storage database 150, and the detection rule automatic update unit 170 detects the detection rule verification unit 160. Update the accuracy of the verified detection rule in.

The detection rule verifying and updating unit 180 matches the previously generated detection rule with the newly generated detection rule, and compares the error rate for each network data type with the error rate for each network data type. And multiply and update the accuracy of the decision tree based on the generated error rates for each data type. This will be described in more detail with reference to FIGS. 5 and 6.

FIG. 2 illustrates an embodiment in which the network session characteristic information extractor 130 classifies data collected from the network data collector 120 for each session and extracts characteristic information.

The network session characteristic information extractor 130 greatly expands the network session characteristic information according to the object and viewpoint to analyze the data collected from the network data collection unit 120, and includes the session-wide statistical information (Fig. 2- (a)) and the network protocol. Defined by classifying connection information (Fig. 2- (b)), network protocol header information (Fig. 2- (c)), and connection information between two hosts (Fig. 2- (d) and 2- (e)). .

The data is classified into a continuous form of a value that comes in a continuous form within a predetermined range according to a type, and a discrete form of a form in which a certain range or a specific value is defined and distinguished.

Session total statistics (Fig. 2- (a)) is statistical information analyzed for all packets in the session. Extracting feature information in packet units is more effective in classifying types by extracting feature information in session units, while data extraction is limited.

Network protocol connection information (FIG. 2- (b)) is information analyzed for connection establishment of the TCP / IP protocol. The network protocol header information (Fig. 2- (c)) is information of the main fields of interest in the TCP / IP protocol header. The connection information between two hosts (FIGS. 2- (d) and 2- (e)) is various statistical information considering the direction between the two hosts.

3 is a flowchart for extracting feature information of data collected by the network session feature information extractor 130 of FIG. 1.

The data collected from the network data collection unit 120 is classified into sessions by the network session characteristic information extracting unit 130 and the characteristic information is extracted (S310) to accumulate the characteristic information for each session as shown in FIG. 2 ( S320).

It is determined whether the type of data from which network characteristic information is extracted for each session is continuous or discrete (S330).

If the type of the extracted data is continuous, a characteristic classification test (S340) for searching in which section is continuous or discrete based on a threshold range set by the administrator is performed.

The continuous data has a greater influence on the classification according to the threshold determination method in the classification algorithm based on information theory than the discrete type. As a result, the continuous data is subjected to the characteristic classification test in order to apply it to the classification algorithm having the characteristics suitable for the discrete type.

If the extracted data type is discrete, it is classified by normal and attack type (S370) and then input data such as "session information 1, session information 2, ..., session information N, naming" to apply to the classification algorithm. Convert to format (S380).

 Through the characteristic classification test (S340), the optimal classification (S350) is determined depending on whether the continuous data value is partitioned into discrete data values composed of a specific value or a range of representative values (for example, an average value). Determine if you can.

In the case of the optimal classification, the continuous data is converted into discrete data (S360). Otherwise, the continuous data is classified (370) by normal and each attack type without conversion of the data and applied to the classification algorithm. The session information 1, the session information 2, ..., session information N, the naming "is converted into the input data format (S380).

Here, the name is a name indicating the characteristics of the network data type to which the network data belongs , and in the case of normal behavior data such as the method used for the file name of the network data collection unit 120, it is expressed as 'Normal'. In case of attack data, the attack name is referred to by referring to the file name of the network data collection unit.

4 is a detection rule automatic generation unit 140, by using the algorithm that extends C4.5, which is one of decision tree algorithms based on information theory, the session characteristic information input data converted to the input data format in FIG. Flow chart to classify by each attack type.

C4.5, proposed by J. Ross Quinlan, is an algorithm that automatically constructs a tree by calculating the gain according to the reduction of entropy. C4.5 is a classification algorithm. Network data has a large amount of packets, and it is suitable for classifying effectively because there are both continuous and discrete forms of scale in the packet.

In addition, this classification algorithm is easier to convert to SQL statements, which are query languages of relational databases, compared to neural networks and Bayesian classifiers.

The basic C4.5 is a classification algorithm developed by J. Ross Quinlan based on the 1986 ID3 algorithm. This algorithm is capable of multiple splitting that allows two or more child nodes to be split at the parent node and is easy to interpret from the generated tree.

That is, the discrete type can be classified by the number of discrete, and the continuous type can also be classified. However, the continuous type may not be classified better than the discrete type. Finally, the error rate is examined at the end node and pruned to obtain the minimum error rate.

Among the classification algorithms used in the detection rule automatic generation unit, the extended C4.5 algorithm automatically constructs a tree to easily select a measure for classification and to facilitate the interpretation of the constructed tree model.

Also, it is easy to identify how the combination of variables affects the target variable. Therefore, when applied to attack detection, this algorithm is also suitable for identifying correlation between detection rule and attack.

The extended C4.5 algorithm is an adaptation of the basic C4.5 algorithm for the generation of detection rules, which must be preceded by a process of classifying the network session feature information extractor into feature data.

The decision tree is constructed in the same way as the basic C4.5 algorithm, but the error rate is calculated at the final node without pruning. Finally, the process includes constructing a decision tree and converting it to a decision tree rule.

4 automatically generates a detection rule as follows using the extended C4.5 algorithm in the detection rule automatic generation unit 140.

The frequency for each class (or classification) of the session characteristic information input data S380 is calculated (S410). A node of the decision tree is configured based on the calculated frequency (S420). The information gain for each attribute is calculated (S430), and an attribute having an optimal information gain is selected (S440).

If it is not the final (leaf) node and repeats the process from S410 to S440 (S450).

In the case of the last node, the accuracy is determined by calculating the error rate of each decision tree (S460). In this case, the error rate is calculated as the rate when the rule generated in the data set is not satisfied, as in the basic C4.5 algorithm, and the accuracy is defined by configuring support and confidence.

Support means the frequency of frequently occurring rules. The larger the support, the more useful the rule is. The reliability means how reliable the rule is. The higher the reliability, the higher the accuracy.

Support is defined as the ratio of the size of the item to the size of the entire data set, and confidence is defined as 100% confidence minus the error rate.

That is, it can be expressed as follows.

Reliability = 1.0-Error Rate

Support = size of the item / size of the entire dataset

In the case of the final node, after determining the accuracy by calculating the error rate of each decision tree (S460), each node constructs a decision tree having accuracy (S470).

As an example, the following shows a part of the decision tree constructed in the case of attack and normal corresponding to a mailbomb attack.

The format of the decision tree is expressed as "Level Number Scale Name Condition Symbol Scale Value: [Normal or Attack Name (Accuracy)]". Here, the [] item is expressed only in the case of the final node, and the accuracy includes support and reliability as defined in the above step.

L2 HAttl_length> 112:

L3 HBidletime_max <= 988.7:

L4 HBminseg_size> 23: mailbomb (1.000, 0.980)

L4 HBminseg_size <= 23:

L5 HBidletime_max <= 46.6: Normal (0.921, 0.752)

After constructing a decision tree with accuracy at each node (S470), it is converted into a detection rule expressed in the form of "rule number; attack name; conditional expressions; accuracy (support map, reliability)" for each type of attack and detection (S480). The rule storage database 150 stores the data.

When an embodiment of a part of the decision tree configured in the case of attack and normal corresponding to the mailbomb attack described above is converted into a detection rule format, it is expressed as follows.

1; mailbomb; HAttl_length> 112, HBidletime_max <= 988.7, HBminseg_size> 23; 1.000, 0.980

5 is a detailed configuration diagram of the detection rule verification unit 160 in the detection rule verification and update unit 180 shown in FIG. 1.

In the case where verification is started in the detection rule verification controller (S510), normal and attack data are generated through the network data generator 110 to collect data through the network data collector 120, and the collected data is illustrated in FIG. 3. The detection rule format expressed in the form of "rule number; attack name; conditional expressions; accuracy (support map, reliability)" by extracting the session characteristic information data through the network session characteristic information extractor 130 as shown in FIG. Convert to (S520).

The converted detection rule and the detection rules stored in the detection rule storage database 150 are verified through a query (S530). The query is for searching and determining whether one-to-one correspondence with the entire detection rules stored in the database is compared, and compares all of them in order with the conditional expressions included in the format of the detection rule such as step S480 of FIG. 4.

If all the condition expressions match, the accuracy of the detection rule is updated through the automatic detection rule updater 170 (S540). If one or more conditional expressions do not match, the process returns to step S613 to repeat the subsequent steps.

6 is a detailed block diagram of the detection rule automatic update unit 170 in the detection rule verification and update unit 180 shown in FIG. 1.

The session type information input data detection rule verified through the detection rule verification unit 160 determines whether the data type is normal, attack, or unknown (S610).

In this case, the data type is determined by the nominal person, which is the last term of the converted input data format of FIG. 3, and all cases that do not belong to normal and attacking behavior are determined as unknown behavior (S380).

Error rates are calculated for each data type (normal, attack, unknown) (S611, S612, and S613).

The error rate reflecting the normal behavior is calculated by multiplying the error rate (100% confidence-the confidence of the rule) of the detection rule accuracy by the error rate only for the normal behavior data set (S611).

The error rate reflecting the attacking behavior is calculated by multiplying the error rate of the detection rule accuracy by the error rate targeting only the attacking behavior data set (S612).

The error rate reflecting the unknown behavior calculates an error rate reflecting the unknown behavior only for the data set, not the normal and the attack behavior (S613).

In this way, reflecting the error rate for each data type (normal, attack, unknown) means increasing the reliability of detection rule accuracy.

Based on the error rates calculated in each of steps S611 to S613, the accuracy of the detection rule is calculated using weighting, a perceptron rule, a fuzzy theory, and the like (S620). In this case, the accuracy includes reliability and support as in the detection rule automatic generation unit 140.

For example, if a weighting method is applied, the existing accuracy of the rule is calculated by adding the weight of each administrator-defined data type multiplied by the calculated error rate.

Thereafter, the detection rule verification unit automatically updates the accuracy of the searched rule in the step of verifying whether the converted detection rule and the detection rules stored in the detection rule storage database 150 are matched by using a query, and then the detection rule storage database. In operation S630, the storage medium is stored at 150.

7 is an overall flowchart for automatically generating a detection rule.

The data generated by the network data generator 110 of FIG. 1 is collected according to the type of data generated by the network data collector 120. Thereafter, the collected network data is classified by session characteristic information (S700). Thereafter, the classified data is converted into an input data format including session characteristic information and characteristics of the network data type to which the network data belongs among the normal type, the attack type, and the unknown type (S710). This will be described with reference to the configuration described in connection with the configuration of the network session characteristic information extraction unit described in FIG.

A decision tree is constructed by applying a classification algorithm to the data converted into the input data format (S720), and the accuracy of the decision tree is generated based on an error rate in the final node of the decision tree (S730).

Thereafter, a detection rule patterned for each network data type is generated based on the name, a conditional expression for selecting a node having an optimal information gain of the decision tree, and the accuracy (S740). For this, refer to the contents described in connection with the phrase of the detection rule automatic generation unit described in FIG.

It is determined whether the previously generated detection rule coincides with the newly generated detection rule (S750). For this, refer to the contents described regarding the configuration of the detection rule verification unit in the detection rule verification and update unit described in FIG. 5. do.

When the detection rule is matched, the error rate for each network data type is generated by multiplying the error rate by an error rate only for each network data type, and the accuracy of the decision tree is based on the generated error rate for each data type. Update (S760). Regarding this, refer to the descriptions related to the configuration of the detection rule automatic update unit in the detection rule verification and update unit described in FIG. 6.

8 is a view showing the effect of the present invention compared to one of the conventional attack detection method. The difference in attack detection rate is shown comparing the detection rule formation method of the present invention with the LERAD approach of the Florida Institute of Technology.

In FIG. 8, the horizontal axis indicates each attack name, and the vertical axis indicates the detection rate for each attack. The present invention is shown by the solid arrow portion and shows the detection rate of the cited LERAD. As shown in the figure, the detection result of about 10% improvement can be seen in the present invention than the result of the study of LERAD.

9 (a) and (b) are diagrams showing the improvement of accuracy of a detection rule by converting continuous data into discrete data.

FIG. 9 (a) shows that the detection rate when converted to discrete data is higher than the detection rate when the continuous data is applied to the peripheral data of the DARPA data, which is experimental data. That is, as shown in the figure, the improvement in the result applied to the Tue, Wed data was hardly achieved, it can be seen that the detection rate is improved in the remaining data.

FIG. 9 (b) shows that the false positive rate is lower in the case of data converted to discrete type than in the case of continuous data. In other words, when applied to Mon, Fri data does not have a large change, other data can be seen that the false positive (False Positive) is lowered.

10 and 11 illustrate results of applying detection rule formation to experimental data according to an embodiment of the present invention. In FIG. 3, before the characteristic information is accumulated for each session (S320) and the data type is determined (S330), a good measure is selected among various measures and applied to the DARPA experimental data.

GRR is defined as follows.

, (이 때, α= 0.01)Good Rule Rate (GRR) =

, Where α = 0.01

In each step, the GRR value is tested by selecting (G) the good, ignoring the unnecessary (I) and not selecting the bad (X). As a result of the test in the above manner, when applied to Wed and Thu data as shown in FIG. 10, if only a good measure is selected at each step, the detection rate is high and the false detection rate is low.

In FIG. 11, RST means a test result and SLT means a selection.

The invention can also be embodied as computer readable code on a computer readable recording medium. Computer-readable recording media include all kinds of recording devices that store data that can be read by a computer system.

Examples of computer-readable recording media include ROM, RAM, CD-ROM, magnetic tape, floppy disk, optical data storage, and the like, which are also implemented in the form of carrier waves (for example, transmission over the Internet). It also includes. The computer readable recording medium can also be distributed over network coupled computer systems so that the computer readable code is stored and executed in a distributed fashion.

The best embodiments have been disclosed in the drawings and specification above. Although specific terms have been used herein, they are used only for the purpose of describing the present invention and are not used to limit the scope of the present invention as defined in the meaning or claims.

Therefore, those skilled in the art will understand that various modifications and equivalent other embodiments are possible from this. Therefore, the true technical protection scope of the present invention will be defined by the technical spirit of the appended claims.

In the present invention, by generating detection rules for each attack type for network session-based characteristic information, recalculating the detection error rate to select more accurate detection rules, and automatically removing the detection rules with low accuracy. In addition, detection rules can be automatically generated to detect known or similar types of attacks without the need for expert assistance, resulting in faster response.

As a result, detection rules are generated with high accuracy in detection of modified attack behaviors or unknown new attacks and capable of coping with new types of attacks.

In addition, there is an effect of extracting the characteristics of the attack type that do not appear in the network packet or cannot be clearly distinguished from the normal network data flow by using the characteristic information of the network session unit.

Claims (11)

A network session characteristic information extraction unit for converting network data classified by session characteristic information into an input data format including the session characteristic information and a characteristic of a network data type to which the network data belongs among a normal type, an attack type, and an unknown type; And A decision tree is constructed by applying a classification algorithm to the network data converted into the input data format, and the accuracy of the decision tree is generated based on an error rate at a final node of the decision tree. A detection rule automatic generation unit for generating a detection rule patterned for each network data type based on a conditional expression for selecting a node having an optimal information gain of a tree and the accuracy; Generating device. The method of claim 1, When the previously generated detection rule and the newly generated detection rule match The error rate for each network data type is generated by multiplying the error rate by an error rate for each network data type only, and verifying a detection rule for updating the accuracy of the decision tree based on the generated error rate for each data type. Updater; Attack behavior detection rule generating device further comprising. The method of claim 1, Depending on whether network data classified by session characteristic information is continuous within a predetermined range, it is divided into continuous type and discrete type, In case of continuous type, if it is partitioned into discrete data value within a predetermined range based on a predetermined threshold range, it is converted into discrete data. The network data is classified into normal behaviors, attack behaviors, and unknown behaviors, thereby classifying the algorithm. remind Apparatus for generating an attack behavior detection rule, characterized in that the conversion to the input data format. The method of claim 1, wherein the algorithm is Calculating a frequency for each classification of network data classified by the session characteristic information, Configure nodes of the decision tree based on the calculated frequency, Information nodes are calculated for each node to select nodes having optimal information gains. And an attack behavior detection rule generation device for calculating an accuracy of the decision tree based on the error rate at a final node. The method of claim 1, wherein the session characteristic information And at least one of session total statistics information, network protocol connection information, network protocol header information, and connection information between two hosts. Classifying network data by session characteristic information; Converting the classified data into an input data format including the session characteristic information and a characteristic of a network data type to which the network data belongs among a normal type, an attack type, and an unknown type; Constructing a decision tree by applying a classification algorithm to the data converted into the input data format; Generating an accuracy of the decision tree based on an error rate at the last node of the decision tree; and Generating a detection rule patterned for each network data type based on the name, a conditional expression for selecting a node having an optimal information gain of the decision tree, and the accuracy; How to create a detection rule. The method of claim 6, Determining whether the previously generated detection rule matches the newly generated detection rule; Generating the error rate for each network data type by multiplying the error rate by the error rate for each network data type only if the detection rule is matched; and And updating the accuracy of the decision tree based on the generated error rates for each data type. The method of claim 6, Dividing the network data classified by the session characteristic information into a continuous type and a discrete type according to whether the network data classified by the session characteristic information is continuous within a predetermined range; Converting into discrete data when the data is partitioned into discrete data values within a predetermined range based on a predetermined threshold range in the case of continuous type; and The network data is classified into normal behaviors, attack behaviors, and unknown behaviors, thereby classifying the algorithm. remind Converting to the input data format; attack method detection rule generation method further comprising a. 7. The method of claim 6, wherein the classification algorithm is Calculating frequency of classification of network data classified by the session characteristic information; Constructing nodes of the decision tree based on the calculated frequencies; Calculating the information gain for each node and selecting a node having an optimal information gain; and Calculating an accuracy of the decision tree on the basis of the error rate at a final node. 10. The method of claim 6 or 9, wherein the classification algorithm is Method for generating attack behavior detection rule, characterized in that the extended C4.5 algorithm. The method of claim 6, wherein the session characteristic information Method for generating an attack behavior detection rule, characterized in that it comprises one or more of session total statistics information, network protocol connection information, network protocol header information, connection information between the two hosts.

Images