KR102002880B1 - Method for detecting malcious packets based on machine learning model and apparatus using the same - Google Patents

Abstract

According to the present disclosure, disclosed are a method for detecting a malicious packet from a packet stream or a log corresponding to the packet stream, and a network apparatus using the same. More particularly, in the method, the network apparatus obtains analysis target data from the packet stream or the corresponding log through a data collection module, determines whether the analysis target data is malicious through a malicious packet discrimination module by a generative adversarial network (GAN), and provides an external entity with data determined to be malicious in the analysis target data.

Description

TECHNICAL FIELD [0001] The present invention relates to a method for detecting malicious packets based on a machine learning model, and a device using the method. [0002]

Disclosed herein are a method for detecting malicious packets from a packet stream or a corresponding log and a network equipment using the same. In particular, according to the method of the present invention, a network device obtains analysis target data from the packet stream or a corresponding log through a data collection module, and generates a generative adversarial (GAN) network to determine maliciousness of the analysis target data, and provides malicious data determined to be malicious among the analysis target data to an external entity.

BACKGROUND ART [0002] With the development of network and wireless communication technologies such as the Internet, the use of wired and wireless communication continues to increase.

However, recently, malicious traffic attacks such as denial of service (DoS) attacks and structured query language (SQL) injection attacks have frequently occurred on wired / wireless communication networks .

Attacks that attack malicious nodes (or devices) connected to the network and cause them to run out of resources for their intended purpose, intentionally exploiting security loopholes in applications (application programs) Such as an attack to unauthorized manipulation of a database by causing the attack to be executed by an attacker or a victim of the attack, Or the function of the Internet site or service may be interrupted or interrupted temporarily or indefinitely. Therefore, it is necessary to prepare for detection of such malicious behavior.

Various methods are used in conventional logs, packet collection and analysis systems, or security threat detection systems in order to detect and respond to specific attacks or abnormal events classified as malicious acts.

In the conventional intrusion blocking system illustrated in FIG. 1, a malicious behavior is detected by using a predefined rule set (e.g., Snort and etpro) to generate an event. The incoming network packet is generally transmitted to the intrusion prevention system (IPS) 130 via the router 110 and the firewall 120. The intrusion blocking module 130 transmits the network packet corresponding to the rule set The malicious packet corresponding to the malicious action is reported to the security manager through the administrator server 140 as an event and the packet not detected as malicious is transmitted to the server / Lt; / RTI >

In such an environment, excessive detection by the IPS 130 causes a lot of events, which increases security administrators' work fatigue. Particularly, even if a payload of an incoming network packet has a content value that is not identical to a payload of a similar character string, it may be determined that the payload matches with the rule set, thereby causing false positives. For example, if the word 'app' in the content value is present and the contents of the packet 'application' come in, it may be malicious even if it corresponds to a normal packet.

Accordingly, the inventor of the present invention has developed a method and system for improving the detection accuracy of malicious packets by learning various content values in the detected packet or the detection log using the generative adversarial network (GAN) algorithm of the IPS 130 I would like to propose.

10-1776662 B

The present invention aims at enhancing the reduction of the occurrence of security events by fake malicious packets by applying a machine learning system such as a constructive hostile neural network.

That is, according to the present invention, it is possible to reduce the high false positives related to the malicious packet in the conventional IPS-dependent method, saving the unnecessary confirmation time for the security events not related to the malicious packet by the user such as the supervisor, .

Therefore, the present invention aims to improve efficiency for protecting an Internet site or service from an attack by a malicious packet.

The characteristic configuration of the present invention for achieving the object of the present invention as described above and realizing the characteristic effects of the present invention described below is as follows.

According to an aspect of the invention, a method is provided for detecting malicious packets from a packet stream or a corresponding log, the method comprising the steps of: (a) Acquiring analysis target data from the packet stream or a log corresponding to the packet stream or supporting another device interworking with the network equipment to acquire the analysis target data through the data acquisition module; (b) the network device determines maliciousness of the analysis object data through a malicious packet discrimination module by a generative adversarial network (GAN), or makes the other device detect the malicious packet through the malicious packet discrimination module A step of determining whether the data to be analyzed is malicious; And (c) supporting the network device to provide data determined as malicious among the analysis target data to an external entity or to provide the other device with the external entity.

According to another aspect of the present invention, there is also provided a computer program comprising instructions implemented to perform the method according to the present invention.

According to still another aspect of the present invention, there is provided a network device, i.e., a computing device, for detecting malicious packets from a packet stream or a corresponding log, the computing device comprising: and a processor for determining maliciousness of the analysis object data through a malicious packet discrimination module based on a generative adversarial network (GAN) A malicious packet detection module for detecting maliciousness of the analysis target data; And provides data to the external entity, which is determined to be malicious, among the data to be analyzed, or to provide the other device with the external entity.

According to an exemplary embodiment of the present disclosure, there is an effect of reducing false positives regarding packets that are suspected to be malicious but actually not malicious by applying the latest machine learning system such as a hostile antagonistic neural network.

Therefore, according to the exemplary embodiment, detection accuracy of malicious packets is improved based on a machine learning model. By using the method of the present invention, data about real malicious packets are accumulated, The detection performance of the malicious packet discrimination module can be continuously improved.

BRIEF DESCRIPTION OF THE DRAWINGS The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiments of the invention and, together with the description, serve to explain the principles of the invention to those skilled in the art Other drawings can be obtained based on these figures without requiring inventive work.
FIG. 1 is a conceptual illustration of an example of a conventional intrusion blocking system.
2 schematically shows an exemplary configuration of a network equipment that performs a method for detecting malicious packets based on a machine learning model (hereinafter referred to as "malicious packet detection method"), according to an embodiment of the present invention It is a conceptual diagram.
FIG. 3 is a conceptual diagram illustrating hardware and software architecture of a network equipment and a training computing device performing a malicious packet detection method according to an embodiment of the present invention.
4 is a flowchart illustrating an exemplary malicious packet detection method according to an exemplary embodiment of the present invention.
FIG. 5 illustrates an example of a machine learning model used in an embodiment of the present invention, illustrating major operations of a determination module and a generation module to explain a generative adversarial network (GAN).
FIG. 6 is a conceptual diagram illustrating an intrusion blocking system that reflects the network equipment and training computing device of the present disclosure as shown in FIG.

The following detailed description of the invention refers to the accompanying drawings, which illustrate, by way of example, specific embodiments in which the invention may be practiced in order to clarify the objects, technical solutions and advantages of the invention. These embodiments are described in sufficient detail to enable those skilled in the art to practice the invention. DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS In the following description of the present invention with reference to the accompanying drawings, the same components are denoted by the same reference numerals regardless of the reference numerals, and a duplicate description thereof will be omitted.

Specific structural or functional descriptions of embodiments are set forth for illustrative purposes only, and may be embodied with various changes and modifications. Accordingly, the embodiments are not intended to be limited to the particular forms disclosed, and the scope of the present disclosure includes changes, equivalents, or alternatives included in the technical idea.

The terms first or second, etc. may be used to describe various elements, but such terms should be interpreted solely for the purpose of distinguishing one element from another. For example, the first component may be referred to as a second component, and similarly, the second component may also be referred to as a first component.

It is to be understood that when an element is referred to as being "connected" to another element, it may be directly connected or connected to the other element, although other elements may be present in between.

The singular expressions include plural expressions unless the context clearly dictates otherwise. In this specification, the terms "comprises" or "having", etc. are intended to designate the presence of stated features, integers, steps, operations, components, parts or combinations thereof, , &Quot; an ", " an ", " an "

Unless otherwise defined, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art. Terms such as those defined in commonly used dictionaries are to be interpreted as having a meaning consistent with the meaning of the context in the relevant art and, unless explicitly defined herein, are to be interpreted as ideal or overly formal Do not.

Also, throughout the specification and claims of this disclosure, 'learning', 'training' or 'learning' is a term referring to performing machine learning through computing according to procedures, It will be understood by those of ordinary skill in the art that the invention is not intended to refer to mental acts such as activity.

Moreover, the present invention encompasses all possible combinations of embodiments shown herein. It should be understood that the various embodiments of the present invention are different, but need not be mutually exclusive. For example, certain features, structures, and characteristics described herein may be implemented in other embodiments without departing from the spirit and scope of the invention in connection with one embodiment. It should also be understood that the position or arrangement of individual components within each disclosed embodiment may be varied without departing from the spirit and scope of the present invention. The following detailed description is, therefore, not to be taken in a limiting sense, and the scope of the present invention is to be limited only by the appended claims, along with the full scope of equivalents to which such claims are entitled, if properly explained. In the drawings, like reference numerals refer to the same or similar functions throughout the several views.

Unless otherwise indicated herein or clearly contradicted by context, items referred to in the singular are intended to encompass a plurality unless otherwise specified in the context. In the following description of the present invention, a detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings, so that those skilled in the art can easily carry out the present invention.

FIG. 2 is a conceptual diagram schematically showing an exemplary configuration of a network equipment that performs a malicious packet detection method according to an embodiment of the present invention.

2, a network device 200 according to an exemplary embodiment of the present invention includes a communication unit 210 and a processor 220. The communication unit 210 communicates with an external computing device Not shown) can be directly or indirectly communicated.

In particular, the network device 200 may include any type of computing device, such as a computer, a processor, a memory, a storage, an input device and an output device, , Electronic communication devices such as switches, electronic-information storage systems such as network-attached storage (NAS) and storage area networks (SAN), and computer software (i.e., ≪ RTI ID = 0.0 > and / or < / RTI > functions to achieve desired system performance. The storage may include storage devices such as a hard disk, a universal serial bus (USB) memory, as well as storage devices based on a network connection such as a cloud server.

The communication unit 210 of the network equipment can send and receive requests and responses to and from other computing devices that are interlocked. As an example, such requests and responses can be transmitted through the same transmission control protocol (TCP) But not limited to, a user datagram protocol (UDP) datagram, for example.

Specifically, the communication unit 210 may be implemented in the form of a communication module including a communication interface. For example, the communication interface may be a wireless LAN (WLAN), a wireless fidelity (WIFI) Direct, a digital living network alliance (DLNA), a wireless broadband (Wibro), a world interoperability for microwave access (Wimax), a high speed downlink packet access And a short range communication interface such as Bluetooth (TM), radio frequency identification (RFID), infrared data association (IrDA), ultra-wideband (UWB), ZigBee and near field communication can do. In addition, the communication interface may represent any interface (e.g., a wired interface) capable of communicating with the outside.

For example, the communication unit 210 can acquire a log, a packet, and the like from an external device through the appropriate communication interface. In addition, in a broad sense, the communication unit 210 may include or be associated with a keyboard, a mouse, and other external input devices, a printing device, a display, and other external output devices for receiving commands or instructions.

The processor 220 of the network device 200 may be a micro processing unit (MPU), a central processing unit (CPU), a graphics processing unit (GPU), a neural processing unit (NPU) a cache memory, a data bus, and the like. It may further include a software configuration of an operating system and an application that performs a specific purpose.

FIG. 3 is a conceptual diagram illustrating hardware and software architecture of a network equipment and a training computing device performing a malicious packet detection method according to an embodiment of the present invention.

Components included by way of example in the intrusion prevention system (IPS) 130, the administrator server 140, and the training computing device 300 shown in FIG. 3 include a communication unit 210 included in the individual computing device ) And the processor 220, as will be understood by those skilled in the art.

The intrusion blocking module 130 shown in FIG. 3 detects a malicious packet corresponding to a malicious action as described above, and the malicious packet is reported to the security manager through the administrator server 140. The detection module 132 is a component that performs a core function of the intrusion blocking module 130 and can detect a malicious packet from data of a log or a packet.

Here, the log or packet includes an HTTP header, a source IP, a destination IP, a payload, a port, and the like, and it is mainly determined from the content of the payload whether or not the packet is a malicious packet.

An example of the packet collected by the intrusion blocking module 130 is as follows.

$ 3A DATA | http_uri; reference: url, support.microsoft.com / headers: http: // www. kb / q188806 /; reference: cve, 1999-0278; reference: url, doc.emergingthreats.net/2001365; classtype: web-application-activity; sid: 2001365; rev: 12;)

The agent module 134 of the intrusion blocking module 130 may transmit the information of the malicious packet detected by the intrusion blocking module 130 to the administrator server 140. The agent server 134 To acquire information of the malicious packet from the agent module 134. [ 3, the administrator server 140 further includes a web module 144 for providing a web service for convenience of transferring information to a user or an administrator, which is the subject of use of the administrator server 140 And may further include an analysis module 146 that provides the analysis result of the information so that the user or the administrator can easily grasp the information of the malicious packet.

The information of the malicious packet is acquired by the agent module 134 in FIG. 3 and transmitted to the data collector 330 of the training computing device 300 through the collection module 142, which will be used in the method of the present disclosure, But may be directly transmitted by the intrusion blocking module 130. It is needless to say that the present invention is not limited to the illustrated example.

3, the training computing device 300 may obtain information of actual malicious packets through the data collector 330, which may be generated or generated by a generative adversarial network (GAN) And may be used to train a module (generator) 310. The generation module 310 performs a function of generating a fake malicious packet similar to an actual malicious packet.

The discriminator 320 or the discriminator 320 can be trained by using the fake malicious packet and the actual malicious packet generated by the generation module to perform a function of distinguishing a fake malicious packet from a real malicious packet. As will be described below, a generative hostile neural network (GAN) can be trained in a conflicting structure of a generation module and a discrimination module.

If the discrimination module 320 is sufficiently trained to distinguish the actual malicious packet from the fake malicious packet, the verification / test module 340 verifies and tests the performance of the discrimination module 320 and then has performance meeting the criteria It transmits it to the detection module 132 to update the intrusion blocking module 130. [

4 is a flowchart illustrating an exemplary malicious packet detection method according to an exemplary embodiment of the present invention.

Referring to FIG. 4, a method for detecting a malicious packet from a packet stream or a log corresponding thereto according to the present invention, that is, a malicious packet detection method, (E.g., an intrusion detection module) 130 that is connected to the network equipment or acquires analysis target data from the packet stream or a corresponding log through the data acquisition module 142, (S100) to acquire the analysis target data through the data acquisition module. Here, the analysis target data may be, for example, a payload content value of a packet belonging to the packet stream, or a content value extracted by parsing a maliciously-detected log.

Next, the malicious packet detection method of the present disclosure is characterized in that the network equipment 140 transmits a malicious packet to the malicious packet detection module 320 or 132 via a generative adversarial network (GAN) (Step S200) of determining whether the analysis target data is malicious or not, or supporting another device (for example, 300) to determine whether the analysis target data is malicious through the malicious packet determination module 320 or 132 (S200).

Herein, the malicious packet discrimination module 320 or 132 may be configured to detect a malicious packet in the network device 140 or a predetermined training computing device 300 through machine learning using a plurality of training malicious packets and a plurality of malicious packets It may be trained to distinguish malicious packets from non-malicious packets.

The machine learning model for this machine learning will now be described with reference to FIG.

5 illustrates an example of a machine learning model used in an embodiment of the present invention, illustrating a main action of the discrimination module 320 and the generation module 310 to illustrate a generative adversarial network (GAN) FIG.

Referring to FIG. 5, the similar malicious packet generation module 310 is trained to generate a plurality of similar malicious packets, in which a plurality of actual malicious packets are used as training data. The similar malicious packet generation module 310 may be included in the training computing device 300 or may be included in the network equipment 140 or the other device 130. The similar malicious packet generation module 310 in the network equipment or the training apparatus is constituted by a generational hostile neural network (GAN) together with the malicious packet determination module 320.

The basic structure of the constructive hostile neural network is described in [Goodfellow, Ian J .; Pouget-Abadie, Jean; Mirza, Mehdi; Xu, Bing; Warde-Farley, David; Ozair, Sherjil; Courville, Aaron; Bengio, Yoshua (2014). "Generative Adversarial Networks".

In the presently disclosed hostile neural network, the similar malicious packet generation module may generate a similar malicious packet from a predetermined input value, which may be a random value. As an example, the random value may be a random noise generated using a Gaussian distribution.

That is, the similar malicious packet generation module 310 trains the malicious packet determination module 320 in a direction that causes the similar malicious packet generated by the similar malicious packet generation module 310 to be misidentified as malicious, The malicious packet determination module 320 trains the generated similar malicious packet to determine that it is not malicious, which is a characteristic of the hostile neural network. In particular, a hostile hostile neural network is useful for large amount of data because it corresponds to the non-vector learning that does not require data labeling.

This productive hostile neural network is often characterized by the fact that counterfeiters (corresponding to the 'generating module') tend to deceive counterfeit audiences (corresponding to the 'discriminator module') and counterfeit audiences in the direction of discriminating counterfeit Is likened to taking. The machine learning model to be utilized in the machine learning model of the malicious packet discrimination module 320, that is, the detection module for the malicious packet of the network equipment as well as the training computing device, by the generative hostile neural network (GAN) And its performance can be improved.

That is, a real malicious packet that has not been considered in the previous training is continuously inputted into the training data, and a more similar malicious packet generation module 310 generates a similar malicious packet, which is more like a real, but actually a false malicious packet, By being provided to the training of the discrimination module 320, the discriminating ability for similar malicious packets can be continuously improved.

Needless to say, the machine learning model used in the present invention needs to undergo a certain learning step. For this purpose, data of the refined malicious packet is inputted for training, It is apparent that the pre-learning or pre-training of the module 320 and the similar malicious packet generation module 310 can be completed in advance.

The trained malicious packet discrimination module 320 may be verified and tested by, for example, the verification / test module 340 and verified that the discrimination module 320 meets the required performance When completed, the data of the machine learning model employed in the malicious packet discrimination module 320 or the malicious packet discrimination module 320 can be mounted so as to be used by the network equipment. For example, the detection module of the intrusion blocking module 130 (Not shown).

Referring again to FIG. 4, the malicious packet detection method according to the present invention is a method in which the network device 140 provides malicious data determined as malicious to the external entity, (S300) to provide the data to an external entity.

Here, the external entity includes a network device that performs the method according to the present invention, that is, a user of the computing device, an administrator, an administrator responsible for securing the network, a supervisor, etc. In addition, It is to be understood that any subject is included. When the external entity is human, the network device can provide the external entity with data determined through a predetermined output device, e.g., a user interface displayed on the display.

For example, in step S300, when the network device 140 provides an external entity with a web service, the network device 140 causes the external web browser of the external entity to display the determined data, related contents, etc. .

FIG. 6 is a conceptual view illustrating an intrusion blocking system reflecting the network equipment and training computing device of the present disclosure as shown in FIG. 3, and a training computing device 300 is added in comparison with FIG. 1 of the prior art .

Although illustrated with reference numerals to those that have been realized in the computing devices illustrated by way of example for convenience of explanation with respect to the components shown in Figs. 2 to 6, the network equipment performing the method of the present invention may include one or more devices May be configured to be interlocked with each other. Accordingly, it is apparent that each step of the above-described method of the present invention can be performed by one computing device directly or by supporting the one computing device to perform another computing device interlocked with the one computing device, The reference numerals illustrated in the foregoing description do not limit the method and apparatus of the present disclosure.

As described above, the present invention provides a malicious packet discrimination module for malicious and malicious packets by providing a large amount of training data without any security problems as similar malicious packets generated by machine learning, that is, fake malicious packets over all of the above- But it can be trained to accurately distinguish data.

The advantage of the techniques described herein is that it is possible to quickly and accurately determine whether a packet is malicious by filtering out false security events even in the event of exposure to a large number of logs and analysis information per day, It can greatly reduce the burden on security experts, and it is possible to predict more accurately as a result of re-reflecting malicious packets continuously provided. In short, according to the technique of the present invention, malicious packets are automatically discriminated with higher reliability, and the user can confirm the efficiency of the control by only checking a smaller number of malicious packet payloads and / or corresponding analysis results .

Based on the description of various embodiments of the present disclosure, one of ordinary skill in the art will appreciate that the method and / or processes of the present invention and the steps thereof may be implemented in hardware, software, It is to be clearly understood that the present invention can be realized in any combination. The hardware may include special features or components of a general purpose computer and / or a dedicated computing device or a specific computing device or a particular computing device. Such processes may include one or more processors, e.g., microprocessors, controllers, such as microcontrollers, embedded microcontrollers, microcomputers, arithmetic logic units (ALUs), digital signal processors, For example, a programmable digital signal processor or other programmable device. Additionally or alternatively, the processes may be implemented in an application specific integrated circuit (ASIC), a programmable gate array, such as a field programmable gate array (FPGA), a programmable logic unit (PLU) Any other device capable of executing and responding to Programmable Array Logic (PAL) or other instructions, any other device or combination of devices that can be configured to process electronic signals. The processing device may execute an operating system (OS) and one or more software applications running on the operating system. The processing device may also access, store, manipulate, process, and generate data in response to execution of the software. For ease of understanding, the processing apparatus may be described as being used singly, but those skilled in the art will recognize that the processing apparatus may have a plurality of processing elements and / As shown in FIG. For example, the processing apparatus may comprise a plurality of processors or one processor and one controller. Other processing configurations are also possible, such as a parallel processor.

The software may comprise a computer program, code, instructions, or a combination of one or more of the foregoing, and may be configured to configure the processing device to operate as desired, or to process it collectively or independently Device can be commanded. Software and / or data may be stored on any type of machine, component, physical device, virtual equipment, computer storage media, or device, such as a computer readable recording medium, , Or may be permanently or temporarily embodied in a transmitted signal wave. The software may be distributed over a networked computer system and stored or executed in a distributed manner. The software and data may be stored on one or more machine-readable recording media.

Moreover, the objects of the technical solution of the present invention or portions contributing to the prior art can be implemented in the form of program instructions that can be executed through various computer components and recorded in a machine-readable medium. The machine-readable medium may include program instructions, data files, data structures, and the like, alone or in combination. Program instructions to be recorded on a machine-readable recording medium may be those specially designed and constructed for the embodiments or may be known and available to those of ordinary skill in the computer software arts. Examples of the machine-readable recording medium include magnetic media such as hard disks, floppy disks and magnetic tape, optical media such as CD-ROMs, DVDs, and Blu-ray, optical disks such as floptical disks Magneto-optical media such as ROMs, random access memories (RAMs), flash memory, and the like, and hardware devices specifically configured to store and execute program instructions. Examples of program instructions include, but are not limited to, any of the above devices, as well as a heterogeneous combination of processors, processor architectures or combinations of different hardware and software, Which may be constructed using a structured programming language such as C, an object-oriented programming language such as C ++ or an advanced or low-level programming language (assembly language, hardware description languages and database programming languages and techniques) This includes not only bytecode, but also high-level language code that can be executed by a computer using an interpreter or the like.

Thus, in one aspect of the present invention, when the methods and combinations described above are performed by one or more computing devices, combinations of the methods and methods may be implemented as executable code that performs each of the steps. In another aspect, the method may be implemented as systems for performing the steps, and the methods may be distributed in various ways throughout the devices, or all functions may be integrated into one dedicated, stand-alone device, or other hardware. In yet another aspect, the means for performing the steps associated with the processes described above may include any of the hardware and / or software described above. All such sequential combinations and combinations are intended to be within the scope of this disclosure.

For example, the hardware devices described above may be configured to operate as one or more software modules to perform the operations of the embodiments, and vice versa. The hardware device may include a processor, such as an MPU, CPU, GPU, TPU, coupled to a memory, such as ROM / RAM, for storing program instructions and configured to execute instructions stored in the memory, And a communication unit capable of receiving and sending data. In addition, the hardware device may include a keyboard, a mouse, and other external input devices for receiving commands generated by the developers.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, Those skilled in the art will appreciate that various modifications and changes may be made thereto without departing from the scope of the present invention.

Therefore, the spirit of the present invention should not be construed as being limited to the above-described embodiment, and all of the equivalents or equivalents of the claims, as well as the claims attached hereto, As well as the other. For example, it is to be understood that the techniques described may be performed in a different order than the described methods, and / or that components of the described systems, structures, devices, circuits, Lt; / RTI > or equivalents, even if it is replaced or replaced.

Such equally or equivalently modified embodiments will include logically equivalent methods which can yield, for example, the same results as those of the method according to the present invention, The scope is not to be limited by the foregoing examples, but should be understood in the broadest sense permissible by law.

Claims (8)

A method for detecting a malicious packet from a packet stream or a corresponding log,
(a) the network equipment acquires analysis target data from the packet stream or a corresponding log through a data acquisition module, or causes the other device, which is linked to the network equipment, Supporting acquisition of target data;
(b) the network device determines maliciousness of the analysis object data through a malicious packet discrimination module by a generative adversarial network (GAN), or makes the other device detect the malicious packet through the malicious packet discrimination module A step of determining whether the data to be analyzed is malicious; And
(c) supporting the network device to provide the external entity with data determined to be malicious among the analysis target data or to provide the other device with the external entity
, ≪ / RTI &
In the step (b)
Wherein the malicious packet identification module is derived from a generative adversarial network (GAN) including a similar malicious packet generation module as a generator and a malicious packet discrimination module as a discriminator, Is determined to be malicious,
Wherein the generated hostile neural network is trained by machine learning using a plurality of actual malicious packets for training and a plurality of similar malicious packets that are similar to the actual malicious packets but are not malicious in the network equipment or a predetermined training computing device,
Wherein the plurality of similar malicious packets are generated from the similar malicious packet generation module in the network equipment or the training computing device,
During the training by the machine learning,
Wherein the similar malicious packet generation module trains the malicious packet discrimination module in a direction for discriminating the generated similar malicious packet as malicious, and the malicious packet discrimination module discriminates that the generated similar malicious packet is not malicious Wherein the malicious packet is trained in a direction to cause a malicious packet to be detected. delete delete The method according to claim 1,
Wherein the malicious packet discrimination module that has passed validation (test) of the malicious packet discrimination module trained in the network equipment or the training computing device is mounted to be used by the network equipment. Detection method. A computer program stored in a machine-readable non-transitory medium, comprising instructions for a computing device or a network device to implement the method of any one of claims 1 to 4. 1. A network equipment for detecting a malicious packet from a packet stream or a corresponding log,
A communication unit for acquiring analysis target data from the packet stream or a log corresponding thereto;
A malicious packet discrimination module based on a generative adversarial network (GAN) for discriminating maliciousness of the analysis target data or causing other devices interlocked through the communication section to transmit the analysis target data through the malicious packet discrimination module A process to assist in determining whether or not it is malicious; And a processor for performing a process of providing data to the external entity determined to be malicious among the data to be analyzed or providing the other device to the external entity,
Lt; / RTI >
The malicious packet discrimination module is derived from a generative adversarial network (GAN) including a malicious packet generation module as a generator and the malicious packet discrimination module as a discriminator,
The malicious packet discrimination module determines whether the analysis target data is malicious,
Wherein the generated hostile neural network is configured to use a plurality of actual malicious packets for training and a plurality of similar malicious packets that are similar to the actual malicious packets but are not malicious in the processor or in a predetermined training computing device interlocked with the communication section Machine learning is trained,
Wherein the plurality of similar malicious packets are generated from the similar malicious packet generation module in the processor or the training computing device,
During the training by the machine learning,
In the processor or the training computing device, the similar malicious packet generation module is trained in a direction that causes the malicious packet determination module to determine that the generated similar malicious packet is malicious, and the malicious packet determination module The malicious packet is trained in such a direction as to determine that the similar malicious packet is not malicious. delete delete

Images