TWI813233B - System and method for artificial intelligence against network attack - Google Patents
- Publication number: TWI813233B (TW111112181A)
- Authority: TW (Taiwan)
Landscapes
- Circuits Of Receivers In General (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
An artificial intelligence system and method for resisting network attacks, comprising a user device, an identity authentication device, a server device and a network device. The network device receives a plurality of network packets transmitted from the user device to the server device and performs the following steps: the packet filtering unit of the network device receives the network packet and, according to a filtered-user database, either passes the network packet to the identity authentication device or filters it out; the identity authentication device receives the network packet, authenticates the user device that generated it, and passes the network packet to a server device according to the authentication result.
Description
The present invention relates to an artificial intelligence system and method for resisting network attacks that uses an artificial intelligence model to quickly identify and filter network packets exhibiting attack behavior, and that avoids the heavy consumption of computing resources caused by identity authentication.
With the rapid development of the Internet, information is transmitted faster and the behavior of many industries has changed. Preventing network attacks is therefore a major issue for security on the Internet. The conventional way of guarding against network attacks begins analyzing packets only after an attack has occurred. Because Internet transmission methods have diversified, what used to be single-type attacks have begun to turn into compound attacks or entirely new attack methods.
Conventional means of resisting DDoS attacks rely mainly on rules of thumb combined with a CDN to spread traffic and so mitigate the harm caused by DDoS attacks. A CDN, however, is designed primarily to improve service quality and increase revenue by adding equipment to serve higher traffic. Using a CDN to mitigate DDoS attacks costs users a great deal, and it takes substantial human resources to analyze attack patterns, formulate rules and avoid conflicts between rules. This approach is therefore too passive and its defensive scope is quite limited.
In addition, to keep network equipment from being hacked, some operators use a communication protocol such as TLS for identity authentication to confirm the identities of both parties to a connection. Hackers, however, exploit the fact that the protocol's computations are time-consuming to consume large amounts of the communication equipment's computing resources and thereby paralyze it.
There is also a conventional method of filtering malicious traffic intrusions, which mainly directs packets into a detection and filtering device. That device must convert the packets into traffic images and then compare them with model images of known malicious traffic packets to determine whether a traffic image matches a model image. Besides requiring the model images of malicious traffic packets to be known in advance, which adds steps to the filtering flow, this method loses operating efficiency in converting packets into traffic images. Image comparison must also be made more efficient to be accurate, which again calls for additional equipment, and the detection and filtering device must keep changing the traffic images and the model images of malicious traffic packets as malicious packets change, which complicates the comparison and analysis.
Therefore, to solve the above problems effectively, the main object of the present invention is to provide an artificial intelligence system and method for resisting network attacks that uses an artificial intelligence model to quickly identify and filter network packets exhibiting attack behavior, and that avoids the heavy consumption of computing resources caused by using identity authentication alone.
Another object of the present invention is to provide an artificial intelligence system and method for resisting network attacks that can greatly reduce cost.
To achieve the above objects, the present invention provides an artificial intelligence system for resisting network attacks, comprising: at least one user device, which has user device data and generates at least one network packet; and a network device connected to the user device. The network device has a packet filtering unit with at least one filtered-user database; the packet filtering unit receives the network packet and, according to its filtered-user database, either passes the network packet to an identity authentication device or filters it out. The identity authentication device receives the network packet, authenticates the user device that generated it, and passes the network packet to a server device according to the authentication result.
According to an embodiment of the artificial intelligence system for resisting network attacks of the present invention, the network device further comprises: a packet capture unit, connected to the packet filtering unit, which captures the network packets passed to the identity authentication device; a packet storage unit, connected to the packet capture unit, which stores the network packet; a feature extraction unit, connected to the packet storage unit, which retrieves the network packet and parses it with at least one feature template to produce behavioral feature information and packet information for the network packet; a feature storage unit, connected to the feature extraction unit, which stores the behavioral feature information and the packet information; and a processing unit, connected to the feature extraction unit, which receives the behavioral feature information. An artificial intelligence model of the processing unit determines whether the behavioral feature information of the network packet is normal or malicious and produces a feature information result, and the processing unit passes the feature information result of a malicious network packet to the packet filtering unit. The packet filtering unit also receives the packet information from the feature storage unit and, using the feature information result and the packet information, stores the user device data of the device that generated the malicious network packet in the filtered-user database.
According to an embodiment of the artificial intelligence system for resisting network attacks of the present invention, the network device further comprises an automatic feature labeling unit and an automatic feature label storage unit. The automatic feature labeling unit is connected to the feature storage unit; it retrieves the behavioral feature information in the feature storage unit and labels it, so that the behavioral feature information carries an automatic feature classification label. The automatic feature label storage unit is connected to the automatic feature labeling unit and stores the behavioral feature information together with its automatic feature classification label. The automatic feature label storage unit is also connected to a training unit, in which a model to be trained takes the behavioral feature information and its automatic feature classification labels and produces a trained model.
According to an embodiment of the artificial intelligence system for resisting network attacks of the present invention, the network device further comprises a comparison unit connected to the training unit and to a correct feature label storage unit. The correct feature label storage unit stores at least one item of training feature information and a correct feature classification label for that training feature information. The comparison unit retrieves the training feature information and the correct feature classification labels from the correct feature label storage unit, and the training unit outputs the trained model to the comparison unit. The trained model takes the training feature information and outputs a training information result, and the comparison unit compares the training information results with the training feature information and the correct feature classification labels to decide whether to optimize the trained model or to output it to the processing unit.
According to an embodiment of the artificial intelligence system for resisting network attacks of the present invention, the network device further comprises an optimization unit connected to the comparison unit, which performs optimization when the comparison unit decides to optimize the trained model.
According to an embodiment of the artificial intelligence system for resisting network attacks of the present invention, the optimization unit is also connected to the automatic feature labeling unit, so that when the comparison unit decides to optimize the trained model, the optimization unit optimizes the automatic feature labeling unit, and the automatic feature labeling unit produces another set of automatic feature classification labels.
According to an embodiment of the artificial intelligence system for resisting network attacks of the present invention, the optimization unit is also connected to the feature extraction unit, so that when the comparison unit decides to optimize the trained model, the optimization unit makes the feature extraction unit use another feature template, and the feature extraction unit produces other behavioral feature information according to that other feature template.
The present invention also provides an artificial intelligence method for resisting network attacks, comprising: at least one user device generates at least one network packet and sends it to a network device; a packet filtering unit of the network device receives the network packet and, according to a filtered-user database, either passes the network packet to an identity authentication device or filters it out; the identity authentication device receives the network packet, authenticates the user device that generated it, and passes the network packet to a server device according to the authentication result.
According to an embodiment of the artificial intelligence method for resisting network attacks of the present invention, the step in which the identity authentication device receives the network packet, authenticates the user device that generated it, and passes the network packet to a server device according to the authentication result includes: a packet capture unit captures, from the packet filtering unit, the network packet passed to the identity authentication device; a packet storage unit stores the network packet captured by the packet capture unit, and a feature extraction unit retrieves the network packet from the packet storage unit and parses it with at least one feature template to produce behavioral feature information and packet information for the network packet, which are stored in a feature storage unit; an artificial intelligence model of the processing unit determines whether the behavioral feature information of the network packet is normal or malicious and produces a feature information result; and the processing unit passes the feature information result of a malicious network packet to the packet filtering unit, which also receives the packet information from the feature storage unit and, using the feature information result and the packet information, stores the user device data of the device that generated the malicious network packet in the filtered-user database.
According to an embodiment of the artificial intelligence method for resisting network attacks of the present invention, the step in which a feature extraction unit retrieves the network packet from the packet storage unit and parses it with at least one feature template to produce behavioral feature information and packet information for the network packet includes: a feature storage unit stores the behavioral feature information from the feature extraction unit, and an automatic feature labeling unit retrieves the behavioral feature information in the feature storage unit and labels it, so that the behavioral feature information carries an automatic feature classification label; an automatic feature label storage unit stores the behavioral feature information and its automatic feature classification label, and a model to be trained in a training unit takes the behavioral feature information and its automatic feature classification labels and produces a trained model; the trained model is output to a comparison unit, which also retrieves training feature information and a correct feature classification label from the correct feature label storage unit; the trained model takes the training feature information and outputs a training information result; and the comparison unit compares the training information results with the training feature information and the correct feature classification labels to decide whether to optimize the trained model or to output it to the processing unit.
According to an embodiment of the artificial intelligence method for resisting network attacks of the present invention, the step in which the comparison unit compares the training information results with the training feature information and the correct feature classification labels and decides to optimize the trained model includes: an optimization unit optimizes the automatic feature labeling unit, which then retrieves the behavioral feature information in the feature storage unit and labels it, so that the behavioral feature information carries another set of automatic feature classification labels; the automatic feature label storage unit stores the behavioral feature information and that other set of automatic feature classification labels; the model to be trained in the training unit takes the behavioral feature information and its automatic feature classification labels and outputs another trained model; the other trained model is output to the comparison unit, which retrieves the training feature information and the correct feature classification labels; the other trained model takes the training feature information and outputs another training information result; and the comparison unit compares those other training information results with the training feature information and the correct feature classification labels and outputs the other trained model to the processing unit.
According to an embodiment of the artificial intelligence method for resisting network attacks of the present invention, the step in which the comparison unit compares the training information results with the training feature information and the correct feature classification labels and decides to optimize the trained model includes: an optimization unit is connected to the feature extraction unit; the optimization unit makes the feature extraction unit use another feature template, and the feature extraction unit produces other behavioral feature information according to that other feature template; the automatic feature labeling unit then retrieves the other behavioral feature information in the feature storage unit and labels it, so that the behavioral feature information carries another set of automatic feature classification labels; the automatic feature label storage unit stores the behavioral feature information and that other set of automatic feature classification labels; the model to be trained in the training unit takes the behavioral feature information and its automatic feature classification labels and outputs another trained model; the other trained model is output to the comparison unit, which retrieves the training feature information and the correct feature classification labels; the other trained model takes the training feature information and outputs another training information result; and the comparison unit compares those other training information results with the training feature information and the correct feature classification labels and outputs the other trained model to the processing unit.
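The label, train, compare and optimize loop described in the embodiments above, as an added Python example that is not code from the patent. It shows the variant in which the optimization unit re-tunes the automatic feature labeling unit; the two-number feature vectors, the threshold labeler, the nearest-centroid model and the 0.9 acceptance level are all assumptions, and the data is constructed.

```python
# Added illustration; every name and number below is constructed for the example.
# Each feature vector is (syn_only_ratio, short_gap_ratio), both in [0, 1].

# Feature storage unit: behavioral features captured from traffic, unlabeled.
CAPTURED = [
    (0.98, 0.95), (0.92, 0.90), (0.70, 0.85), (0.65, 0.80),
    (0.10, 0.20), (0.05, 0.10), (0.30, 0.15), (0.20, 0.30),
]

# Correct feature label storage unit: training features with known-correct labels.
REFERENCE = [
    ((0.95, 0.90), "malicious"),
    ((0.55, 0.70), "malicious"),
    ((0.58, 0.65), "malicious"),
    ((0.15, 0.25), "normal"),
    ((0.25, 0.10), "normal"),
]


def make_auto_labeler(syn_threshold):
    """Automatic feature labeling unit: a rule with one tunable parameter."""
    def label(feature):
        return "malicious" if feature[0] > syn_threshold else "normal"
    return label


def train(features, labels):
    """Training unit: fit a nearest-centroid classifier on auto-labeled data."""
    grouped = {}
    for feature, label in zip(features, labels):
        grouped.setdefault(label, []).append(feature)
    centroids = {
        label: tuple(sum(axis) / len(members) for axis in zip(*members))
        for label, members in grouped.items()
    }

    def predict(feature):
        def sq_dist(label):
            return sum((a - b) ** 2 for a, b in zip(feature, centroids[label]))
        return min(centroids, key=sq_dist)
    return predict


def compare(model, reference):
    """Comparison unit: share of reference features the model labels correctly."""
    hits = sum(model(feature) == label for feature, label in reference)
    return hits / len(reference)


def train_until_accepted(captured, reference, thresholds, required=0.9):
    """Retrain with a re-tuned labeler until the model passes the comparison.

    Returns (model or None, history of (threshold, accuracy)).
    """
    history = []
    for threshold in thresholds:      # optimization unit: next labeler setting
        labeler = make_auto_labeler(threshold)
        labels = [labeler(f) for f in captured]
        if len(set(labels)) < 2:      # labeler produced a single class: unusable
            history.append((threshold, 0.0))
            continue
        model = train(captured, labels)
        accuracy = compare(model, reference)
        history.append((threshold, accuracy))
        if accuracy >= required:
            return model, history     # released to the processing unit
    return None, history


if __name__ == "__main__":
    model, history = train_until_accepted(CAPTURED, REFERENCE, [0.9, 0.5])
    for threshold, accuracy in history:
        print(f"labeler threshold {threshold}: accuracy {accuracy:.2f}")
    print("verdict for (0.60, 0.75):", model((0.60, 0.75)))
```

With the strict labeler only the two fastest sources are labeled malicious, so the trained model misses the slower ones in the reference set and is sent back for optimization; the re-tuned labeler yields a model that passes.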
The above objects of the present invention, together with its structural and functional characteristics, are explained below with reference to the preferred embodiments shown in the accompanying drawings.
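Please refer to Figures 1 and 2, which are a schematic diagram of the system architecture and a schematic diagram of an implementation of the system architecture of the artificial intelligence system for resisting network attacks of the present invention. As the figures show, the artificial intelligence system 1 for resisting network attacks includes at least one user device 2, an identity authentication device 3, a server device 4 and a network device 5. The identity authentication device 3, the server device 4 and the network device 5 may each be an independent device or may be integrated into a single apparatus. The network device 5 is network-connected between the user device 2 and the identity authentication device 3. The user device 2 has user device data and generates at least one network packet P1. The identity authentication device 3 is in turn connected to the server device 4, and the identity authentication device 3 may be, but is not limited to, a router, a gateway, a repeater or a bridge.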
The network device 5 has a packet filtering unit 51, which contains at least one filtered-user database 511. The filtered-user database 511 records at least one entry of user device data for a device that transmits malicious packets. The packet filtering unit 51 captures the network packet P1 flowing from the user device 2 through the identity authentication device 3 and first filters it against the user device 2 data in its filtered-user database 511. If the user device 2 that sent the network packet P1 is recorded there as a source of malicious packets, the packet filtering unit 51 filters out the network packet P1; otherwise, the packet filtering unit 51 passes the captured network packet P1 to the identity authentication device 3. The identity authentication device 3 receives the network packet P1, authenticates the user device 2 that generated it, and passes the network packet P1 to a server device 4 according to the authentication result. The identity authentication device 3 authenticates mainly over a security-protocol connection using Transport Layer Security (TLS) or Secure Sockets Layer (SSL), or by another identity authentication method. The identity authentication device 3 thus verifies the identity of the user device 2 that sent the network packet P1: if verification succeeds, the identity authentication device 3 passes the network packet P1 to the server device 4; if verification fails, the network packet P1 is not passed to the server device 4.
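In this way, the artificial intelligence system 1 for resisting network attacks can quickly identify and filter network packets P1 exhibiting attack behavior. No additional or more complex equipment needs to be installed, which reduces setup cost, and the identity authentication device 3 is kept from consuming large amounts of computing resources under malicious attack by a user device 2 that generates malicious network packets P1. The identity authentication device 3 then performs further filtering so that the packets reaching the server device 4 are normal packets, thereby blocking network attacks.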
Please refer next to Figure 3, a schematic diagram of another implementation of the system architecture of the artificial intelligence system for resisting network attacks of the present invention, in which the network device 5 further includes, connected in sequence, a packet capture unit 52, a packet storage unit 521, a feature extraction unit 53 and a processing unit 54. The processing unit 54 is in turn connected to the packet filtering unit 51.
While the identity authentication device 3 passes the network packet P1 to the server device 4, the packet capture unit 52 captures the network packet P1 passed to the identity authentication device 3 and stores it in the packet storage unit 521. The feature extraction unit 53 retrieves the network packet P1 from the packet storage unit 521 and parses it with at least one feature template 531 to produce behavioral feature information I1 and packet information I2 for the network packet P1. The feature template 531 may be applied to each network packet P1, to a fixed number of network packets P1, or to the network packets P1 obtained in a fixed time period, to obtain the behavioral feature information I1. The feature template 531 covers, for the network packets P1 of the user device 2 or the server device 4, the transport protocol, capture count, header information, port number, transmission time, packet content, transmission speed, transmission direction, number of TCP flags, receiving end, packet count, packet size, inter-arrival time, flow active time, flow idle time and so on, as shown in Figure 4. The feature extraction unit 53 obtains the behavioral feature information I1 of the network packet P1 through the feature template 531. Figure 4 shows the content of the behavioral feature information I1 and the feature template 531, where the behavioral feature information I1 is a set of quantified data, a matrix or an image. The feature template 531 is not limited to the four groups in the embodiment of Figure 4.
After the feature extraction unit 53 generates the behavioral feature information I1 and the packet information I2, it passes the behavioral feature information I1 to the processing unit 54, and passes the behavioral feature information I1 and the packet information I2 to a feature storage unit 532 for storage. The content of the packet information I2 is the Internet Protocol address (IP address) of the network packet P1 and the corresponding behavioral feature information I1. The feature storage unit 532 is also connected to the packet filtering unit 51. An artificial intelligence model 541 of the processing unit 54 determines whether the behavioral feature information I1 of the network packet P1 is normal or malicious and generates a feature information result R1. The artificial intelligence model 541 is built from artificial intelligence algorithms, which may include, but are not limited to, artificial neural networks, decision trees, perceptrons, support vector machines, ensemble learning, dimensionality reduction and metric learning, clustering, Bayesian classifiers, or feed-forward neural network models. The processing unit 54 passes the feature information result R1 of a malicious network packet P1 to the packet filtering unit 51. The packet filtering unit 51 receives the feature information result R1 and also receives the packet information I2 from the feature storage unit 532. From the feature information result R1 and the packet information I2 it learns the user equipment data of the device that generated the malicious network packet, and it stores that user equipment data in the filtering user database 511. When the user equipment 2 that generated the malicious network packet P1 again sends a network packet P1 to the server device 4, the packet filtering unit 51 captures the network packet P1 and first filters it against the user equipment 2 data in its filtering user database 511. Conversely, if the artificial intelligence model 541 of the processing unit 54 determines that the behavioral feature information I1 of the network packet P1 is normal and generates the feature information result R1, the packet filtering unit 51 passes the network packet P1 generated by that user equipment 2 to the identity authentication device 3; if the identity authentication device 3 verifies it successfully, the identity authentication device 3 passes the network packet P1 to the server device 4.

For example, the artificial intelligence model 541 determines whether the behavioral feature information I1 is an attack feature or a normal feature, and then sends the feature information result R1 (whether the feature information I1 is attack or normal) to the packet filtering unit 51. From the feature information result R1 and the packet information I2, the packet filtering unit 51 obtains the packet's IP address and whether it is an attack feature. If the feature information result R1 is attack, the packet's IP address, that is, the user equipment data of the malicious network packet, is stored in the filtering user database 511 as a blacklist entry, and future packets from the same IP address will be filtered by the packet filtering unit 51. In this way, the system 1 for artificial intelligence against network attack can use the artificial intelligence model 541 to quickly identify and filter network packets P1 that exhibit attack behavior, so no additional or more complex equipment needs to be installed, which reduces installation cost. In addition, before the identity authentication stage of the identity authentication device 3, the artificial intelligence model 541 can use the behavioral feature information I1 parsed by the feature template 531 to determine whether a packet is a normal network packet P1 or a malicious network packet P1, which further avoids the problem of malicious attacks by the user equipment 2 that generates malicious network packets P1 consuming a large amount of computing resources.
In addition, the network device 5 further includes an automatic feature labeling unit 55, an automatic feature labeling storage unit 551, a training unit 56, a comparison unit 57, a correct feature labeling storage unit 58 and an optimization unit 59.
The automatic feature labeling unit 55 is connected to the feature storage unit 532. It retrieves the behavioral feature information I1 in the feature storage unit 532 and labels it, so that the behavioral feature information I1 has an automatic feature classification label C1; in other words, the automatic feature labeling unit 55 classifies the behavioral feature information I1 as a normal feature or a malicious feature. The automatic feature labeling unit 55 may be a classifier with a classification algorithm, and the classification algorithm may include, but is not limited to, logistic regression, decision tree, support vector machine (SVM), naive Bayes, nearest neighbor algorithm (KNN), and so on. The automatic feature labeling unit 55 passes the behavioral feature information I1 and its automatic feature classification label C1 to the automatic labeling storage unit, which stores the behavioral feature information I1 and its automatic feature classification label C1. The training unit 56 is connected to the automatic feature labeling storage unit and retrieves the behavioral feature information I1 and its automatic feature classification label C1 from it. The training unit 56 has a model to be trained 561, which is built from artificial intelligence algorithms. The training unit 56 has the model to be trained 561 take the behavioral feature information I1 and its automatic feature classification label C1, and the model to be trained 561 generates a trained model 562 from the behavioral feature information I1 and its automatic feature classification label C1.
The comparison unit 57 is connected to the training unit 56, the correct feature labeling storage unit 58 and the optimization unit 59. The correct feature labeling storage unit 58 stores at least one piece of training feature information I3 and a correct feature classification label C2 for that training feature information I3. Both the training feature information I3 and the correct feature classification label C2 are generated outside the system and stored in advance in the correct feature labeling storage unit 58. The training feature information I2 is equivalent to behavioral feature information, and the correct feature classification label C2 indicates whether the training feature information I2 is a normal feature or an attack feature. The training feature information I3 and the correct feature classification label C2 may be generated and labeled manually or by a device. In other words, the classification given by the correct feature classification label C2 is correct and serves as the reference answer. The trained model 562 of the training unit 56 is output to the comparison unit 57, which also retrieves the training feature information I3 and the correct feature classification label C2 from the correct feature labeling storage unit 58. In the comparison unit 57, the trained model 562 takes the training feature information I3 and outputs a training information result. The comparison unit 57 compares these training information results with the training feature information I3 and the correct feature classification label C2, checking whether the classification in the training information result R2 matches the classification given by the training feature information I3 and the correct feature classification label C2. If the match rate between the training information result R2 and the training feature information I3 and correct feature classification label C2 is higher than a set value, the comparison unit 57 outputs the trained model 562 to the processing unit 54, and the trained model 562 updates the artificial intelligence model 541. Conversely, if the match rate between the training information result R2 and the training feature information I3 and correct feature classification label C2 is lower than the set value, the comparison unit decides to optimize the trained model C1.

For example, two pieces of training feature information (A) and (B) are preset; the correct feature classification label for (A) is normal (○) and the correct feature classification label for (B) is attack (X). When (A) and (B) are input to the trained model 562, the trained model 562 outputs normal (○) as the training information result for training feature information (A) and normal (○) as the training information result for training feature information (B). The comparison unit 57 then compares the training information results with the correct feature classification labels. In this example, the training information result for (A) is normal (○) and its correct feature classification label is normal (○), which matches the preset; the training information result for (B) is normal (○) but its correct feature classification label is attack (X), which does not match the preset. The accuracy of the trained model 562 is therefore 50%. If the set value requires greater than 90%, the comparison unit decides to adjust the automatic feature labeling unit 55. The set value is not limited to greater than 90% and can be adjusted according to actual conditions. The optimization unit 59 optimizes the automatic feature labeling unit 55. The optimization unit 59 performs the optimization using a classification algorithm, so that the automatic feature labeling unit 55 uses another algorithm or replaced labeling parameters to generate another set of automatic feature classification labels C1 for the behavioral feature information I1. The automatic feature labeling storage unit 551 stores the behavioral feature information I1 and its other set of automatic feature classification labels C1, and the model to be trained 561 of the training unit 56 takes the behavioral feature information I1 and its automatic feature classification label C1 and outputs another trained model 562 to the comparison unit 57.
The comparison unit 57 again retrieves the training feature information I3 and the correct feature classification label C2 from the correct feature labeling storage unit 58. In the comparison unit 57, the trained model 562 takes the training feature information I3 and outputs another training information result, and the comparison unit 57 compares these other training information results with the training feature information I3 and the correct feature classification label C2, checking whether the classification in the other training information result matches the classification given by the training feature information I3 and the correct feature classification label C2. If the match rate between the training information result and the training feature information I3 and correct feature classification label C2 is higher than the set value, the comparison unit 57 outputs the other trained model 562 to the processing unit 54, and the trained model 562 updates the artificial intelligence model 541. Conversely, if the match rate between the other training information result and the training feature information I3 and correct feature classification label C2 is lower than the set value, the comparison unit adjusts the automatic feature classification label C1 again, until the match rate between the training information result and the training feature information I3 and correct feature classification label C2 is higher than the set value.
Please also refer to FIG. 5, a schematic diagram of another way of optimizing the system architecture of the system for artificial intelligence against network attack of the present invention. Here the optimization unit 59 has another optimization method: the optimization unit 59 is connected to the feature extraction unit 53, so that when the comparison unit 57 decides to optimize the trained model C1, the optimization unit 59 makes the feature extraction unit 53 use another feature template 531, and the feature extraction unit 53 generates another set of behavioral feature information I1 according to that other feature template 531. That is, the optimization unit 59 changes the number or items of the feature template 531, so that the feature extraction unit 53 obtains another set of behavioral feature information I1 of the network packet P1 through the feature template 531, and the automatic feature labeling unit 55 generates another set of automatic feature classification labels C1 from that other behavioral feature information I1.
To explain the operation of this embodiment clearly, please also refer to FIG. 6, a flow chart of the method for artificial intelligence against network attack of the present invention. The method includes the following steps:
Step S1: The user equipment generates a network packet and sends it to the network device;
Step S2: The packet filtering unit of the network device receives the network packet and, according to the filtering user database, either passes the network packet to the identity authentication device or filters the network packet. The packet filtering unit 51 contains the filtering user database 511, which records at least one entry of user equipment 2 data for devices that send malicious packet data. The packet filtering unit 51 captures the network packet P1 flowing from the user equipment 2 through the identity authentication device 3 and, after capturing it, first filters it against the user equipment 2 data in its filtering user database 511. If the user equipment 2 sending the network packet P1 is not recorded as user equipment 2 data for malicious packet data, the packet filtering unit 51 passes the captured network packet P1 to the identity authentication device 3. Otherwise, the method proceeds to Step S21: the packet filtering unit filters the network packet and terminates the connection. That is, if the user equipment 2 sending the network packet P1 is recorded as user equipment 2 data for malicious packet data, the packet filtering unit 51 filters its network packet P1 and terminates the connection of that user equipment 2.
Step S3: The identity authentication device receives the network packet, performs identity authentication on the user equipment that generated the network packet, and passes the network packet to the server device according to the identity authentication result. The identity authentication device 3 can verify the user equipment 2 that sent the network packet P1. If the identity authentication device 3 verifies it successfully, the identity authentication device 3 passes the network packet P1 to the server device 4. Otherwise, the method proceeds to Step S31: the identity authentication device stops transmitting the network packet and terminates the connection. That is, if verification by the identity authentication device 3 fails, the network packet P1 is not passed to the server device 4.
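In this way, the system 1 for artificial intelligence against network attack can quickly identify and filter network packets P1 that exhibit attack behavior, so no additional or more complex equipment needs to be installed, which reduces installation cost. It additionally uses the identity authentication device 3 for further identity authentication, which avoids the problem of malicious attacks by the user equipment 2 that generates malicious network packets P1 consuming a large amount of computing resources.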
Please also refer to FIG. 7, a further flow chart of the method for artificial intelligence against network attack of the present invention. The following steps follow step S3:
Step S4: The packet capture unit captures, from the packet filtering unit, the network packet passed to the identity authentication device. While the identity authentication device 3 passes the network packet P1 to the server device 4, the packet capture unit 52 captures the network packet P1 passed to the identity authentication device 3.
Step S5: The packet storage unit stores the network packet captured by the packet capture unit, and the feature extraction unit retrieves the network packet from the packet storage unit and parses it with the feature template to generate the behavioral feature information and packet information of the network packet, which are stored in the feature storage unit. The packet capture unit 52 stores the captured network packet P1 in the packet storage unit 521. The feature extraction unit 53 retrieves the network packet P1 from the packet storage unit 521, parses it using the feature template 531, and generates the behavioral feature information I1 and packet information I2 of the network packet P1. The behavioral feature information I1 and packet information I2 generated by the feature extraction unit 53 are stored in the feature storage unit 532.
Step S6: The artificial intelligence model of the processing unit determines whether the behavioral feature information of the network packet is normal or malicious and generates a feature information result. After the feature extraction unit 53 generates the behavioral feature information I1, it passes the behavioral feature information I1 to the processing unit 54, and the artificial intelligence model 541 of the processing unit 54 determines whether the behavioral feature information I1 of the network packet P1 indicates a normal network packet P1 or a malicious network packet P1 and generates the feature information result R1.
Step S7: The processing unit passes the feature information result of a malicious network packet to the packet filtering unit, the packet filtering unit also receives the packet information, and the packet filtering unit derives the user equipment data of the device that generated the malicious network packet from the feature information result and the packet information and stores it in the filtering user database. The packet filtering unit 51 receives the feature information result R1 and also receives the packet information I2 from the feature storage unit. From the feature information result R1 (whether the feature information I1 is attack or normal) and the packet information I2 (the feature information I1 and the IP address corresponding to that feature information I1), the packet filtering unit 51 derives the user equipment data of the device that generated the malicious network packet (that is, the IP address corresponding to the feature information I1), and it stores the packet information data of the user equipment 2 that generated the malicious network packet P1 in the filtering user database 511. When the user equipment 2 that generated the malicious network packet P1 again sends a network packet P1 to the server device 4, the packet filtering unit 51 captures the network packet P1 and first filters it against the user equipment data in its filtering user database 511. Conversely, if the artificial intelligence model 541 of the processing unit 54 determines that the behavioral feature information I1 of the network packet P1 is normal and generates the feature information result R1, the packet filtering unit 51 passes the network packet P1 generated by that user equipment 2 to the identity authentication device 3.
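In this way, the system 1 for artificial intelligence against network attack can use the artificial intelligence model 541 to quickly identify and filter network packets P1 that exhibit attack behavior, so no additional or more complex equipment needs to be installed, which reduces installation cost. In addition, at the identity authentication stage of the identity authentication device 3, the artificial intelligence model 541 can use the behavioral feature information I1 parsed by the feature template 531 to determine whether a packet is a normal network packet P1 or a malicious network packet P1, and the feature information result R1 is then used to store the user equipment 2 that generated the malicious network packet P1 in the filtering user database 511, which avoids the problem of malicious attacks by the user equipment 2 that generates malicious network packets P1 consuming a large amount of computing resources.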
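The flow of steps S1 to S7 can be traced in a short simulation. This is an added example, not code from the patent: the class and function names, the four template fields chosen, the threshold rule standing in for the artificial intelligence model 541, and the constructed traffic are all assumptions.

```python
# Added illustration of steps S1-S7; names, thresholds and traffic are assumptions.
from dataclasses import dataclass
from statistics import mean


@dataclass
class Packet:
    src_ip: str
    ts: float           # arrival time in seconds
    proto: str
    dst_port: int
    size: int
    syn: bool = False   # TCP SYN flag set


# Feature template 531: a subset of the fields the description lists.
FEATURE_TEMPLATE = ("packet_count", "mean_size", "mean_inter_arrival", "syn_count")


def extract_features(packets, template=FEATURE_TEMPLATE):
    """Feature extraction unit 53: build I1 and I2 for one source address."""
    times = sorted(p.ts for p in packets)
    gaps = [b - a for a, b in zip(times, times[1:])]
    values = {
        "packet_count": len(packets),
        "mean_size": mean(p.size for p in packets),
        "mean_inter_arrival": mean(gaps) if gaps else float("inf"),
        "syn_count": sum(p.syn for p in packets),
    }
    i1 = tuple(values[name] for name in template)      # behavioral feature information
    i2 = {"ip": packets[0].src_ip, "features": i1}     # packet information: IP + I1
    return i1, i2


def stand_in_model(i1, template=FEATURE_TEMPLATE):
    """Placeholder for AI model 541 (assumed rule): many SYNs arriving very fast."""
    f = dict(zip(template, i1))
    flood = f["syn_count"] >= 20 and f["mean_inter_arrival"] < 0.01
    return "attack" if flood else "normal"             # feature information result R1


class NetworkDevice:
    def __init__(self, model):
        self.model = model
        self.filter_db = set()     # filtering user database 511
        self.packet_store = {}     # packet storage unit 521, keyed by source IP
        self.feature_store = []    # feature storage unit 532

    def receive(self, pkt):
        """Steps S2/S21: drop listed sources, otherwise forward and capture (S4)."""
        if pkt.src_ip in self.filter_db:
            return "dropped"
        self.packet_store.setdefault(pkt.src_ip, []).append(pkt)
        return "forwarded_to_auth"

    def analyse(self):
        """Steps S5-S7: extract features, classify, list attacking sources."""
        newly_listed = []
        for ip, packets in self.packet_store.items():
            i1, i2 = extract_features(packets)
            self.feature_store.append(i2)
            if self.model(i1) == "attack" and i2["ip"] not in self.filter_db:
                self.filter_db.add(i2["ip"])
                newly_listed.append(ip)
        self.packet_store.clear()
        return newly_listed


def demo():
    dev = NetworkDevice(stand_in_model)
    # Constructed traffic: one source sends 50 SYNs 1 ms apart, one sends 5 packets 1 s apart.
    flood = [Packet("198.51.100.7", i * 0.001, "tcp", 443, 60, syn=True) for i in range(50)]
    normal = [Packet("192.0.2.10", float(i), "tcp", 443, 800, syn=(i == 0)) for i in range(5)]
    first_pass = [dev.receive(p) for p in flood + normal]
    listed = dev.analyse()
    second_pass = {ip: dev.receive(Packet(ip, 100.0, "tcp", 443, 60, syn=True))
                   for ip in ("198.51.100.7", "192.0.2.10")}
    return first_pass, listed, second_pass


if __name__ == "__main__":
    print(demo()[1:])
```

Because the packet capture unit works on packets that have already been passed to the identity authentication device, every packet in the first pass is forwarded; the listing only takes effect on traffic that arrives after the analysis has run.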
Please also refer to FIG. 8, a flow chart of the comparison performed in the method for artificial intelligence against network attack of the present invention. The step in which the feature extraction unit 53 retrieves the network packet P1 from the packet storage unit 521 and parses it with the feature template 531 to generate the behavioral feature information I1 and packet information I2 of the network packet P1 includes the following steps:
Step S41: The feature storage unit stores the behavioral feature information from the feature extraction unit, and the automatic feature labeling unit retrieves the behavioral feature information from the feature storage unit and labels it so that the behavioral feature information has an automatic feature classification label. The feature storage unit 532 stores the behavioral feature information I1 generated by the feature extraction unit 53, and the automatic feature labeling unit 55 retrieves the behavioral feature information I1 from the feature storage unit 532 and labels it, so that the behavioral feature information I1 has the automatic feature classification label C1.
Step S42: The automatic feature labeling storage unit stores the behavioral feature information and its automatic feature classification label, and the model to be trained of the training unit takes the behavioral feature information and its automatic feature classification label and generates a trained model. The automatic feature labeling unit 55 passes the behavioral feature information I1 and its automatic feature classification label C1 to the automatic labeling storage unit, which stores the behavioral feature information I1 and its automatic feature classification label C1. The training unit 56 retrieves the behavioral feature information I1 and its automatic feature classification label C1 from the automatic labeling storage unit and has the model to be trained 561 take the behavioral feature information I1 and its automatic feature classification label C1, and the model to be trained 561 generates the trained model 562 from the behavioral feature information I1 and its automatic feature classification label C1.
Step S43: The trained model is output to the comparison unit, and the comparison unit also retrieves the training feature information and the correct feature classification label from the correct feature labeling storage unit. The trained model 561 is output to the comparison unit 57, and the comparison unit 57 also retrieves the training feature information I2 and the correct feature classification label C2 from the correct feature labeling storage unit 58.
Step S44: The trained model takes the training feature information and outputs a training information result. In the comparison unit 57, the trained model 562 takes the training feature information I3 and outputs the training information result.
Step S45: The comparison unit compares the training information results with the training feature information and the correct feature classification label, and decides either to optimize the trained model or to output the trained model to the processing unit. The comparison unit 57 compares the training information results with the training feature information I3 and the correct feature classification label C2, checking whether the classification in the training information result matches the classification given by the training feature information I3 and the correct feature classification label C2. If the match rate between the training information result and the training feature information I3 and correct feature classification label C2 is higher than the set value, the comparison unit 57 outputs the trained model 562 to the processing unit 54.
Please also refer to FIG. 9, a flow chart of the optimization performed in the method for artificial intelligence against network attack of the present invention. The step in which the comparison unit 57 compares the training information results R2 with the training feature information I2 and the correct feature classification label C2 and decides to optimize the trained model C1 includes the following steps:
Step S4511: The optimization unit optimizes the automatic feature labeling unit, and the automatic feature labeling unit again retrieves the behavioral feature information from the feature storage unit and labels it so that the behavioral feature information has another set of automatic feature classification labels. If the match rate between the training information result and the training feature information I3 and correct feature classification label C2 is lower than the set value, the comparison unit 57 decides to optimize the trained model C1, and the optimization unit 59 optimizes the automatic feature labeling unit 55. The optimization unit 59 performs the optimization using a classification algorithm, so that the automatic feature labeling unit 55 uses another algorithm or replaced labeling parameters to generate another set of automatic feature classification labels C1 for the behavioral feature information I1.
Step S4512: The automatic feature labeling storage unit stores the behavioral feature information and its other set of automatic feature classification labels. The automatic feature labeling storage unit 551 stores the behavioral feature information I1 and its other set of automatic feature classification labels C1.
Step S4513: The model to be trained of the training unit takes the behavioral feature information and its automatic feature classification label and outputs another trained model. The model to be trained 561 of the training unit 56 takes the behavioral feature information I1 and its automatic feature classification label C1 and outputs another trained model 562.
Step S4514: The other trained model is output to the comparison unit, and the comparison unit also retrieves the training feature information and the correct feature classification label from the correct feature labeling storage unit. The other trained model 562 of the training unit 56 is output to the comparison unit 57, and the comparison unit 57 also retrieves the training feature information I3 and the correct feature classification label C2 from the correct feature labeling storage unit 58.
步驟S4515:該另一已訓練模型擷取所述訓練特徵資訊並輸出另一訓練資訊結果;而該另一已訓練模型562於比對單元57中擷取所述訓練特徵資訊I3並輸出另一訓練資訊結果。Step S4515: The other trained model retrieves the training feature information and outputs another training information result; and the other trained model 562 retrieves the training feature information I3 in the comparison unit 57 and outputs another Training information results.
步驟S4516:比對單元比對該些另一訓練資訊結果與訓練特徵資訊及特徵正確分類標註,並將該另已訓練模型輸出至所述處理單元;該比對單元57比對該些另一訓練資訊結果與訓練特徵資訊I3及特徵正確分類標註C2,若該比對單元57比對出該另一訓練資訊結果與訓練特徵資訊I3及特徵正確分類標註C2間之分類標註是否相符,若該訓練資訊結果與訓練特徵資訊I3及特徵正確分類標註C2之相符率高於設定值時,該比對單元57將該另一已訓練模型562輸出至所述處理單元54,而由該已訓練模型562更新所述人工智慧模型541,反之,若該另一訓練資訊結果與訓練特徵資訊I3及特徵正確分類標註C2之相符率低於設定值時,該比對單元57再次調整該特徵自動分類標註C1,直至訓練資訊結果與訓練特徵資訊I3及特徵正確分類標註C2之相符率高於設定值。Step S4516: The comparison unit compares the results of the other training information with the training feature information and the correct classification annotation of the features, and outputs the other trained model to the processing unit; the comparison unit 57 compares the results of the other training information with the training feature information and the correct classification annotation of the features. If the comparison unit 57 compares the training information result with the training feature information I3 and the correct feature classification label C2 to determine whether the classification label between the other training information result and the training feature information I3 and the correct feature classification label C2 is consistent, if the When the consistency rate between the training information result, the training feature information I3 and the feature correct classification label C2 is higher than the set value, the comparison unit 57 outputs the other trained model 562 to the processing unit 54, and the trained model 562 updates the artificial intelligence model 541. On the contrary, if the coincidence rate between the other training information result and the training feature information I3 and the feature correct classification label C2 is lower than the set value, the comparison unit 57 adjusts the feature automatic classification label again. C1, until the consistency rate between the training information result, the training feature information I3 and the feature correct classification annotation C2 is higher than the set value.
Please also refer to Figure 10, which is a flow chart of another optimization performed by the artificial intelligence method for resisting network attacks of the present invention. The step in which the comparison unit 57 compares the training information results R2 with the training feature information I2 and the correct feature classification labels C2 and decides to optimize the trained model C1 includes the following steps:
Step S4521: The optimization unit is connected to the feature extraction unit. The optimization unit 59 is connected to the feature extraction unit 53.
Step S4522: The optimization unit causes the feature extraction unit to use another feature template, and the feature extraction unit generates other behavioral feature information according to the other feature template. When the comparison unit 57 decides to optimize the trained model C1, the optimization unit 59 causes the feature extraction unit 53 to use another feature template 531, and the feature extraction unit 53 generates other behavioral feature information I1 according to the other feature template 531. That is, the optimization unit 59 changes the number or the items of the feature template 531, so that the feature extraction unit 53 obtains other behavioral feature information I1 of the network packet P1 through the feature template 531.
Step S4523: The automatic feature labeling unit again retrieves the other behavioral feature information in the feature storage unit and labels it, so that the behavioral feature information has another set of automatic feature classification labels. The automatic feature labeling unit 55 generates another set of automatic feature classification labels C1 from the other behavioral feature information I1.
Step S4524: The automatic feature label storage unit stores the behavioral feature information and the other set of automatic feature classification labels that belongs to it. The automatic feature label storage unit 551 stores the behavioral feature information I1 and the other set of automatic feature classification labels C1 that belongs to it.
Step S4525: The to-be-trained model of the training unit retrieves the behavioral feature information and its automatic feature classification labels and outputs another trained model. The to-be-trained model 561 of the training unit 56 retrieves the behavioral feature information I1 and its automatic feature classification labels C1 and outputs another trained model 562.
Step S4526: The other trained model is output to the comparison unit, and the comparison unit retrieves the training feature information and the correct feature classification labels. The other trained model 562 of the training unit 56 is output to the comparison unit 57, and the comparison unit 57 also retrieves the training feature information I3 and the correct feature classification labels C2 from the correct feature label storage unit 58.
Step S4527: The other trained model retrieves the training feature information and outputs another training information result. The other trained model 562 retrieves the training feature information I3 in the comparison unit 57 and outputs another training information result.
Step S4528: The comparison unit compares the other training information results with the training feature information and the correct feature classification labels, and outputs the other trained model to the processing unit. The comparison unit 57 compares the other training information results with the training feature information I3 and the correct feature classification labels C2 to determine whether the classification labels match. If the match rate between the training information result and the training feature information I3 and correct feature classification labels C2 is higher than the set value, the comparison unit 57 outputs the other trained model 562 to the processing unit 54, and the trained model 562 updates the artificial intelligence model 541. Conversely, if the match rate between the other training information result and the training feature information I3 and correct feature classification labels C2 is lower than the set value, the comparison unit 57 adjusts the automatic feature classification labels C1 again, until the match rate between the training information result and the training feature information I3 and correct feature classification labels C2 is higher than the set value.
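The two optimization routes described above (steps S4511 to S4516 and S4521 to S4528) can be sketched as one retraining loop. This is an added example, not code from the patent: the sample data, the threshold labeling rule, the nearest-centroid model, the 0.9 set value and the order in which the two routes are tried are all assumptions chosen for illustration.

```python
from statistics import mean

# Constructed packet information I2 per user device (not from the patent).
CAPTURED = [{"auth_rate": a, "payload_kb": p} for a, p in [
    (1, 0.40), (2, 0.90), (1, 0.15), (3, 0.70),
    (40, 0.42), (55, 0.88), (60, 0.13), (48, 0.65)]]
# Constructed verified set: training feature information I3 with correct labels C2.
VERIFIED = [({"auth_rate": 2, "payload_kb": 0.82}, "normal"),
            ({"auth_rate": 1, "payload_kb": 0.20}, "normal"),
            ({"auth_rate": 52, "payload_kb": 0.30}, "malicious"),
            ({"auth_rate": 30, "payload_kb": 0.76}, "malicious")]
SET_VALUE = 0.9  # assumed "set value" for the match rate

def extract(info, template):
    """Feature extraction unit 53: keep the fields named by feature template 531."""
    return tuple(float(info[field]) for field in template)

def auto_label(vectors, frac):
    """Automatic feature labeling unit 55 (assumed rule): flag vectors whose first
    feature exceeds frac * max; frac is the replaceable labeling parameter."""
    cutoff = frac * max(v[0] for v in vectors)
    return ["malicious" if v[0] > cutoff else "normal" for v in vectors]

def train(vectors, labels):
    """Training unit 56: a nearest-centroid model stands in for model 561/562."""
    return {lab: tuple(mean(col) for col in
                       zip(*[v for v, l in zip(vectors, labels) if l == lab]))
            for lab in set(labels)}

def predict(model, vec):
    return min(model, key=lambda lab: sum((a - b) ** 2 for a, b in zip(vec, model[lab])))

def match_rate(model, template):
    """Comparison unit 57: fraction of verified samples predicted with label C2."""
    hits = sum(predict(model, extract(info, template)) == lab for info, lab in VERIFIED)
    return hits / len(VERIFIED)

def optimize(templates, fracs):
    """Relabel with each parameter (S4511-S4516); if none reaches the set value,
    move to the next feature template (S4521-S4528)."""
    history = []
    for template in templates:
        vectors = [extract(info, template) for info in CAPTURED]
        for frac in fracs:
            model = train(vectors, auto_label(vectors, frac))
            rate = match_rate(model, template)
            history.append((template, frac, rate))
            if rate >= SET_VALUE:
                return model, template, history  # this model would update model 541
    return None, None, history  # nothing met the set value: keep the deployed model

if __name__ == "__main__":
    _, chosen, runs = optimize([("payload_kb",), ("auth_rate", "payload_kb")], [0.9, 0.5])
    for template, frac, rate in runs:
        print(template, frac, rate)
    print("deployed template:", chosen)
```

With this constructed data, changing the labeling parameter never lifts the payload-only template above a 0.5 match rate, while the template that includes `auth_rate` passes once the parameter is lowered. The verified set I3/C2 is the only gate on what reaches model 541, so its quality bounds the quality of every retrained model.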
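In this way, the artificial intelligence system 1 for resisting network attacks can use the artificial intelligence model 541 to quickly identify and filter network packets P1 that exhibit attack behavior, so no additional or more complex equipment needs to be installed, which reduces installation cost. In addition, during the identity authentication stage, the identity authentication device 3 can also, through the artificial intelligence model 541, use the behavioral feature information I1 parsed by the feature template 531 to judge whether a network packet P1 is a normal or a malicious network packet, and the feature information result R1 is then used to store the user equipment 2 that generated the malicious network packet P1 in the filtered-user database 511. This avoids the problem of a large amount of computing resources being consumed by malicious attacks from user equipment 2 that generates malicious network packets P1.
The present invention has been described in detail above. However, the above is only a preferred embodiment of the present invention and does not limit the scope in which the invention may be implemented; all equivalent changes and modifications made according to the claimed scope of the present invention shall still fall within the scope covered by the patent of the present invention.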
1: Artificial intelligence system for resisting network attacks
2: User equipment
3: Identity authentication device
4: Server equipment
5: Network equipment
51: Packet filtering unit
511: Filtered-user database
52: Packet capture unit
521: Packet storage unit
53: Feature extraction unit
531: Feature template
532: Feature storage unit
54: Processing unit
541: Artificial intelligence model
55: Automatic feature labeling unit
551: Automatic feature label storage unit
56: Training unit
561: To-be-trained model
562: Trained model
57: Comparison unit
58: Correct feature label storage unit
59: Optimization unit
P1: Network packet
I1: Behavioral feature information
I2: Packet information
R1: Feature information result
C1: Automatic feature classification label
I3: Training feature information
C2: Correct feature classification label
S1~S7: Steps
S41~S45: Steps
S4511~S4516: Steps
S4521~S4528: Steps
Figure 1 is a schematic diagram of the system architecture of the artificial intelligence system for resisting network attacks of the present invention.
Figure 2 is a schematic diagram of an implementation of the system architecture of the artificial intelligence system for resisting network attacks of the present invention.
Figure 3 is a schematic diagram of another implementation of the system architecture of the artificial intelligence system for resisting network attacks of the present invention.
Figure 4 is a schematic diagram of the content of the behavioral feature information of the present invention.
Figure 5 is a schematic diagram of an implementation of another system architecture optimization approach of the artificial intelligence system for resisting network attacks of the present invention.
Figure 6 is a flow chart of the artificial intelligence method for resisting network attacks of the present invention.
Figure 7 is a further flow chart of the artificial intelligence method for resisting network attacks of the present invention.
Figure 8 is a flow chart of the comparison performed by the artificial intelligence method for resisting network attacks of the present invention.
Figure 9 is a flow chart of the optimization performed by the artificial intelligence method for resisting network attacks of the present invention.
Figure 10 is a flow chart of another optimization performed by the artificial intelligence method for resisting network attacks of the present invention.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW111112181A TWI813233B (en) | 2022-03-30 | 2022-03-30 | System and method for artificial intelligence against network attack |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW111112181A TWI813233B (en) | 2022-03-30 | 2022-03-30 | System and method for artificial intelligence against network attack |
Publications (2)
Publication Number | Publication Date |
---|---|
TWI813233B true TWI813233B (en) | 2023-08-21 |
TW202338642A TW202338642A (en) | 2023-10-01 |
Family
ID=88585745
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
TW111112181A TWI813233B (en) | 2022-03-30 | 2022-03-30 | System and method for artificial intelligence against network attack |
Country Status (1)
Country | Link |
---|---|
TW (1) | TWI813233B (en) |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
TW201946416A (en) * | 2018-04-26 | 2019-12-01 | 中華電信股份有限公司 | System of host protection based on moving target defense and method thereof |
-
2022
- 2022-03-30 TW TW111112181A patent/TWI813233B/en active
Also Published As
Publication number | Publication date |
---|---|
TW202338642A (en) | 2023-10-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2021082339A1 (en) | Machine learning and rule matching integrated security detection method and device | |
US20220224706A1 (en) | Artificial intelligence-based network security protection method and apparatus, and electronic device | |
US11057403B2 (en) | Suspicious packet detection device and suspicious packet detection method thereof | |
US9729655B2 (en) | Managing transfer of data in a data network | |
US9009830B2 (en) | Inline intrusion detection | |
US7630379B2 (en) | Systems and methods for improved network based content inspection | |
US6741595B2 (en) | Device for enabling trap and trace of internet protocol communications | |
US20210303984A1 (en) | Machine-learning based approach for classification of encrypted network traffic | |
CN109768981B (en) | Network attack defense method and system based on machine learning under SDN architecture | |
Fallah et al. | Android malware detection using network traffic based on sequential deep learning models | |
CN114448654B (en) | Block chain-based distributed trusted audit security evidence storing method | |
CN107666486A (en) | A kind of network data flow restoration methods and system based on message protocol feature | |
KR102083028B1 (en) | System for detecting network intrusion | |
CN112769623A (en) | Internet of things equipment identification method under edge environment | |
CN116346418A (en) | DDoS detection method and device based on federal learning | |
CN115150278B (en) | Use of a Data Processing Unit (DPU) as a preprocessor for Graphics Processing Unit (GPU) based machine learning | |
CN108667804B (en) | DDoS attack detection and protection method and system based on SDN architecture | |
CN114598499A (en) | Network risk behavior analysis method combined with business application | |
TWI813233B (en) | System and method for artificial intelligence against network attack | |
JP7494240B2 (en) | AI-based network attack defense system and method | |
EP4207681A1 (en) | Artificial intelligence system and method thereof for defending against cyber attacks | |
US20230319101A1 (en) | Artificial intelligence system and method thereof for defending against cyber attacks | |
CN113949653B (en) | Encryption protocol identification method and system based on deep learning | |
Li et al. | Composite lightweight traffic classification system for network management | |
Kapre et al. | Behaviour based botnet detection with traffic analysis and flow interavals using PSO and SVM |