CN106534191B - Network intrusion detection method and device - Google Patents
- Publication number: CN106534191B (application CN201611155840.0A)
- Authority: CN (China)
- Legal status: Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Abstract
The present invention provides a network intrusion detection method and device. The method comprises: performing misuse detection on network data collected in real time according to a current intrusion feature database; when it is determined that the network data contains intrusion behaviour, processing the feature value sequences of the network data according to a genetic algorithm to obtain current feature value sequences; and calculating the fitness value of each current feature value sequence and storing those whose fitness value is greater than a threshold in the current intrusion feature database, the threshold having been obtained in advance by processing at least one training feature value sequence in the current intrusion feature database. The disclosed method not only detects network traffic data but also applies crossover and mutation to the detected intrusion behaviour according to the genetic algorithm and, by comparison with the fitness threshold, obtains further intrusion behaviours, so that the intrusion feature database is continuously updated and the accuracy of network intrusion detection is continuously improved.
Description
Technical field
The present invention relates to the field of information security technology, and more specifically to a network intrusion detection method and device.
Background art
With the development of Internet technology, network information security has become an important topic in the development of network information. A NIDS (Network Intrusion Detection System) is another important security technology alongside conventional protective measures such as firewalls and data encryption.
The mainstream network intrusion detection systems at present are misuse detection systems. A misuse detection system matches the feature value sequences of the collected network data against a pre-established intrusion feature database to detect whether the network data contains intrusion behaviour. However, because the intrusion feature database cannot be updated in a timely manner, detection accuracy is lower.
In view of this, how to update the intrusion feature database in a timely manner and thereby improve intrusion detection accuracy is a problem that those skilled in the art urgently need to solve.
Summary of the invention
In view of this, the present invention provides a network intrusion detection method and device to solve the problem in existing technical solutions that detection accuracy is lower because the intrusion behaviour feature database cannot be updated in a timely manner. The technical solution is as follows:
A network intrusion detection method, comprising:
performing misuse detection on network data collected in real time according to a current intrusion feature database;
when it is determined that the network data contains intrusion behaviour, processing the feature value sequences of the network data according to a genetic algorithm to obtain current feature value sequences;
calculating the fitness value of each current feature value sequence and storing the current feature value sequences whose fitness value is greater than a threshold in the current intrusion feature database, the threshold being obtained in advance by processing at least one training feature value sequence in the current intrusion feature database.
Preferably, after the current feature value sequences whose fitness value is greater than the threshold are stored in the current intrusion feature database, the method further comprises:
updating the current feature database.
Preferably, processing the feature value sequences of the network data according to the genetic algorithm to obtain the current feature value sequences comprises:
adding the feature value sequences of the network data to corresponding populations according to a first preset population construction rule, wherein the number of feature value sequences in each population is the same;
performing binary coding on all feature value sequences in each population based on a preset coding rule;
randomly pairing the coded feature value sequences between the populations, and performing crossover and mutation processing according to a first preset crossover and mutation rule, to obtain the current feature value sequences.
Preferably, the process of processing at least one training feature value sequence in the current intrusion feature database in advance to obtain the threshold comprises:
adding at least one training feature value sequence in the current intrusion feature database to corresponding training populations according to a second preset population construction rule, wherein the number of training feature value sequences in each training population is the same;
performing binary coding on all training feature value sequences in each training population based on the preset coding rule;
randomly pairing the coded training feature value sequences between the training populations, and performing crossover and mutation processing according to a second preset crossover and mutation rule and a maximum evolutionary generation, to obtain current training feature value sequences;
calculating the fitness value of each current training feature value sequence;
judging whether every current training feature value sequence whose fitness value is less than the current threshold is absent from the current intrusion feature database;
if so, determining the current threshold as the threshold;
if not, determining the minimum fitness value of the current training feature value sequences present in the current intrusion feature database as the current threshold, and returning to the step of adding at least one training feature value sequence in the current intrusion feature database to corresponding training populations according to the preset population construction rule.
A network intrusion detection device, comprising: a misuse detection module, a genetic algorithm processing module and a calculation and storage module, the calculation and storage module further comprising a threshold obtaining module;
the misuse detection module is configured to perform misuse detection on network data collected in real time according to a current intrusion feature database;
the genetic algorithm processing module is configured to, when it is determined that the network data contains intrusion behaviour, process the feature value sequences of the network data according to a genetic algorithm to obtain current feature value sequences;
the calculation and storage module is configured to calculate the fitness value of each current feature value sequence and store the current feature value sequences whose fitness value is greater than a threshold in the current intrusion feature database;
the threshold obtaining module is configured to process at least one training feature value sequence in the current intrusion feature database in advance to obtain the threshold.
Preferably, the device further comprises, after the calculation and storage module, an update module;
the update module is configured to update the current feature database.
Preferably, the genetic algorithm processing module comprises a population construction unit, a first coding unit and a first crossover and mutation unit;
the population construction unit is configured to add the feature value sequences of the network data to corresponding populations according to a first preset population construction rule, wherein the number of feature value sequences in each population is the same;
the first coding unit is configured to perform binary coding on all feature value sequences in each population based on a preset coding rule;
the first crossover and mutation unit is configured to randomly pair the coded feature value sequences between the populations and perform crossover and mutation processing according to a first preset crossover and mutation rule, to obtain the current feature value sequences.
Preferably, the threshold obtaining module comprises a training population construction unit, a second coding unit, a second crossover and mutation unit, a calculation unit, a judging unit, a first threshold determination unit and a second threshold determination unit;
the training population construction unit is configured to add at least one training feature value sequence in the current intrusion feature database to corresponding training populations according to a second preset population construction rule, wherein the number of training feature value sequences in each training population is the same;
the second coding unit is configured to perform binary coding on all training feature value sequences in each training population based on the preset coding rule;
the second crossover and mutation unit is configured to randomly pair the coded training feature value sequences between the training populations and perform crossover and mutation processing according to a second preset crossover and mutation rule and a maximum evolutionary generation, to obtain current training feature value sequences;
the calculation unit is configured to calculate the fitness value of each current training feature value sequence;
the judging unit is configured to judge whether every current training feature value sequence whose fitness value is less than the current threshold is absent from the current intrusion feature database; if so, to trigger the first threshold determination unit; if not, to trigger the second threshold determination unit;
the first threshold determination unit is configured to determine the current threshold as the threshold;
the second threshold determination unit is configured to determine the minimum fitness value of the current training feature value sequences present in the current intrusion feature database as the current threshold, and to trigger the training population construction unit.
Compared with the prior art, the present invention achieves the following beneficial effects:
By combining misuse detection with a genetic algorithm, the network intrusion detection method and device disclosed by the present invention not only detect network traffic data but also apply crossover and mutation to the detected intrusion behaviour according to the genetic algorithm and, by comparison with the fitness threshold, obtain further intrusion behaviours, so that the intrusion feature database is continuously updated and the accuracy of network intrusion detection is continuously improved.
Brief description of the drawings
In order to explain the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a network intrusion detection method disclosed in embodiment one of the present invention;
Fig. 2 is a flow chart of a network intrusion detection method disclosed in embodiment two of the present invention;
Fig. 3 is a partial flow chart of a network intrusion detection method disclosed in embodiment three of the present invention;
Fig. 4 is a partial flow chart of another network intrusion detection method disclosed in embodiment three of the present invention;
Fig. 5 is a schematic structural diagram of a network intrusion detection device disclosed in embodiment four of the present invention;
Fig. 6 is a schematic structural diagram of a network intrusion detection device disclosed in embodiment five of the present invention;
Fig. 7 is a partial structural diagram of a network intrusion detection device disclosed in embodiment six of the present invention;
Fig. 8 is a partial structural diagram of another network intrusion detection device disclosed in embodiment six of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Embodiment one
Embodiment one of the present invention discloses a network intrusion detection method applied to a network intrusion detection device. The flow chart of the method is shown in Fig. 1 and comprises the following steps:
S101, performing misuse detection on network data collected in real time according to a current intrusion feature database;
When executing step S101, misuse detection is performed on the network data collected in real time by comparing the feature value sequences of the network data with the current intrusion feature database to judge whether the network data contains intrusion behaviour. The collected network data may include the values of at least one preset parameter, a preset parameter being a feature that changes most noticeably when an attack occurs in the network system. The preset parameters include, but are not limited to, the IP source address, IP destination address, source port, destination port, IP packet flag field, TCP source port, TCP destination port and/or TCP acknowledgement number, and can be set according to actual needs.
S102, when it is determined that the network data contains intrusion behaviour, processing the feature value sequences of the network data according to a genetic algorithm to obtain current feature value sequences;
When executing step S102, the feature value sequences of at least one item of network data containing intrusion behaviour collected within a preset period are processed according to the genetic algorithm; for example, the 5 items of network data with intrusion behaviour detected in the 10 s and the 5 items detected in the following 15 s are processed according to the genetic algorithm.
S103, calculating the fitness value of each current feature value sequence and storing the current feature value sequences whose fitness value is greater than a threshold in the current intrusion feature database, the threshold being obtained in advance by processing at least one training feature value sequence in the current intrusion feature database.
When executing step S103, the fitness value of each current feature value sequence is calculated according to a fitness calculation formula. Since the fitness value indicates the likelihood that the network data contains intrusion behaviour, a larger fitness value indicates a greater likelihood of intrusion behaviour.
It should be noted that a genetic algorithm is a search algorithm used in mathematics to solve optimisation problems and is a kind of evolutionary algorithm. Evolutionary algorithms originally drew on phenomena in evolutionary biology, including heredity, mutation, natural selection and hybridisation.
By combining misuse detection with a genetic algorithm, the network intrusion detection method disclosed in this embodiment of the present invention not only detects network traffic data but also applies crossover and mutation to the detected intrusion behaviour according to the genetic algorithm and, by comparison with the fitness threshold, obtains further intrusion behaviours, so that the intrusion feature database is continuously updated and the accuracy of network intrusion detection is continuously improved.
Embodiment two
With reference to the network intrusion detection method disclosed in embodiment one and Fig. 1, embodiment two of the present invention also provides a network intrusion detection method. The flow chart of the method is shown in Fig. 2 and comprises the following steps:
S101, performing misuse detection on network data collected in real time according to a current intrusion feature database;
S102, when it is determined that the network data contains intrusion behaviour, processing the feature value sequences of the network data according to a genetic algorithm to obtain current feature value sequences;
S103, calculating the fitness value of each current feature value sequence and storing the current feature value sequences whose fitness value is greater than a threshold in the current intrusion feature database, the threshold being obtained in advance by processing at least one training feature value sequence in the current intrusion feature database;
S104, updating the current feature database.
It should be noted that the current intrusion feature database may be a preset initial intrusion feature database, or the initial intrusion feature database may be updated before misuse detection is performed on the network data and the updated initial intrusion feature database used as the current intrusion feature database.
It should also be noted that, in the network intrusion detection method disclosed in embodiment two, the execution of steps S101 to S103 is the same as that of steps S101 to S103 disclosed in embodiment one above; details are not repeated here, and reference is made to the corresponding part of embodiment one.
The network intrusion detection method disclosed in this embodiment of the present invention updates the feature database, increasing the feature value sequences in the database, so that the next network data detection process is executed using the updated feature database and detection accuracy continuously increases.
Embodiment three
With reference to the network intrusion detection method disclosed in embodiment one and embodiment two and shown in Figs. 1 and 2, the specific process of step S102, in which the feature value sequences of the network data are processed according to the genetic algorithm to obtain the current feature value sequences, is shown in Fig. 3 and comprises the following steps:
S301, adding the feature value sequences of the network data to corresponding populations according to a first preset population construction rule, wherein the number of feature value sequences in each population is the same;
When executing step S301, the feature value sequences of the continuously collected network data are added in turn to the corresponding populations according to the first preset population construction rule, for example constructing 2 populations with 3 feature value sequences in each population.
S302, performing binary coding on all feature value sequences in each population based on a preset coding rule;
When executing step S302, the preset coding rule may, for example, code the feature value of a parameter that changes when intrusion behaviour occurs as 1 and the feature values of the other parameters as 0. Assuming that the currently collected network data includes the values of three parameters, the IP source address, IP destination address and source port, and that only the IP source address changes when intrusion behaviour occurs, then according to the preset coding rule the feature value of the IP source address is coded as 1 and the feature values of the IP destination address and source port are coded as 0.
S303, randomly pairing the coded feature value sequences between the populations, and performing crossover and mutation processing according to a first preset crossover and mutation rule, to obtain the current feature value sequences;
When executing step S303, the first preset crossover and mutation rule may, for example, be: for each successfully paired pair of coded feature value sequences, randomly select a crossover point and exchange the three coded values before the crossover point to complete the crossover; at the same time, randomly select one coded feature value and mutate it, changing 0 to 1 or 1 to 0. It should be noted that there is no fixed order between crossover and mutation; both are carried out at random during the crossover and mutation processing.
By combining misuse detection with a genetic algorithm, the network intrusion detection method disclosed in this embodiment of the present invention not only detects network traffic data but also applies crossover and mutation to the detected intrusion behaviour according to the genetic algorithm and, by comparison with the fitness threshold, obtains further intrusion behaviours, so that the intrusion feature database is continuously updated and the accuracy of network intrusion detection is continuously improved.
With reference to the network intrusion detection method disclosed in embodiment one and embodiment two and shown in Figs. 1 and 2, the specific process in step S103 of processing at least one training feature value sequence in the current intrusion feature database in advance to obtain the threshold is shown in Fig. 4 and comprises the following steps:
S401, adding at least one training feature value sequence in the current intrusion feature database to corresponding training populations according to a second preset population construction rule, wherein the number of training feature value sequences in each training population is the same;
S402, performing binary coding on all training feature value sequences in each training population based on the preset coding rule;
S403, randomly pairing the coded training feature value sequences between the training populations, and performing crossover and mutation processing according to a second preset crossover and mutation rule and a maximum evolutionary generation, to obtain current training feature value sequences;
When executing step S403, the current population evolution generation is set to 0 and the coded training feature value sequences are randomly paired between the training populations; crossover and mutation processing is performed according to the second preset crossover and mutation rule and the current population evolution generation is increased by 1; the maximum evolutionary generation of the training populations is calculated according to the preset current threshold, and it is judged whether the current training population evolution generation is less than the maximum evolutionary generation; if so, the sequences are again randomly paired between the training populations, crossover and mutation processing is performed, the current population evolution generation is increased by 1, and it is again judged whether the current training population evolution generation is less than the maximum evolutionary generation.
S404, calculating the fitness value of each current training feature value sequence;
S405, judging whether every current training feature value sequence whose fitness value is less than the current threshold is absent from the current intrusion feature database; if so, executing step S406; if not, executing step S407;
S406, determining the current threshold as the threshold;
S407, determining the minimum fitness value of the current training feature value sequences present in the current intrusion feature database as the current threshold, and returning to step S401.
It should be noted that, when the fitness threshold is trained for the first time, the current threshold can be preset.
By combining misuse detection with a genetic algorithm, the network intrusion detection method disclosed in this embodiment of the present invention not only detects network traffic data but also applies crossover and mutation to the detected intrusion behaviour according to the genetic algorithm and, by comparison with the fitness threshold, obtains further intrusion behaviours, so that the intrusion feature database is continuously updated and the accuracy of network intrusion detection is continuously improved.
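The following added example (written for this page, not the patent's own code) runs the population construction, coding and crossover-and-mutation steps S301 to S303, the threshold training loop S401 to S407, and the detect-and-store loop S101 to S104 end to end on constructed data. It generalises the patent's example of exchanging three coded values to exchanging any prefix before the crossover point, and it assumes the parameter layout PARAMS, that a parameter counts as changed when it differs from a constructed BASELINE, that the database stores signatures in coded form, a fitness formula (fraction of changed parameters) and a maximum-generation rule (round(threshold * 10)), none of which the patent specifies.

```python
import random

# Assumed parameter layout of a feature value sequence. The patent names these
# parameters as examples; the order and the eight-field width are chosen here.
PARAMS = ("ip_src", "ip_dst", "src_port", "dst_port",
          "ip_flags", "tcp_src", "tcp_dst", "tcp_ack")

# Constructed baseline of a normal connection; a record "changes" where it differs.
BASELINE = dict(zip(PARAMS, ("10.0.0.5", "10.0.0.9", 51000, 443, 0, 51000, 443, 1000)))

# Constructed initial intrusion feature database (signatures kept in coded form).
KNOWN_SIGNATURES = [
    (1, 0, 0, 0, 0, 0, 0, 0),   # only the IP source address changed (the S302 example)
    (1, 0, 1, 0, 0, 1, 0, 0),
    (0, 1, 0, 1, 0, 0, 1, 0),
    (1, 1, 0, 0, 1, 0, 0, 0),
    (0, 0, 0, 0, 0, 0, 0, 1),
    (1, 0, 0, 0, 0, 0, 0, 1),
]


def record(**changes):
    """Build a constructed network-data record: the baseline plus the given changes."""
    rec = dict(BASELINE)
    rec.update(changes)
    return rec


def encode(rec, baseline=BASELINE):
    """S302 coding rule: a parameter whose value changed is coded 1, all others 0."""
    return tuple(int(rec[p] != baseline[p]) for p in PARAMS)


def build_populations(seqs, n_pops=2, pop_size=3):
    """S301/S401: fill n_pops populations of pop_size sequences in arrival order."""
    assert len(seqs) >= n_pops * pop_size, "not enough sequences to fill the populations"
    return [seqs[i * pop_size:(i + 1) * pop_size] for i in range(n_pops)]


def crossover_mutate(pops, rng):
    """S303/S403 for two populations: pair sequences across the populations at random,
    exchange the bits before a random crossover point (the patent's example exchanges
    three), then flip one random bit of each child (0 -> 1 or 1 -> 0)."""
    children = []
    for a, b in zip(pops[0], rng.sample(pops[1], len(pops[1]))):
        point = rng.randrange(1, len(a))
        for child in (b[:point] + a[point:], a[:point] + b[point:]):
            bits = list(child)
            bits[rng.randrange(len(bits))] ^= 1
            children.append(tuple(bits))
    return children


def fitness(seq):
    """Assumed fitness formula (the patent gives none): the fraction of parameters
    that changed, so a larger value means an intrusion is more likely."""
    return sum(seq) / len(seq)


def max_generations(threshold):
    """Assumed rule deriving the maximum evolutionary generation from the threshold."""
    return max(1, round(threshold * 10))


def train_threshold(db, current, rng):
    """S401-S407: evolve the stored signatures; accept the current threshold once no
    evolved sequence below it is itself a stored signature, otherwise lower it to the
    smallest fitness of an evolved stored signature and repeat. Each repeat strictly
    lowers the threshold over finitely many fitness values, so the loop terminates."""
    while True:
        pops = build_populations(db)                                    # S401/S402
        for _ in range(max_generations(current)):                       # S403
            pops = build_populations(crossover_mutate(pops, rng))
        evolved = [s for pop in pops for s in pop]                      # S404
        if not any(fitness(s) < current and s in db for s in evolved):  # S405
            return current                                              # S406
        current = min(fitness(s) for s in evolved if s in db)           # S407


def detect_and_update(records, db, threshold, rng):
    """S101-S104 for one collection window: flag records whose coded sequence is a
    stored signature, evolve the flagged sequences, and store as new signatures the
    children whose fitness exceeds the threshold."""
    flagged = [s for s in map(encode, records) if s in db]              # S101
    if len(flagged) < 6:
        return flagged, []            # too few intrusions in this window for 2 x 3
    children = crossover_mutate(build_populations(flagged), rng)        # S102
    added = [c for c in dict.fromkeys(children) if fitness(c) > threshold and c not in db]
    db.extend(added)                                                    # S103/S104
    return flagged, added


def run_demo(seed=7):
    """Train the threshold, then process one constructed collection window."""
    rng = random.Random(seed)
    db = list(KNOWN_SIGNATURES)
    threshold = train_threshold(db, 0.5, rng)
    window = [record(ip_src="203.0.113.7"),
              record(ip_src="203.0.113.7", src_port=40000, tcp_src=40000),
              record(ip_dst="10.0.0.20", dst_port=8080, tcp_dst=8080),
              record(ip_src="203.0.113.7", ip_dst="10.0.0.20", ip_flags=1),
              record(tcp_ack=99),
              record(ip_src="203.0.113.7", tcp_ack=99),
              record()]                           # benign record: nothing changed
    flagged, added = detect_and_update(window, db, threshold, rng)
    return threshold, flagged, added, db
```

Calling run_demo() returns the trained threshold, the six flagged sequences, the newly stored signatures and the grown database; the benign record is never flagged because its all-zero code is not a stored signature.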
Embodiment four
Based on the network intrusion detection method disclosed in the above embodiments, embodiment four of the present invention correspondingly discloses a network intrusion detection device that executes the above network intrusion detection method. Its schematic structural diagram is shown in Fig. 5. The network intrusion detection device 500 comprises a misuse detection module 501, a genetic algorithm processing module 502 and a calculation and storage module 503, and the calculation and storage module 503 further comprises a threshold obtaining module 5031;
the misuse detection module 501 is configured to perform misuse detection on network data collected in real time according to a current intrusion feature database;
the genetic algorithm processing module 502 is configured to, when it is determined that the network data contains intrusion behaviour, process the feature value sequences of the network data according to a genetic algorithm to obtain current feature value sequences;
the calculation and storage module 503 is configured to calculate the fitness value of each current feature value sequence and store the current feature value sequences whose fitness value is greater than a threshold in the current intrusion feature database;
the threshold obtaining module 5031 is configured to process at least one training feature value sequence in the current intrusion feature database in advance to obtain the threshold.
By combining misuse detection with a genetic algorithm, the network intrusion detection device disclosed in this embodiment of the present invention not only detects network traffic data but also applies crossover and mutation to the detected intrusion behaviour according to the genetic algorithm and, by comparison with the fitness threshold, obtains further intrusion behaviours, so that the intrusion feature database is continuously updated and the accuracy of network intrusion detection is continuously improved.
Embodiment five
With reference to the network intrusion detection device disclosed in embodiment four and Fig. 5, embodiment five of the present invention also provides a network intrusion detection device. Its schematic structural diagram is shown in Fig. 6. The network intrusion detection device 500 comprises a misuse detection module 501, a genetic algorithm processing module 502, a calculation and storage module 503 and an update module 504, and the calculation and storage module 503 further comprises a threshold obtaining module 5031;
the misuse detection module 501 is configured to perform misuse detection on network data collected in real time according to a current intrusion feature database;
the genetic algorithm processing module 502 is configured to, when it is determined that the network data contains intrusion behaviour, process the feature value sequences of the network data according to a genetic algorithm to obtain current feature value sequences;
the calculation and storage module 503 is configured to calculate the fitness value of each current feature value sequence and store the current feature value sequences whose fitness value is greater than a threshold in the current intrusion feature database;
the threshold obtaining module 5031 is configured to process at least one training feature value sequence in the current intrusion feature database in advance to obtain the threshold;
the update module 504 is configured to update the current feature database.
The network intrusion detection device disclosed in this embodiment of the present invention updates the feature database, increasing the feature value sequences in the database, so that the next network data detection process is executed using the updated feature database and detection accuracy continuously increases.
Embodiment six
With reference to the network intrusion detection device disclosed in embodiment four and embodiment five and shown in Figs. 5 and 6, the genetic algorithm processing module 502 in the network intrusion detection device 500 has the schematic structural diagram shown in Fig. 7 and comprises a population construction unit 701, a first coding unit 702 and a first crossover and mutation unit 703;
the population construction unit 701 is configured to add the feature value sequences of the network data to corresponding populations according to a first preset population construction rule, wherein the number of feature value sequences in each population is the same;
the first coding unit 702 is configured to perform binary coding on all feature value sequences in each population based on a preset coding rule;
the first crossover and mutation unit 703 is configured to randomly pair the coded feature value sequences between the populations and perform crossover and mutation processing according to the first preset crossover and mutation rule, to obtain the current feature value sequences.
By combining misuse detection with a genetic algorithm, the network intrusion detection device disclosed in this embodiment of the present invention not only detects network traffic data but also applies crossover and mutation to the detected intrusion behaviour according to the genetic algorithm and, by comparison with the fitness threshold, obtains further intrusion behaviours, so that the intrusion feature database is continuously updated and the accuracy of network intrusion detection is continuously improved.
In combination with the network intrusion detection devices disclosed in embodiments four and five of the present invention and shown in Figure 5 and Figure 6, the threshold obtaining module 5031 of the network intrusion detection device 500 has the structure shown in Figure 8 and comprises a training population composing unit 801, a second encoding unit 802, a second crossover-and-mutation unit 803, a computing unit 804, a judging unit 805, a first threshold determination unit 806 and a second threshold determination unit 807;
Training population composing unit 801, configured to add at least one training feature value sequence in the current intrusion signature database to corresponding training populations according to a second preset population composing rule, where every training population contains the same number of training feature value sequences;
Second encoding unit 802, configured to binary-encode all training feature value sequences in each training population according to a preset encoding rule;
Second crossover-and-mutation unit 803, configured to randomly pair the encoded training feature value sequences between the training populations, two at a time, and to perform crossover and mutation according to a second preset crossover-and-mutation rule and a maximum number of generations, obtaining each current training feature value sequence;
Computing unit 804, configured to calculate the fitness value of each current training feature value sequence;
Judging unit 805, configured to judge whether every current training feature value sequence whose fitness value is less than the current threshold is absent from the current intrusion signature database; if so, to trigger the first threshold determination unit 806; if not, to trigger the second threshold determination unit 807;
First threshold determination unit 806, configured to determine the current threshold as the threshold;
Second threshold determination unit 807, configured to determine the minimum fitness value of the current training feature value sequences that are in the current intrusion signature database as the current threshold, and to trigger the training population composing unit again.
The network intrusion detection device disclosed in this embodiment of the present invention combines misuse detection with a genetic algorithm: it not only detects network traffic data, but also applies crossover and mutation to the detected intrusion behaviour according to the genetic algorithm and, by comparison with the fitness threshold, obtains more intrusion behaviours, so that the intrusion signature database is continuously updated and the accuracy of network intrusion detection continuously improves.
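The genetic algorithm processing module (units 701 to 703) and the threshold obtaining module (units 801 to 807) described above, worked through as an added Python example; this is not the patent's own code nor that of any implementation of it. The feature layout (four bucketed traffic features, 4 bits each), the fitness function (mean scaled feature value), the exact-match misuse detection, the population composing rule (consecutive groups of equal size) and the crossover-and-mutation rule (single-point crossover, bit-flip mutation) are all assumptions made here, and the sample feature sequences are constructed:

```python
"""Genetic-algorithm evolution of intrusion feature sequences (added example).

Follows the population / encoding / crossover-mutation / fitness-threshold
steps of the text.  Feature layout, fitness, the misuse-detection match and
the preset "rules" are assumptions so the procedure can run end to end.
"""
import random
from typing import List, Sequence, Tuple

FeatureSeq = Tuple[int, ...]

# Assumed feature layout: four bucketed traffic features, each in 0..15.
N_VALUES, BITS_PER_VALUE = 4, 4
VALUE_MAX = (1 << BITS_PER_VALUE) - 1

# Constructed sample data: sequences already in the intrusion signature
# database, and sequences extracted from traffic that was just flagged.
KNOWN_INTRUSION_FEATURES: List[FeatureSeq] = [
    (15, 14, 12, 9), (12, 15, 8, 10), (9, 11, 14, 6), (14, 13, 11, 12)]
DETECTED_SAMPLE: List[FeatureSeq] = [
    (15, 14, 12, 9), (13, 12, 10, 11), (12, 15, 8, 10), (11, 14, 13, 8)]


def make_rng(seed: int) -> random.Random:
    """Seeded generator so a run can be reproduced."""
    return random.Random(seed)


def misuse_detect(seq: FeatureSeq, feature_db: Sequence[FeatureSeq]) -> bool:
    """Misuse detection (assumed): exact match against a stored signature."""
    return seq in feature_db


def encode(seq: FeatureSeq) -> str:
    """Preset encoding rule (assumed): fixed-width binary per feature value."""
    assert len(seq) == N_VALUES and all(0 <= v <= VALUE_MAX for v in seq)
    return "".join(format(v, f"0{BITS_PER_VALUE}b") for v in seq)


def decode(bits: str) -> FeatureSeq:
    return tuple(int(bits[i:i + BITS_PER_VALUE], 2)
                 for i in range(0, len(bits), BITS_PER_VALUE))


def fitness(seq: FeatureSeq) -> float:
    """Assumed fitness: mean feature value scaled to [0, 1].  The text fixes
    no fitness function; any deterministic score works with the loops below."""
    return sum(seq) / (N_VALUES * VALUE_MAX)


def build_populations(seqs: Sequence[FeatureSeq], size: int) -> List[List[str]]:
    """Population composing rule (assumed): consecutive groups of `size`
    encoded sequences; a remainder is dropped so every population holds the
    same number of sequences, as the text requires."""
    enc = [encode(s) for s in seqs]
    usable = len(enc) - len(enc) % size
    return [enc[i:i + size] for i in range(0, usable, size)]


def crossover_mutate(pops: List[List[str]], rng: random.Random,
                     crossover_rate: float = 0.9, mutation_rate: float = 0.02) -> List[str]:
    """Pair each member of population k at random with a member of population
    k+1 (wrapping), apply single-point crossover, then bit-flip mutation.
    One child per pair keeps the total number of sequences unchanged."""
    children = []
    for k, pop in enumerate(pops):
        mates = list(pops[(k + 1) % len(pops)])
        rng.shuffle(mates)
        for a, b in zip(pop, mates):
            if rng.random() < crossover_rate:
                cut = rng.randrange(1, len(a))
                a = a[:cut] + b[cut:]
            a = "".join(("1" if c == "0" else "0") if rng.random() < mutation_rate else c
                        for c in a)
            children.append(a)
    return children


def determine_threshold(feature_db: Sequence[FeatureSeq], rng: random.Random,
                        size: int = 2, max_generations: int = 5,
                        initial_threshold: float = 1.0, **ga_rules) -> float:
    """Threshold loop of units 801-807: evolve the stored sequences for
    max_generations, then require that no evolved sequence still present in
    the database scores below the current threshold; otherwise lower the
    threshold to the smallest such score and repeat.  Every failing round
    moves the threshold strictly down to the fitness of some database
    sequence, so the loop ends after at most len(feature_db) + 1 rounds."""
    db = set(feature_db)
    threshold = initial_threshold
    while True:
        pops = build_populations(list(feature_db), size)
        for _ in range(max_generations):
            children = crossover_mutate(pops, rng, **ga_rules)
            pops = build_populations([decode(c) for c in children], size)
        in_db = [decode(b) for pop in pops for b in pop if decode(b) in db]
        if all(fitness(s) >= threshold for s in in_db):
            return threshold
        threshold = min(fitness(s) for s in in_db)


def evolve_intrusion_features(detected: Sequence[FeatureSeq], feature_db: List[FeatureSeq],
                              threshold: float, rng: random.Random, size: int = 2,
                              **ga_rules) -> List[FeatureSeq]:
    """Units 701-703 plus the store/update step: build populations from the
    flagged data, encode, cross and mutate once, and add every child whose
    fitness exceeds the threshold to the signature database."""
    added: List[FeatureSeq] = []
    for child in crossover_mutate(build_populations(detected, size), rng, **ga_rules):
        seq = decode(child)
        if fitness(seq) > threshold and seq not in feature_db and seq not in added:
            added.append(seq)
    feature_db.extend(added)  # update module 504
    return added


if __name__ == "__main__":
    rng, db = make_rng(2016), list(KNOWN_INTRUSION_FEATURES)
    thr = determine_threshold(db, rng)
    if any(misuse_detect(s, db) for s in DETECTED_SAMPLE):  # intrusion found
        print("threshold=%.3f new=%s" % (thr, evolve_intrusion_features(DETECTED_SAMPLE, db, thr, rng)))
```

Two properties of the threshold loop are worth noting. It terminates because each failing round lowers the current threshold to the fitness of a sequence that is actually in the database, so the number of rounds is bounded by the database size; and the membership check passes trivially when crossover and mutation have driven every evolved training sequence away from the stored ones, in which case the initial threshold is returned unchanged. A deployment should therefore confirm that the evolved training population still overlaps the database before relying on the threshold it produces, and the fitness function must be deterministic for the comparison to be meaningful.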
The network intrusion detection method and device provided by the present invention have been described in detail above. Specific examples have been used herein to explain the principle and implementation of the invention; the description of the above embodiments is only intended to help in understanding the method of the invention and its core idea. At the same time, those skilled in the art may, according to the idea of the invention, make changes in the specific implementation and the scope of application. In conclusion, the content of this specification should not be construed as limiting the invention.
It should be noted that the embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to each other. Since the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, it is described relatively briefly, and the relevant parts may be found in the description of the method.
It should also be noted that relational terms such as first and second are used herein only to distinguish one entity or operation from another, without necessarily requiring or implying any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (6)
1. A network intrusion detection method, characterized by comprising:
performing misuse detection on network data collected in real time according to a current intrusion signature database;
when the network data is determined to contain intrusion behaviour, processing the feature value sequences of the network data according to a genetic algorithm to obtain each current feature value sequence;
calculating the fitness value of each current feature value sequence and storing each current feature value sequence whose fitness value is greater than a threshold in the current intrusion signature database, the threshold being obtained in advance by processing at least one training feature value sequence in the current intrusion signature database;
wherein the process of obtaining the threshold in advance by processing at least one training feature value sequence in the current intrusion signature database comprises:
according to a second preset population composing rule, adding at least one training feature value sequence in the current intrusion signature database to corresponding training populations, wherein every training population contains the same number of training feature value sequences;
binary-encoding all training feature value sequences in each training population according to a preset encoding rule;
randomly pairing the encoded training feature value sequences between the training populations, two at a time, and performing crossover and mutation according to a second preset crossover-and-mutation rule and a maximum number of generations, obtaining each current training feature value sequence;
calculating the fitness value of each current training feature value sequence;
judging whether every current training feature value sequence whose fitness value is less than the current threshold is absent from the current intrusion signature database;
if so, determining the current threshold as the threshold;
if not, determining the minimum fitness value of the current training feature value sequences that are in the current intrusion signature database as the current threshold, and returning to the step of adding at least one training feature value sequence in the current intrusion signature database to corresponding training populations according to the second preset population composing rule.
2. The method according to claim 1, characterized in that, after storing each current feature value sequence whose fitness value is greater than the threshold in the current intrusion signature database, the method further comprises:
updating the current signature database.
3. The method according to claim 1, characterized in that processing the feature value sequences of the network data according to the genetic algorithm to obtain each current feature value sequence comprises:
according to a first preset population composing rule, adding the feature value sequences of the network data to corresponding populations, wherein every population contains the same number of feature value sequences;
binary-encoding all feature value sequences in each population according to a preset encoding rule;
randomly pairing the encoded feature value sequences between the populations, two at a time, and performing crossover and mutation according to a first preset crossover-and-mutation rule, obtaining each current feature value sequence.
4. A network intrusion detection device, characterized by comprising a misuse detection module, a genetic algorithm processing module and a calculation and storage module, the calculation and storage module further comprising a threshold obtaining module;
the misuse detection module, configured to perform misuse detection on network data collected in real time according to a current intrusion signature database;
the genetic algorithm processing module, configured to, when the network data is determined to contain intrusion behaviour, process the feature value sequences of the network data according to a genetic algorithm to obtain each current feature value sequence;
the calculation and storage module, configured to calculate the fitness value of each current feature value sequence and to store each current feature value sequence whose fitness value is greater than a threshold in the current intrusion signature database;
the threshold obtaining module, configured to obtain the threshold in advance by processing at least one training feature value sequence in the current intrusion signature database;
wherein the threshold obtaining module comprises a training population composing unit, a second encoding unit, a second crossover-and-mutation unit, a computing unit, a judging unit, a first threshold determination unit and a second threshold determination unit;
the training population composing unit, configured to add at least one training feature value sequence in the current intrusion signature database to corresponding training populations according to a second preset population composing rule, wherein every training population contains the same number of training feature value sequences;
the second encoding unit, configured to binary-encode all training feature value sequences in each training population according to a preset encoding rule;
the second crossover-and-mutation unit, configured to randomly pair the encoded training feature value sequences between the training populations, two at a time, and to perform crossover and mutation according to a second preset crossover-and-mutation rule and a maximum number of generations, obtaining each current training feature value sequence;
the computing unit, configured to calculate the fitness value of each current training feature value sequence;
the judging unit, configured to judge whether every current training feature value sequence whose fitness value is less than the current threshold is absent from the current intrusion signature database; if so, to trigger the first threshold determination unit; if not, to trigger the second threshold determination unit;
the first threshold determination unit, configured to determine the current threshold as the threshold;
the second threshold determination unit, configured to determine the minimum fitness value of the current training feature value sequences that are in the current intrusion signature database as the current threshold, and to trigger the training population composing unit.
5. The device according to claim 4, characterized in that it further comprises, after the calculation and storage module, an update module;
the update module, configured to update the current signature database.
6. The device according to claim 4, characterized in that the genetic algorithm processing module comprises a population composing unit, a first encoding unit and a first crossover-and-mutation unit;
the population composing unit, configured to add the feature value sequences of the network data to corresponding populations according to a first preset population composing rule, wherein every population contains the same number of feature value sequences;
the first encoding unit, configured to binary-encode all feature value sequences in each population according to a preset encoding rule;
the first crossover-and-mutation unit, configured to randomly pair the encoded feature value sequences between the populations, two at a time, and to perform crossover and mutation according to a first preset crossover-and-mutation rule, obtaining each current feature value sequence.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611155840.0A CN106534191B (en) | 2016-12-14 | 2016-12-14 | A kind of network inbreak detection method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106534191A CN106534191A (en) | 2017-03-22 |
CN106534191B true CN106534191B (en) | 2019-06-21 |
Family
ID=58340006
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611155840.0A Active CN106534191B (en) | 2016-12-14 | 2016-12-14 | A kind of network inbreak detection method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106534191B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107426217B (en) * | 2017-07-27 | 2019-10-18 | 郑州云海信息技术有限公司 | A kind of method and device of detection system invasion |
CN110166454B (en) * | 2019-05-21 | 2021-11-16 | 重庆邮电大学 | Mixed feature selection intrusion detection method based on adaptive genetic algorithm |
CN110868414B (en) * | 2019-11-14 | 2021-07-13 | 北京理工大学 | Industrial control network intrusion detection method and system based on multi-voting technology |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101399672A (en) * | 2008-10-17 | 2009-04-01 | 章毅 | Intrusion detection method for fusion of multiple neutral networks |
CN103581188A (en) * | 2013-11-05 | 2014-02-12 | 中国科学院计算技术研究所 | Network security situation forecasting method and system |
CN103685268A (en) * | 2013-12-10 | 2014-03-26 | 华东理工大学 | Network intrusion detection method based on GPU and SVM |
CN104986347A (en) * | 2015-06-03 | 2015-10-21 | 中国民航大学 | Real-time detection method for civil aircraft airline pilot operation errors |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FI20096394A0 (en) * | 2009-12-23 | 2009-12-23 | Valtion Teknillinen | DETECTING DETECTION IN COMMUNICATIONS NETWORKS |
Non-Patent Citations (1)
Title |
---|
Network intrusion detection scheme combining fuzzy inference with a Michigan-type genetic algorithm; 马勇; 《电子设计工程》; 2016-06-05; p. 110 |
Also Published As
Publication number | Publication date |
---|---|
CN106534191A (en) | 2017-03-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20220060511A1 (en) | Ai-driven defensive cybersecurity strategy analysis and recommendation system | |
Cherdantseva et al. | A review of cyber security risk assessment methods for SCADA systems | |
CN108200030A (en) | Detection method, system, device and the computer readable storage medium of malicious traffic stream | |
CN106534191B (en) | A kind of network inbreak detection method and device | |
CN104346571B (en) | Security breaches management method, system and equipment | |
US20080215576A1 (en) | Fusion and visualization for multiple anomaly detection systems | |
CN111786950A (en) | Situation awareness-based network security monitoring method, device, equipment and medium | |
CN107835201A (en) | Network attack detecting method and device | |
CN101859274A (en) | Method and system for fuzz testing | |
CN105208040A (en) | Network attack detection method and device | |
CN110474878B (en) | DDoS attack situation early warning method and server based on dynamic threshold | |
CN112152962B (en) | Threat detection method and system | |
CN106446179B (en) | The generation method and device of hot topic | |
CN113434859A (en) | Intrusion detection method, device, equipment and storage medium | |
CN106534224A (en) | Intelligent network attack detection method and device | |
Zakrzewska et al. | Modeling cyber conflicts using an extended Petri Net formalism | |
CN109035777A (en) | Traffic circulation Situation analysis method and system | |
CN110321438A (en) | Real-time fraud detection method, device and electronic equipment based on complex network | |
CN112084505A (en) | Deep learning model malicious sample detection method, system, device and storage medium | |
Perelman et al. | Extreme impact contamination events sampling for real-sized water distribution systems | |
CN111343143A (en) | Data identification method, device and storage medium | |
CN104486353B (en) | A kind of security incident detection method and device based on flow | |
CN115455457A (en) | Chain data management method, system and storage medium based on intelligent big data | |
CN109714342A (en) | The guard method of a kind of electronic equipment and device | |
Boger et al. | Calculating the Maximum Response Time of Protection Systems of Industrial Control System Network to the Impact of a DDoS Attack |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||