CN106534191B - Network intrusion detection method and device - Google Patents

Publication number: CN106534191B
Authority: CN (China)
Legal status: Active
Application number: CN201611155840.0A
Other languages: Chinese (zh)
Other versions: CN106534191A
Inventors: 翟建军, 钟金鑫, 齐志彬, 陈青民, 李周, 丁晓
Current assignee: Beijing An Xin Tian Xing Technology Co Ltd
Original assignee: Beijing An Xin Tian Xing Technology Co Ltd
Events: application filed by Beijing An Xin Tian Xing Technology Co Ltd; priority to CN201611155840.0A; publication of CN106534191A; application granted; publication of CN106534191B; legal status active.

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416: Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science
  • Computer Security & Cryptography
  • Computer Hardware Design
  • Computing Systems
  • General Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Data Exchanges In Wide-Area Networks
  • Alarm Systems

Abstract

The present invention provides a network intrusion detection method and device. The method comprises: performing misuse detection on network data collected in real time according to the current intrusion feature database; when the network data is determined to contain intrusion behaviour, processing the feature value sequences of the network data according to a genetic algorithm to obtain each current feature value sequence; computing the fitness value of each current feature value sequence and storing the current feature value sequences whose fitness value is greater than a threshold in the current intrusion feature database, the threshold being obtained in advance by processing at least one training feature value sequence in the current intrusion feature database. The disclosed method not only detects network traffic data but also, under the genetic algorithm, applies crossover and mutation to the detected intrusion behaviour and obtains more intrusion behaviours by comparison with the fitness threshold, so that the intrusion feature database is continuously updated and the accuracy of network intrusion detection is continuously improved.

Description

Network intrusion detection method and device
Technical field
The present invention relates to the field of information security technology, and more specifically to a network intrusion detection method and device.
Background
With the development of Internet technology, network information security has become an important topic in the current development of network information. NIDS (Network Intrusion Detection System) is another important security technology after conventional protective measures such as firewalls and data encryption.
The mainstream network intrusion detection systems at present are misuse detection systems. A misuse detection system matches the feature value sequences of collected network data against a pre-established intrusion feature database to detect whether the network data contains intrusion behaviour. However, because the intrusion feature database cannot be updated in a timely manner, detection accuracy is low.
In view of this, how to update the intrusion feature database in a timely manner and thereby improve intrusion detection accuracy is a problem that those skilled in the art urgently need to solve.
Summary of the invention
In view of this, the present invention provides a network intrusion detection method and device to solve the problem in existing technical solutions of low detection accuracy caused by the intrusion behaviour feature database not being updated in a timely manner. The technical solution is as follows:
A network intrusion detection method, comprising:
performing misuse detection on network data collected in real time according to the current intrusion feature database;
when the network data is determined to contain intrusion behaviour, processing the feature value sequences of the network data according to a genetic algorithm to obtain each current feature value sequence;
computing the fitness value of each current feature value sequence and storing the current feature value sequences whose fitness value is greater than a threshold in the current intrusion feature database, the threshold being obtained in advance by processing at least one training feature value sequence in the current intrusion feature database.
Preferably, after storing the current feature value sequences whose fitness value is greater than the threshold in the current intrusion feature database, the method further comprises:
updating the current feature database.
Preferably, processing the feature value sequences of the network data according to the genetic algorithm to obtain each current feature value sequence comprises:
adding the feature value sequences of the network data to corresponding populations according to a first preset population composition rule, where the number of feature value sequences in each population is the same;
performing binary encoding on all feature value sequences in each population based on a preset encoding rule;
randomly pairing the encoded feature value sequences between the populations and performing crossover and mutation according to a first preset crossover and mutation rule to obtain each current feature value sequence.
Preferably, the process of processing in advance at least one training feature value sequence in the current intrusion feature database to obtain the threshold comprises:
adding at least one training feature value sequence in the current intrusion feature database to corresponding training populations according to a second preset population composition rule, where the number of training feature value sequences in each training population is the same;
performing binary encoding on all training feature value sequences in each training population based on the preset encoding rule;
randomly pairing the encoded training feature value sequences between the training populations and performing crossover and mutation according to a second preset crossover and mutation rule and a maximum number of evolutionary generations to obtain each current training feature value sequence;
computing the fitness value of each current training feature value sequence;
judging whether every current training feature value sequence whose fitness value is less than the current threshold is absent from the current intrusion feature database;
if so, determining the current threshold as the threshold;
if not, determining the minimum fitness value of the current training feature value sequences in the current intrusion feature database as the current threshold, and returning to the step of adding at least one training feature value sequence in the current intrusion feature database to corresponding training populations according to the preset population composition rule.
A network intrusion detection device, comprising: a misuse detection module, a genetic algorithm processing module and a computation and storage module, the computation and storage module further comprising a threshold acquisition module;
the misuse detection module is for performing misuse detection on network data collected in real time according to the current intrusion feature database;
the genetic algorithm processing module is for processing, when the network data is determined to contain intrusion behaviour, the feature value sequences of the network data according to a genetic algorithm to obtain each current feature value sequence;
the computation and storage module is for computing the fitness value of each current feature value sequence and storing the current feature value sequences whose fitness value is greater than a threshold in the current intrusion feature database;
the threshold acquisition module is for processing in advance at least one training feature value sequence in the current intrusion feature database to obtain the threshold.
Preferably, the device further comprises an update module following the computation and storage module;
the update module is for updating the current feature database.
Preferably, the genetic algorithm processing module comprises: a population composition unit, a first encoding unit and a first crossover and mutation unit;
the population composition unit is for adding the feature value sequences of the network data to corresponding populations according to the first preset population composition rule, where the number of feature value sequences in each population is the same;
the first encoding unit is for performing binary encoding on all feature value sequences in each population based on the preset encoding rule;
the first crossover and mutation unit is for randomly pairing the encoded feature value sequences between the populations and performing crossover and mutation according to the first preset crossover and mutation rule to obtain each current feature value sequence.
Preferably, the threshold acquisition module comprises: a training population composition unit, a second encoding unit, a second crossover and mutation unit, a computing unit, a judging unit, a first threshold determination unit and a second threshold determination unit;
the training population composition unit is for adding at least one training feature value sequence in the current intrusion feature database to corresponding training populations according to the second preset population composition rule, where the number of training feature value sequences in each training population is the same;
the second encoding unit is for performing binary encoding on all training feature value sequences in each training population based on the preset encoding rule;
the second crossover and mutation unit is for randomly pairing the encoded training feature value sequences between the training populations and performing crossover and mutation according to the second preset crossover and mutation rule and the maximum number of evolutionary generations to obtain each current training feature value sequence;
the computing unit is for computing the fitness value of each current training feature value sequence;
the judging unit is for judging whether every current training feature value sequence whose fitness value is less than the current threshold is absent from the current intrusion feature database; if so, triggering the first threshold determination unit; if not, triggering the second threshold determination unit;
the first threshold determination unit is for determining the current threshold as the threshold;
the second threshold determination unit is for determining the minimum fitness value of the current training feature value sequences in the current intrusion feature database as the current threshold, and triggering the training population composition unit.
Compared with the prior art, the present invention achieves the following beneficial effects:
The network intrusion detection method and device disclosed by the invention combine misuse detection with a genetic algorithm. They not only detect network traffic data but also, under the genetic algorithm, apply crossover and mutation to the detected intrusion behaviour and obtain more intrusion behaviours by comparison with the fitness threshold, so that the intrusion feature database is continuously updated and the accuracy of network intrusion detection is continuously improved.
Description of the drawings
In order to explain the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly described below. It should be apparent that the drawings in the following description are only embodiments of the invention; those of ordinary skill in the art can obtain other drawings from the drawings provided without creative effort.
Fig. 1 is a flow chart of a network intrusion detection method disclosed in Embodiment One of the present invention;
Fig. 2 is a flow chart of a network intrusion detection method disclosed in Embodiment Two of the present invention;
Fig. 3 is a partial flow chart of a network intrusion detection method disclosed in Embodiment Three of the present invention;
Fig. 4 is a partial flow chart of another network intrusion detection method disclosed in Embodiment Three of the present invention;
Fig. 5 is a structural schematic of a network intrusion detection device disclosed in Embodiment Four of the present invention;
Fig. 6 is a structural schematic of a network intrusion detection device disclosed in Embodiment Five of the present invention;
Fig. 7 is a partial structural schematic of a network intrusion detection device disclosed in Embodiment Six of the present invention;
Fig. 8 is a partial structural schematic of another network intrusion detection device disclosed in Embodiment Six of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Embodiment One
Embodiment One of the present invention discloses a network intrusion detection method applied to a network intrusion detection device. The method flow chart is shown in Fig. 1 and includes the following steps:
S101: perform misuse detection on network data collected in real time according to the current intrusion feature database;
During step S101, misuse detection is performed on the network data collected in real time by comparing the feature value sequences of the network data with the current intrusion feature database to judge whether the network data contains intrusion behaviour. The collected network data may include the values of at least one preset parameter; a preset parameter is a feature whose change is most apparent when an attack occurs in the network system. Preset parameters include but are not limited to IP source address, IP destination address, source port, destination port, IP packet instruction field, TCP source port, TCP destination port and/or TCP acknowledgment number, and can be set according to actual needs.
S102: when the network data is determined to contain intrusion behaviour, process the feature value sequences of the network data according to the genetic algorithm to obtain each current feature value sequence;
During step S102, the feature value sequences of at least one item of network data collected within a preset time period and found to contain intrusion behaviour are processed according to the genetic algorithm. For example, the 5 items of network data found to contain intrusion behaviour within the first 10 s and the 5 items found within the next 15 s are processed according to the genetic algorithm.
S103: compute the fitness value of each current feature value sequence and store the current feature value sequences whose fitness value is greater than the threshold in the current intrusion feature database, the threshold being obtained in advance by processing at least one training feature value sequence in the current intrusion feature database.
During step S103, the fitness value of each current feature value sequence is computed according to a fitness calculation formula. Since the fitness value indicates the likelihood that the network data contains intrusion behaviour, a larger fitness value indicates a greater likelihood of intrusion behaviour.
It should be noted that the genetic algorithm is a search algorithm used in mathematics to solve optimisation problems and is a kind of evolutionary algorithm. Evolutionary algorithms were originally developed by borrowing phenomena from evolutionary biology, including inheritance, mutation, natural selection and hybridisation.
The network intrusion detection method disclosed in this embodiment of the present invention combines misuse detection with a genetic algorithm. It not only detects network traffic data but also, under the genetic algorithm, applies crossover and mutation to the detected intrusion behaviour and obtains more intrusion behaviours by comparison with the fitness threshold, so that the intrusion feature database is continuously updated and the accuracy of network intrusion detection is continuously improved.
Embodiment Two
In combination with the network intrusion detection method disclosed in Embodiment One and Fig. 1, Embodiment Two of the present invention also provides a network intrusion detection method. The method flow chart is shown in Fig. 2 and includes the following steps:
S101: perform misuse detection on network data collected in real time according to the current intrusion feature database;
S102: when the network data is determined to contain intrusion behaviour, process the feature value sequences of the network data according to the genetic algorithm to obtain each current feature value sequence;
S103: compute the fitness value of each current feature value sequence and store the current feature value sequences whose fitness value is greater than the threshold in the current intrusion feature database, the threshold being obtained in advance by processing at least one training feature value sequence in the current intrusion feature database;
S104: update the current feature database.
It should be noted that the current intrusion feature database may be a preset initial intrusion feature database, or the initial intrusion feature database may be updated before misuse detection is performed on the network data and the updated initial intrusion feature database used as the current intrusion feature database.
It should also be noted that in the network intrusion detection method disclosed in Embodiment Two, the execution of steps S101 to S103 is the same as that of steps S101 to S103 disclosed in Embodiment One above and is not described again here; refer to the relevant part of Embodiment One.
The network intrusion detection method disclosed in this embodiment of the present invention adds feature value sequences to the feature database by updating it, so that the updated feature database is used in the next network data detection process and detection accuracy is continuously increased.
Embodiment Three
In combination with the network intrusion detection methods disclosed in Embodiment One and Embodiment Two, the specific process of step S102 shown in Fig. 1 and Fig. 2, processing the feature value sequences of the network data according to the genetic algorithm to obtain each current feature value sequence, is shown in Fig. 3 and includes the following steps:
S301: add the feature value sequences of the network data to corresponding populations according to the first preset population composition rule, where the number of feature value sequences in each population is the same;
During step S301, the first preset population composition rule may, for example, construct 2 populations with 3 feature value sequences in each population, and the feature value sequences of continuously collected network data are added to the corresponding populations in turn.
S302: perform binary encoding on all feature value sequences in each population based on the preset encoding rule;
During step S302, for example, the preset encoding rule sets the encoded feature value of a parameter that changes when intrusion behaviour occurs to 1 and the encoded feature value of every other parameter to 0. Suppose the currently collected network data includes the values of three parameters, IP source address, IP destination address and source port, and only the IP source address changes when intrusion behaviour occurs; then according to the preset encoding rule the IP source address feature value is encoded as 1, and the IP destination address feature value and source port feature value are encoded as 0.
S303: randomly pair the encoded feature value sequences between the populations and perform crossover and mutation according to the first preset crossover and mutation rule to obtain each current feature value sequence;
During step S303, for example, the first preset crossover and mutation rule randomly selects a crossover point in each pair of successfully paired encoded feature value sequences and exchanges the three encoded values before the crossover point to complete the crossover; at the same time, one encoded feature value is randomly selected and mutated, changing 0 to 1 or 1 to 0. It should be noted that there is no ordering between crossover and mutation; they are carried out randomly during crossover and mutation processing.
The network intrusion detection method disclosed in this embodiment of the present invention combines misuse detection with a genetic algorithm. It not only detects network traffic data but also, under the genetic algorithm, applies crossover and mutation to the detected intrusion behaviour and obtains more intrusion behaviours by comparison with the fitness threshold, so that the intrusion feature database is continuously updated and the accuracy of network intrusion detection is continuously improved.
In combination with the network intrusion detection methods disclosed in Embodiment One and Embodiment Two, the specific process in step S103 shown in Fig. 1 and Fig. 2 of processing in advance at least one training feature value sequence in the current intrusion feature database to obtain the threshold is shown in Fig. 4 and includes the following steps:
S401: add at least one training feature value sequence in the current intrusion feature database to corresponding training populations according to the second preset population composition rule, where the number of training feature value sequences in each training population is the same;
S402: perform binary encoding on all training feature value sequences in each training population based on the preset encoding rule;
S403: randomly pair the encoded training feature value sequences between the training populations and perform crossover and mutation according to the second preset crossover and mutation rule and the maximum number of evolutionary generations to obtain each current training feature value sequence;
During step S403, the current population evolutionary generation is set to 0 and, at the same time, the encoded training feature value sequences are randomly paired between the training populations; crossover and mutation are performed according to the second preset crossover and mutation rule and the current population evolutionary generation is incremented by 1. The maximum evolutionary generation of the training populations is computed from the preset current threshold, and it is judged whether the current training population evolutionary generation is less than the maximum evolutionary generation; if so, the training populations are randomly paired again, crossover and mutation are performed, the current population evolutionary generation is incremented by 1, and it is judged again whether the current training population evolutionary generation is less than the maximum evolutionary generation.
S404: compute the fitness value of each current training feature value sequence;
S405: judge whether every current training feature value sequence whose fitness value is less than the current threshold is absent from the current intrusion feature database; if so, execute step S406; if not, execute step S407;
S406: determine the current threshold as the threshold;
S407: determine the minimum fitness value of the current training feature value sequences in the current intrusion feature database as the current threshold, and return to step S401.
It should be noted that the current threshold may be a preset value when the fitness threshold is trained for the first time.
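The following Python is an added example, not code from the patent or its applicant: it runs steps S301 to S303 (population composition, binary encoding, paired crossover and mutation) and the threshold training loop S401 to S407 on constructed samples, and wires them into the S101 to S104 detection flow. The fitness formula, the rule deriving the maximum number of generations from the threshold, the baseline used to decide that a parameter "changed", exact-match misuse detection and storing encoded sequences in the database are all assumptions the patent leaves open, and are marked as such in the code.

```python
"""Misuse detection whose feature database is grown by a genetic algorithm,
following steps S301-S303 and S401-S407 of CN106534191B. Everything marked
ASSUMPTION is supplied by this example; the patent leaves it open."""
import itertools
import random
from typing import Dict, List, Set, Tuple

# Preset parameters from step S101, in the order used for encoding.
PARAMS = ("ip_src", "ip_dst", "src_port", "dst_port",
          "ip_instr", "tcp_sport", "tcp_dport", "tcp_ack")
Chromosome = Tuple[int, ...]   # one binary-encoded feature value sequence
Database = Set[Chromosome]     # ASSUMPTION: the database holds encoded sequences

def encode(sample: Dict[str, int], baseline: Dict[str, int]) -> Chromosome:
    """S302: a parameter that changed when the intrusion occurred is encoded 1,
    every other parameter 0. ASSUMPTION: 'changed' means it differs from a
    recorded baseline value for the connection."""
    return tuple(int(sample[p] != baseline[p]) for p in PARAMS)

def fitness(chrom: Chromosome) -> float:
    """ASSUMPTION for the unspecified fitness formula: the fraction of parameters
    that changed. A larger value means intrusion is more likely (S103)."""
    return sum(chrom) / len(chrom)

def compose_populations(seqs: List[Chromosome], n_pop: int,
                        per_pop: int) -> List[List[Chromosome]]:
    """S301/S401: n_pop populations of exactly per_pop sequences each, filled in
    collection order. ASSUMPTION: a short list is cycled to fill every slot."""
    filled = list(itertools.islice(itertools.cycle(seqs), n_pop * per_pop))
    return [filled[i * per_pop:(i + 1) * per_pop] for i in range(n_pop)]

def crossover_mutate(a: Chromosome, b: Chromosome,
                     rng: random.Random) -> Chromosome:
    """S303: swap the three encoded values before a random crossover point, and
    flip one randomly chosen bit; the two operations run in random order."""
    child, mate = list(a), list(b)

    def crossover() -> None:
        point = rng.randint(3, len(child))      # at least three values precede it
        child[point - 3:point] = mate[point - 3:point]

    def mutate() -> None:
        i = rng.randrange(len(child))
        child[i] ^= 1                           # 0 becomes 1, 1 becomes 0

    ops = [crossover, mutate]
    rng.shuffle(ops)
    for op in ops:
        op()
    return tuple(child)

def evolve(pops: List[List[Chromosome]], generations: int,
           rng: random.Random) -> List[Chromosome]:
    """S303/S403: each generation pairs every member of a population at random
    with a member of the next population and replaces it by their child."""
    for _ in range(generations):
        new_pops = []
        for i, pop in enumerate(pops):
            partners = list(pops[(i + 1) % len(pops)])
            rng.shuffle(partners)
            new_pops.append([crossover_mutate(a, b, rng)
                             for a, b in zip(pop, partners)])
        pops = new_pops
    return [c for pop in pops for c in pop]

def train_threshold(db: Database, initial: float, rng: random.Random,
                    n_pop: int = 2, per_pop: int = 3) -> float:
    """S401-S407: lower the threshold until no evolved training sequence that is
    already in the database scores below it. ASSUMPTION: the maximum number of
    generations is 10 * threshold. Each S407 round strictly lowers the
    threshold, so the loop ends after a bounded number of rounds."""
    threshold = initial
    while True:
        pops = compose_populations(sorted(db), n_pop, per_pop)
        evolved = evolve(pops, max(1, round(10 * threshold)), rng)
        below = [c for c in evolved if fitness(c) < threshold]
        if all(c not in db for c in below):
            return threshold                                     # S406
        threshold = min(fitness(c) for c in evolved if c in db)  # S407

def detect_and_update(db: Database, samples: List[Dict[str, int]],
                      baseline: Dict[str, int], threshold: float,
                      rng: random.Random) -> List[Chromosome]:
    """S101-S104 for one collection window: misuse detection is an exact match
    against the database (ASSUMPTION); the hits are evolved once and children
    whose fitness exceeds the threshold are added. Returns the additions."""
    hits = [c for c in (encode(s, baseline) for s in samples) if c in db]
    if len(hits) < 2:
        return []                        # nothing to pair for crossover
    children = evolve(compose_populations(hits, 2, 3), 1, rng)
    added = [c for c in children if fitness(c) > threshold and c not in db]
    db.update(added)
    return added
```

Because a child differs from its parent in at most four positions (three swapped values plus one flipped bit), the database grows only with sequences close to ones already confirmed as intrusions, which is what bounds the false-positive cost of the S103 update.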
The network intrusion detection method disclosed in this embodiment of the present invention combines misuse detection with a genetic algorithm. It not only detects network traffic data but also, under the genetic algorithm, applies crossover and mutation to the detected intrusion behaviour and obtains more intrusion behaviours by comparison with the fitness threshold, so that the intrusion feature database is continuously updated and the accuracy of network intrusion detection is continuously improved.
Embodiment Four
Based on the network intrusion detection method disclosed in the above embodiments, Embodiment Four of the present invention correspondingly discloses a network intrusion detection device that executes the above network intrusion detection method. Its structural schematic is shown in Fig. 5. The network intrusion detection device 500 includes: a misuse detection module 501, a genetic algorithm processing module 502 and a computation and storage module 503; the computation and storage module 503 further includes a threshold acquisition module 5031;
the misuse detection module 501 is for performing misuse detection on network data collected in real time according to the current intrusion feature database;
the genetic algorithm processing module 502 is for processing, when the network data is determined to contain intrusion behaviour, the feature value sequences of the network data according to the genetic algorithm to obtain each current feature value sequence;
the computation and storage module 503 is for computing the fitness value of each current feature value sequence and storing the current feature value sequences whose fitness value is greater than the threshold in the current intrusion feature database;
the threshold acquisition module 5031 is for processing in advance at least one training feature value sequence in the current intrusion feature database to obtain the threshold.
The network intrusion detection device disclosed in this embodiment of the present invention combines misuse detection with a genetic algorithm. It not only detects network traffic data but also, under the genetic algorithm, applies crossover and mutation to the detected intrusion behaviour and obtains more intrusion behaviours by comparison with the fitness threshold, so that the intrusion feature database is continuously updated and the accuracy of network intrusion detection is continuously improved.
Embodiment Five
In combination with the network intrusion detection device disclosed in Embodiment Four and Fig. 5, Embodiment Five of the present invention also provides a network intrusion detection device. Its structural schematic is shown in Fig. 6. The network intrusion detection device 500 includes: a misuse detection module 501, a genetic algorithm processing module 502, a computation and storage module 503 and an update module 504; the computation and storage module 503 further includes a threshold acquisition module 5031;
the misuse detection module 501 is for performing misuse detection on network data collected in real time according to the current intrusion feature database;
the genetic algorithm processing module 502 is for processing, when the network data is determined to contain intrusion behaviour, the feature value sequences of the network data according to the genetic algorithm to obtain each current feature value sequence;
the computation and storage module 503 is for computing the fitness value of each current feature value sequence and storing the current feature value sequences whose fitness value is greater than the threshold in the current intrusion feature database;
the threshold acquisition module 5031 is for processing in advance at least one training feature value sequence in the current intrusion feature database to obtain the threshold;
the update module 504 is for updating the current feature database.
The network intrusion detection device disclosed in this embodiment of the present invention adds feature value sequences to the feature database by updating it, so that the updated feature database is used in the next network data detection process and detection accuracy is continuously increased.
Embodiment six
In combination with the network intrusion detection device disclosed in embodiments four and five of the invention and shown in Figures 5 and 6, genetic algorithm processing module 502 of network intrusion detection device 500 has the structure shown in Figure 7 and comprises population composition unit 701, first coding unit 702 and first crossover and mutation unit 703;
Population composition unit 701 adds the feature value sequences of the network data to the corresponding populations according to a first preset population composition rule, where every population holds the same number of feature value sequences;
First coding unit 702 binary-codes all feature value sequences in each population according to a preset coding rule;
First crossover and mutation unit 703 randomly pairs the coded feature value sequences between the populations, and performs crossover and mutation on them according to a first preset crossover and mutation rule, to obtain the current feature value sequences.
In combination with the network intrusion detection device disclosed in embodiments four and five of the invention and shown in Figures 5 and 6, threshold acquisition module 5031 of network intrusion detection device 500 has the structure shown in Figure 8 and comprises training population composition unit 801, second coding unit 802, second crossover and mutation unit 803, computing unit 804, judging unit 805, first threshold determination unit 806 and second threshold determination unit 807;
Training population composition unit 801 adds at least one training feature value sequence from the current intrusion feature database to the corresponding training populations according to a second preset population composition rule, where every training population holds the same number of training feature value sequences;
Second coding unit 802 binary-codes all training feature value sequences in each training population according to the preset coding rule;
Second crossover and mutation unit 803 randomly pairs the coded training feature value sequences between the training populations, and performs crossover and mutation on them according to a second preset crossover and mutation rule and a maximum evolutionary generation, to obtain the current training feature value sequences;
Computing unit 804 calculates the fitness value of each current training feature value sequence;
Judging unit 805 judges whether every current training feature value sequence whose fitness value is less than the current threshold is absent from the current intrusion feature database; if so, it triggers first threshold determination unit 806; if not, it triggers second threshold determination unit 807;
First threshold determination unit 806 determines the current threshold to be the threshold;
Second threshold determination unit 807 determines the minimum fitness value among the current training feature value sequences that are in the current intrusion feature database to be the new current threshold, and triggers training population composition unit 801 again.
A network intrusion detection method and device provided by the present invention have been described in detail above. Specific examples have been used herein to explain the principle and implementation of the invention; the explanation of the above embodiments is only intended to help understand the method of the invention and its core idea. At the same time, those skilled in the art may, following the idea of the invention, make changes in the specific embodiments and the scope of application. In summary, the contents of this specification should not be construed as limiting the invention.
It should be noted that the embodiments in this specification are described progressively; each embodiment emphasises its differences from the other embodiments, and the same or similar parts between embodiments may be referred to each other. Since the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief; for related details refer to the description of the method.
It should also be noted that, herein, relational terms such as first and second are used merely to distinguish one entity or operation from another, without necessarily requiring or implying any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to that process, method, article or device. In the absence of further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be realised in other embodiments without departing from the spirit or scope of the invention. Therefore, the invention is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (6)

1. A network intrusion detection method, characterised by comprising:
performing misuse detection on network data collected in real time according to a current intrusion feature database;
when it is determined that intrusion behaviour is present in the network data, processing the feature value sequences of the network data according to a genetic algorithm to obtain current feature value sequences;
calculating the fitness value of each current feature value sequence, and storing the current feature value sequences whose fitness value is greater than a threshold in the current intrusion feature database, the threshold being obtained in advance by processing at least one training feature value sequence in the current intrusion feature database;
wherein the process of obtaining the threshold in advance by processing at least one training feature value sequence in the current intrusion feature database comprises:
according to a second preset population composition rule, adding at least one training feature value sequence from the current intrusion feature database to corresponding training populations, where every training population holds the same number of training feature value sequences;
based on a preset coding rule, binary-coding all training feature value sequences in each training population;
randomly pairing the coded training feature value sequences between the training populations, and performing crossover and mutation according to a second preset crossover and mutation rule and a maximum evolutionary generation, to obtain current training feature value sequences;
calculating the fitness value of each current training feature value sequence;
judging whether every current training feature value sequence whose fitness value is less than a current threshold is absent from the current intrusion feature database;
if so, determining the current threshold to be the threshold;
if not, determining the minimum fitness value of the current training feature value sequences in the current intrusion feature database to be the current threshold, and returning to the step of adding, according to the second preset population composition rule, at least one training feature value sequence from the current intrusion feature database to the corresponding training populations.
2. The method according to claim 1, characterised in that, after storing the current feature value sequences whose fitness value is greater than the threshold in the current intrusion feature database, the method further comprises:
updating the current feature database.
3. The method according to claim 1, characterised in that processing the feature value sequences of the network data according to the genetic algorithm to obtain the current feature value sequences comprises:
according to a first preset population composition rule, adding the feature value sequences of the network data to corresponding populations, where every population holds the same number of feature value sequences;
based on the preset coding rule, binary-coding all feature value sequences in each population;
randomly pairing the coded feature value sequences between the populations, and performing crossover and mutation according to a first preset crossover and mutation rule, to obtain the current feature value sequences.
4. A network intrusion detection device, characterised by comprising: a misuse detection module, a genetic algorithm processing module and a calculation and storage module, the calculation and storage module further including a threshold acquisition module;
the misuse detection module, for performing misuse detection on network data collected in real time according to a current intrusion feature database;
the genetic algorithm processing module, for processing, when it is determined that intrusion behaviour is present in the network data, the feature value sequences of the network data according to a genetic algorithm to obtain current feature value sequences;
the calculation and storage module, for calculating the fitness value of each current feature value sequence and storing the current feature value sequences whose fitness value is greater than a threshold in the current intrusion feature database;
the threshold acquisition module, for processing in advance at least one training feature value sequence in the current intrusion feature database to obtain the threshold;
wherein the threshold acquisition module comprises: a training population composition unit, a second coding unit, a second crossover and mutation unit, a computing unit, a judging unit, a first threshold determination unit and a second threshold determination unit;
the training population composition unit, for adding, according to a second preset population composition rule, at least one training feature value sequence from the current intrusion feature database to corresponding training populations, where every training population holds the same number of training feature value sequences;
the second coding unit, for binary-coding, based on a preset coding rule, all training feature value sequences in each training population;
the second crossover and mutation unit, for randomly pairing the coded training feature value sequences between the training populations and performing crossover and mutation according to a second preset crossover and mutation rule and a maximum evolutionary generation, to obtain current training feature value sequences;
the computing unit, for calculating the fitness value of each current training feature value sequence;
the judging unit, for judging whether every current training feature value sequence whose fitness value is less than a current threshold is absent from the current intrusion feature database; if so, triggering the first threshold determination unit; if not, triggering the second threshold determination unit;
the first threshold determination unit, for determining the current threshold to be the threshold;
the second threshold determination unit, for determining the minimum fitness value of the current training feature value sequences in the current intrusion feature database to be the current threshold, and triggering the training population composition unit.
5. The device according to claim 4, characterised in that it further comprises, after the calculation and storage module, an update module;
the update module, for updating the current feature database.
6. The device according to claim 4, characterised in that the genetic algorithm processing module comprises: a population composition unit, a first coding unit and a first crossover and mutation unit;
the population composition unit, for adding, according to a first preset population composition rule, the feature value sequences of the network data to corresponding populations, where every population holds the same number of feature value sequences;
the first coding unit, for binary-coding, based on the preset coding rule, all feature value sequences in each population;
the first crossover and mutation unit, for randomly pairing the coded feature value sequences between the populations and performing crossover and mutation according to the first preset crossover and mutation rule, to obtain the current feature value sequences.
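The genetic-algorithm processing of claims 1 and 3 and the threshold determination loop of claim 1 (threshold acquisition module 5031 in embodiment six), as an added Python example that is not the patent's own code. The fixed-width coding rule, the equal-size population composition rule, one-point crossover with bit-flip mutation, the agreement-based fitness function and the sample database are all assumptions made here for illustration; the patent leaves each of them open.

```python
import random

# Constructed illustration, not the patent's own code. A feature value sequence is a
# tuple of small integers (e.g. quantised connection features, each below 2**BITS); the
# intrusion feature database is a set of such tuples. The fitness function is an
# assumption: the patent does not define it.
BITS = 4               # assumed preset coding rule: 4 bits per feature value
POP_SIZE = 3           # every population holds the same number of sequences
MAX_GENERATIONS = 4    # maximum evolutionary generation used in the threshold loop


def encode(seq):
    """Binary-code a feature value sequence as one fixed-width bit string."""
    return "".join(format(v, f"0{BITS}b") for v in seq)


def decode(bits):
    return tuple(int(bits[i:i + BITS], 2) for i in range(0, len(bits), BITS))


def crossover_mutate(a, b, rng, p_mut=0.05):
    """One-point crossover of two coded sequences followed by per-bit mutation."""
    point = rng.randrange(1, len(a))
    child = a[:point] + b[point:]
    return "".join(("1" if c == "0" else "0") if rng.random() < p_mut else c for c in child)


def fitness(seq, database):
    """Assumed fitness: mean positional agreement with the known intrusion sequences."""
    agree = sum(sum(x == y for x, y in zip(seq, known)) for known in database)
    return agree / (len(seq) * len(database))


def evolve(sequences, rng, generations):
    """Population composition, coding, random pairwise matching between populations and
    crossover/mutation for the given number of generations; returns decoded sequences."""
    coded = [encode(s) for s in sequences]
    usable = len(coded) - len(coded) % POP_SIZE        # keep all populations equal in size
    pops = [coded[i:i + POP_SIZE] for i in range(0, usable, POP_SIZE)]
    for _ in range(generations):
        nxt = []
        for idx, pop in enumerate(pops):
            others = [p for j, p in enumerate(pops) if j != idx] or [pop]
            partner_pop = rng.choice(others)
            nxt.append([crossover_mutate(ind, rng.choice(partner_pop), rng) for ind in pop])
        pops = nxt
    return [decode(ind) for pop in pops for ind in pop]


def determine_threshold(database, seed=0, initial=1.0, generations=MAX_GENERATIONS):
    """Threshold determination loop of claim 1: evolve the training sequences; if every
    evolved sequence whose fitness is below the current threshold is absent from the
    database, the current threshold is final; otherwise lower it to the minimum fitness
    of the evolved sequences that are in the database and repeat."""
    rng = random.Random(seed)
    current = initial
    while True:
        evolved = evolve(sorted(database), rng, generations)
        in_db = [fitness(s, database) for s in evolved if s in database]
        if all(f >= current for f in in_db):
            return current
        current = min(in_db)       # strictly lower than before, so the loop terminates


def update_database(detected, database, threshold, seed=0, generations=1):
    """Main path of claim 1: sequences of data flagged by misuse detection are processed by
    the genetic algorithm and every result whose fitness exceeds the threshold is stored.
    Returns the newly stored sequences."""
    rng = random.Random(seed)
    added = {s for s in evolve(detected, rng, generations)
             if fitness(s, database) > threshold and s not in database}
    database |= added
    return added
```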
Application CN201611155840.0A, priority date 2016-12-14, filing date 2016-12-14: A kind of network inbreak detection method and device. Status: Active. Granted publication: CN106534191B (en).

Publications (2)

Publication Number   Publication Date
CN106534191A (en)    2017-03-22
CN106534191B (en)    2019-06-21

Family ID: 58340006. Country status: CN (1) CN106534191B (en).


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant