CN107040517A - A kind of cognitive intrusion detection method towards cloud computing environment - Google Patents
A cognitive intrusion detection method for a cloud computing environment
- Publication number: CN107040517A (application CN201710096368.6A)
- Authority: CN (China)
- Prior art keywords: cloud, unit, data, rule, cognitive
- Legal status: Granted
Classifications
- H04L63/00: Network architectures or network communication protocols for network security
- H04L63/14: detecting or protecting against malicious traffic
- H04L63/1408: detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416: Event detection, e.g. attack signature detection
- H04L63/1425: Traffic logging, e.g. anomaly detection
- H04L63/1441: Countermeasures against malicious traffic
- H04L63/20: managing network security; network security policies in general
Abstract
The invention discloses a cognitive intrusion detection method for a cloud computing environment. The system comprises a data pre-processing unit, a packet detection unit, a database, a recognition rule base, an intrusion detection engine unit, an event handling unit, a cloud cognitive inference engine and a statistical analysis unit. In the cloud cognitive inference learning module the feature vectors are optimised with a genetic algorithm, so the required training time and detection time are shorter than with other methods; second, the real-time online detection capability is stronger; and finally, the method makes full use of the large-scale parallel computing and big-data processing capability of the cloud computing environment, which greatly strengthens computing power and makes the system safer and more efficient.
Description
Technical field
The invention belongs to the field of cloud computing, and in particular to a cognitive intrusion detection method for a cloud computing environment.
Background technology
Cloud computing has become a hot topic of concern in the current IT industry, but its development also faces many key problems, of which security is the most pressing. As cloud computing continues to spread, the importance of security shows a gradually rising trend and has become the central factor restricting the development of cloud computing. The challenge of cloud security is reflected in three aspects: (1) data security, including data encryption and decryption, access control and transmission security; (2) service security, including server security, single sign-on, identity authentication and trust models; (3) the security monitoring system, which defends against and prevents malicious intrusion behaviour and guarantees the data and privacy of all users, and is a vital link in cloud security.
Traditional passive defence methods cannot judge and prevent network attacks in time, lack the cognitive ability to recognise known or unknown security attacks, and are neither real-time nor intelligent enough to meet the needs of a cloud computing environment. Therefore, a more active, a-priori cognitive intrusion detection method is needed in the cloud computing environment, so that security attacks in that environment can be identified, warned of and protected against quickly.
Prior art document one (application number 201510870283.X) provides an intrusion detection method based on cloud computing, in which the intrusion detection function is moved from the traditional host side to the cloud and provided in the form of a service. Its core intrusion detection analysis service is placed in the cloud, where it is updated and maintained by the professional network security team of the cloud service provider. This simplifies the host side and reduces maintenance cost. Its main process is shown in Figure 1. The document is a basic patent for internet intrusion detection: for an intrusion detection system, basing the system on a cloud computing environment gives it the advantage of a shared data set in the cloud database. The deficiencies of this technology are: (1) the intrusion detection engine, the intrusion detection rule base used for comparison and the anomaly detection are not specifically described; (2) there is no capability to recognise the possible unknown types of intrusion behaviour found by comparison, and no corresponding solution is provided; such behaviour is simply treated as new intrusion behaviour, so the system has no cognitive ability for unknown attacks.
Document two (application number 201610049716.X) provides an autonomous analysis intrusion detection method in a cloud computing environment: the intrusion detection device uses an improved BP neural network, trained on pre-processed packets, to detect abnormal network traffic in real time, then identifies the abnormal data and extracts features from the unknown intrusion behaviour it finds, so that new types of intrusion behaviour can be recognised next time. It proposes the idea of autonomous analysis and detection, and its propagation rate is high. Its main process is shown in Figure 2. The document is a more advanced patent for internet intrusion detection: for an intrusion detection system based on a cloud computing environment, both known and unknown types of intrusion behaviour can be detected and fed back in time to supplement the cloud database, which improves the detection and defence functions of the system. The deficiency of this technology is that the feature value extraction method for unknown intrusion behaviour still has room for improvement, in order to raise the speed and security of the system.
The content of the invention
Aiming at the problems that the passive defence strategy of the traditional Intrusion Detection System (IDS) model cannot judge and prevent known or unknown security attacks in time and that the risk coefficient of the system is high, an intrusion detection system with cognitive ability for cloud computing is proposed. The concrete scheme is as follows: a cognitive intrusion detection method for a cloud computing environment comprises the following steps:
Step 1: the data pre-processing unit receives the packets of abnormal traffic in the cloud computing environment, performs regularisation pre-processing on the data in the packets to obtain a data stream file containing feature vectors, and sends the pre-processed packets to the database and to the packet detection unit respectively;
Step 2: the database receives and stores the data stream file with the feature vector data, and establishes a log record from the stored packets;
Step 3: a recognition rule base is established; the recognition rule base contains the characteristics of known intrusion behaviour;
Step 3: the packet detection unit performs rule matching against the information in the established recognition rule base; if a satisfied matching rule is found, it raises an alarm to the intrusion detection engine unit, the intrusion detection engine unit sends an instruction to the event handling unit according to the received alarm information, and the event handling unit, after receiving the instruction, sends an alarm and cuts off the network;
Step 4: if the packet detection unit finds no satisfied matching rule, this indicates that the attack type in the packet cannot be recognised, and the database forwards the packet information to the cloud reasoning learning module for an assessment of the intrusion possibility;
Step 5: cloud rules are established; when there is no network connection, the cloud cognitive inference engine uses the feature vector data stored in the database as training samples to establish the cloud rule database;
Step 6: the unrecognised attack type is judged; during the network connection the cloud cognitive inference engine receives the feature vector data of the packets whose attack type could not be recognised, uses the genetic-algorithm-based feature vector extraction algorithm to optimise the feature vector data and obtain the optimal intrusion feature vector, compares the intrusion feature vector with the established cloud rule database, activates multiple qualitative cloud rules, performs uncertain inference to determine the intrusion type, and sends the result to the intrusion detection engine unit;
Step 7: the intrusion feature vector and its determined type correct and update the cloud rules in the original cloud rule database, producing the updated cloud rule database.
Step 8: the intrusion feature vector is sent to the statistical analysis unit, which judges from the log record of the intrusion feature vector whether a network intrusion has occurred, sends the judgement result to the intrusion detection engine unit and the event handling unit, and at the same time sends the data information of the intrusion feature vector to the recognition rule base for updating;
Step 9: the intrusion detection engine unit receives the inference result from the cloud cognitive inference engine and the judgement result from the statistical analysis unit, and sends an instruction to the event handling unit;
Step 10: the event handling unit, after receiving the instruction from the intrusion detection engine unit and the statistical analysis unit, sends an alarm and cuts off the network.
The genetic-algorithm-based feature vector extraction algorithm of step 6 comprises the following steps:
1) set the evolutionary generation g=0 and generate an initial population P(g) containing n individuals;
2) evaluate each individual in the population and calculate its fitness f(x);
3) according to the individual fitness f(x), select two individuals from P(g) (the larger the fitness value, the greater the chance of being chosen as a parent); according to the crossover probability, let the two selected individuals cross to produce new offspring (if the crossover probability is 0, i.e. no crossover, the offspring is an exact copy of the parents); then, according to the mutation probability, the newborn offspring mutate at their respective loci; repeat the above to produce new individuals, and the individuals finally produced form the new population P(g+1);
4) take the newly produced population P(g+1) as the population for the subsequent evolutionary operations and set the evolutionary generation g=g+1;
5) if the termination condition is met, the algorithm ends and returns the best individual in the current population, i.e. the optimal solution;
6) if the termination condition is not met, jump to step 2) and continue the genetic algorithm.
The uncertain inference of step 6 comprises the following steps:
Step1: for a group of unknown intrusion feature vectors (X1, X2 … Xn) after data pre-processing, each Xi activates rules according to the 3En principle: |Ex - Xi| < 3En;
Step2: the normal cloud generator corresponding to each activated rule outputs a cloud drop (xi, yi) by inference;
Step3: the backward cloud generator obtains the numerical characteristics of the virtual cloud, Exij, Enij, Heij, on the basis of the cloud drops (x1, y1), … (xn, yn);
Step4: xi is then substituted into the virtual cloud to obtain its degree of certainty;
Step5: Step2-5 are repeated for each xi to obtain the corresponding degree of certainty;
Step6: the intrusion type is determined according to the maximum degree of certainty principle.
The statistical analysis processing unit of step 8 measures the values of n variables at any given moment and judges by reasoning whether the system has been intruded. Each variable Ni (i = 1, 2, …, n) represents a feature of a different aspect of the system, including the number of SYN packets, the number of user login failures, CPU usage, network traffic and so on, and Mi (i = 1, 2, …, n) is the predicted expected value of the data under normal conditions. The detection function defined at time t is:
where λi > 0 are weights reflecting the degree of importance, i.e. the sensitivity. The smaller F(t), the closer the communication process is to the normal situation; when F(t) exceeds a pre-set threshold, a network intrusion is considered to have occurred.
Compared with the prior art, the cloud cognitive inference learning module of the present invention optimises the feature vectors with a genetic algorithm, so the required training time and detection time are shorter than with other methods; second, the real-time online detection capability is stronger; and finally, the method makes full use of the large-scale parallel computing and big-data processing capability of the cloud computing environment, which greatly strengthens computing power and makes the system safer and more efficient.
Brief description of the drawings
Fig. 1 is the flow chart of the cloud-computing-based intrusion detection method of document one;
Fig. 2 is the flow chart of the autonomous analysis intrusion detection method in the cloud computing environment of document two;
Fig. 3 is the flow chart of the cognitive intrusion detection method for cloud computing;
Fig. 4 is the block diagram of the genetic-algorithm-based feature vector extraction algorithm;
Fig. 5 is the block diagram of the specific inference algorithm of the cloud cognitive inference engine.
Embodiment
Embodiment 1
As shown in figure 1, an intrusion detection system with cognitive ability for cloud computing comprises a cognitive detection module: data pre-processing is responsible for collecting the data flow in the network and generating a data stream file of a certain format. Packet detection inspects the pre-processed data flow packet by packet and judges, according to the established recognition rule base, whether the data flow is a known attack form; for known attacks an attack signature satisfying certain rules is established, comprising the processing action, transport layer protocol type, application layer protocol type, port number, IP address range, remark information, etc.
Cloud cognitive inference learning module: the cloud reasoning learning module assesses the possibility of intrusion. The input of the inference engine is divided into two parts. One part is intrusion detection (online judgement): the collector supplies the collected network feature vectors to the cloud cognitive inference engine for analysis and reasoning. Because the collector gathers a great many feature vectors during a network connection, the feature vectors are optimised with a genetic algorithm so that the massive connection data of the cloud computing environment can be handled quickly: the optimal feature individual is selected according to a fitness value that rewards a high detection rate and a low false alarm rate. The other part is sample training (offline learning): the collector stores the pre-processed information in the database to provide information for the cloud cognitive inference engine, which then assesses the intrusion possibility using cloud computing.
Statistical analysis processing module: keeps the log records of the virtual organisation for real-time analysis and for discovering abnormal events. The intrusion detection engine integrates the warning information of each system, analyses it and then issues instructions to the event processing module, which completes work such as alarming and cutting off the connection.
The cognitive detection module comprises the data pre-processing unit, the packet detection unit, the intrusion detection engine unit and the database; the cloud cognitive inference learning module comprises the cloud cognitive inference engine and the cloud rule unit; the statistical analysis processing module comprises the statistical analysis unit and the event handling unit.
The data pre-processing unit is connected to the packet detection unit and the database respectively; the packet detection unit is connected to the intrusion detection engine unit; the intrusion detection engine unit is connected to the event handling unit; the database is connected to the cloud rule unit; the cloud rule unit and the cloud cognitive inference engine are connected to each other; the cloud cognitive inference engine is connected to the cloud rule unit, the intrusion detection engine unit and the statistical analysis unit respectively; the statistical analysis unit is connected to the recognition rule base, the event handling unit and the intrusion detection engine unit respectively; and the cognitive recognition rule base is connected to the packet detection unit.
As shown in Figures 1, 2 and 3, a cognitive intrusion detection method for a cloud computing environment based on the above system comprises the following steps:
Step 1: the data pre-processing unit receives the packets of abnormal traffic in the cloud computing environment, performs regularisation pre-processing on the data in the packets to obtain a data stream file containing feature vectors, and sends the pre-processed packets to the database and to the packet detection unit respectively;
Step 2: the database receives and stores the data stream file with the feature vector data, and establishes a log record from the stored packets;
Step 3: a recognition rule base is established; the recognition rule base contains the characteristics of known intrusion behaviour;
Step 3: the packet detection unit performs rule matching against the information in the established recognition rule base; if a satisfied matching rule is found, it raises an alarm to the intrusion detection engine unit, the intrusion detection engine unit sends an instruction to the event handling unit according to the received alarm information, and the event handling unit, after receiving the instruction, sends an alarm and cuts off the network;
Step 4: if the packet detection unit finds no satisfied matching rule, this indicates that the attack type in the packet cannot be recognised, and the database forwards the packet information to the cloud reasoning learning module for an assessment of the intrusion possibility;
Step 5: cloud rules are established; when there is no network connection, the cloud cognitive inference engine uses the feature vector data stored in the database as training samples to establish the cloud rule database;
Step 6: the unrecognised attack type is judged; during the network connection the cloud cognitive inference engine receives the feature vector data of the packets whose attack type could not be recognised, uses the genetic-algorithm-based feature vector extraction algorithm to optimise the feature vector data and obtain the optimal intrusion feature vector, compares the intrusion feature vector with the established cloud rule database, activates multiple qualitative cloud rules, performs uncertain inference to determine the intrusion type, and sends the result to the intrusion detection engine unit;
The genetic-algorithm-based feature vector extraction algorithm of step 6 comprises the following steps:
1) set the evolutionary generation g=0 and generate an initial population P(g) containing n individuals;
2) evaluate each individual in the population and calculate its fitness f(x);
3) according to the individual fitness f(x), select two individuals from P(g) (the larger the fitness value, the greater the chance of being chosen as a parent); according to the crossover probability, let the two selected individuals cross to produce new offspring (if the crossover probability is 0, i.e. no crossover, the offspring is an exact copy of the parents); then, according to the mutation probability, the newborn offspring mutate at their respective loci; repeat the above to produce new individuals, and the individuals finally produced form the new population P(g+1);
4) take the newly produced population P(g+1) as the population for the subsequent evolutionary operations and set the evolutionary generation g=g+1;
5) if the termination condition is met, the algorithm ends and returns the best individual in the current population, i.e. the optimal solution;
6) if the termination condition is not met, jump to step 2) and continue the genetic algorithm.
The original cloud rules can be corrected and updated according to the calculation results of the above steps, to improve the adaptability of the intrusion detection to current network conditions.
The uncertain inference of step 6 comprises the following steps:
Step1: for a group of unknown intrusion feature vectors (X1, X2 … Xn) after data pre-processing, each Xi activates rules according to the 3En principle: |Ex - Xi| < 3En;
Step2: the normal cloud generator corresponding to each activated rule outputs a cloud drop (xi, yi) by inference;
Step3: the backward cloud generator obtains the numerical characteristics of the virtual cloud, Exij, Enij, Heij, on the basis of the cloud drops (x1, y1), … (xn, yn);
Step4: xi is then substituted into the virtual cloud to obtain its degree of certainty;
Step5: Step2-5 are repeated for each xi to obtain the corresponding degree of certainty;
Step6: the intrusion type is determined according to the maximum degree of certainty principle.
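As an added example (not the patent's code) of the cloud-model uncertain inference listed in Step1 to Step6 above, in both the summary and the embodiment: a rule is a qualitative cloud (Ex, En, He) over one feature, the 3En rule activates it, a normal cloud generator emits drops, the backward cloud generator rebuilds a virtual cloud, and the type with maximum certainty wins. Averaging the certainties of one type's rules, the expected-value form of the certainty, and the constructed rule base over SYN packet count and CPU usage are assumptions.

```python
"""Cloud-model uncertain inference for unrecognised intrusion types (added example).

Each qualitative cloud rule is a concept such as "the SYN packet count of a Neptune
flood is around 900", expressed by the numerical characteristics of a normal cloud:
expectation Ex, entropy En and hyper-entropy He.
"""
import math
import random
from dataclasses import dataclass

FEATURES = ("syn_packets", "cpu_usage")  # constructed feature order for the example


@dataclass(frozen=True)
class CloudRule:
    intrusion_type: str
    feature: int          # index into the input feature vector
    ex: float
    en: float
    he: float

    def activated_by(self, x):
        # 3En rule: the input value must lie within 3En of the rule's expectation
        return abs(self.ex - x) < 3 * self.en


def forward_cloud_drops(ex, en, he, count, rng):
    """Normal cloud generator: emit `count` cloud drops (x, y) for the concept (Ex, En, He)."""
    drops = []
    for _ in range(count):
        en_prime = abs(rng.gauss(en, he)) or 1e-12   # entropy sample, guarded against 0
        x = rng.gauss(ex, en_prime)
        y = math.exp(-((x - ex) ** 2) / (2 * en_prime ** 2))
        drops.append((x, y))
    return drops


def backward_cloud(drops):
    """Backward cloud generator: estimate (Ex, En, He) from the drops' x-values."""
    xs = [x for x, _ in drops]
    n = len(xs)
    ex = sum(xs) / n
    en = math.sqrt(math.pi / 2) * sum(abs(x - ex) for x in xs) / n
    variance = sum((x - ex) ** 2 for x in xs) / (n - 1)
    he = math.sqrt(max(variance - en ** 2, 0.0))
    return ex, en, he


def certainty(x, ex, en):
    """Degree of certainty of x in the cloud (Ex, En): expected value of the X-conditional
    generator (assumption: the random entropy sample is replaced by En for determinism)."""
    if en == 0.0:
        return 1.0 if x == ex else 0.0
    return math.exp(-((x - ex) ** 2) / (2 * en ** 2))


def infer_intrusion_type(vector, rules, drops_per_rule=200, seed=1):
    """Step1-Step6: activate rules, generate drops, rebuild virtual clouds, pick the type
    with maximum certainty. Certainties of one type's rules are averaged (assumption).
    Returns (type, certainties); type is None when no rule is activated."""
    rng = random.Random(seed)
    per_type = {}
    for rule in rules:
        x = vector[rule.feature]
        if not rule.activated_by(x):                      # Step1: 3En activation
            continue
        drops = forward_cloud_drops(rule.ex, rule.en, rule.he, drops_per_rule, rng)  # Step2
        v_ex, v_en, _v_he = backward_cloud(drops)         # Step3: virtual cloud Exij, Enij, Heij
        mu = certainty(x, v_ex, v_en)                     # Step4: certainty of xi
        per_type.setdefault(rule.intrusion_type, []).append(mu)   # Step5: every xi
    if not per_type:
        return None, {}
    scores = {t: sum(v) / len(v) for t, v in per_type.items()}
    best = max(scores, key=scores.get)                    # Step6: maximum certainty
    return best, scores


def round_trip(ex, en, he, count=2000, seed=3):
    """Forward then backward: check that the backward generator recovers the concept."""
    return backward_cloud(forward_cloud_drops(ex, en, he, count, random.Random(seed)))


# Constructed rule base (not from the patent): two intrusion types from the classes the
# patent names (DOS: neptune, PROBE: portsweep), each with a cloud per feature.
RULES = [
    CloudRule("neptune",   0, ex=900.0, en=100.0, he=5.0),
    CloudRule("neptune",   1, ex=85.0,  en=8.0,   he=1.0),
    CloudRule("portsweep", 0, ex=120.0, en=40.0,  he=3.0),
    CloudRule("portsweep", 1, ex=15.0,  en=5.0,   he=0.5),
]


if __name__ == "__main__":
    for sample in ([880.0, 80.0], [130.0, 16.0], [5000.0, 50.0]):
        print(sample, "->", infer_intrusion_type(sample, RULES))
```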
Step 7: the intrusion feature vector and its determined type correct and update the cloud rules in the original cloud rule database, producing the updated cloud rule database.
Step 8: the intrusion feature vector is sent to the statistical analysis unit, which judges from the log record of the intrusion feature vector whether a network intrusion has occurred, sends the judgement result to the intrusion detection engine unit and the event handling unit, and at the same time sends the data information of the intrusion feature vector to the recognition rule base for updating;
In step 8 the statistical analysis processing unit measures the values of n variables at any given moment and judges by reasoning whether the system has been intruded. Each variable Ni (i = 1, 2, …, n) represents a feature of a different aspect of the system, including the number of SYN packets, the number of user login failures, CPU usage, network traffic and so on, and Mi (i = 1, 2, …, n) is the predicted expected value of the data under normal conditions. The detection function defined at time t is:
where λi > 0 are weights reflecting the degree of importance, i.e. the sensitivity. The smaller F(t), the closer the communication process is to the normal situation; when F(t) exceeds a pre-set threshold, a network intrusion is considered to have occurred.
Step 9: the intrusion detection engine unit receives the inference result from the cloud cognitive inference engine and the judgement result from the statistical analysis unit, and sends an instruction to the event handling unit;
Step 10: the event handling unit, after receiving the instruction from the intrusion detection engine unit and the statistical analysis unit, sends an alarm and cuts off the network.
Unlike traditional intrusion detection systems, the intrusion detection system with cognitive ability for cloud computing (abbreviated CIDCC) no longer uses one-to-one matching, i.e. a single feature matching and activating a single rule. Instead, when a collected intrusion feature vector is input, it activates multiple qualitative cloud intrusion rules; the cloud cognitive inference engine then performs inference with uncertain association, and the discrimination result is output to the intrusion detection engine for the corresponding decision.
After a network connection starts, the data flow in the network is intercepted inside the intrusion detection system of the network firewall and pre-processed, i.e. the data flow in the network is collected and a data stream file of a certain format is generated. The packet detection module then inspects the pre-processed data flow packet by packet.
The data set provided in the recognition rule base divides all attacks into four major classes: DOS, PROBE, R2L and U2R. The intrusion types in the DOS class include land, Neptune, pod, teardrop, etc.; the intrusion types in the PROBE class include nmap, portsweep, satan, mscan and ipsweep. According to the recognition rule base, it is judged whether the data flow is a known attack form. For known attacks, an attack signature satisfying certain rules is established; the attack signature consists of the following parts: processing action (Assert for alerting, Disconnect for cutting off the connection, Track for tracking and recording), transport layer protocol type (TCP, UDP), application layer protocol type (FTP, HTTP, SSH, Telnet), port number, IP address range, remark information (Message), etc. The experiment used 1% of the whole data set (50,000 connection records in total); at the same time, to ensure execution efficiency, 100,000 records were randomly selected in the experiment as the training data set and the test set respectively. The training samples contained only the three classes DOS, PROBE and R2L; from the remaining data set a further 20,000 records were selected for testing, which included the attack types appearing in the training set as well as attack types that did not appear in the training set.
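An added example, not taken from the patent, of the packet detection unit's rule matching against attack signatures built from the fields listed above (processing action, transport and application protocol, port, IP address range, remark). The first-match ordering, the port-range and CIDR representation, and the constructed signatures and connection records are assumptions; a record that matches nothing is the unrecognised case that step 4 hands to the cloud cognitive inference engine.

```python
"""Recognition-rule-base matching for the packet detection unit (added example).

An attack signature carries the fields the patent lists: processing action (Assert,
Disconnect, Track), transport protocol, application protocol, port, IP address range
and a remark. A record matching no signature is returned as None, i.e. the
unrecognised attack type that step 4 forwards to the cloud cognitive inference engine.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = "*"  # wildcard for a protocol field


@dataclass(frozen=True)
class AttackSignature:
    name: str                 # intrusion type, e.g. a PROBE-class portsweep
    action: str               # "Assert" (alert), "Disconnect" (cut off), "Track" (record)
    transport: str            # "TCP", "UDP" or ANY
    app_protocol: str         # "FTP", "HTTP", "SSH", "Telnet" or ANY
    ports: Tuple[int, int]    # inclusive destination-port range; (0, 65535) for any port
    ip_range: str             # source address range in CIDR notation (assumption)
    message: str              # remark information

    def matches(self, record) -> bool:
        if self.transport != ANY and self.transport != record["transport"]:
            return False
        if self.app_protocol != ANY and self.app_protocol != record["app_protocol"]:
            return False
        low, high = self.ports
        if not low <= record["dst_port"] <= high:
            return False
        try:
            src = ipaddress.ip_address(record["src_ip"])
        except ValueError:
            return False      # a malformed address never matches a signature
        return src in ipaddress.ip_network(self.ip_range, strict=False)


def match_rule_base(record, rule_base) -> Optional[AttackSignature]:
    """First-match semantics: signatures are consulted in rule-base order (assumption)."""
    for sig in rule_base:
        if sig.matches(record):
            return sig
    return None


def packet_detection(record, rule_base):
    """Step 3/4 decision: the action for a known attack, or None to forward the record
    to the cloud cognitive inference engine as an unrecognised attack type."""
    sig = match_rule_base(record, rule_base)
    if sig is None:
        return None
    return {"intrusion": sig.name, "action": sig.action, "message": sig.message}


# Constructed rule base (not from the patent): one PROBE-class and one DOS-class signature,
# using documentation address ranges.
RULE_BASE = [
    AttackSignature("portsweep", "Track", "TCP", ANY, (1, 1024), "198.51.100.0/24",
                    "sequential low-port connections from the monitored range"),
    AttackSignature("neptune", "Disconnect", "TCP", "HTTP", (80, 80), "203.0.113.0/24",
                    "SYN flood source toward the web tier"),
]

# Constructed pre-processed connection records
RECORDS = [
    {"src_ip": "198.51.100.7", "transport": "TCP", "app_protocol": "SSH", "dst_port": 22},
    {"src_ip": "203.0.113.9", "transport": "TCP", "app_protocol": "HTTP", "dst_port": 80},
    {"src_ip": "192.0.2.1", "transport": "UDP", "app_protocol": "DNS", "dst_port": 53},
]

if __name__ == "__main__":
    for rec in RECORDS:
        print(rec["src_ip"], "->", packet_detection(rec, RULE_BASE))
```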
The test results verify that the system has good detection capability for both unknown and known attacks: whether against known or unknown attacks, the new model proposed here has a higher ROC score than the traditional IDS framework. The cognitive intrusion detection model based on cloud computing has the following advantages: first, the method uses a genetic algorithm to optimise the feature vectors, so the required training time and detection time are shorter than with other methods; second, the real-time online detection capability is stronger; and finally, it makes full use of the large-scale parallel computing and big-data processing capability of the cloud computing environment, greatly strengthening computing power and making the system safer and more efficient.
Claims (4)
1. A cognitive intrusion detection method for a cloud computing environment, characterised in that it comprises the following steps:
Step 1: the data pre-processing unit receives the packets of abnormal traffic in the cloud computing environment, performs regularisation pre-processing on the data in the packets to obtain a data stream file containing feature vectors, and sends the pre-processed packets to the database and to the packet detection unit respectively;
Step 2: the database receives and stores the data stream file with the feature vector data, and establishes a log record from the stored packets;
Step 3: a recognition rule base is established; the recognition rule base contains the characteristics of known intrusion behaviour;
Step 3: the packet detection unit performs rule matching against the information in the established recognition rule base; if a satisfied matching rule is found, it raises an alarm to the intrusion detection engine unit, the intrusion detection engine unit sends an instruction to the event handling unit according to the received alarm information, and the event handling unit, after receiving the instruction, sends an alarm and cuts off the network;
Step 4: if the packet detection unit finds no satisfied matching rule, this indicates that the attack type in the packet cannot be recognised, and the database forwards the packet information to the cloud reasoning learning module for an assessment of the intrusion possibility;
Step 5: cloud rules are established; when there is no network connection, the cloud cognitive inference engine uses the feature vector data in the database as training samples to establish the cloud rule database unit;
Step 6: the unrecognised attack type is judged; during the network connection the cloud cognitive inference engine receives the feature vector data of the packets whose attack type could not be recognised, uses the genetic-algorithm-based feature vector extraction algorithm to optimise the feature vector data and obtain the optimal intrusion feature vector, compares the intrusion feature vector with the established cloud rule database, activates multiple qualitative cloud rules, performs uncertain inference to determine the intrusion type, and sends the result to the intrusion detection engine unit;
Step 7: the intrusion feature vector and its determined type correct and update the cloud rules in the original cloud rule database, producing the updated cloud rule database.
Step 8: the intrusion feature vector is sent to the statistical analysis unit, which judges from the log record of the intrusion feature vector whether a network intrusion has occurred, sends the judgement result to the intrusion detection engine unit and the event handling unit, and at the same time sends the data information of the intrusion feature vector to the recognition rule base for updating;
Step 9: the intrusion detection engine unit receives the inference result from the cloud cognitive inference engine and the judgement result from the statistical analysis unit, and sends an instruction to the event handling unit;
Step 10: the event handling unit, after receiving the instruction from the intrusion detection engine unit and the statistical analysis unit, sends an alarm and cuts off the network.
2. The cognitive intrusion detection method for a cloud computing environment according to claim 1, characterised in that the feature vector extraction algorithm based on the genetic algorithm in step 6 comprises the following steps:
1) set the evolutionary generation g = 0 and generate an initial population P(g) of n individuals;
2) evaluate each individual in the population and compute its fitness f(x);
3) according to the fitness f(x), select two individuals from P(g) (the larger the fitness value, the greater the chance of being chosen as a parent); according to the crossover probability, let the two selected individuals cross to produce new offspring (if the crossover probability is 0, no crossover takes place and the offspring is an exact copy of the parent); then, according to the mutation probability, the newly generated offspring mutate at their respective loci; repeat these operations to produce new individuals, and form the individuals finally produced into the new population P(g+1);
4) take the newly produced population P(g+1) as the population for the subsequent evolutionary operations and set g = g + 1;
5) if the termination condition is met, the algorithm ends and returns the best individual in the current population, i.e. the optimal solution;
6) if the termination condition is not met, go back to step 2) and continue the genetic algorithm.
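As an added worked example (Python; not code from the patent or its applicant), the genetic-algorithm feature selection of claim 2: each chromosome is a bit-string over the packet features, the fitness f(x) is a wrapper score (leave-one-out 1-nearest-neighbour accuracy of the selected subset on standardised data, minus a small penalty per selected feature), and steps 1) to 6) are carried out with fitness-proportional parent selection, single-point crossover, per-locus mutation and elitism. The constructed dataset, the fitness function, the penalty, the elitism and the fixed-generation termination condition are all assumptions of this example; the patent specifies none of them.

```python
import random
from math import sqrt

# Constructed sample data (not from the patent): 40 flow records with 8 features.
# Features 0 (SYN packets/s) and 1 (failed logins/min) carry the signal, and only
# together: SYN floods raise feature 0, brute-force logins raise feature 1.
# Features 2..7 are uniform noise.  Label 1 = attack, 0 = normal.
def make_dataset(seed=7):
    rng = random.Random(seed)
    rows, labels = [], []
    for i in range(40):
        if i < 20:                                    # normal traffic
            syn, fails, label = rng.uniform(0, 50), rng.uniform(0, 3), 0
        elif i < 30:                                  # SYN flood
            syn, fails, label = rng.uniform(300, 500), rng.uniform(0, 3), 1
        else:                                         # password brute force
            syn, fails, label = rng.uniform(0, 50), rng.uniform(10, 20), 1
        rows.append([syn, fails] + [rng.uniform(0, 100) for _ in range(6)])
        labels.append(label)
    return rows, labels

def zscore(rows):
    """Standardise every column so that no feature dominates the distance."""
    n, d = len(rows), len(rows[0])
    means = [sum(r[j] for r in rows) / n for j in range(d)]
    stds = [sqrt(sum((r[j] - means[j]) ** 2 for r in rows) / n) or 1.0 for j in range(d)]
    return [[(r[j] - means[j]) / stds[j] for j in range(d)] for r in rows]

def loo_1nn_accuracy(rows, labels, subset):
    """Leave-one-out 1-nearest-neighbour accuracy using only the chosen features."""
    correct = 0
    for i, a in enumerate(rows):
        best_d, best_label = None, None
        for j, b in enumerate(rows):
            if i == j:
                continue
            d = sum((a[k] - b[k]) ** 2 for k in subset)
            if best_d is None or d < best_d:
                best_d, best_label = d, labels[j]
        correct += best_label == labels[i]
    return correct / len(rows)

class FeatureSelector:
    """Fitness f(x) of a chromosome x (one bit per feature): wrapper accuracy of the
    selected subset minus a small penalty per selected feature, memoised per subset."""
    def __init__(self, rows, labels, penalty=0.02):
        self.rows, self.labels, self.penalty = zscore(rows), labels, penalty
        self.cache = {}

    def fitness(self, chromosome):
        key = tuple(chromosome)
        if key not in self.cache:
            subset = [k for k, bit in enumerate(chromosome) if bit]
            acc = loo_1nn_accuracy(self.rows, self.labels, subset) if subset else 0.0
            self.cache[key] = acc - self.penalty * len(subset)
        return self.cache[key]

def genetic_select(selector, n_features, pop_size=24, generations=40,
                   p_cross=0.8, p_mut=0.08, seed=1):
    """Claim 2 steps 1)-6).  Termination condition (assumed): fixed generation count."""
    rng = random.Random(seed)
    # 1) g = 0: random initial population of n bit-strings
    pop = [[rng.randint(0, 1) for _ in range(n_features)] for _ in range(pop_size)]
    for _ in range(generations):
        # 2) evaluate the fitness of every individual
        ranked = sorted(((selector.fitness(c), c) for c in pop), reverse=True)
        fits = [f for f, _ in ranked]
        parents = [c for _, c in ranked]
        weights = [f - min(fits) + 1e-6 for f in fits]   # fitter => more likely parent
        new_pop = [parents[0][:]]                         # elitism: keep the best
        while len(new_pop) < pop_size:
            # 3) fitness-proportional selection of two parents, crossover, mutation
            p1, p2 = rng.choices(parents, weights, k=2)
            if rng.random() < p_cross:
                cut = rng.randint(1, n_features - 1)
                child = p1[:cut] + p2[cut:]
            else:
                child = p1[:]                             # p_cross = 0 => exact copy
            child = [bit ^ (rng.random() < p_mut) for bit in child]
            new_pop.append(child)
        pop = new_pop                                     # 4) P(g+1), g = g + 1
    # 5) termination: the best individual of the final population is the solution
    best = max(pop, key=selector.fitness)
    return [k for k, bit in enumerate(best) if bit], selector.fitness(best)

if __name__ == "__main__":
    rows, labels = make_dataset()
    print(genetic_select(FeatureSelector(rows, labels), n_features=8))
```

Selection pressure needs positive weights, hence the shift by the population minimum; memoising the fitness per subset matters in practice because the wrapper evaluation dominates run time and a converging population revisits the same subsets constantly. With these data the optimum is the pair {0, 1}: either feature alone leaves one attack family indistinguishable from normal traffic, and every noise feature costs the penalty and some accuracy.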
3. The cognitive intrusion detection method for a cloud computing environment according to claim 1, characterised in that the uncertain inference in step 6 comprises the following steps:
Step 1, for a group of unknown intrusion feature vectors (X1, X2, …, Xn) obtained after data preprocessing, each Xi activates rules according to the 3En principle: |Ex − Xi| < 3En;
Step 2, the normal cloud generator corresponding to each activated rule outputs a cloud drop (xi, yi) as its reasoning result;
Step 3, on the basis of the cloud drops (x1, y1), …, (xn, yn), the backward cloud generator obtains the numerical characteristics of the virtual cloud: Ex_ij, En_ij, He_ij;
Step 4, xi is then substituted into the virtual cloud to obtain its certainty degree;
Step 5, Steps 2 to 4 are repeated for each xi to obtain the corresponding certainty degrees;
Step 6, the intrusion type is determined according to the maximum certainty degree principle.
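The following added example (Python; not code from the patent or its applicant) serves both the claim-1 pipeline of steps 3 to 10 and the uncertain inference of claim 3. It implements the normal (forward) cloud generator, the backward cloud generator and the certainty degree of a normal cloud, the 3En activation rule with the maximum-certainty decision, and then a CognitiveIDS class that matches a packet record against a signature rule base first, hands unmatched records to the cloud inference, feeds the classified feature vector back into the rule base and records what the event handling unit would do. The cloud rules, signature thresholds, feature names, the min-over-features combination of per-feature certainties and the 10% tolerance of the learned signature are assumptions of the example; the patent's virtual-cloud step (a backward cloud over the drops of the activated rules) is shown as the stand-alone backward_cloud function rather than inside infer_type.

```python
import math
import random

# --- Cloud-model primitives used by claim 3 (normal cloud of Li Deyi's cloud model) ---
def forward_cloud(ex, en, he, n, rng):
    """Normal cloud generator: n cloud drops (x, mu) of the concept (Ex, En, He)."""
    drops = []
    for _ in range(n):
        en_prime = rng.gauss(en, he)                  # entropy blurred by hyper-entropy
        x = rng.gauss(ex, abs(en_prime))
        mu = math.exp(-(x - ex) ** 2 / (2 * en_prime ** 2)) if en_prime else 1.0
        drops.append((x, mu))
    return drops

def backward_cloud(xs):
    """Backward cloud generator (first-order absolute central moment estimator):
    recover (Ex, En, He) from drop positions.  He is clipped at 0 when the sample
    variance falls below En^2, which happens for small samples or small He."""
    n = len(xs)
    ex = sum(xs) / n
    en = math.sqrt(math.pi / 2) * sum(abs(x - ex) for x in xs) / n
    s2 = sum((x - ex) ** 2 for x in xs) / (n - 1)
    return ex, en, math.sqrt(max(s2 - en ** 2, 0.0))

def certainty(x, ex, en):
    """Certainty degree of x on the expectation curve of the cloud (Ex, En)."""
    return math.exp(-(x - ex) ** 2 / (2 * en ** 2))

# Constructed qualitative cloud rules: one (Ex, En, He) cloud per feature and intrusion
# type.  Values are illustrative assumptions, not numbers from the patent.
CLOUD_RULES = {
    "syn_flood":   {"syn_rate": (400.0, 60.0, 5.0), "failed_logins": (1.0, 1.0, 0.1)},
    "brute_force": {"syn_rate": (20.0, 10.0, 1.0),  "failed_logins": (15.0, 4.0, 0.5)},
    "port_scan":   {"syn_rate": (120.0, 30.0, 3.0), "failed_logins": (1.0, 1.0, 0.1)},
}

def activated_rules(vector, rules=CLOUD_RULES):
    """3En principle: a rule fires only if |Ex - x| < 3En holds for every feature."""
    return [name for name, clouds in rules.items()
            if all(abs(clouds[f][0] - vector[f]) < 3 * clouds[f][1] for f in clouds)]

def infer_type(vector, rules=CLOUD_RULES):
    """Uncertain inference: the certainty of the vector under an activated rule is the
    minimum of its per-feature certainties; the type with maximum certainty wins.
    Returns (None, 0.0) when no rule is activated."""
    best, best_mu = None, 0.0
    for name in activated_rules(vector, rules):
        mu = min(certainty(vector[f], ex, en) for f, (ex, en, _) in rules[name].items())
        if mu > best_mu:
            best, best_mu = name, mu
    return best, best_mu

# --- The claim-1 pipeline: signature rule base first, cloud inference for the rest ---
# Constructed signature rules for the recognition rule base (assumed thresholds).
SIGNATURES = [
    ("known_syn_flood", lambda r: r["features"]["syn_rate"] > 800),
    ("known_brute_force", lambda r: r["features"]["failed_logins"] > 50),
]

class CognitiveIDS:
    def __init__(self, signatures=SIGNATURES, cloud_rules=CLOUD_RULES):
        self.signatures = list(signatures)     # recognition rule base: (type, predicate)
        self.cloud_rules = cloud_rules
        self.events = []                       # (action, attack_type, source) per packet

    def handle(self, record):
        # Step 3: match the packet against the recognition rule base
        for name, matches in self.signatures:
            if matches(record):
                self.events.append(("alarm+cut_off", name, "signature"))
                return name
        # Steps 4-6: unknown type -> cloud cognitive inference engine
        attack_type, _ = infer_type(record["features"], self.cloud_rules)
        if attack_type is None:
            self.events.append(("log_only", None, "no_rule_activated"))
            return None
        # Steps 7-8: feed the classified vector back into the rule base as a new
        # signature (assumed form: every feature within 10% of the observed value)
        seen = dict(record["features"])
        self.signatures.append((attack_type, lambda r, s=seen: all(
            abs(r["features"][k] - v) <= 0.1 * max(abs(v), 1.0) for k, v in s.items())))
        # Steps 9-10: the engine instructs the event handling unit
        self.events.append(("alarm+cut_off", attack_type, "cloud_inference"))
        return attack_type

if __name__ == "__main__":
    ids = CognitiveIDS()
    for feats in ({"syn_rate": 380.0, "failed_logins": 0.5},
                  {"syn_rate": 25.0, "failed_logins": 12.0}):
        print(ids.handle({"features": feats}), ids.events[-1])
```

Two caveats the code makes visible: the 3En gate is a hard box, so a vector just outside 3En of every rule yields no decision at all and the pipeline can only log it, and the He estimate of the backward generator is the difference of two noisy squares and is clipped at zero, so certainty is computed from Ex and En only.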
4. The cognitive intrusion detection method for a cloud computing environment according to claim 1, characterised in that the statistical analysis unit in step 8 measures n variable values at any given moment and infers from them whether the system is under intrusion; each variable Ni (i = 1, 2, …, n) represents a feature of a different aspect of the system, including the number of SYN packets, the number of failed user logins, CPU usage and network traffic, and Mi (i = 1, 2, …, n) is the predicted expected value of the corresponding data under normal conditions; the detection function defined at time t is:
where λi > 0 are weights expressing the importance, i.e. the sensitivity, of each variable; the smaller F(t), the closer the communication process is to the normal state, and once F(t) exceeds a preset threshold a network intrusion is considered to have occurred.
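An added example (Python; not the patent's code) of the statistical analysis unit of claim 4 over constructed telemetry. The page does not reproduce the formula for F(t); the example therefore uses an assumed form, a λi-weighted sum of squared relative deviations of each measured Ni from its predicted normal value Mi, with Mi an exponentially weighted moving average of earlier non-alerting samples, and a fixed threshold. The variable names, weights, smoothing factor, threshold and telemetry values are illustrative assumptions.

```python
# Constructed per-second host/network telemetry (not from the page): six normal seconds,
# then a SYN flood during which login failures and CPU load also spike.
TELEMETRY = [
    {"syn_packets": 120, "failed_logins": 2, "cpu_percent": 35, "net_bytes": 800_000},
    {"syn_packets": 130, "failed_logins": 1, "cpu_percent": 37, "net_bytes": 820_000},
    {"syn_packets": 110, "failed_logins": 3, "cpu_percent": 33, "net_bytes": 790_000},
    {"syn_packets": 125, "failed_logins": 2, "cpu_percent": 36, "net_bytes": 810_000},
    {"syn_packets": 115, "failed_logins": 1, "cpu_percent": 34, "net_bytes": 805_000},
    {"syn_packets": 128, "failed_logins": 2, "cpu_percent": 38, "net_bytes": 815_000},
    {"syn_packets": 9000, "failed_logins": 40, "cpu_percent": 92, "net_bytes": 9_500_000},
    {"syn_packets": 9500, "failed_logins": 55, "cpu_percent": 95, "net_bytes": 9_900_000},
]

# lambda_i > 0: importance (sensitivity) weight of each variable N_i.  Assumed values.
LAMBDA = {"syn_packets": 1.0, "failed_logins": 2.0, "cpu_percent": 0.5, "net_bytes": 1.0}

class StatisticalAnalysisUnit:
    """Claim 4's unit with two assumptions the page does not state:
    * M_i(t), the predicted normal value, is an exponentially weighted moving average
      of past non-alerting samples;
    * F(t) = sum_i lambda_i * ((N_i(t) - M_i(t)) / max(M_i(t), eps))^2, a weighted sum
      of squared relative deviations (eps keeps near-zero baselines finite)."""

    def __init__(self, weights=LAMBDA, alpha=0.2, threshold=3.0, eps=1.0):
        self.weights, self.alpha, self.threshold, self.eps = weights, alpha, threshold, eps
        self.baseline = None                       # M_i, initialised from the first sample

    def detection_function(self, sample):
        """F(t) of one sample {variable: N_i(t)} against the current baseline."""
        return sum(self.weights[k] * ((sample[k] - self.baseline[k])
                                      / max(self.baseline[k], self.eps)) ** 2
                   for k in self.weights)

    def update(self, sample):
        """Return (F(t), intrusion_flag).  The baseline learns only from samples that did
        not alert, so a sustained attack cannot drag M_i towards itself."""
        if self.baseline is None:
            self.baseline = dict(sample)
            return 0.0, False
        f = self.detection_function(sample)
        intrusion = f > self.threshold
        if not intrusion:
            for k in self.weights:
                self.baseline[k] = (1 - self.alpha) * self.baseline[k] + self.alpha * sample[k]
        return f, intrusion

def run(samples, unit=None):
    """Feed a telemetry sequence through the unit; returns [(t, F(t), flag), ...]."""
    unit = unit or StatisticalAnalysisUnit()
    return [(t, *unit.update(s)) for t, s in enumerate(samples)]

if __name__ == "__main__":
    for t, f, flag in run(TELEMETRY):
        print(f"t={t:2d}  F(t)={f:10.2f}  {'INTRUSION' if flag else 'normal'}")
```

Freezing the baseline while F(t) is above threshold is the detail that keeps a long-running flood from becoming the new normal; with a plain moving average an attacker who ramps up slowly can stay under the threshold at every step. The relative form also means low-count variables such as failed logins are sensitive by construction, which is the reason for the eps floor and for giving the threshold some headroom.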
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710096368.6A CN107040517B (en) | 2017-02-22 | 2017-02-22 | Cognitive intrusion detection method oriented to cloud computing environment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710096368.6A CN107040517B (en) | 2017-02-22 | 2017-02-22 | Cognitive intrusion detection method oriented to cloud computing environment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107040517A (en) | 2017-08-11 |
CN107040517B (en) | 2020-01-10 |
Family ID: 59533553
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710096368.6A Active CN107040517B (en) | 2017-02-22 | 2017-02-22 | Cognitive intrusion detection method oriented to cloud computing environment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107040517B (en) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030113727A1 (en) * | 2000-12-06 | 2003-06-19 | Girn Kanwaljit Singh | Family history based genetic screening method and apparatus |
CN101924762A (en) * | 2010-08-18 | 2010-12-22 | 奇智软件(北京)有限公司 | Cloud security-based active defense method |
CN102111420A (en) * | 2011-03-16 | 2011-06-29 | 上海电机学院 | Intelligent NIPS framework based on dynamic cloud/fire wall linkage |
CN102123396A (en) * | 2011-02-14 | 2011-07-13 | 恒安嘉新(北京)科技有限公司 | Cloud detection method of virus and malware of mobile phone based on communication network |
CN102663284A (en) * | 2012-03-21 | 2012-09-12 | 南京邮电大学 | Malicious code identification method based on cloud computing |
CN102724176A (en) * | 2012-02-23 | 2012-10-10 | 北京市计算中心 | Intrusion detection system facing cloud calculating environment |
CN104753920A (en) * | 2015-03-01 | 2015-07-01 | 江西科技学院 | Quantum genetic algorithm based intrusion detection method |
Application events: 2017-02-22, CN application CN201710096368.6A filed; granted as CN107040517B; status Active.
Cited By (24)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107623691A (en) * | 2017-09-29 | 2018-01-23 | 长沙市智为信息技术有限公司 | A kind of ddos attack detecting system and method based on reverse transmittance nerve network algorithm |
CN107612948A (en) * | 2017-11-08 | 2018-01-19 | 国网四川省电力公司信息通信公司 | A kind of intrusion prevention system and method |
CN107992746B (en) * | 2017-12-14 | 2021-06-25 | 华中师范大学 | Malicious behavior mining method and device |
CN107835201A (en) * | 2017-12-14 | 2018-03-23 | 华中师范大学 | Network attack detecting method and device |
CN107992746A (en) * | 2017-12-14 | 2018-05-04 | 华中师范大学 | Malicious act method for digging and device |
CN108183902A (en) * | 2017-12-28 | 2018-06-19 | 北京奇虎科技有限公司 | A kind of recognition methods of malicious websites and device |
CN108183902B (en) * | 2017-12-28 | 2021-10-22 | 北京奇虎科技有限公司 | Malicious website identification method and device |
CN109756478A (en) * | 2018-11-28 | 2019-05-14 | 国网江苏省电力有限公司南京供电分公司 | A kind of abnormal multistage standby blocking-up method of industrial control system attack considering priority |
CN109547455A (en) * | 2018-12-06 | 2019-03-29 | 南京邮电大学 | Industrial Internet of Things anomaly detection method, readable storage medium storing program for executing and terminal |
CN110324348A (en) * | 2019-07-08 | 2019-10-11 | 陈浩 | A kind of information security of computer network monitoring system |
CN110417823B (en) * | 2019-09-25 | 2020-04-14 | 广东电网有限责任公司佛山供电局 | Communication network intrusion detection method based on embedded feature selection architecture |
CN110417823A (en) * | 2019-09-25 | 2019-11-05 | 广东电网有限责任公司佛山供电局 | A kind of communication network intrusion detection method based on embedded feature selecting framework |
CN112653651A (en) * | 2019-10-11 | 2021-04-13 | 四川无国界信息技术有限公司 | Vulnerability mining method based on cloud computing |
CN112866175B (en) * | 2019-11-12 | 2022-08-19 | 华为技术有限公司 | Method, device, equipment and storage medium for reserving abnormal traffic types |
CN112866175A (en) * | 2019-11-12 | 2021-05-28 | 华为技术有限公司 | Method, device, equipment and storage medium for reserving abnormal traffic types |
CN113065127A (en) * | 2021-02-24 | 2021-07-02 | 山东英信计算机技术有限公司 | Database protection method, system and medium |
CN113065127B (en) * | 2021-02-24 | 2022-09-20 | 山东英信计算机技术有限公司 | Database protection method, system and medium |
CN114154160A (en) * | 2022-02-08 | 2022-03-08 | 中国电子信息产业集团有限公司第六研究所 | Container cluster monitoring method and device, electronic equipment and storage medium |
CN114154160B (en) * | 2022-02-08 | 2022-09-16 | 中国电子信息产业集团有限公司第六研究所 | Container cluster monitoring method and device, electronic equipment and storage medium |
CN115118500A (en) * | 2022-06-28 | 2022-09-27 | 深信服科技股份有限公司 | Attack behavior rule obtaining method and device and electronic equipment |
CN115118500B (en) * | 2022-06-28 | 2023-11-07 | 深信服科技股份有限公司 | Attack behavior rule acquisition method and device and electronic equipment |
CN116168805A (en) * | 2023-01-20 | 2023-05-26 | 北京瑞帆科技有限公司 | Thinking training device and cognitive training system for cognitive training |
CN117273571A (en) * | 2023-10-12 | 2023-12-22 | 江苏泓鑫科技有限公司 | Intelligent port operation data management system and method based on blockchain |
CN117273571B (en) * | 2023-10-12 | 2024-04-02 | 江苏泓鑫科技有限公司 | Intelligent port operation data management system and method based on blockchain |
Also Published As
Publication number | Publication date |
---|---|
CN107040517B (en) | 2020-01-10 |
Similar Documents
Publication | Title |
---|---|
CN107040517A (en) | A kind of cognitive intrusion detection method towards cloud computing environment |
Ullah et al. | A two-level hybrid model for anomalous activity detection in IoT networks |
Haddadi et al. | Benchmarking the effect of flow exporters and protocol filters on botnet traffic classification |
Amini et al. | RT-UNNID: A practical solution to real-time network-based intrusion detection using unsupervised neural networks |
Liao et al. | Peer to peer botnet detection using data mining scheme |
Kostas | Anomaly detection in networks using machine learning |
Le et al. | Data analytics on network traffic flows for botnet behaviour detection |
Sherazi et al. | DDoS attack detection: A key enabler for sustainable communication in internet of vehicles |
Soe et al. | Rule generation for signature based detection systems of cyber attacks in IoT environments |
Haddadi et al. | Botnet behaviour analysis using IP flows: with HTTP filters using classifiers |
Staudemeyer et al. | Extracting salient features for network intrusion detection using machine learning methods |
Mehibs et al. | Proposed network intrusion detection system in cloud environment based on back propagation neural network |
El-Alfy et al. | A multicriterion fuzzy classification method with greedy attribute selection for anomaly-based intrusion detection |
Pan et al. | Anomaly based intrusion detection for building automation and control networks |
Ahmed et al. | Intrusion Detection System in Software-Defined Networks Using Machine Learning and Deep Learning Techniques: A Comprehensive Survey |
Akbar et al. | Intrusion detection system methodologies based on data analysis |
Fallahi et al. | Automated flow-based rule generation for network intrusion detection systems |
Fenil et al. | Towards a secure software defined network with adaptive mitigation of DDoS attacks by machine learning approaches |
Shah et al. | Intelligent intrusion detection system through combined and optimized machine learning |
Lu et al. | Botnets detection based on IRC-community |
Manandhar et al. | Towards practical anomaly-based intrusion detection by outlier mining on TCP packets |
Tran | Network anomaly detection |
Naidu et al. | An effective approach to network intrusion detection system using genetic algorithm |
Nguyen | A scheme for building a dataset for intrusion detection systems |
Mukkamala et al. | Hybrid multi-agent framework for detection of stealthy probes |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| CB02 | Change of applicant information | Address after: No. 9 Wenyuan Road, Qixia District, Nanjing, Jiangsu Province, 210023; applicant after: Nanjing Post & Telecommunication Univ. Address before: No. 66 New Model Road, Gulou District, Nanjing, Jiangsu, 210003; applicant before: Nanjing Post & Telecommunication Univ. |
| GR01 | Patent grant | |