CN107040517A - A cognitive intrusion detection method for cloud computing environments - Google Patents

Info

Publication number
CN107040517A
Authority
CN
China
Prior art keywords
cloud
unit
data
rule
cognitive
Prior art date
Legal status
Granted
Application number
CN201710096368.6A
Other languages
Chinese (zh)
Other versions
CN107040517B (en)
Inventor
亓晋
孙雁飞
谭虹
郭阳
王堃
Current Assignee
Nanjing Post and Telecommunication University
Nanjing University of Posts and Telecommunications
Original Assignee
Nanjing Post and Telecommunication University
Priority date
Filing date
Publication date
Application filed by Nanjing Post and Telecommunication University
Priority to CN201710096368.6A
Publication of CN107040517A
Application granted
Publication of CN107040517B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a cognitive intrusion detection method for cloud computing environments. The system comprises a data pre-processing unit, a packet detection unit, a database, a recognition rule base, an intrusion detection engine unit, an event handling unit, a cloud cognitive inference engine and a statistical analysis unit. In the cloud cognitive inference learning module the feature vectors are optimised with a genetic algorithm, so that the required training time and monitoring time are shorter than with other methods; secondly, the real-time online detection capability is stronger; and finally, by making full use of the large-scale parallel computing and big-data processing capacity of the cloud computing environment, computing power is greatly increased and the system is made safer and more efficient.

Description

A cognitive intrusion detection method for cloud computing environments
Technical field
The invention belongs to the field of cloud computing, and in particular to a cognitive intrusion detection method for cloud computing environments.
Background technology
Cloud computing has become a hot topic in the IT industry, but its development also faces many key problems, of which security is the most pressing; as cloud computing spreads, the importance of security rises steadily and has become a central factor restricting its development. The challenge of cloud security has three aspects: (1) data security, including data encryption and decryption, access control and transmission security; (2) service security, including server security, secure single sign-on, identity authentication and trust models; (3) the security monitoring system, which defends against and prevents malicious intrusions and protects the data and privacy of all users, and is a vital part of cloud security.
Traditional passive defence methods cannot judge and block network attacks in time; they lack the cognitive ability to recognise known or unknown security attacks, are not real-time, and are not intelligent enough for the cloud computing environment. A more active, a-priori cognitive intrusion detection method is therefore needed in cloud computing environments, in order to rapidly identify, warn of and protect against security attacks.
Prior-art document one (application number 201510870283.X) provides an intrusion detection method based on cloud computing: the intrusion detection function is moved from the traditional host side to the cloud and provided there in the form of a service. Its core intrusion detection analysis service is placed in the cloud and is updated and maintained by the professional network security team of the cloud service provider, which simplifies the host side and reduces maintenance cost. Its main process is shown in Fig. 1. The document is a basic patent for Internet intrusion detection: for an intrusion detection system, basing it on the cloud computing environment gives the system the advantage of sharing the data sets of the cloud database. The shortcomings of this technique are: (1) the intrusion detection engine, the intrusion detection comparison rule base and the analysis of detection are not specifically described; (2) there is no recognition capability for the possible unknown-class intrusion behaviour obtained from the comparison, and no corresponding solution is given; it is simply treated as new intrusion behaviour, so the method has no cognitive ability for unknown attacks.
Document two (application number 201610049716.X) provides an autonomous-analysis intrusion detection method in a cloud computing environment: the intrusion detection device detects pre-processed packets of abnormal network traffic in real time using an improved BP neural network, then identifies the abnormal data and performs feature extraction on the unknown intrusion behaviour obtained, so that the new type of intrusion behaviour is recognised next time; it proposes the idea of autonomous analysis and detection, and the spreading rate is high. Its main process is shown in Fig. 2. The document is one of the more advanced patents for Internet intrusion detection: for an intrusion detection system based on the cloud computing environment, both known and unknown types of intrusion behaviour can be detected and fed back in time to supplement the cloud database, improving the detection and defence functions of the system. The shortcoming of this technique is that the method of extracting the feature values of unknown intrusion behaviour still has room for improvement, in order to raise the speed and security of the system.
The content of the invention
Aimed at the problems that the passive defence strategy of the traditional Intrusion Detection System (IDS) model cannot judge and prevent known or unknown security attacks in time and that the danger coefficient of the system is large, an intrusion detection system with cognitive ability for cloud computing is proposed. The concrete scheme is as follows: a cognitive intrusion detection method for cloud computing environments, comprising the following steps:
Step 1, the data pre-processing unit receives packets of abnormal traffic in the cloud computing environment, performs regularisation pre-processing on the data in the packets so as to obtain a data file package containing the feature vectors, and sends the pre-processed packets to the database and to the packet detection unit respectively;
Step 2, the database receives and stores the data file package with the feature vector data, and creates log records according to the stored packets;
Step 3, a recognition rule base is established, which contains the feature data of known intrusion behaviour;
Step 3, the packet detection unit performs rule matching according to the information in the established recognition rule base; if a matching rule is found, it raises an alarm to the intrusion detection engine unit, the intrusion detection engine unit sends an instruction to the event handling unit according to the alarm information received, and the event handling unit, after receiving the instruction, raises the alarm and cuts off the network connection;
Step 4, if the packet detection unit finds no matching rule, the attack type in the packet cannot be recognised, and the database forwards the information of the packet to the cloud reasoning learning module for an assessment of the intrusion possibility;
Step 5, cloud rules are established: when there is no network connection, the cloud cognitive inference engine uses the feature vector data stored in the database as training samples to build the cloud rule database;
Step 6, the unrecognised attack type is judged: while the network is connected, the cloud cognitive inference engine receives the feature vector data of the packets whose attack type could not be recognised and applies the genetic-algorithm-based feature vector extraction algorithm to the feature vector data to obtain the optimal intrusion feature vector; the intrusion feature vector is compared with the established cloud rule database, several qualitative cloud rules are activated, the cloud cognitive inference engine performs uncertain inference to determine the intrusion type, and the result is sent to the intrusion detection engine unit;
Step 7, the intrusion feature vector with its type corrected is sent to the original cloud rule database, and the cloud rule database is updated.
Step 8, the intrusion feature vector is sent to the statistical analysis unit; the statistical analysis unit judges from the log records of the intrusion feature vector whether a network intrusion is constituted and sends the judgement result to the intrusion detection engine unit and the event handling unit; at the same time the data of the intrusion feature vector is sent to the recognition rule base, which is updated;
Step 9, the intrusion detection engine unit receives the inference result from the cloud cognitive inference engine and the judgement result from the statistical analysis unit, and sends an instruction to the event handling unit;
Step 10, the event handling unit, after receiving the instructions from the intrusion detection engine unit and the statistical analysis unit, raises an alarm and cuts off the network connection.
Further, the genetic-algorithm-based feature vector extraction algorithm in step 6 comprises the following steps:
1) set the evolutionary generation g = 0 and generate an initial population P(g) containing n individuals;
2) evaluate each individual in the population and compute its fitness f(x);
3) according to the individual fitness f(x), select two individuals from P(g) as parents (the larger the fitness value, the greater the chance of being selected); according to the crossover probability, let the two selected individuals cross to produce new offspring (if the crossover probability is 0, i.e. there is no crossover, the offspring are exact copies of the parents); then, according to the mutation probability, the newly produced offspring mutate at their respective loci; repeat the above steps to produce new individuals, and form the individuals finally produced into the new population P(g+1);
4) take the newly produced population P(g+1) as the population for the subsequent evolutionary operations and set the evolutionary generation g = g + 1;
5) if the termination condition is met, the algorithm ends and returns the best individual in the current population, i.e. the optimal solution;
6) if the termination condition is not met, go back to step 2) and continue the genetic algorithm.
Further, the uncertain inference in step 6 comprises the following steps:
Step1, a group of unknown intrusion feature vectors (X1, X2, …, Xn) is obtained after data pre-processing; each Xi activates rules according to the 3En principle: |Ex − Xi| < 3En;
Step2, each activated rule corresponds to a normal cloud generator, whose reasoning outputs a cloud drop (xi, yi);
Step3, on the basis of the cloud drops (x1, y1), …, (xn, yn), the backward cloud generator obtains the numerical features of the virtual cloud: Exij, Enij, Heij;
Step4, xi is then substituted into the virtual cloud to obtain its degree of certainty;
Step5, Steps 2-5 are repeated for each xi, obtaining the corresponding degree of certainty for each;
Step6, the intrusion type is determined according to the maximum-certainty principle.
Further, in step 8 the statistical analysis unit measures n variable values at any given moment and reasons over them to judge whether the system has been intruded. Each variable Ni (i = 1, 2, …, n) represents a feature of a different aspect of the system, such as the number of SYN packets, the number of failed user logins, CPU usage and network traffic; Mi (i = 1, 2, …, n) is the predicted expected value of the corresponding data under normal conditions. The detection function defined at time t is:
where λi > 0 is a weight reflecting the importance, i.e. the sensitivity, of variable i. The smaller F(t), the closer the communication process is to the normal situation; once F(t) exceeds a preset threshold, a network intrusion is deemed to have occurred.
Compared with the prior art, the cloud cognitive inference learning module of the present invention optimises the feature vectors with a genetic algorithm, so that the required training time and monitoring time are shorter than with other methods; secondly, the real-time online detection capability is stronger; and finally, by making full use of the large-scale parallel computing and big-data processing capacity of the cloud computing environment, computing power is greatly increased and the system is made safer and more efficient.
Brief description of the drawings
Fig. 1 is the flow chart of the cloud-computing-based intrusion detection method of document one;
Fig. 2 is the flow chart of the autonomous-analysis intrusion detection method in the cloud computing environment of document two;
Fig. 3 is the flow chart of the cognitive intrusion detection method for cloud computing;
Fig. 4 is the block diagram of the genetic-algorithm-based feature vector extraction algorithm;
Fig. 5 is the block diagram of the reasoning algorithm of the cloud cognitive inference engine.
Embodiment
Embodiment 1
As shown in Fig. 1, an intrusion detection system with cognitive ability for cloud computing comprises a cognition detection module: data pre-processing is responsible for collecting the data stream in the network and generating a data stream file of a certain format. Packet detection performs packet detection on the pre-processed data stream and judges, according to the established recognition rule base, whether the data stream is a known attack form; for known attacks, an attack signature satisfying a certain rule is established, containing the processing mode, transport layer protocol type, application layer protocol type, port number, IP address range, remark information and so on.
Cloud cognitive inference learning module: the cloud reasoning learning module assesses the intrusion possibility. The input of the inference engine has two parts. One is during intrusion detection (online judgement): the collector supplies the collected network feature vectors to the cloud cognitive inference engine for analysis and reasoning. Since the collector gathers a great many feature vectors while the network is connected, in order to handle the massive connection data of the cloud computing environment quickly, the feature vectors are optimised with a genetic algorithm, and the optimal feature individuals are selected according to a fitness value based on a high detection rate and a low false alarm rate. The other is during sample training (offline learning): the collector stores the pre-processed information in the database, providing information to the cloud cognitive inference engine, which then assesses the intrusion possibility using cloud computing.
Statistical analysis processing module: it analyses the log records of the virtual organisation in real time to find abnormal events. The intrusion detection engine integrates the alarm information of each system, after which the event processing module analyses it and issues instructions, completing work such as alarming and cutting off connections.
The cognition detection module comprises the data pre-processing unit, the packet detection unit, the intrusion detection engine unit and the database; the cloud cognitive inference learning module comprises the cloud cognitive inference engine and the cloud rule unit; the statistical analysis processing module comprises the statistical analysis unit and the event handling unit.
The data pre-processing unit is connected to the packet detection unit and to the database respectively; the packet detection unit is connected to the intrusion detection engine unit; the intrusion detection engine unit is connected to the event handling unit; the database is connected to the cloud rule unit; the cloud rule unit and the cloud cognitive inference engine are connected to each other; the cloud cognitive inference engine is connected to the cloud rule unit, the intrusion detection engine unit and the statistical analysis unit respectively; the statistical analysis unit is connected to the recognition rule base, the event handling unit and the intrusion detection engine unit respectively; and the cognitive recognition rule base is connected to the packet detection unit.
As shown in Fig. 1, Fig. 2 and Fig. 3, a cognitive intrusion detection method for cloud computing environments based on the above system comprises the following steps:
Step 1, the data pre-processing unit receives packets of abnormal traffic in the cloud computing environment, performs regularisation pre-processing on the data in the packets so as to obtain a data file package containing the feature vectors, and sends the pre-processed packets to the database and to the packet detection unit respectively;
Step 2, the database receives and stores the data file package with the feature vector data, and creates log records according to the stored packets;
Step 3, a recognition rule base is established, which contains the feature data of known intrusion behaviour;
Step 3, the packet detection unit performs rule matching according to the information in the established recognition rule base; if a matching rule is found, it raises an alarm to the intrusion detection engine unit, the intrusion detection engine unit sends an instruction to the event handling unit according to the alarm information received, and the event handling unit, after receiving the instruction, raises the alarm and cuts off the network connection;
Step 4, if the packet detection unit finds no matching rule, the attack type in the packet cannot be recognised, and the database forwards the information of the packet to the cloud reasoning learning module for an assessment of the intrusion possibility;
Step 5, cloud rules are established: when there is no network connection, the cloud cognitive inference engine uses the feature vector data stored in the database as training samples to build the cloud rule database;
Step 6, the unrecognised attack type is judged: while the network is connected, the cloud cognitive inference engine receives the feature vector data of the packets whose attack type could not be recognised and applies the genetic-algorithm-based feature vector extraction algorithm to the feature vector data to obtain the optimal intrusion feature vector; the intrusion feature vector is compared with the established cloud rule database, several qualitative cloud rules are activated, the cloud cognitive inference engine performs uncertain inference to determine the intrusion type, and the result is sent to the intrusion detection engine unit;
The genetic-algorithm-based feature vector extraction algorithm in step 6 comprises the following steps:
1) set the evolutionary generation g = 0 and generate an initial population P(g) containing n individuals;
2) evaluate each individual in the population and compute its fitness f(x);
3) according to the individual fitness f(x), select two individuals from P(g) as parents (the larger the fitness value, the greater the chance of being selected); according to the crossover probability, let the two selected individuals cross to produce new offspring (if the crossover probability is 0, i.e. there is no crossover, the offspring are exact copies of the parents); then, according to the mutation probability, the newly produced offspring mutate at their respective loci; repeat the above steps to produce new individuals, and form the individuals finally produced into the new population P(g+1);
4) take the newly produced population P(g+1) as the population for the subsequent evolutionary operations and set the evolutionary generation g = g + 1;
5) if the termination condition is met, the algorithm ends and returns the best individual in the current population, i.e. the optimal solution;
6) if the termination condition is not met, go back to step 2) and continue the genetic algorithm.
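The six genetic-algorithm steps above (and their first statement in the summary of the invention), worked as an added example that is not the patent's own code: an individual is a bit mask over the feature vector, fitness rewards a high detection rate and a low false alarm rate as the description states, and the classifier inside the fitness function, the constructed sample data and the fixed-generation termination condition are assumptions.

```python
import random
from typing import List, Sequence, Tuple

Record = Tuple[List[float], int]  # (feature vector, label: 1 = attack, 0 = normal)


def make_dataset(n: int, rng: random.Random) -> List[Record]:
    """Constructed sample records. Features 0 and 1 separate attack from
    normal traffic; features 2..5 are noise the GA should learn to discard."""
    data = []
    for i in range(n):
        label = i % 2
        shift = 5.0 if label else 0.0
        vec = [shift + rng.gauss(0.0, 1.0), shift + rng.gauss(0.0, 1.0)]
        vec += [rng.gauss(0.0, 3.0) for _ in range(4)]
        data.append((vec, label))
    return data


def detection_rates(mask: Sequence[int], train: List[Record],
                    test: List[Record]) -> Tuple[float, float]:
    """Nearest-centroid classifier restricted to the features selected by
    `mask` (an assumed stand-in for the detector). Returns
    (detection rate, false-alarm rate) measured on the test records."""
    feats = [i for i, bit in enumerate(mask) if bit]
    if not feats:
        return 0.0, 1.0  # selecting no feature is the worst possible individual
    centroids = {}
    for label in (0, 1):
        rows = [v for v, y in train if y == label]
        centroids[label] = [sum(v[f] for v in rows) / len(rows) for f in feats]
    tp = fn = fp = tn = 0
    for vec, y in test:
        dist = {lab: sum((vec[f] - c[k]) ** 2 for k, f in enumerate(feats))
                for lab, c in centroids.items()}
        pred = 1 if dist[1] < dist[0] else 0
        if y == 1:
            tp += pred
            fn += 1 - pred
        else:
            fp += pred
            tn += 1 - pred
    return tp / (tp + fn), fp / (fp + tn)


def fitness(mask: Sequence[int], train: List[Record], test: List[Record]) -> float:
    """f(x): a high detection rate and a low false-alarm rate score best.
    Clamped at 0 so that roulette-wheel selection stays well defined."""
    dr, far = detection_rates(mask, train, test)
    return max(dr - far, 0.0)


def select_parent(pop: List[List[int]], fits: List[float],
                  rng: random.Random) -> List[int]:
    """Fitness-proportional selection: the larger f(x), the larger the chance."""
    total = sum(fits)
    if total == 0.0:
        return rng.choice(pop)
    r = rng.uniform(0.0, total)
    acc = 0.0
    for ind, f in zip(pop, fits):
        acc += f
        if acc >= r:
            return ind
    return pop[-1]


def ga_select_features(train: List[Record], test: List[Record], n_feat: int,
                       pop_size: int = 20, pc: float = 0.8, pm: float = 0.05,
                       max_gen: int = 30, seed: int = 1) -> Tuple[List[int], float]:
    """Steps 1)-6): termination condition is g == max_gen (an assumption)."""
    rng = random.Random(seed)
    g = 0
    pop = [[rng.randint(0, 1) for _ in range(n_feat)] for _ in range(pop_size)]  # 1)
    best, best_fit = [0] * n_feat, -1.0
    while True:
        fits = [fitness(m, train, test) for m in pop]  # 2) evaluate P(g)
        for m, f in zip(pop, fits):
            if f > best_fit:
                best, best_fit = list(m), f
        if g >= max_gen:  # 5) termination condition met: return the optimum
            return best, best_fit
        new_pop: List[List[int]] = []
        while len(new_pop) < pop_size:  # 3) selection, crossover, mutation
            p1 = select_parent(pop, fits, rng)
            p2 = select_parent(pop, fits, rng)
            if rng.random() < pc:
                cut = rng.randint(1, n_feat - 1)
                c1, c2 = p1[:cut] + p2[cut:], p2[:cut] + p1[cut:]
            else:  # no crossover: offspring are exact copies of the parents
                c1, c2 = list(p1), list(p2)
            for child in (c1, c2):
                for k in range(n_feat):
                    if rng.random() < pm:
                        child[k] ^= 1  # mutation at locus k
                new_pop.append(child)
        pop = new_pop[:pop_size]  # 4) P(g+1) becomes the working population
        g += 1                    # 6) condition not met: next generation
```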
The original cloud rules can be corrected and updated according to the calculation results of the above steps, to improve the adaptability of intrusion detection to current network conditions.
The uncertain inference in step 6 comprises the following steps:
Step1, a group of unknown intrusion feature vectors (X1, X2, …, Xn) is obtained after data pre-processing; each Xi activates rules according to the 3En principle: |Ex − Xi| < 3En;
Step2, each activated rule corresponds to a normal cloud generator, whose reasoning outputs a cloud drop (xi, yi);
Step3, on the basis of the cloud drops (x1, y1), …, (xn, yn), the backward cloud generator obtains the numerical features of the virtual cloud: Exij, Enij, Heij;
Step4, xi is then substituted into the virtual cloud to obtain its degree of certainty;
Step5, Steps 2-5 are repeated for each xi, obtaining the corresponding degree of certainty for each;
Step6, the intrusion type is determined according to the maximum-certainty principle.
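The six inference steps above (stated once in the summary and again here), worked as an added example that is not the patent's own code. Each cloud rule is an (Ex, En, He) triple per feature; the 3En activation test, the normal (forward) cloud generator, the backward cloud generator's moment estimates, the certainty read off the expectation curve, and the averaging of per-feature certainties into a per-type score are the assumptions; the rule base and the feature vector are constructed.

```python
import math
import random
from typing import Dict, List, Sequence, Tuple

Drop = Tuple[float, float]              # cloud drop (x, y): value and its certainty
CloudNums = Tuple[float, float, float]  # (Ex, En, He): expectation, entropy, hyper-entropy


def activates(x: float, ex: float, en: float) -> bool:
    """3En principle: feature value x activates a rule when |Ex - x| < 3En."""
    return abs(ex - x) < 3.0 * en


def forward_cloud(cloud: CloudNums, n: int, rng: random.Random) -> List[Drop]:
    """Normal cloud generator: draw En' ~ N(En, He^2), then x ~ N(Ex, En'^2)
    and the drop's certainty y = exp(-(x - Ex)^2 / (2 En'^2))."""
    ex, en, he = cloud
    drops = []
    for _ in range(n):
        en_prime = max(abs(rng.gauss(en, he)), 1e-9)  # guard against En' = 0
        x = rng.gauss(ex, en_prime)
        y = math.exp(-((x - ex) ** 2) / (2.0 * en_prime ** 2))
        drops.append((x, y))
    return drops


def backward_cloud(drops: Sequence[Drop]) -> CloudNums:
    """Backward cloud generator: recover (Ex, En, He) from the drops' x values
    with the moment estimates Ex = mean, En = sqrt(pi/2) * mean|x - Ex|,
    He = sqrt(|S^2 - En^2|) (assumed estimator; the patent names none)."""
    xs = [x for x, _ in drops]
    n = len(xs)
    ex = sum(xs) / n
    en = math.sqrt(math.pi / 2.0) * sum(abs(x - ex) for x in xs) / n
    s2 = sum((x - ex) ** 2 for x in xs) / (n - 1)
    he = math.sqrt(abs(s2 - en ** 2))
    return ex, en, he


def certainty(x: float, cloud: CloudNums) -> float:
    """Degree of certainty of x in a cloud, read off the expectation curve
    exp(-(x - Ex)^2 / (2 En^2)) (assumption: He is not re-sampled here)."""
    ex, en, _ = cloud
    return math.exp(-((x - ex) ** 2) / (2.0 * en ** 2))


def infer_type(features: Sequence[float], rules: Dict[str, List[CloudNums]],
               rng: random.Random, drops_per_rule: int = 200) -> Tuple[str, Dict[str, float]]:
    """Steps 1-6: for each feature x_i and intrusion type j, activate the rule
    by the 3En principle, generate drops, fit the virtual cloud
    (Ex_ij, En_ij, He_ij), take the certainty of x_i in it, and choose the
    type with the maximum certainty. Per-type scores average the per-feature
    certainties (assumption: the patent does not state the aggregation)."""
    scores: Dict[str, float] = {}
    for itype, clouds in rules.items():
        total = 0.0
        for x, cloud in zip(features, clouds):
            if not activates(x, cloud[0], cloud[1]):
                continue  # rule not activated: contributes no certainty
            virtual = backward_cloud(forward_cloud(cloud, drops_per_rule, rng))
            total += certainty(x, virtual)
        scores[itype] = total / len(features)
    best = max(scores, key=lambda t: scores[t])
    return best, scores


# Constructed cloud rule base: one (Ex, En, He) per feature for each type.
# Features (normalised to [0, 1]): SYN packet rate, distinct ports touched,
# failed-login rate. Values are illustrative, not taken from the patent.
RULES: Dict[str, List[CloudNums]] = {
    "DOS":   [(0.90, 0.05, 0.01), (0.10, 0.05, 0.01), (0.00, 0.05, 0.01)],
    "PROBE": [(0.30, 0.05, 0.01), (0.90, 0.05, 0.01), (0.00, 0.05, 0.01)],
    "R2L":   [(0.05, 0.05, 0.01), (0.10, 0.05, 0.01), (0.80, 0.10, 0.02)],
}

if __name__ == "__main__":
    sample = [0.85, 0.12, 0.02]  # constructed unrecognised feature vector
    print(infer_type(sample, RULES, random.Random(1)))
```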
Step 7, the intrusion feature vector with its type corrected is sent to the original cloud rule database, and the cloud rule database is updated.
Step 8, the intrusion feature vector is sent to the statistical analysis unit; the statistical analysis unit judges from the log records of the intrusion feature vector whether a network intrusion is constituted and sends the judgement result to the intrusion detection engine unit and the event handling unit; at the same time the data of the intrusion feature vector is sent to the recognition rule base, which is updated;
In step 8 the statistical analysis unit measures n variable values at any given moment and reasons over them to judge whether the system has been intruded. Each variable Ni (i = 1, 2, …, n) represents a feature of a different aspect of the system, such as the number of SYN packets, the number of failed user logins, CPU usage and network traffic, and Mi (i = 1, 2, …, n) is the predicted expected value of the corresponding data under normal conditions. The detection function defined at time t is:
where λi > 0 is a weight reflecting the importance, i.e. the sensitivity, of variable i. The smaller F(t), the closer the communication process is to the normal situation; once F(t) exceeds a preset threshold, a network intrusion is deemed to have occurred.
Step 9, the intrusion detection engine unit receives the inference result from the cloud cognitive inference engine and the judgement result from the statistical analysis unit, and sends an instruction to the event handling unit;
Step 10, the event handling unit, after receiving the instructions from the intrusion detection engine unit and the statistical analysis unit, raises an alarm and cuts off the network connection.
Unlike a traditional intrusion detection system, the intrusion detection system with cognitive ability for cloud computing (CIDCC for short) no longer uses one-to-one matching, i.e. a single feature match activating a single rule; instead, when the collected intrusion feature vector is input, several qualitative cloud intrusion rules are activated, the cloud cognitive inference engine then performs association reasoning with uncertainty, and the discrimination result is output to the intrusion detection engine for the corresponding decision.
After a network connection starts, the data stream in the network is intercepted inside the intrusion detection system of the network firewall and data pre-processing is performed, i.e. the data stream in the network is collected and a data file package of a certain format is generated. The packet detection module then performs packet detection on the pre-processed data stream.
In the data set provided in the recognition rule base, all attacks are broadly divided into 4 classes: DOS, PROBE, R2L and U2R. The intrusion types included in the DOS class are land, Neptune, pod, teardrop, etc.; the intrusion types included in the PROBE class are nmap, portsweep, satan, mscan and ipsweep. According to the recognition rule base, it is judged whether the data stream is a known attack form. For known attacks, an attack signature satisfying a certain rule is established; an attack signature consists of the following parts: the processing mode (Assert: alert; Disconnect: cut off the connection; Track: track and record), the transport layer protocol type (TCP, UDP), the application layer protocol type (FTP, HTTP, SSH, Telnet), the port number, the IP address range, and remark information (Message). The experiment used 1% of the whole data set (50,000 connection records in total); at the same time, to ensure execution efficiency, 100,000 records were randomly selected in the experiment as the training data set and the test set respectively. The training sample contained only the three classes DOS, PROBE and R2L; from the remaining data set, 20,000 records were selected for testing, including the attack types that appeared in the training set as well as attack types that did not appear in the training set.
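The attack signature fields listed above, and the rule-matching step they feed (match: alarm and act; no match: hand the packet to the cloud inference engine), as an added example that is not the patent's code. The rule names, the address ranges, the sample packets and the severity ordering of the three processing modes are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Processing modes named in the description, ordered by severity (assumed).
ACTION_PRIORITY = {"Track": 0, "Assert": 1, "Disconnect": 2}


@dataclass(frozen=True)
class Signature:
    name: str                 # constructed rule name
    action: str               # Assert (alert), Disconnect (cut connection), Track (log)
    transport: str            # transport layer protocol type: TCP or UDP
    app_proto: Optional[str]  # application layer protocol: FTP, HTTP, SSH, Telnet; None = any
    ports: FrozenSet[int]     # destination port numbers; empty set matches any port
    src_range: str            # IP address range in CIDR notation
    message: str              # remark information


@dataclass(frozen=True)
class Packet:
    src: str
    transport: str
    app_proto: str
    dport: int


def matches(sig: Signature, pkt: Packet) -> bool:
    """True when every field of the attack signature is satisfied by the packet."""
    if sig.transport != pkt.transport:
        return False
    if sig.app_proto is not None and sig.app_proto != pkt.app_proto:
        return False
    if sig.ports and pkt.dport not in sig.ports:
        return False
    return ipaddress.ip_address(pkt.src) in ipaddress.ip_network(sig.src_range)


def detect(pkt: Packet, rule_base: List[Signature]) -> Optional[Signature]:
    """Rule matching of step 3: return the matching signature with the most
    severe processing mode (Disconnect > Assert > Track), or None when no rule
    matches, in which case step 4 forwards the packet to cloud inference."""
    hits = [s for s in rule_base if matches(s, pkt)]
    if not hits:
        return None
    return max(hits, key=lambda s: ACTION_PRIORITY[s.action])


# Constructed recognition rule base (illustrative values, not from the patent).
RULE_BASE: List[Signature] = [
    Signature("untrusted-range-audit", "Track", "TCP", None, frozenset(),
              "203.0.113.0/24", "Log every TCP session from the untrusted range"),
    Signature("telnet-from-untrusted", "Disconnect", "TCP", "Telnet",
              frozenset({23}), "203.0.113.0/24", "Telnet from untrusted range"),
    Signature("ssh-probe", "Assert", "TCP", "SSH", frozenset({22}),
              "203.0.113.0/24", "SSH connection attempt from probe range"),
    Signature("ftp-audit", "Track", "TCP", "FTP", frozenset({21}),
              "0.0.0.0/0", "Log all FTP sessions"),
    Signature("udp-scan", "Assert", "UDP", None, frozenset(),
              "198.51.100.0/24", "UDP traffic from scanning range"),
]
```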
The test results verify that the system has good detection capability for both unknown and known attacks; for either known or unknown attacks, the new model proposed here has a higher ROC value than the traditional IDS framework. The cognitive intrusion detection model based on cloud computing has the following advantages: first, the method uses a genetic algorithm to optimise the feature vectors, so that the required training time and monitoring time are shorter than with other methods; secondly, the real-time online detection capability is stronger; finally, it makes full use of the large-scale parallel computing and big-data processing capacity of the cloud computing environment, greatly increasing computing power and making the system safer and more efficient.

Claims (4)

1. A cognitive intrusion detection method oriented to a cloud computing environment, characterised in that it comprises the following steps:
Step 1: the data pre-processing unit receives packets of anomalous traffic in the cloud computing environment and performs regularization pre-processing on the data in the packets, obtaining a data file that contains feature vectors; the pre-processed packets are sent to the database and to the packet detection unit respectively;
Step 2: the database receives and stores the data file containing the feature vector data, and builds log records from the stored packets;
Step 3: a recognition rule base is built; the recognition rule base contains the features of known intrusion behaviours;
Step 3: the packet detection unit performs rule matching against the information in the recognition rule base that has been built; if a matching rule is found, it raises an alarm to the intrusion detection engine unit, the intrusion detection engine unit sends an instruction to the event handling unit according to the alarm information received, and the event handling unit, after receiving the instruction, raises an alarm and cuts off the network;
Step 4: if the packet detection unit finds no matching rule, this indicates that the attack type in the packet cannot be identified; the information of the packet is then forwarded from the database to the cloud reasoning and learning module, which assesses the possibility of an intrusion;
Step 5: cloud rules are built: when there is no network connection, the cloud cognitive inference engine uses the feature vector data in the database as training samples to build the cloud-rule database unit;
Step 6: the unidentified attack type is determined: when there is a network connection, the cloud cognitive inference engine receives the packet feature vector data of the unidentified attack type; the cloud cognitive inference engine uses a genetic-algorithm-based feature extraction algorithm to optimize the feature vector and obtain the best intrusion feature vector; the intrusion feature vector is compared against the cloud-rule database already built, activating several qualitative cloud rules; the cloud cognitive inference engine performs uncertain reasoning, determines the intrusion type, and sends the result to the intrusion detection engine unit;
Step 7: the intrusion feature vector, with its corrected type, is sent to the cloud-rule database to update the original cloud-rule database;
Step 8: the intrusion feature vector is sent to the statistical analysis unit; the statistical analysis unit judges from the log records of the intrusion feature vector whether a network intrusion has occurred, sends the result of the judgement to the intrusion detection engine unit and the event handling unit, and at the same time sends the data information of the intrusion feature vector to the recognition rule base, which is updated with it;
Step 9: the intrusion detection engine unit receives the reasoning result from the cloud cognitive inference engine and the judgement result from the statistical analysis unit, and sends an instruction to the event handling unit;
Step 10: the event handling unit, after receiving the instructions from the intrusion detection engine unit and the statistical analysis unit, raises an alarm and cuts off the network.
2. The cognitive intrusion detection method oriented to a cloud computing environment according to claim 1, characterised in that the genetic-algorithm-based feature extraction algorithm in step 6 comprises the following specific steps:
1) set the evolution generation g = 0 and generate an initial population P(g) containing n individuals;
2) evaluate each individual in the population and compute its fitness f(x);
3) according to the individual fitness f(x), select two individuals from P(g) (the larger the fitness value, the greater the chance of being chosen as a parent); according to the crossover probability, let the two selected individuals cross to generate new offspring (if the crossover probability is 0, i.e. no crossover takes place, the offspring is an exact copy of the parents); then, according to the mutation probability, the new offspring mutates at the respective loci; repeat the above steps to produce new individuals, and form the individuals finally produced into a new population P(g+1);
4) take the newly produced population P(g+1) as the population for the subsequent evolutionary operations and set the evolution generation g = g + 1;
5) if the termination condition is satisfied, the algorithm terminates and returns the best individual in the current population, i.e. the optimal solution;
6) if the termination condition is not satisfied, jump back to step 2) and continue the genetic algorithm.
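The six steps of claim 2, carried out as an added worked example that is not the patent's own code. Individuals are bit masks over the feature vector; the fitness is the accuracy of a nearest-centroid detector on the selected features minus a small per-feature cost, which stands in for whatever detector the patent trains and is an assumption of this example. The data set is constructed (features 0 and 3 shift under attack, the other six are noise) so that the run is reproducible offline; the population size, crossover and mutation probabilities and generation limit are likewise illustrative choices, not values from the patent.

```python
import random

# Constructed sample traffic records (not from the patent): N_FEATURES numeric
# features per packet window, label 1 = intrusion, 0 = normal. Features 0 and 3
# are built to shift under attack; the other six are pure noise.
N_FEATURES = 8
INFORMATIVE = (0, 3)


def make_dataset(n=200, seed=1):
    rng = random.Random(seed)
    rows, labels = [], []
    for i in range(n):
        y = i % 2
        x = [rng.gauss(0.0, 1.0) for _ in range(N_FEATURES)]
        if y == 1:
            for j in INFORMATIVE:
                x[j] += 4.0
        rows.append(x)
        labels.append(y)
    return rows, labels


def centroid_accuracy(rows, labels, mask):
    """Accuracy of a nearest-centroid classifier restricted to the features
    selected by the bit mask (stand-in for the detector the patent trains)."""
    idx = [j for j, bit in enumerate(mask) if bit]
    if not idx:
        return 0.0
    cents = {}
    for c in (0, 1):
        members = [r for r, y in zip(rows, labels) if y == c]
        cents[c] = [sum(r[j] for r in members) / len(members) for j in idx]
    correct = 0
    for r, y in zip(rows, labels):
        dist = {c: sum((r[j] - cents[c][k]) ** 2 for k, j in enumerate(idx))
                for c in (0, 1)}
        correct += int(min(dist, key=dist.get) == y)
    return correct / len(rows)


def fitness(mask, rows, labels, penalty=0.005):
    """Step 2): detection accuracy minus a small per-feature cost, so a shorter
    feature vector wins ties (shorter vectors mean shorter training/detection)."""
    return centroid_accuracy(rows, labels, mask) - penalty * sum(mask)


def select_parent(pop, fits, rng):
    """Step 3): roulette-wheel selection, chance proportional to fitness."""
    weights = [max(f, 1e-9) for f in fits]
    pick = rng.uniform(0.0, sum(weights))
    acc = 0.0
    for ind, w in zip(pop, weights):
        acc += w
        if acc >= pick:
            return ind
    return pop[-1]


def ga_feature_selection(rows, labels, n=20, pc=0.8, pm=0.05, max_gen=30, seed=7):
    """Claim 2 loop. Individuals are bit masks over the features; returns the
    best mask in the final population and its fitness."""
    rng = random.Random(seed)
    g = 0                                                                  # Step 1)
    pop = [[rng.randint(0, 1) for _ in range(N_FEATURES)] for _ in range(n)]
    while True:
        fits = [fitness(ind, rows, labels) for ind in pop]                 # Step 2)
        if g >= max_gen:                                                   # Step 5)
            best = max(range(n), key=lambda i: fits[i])
            return pop[best], fits[best]
        new_pop = []
        while len(new_pop) < n:                                            # Step 3)
            p1, p2 = select_parent(pop, fits, rng), select_parent(pop, fits, rng)
            if rng.random() < pc:                     # one-point crossover
                cut = rng.randint(1, N_FEATURES - 1)
                c1, c2 = p1[:cut] + p2[cut:], p2[:cut] + p1[cut:]
            else:                                     # pc == 0 -> exact copies of parents
                c1, c2 = p1[:], p2[:]
            for child in (c1, c2):                    # per-locus mutation
                new_pop.append([bit ^ int(rng.random() < pm) for bit in child])
        pop = new_pop[:n]                                                  # Step 4)
        g += 1                                                             # Step 6): back to 2)


if __name__ == "__main__":
    rows, labels = make_dataset()
    mask, score = ga_feature_selection(rows, labels)
    print("selected features:", [j for j, b in enumerate(mask) if b],
          "fitness:", round(score, 3))
```

The per-feature penalty is what makes the search prefer the two informative dimensions over a mask that also drags the noise features along; without it, any mask containing feature 0 or 3 scores almost identically and the "shorter training and detection time" argument of the description has nothing to select for.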
3. The cognitive intrusion detection method oriented to a cloud computing environment according to claim 1, characterised in that the uncertain reasoning in step 6 comprises the following specific steps:
Step 1: for a group of unknown intrusion feature vectors (X_1, X_2, ..., X_n) obtained after data pre-processing, each X_i activates rules according to the 3En principle: |Ex - X_i| < 3En;
Step 2: the normal cloud generator corresponding to each activated rule outputs a cloud drop (x_i, y_i) by reasoning;
Step 3: a backward cloud generator obtains the numerical characteristics of the virtual cloud, Ex_ij, En_ij, He_ij, on the basis of the cloud drops (x_1, y_1), ..., (x_n, y_n);
Step 4: x_i is then substituted into the virtual cloud to obtain its degree of certainty;
Step 5: Steps 2 to 5 are repeated for each x_i, obtaining the corresponding degree of certainty for each;
Step 6: the intrusion type is determined according to the maximum-certainty principle.
4. The cognitive intrusion detection method oriented to a cloud computing environment according to claim 1, characterised in that the statistical analysis processing unit in step 8 measures the values of n variables at any given moment and judges by reasoning whether the system has been intruded; each variable N_i (i = 1, 2, ..., n) represents a feature of a different aspect of the system, including the number of SYN packets, the number of failed user logins, CPU usage, network traffic and so on, and M_i (i = 1, 2, ..., n) is the predicted expected value of the data under normal conditions; the detection function defined at time t is:
where λ_i > 0 embodies the weight of the degree of importance, i.e. the sensitivity; the smaller F(t), the closer the communication process is to the normal state; once F(t) exceeds a preset threshold, a network intrusion is considered to have occurred.
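The cloud-model reasoning of claim 3, placed inside the signature-first, cloud-fallback flow of claim 1, as an added worked example that is not the patent's own code. The forward normal cloud generator, the backward cloud generator (the variant that estimates En from the mean absolute deviation and He from the residual variance) and the 3En activation rule follow the standard cloud-model definitions; the cloud-rule base, the signature rule base, the feature names and all numeric values are constructed for illustration. Two points are this example's own choices rather than anything the claims state: the per-type score is the mean of the per-dimension certainties, with a non-activated dimension counting as 0, and a confident cloud result is written back to the signature base as a +/-10% range around the vector (the "update" of step 8).

```python
import math
import random

# Constructed cloud-rule base for three intrusion types (illustrative numbers,
# not taken from the patent). Each rule is one qualitative normal cloud
# (Ex, En, He) per feature dimension, in the order of FEATURES.
FEATURES = ("syn_per_s", "distinct_dst_ports", "failed_logins_per_min")
CLOUD_RULES = {
    "dos":   [(800.0, 120.0, 10.0), (3.0, 2.0, 0.3), (0.5, 0.5, 0.05)],
    "probe": [(40.0, 15.0, 2.0), (200.0, 40.0, 5.0), (1.0, 1.0, 0.1)],
    "brute": [(20.0, 8.0, 1.0), (1.0, 1.0, 0.1), (60.0, 15.0, 2.0)],
}

# Constructed signature rule base (claim 1, step 3): known attack types as
# per-feature (low, high) ranges. Starts with a single brute-force signature.
KNOWN_RULES = [("brute", [(10.0, 30.0), (0.0, 3.0), (40.0, 80.0)])]


def forward_cloud_drops(ex, en, he, m, rng):
    """Forward normal cloud generator: m drops (x, y) for concept (Ex, En, He)."""
    drops = []
    for _ in range(m):
        en_prime = abs(rng.gauss(en, he)) or 1e-9      # entropy sample for this drop
        x = rng.gauss(ex, en_prime)
        y = math.exp(-((x - ex) ** 2) / (2.0 * en_prime ** 2))
        drops.append((x, y))
    return drops


def backward_cloud(drops):
    """Backward cloud generator: estimate (Ex, En, He) from drops (x, y)."""
    xs = [x for x, _ in drops]
    n = len(xs)
    ex = sum(xs) / n
    en = math.sqrt(math.pi / 2.0) * sum(abs(x - ex) for x in xs) / n
    s2 = sum((x - ex) ** 2 for x in xs) / (n - 1)
    he = math.sqrt(max(s2 - en ** 2, 0.0))
    return ex, en, he


def roundtrip_concept(ex, en, he, m=2000, seed=0):
    """Sanity check: drops of a known concept should give back its (Ex, En, He)."""
    return backward_cloud(forward_cloud_drops(ex, en, he, m, random.Random(seed)))


def certainty(x, ex, en):
    """Degree of certainty of x in a cloud with expectation Ex and entropy En."""
    if en <= 0.0:
        return 1.0 if x == ex else 0.0
    return math.exp(-((x - ex) ** 2) / (2.0 * en ** 2))


def infer_type(vector, rules=CLOUD_RULES, m=400, seed=3):
    """Claim 3: 3En activation, drops per activated rule, virtual cloud from the
    drops, certainty of the input in it, then the type with maximum certainty.
    Per-type score = mean over dimensions (non-activated dimension = 0)."""
    rng = random.Random(seed)
    scores = {}
    for itype, clouds in rules.items():
        total = 0.0
        for xi, (ex, en, he) in zip(vector, clouds):
            if abs(ex - xi) >= 3.0 * en:                      # Step 1: 3En activation
                continue
            drops = forward_cloud_drops(ex, en, he, m, rng)   # Step 2: cloud drops
            vex, ven, _vhe = backward_cloud(drops)            # Step 3: virtual cloud
            total += certainty(xi, vex, ven)                  # Step 4: certainty
        scores[itype] = total / len(clouds)
    best = max(scores, key=scores.get)
    if scores[best] == 0.0:                                   # no rule activated at all
        return None, scores
    return best, scores                                       # Step 6: max certainty


def match_known(vector, known):
    """Claim 1, step 3: signature match against the recognition rule base."""
    for itype, ranges in known:
        if all(lo <= x <= hi for x, (lo, hi) in zip(vector, ranges)):
            return itype
    return None


def detect(vector, known=KNOWN_RULES, threshold=0.6):
    """Claim 1 flow: signature match first; on a miss, cloud reasoning; a
    confident result is written back to the rule base as a +/-10% range
    around the vector (assumed learning policy, non-negative features only)."""
    itype = match_known(vector, known)
    if itype is not None:
        return {"source": "signature", "type": itype, "action": "alarm+cut"}
    itype, scores = infer_type(vector)
    if itype is None or scores[itype] < threshold:
        return {"source": "cloud", "type": None, "action": "log"}
    known.append((itype, [(x * 0.9, x * 1.1) for x in vector]))
    return {"source": "cloud", "type": itype, "action": "alarm+cut"}


if __name__ == "__main__":
    kb = list(KNOWN_RULES)
    for v in ((760.0, 4.0, 0.4), (760.0, 4.0, 0.4), (5000.0, 5000.0, 5000.0)):
        print(v, detect(v, kb))
```

Run stand-alone, the same SYN-flood-like vector is classified by cloud reasoning on the first pass and by the freshly learned signature on the second, and a vector far outside every cloud activates no rule and is only logged. The write-back is the part a practitioner should treat with care: an attacker who can shape traffic to sit inside a benign-looking cloud would, under this policy, have that shape promoted into the signature base, so in a real deployment the update of step 8 deserves a review gate or a confidence threshold well above the illustrative 0.6 used here.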

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710096368.6A CN107040517B (en) 2017-02-22 2017-02-22 Cognitive intrusion detection method oriented to cloud computing environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710096368.6A CN107040517B (en) 2017-02-22 2017-02-22 Cognitive intrusion detection method oriented to cloud computing environment

Publications (2)

Publication Number Publication Date
CN107040517A true CN107040517A (en) 2017-08-11
CN107040517B CN107040517B (en) 2020-01-10

Family

ID=59533553

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710096368.6A Active CN107040517B (en) 2017-02-22 2017-02-22 Cognitive intrusion detection method oriented to cloud computing environment

Country Status (1)

Country Link
CN (1) CN107040517B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030113727A1 (en) * 2000-12-06 2003-06-19 Girn Kanwaljit Singh Family history based genetic screening method and apparatus
CN101924762A (en) * 2010-08-18 2010-12-22 奇智软件(北京)有限公司 Cloud security-based active defense method
CN102111420A (en) * 2011-03-16 2011-06-29 上海电机学院 Intelligent NIPS framework based on dynamic cloud/fire wall linkage
CN102123396A (en) * 2011-02-14 2011-07-13 恒安嘉新(北京)科技有限公司 Cloud detection method of virus and malware of mobile phone based on communication network
CN102663284A (en) * 2012-03-21 2012-09-12 南京邮电大学 Malicious code identification method based on cloud computing
CN102724176A (en) * 2012-02-23 2012-10-10 北京市计算中心 Intrusion detection system facing cloud calculating environment
CN104753920A (en) * 2015-03-01 2015-07-01 江西科技学院 Quantum genetic algorithm based intrusion detection method

Cited By (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107623691A (en) * 2017-09-29 2018-01-23 长沙市智为信息技术有限公司 A kind of ddos attack detecting system and method based on reverse transmittance nerve network algorithm
CN107612948A (en) * 2017-11-08 2018-01-19 国网四川省电力公司信息通信公司 A kind of intrusion prevention system and method
CN107992746B (en) * 2017-12-14 2021-06-25 华中师范大学 Malicious behavior mining method and device
CN107835201A (en) * 2017-12-14 2018-03-23 华中师范大学 Network attack detecting method and device
CN107992746A (en) * 2017-12-14 2018-05-04 华中师范大学 Malicious act method for digging and device
CN108183902A (en) * 2017-12-28 2018-06-19 北京奇虎科技有限公司 A kind of recognition methods of malicious websites and device
CN108183902B (en) * 2017-12-28 2021-10-22 北京奇虎科技有限公司 Malicious website identification method and device
CN109756478A (en) * 2018-11-28 2019-05-14 国网江苏省电力有限公司南京供电分公司 A kind of abnormal multistage standby blocking-up method of industrial control system attack considering priority
CN109547455A (en) * 2018-12-06 2019-03-29 南京邮电大学 Industrial Internet of Things anomaly detection method, readable storage medium storing program for executing and terminal
CN110324348A (en) * 2019-07-08 2019-10-11 陈浩 A kind of information security of computer network monitoring system
CN110417823B (en) * 2019-09-25 2020-04-14 广东电网有限责任公司佛山供电局 Communication network intrusion detection method based on embedded feature selection architecture
CN110417823A (en) * 2019-09-25 2019-11-05 广东电网有限责任公司佛山供电局 A kind of communication network intrusion detection method based on embedded feature selecting framework
CN112653651A (en) * 2019-10-11 2021-04-13 四川无国界信息技术有限公司 Vulnerability mining method based on cloud computing
CN112866175B (en) * 2019-11-12 2022-08-19 华为技术有限公司 Method, device, equipment and storage medium for reserving abnormal traffic types
CN112866175A (en) * 2019-11-12 2021-05-28 华为技术有限公司 Method, device, equipment and storage medium for reserving abnormal traffic types
CN113065127A (en) * 2021-02-24 2021-07-02 山东英信计算机技术有限公司 Database protection method, system and medium
CN113065127B (en) * 2021-02-24 2022-09-20 山东英信计算机技术有限公司 Database protection method, system and medium
CN114154160A (en) * 2022-02-08 2022-03-08 中国电子信息产业集团有限公司第六研究所 Container cluster monitoring method and device, electronic equipment and storage medium
CN114154160B (en) * 2022-02-08 2022-09-16 中国电子信息产业集团有限公司第六研究所 Container cluster monitoring method and device, electronic equipment and storage medium
CN115118500A (en) * 2022-06-28 2022-09-27 深信服科技股份有限公司 Attack behavior rule obtaining method and device and electronic equipment
CN115118500B (en) * 2022-06-28 2023-11-07 深信服科技股份有限公司 Attack behavior rule acquisition method and device and electronic equipment
CN116168805A (en) * 2023-01-20 2023-05-26 北京瑞帆科技有限公司 Thinking training device and cognitive training system for cognitive training
CN117273571A (en) * 2023-10-12 2023-12-22 江苏泓鑫科技有限公司 Intelligent port operation data management system and method based on blockchain
CN117273571B (en) * 2023-10-12 2024-04-02 江苏泓鑫科技有限公司 Intelligent port operation data management system and method based on blockchain

Also Published As

Publication number Publication date
CN107040517B (en) 2020-01-10

Similar Documents

Publication Publication Date Title
CN107040517A (en) A kind of cognitive intrusion detection method towards cloud computing environment
Ullah et al. A two-level hybrid model for anomalous activity detection in IoT networks
Haddadi et al. Benchmarking the effect of flow exporters and protocol filters on botnet traffic classification
Amini et al. RT-UNNID: A practical solution to real-time network-based intrusion detection using unsupervised neural networks
Liao et al. Peer to peer botnet detection using data mining scheme
Kostas Anomaly detection in networks using machine learning
Le et al. Data analytics on network traffic flows for botnet behaviour detection
Sherazi et al. DDoS attack detection: A key enabler for sustainable communication in internet of vehicles
Soe et al. Rule generation for signature based detection systems of cyber attacks in iot environments
Haddadi et al. Botnet behaviour analysis using ip flows: with http filters using classifiers
Staudemeyer et al. Extracting salient features for network intrusion detection using machine learning methods
Mehibs et al. Proposed network intrusion detection system‎ in cloud environment based on back‎ propagation neural network
El-Alfy et al. A multicriterion fuzzy classification method with greedy attribute selection for anomaly-based intrusion detection
Pan et al. Anomaly based intrusion detection for building automation and control networks
Ahmed et al. Intrusion Detection System in Software-Defined Networks Using Machine Learning and Deep Learning Techniques--A Comprehensive Survey
Akbar et al. Intrusion detection system methodologies based on data analysis
Fallahi et al. Automated flow-based rule generation for network intrusion detection systems
Fenil et al. Towards a secure software defined network with adaptive mitigation of dDoS attacks by machine learning approaches
Shah et al. Intelligent intrusion detection system through combined and optimized machine learning
Lu et al. Botnets detection based on irc-community
Manandhar et al. Towards practical anomaly-based intrusion detection by outlier mining on TCP packets
Tran Network anomaly detection
Naidu et al. An effective approach to network intrusion detection system using genetic algorithm
Nguyen A scheme for building a dataset for intrusion detection systems
Mukkamala et al. Hybrid multi-agent framework for detection of stealthy probes

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Yuen Road Qixia District of Nanjing City, Jiangsu Province, No. 9 210023

Applicant after: Nanjing Post & Telecommunication Univ.

Address before: 210003 Gulou District, Jiangsu, Nanjing new model road, No. 66

Applicant before: Nanjing Post & Telecommunication Univ.

GR01 Patent grant