CN108347430B - Network intrusion detection and vulnerability scanning method and device based on deep learning - Google Patents
Publication number: CN108347430B (application CN201810011225.5A)
Authority: CN (China)
Prior art keywords: malicious, network, file, attack, vulnerability
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/1433—Vulnerability analysis
- H04L63/1441—Countermeasures against malicious traffic
Abstract
The invention discloses a network intrusion detection and vulnerability scanning method and device based on deep learning. The method comprises the following steps: collecting malicious sample files and building a malicious file database; using a deep learning algorithm to train a model on the behaviors of the malicious files in the malicious file database, and performing incremental training of the model under real-time monitoring as new malicious sample files are received, to obtain a classification model; running the malicious sample files from the malicious file database in simulated environments of different kinds, and detecting the attack characteristics of the malicious sample files with an IDS (intrusion detection system); and analyzing the malicious file database with a data mining algorithm, building a vulnerability attack pattern feature library, generating network attack packets, and scanning for network vulnerabilities.
Description
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a network intrusion detection and vulnerability scanning method and device based on deep learning.
Background
Network attacks have increased dramatically in number and scale in recent years, and intrusion detection and vulnerability scanning systems have become essential components of enterprise network infrastructure. The information system of the national power grid company is listed as key information infrastructure and is regarded as an important strategic resource of the country, so protecting the security of this key information infrastructure is the central task of the company's current network security construction. However, the intrusion detection systems and vulnerability scanning systems currently used to safeguard network security have the following problems:
Rule-based intrusion detection systems
Existing intrusion detection systems are all rule-based: they detect intrusions according to known attack characteristics and can directly identify intrusion behaviors. However, the effectiveness of this method depends on the completeness of the detection knowledge base. The feature library must therefore be updated in a timely manner; editing these rules is very time-consuming and depends heavily on the knowledge base of known intrusions. In addition, the method cannot find unknown intrusion behaviors, and new intrusion patterns are difficult to detect.
Vulnerability scanning systems based on a known vulnerability library
Existing vulnerability scanning systems are all based on known vulnerability libraries: the existing library is used to scan the systems one by one to find the vulnerabilities present in the network. Maintaining and updating the vulnerability library consumes a large amount of manpower, its real-time performance is poor, and it cannot keep up with the pace at which new vulnerabilities appear. Because every vulnerability in the library is scanned once, the scan cannot be adapted to the actual condition of the system, and it occupies time and a large amount of network resources.
In order to cope with rapidly developing new network attack techniques and protect the network facilities of the power system, an intrusion detection system that monitors new network attacks online in real time, and a vulnerability scanning technique that automatically combines the vulnerability library with the actual condition of the system, are provided.
Deep learning stems from the study of artificial neural networks; it discovers a distributed feature representation of data by combining lower-level features to form more abstract higher-level attribute classes or features. Deep learning is a new field in machine learning research; its motivation is to build and simulate a neural network that analyzes and learns in the way the human brain does, imitating the brain's mechanism for interpreting data such as images, sounds and text. Deep learning algorithms can uncover deep relationships between seemingly unrelated features, associate the various kinds of information in the network with the various states of the host, and determine whether the network is under attack or has been intruded.
From the perspective of overall architecture and processing flow, a classification model based on deep learning is a special case of supervised learning. Although such a model has stronger generalization and detection capability than a rule- or feature-based detection system or one based on a shallow machine learning model, it inevitably produces missed detections when faced with an endless stream of new attack patterns. The model must then be retrained with these new attack data samples to restore optimal detection. However, in conventional supervised learning, retraining the model typically requires all data samples, including the newly acquired data, which consumes significant computational resources and time and is unacceptable for deep learning models.
In summary, the prior art offers no effective solution to the problem of how to implement real-time detection, data flow auditing and vulnerability scanning of a power system network through deep-learning-based artificial intelligence and big data mining techniques, so as to improve the operational stability of the power grid information system and enhance the company's defense capability against network attacks.
Disclosure of Invention
To address the defects of the prior art, the invention provides a network intrusion detection and vulnerability scanning method and device based on deep learning, which solve the problem of how to implement real-time detection, data flow auditing and vulnerability scanning of a power system network through deep-learning-based artificial intelligence and big data mining techniques, improving the operational stability of the power grid information system and enhancing the defense capability against network attacks.
The invention aims to provide a network intrusion detection and vulnerability scanning method based on deep learning.
In order to achieve the purpose, the invention adopts the following technical scheme:
a network intrusion detection and vulnerability scanning method based on deep learning comprises the following steps:
collecting malicious sample files and building a malicious file database;
using a deep learning algorithm to train a model on the behaviors of the malicious files in the malicious file database, and performing incremental training of the model under real-time monitoring as new malicious sample files are received, to obtain a classification model;
running the malicious sample files from the malicious file database in simulated environments of different kinds, and detecting the attack characteristics of the malicious sample files with an IDS (intrusion detection system);
and analyzing the malicious file database with a data mining algorithm, building a vulnerability attack pattern feature library, generating network attack packets, and scanning for network vulnerabilities.
As a further preferred scheme, in the method, the specific step of collecting the malicious sample files includes: running the file under examination in virtual machine environments of several kinds, determining whether it is a malicious file according to the system environment, memory state and file behaviors observed after the file is opened, and collecting the files determined to be malicious as malicious sample files.
As a further preferred scheme, in the method, a dynamic sandbox detection engine is used to simulate the execution of the application program and of the attack code in a malicious file, so as to obtain and record the content and intention of the malicious sample's attack event, and the malicious file database is built from the recorded behaviors;
and the behaviors recorded in the malicious file database are behaviors that endanger the system, and comprise registry operations, file operations, the vulnerability exploitation method, the API (application program interface) call sequence, network behavior, and process and thread operations.
As a further preferred scheme, in the method, a deep learning detection algorithm is used: each behavior of the malicious sample files in the malicious file database is normalized and quantized, and a preliminary classification model is obtained through iterative training of a neural network model.
As a further preferred scheme, in the method, one round of incremental training of the preliminary classification model is performed whenever the number of newly received malicious sample files accumulates to a certain count;
and during incremental training of the preliminary classification model, only the parameters of the model's middle layers are updated, layer by layer, while the parameters of the other layers are kept fixed.
As a further preferred scheme, in the method, the specific steps of incremental training under real-time monitoring include:
during incremental training of the preliminary classification model, the model is tested periodically on an additional validation data set; the detection performance on the validation set is observed to judge whether the model has improved accordingly or is overfitting to a certain type of attack, and the training data set and parameter controls are adjusted in time; at the same time, multi-fold cross-validation is used to confirm the accuracy of the model update.
As a further preferred scheme, in the method, the specific steps of running the malicious sample files from the malicious file database in different simulated environments and detecting their attack characteristics with the IDS include:
running the same malicious sample file from the malicious file database in different simulated environments;
analyzing the pcap captures of the malicious sample file from each environment separately, and computing the similarity between the pcap captures of the different environments to obtain the two with the highest degree of match;
computing and screening out string pairs with a high degree of match to obtain host information that may be present in the message data, and computing the separator symbols between multiple pieces of host information;
solving for the matched string and the matched pattern with a longest common subsequence algorithm, judging whether the matched string contains a spacer, and if so, cutting the matched string down to a segment containing only a single spacer;
and importing the matched strings and matched patterns into the attack characteristics of the IDS, for detecting the malicious files in the actual production environment.
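The pair-selection, longest-common-subsequence and spacer steps above, as an added worked example (not the patent's own code). Assumptions made here, since the patent does not specify them: payload similarity is the Jaccard index of byte 4-grams, spacers are ASCII whitespace, the "matched pattern" is the LCS with a `*` wherever the two captures diverge, and the captured payloads are constructed. The host-information step is not implemented.

```python
"""Derive an IDS signature candidate from application-layer payloads of one
sample captured in several sandbox environments (added example; the metric,
spacer set, pattern notation and payloads are assumptions, not the patent's)."""
from itertools import combinations

SPACERS = frozenset(" \t\r\n")  # assumed spacer characters

# Constructed payloads standing in for the bytes extracted from the pcap
# captures of the same sample in three sandbox environments.
PAYLOADS = {
    "env_win7": "GET /gate.php?id=ABC123&os=win7 HTTP/1.1\r\nHost: c2.example.test\r\n",
    "env_win10": "GET /gate.php?id=XYZ789&os=win10 HTTP/1.1\r\nHost: c2.example.test\r\n",
    "env_linux": "POST /upload HTTP/1.1\r\nHost: other.example.test\r\n",
}


def ngrams(s, n=4):
    return {s[i:i + n] for i in range(len(s) - n + 1)}


def similarity(a, b):
    """Jaccard index of the byte 4-gram sets of two payloads (0.0 to 1.0)."""
    ga, gb = ngrams(a), ngrams(b)
    return len(ga & gb) / len(ga | gb) if ga | gb else 0.0


def best_pair(payloads):
    """Return (name_a, name_b, score) for the two most similar captures."""
    return max(((x, y, similarity(payloads[x], payloads[y]))
                for x, y in combinations(payloads, 2)), key=lambda t: t[2])


def lcs_alignment(a, b):
    """Longest common subsequence of a and b, plus a wildcard pattern in which
    '*' marks each point where unmatched bytes of a or b were skipped."""
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n - 1, -1, -1):
        for j in range(m - 1, -1, -1):
            if a[i] == b[j]:
                dp[i][j] = dp[i + 1][j + 1] + 1
            else:
                dp[i][j] = max(dp[i + 1][j], dp[i][j + 1])
    matched, pattern, i, j, gap = [], [], 0, 0, False
    while i < n and j < m:
        if a[i] == b[j]:          # taking a match is always optimal here
            if gap and matched:
                pattern.append("*")
            matched.append(a[i])
            pattern.append(a[i])
            i, j, gap = i + 1, j + 1, False
        elif dp[i + 1][j] >= dp[i][j + 1]:
            i, gap = i + 1, True  # skip an unmatched byte of a
        else:
            j, gap = j + 1, True  # skip an unmatched byte of b
    return "".join(matched), "".join(pattern)


def cut_to_single_spacer(s):
    """Keep the prefix of s holding at most one spacer (assumed reading of
    'intercepting the matched string containing only a single spacer')."""
    positions = [k for k, ch in enumerate(s) if ch in SPACERS]
    return s[:positions[1]] if len(positions) > 1 else s


def derive_signature(payloads):
    """Pick the two closest captures, align them, and return the matched string
    and wildcard pattern trimmed to a single spacer, ready for the IDS."""
    x, y, score = best_pair(payloads)
    matched, pattern = lcs_alignment(payloads[x], payloads[y])
    return {
        "environments": (x, y),
        "similarity": round(score, 3),
        "matched": cut_to_single_spacer(matched),
        "pattern": cut_to_single_spacer(pattern).rstrip("*"),
    }


if __name__ == "__main__":
    print(derive_signature(PAYLOADS))
```

Note that an LCS is a subsequence, not a substring: the matched string splices together bytes that were never adjacent on the wire (`id=&os=win` here), so the wildcard pattern, which keeps the divergence points, is the form that should be turned into a content-match rule; cutting to a single spacer keeps the candidate specific to one request token rather than matching generic protocol text.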
As a further preferred scheme, in the method, generating network attack packets and performing network vulnerability scanning specifically includes:
analyzing the vulnerability attack pattern feature library, and constructing test cases, namely network attack packets, from the attack patterns in the feature library;
and using the test cases to scan for network vulnerabilities, determining from the feedback results whether a vulnerability exists, identifying the effective test cases, building a vulnerability library from the effective test cases, and updating the vulnerability library automatically.
A second object of the present invention is to provide a computer-readable storage medium.
In order to achieve the purpose, the invention adopts the following technical scheme:
a computer-readable storage medium storing a plurality of instructions adapted to be loaded by a processor of a terminal device and to perform the following process:
collecting malicious sample files and building a malicious file database;
using a deep learning algorithm to train a model on the behaviors of the malicious files in the malicious file database, and performing incremental training of the model under real-time monitoring as new malicious sample files are received, to obtain a classification model;
running the malicious sample files from the malicious file database in simulated environments of different kinds, and detecting the attack characteristics of the malicious sample files with an IDS (intrusion detection system);
and analyzing the malicious file database with a data mining algorithm, building a vulnerability attack pattern feature library, generating network attack packets, and scanning for network vulnerabilities.
A third object of the present invention is to provide a terminal device.
In order to achieve the purpose, the invention adopts the following technical scheme:
a terminal device comprising a processor and a computer-readable storage medium, the processor being configured to execute instructions, and the computer-readable storage medium storing a plurality of instructions adapted to be loaded by the processor and to perform the following process:
collecting malicious sample files and building a malicious file database;
using a deep learning algorithm to train a model on the behaviors of the malicious files in the malicious file database, and performing incremental training of the model under real-time monitoring as new malicious sample files are received, to obtain a classification model;
running the malicious sample files from the malicious file database in simulated environments of different kinds, and detecting the attack characteristics of the malicious sample files with an IDS (intrusion detection system);
and analyzing the malicious file database with a data mining algorithm, building a vulnerability attack pattern feature library, generating network attack packets, and scanning for network vulnerabilities.
The invention has the beneficial effects that:
1. With the network intrusion detection and vulnerability scanning method and device based on deep learning, real-time detection, data flow auditing and vulnerability scanning of the power system network are achieved through deep-learning-based artificial intelligence and big data mining techniques, the operational stability of the power grid information system is improved, and the company's defense capability against network attacks is enhanced.
2. With the network intrusion detection and vulnerability scanning method and device based on deep learning, the amount of training data is controlled, so that the cost of incremental training is low, the balance between the different types of data is maintained, and the updated model does not lose its detection capability for the original attack patterns.
3. With the network intrusion detection and vulnerability scanning method and device based on deep learning, the detection capability of the model is monitored in real time during training, effectively checking whether the incrementally trained model achieves better detection capability, i.e. whether it identifies new attack patterns effectively while maintaining a high detection rate for the original attack patterns.
4. With the network intrusion detection and vulnerability scanning method and device based on deep learning, incremental training of the model under real-time monitoring is carried out as new malicious sample files are received, to obtain the classification model; subsequently generated malicious file samples can then be automatically identified and classified by the classification model, which substantially improves the classification and detection effect; and by automatically testing for new vulnerabilities, the vulnerability library is updated automatically, which greatly improves the efficiency of discovering and testing unknown vulnerabilities.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate embodiments of the application and, together with the description, serve to explain the application and are not intended to limit the application.
FIG. 1 is a flow chart of the network intrusion detection and vulnerability scanning method based on deep learning of the present invention;
FIG. 2 is a schematic diagram of a supervised learning framework;
FIG. 3 is a schematic diagram of a deep-learning-based classification model.
The specific embodiments are as follows:
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only a part of the embodiments of the present invention, not all of them. All other embodiments that a person skilled in the art can derive from the embodiments given herein without creative effort fall within the protection scope of the present invention.
It should be noted that the following detailed description is exemplary and is intended to provide further explanation of the disclosure. Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments according to the present application. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, and it should be understood that when the terms "comprises" and/or "comprising" are used in this specification, they specify the presence of stated features, steps, operations, devices, components, and/or combinations thereof, unless the context clearly indicates otherwise.
It is noted that the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of methods and systems according to various embodiments of the present disclosure. It should be noted that each block in the flowchart or block diagrams may represent a module, a segment, or a portion of code, which may comprise one or more executable instructions for implementing the logical function specified in the respective embodiment. It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Without conflict, the embodiments and features of the embodiments of the present application may be combined with each other to further explain the present invention in conjunction with the figures and embodiments.
Example 1:
Embodiment 1 aims to provide a network intrusion detection and vulnerability scanning method based on deep learning.
In order to achieve the purpose, the invention adopts the following technical scheme:
As shown in FIG. 1,
a network intrusion detection and vulnerability scanning method based on deep learning comprises the following steps:
Step (1): collecting malicious sample files and building a malicious file database;
Step (2): using a deep learning algorithm to train a model on the behaviors of the malicious files in the malicious file database, and performing incremental training of the model under real-time monitoring as new malicious sample files are received, to obtain a classification model;
Step (3): running the malicious sample files from the malicious file database in simulated environments of different kinds, and detecting the attack characteristics of the malicious sample files with an IDS (intrusion detection system);
Step (4): analyzing the malicious file database with a data mining algorithm, building a vulnerability attack pattern feature library, generating network attack packets, and scanning for network vulnerabilities.
Step (1): investigating a dynamic sandbox detection algorithm for the malicious files used by various network attacks, analyzing the behaviors of the malicious files, and building a malicious file database;
In step (1) of this embodiment, the specific step of collecting the malicious sample files includes:
Step (1-1): running the file under examination in virtual machine environments of several kinds, determining whether it is a malicious file according to the system environment, memory state and file behaviors observed after the file is opened, and collecting the files determined to be malicious as malicious sample files.
Attacks with malicious samples mostly use special trojans that can bypass detection by the host's antivirus software and spread within a limited, small scope. The project runs the file under examination in virtual machine environments of several kinds and monitors the system environment and memory state after the file is opened, together with the file's various behaviors, to determine whether the file is malicious. Whatever vulnerability a malicious document exploits, known or unknown, the malicious operations it has to carry out always share certain similarities and characteristic patterns. Therefore, not only various N-day attacks but also unknown 0-day attacks can be detected, and the most common file formats can be examined, such as Windows, Linux and Android executables and pdf, doc, xls, rtf, docx, xlsx, ppt, pptx and ppsx documents.
Also in step (1) of this embodiment,
Step (1-2): using a dynamic sandbox detection engine to simulate the execution of the application program and of the attack code in a malicious file, so as to obtain and record the content and intention of the malicious sample's attack event, and building the malicious file database from the recorded behaviors;
and the behaviors recorded in the malicious file database are behaviors that endanger the system, and comprise registry operations, file operations, the vulnerability exploitation method, the API (application program interface) call sequence, network behavior, and process and thread operations.
The dynamic sandbox detection engine simulates the execution of the application program and of the attack code in the malicious file according to the content and intention of the malicious sample's attack event. The recorded behaviors comprise registry operations, file operations, the vulnerability exploitation method, the API call sequence, network behavior, process and thread operations, and other behaviors that harm the system; the malicious file database is formed from these behavior records.
Step (2): researching a deep learning algorithm for classifying and detecting the multi-type malicious files, realizing automatic detection of the malicious files, and classifying attack types;
however, these different file types have completely different composition structures, and the corresponding malicious files will also exhibit significantly different characteristics, so a special detection processing flow needs to be designed for each file type. The method adopts a deep learning detection algorithm, normalizes and quantifies each behavior of the malicious file, and obtains a classification model through iterative training of a neural network model. Malicious file samples generated subsequently can be automatically identified and classified through the classification model, and the classification detection effect is fully improved.
The deep learning classification model requires large-scale data samples to be trained and constructed, the calculation and storage costs are high, and the training and construction process cannot be repeated frequently in actual production to generate a new model. However, the network attack mode is complex and variable, some under-reported and under-reported data samples are inevitably accumulated gradually in the use process of the attack detection system, or some samples of novel attacks or malicious files are obtained through other ways, a rapid model updating optimization method is needed at this time, the existing model is subjected to incremental training only by using the newly obtained labeled data samples, the evolution of classification detection capability is achieved, and the new attack mode can be effectively identified on the premise of keeping the detection capability of the original attack model.
From the overall architecture and processing flow, the classification model based on deep learning is a special case of supervised learning, so the overall model training and construction and the classifier application are basically the same as in a general supervised learning framework; fig. 2 and 3 show the comparison of the two. There are two key differences: firstly, deep learning does not need the step of artificial feature extraction, namely the feature extraction module in the figure; and secondly, the updating part of the classifier: general supervised learning usually needs to add the misclassified data to the original labeled data set and retrain the model from scratch, and the training cost is very high.
Although the classification model based on deep learning has stronger generalization and detection capability than detection systems based on rules or features and detection systems based on shallow machine learning models, it inevitably produces missed detections when faced with the new attack modes that emerge endlessly. The model then has to be retrained with these new attack data samples to improve detection. However, conventional supervised learning techniques typically require retraining the model on all data samples, including the newly acquired data, which consumes significant computational resources and time and is unacceptable for deep learning models.
Therefore, incrementally training the model with the newly acquired data and a small amount of other data, so that the model is rapidly updated and optimized, is the optimized deep learning scheme adopted here.
Control of training data amount: when the new attack data samples have accumulated to a certain amount (such as 200 pieces), one round of incremental training of the model can be performed. Besides the newly acquired attack data samples, the same amount of data is randomly sampled from the original attack sample library, and the corresponding non-attack samples are added, to be used together as the incremental training data set. The aim of controlling the training data amount is to keep the incremental training cost low, maintain the balance between the different types of data, and avoid the updated model degrading the detection capability for the original attack modes.
Partial freezing of model parameters: the total amount of data in incremental training is small, so it is not suitable for large-scale parameter adjustment of the whole deep learning model. Following research experience with deep learning in other application fields, a fine-tuning method can be adopted in which the parameters of certain layers of the multi-layer neural network model are kept fixed and only the remaining parameters are updated. For example, only the parameters of the last fully connected sublayer may be adjusted, while the parameters of all the preceding layers are fixed.
Monitoring of model detection capability: to know whether the model after incremental training achieves better detection capability, and whether the high detection rate for the original attack modes is maintained while the new attack modes are effectively identified, the detection capability of the model needs to be monitored in real time during training. Specifically, an additional verification data set is used to test the model periodically during incremental training; by observing the detection performance on the verification data set it is judged whether the model has improved accordingly or is overfitting certain attacks, and the training data set and parameter control are adjusted in time. In addition, a multi-fold cross validation method is adopted to confirm the accuracy of the model update.
In the step (2) of the present embodiment,
step (2-1): normalizing and quantifying each behavior of the malicious sample files in the malicious file database using a deep learning detection algorithm, and carrying out iterative training through a neural network model to obtain a preliminary classification model.
In the step (2) of the present embodiment,
step (2-2): performing one round of incremental training of the preliminary classification model whenever the number of received new malicious sample files has accumulated to a certain number; during the incremental training of the preliminary classification model, the parameters of some layers of the model are updated and the parameters of the other layers are fixed.
In step (2) of this embodiment, the specific step of performing incremental training of the model for real-time monitoring includes:
during the incremental training of the preliminary classification model, an additional verification data set is used to test the model periodically; the detection performance on the verification data set is observed to judge whether the model has improved accordingly or is overfitting a certain type of attack, and the training data set and parameter control are adjusted in time; meanwhile, a multi-fold cross validation method is adopted to confirm the accuracy of the model update.
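The three controls described above (training-data amount, partial freezing, validation monitoring) as one runnable illustration. This is an added example and not code from the patent: a toy two-layer network in pure Python in which the first layer stands in for the frozen feature layers (its weights are constructed constants), only the last fully connected layer is trained, and every epoch is scored on a held-out verification set split by attack type. The behaviour vectors, the cluster centres, the learning rate and the early-stopping patience are constructed assumptions; the 200-sample threshold follows the text.

```python
"""Incremental fine-tuning with data-volume control, frozen layers and
validation monitoring (added example; all data and weights are constructed)."""
import math
import random

# Frozen feature layer (constructed weights) followed by ReLU; never updated.
W1 = [[1, 1, 0, 0], [0, 0, 1, 1], [1, 0, 1, 0], [0, 1, 0, 1]]


def features(x):
    """Output of the frozen layers for one normalised behaviour vector."""
    return [max(0.0, sum(w * xi for w, xi in zip(row, x))) for row in W1]


class LastLayer:
    """The only trainable part: one logistic unit on top of the frozen features."""

    def __init__(self):
        self.w = [0.0] * len(W1)
        self.b = 0.0

    def prob(self, x):
        z = sum(w * h for w, h in zip(self.w, features(x))) + self.b
        return 1.0 / (1.0 + math.exp(-z))

    def sgd_step(self, x, y, lr):
        err = self.prob(x) - y          # gradient of the logistic loss
        self.w = [w - lr * err * h for w, h in zip(self.w, features(x))]
        self.b -= lr * err


def make_samples(rng, centre, label, n, noise=0.15):
    """Constructed behaviour vectors clustered around `centre` (assumed already normalised)."""
    return [([c + rng.gauss(0, noise) for c in centre], label) for _ in range(n)]


def accuracy(model, data):
    return sum((model.prob(x) >= 0.5) == bool(y) for x, y in data) / len(data)


def build_incremental_set(new_attacks, original_attacks, benign, rng, threshold=200):
    """Control of training data amount: wait until `threshold` new attack samples
    have accumulated, then join them with an equal-size random draw from the
    original attack library and the same number of non-attack samples."""
    if len(new_attacks) < threshold:
        return None
    k = len(new_attacks)
    return new_attacks + rng.sample(original_attacks, k) + rng.sample(benign, k)


def train_monitored(model, train, val_sets, rng, epochs=40, lr=0.1, patience=5):
    """Update only the last layer; after each epoch record accuracy on every
    verification subset and stop once the mean stops improving (overfitting guard)."""
    history, best, stale = [], -1.0, 0
    for _ in range(epochs):
        rng.shuffle(train)
        for x, y in train:
            model.sgd_step(x, y, lr)
        scores = {name: accuracy(model, data) for name, data in val_sets.items()}
        history.append(scores)
        mean = sum(scores.values()) / len(scores)
        if mean > best:
            best, stale = mean, 0
        else:
            stale += 1
            if stale >= patience:
                break
    return history


def demo(seed=0):
    """Initial training on the original attack mode, then one incremental round
    after a new attack mode appears; returns per-subset accuracy before and after."""
    rng = random.Random(seed)
    original = make_samples(rng, [1, 1, 0, 0], 1, 400)      # known attack mode
    benign = make_samples(rng, [0.1, 0.1, 0.1, 0.1], 0, 400)
    new = make_samples(rng, [0, 0, 1, 1], 1, 250)           # newly observed mode
    val = {"original": original[-50:], "benign": benign[-50:], "new": new[-50:]}
    model = LastLayer()
    train_monitored(model, original[:200] + benign[:200], val, rng)
    before = {k: accuracy(model, v) for k, v in val.items()}
    batch = build_incremental_set(new[:200], original[:-50], benign[:-50], rng)
    history = train_monitored(model, batch, val, rng)
    return before, history[-1], len(batch)


if __name__ == "__main__":
    print(demo())
```

The `before` dictionary returned by `demo()` shows the missed-detection situation the text describes (the "new" subset scores poorly before the incremental round), and the last `history` entry shows that after fine-tuning the last layer alone, detection of the new mode rises while the original and benign subsets keep their accuracy. Running the same loop with a per-type breakdown is what makes the "original mode still detected" check possible.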
And (3): and a deep learning algorithm for researching the network attack characteristics of the multi-type malicious files automatically generates the network behavior characteristics, and realizes the detection of novel unknown network attack behaviors.
In step (3) of this embodiment, the specific steps of simulating the running of the malicious sample files in the malicious file database in different environments, and detecting the attack features of the malicious sample files by using the IDS include:
step (3-1): simulating the same malicious sample file in the malicious file database in different environments;
step (3-2): analyzing the pcap packets of the malicious sample file in each of the different environments, and calculating the similarity of the pcap packets across environments to obtain the two pcap packets with the highest matching degree;
step (3-3): calculating and screening out string pairs with a high matching degree to obtain the host information possibly present in the message data, and calculating the spacer characters between the multiple host information items;
step (3-4): solving the matching string and matching pattern through a longest common subsequence algorithm, judging whether the matching string contains a spacer, and if so, intercepting the matching string containing only a single spacer;
step (3-5): importing the matching strings and matching patterns into the attack characteristics of the IDS for detecting the malicious files in the actual production environment.
When the malicious file attacks, executes or lies dormant, it sends relevant information to its server, and some basic information about the controlled host is often attached. Examples: user name, machine name, operating system version, language, time zone, memory size, CPU frequency, core count, MAC address, important folder directories, whether antivirus software is installed, whether a firewall is installed, antivirus version, author information, etc.
The project distributes the same botnet/trojan/worm sample to several different simulated environments to run at the same time, so that the 'online' information sent by the sample differs as much as possible between environments (such as … hardware information, operating system, software, various configuration information and the like). The 'online' information sent by the botnet/trojan/worm sample is contained in the pcap packets; the pcap packets from the different environments are parsed and compared, yielding json files containing the dns information, domain name information and all protocol data. The similarity of the large volume of Json data is then calculated: the hamming distances between the simhashes of the files are taken as the similarity of the pcap packets.
A distance matrix of the pcap packets is constructed, and the two pcap packets with the highest matching degree are found iteratively. Then the Levenshtein ratio between the protocol data of the two packets is calculated, so that the string pairs with a higher matching degree are screened out, the host information possibly present in the message data is obtained, and the spacer character between the multiple host information items is calculated.
The matching string and matching pattern are solved through a longest common subsequence algorithm; whether the matching string contains the spacer is judged, and if it does, the matching string containing only a single spacer is intercepted. The matching strings and patterns are imported into an intrusion detection system (IDS), which can then detect the attack characteristics of the malicious files in the actual production environment.
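Steps (3-2) to (3-4) above, carried through end to end on constructed data. This is an added example, not code from the patent: each environment's parsed protocol data is fingerprinted with a simhash (character shingles voting per bit) and compared by Hamming distance in a distance matrix, the closest pair is taken, the Levenshtein ratio keeps the string pairs that are the same field in both runs, and the longest common subsequence of each kept pair gives the invariant matching string; the runs outside the LCS are the host-specific values, the character that follows them is taken as the spacer, and the matching string is cut into pieces holding a single spacer each. The beacon records, field names, ratio normalisation and thresholds are all assumptions.

```python
"""Beacon-signature extraction from one sample run in several environments
(added example; records and thresholds are constructed)."""
import hashlib
import itertools
from collections import Counter

# Constructed "online" records, one per environment: identical template,
# host-specific values differ.  env-c stands for a run that never beaconed.
RECORDS = {
    "env-a": {"dns": "c2.example.test", "uri": "/gate.php",
              "body": "type=online|user=alice|host=WS7|os=7|lang=zh|tz=+8|ver=1.0"},
    "env-b": {"dns": "c2.example.test", "uri": "/gate.php",
              "body": "type=online|user=bob|host=WS10|os=10|lang=en|tz=-5|ver=1.0"},
    "env-c": {"dns": "srv.other.test", "uri": "/", "body": "GET / HTTP/1.1"},
}


def shingles(text, k=3):
    return [text[i:i + k] for i in range(max(1, len(text) - k + 1))]


def simhash(record, bits=128):
    """Simhash of a record: every character shingle votes +1/-1 on each hash bit."""
    votes = [0] * bits
    for key, val in record.items():
        for sh in shingles(f"{key}={val}"):
            h = int.from_bytes(hashlib.md5(sh.encode()).digest(), "big")
            for i in range(bits):
                votes[i] += 1 if (h >> i) & 1 else -1
    return sum(1 << i for i in range(bits) if votes[i] > 0)


def hamming(x, y):
    return bin(x ^ y).count("1")


def closest_pair(records):
    """Distance matrix over all records; the pair with the smallest distance wins."""
    fp = {name: simhash(rec) for name, rec in records.items()}
    matrix = {(p, q): hamming(fp[p], fp[q]) for p, q in itertools.combinations(fp, 2)}
    return min(matrix, key=matrix.get)


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def levenshtein_ratio(a, b):
    """Assumed normalisation: 1 - distance / longer length (1.0 means identical)."""
    return 1.0 - levenshtein(a, b) / max(len(a), len(b), 1)


def lcs_with_positions(a, b):
    """Longest common subsequence of a and b, plus the indices of a it uses."""
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n - 1, -1, -1):
        for j in range(m - 1, -1, -1):
            dp[i][j] = dp[i + 1][j + 1] + 1 if a[i] == b[j] else max(dp[i + 1][j], dp[i][j + 1])
    i = j = 0
    out, used = [], []
    while i < n and j < m:
        if a[i] == b[j]:
            out.append(a[i]); used.append(i); i += 1; j += 1
        elif dp[i + 1][j] >= dp[i][j + 1]:
            i += 1
        else:
            j += 1
    return "".join(out), used


def host_fields_and_spacer(a, used):
    """Runs of `a` outside the LCS are host-specific values; the character that
    follows each run is a spacer candidate, decided by majority vote."""
    fields, followers, i = [], [], 0
    while i < len(a):
        if i in used:
            i += 1
            continue
        start = i
        while i < len(a) and i not in used:
            i += 1
        fields.append(a[start:i])
        if i < len(a):
            followers.append(a[i])
    spacer = Counter(followers).most_common(1)[0][0] if followers else None
    return fields, spacer


def build_signature(records, min_ratio=0.6):
    p, q = closest_pair(records)
    result = {"pair": (p, q), "host_fields": [], "pieces": []}
    for sa, sb in itertools.product(records[p].values(), records[q].values()):
        if levenshtein_ratio(sa, sb) < min_ratio:
            continue                          # not the same field in both runs
        pattern, used = lcs_with_positions(sa, sb)
        fields, spacer = host_fields_and_spacer(sa, set(used))
        result["host_fields"] += fields
        if spacer is None:                    # identical in both runs: keep whole
            result["pieces"].append(pattern)
        else:                                 # cut to pieces with one spacer each
            head, *rest = pattern.split(spacer)
            result["pieces"] += [head] + [spacer + r for r in rest]
    return result


if __name__ == "__main__":
    print(build_signature(RECORDS))
```

With only two environments, a value that happens to share a prefix in both runs (here the `WS` of the machine names) survives into the matching string as `|host=WS`; the more environments are compared, the more of such host-specific residue drops out, which is why the text runs the same sample in as many differing environments as possible before importing the pieces into the IDS.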
Step (4): researching a vulnerability attack mode feature extraction algorithm based on data mining, and extracting attack features from malicious files; and researching an algorithm for automatically constructing vulnerability attacks, so that novel vulnerabilities in the network are mined using the attack characteristics of the malicious files.
The various attack modes and characteristics in the malicious files, such as the protocol used, the port, the transmitted fields and other information, are analyzed; a data mining algorithm is used to find the specific relations among these items of information, and a vulnerability attack mode feature library is constructed.
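One way to turn per-sample attributes (protocol, port, transmitted field) into a feature library of co-occurring attack-mode attributes, as an added example that is not the patent's code: a small Apriori-style frequent-itemset miner that keeps the closed patterns (those not contained in a larger pattern with the same support). The sample records, attribute names and the support threshold are constructed assumptions; the page names no specific mining algorithm.

```python
"""Mining co-occurring attack attributes into a feature library
(added example; records and threshold are constructed)."""
from collections import Counter
from itertools import combinations

# Constructed attribute records, one per malicious sample in the database.
SAMPLES = [
    {"proto": "smb", "port": 445, "field": "trans2-session-setup"},
    {"proto": "smb", "port": 445, "field": "trans2-session-setup"},
    {"proto": "smb", "port": 445, "field": "nt-create-andx"},
    {"proto": "http", "port": 80, "field": "content-type-multipart"},
    {"proto": "http", "port": 80, "field": "content-type-multipart"},
    {"proto": "http", "port": 8080, "field": "content-type-multipart"},
    {"proto": "rdp", "port": 3389, "field": "channel-join"},
]


def to_items(record):
    """Turn a record into a set of 'key=value' items."""
    return frozenset(f"{k}={v}" for k, v in record.items())


def frequent_itemsets(records, min_support=2, max_size=3):
    """Apriori: count single items, then grow candidates only from frequent sets."""
    baskets = [to_items(r) for r in records]
    counts = Counter(item for b in baskets for item in b)
    level = {frozenset([i]): c for i, c in counts.items() if c >= min_support}
    library = dict(level)
    for size in range(2, max_size + 1):
        candidates = {a | b for a, b in combinations(level, 2) if len(a | b) == size}
        level = {}
        for cand in candidates:
            support = sum(cand <= b for b in baskets)   # records containing cand
            if support >= min_support:
                level[cand] = support
        if not level:
            break
        library.update(level)
    return library


def feature_library(records, min_support=2):
    """Closed frequent patterns (no superset with the same support), ordered by
    support then attributes; each is one attack-mode feature."""
    freq = frequent_itemsets(records, min_support)
    closed = [s for s in freq if not any(s < t and freq[t] == freq[s] for t in freq)]
    return sorted(((tuple(sorted(s)), freq[s]) for s in closed),
                  key=lambda entry: (-entry[1], entry[0]))


if __name__ == "__main__":
    for pattern, support in feature_library(SAMPLES):
        print(support, pattern)
```

Keeping closed rather than maximal patterns preserves the more general relation (`proto=smb` with `port=445`, support 3) alongside the more specific one that adds the transmitted field (support 2), so the library records both how often a protocol/port combination appears and which fields ride on it.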
For protocol-based fuzz-testing vulnerability discovery, the validity of the test cases is the key to discovering whether a host or system has unknown vulnerabilities. Traditional vulnerability mining tests usually depend on the years of experience of the testers, and test efficiency is low. The project adopts an artificial intelligence method for automatically constructing test cases, improving the ability of the test software to generate effective test cases. First, the vulnerability attack mode feature library established by analyzing malicious files is analyzed, test cases are constructed from those attack modes and sent to hosts, servers, information systems and the like in the network, whether a vulnerability exists is determined from the feedback results, and a vulnerability library is built from the effective test cases. Through automatic testing for novel vulnerabilities and automatic updating of the vulnerability library, the efficiency of unknown vulnerability mining tests is finally greatly improved.
In step (4) of this embodiment, the specific step of generating a network attack packet and performing network vulnerability scanning includes:
analyzing a vulnerability attack mode feature library, and constructing a test case, namely a network attack packet, by adopting an attack mode in the feature library;
and (4) utilizing the test case to scan the network vulnerability, determining whether the vulnerability exists according to the feedback result, determining an effective test case, establishing a vulnerability library for the effective test case, and automatically updating the vulnerability library.
Example 2:
the object of this embodiment 2 is to provide a computer-readable storage medium.
In order to achieve the purpose, the invention adopts the following technical scheme:
a computer readable storage medium having stored therein a plurality of instructions adapted to be loaded by a processor of a terminal device and to perform the process of:
step (1): collecting malicious sample files and establishing a malicious file database;
step (2): training and modeling are carried out according to the behaviors of malicious files in the malicious file database by utilizing a deep learning algorithm, and model incremental training of real-time monitoring is carried out according to the received new malicious sample file to obtain a classification model;
and (3): simulating the malicious sample files in the malicious file database to run in different environments, and detecting the attack characteristics of the malicious sample files by using an IDS (intrusion detection system);
and (4): and analyzing the malicious file database by using a data mining algorithm, constructing a vulnerability attack mode feature library, generating a network attack packet, and scanning the network vulnerability.
Example 3:
the purpose of this embodiment 3 is to provide a terminal device.
In order to achieve the purpose, the invention adopts the following technical scheme:
a terminal device comprising a processor and a computer readable storage medium, the processor being configured to implement instructions; a computer readable storage medium for storing a plurality of instructions adapted to be loaded by a processor and to perform the process of:
step (1): collecting malicious sample files and establishing a malicious file database;
step (2): training and modeling are carried out according to the behaviors of malicious files in the malicious file database by utilizing a deep learning algorithm, and model incremental training of real-time monitoring is carried out according to the received new malicious sample file to obtain a classification model;
and (3): simulating the malicious sample files in the malicious file database to run in different environments, and detecting the attack characteristics of the malicious sample files by using an IDS (intrusion detection system);
and (4): and analyzing the malicious file database by using a data mining algorithm, constructing a vulnerability attack mode feature library, generating a network attack packet, and scanning the network vulnerability.
These computer-executable instructions, when executed in a device, cause the device to perform methods or processes described in accordance with various embodiments of the present disclosure.
In the present embodiments, a computer program product may include a computer-readable storage medium having computer-readable program instructions embodied thereon for performing various aspects of the present disclosure. The computer readable storage medium may be a tangible device that can hold and store the instructions for use by the instruction execution device. The computer readable storage medium may be, for example, but not limited to, an electronic memory device, a magnetic memory device, an optical memory device, an electromagnetic memory device, a semiconductor memory device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a Static Random Access Memory (SRAM), a portable compact disc read-only memory (CD-ROM), a Digital Versatile Disc (DVD), a memory stick, a floppy disk, a mechanical coding device, such as punch cards or in-groove projection structures having instructions stored thereon, and any suitable combination of the foregoing. Computer-readable storage media as used herein is not to be construed as transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission medium (e.g., optical pulses through a fiber optic cable), or electrical signals transmitted through electrical wires.
The computer-readable program instructions described herein may be downloaded from a computer-readable storage medium to a respective computing/processing device, or to an external computer or external storage device over a network, such as the internet, a local area network, a wide area network, and/or a wireless network. The network may include copper transmission cables, fiber optic transmission, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. The network adapter card or network interface in each computing/processing device receives computer-readable program instructions from the network and forwards the computer-readable program instructions for storage in a computer-readable storage medium in the respective computing/processing device.
The computer program instructions for carrying out operations of the present disclosure may be assembly instructions, Instruction Set Architecture (ISA) instructions, machine related instructions, microcode, firmware instructions, state setting data, or source or object code written in any combination of one or more programming languages, including an object oriented programming language such as C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The computer-readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider). In some embodiments, electronic circuitry such as a programmable logic circuit, a Field Programmable Gate Array (FPGA), or a Programmable Logic Array (PLA) can execute computer-readable program instructions to implement aspects of the present disclosure by utilizing state information of the computer-readable program instructions to personalize the electronic circuitry.
It should be noted that although several modules or sub-modules of the device are mentioned in the above detailed description, such division is merely exemplary and not mandatory. Indeed, the features and functionality of two or more of the modules described above may be embodied in one module in accordance with embodiments of the present disclosure. Conversely, the features and functions of one module described above may be further divided into embodiments by a plurality of modules.
The invention has the beneficial effects that:
1. according to the network intrusion detection and vulnerability scanning method and device based on deep learning, real-time detection, data flow audit and vulnerability scanning of the power system network are achieved through the artificial intelligence technology and the big data mining technology based on deep learning, the operation stability of a power grid information system is improved, and the defense capability of a company for network attacks is enhanced.
2. According to the network intrusion detection and vulnerability scanning method and device based on deep learning, the training data volume is controlled, so that the incremental training cost is low, the balance relation of different types of data is kept, and the influence of an updated model on the detection capability of an original attack mode is avoided.
3. According to the network intrusion detection and vulnerability scanning method and device based on deep learning, the detection capability of the model is monitored in real time during training, so that it is effectively checked whether the model after incremental training achieves better detection capability, and whether the new attack modes are effectively identified while the high detection rate for the original attack modes is maintained.
4. According to the network intrusion detection and vulnerability scanning method and device based on deep learning, model incremental training with real-time monitoring is carried out according to the received new malicious sample files to obtain the classification model, and subsequently generated malicious file samples can be automatically identified and classified by the classification model, so that the classification and detection effect is substantially improved; and by automatically testing for novel vulnerabilities, the vulnerability library is automatically updated, and finally the efficiency of unknown vulnerability mining tests is greatly improved.
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (9)
1. A network intrusion detection and vulnerability scanning method based on deep learning is characterized by comprising the following steps:
collecting malicious sample files and establishing a malicious file database;
training and modeling are carried out according to the behaviors of malicious files in the malicious file database by utilizing a deep learning algorithm, and model incremental training of real-time monitoring is carried out according to the received new malicious sample file to obtain a classification model;
simulating the malicious sample files in the malicious file database to run in different environments, and detecting the attack characteristics of the malicious sample files by using an IDS (intrusion detection system);
analyzing a malicious file database by using a data mining algorithm, constructing a vulnerability attack mode feature library, generating a network attack packet, and scanning network vulnerabilities;
in the method, the specific steps of simulating the running of the malicious sample files in the malicious file database in different environments and detecting the attack characteristics of the malicious sample files by using the IDS comprise the following steps:
simulating the same malicious sample file in the malicious file database in different environments;
analyzing the pcap packets of the malicious sample file in each of the different environments, and calculating the similarity of the pcap packets across environments to obtain the two pcap packets with the highest matching degree;
calculating and screening out string pairs with a high matching degree to obtain the host information possibly present in the message data, and calculating the spacer characters between the multiple host information items;
solving the matching string and matching pattern through a longest common subsequence algorithm, judging whether the matching string contains a spacer, and if so, intercepting the matching string containing only a single spacer;
and importing the matching strings and the matching patterns into the attack characteristics of the IDS for detecting the malicious files in the actual production environment.
2. The method of claim 1, wherein in the method, the step of collecting the malicious sample files comprises: the method comprises the steps of running a detected file by adopting various virtual machine environments, determining whether the file is a malicious file according to a system environment, a memory state and file behaviors after the detected file is opened, and collecting the detected file determined to be the malicious file as a malicious sample file.
3. The method of claim 2, wherein in the method, a dynamic sandbox detection engine is used to simulate the execution of an application program and the execution of an attack code in a malicious file, to obtain the content and intention of an attack event of a malicious sample, to record the content and intention, and to establish a malicious file database according to the recorded behavior;
and the behavior recorded in the malicious file database is behavior that endangers the system, and comprises registry operations, file operations, the vulnerability exploitation method, the API (application program interface) call sequence, network behavior and process and thread operations.
4. The method of claim 1, wherein a deep learning detection algorithm is used to normalize and quantify each behavior of a malicious sample file in the malicious file database, and a preliminary classification model is obtained through iterative training of a neural network model.
5. The method of claim 4, wherein in the method, an incremental training of the preliminary classification model is performed once when a certain number of new malicious sample files are received;
and during the incremental training of the preliminary classification model, the parameters of some layers of the model are updated and the parameters of the other layers are fixed.
6. The method of claim 5, wherein the step of incrementally training the real-time monitored model comprises:
when the incremental training of the preliminary classification model is carried out, an additional verification data set is used for carrying out periodic testing on the model, the detection performance on the verification data set is observed to judge whether the model is correspondingly improved or has an overfitting phenomenon aiming at certain type of attack, and the trained data set and parameter control are adjusted in time; and meanwhile, a multi-fold cross verification method is adopted to confirm the updating accuracy of the model.
7. The method of claim 1, wherein the method generates a network attack packet, and the specific step of performing the network vulnerability scanning comprises:
analyzing a vulnerability attack mode feature library, and constructing a test case, namely a network attack packet, by adopting an attack mode in the feature library;
and (4) utilizing the test case to scan the network vulnerability, determining whether the vulnerability exists according to the feedback result, determining an effective test case, establishing a vulnerability library for the effective test case, and automatically updating the vulnerability library.
8. A computer-readable storage medium having stored thereon a plurality of instructions, characterized in that said instructions are adapted to be loaded by a processor of a terminal device and to perform the method according to any one of claims 1-7.
9. A terminal device comprising a processor and a computer readable storage medium, the processor being configured to implement instructions; a computer-readable storage medium for storing a plurality of instructions for performing the method of any of claims 1-7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810011225.5A CN108347430B (en) | 2018-01-05 | 2018-01-05 | Network intrusion detection and vulnerability scanning method and device based on deep learning |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108347430A CN108347430A (en) | 2018-07-31 |
CN108347430B true CN108347430B (en) | 2021-01-12 |
Family
ID=62960401
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810011225.5A Active CN108347430B (en) | 2018-01-05 | 2018-01-05 | Network intrusion detection and vulnerability scanning method and device based on deep learning |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108347430B (en) |
Families Citing this family (46)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109255234B (en) * | 2018-08-15 | 2023-03-24 | 腾讯科技(深圳)有限公司 | Processing method, device, medium and electronic equipment of machine learning model |
CN109495443B (en) * | 2018-09-13 | 2021-02-19 | 中国科学院信息工程研究所 | Method and system for resisting ransomware attack based on host honeypot |
CN109146097B (en) * | 2018-09-21 | 2021-02-02 | 中国联合网络通信集团有限公司 | Equipment maintenance method and system, server and equipment maintenance terminal |
CN108965340B (en) * | 2018-09-25 | 2020-05-05 | 网御安全技术(深圳)有限公司 | Industrial control system intrusion detection method and system |
CN109344622A (en) * | 2018-09-26 | 2019-02-15 | 杭州迪普科技股份有限公司 | The intrusion detection method and relevant device of loophole attack |
CN111049784B (en) * | 2018-10-12 | 2023-08-01 | 三六零科技集团有限公司 | Network attack detection method, device, equipment and storage medium |
CN109672666B (en) * | 2018-11-23 | 2021-12-14 | 北京丁牛科技有限公司 | Network attack detection method and device |
CN109670306A (en) * | 2018-11-27 | 2019-04-23 | 国网山东省电力公司济宁供电公司 | Electric power malicious code detecting method, server and system based on artificial intelligence |
CN110737894B (en) * | 2018-12-04 | 2022-12-27 | 安天科技集团股份有限公司 | Composite document security detection method and device, electronic equipment and storage medium |
EP3906508B1 (en) * | 2018-12-31 | 2024-03-13 | Intel Corporation | Securing systems employing artificial intelligence |
CN111435393B (en) * | 2019-01-14 | 2024-04-16 | 北京京东尚科信息技术有限公司 | Object vulnerability detection method, device, medium and electronic equipment |
CN109688159B (en) * | 2019-01-23 | 2023-01-17 | 平安科技(深圳)有限公司 | Network isolation violation identification method, server and computer-readable storage medium |
CN109871683B (en) * | 2019-01-24 | 2021-04-27 | 深圳昂楷科技有限公司 | Database protection system and method |
CN109960934A (en) * | 2019-03-25 | 2019-07-02 | 西安电子科技大学 | A kind of malicious requests detection method based on CNN |
CN110110525A (en) * | 2019-04-26 | 2019-08-09 | 北京中润国盛科技有限公司 | A kind of bug excavation method based on machine learning and deep learning |
CN112052449A (en) * | 2019-06-06 | 2020-12-08 | 深信服科技股份有限公司 | Malicious file identification method, device, equipment and storage medium |
CN110516444B (en) * | 2019-07-23 | 2023-04-07 | 成都理工大学 | Cross-terminal and cross-version Root attack detection and protection system based on kernel |
CN110661795A (en) * | 2019-09-20 | 2020-01-07 | 哈尔滨安天科技集团股份有限公司 | Vector-level threat information automatic production and distribution system and method |
CN110602137A (en) * | 2019-09-25 | 2019-12-20 | 光通天下网络科技股份有限公司 | Malicious IP and malicious URL intercepting method, device, equipment and medium |
CN111026012B (en) * | 2019-11-29 | 2023-01-31 | 安天科技集团股份有限公司 | Method and device for detecting PLC firmware level bugs, electronic equipment and storage medium |
CN111159111A (en) * | 2019-12-13 | 2020-05-15 | 深信服科技股份有限公司 | Information processing method, device, system and computer readable storage medium |
CN111090855A (en) * | 2019-12-26 | 2020-05-01 | 中科信息安全共性技术国家工程研究中心有限公司 | Intrusion detection method and device based on Linux host |
CN111400718B (en) * | 2020-03-06 | 2022-07-15 | 苏州浪潮智能科技有限公司 | Method and device for detecting system vulnerability and attack and related equipment |
CN111737693B (en) * | 2020-05-09 | 2023-06-02 | 北京启明星辰信息安全技术有限公司 | Method for determining characteristics of malicious software, and method and device for detecting malicious software |
CN112269992B (en) * | 2020-06-01 | 2023-10-20 | 中国科学院信息工程研究所 | Real-time malicious sample detection method based on artificial intelligent processor and electronic device |
CN111917781A (en) * | 2020-08-05 | 2020-11-10 | 湖南匡楚科技有限公司 | Intelligent internal malicious behavior network attack identification method and electronic equipment |
CN111931187A (en) * | 2020-08-13 | 2020-11-13 | 深信服科技股份有限公司 | Component vulnerability detection method, device, equipment and readable storage medium |
CN112202722A (en) * | 2020-09-08 | 2021-01-08 | 华东师范大学 | Intrusion detection method |
CN112187730A (en) * | 2020-09-08 | 2021-01-05 | 华东师范大学 | Intrusion detection system |
CN112260989B (en) * | 2020-09-16 | 2021-07-30 | 湖南大学 | Power system and network malicious data attack detection method, system and storage medium |
CN112615819A (en) * | 2020-12-03 | 2021-04-06 | 北京锐服信科技有限公司 | Intrusion behavior detection method and system based on deep learning |
CN112583820B (en) * | 2020-12-09 | 2022-06-17 | 南方电网科学研究院有限责任公司 | Power attack testing system based on attack topology |
CN113177191A (en) * | 2021-04-16 | 2021-07-27 | 中国人民解放军战略支援部队信息工程大学 | Firmware function similarity detection method and system based on fuzzy matching |
CN113141360B (en) * | 2021-04-21 | 2022-06-28 | 建信金融科技有限责任公司 | Method and device for detecting network malicious attack |
CN113468524B (en) * | 2021-05-21 | 2022-05-24 | 天津理工大学 | RASP-based machine learning model security detection method |
CN113282928B (en) * | 2021-06-11 | 2022-12-20 | 杭州安恒信息技术股份有限公司 | Malicious file processing method, device and system, electronic device and storage medium |
CN113468538A (en) * | 2021-06-15 | 2021-10-01 | 江苏大学 | Vulnerability attack database construction method based on similarity measurement |
CN113411356B (en) * | 2021-08-23 | 2021-12-10 | 北京华云安信息技术有限公司 | Vulnerability detection method, system, device and computer readable storage medium |
CN113691562B (en) * | 2021-09-15 | 2024-04-23 | 神州网云(北京)信息技术有限公司 | Rule engine implementation method for accurately identifying malicious network communication |
CN113839963B (en) * | 2021-11-25 | 2022-02-15 | 南昌首页科技发展有限公司 | Network security vulnerability intelligent detection method based on artificial intelligence and big data |
CN114553525A (en) * | 2022-02-22 | 2022-05-27 | 国网河北省电力有限公司电力科学研究院 | Network security vulnerability mining method and system based on artificial intelligence |
CN114710325B (en) * | 2022-03-17 | 2023-09-15 | 广州杰赛科技股份有限公司 | Method, device, equipment and storage medium for constructing network intrusion detection model |
CN114866279B (en) * | 2022-03-24 | 2023-07-25 | 中国科学院信息工程研究所 | Vulnerability attack flow detection method and system based on HTTP request payload |
CN114912116B (en) * | 2022-05-18 | 2023-01-24 | 河南工业贸易职业学院 | Intelligent computer network information safety controller and control system |
CN115130110B (en) * | 2022-07-08 | 2024-03-19 | 国网浙江省电力有限公司电力科学研究院 | Vulnerability discovery method, device, equipment and medium based on parallel integrated learning |
CN115695046B (en) * | 2022-12-28 | 2023-03-31 | 广东工业大学 | Network intrusion detection method based on reinforcement ensemble learning |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102789593A (en) * | 2012-06-18 | 2012-11-21 | 北京大学 | Intrusion detection method based on incremental GHSOM (Growing Hierarchical Self-organizing Maps) neural network |
CN104243407A (en) * | 2013-06-13 | 2014-12-24 | 华为技术有限公司 | Generation method and device for malicious software network intrusion detection feature codes |
CN104486141A (en) * | 2014-11-26 | 2015-04-01 | 国家电网公司 | Misdeclaration self-adapting network safety situation predication method |
CN106778795A (en) * | 2015-11-24 | 2017-05-31 | 华为技术有限公司 | A kind of sorting technique and device based on incremental learning |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10542020B2 (en) * | 2015-03-26 | 2020-01-21 | Tyco Fire & Security Gmbh | Home network intrusion detection and prevention system and method |
US10652254B2 (en) * | 2016-02-23 | 2020-05-12 | Zenedge, Inc. | Analyzing web application behavior to detect malicious requests |
Application events
Date | Country | Application | Patent | Status |
---|---|---|---|---|
2018-01-05 | CN | CN201810011225.5A | CN108347430B | Active |
Also Published As
Publication number | Publication date |
---|---|
CN108347430A (en) | 2018-07-31 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108347430B (en) | | Network intrusion detection and vulnerability scanning method and device based on deep learning |
Arshad et al. | | SAMADroid: a novel 3-level hybrid malware detection model for android operating system |
US11316891B2 (en) | | Automated real-time multi-dimensional cybersecurity threat modeling |
US10762206B2 (en) | | Automated behavioral and static analysis using an instrumented sandbox and machine learning classification for mobile security |
US20220014560A1 (en) | | Correlating network event anomalies using active and passive external reconnaissance to identify attack information |
US11218510B2 (en) | | Advanced cybersecurity threat mitigation using software supply chain analysis |
US20220201042A1 (en) | | AI-driven defensive penetration test analysis and recommendation system |
US11882134B2 (en) | | Stateful rule generation for behavior based threat detection |
US20220210202A1 (en) | | Advanced cybersecurity threat mitigation using software supply chain analysis |
Ting et al. | | Compression analytics for classification and anomaly detection within network communication |
US11886587B2 (en) | | Malware detection by distributed telemetry data analysis |
Sommestad et al. | | Variables influencing the effectiveness of signature-based network intrusion detection systems |
Akhtar | | Malware detection and analysis: Challenges and research opportunities |
US20240056475A1 (en) | | Techniques for detecting living-off-the-land binary attacks |
Zammit | | A machine learning based approach for intrusion prevention using honeypot interaction patterns as training data |
GB2619589A (en) | | Fuzz testing of machine learning models to detect malicious activity on a computer |
Mei et al. | | CTScopy: hunting cyber threats within enterprise via provenance graph-based analysis |
Qin et al. | | Potential threats mining methods based on correlation analysis of multi-type logs |
US20220237289A1 (en) | | Automated malware classification with human-readable explanations |
Aarya et al. | | Web scanning: existing techniques and future |
EP3926501A1 (en) | | System and method of processing information security events to detect cyberattacks |
US20210286879A1 (en) | | Displaying Cyber Threat Data in a Narrative |
Helmer et al. | | Anomalous intrusion detection system for hostile Java applets |
Hobert et al. | | Enhancing Cyber Attribution through Behavior Similarity Detection on Linux Shell Honeypots with ATT&CK Framework |
US20230104673A1 (en) | | Machine learning outputs with high confidence explanations |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | | |
SE01 | Entry into force of request for substantive examination | | |
GR01 | Patent grant | | |