CN108718310A - Multi-level attack signature generation and malicious behaviour recognition method based on deep learning - Google Patents
- Publication number: CN108718310A (application CN201810481076.9A)
- Authority: CN (China)
- Legal status: Granted
Classifications
- H04L63/145: Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms
- G06F21/562: Computer malware detection or handling, static detection
- G06F21/566: Computer malware detection or handling, dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- G06N3/08: Neural networks, learning methods
- H04L41/145: Network analysis or design involving simulating, designing, planning or modelling of a network
- H04L63/1416: Event detection, e.g. attack signature detection, by monitoring network traffic
Abstract
The invention discloses a multi-level attack signature generation and malicious behaviour recognition method based on deep learning, in the technical field of network security. The method comprises: training the malicious code in an attack behaviour database with a deep learning method to build an attack data model of malicious code; processing the code under test at the network layer with the attack data model to obtain the network-layer data features of the code under test; extracting features from the code under test at the physical layer to obtain its physical-layer data features; and combining the network-layer data features with the physical-layer data features to determine whether the code under test is malicious code. By identifying code through the combination of network-layer and physical-layer data features, the invention meets the demands of high-grade system defence and guarantees the reliability of that defence, effectively improving malicious code detection accuracy while keeping the detection time of the system under control.
Description
Technical field
The present invention relates to the technical field of network security, and in particular to a multi-level attack signature generation and malicious behaviour recognition method based on deep learning.
Background technology
Malicious code is an intrusive or destructive program that infects a computer in order to damage its data and operation; it harms the security and integrity of computer data and has become a main cause of personal and corporate information leaks.
In malicious code analysis, existing dynamic behaviour capture methods can analyse the behaviour and operations of a botnet from a comprehensive angle, but their overhead is large and the analysis cycle is long. Existing static disassembly methods obtain the function call graph of a botnet and compare instruction information and function call similarity; because the call graph of a single malware sample has on average thousands of nodes, and much noise remains even after pruning removes some irrelevant nodes, their analysis results are inaccurate and the resulting defence performance is unreliable. Moreover, whether dynamic behaviour capture or static disassembly is used, every category of feature used in the analysis is manually predefined, so whether these features are complete and entirely correct is decided by a person and is therefore subjective.
Invention content
The purpose of the present invention is to provide a multi-level attack signature generation and malicious behaviour recognition method based on deep learning that identifies malicious code while taking both reliability and real-time performance into account.
To achieve this, the present invention adopts a multi-level attack signature generation and malicious behaviour recognition method based on deep learning, comprising the following steps:
training the malicious code in an attack behaviour database with a deep learning method to build an attack data model of malicious code, the malicious code in the attack database being malicious code that has previously been analysed by static analysis and dynamic analysis;
processing the code under test at the network layer based on the attack data model to obtain the network-layer data features of the code under test;
extracting features from the code under test at the physical layer to obtain the physical-layer data features of the code under test;
combining the network-layer data features with the physical-layer data features to determine whether the code under test is malicious code.
Preferably, training the malicious code in the attack behaviour database with the deep learning method to build the attack data model of malicious code includes:
converting the necessary attack signatures of the malicious code in the attack database into constraint conditions;
building the attack objective function of the malicious code according to the constraint conditions;
solving the attack objective function with a non-linear iterative algorithm to obtain the attack vector of the malicious code;
building the attack data model according to the attack vector of the malicious code.
Preferably, processing the code under test at the network layer based on the attack data model to obtain its network-layer data features includes:
taking the malicious code behaviour to be identified as the input of the attack data model, to obtain the network-layer attack vector corresponding to that malicious code behaviour;
taking the network-layer attack vector as the input of a pre-built neural network model, to obtain the network-layer data features.
Preferably, the method further includes:
performing matching on the network-layer data features and dividing the code under test into normal code, malicious code and unknown code according to the matching result.
Preferably, extracting features from the code under test at the physical layer to obtain its physical-layer data features includes:
when the defence grade requirement is high and the real-time requirement is low, using a host-based attack feature extraction method to extract features from the physical-layer data of the normal code and from the physical-layer data of the unknown code, obtaining the physical-layer data features of the normal code and of the unknown code respectively;
when the defence grade requirement is high and the real-time requirement is high, using the host-based attack feature extraction method to extract features from the physical-layer data of the unknown code only, obtaining the physical-layer data features of the unknown code.
Preferably, the method further includes:
when both the defence grade requirement and the real-time requirement are low, comparing the network-layer data features of the code under test with the attack signatures in an attack signature database;
when the network-layer data features of the code under test match an attack signature in the attack signature database, determining whether the code under test is malicious code; the attack signatures in this signature database are the features of the malicious code in the attack database.
Preferably, the pre-built neural network model is built as follows:
stacking k restricted Boltzmann machines (RBMs) into a deep belief network, k being a positive integer;
training the data feature classification parameters of each neural unit in the first-layer RBM of the deep belief network in an unsupervised manner;
using the hidden layer of the first-layer RBM as the visible layer of the second-layer RBM and training the data feature classification parameters of each neural unit in the second layer, and so on layer by layer up to the top-layer RBM, which yields the initial parameters of the neural network model;
performing supervised training on the initial parameters with data carrying attack feature labels, determining the weight parameters of the neural units in each RBM layer and the coupling between adjacent network layers, thereby building the neural network model.
Preferably, taking the network-layer attack vector as the input of the pre-built neural network model to obtain the network-layer data features includes:
in the neural network model, traversing the suspect code sequence in the code under test and the malicious code sequences recorded in the system, and matching each character of the two sequences to obtain a matching result;
traversing the matching result and taking the longest common subsequence as the network-layer data feature.
Preferably, combining the network-layer data features with the physical-layer data features to determine whether the code under test is malicious code includes:
comparing the network-layer data features and the physical-layer data features respectively with the features in the attack signature database;
judging whether the network-layer data features match a feature in the attack signature database, and judging whether the physical-layer data features match a feature in the attack signature database;
when at least one comparison result is a match, determining whether the code under test is malicious code.
Preferably, the method further includes:
adding the code under test that has been determined to be malicious code to the attack database as new data, so as to update the attack database;
training the malicious code in the updated attack database with the deep learning method, so as to update the attack data model.
Compared with the prior art, the present invention has the following technical effects. The present invention trains known malicious code with a deep learning function, obtains the features of malicious code and builds an attack data model of malicious code, strengthening the system's ability to recognise malicious code. When unknown code intrudes into the system, features are extracted from the unknown code and it is judged whether they match the features of malicious code, giving a preliminary judgement of whether the unknown code is malicious. Then, according to the system's defence grade, features are extracted from the physical-layer data of the unknown code and effectively combined with the physical-layer data features to determine whether the unknown code is malicious. This attack defence method of parallel, multi-level feature selection ensures the accuracy of malicious code identification to the greatest extent.
Description of the drawings
The specific implementation of the present invention is described in detail below with reference to the accompanying drawings:
Fig. 1 is a flow diagram of the multi-level attack signature generation and malicious behaviour recognition method based on deep learning;
Fig. 2 is the overall model diagram of multi-level deep learning;
Fig. 3 shows the access and exit process of a calling node and the related frame structure;
Fig. 4 is the attack defence model diagram without physical-layer analysis;
Fig. 5 is the attack defence model diagram combining physical-layer analysis and parameter coordination.
Specific implementation mode
To further illustrate the features of the present invention, reference should be made to the following detailed description and the accompanying drawings. The drawings are for reference and discussion only and do not limit the scope of protection of the present invention.
The basic idea of this embodiment is as follows. When the system is intruded by code under test, during the end-to-end transmission of that code through the network, the features of the network-layer data are extracted at the network layer with a deep-learning neural network, and features are also extracted from the data of the code under test at the physical layer with a host-based feature extraction method; the class of the code under test is then determined by combining the network-layer data features with the physical-layer data features according to the system's defence grade requirement. This is explained with reference to the specific technical solution:
As shown in Fig. 1, this embodiment discloses a multi-level attack signature generation and malicious behaviour recognition method based on deep learning, comprising the following steps S1 to S4:
S1: train the malicious code in the attack behaviour database with a deep learning method to build an attack data model of malicious code.
Note that the malicious code in the attack database has been obtained by existing static analysis and dynamic analysis. Training this known malicious code with a deep learning method yields an attack data model that strengthens the recognition capability and accuracy for malicious code.
S2: process the code under test at the network layer based on the attack data model to obtain the network-layer data features of the code under test.
S3: extract features from the code under test at the physical layer to obtain the physical-layer data features of the code under test.
S4: combine the network-layer data features with the physical-layer data features to determine whether the code under test is malicious code.
Note that features are extracted from the same code under test separately at the network layer and at the physical layer; combining the network-layer and physical-layer data features effectively guarantees the accuracy of malicious code identification when the system's defence requirement is high, improving the reliability of system defence.
As further explanation, the detailed process of building the attack data model of malicious code in step S1 is:
(1) Build the constraint conditions.
First, the malicious code data in the system's existing attack database is analysed to obtain the necessary attack signatures of malicious code. In this embodiment the necessary attack signatures of malicious code are expressed as follows:
Feature 1: the attacker has some knowledge of the network topology of the attacked system;
Feature 2: the attacker has some foreknowledge of the detection mechanism of the attacked system;
Feature 3: the attacker maximises its own attack gain by modifying the relevant data around the attacked system.
Taking a smart grid as the attacked system, the necessary attack signatures of malicious code are concretely:
Feature 1: the attacker has some knowledge of the network topology of the smart grid;
Feature 2: the attacker has some foreknowledge of the detection mechanism of the smart grid;
Feature 3: the attacker maximises its own attack gain by modifying the measurement data of neighbouring meters.
These three attack signatures have a certain generality; they are taken as known features by default and converted into constraint conditions, specifically:
Here a denotes the attack vector at a given stage, H the Jacobian matrix used by the attacker (representing the power grid topology, $H \in \mathbb{R}^{m \times n}$), the threshold of attack assessment, $\|\cdot\|$ the norm and T the transpose of the attack vector a. M and N denote the vectors used by the operator during data transmission; in this embodiment M and N are diagonal vectors, expressed as follows:
Note that whatever modification the attacker performs, the behaviour signal of the attack itself can be detected; to keep the attack concealed, the attacker has to consider these three constraint conditions, so the constraint conditions are general.
(2) Constrain the attack objective function by the constraint conditions.
According to the constraint conditions, the attack objective function is expressed with Lagrange multipliers as:
$L(a, \lambda_1, \lambda_2, \lambda_3) = U(a) + \lambda_1^{T} h_1(a) + \lambda_2^{T} h_2(a) + \lambda_3^{T} g(a)$,
where $h_2(a) = N(a + L)$, $g(a) = a^{T} M a$, $\lambda_1, \lambda_2, \lambda_3$ are the respective weights of the three functions in the Lagrange multiplier method (used only as parameters that need not be solved for), and U(a) is the objective function.
Then, by taking the partial derivative with respect to each parameter, the original minimisation problem of the objective function is converted into a derivative problem: find the concrete values of the relevant parameters at which the function is minimised, such that the objective function satisfies:
Here $U(a_k)$ denotes the attacker's objective function, $d_k$ the update weight of each iteration, $a_k$ the attack vector used in the k-th iteration of the objective function, the second-order partial derivative, $L(a_k, \lambda_k)$ the attack objective function in the k-th iteration, the first-order partial derivative, and $\lambda_k$ the concrete values taken in the k-th iteration of the non-linear iterative algorithm by the three function weights $\lambda_1, \lambda_2, \lambda_3$ of the Lagrange multiplier method.
(3) Using the non-linear iterative algorithm and the attack objective function under the feature constraints, find the attack vector that represents the attack behaviour. The iterative detection process for the attack vector of malicious code is:
(3-1) first determine the initial parameter values $a_0$, $\lambda_0$ and the initial value $H_0$ of the matrix H ($H_0$ is an m × n matrix), and select the parameters $\eta \in (0, 0.5)$ and $\tau \in (0, 1)$ within the given ranges;
(3-2) judge whether the constraint conditions are satisfied; if so, continue with step (3-3), otherwise stop the computation;
(3-3) solve the converted planning sub-problem for the value of $d_k$;
(3-4) substitute the initial value $\alpha_0 = 1$ of the step length $\alpha_k$ into the following formula:
and judge whether it is satisfied; if so, the parameter value is usable and step (3-5) is executed, otherwise $\alpha_k$ is updated according to $\alpha_k = \tau_k \alpha_k$ with $\tau_k \in (0, \tau)$.
Here D denotes a diagonal matrix of dimension C, $\eta$ the selected weighting parameter, and the adjustment function used to adjust the step length, which can be expressed as:
$r_1, r_2, r_3$ are the weights of the proportion of each parameter in the adjustment function; their values can be set to the maximum value, with $1 \le r_i \le 3$.
(3-5) once $\alpha_k$ satisfies the constraint, compute the iterate of the attack vector $a_k$: $a_{k+1} = a_k + \alpha_k d_k$.
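The iteration skeleton of steps (3-1) to (3-5), as an added example that is not code from the patent. The objective U(a), the feasibility check and the direction d_k are constructed stand-ins, since the patent's own formulas for the planning sub-problem and the step-length test are not reproduced on this page: U is a small quadratic with a diagonal M (the page says M is diagonal), the feasibility check is the norm bound $\|Ha\| \le$ threshold with H the identity, d_k is the steepest-descent direction, and the step-length test is an Armijo-style sufficient-decrease test with the page's parameter ranges $\eta \in (0, 0.5)$, $\tau \in (0, 1)$, $\alpha_0 = 1$ and the shrink rule $\alpha_k \leftarrow \tau_k \alpha_k$ (here with $\tau_k = \tau$).

```python
import math


def norm(v):
    """Euclidean norm, the ||.|| of the page's constraint."""
    return math.sqrt(sum(x * x for x in v))


def matvec(H, a):
    """Matrix-vector product H a for the feasibility check."""
    return [sum(h * x for h, x in zip(row, a)) for row in H]


def iterate(U, grad_U, feasible, a0, eta=0.3, tau=0.5, max_iter=100, tol=1e-6):
    """Steps (3-1)..(3-5). Returns the final vector and the list of iterates."""
    assert 0 < eta < 0.5 and 0 < tau < 1          # (3-1): parameter ranges given on the page
    a, history = list(a0), [list(a0)]
    for _ in range(max_iter):
        if not feasible(a):                       # (3-2): stop when the constraints fail
            break
        g = grad_U(a)
        d = [-x for x in g]                       # (3-3): steepest descent stands in for the planning sub-problem
        if norm(d) < tol:
            break
        slope = sum(gi * di for gi, di in zip(g, d))
        alpha = 1.0                               # (3-4): alpha_0 = 1
        trial = [ai + alpha * di for ai, di in zip(a, d)]
        while U(trial) > U(a) + eta * alpha * slope:   # assumed sufficient-decrease test
            alpha *= tau                          # alpha_k <- tau_k alpha_k with tau_k = tau
            if alpha < 1e-12:
                return a, history
            trial = [ai + alpha * di for ai, di in zip(a, d)]
        a = trial                                 # (3-5): a_{k+1} = a_k + alpha_k d_k
        history.append(list(a))
    return a, history


# Constructed problem: U(a) = 1/2 a^T M a - b^T a with diagonal M; the minimiser is
# a* = M^{-1} b = (1, 1). Feasibility: ||H a|| <= THRESHOLD with H the identity.
M_DIAG = [2.0, 1.0]
B = [2.0, 1.0]
H = [[1.0, 0.0], [0.0, 1.0]]
THRESHOLD = 3.0


def U(a):
    return 0.5 * sum(m * x * x for m, x in zip(M_DIAG, a)) - sum(b * x for b, x in zip(B, a))


def grad_U(a):
    return [m * x - b for m, x, b in zip(M_DIAG, a, B)]


def feasible(a):
    return norm(matvec(H, a)) <= THRESHOLD


def solve(a0=(0.0, 0.0)):
    """Run the iteration from a0; an infeasible a0 stops at step (3-2) with no update."""
    return iterate(U, grad_U, feasible, a0)
```

From the origin the first full step is rejected by the decrease test and halved, after which the iteration reaches (1, 1); a start outside the norm bound returns unchanged, which is the page's "otherwise stop the computation" branch.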
As further explanation, step S2 (processing the code under test at the network layer based on the attack data model to obtain its network-layer data features) specifically includes:
taking the malicious code behaviour to be identified as the input of the attack data model, to obtain the network-layer attack vector corresponding to that malicious code behaviour;
taking the network-layer attack vector as the input of the pre-built neural network model, to obtain the network-layer data features.
Specifically, the neural network model is built as follows:
k restricted Boltzmann machines are stacked to form a deep belief network. The data feature classification parameters of each neural unit in the first-layer RBM of the deep belief network are trained in an unsupervised manner; the hidden layer of the first-layer RBM is then used as the visible layer of the second-layer RBM to train the feature parameters of the second layer, and so on upwards until the parameters of every RBM layer have been trained, giving the initial parameters of the feature extraction model.
Then data carrying attack feature labels is used for supervised training of the model's initial parameters, fine-tuning them so as to determine the final weight parameters of the neural units in each layer and the coupling between adjacent network layers; at this point the neural network model is built.
The energy function of a restricted Boltzmann machine in the neural network is expressed as:
where $v_j$ denotes the j-th element of the visible-layer vector v, $h_i$ the i-th element of the hidden-layer vector h, $w_{ij}$ an element of the weight matrix between the visible-layer and hidden-layer units, n the number of hidden units and m the number of visible units; $c_j$ and $d_i$ denote the weights (biases) occupied by each element of the visible layer and hidden layer respectively. Given the weight distribution of the hidden layer, the conditional probability of attack signature recognition in each hidden unit is then computed as:
where sigm denotes the curve (logistic) function, $\mathrm{sigm}(x) = 1 / (1 + e^{-x})$.
Similarly, knowing the weights occupied by each unit of the visible layer, the conditional probability of attack feature recognition of each unit in the visible layer can be computed:
After the initial training, to prevent under-fitting or over-fitting of the data labels, a new round of updates to the weights of each visible layer and hidden layer in the neural network is needed. The weight update between each unit of the visible layer and the hidden layer is expressed as:
$w_{ij} = w_{ij} - R\left(\langle h_i v_j \rangle_m - \langle h_i v_j \rangle_n\right)$
where $\langle \cdot \rangle$ denotes the expectation obtained and R the learning rate.
The bias update between each hidden layer and visible layer is expressed correspondingly as:
Through continuous parameter updates, the neural network parameters for the training data are finally formed, guaranteeing the accuracy of attack recognition.
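The stacked-RBM construction described in the "Preferably, the pre-built neural network model" item and in the paragraphs above, as an added example in pure Python; it is not code from the patent. It assumes the standard RBM energy $E(v,h) = -\sum_j c_j v_j - \sum_i d_i h_i - \sum_{ij} h_i w_{ij} v_j$ and the standard conditional probabilities, since the page's own formulas are not reproduced, applies the page's update $w_{ij} \leftarrow w_{ij} - R(\langle h_i v_j\rangle_m - \langle h_i v_j\rangle_n)$ with the first expectation taken from the one-step reconstruction and the second from the data (contrastive divergence, CD-1, using unit probabilities rather than sampled states so that the run is deterministic), pretrains two layers greedily, and stands in for the supervised fine-tuning with a single logistic unit trained on the top-layer features; the six-bit input vectors and their labels are constructed.

```python
import math
import random


def sigm(x):
    """The page's curve function: sigm(x) = 1 / (1 + e^-x)."""
    return 1.0 / (1.0 + math.exp(-x))


class RBM:
    """Restricted Boltzmann machine: m visible units v_j, n hidden units h_i,
    weights w_ij, visible biases c_j and hidden biases d_i (the page's symbols)."""

    def __init__(self, m, n, rate=0.1, seed=0):
        rng = random.Random(seed)
        self.m, self.n, self.rate = m, n, rate
        self.w = [[rng.uniform(-0.1, 0.1) for _ in range(m)] for _ in range(n)]
        self.c = [0.0] * m
        self.d = [0.0] * n

    def energy(self, v, h):
        """Standard RBM energy (assumed form): -sum_j c_j v_j - sum_i d_i h_i - sum_ij h_i w_ij v_j."""
        e = -sum(self.c[j] * v[j] for j in range(self.m))
        e -= sum(self.d[i] * h[i] for i in range(self.n))
        e -= sum(h[i] * self.w[i][j] * v[j] for i in range(self.n) for j in range(self.m))
        return e

    def p_hidden(self, v):
        """P(h_i = 1 | v) = sigm(d_i + sum_j w_ij v_j), one value per hidden unit."""
        return [sigm(self.d[i] + sum(self.w[i][j] * v[j] for j in range(self.m)))
                for i in range(self.n)]

    def p_visible(self, h):
        """P(v_j = 1 | h) = sigm(c_j + sum_i w_ij h_i), one value per visible unit."""
        return [sigm(self.c[j] + sum(self.w[i][j] * h[i] for i in range(self.n)))
                for j in range(self.m)]

    def cd1_step(self, v0):
        """One CD-1 update with unit probabilities in place of sampled states.
        Returns the squared reconstruction error of v0."""
        h0 = self.p_hidden(v0)      # data phase
        v1 = self.p_visible(h0)     # one Gibbs step back to the visible layer
        h1 = self.p_hidden(v1)      # reconstruction phase
        for i in range(self.n):
            for j in range(self.m):
                # w_ij <- w_ij - R(<h_i v_j>_recon - <h_i v_j>_data), the page's update rule
                self.w[i][j] -= self.rate * (h1[i] * v1[j] - h0[i] * v0[j])
        for j in range(self.m):     # bias updates take the same form
            self.c[j] -= self.rate * (v1[j] - v0[j])
        for i in range(self.n):
            self.d[i] -= self.rate * (h1[i] - h0[i])
        return sum((v0[j] - v1[j]) ** 2 for j in range(self.m))


def pretrain_dbn(data, layer_sizes, epochs=200, rate=0.1):
    """Greedy layer-wise pretraining: the hidden layer of RBM k is the visible layer
    of RBM k+1. Returns the stacked RBMs and the per-epoch error of the first layer."""
    rbms, errors, inputs = [], [], data
    for k, n in enumerate(layer_sizes):
        rbm = RBM(len(inputs[0]), n, rate, seed=k)
        for _ in range(epochs):
            err = sum(rbm.cd1_step(v) for v in inputs)
            if k == 0:
                errors.append(err)
        rbms.append(rbm)
        inputs = [rbm.p_hidden(v) for v in inputs]
    return rbms, errors


def dbn_features(rbms, v):
    """Propagate a visible vector through every RBM; the top activations are the features."""
    for rbm in rbms:
        v = rbm.p_hidden(v)
    return v


def supervised_finetune(features, labels, epochs=300, rate=0.5):
    """Supervised step on the pretrained features: one logistic unit trained by
    gradient descent on labelled data. Returns (weights, bias, per-epoch loss)."""
    k = len(features[0])
    w, b, losses = [0.0] * k, 0.0, []
    for _ in range(epochs):
        loss, gw, gb = 0.0, [0.0] * k, 0.0
        for x, y in zip(features, labels):
            p = sigm(b + sum(w[i] * x[i] for i in range(k)))
            loss -= y * math.log(p) + (1 - y) * math.log(1 - p)
            for i in range(k):
                gw[i] += (p - y) * x[i]
            gb += p - y
        w = [w[i] - rate * gw[i] / len(labels) for i in range(k)]
        b -= rate * gb / len(labels)
        losses.append(loss / len(labels))
    return w, b, losses


# Constructed toy data: six-bit "network-layer attack vectors", label 1 = malicious.
DATA = [[1, 1, 1, 0, 0, 0], [1, 1, 1, 0, 0, 0], [1, 1, 0, 0, 0, 0],
        [0, 0, 0, 1, 1, 1], [0, 0, 0, 0, 1, 1]]
LABELS = [1, 1, 1, 0, 0]


def run_demo():
    """Pretrain a two-layer DBN on DATA, then fine-tune on the labels."""
    rbms, errors = pretrain_dbn(DATA, [4, 3])
    feats = [dbn_features(rbms, v) for v in DATA]
    _, _, losses = supervised_finetune(feats, LABELS)
    return errors, losses
```

The first-layer reconstruction error and the supervised loss both fall over the epochs; with sampled (rather than mean-field) hidden states the updates would be stochastic but follow the same rule.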
Specifically, an extraction method based on the longest common subsequence is used: the character string sequence output by the neural network model is compared and matched with the attack signatures recorded in the attacked system, and the longest common subsequence is finally selected as the attack signature that best represents the attack behaviour. Extracting features in this way greatly reduces the recognition time of an attack. The extraction process is:
Definition 1: for sequences $P = \{p_1, p_2, \dots, p_m\}$ and $Q = \{q_1, q_2, \dots, q_n\}$, if there is a sequence $L = \{L_1, L_2, \dots, L_t\}$ that is a subsequence of both P and Q, and no other sequence satisfying this condition is longer than L, then L is the longest common subsequence of P and Q.
Definition 2: for a sequence X of length m and a sequence Y of length n, an m × n matrix is needed as an auxiliary. This matrix records the matching between the characters of the two strings, so the storage space is defined as C, where $C_{ij}$ records the i-th character of X against the j-th character of Y.
The specific matching process is as follows:
(1) traverse sequence X and sequence Y and match each character of the sequences; the matching follows the following rule:
(2) after matching, traverse the matching result and find the largest sub-matrix of the storage space whose diagonal is all 1; the character string corresponding to this sub-matrix is the required longest common subsequence.
If the character string sequence output by the neural network model has no matching feature information in the database, the attack is regarded as an unknown attack, and the longest character string output by the neural network model is taken as the attack signature of that unknown attack.
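The matching process above, as an added example that is not code from the patent. It builds the m × n match matrix of Definition 2 and finds the longest all-ones diagonal of step (2); note that a run of consecutive matches along a diagonal is a common contiguous substring, so that step is also shown beside a standard dynamic programme for Definition 1's longest common subsequence. The signature database and the model output strings are constructed tokens, and the minimum match length below which the comparison counts as "no match" (the unknown-attack branch) is an assumed threshold.

```python
def match_matrix(x, y):
    """Definition 2: the m x n auxiliary matrix C with C[i][j] = 1 when x[i] == y[j]."""
    return [[1 if xi == yj else 0 for yj in y] for xi in x]


def longest_diagonal_run(x, y):
    """Step (2): the largest sub-matrix of C whose diagonal is all ones, i.e. the
    longest run of consecutive matches, which is the longest common contiguous
    substring of x and y."""
    c = match_matrix(x, y)
    # run[i][j] = length of the diagonal run of ones ending at C[i-1][j-1]
    run = [[0] * (len(y) + 1) for _ in range(len(x) + 1)]
    best_len, best_end = 0, 0
    for i in range(1, len(x) + 1):
        for j in range(1, len(y) + 1):
            if c[i - 1][j - 1]:
                run[i][j] = run[i - 1][j - 1] + 1
                if run[i][j] > best_len:
                    best_len, best_end = run[i][j], i
    return x[best_end - best_len:best_end]


def longest_common_subsequence(x, y):
    """Definition 1 taken literally: the longest (not necessarily contiguous) common
    subsequence, by the standard dynamic programme with backtracking."""
    m, n = len(x), len(y)
    L = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            if x[i - 1] == y[j - 1]:
                L[i][j] = L[i - 1][j - 1] + 1
            else:
                L[i][j] = max(L[i - 1][j], L[i][j - 1])
    i, j, out = m, n, []
    while i > 0 and j > 0:
        if x[i - 1] == y[j - 1]:
            out.append(x[i - 1])
            i, j = i - 1, j - 1
        elif L[i - 1][j] >= L[i][j - 1]:
            i -= 1
        else:
            j -= 1
    return "".join(reversed(out))


# Constructed signature database: abstract behaviour tokens, not real malware signatures.
SIGNATURE_DB = ["OPEN.SOCKET.SEND", "READ.KEY.RUN", "ENUM.NET.PUSH"]


def extract_signature(model_output, signature_db=SIGNATURE_DB, min_len=4):
    """Compare the model's output string with every recorded signature and keep the
    longest common part. Below the assumed threshold min_len the comparison counts
    as no match, and the output itself becomes the feature of an unknown attack."""
    best = ""
    for sig in signature_db:
        cand = longest_diagonal_run(model_output, sig)
        if len(cand) > len(best):
            best = cand
    if len(best) >= min_len:
        return "known", best
    return "unknown", model_output
```

Used on an output string that contains a recorded token sequence, the diagonal-run search returns that sequence as the signature; an output sharing only isolated characters with the database falls through to the unknown-attack branch and is kept whole.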
As further explanation, in step S3 (extracting features from the code under test at the physical layer to obtain its physical-layer data features), a host-based, i.e. white-box, attack feature extraction method is used. The extraction process is the same as in the prior art: the malicious program that launched the attack is first decompiled into assembly instructions, the assembly instructions are then trace-analysed to locate the instruction segment of the attack, and the attack features are extracted from that segment.
As a further explanation, step S4 above (combining the network-layer data features and physical-layer data features to determine whether the code under test is malicious code) proceeds as follows:
The network-layer data features and the physical-layer data features are each compared with the features in the attack signature database, where the features in the attack signature database are the features of the malicious code in the attack behavior database;
It is judged whether the network-layer data features match a feature in the attack signature database, and whether the physical-layer data features match a feature in the attack signature database;
When at least one comparison result is a match, a determination is made as to whether the code under test is malicious code.
It should be noted that this embodiment combines the network-layer and physical-layer data features, which improves the accuracy of identifying the code under test; it is suitable for systems with a high defense level requirement and substantially improves the defense reliability of the system.
As a further explanation, after step S2 above (in the network layer, the code under test is processed on the basis of the attack data model to obtain its network-layer data features), the following step is also included:
Matching is performed on the network-layer data features, and according to the matching result the code under test is divided into normal code, malicious code and unknown code.
Here, normal code is code judged to pose no attack threat; malicious code is code judged to pose an attack threat; unknown code is the "grey zone" that is neither normal code nor malicious code and requires further discrimination.
As a further explanation, this embodiment takes the code classification obtained from the network-layer data features as a preliminary identification result and then responds differently for each code class according to the system's defense requirement and real-time requirement; specifically:
When the defense level requirement is high and the defense real-time requirement is low, the host-based attack feature extraction method is used to extract features from the physical-layer data of both the normal code and the unknown code, yielding the physical-layer data features of the normal code and of the unknown code respectively;
When the defense level requirement is high and the defense real-time requirement is also high, the host-based attack feature extraction method is used to extract features only from the physical-layer data of the unknown code, yielding the physical-layer data features of the unknown code;
When both the defense level requirement and the defense real-time requirement are low, the network-layer data features of the code under test are compared with the attack signatures in the attack signature database, and when the network-layer data features of the code under test match an attack signature in the attack signature database, a determination is made as to whether the code under test is malicious code.
It should be noted that if the network-layer data features do not match the features in the attack signature database, feature extraction can be performed again on the code under test at the network layer; if the network-layer data features still do not match the features in the attack signature database, the code under test is regarded as unknown code.
It should be noted that this embodiment classifies the code under test at the network layer and then analyzes each class according to the system's defense level requirement and real-time requirement. For example, when the system's real-time requirement is high, feature extraction at the physical layer is performed only on the unknown code, which reduces time consumption and lowers the overall defense delay of the system. When the system's defense requirement is high, physical-layer feature extraction is performed on both the unknown code and the normal code, and the code is identified by combining the network-layer and physical-layer data features, which effectively meets the high defense requirement and ensures the reliability of the system's defense. Therefore, the scheme of this embodiment effectively improves the malicious code detection accuracy while effectively controlling the system's detection time.
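The network-layer classification with its single re-extraction, the defense-level/real-time policy for physical-layer extraction, and the step S4 "at least one layer matches" verdict, combined in one added Python example (not the patent's code). The substring comparison rule, the treatment of a missing network-layer sequence as normal code, and the sample features are constructed assumptions; the page does not specify them.

```python
"""Layered verdict logic for the page's S2/S4 steps and its response policy.
Added example, not the patent's code; features and signatures are
constructed for illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Set, Tuple


class CodeClass(Enum):
    NORMAL = "normal"        # judged to pose no attack threat
    MALICIOUS = "malicious"  # judged to pose an attack threat
    UNKNOWN = "unknown"      # grey zone, needs further discrimination


@dataclass
class Sample:
    """Code under test, reduced to the features each layer would extract.
    net_extractions: network-layer feature per extraction attempt (None is
    assumed to mean the model produced no attack-like sequence, i.e. normal).
    phys_feature: feature from the host-based physical-layer extraction."""
    name: str
    net_extractions: List[Optional[str]]
    phys_feature: Optional[str]


def feature_matches(feature: Optional[str], signature_db: Set[str]) -> bool:
    """Assumed comparison rule: a feature matches when it contains a stored
    attack signature (the page does not fix the comparison itself)."""
    return feature is not None and any(sig in feature for sig in signature_db)


def classify_network_layer(sample: Sample, signature_db: Set[str],
                           max_attempts: int = 2) -> Tuple[CodeClass, Optional[str]]:
    """Step S2 follow-up: match the network-layer feature; on a miss, extract
    once more (the page allows re-extraction); still no match -> unknown."""
    attempts = sample.net_extractions[:max_attempts]
    if all(f is None for f in attempts):
        return CodeClass.NORMAL, None
    for feature in attempts:
        if feature_matches(feature, signature_db):
            return CodeClass.MALICIOUS, feature
    last = next((f for f in reversed(attempts) if f is not None), None)
    return CodeClass.UNKNOWN, last


def physical_layer_targets(defense_high: bool, realtime_high: bool) -> Set[CodeClass]:
    """The page's response policy: which network-layer classes receive the
    host-based physical-layer extraction."""
    if defense_high and not realtime_high:
        return {CodeClass.NORMAL, CodeClass.UNKNOWN}
    if defense_high and realtime_high:
        return {CodeClass.UNKNOWN}
    # Both requirements low: the network-layer comparison alone decides.
    # The page does not spell out defense-low/real-time-high; treated the same.
    return set()


def detect(sample: Sample, signature_db: Set[str],
           defense_high: bool, realtime_high: bool) -> CodeClass:
    """Step S4: combine the layers; at least one matching layer -> malicious.
    Otherwise the network-layer class stands (normal or unknown)."""
    net_class, net_feature = classify_network_layer(sample, signature_db)
    phys_feature = None
    if net_class in physical_layer_targets(defense_high, realtime_high):
        phys_feature = sample.phys_feature
    if feature_matches(net_feature, signature_db) or feature_matches(phys_feature, signature_db):
        return CodeClass.MALICIOUS
    return net_class


if __name__ == "__main__":
    db = {"GET /admin HTTP/1.1", "; /bin/sh -c"}
    # Constructed: clean at the network layer, but the host-side trace shows a shell spawn.
    normal_looking = Sample("normal-looking", [None], "ok ; /bin/sh -c")
    for policy in ((True, False), (True, True), (False, False)):
        print(policy, detect(normal_looking, db, *policy).value)
```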
As a further explanation, the malicious code detection process further includes:
Adding the code under test that has been determined to be malicious code to the attack behavior database as new data, thereby updating the attack behavior database;
Training on the malicious code in the updated attack behavior database with the deep learning method, so as to update the attack data model.
It should be noted that this embodiment adds the code under test identified as malicious code to the attack behavior database, thereby updating the malicious code stored in the attack behavior database and in turn updating the attack data model; iterating in this way improves the accuracy of network-layer data feature extraction and the accuracy of malicious code identification.
The scheme of this embodiment is further described below, taking the detection of code under test in a power grid as an example:
As shown in Fig. 2, for an input historical data set of known attack types, data preprocessing is carried out first. This includes extracting attack vectors from the input data set and generating alarm event sequences: after the attack vector of each known attack behavior is extracted, the corresponding attack signature generation is executed, and the extracted maximum-length sequence is produced as the corresponding alarm event sequence.
Combined with the list of alarm events known to occur in the grid network, and in order to use the alarm event log set effectively, the alarm events are first classified and numbered by attack purpose. Each alarm event belongs to one alarm event type, and each alarm event type contains one or more alarm events. The alarm event category table describes the potential impact degree and scope of an alarm event; the influences of the different event categories are relatively independent, but an abnormal behavior in practice usually involves several event categories that together describe a complex behavior. In summary, according to the three stages common to multi-step attacks, alarm events can be divided into the following three types, as shown in the alarm event classification table, Table 1:
Table 1
The defense process proposed by the present invention can be divided into four stages:
(1) As shown in Fig. 3, extract the basic static and dynamic features: without running the software program on the machine, analyze the vulnerabilities that may exist in the software program; study symbolic execution analysis based on taint analysis, and improve efficiency by optimizing the static analysis technique with methods such as whitelisting, path-game optimization and removal of irrelevant states. Further, study static analysis based on the control flow graph, deepening it through control-flow analysis, data-flow analysis and pointer analysis. Static analysis and dynamic analysis are both traditional attack feature extraction methods and serve only as a reference for attack signature generation, so they are not described in detail.
(2) The extracted features, the binary code of the malicious code and the assembly code obtained by disassembly are used together as the input and submitted to the deep learning algorithm to obtain the features used for judging malicious code.
(3) Finally, according to the reliability and latency requirements of the different defenses, the corresponding service response is applied, as follows:
I) Using the advantage of deep learning in extracting attack features, the security state of the network is accurately perceived and monitored at the "point, line and surface" levels, and dynamic early warning of the network security situation is given. Analysis in the network layer is carried out by studying techniques such as multi-protocol traffic monitoring, network security factor integration middleware, and modeling of communication traffic and of communication behavior based on service logic, forming a complete traceability data generation tool that identifies anomalies in terminal communication traffic; key network security factors such as connection relationships, traffic types and access time sequences are further audited, and the occurrence of network attack threats to embedded terminals is mined by correlation.
II) After deep learning extracts the unknown attack signature, attacks are divided by longest string matching into known attacks and unknown attacks. For a system with a high security requirement but a low real-time requirement, as in Fig. 5, attack signature generation is performed again with deep learning on the physical-layer data features of both normal behavior and unknown behavior, and the attack signatures are extracted after analysis. For firmware internal code decoding and information preprocessing, in order to solve the problem that program code or data inside the terminal firmware is hard to obtain because unknown compression algorithms are used, the operating system and file format are identified from the binary code form, from which load information such as the instruction set, compile optimization options and base address is extracted; using known binary file information, a learning machine is trained to analyze the program code inside unknown embedded-terminal firmware, so that the binary system code file information of the firmware is processed automatically. The network-layer attack signature parameter values and the physical-layer attribute parameter values are then analyzed jointly to finally determine whether it is an attack.
III) When the system's security requirement is high, as in Fig. 4, and the real-time requirement of the defense is equally high, feature judgment is performed only on the physical-layer data of the behavior classified as unknown in the network layer, and the characteristic parameter values of the network layer and the physical layer are analyzed jointly; that is, after deep learning performs the signature analysis, a parameter value is compared with a threshold having a prescribed boundary to determine an attack.
IV) When the system's security requirement is low and the real-time requirement of the defense is also not high, cognitive identification is not enabled; that is, the attack type distinguished by deep learning in the network layer is used as the final attack type.
The comparison between this scheme and existing feature extraction methods is shown in Table 2:
Table 2
As shown in Table 2, the IASA, Muscle and IMuscle extraction methods and the deep-learning-based extraction method of this embodiment are compared; the four feature extraction methods are compared on the most representative longest sequence signature of the same attack type, "GET~*~~HTTP/1.1 r n*;~* nHost~* r n*;~* r nHost;~* Xff XBF* r n", and it can be found that the deep-learning-based malicious code identification method proposed in this embodiment is better than the other three extraction methods in both extraction time and extraction accuracy.
The foregoing are merely preferred embodiments of the present invention and are not intended to limit the present invention; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included in the protection scope of the present invention.
Claims (10)
1. A deep-learning-based multi-level attack feature extraction and malicious behavior identification method, characterized in that it comprises:
training on the malicious code in an attack behavior database with a deep learning method to build an attack data model of the malicious code;
processing the code under test in the network layer on the basis of the attack data model to obtain the network-layer data features of the code under test;
performing feature extraction on the code under test in the physical layer to obtain the physical-layer data features of the code under test;
combining the network-layer data features and the physical-layer data features to determine whether the code under test is malicious code.
2. The deep-learning-based malicious code behavior identification method according to claim 1, characterized in that training on the malicious code in the attack behavior database with the deep learning method to build the attack data model of the malicious code comprises:
converting the necessary attack features of the malicious code in the attack behavior database into constraints;
building the attack objective function of the malicious code according to the constraints;
solving the attack objective function with a non-linear iterative method to obtain the attack vector of the malicious code;
building the attack data model according to the attack vector of the malicious code.
3. The deep-learning-based malicious code behavior identification method according to claim 1, characterized in that processing the code under test in the network layer on the basis of the attack data model to obtain the network-layer data features of the code under test comprises:
using the malicious code behavior to be identified as the input of the attack data model to obtain the network-layer attack vector corresponding to the malicious code behavior to be identified;
using the network-layer attack vector as the input of a pre-built neural network model to obtain the network-layer data features.
4. The deep-learning-based malicious code behavior identification method according to claim 3, characterized in that the building process of the pre-built neural network model comprises:
stacking k restricted Boltzmann machines into a deep belief network, k being a positive integer;
training the data feature classification parameters of each neural unit in the first-layer restricted Boltzmann machine of the deep belief network in an unsupervised manner;
using the hidden layer of the first-layer restricted Boltzmann machine as the visible layer of the second layer to train the data feature classification parameters of each neural unit in the second-layer restricted Boltzmann machine, and so on up to the top layer, completing the training of the restricted Boltzmann machine parameters of every layer to obtain the initial parameters of the neural network model;
performing supervised training on the initial parameters using data carrying attack feature labels, determining the weight parameters of the neural units in each restricted Boltzmann machine and the connection strength between adjacent network layers, and building the neural network model.
5. The deep-learning-based malicious code behavior identification method according to claim 4, characterized in that using the network-layer attack vector as the input of the pre-built neural network model to obtain the network-layer data features comprises:
in the neural network model, traversing the suspicious code sequence in the code under test and the malicious code sequences recorded in the system, and matching each character of the two sequences to obtain a matching result;
traversing the matching result and taking the longest common subsequence as the network-layer data feature.
6. The deep-learning-based malicious code behavior identification method according to claim 1, characterized in that combining the network-layer data features and the physical-layer data features to determine whether the code under test is malicious code comprises:
comparing the network-layer data features and the physical-layer data features respectively with the features in an attack signature database, the attack signatures in the attack signature database being the features of the malicious code in the attack behavior database;
judging whether the network-layer data features match a feature in the attack signature database, and judging whether the physical-layer data features match a feature in the attack signature database;
when at least one comparison result is a match, determining whether the code under test is malicious code.
7. The deep-learning-based malicious code behavior identification method according to claim 3, characterized in that, after processing the code under test in the network layer on the basis of the attack data model to obtain the network-layer data features of the code under test, the method further comprises:
performing matching on the network-layer data features, and dividing the code under test into normal code, malicious code and unknown code according to the matching result.
8. The deep-learning-based malicious code behavior identification method according to claim 7, characterized in that performing feature extraction on the code under test in the physical layer to obtain the physical-layer data features of the code under test comprises:
when the defense level requirement is high and the defense real-time requirement is low, using a host-based attack feature extraction method to perform feature extraction on the physical-layer data of the normal code and the physical-layer data of the unknown code, obtaining the physical-layer data features of the normal code and the physical-layer data features of the unknown code respectively;
when the defense level requirement is high and the defense real-time requirement is high, using the host-based attack feature extraction method to perform feature extraction on the physical-layer data of the unknown code, obtaining the physical-layer data features of the unknown code.
9. The deep-learning-based malicious code behavior identification method according to claim 7, characterized in that it further comprises:
when the defense level requirement and the defense real-time requirement are both low, comparing the network-layer data features of the code under test with the attack signatures in the attack signature database;
when the network-layer data features of the code under test match an attack signature in the attack signature database, determining whether the code under test is malicious code.
10. The deep-learning-based malicious code behavior identification method according to any one of claims 1-9, characterized in that it further comprises:
adding the code under test that has been determined to be malicious code to the attack behavior database as new data, thereby updating the attack behavior database;
training on the malicious code in the updated attack behavior database with the deep learning method, so as to update the attack data model.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810481076.9A CN108718310B (en) | 2018-05-18 | 2018-05-18 | Deep learning-based multilevel attack feature extraction and malicious behavior identification method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108718310A true CN108718310A (en) | 2018-10-30 |
CN108718310B CN108718310B (en) | 2021-02-26 |
Family
ID=63899978
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108718310B (en) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102711099A (en) * | 2012-06-20 | 2012-10-03 | 上海电机学院 | Safety routing method and system capable of resisting interference attacks |
CN103379099A (en) * | 2012-04-19 | 2013-10-30 | 阿里巴巴集团控股有限公司 | Hostile attack identification method and system |
CN106850675A (en) * | 2017-03-10 | 2017-06-13 | 北京安赛创想科技有限公司 | A kind of determination method and device of attack |
CN107194251A (en) * | 2017-04-01 | 2017-09-22 | 中国科学院信息工程研究所 | Android platform malicious application detection method and device |
CN107392025A (en) * | 2017-08-28 | 2017-11-24 | 刘龙 | Malice Android application program detection method based on deep learning |
US20180060576A1 (en) * | 2016-08-29 | 2018-03-01 | Trend Micro Incorporated | Detecting malicious code in sections of computer files |
CN108040073A (en) * | 2018-01-23 | 2018-05-15 | 杭州电子科技大学 | Malicious attack detection method based on deep learning in information physical traffic system |
Non-Patent Citations (2)
Title |
---|
SHIFU HOU ET AL;: "Deep Neural Networks for Automatic Android Malware Detection", 《2017 IEEE/ACM INTERNATIONAL CONFERENCE ON ADVANCES IN SOCIAL NETWORKS ANALYSIS AND MINING (ASONAM)》 * |
杨晔 (Yang Ye): "Research on behavior-based malicious code detection methods", China Master's Theses Full-text Database, Information Science and Technology (monthly) * |
Cited By (37)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109508458A (en) * | 2018-10-31 | 2019-03-22 | 北京国双科技有限公司 | The recognition methods of legal entity and device |
CN109766693A (en) * | 2018-12-11 | 2019-05-17 | 四川大学 | A kind of cross-site scripting attack detection method based on deep learning |
CN109873826A (en) * | 2019-02-28 | 2019-06-11 | 中国人民解放军战略支援部队信息工程大学 | A kind of permeation pathway planning algorithm and system based on dynamical feedback |
CN109873826B (en) * | 2019-02-28 | 2022-05-27 | 中国人民解放军战略支援部队信息工程大学 | Penetration path planning method and system based on dynamic feedback |
CN110061982A (en) * | 2019-04-02 | 2019-07-26 | 广州大学 | A kind of confrontation intelligence attack safe transmission method based on intensified learning |
CN110290101A (en) * | 2019-04-15 | 2019-09-27 | 南京邮电大学 | Association attack recognition methods in smart grid environment based on depth trust network |
CN110290101B (en) * | 2019-04-15 | 2021-12-07 | 南京邮电大学 | Deep trust network-based associated attack behavior identification method in smart grid environment |
CN110390354A (en) * | 2019-07-01 | 2019-10-29 | 华北电力科学研究院有限责任公司 | The prediction technique and device of depth cyber-defence ability |
CN110390354B (en) * | 2019-07-01 | 2021-08-27 | 华北电力科学研究院有限责任公司 | Prediction method and device for defense capability of deep network |
CN111143835A (en) * | 2019-11-18 | 2020-05-12 | 深圳供电局有限公司 | Non-invasive protection method for business logic of electric power metering system based on machine learning |
CN110855683B (en) * | 2019-11-18 | 2021-08-10 | 东北电力大学 | Method for carrying out attack detection and reconstruction on electric power information physical system |
CN111143835B (en) * | 2019-11-18 | 2021-12-31 | 深圳供电局有限公司 | Non-invasive protection method for business logic of electric power metering system based on machine learning |
CN110855683A (en) * | 2019-11-18 | 2020-02-28 | 东北电力大学 | Method for carrying out attack detection and reconstruction on electric power information physical system |
CN110868421A (en) * | 2019-11-19 | 2020-03-06 | 泰康保险集团股份有限公司 | Malicious code identification method, device, equipment and storage medium |
CN113127866B (en) * | 2019-12-31 | 2023-08-18 | 奇安信科技集团股份有限公司 | Feature code extraction method and device of malicious code and computer equipment |
CN113127866A (en) * | 2019-12-31 | 2021-07-16 | 奇安信科技集团股份有限公司 | Feature code extraction method and device for malicious code and computer equipment |
CN111208731A (en) * | 2020-01-12 | 2020-05-29 | 东北电力大学 | Method for carrying out attack detection and reconstruction on electric power information physical system |
CN111208731B (en) * | 2020-01-12 | 2022-05-24 | 东北电力大学 | Method for attack detection and reconstruction of electric power information physical system |
CN113472721A (en) * | 2020-03-31 | 2021-10-01 | 华为技术有限公司 | Network attack detection method and device |
CN113496033A (en) * | 2020-04-08 | 2021-10-12 | 腾讯科技(深圳)有限公司 | Access behavior recognition method and device and storage medium |
CN111488585A (en) * | 2020-04-17 | 2020-08-04 | 北京墨云科技有限公司 | Attack vector generation method based on deep learning |
CN111797401B (en) * | 2020-07-08 | 2023-12-29 | 深信服科技股份有限公司 | Attack detection parameter acquisition method, device, equipment and readable storage medium |
CN111797401A (en) * | 2020-07-08 | 2020-10-20 | 深信服科技股份有限公司 | Attack detection parameter acquisition method, device, equipment and readable storage medium |
CN114091019A (en) * | 2020-12-03 | 2022-02-25 | 奇安信科技集团股份有限公司 | Data set construction method and device, malicious software identification method and device, and identification model construction method and device |
CN112565272A (en) * | 2020-12-09 | 2021-03-26 | 中国人民解放军国防科技大学 | Method and device for blocking minimum Steiner tree of double-layer network and computer equipment |
CN112565272B (en) * | 2020-12-09 | 2022-05-17 | 中国人民解放军国防科技大学 | Method and device for blocking minimum Steiner tree of double-layer network and computer equipment |
CN112883995A (en) * | 2020-12-30 | 2021-06-01 | 华北电力大学 | Method and device for identifying malicious behaviors of closed-source power engineering control system based on ensemble learning |
CN113141360A (en) * | 2021-04-21 | 2021-07-20 | 建信金融科技有限责任公司 | Method and device for detecting network malicious attack |
CN113141360B (en) * | 2021-04-21 | 2022-06-28 | 建信金融科技有限责任公司 | Method and device for detecting network malicious attack |
CN113596020B (en) * | 2021-07-28 | 2023-03-24 | 深圳供电局有限公司 | Smart grid false data injection attack vulnerability detection method |
CN113596020A (en) * | 2021-07-28 | 2021-11-02 | 深圳供电局有限公司 | Smart grid false data injection attack vulnerability detection method |
CN114095260A (en) * | 2021-11-22 | 2022-02-25 | 广东电网有限责任公司 | Method, device and equipment for detecting abnormal flow of power grid and computer medium |
CN114978654A (en) * | 2022-05-12 | 2022-08-30 | 北京大学 | End-to-end communication system attack defense method based on deep learning |
CN114978654B (en) * | 2022-05-12 | 2023-03-10 | 北京大学 | End-to-end communication system attack defense method based on deep learning |
CN115033895A (en) * | 2022-08-12 | 2022-09-09 | 中国电子科技集团公司第三十研究所 | Binary program supply chain safety detection method and device |
CN115580492A (en) * | 2022-12-07 | 2023-01-06 | 深圳市乙辰科技股份有限公司 | Intelligent network security protection method and system based on network equipment |
CN117336068A (en) * | 2023-10-16 | 2024-01-02 | 北京安博通科技股份有限公司 | Gateway equipment-based data message processing method, device and equipment |
Also Published As
Publication number | Publication date |
---|---|
CN108718310B (en) | 2021-02-26 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108718310A (en) | | Multi-level attack signatures generation based on deep learning and malicious act recognition methods |
Ding et al. | | Intrusion detection system for NSL-KDD dataset using convolutional neural networks |
Li et al. | | A hybrid malicious code detection method based on deep learning |
Tesfahun et al. | | Intrusion detection using random forests classifier with SMOTE and feature reduction |
Saxena et al. | | Intrusion detection in KDD99 dataset using SVM-PSO and feature reduction with information gain |
CN106973038B (en) | | Network intrusion detection method based on genetic algorithm oversampling support vector machine |
CN112491796B (en) | | Intrusion detection and semantic decision tree quantitative interpretation method based on convolutional neural network |
CN104809069A (en) | | Source node loophole detection method based on integrated neural network |
CN111901340B (en) | | Intrusion detection system and method for energy Internet |
CN111126820B (en) | | Method and system for preventing electricity stealing |
Ding et al. | | Research on intrusion detection technology based on deep learning |
CN112738092A (en) | | Log data enhancement method, classification detection method and system |
Sakr et al. | | Filter versus wrapper feature selection for network intrusion detection system |
Liu et al. | | Intrusion detection based on IDBM |
CN114374541A (en) | | Abnormal network flow detector generation method based on reinforcement learning |
CN113556319A (en) | | Intrusion detection method based on long-short term memory self-coding classifier under internet of things |
Muslihi et al. | | Detecting SQL injection on web application using deep learning techniques: a systematic literature review |
CN113269228A (en) | | Method, device and system for training graph network classification model and electronic equipment |
Nguimbous et al. | | Anomaly-based intrusion detection using auto-encoder |
Ahmad et al. | | Artificial neural network approaches to intrusion detection: a review |
CN110290101B (en) | | Deep trust network-based associated attack behavior identification method in smart grid environment |
CN116260565A (en) | | Chip electromagnetic side channel analysis method, system and storage medium |
Hai-yan et al. | | A multiple objective optimization based echo state network tree and application to intrusion detection |
CN109063721A (en) | | A kind of method and device that behavioural characteristic data are extracted |
Majeed et al. | | Propose hmnids hybrid multilevel network intrusion detection system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | GR01 | Patent grant | |