CN111314361B - Attack threat sensing method and device based on bacterial foraging algorithm - Google Patents

Attack threat sensing method and device based on bacterial foraging algorithm Download PDF

Info

Publication number
CN111314361B
Authority
CN
China
Prior art keywords
data
threat
target
network
bacteria
Prior art date
Legal status
Active
Application number
CN202010114231.0A
Other languages
Chinese (zh)
Other versions
CN111314361A (en
Inventor
吴郑霞
范渊
Current Assignee
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 3/00 Computing arrangements based on biological models
    • G06N 3/004 Artificial life, i.e. computing arrangements simulating life
    • G06N 3/006 Artificial life, i.e. computing arrangements simulating life based on simulated virtual individual or collective life forms, e.g. social simulations or particle swarm optimisation [PSO]

Abstract

The invention provides an attack threat sensing method and device based on a bacterial foraging algorithm, relating to the technical field of network security. The method comprises the following steps: acquiring traffic data of a network to be detected; determining a threat score of each network node by using the traffic data, wherein the threat score is used for representing the authority of the network node; performing iterative optimization on the network nodes based on the threat scores and a bacterial foraging algorithm to determine target data; and comparing the target data with first preset data to determine whether the traffic data is attack data. This solves the technical problem that, in the prior art, the detection efficiency of network threat attacks is low.

Description

Attack threat sensing method and device based on bacterial foraging algorithm
Technical Field
The invention relates to the technical field of network security, in particular to an attack threat sensing method and device based on a bacterial foraging algorithm.
Background
With the continuous progress of information technology in China, more and more crimes involve the field of computer information, and these crimes have an ever greater impact on the country and on individuals. Acquiring the attack method and the attack path quickly and in real time has become a key point. However, from a large amount of network threat intelligence data it is difficult to manually identify the key attack method and attack path in a short time for active defense. Therefore, under the condition of limited police strength, using advanced computer information security technology to analyze clues quickly and in real time has become a problem to be solved urgently.
No effective solution has been proposed to the above problems.
Disclosure of Invention
In view of this, the present invention aims to provide an attack threat sensing method and apparatus based on a bacterial foraging algorithm, so as to alleviate the technical problem in the prior art that the detection efficiency of the network threat attack is low.
In a first aspect, an embodiment of the present invention provides an attack threat sensing method based on a bacterial foraging algorithm, including: acquiring traffic data of a network to be detected, wherein the network to be detected comprises a plurality of network nodes, and the network nodes comprise at least one of the following: a router, a gateway and a host, and wherein the traffic data comprises at least one of the following: IP address change data, MAC address change data, port address change data and network access data; determining a threat score of each network node by using the traffic data, wherein the threat score is used for representing the authority of the network node; performing iterative optimization on the network nodes based on the threat scores and a bacterial foraging algorithm to determine target data, wherein the target data comprises an optimal threat intelligence path and the threat data corresponding to the optimal threat intelligence path, and the optimal threat intelligence path is the threat intelligence path with the maximum bacterial adaptation value; and comparing the target data with first preset data to determine whether the traffic data is attack data, wherein the attack data is traffic data used for attacking the network to be detected, and the first preset data is the optimal threat intelligence path and threat data corresponding to traffic data that does not attack the network to be detected.
Further, determining a threat score for each network node using the traffic data includes: determining the distance between each network node and the asset to be protected, and numbering each network node based on the distance; constructing a two-dimensional matrix T(I, J) using the serial numbers and the intercommunication relation between the plurality of network nodes, wherein I and J are the serial numbers of any two network nodes; and determining the threat score θ_i of each network node using the two-dimensional matrix and the traffic data, wherein i is the number of the network node.
Further, if one network node corresponds to one initial bacterium, the threat score is the initial adaptation value of that initial bacterium; performing iterative optimization on the network nodes based on the threat scores and the bacterial foraging algorithm to determine the optimal threat intelligence path and the threat data corresponding to it comprises the following steps: a chemotaxis step, performing chemotaxis processing on the initial bacteria to obtain target bacteria, and calculating a first adaptation value of the target bacteria using a first formula, wherein the first formula is θ_i(j+1, k, l) = θ_i(j, k, l) + C(i) + φ(i), where θ_i(j+1, k, l) denotes the adaptation value of the i-th initial bacterium at the (j+1)-th chemotaxis, the k-th reproduction and the l-th mutation, C(i) denotes the progression length of the initial bacterium, and φ(i) denotes the turning angle of the initial bacterium; an aggregation step, performing aggregation simulation processing on the target bacteria using the first adaptation value to obtain the adaptation value of intermediate target bacteria, wherein the intermediate target bacteria are those target bacteria whose adaptation value has not changed; a reproduction step, determining first sub-target bacteria among the intermediate target bacteria and generating second sub-target bacteria from the first sub-target bacteria, wherein the first sub-target bacteria are a preset number of bacteria with the largest adaptation value among the intermediate target bacteria, and the number of second sub-target bacteria equals the number of first sub-target bacteria; taking the first and second sub-target bacteria as the initial bacteria and their adaptation values as the initial adaptation values, and repeating the chemotaxis, aggregation and reproduction steps until the initial adaptation value is the maximum adaptation value; and determining the network node corresponding to the maximum adaptation value as the final network node, and determining the optimal threat intelligence path and the threat data corresponding to it based on the final network node.
Further, the method further comprises: and comparing the target data with second preset data to determine whether the flow data is known attack data.
Further, the method further comprises: and if the traffic data is not the known attack data, adding the target data to the second preset data.
In a second aspect, an embodiment of the present invention further provides an attack threat sensing device based on a bacterial foraging algorithm, comprising an acquisition unit, a first determination unit, an iteration unit and a second determination unit, wherein the acquisition unit is used for acquiring traffic data of a network to be detected, the network to be detected comprises a plurality of network nodes, and the network nodes comprise at least one of the following: a router, a gateway and a host, and wherein the traffic data comprises at least one of the following: IP address change data, MAC address change data, port address change data and network access data; the first determination unit is configured to determine a threat score of each network node using the traffic data, wherein the threat score is used to characterize the network node permission; the iteration unit is used for performing iterative optimization on the network nodes based on the threat scores and a bacterial foraging algorithm to determine an optimal threat intelligence path and the threat data corresponding to it, wherein the optimal threat intelligence path is the threat intelligence path with the maximum bacterial adaptation value; and the second determination unit compares the optimal threat intelligence path and the threat data with first preset data to determine whether the traffic data is attack data, wherein the attack data is traffic data used for attacking the network to be detected, and the first preset data is the optimal threat intelligence path and threat data corresponding to traffic data that does not attack the network to be detected.
Further, the first determination unit is configured to: determine the distance between each network node and the asset to be protected, and number each network node based on the distance; construct a two-dimensional matrix T(I, J) using the serial numbers and the intercommunication relation between the plurality of network nodes, wherein I and J are the serial numbers of any two network nodes; and determine the threat score θ_i of each network node using the two-dimensional matrix and the traffic data, wherein i is the number of the network node.
Further, if one network node corresponds to one initial bacterium, the threat score is the initial adaptation value of that initial bacterium; the iteration unit is configured to perform the following steps: a chemotaxis step, performing chemotaxis processing on the initial bacteria to obtain target bacteria, and calculating a first adaptation value of the target bacteria using a first formula, wherein the first formula is θ_i(j+1, k, l) = θ_i(j, k, l) + C(i) + φ(i), where θ_i(j+1, k, l) denotes the adaptation value of the i-th initial bacterium at the (j+1)-th chemotaxis, the k-th reproduction and the l-th mutation, C(i) denotes the progression length of the initial bacterium, and φ(i) denotes the turning angle of the initial bacterium; an aggregation step, performing aggregation simulation processing on the target bacteria using the first adaptation value to obtain the adaptation value of intermediate target bacteria, wherein the intermediate target bacteria are those target bacteria whose adaptation value has not changed; a reproduction step, determining first sub-target bacteria among the intermediate target bacteria and generating second sub-target bacteria from the first sub-target bacteria, wherein the first sub-target bacteria are a preset number of bacteria with the largest adaptation value among the intermediate target bacteria, and the number of second sub-target bacteria equals the number of first sub-target bacteria; taking the first and second sub-target bacteria as the initial bacteria and their adaptation values as the initial adaptation values, and repeating the chemotaxis step, the aggregation step and the reproduction step until the initial adaptation value is the maximum adaptation value; and determining the network node corresponding to the maximum adaptation value as the final network node, and determining the optimal threat intelligence path and the threat data corresponding to it based on the final network node.
In a third aspect, the present invention also provides a computer-readable medium having non-volatile program code executable by a processor, where the program code causes the processor to execute the attack threat awareness method based on the bacterial foraging algorithm of the first aspect.
In a fourth aspect, an embodiment of the present invention further provides an electronic device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor, when executing the computer program, implements the method for sensing an attack threat based on a bacterial foraging algorithm described in the first aspect.
In the embodiment of the invention, the traffic data of a network to be detected is first obtained; the threat score of each network node is determined using the traffic data, wherein the threat score is used for representing the network node permission; iterative optimization is performed on the network nodes based on the threat scores and a bacterial foraging algorithm to determine an optimal threat intelligence path and the threat data corresponding to it; and the optimal threat intelligence path and the threat data are compared with first preset data to determine whether the traffic data is attack data.
In the embodiment of the application, the traffic data on the main key network nodes such as routers, gateways and hosts is obtained; the key routing node that is attacked most frequently and the attack path through which attacks succeed are found using the foraging algorithm; and the main attack method and attack path of the threat are then mined and summarized by comparison with the first preset data obtained from normal network interaction. This solves the technical problem in the prior art that detecting network threat attacks requires manual detection, and achieves the technical effect of improving the detection efficiency of network threat attacks.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the embodiments or the prior art descriptions will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a flowchart of an attack threat sensing method based on a bacterial foraging algorithm according to an embodiment of the present invention;
fig. 2 is a flowchart of a method for calculating a threat score of a target node according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of an attack threat sensing apparatus based on a bacterial foraging algorithm according to an embodiment of the present invention;
fig. 4 is a schematic diagram of a server according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The first embodiment is as follows:
according to an embodiment of the invention, there is provided an embodiment of a method for threat awareness of attacks based on bacterial foraging algorithms, it being noted that the steps illustrated in the flowchart of the figures may be performed in a computer system, such as a set of computer-executable instructions, and that while a logical order is illustrated in the flowchart, in some cases the steps illustrated or described may be performed in an order different than here.
Fig. 1 is a flow chart of an attack threat awareness method based on a bacterial foraging algorithm, as shown in fig. 1, including the steps of:
step S102, obtaining flow data of a network to be detected, wherein the network to be detected comprises a plurality of network nodes, and the network nodes comprise at least one of the following: the router, the gateway and the host, wherein the traffic data comprises at least one of the following: IP address change data, MAC address change data, port address change data and network access data;
Specifically, hard-probe data and soft-probe data are collected on the main key network nodes such as each router, gateway and host; as messages flow between the network nodes, the traffic information of each node can be parsed according to the HTTP and TCP network protocols, and then analyzed and stored, thereby obtaining the traffic data.
In addition, it should be noted that after the traffic data is acquired it may be cleansed to remove unnecessary redundant data, for example repeated connection accesses, ping connectivity data, ordinary direct route-access attempts and the like; this improves the efficiency of analyzing the traffic data and ensures its accuracy.
Step S104, determining threat scores of the network nodes by using the flow data, wherein the threat scores are used for representing the network node authority;
step S106, performing iterative optimization on the network node based on the threat score and bacterial foraging algorithm to determine an optimal threat information path and threat data corresponding to the optimal threat information path, wherein the optimal threat path is a threat information path with the maximum bacterial adaptation value;
step S108, comparing the optimal threat intelligence path and the threat data with first preset data to determine whether the flow data is attack data or not, wherein the attack data is flow data used for attacking the network to be detected, and the first preset data is the optimal threat intelligence path and the threat data corresponding to the flow data which does not attack the network to be detected.
In the embodiment of the application, the traffic data on the main key network nodes such as routers, gateways and hosts is obtained; the key routing node that is attacked most frequently and the attack path through which attacks succeed are found using the foraging algorithm; and the main attack method and attack path of the threat are then mined and summarized by comparison with the first preset data obtained from normal network interaction. This solves the technical problem in the prior art that detecting network threat attacks requires manual detection, and achieves the technical effect of improving the detection efficiency of network threat attacks.
In the embodiment of the present invention, as shown in fig. 2, step S104 further includes the following steps:
step S11, determining the distance between each network node and the asset to be protected, and numbering each network node based on the distance;
step S12, constructing a two-dimensional matrix T (I, J) by utilizing the serial number and the intercommunication relation between the plurality of network nodes, wherein I and J are serial numbers of any two network nodes;
step S13, determining the threat score θ_i of each network node using the two-dimensional matrix and the traffic data, wherein i is the number of the network node.
In the embodiment of the present invention, the main key network nodes such as routers, gateways and hosts that participate in network data transmission across the entire network to be detected are first numbered: they are ordered by their distance to the protected network asset and numbered 1, 2, …, N, and whether any two of them are directly intercommunicated is recorded in the two-dimensional matrix T(I, J). For example, if node 1 and node 3 are directly intercommunicated, the element T(1, 3) of the matrix is 1.
Each of the main key network nodes (routers, gateways, hosts) is scored according to the degree of threat information contained in the transmissions it carries. Operations with a higher threat coefficient, for example direct database access or directly obtaining the highest system authority, yield a higher threat score; operations with a lower threat coefficient, for example forwarding unencrypted information or SQL injection test attacks, yield a lower threat score. These scores are recorded as θ_i and taken as the initial adaptation values, where i is the number of the network node and one network node corresponds to one bacterium.
In this embodiment of the present invention, step S106 further includes the following steps:
step S21, a chemotaxis step: performing chemotaxis processing on the initial bacteria to obtain target bacteria, and calculating a first adaptation value of the target bacteria using a first formula, wherein the first formula is θ_i(j+1, k, l) = θ_i(j, k, l) + C(i) + φ(i), where θ_i(j+1, k, l) denotes the adaptation value of the i-th initial bacterium at the (j+1)-th chemotaxis, the k-th reproduction and the l-th mutation, C(i) denotes the progression length of the initial bacterium, and φ(i) denotes the turning angle of the initial bacterium;
step S22, an aggregation step, in which the first adaptive value is used to perform aggregation simulation treatment on the target bacteria to obtain an adaptive value of intermediate target bacteria, wherein the intermediate target bacteria are bacteria of which the adaptive value does not change in the target bacteria;
step S23, a reproduction step, namely determining a first sub-target bacterium in the intermediate target bacteria and generating a second sub-target bacterium according to the first sub-target bacterium, wherein the first sub-target bacterium is a preset number of bacteria with the maximum adaptation value in the intermediate target bacteria, and the number of the first sub-target bacterium is equal to that of the second sub-target bacterium;
step S24, determining the first and second sub-target bacteria as the initial bacteria, and determining the adaptation value of the first and second sub-target bacteria as the initial adaptation value, and repeating the chemotaxis step, the aggregation step, and the propagation step until the initial adaptation value is a maximum adaptation value;
step S25, determining the network node corresponding to the maximum adaptive value as a final network node, and determining the optimal threat intelligence path and the threat data corresponding to the optimal threat intelligence path based on the final network node.
In the embodiment of the invention, the bacterial foraging algorithm mainly comprises the following steps: chemotaxis, aggregation, reproduction and optimal path generation.
The chemotaxis step simulates the movement of a cell: chemotaxis processing is performed on the initial bacteria to obtain the target bacteria, and a first adaptation value of the target bacteria is calculated using a first formula, wherein the first formula is θ_i(j+1, k, l) = θ_i(j, k, l) + C(i) + φ(i), where θ_i(j+1, k, l) denotes the adaptation value of the i-th initial bacterium at the (j+1)-th chemotaxis, the k-th reproduction and the l-th mutation, C(i) denotes the progression length of the initial bacterium, and φ(i) denotes the turning angle of the initial bacterium.
It should be noted that:
Figure BDA0002390646710000101
where n_i denotes the number of neighbor nodes of the i-th initial bacterium, m_i denotes the number of nodes with chemotactic intention among the neighbor nodes of the i-th initial bacterium, and θ_m denotes the adaptation value of the m-th initial bacterium with chemotactic intention at another node.
Figure BDA0002390646710000102
Where φ (i) is the inverse cosine value of the initial bacteria, since the bacteria want to approach the place most suitable for itself, the maximum value of the cosine values needs to be selected.
Aggregation simulates bacteria gathering into a group; its main function is to correct the adaptation values of the bacteria and, through the forces between bacteria, to accelerate the gathering of the bacterial group. The aggregation simulation specifically comprises two processes, self-replication and cell engulfment: after a bacterium completes one replication, it is checked whether its adaptation value has changed; if the adaptation value has improved, the bacterium continues to move several steps in the same direction, and this cycle repeats until the adaptation value no longer improves or a set threshold on the number of moving steps is reached. Through the turning cosine value φ(i) the maximum turning direction is obtained, and the initial bacterium θ_i is then duplicated: one copy keeps its own adaptation value and the other is given the direction of movement, i.e. θ_n.
The reproduction step mainly simulates the reproduction of bacteria and the selection of individuals: all bacteria are sorted by adaptation value, the poorer half is removed and replaced by copies of the better half, so that the total number of bacteria remains unchanged. Through this process, valid attack data values are obtained over a number of iterations. Specifically, the adaptation values of all nodes are sorted; bacteria with lower adaptation values are eliminated and their adaptation values cleared directly; the healthier half of the bacteria is retained and the same number of sub-bacteria is generated, with the previous progression length C(i) of the sub-bacteria reduced by 10% so as to improve the search precision.
Finally, the chemotaxis step, the aggregation step and the reproduction step are repeated to obtain the path with the minimum energy consumption and the highest adaptation value as the optimal threat intelligence path. In this way the frequently evolving threat intelligence path information is cleaned, the key path of the threat intelligence (namely the optimal threat intelligence path) is finally obtained, and the attack technique of the threat intelligence can be obtained by analyzing the threat data corresponding to the optimal threat intelligence path.
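The node numbering, T(I, J) construction and threat scoring of steps S11 to S13, followed by the chemotaxis, aggregation and reproduction loop of steps S21 to S25, as an added Python example that is not part of the patent. Because the page does not give the concrete forms of C(i) and φ(i) (its formula images are missing here), the example assumes a fixed progression length C(i) and takes φ(i) as the largest score gain toward a neighbouring node; the topology, traffic records and threat weights are constructed for the illustration.

```python
"""Added worked example (not the patent's code) for steps S11-S13 and S21-S25. Assumed, since the
page does not give them: the forms of C(i) (fixed progression length, 10% smaller for offspring)
and phi(i) (largest score gain toward a neighbour), the threat weights, and the constructed
sample topology and traffic records."""
from dataclasses import dataclass, field
# Constructed sample topology: node -> directly intercommunicated neighbours; host-db is the asset.
SAMPLE_LINKS = {"gw-edge": ["rtr-core"], "rtr-core": ["gw-edge", "host-web", "host-db"],
                "host-web": ["rtr-core", "host-db"], "host-db": ["rtr-core", "host-web"]}
PROTECTED_ASSET = "host-db"
# Assumed weights in the page's ordering: direct DB access and highest privilege are high-threat
# operations, unencrypted forwarding and SQL injection probes are low, normal access is zero.
THREAT_WEIGHT = {"direct_db_access": 8.0, "highest_privilege_obtained": 9.0,
                 "sql_injection_probe": 3.0, "forward_unencrypted": 2.0, "normal_access": 0.0}
# Constructed traffic records: (node, operation observed in its traffic data).
SAMPLE_TRAFFIC = [("gw-edge", "normal_access"), ("rtr-core", "forward_unencrypted"),
                  ("host-web", "sql_injection_probe"), ("host-web", "normal_access"),
                  ("host-db", "direct_db_access"), ("host-db", "highest_privilege_obtained")]

def number_nodes(links, asset):
    """Step S11: number nodes 1..N by increasing hop distance (BFS) to the protected asset."""
    dist, frontier = {asset: 0}, [asset]
    while frontier:
        nxt = []
        for n in frontier:
            for nb in links[n]:
                if nb not in dist:
                    dist[nb] = dist[n] + 1
                    nxt.append(nb)
        frontier = nxt
    ordered = sorted(links, key=lambda n: (dist.get(n, len(links)), n))  # unreachable last
    return {n: i + 1 for i, n in enumerate(ordered)}

def build_T(links, numbering):
    """Step S12: T(I, J) = 1 when nodes I and J are directly intercommunicated (1-indexed)."""
    T = [[0] * (len(numbering) + 1) for _ in range(len(numbering) + 1)]
    for a, nbs in links.items():
        for b in nbs:
            T[numbering[a]][numbering[b]] = T[numbering[b]][numbering[a]] = 1
    return T

def threat_scores(traffic, numbering):
    """Step S13: theta_i is the summed threat weight of the operations seen at node i."""
    theta = {i: 0.0 for i in numbering.values()}
    for node, op in traffic:
        theta[numbering[node]] += THREAT_WEIGHT[op]
    return theta

@dataclass
class Bacterium:
    node: int
    fitness: float      # theta_i(j, k, l), the adaptation value
    step: float         # C(i), the progression length
    path: list = field(default_factory=list)   # nodes visited so far

def chemotaxis(b, T, theta):
    """Step S21, first formula theta_i(j+1,k,l) = theta_i(j,k,l) + C(i) + phi(i). Assumed: intent
    nodes (m_i) are neighbours scoring above the current fitness; phi(i) is the largest gain."""
    intent = [m for m in range(1, len(T)) if T[b.node][m] and theta[m] > b.fitness]
    if not intent:
        return False    # adaptation value unchanged: an intermediate target bacterium
    target = max(intent, key=lambda m: theta[m])
    phi = theta[target] - b.fitness
    b.fitness = b.fitness + b.step + phi
    b.node = target
    b.path.append(target)
    return True

def reproduction(pop):
    """Step S23: drop the weaker half, clone the fitter half with C(i) reduced by 10%.
    Equal fitness is broken toward the longer path (assumption: the more complete path)."""
    pop.sort(key=lambda b: (b.fitness, len(b.path)), reverse=True)
    keep = pop[: max(1, len(pop) // 2)]
    return keep + [Bacterium(b.node, b.fitness, b.step * 0.9, list(b.path)) for b in keep]

def bacterial_foraging(T, theta, step=1.0, max_rounds=20, max_moves=5):
    """Steps S22, S24, S25: one bacterium per node seeded with theta_i; each round a bacterium
    keeps moving while its value improves (aggregation, capped at max_moves), then reproduction
    runs; stop once the best value no longer improves. Returns (final node, path, fitness)."""
    pop = [Bacterium(i, theta[i], step, [i]) for i in theta]
    best = max(b.fitness for b in pop)
    for _ in range(max_rounds):
        for b in pop:
            for _ in range(max_moves):
                if not chemotaxis(b, T, theta):
                    break
        pop = reproduction(pop)
        new_best = max(b.fitness for b in pop)
        if new_best <= best:
            break
        best = new_best
    win = max(pop, key=lambda b: (b.fitness, len(b.path)))
    return win.node, win.path, win.fitness

def run_example():
    numbering = number_nodes(SAMPLE_LINKS, PROTECTED_ASSET)
    T = build_T(SAMPLE_LINKS, numbering)
    node, path, fit = bacterial_foraging(T, threat_scores(SAMPLE_TRAFFIC, numbering))
    names = {i: n for n, i in numbering.items()}
    return names[node], [names[i] for i in path], fit
```

On the constructed sample every bacterium converges on the database host, and the longest route that reached it (gateway, core router, database) is reported as the threat intelligence path, with the nodes on it pointing at the traffic data to analyze next.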
In an embodiment of the present invention, the method further includes the steps of:
step S110, comparing the optimal threat intelligence path and the threat data with second preset data to determine whether the traffic data is known attack data;
Step S112, if the traffic data is not the known attack data, adding the optimal threat intelligence path and the threat data to the second preset data.
In the embodiment of the invention, after the optimal threat intelligence path and the threat data are obtained, they are compared with the threat intelligence paths and threat data stored in the existing system. If the optimal threat intelligence path and threat data already exist there for significant network asset data, it can be concluded that the traffic data is likely a known type of attack data. By checking each new item of traffic data against the threat intelligence paths and threat data stored in the existing system, the traffic path and access mode of the new traffic data can be analyzed to judge whether it is a threat attack, thereby protecting the security of the user's assets.
Example two:
The invention further provides an embodiment of an attack threat sensing device based on the bacterial foraging algorithm. The device is used for executing the attack threat sensing method based on the bacterial foraging algorithm provided by the embodiment of the invention, and is described in detail below.
As shown in fig. 3, the attack threat sensing apparatus based on bacterial foraging algorithm includes: an acquisition unit 10, a first determination unit 20, an iteration unit 30 and a second determination unit 40.
The acquiring unit 10 is configured to acquire traffic data of a network to be detected, where the network to be detected includes a plurality of network nodes, and the network nodes include at least one of the following: the router, the gateway and the host, wherein the traffic data comprises at least one of the following: IP address change data, MAC address change data, port address change data and network access data;
the first determining unit 20 is configured to determine a threat score of each network node by using the traffic data, where the threat score is used to characterize the network node permission;
the iteration unit 30 is configured to perform iterative optimization on the network node based on the threat score and a bacterial foraging algorithm, and determine an optimal threat information path and threat data corresponding to the optimal threat information path, where the optimal threat path is a threat information path with a maximum bacterial adaptation value;
the second determining unit 40 compares the optimal threat intelligence path and the threat data with first preset data to determine whether the traffic data is attack data, where the attack data is traffic data used for attacking the network to be detected, and the first preset data is the optimal threat intelligence path and the threat data corresponding to the traffic data that does not attack the network to be detected.
In the embodiment of the application, the flow data on the main key network nodes such as the routers, the gateways, the hosts and the like are obtained, the network key routing node which attacks most frequently and the attack path which attacks successfully are found out by using the foraging algorithm, and then the main attack method and the attack path which threaten the attack are mined and summarized by comparing the flow data with the first preset data in normal network interaction, so that the technical problem that manual detection is needed when the network threat attack is detected in the prior art is solved, and the technical effect of improving the detection efficiency of the network threat attack is realized.
Preferably, the first determination unit is configured to: determine the distance between each network node and the asset to be protected, and number each network node based on that distance; construct a two-dimensional matrix $T(I,J)$ from the numbers and the intercommunication relation between the plurality of network nodes, where $I$ and $J$ are the numbers of any two network nodes; and determine the threat score $\theta_i$ of each network node by using the two-dimensional matrix and the traffic data, where $i$ is the number of the network node.
Preferably, one network node corresponds to one initial bacterium and the threat score is the initial fitness value of the initial bacterium; the iteration unit is configured to execute the following steps: an aggregation step, performing aggregation simulation processing on the target bacteria by using the first fitness value to obtain the fitness value of intermediate target bacteria, where the intermediate target bacteria are those target bacteria whose fitness value is unchanged; a propagation step, determining first sub-target bacteria among the intermediate target bacteria and generating second sub-target bacteria from the first sub-target bacteria, where the first sub-target bacteria are a preset number of the intermediate target bacteria with the maximum fitness value, and the number of the second sub-target bacteria is equal to the number of the first sub-target bacteria; taking the first and second sub-target bacteria as the initial bacteria and their fitness values as the initial fitness values, and repeating the chemotaxis, aggregation and propagation steps until the initial fitness value is the maximum fitness value; and determining the network node corresponding to the maximum fitness value as the final network node, and determining the optimal threat intelligence path and the threat data corresponding to it based on the final network node.
Preferably, the device further includes: a comparison unit, configured to compare the optimal threat intelligence path and the threat data with second preset data to determine whether the traffic data is known attack data.
Preferably, the device further includes: an execution unit, configured to add the optimal threat intelligence path and the threat data to the second preset data if the traffic data is not known attack data.
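The units above and steps S110 and S112 of the first embodiment carried through in code, as an added example that is not the patent's own implementation: the network, the traffic counters and the preset data are constructed, and the threat-score formula, the tumble angle phi(i) and the way the path is read off the final node are assumptions the text leaves open.

```python
# Added example, not the patent's code; the formulas it leaves open are assumptions.
import random
from collections import deque

# Constructed sample network (node -> neighbours) and per-node traffic data
# (IP changes, MAC changes, port changes, accesses).
NETWORK = {"asset": ["host1", "host2"], "host1": ["asset", "gateway"],
           "host2": ["asset", "gateway"], "gateway": ["host1", "host2", "router"],
           "router": ["gateway", "edge"], "edge": ["router"]}
TRAFFIC = {"host1": (0, 0, 1, 40), "host2": (0, 0, 0, 35), "gateway": (1, 0, 2, 90),
           "router": (4, 2, 9, 300), "edge": (1, 0, 3, 120)}

def bfs(network, start):
    """Breadth-first search; returns (hop distance, predecessor) per reachable node."""
    dist, prev, queue = {start: 0}, {start: None}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in network[cur]:
            if nxt not in dist:
                dist[nxt], prev[nxt] = dist[cur] + 1, cur
                queue.append(nxt)
    return dist, prev

def node_matrix(network, asset):
    """Number nodes by distance from the asset to be protected and build T(I, J)."""
    dist, _ = bfs(network, asset)
    numbering = {n: i for i, n in enumerate(sorted(dist, key=lambda n: (dist[n], n)))}
    t = [[0] * len(numbering) for _ in numbering]   # T(I, J) = 1 if I and J intercommunicate
    for a, neighbours in network.items():
        for b in neighbours:
            t[numbering[a]][numbering[b]] = 1
    return numbering, dist, t

def threat_scores(numbering, dist, matrix, traffic):
    """Assumed theta_i (the text gives no formula): churn x connectivity, discounted by distance."""
    scores = {}
    for node, (ip, mac, port, accesses) in traffic.items():
        degree = sum(matrix[numbering[node]])           # row sum of T = connectivity
        scores[node] = (3 * ip + 3 * mac + port + accesses / 100) * degree / (1 + dist[node])
    return scores

def foraging_search(scores, step=0.2, keep=2, rounds=10, seed=1):
    """One bacterium per node (initial fitness = threat score); returns (node, max fitness)."""
    rng = random.Random(seed)
    bacteria = list(scores.items())
    best = max(bacteria, key=lambda b: b[1])
    for _ in range(rounds):
        # Chemotaxis: theta_i(j+1,k,l) = theta_i(j,k,l) + C(i) + phi(i); the tumble
        # angle phi(i) is assumed to be drawn from {-C, 0, +C}.
        moved = [(n, f + (step + rng.choice((-step, 0.0, step)))) for n, f in bacteria]
        # Aggregation: keep bacteria whose fitness is unchanged (assumed fallback: all of them).
        stable = [m for m, b in zip(moved, bacteria) if m[1] == b[1]] or moved
        # Reproduction: the `keep` fittest are cloned into an equal number of offspring.
        parents = sorted(stable, key=lambda b: b[1], reverse=True)[:keep]
        bacteria = parents + parents
        round_best = max(bacteria, key=lambda b: b[1])
        if round_best[1] <= best[1]:  # fitness no longer improves: maximum reached
            break
        best = round_best
    return best

def threat_path(network, final_node, asset):
    """Assumed read-off of the optimal threat path: shortest route from final node to asset."""
    _, prev = bfs(network, final_node)
    path, cur = [], asset
    while cur is not None:
        path.append(cur)
        cur = prev[cur]
    return tuple(reversed(path))

def classify(path, threat_data, baseline, known_attacks):
    """First preset data = non-attack baseline; second = known attacks, extended per S112."""
    record = (path, threat_data)
    if record in baseline:
        return "normal"
    if record in known_attacks:
        return "known attack"
    known_attacks.add(record)
    return "new attack"

def sense(network, traffic, asset, baseline, known_attacks):
    """End-to-end run of the method on one set of traffic data."""
    numbering, dist, matrix = node_matrix(network, asset)
    final_node, _ = foraging_search(threat_scores(numbering, dist, matrix, traffic))
    path = threat_path(network, final_node, asset)
    threat_data = tuple(traffic[n] for n in path if n != asset)
    return path, threat_data, classify(path, threat_data, baseline, known_attacks)
```

With the constructed values the router's score (15.0) dominates every other node by more than the fitness drift ten chemotaxis rounds can add, so the search returns the router regardless of the seed.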
The computer-readable medium provided by the embodiment of the present invention carries non-volatile program code executable by a processor, and the program code causes the processor to execute the web page dark chain detection method based on the text topic described in the first embodiment.
Example three:
The electronic device provided by the embodiment of the invention includes a memory, a processor and a computer program that is stored in the memory and can run on the processor, where the processor implements the web page dark chain detection method based on the text topic described in the first embodiment when executing the computer program.
Referring to fig. 4, an embodiment of the present invention further provides a server 100, including: a processor 60, a memory 61, a bus 62 and a communication interface 63, wherein the processor 60, the communication interface 63 and the memory 61 are connected through the bus 62; the processor 60 is arranged to execute executable modules, such as computer programs, stored in the memory 61.
The memory 61 may include a high-speed random access memory (RAM) and may also include non-volatile memory, such as at least one disk memory. The communication connection between a network element of this system and at least one other network element is realized through at least one communication interface 63 (which may be wired or wireless), over the Internet, a wide area network, a local network, a metropolitan area network or the like.
The bus 62 may be an ISA bus, PCI bus, EISA bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one double-headed arrow is shown in FIG. 4, but this does not indicate only one bus or one type of bus.
The memory 61 is used for storing a program, the processor 60 executes the program after receiving an execution instruction, and the method executed by the apparatus defined by the flow process disclosed in any of the foregoing embodiments of the present invention may be applied to the processor 60, or implemented by the processor 60.
The processor 60 may be an integrated circuit chip with signal processing capability. In implementation, the steps of the above method may be completed by hardware integrated logic circuits in the processor 60 or by instructions in the form of software. The processor 60 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP) and the like; it may also be a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or discrete hardware components. The methods, steps and logic blocks disclosed in the embodiments of the present invention may be implemented or executed by it. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor. The steps of the method disclosed in connection with the embodiments of the present invention may be executed directly by a hardware decoding processor, or by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium well known in the art, such as RAM, flash memory, ROM, PROM, EPROM or registers. The storage medium is located in the memory 61, and the processor 60 reads the information in the memory 61 and, in combination with its hardware, performs the steps of the above method.
In addition, in the description of the embodiments of the present invention, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, e.g., as meaning either a fixed connection, a removable connection, or an integral connection; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood in specific cases to those skilled in the art.
In the description of the present invention, it should be noted that the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc., indicate orientations or positional relationships based on those shown in the drawings, and are only for convenience of description and simplicity of description, but do not indicate or imply that the device or element referred to must have a specific orientation, be constructed in a specific orientation, and be operated, and thus, should not be construed as limiting the present invention. Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus, and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical functional division, and there may be other divisions when the actual implementation is performed, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not performed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may also be distributed on multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
Finally, it should be noted that the above embodiments are only specific embodiments of the present invention, used to illustrate its technical solutions and not to limit them, and the protection scope of the present invention is not limited thereto. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that any person skilled in the art can, within the technical scope disclosed herein, modify the technical solutions described in the foregoing embodiments or replace some of their technical features with equivalents; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present invention and should be construed as being included therein. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (8)

1. An attack threat perception method based on a bacterial foraging algorithm, characterized by comprising the following steps:
acquiring traffic data of a network to be detected, wherein the network to be detected comprises a plurality of network nodes, and the network nodes comprise at least one of the following: a router, a gateway and a host, and wherein the traffic data comprises at least one of the following: IP address change data, MAC address change data, port address change data and network access data;
determining a threat score of each network node by using the traffic data, wherein the threat score is used for representing the authority of the network node;
performing iterative optimization on the network nodes based on the threat score and a bacterial foraging algorithm to determine target data, wherein the target data comprises at least one of the following: an optimal threat intelligence path and threat data corresponding to the optimal threat intelligence path, wherein the optimal threat intelligence path is the threat intelligence path with the maximum bacterial fitness value;
comparing the target data with first preset data to determine whether the traffic data is attack data, wherein the attack data is traffic data used for attacking the network to be detected, and the first preset data is the optimal threat intelligence path and threat data corresponding to traffic data which does not attack the network to be detected;
wherein determining a threat score of each network node by using the traffic data comprises:
determining the distance between each network node and the asset to be protected, and numbering each network node based on the distance;
constructing a two-dimensional matrix $T(I,J)$ by utilizing the numbers and the intercommunication relation between the plurality of network nodes, wherein $I$ and $J$ are the numbers of any two network nodes;
determining the threat score $\theta_i$ of each network node by using the two-dimensional matrix and the traffic data, wherein $i$ is the number of the network node.
2. The method of claim 1, wherein one network node corresponds to one initial bacterium, and the threat score is the initial fitness value of the initial bacterium;
performing iterative optimization on the network nodes based on the threat score and the bacterial foraging algorithm to determine target data comprises the following steps:
a chemotaxis step, performing chemotaxis processing on the initial bacteria to obtain target bacteria, and calculating a first fitness value of the target bacteria by using a first formula, wherein the first formula is $\theta_i(j+1,k,l)=\theta_i(j,k,l)+C(i)+\phi(i)$, $\theta_i(j+1,k,l)$ represents the fitness value of the $i$-th initial bacterium at the $(j+1)$-th chemotaxis, the $k$-th reproduction and the $l$-th mutation, $C(i)$ represents the advancing length of the initial bacterium, and $\phi(i)$ represents the overturning angle of the initial bacterium;
an aggregation step, performing aggregation simulation processing on the target bacteria by using the first fitness value to obtain the fitness value of intermediate target bacteria, wherein the intermediate target bacteria are those target bacteria whose fitness value is unchanged;
a propagation step, determining first sub-target bacteria among the intermediate target bacteria and generating second sub-target bacteria from the first sub-target bacteria, wherein the first sub-target bacteria are a preset number of the intermediate target bacteria with the maximum fitness value, and the number of the first sub-target bacteria is equal to the number of the second sub-target bacteria;
taking the first and second sub-target bacteria as the initial bacteria and the fitness values of the first and second sub-target bacteria as the initial fitness values, and repeating the chemotaxis step, the aggregation step and the propagation step until the initial fitness value is the maximum fitness value;
and determining the network node corresponding to the maximum fitness value as the final network node, and determining the target data based on the final network node.
3. The method of claim 1, further comprising:
and comparing the target data with second preset data to determine whether the traffic data is known attack data.
4. The method of claim 3, further comprising:
and if the traffic data is not the known attack data, adding the target data to the second preset data.
5. An attack threat sensing device based on a bacterial foraging algorithm, comprising: an acquisition unit, a first determination unit, an iteration unit and a second determination unit, wherein
the acquisition unit is configured to acquire traffic data of a network to be detected, where the network to be detected includes a plurality of network nodes, and the network nodes include at least one of the following: a router, a gateway and a host, and where the traffic data includes at least one of the following: IP address change data, MAC address change data, port address change data and network access data;
the first determination unit is configured to determine a threat score of each network node by using the traffic data, where the threat score is used to characterize the authority of the network node;
the iteration unit is configured to perform iterative optimization on the network nodes based on the threat score and the bacterial foraging algorithm to determine target data, where the target data includes at least one of the following: an optimal threat intelligence path and threat data corresponding to the optimal threat intelligence path, where the optimal threat intelligence path is the threat intelligence path with the maximum bacterial fitness value;
the second determination unit is configured to compare the target data with first preset data to determine whether the traffic data is attack data, where the attack data is traffic data used for attacking the network to be detected, and the first preset data is the optimal threat intelligence path and threat data corresponding to traffic data which does not attack the network to be detected;
wherein the first determination unit is configured to:
determine the distance between each network node and the asset to be protected, and number each network node based on the distance;
construct a two-dimensional matrix $T(I,J)$ by utilizing the numbers and the intercommunication relation between the plurality of network nodes, where $I$ and $J$ are the numbers of any two network nodes;
determine the threat score $\theta_i$ of each network node by using the two-dimensional matrix and the traffic data, where $i$ is the number of the network node.
6. The device of claim 5, wherein one network node corresponds to one initial bacterium, and the threat score is the initial fitness value of the initial bacterium; the iteration unit is configured to execute the following steps:
a chemotaxis step, performing chemotaxis processing on the initial bacteria to obtain target bacteria, and calculating a first fitness value of the target bacteria by using a first formula, wherein the first formula is $\theta_i(j+1,k,l)=\theta_i(j,k,l)+C(i)+\phi(i)$, $\theta_i(j+1,k,l)$ represents the fitness value of the $i$-th initial bacterium at the $(j+1)$-th chemotaxis, the $k$-th reproduction and the $l$-th mutation, $C(i)$ represents the advancing length of the initial bacterium, and $\phi(i)$ represents the overturning angle of the initial bacterium;
an aggregation step, performing aggregation simulation processing on the target bacteria by using the first fitness value to obtain the fitness value of intermediate target bacteria, wherein the intermediate target bacteria are those target bacteria whose fitness value is unchanged;
a propagation step, determining first sub-target bacteria among the intermediate target bacteria and generating second sub-target bacteria from the first sub-target bacteria, wherein the first sub-target bacteria are a preset number of the intermediate target bacteria with the maximum fitness value, and the number of the first sub-target bacteria is equal to the number of the second sub-target bacteria;
taking the first and second sub-target bacteria as the initial bacteria and the fitness values of the first and second sub-target bacteria as the initial fitness values, and repeating the chemotaxis step, the aggregation step and the propagation step until the initial fitness value is the maximum fitness value;
and determining the network node corresponding to the maximum fitness value as the final network node, and determining the target data based on the final network node.
7. A computer-readable medium carrying processor-executable non-volatile program code, wherein the program code causes the processor to perform the attack threat perception method based on a bacterial foraging algorithm of any one of claims 1 to 4.
8. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the attack threat perception method based on a bacterial foraging algorithm of any one of claims 1 to 4.
CN202010114231.0A 2020-02-24 2020-02-24 Attack threat sensing method and device based on bacterial foraging algorithm Active CN111314361B (en)


Publications (2)

Publication Number Publication Date
CN111314361A CN111314361A (en) 2020-06-19
CN111314361B true CN111314361B (en) 2022-09-23


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant