CN112311813B - Network attack identification method and device - Google Patents

Info

Publication number
CN112311813B
Authority
CN
China
Prior art keywords
rate
iteration
difference analysis
network attack
network
Legal status
Active
Application number
CN202011322942.3A
Other languages
Chinese (zh)
Other versions
CN112311813A (en)
Inventor
王智明
徐雷
陶冶
Current Assignee
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks


Abstract

The invention provides a network attack identification method and a network attack identification device. The method comprises the following steps: receiving a network attack identification requirement sent by a cloud service or a local cluster server; acquiring network traffic data of the cloud service or local cluster server in real time based on the network attack identification requirement, wherein the network traffic data comprises source IP addresses and network behaviors; and carrying out difference analysis on the network traffic data to obtain a final network attack difference analysis and identification scheme, which is used for identifying suspicious network behaviors and suspicious source IP addresses in the network traffic data. The method and the device address the problems that the traditional network attack identification mode adopted in the prior art cannot keep up with the increasing upgrading and variation of network attacks, and has high response delay and a high misjudgment rate.

Description

Network attack identification method and device
Technical Field
The present invention relates to the field of network communication technologies, and in particular, to a method and an apparatus for identifying a network attack.
Background
With the rapid development of artificial intelligence, the conventional network attack recognition mode adopted at present cannot adapt to the increasing upgrading and variation of network attacks, and problems such as high response delay and a high misjudgment rate are becoming increasingly prominent.
Therefore, it is an urgent problem to be solved by those skilled in the art to provide a network attack identification method.
Disclosure of Invention
The technical problem to be solved by the present invention is to provide a method and an apparatus for identifying a network attack that address the above-mentioned deficiencies in the prior art, namely that the traditional network attack identification mode cannot adapt to the increasing upgrading and variation of network attacks, and has high response delay and a high misjudgment rate.
In a first aspect, an embodiment of the present invention provides a method for identifying a network attack, including:
receiving a network attack identification requirement sent by a cloud service or a local cluster server;
acquiring network traffic data of a cloud service or a local cluster server in real time based on the network attack identification requirement, wherein the network traffic data comprises a source IP address and network behaviors;
and carrying out difference analysis on the network flow data to obtain a final network attack difference analysis and identification scheme, wherein the network attack difference analysis and identification scheme is used for identifying suspicious network behaviors and suspicious source IP addresses in the network flow data.
Preferably, the performing the difference analysis on the network traffic data includes:
S1: setting an iteration initial parameter and a maximum iteration number;
S2: performing difference analysis on the network traffic data based on the misjudgment rate, the response delay rate and the accuracy to obtain a network attack difference analysis and identification scheme with the optimal matching degree;
S3: performing a discrete two-dimensional Fourier transform on the network attack difference analysis and identification scheme with the optimal matching degree;
S4: judging whether the network attack difference analysis and identification scheme with the optimal matching degree after the discrete two-dimensional Fourier transform meets a preset evaluation condition, and if so, going to step S7; if not, going to step S5;
S5: carrying out deep unsupervised learning on the misjudgment rate, the response delay rate and the accuracy rate;
S6: adding 1 to the iteration number, judging whether the current iteration number is smaller than the maximum iteration number, if so, returning to execute step S2, and if not, executing step S7;
S7: outputting the network attack difference analysis and identification scheme with the optimal matching degree as the final network attack difference analysis and identification scheme.
Preferably, the misjudgment rate is the ratio of the amount of differing traffic per unit time that is not detected to the total amount of traffic difference analysis detections per unit time; the response delay rate is the ratio of the time per unit time that traffic detection occupies invalidly to the total unit time; and the correct rate is the ratio of the amount of differing traffic successfully detected per unit time to the total amount of differing traffic per unit time.
Preferably, in the step of performing difference analysis on the network traffic data based on the misjudgment rate, the response delay rate and the accuracy rate to obtain the network attack difference analysis and identification scheme with the optimal matching degree, the network attack difference analysis and identification scheme with the optimal matching degree is obtained according to the following calculation formula:
Figure BDA0002793481680000021
where k is the number of iterations; i, j and t are dimensions; m, n and p are the maximum values of i, j and t respectively;
Figure BDA0002793481680000022
is the accuracy at the kth iteration;
Figure BDA0002793481680000023
is the response delay rate at the kth iteration;
Figure BDA0002793481680000024
is the misjudgment rate at the kth iteration; C_kmax is the maximum accuracy at the kth iteration; E_kmin is the minimum response delay rate at the kth iteration; W_kmin is the minimum misjudgment rate at the kth iteration.
Preferably, the network attack difference analysis and identification scheme with the optimal matching degree is subjected to discrete two-dimensional fourier transform, specifically, the transform is performed according to the following formula:
Figure BDA0002793481680000031
where
Figure BDA0002793481680000032
is the signal after the discrete two-dimensional Fourier transform at the kth iteration; k is the number of iterations; i, j and t are dimensions; m, n and p are the maximum values of i, j and t respectively;
Figure BDA0002793481680000033
is the accuracy at the kth iteration;
Figure BDA0002793481680000034
is the response delay rate at the kth iteration;
Figure BDA0002793481680000035
is the misjudgment rate at the kth iteration.
Preferably, the judging whether the network attack difference analysis and identification scheme with the optimal matching degree after the discrete two-dimensional fourier transform meets a preset evaluation condition is specifically performed according to the following formula:
Figure BDA0002793481680000036
where k is the number of iterations; i, j and t are dimensions; m, n and p are the maximum values of i, j and t respectively;
Figure BDA0002793481680000037
is the accuracy at the kth iteration;
Figure BDA0002793481680000038
is the response delay rate at the kth iteration;
Figure BDA0002793481680000039
is the misjudgment rate at the kth iteration; P is the probability.
Preferably, the deep unsupervised learning is performed on the misjudgment rate, the response delay rate and the accuracy rate, specifically, the deep unsupervised learning is performed according to the following formula:
Figure BDA00027934816800000310
Figure BDA00027934816800000311
where M_ijt^(k+1) mainly comprises an information vector with the three components
Figure BDA00027934816800000312
of which
Figure BDA00027934816800000313
is the correct rate at the (k+1)th iteration,
Figure BDA00027934816800000314
is the response delay rate at the (k+1)th iteration, and
Figure BDA00027934816800000315
is the misjudgment rate at the (k+1)th iteration; phi is an adjusting parameter; k is the number of iterations; i, j and t are dimensions; B_ijt^(k+1) is the deep unsupervised learning enhancement factor at the (k+1)th iteration;
where the deep unsupervised learning enhancement factor B_ijt^(k+1) is obtained according to the following formula:
Figure BDA0002793481680000041
where C_kmax is the maximum accuracy at the kth iteration; E_kmin is the minimum response delay rate at the kth iteration; W_kmin is the minimum misjudgment rate at the kth iteration.
In a second aspect, an embodiment of the present invention provides an apparatus for identifying a network attack, including:
the demand receiving module is used for receiving network attack identification demands sent by cloud services or local cluster servers;
the data acquisition module is connected with the requirement receiving module and used for acquiring network traffic data of a cloud service or a local cluster server in real time based on the network attack identification requirement, wherein the network traffic data comprises a source IP address and network behaviors;
and the difference analysis module is connected with the data acquisition module and used for carrying out difference analysis on the network traffic data to obtain a final network attack difference analysis and identification scheme, and the network attack difference analysis and identification scheme is used for identifying suspicious network behaviors and suspicious source IP addresses in the network traffic data.
Preferably, the difference analysis module comprises:
the setting unit is used for setting iteration initial parameters and the maximum iteration times;
the difference analysis unit is used for carrying out difference analysis on the network traffic data based on the misjudgment rate, the response delay rate and the accuracy rate to obtain a network attack difference analysis and identification scheme with the optimal matching degree;
the Fourier transform unit is used for carrying out discrete two-dimensional Fourier transform on the network attack difference analysis and identification scheme with the optimal matching degree;
the evaluation judging unit is used for judging whether the network attack difference analysis and identification scheme with the optimal matching degree after discrete two-dimensional Fourier transform meets preset evaluation conditions;
the learning unit is used for carrying out deep unsupervised learning on the misjudgment rate, the response delay rate and the accuracy rate;
the iteration judging unit is used for adding 1 to the iteration times and judging whether the current iteration times are smaller than the maximum iteration times or not;
and the output unit is used for outputting the network attack difference analysis and identification scheme with the optimal matching degree as a final network attack difference analysis and identification scheme.
Preferably, the misjudgment rate is the ratio of the amount of differing traffic per unit time that is not detected to the total amount of traffic difference analysis detections per unit time; the response delay rate is the ratio of the time per unit time that traffic detection occupies invalidly to the total unit time; and the correct rate is the ratio of the amount of differing traffic successfully detected per unit time to the total amount of differing traffic per unit time.
According to the network attack identification method and device provided by the embodiment of the invention, a network attack identification requirement sent by a cloud service or a local cluster server is received; network traffic data of the cloud service or local cluster server is acquired in real time based on the network attack identification requirement, and difference analysis is carried out on the network traffic data, so that a final network attack difference analysis and identification scheme with low response delay, a low misjudgment rate and a high accuracy rate can be obtained; suspicious network behaviors and suspicious source IP addresses in the network traffic data can then be identified according to this final scheme, so that a subsequent system can block network traffic from the suspicious source IP addresses in a targeted manner. This solves the problems that the traditional network attack identification mode adopted in the prior art cannot adapt to the increasing upgrading and variation of network attacks, and has high response delay and a high misjudgment rate.
Drawings
FIG. 1: scene diagram for identifying a network attack according to the invention;
FIG. 2: flow chart of the network attack identification method of the invention;
FIG. 3: structure diagram of the multilayer convolutional neuron network in the embodiment of the invention;
FIG. 4: storage model of the embodiment of the invention;
FIG. 5: structure diagram of the network attack identification device of the invention.
Detailed Description
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the embodiments with reference to the attached drawings.
In order to make the technical solutions of the present application better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only some embodiments of the present application, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the scene diagram described in the embodiment of the present application is for more clearly illustrating the technical solution of the embodiment of the present application, and does not constitute a limitation to the technical solution provided in the embodiment of the present application, and as a person of ordinary skill in the art knows, with the evolution of a network architecture and the occurrence of a new service scenario, the technical solution provided in the embodiment of the present application is also applicable to similar technical problems.
As shown in fig. 1, a scene diagram for identifying a network attack provided in the embodiment of the present application is shown, where each part is described as follows:
1) An intelligent network attack difference analysis and detection system, comprising input, analysis and output. The input is the network traffic data, which mainly implements the input of attacker traffic data; the network traffic data comprises at least source IP addresses and network behaviors. The analysis mainly implements the classification analysis of attacker traffic or network behavior. The output comprises suspicious and non-suspicious behaviors and/or suspicious and non-suspicious source IP addresses; it mainly implements statistical reporting of the attacker's suspicious behaviors and/or suspicious source IP addresses, which are reported to a security expert operations team for subsequent rating and other related work;
2) A local cluster server, comprising servers and the like, which implements local services and sends network attack identification requirements to the intelligent network attack difference analysis and detection system;
3) A cloud service, comprising various cloud services and the like, which implements local services as cloud services and sends network attack identification requirements to the intelligent network attack difference analysis and detection system;
4) Internal and external attackers, i.e. the internal and external attackers who carry out internal and external attacks.
In the scenario shown in fig. 1, the following process flows are included:
1, 2 and 3. An external attacker can establish a covert channel with a local server through the cloud service or directly, and carries out malicious network attacks such as message tampering, forgery, denial of service, traffic analysis and eavesdropping against the cloud service and the local cluster server, which generates network attack identification requirements;
4. An internal attacker can directly establish a covert channel with a local server, and carries out malicious network attacks such as social engineering, message tampering, forgery, denial of service, traffic analysis and eavesdropping against the cloud service and the local cluster server;
5 and 6. The intelligent network attack difference analysis and detection system is positioned in the middle of the network; it receives the network attack identification requirements sent by the cloud service or the local cluster server, and monitors and analyzes network traffic in real time;
7. The intelligent network attack difference analysis and detection system reports its preliminary identification to the security team, and the security team returns its verification and auxiliary analysis results to the system;
8. The intelligent network attack difference analysis and detection system intercepts and blocks network attacks at the solid circular points; the solid circular points in the figure above are the interception and blocking points.
Based on the scenario diagram shown in fig. 1, the following describes an embodiment related to network attack identification according to the present application. Referring to fig. 2, which is a flowchart of a method for identifying a network attack according to an embodiment of the present invention, as shown in fig. 2, the method includes the following steps:
step S102, receiving a network attack identification requirement sent by a cloud service or a local cluster server.
In this embodiment, when an internal or external attacker carries out malicious network attacks such as message tampering, forgery, denial of service, traffic analysis or eavesdropping against a cloud service or local cluster server, a network attack identification requirement is generated: the cloud service or local cluster server can automatically generate the network attack identification requirement when it preliminarily judges that a network attack may exist, and send it to the intelligent network attack difference analysis and detection system.
Step S104, acquiring network traffic data of the cloud service or the local cluster server in real time based on the network attack identification requirement, wherein the network traffic data comprises source IP addresses and network behaviors.
In this embodiment, the intelligent network attack difference analysis and detection system may monitor and acquire network traffic connected to or entering the cloud service or the local cluster server in real time, and the cloud service or the local cluster server may also periodically and actively report the network attack identification requirement and the network traffic data, so that the intelligent network attack difference analysis and detection system analyzes the network traffic data.
And step S106, carrying out difference analysis on the network traffic data to obtain a final network attack difference analysis and identification scheme, wherein the network attack difference analysis and identification scheme is used for identifying suspicious network behaviors and suspicious source IP addresses in the network traffic data.
In this embodiment, after the intelligent network attack difference analysis and detection system obtains the network traffic data, it carries out difference analysis on the network traffic data, so as to obtain a final network attack difference analysis and identification scheme with low response delay, a low misjudgment rate and high accuracy. The scheme is used to identify suspicious network behaviors in the network traffic data and the suspicious source IP addresses corresponding to them; an example of suspicious network behavior is frequent use of delete or modify commands.
In this embodiment, the intelligent network attack difference analysis and detection system may receive network attack identification requirements sent by a plurality of cloud services or local cluster servers. The network attack identification requirements may be stored in a sparse matrix; they are independent of each other and do not interfere with each other. The difference analysis is based on a deep analysis model: when a network attack identification requirement reaches the deep analysis model, it is analyzed into a corresponding deep analysis result. If an incoming network attack identification requirement is delayed, it is given a higher analysis scheduling priority.
In this embodiment, the difference analysis is carried out on the network traffic data. The strategy of multilayer convolutional neurons, difference analysis, deep unsupervised learning and the like in each iteration is that, in a 1, 2, ..., h multidimensional space, a plurality of deep analysis schemes migrate, according to the strategy modes of multilayer convolutional neurons, difference analysis and deep unsupervised learning, in the direction determined by the optimized network attack difference analysis and identification scheme. Based on these strategy principles, network attack identification requirements are input as requests, and the corresponding network attack difference analysis and identification schemes are output after multilayer convolutional neuron, difference analysis and deep unsupervised learning analysis. As shown in fig. 3, the inputs of the multilayer convolutional neuron network comprise: a misjudgment rate W (= amount of differing traffic per unit time that is not detected / total amount of traffic difference analysis detections per unit time), a response delay rate E (= amount of time per unit time that traffic detection occupies invalidly / total unit time), and a correct rate C (= amount of differing traffic detected per unit time / total amount of differing traffic per unit time). The output quantities comprise the network attack difference analysis and identification scheme.
Optionally, performing a difference analysis on the network traffic data may include:
S1: setting an iteration initial parameter and a maximum iteration number;
S2: performing difference analysis on the network traffic data based on the misjudgment rate, the response delay rate and the accuracy to obtain a network attack difference analysis and identification scheme with the optimal matching degree;
S3: performing a discrete two-dimensional Fourier transform on the network attack difference analysis and identification scheme with the optimal matching degree;
S4: judging whether the network attack difference analysis and identification scheme with the optimal matching degree after the discrete two-dimensional Fourier transform meets a preset evaluation condition, and if so, going to step S7; if not, going to step S5;
S5: carrying out deep unsupervised learning on the misjudgment rate, the response delay rate and the accuracy rate;
S6: adding 1 to the iteration number, judging whether the current iteration number is smaller than the maximum iteration number, if so, returning to execute step S2, and if not, executing step S7;
S7: outputting the network attack difference analysis and identification scheme with the optimal matching degree as the final network attack difference analysis and identification scheme.
In this embodiment, the misjudgment rate, the response delay rate, and the accuracy rate may be preset by the intelligent network attack difference analysis and detection system in advance, and are continuously optimized through deep unsupervised learning, and then a better network attack difference analysis and identification scheme with low response delay, low misjudgment rate, and high accuracy rate is obtained through the continuously optimized misjudgment rate, response delay rate, and accuracy rate.
In this embodiment, the discrete two-dimensional fourier transform is performed on the network attack difference analysis and identification scheme with the optimal matching degree, so that data in various formats can be unified, and analysis and processing are facilitated.
In this embodiment, when the network attack difference analysis and identification scheme with the optimal matching degree does not satisfy the preset evaluation condition after the discrete two-dimensional Fourier transform, the scheme is further iteratively optimized. Meanwhile, in order to avoid unbounded iterative optimization, the maximum iteration number can be set to 45-55, preferably 50; when the iteration number reaches 50, the scheme is deemed by default to meet the preset evaluation condition. Finally, the network attack difference analysis and identification scheme with the optimal matching degree that either meets the evaluation condition or is reached at the maximum iteration number is selected as the final network attack difference analysis and identification scheme.
In this embodiment, as shown in fig. 4, each of the network attack difference analysis and identification schemes with the optimal matching degree may be stored in a form of a three-dimensional vector, where each three-dimensional coordinate at least includes a false positive rate, a response delay rate, and a correct rate, the false positive rate is a ratio of an undetected amount of differentiated flow within a unit time to a total amount of flow difference analysis and detection within the unit time, the response delay rate is a ratio of an amount of invalid occupied time for flow detection within the unit time to the total amount of the unit time, and the correct rate is a ratio of a work amount of differential flow detection within the unit time to the total amount of differentiated flow within the unit time.
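The iteration loop of steps S1 to S7 above (the same procedure as in the summary of the first aspect), as an added Python example that is not the patent's own code. The three rates follow the definitions the text gives and each scheme is stored as the (W, E, C) three-vector of fig. 4; the matching-degree score, the evaluation condition and the S5 update rule are stand-ins I assume, since the patent's own formulas are in figures this page does not reproduce, and the S3 Fourier step is omitted for the same reason; the candidate schemes, thresholds and phi = 0.5 are constructed sample values.

```python
"""Steps S1-S7 of the patent's iteration loop over (W, E, C) schemes.

Added example, not the patent's code. The rates use the definitions the
text gives; matching_score, meets_evaluation and learn_step are ASSUMED
stand-ins for formulas the page only shows as figures. The S3 discrete
2-D Fourier transform is omitted for the same reason.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Scheme:
    """One candidate scheme, stored as the three-vector of fig. 4."""
    w: float  # misjudgment rate W
    e: float  # response delay rate E
    c: float  # correct rate C


def rates_from_counts(undetected: int, detections: int,
                      invalid_time: float, total_time: float,
                      successes: int, total_diff: int) -> Scheme:
    """Compute W, E and C from per-unit-time counters as the text defines them."""
    w = undetected / detections if detections else 0.0    # missed / all detections
    e = invalid_time / total_time if total_time else 0.0  # wasted time / unit time
    c = successes / total_diff if total_diff else 0.0     # hits / all differing traffic
    return Scheme(w, e, c)


def matching_score(s: Scheme) -> float:
    """ASSUMED matching degree: reward C, penalise E and W (higher is better)."""
    return s.c - s.e - s.w


def meets_evaluation(s: Scheme, w_max: float, e_max: float, c_min: float) -> bool:
    """ASSUMED preset evaluation condition: every rate inside its bound."""
    return s.w <= w_max and s.e <= e_max and s.c >= c_min


def learn_step(schemes: List[Scheme], phi: float) -> List[Scheme]:
    """ASSUMED stand-in for S5: pull each scheme a fraction phi towards the
    best value seen per dimension (C_kmax, E_kmin, W_kmin), the quantities the
    text names in its enhancement factor; phi is the adjusting parameter."""
    c_max = max(s.c for s in schemes)
    e_min = min(s.e for s in schemes)
    w_min = min(s.w for s in schemes)
    return [Scheme(w=s.w - phi * (s.w - w_min),
                   e=s.e - phi * (s.e - e_min),
                   c=s.c + phi * (c_max - s.c)) for s in schemes]


def select_final_scheme(schemes: List[Scheme], w_max: float, e_max: float,
                        c_min: float, phi: float = 0.5,
                        max_iter: int = 50) -> Tuple[Scheme, int, bool]:
    """Run S1-S7. Returns (final scheme, iterations used, condition met?).

    max_iter defaults to the text's preferred cap of 50; when it is reached the
    best current scheme is output by default, as the text describes."""
    k = 0                                                # S1: initial parameters
    current = list(schemes)
    while True:
        best = max(current, key=matching_score)          # S2: best matching degree
        if meets_evaluation(best, w_max, e_max, c_min):  # S4 (S3 omitted here)
            return best, k, True                         # S7: output final scheme
        current = learn_step(current, phi)               # S5: learning update
        k += 1                                           # S6: k = k + 1
        if k >= max_iter:                                # not < max: go to S7
            return max(current, key=matching_score), k, False


if __name__ == "__main__":
    # Constructed sample: one unit-time counter set and three candidate schemes.
    print(rates_from_counts(3, 60, 5.0, 100.0, 57, 60))
    candidates = [Scheme(0.10, 0.30, 0.90), Scheme(0.02, 0.20, 0.70),
                  Scheme(0.15, 0.05, 0.60)]
    final, used, ok = select_final_scheme(candidates, 0.05, 0.10, 0.85)
    print(final, used, ok)
```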
Optionally, in the step of performing difference analysis on the network traffic data based on the misjudgment rate, the response delay rate, and the accuracy to obtain the network attack difference analysis and identification scheme with the optimal matching degree, the network attack difference analysis and identification scheme with the optimal matching degree may be obtained according to the following calculation formula:
Figure BDA0002793481680000101
where k is the number of iterations; i, j and t are dimensions; m, n and p are the maximum values of i, j and t respectively;
Figure BDA0002793481680000102
is the accuracy at the kth iteration;
Figure BDA0002793481680000103
is the response delay rate at the kth iteration;
Figure BDA0002793481680000104
is the misjudgment rate at the kth iteration; C_kmax is the maximum accuracy at the kth iteration; E_kmin is the minimum response delay rate at the kth iteration; W_kmin is the minimum misjudgment rate at the kth iteration.
Optionally, discrete two-dimensional fourier transform is performed on the network attack difference analysis and identification scheme with the optimal matching degree, and specifically, the discrete two-dimensional fourier transform may be performed according to the following formula:
Figure BDA0002793481680000105
where
Figure BDA0002793481680000106
is the signal obtained by discrete two-dimensional Fourier transform at the k-th iteration; k is the number of iterations; i, j and t are dimensions; m, n and p are the maximum dimension values of i, j and t respectively;
Figure BDA0002793481680000107
is the correct rate at the k-th iteration;
Figure BDA0002793481680000108
is the response delay rate at the k-th iteration;
Figure BDA0002793481680000109
is the misjudgment rate at the k-th iteration.
Optionally, whether the network attack difference analysis and identification scheme with the optimal matching degree after the discrete two-dimensional fourier transform meets a preset evaluation condition is judged, and specifically, the judgment can be performed according to the following formula:
Figure BDA0002793481680000111
where k is the number of iterations; i, j and t are dimensions; m, n and p are the maximum dimension values of i, j and t respectively;
Figure BDA0002793481680000112
is the correct rate at the k-th iteration;
Figure BDA0002793481680000113
is the response delay rate at the k-th iteration;
Figure BDA0002793481680000114
is the misjudgment rate at the k-th iteration; p is the probability.
Optionally, deep unsupervised learning is performed on the false positive rate, the response delay rate, and the accuracy rate, and specifically, the deep unsupervised learning may be performed according to the following formula:
Figure BDA0002793481680000115
Figure BDA0002793481680000116
where M_ijt^(k+1) mainly comprises the three aspects of the information vector
Figure BDA0002793481680000117
in which
Figure BDA0002793481680000118
is the correct rate at the (k+1)-th iteration;
Figure BDA0002793481680000119
is the response delay rate at the (k+1)-th iteration;
Figure BDA00027934816800001110
is the misjudgment rate at the (k+1)-th iteration; φ is an adjustment parameter; k is the number of iterations; i, j and t are dimensions; B_ijt^(k+1) is the deep unsupervised learning enhancement factor at the (k+1)-th iteration;
where the deep unsupervised learning enhancement factor B_ijt^(k+1) is obtained according to the following formula:
Figure BDA00027934816800001111
where C_kmax is the maximum correct rate at the k-th iteration; E_kmin is the minimum response delay rate at the k-th iteration; W_kmin is the minimum misjudgment rate at the k-th iteration.
In the network attack identification method provided by this embodiment, a network attack identification requirement sent by a cloud service or a local cluster server is received; network traffic data of the cloud service or local cluster server is acquired in real time based on that requirement, and difference analysis is performed on the network traffic data, so that a final network attack difference analysis and identification scheme with low response delay, a low misjudgment rate and a high correct rate is obtained; suspicious network behaviors and suspicious source IP addresses in the network traffic data can then be identified according to the final scheme, so that a subsequent system can block network traffic from the suspicious source IP addresses in a targeted manner. The method addresses the problems that the traditional network attack identification mode of the prior art cannot keep pace with the growing upgrading and variation of network attacks, and has high response delay and a high misjudgment rate.
As shown in fig. 5, this embodiment further provides an apparatus for identifying a cyber attack, including:
the requirement receiving module 21 is configured to receive a network attack identification requirement sent by a cloud service or a local cluster server;
the data acquisition module 22 is connected to the requirement receiving module 21, and is configured to acquire network traffic data of a cloud service or a local cluster server in real time based on the network attack identification requirement, where the network traffic data includes a source IP address and a network behavior;
a difference analysis module 23 connected to the data acquisition module 22, configured to perform difference analysis on the network traffic data to obtain a final network attack difference analysis and identification scheme, where the network attack difference analysis and identification scheme is used to identify a suspicious network behavior and a suspicious source IP address in the network traffic data.
Optionally, the difference analysis module 22 may include:
the setting unit is used for setting iteration initial parameters and the maximum iteration times;
the difference analysis unit is used for carrying out difference analysis on the network traffic data based on the misjudgment rate, the response delay rate and the accuracy rate to obtain a network attack difference analysis and identification scheme with the optimal matching degree;
the Fourier transform unit is used for carrying out discrete two-dimensional Fourier transform on the network attack difference analysis and identification scheme with the optimal matching degree;
the evaluation judging unit is used for judging whether the network attack difference analysis and identification scheme with the optimal matching degree after discrete two-dimensional Fourier transform meets preset evaluation conditions;
the learning unit is used for carrying out deep unsupervised learning on the misjudgment rate, the response delay rate and the accuracy rate;
the iteration judging unit is used for adding 1 to the iteration times and judging whether the current iteration times are smaller than the maximum iteration times;
and the output unit is used for outputting the network attack difference analysis and identification scheme with the optimal matching degree as a final network attack difference analysis and identification scheme.
Optionally, the misjudgment rate is the ratio of the amount of differentiated flow left undetected within a unit time to the total amount of flow submitted to difference analysis and detection within that unit time; the response delay rate is the ratio of the time invalidly occupied by flow detection within a unit time to the total unit time; and the correct rate is the ratio of the amount of differentiated flow successfully detected within a unit time to the total amount of differentiated flow within that unit time.
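The three rates defined above, and the iterate-until-accepted-or-exhausted control flow implemented by the setting, difference analysis, evaluation, learning, iteration-judging and output units, are shown below as an added example. It is not code from the patent or its assignee. Because the patent's formulas are only available as figure images, the matching-degree score, the evaluation threshold and the candidate generator that stands in for the traffic-derived schemes are assumptions, labelled as such in the code; the maximum-iteration guard uses the preferred value of 50 from the description.

```python
# Added example (not code from the patent): the three per-window rates the
# text defines, stored as the three-dimensional vector of a scheme, driving
# the S1-S7 iteration loop with its maximum-iteration guard. The matching-degree
# score, the evaluation threshold and the candidate generator are stand-ins
# (assumptions), because the patent's formulas are present only as images.
from dataclasses import dataclass
from typing import Callable, Iterable, Tuple

MAX_ITERATIONS = 50  # patent: 45-55 iterations, preferably 50


@dataclass(frozen=True)
class WindowCounts:
    """Raw counts for one unit-time window (constructed in the demo below)."""
    differentiated_total: int   # total differentiated (anomalous) flow in the window
    detected: int               # differentiated flow the detector caught
    undetected: int             # differentiated flow the detector missed
    analysed_total: int         # total flow submitted to difference analysis
    window_seconds: float       # the unit time
    invalid_seconds: float      # detection time that produced no usable result


@dataclass(frozen=True)
class RateVector:
    """The three-dimensional vector stored per candidate scheme (fig. 4)."""
    misjudgment_rate: float
    response_delay_rate: float
    correct_rate: float


def rates_from_counts(c: WindowCounts) -> RateVector:
    """Compute the three rates as the text defines them, rejecting bad counts."""
    if c.analysed_total <= 0 or c.differentiated_total <= 0 or c.window_seconds <= 0:
        raise ValueError("denominators must be positive")
    if c.detected + c.undetected != c.differentiated_total:
        raise ValueError("detected + undetected must equal differentiated_total")
    v = RateVector(
        # undetected differentiated flow / total flow difference-analysed
        misjudgment_rate=c.undetected / c.analysed_total,
        # invalidly occupied detection time / total unit time
        response_delay_rate=c.invalid_seconds / c.window_seconds,
        # detected differentiated flow / total differentiated flow
        correct_rate=c.detected / c.differentiated_total,
    )
    for r in (v.misjudgment_rate, v.response_delay_rate, v.correct_rate):
        if not 0.0 <= r <= 1.0:
            raise ValueError("a rate left the [0, 1] range; check the counts")
    return v


def matching_degree(v: RateVector) -> float:
    """Stand-in score (assumption, not the patent's formula): higher when the
    correct rate is high and the other two rates are low."""
    return v.correct_rate - v.response_delay_rate - v.misjudgment_rate


def meets_evaluation_condition(v: RateVector, threshold: float) -> bool:
    """Stand-in for the preset evaluation condition (assumption)."""
    return matching_degree(v) >= threshold


def run_difference_analysis(
    candidates: Callable[[int], Iterable[RateVector]],
    threshold: float,
    max_iterations: int = MAX_ITERATIONS,
) -> Tuple[RateVector, int, str]:
    """Control flow of steps S1-S7. `candidates(k)` yields the candidate schemes
    of iteration k; in the patent they come from the traffic data and are refined
    by the S5 learning step, so the generator here is a stand-in for S2 and S5."""
    k = 0                                                # S1: initial parameters
    while True:
        best = max(candidates(k), key=matching_degree)   # S2: optimal matching degree
        # S3 (discrete two-dimensional Fourier transform of the scheme) is not
        # reproduced: its formula is not available in the page text.
        if meets_evaluation_condition(best, threshold):  # S4: accepted -> S7
            return best, k, "evaluation condition met"
        k += 1                                           # S6: count the iteration
        if not k < max_iterations:                       # S6: exhausted -> S7
            return best, k, "maximum iterations reached"


def constructed_candidates(k: int) -> Iterable[RateVector]:
    """Constructed sample data: one window per iteration in which the detector
    improves by a fixed step each round, standing in for the S5 learning step."""
    detected = min(100, 60 + 2 * k)
    yield rates_from_counts(WindowCounts(
        differentiated_total=100,
        detected=detected,
        undetected=100 - detected,
        analysed_total=1000,
        window_seconds=60.0,
        invalid_seconds=max(0.0, 12.0 - 0.6 * k),
    ))


if __name__ == "__main__":
    scheme, rounds, reason = run_difference_analysis(constructed_candidates, threshold=0.8)
    print(rounds, reason, scheme)
```

With the constructed data the loop accepts the scheme at iteration 14; raising the threshold beyond any reachable score makes it stop at the 50-iteration guard and output the last best scheme by default, which is the behaviour the description attributes to reaching the maximum iteration count.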
Optionally, the difference analysis unit is specifically configured to perform difference analysis on the network traffic data based on the misjudgment rate, the response delay rate, and the accuracy according to the following calculation formula to obtain a network attack difference analysis and identification scheme with an optimal matching degree:
Figure BDA0002793481680000131
where k is the number of iterations; i, j and t are dimensions; m, n and p are the maximum dimension values of i, j and t respectively;
Figure BDA0002793481680000132
is the correct rate at the k-th iteration;
Figure BDA0002793481680000133
is the response delay rate at the k-th iteration;
Figure BDA0002793481680000134
is the misjudgment rate at the k-th iteration; C_kmax is the maximum correct rate at the k-th iteration; E_kmin is the minimum response delay rate at the k-th iteration; W_kmin is the minimum misjudgment rate at the k-th iteration.
Optionally, the fourier transform unit is specifically configured to perform discrete two-dimensional fourier transform on the network attack difference analysis and identification scheme with the optimal matching degree according to the following formula:
Figure BDA0002793481680000135
where
Figure BDA0002793481680000136
is the signal obtained by discrete two-dimensional Fourier transform at the k-th iteration; k is the number of iterations; i, j and t are dimensions; m, n and p are the maximum dimension values of i, j and t respectively;
Figure BDA0002793481680000137
is the correct rate at the k-th iteration;
Figure BDA0002793481680000138
is the response delay rate at the k-th iteration;
Figure BDA0002793481680000139
is the misjudgment rate at the k-th iteration.
Optionally, the evaluation and determination unit is specifically configured to determine whether the network attack difference analysis and identification scheme with the optimal matching degree after performing the discrete two-dimensional fourier transform satisfies a preset evaluation condition according to the following formula:
Figure BDA0002793481680000141
where k is the number of iterations; i, j and t are dimensions; m, n and p are the maximum dimension values of i, j and t respectively;
Figure BDA0002793481680000142
is the correct rate at the k-th iteration;
Figure BDA0002793481680000143
is the response delay rate at the k-th iteration;
Figure BDA0002793481680000144
is the misjudgment rate at the k-th iteration; p is the probability.
Optionally, the learning unit is specifically configured to perform deep unsupervised learning on the false positive rate, the response delay rate, and the correct rate according to the following formulas:
Figure BDA0002793481680000145
Figure BDA0002793481680000146
where M_ijt^(k+1) mainly comprises the three aspects of the information vector
Figure BDA0002793481680000147
in which
Figure BDA0002793481680000148
is the correct rate at the (k+1)-th iteration;
Figure BDA0002793481680000149
is the response delay rate at the (k+1)-th iteration;
Figure BDA00027934816800001410
is the misjudgment rate at the (k+1)-th iteration; φ is an adjustment parameter; k is the number of iterations; i, j and t are dimensions; B_ijt^(k+1) is the deep unsupervised learning enhancement factor at the (k+1)-th iteration;
where the deep unsupervised learning enhancement factor B_ijt^(k+1) is obtained according to the following formula:
Figure BDA00027934816800001411
where C_kmax is the maximum correct rate at the k-th iteration; E_kmin is the minimum response delay rate at the k-th iteration; W_kmin is the minimum misjudgment rate at the k-th iteration.
The network attack identification device provided by this embodiment of the invention receives a network attack identification requirement sent by a cloud service or a local cluster server; acquires network traffic data of the cloud service or local cluster server in real time based on that requirement, and performs difference analysis on the network traffic data, so that a final network attack difference analysis and identification scheme with low response delay, a low misjudgment rate and a high correct rate is obtained; suspicious network behaviors and suspicious source IP addresses in the network traffic data can then be identified according to the final scheme, so that a subsequent system can block network traffic from the suspicious source IP addresses in a targeted manner. The device addresses the problems that the traditional network attack identification mode of the prior art cannot keep pace with the growing upgrading and variation of network attacks, and has high response delay and a high misjudgment rate.
It will be understood that the above embodiments are merely exemplary embodiments adopted to illustrate the principles of the present invention, and the present invention is not limited thereto. It will be apparent to those skilled in the art that various modifications and improvements can be made without departing from the spirit and substance of the invention, and these modifications and improvements are also considered to be within the scope of the invention.

Claims (5)

1. A network attack recognition method is characterized by comprising the following steps:
receiving a network attack identification requirement sent by a cloud service or a local cluster server;
acquiring network traffic data of a cloud service or a local cluster server in real time based on the network attack identification requirement, wherein the network traffic data comprises a source IP address and network behaviors;
performing difference analysis on the network traffic data to obtain a final network attack difference analysis and identification scheme, wherein the network attack difference analysis and identification scheme is used for identifying suspicious network behaviors and suspicious source IP addresses in the network traffic data;
the performing a difference analysis on the network traffic data includes:
s1: setting an iteration initial parameter and a maximum iteration number;
s2: performing difference analysis on the network traffic data based on the misjudgment rate, the response delay rate and the accuracy to obtain a network attack difference analysis and identification scheme with the optimal matching degree;
s3: performing discrete two-dimensional Fourier transform on the network attack difference analysis and identification scheme with the optimal matching degree;
s4: judging whether the network attack difference analysis and identification scheme with the optimal matching degree after the discrete two-dimensional Fourier transform meets a preset evaluation condition, and if so, turning to the step S7; if not, go to step S5;
s5: deep unsupervised learning is carried out on the misjudgment rate, the response delay rate and the accuracy rate;
s6: adding 1 to the iteration times, judging whether the current iteration times are smaller than the maximum iteration times, if so, returning to execute the step S2, and if not, executing the step S7;
s7: outputting the network attack difference analysis and identification scheme with the optimal matching degree as a final network attack difference analysis and identification scheme;
the misjudgment rate is the ratio of the amount which has different flow rates but is not detected in unit time to the total amount of flow rate difference analysis and detection in unit time, the response delay rate is the ratio of the amount of time occupied by ineffective flow rate detection in unit time to the total amount in unit time, and the correct rate is the ratio of the amount of work of different flow rate detection in unit time to the total amount of different flow rates in unit time;
in the step of performing difference analysis on the network traffic data based on the misjudgment rate, the response delay rate and the accuracy rate to obtain the network attack difference analysis and identification scheme with the optimal matching degree, the network attack difference analysis and identification scheme with the optimal matching degree is obtained according to the following calculation formula:
Figure FDA0003867336760000021
where k is the number of iterations; i, j and t are dimensions; m, n and p are the maximum dimension values of i, j and t respectively;
Figure FDA0003867336760000022
is the correct rate at the k-th iteration;
Figure FDA0003867336760000023
is the response delay rate at the k-th iteration;
Figure FDA0003867336760000024
is the misjudgment rate at the k-th iteration; C_kmax is the maximum correct rate at the k-th iteration; E_kmin is the minimum response delay rate at the k-th iteration; W_kmin is the minimum misjudgment rate at the k-th iteration.
2. The method according to claim 1, wherein the network attack difference analysis and identification scheme with the optimal matching degree is subjected to discrete two-dimensional fourier transform, specifically according to the following formula:
Figure FDA0003867336760000025
where
Figure FDA0003867336760000026
is the signal obtained by discrete two-dimensional Fourier transform at the k-th iteration; k is the number of iterations; i, j and t are dimensions; m, n and p are the maximum dimension values of i, j and t respectively;
Figure FDA0003867336760000027
is the correct rate at the k-th iteration;
Figure FDA0003867336760000028
is the response delay rate at the k-th iteration;
Figure FDA0003867336760000029
is the misjudgment rate at the k-th iteration.
3. The method for identifying the cyber attack according to claim 2, wherein the judging whether the cyber attack difference analysis identification scheme with the optimal matching degree after the discrete two-dimensional fourier transform satisfies a preset evaluation condition is specifically performed according to the following formula:
Figure FDA00038673367600000210
where k is the number of iterations; i, j and t are dimensions; m, n and p are the maximum dimension values of i, j and t respectively;
Figure FDA00038673367600000211
is the correct rate at the k-th iteration;
Figure FDA00038673367600000212
is the response delay rate at the k-th iteration;
Figure FDA0003867336760000031
is the misjudgment rate at the k-th iteration; p is the probability.
4. The method according to claim 3, wherein the deep unsupervised learning is performed on the false positive rate, the response delay rate and the correct rate, specifically according to the following formula:
Figure FDA0003867336760000032
Figure FDA0003867336760000033
where M_ijt^(k+1) mainly comprises the three aspects of the information vector
Figure FDA0003867336760000034
in which
Figure FDA0003867336760000035
is the correct rate at the (k+1)-th iteration;
Figure FDA0003867336760000036
is the response delay rate at the (k+1)-th iteration;
Figure FDA0003867336760000037
is the misjudgment rate at the (k+1)-th iteration; φ is an adjustment parameter; k is the number of iterations; i, j and t are dimensions; B_ijt^(k+1) is the deep unsupervised learning enhancement factor at the (k+1)-th iteration;
where the deep unsupervised learning enhancement factor B_ijt^(k+1) is obtained according to the following formula:
Figure FDA0003867336760000038
where C_kmax is the maximum correct rate at the k-th iteration; E_kmin is the minimum response delay rate at the k-th iteration; W_kmin is the minimum misjudgment rate at the k-th iteration.
5. An apparatus for identifying a cyber attack, comprising:
the demand receiving module is used for receiving network attack identification demands sent by cloud services or local cluster servers;
the data acquisition module is connected with the requirement receiving module and used for acquiring network traffic data of a cloud service or a local cluster server in real time based on the network attack identification requirement, wherein the network traffic data comprises a source IP address and network behaviors;
the difference analysis module is connected with the data acquisition module and used for carrying out difference analysis on the network traffic data to obtain a final network attack difference analysis and identification scheme, and the network attack difference analysis and identification scheme is used for identifying suspicious network behaviors and suspicious source IP addresses in the network traffic data;
the variance analysis module includes:
the setting unit is used for setting iteration initial parameters and the maximum iteration times;
the difference analysis unit is used for carrying out difference analysis on the network traffic data based on the misjudgment rate, the response delay rate and the accuracy rate to obtain a network attack difference analysis and identification scheme with the optimal matching degree;
the Fourier transform unit is used for carrying out discrete two-dimensional Fourier transform on the network attack difference analysis and identification scheme with the optimal matching degree;
the evaluation judging unit is used for judging whether the network attack difference analysis identification scheme with the optimal matching degree after the discrete two-dimensional Fourier transform meets the preset evaluation condition or not;
the learning unit is used for carrying out deep unsupervised learning on the misjudgment rate, the response delay rate and the accuracy rate;
the iteration judging unit is used for adding 1 to the iteration times and judging whether the current iteration times are smaller than the maximum iteration times or not;
the output unit is used for outputting the network attack difference analysis and identification scheme with the optimal matching degree as a final network attack difference analysis and identification scheme;
the misjudgment rate is the ratio of the amount which has different flow rates but is not detected in unit time to the total amount of flow rate difference analysis and detection in unit time, the response delay rate is the ratio of the amount of time occupied by ineffective flow rate detection in unit time to the total amount in unit time, and the correct rate is the ratio of the amount of work done by the different flow rate detection in unit time to the total amount of the different flow rate in unit time;
the difference analysis unit is specifically configured to obtain a network attack difference analysis and identification scheme according to the following calculation formula:
Figure FDA0003867336760000041
where k is the number of iterations; i, j and t are dimensions; m, n and p are the maximum dimension values of i, j and t respectively;
Figure FDA0003867336760000051
is the correct rate at the k-th iteration;
Figure FDA0003867336760000052
is the response delay rate at the k-th iteration;
Figure FDA0003867336760000053
is the misjudgment rate at the k-th iteration; C_kmax is the maximum correct rate at the k-th iteration; E_kmin is the minimum response delay rate at the k-th iteration; W_kmin is the minimum misjudgment rate at the k-th iteration.
CN202011322942.3A 2020-11-23 2020-11-23 Network attack identification method and device Active CN112311813B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011322942.3A CN112311813B (en) 2020-11-23 2020-11-23 Network attack identification method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011322942.3A CN112311813B (en) 2020-11-23 2020-11-23 Network attack identification method and device

Publications (2)

Publication Number Publication Date
CN112311813A CN112311813A (en) 2021-02-02
CN112311813B true CN112311813B (en) 2023-03-28

Family

ID=74335566

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011322942.3A Active CN112311813B (en) 2020-11-23 2020-11-23 Network attack identification method and device

Country Status (1)

Country Link
CN (1) CN112311813B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115426167A (en) * 2022-08-31 2022-12-02 中国联合网络通信集团有限公司 Black product identification method and device and computer readable storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106941490A (en) * 2017-03-20 2017-07-11 湖南友道信息技术有限公司 Online network flow abnormal detecting method based on bidirectional two-dimensional principal component analysis
CN110247910A (en) * 2019-06-13 2019-09-17 深信服科技股份有限公司 A kind of detection method of abnormal flow, system and associated component
CN110830499A (en) * 2019-11-21 2020-02-21 中国联合网络通信集团有限公司 Network attack application detection method and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10079846B2 (en) * 2015-06-04 2018-09-18 Cisco Technology, Inc. Domain name system (DNS) based anomaly detection

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
An optimization method for wireless network attack behavior detection based on semi-supervised learning; 《计算机研究与发展》 (Journal of Computer Research and Development); 2020-04-30; pp. 791-802 *
Application of clustering to anomaly detection of network intrusions; Yan Xiaoguang et al.; 《计算机***应用》; 2005-10-05 (No. 10); pp. 36-39 *

Also Published As

Publication number Publication date
CN112311813A (en) 2021-02-02

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant