CN112882905A - Method, system and electronic equipment for judging whether network communication behavior is abnormal or not - Google Patents

Info

Publication number: CN112882905A
Application number: CN202110302584.8A
Authority: CN (China)
Legal status: Pending (status as listed by Google Patents, which notes that it is an assumption and not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 罗云锋, 谢东, 童洪波
Original and current assignee: Sichuan Yingdesaike Technology Co ltd (as listed by Google Patents)
Prior art keywords: network communication, data, preset, communication data, abnormal

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 11/00 Error detection; Error correction; Monitoring > G06F 11/30 Monitoring > G06F 11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored > G06F 11/3006 ... where the computing system is distributed, e.g. networked systems, clusters, multiprocessor systems
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 11/00 Error detection; Error correction; Monitoring > G06F 11/30 Monitoring > G06F 11/32 Monitoring with visual or acoustical indication of the functioning of the machine > G06F 11/324 Display of status information > G06F 11/327 Alarm or error message display
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR > G06Q 10/00 Administration; Management > G06Q 10/20 Administration of product repair or maintenance

Abstract

The invention relates to a method, a system and electronic equipment for judging whether network communication behavior is abnormal. A group of network communication data to be judged, all sharing the same communication information, is assessed with a neural network model built for that communication information. Detection personnel therefore need not perform complex upstream data feature processing, the implementation difficulty is low, deep industry knowledge is not required, the technical threshold is low, and the learning cost for detection personnel is reduced.

Description

Method, system and electronic equipment for judging whether network communication behavior is abnormal or not
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method, a system, and an electronic device for determining whether a network communication behavior is abnormal.
Background
Within an industrial control environment there are a large number of devices that operate in real time and exchange a large volume of network communication in order to share information, report data, send control instructions and so on. These devices can be physically damaged, hijacked or attacked, so that the basic functions of the industrial control environment are disturbed or destroyed. Existing detection algorithms for untrusted communication behavior rest on complex mathematical principles, and the advanced data feature processing they require demands that detection personnel have profound industry knowledge; the technical threshold, the learning cost and the implementation difficulty are therefore all high.
How to efficiently and quickly separate trusted from untrusted communication behavior among the large number of network communications between devices, that is, to judge whether network communication behavior is abnormal while reducing the learning cost for detection personnel, is an open problem in the industry.
Disclosure of Invention
The invention addresses the above problem of the prior art by providing a method, a system and electronic equipment for judging whether network communication behavior is abnormal.
The technical scheme of the method for judging whether network communication behavior is abnormal is as follows:
S1, acquire a plurality of pieces of network communication data exchanged among a plurality of preset devices;
S2, parse each piece of network communication data to obtain its communication information;
S3, for a group of network communication data to be judged that share the same communication information, use the neural network model corresponding to that communication information to judge whether at least a first preset number of untrusted data packets exist in the group; if so, judge the network communication behavior abnormal, and if not, judge that no abnormal network communication behavior exists.
The method for judging whether network communication behavior is abnormal has the following beneficial effect:
because each group of network communication data to be judged is assessed with a neural network model built for its communication information, detection personnel need not perform complex upstream data feature processing, the implementation difficulty is low, deep industry knowledge is not required, the technical threshold is low, and the learning cost for detection personnel is reduced.
On the basis of the above scheme, the method for judging whether the network communication behavior is abnormal according to the present invention may be further improved as follows.
Further, the method also includes:
S50, for any one communication information, compile a group of time series data from each piece of historical network communication data carrying that communication information, the time series data comprising the packet length of each data packet and the time difference between every two adjacent pieces of historical network communication data;
S51, de-duplicate the packet lengths corresponding to that communication information and sort them in ascending order to obtain an array, and derive the one-hot code corresponding to each element of the array;
S52, take in turn the one-hot code of each packet length in the array as the label value and, as the input values, the one-hot codes and time differences of the n packet lengths immediately before and the m packet lengths immediately after the packet length corresponding to the label value in the array, and construct a neural network model from these (input, label) pairs;
S53, execute S50 to S52 for the historical network communication data of every communication information, obtaining one neural network model per communication information.
The beneficial effect of this further scheme is that the neural network model can be established by extracting only the packet length of each data packet and the time difference between adjacent pieces of historical network communication data; detection personnel need no profound industry knowledge, the technical threshold is low, and the learning cost for detection personnel is reduced.
Further, the method also includes:
S4, execute S3 for every group of network communication data with the same communication information, count the total number of untrusted data packets across all groups, and raise an alarm when that total exceeds a first preset total-number threshold.
The beneficial effect of this further scheme is that an alarm is raised when the total number of untrusted data packets exceeds the first preset total-number threshold, reminding detection personnel to perform subsequent maintenance.
Further, before the alarm is raised, the method also includes:
when the total number of untrusted data packets exceeds a second preset total-number threshold, calculate the proportion of untrusted data packets among all data packets, and judge whether that proportion is greater than a preset proportion threshold to obtain a first judgment result;
raising the alarm then comprises: raising the alarm when the first judgment result is yes.
The beneficial effect of this further scheme is that, through this double judgment, both the total number of untrusted data packets (against the preset total-number thresholds) and their proportion among all data packets (against the preset proportion threshold) are checked before an alarm is raised, which further guarantees the accuracy of alarming.
Further, the method also includes:
acquiring the preset device corresponding to each alarm within a preset time period, and, when the number of times any preset device is so identified exceeds a preset frequency threshold, determining that device to be the preset device performing untrusted communication behavior.
The beneficial effect of this further scheme is that once the preset device performing untrusted communication behavior has been identified, detection personnel can conveniently maintain or replace it.
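The alarm logic of S4, the double judgment on count and proportion, and the device attribution over a time window, as an added example in Python that is not part of the patent. It assumes that the first and second preset total-number thresholds are a single threshold, that the preset device associated with a group is the sender IP of its 5-tuple, and that the per-group verdicts in FLOW_RESULTS and the alarm history in ALARM_LOG are constructed inputs standing in for the output of S3.

```python
from collections import Counter

# Constructed S3 results for one judgment round (not from the patent):
# 5-tuple communication information -> (untrusted packets, total packets).
FLOW_RESULTS = {
    ("10.0.0.5", 50231, "10.0.0.20", 502, "tcp"): (3, 40),
    ("10.0.0.6", 50232, "10.0.0.20", 502, "tcp"): (0, 35),
    ("10.0.0.7", 44000, "10.0.0.21", 102, "tcp"): (9, 30),
}

# Constructed alarm history: (timestamp s, preset devices associated with that alarm).
ALARM_LOG = [
    (100, {"10.0.0.7"}),
    (200, {"10.0.0.5", "10.0.0.7"}),
    (300, {"10.0.0.7"}),
    (900, {"10.0.0.5"}),  # outside the 0..500 window used below
]


def should_alarm(flow_results, total_threshold, ratio_threshold):
    """S4 with the double judgment: sum the untrusted packets of all groups; alarm only when that
    total exceeds total_threshold AND the untrusted share of all packets exceeds ratio_threshold
    (assumption: one total-number threshold in place of the patent's first and second).
    Returns (alarm, untrusted_total, ratio)."""
    untrusted = sum(u for u, _ in flow_results.values())
    total = sum(t for _, t in flow_results.values())
    ratio = untrusted / total if total else 0.0
    return (untrusted > total_threshold and ratio > ratio_threshold), untrusted, ratio


def devices_in_alarm(flow_results, first_preset_number):
    """Preset devices associated with an alarm: the sender IP (assumption) of every group whose
    untrusted count reaches the first preset number, i.e. the groups S3 judged abnormal."""
    return {key[0] for key, (untrusted, _) in flow_results.items()
            if untrusted >= first_preset_number}


def flag_devices(alarm_log, window_start, window_end, frequency_threshold):
    """Device attribution: count, over the alarms inside the preset time period, how often each
    device appears; a device appearing more than frequency_threshold times is judged to be the
    one performing untrusted communication behavior and is reported for maintenance."""
    hits = Counter()
    for ts, devices in alarm_log:
        if window_start <= ts <= window_end:
            hits.update(devices)
    return sorted(dev for dev, n in hits.items() if n > frequency_threshold)


if __name__ == "__main__":
    alarm, n_bad, ratio = should_alarm(FLOW_RESULTS, total_threshold=10, ratio_threshold=0.1)
    print(f"alarm={alarm} untrusted={n_bad} ratio={ratio:.3f}")
    if alarm:
        print("devices in this alarm:", devices_in_alarm(FLOW_RESULTS, first_preset_number=3))
    print("devices to maintain:", flag_devices(ALARM_LOG, 0, 500, frequency_threshold=2))
```

The proportion check is what keeps a busy but healthy network from alarming on a fixed count alone: with the constructed data, 12 untrusted packets out of 105 pass a 10 percent proportion threshold but not a 20 percent one, so the same count can be an alarm or not depending on the traffic volume it sits in.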
Further, S3 is preceded by:
judging whether the group of network communication data to be judged, sharing the same communication information, already has a corresponding neural network model, to obtain a second judgment result;
and S3 comprises: executing S3 when the second judgment result is yes.
Further, the method also includes:
when the second judgment result is no, continuing to execute S1 and S2 until the number of pieces in the group to be judged with the same communication information exceeds a second preset number, then taking the network communication data in that group as historical network communication data and executing S50 to S52 to obtain the neural network model corresponding to that communication information.
Further, the communication information of any piece of network communication data comprises: the IP address and port of the preset device sending the network communication data, the IP address and port of the preset device receiving it, and the protocol of the network communication data.
The technical scheme of the system for judging whether network communication behavior is abnormal is as follows:
the system comprises an acquisition module, a parsing module and a first judging module;
the acquisition module is used for acquiring a plurality of pieces of network communication data exchanged among a plurality of preset devices;
the parsing module is used for parsing each piece of network communication data to obtain its communication information;
the first judging module is used for: judging, for a group of network communication data to be judged that share the same communication information and with the neural network model corresponding to that communication information, whether at least a first preset number of untrusted data packets exist in the group; if so, judging the network communication behavior abnormal, and if not, judging that no abnormal network communication behavior exists.
The system for judging whether network communication behavior is abnormal has the following beneficial effect:
because each group of network communication data to be judged is assessed with a neural network model built for its communication information, detection personnel need not perform complex upstream data feature processing, the implementation difficulty is low, deep industry knowledge is not required, the technical threshold is low, and the learning cost for detection personnel is reduced.
On the basis of the above scheme, the system for judging whether the network communication behavior is abnormal according to the present invention may be further improved as follows.
Further, the system also comprises a modelling module and a repeated-call module, the modelling module being used for:
compiling, for any one communication information, a group of time series data from each piece of historical network communication data carrying that communication information, the time series data comprising the packet length of each data packet and the time difference between every two adjacent pieces of historical network communication data;
de-duplicating the packet lengths corresponding to that communication information and sorting them in ascending order to obtain an array, and deriving the one-hot code corresponding to each element of the array;
taking in turn the one-hot code of each packet length in the array as the label value and, as the input values, the one-hot codes and time differences of the n packet lengths immediately before and the m packet lengths immediately after the packet length corresponding to the label value in the array, and constructing a neural network model;
the repeated-call module is used for calling the modelling module for the historical network communication data of every communication information, so that a neural network model is obtained for each communication information.
The beneficial effect of this further scheme is that the neural network model can be established by extracting only the packet length of each data packet and the time difference between adjacent pieces of historical network communication data; detection personnel need no profound industry knowledge, the technical threshold is low, and the learning cost for detection personnel is reduced.
Further, the system also comprises a statistical judging module, used for: repeatedly calling the first judging module to judge every group of network communication data with the same communication information, counting the total number of untrusted data packets across all groups, and raising an alarm when that total exceeds a first preset total-number threshold.
The beneficial effect of this further scheme is that an alarm is raised when the total number of untrusted data packets exceeds the first preset total-number threshold, reminding detection personnel to perform subsequent maintenance.
Further, the statistical judging module is specifically configured to:
when the total number of untrusted data packets exceeds a second preset total-number threshold, calculate the proportion of untrusted data packets among all data packets, judge whether that proportion is greater than a preset proportion threshold to obtain a first judgment result, and raise the alarm when the first judgment result is yes.
Through this double judgment, both the total number of untrusted data packets (against the preset total-number thresholds) and their proportion among all data packets (against the preset proportion threshold) are checked before an alarm is raised, which further guarantees the accuracy of alarming.
Further, the system also comprises a second judging module, used for: acquiring the preset device corresponding to each alarm within a preset time period, and, when the number of times any preset device is so identified exceeds a preset frequency threshold, determining that device to be the preset device performing untrusted communication behavior.
The beneficial effect of this further scheme is that once the preset device performing untrusted communication behavior has been identified, detection personnel can conveniently maintain or replace it.
Further, the system also comprises a third judging module, used for: judging whether the group of network communication data to be judged, sharing the same communication information, already has a corresponding neural network model, to obtain a second judgment result;
the first judging module is specifically configured to: when the second judgment result is yes, judge, for the group of network communication data to be judged and with the neural network model corresponding to its communication information, whether at least a first preset number of untrusted data packets exist in the group; if so, judge the network communication behavior abnormal, and if not, judge that no abnormal network communication behavior exists.
Further, the modelling module is also configured to:
when the second judgment result is no, continue calling the acquisition module and the parsing module until the number of pieces in the group to be judged with the same communication information exceeds a second preset number, and then take the network communication data in that group as historical network communication data to obtain the neural network model corresponding to that communication information.
Further, the communication information of any piece of network communication data comprises: the IP address and port of the preset device sending the network communication data, the IP address and port of the preset device receiving it, and the protocol of the network communication data.
The technical scheme of the electronic equipment is as follows:
it comprises a memory, a processor and a program stored in the memory and runnable on the processor, the processor implementing the steps of any of the above methods for judging whether network communication behavior is abnormal when it executes the program.
The electronic equipment has the following beneficial effect:
because each group of network communication data to be judged is assessed with a neural network model built for its communication information, detection personnel need not perform complex upstream data feature processing, the implementation difficulty is low, deep industry knowledge is not required, the technical threshold is low, and the learning cost for detection personnel is reduced.
Drawings
Fig. 1 is a flowchart illustrating a method for determining whether network communication behavior is abnormal according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a system for determining whether a network communication behavior is abnormal according to an embodiment of the present invention.
Detailed Description
As shown in Fig. 1, a method for judging whether network communication behavior is abnormal according to an embodiment of the invention comprises the following steps:
S1, acquire a plurality of pieces of network communication data exchanged among a plurality of preset devices;
S2, parse each piece of network communication data to obtain its communication information;
S3, for a group of network communication data to be judged that share the same communication information, use the neural network model corresponding to that communication information to judge whether at least a first preset number of untrusted data packets exist in the group; if so, judge the network communication behavior abnormal, and if not, judge that no abnormal network communication behavior exists.
Because each group of network communication data to be judged is assessed with a neural network model built for its communication information, detection personnel need not perform complex upstream data feature processing, the implementation difficulty is low, deep industry knowledge is not required, the technical threshold is low, and the learning cost for detection personnel is reduced.
Network communication data generally have a fixed format, so each piece can be parsed according to that format to obtain its communication information, which comprises: the IP address and port of the preset device sending the network communication data, the IP address and port of the preset device receiving it, and the protocol of the network communication data.
After the communication information of every piece has been obtained, the pieces are compared and grouped so that each group contains the network communication data with the same communication information. Each group to be judged is then assessed with the neural network model corresponding to its communication information: if at least a first preset number of untrusted data packets exist in the group, the network communication behavior is judged abnormal, otherwise no abnormal network communication behavior exists. Every group with the same communication information is judged in the same way.
Preferably, in the above technical solution, S3 is preceded by:
judging whether the group of network communication data to be judged, sharing the same communication information, already has a corresponding neural network model, to obtain a second judgment result;
and S3 comprises: executing S3 when the second judgment result is yes.
That is, before each group of network communication data with the same communication information is judged, it is checked whether a neural network model exists for that group, and then:
1) when the second judgment result is yes, S3 is executed;
2) when the second judgment result is no, S1 and S2 continue to be executed, that is, network communication data continue to be acquired and classified, until the number of pieces in the group to be judged with the same communication information exceeds a second preset number; the network communication data in that group are then used to obtain the corresponding neural network model, so that it can be called for judgment the next time.
The process of establishing the neural network model comprises the following steps:
S50, for any one communication information, compile a group of time series data from each piece of historical network communication data carrying that communication information, the time series data comprising the packet length of each data packet and the time difference between every two adjacent pieces of historical network communication data;
S51, de-duplicate the packet lengths corresponding to that communication information and sort them in ascending order to obtain an array, and derive the one-hot code corresponding to each element of the array;
S52, take in turn the one-hot code of each packet length in the array as the label value and, as the input values, the one-hot codes and time differences of the n packet lengths immediately before and the m packet lengths immediately after the packet length corresponding to the label value in the array, and construct a neural network model from these (input, label) pairs;
S53, execute S50 to S52 for the historical network communication data of every communication information, obtaining one neural network model per communication information.
The neural network model can thus be established by extracting only the packet length of each data packet and the time difference between adjacent pieces of historical network communication data; detection personnel need no profound industry knowledge, the technical threshold is low, and the learning cost for detection personnel is reduced.
For example, a group of time series data is compiled from each piece of historical network communication data carrying one communication information. In that time series the packet lengths of the data packets are: 52, 76, 84, 52, 76, 84, 93, 102, 93, 84, and the time difference between every two adjacent pieces of historical network communication data is obtained from the timestamp on each piece;
"52, 76, 84, 52, 76, 84, 93, 102, 93, 84" is then de-duplicated and sorted in ascending order to obtain the array (52, 76, 84, 93, 102). Each element of the array is one-hot encoded: the one-hot code of 52 is (1,0,0,0,0), that of 76 is (0,1,0,0,0), that of 84 is (0,0,1,0,0), that of 93 is (0,0,0,1,0) and that of 102 is (0,0,0,0,1); that is, the one-hot codes corresponding to the array (52, 76, 84, 93, 102) are (1,0,0,0,0), (0,1,0,0,0), (0,0,1,0,0), (0,0,0,1,0), (0,0,0,0,1);
The one-hot code of each packet length in the array is taken in turn as the label value, specifically:
the one-hot code of 52, (1,0,0,0,0), is taken as the label value, and the one-hot codes and time differences of the n packet lengths immediately before and the m packet lengths immediately after the packet length corresponding to the label value in the array are taken as the input values, n and m being adjusted to the actual situation. Since 52 is the head of the array, the one-hot codes and time differences of the n preceding packet lengths do not exist and are replaced by 0; likewise any of the m following packet lengths that do not exist are replaced by 0, so wherever a neighbour is missing, zeros are filled in. By analogy, the one-hot code of 76, (0,1,0,0,0), then that of 84, (0,0,1,0,0), that of 93, (0,0,0,1,0) and that of 102, (0,0,0,0,1), are taken as label values, and training based on the neural network on these (input, label) pairs yields the corresponding neural network model.
When the neural network model is applied, a group of network communication data with the same communication information is collected and the packet length of each piece is taken to obtain a packet length sequence, for example: 52, 76, 84, 52, 76, 84, 93, 102, 93, 84. The packet lengths in this sequence are arranged in chronological order. The description continues with m = n = 4 as an example:
Since there are 10 packet lengths in total, 10 sets of input values and label values can be obtained, specifically:
1) when the one-hot code of the first element 52 in the packet length sequence is the label value, the one-hot codes and time differences of the 4 packet lengths before it and of the 4 packet lengths after it are the input values. Because the 4 packet lengths to the left of the first element do not exist, their one-hot codes and time differences are filled with 0; the 4 packet lengths following the first element are 76, 84, 52, 76, and their one-hot codes and time differences are input into the corresponding neural network model to obtain a first output result. When the first output result and the one-hot code of the first element 52 are within a preset deviation range, the data packet corresponding to that packet length is judged trusted, otherwise it is judged untrusted;
2) when the one-hot code of the second element 76 in the packet length sequence is the label value, the one-hot codes and time differences of the 4 packet lengths before it and of the 4 packet lengths after it are the input values. Because only 1 of the 4 packet lengths to the left of the second element exists, the other 3 are filled with 0; the 4 packet lengths following the second element are 84, 52, 76, 84, and their one-hot codes and time differences are input into the corresponding neural network model to obtain a first output result. When the first output result and the one-hot code of the second element 76 are within the preset deviation range, the data packet corresponding to that packet length is judged trusted, otherwise it is judged untrusted;
3) when the one-hot code of the third element 84 in the packet length sequence is the label value, the one-hot codes and time differences of the 4 packet lengths before it and of the 4 packet lengths after it are the input values. Because only 2 of the 4 packet lengths to the left of the third element exist, the other 2 are filled with 0; the 4 packet lengths following the third element are 52, 76, 84, 93, and their one-hot codes and time differences are input into the corresponding neural network model to obtain a first output result. When the first output result and the one-hot code of the third element 84 are within the preset deviation range, the data packet corresponding to that packet length is judged trusted, otherwise it is judged untrusted;
By analogy, whether the data packet corresponding to each packet length in the packet length sequence is trusted is judged; if at least a first preset number of untrusted data packets exist in the group of network communication data, the network communication behavior is judged abnormal, otherwise no abnormal network communication behavior exists.
It should be noted that existing untrusted-communication detection algorithms depend strongly on the native data, that is, the content carried in the network communication data. In the present application, whether the network behavior is abnormal is determined from the packet length sequence, so the dependency on the native data is reduced, the accuracy of identifying abnormal network behavior is maintained, the identification flow is greatly simplified, and trusted and untrusted communication behavior can be identified efficiently and quickly among the large number of network communication behaviors between devices.
Preferably, in the above technical solution, the method further comprises:
and S4, executing S3 on each group of network communication data with the same communication information, counting the total number of all the untrusted data packets, and giving an alarm when the total number of all the untrusted data packets exceeds a first preset total number threshold value.
When the total number of all the untrusted data packets exceeds the first preset total number threshold, an alarm is issued to prompt detection personnel to perform follow-up maintenance; the alarm may take the form of a pop-up window, an e-mail, a WeChat message, or the like.
Preferably, in the above technical solution, before the issuing of the alarm, the method further includes:
when the total number of all the untrusted data packets exceeds a second preset total number threshold value, calculating the occupation ratio of all the untrusted data packets in all the data packets, and judging whether the occupation ratio is greater than a preset occupation ratio threshold value or not to obtain a first judgment result;
the issuing of the alert includes: and when the first judgment result is yes, giving an alarm.
Through this double judgment, the alarm requires both that the total number of all untrusted data packets exceeds the first and second preset total number thresholds and that the proportion of untrusted data packets among all data packets exceeds the preset occupation ratio threshold, so the accuracy of alarming is further guaranteed.
Preferably, in the above technical solution, the method further comprises:
the preset equipment corresponding to each alarm within a preset time period is acquired, and when the number of times any preset equipment is so identified exceeds a preset times threshold, that preset equipment is determined to be the preset equipment engaging in the untrusted communication behavior.
The communication information of any piece of network communication data includes the IP and port of the preset equipment sending the network communication data and the IP and port of the preset equipment receiving it, so the preset equipment engaging in the untrusted communication behavior can readily be identified from the communication information, which makes it convenient for detection personnel to maintain or replace the equipment.
The first preset number, the second preset number, the first preset total number threshold, the second preset total number threshold, the preset times threshold, the preset deviation range and the like can be adjusted and set according to actual conditions, and details are not repeated herein.
In the foregoing embodiments the steps are numbered S1, S2, etc., but these numbers only reflect the specific embodiments given in this application; those skilled in the art may adjust the execution order of S1, S2, etc. according to the actual situation, which also falls within the protection scope of the present invention, and it is understood that some embodiments may include some or all of the above embodiments.
As shown in fig. 2, a system 200 for determining whether a network communication behavior is abnormal according to an embodiment of the present invention includes an obtaining module 210, a parsing module 220, and a first determining module 230;
the obtaining module 210 is configured to obtain multiple pieces of network communication data between multiple preset devices;
the analysis module 220 is configured to analyze each piece of network communication data to obtain communication information corresponding to each piece of network communication data;
the first determining module 230 is configured to: according to a group of network communication data with the same communication information to be judged and a neural network model corresponding to the same communication information, judging whether a first preset number of incredible data packets exist in the group of network communication data, if so, judging that a network communication behavior is abnormal, and if not, judging that a network abnormal communication behavior does not exist.
Because judgment uses a group of network communication data to be judged with the same communication information and the neural network model corresponding to that communication information, detection personnel need not perform complex up-front feature engineering; the implementation difficulty is low, deep industry knowledge is not required, the technical threshold is low, and the learning cost for detection personnel is reduced.
Preferably, in the above technical solution, the system further includes a modeling module and a repeat calling module, wherein the modeling module is configured to:
counting a group of time sequence data corresponding to each piece of historical network communication data corresponding to any one piece of same communication information, wherein the time sequence data comprises the packet length of a data packet and the time difference between every two adjacent pieces of historical network communication data;
removing the duplicate of the packet length corresponding to the same communication information, and arranging the packet length from small to large to obtain an array and obtain a one-hot code corresponding to the array;
sequentially taking the one-hot code corresponding to each packet length in the array as a tag value, sequentially taking the one-hot codes and time differences corresponding to the first n packet lengths adjacent to the packet length corresponding to the tag value in the array, and sequentially taking the one-hot codes and time differences corresponding to the last m packet lengths adjacent to the packet length corresponding to the tag value as input values, and constructing a neural network model;
the repeated calling module is used for calling the modeling module to respectively establish corresponding neural network models for each piece of historical network communication data corresponding to each piece of same communication information, and obtaining the neural network model corresponding to each piece of same communication information.
The neural network model can be established only by extracting the packet length of the data packet and the time difference between every two adjacent historical network communication data, detection personnel do not need to have profound industry knowledge and cognition, the technical threshold is low, and the learning cost of the detection personnel is reduced.
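As an added illustration of the data preparation walked through in items 1) to 3) of the worked example above and restated by the modeling module, the following Python is written for this page and is not the applicant's code. It reproduces the de-duplicated, sorted one-hot table, the n = m = 4 neighbour windows of one-hot codes plus time differences with zero padding, and the per-group verdict. Everything not stated in the text is an assumption: the first record of a group has time difference 0; a packet length absent from the one-hot table is encoded as all zeros and its packet is judged untrusted outright; the neural network is replaced by a lookup model that returns the mean label seen in history for the same context (it ignores the time differences it is given); and "a first preset number of untrusted packets exist" is read as count greater than or equal to that number. The packet sequence and timings are constructed.

```python
"""Added example for this page, not the applicant's code (see lead-in for assumptions)."""
from typing import Callable, Dict, List, Optional, Sequence, Tuple

OneHot = Tuple[int, ...]
Model = Callable[[List[float]], List[float]]


def one_hot_table(lengths: Sequence[int]) -> Dict[int, OneHot]:
    """De-duplicate the packet lengths, sort ascending, assign one-hot codes."""
    uniq = sorted(set(lengths))
    return {v: tuple(int(j == i) for j in range(len(uniq))) for i, v in enumerate(uniq)}


def time_diffs(times: Sequence[float]) -> List[float]:
    """Time difference between adjacent records; the first record gets 0 (assumption)."""
    return [0.0] + [b - a for a, b in zip(times, times[1:])]


def neighbor_indices(i: int, n: int, m: int) -> List[int]:
    """Indices of the n packets before position i and the m after it, in order."""
    return list(range(i - n, i)) + list(range(i + 1, i + 1 + m))


def neighbor_lengths(lengths: Sequence[int], i: int, n: int, m: int
                     ) -> Tuple[List[Optional[int]], List[Optional[int]]]:
    """Neighbouring packet lengths of position i; None where no packet exists."""
    vals = [lengths[j] if 0 <= j < len(lengths) else None for j in neighbor_indices(i, n, m)]
    return vals[:n], vals[n:]


def build_samples(lengths, times, table, n, m) -> List[Tuple[List[float], List[float]]]:
    """One (input, label) pair per packet: each neighbour contributes its one-hot
    code plus its time difference; a missing neighbour contributes k+1 zeros."""
    k = len(table)
    zero = (0,) * k
    dts = time_diffs(times)
    samples = []
    for i, length in enumerate(lengths):
        x: List[float] = []
        for j in neighbor_indices(i, n, m):
            if 0 <= j < len(lengths):
                x.extend(table.get(lengths[j], zero))   # unseen length -> all zeros (assumption)
                x.append(dts[j])
            else:
                x.extend([0.0] * (k + 1))               # padding with 0 as in the example
        samples.append((x, [float(v) for v in table.get(length, zero)]))
    return samples


def _context_key(x: List[float], k: int, slots: int) -> Tuple[int, ...]:
    """The one-hot parts of an input vector (time differences dropped)."""
    return tuple(int(round(v)) for s in range(slots) for v in x[s * (k + 1): s * (k + 1) + k])


def fit_lookup_model(samples, k: int, slots: int) -> Model:
    """Stand-in for the neural network: mean label per distinct context. An unseen
    context yields a uniform vector, which never lies within a tight deviation
    range of a one-hot label."""
    sums: Dict[Tuple[int, ...], List[float]] = {}
    counts: Dict[Tuple[int, ...], int] = {}
    for x, y in samples:
        key = _context_key(x, k, slots)
        acc = sums.setdefault(key, [0.0] * k)
        for c in range(k):
            acc[c] += y[c]
        counts[key] = counts.get(key, 0) + 1

    def predict(x: List[float]) -> List[float]:
        key = _context_key(x, k, slots)
        if key not in sums:
            return [1.0 / k] * k
        return [v / counts[key] for v in sums[key]]

    return predict


def is_trusted(output: Sequence[float], label: Sequence[float], deviation: float) -> bool:
    """Output within the preset deviation range of the label (max absolute difference)."""
    return max(abs(o - l) for o, l in zip(output, label)) <= deviation


def judge_group(lengths, times, table, model, n, m, deviation, first_preset_number):
    """Per-packet trust for one group with the same communication information;
    returns (number of untrusted packets, whether the group is abnormal)."""
    untrusted = 0
    for i, (x, y) in enumerate(build_samples(lengths, times, table, n, m)):
        if lengths[i] not in table or not is_trusted(model(x), y, deviation):
            untrusted += 1
    return untrusted, untrusted >= first_preset_number


# Constructed data: the sequence the worked example walks through, repeated,
# one record every 0.1 s; used as history and then as groups to judge.
PERIOD = [52, 76, 84, 52, 76, 84, 93]
HISTORY_LENGTHS = PERIOD * 3
HISTORY_TIMES = [0.1 * i for i in range(len(HISTORY_LENGTHS))]
N = M = 4
TABLE = one_hot_table(HISTORY_LENGTHS)
MODEL = fit_lookup_model(build_samples(HISTORY_LENGTHS, HISTORY_TIMES, TABLE, N, M), len(TABLE), N + M)

NORMAL_GROUP = PERIOD * 2
ODD_GROUP = PERIOD * 2
ODD_GROUP[4] = 1500                      # a packet length never seen in history
GROUP_TIMES = [0.1 * i for i in range(len(NORMAL_GROUP))]


def demo():
    normal = judge_group(NORMAL_GROUP, GROUP_TIMES, TABLE, MODEL, N, M, 0.5, 3)
    odd = judge_group(ODD_GROUP, GROUP_TIMES, TABLE, MODEL, N, M, 0.5, 3)
    return normal, odd


if __name__ == "__main__":
    print(demo())
```

With the lookup stand-in, one unseen length marks not only its own packet but every packet whose window contains it as untrusted (9 of 14 in the odd group), because the context of each neighbour no longer matches anything in history; a trained network would generalise more gracefully, but the effect is worth remembering when choosing the first preset number.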
Preferably, in the above technical solution, the system further includes a statistical determination module configured to: repeatedly call the first determining module 230 to judge each group of network communication data with the same communication information, count the total number of all the untrusted data packets, and issue an alarm when the total number of all the untrusted data packets exceeds a first preset total number threshold.
And when the total number of all the untrusted data packets exceeds a first preset total number threshold value, giving an alarm so as to remind detection personnel of performing later maintenance.
Preferably, in the above technical solution, the statistical determination module is specifically configured to:
when the total number of all the untrustworthy data packets exceeds a second preset total number threshold value, calculating the occupation ratio of all the untrustworthy data packets in all the data packets, judging whether the occupation ratio is larger than a preset occupation ratio threshold value or not, obtaining a first judgment result, and when the first judgment result is yes, giving an alarm.
Through this double judgment, the alarm requires both that the total number of all untrusted data packets exceeds the first and second preset total number thresholds and that the proportion of untrusted data packets among all data packets exceeds the preset occupation ratio threshold, so the accuracy of alarming is further guaranteed.
Preferably, in the above technical solution, the system further includes a second determining module configured to: acquire the preset equipment corresponding to each alarm within a preset time period, and when the number of times any preset equipment is so identified exceeds a preset times threshold, determine that preset equipment to be the preset equipment engaging in the untrusted communication behavior.
Once the preset equipment engaging in the untrusted communication behavior has been determined, detection personnel can conveniently maintain or replace it.
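The alarm stage described in S4, the count-and-ratio double judgment, and the attribution of repeated alarms to a device (and their restatement by the statistical determination module and the second determining module above) can be put together as follows. This is an added example written for this page, not the applicant's code. Its assumptions: a group is keyed by the communication information (sender IP and port, receiver IP and port, protocol); "exceeds" is a strict comparison; an alarm is issued only when the untrusted total passes both the first and the second total threshold and the occupation ratio passes the ratio threshold; and both endpoints of an alarming group count as the preset equipment corresponding to that alarm. The per-group results, thresholds and addresses are constructed.

```python
"""Added example for this page, not the applicant's code (see lead-in for assumptions)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

CommInfo = Tuple[str, int, str, int, str]   # src_ip, src_port, dst_ip, dst_port, protocol
Alarm = Tuple[float, CommInfo]              # (timestamp, communication information)


@dataclass(frozen=True)
class Thresholds:
    first_total: int     # first preset total number threshold
    second_total: int    # second preset total number threshold
    ratio: float         # preset occupation ratio threshold
    times: int           # preset times threshold (alarms per device)
    period: float        # preset time period, seconds


def should_alarm(untrusted: int, total: int, t: Thresholds) -> bool:
    """S4 count check, then the ratio check that precedes issuing the alarm."""
    if untrusted <= t.first_total:
        return False
    if untrusted <= t.second_total:          # ratio is only computed above the second threshold
        return False
    occupation = untrusted / total if total else 0.0
    return occupation > t.ratio


def evaluate_groups(results: Dict[CommInfo, Tuple[int, int]], now: float,
                    t: Thresholds) -> List[Alarm]:
    """results maps each communication information to (untrusted packets, all packets)."""
    return [(now, info) for info, (untrusted, total) in results.items()
            if should_alarm(untrusted, total, t)]


def flag_devices(alarms: List[Alarm], now: float, t: Thresholds) -> List[str]:
    """Devices appearing in more than t.times alarms within the last t.period seconds."""
    hits: Counter = Counter()
    for ts, (src_ip, _, dst_ip, _, _) in alarms:
        if 0 <= now - ts <= t.period:
            hits[src_ip] += 1                # both endpoints are attributed (assumption)
            hits[dst_ip] += 1
    return sorted(ip for ip, c in hits.items() if c > t.times)


# Constructed per-group results of one detection round: (untrusted, total).
NOW = 1_700_000_000.0
T = Thresholds(first_total=3, second_total=5, ratio=0.2, times=1, period=600.0)
RESULTS: Dict[CommInfo, Tuple[int, int]] = {
    ("10.0.0.5", 40001, "10.0.0.9", 502, "tcp"): (8, 20),   # 40 %: alarm
    ("10.0.0.5", 40002, "10.0.0.10", 502, "tcp"): (9, 30),  # 30 %: alarm
    ("10.0.0.7", 40003, "10.0.0.9", 502, "tcp"): (6, 60),   # 10 %: count high, ratio too low
    ("10.0.0.8", 40004, "10.0.0.9", 502, "tcp"): (4, 10),   # above first, not above second
    ("10.0.0.2", 40005, "10.0.0.9", 502, "tcp"): (2, 10),   # below first
}
# A constructed alarm from an earlier round, outside the time period; it must not count.
OLD_ALARMS: List[Alarm] = [(NOW - 3600.0, ("10.0.0.9", 40100, "10.0.0.10", 502, "tcp"))]


def demo() -> Tuple[List[CommInfo], List[str]]:
    alarms = evaluate_groups(RESULTS, NOW, T)
    return [info for _, info in alarms], flag_devices(alarms + OLD_ALARMS, NOW, T)


if __name__ == "__main__":
    print(demo())
```

Keeping the ratio check behind the second count threshold means a busy link with a handful of untrusted packets is not alarmed on count alone, while the per-device window stops a single noisy round from permanently flagging equipment.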
Preferably, in the above technical solution, the system further includes a third determining module configured to: judge whether a group of network communication data to be judged with the same communication information has a corresponding neural network model, to obtain a second judgment result;
the first determining module 230 is specifically configured to: and if the second judgment result is yes, judging whether a first preset number of incredible data packets exist in a group of network communication data to be judged according to the group of network communication data with the same communication information and the neural network model corresponding to the same communication information, if so, judging that the network communication behavior is abnormal, and if not, judging that the network abnormal communication behavior does not exist.
Preferably, in the above technical solution, the modeling module is further configured to:
if the second judgment result is negative, the obtaining module 210 and the parsing module 220 are continuously called until the number of the group of network communication data to be judged with the same communication information exceeds a second preset number, and the network communication data in the group is used as historical network communication data to obtain a neural network model corresponding to the same communication information.
Preferably, in the above technical solution, the communication information of any piece of network communication data includes: the IP and the port of the preset device for sending the network communication data, the IP and the port of the preset device for receiving the network communication data, and the protocol corresponding to the network communication data.
The above steps for implementing corresponding functions for each parameter and each unit module in the system 200 for determining whether a network communication behavior is abnormal according to the present invention may refer to each parameter and step in the above embodiment of a method for determining whether a network communication behavior is abnormal, which are not described herein again.
An electronic device according to an embodiment of the present invention includes a memory, a processor, and a program stored in the memory and running on the processor, where the processor implements any of the above-described steps of the method for determining whether a network communication behavior is abnormal when executing the program.
Because judgment uses a group of network communication data to be judged with the same communication information and the neural network model corresponding to that communication information, detection personnel need not perform complex up-front feature engineering; the implementation difficulty is low, deep industry knowledge is not required, the technical threshold is low, and the learning cost for detection personnel is reduced.
The electronic device may be a computer, a mobile phone, or the like, and correspondingly, the program of the electronic device is computer software or a mobile phone APP, and the parameters and the steps in the electronic device of the present invention may refer to the parameters and the steps in the above embodiment of the method for determining whether the network communication behavior is abnormal, which is not described herein again.
As will be appreciated by one skilled in the art, the present invention may be embodied as a system, method or computer program product.
Accordingly, the present disclosure may be embodied entirely in hardware, entirely in software (including firmware, resident software, micro-code, etc.) or in a combination of hardware and software, and may be referred to herein generally as a "circuit," "module," or "system." Furthermore, in some embodiments, the invention may also be embodied in the form of a computer program product in one or more computer-readable media having computer-readable program code embodied in the medium.
Any combination of one or more computer-readable media may be employed. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium include an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that variations, modifications, substitutions and alterations can be made to the above embodiments by those of ordinary skill in the art within the scope of the present invention.

Claims (10)

1. A method for determining whether network communication behavior is abnormal, comprising:
s1, acquiring a plurality of pieces of network communication data among a plurality of preset devices;
s2, analyzing each piece of network communication data to obtain communication information corresponding to each piece of network communication data;
S3, judging whether a first preset number of untrusted data packets exist in a group of network communication data to be judged according to the group of network communication data with the same communication information and a neural network model corresponding to the same communication information, if so, judging that the network communication behavior is abnormal, and if not, judging that the network abnormal communication behavior does not exist.
2. The method of claim 1, further comprising:
S50, counting a group of time sequence data corresponding to each piece of historical network communication data corresponding to any same communication information, wherein the time sequence data comprises the packet length of a data packet and the time difference between every two adjacent pieces of historical network communication data;
S51, carrying out de-duplication on the packet lengths corresponding to the same communication information, and arranging the packet lengths from small to large to obtain an array and obtain a one-hot code corresponding to the array;
S52, sequentially taking the one-hot code corresponding to each packet length in the array as a label value, sequentially taking the one-hot codes and the time differences corresponding to the first n packet lengths adjacent to the packet length corresponding to the label value in the array, and sequentially taking the one-hot codes and the time differences corresponding to the last m packet lengths adjacent to the packet length corresponding to the label value as input values, and constructing a neural network model;
S53, executing S50 to S52 on each piece of historical network communication data corresponding to each piece of same communication information to obtain a neural network model corresponding to each piece of same communication information.
3. A method for determining whether network communication behavior is abnormal according to claim 1 or 2, further comprising:
and S4, executing S3 on each group of network communication data with the same communication information, counting the total number of all the untrusted data packets, and giving an alarm when the total number of all the untrusted data packets exceeds a first preset total number threshold value.
4. A method for determining whether network communication behavior is abnormal according to claim 3, wherein before issuing the alarm, the method further comprises:
when the total number of all the untrusted data packets exceeds a second preset total number threshold value, calculating the occupation ratio of all the untrusted data packets in all the data packets, and judging whether the occupation ratio is greater than a preset occupation ratio threshold value or not to obtain a first judgment result;
the issuing of the alert includes: and when the first judgment result is yes, giving an alarm.
5. The method of claim 4, further comprising:
acquiring the preset equipment corresponding to each alarm within a preset time period, and when the number of times any preset equipment is so identified exceeds a preset times threshold, determining that preset equipment to be the preset equipment engaging in the untrusted communication behavior.
6. The method of claim 4 or 5, wherein the step of determining whether the network communication behavior is abnormal further comprises, before S3:
judging whether a group of network communication data to be judged with the same communication information has a corresponding neural network model or not to obtain a second judgment result;
S3 includes: when the second judgment result is yes, S3 is executed.
7. The method of claim 6, further comprising:
and when the second judgment result is negative, continuing to execute S1-S2 until the quantity of the group of network communication data to be judged with the same communication information exceeds a second preset quantity, taking the network communication data in the group as historical network communication data, and executing S50-S52 to obtain a neural network model corresponding to the same communication information.
8. A method for determining whether network communication behavior is abnormal according to claim 1 or 2, wherein the communication information of any network communication data includes: the IP and the port of the preset device for sending the network communication data, the IP and the port of the preset device for receiving the network communication data, and the protocol corresponding to the network communication data.
9. A system for judging whether network communication behavior is abnormal is characterized by comprising an acquisition module, an analysis module and a first judgment module;
the acquisition module is used for acquiring a plurality of pieces of network communication data among a plurality of preset devices;
the analysis module is used for analyzing each piece of network communication data to obtain communication information corresponding to each piece of network communication data;
the first judging module is used for: according to a group of network communication data with the same communication information to be judged and a neural network model corresponding to the same communication information, judging whether a first preset number of incredible data packets exist in the group of network communication data, if so, judging that a network communication behavior is abnormal, and if not, judging that a network abnormal communication behavior does not exist.
10. An electronic device comprising a memory, a processor and a program stored on the memory and running on the processor, wherein the processor implements the steps of a method of determining whether network communication behavior is abnormal as claimed in any one of claims 1 to 8 when executing the program.
CN202110302584.8A 2021-03-22 2021-03-22 Method, system and electronic equipment for judging whether network communication behavior is abnormal or not Pending CN112882905A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110302584.8A CN112882905A (en) 2021-03-22 2021-03-22 Method, system and electronic equipment for judging whether network communication behavior is abnormal or not

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110302584.8A CN112882905A (en) 2021-03-22 2021-03-22 Method, system and electronic equipment for judging whether network communication behavior is abnormal or not

Publications (1)

Publication Number Publication Date
CN112882905A true CN112882905A (en) 2021-06-01

Family

ID=76041625

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110302584.8A Pending CN112882905A (en) 2021-03-22 2021-03-22 Method, system and electronic equipment for judging whether network communication behavior is abnormal or not

Country Status (1)

Country Link
CN (1) CN112882905A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111222133A (en) * 2019-11-14 2020-06-02 辽宁工程技术大学 Multistage self-adaptive coupling method for industrial control network intrusion detection
CN111600865A (en) * 2020-05-11 2020-08-28 杭州安恒信息技术股份有限公司 Abnormal communication detection method and device, electronic equipment and storage medium
CN111865949A (en) * 2020-07-09 2020-10-30 恒安嘉新(北京)科技股份公司 Abnormal communication detection method and device, server and storage medium
CN111935172A (en) * 2020-08-25 2020-11-13 珠海市一知安全科技有限公司 Network abnormal behavior detection method based on network topology, computer device and computer readable storage medium
CN112257760A (en) * 2020-09-30 2021-01-22 北京航空航天大学 Method for detecting abnormal network communication behavior of host based on time sequence die body


Similar Documents

Publication Publication Date Title
CN111262722B (en) Safety monitoring method for industrial control system network
CN109981328B (en) Fault early warning method and device
CN115563180A (en) Dynamic threshold generation method, device, equipment and storage medium
CN114595210A (en) Multi-dimensional data anomaly detection method and device and electronic equipment
CN113206797A (en) Flow control method and device, electronic equipment and storage medium
CN113934536B (en) Data acquisition method facing edge calculation
CN113259367B (en) Industrial control network flow multistage anomaly detection method and device
WO2020036850A1 (en) Protocol-independent anomaly detection
CN113705714A (en) Power distribution Internet of things equipment abnormal behavior detection method and device based on behavior sequence
CN112882905A (en) Method, system and electronic equipment for judging whether network communication behavior is abnormal or not
CN111555895B (en) Method, device, storage medium and computer equipment for analyzing website faults
CN116074215B (en) Network quality detection method, device, equipment and storage medium
CN109462510B (en) CDN node quality evaluation method and device
CN113285824B (en) Method and device for monitoring security of network configuration command
CN111431752A (en) Safety detection method based on adaptive flow control
CN113535458B (en) Abnormal false alarm processing method and device, storage medium and terminal
WO2023181241A1 (en) Monitoring server device, system, method, and program
CN113487010B (en) Power grid network security event analysis method based on machine learning
CN114860543A (en) Anomaly detection method, device, equipment and computer readable storage medium
CN114928467A (en) Network security operation and maintenance association analysis method and system
CN115238779A (en) Anomaly detection method, device, equipment and medium for cloud disk
CN113285847A (en) Communication network anomaly detection method and system of intelligent converter station monitoring system
CN114584356A (en) Network security monitoring method and network security monitoring system
CN113886757A (en) Power communication network PTN network service operation reliability assessment method
CN112069037A (en) Method and device for detecting no threshold value of cloud platform

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination