CN114629718A - Hidden malicious behavior detection method based on multi-model fusion - Google Patents

Info

Publication number: CN114629718A
Authority: CN (China)
Prior art keywords: model, sample, hidden, dns, training
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202210364305.5A
Other languages: Chinese (zh)
Inventors: 吕明琪, 黄伟达, 陈铁明, 陈波, 顾国民, 朱添田
Current Assignee: Zhejiang University of Technology ZJUT (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Zhejiang University of Technology ZJUT
Priority date: 2022-04-07 (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date: 2022-04-07
Publication date: 2022-06-14
Application filed by Zhejiang University of Technology ZJUT


Classifications

    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • G06N3/045 Neural networks; architecture, e.g. interconnection topology; combinations of networks
    • G06N3/08 Neural networks; learning methods

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Molecular Biology (AREA)
  • Data Mining & Analysis (AREA)
  • Computational Linguistics (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Evolutionary Computation (AREA)
  • Biophysics (AREA)
  • Biomedical Technology (AREA)
  • Artificial Intelligence (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a hidden malicious behavior detection method based on multi-model fusion, which comprises the steps of obtaining black samples, white samples and CDN sample data sets of DNS messages; performing feature extraction on the black sample, the white sample and the CDN sample data set; performing multi-model training based on the extracted features, and performing weight fusion on the trained multi-model to obtain a hidden malicious behavior detection model; and detecting and capturing the DNS hidden tunnel in real time by using the hidden malicious behavior detection model. The invention can greatly reduce the labor cost and simultaneously improve the accuracy of DNS hidden tunnel detection.

Description

Hidden malicious behavior detection method based on multi-model fusion
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a hidden malicious behavior detection method based on multi-model fusion.
Background
Although network security defenses are becoming increasingly intelligent, one key reason malicious attacks still succeed so often is their concealment: the most common detection methods, such as feature (signature) matching or machine learning, can be easily bypassed by hiding techniques such as hidden tunnels.
The DNS hidden tunnel is one such hiding technique. Because most firewalls, intrusion detection systems and intrusion prevention systems rarely inspect DNS traffic, DNS is well placed to serve as a hidden channel. The DNS (Domain Name System) is a core Internet service that maps domain names to IP addresses and vice versa, making the Internet easier for people to use. DNS normally uses port 53; each label of a domain name is limited to 63 characters, and the whole domain name cannot exceed 253 characters.
DNS tunneling encapsulates the content of other protocols inside the DNS protocol and then carries the data in DNS request and response packets. For functional and usability reasons a firewall cannot completely filter out the DNS protocol, so an attacker can use DNS tunneling for dangerous operations such as file transfer and building a C&C channel.
DNS tunnels can be divided into direct tunnels and relay tunnels according to how they are implemented. In a direct tunnel the client connects directly to a designated target DNS server and the encoded data is encapsulated in the DNS protocol; this is faster, but poorly concealed and easy to detect and trace. A relay tunnel works through DNS recursive queries and is relatively well hidden, but because each packet passes through several nodes before reaching the target DNS server it is much slower than a direct tunnel. In addition, to avoid the DNS cache of the local client, the tunnel generates a fresh domain name for each query using a domain generation algorithm (DGA), which also effectively bypasses blacklist detection. Consequently, a DNS hidden tunnel shows a characteristic pattern: a large number of non-repeating domain names during the tunnel communication period.
Existing detection technology for hidden malicious behavior falls mainly into two types: rule-based detection and machine-learning-based detection. The drawback of rule-based detection is that DNS tunneling software can change characteristics such as domain name length and request frequency to evade these rules. Machine-learning-based detection needs training data collected in advance for modelling; although this reduces labour cost to some extent, it cannot automatically learn abstract features, its efficiency is low, and part of the data still has to be processed manually.
Disclosure of Invention
The invention aims to provide a hidden malicious behavior detection method based on multi-model fusion, which can greatly reduce the labor cost and improve the accuracy of DNS hidden tunnel detection.
In order to achieve this aim, the technical scheme adopted by the invention is as follows:
A hidden malicious behavior detection method based on multi-model fusion comprises the following steps:
step 1, obtaining black-sample, white-sample and CDN-sample data sets of DNS messages;
step 2, performing feature extraction on the black-sample, white-sample and CDN-sample data sets;
step 3, performing multi-model training based on the extracted features and fusing the trained models by weight to obtain a hidden malicious behavior detection model, which comprises the following steps:
step 3.1, performing multi-model training based on the extracted features, wherein the multi-model comprises an LSTM model, a 1D-CNN model and an MLP model;
step 3.2, calculating the weight corresponding to each model as follows:
[the expression for $w_i$ is given only as an image, BDA0003585236930000021, in the source]
$f(v_i) = (v_i)^{\alpha}$
where $w_i$ is the weight of the i-th model, $v_i$ is the accuracy of the i-th model, $n$ is the number of models ($n = 3$), and $\alpha$ is a constant greater than 1;
step 3.3, fusing the models by weight as follows:
$p = p_{\mathrm{MLP}} \times w_{\mathrm{MLP}} + p_{\text{1D-CNN}} \times w_{\text{1D-CNN}} + p_{\mathrm{RNN}} \times w_{\mathrm{RNN}}$
where $p$ is the detection result output by the hidden malicious behavior detection model, $p_{\mathrm{MLP}}$ is the detection result of the MLP model, $w_{\mathrm{MLP}}$ is the weight of the MLP model, $p_{\text{1D-CNN}}$ is the detection result of the 1D-CNN model, $w_{\text{1D-CNN}}$ is the weight of the 1D-CNN model, $p_{\mathrm{RNN}}$ is the detection result of the LSTM model, and $w_{\mathrm{RNN}}$ is the weight of the LSTM model;
step 4, detecting and capturing the DNS hidden tunnel in real time using the hidden malicious behavior detection model.
Several alternatives are provided below. They are not additional limitations on the general solution above but further additions or preferences, and each alternative may be combined individually with the general solution, or with other alternatives, as long as there is no technical or logical contradiction.
Preferably, obtaining the black-sample, white-sample and CDN-sample data sets of DNS messages comprises:
step 1.1, constructing a DNS hidden tunnel and acquiring a black-sample data set of DNS messages by packet capture;
step 1.2, acquiring a white-sample data set of DNS messages from the campus network by capturing campus network traffic;
step 1.3, obtaining a CDN-sample data set by capturing CDN traffic.
Preferably, obtaining the black-sample, white-sample and CDN-sample data sets of DNS messages further comprises:
step 1.4, parsing each record in the black-sample, white-sample and CDN-sample data sets; during parsing, reading the source data, extracting from it the features required for multi-model training, and then converting the extracted features into a file the model can read.
Preferably, performing feature extraction on the black-sample, white-sample and CDN-sample data sets comprises:
step 2.1, filtering out invalid sample data;
step 2.2, extracting the subdomain from the domain name feature of each sample record;
step 2.3, taking the number of effective characters in the subdomain as the maximum feature value, and integer-coding the subdomain name to convert it into a word vector;
step 2.4, if the length of the domain name feature is less than the maximum feature value, padding the word vector with a filler until it reaches the maximum feature value and outputting the padded word vector as the extracted feature; otherwise, outputting the word vector of step 2.3 directly as the extracted feature.
Preferably, the multi-model training based on the extracted features comprises:
randomly sampling the features extracted from the black-sample, white-sample and CDN-sample data sets to divide them into a training set and a test set;
performing multi-model training with the training set, where during training a one-dimensional convolution function is first added to the 1D-CNN model, a long short-term memory network function to the LSTM model and a hidden layer to the MLP model for feature processing; then an embedding layer is added to the training process of each of the three models for dimensionality reduction of the data; and then a dropout layer is added to the 1D-CNN, LSTM and MLP models for smoothing;
verifying each model with the test set: if the accuracy of each model meets a preset requirement, training is finished; otherwise, multi-model training is performed again with the training set.
Preferably, the detection result output by the hidden malicious behavior detection model is a two-dimensional vector whose first dimension is the probability that the data belongs to a DNS hidden tunnel and whose second dimension is the probability that the data is normal.
In the hidden malicious behavior detection method based on multi-model fusion provided by the invention, the collected DNS samples are used for multi-model training to produce a preliminary model, the preliminary model is then tested with a test set, and finally a stable model that can automatically detect DNS hidden tunnels is obtained. Because the data is trained using deep learning's ability to extract latent features automatically, labour cost is greatly reduced while the accuracy of DNS hidden tunnel detection is improved.
Drawings
FIG. 1 is a flowchart of a hidden malicious behavior detection method based on multi-model fusion according to the present invention;
FIG. 2 is a flow chart of acquiring a data set according to the present invention;
FIG. 3 is a flow chart of feature extraction for a data set according to the present invention;
FIG. 4 is a flow chart of the present invention for performing multi-model training.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention.
To overcome the problems of the prior art, namely that detection of hidden malicious behavior is easy to bypass, takes a long time and has low accuracy, this embodiment provides a hidden malicious behavior detection method based on multi-model fusion.
As shown in fig. 1, the hidden malicious behavior detection method based on multi-model fusion provided in this embodiment comprises the following steps:
Step 1, obtaining black-sample, white-sample and CDN-sample data sets of DNS messages.
Many ways of acquiring a training data set exist in the prior art; to improve the model training effect, this embodiment uses the data acquisition procedure shown in fig. 2, which is as follows:
Step 1.1, a DNS hidden tunnel is constructed with the dnscat2 tool, and a black-sample data set of DNS messages is acquired by capturing its packets with the wireshark packet capture tool.
Step 1.2, a white-sample data set of DNS messages from the campus network is obtained by capturing campus network traffic with the wireshark packet capture tool.
Step 1.3, CDN traffic is captured with the wireshark packet capture tool to obtain a CDN-sample data set. Because some CDNs use domain names that resemble hidden tunnel names, the CDN data set is also used to train the model so as to achieve the highest possible detection accuracy.
The data set contains DNS request and response message information, including destination server, source server, port, protocol, number of packets, domain name information, etc.
Step 1.4, because the captured data is complex and diverse and is in pcap format, which a model cannot read directly, the data set has to be processed. During processing, each record in the black-sample, white-sample and CDN-sample data sets is first parsed: the source data is read, the features required for multi-model training (including destination port, response data, query domain name and query data) are extracted from it, and the extracted features are then converted into a file (for example a txt file) that the model (deep learning algorithm) can read.
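The parsing in step 1.4 is described only in outline. As an added illustration (this is not code from the patent or its authors), the Python below decodes a DNS message from its wire format and flattens it to the fields the step names: destination port, query domain name, query data (taken here as the query type, an interpretation) and response data, written out as one tab-separated text line. The message, the field names and the txt layout are all constructed for the example; a real pipeline would read the pcap with a capture library and take the destination port from the UDP header.

```python
import struct

# Minimal DNS wire-format parser that pulls the fields the patent lists
# (destination port, query domain name, query data, response data) out of a
# captured message. The sample message below is CONSTRUCTED for this example;
# it is not data from the patent's capture.

def encode_name(name):
    """Encode a dotted name as DNS labels (length byte + label), ending in 0x00."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"

def build_response(qname, qtype=1, rdata=b"\xc0\x00\x02\x01", txid=0x1234):
    """Build a one-question, one-answer DNS response (A record 192.0.2.1 by default)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)    # QR=1, RD, RA
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    # the answer name is a compression pointer (0xC00C) back to offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 60, len(rdata)) + rdata
    return header + question + answer

def read_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2                       # resume after the pointer
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)

def parse_dns(msg):
    """Parse header, question and answer sections into a dict."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}

def to_record(dst_port, msg):
    """Flatten one message into the feature fields used for training."""
    parsed = parse_dns(msg)
    qname, qtype = parsed["questions"][0]
    rdata = parsed["answers"][0][2].hex() if parsed["answers"] else ""
    return {"dst_port": dst_port, "query_domain": qname,
            "query_type": qtype, "response_data": rdata}

def record_to_line(rec):
    """One tab-separated line; the txt layout is assumed, the patent gives none."""
    return "\t".join(str(rec[k]) for k in
                     ("dst_port", "query_domain", "query_type", "response_data"))

if __name__ == "__main__":
    sample = build_response("a8f3k2.tunnel.example.com")   # constructed sample
    print(record_to_line(to_record(53, sample)))
```

The compression-pointer handling in `read_name` matters for the response data: answer records almost always point back at the question name, and a parser that ignores pointers silently loses the rdata that the patent uses as a feature.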
Step 2, performing feature extraction on the black-sample, white-sample and CDN-sample data sets.
Feature extraction obtains, from the sample data, the data to be input to the neural network; the data processing procedure for feature extraction in this embodiment is shown in fig. 3.
Step 2.1, filtering out invalid sample data, i.e. keeping only DNS data. Each sample record includes the protocol and port features, so every record is filtered: records whose protocol is not 17 (UDP) or whose port is not 53 are treated as invalid data and discarded.
Step 2.2, extracting the subdomain from the domain name feature of each sample record. A domain name feature consists of a root domain and a subdomain. A DNS hidden tunnel can only carry its encoded data in the subdomain part, and the root domain has no influence on the encoded data. This embodiment therefore extracts the subdomain from the domain name feature of each record and processes the subdomain further.
Step 2.3, taking the number of effective characters in the subdomain as the maximum feature value, and integer-coding the subdomain name to convert it into a word vector. The integer coding is the conventional coding used in data processing and is not described in detail in this embodiment.
Step 2.4, if the length of the domain name feature is less than the maximum feature value, padding the word vector with a filler character (such as '0') until the length of the domain name feature reaches the maximum feature value and outputting the padded word vector as the extracted feature; otherwise, outputting the word vector of step 2.3 directly as the extracted feature.
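Steps 2.1 to 2.4 above, carried out on a handful of constructed records as an added example (not the patent's own code). The character alphabet, the two-label root domain rule and the sample records are assumptions made for the illustration; the patent does not specify the coding table. The example also shows the two things a defender would check when reproducing the method: that the filter really keeps only UDP/53 records, and that the padding length is fixed by the longest subdomain in the data set.

```python
# Feature extraction (steps 2.1-2.4) on constructed sample records. Each record
# carries the protocol number, destination port and query domain that step 1.4
# produced; the labels (1 = hidden tunnel, 0 = normal) are made up for the example.

PROTO_UDP = 17
DNS_PORT = 53
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-_"   # assumed domain alphabet
PAD = 0                                                # filler, as the patent's '0'

SAMPLES = [  # constructed records, not the patent's data
    {"protocol": 17, "port": 53,   "domain": "a8f3k2.tunnel.example.com",   "label": 1},
    {"protocol": 6,  "port": 80,   "domain": "www.example.com",             "label": 0},  # TCP/80: dropped
    {"protocol": 17, "port": 53,   "domain": "www.example.com",             "label": 0},
    {"protocol": 17, "port": 5353, "domain": "printer.local",               "label": 0},  # mDNS port: dropped
    {"protocol": 17, "port": 53,   "domain": "cdn-edge-12.cdn.example.net", "label": 0},
]

def filter_dns(samples):
    """Step 2.1: keep only records with protocol 17 (UDP) and port 53."""
    return [s for s in samples if s["protocol"] == PROTO_UDP and s["port"] == DNS_PORT]

def subdomain_of(domain, root_labels=2):
    """Step 2.2: strip the root domain. Assumes the root is the last two labels
    (a public-suffix list would be used in practice)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[:-root_labels]) if len(labels) > root_labels else ""

def encode_subdomain(sub):
    """Step 2.3: integer-code each effective character (1-based so 0 stays the filler);
    dots are label separators and are not counted as effective characters."""
    return [ALPHABET.index(c) + 1 for c in sub if c in ALPHABET]

def pad_vector(vec, max_len):
    """Step 2.4: right-pad shorter vectors with the filler; output longer ones unchanged."""
    return vec + [PAD] * (max_len - len(vec)) if len(vec) < max_len else vec

def extract_features(samples):
    """Run steps 2.1-2.4 over a data set; max_len is the longest effective-character count."""
    kept = filter_dns(samples)
    encoded = [encode_subdomain(subdomain_of(s["domain"])) for s in kept]
    max_len = max((len(v) for v in encoded), default=0)
    X = [pad_vector(v, max_len) for v in encoded]
    y = [s["label"] for s in kept]
    return X, y, max_len

if __name__ == "__main__":
    X, y, max_len = extract_features(SAMPLES)
    for vec, label in zip(X, y):
        print(label, vec)
    print("max feature length:", max_len)
```

Because `max_len` is derived from the training data, a deployment must persist it with the model: a record whose subdomain is longer than any seen in training would otherwise produce a vector the network cannot accept, and the patent's "otherwise output directly" branch only covers the case where lengths already agree.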
Step 3, performing multi-model training based on the extracted features and fusing the trained models by weight to obtain the hidden malicious behavior detection model. As shown in fig. 4, this comprises the following steps:
Step 3.1, performing multi-model training based on the extracted features, where the multi-model comprises an LSTM model, a 1D-CNN model and an MLP model, as follows:
Step 3.1.1, the features extracted from the black-sample, white-sample and CDN-sample data sets are randomly sampled and divided into a training set and a test set. For example, 80% of the data is used to train the multilayer perceptron model (MLP model), the one-dimensional convolutional neural network model (1D-CNN model) and the long short-term memory network model (LSTM model) respectively, and the remaining 20% is used to validate each trained model.
Step 3.1.2, multi-model training is performed with the training set. During training, a one-dimensional convolution function is first added to the 1D-CNN model for feature processing (the features being the word vectors of the domain name fragments output in step 2.4), a long short-term memory network function is added to the LSTM model for feature processing, and a hidden layer is added to the MLP model for feature processing; then an embedding layer is added to the training process of each of the three models for dimensionality reduction, which is essentially the same as word2vec; and then a dropout layer is added to the 1D-CNN, LSTM and MLP models for smoothing, to prevent overfitting.
Step 3.1.3, each model is verified with the test set: if the accuracy of each model meets the preset requirement, training is finished; otherwise, multi-model training is performed again with the training set.
Step 3.2, after the tested models meet the preset requirement, the weight of each model in the final result is calculated as follows:
[the expression for $w_i$ is given only as an image, BDA0003585236930000061, in the source]
$f(v_i) = (v_i)^{\alpha}$
where $w_i$ is the weight of the i-th model, $v_i$ is the accuracy of the i-th model, $n$ is the number of models ($n = 3$), and $\alpha$ is a constant greater than 1. The purpose of introducing the function $f(v_i) = (v_i)^{\alpha}$ is to increase the weight given to the model with the higher accuracy.
Step 3.3, the models are fused by weight to fix the final model, as follows:
$p = p_{\mathrm{MLP}} \times w_{\mathrm{MLP}} + p_{\text{1D-CNN}} \times w_{\text{1D-CNN}} + p_{\mathrm{RNN}} \times w_{\mathrm{RNN}}$
where $p$ is the detection result output by the hidden malicious behavior detection model, $p_{\mathrm{MLP}}$ is the detection result of the MLP model, $w_{\mathrm{MLP}}$ is the weight of the MLP model, $p_{\text{1D-CNN}}$ is the detection result of the 1D-CNN model, $w_{\text{1D-CNN}}$ is the weight of the 1D-CNN model, $p_{\mathrm{RNN}}$ is the detection result of the LSTM model, and $w_{\mathrm{RNN}}$ is the weight of the LSTM model.
The detection result output by the hidden malicious behavior detection model obtained in this embodiment is a two-dimensional vector, whose first dimension is the probability that the data belongs to a DNS hidden tunnel and whose second dimension is the probability that the data is normal.
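Steps 3.2 and 3.3 as an added worked example in Python (not code from the patent). The accuracies and the per-record model outputs are constructed; the normalisation $w_i = f(v_i) / \sum_j f(v_j)$ is an assumption, because the source shows the expression for $w_i$ only as an image, and the 0.5 decision threshold on the first dimension is likewise assumed. The unweighted mean is included only to show what the accuracy weighting changes on this record.

```python
# Weight computation (step 3.2) and weighted fusion (step 3.3) with constructed
# accuracies and per-model outputs. The patent gives f(v_i) = (v_i)^alpha and
# states that w_i is derived from it; the normalisation w_i = f(v_i) / sum_j f(v_j)
# used here is an ASSUMPTION, since the source shows that expression only as an image.

MODELS = ("MLP", "1D-CNN", "LSTM")   # the patent's w_RNN / p_RNN refer to the LSTM

def model_weights(accuracies, alpha=2.0):
    """w_i = f(v_i) / sum_j f(v_j) with f(v) = v**alpha, alpha > 1 (normalisation assumed)."""
    if alpha <= 1:
        raise ValueError("alpha must be a constant greater than 1")
    scores = {name: accuracies[name] ** alpha for name in MODELS}
    total = sum(scores.values())
    return {name: s / total for name, s in scores.items()}

def fuse(outputs, weights):
    """p = p_MLP*w_MLP + p_1D-CNN*w_1D-CNN + p_RNN*w_RNN on two-dimensional
    outputs [P(hidden tunnel), P(normal)]."""
    p = [0.0, 0.0]
    for name in MODELS:
        p[0] += outputs[name][0] * weights[name]
        p[1] += outputs[name][1] * weights[name]
    return p

def mean_fuse(outputs):
    """Unweighted average, for comparison with the accuracy-weighted fusion."""
    n = len(MODELS)
    return [sum(outputs[m][0] for m in MODELS) / n,
            sum(outputs[m][1] for m in MODELS) / n]

def decide(p, threshold=0.5):
    """Read the first dimension (tunnel probability) against a threshold (assumed 0.5)."""
    return "dns_tunnel" if p[0] >= threshold else "normal"

# Constructed test-set accuracies and per-model outputs for one DNS record.
ACCURACY = {"MLP": 0.85, "1D-CNN": 0.98, "LSTM": 0.75}
OUTPUTS = {"MLP": [0.30, 0.70], "1D-CNN": [0.70, 0.30], "LSTM": [0.45, 0.55]}

def detect(outputs=OUTPUTS, accuracies=ACCURACY, alpha=2.0):
    """Full step 3.2 + 3.3 pass: weights, fused vector and the verdict."""
    weights = model_weights(accuracies, alpha)
    p = fuse(outputs, weights)
    return p, decide(p), weights

if __name__ == "__main__":
    p, verdict, w = detect()
    print("weights:", {k: round(v, 3) for k, v in w.items()})
    print("fused p:", [round(x, 3) for x in p], "->", verdict)
    print("unweighted mean ->", decide(mean_fuse(OUTPUTS)))
```

With these constructed values the weighted fusion classifies the record as a tunnel while the unweighted mean does not, which is the effect the patent attributes to $f(v_i) = (v_i)^{\alpha}$: the most accurate model pulls the verdict its way, and raising $\alpha$ makes that pull stronger. Because the weights sum to one, the fused vector remains a probability distribution over the two classes.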
Step 4, detecting and capturing the DNS hidden tunnel in real time with the hidden malicious behavior detection model.
Multi-model fusion effectively improves the accuracy of detecting hidden malicious behavior and finally yields a stable model that can automatically detect DNS hidden tunnels; because deep learning's ability to extract latent features automatically is used to train on the data, labour cost is greatly reduced while the accuracy of DNS hidden tunnel detection is improved.
The technical features of the embodiments described above may be combined arbitrarily; for brevity, not all possible combinations of these features are described, but any combination that involves no contradiction should be considered within the scope of this specification.
The embodiments above express only several embodiments of the present invention, and their description is specific and detailed, but this is not to be construed as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the inventive concept, and these fall within the scope of the present invention. The protection scope of the present invention is therefore subject to the appended claims.

Claims (6)

1. A hidden malicious behavior detection method based on multi-model fusion is characterized by comprising the following steps:
step 1, obtaining black samples, white samples and CDN sample data sets of DNS messages;
step 2, extracting characteristics of the black sample, the white sample and the CDN sample data set;
step 3, performing multi-model training based on the extracted features, and performing weight fusion on the trained multi-model to obtain a hidden malicious behavior detection model, wherein the hidden malicious behavior detection model comprises the following steps:
step 3.1, performing multi-model training based on the extracted features, wherein the multi-model comprises an LSTM model, a 1D-CNN model and an MLP model;
step 3.2, calculating the weight corresponding to each model as follows:
[the expression for $w_i$ is given only as an image, FDA0003585236920000011, in the source]
$f(v_i) = (v_i)^{\alpha}$
in the formula, $w_i$ is the weight of the i-th model, $v_i$ is the accuracy of the i-th model, $n$ is the number of models ($n = 3$), and $\alpha$ is a constant greater than 1;
step 3.3, performing weight fusion on the multiple models as follows:
$p = p_{\mathrm{MLP}} \times w_{\mathrm{MLP}} + p_{\text{1D-CNN}} \times w_{\text{1D-CNN}} + p_{\mathrm{RNN}} \times w_{\mathrm{RNN}}$
wherein $p$ is the detection result output by the hidden malicious behavior detection model, $p_{\mathrm{MLP}}$ is the detection result of the MLP model, $w_{\mathrm{MLP}}$ is the weight of the MLP model, $p_{\text{1D-CNN}}$ is the detection result of the 1D-CNN model, $w_{\text{1D-CNN}}$ is the weight of the 1D-CNN model, $p_{\mathrm{RNN}}$ is the detection result of the LSTM model, and $w_{\mathrm{RNN}}$ is the weight of the LSTM model;
and 4, detecting and capturing the DNS hidden tunnel in real time by using the hidden malicious behavior detection model.
2. The method for detecting the hidden malicious behaviors based on multi-model fusion according to claim 1, wherein the obtaining of the black sample, the white sample and the CDN sample dataset of the DNS message comprises:
step 1.1, constructing a DNS hidden tunnel, and acquiring a black sample data set of a DNS message through packet capture;
step 1.2, acquiring a white sample data set of a DNS message in the campus network by packet capturing of traffic in the campus network;
and step 1.3, obtaining a CDN sample data set by packet capturing of CDN flow.
3. The method for detecting the hidden malicious behaviors based on multi-model fusion according to claim 2, wherein the obtaining of the black sample, the white sample and the CDN sample dataset of the DNS packet further comprises:
step 1.4, analyzing each piece of data in the black sample, the white sample and the CDN sample data set, reading source data and extracting features required by multi-model training from the source data during analysis, and then converting the extracted features into a model identifiable file.
4. The method for detecting the concealed malicious behavior based on the multi-model fusion as claimed in claim 1, wherein the performing feature extraction on the black sample, the white sample and the CDN sample dataset includes:
step 2.1, filtering illegal sample data;
step 2.2, extracting a subdomain from the domain name feature of each piece of sample data;
step 2.3, obtaining the effective character number in the subdomain as the maximum characteristic value, and carrying out integer coding on the domain name in the subdomain to convert the domain name into a word vector;
step 2.4, if the length of the domain name feature is smaller than the maximum feature value, filling the word vector by using a filler until the length of the domain name feature reaches the maximum feature value, and outputting the filled word vector as the extracted feature; otherwise, directly outputting the word vector in the step 2.3 as the extracted feature.
5. The method for detecting concealed malicious behaviors based on multi-model fusion as claimed in claim 1, wherein the multi-model training based on the extracted features comprises:
randomly sampling the characteristics extracted from the black sample, the white sample and the CDN sample data set to divide the characteristics into a training set and a testing set;
performing multi-model training by using a training set, wherein in the training process, firstly, a one-dimensional convolution function is added into a 1D-CNN model for feature processing, a long-term and short-term memory network function is added into an LSTM model for feature processing, and a hidden layer is added into an MLP model for feature processing; then, adding an embedding layer in the respective training processes of the three models to perform data dimension reduction; then, adding a dropout layer into the 1D-CNN model, the LSTM model and the MLP model for smoothing;
and verifying each model by using the test set, finishing training if the accuracy of each model reaches a preset requirement, and otherwise, performing multi-model training by using the training set again.
6. The hidden malicious behavior detection method based on multi-model fusion as claimed in claim 1, wherein the detection result output by the hidden malicious behavior detection model is a two-dimensional vector, a first dimension of the two-dimensional vector represents the probability that the data belongs to the DNS hidden tunnel, and a second dimension of the two-dimensional vector represents the probability that the data belongs to the normal data.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210364305.5A CN114629718A (en) 2022-04-07 2022-04-07 Hidden malicious behavior detection method based on multi-model fusion

Publications (1)

Publication Number Publication Date
CN114629718A true CN114629718A (en) 2022-06-14

Family

ID=81905008

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210364305.5A Pending CN114629718A (en) 2022-04-07 2022-04-07 Hidden malicious behavior detection method based on multi-model fusion

Country Status (1)

Country Link
CN (1) CN114629718A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115189922A (en) * 2022-06-17 2022-10-14 阿里云计算有限公司 Risk identification method and device and electronic equipment
CN115189922B (en) * 2022-06-17 2024-04-09 阿里云计算有限公司 Risk identification method and apparatus, and electronic device
CN115238671A (en) * 2022-09-22 2022-10-25 四川大学 Anti-interference detection method based on grammatical features and integration strategy
CN115314239A (en) * 2022-06-21 2022-11-08 中化学交通建设集团有限公司 Analysis method and related equipment for hidden malicious behaviors based on multi-model fusion

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109936582A (en) * 2019-04-24 2019-06-25 第四范式(北京)技术有限公司 Method and device for constructing a PU-learning-based malicious traffic detection model
CN110266647A (en) * 2019-05-22 2019-09-20 北京金睛云华科技有限公司 Command-and-control communication detection method and system
CN111967343A (en) * 2020-07-27 2020-11-20 广东工业大学 Detection method based on simple neural network and extreme gradient lifting model fusion
CN111970277A (en) * 2020-08-18 2020-11-20 中国工商银行股份有限公司 Flow identification method and device based on federal learning
CN113328994A (en) * 2021-04-30 2021-08-31 新华三信息安全技术有限公司 Malicious domain name processing method, device, equipment and machine readable storage medium
CN114172748A (en) * 2022-02-10 2022-03-11 中国矿业大学(北京) Encrypted malicious traffic detection method

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115189922A (en) * 2022-06-17 2022-10-14 阿里云计算有限公司 Risk identification method and device and electronic equipment
CN115189922B (en) * 2022-06-17 2024-04-09 阿里云计算有限公司 Risk identification method and apparatus, and electronic device
CN115314239A (en) * 2022-06-21 2022-11-08 中化学交通建设集团有限公司 Analysis method and related equipment for hidden malicious behaviors based on multi-model fusion
CN115238671A (en) * 2022-09-22 2022-10-25 四川大学 Anti-interference detection method based on grammatical features and integration strategy

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination