CN114978663A - Internet security service system based on behavior camouflage - Google Patents


Info

Publication number
CN114978663A
Authority
CN
China
Prior art keywords
server
data
attack
network
target server
Legal status
Pending
Application number
CN202210538880.2A
Other languages
Chinese (zh)
Inventor
王荣鑫
Current Assignee
Individual
Original Assignee
Individual

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention belongs to the technical field of internet security, and in particular relates to an internet security service system based on behavior camouflage. The system comprises a target server, a transfer server, a mirror camouflage server and an attack camouflage server; the target server, the mirror camouflage server and the attack camouflage server are in the same network and are in signal connection with one another. The invention constructs a server that attacks the target server in order to deceive the attacker who is actually attacking the target server, because in practice, if the attacker detects that the target server is already under attack, the attacker abandons the attack on the target server. At the same time, the constructed attack camouflage server, after destroying the data it acquired, also constructs a mirror camouflage server, thereby deceiving and misleading the attacker.

Description

Internet security service system based on behavior camouflage
Technical Field
The invention belongs to the technical field of internet security, and particularly relates to an internet security service system based on behavior camouflage.
Background
With the rapid development of internet technology, the internet provides users with many convenient applications, such as instant messaging, social platforms and online shopping. At the same time, hackers maliciously attack the network servers behind these applications so that users cannot access them normally. Taking Distributed Denial of Service (DDoS) as an example, a large number of zombie hosts compromised or indirectly used by an attacker send a large number of disguised network packets to the attack object (the network server), causing network congestion or exhaustion of server resources, so that the server refuses service to legitimate users: the packets that legitimate users send to the server are drowned out and the legitimate users cannot access the server's network resources normally. Common DDoS attack methods include SYN flood, ACK flood, UDP flood, ICMP flood, TCP flood, connection flood, script flood and proxy flood.
At present, network attack detection generally proceeds as follows: data thresholds are set manually and empirically and stored in advance in a computer device. During network operation, the computer device obtains the data stream sent to the server, computes statistics of the data stream, compares them with the stored thresholds, and determines that the server is under network attack if the statistics exceed a threshold.
However, all of these methods are passive defences, and network attacks are often hidden and disguised, so the accuracy with which attacks are discovered suffers and network security is threatened.
Therefore, if a method can be found that counters the network attack at its source, so that the attack is diverted or the real server is no longer taken as the attack object, network security can be greatly improved.
Disclosure of Invention
In view of the above, the main object of the present invention is to provide an internet security service system based on behavior camouflage. The invention constructs a server that attacks the target server in order to deceive the attacker who is actually attacking it, because in practice, if the attacker detects that the target server is already under attack, the attacker abandons the attack on the target server. At the same time, the attack camouflage server constructed by the invention, after destroying the data it acquired, also constructs a mirror camouflage server, thereby deceiving and misleading the attacker. In addition, the transfer server, target server and mirror camouflage server of the invention switch roles with one another during operation, which causes the attacker still greater difficulty.
In order to achieve the purpose, the technical scheme of the invention is realized as follows:
An internet security service system based on behavior camouflage, the system comprising a target server, a transfer server, a mirror camouflage server and an attack camouflage server. The target server, the mirror camouflage server and the attack camouflage server are in the same network and are in signal connection with one another; the transfer server is in a different network from the target server, the mirror camouflage server and the attack camouflage server, and is in signal connection with the attack camouflage server. The attack camouflage server performs a network attack on the target server in real time to acquire data from the target server, destroys the corresponding data in the target server, transmits the acquired data to the transfer server, scrambles the acquired data to obtain scrambled data, and transmits the scrambled data to the mirror camouflage server. The mirror camouflage server receives the scrambled data, sends an information request to the target server for the target server's physical parameters, then adjusts its own physical parameters to match the acquired ones, thereby simulating the target server and completing the conversion of the mirror camouflage server into the target server. After receiving the information request from the mirror camouflage server, the target server sends its physical parameters to the mirror camouflage server, then clears its own data and completes the conversion of the target server into the transfer server.
Furthermore, the target server and the mirror camouflage server each have two states, a working state and a waiting state, and they switch between the two states with the same set time period; the attack camouflage server and the transfer server have only a working state.
Further, the start time of the target server's operation is set to t_0 and the time period is set to T. The target server's working state lasts from t_0 to t_0 + T and its waiting state from t_0 + T to t_0 + 2T. The attack camouflage server starts working at t_0. The transfer server starts operating at t_0 + T. The mirror camouflage server starts operating at t_0 + T; its working state lasts from t_0 + T to t_0 + 2T and its waiting state from t_0 + 2T to t_0 + 3T. The attack camouflage server starts working at t_0, acquires data from the target server and destroys the corresponding data in the target server; after the time period T the target server enters the waiting state, and the attack camouflage server transmits the acquired data to the transfer server, then scrambles the acquired data to obtain scrambled data and transmits the scrambled data to the mirror camouflage server. The transfer server starts working at t_0 + T, after receiving the data acquired by the attack camouflage server.
Further, the attack camouflage server comprises a target determination part, an attack part, a scrambling part and a data transmission part. The target determination part is configured to determine the target server when the attack camouflage server starts operating and to re-determine the target server every 2T thereafter. The attack part comprises a first attack part, a second attack part and an attack identification part. The first attack part is configured to attack the target server over the network in real time and acquire the target server's data. The attack identification part is configured to detect, at a set identification period, whether the target server is under attack, to identify the attack type if it is, and to send the attack type identification result to the second attack part. The second attack part is configured to take over from the first attack part on the basis of the received identification result, attacking the target server with the same attack type and acquiring the target server's data. The scrambling part is configured to destroy the data corresponding to the data acquired from the target server and obtain scrambled data. The data transmission part is configured to send the acquired data to the transfer server and the scrambled data to the mirror camouflage server.
Further, the method by which the first attack part attacks the target server in real time and acquires its data is: randomly select one of password intrusion, WWW spoofing, node attack or port scanning and use it to attack the target server so as to obtain the target server's data.
Further, the method by which the attack identification part detects, at the set identification period, whether the target server is under attack comprises: obtaining the network structure of the network formed by the server and the local ends connected to it; forming, from the network structure, a network chain comprising at least the server and one local end, where the network chain is the target link estimated, by analysing the network topology against the characteristics of the network attack, to be the one subjected to attack; sending a probe packet along the network chain to a local end in the chain; receiving the response packet that the local end sends when triggered by the probe packet; obtaining the current detection parameters from the reception parameters of the response packet and the information it carries; and performing data feature matching with a preset data feature matching model using the current detection parameters and the stored historical detection data, and determining from the data feature matching result whether the network chain is under attack.
Further, the data feature matching model is expressed by the following formulas:
[Formulas of the data feature matching model: equation images not reproduced in the text]
where Est is the computed data feature matching result, N is the number of local ends connected to the server, n is the number of local ends in the network chain, C is an adjustment coefficient with a value range of 1 to 3, F is the current detection parameter and H is the historical detection data; when the value of Est falls within the set threshold range, the network chain is judged to be under network attack.
Further, the method by which the attack identification part identifies the attack type comprises: collecting the network operation data of the target server, which comprises a source IP address, source port number, destination IP address, feature offset, feature length, feature detail, destination port number and protocol type; performing data anomaly analysis on the network operation data with an autoencoder, which learns the behavior patterns of historical normal data and historical abnormal data so that, once trained, it judges the collected network operation data to be normal or abnormal; using a deep neural network as a discrimination model to judge whether the attack type currently received by the target server is a known attack type or an unknown type; and combining the results of the autoencoder and the discrimination model to complete network attack classification and unknown attack detection.
Further, the method of using the deep neural network as a discrimination model to judge whether the attack type of the data to be detected is a known attack type or an unknown type comprises: adding a correction variable to the conventional neural network training method so that the network learns a discriminative feature representation, that is, so that flows of the same attack type lie within a specified distance of one another in the feature space; then, in the learned feature space, flows of an unknown class lie beyond the specified distance from the flows of known attacks, and the attack type of the flow under test is judged from this distance.
Further, the method by which the autoencoder analyses the network operation data for anomalies and judges the collected network operation data to be normal or abnormal comprises: the autoencoder performs data matching analysis on the network operation data against the historical abnormal data and the historical normal data respectively, and judges from the matching results whether the network operation data is normal or abnormal. The autoencoder is expressed by the following formulas:
[Formulas for D_1 and D_2: equation images not reproduced in the text]
where A_i (i = 1, 2, 3, ..., 8) respectively represent the source IP address, source port number, destination IP address, feature offset, feature length, feature detail, destination port number and protocol type of the network operation data; B_i (i = 1, 2, 3, ..., 8) represent the same eight fields of the historical normal data; C_i (i = 1, 2, 3, ..., 8) represent the same eight fields of the historical abnormal data; F is a first correction variable and Q is a second correction variable, and the values of the two correction variables are set values. When the computed D_1 is greater than D_2, the network operation data is normal data; when the computed D_1 is less than or equal to D_2, the network operation data is abnormal data.
The internet security service system based on behavior camouflage has the following beneficial effects. The invention achieves a high-security internet service through three mechanisms: first, the attack is camouflaged in a way that makes the attacker believe the current server is already under attack, so that the attacker abandons the attack on the target server; second, through the cyclic conversion of the target server, the transfer server and the mirror camouflage server, the continual conversion makes it difficult for the attacker to judge which one is the target server, and because the conversion is executed periodically, i.e. repeated in real time, the attacker can hardly determine the real server and misdirects the attack; third, attack detection and attack judgment are carried out by feature matching and data matching, which further improves protection.
Drawings
Fig. 1 is a schematic structural diagram of an internet security service system based on behavior camouflage according to an embodiment of the present invention;
fig. 2 is a schematic diagram illustrating the periodic conversion of each server of the internet security service system based on behavior camouflage according to an embodiment of the present invention;
fig. 3 is a schematic flowchart of a network attack against the internet security service system based on behavior camouflage according to an embodiment of the present invention;
fig. 4 is a schematic diagram illustrating the principle of feature-based attack recognition in the internet security service system based on behavior camouflage according to an embodiment of the present invention.
Detailed Description
The method of the present invention will be described in further detail below with reference to the accompanying drawings and embodiments of the invention.
Example 1
As shown in fig. 1, an internet security service system based on behavior camouflage comprises a target server, a transfer server, a mirror camouflage server and an attack camouflage server. The target server, the mirror camouflage server and the attack camouflage server are in the same network and are in signal connection with one another; the transfer server is in a different network from the target server, the mirror camouflage server and the attack camouflage server, and is in signal connection with the attack camouflage server. The attack camouflage server performs a network attack on the target server in real time to acquire data from the target server, destroys the corresponding data in the target server, transmits the acquired data to the transfer server, scrambles the acquired data to obtain scrambled data, and transmits the scrambled data to the mirror camouflage server. The mirror camouflage server receives the scrambled data, sends an information request to the target server for the target server's physical parameters, then adjusts its own physical parameters to match the acquired ones, thereby simulating the target server and completing the conversion of the mirror camouflage server into the target server. After receiving the information request from the mirror camouflage server, the target server sends its physical parameters to the mirror camouflage server, then clears its own data and completes the conversion of the target server into the transfer server.
Referring to fig. 2, which shows the conversion process of servers with different IDs: in part A of fig. 2, the server that keeps its own ID is the attack camouflage server; in part B, the servers are switched periodically so that their functions change, and the attacker finds it difficult to identify which server is the target server.
Example 2
On the basis of the previous embodiment, the target server and the mirror camouflage server each have two states, a working state and a waiting state, and they switch between the two states with the same set time period; the attack camouflage server and the transfer server have only a working state.
Referring to fig. 3, a conventional network attack generally comprises the steps of reconnaissance, intrusion, command and control, lateral movement, data exfiltration and trace cleanup, and launching a network attack generally requires first finding the target server. In the invention, after the attack camouflage server acquires data from the target server, it first scrambles the acquired data into meaningless data and sends that data to the mirror camouflage server; after receiving the meaningless data, the mirror camouflage server sends a request to the target server for its physical parameters and then converts itself into a server identical to the target server, thus realizing the conversion between the mirror camouflage server and the target server.
Subsequently the attack camouflage server again acquires data from the target server, which is now in effect the server converted from the transfer server, and this is executed cyclically, so that the three servers other than the attack camouflage server are converted in real time and data is transferred between them. The attacker therefore finds it difficult to determine the target server and to apply an attack, and security is improved.
Example 3
On the basis of the previous embodiment, the start time of the target server's operation is set to t_0 and the time period is set to T. The target server's working state lasts from t_0 to t_0 + T and its waiting state from t_0 + T to t_0 + 2T. The attack camouflage server starts working at t_0. The transfer server starts operating at t_0 + T. The mirror camouflage server starts operating at t_0 + T; its working state lasts from t_0 + T to t_0 + 2T and its waiting state from t_0 + 2T to t_0 + 3T. The attack camouflage server starts working at t_0, acquires data from the target server and destroys the corresponding data in the target server; after the time period T the target server enters the waiting state, and the attack camouflage server transmits the acquired data to the transfer server, then scrambles the acquired data to obtain scrambled data and transmits the scrambled data to the mirror camouflage server. The transfer server starts working at t_0 + T, after receiving the data acquired by the attack camouflage server.
Specifically, data destruction, that is, data scrambling, means that the data is randomly regenerated as other data.
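The timing of Examples 2 and 3 and the role rotation of Example 2 are easier to check as a small model than as prose. The following is an added example, not code from the patent: it encodes the working/waiting schedule exactly as stated above, and adds, as assumptions, host names, the rotation order target -> transfer -> mirror camouflage -> target, and the repetition of the target/mirror alternation every 2T (the patent gives explicit times only up to t_0 + 3T and re-determines the target every 2T). The `attacker_view` function shows the deception effect: a host fingerprinted as the target in one period is something else in the next.

```python
"""Added example (not the patent's own code): a runnable model of the server role
rotation and timing described in Examples 2 and 3.  Host names, the role-rotation
order and the repetition of the schedule beyond t_0 + 3T are assumptions."""
import secrets

WORKING, WAITING, OFF = "working", "waiting", "not started"

# Assumed rotation order of the three non-attacking hosts (Example 2: the mirror
# camouflage server becomes the target, the target becomes the transfer server).
ROLE_CYCLE = ("target", "transfer", "mirror_camouflage")


def schedule_states(t, t0, T):
    """States of the four roles at absolute time t, following Example 3.

    target: working on [t0, t0+T), waiting on [t0+T, t0+2T)
    mirror camouflage: starts at t0+T, working on [t0+T, t0+2T), waiting on [t0+2T, t0+3T)
    attack camouflage (from t0) and transfer (from t0+T): working state only.
    Assumption: the target/mirror alternation repeats every 2T, matching the target
    being re-determined every 2T in Example 4.
    """
    if t < t0:
        return {r: OFF for r in ("target", "transfer", "mirror_camouflage", "attack_camouflage")}
    slot = (t - t0) // T  # slot k covers [t0 + kT, t0 + (k+1)T)
    return {
        "attack_camouflage": WORKING,
        "transfer": WORKING if slot >= 1 else OFF,
        "target": WORKING if slot % 2 == 0 else WAITING,
        "mirror_camouflage": OFF if slot < 1 else (WORKING if slot % 2 == 1 else WAITING),
    }


def host_roles(t, t0, T, hosts=("host_a", "host_b", "host_c")):
    """Which host plays which role at time t (assumption: one rotation step per period T).

    At t0 host_a is the target, host_b the transfer server and host_c the mirror
    camouflage server; each period the target becomes the transfer server, the
    transfer server becomes the mirror camouflage server and the mirror becomes
    the target, so after 3T every host is back in its starting role.
    """
    slot = max(0, (t - t0) // T)
    return {h: ROLE_CYCLE[(i + slot) % 3] for i, h in enumerate(hosts)}


def scramble(data: bytes) -> bytes:
    """Data destruction as in Example 3: the data is regenerated as random bytes of
    the same length, so the mirror camouflage server holds meaningless data."""
    return secrets.token_bytes(len(data))


def attacker_view(locked_host, t_lock, t_now, t0, T):
    """What an attacker who fingerprinted `locked_host` as the target at t_lock is
    actually hitting at t_now.  Returns (role at t_lock, role at t_now)."""
    return host_roles(t_lock, t0, T)[locked_host], host_roles(t_now, t0, T)[locked_host]


if __name__ == "__main__":
    t0, T = 0, 60
    for t in (0, 60, 120, 180):
        print(t, schedule_states(t, t0, T), host_roles(t, t0, T))
    print(attacker_view("host_a", 10, 70, t0, T))
```

One practical caveat the model makes visible: the rotation only misleads an attacker who re-identifies the target by host identity. The mirror camouflage server copies the target's physical parameters, so anything that fingerprints the service rather than the host (for example the public key presented by the TLS endpoint) would need to rotate with the role as well, which the patent text does not address.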
Example 4
On the basis of the above embodiment, the attack camouflage server comprises a target determination part, an attack part, a scrambling part and a data transmission part. The target determination part is configured to determine the target server when the attack camouflage server starts operating and to re-determine the target server every 2T thereafter. The attack part comprises a first attack part, a second attack part and an attack identification part. The first attack part is configured to attack the target server over the network in real time and acquire the target server's data. The attack identification part is configured to detect, at a set identification period, whether the target server is under attack, to identify the attack type if it is, and to send the attack type identification result to the second attack part. The second attack part is configured to take over from the first attack part on the basis of the received identification result, attacking the target server with the same attack type and acquiring the target server's data. The scrambling part is configured to destroy the data corresponding to the data acquired from the target server and obtain scrambled data. The data transmission part is configured to send the acquired data to the transfer server and the scrambled data to the mirror camouflage server.
Specifically, a network attack is an attack on a system and its resources that exploits vulnerabilities and security defects present in the network information system. The threats faced by network information systems come from many sources and may change over time. Broadly, they can be divided into human threats and natural threats. Natural threats come from natural disasters, harsh field environments, electromagnetic interference, natural ageing of network equipment and the like; they have no purpose, but can damage the network communication system and compromise communication security. A human threat is a deliberate attack on a network information system that seeks out the system's weaknesses in order to destroy, deceive and steal data in an unauthorised manner. By contrast with natural threats, well-designed human attacks are hard to guard against, numerous and of many kinds. From the viewpoint of their destructive effect on information, attacks can be classified as passive attacks and active attacks.
Example 5
On the basis of the previous embodiment, the method by which the first attack part attacks the target server in real time and acquires its data is: randomly select one of password intrusion, WWW spoofing, node attack or port scanning and use it to attack the target server so as to obtain the target server's data.
Example 6
On the basis of the previous embodiment, the method by which the attack identification part detects, at the set identification period, whether the target server is under attack comprises: obtaining the network structure of the network formed by the server and the local ends connected to it; forming, from the network structure, a network chain comprising at least the server and one local end, where the network chain is the target link estimated, by analysing the network topology against the characteristics of the network attack, to be the one subjected to attack; sending a probe packet along the network chain to a local end in the chain; receiving the response packet that the local end sends when triggered by the probe packet; obtaining the current detection parameters from the reception parameters of the response packet and the information it carries; and performing data feature matching with a preset data feature matching model using the current detection parameters and the stored historical detection data, and determining from the data feature matching result whether the network chain is under attack.
Specifically, network attack detection can be realised by constructing feature vectors: construct a network attack behavior feature vector; determine a training set and a test set for the model, label the data, distinguish normal behavior from attack behavior and classify the attack behavior; construct a deep belief network model, train it layer by layer, extract network attack behavior features, compute the error until convergence and fine-tune the model weights to obtain the feature vectors; use the extracted feature vectors as input parameters, select a suitable SVM classifier for training, classify the network attack behaviors and construct a network attack detection model; construct a network attack behavior analysis model, test its accuracy with the test set, compute the accuracy, false alarm rate and missed alarm rate, and optimise it using the identified attack behaviors as training data; pass the dimensionality-reduced, feature-extracted network attack feature vector as input to a first SVM classifier; and select different SVM classifiers to distinguish different network attack behaviors.
Example 7
On the basis of the above embodiment, the data feature matching model is expressed by the following formula:
[Formula of the data feature matching model: equation image not reproduced in the text]
where Est is the computed data feature matching result, N is the number of local ends connected to the server, n is the number of local ends in the network chain, C is an adjustment coefficient with a value range of 1 to 3, F is the current detection parameter and H is the historical detection data; when the value of Est falls within the set threshold range, the network chain is judged to be under network attack.
Specifically, the data matching model is realised by constructing a network chain, which reduces the huge data volume that detecting and analysing the whole network would produce.
Example 8
On the basis of the previous embodiment, the method by which the attack identification part identifies the attack type comprises: collecting the network operation data of the target server, which comprises a source IP address, source port number, destination IP address, feature offset, feature length, feature detail, destination port number and protocol type; performing data anomaly analysis on the network operation data with an autoencoder, which learns the behavior patterns of historical normal data and historical abnormal data so that, once trained, it judges the collected network operation data to be normal or abnormal; using a deep neural network as a discrimination model to judge whether the attack type currently received by the target server is a known attack type or an unknown type; and combining the results of the autoencoder and the discrimination model to complete network attack classification and unknown attack detection.
Example 9
On the basis of the above embodiment, the method by which the deep neural network, used as the discrimination model, determines whether the attack type of the data under test is a known attack type or an unknown type comprises: adding a correction term to the conventional neural network training procedure so that the network learns a discriminative feature representation, namely one in which the flows of the same attack type lie within a specified distance of each other in the feature space; then, in the learned feature space, the flows of an unknown class lie farther than the specified distance from the flows of every known attack, and the attack type of the flow under test is judged from that distance.
Example 10
On the basis of the above embodiment, the method by which the autoencoder performs anomaly analysis on the network operation data and judges whether the collected network operation data are normal or abnormal comprises: the autoencoder performs data matching analysis of the network operation data against the historical abnormal data and against the historical normal data respectively, and judges from the results of the matching analysis whether the network operation data are normal or abnormal; the autoencoder is represented by the following formulas:
[Formula images BDA0003649630720000111 and BDA0003649630720000112, defining $D_1$ and $D_2$; the formulas themselves are not reproduced in the text.]
where $A_i$ ($i = 1, 2, \dots, 8$) are respectively the source IP address, source port number, destination IP address, feature offset, feature length, feature detail, destination port number and protocol type of the network operation data; $B_i$ ($i = 1, 2, \dots, 8$) are the same eight fields of the historical normal data; $C_i$ ($i = 1, 2, \dots, 8$) are the same eight fields of the historical abnormal data; $F$ is the first correction variable and $Q$ is the second correction variable, both of which take set values (this $F$ is unrelated to the current detection parameter $F$ of Example 7); when the calculated $D_1$ is greater than $D_2$, the network operation data are normal; when $D_1$ is less than or equal to $D_2$, the network operation data are abnormal.
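A worked example covering Examples 8, 9 and 10 together, added here and not code from the patent. The patent gives the eight-field network operation record, the rule that $D_1 > D_2$ means normal and anything else abnormal, and the rule that a flow farther than the specified distance from every known attack type is of unknown type, but it does not reproduce the $D_1$/$D_2$ formulas or the trained networks. The assumptions made here are that $D_1$ and $D_2$ are the best weighted field-match score of the live record against the historical normal and historical abnormal records, scaled by the correction variables $F$ and $Q$; that the deep network's learned feature representation is replaced by a fixed numeric map of the record; and that all records, weights, the field names, the attack-type names and the specified distance are constructed.

```python
"""Anomaly gate plus open-set attack typing, after Examples 8 to 10.

Added example, not code from the patent. The patent gives the eight-field
network operation record, the rule D1 > D2 -> normal (otherwise abnormal)
and the rule that a flow farther than a specified distance from every known
attack type is of unknown type, but not the D1/D2 formulas or the trained
networks. Assumptions made here: D1 and D2 are the best weighted field-match
score of the live record against the historical normal and abnormal records,
scaled by the correction variables F and Q; the deep network's learned
feature expression is replaced by a fixed numeric map of the record; all
records, weights and thresholds are constructed.
"""
from dataclasses import dataclass
from itertools import combinations
from math import sqrt
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Record:
    src_ip: str
    src_port: int
    dst_ip: str
    feat_offset: int
    feat_length: int
    feat_detail: str
    dst_port: int
    protocol: str
    attack_type: Optional[str] = None   # label, set only on historical abnormal records


FIELDS = ("src_ip", "src_port", "dst_ip", "feat_offset", "feat_length",
          "feat_detail", "dst_port", "protocol")
WEIGHTS = {"src_ip": 1.0, "src_port": 0.5, "dst_ip": 1.0, "feat_offset": 1.0,
           "feat_length": 1.0, "feat_detail": 3.0, "dst_port": 1.5, "protocol": 1.0}
F = 1.0                   # first correction variable (assumed: scales D1)
Q = 1.2                   # second correction variable (assumed: scales D2)
SPECIFIED_DISTANCE = 4.0  # Example 9's specified distance (assumed value)

# Constructed history; 10.0.1.20 plays the protected target server.
NORMAL_HISTORY = [
    Record("10.0.0.5", 51000, "10.0.1.20", 0, 4, "GET /", 80, "tcp"),
    Record("10.0.0.6", 52000, "10.0.1.20", 0, 5, "ClientHello", 443, "tcp"),
]
ABNORMAL_HISTORY = [
    Record("203.0.113.9", 40000, "10.0.1.20", 0, 0, "SYN", 22, "tcp", "scan"),
    Record("203.0.113.9", 40001, "10.0.1.20", 0, 0, "SYN", 23, "tcp", "scan"),
    Record("198.51.100.7", 43000, "10.0.1.20", 20, 14, "' OR 1=1 --", 80, "tcp", "sqli"),
    Record("198.51.100.8", 43500, "10.0.1.20", 22, 15, "' OR 'a'='a", 80, "tcp", "sqli"),
]
LIVE = [  # constructed records to classify
    Record("10.0.0.9", 53000, "10.0.1.20", 0, 4, "GET /", 80, "tcp"),             # benign
    Record("198.51.100.9", 44000, "10.0.1.20", 20, 14, "' OR 1=1 --", 80, "tcp"),  # known type
    Record("192.0.2.3", 9000, "10.0.1.20", 12, 20, "ANY", 53, "udp"),             # matches nothing
    Record("10.0.0.5", 51100, "10.0.1.20", 0, 0, "SYN", 22, "tcp"),               # scan from inside
]


def match_score(live: Record, ref: Record) -> float:
    return sum(WEIGHTS[f] for f in FIELDS if getattr(live, f) == getattr(ref, f))


def scores(live: Record, normal: Sequence[Record] = NORMAL_HISTORY,
           abnormal: Sequence[Record] = ABNORMAL_HISTORY) -> Tuple[float, float]:
    """D1: similarity to the closest historical normal record, scaled by F.
    D2: similarity to the closest historical abnormal record, scaled by Q."""
    return (F * max(match_score(live, r) for r in normal),
            Q * max(match_score(live, r) for r in abnormal))


def embed(r: Record) -> Tuple[float, ...]:
    """Stand-in for the learned feature expression (assumption)."""
    return (r.dst_port / 100.0, float(r.feat_offset), float(r.feat_length),
            1.0 if r.protocol == "tcp" else 0.0)


def distance(a: Sequence[float], b: Sequence[float]) -> float:
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def class_centres(abnormal: Sequence[Record]) -> Dict[str, Tuple[float, ...]]:
    groups: Dict[str, List[Tuple[float, ...]]] = {}
    for r in abnormal:
        groups.setdefault(r.attack_type, []).append(embed(r))
    return {t: tuple(sum(col) / len(v) for col in zip(*v)) for t, v in groups.items()}


def check_feature_space(abnormal: Sequence[Record] = ABNORMAL_HISTORY,
                        spec: float = SPECIFIED_DISTANCE) -> bool:
    """Example 9's training property: flows of one attack type lie within the
    specified distance of each other in the feature space."""
    return all(distance(embed(a), embed(b)) < spec
               for a, b in combinations(abnormal, 2) if a.attack_type == b.attack_type)


def attack_type(live: Record, abnormal: Sequence[Record] = ABNORMAL_HISTORY,
                spec: float = SPECIFIED_DISTANCE) -> str:
    """Nearest known type, or 'unknown' when every known type is beyond spec."""
    t, d = min(((t, distance(embed(live), c)) for t, c in class_centres(abnormal).items()),
               key=lambda p: p[1])
    return t if d < spec else "unknown"


def analyze(live: Record, normal: Sequence[Record] = NORMAL_HISTORY,
            abnormal: Sequence[Record] = ABNORMAL_HISTORY) -> Tuple[str, Optional[str]]:
    """Integrates both models: ('normal', None) when D1 > D2, else ('abnormal', type).
    A tie (D1 == D2) falls to the abnormal side, as the patent's rule states."""
    d1, d2 = scores(live, normal, abnormal)
    return ("normal", None) if d1 > d2 else ("abnormal", attack_type(live, abnormal))


if __name__ == "__main__":
    for r in LIVE:
        print(f"{r.src_ip:>13} -> {r.dst_port:<4} {r.protocol}  D1,D2={scores(r)}  {analyze(r)}")
```

Two properties of the rules are worth noticing. The tie in $D_1 \le D_2$ makes the gate fail closed: the UDP record above resembles nothing in either history, scores 1.0 against each, and still lands on the abnormal side, where the distance check then reports it as an unknown type rather than forcing it into a known class. And the same specified distance serves both as the training constraint (`check_feature_space`) and as the unknown threshold, so it has to be validated on held-out flows of each known type before it is trusted for open-set decisions; in a real deployment `embed` is the trained network's output rather than a fixed map.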
It should be noted that the system provided in the foregoing embodiments is described only in terms of the division of its functional units; in practice the functions may be assigned to different functional units as needed, that is, the units or steps in the embodiments of the present invention may be further decomposed or combined. For example, the units of the foregoing embodiment may be combined into one unit or further decomposed into several sub-units, so as to perform all or part of the functions described above. The names of the units and steps in the embodiments of the present invention serve only to distinguish the units or steps and are not to be construed as unduly limiting the present invention.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes and related descriptions of the storage device and the processing device described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
Those of skill in the art would appreciate that the various illustrative elements, method steps, described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that programs corresponding to the elements, method steps may be located in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. To clearly illustrate this interchangeability of electronic hardware and software, various illustrative components and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as electronic hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The terms "first," "second," and the like, are used to distinguish similar objects and are not configured to describe or imply a particular order or sequence.
The terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or unit/apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or unit/apparatus.
So far the technical solutions of the present invention have been described in connection with the preferred embodiments shown in the drawings, but it will be apparent to those skilled in the art that the scope of the present invention is not limited to these specific embodiments. Those skilled in the art may make equivalent modifications or substitutions of the relevant technical features without departing from the principle of the present invention, and the technical solutions so modified or substituted fall within the protective scope of the present invention.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention.

Claims (10)

1. An internet security service system based on behavior masquerading, the system comprising a target server, a transfer server, a mirror masquerading server and an attack masquerading server; the target server, the mirror masquerading server and the attack masquerading server are in the same network and are in signal connection with each other; the transfer server is in a different network from the target server, the mirror masquerading server and the attack masquerading server, and is in signal connection with the attack masquerading server; the attack masquerading server performs a network attack on the target server in real time to acquire data of the target server, destroys the data in the target server corresponding to the acquired data, sends the acquired data to the transfer server, then scrambles the acquired data to obtain scrambled data and sends the scrambled data to the mirror masquerading server; the mirror masquerading server receives the scrambled data, sends an information request to the target server requesting the physical parameters of the target server, and then adjusts its own physical parameters to be consistent with the acquired physical parameters, thereby simulating the target server and completing the conversion of the mirror masquerading server into the target server; and the target server, after receiving the information request from the mirror masquerading server, sends its physical parameters to the mirror masquerading server and then clears its own data, completing the conversion of the target server into the transfer server.
2. The system of claim 1, wherein the target server and the mirror masquerading server each have two states, an active state and a standby state, which are switched between each other with the same set time period; the attack masquerading server and the transfer server each have only one working state.
3. The system of claim 2, wherein the start time of operation of the target server is $t_0$ and the set time period is $T$; the active state of the target server lasts from $t_0$ to $t_0 + T$ and its standby state from $t_0 + T$ to $t_0 + 2T$; the attack masquerading server starts working at time $t_0$; the transfer server starts working at $t_0 + T$; the mirror masquerading server starts working at $t_0 + T$, its active state lasting from $t_0 + T$ to $t_0 + 2T$ and its standby state from $t_0 + 2T$ to $t_0 + 3T$; the attack masquerading server starts working at $t_0$, acquires data of the target server and destroys the corresponding data in the target server; after one time period $T$ the target server enters the standby state, and the attack masquerading server transmits the acquired data to the transfer server, then scrambles the acquired data to obtain scrambled data and transmits the scrambled data to the mirror masquerading server; the transfer server starts working after receiving the data acquired by the attack masquerading server at time $t_0 + T$.
4. The system of claim 3, wherein the attack masquerading server comprises a target determination part, an attack part, a scrambling part and a data transmission part; the target determination part is configured to determine the target server when the attack masquerading server starts to operate, and to re-determine the target server at every interval of $2T$ thereafter; the attack part comprises a first attack part, a second attack part and an attack identification part; the first attack part is configured to carry out a network attack on the target server in real time and to acquire data of the target server; the attack identification part is configured to detect, according to a set identification period, whether the target server is under attack, to identify the attack type if it is, and to send the attack type identification result to the second attack part; the second attack part is configured, based on the received attack type identification result, to take over from the first attack part with an attack of the same type, performing the network attack on the target server and acquiring its data; the scrambling part is configured to scramble the data acquired from the target server to obtain scrambled data; and the data transmission part is configured to send the acquired data to the transfer server and the scrambled data to the mirror masquerading server.
5. The system of claim 4, wherein the first attack part performs the network attack on the target server in real time and acquires the data of the target server by randomly selecting one of password intrusion, WWW spoofing, node attack or port scanning to attack the target server and obtain its data.
6. The system of claim 5, wherein the attack identification part detecting, according to the set identification period, whether the target server is under attack comprises: acquiring the network structure of the network formed by the server and the local terminals connected to it; forming, according to the network structure, a network chain comprising at least the server and one local terminal, the network chain being the target chain estimated to be subject to the network attack by analysing the network topology against the characteristics of the network attack; sending a probe packet through the network chain to a local terminal in the chain; receiving the response packet sent by the local terminal in response to the probe packet; obtaining the current detection parameters from the receiving parameters of the response packet and the information it carries; and performing data feature matching with a preset data feature matching model on the current detection parameters and the stored historical detection data, and determining from the resulting data feature matching result whether the network chain is under attack.
7. The system of claim 6, wherein the data feature matching model expresses the following formula:
[Formula image FDA0003649630710000031; the formula itself is not reproduced in the text.]
the Est is a calculated data feature matching result, N is the number of local ends connected with the server, N is the number of local ends in a network chain, C is an adjustment coefficient, the value range is 1-3, F is a current detection parameter, and H is historical detection data; and when the value of Est is within the set threshold value range, judging that the network attack is suffered.
8. The system of claim 7, wherein the method by which the attack identification part identifies the attack type comprises: collecting the network operation data of the target server, the network operation data comprising a source IP address, a source port number, a destination IP address, a feature offset, a feature length, a feature detail, a destination port number and a protocol type; performing anomaly analysis on the network operation data with an autoencoder, the autoencoder being trained on the behaviour patterns of historical normal data and historical abnormal data so that the trained autoencoder judges whether the collected network operation data are normal or abnormal; using a deep neural network as a discrimination model to judge whether the attack currently received by the target server is of a known attack type or of an unknown type; and integrating the results of the autoencoder and the discrimination model to complete network attack classification and unknown attack detection.
9. The system of claim 8, wherein the method by which the deep neural network, used as the discrimination model, determines whether the attack type of the data under test is a known attack type or an unknown type comprises: adding a correction term to the conventional neural network training procedure so that the network learns a discriminative feature representation, namely one in which the flows of the same attack type lie within a specified distance of each other in the feature space; then, in the learned feature space, the flows of an unknown class lie farther than the specified distance from the flows of every known attack, and the attack type of the flow under test is judged from that distance.
10. The system of claim 9, wherein the method by which the autoencoder performs anomaly analysis on the network operation data and judges whether the collected network operation data are normal or abnormal comprises: the autoencoder performs data matching analysis of the network operation data against the historical abnormal data and against the historical normal data respectively, and judges from the results of the matching analysis whether the network operation data are normal or abnormal; the autoencoder is represented by the following formulas:
[Formula images FDA0003649630710000041 and FDA0003649630710000042, defining $D_1$ and $D_2$; the formulas themselves are not reproduced in the text.]
where $A_i$ ($i = 1, 2, \dots, 8$) are respectively the source IP address, source port number, destination IP address, feature offset, feature length, feature detail, destination port number and protocol type of the network operation data; $B_i$ ($i = 1, 2, \dots, 8$) are the same eight fields of the historical normal data; $C_i$ ($i = 1, 2, \dots, 8$) are the same eight fields of the historical abnormal data; $F$ is the first correction variable and $Q$ is the second correction variable, both of which take set values; when the calculated $D_1$ is greater than $D_2$, the network operation data are normal; when $D_1$ is less than or equal to $D_2$, the network operation data are abnormal.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210538880.2A CN114978663A (en) 2022-05-18 2022-05-18 Internet security service system based on behavior camouflage

Publications (1)

Publication Number Publication Date
CN114978663A true CN114978663A (en) 2022-08-30

Family

ID=82982683

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210538880.2A Pending CN114978663A (en) 2022-05-18 2022-05-18 Internet security service system based on behavior camouflage

Country Status (1)

Country Link
CN (1) CN114978663A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116257327A (en) * 2023-05-15 2023-06-13 浙江保融科技股份有限公司 Method for calling blocking client library in JVM non-blocking system
CN116257327B (en) * 2023-05-15 2023-09-15 浙江保融科技股份有限公司 Method for calling blocking client library in JVM non-blocking system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication (application publication date: 20220830)