CN115208595A - Detection method, device, equipment and storage medium - Google Patents

Info

Publication number: CN115208595A
Authority: CN (China)
Application number: CN202110383939.0A
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 张会娟, 黄静, 何申
Current assignee: China Mobile Communications Group Co Ltd; China Mobile Communications Ltd Research Institute
Original assignee: China Mobile Communications Group Co Ltd; China Mobile Communications Ltd Research Institute
Application filed by China Mobile Communications Group Co Ltd and China Mobile Communications Ltd Research Institute
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Abstract

The application discloses a detection method, a detection device and a computer-readable storage medium, wherein the method comprises the following steps: acquiring first data, the first data comprising request information data and operation behavior data; analyzing the first data and extracting first difference characteristic information, the first difference characteristic information comprising variation information carried in the first data, where the variation information comprises quantitative difference information between the first data and other network request operation information and an association relationship between the request information data and the operation behavior data; and detecting the security state of the first data based on the first difference characteristic information.

Description

Detection method, device, equipment and storage medium
Technical Field
The present application relates to the field of information technology, and in particular, to a detection method, a detection apparatus, a detection device, and a computer-readable storage medium.
Background
In the related art, the network security status detection generally includes the following processes: marking the network access request, the network behavior data and a large amount of corresponding characteristic information with numerical values to obtain a marking result; reducing the dimensions of the marking result to obtain a dimension reduction result; and finally, analyzing whether the network access request and/or the network behavior data are safe or not according to the dimension reduction result. However, the marking result and the dimension reduction result in this detection process cannot reflect the essential difference between various features in the network data, and cannot reflect the essential association relationship between the network access request and the network behavior data.
Disclosure of Invention
Based on the foregoing problems, embodiments of the present application provide a detection method, a detection apparatus, a detection device, and a computer-readable storage medium.
According to the detection method provided by the embodiment of the application, under the condition that the first data comprising the request information data and the operation behavior data is obtained, the first difference characteristic information can be extracted from the first data, and the safety state of the first data is detected according to the first difference characteristic information; the first difference characteristic information includes quantitative difference information between the first data and other network request operation information and an association relationship between the request information data and the operation behavior data, so that the detection method provided by the embodiment of the application can acquire the difference characteristic information of any network request and can also acquire the association relationship between the request information data and the operation behavior data, thereby enabling the detection of the network state to be more accurate, enabling the detected security state to be more objective, and improving the efficiency of detecting the network security state.
The technical scheme provided by the application is as follows:
the embodiment of the application provides a detection method, which comprises the following steps:
acquiring first data; the first data comprises request information data and operation behavior data;
analyzing the first data, and extracting first difference characteristic information; the first difference characteristic information comprises variation information carried in the first data; the variation information comprises quantitative difference information between the first data and other network request operation information and an association relationship between the request information data and the operation behavior data;
detecting a security status of the first data based on the first differential feature information.
The embodiment of the present application further provides a detection apparatus, the detection apparatus includes: the device comprises an acquisition module, a feature extraction module and a detection module, wherein:
the acquisition module is used for acquiring first data; wherein the first data at least comprises network request data;
the feature extraction module is used for analyzing and processing the first data and extracting first difference feature information; the first difference characteristic information comprises variation information carried in the first data; the variation information comprises quantitative difference information between the first data and other network request operation information and an association relationship between the request information data and the operation behavior data;
the detection module is configured to detect a security state of the first data based on the first difference feature information.
The embodiment of the application further provides a detection device, which comprises a processor, a memory and a communication bus, wherein the communication bus is used for realizing communication connection between the processor and the memory; the processor is configured to execute a computer program stored in the memory to implement the detection method as described in any of the preceding.
An embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored in the computer-readable storage medium, and when the computer program is executed by a processor of a detection device, the detection method as described in any of the foregoing can be implemented.
As can be seen from the above, in the detection method provided in the embodiment of the present application, under the condition that the first data including the request information data and the operation behavior data is obtained, the first difference feature information can be extracted from the first data, and then the security state of the first data is detected according to the first difference feature information; the first difference characteristic information includes quantitative difference information between the first data and other network request operation information and an association relationship between the request information data and the operation behavior data, so that the detection method provided by the embodiment of the application can acquire the difference characteristic information of any network request and can also acquire the association relationship between the request information data and the operation behavior data, thereby enabling the detection of the network state to be more accurate, enabling the detected security state to be more objective, and improving the efficiency of network security state detection.
Drawings
Fig. 1 is a schematic flowchart of a first detection method provided in an embodiment of the present application;
fig. 2 is a schematic flow chart of a second detection method provided in the embodiment of the present application;
fig. 3 is a schematic flowchart of a first difference feature information extraction process provided in the embodiment of the present application;
fig. 4 is a schematic structural diagram of detection network training provided in the embodiment of the present application;
fig. 5a is a statistical illustration of classification results of five types of data by using the detection method provided in the embodiment of the present application;
fig. 5b is a schematic diagram of statistical results of false detection rates and missed detection rates of five data detections by using the detection method provided in the embodiment of the present application;
fig. 5c is a schematic diagram of a detection accuracy statistic of five data detections by using the detection method provided in the embodiment of the present application;
fig. 6 is a schematic structural diagram of a detection apparatus according to an embodiment of the present disclosure;
fig. 7 is a schematic structural diagram of a detection apparatus according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application.
It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The present application relates to the field of information technology, and in particular, to a detection method, a detection apparatus, a detection device, and a computer-readable storage medium.
Network intrusion detection is the detection of network intrusion behavior by collecting information at several key points in a computer network system and analyzing that information to determine whether there is behavior violating the security policy in the network or system, or whether there is evidence of an attack.
In practical application, network intrusion detection is the first step of network active defense, so intrusion detection has become a research hotspot of network security, and therefore, how to efficiently and accurately perform intrusion detection, or how to detect a network security state through a detection model with good performance has become a major challenge in the current network security field.
In the related art, the network security status detection is usually implemented by the following steps: and simply marking the network access request, the network behavior data and a large amount of corresponding characteristic information by using numerical values to obtain a marking result, then simply reducing the dimensions of the marking result to obtain a dimension reduction result, and finally analyzing whether the network access request and/or the network behavior data are safe or not according to the dimension reduction result. However, the above marking result and dimension reduction result cannot reflect the essential difference between various features in the network data, and cannot reflect the essential association relationship between the network access request and the network behavior data.
Based on the above problems, embodiments of the present application provide a detection method, where in a case where first data including request information data and operation behavior data is acquired, first difference feature information can be extracted from the first data, and then a security state of the first data is detected according to the first difference feature information; the first difference characteristic information includes quantitative difference information between the first data and other network request operation information and an association relationship between the request information data and the operation behavior data, so that the detection method provided by the embodiment of the application can acquire the difference characteristic information of any network request and also can acquire the association relationship between the request information data and the operation behavior data, so that the detection of the network state is more accurate, the detected security state can be more objective, and the efficiency of detecting the network security state is improved.
The detection method provided in the embodiment of the present application may be implemented by a processor in the detection device, where the processor may be at least one of an Application Specific Integrated Circuit (ASIC), a Digital Signal Processor (DSP), a Digital Signal Processing Device (DSPD), a Programmable Logic Device (PLD), a Field Programmable Gate Array (FPGA), a Central Processing Unit (CPU), a controller, a microcontroller, and a microprocessor.
Fig. 1 is a schematic flow chart of a first detection method according to an embodiment of the present disclosure. As shown in fig. 1, the method may include steps 101 to 103:
step 101, obtaining first data.
The first data comprises request information data and operation behavior data.
In one embodiment, the request information data may include network request data. Illustratively, the network request data may include a request line, a request header, an empty line, a request body, and the like.
In one embodiment, the request information data may further include request response data. Illustratively, the request response data may include a status line, a message header, an empty line, a response body, and the like.
In one embodiment, the operation behavior data may include data corresponding to a series of operations performed by the detection device after receiving the request information data.
In one embodiment, the operation behavior data may include at least one of target data of the detection device access behavior, target data of the modification/tampering behavior, and the like after responding to the request information data. Illustratively, the access behavior may include access to a kernel, access to system configuration data, access to system startup data, and the like; the modification/tampering action may include actions of modifying/tampering system configuration data, modifying/tampering user data, and the like.
In one embodiment, the operation behavior data may be target behavior data that needs to be detected.
In one embodiment, the target behavior data to be detected may be any type of data specified manually, or may be any behavior data selected from historical detection results of the detection device.
In one embodiment, the target behavior data to be detected can be flexibly adjusted according to any one of the system time of the detection device, the operation state of the detection device, the operation environment of the detection device, and the like.
In one embodiment, the corresponding operational behavior data may be delayed after the detection device receives the request information data. For example, after the detection device receives the request information data, if the request information data carries the response delay time, the detection device may perform an operation corresponding to the request information data only when the response delay time arrives.
In one embodiment, the detection device may perform a number of different types of operations after receiving one request for information data. Therefore, it is important to analyze the association between the request information data and the operation behavior data.
In one embodiment, the detection device may perform only one type of operation after receiving a plurality of request information data.
In one embodiment, the number of the first data may be plural.
In one embodiment, the first data may be acquired by the detection device in real time; illustratively, the subsequent analysis detection operation is performed immediately after the first data is acquired.
In one embodiment, the first data may be historical data obtained by the detection device from a database.
And 102, analyzing the first data, and extracting first difference characteristic information.
The first difference characteristic information comprises variation information carried in the first data; the variation information comprises quantitative difference information between the first data and other network request operation information and an association relationship between the request information data and the operation behavior data.
In one embodiment, the other network request operation information may include any type of network request information data and its corresponding operation behavior data.
In one embodiment, there may be a plurality of other network request operation information.
In one embodiment, the quantized difference information may represent difference information that distinguishes the first data from any other type of network request information data and operation behavior data thereof, and may be a specific numerical value after quantization.
In one embodiment, the quantized difference information may represent difference information that can distinguish the current request information data from any other request information data.
In one embodiment, there may be a plurality of quantization difference information.
In one embodiment, the association relationship between the request information data and the operation behavior data may indicate either that an association exists between the request information data and the operation behavior data, or that no association exists between them.
In one embodiment, the association relationship between the request information data and the operation behavior data may include strength of the association relationship between the request information data and the operation behavior data.
In one embodiment, the association between the request information data and the operation behavior data may include a causal association between the request information data and the operation behavior data.
In one embodiment, the first differential feature information may include, in addition to the variation information carried in the first data, other feature information carried in the first data; illustratively, the other characteristic information may include characteristic information carried by the network request data in a broad sense.
In an embodiment, the analyzing the first data to extract the first difference feature information may be implemented by any one of the following manners:
After any network request is acquired, the request information data is obtained from the network request data in real time and analyzed to obtain first information; second information is then acquired; and the first difference characteristic information is extracted from the first information and the second information, where the second information comprises the response state of the detection device and/or specific response behavior information of the detection device.
After any network request is acquired, the network request data is analyzed and processed to obtain all the feature information carried in it, and the first difference feature information is extracted from third information stored in the detection device according to the matching relationship between that third information and all the feature information. Illustratively, the third information may be stored in a database and determined from detection performed on a large amount of sample data; illustratively, the third information may include a correspondence between network request data and difference characteristic information.
And 103, detecting the safety state of the first data based on the first difference characteristic information.
In one embodiment, the security status of the first data may indicate that the first data is dangerous data or safe data.
In one embodiment, the security status of the first data may be embodied by a security level or a risk level.
In one embodiment, the detecting the security status of the first data based on the first differential feature information may be implemented by any one of the following methods:
and detecting the safety state of the first data according to the matching relation between the first difference characteristic information and the standard difference characteristic information. Illustratively, the standard differential characteristic information may be determined by the detection device through analysis of a large amount of sample data; illustratively, the standard differential characteristic information can be updated in real time according to the analysis result of the detection device on the request information data and the operation behavior data.
And further analyzing and processing the first differential characteristic information through a neural network, extracting core characteristic information from the first differential characteristic information, and detecting the safety state of the first data according to the core characteristic information.
As can be seen from the above, in the detection method provided in the embodiment of the present application, under the condition that the first data including the request information data and the operation behavior data is obtained, the first difference feature information can be extracted from the first data, and then the security state of the first data is detected according to the first difference feature information; the first difference characteristic information includes quantitative difference information between the first data and other network request operation information and an association relationship between the request information data and the operation behavior data, so that the detection method provided by the embodiment of the application can acquire the difference characteristic information of any network request and can also acquire the association relationship between the request information data and the operation behavior data, thereby enabling the detection of the network state to be more accurate, enabling the detected security state to be more objective, and improving the efficiency of network security state detection.
Based on the foregoing embodiments, the embodiments of the present application further provide a second detection method, and fig. 2 is a schematic flow chart of the second detection method provided in the embodiments of the present application. As shown in fig. 2, the detection method may include steps 201 to 204:
step 201, first data is acquired.
The first data comprises request information data and operation behavior data.
Step 202, analyzing the first data to obtain second data and third data.
The second data comprises data related to the request information data in the first data; the third data comprises data related to the operation behavior data in the first data.
In one embodiment, the second data may be character information or character combination information related to the request information data acquired from the first data. Accordingly, the third data may include character information or character combination information related to the operation behavior acquired from the first data.
In one embodiment, the second data and the third data may be numerical data obtained by digitizing the first data.
In the embodiment of the present application, step 202 may be implemented by steps A1 to A2:
step A1, quantizing the first data to obtain a first quantization result.
In one embodiment, the first data may be quantized according to a correspondence relationship between characters and numerical values, and illustratively, the first character may correspond to a first numerical value and the second character may correspond to a second numerical value.
In one embodiment, the quantization of the first data may be performed according to a specified quantization algorithm.
In one embodiment, the first quantized result may only contain data of a specified type, such as integer data.
In one embodiment, the first quantized result may include floating point data in addition to integer data.
In one embodiment, the data length of each quantization result in the first quantization result may not exceed a length threshold for the convenience of subsequent calculations.
In the embodiment of the present application, step A1 may be implemented by steps B1 to B3:
and B1, quantizing the first type data in the first data to obtain a second quantization result.
Wherein the first type of data comprises text data.
In one embodiment, the text data may include single character data, character combination data, or character strings.
In one embodiment, the first type of data may further include at least one of a combination of characters and numbers, a combination of characters and symbols, and the like; the symbols may illustratively include punctuation symbols, mathematical operation symbols, Greek symbols, and the like.
In one embodiment, the first type of data may be words.
In one embodiment, the first type of data in the first data is quantized by equations (1) to (3):

Equation (1): image not reproduced on this page.

Equation (2): image not reproduced on this page.

$$\mathrm{TF\text{-}IDF}_{*,j} = \mathrm{TF}_{*,j} \times \mathrm{IDF}_{*,j} \quad (3)$$

In formula (1), $k_{*,j}$ represents the number of times the word appears in the acquired $j$th first data; the summation term (image not reproduced on this page) represents the total number of words in the acquired $n$ first data; and $\mathrm{TF}_{*,j}$ denotes the term frequency (TF) of the word in the $j$th first data.
In formula (2), $M$ represents the total number of words in all the acquired first data; $m_i$ represents the total number of words in the $i$th first data; and $\mathrm{IDF}_{*,j}$ represents the inverse document frequency (IDF) of the word.
In equation (3), $\mathrm{TF\text{-}IDF}_{*,j}$ may be used to evaluate the importance of the word to the first data, or to any one of the $n$ first data.
And B2, acquiring second type data from the first data.
Wherein the second type of data comprises numerical data.
In one embodiment, the second type of data and the first type of data may constitute the first data.
In one embodiment, the second type of data may further include a combination of numerical values, and the second type of data may include a conditional calculation relationship of several numerical values.
In one embodiment, the data type of the second type of data may be the same as the data type of the first quantization result. For example, the second type data and the first quantization result may be both integer data types.
And B3, obtaining a first quantization result based on the second quantization result and the second type data.
In one embodiment, the first quantization result may be obtained by concatenating the second quantization result with the second type data.
In one embodiment, in the case that the number of the first data is one, the first quantization result may be an array.
In one embodiment, in the case that the number of the first data is plural, the first quantization result may be a matrix, and may be exemplarily denoted as a matrix a; illustratively, the dimension of the matrix a may be determined by the number of elements in the first quantization result and the number of the first data.
In one embodiment, the first quantization result may be obtained by concatenating the second quantization result and the second type of data.
In one embodiment, the first quantization result may be an augmentation matrix including the second quantization result, and the setting position of the second quantization result and the second type data in the matrix may be fixed.
As can be seen from the above, in the detection method provided in the embodiment of the present application, the quantization of the first data is not performed through an artificial subjective and simple quantization operation, but is performed through an objective quantization operation according to the TF value and the IDF value of each data in the first data. Therefore, the first quantization result obtained by the above quantization operation can objectively represent the first data or the actual distribution state of each of the plurality of first data, thereby providing an objective condition for the accurate effect of the subsequent state detection.
And A2, acquiring second data and third data from the first quantization result.
In one embodiment, the combination of the second data and the third data in the first quantization result may have a certain rule, and in this case, the second data and the third data may be obtained from the first quantization result based on the rule.
In one embodiment, in the first quantization result, the subscript range of the second data and the subscript range of the third data may be fixed, and in this case, the second data and the third data may be obtained from the first quantization result according to the subscript range of each data.
As can be seen from the above, in the embodiment of the present application, before performing security detection on the first data, objective quantization is performed on the first data, and the first quantization result obtained after quantization is data of a numerical type, which is more rapid to store and query, so that efficiency of various operations performed on the first quantization result in a subsequent detection process can be greatly improved.
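Steps A1 to A2 as an added example (not code from the patent): text fields of each record are turned into TF-IDF weights using the standard definitions tf = count / document length and idf = ln(n / df), which is an assumption since equations (1) and (2) are not reproduced on this page; numeric fields are concatenated unchanged, and the second and third data are then read back from fixed column ranges of the resulting matrix A. The record layout, function names and sample records are constructed.

```python
"""Steps A1 to A2: objective quantization of first data into matrix A and the
split into second data (request-related) and third data (behaviour-related).

Added example, not code from the patent. Text fields use standard TF-IDF,
tf = count / document length, idf = ln(n / df) (an assumption: equations (1)
and (2) are not reproduced on the page); numeric fields are concatenated
unchanged; the record layout and sample records below are constructed.
"""
import math
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample first data: two identical benign records and one record
# whose request and operation behaviour differ from the others.
FIRST_DATA = [
    {"request": "GET /index.html HTTP/1.1", "behavior": "read static_file", "numeric": [200, 1]},
    {"request": "GET /index.html HTTP/1.1", "behavior": "read static_file", "numeric": [200, 1]},
    {"request": "POST /admin/config HTTP/1.1",
     "behavior": "write system_config read kernel_params", "numeric": [500, 3]},
]


def tokenize(text: str) -> List[str]:
    return text.lower().split()


def tfidf_rows(docs: List[List[str]]) -> Tuple[List[List[float]], List[str]]:
    """Step B1: one TF-IDF row per document over a sorted vocabulary (second quantization result)."""
    n = len(docs)
    vocab = sorted({t for d in docs for t in d})
    df = Counter(t for d in docs for t in set(d))        # documents containing each word
    idf = {t: math.log(n / df[t]) for t in vocab}        # 0.0 for a word present in every document
    rows = []
    for d in docs:
        tf = Counter(d)
        rows.append([tf[t] / len(d) * idf[t] for t in vocab])
    return rows, vocab


def quantize_first_data(records: List[Dict]) -> Tuple[List[List[float]], Dict]:
    """Steps B1 to B3: A = [request TF-IDF | behaviour TF-IDF | numeric fields], fixed column ranges."""
    req_rows, req_vocab = tfidf_rows([tokenize(r["request"]) for r in records])
    beh_rows, beh_vocab = tfidf_rows([tokenize(r["behavior"]) for r in records])
    n_req, n_beh, n_num = len(req_vocab), len(beh_vocab), len(records[0]["numeric"])
    matrix = [req + beh + [float(v) for v in r["numeric"]]
              for req, beh, r in zip(req_rows, beh_rows, records)]
    layout = {
        "request": (0, n_req),                              # subscript range of request columns
        "behavior": (n_req, n_req + n_beh),                 # subscript range of behaviour columns
        "numeric": (n_req + n_beh, n_req + n_beh + n_num),  # second-type data, appended unchanged
        "vocab": {"request": req_vocab, "behavior": beh_vocab},
    }
    return matrix, layout


def split_first_quantization(matrix, layout):
    """Step A2: second data = request + numeric columns; third data = behaviour columns."""
    r0, r1 = layout["request"]
    b0, b1 = layout["behavior"]
    n0, n1 = layout["numeric"]
    second = [row[r0:r1] + row[n0:n1] for row in matrix]
    third = [row[b0:b1] for row in matrix]
    return second, third


def distinguishing_words(matrix, layout, part: str, i: int) -> List[str]:
    """Words with non-zero weight in record i: the quantized difference from the other records."""
    a, b = layout[part]
    return [w for w, v in zip(layout["vocab"][part], matrix[i][a:b]) if v > 0]


if __name__ == "__main__":
    A, layout = quantize_first_data(FIRST_DATA)
    for i in range(len(A)):
        print(i, distinguishing_words(A, layout, "request", i),
              distinguishing_words(A, layout, "behavior", i))
```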
And step 203, analyzing the second data and the third data by a Partial Least Squares (PLS) method, and extracting first difference characteristic information.
In one embodiment, the analyzing the second data and the third data by PLS may be implemented as follows:
and analyzing and processing the correlation between the second data and the third data through the PLS to obtain a first analysis result, and acquiring a specified amount of second data as first differential characteristic information according to the first analysis result.
In this embodiment of the present application, step 203 may be implemented by steps C1 to C2:
and C1, analyzing and processing the second data and the third data through PLS, and determining a fitting parameter between the second data and the third data.
In one embodiment, the fitting parameter may indicate whether an association exists between the second data and the third data.
In one embodiment, the fitting parameter may represent the strength of the correlation between the second data and the third data.
In one embodiment, the fitting parameter may be a cross-validation parameter between the second data and the third data.
In one embodiment, determining the fitting parameter between the second data and the third data by PLS may be performed in any one of the following ways:
the fitting parameter is determined by analyzing, through PLS, the degree of fit between the third data and a linear combination of at least one second-data variable;
the fitting parameter is determined by analyzing, through PLS, the degree of fit between a linear combination of at least one third-data variable and a linear combination of at least one second-data variable;
the second data and the third data are first normalized to obtain a first normalized result and a second normalized result, and the degree of fit between the first normalized result and the second normalized result is then analyzed through PLS to determine the fitting parameter.
In one embodiment, in the case that the fitting parameter represents a cross-validity parameter, the cross-validity parameter between the second data and the third data may be calculated by equation (4):
Figure BDA0003014100350000131
In formula (4),
Figure BDA0003014100350000132
denotes the cross-validity parameter between the second data and the third data; d is a constant with 0 < d ≤ h+1;
Figure BDA0003014100350000133
denotes the fitting quantity between the second data and the third data computed with the d-th quantized datum deleted, when h components are used for regression modelling, and is recorded as the first fitting quantity;
Figure BDA0003014100350000134
denotes the fitting quantity between the second data and the third data computed from all quantized data in the first quantization result, when h components are used for regression modelling, and is recorded as the second fitting quantity;
Figure BDA0003014100350000135
denotes the normalized third data.
Step C2: extract the first difference feature information from the second data based on the fitting parameter.
In one embodiment, step C2 may be implemented as follows:
a fitting threshold is determined, and the first difference feature information is extracted from the second data according to the relative size of the fitting threshold and the fitting parameter.
A fitting threshold is determined; when the fitting parameter
Figure BDA0003014100350000136
is smaller than the fitting threshold, the first difference feature information is extracted from the second data.
When the fitting parameter is smaller than the threshold, the PLS extraction of
Figure BDA0003014100350000137
i.e. of principal components, ends; the number of principal components extracted at this point is k, and then
Figure BDA0003014100350000138
has its k coefficients taken in absolute value, the absolute values are sorted in descending order, and the quantized values in the k first quantization results corresponding to the k sorted absolute values are used as the first difference feature information.
Illustratively, the fitting threshold may be 0.0975.
Fig. 3 is a schematic flow chart of first difference feature information extraction according to an embodiment of the present disclosure. As shown in fig. 3, the process may include steps 203-1 to 203-7:
Step 203-1: determine the feature variables to be screened.
In one embodiment, the feature variables to be screened may include the request information data and the operation behavior data in the foregoing embodiments.
In one embodiment, the feature variables to be screened may include text data in the request information data and the operation behavior data, and the text data may be words.
Step 203-2: calculate the word frequency (TF) of each feature variable.
Illustratively, the TF value of each feature variable may be calculated by equation (1) described in the foregoing embodiment.
Step 203-3: calculate the inverse document frequency (IDF) of each feature variable.
For example, the IDF value of each feature variable may be determined by equation (2) in the foregoing embodiment.
Step 203-4: calculate the quantization result of each variable.
Illustratively, the quantization result of each variable may be calculated by multiplying the word frequency by the inverse document frequency, i.e., by formula (3) provided in the foregoing embodiment.
Through the quantization process, objective quantization of the first data is achieved, and quantization deviation caused by artificial subjective quantization is reduced, so that characteristics related to intrusion behaviors can be better screened out, and the reliability of a final detection result can be improved.
Illustratively, the quantization result of each variable may be the first quantization result described in the foregoing embodiment.
Step 203-5: calculate the cross-validity parameter.
Illustratively, the cross-validation parameter may be calculated by PLS on the second data and the third data in the first quantized result.
Step 203-6: determine the number of variables to extract.
Illustratively, the number of variables to extract from the second data may be determined according to the relative size of the cross-validity parameter and the fitting threshold.
Step 203-7: extract the first difference feature information.
The extraction of the first difference feature information is the same as the process described in the foregoing embodiment and is not repeated here.
In the related art, screening the feature variables highly correlated with intrusion behaviour out of a large number of feature variables is closely related to both the accuracy of intrusion detection and the amount of computation in subsequent detection; feature information is generally extracted from data by Principal Component Analysis (PCA).
Compared with that scheme, the first difference feature information extracted from the second data by PLS in the embodiment of the present application has a reduced dimension relative to the second data; it comprises the maximal orthogonal feature components of the second data; and it also carries sufficient association between the second data and the third data, which provides a sufficient feature-information guarantee for the subsequent feature detection stage and lays a foundation for efficient and accurate security state detection.
In summary, in the detection method provided by the embodiment of the present application, scientific quantization and accurate extraction of text features are achieved by an objective quantization method together with PLS processing, so that the amount of computation in the subsequent detection process can be reduced, the accuracy of state detection can be improved, and the adaptive capability of the detection method can be improved.
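The PLS selection procedure above (steps C1-C2 and 203-5 to 203-7), as an added worked example in Python that is not part of the patent: it fits PLS1 by NIPALS, computes the cross-validity parameter as Q_h^2 = 1 - PRESS_h / SS_(h-1) (the leave-one-out "first fitting quantity" against the all-data "second fitting quantity"; this standard form is an assumption, since equation (4) is only an image on the page), stops adding components when Q_h^2 drops below the 0.0975 fitting threshold, and keeps the k input variables with the largest absolute regression coefficients. The data set is constructed, and reading the "k coefficients" as regression coefficients is an assumption.

```python
import math

# Constructed example data (not from the page). X_ROWS: 12 requests, each a 5-variable
# quantized request-information vector (the "second data"); Y_VALS: the quantized
# operation-behaviour value of each request (the "third data"). Variables 0 and 1
# drive Y (Y = 2*x0 + x1 +/- 0.03); variables 2 to 4 are unrelated.
X_ROWS = [
    [0.10, 0.50, 0.30, 0.90, 0.20], [0.20, 0.30, 0.70, 0.10, 0.40],
    [0.30, 0.80, 0.20, 0.60, 0.10], [0.40, 0.20, 0.60, 0.40, 0.90],
    [0.50, 0.90, 0.40, 0.70, 0.30], [0.60, 0.40, 0.80, 0.20, 0.50],
    [0.70, 0.60, 0.10, 0.80, 0.70], [0.80, 0.10, 0.50, 0.30, 0.60],
    [0.90, 0.70, 0.90, 0.50, 0.80], [1.00, 0.30, 0.30, 0.60, 0.20],
    [0.15, 0.45, 0.55, 0.35, 0.65], [0.85, 0.65, 0.25, 0.75, 0.15],
]
Y_VALS = [0.73, 0.67, 1.43, 0.97, 1.93, 1.57, 2.03, 1.67, 2.53, 2.27, 0.78, 2.32]
FIT_THRESHOLD = 0.0975  # the example fitting threshold given on the page


def _dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def _center(X, y):
    """Mean-centre X and y (the normalisation step before PLS) and return the means."""
    n, p = len(X), len(X[0])
    xm = [sum(r[j] for r in X) / n for j in range(p)]
    ym = sum(y) / n
    return [[r[j] - xm[j] for j in range(p)] for r in X], [v - ym for v in y], xm, ym


def pls1_fit(X, y, h):
    """PLS1 (NIPALS) with h components. Returns (B, x_means, y_mean), where B are the
    regression coefficients in centred space, B = W (P^T W)^-1 q."""
    E, f, xm, ym = _center(X, y)
    p = len(xm)
    W, P, Q = [], [], []
    for _ in range(h):
        w = [_dot([r[j] for r in E], f) for j in range(p)]   # weights ~ cov(E, f)
        norm = math.sqrt(_dot(w, w))
        if norm < 1e-12:
            break                                            # no covariance left
        w = [v / norm for v in w]
        t = [_dot(r, w) for r in E]                          # scores
        tt = _dot(t, t)
        pl = [_dot([r[j] for r in E], t) / tt for j in range(p)]  # loadings
        q = _dot(f, t) / tt
        E = [[r[j] - ti * pl[j] for j in range(p)] for r, ti in zip(E, t)]  # deflate
        f = [fi - q * ti for fi, ti in zip(f, t)]
        W.append(w); P.append(pl); Q.append(q)
    # P^T W is upper unitriangular, so r_h = w_h - sum_{i<h} (p_i . w_h) r_i
    R, B = [], [0.0] * p
    for w, q in zip(W, Q):
        r = w[:]
        for pi, ri in zip(P, R):
            c = _dot(pi, w)
            r = [rv - c * riv for rv, riv in zip(r, ri)]
        R.append(r)
        B = [b + q * rv for b, rv in zip(B, r)]
    return B, xm, ym


def predict(model, x):
    B, xm, ym = model
    return ym + _dot([xi - mi for xi, mi in zip(x, xm)], B)


def cross_validity(X, y, h):
    """Q_h^2 = 1 - PRESS_h / SS_(h-1). PRESS_h sums the squared errors of leave-one-out
    refits with h components (each with the d-th datum deleted: the first fitting
    quantity); SS_(h-1) is the residual sum of squares of the (h-1)-component model
    on all the data (the second fitting quantity)."""
    n = len(X)
    press = sum((y[d] - predict(pls1_fit(X[:d] + X[d + 1:], y[:d] + y[d + 1:], h), X[d])) ** 2
                for d in range(n))
    if h == 1:
        ym = sum(y) / n
        ss = sum((v - ym) ** 2 for v in y)
    else:
        m = pls1_fit(X, y, h - 1)
        ss = sum((v - predict(m, x)) ** 2 for x, v in zip(X, y))
    return 0.0 if ss < 1e-12 else 1.0 - press / ss


def select_component_count(X, y, threshold=FIT_THRESHOLD):
    """Steps 203-5 and 203-6: keep adding components while Q_h^2 >= threshold;
    k is the last accepted count (at least 1)."""
    k = 0
    for h in range(1, len(X[0]) + 1):
        if cross_validity(X, y, h) < threshold:
            break
        k = h
    return max(k, 1)


def extract_difference_features(X, y, threshold=FIT_THRESHOLD):
    """Steps C1-C2 / 203-7: choose k, fit the k-component model, rank the input
    variables by |coefficient| in descending order and keep the top k."""
    k = select_component_count(X, y, threshold)
    B, _, _ = pls1_fit(X, y, k)
    ranked = sorted(range(len(B)), key=lambda j: abs(B[j]), reverse=True)
    return k, ranked[:k]
```

On the constructed data the dominant variable 0 is always among the selected features; with real TF-IDF vectors (the page's 41-variable KDDCup99 case) the same loop yields the k retained variables.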
Step 204: detect the security state of the first data based on the first difference feature information.
In this embodiment of the present application, step 204 may be implemented as follows:
the first difference feature information is detected by the trained detection network to obtain the security state of the first data.
The trained detection network is obtained by training the detection network based on the second difference characteristic information; the second difference characteristic information is obtained by processing the sample data through the PLS; the sample data comprises at least one request information data and operation behavior data corresponding to the at least one request information data.
In one embodiment, the sample data may be obtained from a database.
In one embodiment, the sample data may include a plurality of different types of request information data, and a plurality of types of operation behavior data.
In one embodiment, the sample data may include different types of request information data and corresponding operational behavior data for multiple different types of network devices.
With the continuous development of internet technology, hundreds of millions of Internet-of-Things devices are continuously connecting to the network, and the ever-increasing dimensions and complex interaction behaviours gradually complicate the network environment. The ubiquity of large-scale heterogeneous networks further increases the uncertainty of the request information data and the corresponding operation behaviour data in a network system, for example through packet loss and delay during network transmission, or through uncertainty factors such as platform differences produced by the heterogeneous network environment, which poses a huge challenge to intrusion detection methods.
In order to improve the robustness of the detection network, the sample data may include known types of request information data and corresponding operation behavior data, and the types and the number of the request information data and the operation behavior data may also be updated and increased in real time.
In the embodiment of the present application, a process of processing sample data by using PLS to obtain second difference feature information is the same as a process of determining a fitting parameter between second data and third data by using PLS in the foregoing embodiment, and extracting first difference feature information based on the fitting parameter, and details are not repeated here.
In one embodiment, the detection network may be a neural network with feature extraction function.
In one embodiment, the detection network may be a neural network capable of adaptively performing feature extraction.
In one embodiment, the detection network may be a fuzzy neural network.
In one embodiment, the detection network may be an adaptive fuzzy neural network.
Because the complexity and uncertainty of the network environment are increasingly evident, the intrusion detection methods in the related art cannot handle the uncertainty problem well, which directly lowers their detection accuracy. A fuzzy neural network combines the advantages of a neural network and a fuzzy system, and using a fuzzy neural network to detect the network security state can improve accuracy on non-linear and uncertain problems; an adaptive fuzzy neural network can further speed up the training of the fuzzy neural network.
In the embodiment of the application, the first difference characteristic information is detected through the trained adaptive fuzzy neural network, so that the detection precision and the adaptive capacity can be improved on the one hand; on the other hand, the detection result, namely the security state of the first data can represent the actual network security state, and even under the condition that new types of threat data appear, the detection rule of the fuzzy system can still be relied on to output continuous fuzzy results.
In the embodiment of the present application, the trained neural network is obtained through steps D1 to D3:
Step D1: perform fuzzy detection on the second difference feature information through the detection network to obtain a detection result.
In an embodiment, the fuzzy detection of the second difference feature information through the detection network may be implemented by:
a fuzzy detection rule of the detection network is obtained, and fuzzy calculation detection is performed on the second difference feature information based on the fuzzy detection rule to obtain the detection result;
fuzzy detection is performed, through the detection network, on each piece of feature information, or on specified feature information, in the second difference feature information to obtain the detection result.
Step D2: obtain a state label from the sample data.
In one embodiment, the status tag may be a tag carried in the sample data and used for indicating a security type or a security level corresponding to the sample data.
In one embodiment, the status label may include text information as well as numerical information.
In one embodiment, the status label may be a numerical variable obtained by quantization using the quantization process described in the previous embodiment.
Step D3: adjust the fuzzy rule parameters based on the detection result and the state label to obtain the trained detection network.
In one embodiment, in the case that the first condition is satisfied, the fuzzy rule parameters may be continuously adjusted based on the detection result and the status label until the second condition is satisfied, and the adjustment operation is stopped, so as to obtain a trained detection network.
Illustratively, the first condition may include any one of:
the matching degree between the detection result and the state label is weak;
the detection result is not equal to the state label;
the difference between the detection result and the state label is larger than a preset threshold value.
Accordingly, the second condition may include any one of:
the matching degree between the detection result and the state label is stronger;
the detection result is equal to the state label;
the difference between the detection result and the state label is smaller than a preset threshold value.
In the embodiment of the application, the detection network may include an input layer and a detection layer.
Exemplarily, the input layer may be configured to input the second differential feature information; the number of neurons in the input layer may be equal to the number of second differential feature information. For example, if the number of the second differential feature information is k, the number of the neurons in the input layer may also be k.
Illustratively, the detection layer can perform detection analysis on the data input by the input layer.
In one embodiment, the detection layer may process the second differential feature information through a Radial Basis Function (RBF). For example, in the case that the detection layer performs characteristic detection through RBF, the detection layer may be referred to as RBF layer; illustratively, the RBF layer may include r neurons, and the output of each neuron may be determined by equation (5):
Figure BDA0003014100350000181
In formula (5),
Figure BDA0003014100350000182
denotes the output of the j-th neuron of the RBF layer; $c_j=[c_{1j},c_{2j},\dots,c_{rj}]$ is the center vector of the j-th RBF layer neuron, where $c_{ij}$ denotes the center value of the i-th input neuron with respect to the j-th neuron; $\sigma_j$ denotes the width of the j-th neuron; $x=[x_1,x_2,\dots,x_k]^T$ is the output data of the input layer, where $x_i$ denotes the i-th input feature variable.
For example, the detection network may further include a normalization layer, where the normalization layer is configured to normalize the output data of the detection layer, and specifically as shown in equation (6):
Figure BDA0003014100350000183
In formula (6), $\mu_j$ is the output of the j-th neuron of the normalization layer.
Illustratively, the detection network may further include an output layer for performing weighted output on the output data of the normalization layer, as shown in equation (7):
Figure BDA0003014100350000191
In formula (7), $\omega_j$ denotes the connection weight between the j-th neuron of the normalization layer and the output neuron; $y_i$ denotes the actual output of the i-th output neuron.
Illustratively, the output layer may further implement a type determination function, and the type determination function may be implemented by equation (8):
Figure BDA0003014100350000192
In formula (8),
Figure BDA0003014100350000193
denotes the target value; for example,
Figure BDA0003014100350000194
may be the state label in the foregoing embodiment; $\alpha$ ($0<\alpha<0.5$) denotes the error value.
In the embodiment of the present application, step D3 may be implemented by steps E1 to E3:
Step E1: determine an error threshold.
In one embodiment, the error threshold may be a fixed value.
In one embodiment, the error threshold may be an adjustable value, and exemplarily, a value of the error threshold may vary with a change of a sample data type; the error threshold may also change with the change of the application scenario, for example, in a scenario with a strict security level requirement, the error threshold may be set to a smaller value; in a scenario where the security level requirement is relaxed, the error threshold may be set to a larger value.
In one embodiment, the error threshold may be determined during the training of the detection network, or may be set in advance.
Step E2: determine the detection error of the feature detection module based on the detection result and the state label.
In one embodiment, the detection error may be obtained by calculating a difference between the detection result and the status label.
In one embodiment, the detection error may be obtained by calculating a mean square error between the detection result and the state label.
For example, the detection error can be calculated by equation (9):
Figure BDA0003014100350000201
In formula (9), M denotes the total number of sample data; y denotes the detection result; Y denotes the state label.
Step E3: when the detection error is greater than or equal to the error threshold, adjust the fuzzy rule parameters through the parameter adjustment module based on the detection result, the state label and the error threshold to obtain the trained detection network.
Correspondingly, under the condition that the detection error is smaller than the error threshold, the training process of the detection network can be stopped, and the fuzzy rule parameters are stored to obtain the detection network after training.
In this way, a complete detection network model can be constructed in which each layer performs a relatively independent data-processing function; in addition, compared with a conventional fuzzy neural network, the detection network provided by the embodiment of the present application introduces an error value, which improves the fault tolerance and the adaptive performance of the detection network. That is, the detection network provided by the embodiment of the present application, built on an adaptive fuzzy neural network, can better handle the uncertainty problem through the learning and adjustment of the fuzzy rule parameters driven by the error threshold.
Therefore, in the detection method provided by the embodiment of the present application, the fuzzy rule parameters of the trained detection network that finally detects the first difference feature information can be flexibly adjusted according to the processing results of various types of sample data, the error threshold and the state labels in the sample data, which lays a foundation for efficient and accurate detection by the adaptive fuzzy neural network.
In the embodiment of the present application, step D3 may be implemented by steps F1 to F2:
Step F1: determine an adaptive learning rate parameter based on the state label, the detection result and the fuzzy rule parameters.
In one embodiment, the adaptive learning rate parameter may be determined according to each detection result, a state label corresponding to the detection result, and a fuzzy rule parameter.
In one embodiment, the adaptive learning rate parameter may change with each change in the sample data.
In one embodiment, the adaptive learning rate parameter may maintain a weak range of variation in the detection network for the same type of sample data.
Illustratively, the adaptive learning rate parameter may be determined by equation (10):
Figure RE-GDA0003255047140000211
In equation (10), $\eta(t)$ denotes the adaptive learning rate parameter of the t-th training, and $\Lambda(t)$ may be calculated by
Figure BDA0003014100350000212
where
Figure BDA0003014100350000213
denotes the state label of the t-th sample datum; y(t) is the detection result of the t-th sample datum; $\omega=[\omega_1,\omega_2,\dots,\omega_r]$ denotes the connection weight vector.
The adaptive learning rate calculated by formula (10) varies with the error $\alpha$: in the early stage of training the detection network the learning rate is larger, which accelerates convergence of the detection network; in the later stage it is smaller, so that the detection network can converge to a globally optimal state.
Step F2: adjust the fuzzy rule parameters based on the adaptive learning rate parameter, the detection result, the state label and the initial fuzzy rule parameters.
In one embodiment, the initial fuzzy rule parameters may include parameters of the detection network in an initial state.
In one embodiment, the initial fuzzy rule parameters may include fuzzy rule parameters obtained after the ith detection network training, which may be used as the initial fuzzy rule parameters adjusted by the (i + 1) th fuzzy rule parameters.
In the embodiment of the application, the fuzzy rule parameters comprise a first fuzzy rule parameter and a second fuzzy rule parameter; accordingly, the detection network comprises an output module and a characteristic detection module.
The characteristic detection module is used for detecting the second difference characteristic information based on the first fuzzy parameter to obtain a first result; and the output module is used for carrying out type division on the first result based on the second fuzzy parameter to obtain a detection result.
Accordingly, adjusting the fuzzy rule parameters can be realized by the following steps:
the first fuzzy parameter and the second fuzzy parameter are adjusted based on the detection result and the adaptive learning rate parameter.
In one embodiment, the output module may include the output layer described in the previous embodiment.
In one embodiment, the feature detection module may include the detection layer and the normalization layer described in the previous embodiment; illustratively, the feature detection module may further include the input layer described in the foregoing embodiments.
Accordingly, the first fuzzy parameters may include the center vectors and the widths of the RBF layer neurons described in the foregoing embodiment; the second fuzzy parameter may include the connection weight vector described in the foregoing embodiment.
For example, the first fuzzy parameters and the second fuzzy parameter may be calculated by equations (11) to (13):
Figure BDA0003014100350000221
Figure BDA0003014100350000222
Figure BDA0003014100350000223
As can be seen from equations (11) to (13), the first fuzzy parameters of the j-th neuron of the feature detection module at the (t+1)-th training, $c_j(t+1)$ and $\sigma_j(t+1)$, are computed from the adaptive learning rate parameter of the t-th training $\eta(t)$, the first fuzzy parameters of the t-th training $c_j(t)$ and $\sigma_j(t)$, and the detection result of the t-th training $y(t)$; correspondingly, the second fuzzy parameter of the j-th neuron of the output module at the (t+1)-th training, $\omega_j(t+1)$, is computed from the detection result of the t-th training $y(t)$, the adaptive learning rate parameter of the t-th training $\eta(t)$, and the second fuzzy parameter of the t-th training $\omega_j(t)$.
In the related art, adjustment of neural network parameters is usually realized by Back Propagation (BP), however, the BP algorithm has the disadvantages of being easy to get into a local minimum value and slow in convergence speed, and based on the above problems, the detection algorithm provided by the embodiment of the present application can accelerate the learning speed of the detection network by an Adaptive Back Propagation (ABP) learning algorithm, thereby indirectly improving the detection efficiency.
As can be seen from the above, the ABP policy provided in the embodiment of the present application can overcome the problems of a fixed learning rate, a low convergence rate and a local minimum value easily caused in the conventional BP algorithm, so that the learning speed of the detection network is increased, and the learning performance of the detection network can be improved.
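The RBF detection network of equations (5) to (9) together with the error-threshold training loop of steps E1-E3 and the adaptive learning rate of steps F1-F2, as an added Python example that is not the patent's code. Because the page's equations are images, the block assumes a Gaussian RBF for (5), the usual normalization and weighted sum for (6) and (7), a tolerance test |y - target| < alpha for (8) and mean square error for (9); the learning-rate formula and the restriction of the update to the connection weights are constructed stand-ins for equations (10) to (13), and the samples are constructed.

```python
import math

# Constructed sample data (not from the page): k=2 difference-feature values per
# sample with a numeric state label (0.0 = normal, 1.0 = intrusion).
SAMPLES = [
    ([0.10, 0.20], 0.0), ([0.20, 0.10], 0.0), ([0.15, 0.25], 0.0), ([0.05, 0.10], 0.0),
    ([0.90, 0.80], 1.0), ([0.80, 0.90], 1.0), ([0.85, 0.75], 1.0), ([0.95, 0.90], 1.0),
]
LABELS = [0.0, 1.0]


def rbf_layer(x, centers, widths):
    """Detection (RBF) layer; eq. (5) taken as a Gaussian RBF (assumed form):
    phi_j = exp(-||x - c_j||^2 / (2 sigma_j^2)) for each of the r neurons."""
    return [math.exp(-sum((xi - ci) ** 2 for xi, ci in zip(x, c)) / (2.0 * s * s))
            for c, s in zip(centers, widths)]


def normalization_layer(phi):
    """Eq. (6): mu_j = phi_j / sum_j phi_j."""
    total = sum(phi)
    return [p / total for p in phi]


def output_layer(mu, weights):
    """Eq. (7): y = sum_j omega_j * mu_j (a single output neuron)."""
    return sum(w * m for w, m in zip(weights, mu))


def forward(net, x):
    mu = normalization_layer(rbf_layer(x, net["centers"], net["widths"]))
    return output_layer(mu, net["weights"]), mu


def determine_type(y, labels=LABELS, alpha=0.3):
    """Eq. (8) as read from the page: y matches a target label when |y - label| < alpha
    (0 < alpha < 0.5); None means no type matched."""
    for lab in labels:
        if abs(y - lab) < alpha:
            return lab
    return None


def detection_error(net, samples):
    """Eq. (9): mean square error over the M samples between result y and label Y."""
    return sum((forward(net, x)[0] - Y) ** 2 for x, Y in samples) / len(samples)


def train(samples, centers, widths, error_threshold=1e-3, eta0=0.5, max_epochs=500):
    """Steps E1-E3 and F1-F2. Only the second fuzzy parameter (omega) is adjusted here;
    the first fuzzy parameters (centres, widths) stay fixed. The learning rate
    eta(t) = eta0 * (0.2 + 0.8 * E(t)/E(0)) is a constructed stand-in for eq. (10):
    large while the error is large, small as training converges."""
    net = {"centers": [c[:] for c in centers], "widths": list(widths),
           "weights": [0.0] * len(centers)}
    e0 = e = detection_error(net, samples)
    epochs = 0
    while e >= error_threshold and epochs < max_epochs:     # E3: adjust while error >= threshold
        eta = eta0 * (0.2 + 0.8 * e / e0)                      # F1: adaptive learning rate
        grad = [0.0] * len(net["weights"])
        for x, Y in samples:
            y, mu = forward(net, x)
            for j, mj in enumerate(mu):                        # dE/d omega_j of the MSE
                grad[j] += 2.0 * (y - Y) * mj / len(samples)
        net["weights"] = [w - eta * g for w, g in zip(net["weights"], grad)]  # F2
        e = detection_error(net, samples)
        epochs += 1
    return net, e, epochs
```

A stricter error threshold (the page's "strict security level" case) simply keeps the loop running longer; the max_epochs guard stops it if the threshold is unreachable with the fixed centres and widths.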
Fig. 4 is a schematic structural diagram of detection network training provided in the embodiment of the present application.
As shown in fig. 4, the detection network training structure may include three parts, a cooperative feature selection module 401, an adaptive fuzzy neural network 402, and an adaptive parameter adjustment module 403. Wherein:
the cooperative Feature Selection module 401 may implement a function of a Cooperative Feature Selection Algorithm (CFSA); for example, the CFSA may implement the functions of obtaining a sample quantization result by quantizing the sample data and extracting the second differential feature information from the sample quantization result, which are described in the foregoing embodiments.
The adaptive fuzzy neural network 402 may include the detection network described in the foregoing embodiment, and is configured to analyze and process the second difference characteristic information to obtain a sample detection result; and can also receive the parameter adjustment result of the adaptive parameter adjustment module 403, and update the first fuzzy parameter and the second fuzzy parameter of itself according to the parameter adjustment result.
The adaptive parameter adjustment module 403 is configured to adjust the fuzzy rule parameters according to the output data of the adaptive fuzzy neural network 402, the state label and the preceding fuzzy rule parameters, and to send the parameter adjustment result to the adaptive fuzzy neural network.
In the embodiment of the present application, an objective quantization method is adopted in the cooperative feature selection module 401, and PLS is adopted to extract the second differential feature information, so that the adaptive fuzzy neural network 402 can more intelligently infer rules among sample data, human participation factors are reduced, and the detection process is more objective and controllable.
In the related art, there is also a scheme that performs feature screening with a deep belief network; although the recognition accuracy of that method is improved, the training process of such networks consumes a large amount of computing resources and needs a long training time. In the detection network training method provided by the embodiment of the present application, the dimension of the second difference feature information is effectively reduced by PLS, so that the amount of computation in training the detection network can be reduced; in addition, the adaptive fuzzy neural network can improve the stability of the detection network.
Through the above manner, in the neural network training method provided by the embodiment of the application, after sample data is quantized, second difference characteristic information is extracted from a sample data quantization result through the PLS, and based on the second difference characteristic information, the state label of the sample data and the initial fuzzy rule parameter, the fuzzy rule parameter of the adaptive fuzzy neural network is adjusted, so that the precision of sample data feature extraction is improved; in the training process of the self-adaptive fuzzy neural network, an error threshold value and a self-adaptive learning rate parameter are introduced, so that the speed of the self-adaptive fuzzy neural network is increased, the convergence state of the self-adaptive fuzzy neural network is improved, and a foundation is laid for efficient and accurate detection of the first data in the follow-up process.
Fig. 5a is a diagram illustrating statistics of classification results of five types of data by using the detection method provided in the embodiment of the present application.
Fig. 5b is a schematic diagram of the statistical results of the false detection rates and missed detection rates of the five data types detected by the detection method provided in the embodiment of the present application.
Fig. 5c is a schematic diagram of a detection accuracy statistics of five data detections by using the detection method provided in the embodiment of the present application.
It should be noted that the results shown in fig. 5a to fig. 5c are obtained by counting the detections of five types of data by the detection method provided in the embodiment of the present application. The five types of data are obtained from the KDDCup99 intrusion detection database; after the five types of data are acquired, 5 highly correlated feature variables are screened out of the 41 input variables by the CFSA provided by the embodiment of the present application, the screened feature variables are then detected by the detection network provided by the embodiment of the present application, and finally statistics are compiled from the detection results.
The five types of data are Normal, Probing, DoS (Denial-of-Service), U2R (Unauthorized Access to Local Superuser Privileges) and R2L (Unauthorized Access from a Remote Machine).
In fig. 5a, classification of the five types of data yields 990 Normal, 790 Probing, 980 DoS, about 30 U2R and about 200 R2L records, and these counts are equivalent to the number of records of each type obtained from the KDDCup99 intrusion detection database. That is, the detection method provided by the embodiment of the present application has high accuracy in separating the five data types.
In fig. 5b, after the detection method provided by the embodiment of the present application is adopted to detect five types of data, the false detection rate and the missing detection rate corresponding to the detection results are (0,0.001), (0.006, 0.005), (0.006, 0.004), (0.03, 0.02), and (0.018, 0.014), respectively.
In fig. 5c, after the detection method provided by the embodiment of the present application is used to detect five types of data, the detection accuracies corresponding to the detection results are 1, 0.99, 0.98, 0.95, and 0.97, respectively.
From the above, after the detection method provided by the embodiment of the application is adopted to detect the five types of data, the false detection rate and the missing detection rate corresponding to the detection result are reduced compared with the false detection rate and the missing detection rate of the network detection method in the related art, and the detection accuracy is greatly improved compared with the detection accuracy of the detection method in the related art.
Based on the foregoing embodiments, the embodiment of the present application further provides a detection device 6, and fig. 6 is a schematic structural diagram of the detection device 6 provided in the embodiment of the present application. As shown in fig. 6, the detection apparatus 6 may include an obtaining module 601, a feature extracting module 602, and a detecting module 603; wherein:
an obtaining module 601, configured to obtain first data; the first data at least comprises network request data;
the feature extraction module 602 is configured to analyze the first data and extract first difference feature information; the first difference feature information comprises variation information carried in the first data; the variation information comprises quantitative difference information between the first data and other network request operation information and an incidence relation between the request information data and the operation behavior data;
the detecting module 603 is configured to detect a security status of the first data based on the first difference characteristic information.
In some embodiments, the feature extraction module 602 is configured to analyze the first data to obtain second data and third data; the second data comprises data related to the request information data in the first data; third data including data related to the operation behavior data in the first data;
the feature extraction module 602 is configured to analyze the second data and the third data by using a Partial Least Squares (PLS), and extract first differential feature information.
In some embodiments, the feature extraction module 602 is configured to perform analysis processing on the second data and the third data by PLS, and determine a fitting parameter between the second data and the third data;
a feature extraction module 602, configured to extract first difference feature information from the second data based on the fitting parameters.
In some embodiments, the feature extraction module 602 is configured to quantize the first data to obtain a first quantization result; second data and third data are obtained from the first quantization result.
In some embodiments, the feature extraction module 602 is configured to quantize the first type data in the first data to obtain a second quantization result; the first type data comprises text data;
a feature extraction module 602, configured to obtain second type data from the first data; wherein the second type data comprises numerical data;
and obtaining a first quantization result based on the second quantization result and the second type data.
In some embodiments, the detecting module 603 is configured to detect the first difference feature information through the trained detection network, so as to obtain a security state of the first data; the trained detection network is obtained by training the detection network based on the second difference characteristic information; the second difference characteristic information is obtained by processing the sample data through the PLS; and the sample data comprises at least one request information data and operation behavior data corresponding to the at least one request information data.
In some embodiments, the detecting module 603 is configured to perform fuzzy detection on the second difference characteristic information through a detection network to obtain a detection result; acquiring a state label from sample data; and adjusting fuzzy rule parameters based on the detection result and the state label to obtain the trained detection network.
In some embodiments, the detecting module 603 is configured to determine an adaptive learning rate parameter based on the state label, the detection result, and the fuzzy rule parameter; and adjusting the fuzzy rule parameters based on the self-adaptive learning rate parameters, the detection result, the state label and the initial fuzzy rule parameters.
In some embodiments, the fuzzy rule parameters include a first fuzzy parameter and a second fuzzy parameter; the detection network comprises an output module and a characteristic detection module; the characteristic detection module is used for detecting the second difference characteristic information based on the first fuzzy parameter to obtain a first result; the output module is used for carrying out type division on the first result based on the second fuzzy parameter to obtain a detection result; the detecting module 603 is configured to adjust the first fuzzy parameter and the second fuzzy parameter based on the detection result and the adaptive learning rate parameter.
In some embodiments, the detecting module 603 is configured to determine an error threshold; determine a detection error of the feature detection module based on the detection result and the state label; and, when the detection error is greater than or equal to the error threshold, adjust the fuzzy rule parameters through a parameter adjusting module based on the detection result, the state label and the error threshold to obtain the trained detection network.
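The quantisation, PLS fitting and difference-feature steps of the feature extraction module 602 above (restated in claims 2 to 5), carried through as an added example that is not code from the patent or its applicant. It assumes one-component PLS1 (NIPALS) as the concrete PLS method, that a connection's basic KDD fields (protocol_type, service, flag, src_bytes, dst_bytes) stand for the request information data and the 'count' field for the operation behaviour data, and that the PLS score and residual are what "difference feature information" means; the records are constructed.

```python
"""PLS-based difference-feature extraction over constructed KDD-style records.

Assumptions not taken from the patent: request information data = the
connection's basic fields; operation behaviour data = the 'count' field;
the PLS method is one-component PLS1 (NIPALS); the difference features are
the PLS score of each request and the residual of its observed behaviour.
"""
from math import sqrt

# Constructed sample records in KDD Cup 99 column style (not real data).
# (protocol_type, service, flag, src_bytes, dst_bytes, count)
RECORDS = [
    ("tcp", "http", "SF", 215, 45076, 1),
    ("tcp", "http", "SF", 162, 4528, 2),
    ("tcp", "smtp", "SF", 1000, 300, 1),
    ("udp", "domain_u", "SF", 44, 133, 3),
    ("tcp", "private", "S0", 0, 0, 120),    # half-open connections piling up
    ("tcp", "private", "REJ", 0, 0, 90),
    ("icmp", "ecr_i", "SF", 1032, 0, 500),  # echo-reply flood pattern
]
TEXT_FIELDS = 3  # leading text columns that must be quantised first


def quantize_text(records):
    """First quantisation result: text columns become integer category codes
    (the second quantisation result); numeric columns are kept as floats."""
    codes = [dict() for _ in range(TEXT_FIELDS)]
    rows = []
    for rec in records:
        row = [float(codes[i].setdefault(v, len(codes[i])))
               for i, v in enumerate(rec[:TEXT_FIELDS])]
        row.extend(float(v) for v in rec[TEXT_FIELDS:])
        rows.append(row)
    return rows


def _standardise(X):
    """Centre and scale each column so src_bytes does not dominate the fit."""
    n, m = len(X), len(X[0])
    mean = [sum(col) / n for col in zip(*X)]
    sd = [sqrt(sum((X[i][j] - mean[j]) ** 2 for i in range(n)) / n) or 1.0
          for j in range(m)]
    Z = [[(X[i][j] - mean[j]) / sd[j] for j in range(m)] for i in range(n)]
    return Z, mean, sd


def pls1_fit(X, y):
    """Fitting parameters between second data X and third data y: one NIPALS
    component, so w = X'y/|X'y|, t = X w, p = X't/t't, q = y't/t't, and the
    regression coefficient is b = w q (p.w equals 1 for a single component),
    returned here in the original units of X."""
    Z, mean, sd = _standardise(X)
    y_mean = sum(y) / len(y)
    yc = [v - y_mean for v in y]
    w = [sum(Z[i][j] * yc[i] for i in range(len(Z))) for j in range(len(mean))]
    norm = sqrt(sum(v * v for v in w)) or 1.0
    w = [v / norm for v in w]
    t = [sum(a * b for a, b in zip(row, w)) for row in Z]
    tt = sum(v * v for v in t) or 1.0
    p = [sum(Z[i][j] * t[i] for i in range(len(t))) / tt for j in range(len(mean))]
    q = sum(a * b for a, b in zip(yc, t)) / tt
    return {"x_mean": mean, "x_sd": sd, "y_mean": y_mean, "w": w, "p": p,
            "q": q, "b": [wj * q / sj for wj, sj in zip(w, sd)]}


def difference_features(records):
    """Per-record first difference feature information: the PLS score (where
    the request sits along the request/behaviour association) and the residual
    (observed behaviour minus what the association predicts). A large
    |residual| marks a request whose behaviour does not match similar requests."""
    rows = quantize_text(records)
    X = [r[:-1] for r in rows]   # second data: request information
    y = [r[-1] for r in rows]    # third data: operation behaviour
    fit = pls1_fit(X, y)
    feats = []
    for row, obs in zip(X, y):
        z = [(v - m) / s for v, m, s in zip(row, fit["x_mean"], fit["x_sd"])]
        t = sum(a * b for a, b in zip(z, fit["w"]))
        feats.append({"score": t, "residual": obs - (fit["y_mean"] + t * fit["q"])})
    return fit, feats


if __name__ == "__main__":
    fit, feats = difference_features(RECORDS)
    for rec, f in zip(RECORDS, feats):
        print(rec[:3], f"score={f['score']:+.2f}", f"residual={f['residual']:+.1f}")
```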
It should be noted that, in practical applications, the obtaining module 601, the feature extracting module 602, and the detecting module 603 may be implemented by using a processor in a detecting device, where the processor may be at least one of an ASIC, a DSP, a DSPD, a PLD, an FPGA, a CPU, a controller, a microcontroller, and a microprocessor.
As can be seen from the above, the detection device 6 provided in the embodiment of the present application, when first data including request information data and operation behavior data is obtained, can extract first difference characteristic information from the first data, and then detect the security state of the first data according to the first difference characteristic information; the first difference characteristic information includes quantitative difference information between request information data in the first data and an association relationship between the request information data and the operation behavior data, so that the detection device 6 provided in the embodiment of the present application can obtain the difference characteristic information of any network request and can also obtain the association relationship between the request information data and the operation behavior data, thereby enabling the detection of the network state to be more accurate, and the detected security state to be more objective, thereby improving the efficiency of detecting the network security state.
Based on the foregoing embodiment, the embodiment of the present application further provides a detection device 7. Fig. 7 is a schematic structural diagram of a detection apparatus 7 according to an embodiment of the present application. As shown in fig. 7, the detection device 7 includes a processor 701, a memory 702, and a communication bus.
The communication bus is used to realize the communication connection between the processor 701 and the memory 702; the processor 701 is configured to execute a computer program stored in the memory 702 to implement the detection method according to any of the previous embodiments.
The processor 701 may be at least one of an ASIC, a DSP, a DSPD, a PLD, an FPGA, a CPU, a controller, a microcontroller, and a microprocessor. It is understood that the electronic device for implementing the above-mentioned processor function may be other electronic devices, and the embodiments of the present application are not particularly limited.
The memory 702 may be a volatile memory such as a RAM; or a non-volatile memory such as a ROM, a flash memory, a Hard Disk Drive (HDD) or a Solid-State Drive (SSD); or a combination of such types of memory, and provides instructions and data to the processor.
Based on the foregoing embodiments, the present application further provides a computer-readable storage medium, which can be executed by a processor to implement the detection method as described in any of the foregoing embodiments.
The foregoing description of the various embodiments is intended to highlight various differences between the embodiments, and the same or similar parts may be referred to each other, and for brevity, will not be described again herein.
The methods disclosed in the method embodiments provided by the present application can be combined arbitrarily without conflict to obtain new method embodiments.
The features disclosed in the various product embodiments presented in this application can be combined arbitrarily, without conflict, to arrive at new product embodiments.
The features disclosed in the method or apparatus embodiments provided in the present application may be combined arbitrarily, without conflict, to arrive at new method embodiments or apparatus embodiments.
The computer-readable storage medium may be a memory such as a Read Only Memory (ROM), a Programmable Read Only Memory (PROM), an Erasable Programmable Read Only Memory (EPROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), a Ferromagnetic Random Access Memory (FRAM), a Flash Memory, a magnetic surface memory, an optical disc, or a Compact Disc Read-Only Memory (CD-ROM); or may be various electronic devices, such as mobile phones, computers, tablet devices, personal digital assistants, etc., that include one or any combination of the above-mentioned memories.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article, or apparatus that comprises the element.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the above embodiment method may be implemented by software plus a necessary general-purpose hardware platform, and may of course be implemented by hardware, but in many cases, the former is a better embodiment. Based on such understanding, the technical solutions of the present application may be substantially or partially embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to perform the methods described in the embodiments of the present application.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only a preferred embodiment of the present application, and not intended to limit the scope of the present application, and all modifications, equivalents, flow charts, and other related technical fields that are made by using the contents of the specification and drawings of the present application, and are directly or indirectly used in the present application, are included in the scope of the present application.

Claims (13)

1. A method of detection, the method comprising:
acquiring first data; the first data comprises request information data and operation behavior data;
analyzing and processing the first data, and extracting first difference characteristic information; the first difference characteristic information comprises variation information carried in the first data; the variant information comprises quantitative difference information between the first data and other network request operation information and an incidence relation between the request information data and the operation behavior data;
detecting a security status of the first data based on the first differential feature information.
2. The method of claim 1, wherein analyzing the first data to extract first differential feature information comprises:
analyzing the first data to obtain second data and third data; wherein the second data comprises data related to the request information data in the first data; the third data comprises data related to the operation behavior data in the first data;
and analyzing and processing the second data and the third data by a Partial Least Squares (PLS) method, and extracting the first difference characteristic information.
3. The method of claim 2, wherein the analyzing and processing the second data and the third data by the Partial Least Squares (PLS) method to extract the first difference characteristic information comprises:
performing, by the PLS, analysis processing on the second data and the third data to determine fitting parameters between the second data and the third data;
extracting the first differential feature information from the second data based on the fitting parameters.
4. The method of claim 2, wherein analyzing the first data to obtain second data and third data comprises:
quantizing the first data to obtain a first quantization result;
the second data and the third data are obtained from the first quantization result.
5. The method of claim 4, wherein the quantizing the first data to obtain a first quantization result comprises:
quantizing first type data in the first data to obtain a second quantization result; wherein the first type of data comprises text data;
acquiring second type data from the first data; wherein the second type of data comprises numerical data;
and obtaining the first quantization result based on the second quantization result and the second type data.
6. The method of claim 1, wherein the detecting the security status of the first data based on the first differential signature information comprises:
detecting the first difference characteristic information through a trained detection network to obtain a safety state of the first data; the trained detection network is obtained by training the detection network based on second difference characteristic information; the second difference characteristic information is obtained by processing the sample data through a PLS; the sample data comprises at least one request information data and operation behavior data corresponding to the at least one request information data.
7. The method of claim 6, wherein the trained detection network is obtained by:
performing fuzzy detection on the second difference characteristic information through the detection network to obtain the detection result;
acquiring a state tag from the sample data;
and adjusting the fuzzy rule parameters based on the detection result and the state label to obtain the trained detection network.
8. The method of claim 7, wherein adjusting the fuzzy rule parameter based on the detection result and the status tag comprises:
determining an adaptive learning rate parameter based on the state label, the detection result and the fuzzy rule parameter;
and adjusting the fuzzy rule parameters based on the self-adaptive learning rate parameters, the detection result, the state label and the initial fuzzy rule parameters.
9. The method of claim 8, wherein the fuzzy rule parameters comprise a first fuzzy parameter and a second fuzzy parameter; the detection network comprises an output module and a characteristic detection module; the feature detection module is configured to detect the second difference feature information based on the first fuzzy parameter to obtain a first result; the output module is configured to perform type division on the first result based on the second fuzzy parameter to obtain the detection result; the adjusting the fuzzy rule parameter comprises:
adjusting the first fuzzy parameter and the second fuzzy parameter based on the detection result and the adaptive learning rate parameter.
10. The method of claim 7, wherein the adjusting the fuzzy rule parameter based on the detection result and the status label to obtain the trained detection network comprises:
determining an error threshold;
determining a detection error of the feature detection module based on the detection result and the state label;
and under the condition that the detection error is greater than or equal to the error threshold, adjusting the fuzzy rule parameters through the parameter adjusting module based on the detection result, the state label and the error threshold to obtain the trained detection network.
11. A detection device, characterized in that the detection device comprises an acquisition module, a feature extraction module and a detection module, wherein:
the acquisition module is used for acquiring first data; wherein the first data at least comprises network request data;
the feature extraction module is used for analyzing and processing the first data and extracting first difference feature information; the first difference characteristic information comprises variation information carried in the first data; the variant information comprises quantitative difference information between the first data and other network request operation information and an incidence relation between the request information data and the operation behavior data;
the detection module is configured to detect a security state of the first data based on the first difference feature information.
12. A detection device is characterized by comprising a processor, a memory and a communication bus, wherein the communication bus is used for realizing communication connection between the processor and the memory; the processor is configured to execute a computer program stored in the memory to implement the detection method according to any one of claims 1 to 10.
13. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor of a detection device, is capable of carrying out the detection method according to any one of claims 1 to 10.
CN202110383939.0A 2021-04-09 2021-04-09 Detection method, device, equipment and storage medium Pending CN115208595A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110383939.0A CN115208595A (en) 2021-04-09 2021-04-09 Detection method, device, equipment and storage medium


Publications (1)

Publication Number Publication Date
CN115208595A true CN115208595A (en) 2022-10-18

Family

ID=83571381


Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102792635A (en) * 2010-03-09 2012-11-21 微软公司 Behavior-based security system
US20160255139A1 (en) * 2016-03-12 2016-09-01 Yogesh Chunilal Rathod Structured updated status, requests, user data & programming based presenting & accessing of connections or connectable users or entities and/or link(s)
CN110062380A (en) * 2019-04-28 2019-07-26 广东电网有限责任公司 A kind of connected reference request safety detection method of mobile application system
CN110730195A (en) * 2019-12-18 2020-01-24 腾讯科技(深圳)有限公司 Data processing method and device and computer readable storage medium


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination