CN115333801A - Method and system based on bidirectional message intrusion detection - Google Patents


Info

Publication number
CN115333801A
Authority
CN
China
Prior art keywords
message
module
time sequence
client
feature
Prior art date
Legal status
Pending
Application number
CN202210890816.0A
Other languages
Chinese (zh)
Inventor
侯小超
周瑞红
刘玉佳
Current Assignee
Beijing Guorui Digital Intelligence Technology Co ltd
Original Assignee
Beijing Guorui Digital Intelligence Technology Co ltd
Priority date

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L43/00 Arrangements for monitoring or testing data switching networks
            • H04L43/04 Processing captured monitoring data, e.g. for logfile generation
            • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
        • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/04 ... for providing a confidential data exchange among entities communicating through data packet networks
                • H04L63/0428 ... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
            • H04L63/14 ... for detecting or protecting against malicious traffic
                • H04L63/1408 ... by monitoring network traffic
                    • H04L63/1416 Event detection, e.g. attack signature detection
                • H04L63/1441 Countermeasures against malicious traffic
                    • H04L63/145 ... the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • G PHYSICS; G06 COMPUTING; CALCULATING OR COUNTING; G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
        • G06N3/00 Computing arrangements based on biological models
            • G06N3/02 Neural networks
                • G06N3/08 Learning methods


Abstract

The invention provides a method and a system for intrusion detection based on bidirectional messages. By extracting the temporal and spatial features of message data and classifying them with a random forest, the required feature vectors can be detected and rapidly highlighted from every angle, and the integration of different classification capabilities solves the prior-art problem of malicious code using encrypted traffic to evade intrusion detection based on ports or payload keywords. The timestamps carried by the bidirectional messages are used to calculate the transmission time, the deviation of that time from the estimate obtained by channel measurement is computed, and from this it is judged whether the client's message data has been maliciously tampered with; this introduces an additional detection angle as an aid, so detection accuracy is improved.

Description

Method and system based on bidirectional message intrusion detection
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and a system for intrusion detection based on bidirectional messages.
Background
With the continued development of traffic encryption technology, encrypted traffic is gradually replacing unencrypted traffic as the mainstream of today's networks. While this protects user privacy, it is also routinely used by malicious software to evade traditional intrusion detection systems based on ports or payload keywords, posing a serious threat to network security.
The common existing method for detecting encrypted traffic uses a convolutional neural network model to recognise encrypted feature vectors, which does make intrusion detection on encrypted traffic possible, but a single detection angle is easily affected by how well the model was trained. Other detection angles need to be introduced as an aid in order to improve detection accuracy.
A method and a system for intrusion detection based on bidirectional messages are therefore urgently needed.
Disclosure of Invention
The invention aims to provide a method and a system for intrusion detection based on bidirectional messages, which solve the problems that malicious code uses encrypted messages to evade intrusion detection based on ports or payload keywords, and that a single detection angle is easily affected by how well the model was trained.
In a first aspect, the present application provides a method for intrusion detection based on bidirectional messages, the method comprising:
acquiring message data from a client, dividing the network message data into separate session messages with the session as the unit, extracting a feature vector of each session message, and inputting the feature vector into a temporal feature module and a spatial feature module respectively;
the temporal feature module comprises a plurality of hidden-layer neurons divided into two groups, one forming a forward feedback chain and the other a backward feedback chain, so that together they form a bidirectional feedback loop; the current neuron in each chain receives the hidden-layer information passed on by the previous neuron and the state information passed on by the neighbouring neuron adjacent to the previous one, outputs the hidden-layer information of the current moment together with its own updated state information, and passes both to the accumulation unit of the temporal feature module, which adds the vector elements element-wise;
the spatial feature module stores global feature vectors in a plurality of local feature matrices, captures the temporal relations between different message payloads and thereby the long-range dependencies of the data across the vectors, assigns different weight values to the vectors to form the weight matrices Q, K and V, applies linear transformations to Q, K and V in parallel, and combines the results into the global feature it outputs;
extracting the intermediate-layer output of the fully connected neural networks of the temporal feature module and the spatial feature module as the new temporal feature and the new spatial feature of the session message, and concatenating the two to obtain the mixed feature vector of the session message;
transmitting the mixed feature vectors to a random forest on the server for classification, where the random forest performs n rounds of sampling to obtain n training sets, trains on each of them with a specified number of feature values chosen by random column sampling to obtain n decision trees, and the n decision trees produce the classification result by voting;
the message data sent by the client carries a first timestamp, the response message the server returns to the client carries a second timestamp, and the time spent on message transmission is calculated from the first and second timestamps;
measuring and estimating the channel, obtaining the estimated message transmission time from the result, and judging whether the deviation between the measured transmission time and the estimated time lies within a preset range: if so, proceeding to judge the classification result, otherwise determining that the client's message data has been maliciously tampered with;
and judging from the classification result whether malicious code is present in the client's message data; when it is, the server terminates the TLS 1.3 handshake process.
In a second aspect, the present application provides a system for intrusion detection based on bidirectional messages, the system comprising:
a preprocessing module, a temporal feature module and a spatial feature module, where the preprocessing module is used to acquire message data from a client, divide the network message data into separate session messages with the session as the unit, extract a feature vector of each session message, and input the feature vector into the temporal feature module and the spatial feature module respectively;
the temporal feature module comprises a plurality of hidden-layer neurons divided into two groups, one forming a forward feedback chain and the other a backward feedback chain, so that together they form a bidirectional feedback loop; the current neuron in each chain receives the hidden-layer information passed on by the previous neuron and the state information passed on by the neighbouring neuron adjacent to the previous one, outputs the hidden-layer information of the current moment together with its own updated state information, and passes both to the accumulation unit of the temporal feature module, which adds the vector elements element-wise;
the spatial feature module stores global feature vectors in a plurality of local feature matrices, captures the temporal relations between different message payloads and thereby the long-range dependencies of the data across the vectors, assigns different weight values to the vectors to form the weight matrices Q, K and V, applies linear transformations to Q, K and V in parallel, and combines the results into the global feature it outputs;
a classification module, used to extract the intermediate-layer output of the fully connected neural networks of the temporal feature module and the spatial feature module as the new temporal feature and the new spatial feature of the session message, and to concatenate the two into the mixed feature vector of the session message; the mixed feature vectors are transmitted to a random forest on the server for classification, where the random forest performs n rounds of sampling to obtain n training sets, trains on each of them with a specified number of feature values chosen by random column sampling to obtain n decision trees, and the n decision trees produce the classification result by voting;
a bidirectional message judging module, which uses the first timestamp carried in the message data sent by the client and the second timestamp carried in the response message the server returns to the client to calculate the time spent on message transmission; it measures and estimates the channel, obtains the estimated message transmission time from the result, and judges whether the deviation between the measured transmission time and the estimated time lies within a preset range: if so, it proceeds to judge the classification result, otherwise it determines that the client's message data has been maliciously tampered with;
and an execution module, used to judge from the classification result whether malicious code is present in the client's message data; when it is, the server terminates the TLS 1.3 handshake process.
In a third aspect, the present application provides a system for intrusion detection based on bidirectional messages, the system comprising a processor and a memory:
the memory is used to store program code and to transmit the program code to the processor;
the processor is configured to perform the method of any one of the four possibilities of the first aspect according to the instructions in the program code.
In a fourth aspect, the present application provides a computer-readable storage medium storing program code for performing the method of any one of the four possibilities of the first aspect.
Advantageous effects
The method and system provided by the invention extract the temporal and spatial features of message data and classify them with a random forest, so the required feature vectors can be detected and rapidly highlighted from every angle, and the integration of different classification capabilities solves the prior-art problem of malicious code using encrypted traffic to evade intrusion detection based on ports or payload keywords. In addition, the timestamps carried by the bidirectional messages are used to calculate the transmission time, its deviation from the estimate obtained by channel measurement is computed, and from this it is judged whether the client's message data has been maliciously tampered with; this additional detection angle serves as an aid and improves detection accuracy.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings needed for the embodiments are briefly described below; those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is the general flowchart of the method for intrusion detection based on bidirectional messages according to the present invention;
FIG. 2 is the architecture diagram of the system for intrusion detection based on bidirectional messages according to the present invention.
Detailed Description
The preferred embodiments of the present invention are described in detail below with reference to the accompanying drawings, so that the advantages and features of the invention can be understood more easily by those skilled in the art and the scope of the invention is defined more clearly.
TLS 1.3 is a new transport-layer encryption protocol for providing secure communication between a web browser and a server; it is both faster and more secure than its predecessors.
TLS 1.3 speeds up the encrypted connection through TLS False Start and zero round-trip time (0-RTT). In short, a TLS 1.2 handshake requires two round trips whereas TLS 1.3 requires only one, which halves the handshake latency, so the encrypted connection is established faster. This makes recognition and detection faster and more efficient in scenarios that use the new TLS 1.3 protocol, so that the presence of malicious code is discovered before the handshake succeeds.
FIG. 1 is the general flowchart of the method for intrusion detection based on bidirectional messages, the method comprising:
acquiring message data from a client, dividing the network message data into separate session messages with the session as the unit, extracting a feature vector of each session message, and judging whether the feature vector includes a service payload and whether the handshake information is complete;
if the feature vector of a session message does not include a service payload, the session message can be considered unrelated to the service and is likely the result of malicious code tampering;
if the handshake information of a session message is incomplete, the session message can likewise be determined to be the result of malicious code tampering.
Judging from the number of session messages obtained by the division whether further feature compression is to be performed: when the number of session messages exceeds a preset threshold, feature compression is performed, and the previously extracted feature vectors of the session messages are then input into the temporal feature module and the spatial feature module respectively;
if the number of session messages is below the preset threshold, the feature vectors can be input directly into the temporal feature module and the spatial feature module without feature compression.
Feature compression selects, from the extracted feature vectors of the session messages, the subset of features with the strongest discriminative power, so as to reduce the data volume and raise processing speed. Feature compression methods common in the art may be used.
The temporal feature module comprises a plurality of hidden-layer neurons divided into two groups, one forming a forward feedback chain and the other a backward feedback chain, so that together they form a bidirectional feedback loop; the current neuron in each chain receives the hidden-layer information passed on by the previous neuron and the state information passed on by the neighbouring neuron adjacent to the previous one, outputs the hidden-layer information of the current moment together with its own updated state information, and passes both to the accumulation unit of the temporal feature module, which adds the vector elements element-wise;
through this multi-layer structure of hidden-layer neurons, information propagation and long-term memory over the input mixed feature vector are achieved.
The spatial feature module stores global feature vectors in a plurality of local feature matrices, captures the temporal relations between different message payloads and thereby the long-range dependencies of the data across the vectors, assigns different weight values to the vectors to form the weight matrices Q, K and V, applies linear transformations to Q, K and V in parallel, and combines the results into the global feature it outputs;
extracting the intermediate-layer output of the fully connected neural networks of the temporal feature module and the spatial feature module as the new temporal feature and the new spatial feature of the session message, and concatenating the two to obtain the mixed feature vector of the session message;
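The two feature branches and their fusion, as an added illustration that is not the patent's own implementation: a forward and a backward chain of hidden neurons whose outputs are summed element-wise, a module that forms Q, K and V by parallel linear transforms (treating those matrices as scaled dot-product attention is my assumption, as are the layer sizes, the pseudo-random weights and the constructed per-packet features), and the concatenation into the mixed feature vector.

```python
import math
import random

# Minimal pure-Python vector helpers so the example runs without numpy.
def matvec(W, x):
    return [sum(w * xi for w, xi in zip(row, x)) for row in W]

def vadd(a, b):
    return [p + q for p, q in zip(a, b)]

def softmax(xs):
    m = max(xs)
    e = [math.exp(v - m) for v in xs]
    s = sum(e)
    return [v / s for v in e]

def rand_matrix(rows, cols, rng, scale=0.5):
    return [[rng.uniform(-scale, scale) for _ in range(cols)] for _ in range(rows)]

class TemporalFeatureModule:
    """Two chains of hidden neurons: a forward chain over the packet sequence
    and a backward chain over its reverse. Each step takes the current input
    plus the previous neuron's hidden state; the accumulation unit adds the
    two chains' outputs element-wise."""
    def __init__(self, in_dim, hidden, rng):
        self.hidden = hidden
        self.Wx_f, self.Wh_f = rand_matrix(hidden, in_dim, rng), rand_matrix(hidden, hidden, rng)
        self.Wx_b, self.Wh_b = rand_matrix(hidden, in_dim, rng), rand_matrix(hidden, hidden, rng)

    def _chain(self, seq, Wx, Wh):
        h, outputs = [0.0] * self.hidden, []
        for x in seq:
            h = [math.tanh(a + b) for a, b in zip(matvec(Wx, x), matvec(Wh, h))]
            outputs.append(h)
        return outputs

    def forward(self, seq):
        fwd = self._chain(seq, self.Wx_f, self.Wh_f)
        bwd = self._chain(seq[::-1], self.Wx_b, self.Wh_b)[::-1]
        acc = [0.0] * self.hidden
        for f, b in zip(fwd, bwd):
            acc = vadd(acc, vadd(f, b))   # element-wise accumulation
        return acc

class SpatialFeatureModule:
    """Q, K and V are parallel linear transforms of every payload vector.
    Scaled dot-product attention between Q and K yields the weights that
    capture dependencies between distant packets; the weighted V rows are
    averaged into one global feature."""
    def __init__(self, in_dim, d, rng):
        self.d = d
        self.Wq, self.Wk, self.Wv = (rand_matrix(d, in_dim, rng) for _ in range(3))

    def attention_weights(self, seq):
        Q = [matvec(self.Wq, x) for x in seq]
        K = [matvec(self.Wk, x) for x in seq]
        scale = math.sqrt(self.d)
        return [softmax([sum(qi * ki for qi, ki in zip(q, k)) / scale for k in K]) for q in Q]

    def forward(self, seq):
        V = [matvec(self.Wv, x) for x in seq]
        rows = []
        for weights in self.attention_weights(seq):
            ctx = [0.0] * self.d
            for a, v in zip(weights, V):
                ctx = vadd(ctx, [a * vi for vi in v])
            rows.append(ctx)
        return [sum(r[i] for r in rows) / len(rows) for i in range(self.d)]

def mixed_feature(seq, temporal, spatial):
    """Concatenate the temporal and spatial features into the mixed vector."""
    return temporal.forward(seq) + spatial.forward(seq)

def build_modules(seed=7, in_dim=4, hidden=6, attn_dim=5):
    rng = random.Random(seed)
    return TemporalFeatureModule(in_dim, hidden, rng), SpatialFeatureModule(in_dim, attn_dim, rng)

# Constructed session of 5 packets, each reduced to 4 normalised features
# (for instance length, inter-arrival gap, direction flag, payload entropy).
SESSION = [
    [0.30, 0.10, 1.0, 0.72],
    [0.05, 0.02, 0.0, 0.15],
    [0.80, 0.50, 1.0, 0.95],
    [0.78, 0.48, 1.0, 0.97],
    [0.02, 0.01, 0.0, 0.10],
]

if __name__ == "__main__":
    t, s = build_modules()
    print(mixed_feature(SESSION, t, s))   # 6 temporal + 5 spatial values
```

Note that the spatial branch as written is order-independent (it averages over positions), which is exactly why the temporal branch is needed alongside it.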
transmitting the mixed feature vectors to a random forest on the server for classification, where the random forest performs n rounds of sampling to obtain n training sets, trains on each of them with a specified number of feature values chosen by random column sampling to obtain n decision trees, and the n decision trees produce the classification result by voting;
the message data sent by the client carries a first timestamp, the response message the server returns to the client carries a second timestamp, and the time spent on message transmission is calculated from the first and second timestamps;
measuring and estimating the channel, obtaining the estimated message transmission time from the result, and judging whether the deviation between the measured transmission time and the estimated time lies within a preset range: if so, proceeding to judge the classification result, otherwise determining that the client's message data has been maliciously tampered with;
and judging from the classification result whether malicious code is present in the client's message data; when it is, the server terminates the TLS 1.3 handshake process.
When the client's message data contains no malicious code, the server completes the handshake according to the TLS 1.3 handshake standard.
In some preferred embodiments, after the feature vector of the session message has been extracted, the method further comprises judging whether the feature vector includes a service payload and whether the handshake information is complete: if the feature vector of the session message does not include a service payload, the session message is determined to be unrelated to the service and to be the result of malicious code tampering; and if the handshake information of the session message is incomplete, the session message is likewise determined to be the result of malicious code tampering.
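The bidirectional timing check and the server's final decision, as an added example rather than the patent's own code: it applies the service-payload and handshake-completeness checks from the preprocessing step, derives the transit time from the two timestamps, compares its deviation from the channel estimate with the preset range, and only then consults the classification result. How the estimate and the preset range are obtained from channel measurements (median and median absolute deviation of recent round trips), the stand-in classifier and the sample records are my assumptions.

```python
from dataclasses import dataclass, field
from statistics import median
from typing import Callable, List, Tuple

@dataclass
class SessionRecord:
    """One client session after division and feature extraction."""
    has_service_payload: bool   # service (application) payload present in the session
    handshake_complete: bool    # every expected handshake message was seen
    client_ts_ms: int           # first timestamp: set by the client when it sent the message
    server_ts_ms: int           # second timestamp: set by the server in its response
    features: List[float] = field(default_factory=list)  # mixed feature vector

@dataclass
class ChannelEstimate:
    expected_ms: float   # estimated transmission time from channel measurement
    tolerance_ms: float  # preset deviation range

def estimate_channel(rtt_samples_ms: List[float], k: float = 3.0,
                     floor_ms: float = 5.0) -> ChannelEstimate:
    """Channel measurement and estimation. Assumption (not from the patent): the
    expected time is the median of recent measured round trips and the preset
    range is k times their median absolute deviation, with a floor."""
    m = median(rtt_samples_ms)
    mad = median(abs(s - m) for s in rtt_samples_ms)
    return ChannelEstimate(expected_ms=m, tolerance_ms=max(k * mad, floor_ms))

def transmission_time_ms(rec: SessionRecord) -> int:
    """Time spent on message transmission according to the two timestamps."""
    return rec.server_ts_ms - rec.client_ts_ms

def deviation_within_range(measured_ms: float, est: ChannelEstimate) -> bool:
    return abs(measured_ms - est.expected_ms) <= est.tolerance_ms

def decide(rec: SessionRecord, est: ChannelEstimate,
           classify: Callable[[List[float]], int]) -> Tuple[str, str]:
    """Server-side decision: ('terminate', reason) aborts the TLS 1.3 handshake;
    ('complete', 'ok') lets it proceed according to the standard."""
    if not rec.has_service_payload:
        return ("terminate", "no_service_payload")
    if not rec.handshake_complete:
        return ("terminate", "incomplete_handshake")
    t = transmission_time_ms(rec)
    # A negative value means the server stamp precedes the client stamp: either
    # tampering or unsynchronised clocks; both fall outside the preset range.
    if t < 0 or not deviation_within_range(t, est):
        return ("terminate", "timing_deviation")
    if classify(rec.features) == 1:
        return ("terminate", "malicious_code")
    return ("complete", "ok")

# Constructed stand-in for the random-forest vote: label 1 (malicious) when the
# first mixed feature exceeds 0.5.
def toy_classifier(features: List[float]) -> int:
    return 1 if features and features[0] > 0.5 else 0

# Constructed recent round-trip measurements for the channel (milliseconds).
RTT_SAMPLES = [48, 50, 52, 49, 51, 50, 53]

def run_examples():
    est = estimate_channel(RTT_SAMPLES)
    records = [
        ("normal", SessionRecord(True, True, 1000, 1054, [0.1, 0.2])),
        ("delayed", SessionRecord(True, True, 1000, 1120, [0.1, 0.2])),
        ("no_payload", SessionRecord(False, True, 1000, 1050, [0.1, 0.2])),
        ("malicious", SessionRecord(True, True, 1000, 1050, [0.9, 0.2])),
    ]
    return {name: decide(rec, est, toy_classifier) for name, rec in records}

if __name__ == "__main__":
    for name, outcome in run_examples().items():
        print(f"{name:10s} -> {outcome}")
```

Because the two stamps come from different clocks, the server should calibrate the expected value against its own recent measurements of the same client; a persistent offset is as likely to be clock drift as tampering, and a detector that does not account for it will terminate legitimate handshakes.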
In some preferred embodiments, the classification capability of each decision tree is targeted: the specified number of feature values is obtained according to the different classifications, and the same feature vector matrix is classified by the decision trees from different angles, so that the different classification capabilities are integrated. The resulting classification performance is higher than that of a single classifier.
The mean generalization error of a decision tree in the random forest is related to the regression function.
In some preferred embodiments, the voting mode comprises a weighted accumulation of the output result of each decision tree.
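The random-forest stage, as an added example and not the patent's code: n bootstrap rounds produce n training sets, each tree is trained on a random column sample of the specified size, and the classification result is a weighted accumulation of the trees' outputs as in the preferred embodiment above. The tree depth, the use of out-of-bag accuracy as each tree's vote weight, and the training data are my assumptions or constructed.

```python
import random
from collections import Counter

def gini(labels):
    """Gini impurity of a label list; 0.0 means the node is pure."""
    n = len(labels)
    if n == 0:
        return 0.0
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())

def best_split(X, y, features):
    """Lowest weighted-Gini (feature, threshold) among the sampled columns,
    or None when no split improves on the node's own impurity."""
    best, base = None, gini(y)
    for f in features:
        for thr in sorted({row[f] for row in X}):
            left = [lab for row, lab in zip(X, y) if row[f] <= thr]
            right = [lab for row, lab in zip(X, y) if row[f] > thr]
            if not left or not right:
                continue
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(y)
            if score < base and (best is None or score < best[0]):
                best = (score, f, thr)
    return best

def build_tree(X, y, features, depth=0, max_depth=3):
    """Recursive CART-style tree restricted to the sampled feature columns."""
    majority = Counter(y).most_common(1)[0][0]
    if depth >= max_depth or gini(y) == 0.0:
        return ("leaf", majority)
    split = best_split(X, y, features)
    if split is None:
        return ("leaf", majority)
    _, f, thr = split
    li = [i for i, row in enumerate(X) if row[f] <= thr]
    ri = [i for i, row in enumerate(X) if row[f] > thr]
    return ("node", f, thr,
            build_tree([X[i] for i in li], [y[i] for i in li], features, depth + 1, max_depth),
            build_tree([X[i] for i in ri], [y[i] for i in ri], features, depth + 1, max_depth))

def predict_tree(tree, x):
    while tree[0] == "node":
        _, f, thr, left, right = tree
        tree = left if x[f] <= thr else right
    return tree[1]

def train_forest(X, y, n_trees, n_features, max_depth=3, seed=1):
    """n rounds of bootstrap extraction give n training sets; each tree trains
    on a random column sample of the specified size. A tree's vote weight is
    its accuracy on the rows left out of its bootstrap round (my assumption;
    the patent does not fix how the weights are chosen)."""
    rng = random.Random(seed)
    forest = []
    for _ in range(n_trees):
        idx = [rng.randrange(len(X)) for _ in range(len(X))]   # one extraction round
        cols = rng.sample(range(len(X[0])), n_features)        # random column sampling
        tree = build_tree([X[i] for i in idx], [y[i] for i in idx], cols, 0, max_depth)
        drawn = set(idx)
        oob = [i for i in range(len(X)) if i not in drawn]
        weight = (sum(predict_tree(tree, X[i]) == y[i] for i in oob) / len(oob)) if oob else 1.0
        forest.append((tree, weight))
    return forest

def forest_vote(forest, x):
    """Weighted accumulation of every tree's output; returns (label, tallies)."""
    tally = Counter()
    for tree, weight in forest:
        tally[predict_tree(tree, x)] += weight
    return max(tally, key=tally.get), dict(tally)

# Constructed mixed feature vectors (6 dimensions) with labels 1 = malicious,
# 0 = benign. Dimensions 0 and 3 carry the signal; the rest are noise.
TRAIN_X = [
    [0.10, 0.20, 0.30, 0.10, 0.50, 0.40], [0.20, 0.10, 0.20, 0.20, 0.40, 0.60],
    [0.15, 0.30, 0.25, 0.10, 0.60, 0.50], [0.05, 0.25, 0.35, 0.15, 0.45, 0.55],
    [0.20, 0.20, 0.20, 0.20, 0.50, 0.50], [0.10, 0.15, 0.30, 0.05, 0.55, 0.45],
    [0.90, 0.20, 0.30, 0.80, 0.50, 0.40], [0.80, 0.10, 0.20, 0.90, 0.40, 0.60],
    [0.85, 0.30, 0.25, 0.85, 0.60, 0.50], [0.95, 0.25, 0.35, 0.75, 0.45, 0.55],
    [0.80, 0.20, 0.20, 0.80, 0.50, 0.50], [0.90, 0.15, 0.30, 0.95, 0.55, 0.45],
]
TRAIN_Y = [0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1]

def classify_session(features, n_trees=9, n_features=4):
    forest = train_forest(TRAIN_X, TRAIN_Y, n_trees, n_features)
    return forest_vote(forest, features)

if __name__ == "__main__":
    print(classify_session([0.88, 0.20, 0.30, 0.90, 0.50, 0.50]))  # label 1 wins the vote
```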
FIG. 2 is the architecture diagram of the system for intrusion detection based on bidirectional messages provided in the present application, the system comprising:
a preprocessing module, a temporal feature module and a spatial feature module, where the preprocessing module is used to acquire message data from a client, divide the network message data into separate session messages with the session as the unit, extract a feature vector of each session message, and input the feature vector into the temporal feature module and the spatial feature module respectively;
the temporal feature module comprises a plurality of hidden-layer neurons divided into two groups, one forming a forward feedback chain and the other a backward feedback chain, so that the two groups together form a bidirectional feedback loop; the current neuron in each chain receives the hidden-layer information passed on by the previous neuron and the state information passed on by the neighbouring neuron adjacent to the previous one, outputs the hidden-layer information of the current moment together with its own updated state information, and passes both to the accumulation unit of the temporal feature module, which adds the vector elements element-wise;
the spatial feature module stores global feature vectors in a plurality of local feature matrices, captures the temporal relations between different message payloads and thereby the long-range dependencies of the data across the vectors, assigns different weight values to the vectors to form the weight matrices Q, K and V, applies linear transformations to Q, K and V in parallel, and combines the results into the global feature it outputs;
a classification module, used to extract the intermediate-layer output of the fully connected neural networks of the temporal feature module and the spatial feature module as the new temporal feature and the new spatial feature of the session message, and to concatenate the two into the mixed feature vector of the session message; the mixed feature vectors are transmitted to a random forest on the server for classification, where the random forest performs n rounds of sampling to obtain n training sets, trains on each of them with a specified number of feature values chosen by random column sampling to obtain n decision trees, and the n decision trees produce the classification result by voting;
a bidirectional message judging module, used to calculate the time spent on message transmission from the first timestamp carried in the message data sent by the client and the second timestamp carried in the response message the server returns to the client; it measures and estimates the channel, obtains the estimated message transmission time from the result, and judges whether the deviation between the measured transmission time and the estimated time lies within a preset range: if so, it proceeds to judge the classification result, otherwise it determines that the client's message data has been maliciously tampered with;
and an execution module, used to judge from the classification result whether malicious code is present in the client's message data; when it is, the server terminates the TLS 1.3 handshake process.
The present application also provides a system for intrusion detection based on bidirectional messages, the system comprising a processor and a memory:
the memory is used to store program code and to transmit the program code to the processor;
the processor is configured to perform the method of any of the embodiments of the first aspect according to the instructions in the program code.
The present application also provides a computer-readable storage medium storing program code for performing the method of any of the embodiments of the first aspect.
In specific implementation, the present invention further provides a computer storage medium, where the computer storage medium may store a program, and the program may include some or all of the steps in the embodiments of the present invention when executed. The storage medium can be a magnetic disk, an optical disk, a read-only memory (ROM), a Random Access Memory (RAM), or the like.
Those skilled in the art will readily appreciate that the techniques of the embodiments of the present invention may be implemented as software plus a required general purpose hardware platform. Based on such understanding, the technical solutions in the embodiments of the present invention may be embodied in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
The same and similar parts between the various embodiments of the present specification may be referred to each other. In particular, for the embodiments, since they are substantially similar to the method embodiments, the description is simple, and the relevant points can be referred to the description in the method embodiments.
The above-described embodiments of the present invention should not be construed as limiting the scope of the present invention.

Claims (7)

1. A method based on bidirectional message intrusion detection, characterized in that the method comprises the following steps:
acquiring message data of a client, dividing the network message data into separate session messages with a session as the unit, extracting a feature vector of each session message, and inputting the feature vector into both a time sequence feature module and a spatial feature module;
the time sequence feature module comprises a plurality of hidden layer neurons divided into two groups, one group forming a forward feedback circuit and the other a reverse feedback circuit, so that a bidirectional feedback loop is formed; the current neuron in each feedback circuit receives the hidden layer information passed on by the previous neuron and the state information passed on by the neighbour neuron adjacent to the previous neuron, outputs the hidden layer information at the current moment and the state information updated by the current neuron, and passes both to an accumulation unit of the time sequence feature module, which adds the vectors element by element;
the spatial feature module stores global feature vectors in a plurality of local feature matrices, captures the time sequence relations among different message payloads, obtains the long-distance dependency relations of the data among the vectors, assigns different weight values to the vectors to form the weight matrices Q, K and V, applies linear transformations to Q, K and V in parallel, and combines and outputs the global features;
extracting the intermediate layer outputs of the fully connected neural networks of the time sequence feature module and the spatial feature module as the new time sequence features and spatial features of the session message, and concatenating them to obtain a mixed feature vector of the session message;
transmitting the mixed feature vector to a random forest on the server for classification, wherein the random forest is built by n rounds of sampling that yield n training sets, each training set is trained with random column sampling over a specified number of feature values to obtain n decision trees, and the n decision trees produce the classification result by voting;
the message data of the client carries a first timestamp recorded when it is sent, the server carries a second timestamp recorded when it returns a response message to the client, and the time spent on message transmission is calculated from the first timestamp and the second timestamp;
measuring the channel, obtaining an estimated message transmission time from the measurement, and judging whether the deviation between the measured transmission time and the estimated time lies within a preset range; if so, proceeding to judge the classification result, otherwise determining that the message data of the client has been maliciously tampered with;
and judging, according to the classification result, whether malicious code exists in the message data of the client, and when malicious code exists in the message data of the client, the server terminates the TLS 1.3 handshake process.
2. The method of claim 1, wherein, after extracting the feature vector of the session message, the method further comprises judging whether the feature vector comprises a service payload and whether the handshake information is complete: if the feature vector of the session message does not comprise a service payload, the session message is determined to be unrelated to the service and a result of malicious code tampering; and if the handshake information of the session message is incomplete, the session message is likewise determined to be a result of malicious code tampering.
3. The method of claim 1, wherein each decision tree has a targeted classification capability, the specified number of feature values is obtained according to the different classifications, and the same feature vector matrix is classified from different angles by the decision trees, thereby completing an ensemble of the different classification capabilities.
4. A method according to any of claims 2 or 3, characterized in that the voting comprises a weighted accumulation of the output result of each decision tree.
5. A system for bidirectional message intrusion detection, the system comprising:
a preprocessing module, used for acquiring message data of a client, dividing the network message data into separate session messages with a session as the unit, extracting a feature vector of each session message, and inputting the feature vector into both a time sequence feature module and a spatial feature module;
the time sequence feature module, which comprises a plurality of hidden layer neurons divided into two groups, one group forming a forward feedback circuit and the other a reverse feedback circuit, so that a bidirectional feedback loop is formed; the current neuron in each feedback circuit receives the hidden layer information passed on by the previous neuron and the state information passed on by the neighbour neuron adjacent to the previous neuron, outputs the hidden layer information at the current moment and the state information updated by the current neuron, and passes both to an accumulation unit of the time sequence feature module, which adds the vectors element by element;
the spatial feature module, used for storing global feature vectors in a plurality of local feature matrices, capturing the time sequence relations among different message payloads, obtaining the long-distance dependency relations of the data among the vectors, assigning different weight values to the vectors to form the weight matrices Q, K and V, applying linear transformations to Q, K and V in parallel, and combining and outputting the global features;
a classification module, used for extracting the intermediate layer outputs of the fully connected neural networks of the time sequence feature module and the spatial feature module as the new time sequence features and spatial features of the session message, and concatenating them to obtain a mixed feature vector of the session message; the mixed feature vector is transmitted to a random forest on the server for classification, wherein the random forest is built by n rounds of sampling that yield n training sets, each training set is trained with random column sampling over a specified number of feature values to obtain n decision trees, and the n decision trees produce the classification result by voting;
a bidirectional message judging module, used for calculating the time spent on message transmission from a first timestamp and a second timestamp, the message data of the client carrying the first timestamp recorded when it is sent and the response message returned to the client by the server carrying the second timestamp recorded when it is returned; measuring the channel, obtaining an estimated message transmission time from the measurement, and judging whether the deviation between the measured transmission time and the estimated time lies within a preset range; if so, proceeding to judge the classification result, otherwise determining that the message data of the client has been maliciously tampered with;
and an execution module, used for judging, according to the classification result, whether malicious code exists in the message data of the client, and when malicious code exists in the message data of the client, the server terminates the TLS 1.3 handshake process.
6. A system for bidirectional message intrusion detection, the system comprising a processor and a memory:
the memory is used for storing program code and transmitting the program code to the processor;
the processor is configured to execute the program code so as to perform the method of any of claims 1-4.
7. A computer-readable storage medium, characterized in that the computer-readable storage medium is configured to store program code for performing the method of any of claims 1-4.
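The following is an added example, not code from the patent or its assignee, that sketches the decision flow of claims 1-4 in plain Python so the ordering of the gates is visible. It assumes a simplified model: the bidirectional recurrent module and the Q/K/V attention module are replaced by a hand-built per-session feature vector, the "random forest" is an ensemble of one-level decision stumps trained with n rounds of sampling with replacement and random column sampling, and votes are combined by weighted accumulation as in claim 4. All messages, timestamps, feature values and the names `Message`, `precheck`, `transit_within_range`, `train_forest`, `weighted_vote` and `inspect_session` are constructed for the example.

```python
# Added example, not code from the patent or its assignee. The recurrent and attention
# modules of claim 1 are replaced by a hand-built session feature vector; the random
# forest is an ensemble of decision stumps (n rounds of sampling with replacement,
# random column sampling, weighted voting). All data below is constructed.
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Message:
    session: str             # session key (a 5-tuple in practice, a label here)
    handshake_complete: bool
    payload_len: int         # bytes of application data, the "service payload" of claim 2
    t_send_ms: int           # first timestamp, stamped by the client (claim 1)
    t_resp_ms: int           # second timestamp, carried back in the server's response

def split_sessions(messages):
    """Claim 1: divide the message data into session messages, one list per session."""
    sessions = defaultdict(list)
    for m in messages:
        sessions[m.session].append(m)
    return dict(sessions)

def session_features(msgs):
    """Stand-in for the mixed feature vector: [total payload, message count, mean transit ms]."""
    transit = [m.t_resp_ms - m.t_send_ms for m in msgs]
    return [sum(m.payload_len for m in msgs), len(msgs), sum(transit) // len(transit)]

def precheck(msgs):
    """Claim 2: no service payload, or an incomplete handshake, counts as tampering outright."""
    if all(m.payload_len == 0 for m in msgs):
        return "no_service_load"
    if not all(m.handshake_complete for m in msgs):
        return "handshake_incomplete"
    return None

def transit_within_range(t_send_ms, t_resp_ms, estimated_ms, tolerance_ms):
    """Claim 1 timing gate: measured transit must lie within tolerance of the channel estimate."""
    return abs((t_resp_ms - t_send_ms) - estimated_ms) <= tolerance_ms

def train_stump(X, y, cols):
    """One-level tree over the sampled columns (0 benign, 1 malicious); constant fallback."""
    majority = max(set(y), key=y.count)
    best = (len(y) - y.count(majority), cols[0], float("inf"), majority, majority)
    for c in cols:
        for thr in sorted({row[c] for row in X}):
            left = [lab for row, lab in zip(X, y) if row[c] <= thr]
            right = [lab for row, lab in zip(X, y) if row[c] > thr]
            if not left or not right:
                continue
            lmaj, rmaj = max(set(left), key=left.count), max(set(right), key=right.count)
            err = left.count(1 - lmaj) + right.count(1 - rmaj)
            if err < best[0]:
                best = (err, c, thr, lmaj, rmaj)
    return best[1:]  # (column, threshold, left label, right label)

def train_forest(X, y, n_trees, n_cols, seed=0):
    """Claims 1 and 3: n sampling rounds, each tree trained on n_cols random columns."""
    rng = random.Random(seed)
    forest = []
    for _ in range(n_trees):
        idx = [rng.randrange(len(X)) for _ in X]          # sampling with replacement
        cols = rng.sample(range(len(X[0])), n_cols)       # random column sampling
        forest.append(train_stump([X[i] for i in idx], [y[i] for i in idx], cols))
    return forest

def weighted_vote(forest, x, weights=None):
    """Claim 4: weighted accumulation of each tree's output; returns 1 for malicious."""
    weights = weights or [1.0] * len(forest)
    score = sum(w * (lab_l if x[col] <= thr else lab_r)
                for (col, thr, lab_l, lab_r), w in zip(forest, weights))
    return 1 if 2 * score > sum(weights) else 0

def inspect_session(msgs, forest, estimated_ms, tolerance_ms, weights=None):
    """Checks in the order of claims 1 and 2; any positive result ends the TLS 1.3 handshake."""
    reason = precheck(msgs)
    if reason:
        return "terminate_handshake", reason
    for m in msgs:
        if not transit_within_range(m.t_send_ms, m.t_resp_ms, estimated_ms, tolerance_ms):
            return "terminate_handshake", "transit_time_deviation"
    if weighted_vote(forest, session_features(msgs), weights) == 1:
        return "terminate_handshake", "classifier_malicious"
    return "continue_handshake", "ok"

# Constructed training vectors: benign sessions carry real payload over a few quick messages,
# malicious ones are tiny, chatty and slow.
TRAIN_X = [[800, 4, 20], [900, 4, 25], [1000, 5, 30], [1100, 5, 35], [1200, 6, 40], [1300, 6, 45],
           [10, 10, 200], [20, 11, 220], [30, 12, 240], [40, 13, 260], [50, 14, 280], [60, 15, 300]]
TRAIN_Y = [0] * 6 + [1] * 6
FOREST = train_forest(TRAIN_X, TRAIN_Y, n_trees=7, n_cols=2)

# Constructed sessions, one per gate: s1 clean, s2 no payload, s3 unfinished handshake,
# s4 took 300 ms against a 30 ms channel estimate.
SAMPLE = [Message("s1", True, 250, 1000 + 100 * i, 1020 + 100 * i) for i in range(4)] + [
    Message("s2", True, 0, 2000, 2020),
    Message("s3", False, 300, 3000, 3020),
    Message("s4", True, 300, 4000, 4300),
]

if __name__ == "__main__":
    for sid, msgs in split_sessions(SAMPLE).items():
        print(sid, inspect_session(msgs, FOREST, estimated_ms=30, tolerance_ms=30))
```

Running the block prints one verdict per constructed session. The point worth noticing is the ordering: the cheap structural checks of claim 2 and the timestamp deviation check of claim 1 run before the classifier, so a session can be rejected without its feature vector ever reaching the ensemble, and the `weights` argument is where the weighted accumulation of claim 4 would be tuned per tree.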

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210890816.0A CN115333801A (en) 2022-07-27 2022-07-27 Method and system based on bidirectional message intrusion detection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210890816.0A CN115333801A (en) 2022-07-27 2022-07-27 Method and system based on bidirectional message intrusion detection

Publications (1)

Publication Number Publication Date
CN115333801A true CN115333801A (en) 2022-11-11

Family

ID=83919807

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210890816.0A Pending CN115333801A (en) 2022-07-27 2022-07-27 Method and system based on bidirectional message intrusion detection

Country Status (1)

Country Link
CN (1) CN115333801A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115801459A (en) * 2023-02-03 2023-03-14 北京六方云信息技术有限公司 Message detection method, device, system and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination