CN116980181B - Method and system for detecting associated alarm event - Google Patents

Info

Publication number
CN116980181B
Authority
CN
China
Prior art keywords
alarm event
alarm
authentication information
attack
requester
Legal status
Active
Application number
CN202310743271.5A
Other languages
Chinese (zh)
Other versions
CN116980181A (en)
Inventor
白红霞
马娜
王潇
甄小丽
李海亮
徐剑南
刘瑞全
Current Assignee
Jiang Nan Information Security Beijing Technology Co ltd
Original Assignee
Jiang Nan Information Security Beijing Technology Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 3/00 Computing arrangements based on biological models
    • G06N 3/02 Neural networks
    • G06N 3/04 Architecture, e.g. interconnection topology
    • G06N 3/0499 Feedforward networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L 41/065 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis involving logical or physical relationship, e.g. grouping and hierarchies
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Abstract

The invention relates to a method and a system for detecting an associated alarm event, wherein the method comprises the following steps: when a detection request aiming at an associated alarm event is received, carrying out identity verification on the requester based on the identification information of the requester and the identity information of the requester; when the requester passes the identity verification, acquiring a plurality of alarm events with association relation with the alarm event related to the detection request from an alarm event database based on the attribute information of the alarm event related to the detection request; generating an input vector based on attribute information of each alarm event, thereby obtaining a plurality of input vectors associated with the alarm event detection set, and processing the plurality of input vectors by a relevance detection model to determine an associated alarm probability value of the alarm event detection set; and when the associated alarm probability value is greater than the probability threshold value, determining that a plurality of alarm events in the alarm event detection set belong to the associated alarm event.

Description

Method and system for detecting associated alarm event
Technical Field
The present invention relates to the field of network information security technology, and more particularly, to a method and system for detecting associated alarm events.
Background
With the continuous development of network technology, the number and frequency of network attack events are increasing. Most network systems suffer, or are at risk of suffering, malicious network attacks, and such attacks typically cause losses to the network system; in some cases the loss is very large.
For this reason, network information security technologies such as intrusion detection are widely used to detect malicious attacks and block network attacks as early as possible. Intrusion detection techniques typically generate alarm events from the detected network behavior, for event logging or subsequent processing. In practice, many alarm events are related to one another, e.g. the attacks come from the same malicious attacker.
However, there is currently no efficient technique for detecting associated alarm events, so each alarm event can only be handled in isolation. As a result, on the one hand, a potential network attack threat cannot be discovered, and on the other hand, the efficiency of processing alarm events cannot be improved.
Disclosure of Invention
In order to solve the problems in the prior art, the technical scheme of the invention provides a method and a system for detecting the associated alarm event, a computer readable storage medium and an electronic device.
According to one aspect of the present invention there is provided a method for detecting an associated alarm event, the method comprising:
when a detection request for an associated alarm event is received, extracting requester information and alarm event information from the detection request;
analyzing the requester information to obtain the identification information and the identity information of the requester, and analyzing the alarm event information to obtain the attribute information of the alarm event related to the detection request;
carrying out identity verification on the requester based on the identification information of the requester and the identity information of the requester;
when the requester passes identity verification, acquiring a plurality of alarm events with association relations with the alarm events related to the detection request from an alarm event database based on attribute information of the alarm events related to the detection request, and forming an alarm event detection set comprising the alarm events and the alarm events with association relations;
generating an input vector based on attribute information of each alarm event in the alarm event detection set, so as to obtain a plurality of input vectors associated with the alarm event detection set, and processing the plurality of input vectors by a relevance detection model to determine an associated alarm probability value of the alarm event detection set; and
When the associated alarm probability value is greater than the probability threshold value, determining that a plurality of alarm events in the alarm event detection set belong to the associated alarm event.
Preferably, performing identity verification on the requester based on the identification information of the requester and the identity information of the requester includes:
acquiring the current authentication information of the requester from the identity information of the requester;
retrieving, in an authentication database based on the identification information of the requester, the pre-stored authentication information associated with the requester; and
verifying the current authentication information of the requester based on the pre-stored authentication information associated with the requester.
Preferably, verifying the current authentication information of the requester based on the pre-stored authentication information associated with the requester includes:
extracting at least two current authentication information items from the current authentication information of the requester; and verifying each current authentication information item based on the pre-stored authentication information associated with the requester.
Preferably, verifying each current authentication information item based on the pre-stored authentication information associated with the requester includes:
acquiring a plurality of pre-stored authentication information items from the pre-stored authentication information associated with the requester; and
comparing each current authentication information item with the pre-stored authentication information item of the corresponding type, so that the identity verification result is determined based on the comparison results.
Preferably, the types of authentication information item include: a password authentication information item, a fingerprint authentication information item, a voice authentication information item and an image authentication information item.
Preferably, comparing each current authentication information item with the pre-stored authentication information item of the corresponding type so as to determine the identity verification result based on the comparison results includes:
comparing each current authentication information item with the pre-stored authentication information item of the corresponding type to obtain a comparison result for each current authentication information item;
when every current authentication information item matches its pre-stored counterpart, determining that the requester passes identity verification;
and when any current authentication information item does not match, determining that the requester fails identity verification.
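The all-items-must-match rule above, written out in Python as an added illustration (this is not code from the patent). The authentication database, requester identifier and item values are constructed; storing the password item as a salted PBKDF2 hash rather than in clear, and comparing items with a constant-time comparison, are choices made here that the text does not specify. The function applies the at-least-two-items requirement and fails closed when no pre-stored item of the presented type exists:

```python
import hashlib
import hmac


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password item (storage format assumed here)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed authentication database: requester identifier -> pre-stored
# authentication items keyed by type. Non-password items are stored as the
# opaque template bytes that the matching sensor would produce.
SALT = b"constructed-salt"
AUTH_DB = {
    "req-001": {
        "password": _hash_password("hunter2", SALT),
        "fingerprint": b"fp-template-001",
        "voice": b"voice-template-001",
        "image": b"face-template-001",
    },
}

MIN_ITEMS = 2  # the method extracts at least two current authentication items


def _item_matches(item_type: str, current: bytes, stored: bytes) -> bool:
    """Compare one current item with the pre-stored item of the same type."""
    if item_type == "password":
        current = _hash_password(current.decode(), SALT)
    # Constant-time comparison so a mismatch position does not leak via timing.
    return hmac.compare_digest(current, stored)


def verify_requester(identifier: str, current_items: dict, auth_db: dict = AUTH_DB) -> bool:
    """Return True only if every presented item matches its pre-stored counterpart."""
    stored_items = auth_db.get(identifier)
    if stored_items is None:
        return False
    if len(current_items) < MIN_ITEMS:
        return False
    all_match = True
    for item_type, current in current_items.items():
        stored = stored_items.get(item_type)
        if stored is None:
            # No pre-stored item of this type: treat as a failed comparison.
            all_match = False
            continue
        if not _item_matches(item_type, current, stored):
            all_match = False
        # Deliberately no early return: every item is compared regardless.
    return all_match
```

Every presented item is compared even after an earlier mismatch, so a failure on the first item does not return faster than a failure on the last, and the caller receives only the pass/fail verdict that the method defines.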
Preferably, wherein the attribute information includes: source network address, source port number, destination network address, destination port number, attack type, and timestamp.
Preferably, the source network address is a network address of an initiator device that initiates an attack in the alarm event, the source port number is a port number used by the initiator device that initiates the attack in the alarm event, the destination network address is a network address of an attacked device that is attacked in the alarm event, and the destination port number is a port number involved in the attack of the attacked device in the alarm event.
Preferably, the attack type is denial of service attack, phishing attack, scanning attack, buffer overflow attack, password attack or structured query language SQL injection attack;
the time stamp is used to indicate the time at which the alarm event was detected.
Preferably, acquiring, based on the attribute information of the alarm event related to the detection request, a plurality of alarm events having an association relation with that alarm event from the alarm event database includes:
acquiring the source network address, destination network address and time stamp of the alarm event related to the detection request from its attribute information, and taking them as the basic source network address, basic destination network address and basic time stamp respectively; and
acquiring the attribute information of each alarm event in the alarm event database, and determining every alarm event whose time stamp is earlier than the basic time stamp, whose source network address is identical to the basic source network address and whose destination network address is identical to the basic destination network address as an alarm event having an association relation with the alarm event related to the detection request, thereby acquiring a plurality of such alarm events from the alarm event database.
Preferably, acquiring, based on the attribute information of the alarm event related to the detection request, a plurality of alarm events having an association relation with that alarm event from the alarm event database includes:
acquiring the destination network address, source port number, destination port number and time stamp of the alarm event related to the detection request from its attribute information, and taking them as the basic destination network address, basic source port number, basic destination port number and basic time stamp respectively; and
acquiring the attribute information of each alarm event in the alarm event database, and determining every alarm event whose time stamp is identical to the basic time stamp, whose destination network address is identical to the basic destination network address, whose source port number is identical to the basic source port number and whose destination port number is identical to the basic destination port number as an alarm event having an association relation with the alarm event related to the detection request, thereby acquiring a plurality of such alarm events from the alarm event database.
Preferably, the generating the input vector based on the attribute information of each alarm event in the alarm event detection set, thereby obtaining a plurality of input vectors associated with the alarm event detection set includes:
acquiring a source network address, a source port number, a destination network address, a destination port number, an attack type and a time stamp in attribute information of each alarm event in an alarm event detection set;
an input vector associated with each alarm event is generated based on the source network address, the source port number, the destination network address, the destination port number, the attack type, and the timestamp, thereby obtaining a plurality of input vectors associated with the alarm event detection set.
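The two retrieval rules and the input-vector generation above, as an added worked example in Python (not the patent's code). The alarm database and its events are constructed. The text fixes which attributes enter the vector but not how they are encoded, so the numeric encoding (IPv4 octets and ports scaled to [0, 1], attack type one-hot over the six types the text lists, time as an offset from the base event in hours) and the ordering of the detection set by time stamp are assumptions made here:

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List

# Attack types named in the text; their order fixes the one-hot encoding.
ATTACK_TYPES = ["denial of service", "phishing", "scanning",
                "buffer overflow", "password", "SQL injection"]


@dataclass(frozen=True)
class AlarmEvent:
    """One alarm event: (SrcIP, SrcPort, DstIP, DstPort, Type, Time)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    attack_type: str
    timestamp: int  # detection time in seconds (constructed unit)


def associated_by_addresses(base: AlarmEvent, db: List[AlarmEvent]) -> List[AlarmEvent]:
    """Rule 1: same source and destination address, detected before the base event."""
    return [e for e in db
            if e.timestamp < base.timestamp
            and e.src_ip == base.src_ip
            and e.dst_ip == base.dst_ip]


def associated_by_ports(base: AlarmEvent, db: List[AlarmEvent]) -> List[AlarmEvent]:
    """Rule 2: same time stamp, destination address, source port and destination port.
    The base event satisfies its own criteria, so it is excluded here and added
    back exactly once by build_detection_set."""
    return [e for e in db
            if e != base
            and e.timestamp == base.timestamp
            and e.dst_ip == base.dst_ip
            and e.src_port == base.src_port
            and e.dst_port == base.dst_port]


def build_detection_set(base: AlarmEvent, db: List[AlarmEvent],
                        rule: Callable[[AlarmEvent, List[AlarmEvent]], List[AlarmEvent]]) -> List[AlarmEvent]:
    """Detection set = base event plus its associated events, ordered by time stamp
    (ordering assumed; the text only says the vectors are input in sequence)."""
    return sorted([base] + rule(base, db), key=lambda e: e.timestamp)


def input_vector(e: AlarmEvent, base_timestamp: int) -> List[float]:
    """Numeric encoding of the six attributes (encoding assumed, see lead-in)."""
    def octets(ip: str) -> List[float]:
        return [b / 255.0 for b in ipaddress.IPv4Address(ip).packed]
    one_hot = [1.0 if t == e.attack_type else 0.0 for t in ATTACK_TYPES]
    if sum(one_hot) == 0:
        raise ValueError(f"unknown attack type: {e.attack_type}")
    return (octets(e.src_ip) + [e.src_port / 65535.0]
            + octets(e.dst_ip) + [e.dst_port / 65535.0]
            + one_hot
            + [(e.timestamp - base_timestamp) / 3600.0])


def input_vectors(detection_set: List[AlarmEvent], base: AlarmEvent) -> List[List[float]]:
    """One input vector per event of the detection set, in set order."""
    return [input_vector(e, base.timestamp) for e in detection_set]


# Constructed sample alarm event database.
ALARM_DB = [
    AlarmEvent("10.0.0.5", 40000, "192.168.1.10", 22, "scanning", 1000),
    AlarmEvent("10.0.0.5", 40001, "192.168.1.10", 22, "password", 1100),
    AlarmEvent("10.0.0.7", 40001, "192.168.1.10", 22, "password", 1100),
    AlarmEvent("10.0.0.5", 40002, "192.168.1.10", 80, "SQL injection", 1300),
    AlarmEvent("10.0.0.5", 40002, "192.168.1.11", 80, "SQL injection", 1300),
    AlarmEvent("10.0.0.9", 40001, "192.168.1.10", 22, "password", 1100),
]
```

With the fourth event as the base, rule 1 pulls in the earlier scanning and password alarms from the same source against the same destination (a scan, a password attack, then an SQL injection in sequence); with the second event as the base, rule 2 pulls in the two other password alarms that hit the same destination port at the same instant from the same source port.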
Preferably, processing the plurality of input vectors by the relevance detection model to determine the associated alarm probability value of the alarm event detection set includes:
the input layer of the relevance detection model acquires the plurality of input vectors associated with the alarm event detection set and inputs them in sequence to the corresponding computing units of the recurrent layer of the relevance detection model; the recurrent layer includes a plurality of computing units connected in sequence (each computing unit receives the hidden state of the preceding one), and each computing unit includes a fuzzy processing module and a memory enhancement processing module;
the recurrent layer of the relevance detection model computes the plurality of input vectors with the plurality of computing units to determine a hidden state value;
the fully connected layer of the relevance detection model determines the relevance of the plurality of input vectors according to the hidden state value; and
the output layer of the relevance detection model determines the associated alarm probability value of the plurality of alarm events in the alarm event detection set according to the relevance of the plurality of input vectors.
Preferably, the recurrent layer of the relevance detection model computing the plurality of input vectors with the plurality of computing units to determine the hidden state value includes:
the fuzzy processing module of the t-th computing unit computing, based on the t-th input vector and the hidden state value of the (t-1)-th computing unit, the fuzzy result value of the t-th computing unit, where $1 \le t \le N$, t and N are natural numbers, N is the number of computing units of the recurrent layer, and the number of input vectors is also N;
the memory enhancement processing module of the t-th computing unit computing, based on the t-th input vector and the hidden state value of the (t-1)-th computing unit, the memory enhancement result value of the t-th computing unit;
the t-th computing unit computing, based on its fuzzy result value, its memory enhancement result value, the t-th input vector and the hidden state value of the (t-1)-th computing unit, the candidate hidden state value of the t-th computing unit; and
computing, based on the fuzzy result value and the memory enhancement result value of the t-th computing unit, the hidden state value of the (t-1)-th computing unit and the candidate hidden state value of the t-th computing unit, the hidden state value output by the t-th computing unit.
Preferably, the fuzzy processing module of the t-th computing unit computing, based on the t-th input vector and the hidden state value of the (t-1)-th computing unit, the fuzzy result value of the t-th computing unit includes:
The calculation is based on the following formula:
$$m_t = \mathrm{LeakyReLU}\!\left(W_r \cdot [h_{t-1}, x_t]\,[h_{t-1}, x_t]^{T}\right) + \tanh\!\left(W_m \cdot \left([h_{t-1}, x_t]\,[h_{t-1}, x_t]^{T}\right)^{2}\right) + \mathrm{sigmoid}\!\left(W_u \cdot \left([h_{t-1}, x_t]\,[h_{t-1}, x_t]^{T}\right)^{2} - [h_{t-1}, x_t]\,[h_{t-1}, x_t]^{T} + b\right)$$
where $m_t$ is the fuzzy result value output by the fuzzy processing module of the t-th computing unit; LeakyReLU, tanh and sigmoid are all activation functions; $W_r$, $W_m$ and $W_u$ are the weight matrices of the fuzzy processing module; $h_{t-1}$ is the hidden state value output by the (t-1)-th computing unit and input to the t-th computing unit; $x_t$ is the input vector of the t-th computing unit; $h_0$ is a random value; $T$ denotes the transpose; and $b$ is a bias value.
The fuzzy processing module determines which part of the state information of the (t-1)-th computing unit is to be forgotten in the t-th computing unit; the forgotten part is the part of the state information whose influence on the output of the relevance detection model is below an influence threshold.
Preferably, the memory enhancement processing module of the t-th computing unit computing, based on the t-th input vector and the hidden state value of the (t-1)-th computing unit, the memory enhancement result value of the t-th computing unit includes: the calculation is based on the following formula:
$$s_t = \mathrm{LeakyReLU}\!\left(W_z \cdot [h_{t-1}, x_t]\,[h_{t-1}, x_t]^{T}\right) + \tanh\!\left(W_a \cdot \left([h_{t-1}, x_t]\,[h_{t-1}, x_t]^{T}\right)^{2}\right) + \mathrm{sigmoid}\!\left(W_b \cdot \left([h_{t-1}, x_t]\,[h_{t-1}, x_t]^{T}\right)^{2} + [h_{t-1}, x_t]\,[h_{t-1}, x_t]^{T} + c\right)$$
where $s_t$ is the memory enhancement result value output by the memory enhancement processing module of the t-th computing unit; LeakyReLU, tanh and sigmoid are all activation functions; $W_z$, $W_a$ and $W_b$ are the weight matrices of the memory enhancement processing module; $h_{t-1}$ is the hidden state value output by the (t-1)-th computing unit and input to the t-th computing unit; $x_t$ is the input vector of the t-th computing unit, with $1 \le t \le N$, where t and N are natural numbers and N is the number of computing units of the recurrent layer; $T$ denotes the transpose; and $c$ is a bias value.
The memory enhancement processing module determines which part of the state information of the (t-1)-th computing unit remains in memory in the t-th computing unit, and the t-th computing unit applies importance enhancement to that retained part of the state information.
Preferably, the t-th computing unit computing, based on its fuzzy result value, its memory enhancement result value, the t-th input vector and the hidden state value of the (t-1)-th computing unit, the candidate hidden state value of the t-th computing unit includes:
The calculation is based on the following formula:
where $W_k$ and $W_p$ are the weight matrices and d and e are the bias values used to compute the candidate hidden state value of the t-th computing unit.
Preferably, computing, based on the fuzzy result value and the memory enhancement result value of the t-th computing unit, the hidden state value of the (t-1)-th computing unit and the candidate hidden state value of the t-th computing unit, the hidden state value output by the t-th computing unit includes:
The calculation is based on the following formula:
where $\odot$ denotes the Hadamard (element-wise) product and $h_t$ is the hidden state value output by the t-th computing unit.
Preferably, the fully connected layer of the relevance detection model determining the relevance of the plurality of input vectors according to the hidden state value includes:
the fully connected layer of the relevance detection model determines the relevance of the plurality of input vectors based on the following formulas:
determining the two-dimensional vector output by the fully connected layer:
$$y = \mathrm{ReLU}\left(h_N W_{hy} + b_y\right)$$
where $y = [y_1, y_2]$ is the two-dimensional vector output by the fully connected layer, $y_1$ is a value indicating that the plurality of input vectors are associated and $y_2$ is a value indicating that they are not associated, $h_N$ is the hidden state value output by the N-th computing unit, $W_{hy}$ is the weight matrix of the fully connected layer, $b_y$ is the bias of the fully connected layer, and ReLU is the activation function;
determining the degree of association (Relation) of the plurality of input vectors based on the result output by the fully connected layer:
Preferably, the output layer of the relevance detection model determining the associated alarm probability value of the plurality of alarm events in the alarm event detection set according to the relevance of the plurality of input vectors includes:
$$S = \mathrm{Relation} \times \alpha$$
where S is the associated alarm probability value of the plurality of alarm events in the alarm event detection set and $\alpha$ is an adjustment coefficient: $\alpha = 0.98$ when N is greater than a first number threshold; $\alpha = 0.95$ when N is less than or equal to the first number threshold and greater than a second number threshold; and $\alpha = 0.92$ when N is less than or equal to the second number threshold.
According to another aspect of the present invention there is provided a system for detecting an associated alarm event, the system comprising:
extracting means for extracting requester information and alarm event information from a detection request for an associated alarm event when the detection request is received;
the analyzing device is used for analyzing the information of the requesting party to acquire the identification information and the identity information of the requesting party and analyzing the alarm event information to acquire the attribute information of the alarm event related to the detection request;
the verification device is used for carrying out identity verification on the requester based on the identification information of the requester and the identity information of the requester;
the acquisition device is used for acquiring a plurality of alarm events with association relation with the alarm event related to the detection request from an alarm event database based on the attribute information of the alarm event related to the detection request when the requester passes identity verification, and forming an alarm event detection set comprising the alarm events and the alarm events with association relation;
processing means for generating an input vector based on the attribute information of each alarm event in the alarm event detection set, thereby obtaining a plurality of input vectors associated with the alarm event detection set, the plurality of input vectors being processed by the relevance detection model to determine the associated alarm probability value of the alarm event detection set; and
determining means for determining that the plurality of alarm events in the alarm event detection set belong to an associated alarm event when the associated alarm probability value is greater than the probability threshold value.
According to a further aspect of the present invention, there is provided a computer readable storage medium, characterized in that the storage medium stores a computer program for performing the method according to any of the embodiments.
According to still another aspect of the present invention, there is provided an electronic apparatus including:
a processor;
a memory for storing the processor-executable instructions;
the processor is configured to read the executable instructions from the memory and execute the instructions to implement the method according to any embodiment.
According to the technical scheme of the invention, the information of the requesting party and the information of the alarm event are extracted from the detection request, and the identification information and the identity information of the requesting party and the attribute information of the alarm event are obtained according to the information. Then, a plurality of alarm events with association relation with the alarm event related to the detection request are acquired in an alarm event database based on the attribute information of the alarm event related to the detection request to form an alarm event detection set comprising a plurality of alarm events, an input vector is generated based on the attribute information of each alarm event, and the plurality of input vectors are processed by an association degree detection model to determine an association alarm probability value of the alarm event detection set. And finally, when the associated alarm probability value is larger than the probability threshold value, determining that a plurality of alarm events in the alarm event detection set belong to the associated alarm event. The technical scheme of the invention can effectively identify the associated alarm event in a plurality of alarm events, so that potential network attack threats can be identified more quickly and effectively, and the processing efficiency of a large number of alarm events is improved.
Drawings
Exemplary embodiments of the present invention may be more completely understood in consideration of the following drawings:
FIG. 1 is a flow chart of a method for detecting an associated alarm event according to an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of a computing unit of a relevance detection model according to an embodiment of the present invention; and
FIG. 3 is a schematic diagram of a system for detecting an associated alarm event according to an embodiment of the present invention.
Detailed Description
The exemplary embodiments of the present invention will now be described with reference to the accompanying drawings, however, the present invention may be embodied in many different forms and is not limited to the examples described herein, which are provided to fully and completely disclose the present invention and fully convey the scope of the invention to those skilled in the art. The terminology used in the exemplary embodiments illustrated in the accompanying drawings is not intended to be limiting of the invention. In the drawings, like elements/components are referred to by like reference numerals.
Unless otherwise indicated, terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art. In addition, it will be understood that terms defined in commonly used dictionaries should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense.
FIG. 1 is a flow chart of a method for detecting an associated alarm event according to an embodiment of the present invention. As shown in fig. 1, the method 100 includes:
step 101, when a detection request for an associated alarm event is received, requester information and alarm event information are extracted from the detection request. When a requester wants to detect an associated alarm event having an association with an existing, known or specific alarm event, requester information and alarm event information are added to a detection request for the associated alarm event, and the detection request for the associated alarm event is sent to a server, a service platform, a network platform or a software platform for detecting the associated alarm event, etc. Wherein the requester information includes: identification information and identity information of the supplicant, and the identity information of the supplicant includes current authentication information of the supplicant. Alarm event information is information describing an alarm event.
Step 102, the requester information is parsed to obtain the identification information and the identity information of the requester, and the alarm event information is parsed to obtain the attribute information of the alarm event related to the detection request.
In one embodiment, the attribute information includes: source network address, source port number, destination network address, destination port number, attack type, and timestamp. For example, if an alarm is detected, generated, or known to exist in the network, the occurrence of the alarm is described by an event. The alarm may be represented as the following six-tuple: event e = (SrcIP, SrcPort, DstIP, DstPort, Type, Time). The event indicates that at time Time, one packet was sent from port SrcPort of SrcIP to port DstPort of DstIP, and Type is the attack type.
In one embodiment, the source network address is a network address of an initiator device that initiates an attack in an alarm event, the source port number is a port number used by the initiator device that initiates the attack in the alarm event, the destination network address is a network address of an attacked device that is attacked in the alarm event, and the destination port number is a port number involved in the attack of the attacked device in the alarm event. Preferably, the attack type is a denial of service attack, a phishing attack, a scanning attack, a buffer overflow attack, a cryptographic attack, or a structured query language SQL injection attack. In addition, a time stamp is used to indicate the time when the alarm event was detected, and the time stamp may also be the time when the alarm event was generated, or the like.
In one embodiment, the requester information is information describing the requester, and the requester information may include: identification information and identity information of the requester, and the identity information of the requester includes current authentication information of the requester. The current authentication information includes, for example, information for authenticating a user identity such as a (current) password authentication information item, a (current) fingerprint authentication information item, a (current) voice authentication information item, and a (current) image authentication information item.
Step 103, performing identity verification on the requester based on the identification information of the requester and the identity information of the requester, specifically including: acquiring current authentication information of the requester from the identity information of the requester; retrieving in an authentication database based on the identification information of the requester to obtain pre-stored authentication information associated with the requester; and authenticating the current authentication information of the requester based on the pre-stored authentication information associated with the requester. Preferably, the authentication database stores the authentication information of each of a plurality of requesters (e.g., users) in advance, indexed by the identification information of the requester, for identity authentication of the specific requester.
In one embodiment, authenticating the current authentication information of the requester based on the pre-stored authentication information associated with the requester includes: extracting at least two current authentication information items from the current authentication information of the requester; and authenticating each current authentication information item based on the pre-stored authentication information associated with the requester. It should be appreciated that, in order to promote authentication security, the present application requires that at least two current authentication information items be included in the current authentication information of the requester. That is, the requester is considered to pass the identity authentication only when at least two current authentication information items are verified successfully.
In one embodiment, authenticating each current authentication information item based on the pre-stored authentication information associated with the requester includes: acquiring a plurality of pre-stored authentication information items from the pre-stored authentication information associated with the requester; and comparing each current authentication information item with the pre-stored authentication information item of the corresponding type, so that the authentication result is determined based on the comparison result. The types of authentication information items include: password authentication information item, fingerprint authentication information item, voice authentication information item, and image authentication information item.
In one embodiment, comparing each current authentication information item with a corresponding type of authentication information item of the plurality of authentication information items stored in advance, thereby determining a result of the identity verification based on the result of the comparison, comprising: comparing each current authentication information item with corresponding types of authentication information items in a plurality of pre-stored authentication information items to obtain a comparison result of each current authentication information item; when the comparison result of each current authentication information item is the same, determining that the requester passes the identity verification; and when the comparison results of any of the current authentication information items are different, determining that the requester fails the identity verification.
For example, the plurality of authentication information items stored in advance include: password authentication information item, fingerprint authentication information item, voice authentication information item, and image authentication information item. The at least two current authentication information items include: a current password authentication information item and a current fingerprint authentication information item. Then, comparing the current password authentication information item with the prestored password authentication information item, and comparing the current fingerprint authentication information item with the prestored fingerprint authentication information item, and if the comparison results are the same, determining that the requester passes the identity verification. And when the comparison result of any of the current authentication information items (e.g., the password authentication information item or the fingerprint authentication information item) is different, determining that the requester fails the authentication.
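As an added illustration of step 103 (this is example code, not the patent's own implementation), the following Python checks a requester's current authentication items against a constructed authentication database. The shape of the requester information (keys `id`, `identity`, `current_authentication`), the requester identifier `analyst-01` and all item values are constructed for the example; storing pre-stored items as salted digests and comparing in constant time are added hardening choices, since the patent only says the items are compared.

```python
import hashlib
import hmac
from typing import Dict, Tuple

MIN_AUTH_ITEMS = 2  # the patent requires at least two current authentication items
ITEM_TYPES = ("password", "fingerprint", "voice", "image")


def _digest(value: str, salt: str = "") -> str:
    """Salted SHA-256 digest of an authentication item value."""
    return hashlib.sha256((salt + value).encode("utf-8")).hexdigest()


# Constructed authentication database, keyed by requester identification
# (sample data, not the patent's). Each requester has one pre-stored item per
# type; items are kept as salted digests rather than raw values (assumption).
AUTH_DB: Dict[str, Dict[str, Dict[str, str]]] = {
    "analyst-01": {
        "password": {"salt": "s1", "digest": _digest("hunter2!", "s1")},
        "fingerprint": {"salt": "s2", "digest": _digest("FP-TEMPLATE-0001", "s2")},
        "voice": {"salt": "s3", "digest": _digest("VOICE-TEMPLATE-0001", "s3")},
        "image": {"salt": "s4", "digest": _digest("IMAGE-TEMPLATE-0001", "s4")},
    },
}


def verify_requester(requester_info: dict) -> Tuple[bool, str]:
    """Look up the pre-stored items by requester id and compare every current
    item with the pre-stored item of the same type. The requester passes only
    when at least two items are supplied and all of them match."""
    ident = requester_info.get("id")
    current = requester_info.get("identity", {}).get("current_authentication", {})
    stored = AUTH_DB.get(ident)
    if stored is None:
        return False, "unknown requester"
    if len(current) < MIN_AUTH_ITEMS:
        return False, f"fewer than {MIN_AUTH_ITEMS} authentication items"
    for item_type, value in current.items():
        if item_type not in ITEM_TYPES or item_type not in stored:
            return False, f"no pre-stored {item_type} item"
        expected = stored[item_type]
        actual = _digest(value, expected["salt"])
        # constant-time comparison so the mismatch position is not observable via timing
        if not hmac.compare_digest(actual, expected["digest"]):
            return False, f"{item_type} mismatch"
    return True, "ok"
```

A request carrying only one item, an item type with no pre-stored counterpart, or any single mismatching item fails the check, which is the "any comparison result differs" branch of the text.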
Step 104, when the requester passes the identity verification, acquiring a plurality of alarm events with association relation with the alarm event related to the detection request from an alarm event database based on the attribute information of the alarm event related to the detection request, and forming an alarm event detection set comprising the alarm events related to the detection request and the alarm events with association relation.
In one embodiment, acquiring a plurality of alarm events having an association relationship with the alarm event related to the detection request in an alarm event database based on attribute information of the alarm event related to the detection request includes: acquiring a source network address, a destination network address and a time stamp of an alarm event related to a detection request from attribute information of the alarm event related to the detection request, and taking the source network address, the destination network address and the time stamp of the alarm event related to the detection request as a basic source network address, a basic destination network address and a basic time stamp respectively; and acquiring attribute information of each alarm event in the alarm event database, determining the alarm event with the time stamp earlier than the basic time stamp, the source network address identical to the basic source network address and the destination network address identical to the basic destination network address in the attribute information as the alarm event with the association relation with the alarm event related to the detection request, thereby acquiring a plurality of alarm events with the association relation with the alarm event related to the detection request in the alarm event database.
In one embodiment, acquiring a plurality of alarm events having an association relationship with the alarm event related to the detection request from an alarm event database based on the attribute information of the alarm event related to the detection request includes: acquiring the destination network address, source port number, destination port number and timestamp of the alarm event related to the detection request from its attribute information, and taking them as the base destination network address, base source port number, base destination port number and base timestamp respectively; and acquiring the attribute information of each alarm event in the alarm event database, and determining each alarm event whose timestamp is identical to the base timestamp, whose destination network address is identical to the base destination network address, whose source port number is identical to the base source port number and whose destination port number is identical to the base destination port number as an alarm event having an association relationship with the alarm event related to the detection request, thereby acquiring a plurality of alarm events having an association relationship with the alarm event related to the detection request from the alarm event database.
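As an added illustration of step 104 and the two association rules above (example code, not the patent's), the following Python models the six-tuple alarm event from the attribute information, parses one from a detection request, and applies both rules to a small constructed alarm event database. All addresses, ports and timestamps are constructed sample data; the rule names `earlier_same_endpoints` and `same_time_same_ports` are the example's own.

```python
from typing import Callable, List, NamedTuple


class AlarmEvent(NamedTuple):
    """The six-tuple (SrcIP, SrcPort, DstIP, DstPort, Type, Time) of an alarm event."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    attack_type: str
    timestamp: int  # seconds since epoch (constructed values below)


def parse_event(record: str) -> AlarmEvent:
    """Parse a comma-separated six-tuple such as a detection request might carry."""
    fields = [f.strip() for f in record.split(",")]
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}")
    src_ip, src_port, dst_ip, dst_port, attack_type, ts = fields
    return AlarmEvent(src_ip, int(src_port), dst_ip, int(dst_port), attack_type, int(ts))


# Constructed alarm event database (sample data, not from the patent).
ALARM_DB: List[AlarmEvent] = [
    AlarmEvent("10.0.0.5", 44120, "10.0.1.20", 22, "scanning", 1000),
    AlarmEvent("10.0.0.5", 44121, "10.0.1.20", 22, "cryptographic", 1060),
    AlarmEvent("10.0.0.5", 44122, "10.0.1.20", 80, "sql_injection", 1120),
    AlarmEvent("10.0.0.9", 51000, "10.0.1.20", 80, "buffer_overflow", 1120),
    AlarmEvent("10.0.0.7", 44122, "10.0.1.20", 80, "denial_of_service", 1120),
    AlarmEvent("10.0.0.5", 44130, "10.0.1.30", 443, "phishing", 900),
    AlarmEvent("10.0.0.5", 44125, "10.0.1.20", 80, "scanning", 1300),
]

# The alarm event named in the detection request (constructed).
BASE = parse_event("10.0.0.5, 44122, 10.0.1.20, 80, sql_injection, 1120")


def earlier_same_endpoints(base: AlarmEvent, db: List[AlarmEvent]) -> List[AlarmEvent]:
    """First rule: same source and destination address, timestamp earlier than the base."""
    return [e for e in db
            if e.timestamp < base.timestamp
            and e.src_ip == base.src_ip
            and e.dst_ip == base.dst_ip]


def same_time_same_ports(base: AlarmEvent, db: List[AlarmEvent]) -> List[AlarmEvent]:
    """Second rule: same timestamp, destination address, source port and destination port.
    The base event satisfies this rule trivially, so it is excluded from the result."""
    return [e for e in db
            if e != base
            and e.timestamp == base.timestamp
            and e.dst_ip == base.dst_ip
            and e.src_port == base.src_port
            and e.dst_port == base.dst_port]


Rule = Callable[[AlarmEvent, List[AlarmEvent]], List[AlarmEvent]]


def build_detection_set(base: AlarmEvent, db: List[AlarmEvent], rule: Rule) -> List[AlarmEvent]:
    """Alarm event detection set: the base event followed by its associated events."""
    return [base] + rule(base, db)
```

The first rule collects the earlier events on the same source/destination pair (a chain of steps from one host against one target), while the second collects events that share timestamp, target and ports but may come from different sources; which rule a deployment uses is the embodiment choice the text leaves open.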
Step 105, generating an input vector based on attribute information of each alarm event in the alarm event detection set, thereby obtaining a plurality of input vectors associated with the alarm event detection set, and processing the plurality of input vectors by the association degree detection model to determine an associated alarm probability value of the alarm event detection set.
In one embodiment, wherein generating an input vector based on attribute information of each alarm event in the alarm event detection set to obtain a plurality of input vectors associated with the alarm event detection set comprises: acquiring a source network address, a source port number, a destination network address, a destination port number, an attack type and a time stamp in attribute information of each alarm event in an alarm event detection set; an input vector associated with each alarm event is generated based on the source network address, the source port number, the destination network address, the destination port number, the attack type, and the timestamp, thereby obtaining a plurality of input vectors associated with the alarm event detection set.
In one embodiment, wherein processing the plurality of input vectors by the relevance detection model to determine the associated alarm probability values for the alarm event detection set includes: the input layer of the association degree detection model acquires a plurality of input vectors associated with the alarm event detection set, and the plurality of input vectors associated with the alarm event detection set are sequentially input to the corresponding calculation units of the circulating layer of the association degree detection model; wherein the loop layer includes a plurality of computing units connected in a hierarchical manner, each computing unit of the plurality of computing units including: the fuzzy processing module and the memory strengthening processing module; the circulating layer of the association degree detection model utilizes a plurality of computing units to compute a plurality of input vectors so as to determine a hidden state value; the full connection layer of the relevance detection model determines the relevance of a plurality of input vectors according to the hidden state value; and determining associated alarm probability values of a plurality of alarm events in the alarm event detection set according to the association degrees of the plurality of input vectors by an output layer of the association degree detection model.
In one embodiment, a loop layer of the relevance detection model calculates a plurality of input vectors using a plurality of calculation units to determine a hidden state value, comprising: calculating by a fuzzy processing module of the t-th calculating unit based on the t-th input vector and the hidden state value of the t-1-th calculating unit to obtain a fuzzy result value of the t-th calculating unit; wherein, t is more than or equal to 1 and less than or equal to N, wherein t and N are natural numbers and N is the number of calculation units of the circulating layer; and the number of input vectors is N; calculating by a memory enhancement processing module of the t-th calculating unit based on the t-th input vector and the hidden state value of the t-1-th calculating unit to obtain a memory enhancement result value of the t-th calculating unit; calculating by the t-th calculating unit based on the fuzzy result value of the t-th calculating unit, the memory strengthening result value of the t-th calculating unit, the t-th input vector and the hidden state value of the t-1-th calculating unit to obtain candidate hidden state values of the t-th calculating unit; and calculating based on the fuzzy result value of the t-th calculation unit, the memory strengthening result value of the t-th calculation unit, the hidden state value of the t-1-th calculation unit and the candidate hidden state value of the t-th calculation unit to obtain the hidden state value output by the t-th calculation unit.
In one embodiment, the calculating, by the blur processing module of the t-th computing unit, based on the t-th input vector and the hidden state value of the t-1 th computing unit, to obtain the blur result value of the t-th computing unit includes:
the calculation is based on the following formula:
$$m_t = \mathrm{LeakyReLU}\!\left(W_r\,[h_{t-1},x_t]\,[h_{t-1},x_t]^T\right) + \tanh\!\left(W_m\left([h_{t-1},x_t]\,[h_{t-1},x_t]^T\right)^2\right) + \mathrm{sigmoid}\!\left(W_u\left([h_{t-1},x_t]\,[h_{t-1},x_t]^T\right)^2 - [h_{t-1},x_t]\,[h_{t-1},x_t]^T + b\right)$$
where $m_t$ is the fuzzy result value output by the fuzzy processing module of the t-th computing unit; LeakyReLU, tanh and sigmoid are activation functions; $W_r$, $W_m$ and $W_u$ are weight matrices of the fuzzy processing module; $h_{t-1}$ is the hidden state value output by the (t-1)-th computing unit and input to the t-th computing unit; $x_t$ is the input vector of the t-th computing unit, with $h_0$ a random value; $T$ denotes the transpose; and $b$ is a bias value;
the fuzzy processing module is used for determining the part of the state information of the (t-1)-th computing unit that is to be forgotten in the t-th computing unit, where the forgotten part is the part of the state information whose influence on the output of the relevance detection model is below an influence threshold.
In one embodiment, the memory enhancement processing module of the t-th computing unit performs computation based on the t-th input vector and the hidden state value of the t-1 th computing unit to obtain a memory enhancement result value of the t-th computing unit, including: the calculation is based on the following formula:
$$s_t = \mathrm{LeakyReLU}\!\left(W_z\,[h_{t-1},x_t]\,[h_{t-1},x_t]^T\right) + \tanh\!\left(W_a\left([h_{t-1},x_t]\,[h_{t-1},x_t]^T\right)^2\right) + \mathrm{sigmoid}\!\left(W_b\left([h_{t-1},x_t]\,[h_{t-1},x_t]^T\right)^2 + [h_{t-1},x_t]\,[h_{t-1},x_t]^T + c\right)$$
where $s_t$ is the memory enhancement result value output by the memory enhancement processing module of the t-th computing unit; LeakyReLU, tanh and sigmoid are activation functions; $W_z$, $W_a$ and $W_b$ are weight matrices of the memory enhancement processing module; $h_{t-1}$ is the hidden state value output by the (t-1)-th computing unit and input to the t-th computing unit; $x_t$ is the input vector of the t-th computing unit, $1 < t \le N$, where t and N are natural numbers and N is the number of computing units of the cyclic layer; $T$ denotes the transpose; and $c$ is a bias value;
the memory enhancement processing module is used for determining the part of the state information of the (t-1)-th computing unit that remains memorized in the t-th computing unit, and the t-th computing unit performs importance enhancement processing on that retained part. In other words, the module determines how much state information of the previous time step t-1 is carried into the current state: the larger the value, the more state information is carried from time step t-1 to time step t.
In one embodiment, the computing by the t-th computing unit based on the fuzzy result value of the t-th computing unit, the memory enhancement result value of the t-th computing unit, the t-th input vector, and the hidden state value of the t-1-th computing unit to obtain the candidate hidden state value of the t-th computing unit includes:
The calculation is based on the following formula:
where the quantity computed is the candidate hidden state value of the t-th computing unit, $W_k$ and $W_p$ are weight matrices, and $d$ and $e$ are both bias values.
In one embodiment, calculating based on the fuzzy result value of the t-th computing unit, the memory enhancement result value of the t-th computing unit, the hidden state value of the t-1 th computing unit, and the candidate hidden state value of the t-th computing unit to obtain the hidden state value output by the t-th computing unit includes:
the calculation is based on the following formula:
where the element-wise operator in the formula is the Hadamard product, and $h_t$ is the hidden state value output by the t-th computing unit.
In one embodiment, the full connection layer of the relevance detection model determines the relevance of the plurality of input vectors according to the hidden state value, including:
the fully connected layer of the relevance detection model determines the relevance of a plurality of input vectors based on the following formula:
determining a two-dimensional vector of full connection layer output:
$$y = \mathrm{ReLU}(h_N W_{hy} + b_y)$$
where $y$ is the two-dimensional vector output by the fully connected layer, $y = [y_1, y_2]$, $y_1$ is a value indicating that the plurality of input vectors are associated and $y_2$ is a value indicating that they are not associated, $h_N$ is the hidden state value output by the N-th computing unit, $W_{hy}$ is the weight matrix of the fully connected layer, $b_y$ is the bias of the fully connected layer, and Leaky ReLU is the activation function.
Determining the association degree of a plurality of input vectors based on a result set output by the full connection layer:
Preferably, the fully connected layer is mainly used for improving the learning ability of the model. Notably, the fully connected layer selects the ReLU (Rectified Linear Unit) activation function instead of the sigmoid activation function. The reason is that, compared with the sigmoid activation function, the ReLU activation function can ensure that the output of some neurons is 0, which reduces the interdependence among the parameters of the neural network and relieves the over-fitting problem.
Further comprising, calculating a predicted output value:
where $o_t$ is the output value of the cyclic layer, $c$ is a memory state value and $c$ is a natural number with $0 \le c < t$, $W_o$ is a weight matrix, Leaky ReLU is an activation function, and $0 \le i \le c$.
Alternatively, a two-dimensional vector of full connection layer outputs is determined:
$$y = \mathrm{ReLU}(h_N W_{hy} + b_y)\, o_t$$
where $y$ is the two-dimensional vector output by the fully connected layer, $y = [y_1, y_2]$, $y_1$ is a value indicating that the plurality of input vectors are associated and $y_2$ is a value indicating that they are not associated, $h_N$ is the hidden state value output by the N-th computing unit, $W_{hy}$ is the weight matrix of the fully connected layer, $b_y$ is the bias of the fully connected layer, Leaky ReLU is the activation function, and $o_t$ is the predicted output value.
In one embodiment, the determining, by the output layer of the relevance detection model, a relevance alarm probability value of a plurality of alarm events in the alarm event detection set according to relevance of a plurality of input vectors includes:
calculating an associated alarm probability value based on the following formula:
$$S = \mathrm{Relation} \times \alpha$$
wherein S is an associated alarm probability value of a plurality of alarm events in the alarm event detection set, α is an adjustment coefficient, and α=0.98 when N is greater than a first number threshold; when N is less than or equal to the first number threshold and greater than the second number threshold, α=0.95; when N is less than or equal to the second number threshold, α=0.92.
The output layer is mainly used for classification. The model selection softmax function converts the numeric type of output into a probabilistic type of output. For example, if the probability that the android software to be detected belongs to "normal android software" is large, the detection result of the android software to be detected is normal android software; in contrast, the detection result of the android software to be detected is android malicious software.
Preferably, the activation functions are: sigmoid, $\mathrm{sigmoid}(x) = 1/(1+e^{-x})$; tanh, $\tanh(z) = (e^{z} - e^{-z})/(e^{z} + e^{-z})$; ReLU, $\mathrm{ReLU}(x) = \max(0, x)$; and Leaky ReLU, $\mathrm{LeakyReLU}(x) = \max(0, x) + \mathrm{leak}\cdot\min(0, x)$.
Preferably, leak is a small constant: $y = \max(0, x) + \mathrm{leak}\cdot\min(0, x)$, so that some negative values are retained and negative information is not lost entirely.
Step 106, when the associated alarm probability value is greater than the probability threshold value, determining that the plurality of alarm events in the alarm event detection set belong to an associated alarm event. The probability threshold value can be preset and can be dynamically adjusted according to different scenes or actual applications. In addition, when the alarm events in the alarm event detection set are determined to belong to an associated alarm event, the alarm events in the alarm event detection set can be processed together, so that potential network attack threats can be identified more quickly and effectively, and the processing efficiency for a large number of alarm events is improved.
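As an added worked example covering the output side of step 105 and the decision of step 106 (this is example code, not the patent's own implementation), the following Python generates an input vector from the six attributes of an alarm event, evaluates the fully connected layer $y = \mathrm{ReLU}(h_N W_{hy} + b_y)$, converts it to a probability with softmax as the output layer does, applies $S = \mathrm{Relation} \times \alpha$ with the three values of $\alpha$ given in the text, and compares S with the probability threshold. The activation functions are the ones defined in the text. The cyclic layer is not reproduced here: the final hidden state $h_N$ is taken as an input. The following are assumptions of the example, not values from the patent: the concrete encoding of the input vector, the first and second number thresholds (8 and 4), reading Relation as the softmax probability of the "associated" component $y_1$, and the probability threshold 0.6.

```python
import ipaddress
import math
from typing import List

# Attack types named in the attribute information, used for one-hot encoding.
ATTACK_TYPES = ["denial_of_service", "phishing", "scanning",
                "buffer_overflow", "cryptographic", "sql_injection"]


# Activation functions as defined in the text.
def sigmoid(x: float) -> float:
    return 1.0 / (1.0 + math.exp(-x))


def tanh(z: float) -> float:
    return (math.exp(z) - math.exp(-z)) / (math.exp(z) + math.exp(-z))


def relu(x: float) -> float:
    return max(0.0, x)


def leaky_relu(x: float, leak: float = 0.01) -> float:
    return max(0.0, x) + leak * min(0.0, x)


def encode_event(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                 attack_type: str, timestamp: int, t0: int) -> List[float]:
    """Input vector of step 105: numeric addresses and ports, one-hot attack type,
    timestamp relative to a reference time t0 (this encoding is an assumption)."""
    one_hot = [1.0 if attack_type == a else 0.0 for a in ATTACK_TYPES]
    return [float(int(ipaddress.ip_address(src_ip))), float(src_port),
            float(int(ipaddress.ip_address(dst_ip))), float(dst_port),
            *one_hot, float(timestamp - t0)]


def fully_connected(h_n: List[float], w_hy: List[List[float]], b_y: List[float]) -> List[float]:
    """y = ReLU(h_N W_hy + b_y); h_N is a row vector, W_hy has one row per hidden unit."""
    return [relu(sum(h_n[i] * w_hy[i][j] for i in range(len(h_n))) + b_y[j])
            for j in range(len(b_y))]


def softmax(v: List[float]) -> List[float]:
    """Output layer: convert the numeric vector y into a probability vector."""
    m = max(v)
    exps = [math.exp(x - m) for x in v]
    total = sum(exps)
    return [e / total for e in exps]


# Number thresholds for the adjustment coefficient (assumed values; unspecified in the text).
FIRST_NUMBER_THRESHOLD = 8
SECOND_NUMBER_THRESHOLD = 4


def adjustment_coefficient(n_events: int) -> float:
    """alpha as a function of N, the number of input vectors (events) in the detection set."""
    if n_events > FIRST_NUMBER_THRESHOLD:
        return 0.98
    if n_events > SECOND_NUMBER_THRESHOLD:
        return 0.95
    return 0.92


def associated_alarm_probability(h_n: List[float], w_hy: List[List[float]],
                                 b_y: List[float], n_events: int) -> float:
    """S = Relation x alpha, with Relation taken as the softmax probability of the
    'associated' component y1 (an assumption about how the output layer reads y)."""
    y = fully_connected(h_n, w_hy, b_y)
    relation = softmax(y)[0]
    return relation * adjustment_coefficient(n_events)


def is_associated_alarm_event(s: float, probability_threshold: float = 0.6) -> bool:
    """Step 106: the detection set is an associated alarm event when S exceeds the threshold."""
    return s > probability_threshold
```

With a three-unit hidden state $h_N = [1, -0.5, 2]$, $W_{hy} = [[1, 0], [0, 1], [0.5, -0.5]]$ and zero bias (constructed values), the fully connected layer yields $y = [2, 0]$, softmax gives Relation $\approx 0.881$, and a three-event detection set (N below the second threshold) applies $\alpha = 0.92$, so $S \approx 0.810$, above the 0.6 threshold.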
Fig. 3 is a schematic diagram of a system for detecting an associated alarm event according to an embodiment of the present invention. The system comprises: extraction means 301, analysis means 302, verification means 303, acquisition means 304, processing means 305 and determination means 306.
Extraction means 301 for, when a detection request for an associated alarm event is received, extracting requester information and alarm event information from the detection request. When a requester wants to detect an associated alarm event having an association with an existing, known or specific alarm event, requester information and alarm event information are added to a detection request for the associated alarm event, and the detection request for the associated alarm event is sent to a server, a service platform, a network platform or a software platform for detecting the associated alarm event, etc. The requester information includes: identification information and identity information of the requester, and the identity information of the requester includes current authentication information of the requester. Alarm event information is information describing an alarm event.
The analyzing device 302 is configured to analyze the information of the requester to obtain identification information and identity information of the requester, and analyze the information of the alarm event to obtain attribute information of the alarm event related to the detection request.
In one embodiment, the attribute information includes: source network address, source port number, destination network address, destination port number, attack type, and timestamp. For example, if an alarm is detected, generated, or known to exist in the network, the occurrence of the alarm is described by an event. The alarm may be represented as the following six-tuple: event e = (SrcIP, SrcPort, DstIP, DstPort, Type, Time). The event indicates that at time Time, one packet was sent from port SrcPort of SrcIP to port DstPort of DstIP, and Type is the attack type.
In one embodiment, the source network address is a network address of an initiator device that initiates an attack in an alarm event, the source port number is a port number used by the initiator device that initiates the attack in the alarm event, the destination network address is a network address of an attacked device that is attacked in the alarm event, and the destination port number is a port number involved in the attack of the attacked device in the alarm event. Preferably, the attack type is a denial of service attack, a phishing attack, a scanning attack, a buffer overflow attack, a cryptographic attack, or a structured query language SQL injection attack. In addition, a time stamp is used to indicate the time when the alarm event was detected, and the time stamp may also be the time when the alarm event was generated, or the like.
In one embodiment, the requester information is information describing the requester, and the requester information may include: identification information and identity information of the requester, and the identity information of the requester includes current authentication information of the requester. The current authentication information includes, for example, information for authenticating a user identity such as a (current) password authentication information item, a (current) fingerprint authentication information item, a (current) voice authentication information item, and a (current) image authentication information item.
The verification device 303 is used for performing identity verification on the requester based on the identification information of the requester and the identity information of the requester. The verification device 303 is specifically configured to obtain current authentication information of the requester from the identity information of the requester; retrieve in an authentication database based on the identification information of the requester to obtain pre-stored authentication information associated with the requester; and authenticate the current authentication information of the requester based on the pre-stored authentication information associated with the requester. Preferably, the authentication database stores the authentication information of each of a plurality of requesters (e.g., users) in advance, indexed by the identification information of the requester, for identity authentication of the specific requester.
In one embodiment, the verification device 303 is specifically configured to extract at least two current authentication information items from the current authentication information of the requester, and to authenticate each current authentication information item based on the pre-stored authentication information associated with the requester. It should be appreciated that, in order to promote authentication security, the present application requires that at least two current authentication information items be included in the current authentication information of the requester. That is, the requester is considered to pass the identity authentication only when at least two current authentication information items are verified successfully.
In one embodiment, the verification device 303 is specifically configured to obtain a plurality of pre-stored authentication information items from the pre-stored authentication information associated with the requester, and to compare each current authentication information item with the pre-stored authentication information item of the corresponding type, so that the authentication result is determined based on the comparison result. The types of authentication information items include: password authentication information item, fingerprint authentication information item, voice authentication information item, and image authentication information item.
In one embodiment, the verification device 303 is specifically configured to compare each current authentication information item with a corresponding type of authentication information item in the prestored multiple authentication information items, so as to obtain a comparison result of each current authentication information item; when the comparison result of each current authentication information item is the same, determining that the requester passes the identity verification; and when the comparison results of any of the current authentication information items are different, determining that the requester fails the identity verification.
For example, the plurality of authentication information items stored in advance include: password authentication information item, fingerprint authentication information item, voice authentication information item, and image authentication information item. The at least two current authentication information items include: a current password authentication information item and a current fingerprint authentication information item. Then, comparing the current password authentication information item with the prestored password authentication information item, and comparing the current fingerprint authentication information item with the prestored fingerprint authentication information item, and if the comparison results are the same, determining that the requester passes the identity verification. And when the comparison result of any of the current authentication information items (e.g., the password authentication information item or the fingerprint authentication information item) is different, determining that the requester fails the authentication.
The acquiring means 304 is configured to acquire, when the requester passes the identity verification, a plurality of alarm events having an association relationship with the alarm event related to the detection request from the alarm event database based on the attribute information of the alarm event related to the detection request, and to form an alarm event detection set including the alarm event related to the detection request and the alarm events having the association relationship with it.
In one embodiment, the obtaining device 304 is specifically configured to obtain, from attribute information of an alarm event related to a detection request, a source network address, a destination network address, and a timestamp of the alarm event related to the detection request, where the source network address, the destination network address, and the timestamp of the alarm event related to the detection request are respectively used as a base source network address, a base destination network address, and a base timestamp; and acquiring attribute information of each alarm event in the alarm event database, determining the alarm event with the time stamp earlier than the basic time stamp, the source network address identical to the basic source network address and the destination network address identical to the basic destination network address in the attribute information as the alarm event with the association relation with the alarm event related to the detection request, thereby acquiring a plurality of alarm events with the association relation with the alarm event related to the detection request in the alarm event database.
In one embodiment, the acquiring means 304 is specifically configured to obtain, from the attribute information of the alarm event related to the detection request, its destination network address, source port number, destination port number and timestamp, and to use them respectively as a base destination network address, a base source port number, a base destination port number and a base timestamp; and to acquire the attribute information of each alarm event in the alarm event database and determine every alarm event whose timestamp is the same as the base timestamp, whose destination network address is the same as the base destination network address, whose source port number is the same as the base source port number and whose destination port number is the same as the base destination port number as an alarm event having an association relationship with the alarm event related to the detection request, thereby acquiring a plurality of such associated alarm events from the alarm event database.
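As an added example that is not part of the patent text, the following Python code implements both association rules of the acquiring means 304 and the input vector generation of the processing means 305 over a constructed alarm database; the dataclass, the function names and the IP/port/one-hot encoding of the six attributes are assumptions, since the page does not fix a numeric encoding.

```python
from dataclasses import dataclass
from typing import Callable, List

# Attack types named in the page's attribute information; the order fixes the one-hot layout.
ATTACK_TYPES = ["denial of service", "phishing", "scanning",
                "buffer overflow", "password", "sql injection"]


@dataclass(frozen=True)
class AlarmEvent:
    """Attribute information of one alarm event (field names are assumptions)."""
    source_address: str        # network address of the device initiating the attack
    source_port: int           # port used by the initiating device
    destination_address: str   # network address of the attacked device
    destination_port: int      # port of the attacked device involved in the attack
    attack_type: str           # one of ATTACK_TYPES
    timestamp: int             # moment the alarm was detected (seconds)


def associated_by_flow(base: AlarmEvent, database: List[AlarmEvent]) -> List[AlarmEvent]:
    """First embodiment: same source and destination address as the base event
    and a timestamp earlier than the base timestamp."""
    return [e for e in database
            if e.timestamp < base.timestamp
            and e.source_address == base.source_address
            and e.destination_address == base.destination_address]


def associated_by_ports(base: AlarmEvent, database: List[AlarmEvent]) -> List[AlarmEvent]:
    """Second embodiment: same destination address, source port, destination port
    and timestamp as the base event."""
    return [e for e in database
            if e.timestamp == base.timestamp
            and e.destination_address == base.destination_address
            and e.source_port == base.source_port
            and e.destination_port == base.destination_port]


Rule = Callable[[AlarmEvent, List[AlarmEvent]], List[AlarmEvent]]


def detection_set(base: AlarmEvent, database: List[AlarmEvent], rule: Rule) -> List[AlarmEvent]:
    """Alarm event detection set: the requested event first, then its associated
    events, without listing the base event twice when it is in the database."""
    return [base] + [e for e in rule(base, database) if e != base]


def _octets(address: str) -> List[float]:
    # Assumed encoding: each IPv4 octet scaled to [0, 1].
    return [int(o) / 255.0 for o in address.split(".")]


def input_vector(event: AlarmEvent, base_timestamp: int) -> List[float]:
    """Assumed encoding of the six attributes into one numeric vector:
    4 source octets, source port, 4 destination octets, destination port,
    6-way one-hot attack type, timestamp relative to the base event (17 values)."""
    one_hot = [1.0 if event.attack_type == a else 0.0 for a in ATTACK_TYPES]
    return (_octets(event.source_address) + [event.source_port / 65535.0]
            + _octets(event.destination_address) + [event.destination_port / 65535.0]
            + one_hot + [float(event.timestamp - base_timestamp)])


def input_vectors(events: List[AlarmEvent]) -> List[List[float]]:
    """Vectors in time order, as they are fed one per computing unit into the
    loop layer; events[0] is the base (requested) event."""
    base_ts = events[0].timestamp
    return [input_vector(e, base_ts) for e in sorted(events, key=lambda e: e.timestamp)]


# Constructed sample database (not real alarms).
DATABASE = [
    AlarmEvent("10.0.0.5", 40001, "192.168.1.10", 22, "scanning", 1000),
    AlarmEvent("10.0.0.5", 40002, "192.168.1.10", 22, "password", 1060),
    AlarmEvent("10.0.0.9", 40002, "192.168.1.10", 22, "password", 1060),
    AlarmEvent("10.0.0.5", 40003, "192.168.1.10", 80, "sql injection", 1120),
    AlarmEvent("10.0.0.5", 40004, "192.168.1.10", 80, "buffer overflow", 1300),
    AlarmEvent("10.0.0.7", 50000, "192.168.1.20", 443, "phishing", 1100),
]
REQUESTED = DATABASE[3]   # the alarm event named in the detection request

if __name__ == "__main__":
    flow_set = detection_set(REQUESTED, DATABASE, associated_by_flow)
    print(len(flow_set), "events in the detection set (flow rule)")
    for vec in input_vectors(flow_set):
        print(vec)
```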
The processing means 305 is configured to generate an input vector based on the attribute information of each alarm event in the alarm event detection set, thereby obtaining a plurality of input vectors associated with the alarm event detection set, and to process the plurality of input vectors with the relevance detection model to determine an associated alarm probability value for the alarm event detection set.
In one embodiment, the processing device 305 is specifically configured to obtain a source network address, a source port number, a destination network address, a destination port number, an attack type, and a timestamp in attribute information of each alarm event in the alarm event detection set; an input vector associated with each alarm event is generated based on the source network address, the source port number, the destination network address, the destination port number, the attack type, and the timestamp, thereby obtaining a plurality of input vectors associated with the alarm event detection set.
In one embodiment, the processing means 305 is specifically configured such that the input layer of the relevance detection model obtains the plurality of input vectors associated with the alarm event detection set and feeds them sequentially, one per computing unit, into the loop layer of the relevance detection model; the loop layer comprises a plurality of computing units connected in a hierarchical manner, each comprising a fuzzy processing module and a memory strengthening processing module; the loop layer computes the plurality of input vectors with the plurality of computing units so as to determine a hidden state value; the fully connected layer of the relevance detection model determines the association degree of the plurality of input vectors from the hidden state value; and the output layer of the relevance detection model determines the associated alarm probability value of the plurality of alarm events in the alarm event detection set from the association degree of the plurality of input vectors.
In one embodiment, the processing means 305 is specifically configured to: have the fuzzy processing module of the t-th computing unit compute, from the t-th input vector and the hidden state value of the (t-1)-th computing unit, the fuzzy result value of the t-th computing unit, where 1 ≤ t ≤ N, t and N are natural numbers, and N is the number of computing units in the loop layer and also the number of input vectors; have the memory strengthening processing module of the t-th computing unit compute, from the t-th input vector and the hidden state value of the (t-1)-th computing unit, the memory strengthening result value of the t-th computing unit; have the t-th computing unit compute, from its fuzzy result value, its memory strengthening result value, the t-th input vector and the hidden state value of the (t-1)-th computing unit, the candidate hidden state value of the t-th computing unit; and compute, from the fuzzy result value, the memory strengthening result value, the hidden state value of the (t-1)-th computing unit and the candidate hidden state value, the hidden state value output by the t-th computing unit.
In one embodiment, the processing means 305 is specifically configured to perform the calculation based on the following formula:
$$m_t = \mathrm{leakyReLU}\big(W_r\,[h_{t-1},x_t]\,[h_{t-1},x_t]^T\big) + \tanh\big(W_m\,([h_{t-1},x_t]\,[h_{t-1},x_t]^T)^2\big) + \mathrm{sigmoid}\big(W_u\,([h_{t-1},x_t]\,[h_{t-1},x_t]^T)^2 - [h_{t-1},x_t]\,[h_{t-1},x_t]^T + b\big)$$
wherein $m_t$ is the fuzzy result value output by the fuzzy processing module of the t-th computing unit after data processing; leaky ReLU, tanh and sigmoid are all activation functions; $W_r$, $W_m$ and $W_u$ are weight matrices of the fuzzy processing module; $h_{t-1}$ is the hidden state value output by the (t-1)-th computing unit and input to the t-th computing unit; $x_t$ is the input vector of the t-th computing unit, where $h_0$ is a random value; $T$ denotes the transpose; and $b$ is a bias value.
The fuzzy processing module determines which part of the state information of the (t-1)-th computing unit is to be forgotten in the t-th computing unit; the forgotten part is the state information whose influence on the output of the relevance detection model is below an influence threshold.
In one embodiment, the processing means 305 is specifically configured to perform the calculation based on the following formula:
$$s_t = \mathrm{leakyReLU}\big(W_z\,[h_{t-1},x_t]\,[h_{t-1},x_t]^T\big) + \tanh\big(W_a\,([h_{t-1},x_t]\,[h_{t-1},x_t]^T)^2\big) + \mathrm{sigmoid}\big(W_b\,([h_{t-1},x_t]\,[h_{t-1},x_t]^T)^2 + [h_{t-1},x_t]\,[h_{t-1},x_t]^T + c\big)$$
wherein $s_t$ is the memory strengthening result value output by the memory strengthening processing module of the t-th computing unit after data processing; leaky ReLU, tanh and sigmoid are all activation functions; $W_z$, $W_a$ and $W_b$ are weight matrices of the memory strengthening processing module; $h_{t-1}$ is the hidden state value output by the (t-1)-th computing unit and input to the t-th computing unit; $x_t$ is the input vector of the t-th computing unit, with $1 < t \le N$, where t and N are natural numbers and N is the number of computing units in the loop layer; $T$ denotes the transpose; and $c$ is a bias value.
The memory strengthening processing module determines which part of the state information of the (t-1)-th computing unit remains in memory in the t-th computing unit, and the t-th computing unit performs importance strengthening on that retained part. In other words, the module determines how much state information of the previous time step t-1 is carried into the current state: the larger the value, the more state information is carried from time step t-1 to time step t.
In one embodiment, the processing device 305 is specifically configured to perform the calculation based on the following formula:
wherein the candidate hidden state value is that of the t-th computing unit, $W_k$ and $W_p$ are weight matrices, and $d$ and $e$ are both bias values.
In one embodiment, the processing device 305 is specifically configured to perform the calculation based on the following formula:
wherein the circled operator in the formula denotes the Hadamard (element-wise) product, and $h_t$ is the hidden state value output by the t-th computing unit.
In one embodiment, the processing device 305 is specifically configured to cause the fully connected layer of the relevance detection model to determine the relevance of the plurality of input vectors based on the following formula:
determining the two-dimensional vector output by the fully connected layer:
$$y = \mathrm{ReLU}(h_N W_{hy} + b_y)$$
wherein $y = [y_1, y_2]$ is the two-dimensional vector output by the fully connected layer, $y_1$ being a value indicating that the plurality of input vectors are associated and $y_2$ a value indicating that they are not associated; $h_N$ is the hidden state value output by the N-th computing unit; $W_{hy}$ is the weight of the fully connected layer; $b_y$ is the bias of the fully connected layer; and ReLU is the activation function;
and determining the association degree of the plurality of input vectors based on the result set output by the fully connected layer:
Preferably, the fully connected layer mainly serves to improve the learning ability of the model. Notably, the fully connected layer uses a ReLU (Rectified Linear Unit) activation function instead of a sigmoid activation function, because, compared with sigmoid, ReLU sets the output of some neural units to 0, which reduces the interdependence among the parameters of the neural network and alleviates over-fitting.
The processing means 305 are specifically further configured to calculate a predicted output value:
wherein $o_t$ is the predicted output value, $c$ is the memory state value with $0 \le c < t$, $W_o$ is a weight matrix, leaky ReLU is an activation function, and $0 \le i \le c$.
Alternatively,
$$y = \mathrm{ReLU}(h_N W_{hy} + b_y)\, o_t$$
In one embodiment, the processing means 305 is specifically configured to calculate
$$S = \mathrm{Relation} \times \alpha$$
wherein $S$ is the associated alarm probability value of the plurality of alarm events in the alarm event detection set and $\alpha$ is an adjustment coefficient: $\alpha = 0.98$ when N is greater than a first number threshold; $\alpha = 0.95$ when N is less than or equal to the first number threshold and greater than a second number threshold; and $\alpha = 0.92$ when N is less than or equal to the second number threshold.
The output layer is mainly used for classification. The model uses the softmax function to convert the numeric output into a probabilistic output. For example, if the probability that the android software to be detected belongs to "normal android software" is large, the detection result for the android software to be detected is normal android software; otherwise, the detection result is android malicious software.
Preferably, the activation functions are defined as follows: sigmoid, $\mathrm{sigmoid}(x) = 1/(1 + e^{-x})$; tanh, $\tanh(z) = (e^{z} - e^{-z})/(e^{z} + e^{-z})$; ReLU, $\mathrm{ReLU}(x) = \max(0, x)$; and leaky ReLU, $\mathrm{leakyReLU}(x) = \max(0, x) + \mathrm{leak} \cdot \min(0, x)$.
Preferably, leak is a small constant: $y = \max(0, x) + \mathrm{leak} \cdot \min(0, x)$ retains a fraction of the negative values, so that negative information is not lost altogether.
The determining means is configured to determine that the plurality of alarm events in the alarm event detection set belong to an associated alarm event when the associated alarm probability value is greater than the probability threshold value. The probability threshold value may be preset and may be adjusted dynamically for different scenarios or applications. When the alarm events in the alarm event detection set are determined to be associated, they can be processed together, so that potential network attack threats are identified more quickly and effectively and the processing efficiency for large numbers of alarm events improves.
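As an added example that is not part of the patent, the following Python code carries the fully connected layer, the softmax output layer, the adjustment coefficient α and the probability threshold decision of the determining means through on a constructed hidden state $h_N$; the weights, the first and second number thresholds and the probability threshold are placeholder assumptions because the page does not give their values.

```python
import math
from typing import List


def relu(x: float) -> float:
    """ReLU(x) = max(0, x), the activation the page selects for the fully connected layer."""
    return max(0.0, x)


def leaky_relu(x: float, leak: float = 0.01) -> float:
    """leaky ReLU(x) = max(0, x) + leak * min(0, x); leak is a small constant (assumed 0.01)."""
    return max(0.0, x) + leak * min(0.0, x)


def fully_connected(h_n: List[float], w_hy: List[List[float]], b_y: List[float]) -> List[float]:
    """y = ReLU(h_N W_hy + b_y): h_N is the hidden state of the N-th computing unit
    (length d), W_hy is d x 2, b_y has length 2; returns y = [y1, y2]."""
    y = []
    for j in range(2):
        z = sum(h_n[i] * w_hy[i][j] for i in range(len(h_n))) + b_y[j]
        y.append(relu(z))
    return y


def softmax(values: List[float]) -> List[float]:
    """Output layer: softmax turns the numeric [y1, y2] into probabilities
    (subtracting the maximum first keeps exp() from overflowing)."""
    m = max(values)
    exps = [math.exp(v - m) for v in values]
    total = sum(exps)
    return [e / total for e in exps]


def adjustment_coefficient(n: int, first_threshold: int = 10, second_threshold: int = 5) -> float:
    """alpha as stated on the page: 0.98 above the first number threshold, 0.95 between
    the two thresholds, 0.92 at or below the second. The threshold values are placeholders."""
    if n > first_threshold:
        return 0.98
    if n > second_threshold:
        return 0.95
    return 0.92


def associated_alarm_probability(h_n: List[float], w_hy: List[List[float]], b_y: List[float],
                                 n_events: int, first_threshold: int = 10,
                                 second_threshold: int = 5) -> float:
    """S = Relation x alpha, with Relation taken as the softmax probability of y1 (associated)."""
    relation = softmax(fully_connected(h_n, w_hy, b_y))[0]
    return relation * adjustment_coefficient(n_events, first_threshold, second_threshold)


def is_associated(probability: float, probability_threshold: float = 0.8) -> bool:
    """Determining means: the events are associated when S exceeds the (preset, adjustable) threshold."""
    return probability > probability_threshold


# Constructed hidden state and weights (placeholders, not trained values).
H_N = [1.0, 0.5, -0.5]
W_HY = [[2.0, 0.0], [1.0, 1.0], [0.0, 1.0]]
B_Y = [0.0, 0.0]

if __name__ == "__main__":
    s = associated_alarm_probability(H_N, W_HY, B_Y, n_events=3)
    print(f"S = {s:.4f}, associated = {is_associated(s)}")
```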

Claims (9)

1. A method for detecting an associated alarm event, the method comprising:
when a detection request for an associated alarm event is received, extracting requester information and alarm event information from the detection request;
analyzing the requester information to obtain the identification information and the identity information of the requester, and analyzing the alarm event information to obtain the attribute information of the alarm event related to the detection request;
carrying out identity verification on the requester based on the identification information of the requester and the identity information of the requester;
when the requester passes identity verification, acquiring a plurality of alarm events with association relations with the alarm events related to the detection request from an alarm event database based on attribute information of the alarm events related to the detection request, and forming an alarm event detection set comprising the alarm events and the alarm events with association relations;
generating an input vector based on attribute information of each alarm event in the alarm event detection set, so as to obtain a plurality of input vectors associated with the alarm event detection set, and processing the plurality of input vectors by a relevance detection model to determine an associated alarm probability value of the alarm event detection set; and
when the associated alarm probability value is greater than the probability threshold value, determining that the plurality of alarm events in the alarm event detection set belong to an associated alarm event;
wherein the attribute information includes: source network address, source port number, destination network address, destination port number, attack type, and timestamp; the source network address is the network address of the initiator device which initiates the attack in the alarm event, the source port number is the port number used by the initiator device which initiates the attack in the alarm event, the destination network address is the network address of the attacked device which is attacked in the alarm event, and the destination port number is the port number involved in the attack of the attacked device in the alarm event; the attack type is denial of service attack, phishing attack, scanning attack, buffer overflow attack, password attack or structured query language SQL injection attack; the timestamp is used for indicating the moment when the alarm event is detected;
generating an input vector associated with each alarm event based on the source network address, the source port number, the destination network address, the destination port number, the attack type, and the timestamp, thereby obtaining a plurality of input vectors associated with the alarm event detection set;
wherein processing the plurality of input vectors by the relevance detection model to determine an associated alarm probability value for the alarm event detection set comprises:
the input layer of the relevance detection model acquires a plurality of input vectors associated with an alarm event detection set, and the input vectors associated with the alarm event detection set are sequentially input to a corresponding calculation unit of a circulating layer of the relevance detection model; wherein the loop layer includes a plurality of computing units connected in a hierarchical manner, each computing unit of the plurality of computing units including: the fuzzy processing module and the memory strengthening processing module;
the circulating layer of the relevance detection model utilizes a plurality of computing units to compute a plurality of input vectors so as to determine a hidden state value;
the full connection layer of the relevance detection model determines relevance of a plurality of input vectors according to the hidden state value; and
the output layer of the relevance detection model determines the relevance alarm probability values of a plurality of alarm events in the alarm event detection set according to the relevance of a plurality of input vectors;
the loop layer of the relevance detection model calculates a plurality of input vectors by using a plurality of calculation units, so as to determine a hidden state value, and the method comprises the following steps:
calculating, by a fuzzy processing module of the t-th calculating unit, based on the t-th input vector and the hidden state value of the (t-1)-th calculating unit, to obtain a fuzzy result value of the t-th calculating unit; wherein 1 ≤ t ≤ N, t and N are natural numbers, N is the number of calculating units of the circulating layer, and the number of input vectors is N;
calculating by a memory enhancement processing module of the t-th calculating unit based on the t-th input vector and the hidden state value of the t-1-th calculating unit to obtain a memory enhancement result value of the t-th calculating unit;
calculating by the t-th calculating unit based on the fuzzy result value of the t-th calculating unit, the memory strengthening result value of the t-th calculating unit, the t-th input vector and the hidden state value of the t-1-th calculating unit to obtain candidate hidden state values of the t-th calculating unit; and
and calculating based on the fuzzy result value of the t-th calculation unit, the memory strengthening result value of the t-th calculation unit, the hidden state value of the t-1 th calculation unit and the candidate hidden state value of the t-th calculation unit so as to acquire the hidden state value output by the t-th calculation unit.
2. The method of claim 1, wherein authenticating the requestor based on the identification information of the requestor and the identity information of the requestor comprises:
acquiring current authentication information of the requester from the identity information of the requester;
retrieving in an authentication database based on the identification information of the requesting party to obtain pre-stored authentication information associated with the requesting party;
verifying the current authentication information of the requester based on the pre-stored authentication information associated with the requester.
3. The method of claim 2, wherein verifying the current authentication information of the requestor based on pre-stored authentication information associated with the requestor comprises:
extracting at least two current authentication information items from the current authentication information of the requester; and verifying each current authentication information item based on the pre-stored authentication information associated with the requester.
4. A method according to claim 3, wherein verifying each current authentication information item based on pre-stored authentication information associated with the requesting party comprises:
acquiring a plurality of pre-stored authentication information items from pre-stored authentication information associated with the requesting party;
each current authentication information item is compared with a corresponding type of authentication information item among a plurality of authentication information items stored in advance, so that an authentication result is determined based on the comparison result.
5. The method of claim 4, wherein the type of authentication information item comprises: a password authentication information item, a fingerprint authentication information item, a voice authentication information item, and an image authentication information item.
6. The method of claim 4, wherein comparing each current authentication information item with a corresponding type of authentication information item of the plurality of authentication information items stored in advance, thereby determining a result of the authentication based on the comparison result, comprises:
comparing each current authentication information item with corresponding types of authentication information items in a plurality of pre-stored authentication information items to obtain a comparison result of each current authentication information item;
when the comparison result of each current authentication information item is the same, determining that the requester passes the identity verification;
and when the comparison results of any current authentication information items are different, determining that the requester fails the identity verification.
7. A system for detecting an associated alarm event, the system comprising:
extracting means for extracting requester information and alarm event information from a detection request for an associated alarm event when the detection request is received;
the analyzing device is used for analyzing the information of the requesting party to acquire the identification information and the identity information of the requesting party and analyzing the alarm event information to acquire the attribute information of the alarm event related to the detection request;
verification means for carrying out identity verification on the requester based on the identification information of the requester and the identity information of the requester;
the acquisition device is used for acquiring a plurality of alarm events with association relation with the alarm event related to the detection request from an alarm event database based on the attribute information of the alarm event related to the detection request when the requester passes identity verification, and forming an alarm event detection set comprising the alarm events and the alarm events with association relation;
processing means for generating an input vector based on attribute information of each alarm event in the alarm event detection set, thereby obtaining a plurality of input vectors associated with the alarm event detection set, the plurality of input vectors being processed by the relevance detection model to determine an associated alarm probability value for the alarm event detection set,
wherein processing the plurality of input vectors by the relevance detection model to determine a relevance alarm probability value for the alarm event detection set comprises:
the input layer of the relevance detection model acquires a plurality of input vectors associated with an alarm event detection set, and the input vectors associated with the alarm event detection set are sequentially input to a corresponding calculation unit of a circulating layer of the relevance detection model; wherein the loop layer includes a plurality of computing units connected in a hierarchical manner, each computing unit of the plurality of computing units including: the fuzzy processing module and the memory strengthening processing module;
the circulating layer of the relevance detection model utilizes a plurality of computing units to compute a plurality of input vectors so as to determine a hidden state value;
the full connection layer of the relevance detection model determines relevance of a plurality of input vectors according to the hidden state value; and
the output layer of the relevance detection model determines the relevance alarm probability values of a plurality of alarm events in the alarm event detection set according to the relevance of a plurality of input vectors;
the loop layer of the relevance detection model calculates a plurality of input vectors by using a plurality of calculation units, so as to determine a hidden state value, and the method comprises the following steps:
calculating by a fuzzy processing module of the t-th calculating unit based on the t-th input vector and the hidden state value of the t-1-th calculating unit to obtain a fuzzy result value of the t-th calculating unit; wherein, t is more than or equal to 1 and less than or equal to N, wherein t and N are natural numbers and N is the number of calculation units of the circulating layer; and the number of input vectors is N;
calculating by a memory enhancement processing module of the t-th calculating unit based on the t-th input vector and the hidden state value of the t-1-th calculating unit to obtain a memory enhancement result value of the t-th calculating unit;
calculating, by the t-th calculating unit, based on the fuzzy result value of the t-th calculating unit, the memory strengthening result value of the t-th calculating unit, the t-th input vector and the hidden state value of the (t-1)-th calculating unit, to obtain candidate hidden state values of the t-th calculating unit; and
calculating based on the fuzzy result value of the t-th calculation unit, the memory strengthening result value of the t-th calculation unit, the hidden state value of the t-1 th calculation unit and the candidate hidden state value of the t-th calculation unit to obtain the hidden state value output by the t-th calculation unit; and
determining means for determining that a plurality of alarm events in the alarm event detection set belong to an associated alarm event when the associated alarm probability value is greater than a probability threshold value;
wherein the attribute information includes: source network address, source port number, destination network address, destination port number, attack type, and timestamp; the source network address is the network address of the initiator device which initiates the attack in the alarm event, the source port number is the port number used by the initiator device which initiates the attack in the alarm event, the destination network address is the network address of the attacked device which is attacked in the alarm event, and the destination port number is the port number involved in the attack of the attacked device in the alarm event; the attack type is denial of service attack, phishing attack, scanning attack, buffer overflow attack, password attack or structured query language SQL injection attack; the timestamp is used for indicating the moment when the alarm event is detected;
an input vector associated with each alarm event is generated based on the source network address, the source port number, the destination network address, the destination port number, the attack type, and the timestamp, thereby obtaining a plurality of input vectors associated with the alarm event detection set.
8. A computer readable storage medium, characterized in that the storage medium stores a computer program for executing the method of any one of claims 1-6.
9. An electronic device, comprising:
a processor;
a memory for storing the processor-executable instructions;
the processor is configured to read the executable instructions from the memory and execute the instructions to implement the method of any one of claims 1-6.
CN202310743271.5A 2023-06-21 2023-06-21 Method and system for detecting associated alarm event Active CN116980181B (en)

Publications (2)

Publication Number Publication Date
CN116980181A CN116980181A (en) 2023-10-31
CN116980181B true CN116980181B (en) 2024-02-20
