CN118041692B - Network security testing method and system based on intrusion detection technology - Google Patents


Publication number
CN118041692B
Authority
CN
China
Prior art keywords
array
dimension reduction
access time
dimension
call
Legal status
Active
Application number
CN202410430414.1A
Other languages
Chinese (zh)
Other versions
CN118041692A (en)
Inventor
赵军民
孙涛
陈子豪
郑旭业
Current Assignee
Wuhan Minghe Yongan Technology Co ltd
Original Assignee
Wuhan Minghe Yongan Technology Co ltd

Abstract

The invention provides a network security testing method and system based on intrusion detection technology, relating to the technical field of network security. The method comprises: performing dimension reduction on an access time array, obtained from the times at which a target database is accessed within a preset time period, and on a call duration array, obtained from the call durations of the login interface during the multiple accesses to the target database within that period, to obtain a dimension-reduced access time array and a dimension-reduced call duration array; performing network security analysis and calculation on these arrays to obtain a database security level; setting a suspected intrusion frequency threshold according to the number of times the target database is accessed in the preset time period; and combining the resulting plurality of suspected intrusion behaviors with the database security level to serve as the network security test result of the target database. The method solves the technical problem of low network security caused by the lack of network intrusion detection in the prior art, realizes reasonable and accurate intrusion monitoring, and improves network security.

Description

Network security testing method and system based on intrusion detection technology
Technical Field
The invention relates to the technical field of network security, in particular to a network security testing method and system based on an intrusion detection technology.
Background
With the development of communication technology, more and more people and industries use computer networks, but users generally lack awareness of computer network security. Many users cannot collect and monitor network traffic in real time, and no threat discrimination is performed on user behavior on the network, which creates the conditions for intrusion by computer viruses and leads to data loss, information leakage and the like, seriously affecting the security of the users' computers. The prior art therefore has the technical problem of low network security caused by the lack of network intrusion detection.
Disclosure of Invention
The application provides a network security testing method and system based on an intrusion detection technology, which are used for solving the technical problem of low network security caused by lack of detection of network intrusion in the prior art.
In view of the above problems, the present application provides a network security testing method and system based on intrusion detection technology.
In a first aspect, the present application provides a network security testing method based on intrusion detection technology, the method comprising: acquiring the accessed time of a target database in a preset time period, and obtaining an access time array; collecting the calling duration of the login interface in the process that the target database is accessed for a plurality of times in the preset time period, and obtaining a calling duration array; performing dimension reduction processing on the access time array and the call duration array to obtain a dimension reduction access time array and a dimension reduction call duration array, wherein the dimension reduction processing is performed on the access time array by calculating the distribution probability of a plurality of access times; according to the dimension reduction access time array and the dimension reduction call time length array, carrying out network security analysis and calculation of the target database, and carrying out correction calculation according to the dimension reduction feature restoration degree of the dimension reduction access time array and the dimension reduction call time length array to obtain the security level of the database; setting a suspected intrusion frequency threshold according to the security level of the database and the frequency of the target database accessed in a preset time period; and performing suspicious intrusion decision division on the calling duration array according to the suspicious intrusion frequency threshold value to obtain a plurality of suspicious intrusion behaviors, and combining the database security level to serve as a network security test result of a target database.
In a second aspect, the present application provides a network security testing system based on intrusion detection technology, the system comprising: the first array acquisition module is used for acquiring the accessed time of the target database in a preset time period and acquiring an access time array; the second array acquisition module is used for acquiring the calling duration of the login interface in the process that the target database is accessed for a plurality of times in the preset time period and acquiring a calling duration array; the dimension reduction module is used for carrying out dimension reduction processing on the access time array and the call duration array to obtain a dimension reduction access time array and a dimension reduction call duration array, wherein the dimension reduction processing is carried out on the access time array by calculating the distribution probability of a plurality of access times; the correction calculation module is used for carrying out network security analysis and calculation of the target database according to the dimension reduction access time array and the dimension reduction call time length array, and carrying out correction calculation according to the dimension reduction feature restoration degree of the dimension reduction access time array and the dimension reduction call time length array to obtain the security level of the database; the threshold setting module is used for setting a suspected intrusion frequency threshold according to the database security level and the frequency of the target database accessed in a preset time period; the test result module is used for carrying out suspicious intrusion decision division on the calling duration array according to the suspicious intrusion frequency threshold value to obtain a plurality of suspicious intrusion behaviors, and combining the database security level to serve as a network security test result of a target database.
One or more technical schemes provided by the application have at least the following technical effects or advantages:
The network security testing method and system based on the intrusion detection technology provided by the application relate to the technical field of network security, solve the technical problem of low network security caused by lack of detection of network intrusion in the prior art, realize reasonable and accurate intrusion monitoring and improve network security.
Drawings
FIG. 1 is a schematic flow chart of a network security testing method based on intrusion detection technology;
FIG. 2 is a schematic diagram of a network security testing system based on intrusion detection technology according to the present application.
Reference numerals illustrate: the system comprises a first array acquisition module 1, a second array acquisition module 2, a dimension reduction module 3, a correction calculation module 4, a threshold setting module 5 and a test result module 6.
Detailed Description
The application provides a network security testing method and system based on an intrusion detection technology, which are used for solving the technical problem of low network security caused by lack of detection of network intrusion in the prior art.
Example 1
As shown in fig. 1, an embodiment of the present application provides a network security testing method based on intrusion detection technology, where the method includes:
Step A100: acquiring the accessed time of a target database in a preset time period, and obtaining an access time array;
In the application, the network security testing method based on intrusion detection technology is applied to the network security testing system based on intrusion detection technology. The system identifies the data in the current network that requires network security testing and determines the target database. To test network security more accurately, the period during which the target database is accessed is set according to the historical access time nodes, and the accessed-time information of the target database is acquired over this preset time period, which may be one day, one week, or the like. The time information may include the duration for which the login interface is called during an access (the access duration information), the access time node information, the access count information, and so on. Intrusion accesses can then be analyzed by their access time and interface use duration, since these deviate from the access time and duration of normal accesses.
On this basis, a target data format is selected according to the preset time period; the target data format may be a timestamp array, a Datetime array, or the like. The accessed times are arranged in this format to obtain the access time array, which serves as an important reference basis for the network security test based on intrusion detection technology carried out at a later stage.
Step A200: collecting the calling duration of the login interface in the process that the target database is accessed for a plurality of times in the preset time period, and obtaining a calling duration array;
In the application, in order to identify abnormal accesses in the current network more accurately, data must also be collected on the call duration of the login interface during the multiple accesses to the target data within the determined preset time period. A login operation must be performed before each access to the target database, and the call duration is the time for which the login interface is called, that is, the time span from entering the login interface to logging in successfully. For each login interface call, the call duration is calculated as the time difference between the service start time and the service end time. Finally, the call duration of each login interface call is extracted and a call duration array is constructed for the preset time period; the call durations are stored in a list or array so that they can be retrieved later, which supports the network security test based on intrusion detection technology.
Step A300: performing dimension reduction processing on the access time array and the call duration array to obtain a dimension reduction access time array and a dimension reduction call duration array, wherein the dimension reduction processing is performed on the access time array by calculating the distribution probability of a plurality of access times;
Further, step A300 of the present application further includes:
Step A310: acquiring a preset access time, wherein the preset access time is the midpoint time of the preset time period;
Step A320: calculating and acquiring distribution probabilities of a plurality of access times in the access time array with respect to the preset access time, to obtain a distribution probability array, wherein the magnitudes of the intervals between the access times and the preset access time are inversely related to the magnitudes of the distribution probabilities;
Step A330: according to the access time array, randomly generating a first dimension-reduced access time array as a stage dimension reduction result, and combining the preset access time to calculate a first dimension-reduced distribution probability array, wherein the first dimension-reduced access time array comprises a dimension-reduced number of dimension-reduced access times;
Step A340: analyzing the similarity of the distribution probability array and the first dimension-reduced distribution probability array to obtain a first dimension-reduction similarity;
Step A350: continuing to randomly generate a second dimension-reduced access time array, and calculating a second dimension-reduction similarity;
Step A360: judging and updating the stage dimension reduction result according to the second dimension-reduction similarity and the first dimension-reduction similarity;
Step A370: continuing to perform dimension reduction optimization processing on the stage dimension reduction result until convergence is achieved, obtaining the dimension-reduced access time array with the maximum dimension-reduction similarity;
Step A380: performing dimension reduction processing on the call duration array based on the historical average call duration to obtain the dimension-reduced call duration array.
Further, step A340 of the present application includes:
Step A341: acquiring a sample distribution probability array set and a sample dimension-reduced distribution probability array set, and evaluating and acquiring a sample dimension-reduction similarity set;
Step A342: adopting the sample distribution probability array set, the sample dimension-reduced distribution probability array set and the sample dimension-reduction similarity set to construct a dimension-reduction similarity analysis path;
Step A343: analyzing the distribution probability array and the first dimension-reduced distribution probability array based on the dimension-reduction similarity analysis path to obtain the first dimension-reduction similarity.
Further, step A360 of the present application includes:
Step A361: generating an update probability distribution according to the second dimension-reduction similarity and the first dimension-reduction similarity, wherein the update probability distribution comprises a first probability interval and a second probability interval which are in direct proportion to the magnitudes of the second dimension-reduction similarity and the first dimension-reduction similarity;
Step A362: randomly generating a random number larger than 0 and smaller than 1, and updating the first dimension-reduced access time array or the second dimension-reduced access time array as the stage dimension reduction result according to the probability interval of the update probability distribution into which the random number falls.
In the application, the obtained access time array and call duration array are subjected to dimension reduction optimization based on the distribution probability of the access times and the call durations, and the dimension-reduced access time array and dimension-reduced call duration array whose distribution probability has the maximum similarity to the original are calculated. First, the preset access time is determined as the midpoint time of the determined preset time period, the midpoint time being the time node at the center between the start time and the end time of the period. Then the distribution probability of each of the plurality of access times in the access time array with respect to the preset access time is calculated. The earliest and latest access times in the access time array may be assigned a distribution probability of 0 (alternatively, the start point and end point of the preset time period are assigned a distribution probability of 0), and the distribution probabilities of the remaining access times are calculated in turn: for example, an access time falling at the midpoint between the earliest access time and the preset access time has a distribution probability of 0.5, and the larger the interval between an access time and the preset access time, the smaller its distribution probability. The distribution probabilities of the plurality of access times with respect to the preset access time are thus arranged into a distribution probability array, in which the size of the interval between an access time and the preset access time is inversely related to the size of the distribution probability.
Next, a first dimension-reduced access time array is randomly generated from the access time array. The first dimension-reduced access time array is obtained by extracting the features of the access time array, selecting the most representative features from the extracted features by correlation analysis, and then applying a dimension reduction algorithm, such as principal component analysis, to convert the high-dimensional features into a low-dimensional representation, which serves as the stage dimension reduction result. At the same time, a first dimension-reduced distribution probability array is calculated for it in combination with the preset access time; this array corresponds to the first dimension-reduced access time array, which contains a dimension-reduced number of dimension-reduced access times.
Analyzing the similarity between the distribution probability array and the first dimension-reduced distribution probability array means analyzing how similar the data in the two arrays are; for example, if the distribution rules of the data in the two arrays are similar (say, the concentrated distributions have similar sizes), the similarity between the arrays is higher. First, samples are extracted from the distribution probability array and from the first dimension-reduced distribution probability array according to their distribution probability characteristics, generating a sample distribution probability array set and a sample dimension-reduced distribution probability array set, and the similarity of the distribution distance between the two sample sets is evaluated to determine a sample dimension-reduction similarity set. Then, using the sample distribution probability array set, the sample dimension-reduced distribution probability array set and the sample dimension-reduction similarity set, the probability distribution of the data is first estimated with a statistical method or probability model, that is, the sample distribution probability array set describes the distribution of the original data; a dimension reduction algorithm such as principal component analysis is applied to the original data to obtain a dimension-reduced data set; the similarity between samples in the dimension-reduced data set is calculated with a distance measure such as the Euclidean or Manhattan distance, or a similarity measure such as cosine similarity or the correlation coefficient; and finally, from the sample dimension-reduction similarity set, a clustering algorithm such as hierarchical clustering or k-means, or a graph partitioning algorithm such as spectral clustering, is used to construct a similarity analysis path, namely the dimension-reduction similarity analysis path, in which each node represents one sample and the edges represent the similarity relations between samples. The distribution probability array and the first dimension-reduced distribution probability array are then analyzed through this dimension-reduction similarity analysis path to obtain the first dimension-reduction similarity. A second dimension-reduced access time array is then randomly generated in the same way, and its second dimension-reduction similarity is calculated by the same procedure.
Then the stage dimension reduction result is judged and updated according to the second and first dimension-reduction similarities: an update probability distribution is obtained from the two similarities, comprising a first probability interval and a second probability interval whose sizes are in direct proportion to the magnitudes of the second and first dimension-reduction similarities, each probability interval corresponding to one of the two similarities. A random number greater than 0 and less than 1 is generated, and depending on the probability interval of the update probability distribution into which it falls, the first or the second dimension-reduced access time array is taken as the new stage dimension reduction result: if the random number falls in the first probability interval, the first dimension-reduced access time array becomes the stage dimension reduction result; if it falls in the second probability interval, the second dimension-reduced access time array becomes the stage dimension reduction result. This dimension reduction optimization is repeated on the stage dimension reduction result until it reaches a convergence state. Convergence may be taken to mean that successive stage dimension reduction results converge to one point, or that they approach a certain value, at which point the dimension-reduced access time array with the maximum dimension-reduction similarity is obtained.
Finally, the call duration array is dimension-reduced based on the historical average call duration, obtaining a dimension-reduced call duration array that retains the characteristics of the original data, from which the security level of the database is analyzed. The dimension reduction saves computing power, improves convergence efficiency and retains the data characteristics. This completes the construction of the dimension-reduced call duration array and lays the foundation for the subsequent network security test based on intrusion detection technology.
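The following is an added worked example, written for this page and not taken from the patent, of the distribution-probability dimension reduction described in steps A310 to A380 above. It assumes a linear inverse relation between an access time's interval from the preset access time and its distribution probability (0 at the earliest and latest access times, 0.5 halfway between the earliest access time and the preset time), a histogram-intersection similarity as a simplified stand-in for the patent's dimension-reduction similarity analysis path, the reading that each probability interval of the update distribution is proportional to the similarity of its own candidate array, a no-improvement rule as the convergence test, and, for step A380, keeping the call durations that deviate most from the historical average. All function names, the access times and the durations are constructed for the example.

```python
"""Added example (not the patent's code): distribution-probability dimension
reduction of the access time array (steps A310-A380).  The similarity measure,
the convergence rule and the duration reduction are assumptions of this example."""
import random

# Constructed sample input: seconds-of-day at which the target database was
# accessed during a one-day preset period (hypothetical data).
ACCESS_TIMES = [3600, 7200, 9000, 18000, 21600, 28800, 32400, 36000, 39600,
                43200, 46800, 50400, 54000, 57600, 61200, 64800, 72000,
                75600, 79200, 82800]
CALL_DURATIONS = [1.2, 1.1, 1.3, 9.5, 1.0, 1.2, 7.8, 1.1]  # seconds, constructed
HISTORICAL_AVG_DURATION = 1.2


def preset_access_time(period_start, period_end):
    """Step A310: the preset access time is the midpoint of the preset period."""
    return (period_start + period_end) / 2.0


def distribution_probability(times, t_preset):
    """Step A320: one probability per access time, inversely related to its
    interval from the preset time.  Assumed linear scale per side, so the
    earliest and latest access times get 0 and the time halfway between the
    earliest access time and the preset time gets 0.5."""
    left = t_preset - min(times)
    right = max(times) - t_preset
    probs = []
    for t in times:
        if t <= t_preset:
            p = 1.0 - (t_preset - t) / left if left > 0 else 1.0
        else:
            p = 1.0 - (t - t_preset) / right if right > 0 else 1.0
        probs.append(max(0.0, p))
    return probs


def similarity(probs_a, probs_b, bins=5):
    """Stand-in for step A340: histogram intersection of the two probability
    arrays over equal-width bins on [0, 1]; 1.0 means identical distributions."""
    def hist(probs):
        counts = [0] * bins
        for p in probs:
            counts[min(int(p * bins), bins - 1)] += 1
        return [c / len(probs) for c in counts]
    return sum(min(a, b) for a, b in zip(hist(probs_a), hist(probs_b)))


def choose_stage_result(first, sim_first, second, sim_second, rng):
    """Steps A361-A362: intervals proportional to the two similarities; a random
    number in (0, 1) selects the array whose interval it falls into."""
    total = sim_first + sim_second
    first_interval = sim_first / total if total > 0 else 0.5
    u = rng.random()
    while u == 0.0:          # random() is in [0, 1); the patent wants 0 < u < 1
        u = rng.random()
    return (first, sim_first) if u < first_interval else (second, sim_second)


def reduce_access_times(times, t_preset, k, rng, patience=50, max_iter=2000):
    """Steps A330-A370: random candidate subsets of size k are accepted through
    the update probability distribution; the search stops when the best
    similarity has not improved for `patience` iterations (assumed convergence
    test) and returns the array with the maximum similarity seen."""
    probs = distribution_probability(times, t_preset)
    stage = sorted(rng.sample(times, k))
    stage_sim = similarity(probs, distribution_probability(stage, t_preset))
    best, best_sim, stale = stage, stage_sim, 0
    for _ in range(max_iter):
        cand = sorted(rng.sample(times, k))
        cand_sim = similarity(probs, distribution_probability(cand, t_preset))
        stage, stage_sim = choose_stage_result(stage, stage_sim, cand, cand_sim, rng)
        if stage_sim > best_sim:
            best, best_sim, stale = stage, stage_sim, 0
        else:
            stale += 1
            if stale >= patience:
                break
    return best, best_sim


def reduce_call_durations(durations, historical_avg, k):
    """Step A380 (assumed form): keep the k durations that deviate most from the
    historical average call duration, most deviant first."""
    return sorted(durations, key=lambda d: abs(d - historical_avg), reverse=True)[:k]


def run_demo(seed=1, k=8):
    """Runs the reduction on the constructed sample data with a fixed seed."""
    t_mid = preset_access_time(0, 86400)
    return reduce_access_times(ACCESS_TIMES, t_mid, k, random.Random(seed))


if __name__ == "__main__":
    reduced, sim = run_demo()
    print("reduced access times:", reduced, "similarity:", round(sim, 3))
    print("reduced call durations:",
          reduce_call_durations(CALL_DURATIONS, HISTORICAL_AVG_DURATION, 2))
```

The acceptance rule in `choose_stage_result` means a worse candidate can still replace the stage result with a probability proportional to its similarity, which is why the best array seen is tracked separately and returned at convergence rather than the last stage result.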
Step A400: according to the dimension reduction access time array and the dimension reduction call time length array, carrying out network security analysis and calculation of the target database, and carrying out correction calculation according to the dimension reduction feature restoration degree of the dimension reduction access time array and the dimension reduction call time length array to obtain the security level of the database;
Further, step A400 of the present application further includes:
Step A410: acquiring a sample dimension-reduced access time array set and a sample dimension-reduced call duration array set, and acquiring a sample security level set;
Step A420: respectively adopting the sample dimension-reduced access time array set and the sample dimension-reduced call duration array set, and constructing an access-time security recognition branch and a call-duration security recognition branch by combining the sample security level set, to obtain a security recognition path;
Step A430: based on the security recognition path, analyzing and recognizing the dimension-reduced access time array and the dimension-reduced call duration array, and performing a weighted calculation to obtain a preliminary database security level;
Step A440: obtaining the similarity between the distribution probability arrays and the dimension-reduced distribution probability arrays of the dimension-reduced access time array and the dimension-reduced call duration array as the dimension-reduction feature restoration degree, and carrying out correction calculation on the preliminary database security level to obtain the database security level.
In the application, the dimension-reduced access time array and the dimension-reduced call duration array are taken as the basic reference data, and network security analysis and calculation are carried out on the target database. First, the similarity between the distribution probabilities of the dimension-reduced access time array and dimension-reduced call duration array and the distribution probabilities of the original access time array and call duration array is taken as the dimension-reduction feature restoration degree, with which the security level is corrected. To analyze the security level of the database, sample data are extracted from the dimension-reduced access time array and the dimension-reduced call duration array according to the data characteristics, obtaining a sample dimension-reduced access time array set and a sample dimension-reduced call duration array set. At the same time, the average access time in the sample dimension-reduced access time array set and the average call duration in the sample dimension-reduced call duration array set are calculated, and sample security levels are set in turn to determine the sample security level set. Then, using the sample dimension-reduced access time array set and the sample dimension-reduced call duration array set in combination with the sample security level set, an access-time security recognition branch and a call-duration security recognition branch are constructed: the access-time branch identifies abnormal behavior in the access times using time-series analysis and anomaly detection methods, and the call-duration branch identifies abnormal behavior in the call durations using methods such as cluster analysis and classification models. The sample dimension-reduced access time array set and the sample dimension-reduced call duration array set are input into the access-time branch and the call-duration branch respectively for processing, and based on the outputs of the two branches the security recognition path is constructed using a machine learning method, a rule engine or a similar technique. The path may be a tree structure or a graph structure in which each node represents one sample, so that the similarity relationship or security degree between samples is represented.
Based on the security recognition path, the dimension-reduced access time array and the dimension-reduced call duration array are analyzed and recognized, and a weighted calculation is performed on the analysis and recognition results. The weights must be determined accurately by summarizing a large amount of data before the targeted calculation is performed; for example, the weight ratio of the dimension-reduced access time array to the dimension-reduced call duration array may be first influence coefficient : second influence coefficient = 4:6, so that the influence parameters used in the weighted calculation are a first influence parameter of 0.4 and a second influence parameter of 0.6. The preliminary database security level is obtained from the result of the weighted calculation. The similarity between the distribution probability arrays of the dimension-reduced access time array and dimension-reduced call duration array and their dimension-reduced distribution probability arrays is then taken as the dimension-reduction feature restoration degree. The restoration degree is measured by calculating the variance or the reconstruction error of the features in the dimension-reduced data and reflects how well those features restore the original data. The preliminary database security level is computed from the features and the corresponding security levels in the original data set, using a machine learning algorithm such as a classification model or a rule system based on expert knowledge. The dimension-reduction feature restoration degree is then used as a correction factor: the preliminary database security level is adjusted by a weight derived from the restoration degree, a lower restoration degree reducing the level, and the final database security level is obtained.
Step A500: setting a suspected intrusion frequency threshold according to the security level of the database and the frequency of the target database accessed in a preset time period;
Further, step A500 of the present application further includes:
Step A510: acquiring the number of times the target database is accessed in the preset time period, and obtaining access count information;
Step A520: acquiring a sample security level set and a sample intrusion probability set, and constructing an intrusion probability decision-maker on the basis of this decision data;
Step A530: performing a classification decision on the database security level with the intrusion probability decision-maker to obtain a target intrusion probability, and calculating the suspected intrusion count threshold by combining the target intrusion probability with the access count information.
In the present application, in order to improve the accuracy of the network security test of the target database, a judgment is made on the calculated database security level and on the number of times the target database is accessed in the preset time period. The database security level is mapped to the probability of the target database being intruded, where the smaller the database security level, the greater the intrusion probability of the target database is considered to be; the number of accesses that may be intrusions is then calculated by combining this probability with the number of times the target database is accessed in the preset time period. The access count information is obtained by recording the number of times the target database is accessed in the preset time period. Further, a sample security level set and a sample intrusion probability set are determined from the historical security levels and historical intrusion probabilities of the target database, and an intrusion probability decision-maker is constructed on the basis of this decision data. The decision data are processed by feature engineering to reduce dimension and remove redundant features, and useful features in the decision data such as time, source IP address, destination IP address, protocol type and port number are extracted.
An intrusion probability model is trained with a machine learning algorithm such as logistic regression, a decision tree or a support vector machine. The training data of the intrusion probability model may comprise labelled positive and negative samples, where a positive sample is an event known to be an intrusion and a negative sample is an event that is not a known intrusion. The performance of the model, such as its accuracy and recall, is evaluated by cross-validation, the hold-out method and the like. Further, several models can be integrated by voting, stacking and the like to improve the accuracy of the intrusion probability decision-maker, and the trained ensemble model is finally used as the intrusion probability decision-maker. The decision-maker performs a classification decision on the database security level and calculates the intrusion probability of each database access record, and the records are classified according to the calculated intrusion probability: exemplarily, a threshold such as 0.5 is set, a record whose probability is greater than the threshold is judged to be a suspected intrusion behaviour, and a record whose probability is smaller than the threshold is judged to be normal access behaviour. The records judged to be suspected intrusion behaviours are extracted, and the average of their intrusion probabilities is taken as the target intrusion probability; the threshold itself can be set according to the business requirement and the required intrusion probability. Finally, the target intrusion probability is multiplied by the access count to generate the suspected intrusion count threshold, which is used as reference data in the subsequent network security test based on the intrusion detection technology.
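The following Python program is an added worked example of steps A510 to A530 and is not code from the patent or its applicant. It fits a logistic regression (one of the algorithms named above) by gradient descent on a constructed sample security level set and sample intrusion label set, evaluates it by the hold-out method, maps a database security level to a target intrusion probability through the 0.5 decision threshold, and multiplies that probability by the access count to obtain the suspected intrusion count threshold K. The constructed samples, the 1 to 10 security level scale, the learning rate, the rounding up of K and its floor at 2 (claim 7 requires K to be greater than 1) are assumptions of the example, not details given in the description.

```python
"""Intrusion probability decision-maker and suspected intrusion count threshold.

Added example, not the patent's own code. Logistic regression trained by
batch gradient descent on constructed decision data, a hold-out evaluation,
the 0.5 classification threshold and K = target intrusion probability x
access count. Sample data, level scale, learning rate and the floor of K
at 2 are assumptions of this example.
"""
import math

# Constructed decision data: (sample security level, label), where label 1 is
# a known intrusion and 0 is an event that is not a known intrusion. Lower
# security levels were intruded more often, as the description assumes.
SAMPLES = [
    (1, 1), (1, 1), (2, 1), (2, 1), (3, 1), (3, 0), (4, 1), (4, 0),
    (5, 0), (5, 1), (6, 0), (6, 0), (7, 0), (7, 0),
    (8, 0), (9, 0), (10, 0), (10, 0), (2, 1), (8, 0),
]
LEVEL_SCALE = 10.0  # assumption: security levels lie in 1..10


def _sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def train_decision_maker(samples, lr=1.0, epochs=5000):
    """Fit p(intrusion | level) = sigmoid(w * level/LEVEL_SCALE + b).

    Returns the model as the pair (w, b)."""
    w, b = 0.0, 0.0
    n = len(samples)
    for _ in range(epochs):
        gw = gb = 0.0
        for level, y in samples:
            x = level / LEVEL_SCALE
            err = _sigmoid(w * x + b) - y  # gradient of the log loss
            gw += err * x
            gb += err
        w -= lr * gw / n
        b -= lr * gb / n
    return w, b


def intrusion_probability(model, level):
    """Classification decision of the decision-maker on one security level."""
    w, b = model
    return _sigmoid(w * level / LEVEL_SCALE + b)


def is_suspected_intrusion(model, level, threshold=0.5):
    """Records above the probability threshold (0.5 in the text) are suspected."""
    return intrusion_probability(model, level) > threshold


def holdout_accuracy(samples, train_fraction=0.7):
    """Hold-out evaluation: fit on the first part, score on the remainder."""
    cut = int(len(samples) * train_fraction)
    model = train_decision_maker(samples[:cut])
    test = samples[cut:]
    correct = sum(1 for level, y in test
                  if int(is_suspected_intrusion(model, level)) == y)
    return correct / len(test)


def suspected_intrusion_threshold(model, level, access_count):
    """K = target intrusion probability x access count, rounded up.

    Claim 7 requires K to be an integer greater than 1, so K is floored at 2
    (assumption of this example); it can never exceed the access count."""
    p = intrusion_probability(model, level)
    return max(2, min(access_count, math.ceil(p * access_count)))


if __name__ == "__main__":
    model = train_decision_maker(SAMPLES)
    for level in (2, 5, 9):
        print("level", level, "-> intrusion probability", round(intrusion_probability(model, level), 3))
    print("hold-out accuracy:", holdout_accuracy(SAMPLES))
    print("K for level 3 over 800 accesses:", suspected_intrusion_threshold(model, 3, 800))
```

With the constructed data the fitted weight on the security level is negative, so a smaller level yields a larger intrusion probability, which is exactly the mapping the description relies on; a real deployment would replace the constructed samples with the historical security levels and intrusion outcomes of the target database and add the features listed above.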
Step A600: and performing suspicious intrusion decision division on the calling duration array according to the suspicious intrusion frequency threshold value to obtain a plurality of suspicious intrusion behaviors, and combining the database security level to serve as a network security test result of a target database.
Further, step A600 of the present application further includes:
Step A610: acquiring a sample call duration set;
Step A620: constructing multi-layer partition nodes on the basis of an isolation tree using the plurality of sample call durations in the sample call duration set, and obtaining a suspected call duration partition tree;
Step A630: inputting the call duration array into the suspected call duration partition tree, dividing the call duration array through the plurality of layers of partition nodes, and outputting the first K call durations that are divided into single data as K suspected call durations, where K is the suspected intrusion count threshold and is an integer greater than 1;
Step A640: outputting the K access behaviours corresponding to the K suspected call durations as suspected intrusion behaviours, and obtaining the plurality of suspected intrusion behaviours.
In the present application, the call duration array is subjected to suspected intrusion decision division according to the suspected intrusion count threshold: the plurality of call durations in the call duration array are isolated and divided, and the accesses corresponding to the first K call durations that are divided into single data are regarded as suspected intrusion behaviours, where K is the suspected intrusion count threshold and is an integer greater than 1. A sample call duration set is extracted from the call duration array, and multi-layer partition nodes are constructed on the basis of an isolation tree using the plurality of sample call durations in the sample call duration set, obtaining the suspected call duration partition tree. At each layer of partition nodes the input call duration array is divided into two sets, one greater than and one smaller than the call duration at that node, and the division is iterated layer by layer. If a call duration is abnormal, the probability that it is divided into single data early is relatively large, so the first K call durations divided into single data are output as the K suspected call durations, and the K access behaviours corresponding to them are output as the suspected intrusion behaviours. Exemplarily, if the normal call duration of the login interface is about 5 seconds, a call duration that differs greatly from 5 seconds is separated from the normal durations by the first few partition nodes and is therefore far more likely to be divided into single data than a normal one. In this way, the accuracy of the network security test based on the
intrusion detection technology is improved.
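The following Python program is an added worked example of steps A610 to A640 and is not code from the patent or its applicant. It builds the suspected call duration partition tree as a set of isolation trees over the sample call durations (taken from the call duration array itself, as the description says), scores each call duration by the depth at which it is divided into single data, averaged over the trees, and outputs the K call durations isolated earliest together with the index of the corresponding access behaviour. The call duration array (seconds, normal values around 5 s as in the text), K, the number of trees, the depth limit and the random seed are assumptions of the example.

```python
"""Suspected intrusion decision division of the call duration array.

Added example, not the patent's own code. Isolation trees over the call
durations; the K durations divided into single data earliest are the
suspected call durations. Durations, K, tree count, depth limit and seed
are assumptions of this example.
"""
import math
import random

# Constructed call duration array of the login interface (seconds); the index
# of each entry identifies the corresponding access behaviour.
CALL_DURATIONS = [4.8, 5.1, 5.0, 4.9, 5.3, 5.2, 4.7, 5.0, 0.3, 5.1,
                  4.9, 42.0, 5.0, 5.2, 0.2, 4.8]


def build_partition_tree(sample, rng, depth=0, max_depth=8):
    """One suspected call duration partition tree.

    Each partition node draws a random cut between the smallest and largest
    duration it holds and divides the set into a 'smaller' and a 'greater'
    side; growth stops at single data, identical data or the depth limit."""
    if depth >= max_depth or len(sample) <= 1 or min(sample) == max(sample):
        return {"size": len(sample)}
    cut = rng.uniform(min(sample), max(sample))
    return {
        "cut": cut,
        "smaller": build_partition_tree([x for x in sample if x < cut], rng, depth + 1, max_depth),
        "greater": build_partition_tree([x for x in sample if x >= cut], rng, depth + 1, max_depth),
    }


def _average_unsuccessful_search_length(n):
    """Expected extra depth for a leaf still holding n values (isolation-forest c(n))."""
    if n <= 1:
        return 0.0
    if n == 2:
        return 1.0
    harmonic = math.log(n - 1) + 0.5772156649  # H(n-1) via Euler's constant
    return 2.0 * harmonic - 2.0 * (n - 1) / n


def isolation_depth(value, node, depth=0):
    """Depth at which `value` is divided into single data by this tree."""
    if "cut" not in node:
        return depth + _average_unsuccessful_search_length(node["size"])
    child = node["smaller"] if value < node["cut"] else node["greater"]
    return isolation_depth(value, child, depth + 1)


def suspected_intrusions(durations, k, n_trees=100, seed=7):
    """Return [(index, duration, mean isolation depth)] for the K call
    durations that are divided into single data earliest; K must be > 1."""
    if k <= 1:
        raise ValueError("the suspected intrusion count threshold K must be greater than 1")
    rng = random.Random(seed)
    # the sample call duration set is the call duration array itself
    trees = [build_partition_tree(durations, rng) for _ in range(n_trees)]
    scored = []
    for index, d in enumerate(durations):
        mean_depth = sum(isolation_depth(d, t) for t in trees) / n_trees
        scored.append((index, d, mean_depth))
    scored.sort(key=lambda item: item[2])  # shallowest isolation first
    return scored[:k]


if __name__ == "__main__":
    for index, d, depth in suspected_intrusions(CALL_DURATIONS, 3):
        print(f"access #{index}: call duration {d} s, mean isolation depth {depth:.2f}")
```

With the constructed array the three accesses flagged are the 42 s call and the two sub-second calls; the normal durations clustered around 5 s need several more partition layers before they are isolated, which is the property the description relies on. Note that a single tree is noisy because each cut is random, which is why the depth is averaged over many trees.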
In summary, the network security testing method based on the intrusion detection technology provided by the embodiment of the present application has at least the following technical effects: reasonable and accurate intrusion monitoring is realized, and network security is improved.
Example two
Based on the same inventive concept as the network security testing method based on the intrusion detection technology in the foregoing embodiments, as shown in fig. 2, the present application provides a network security testing system based on the intrusion detection technology, the system comprising:
The first array acquisition module 1 is used for acquiring the accessed time of the target database in a preset time period and acquiring an access time array;
the second array acquisition module 2 is used for acquiring the calling duration of the login interface in the process that the target database is accessed for a plurality of times in the preset time period, and acquiring a calling duration array;
The dimension reduction module 3 is used for performing dimension reduction processing on the access time array and the call duration array to obtain a dimension reduction access time array and a dimension reduction call duration array, wherein the dimension reduction processing is performed on the access time array by calculating the distribution probability of a plurality of access times;
The correction calculation module 4 is used for carrying out network security analysis and calculation of the target database according to the dimension reduction access time array and the dimension reduction call time length array, and carrying out correction calculation according to the dimension reduction feature restoration degree of the dimension reduction access time array and the dimension reduction call time length array to obtain the security level of the database;
the threshold setting module 5 is used for setting a suspected intrusion number threshold according to the database security level and the number of times the target database is accessed in a preset time period;
the test result module 6 is configured to perform suspected intrusion decision division on the call duration array according to the suspected intrusion count threshold, obtain a plurality of suspected intrusion behaviours, and combine them with the database security level to serve as the network security test result of the target database.
Further, the system further comprises:
The time setting module is used for obtaining preset access time, wherein the preset access time is the midpoint time of the preset time period;
the third array acquisition module is used for calculating and acquiring the distribution probability of a plurality of access times and the preset access time in the access time array according to the preset access time to obtain a distribution probability array, wherein the intervals of the access time and the preset access time are inversely related to the distribution probability;
The first calculation module is used for randomly generating a first dimension reduction access time array according to the access time array, taking the first dimension reduction access time array as a stage dimension reduction result, and combining the preset access time to calculate and obtain a first dimension reduction distribution probability array, wherein the first dimension reduction access time array comprises dimension reduction access time of the dimension reduction quantity;
The first analysis module is used for analyzing the similarity of the distribution probability array and the first dimension reduction distribution probability array to obtain first dimension reduction similarity;
the second calculation module is used for continuing to randomly generate a second dimension reduction access time array and calculating to obtain a second dimension reduction similarity;
The first updating module is used for judging and updating the step dimension reduction result according to the second dimension reduction similarity and the first dimension reduction similarity;
the fourth array acquisition module is used for continuing to perform dimension reduction optimization processing on the stage dimension reduction result until convergence is achieved, so as to obtain the dimension reduction access time array with the maximum dimension reduction similarity;
the time dimension reduction module is used for carrying out dimension reduction processing on the call time length array based on historical average call time length to obtain the dimension reduction call time length array.
Further, the system further comprises:
the evaluation module is used for acquiring a sample distribution probability array set and a sample dimension reduction distribution probability array set and evaluating and acquiring a sample dimension reduction similarity set;
The path construction module is used for constructing a dimension reduction similarity analysis path by adopting the sample distribution probability array set, the sample dimension reduction distribution probability array set and the sample dimension reduction similarity set;
The second analysis module is used for analyzing the distribution probability array and the first dimension reduction distribution probability array based on the dimension reduction similarity analysis path to obtain the first dimension reduction similarity.
Further, the system further comprises:
The interval generation module is used for generating an update probability distribution according to the second dimension reduction similarity and the first dimension reduction similarity, wherein the update probability distribution comprises a first probability interval and a second probability interval which are in direct proportion to the magnitudes of the second dimension reduction similarity and the first dimension reduction similarity;
and the second updating module is used for randomly generating random numbers larger than 0 and smaller than 1, and updating the first dimension reduction access time array or the second dimension reduction access time array into a step dimension reduction result according to probability intervals in which the random numbers fall in the updating probability distribution.
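The following Python program is an added worked example of the dimension reduction of the access time array described by the time setting, third array acquisition, first and second calculation, first and second updating and fourth array acquisition modules above, including the update probability distribution of the second updating module; it is not code from the patent or its applicant. The description fixes neither the form of the distribution probability nor how two arrays of different length are compared, so this example assumes that the distribution probability of an access time is proportional to 1/(1 + |t - t0| / half period), t0 being the midpoint of the period, that two distribution probability arrays are compared by binning their mass over the period and taking 1 minus the total variation distance as the similarity, and that convergence is reached when the best similarity has not improved for a fixed number of candidates. The access times, the period, the bin count and the seed are constructed. The similarity returned is the quantity that the correction calculation module later reuses as the dimension reduction feature restoration degree.

```python
"""Distribution-probability dimension reduction of the access time array.

Added example, not the patent's own code. Assumptions: probability form
1/(1 + |t - t0|/half period), similarity = 1 - total variation distance of
binned mass, convergence = no improvement for `patience` candidates.
"""
import random

# Constructed access time array: seconds after the start of a 3600 s period.
ACCESS_TIMES = [120, 340, 610, 905, 1150, 1320, 1490, 1580, 1640, 1700,
                1745, 1790, 1830, 1860, 1905, 1950, 2010, 2080, 2170, 2290,
                2410, 2560, 2740, 2930, 3130, 3350, 3520, 95, 1805, 3590]
PERIOD = (0, 3600)  # preset time period; the preset access time is its midpoint
BINS = 12


def distribution_probability(times, period):
    """Distribution probability array: the larger the interval between an
    access time and the preset (midpoint) access time, the smaller its
    probability (assumed form), normalised to sum to 1."""
    start, end = period
    t0 = (start + end) / 2.0
    half = (end - start) / 2.0
    raw = [1.0 / (1.0 + abs(t - t0) / half) for t in times]
    total = sum(raw)
    return [r / total for r in raw]


def _binned_mass(times, probs, period, bins):
    start, end = period
    width = (end - start) / bins
    mass = [0.0] * bins
    for t, p in zip(times, probs):
        mass[min(bins - 1, int((t - start) / width))] += p
    return mass


def dimension_reduction_similarity(times, reduced_times, period, bins=BINS):
    """Similarity of the distribution probability array of `times` and the
    dimension reduction distribution probability array of `reduced_times`:
    1 - total variation distance of their binned mass (1.0 means identical)."""
    full = _binned_mass(times, distribution_probability(times, period), period, bins)
    red = _binned_mass(reduced_times, distribution_probability(reduced_times, period), period, bins)
    return 1.0 - 0.5 * sum(abs(a - b) for a, b in zip(full, red))


def reduce_access_times(times, period, reduction_count, seed=1, max_candidates=500, patience=60):
    """Random-search dimension reduction with the probabilistic update rule.

    Returns (dimension reduction access time array, its similarity)."""
    rng = random.Random(seed)
    # first dimension reduction access time array, taken as the stage result
    stage = rng.sample(times, reduction_count)
    stage_sim = dimension_reduction_similarity(times, stage, period)
    best, best_sim = stage, stage_sim
    unimproved = 0
    for _ in range(max_candidates):
        # second dimension reduction access time array and its similarity
        candidate = rng.sample(times, reduction_count)
        cand_sim = dimension_reduction_similarity(times, candidate, period)
        # update probability distribution: a first interval proportional to the
        # stage similarity and a second proportional to the candidate's; a
        # random number in (0, 1) that falls in the second interval replaces
        # the stage result with the candidate, so better candidates win more
        # often while worse ones are still sometimes accepted
        total = stage_sim + cand_sim
        if total > 0 and rng.random() < cand_sim / total:
            stage, stage_sim = candidate, cand_sim
        if stage_sim > best_sim:
            best, best_sim = stage, stage_sim
            unimproved = 0
        else:
            unimproved += 1
            if unimproved >= patience:  # convergence
                break
    return sorted(best), best_sim


if __name__ == "__main__":
    reduced, sim = reduce_access_times(ACCESS_TIMES, PERIOD, 8)
    print("dimension reduction access time array:", reduced)
    print("dimension reduction similarity (feature restoration degree):", round(sim, 3))
```

Because the update rule accepts a worse candidate with probability proportional to its similarity, the stage result can drift; the array returned is therefore the best one seen, which is what "the dimension reduction access time array with the maximum dimension reduction similarity" requires. The similarity analysis path trained from samples in the next module group would replace the fixed binned comparison used here.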
Further, the system further comprises:
the first set acquisition module is used for acquiring a sample dimension reduction access time array set and a sample dimension reduction call duration array set and acquiring a sample security level set;
the branch construction module is used for constructing a time security recognition branch and a duration security recognition branch by respectively adopting the sample dimension reduction access time array set and the sample dimension reduction call duration array set in combination with the sample security level set, obtaining a security recognition path;
the analysis and identification module is used for analyzing and identifying the dimension reduction access time array and the dimension reduction call duration array based on the security recognition path, and obtaining the preliminary database security level through weighted calculation;
and the third calculation module is used for acquiring the similarity between the distribution probability arrays and the dimension reduction distribution probability arrays of the dimension reduction access time array and the dimension reduction call duration array as the dimension reduction feature restoration degree, and performing correction calculation on the preliminary database security level to obtain the database security level.
Further, the system further comprises:
The access module is used for obtaining the number of times that the target database is accessed in a preset time period and obtaining access number information;
The decision maker construction module is used for acquiring a sample security level set and a sample intrusion probability set and constructing an intrusion probability decision maker based on decision data;
And the fourth calculation module is used for carrying out classification decision on the security level of the database based on the intrusion probability decision-making device to obtain target intrusion probability, and calculating to obtain a suspected intrusion frequency threshold value by combining the access frequency information.
Further, the system further comprises:
The second set acquisition module is used for acquiring a sample calling duration set;
The node construction module is used for constructing a multi-layer partition node by adopting a plurality of sample call durations in the sample call duration set based on the isolated tree to obtain a suspected call duration partition tree;
the dividing module is used for inputting the call duration array into the suspected call duration dividing tree, dividing the call duration array into K suspected call durations by a plurality of layers of dividing nodes, outputting the call durations divided into single data by the first K to be K suspected call durations, wherein K is the suspected intrusion frequency threshold and is an integer greater than 1;
the behavior acquisition module is used for outputting K access behaviors corresponding to the K suspected call durations as suspected intrusion behaviors and obtaining the suspected intrusion behaviors.
The foregoing detailed description of the network security testing method based on the intrusion detection technology will clearly enable those skilled in the art to understand the network security testing system based on the intrusion detection technology of this embodiment. Since the system disclosed in the embodiment corresponds to the method disclosed in the embodiment, its description is relatively brief, and the relevant points can be found in the description of the method.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (8)

1. The network security testing method based on the intrusion detection technology is characterized by comprising the following steps:
Acquiring the accessed time of a target database in a preset time period, and obtaining an access time array;
Collecting the calling duration of the login interface in the process that the target database is accessed for a plurality of times in the preset time period, and obtaining a calling duration array;
Performing dimension reduction processing on the access time array and the call duration array to obtain a dimension reduction access time array and a dimension reduction call duration array, wherein the dimension reduction processing is performed on the access time array by calculating the distribution probability of a plurality of access times;
according to the dimension reduction access time array and the dimension reduction call time length array, carrying out network security analysis and calculation of the target database, and carrying out correction calculation according to the dimension reduction feature restoration degree of the dimension reduction access time array and the dimension reduction call time length array to obtain the security level of the database, wherein the similarity between the dimension reduction distribution probability array of the dimension reduction access time array and the dimension reduction call time length array and the distribution probability array of the access time array and the call time length array is obtained and is used as the dimension reduction feature restoration degree;
setting a suspected intrusion frequency threshold according to the security level of the database and the frequency of the target database accessed in a preset time period;
And performing suspicious intrusion decision division on the calling duration array according to the suspicious intrusion frequency threshold value to obtain a plurality of suspicious intrusion behaviors, and combining the database security level to serve as a network security test result of a target database.
2. The method of claim 1, wherein performing the dimension reduction process on the access time array and the call time array comprises:
acquiring preset access time, wherein the preset access time is the midpoint time of the preset time period;
Calculating and acquiring distribution probabilities of a plurality of access times and the preset access time in the access time array according to the preset access time to obtain a distribution probability array, wherein the magnitudes of intervals of the access time and the preset access time are inversely related to the magnitudes of the distribution probabilities;
According to the access time array, randomly generating a first dimension-reduction access time array as a step dimension-reduction result, and combining the preset access time to calculate and obtain a first dimension-reduction distribution probability array, wherein the first dimension-reduction access time array comprises dimension-reduction access time of dimension-reduction quantity;
analyzing the similarity of the distribution probability array and the first dimension reduction distribution probability array to obtain first dimension reduction similarity;
continuously randomly generating a second dimension reduction access time array, and calculating to obtain a second dimension reduction similarity;
Judging and updating the step dimension reduction result according to the second dimension reduction similarity and the first dimension reduction similarity;
Continuing to perform dimension reduction optimization processing on the stage dimension reduction result until convergence is achieved, and obtaining the dimension reduction access time array with the maximum dimension reduction similarity;
And performing dimension reduction processing on the call duration array based on the historical average call duration to obtain the dimension reduction call duration array.
3. The method of claim 2, wherein analyzing the similarity of the distribution probability array and the first dimension-reduction distribution probability array to obtain a first dimension-reduction similarity comprises:
Acquiring a sample distribution probability array set and a sample dimension reduction distribution probability array set, and evaluating and acquiring a sample dimension reduction similarity set;
The sample distribution probability array set, the sample dimension reduction distribution probability array set and the sample dimension reduction similarity set are adopted to construct a dimension reduction similarity analysis path;
And analyzing the distribution probability array and the first dimension reduction distribution probability array based on the dimension reduction similarity analysis path to obtain the first dimension reduction similarity.
4. The method of claim 2, wherein the step of updating the step-wise dimension reduction result based on the second dimension reduction similarity and the first dimension reduction similarity comprises:
Generating an update probability distribution according to the second dimension reduction similarity and the first dimension reduction similarity, wherein the update probability distribution comprises a first probability interval and a second probability interval which are in direct proportion to the magnitudes of the second dimension reduction similarity and the first dimension reduction similarity;
And randomly generating a random number larger than 0 and smaller than 1, and updating the first dimension reduction access time array or the second dimension reduction access time array into a step dimension reduction result according to a probability interval in which the random number falls in the updating probability distribution.
5. The method of claim 2, wherein performing network security analysis and calculation of the target database according to the dimension reduction access time array and the dimension reduction call duration array, and performing correction calculation according to dimension reduction feature restoration degrees of the dimension reduction access time array and the dimension reduction call duration array, comprises:
Acquiring a sample dimension reduction access time array set and a sample dimension reduction call duration array set, and acquiring a sample security level set;
Respectively adopting the sample dimension-reduction access time array set and the sample dimension-reduction call duration array set, and constructing a time security recognition branch and a duration security recognition branch in combination with the sample security level set to obtain a security recognition path;
based on the safety recognition path, analyzing and recognizing the dimension reduction access time array and the dimension reduction call time array, and weighting and calculating to obtain a preliminary database safety level;
And obtaining the similarity of the distribution probability array and the dimension reduction distribution probability array of the dimension reduction access time array and the dimension reduction calling time length array as the dimension reduction characteristic restoration degree, and carrying out correction calculation on the preliminary database security level to obtain the database security level.
6. The method of claim 1, wherein setting a suspected intrusion count threshold based on the database security level and the number of times the target database is accessed within a preset time period comprises:
acquiring the number of times that the target database is accessed in a preset time period, and acquiring access number information;
acquiring a sample security level set and a sample intrusion probability set, and constructing an intrusion probability decision-making machine based on decision-making data;
and based on the intrusion probability decision-making device, carrying out classification decision on the database security level to obtain target intrusion probability, and calculating to obtain a suspected intrusion frequency threshold by combining the access frequency information.
7. The method of claim 1, wherein performing a suspected intrusion decision-making on the array of call durations according to the suspected intrusion count threshold to obtain a plurality of suspected intrusion behaviors, comprises:
Acquiring a sample calling duration set;
Based on the isolated tree, constructing a multi-layer partition node by adopting a plurality of sample call durations in the sample call duration set, and obtaining a suspected call duration partition tree;
inputting the call duration array into the suspected call duration division tree, dividing the call duration array into K suspected call durations by a plurality of layers of division nodes, and outputting the first K call durations divided into single data into K suspected call durations, wherein K is the suspected intrusion frequency threshold and is an integer greater than 1;
and outputting the K access behaviors corresponding to the K suspected call durations as suspected intrusion behaviors, and obtaining the multiple suspected intrusion behaviors.
8. A network security testing system based on intrusion detection technology, the system comprising:
the first array acquisition module is used for acquiring the accessed time of the target database in a preset time period and acquiring an access time array;
the second array acquisition module is used for acquiring the calling duration of the login interface in the process that the target database is accessed for a plurality of times in the preset time period and acquiring a calling duration array;
The dimension reduction module is used for carrying out dimension reduction processing on the access time array and the call duration array to obtain a dimension reduction access time array and a dimension reduction call duration array, wherein the dimension reduction processing is carried out on the access time array by calculating the distribution probability of a plurality of access times;
The correction calculation module is used for carrying out network security analysis and calculation of the target database according to the dimension reduction access time array and the dimension reduction call time length array, and carrying out correction calculation according to the dimension reduction feature restoration degree of the dimension reduction access time array and the dimension reduction call time length array to obtain the security level of the database, wherein the similarity between the dimension reduction distribution probability array of the dimension reduction access time array and the dimension reduction call time length array and the distribution probability array of the access time array and the call time length array is obtained and used as the dimension reduction feature restoration degree;
The threshold setting module is used for setting a suspected intrusion frequency threshold according to the database security level and the frequency of the target database accessed in a preset time period;
the test result module is used for carrying out suspicious intrusion decision division on the calling duration array according to the suspicious intrusion frequency threshold value to obtain a plurality of suspicious intrusion behaviors, and combining the database security level to serve as a network security test result of a target database.
CN202410430414.1A 2024-04-11 2024-04-11 Network security testing method and system based on intrusion detection technology Active CN118041692B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410430414.1A CN118041692B (en) 2024-04-11 2024-04-11 Network security testing method and system based on intrusion detection technology

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410430414.1A CN118041692B (en) 2024-04-11 2024-04-11 Network security testing method and system based on intrusion detection technology

Publications (2)

Publication Number Publication Date
CN118041692A CN118041692A (en) 2024-05-14
CN118041692B true CN118041692B (en) 2024-06-11

Family

ID=90989710

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410430414.1A Active CN118041692B (en) 2024-04-11 2024-04-11 Network security testing method and system based on intrusion detection technology

Country Status (1)

Country Link
CN (1) CN118041692B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005189996A (en) * 2003-12-24 2005-07-14 Fuji Electric Holdings Co Ltd Network intrusion detection system
CN106209902A (en) * 2016-08-03 2016-12-07 常熟高新技术创业服务有限公司 A kind of network safety system being applied to intellectual property operation platform and detection method
WO2020016906A1 (en) * 2018-07-16 2020-01-23 Sriram Govindan Method and system for intrusion detection in an enterprise
CN115150206A (en) * 2022-09-06 2022-10-04 广东广泰信息科技有限公司 Intrusion detection safety early warning system and method for information safety
CN115883198A (en) * 2022-11-30 2023-03-31 中国电子科技集团公司第五十四研究所 Multi-factor network abnormal behavior detection method
CN116644298A (en) * 2023-06-14 2023-08-25 中国平安财产保险股份有限公司 Method for detecting performance of network attack detection model and related equipment thereof
CN116994167A (en) * 2023-08-09 2023-11-03 国网河南省电力公司信息通信分公司 Website security monitoring method based on machine learning algorithm

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7784099B2 (en) * 2005-02-18 2010-08-24 Pace University System for intrusion detection and vulnerability assessment in a computer network using simulation and machine learning

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Wireless network intrusion detection model and safety enhancement framework for campus network; Qingyuan Shan; 2022 4th International Conference on Smart Systems and Inventive Technology (ICSSIT); 2022-02-25; full text *
Research on detection methods for malicious web page traffic on cloud platforms; 沈昊; Master's Theses Electronic Journal; 2023-09-15; full text *
Application analysis of computer database intrusion detection technology; 许颖; 孙琦; Electronic Technology & Software Engineering; 2016-07-28 (No. 15); full text *

Also Published As

Publication number Publication date
CN118041692A (en) 2024-05-14

Similar Documents

Publication Publication Date Title
US20180260723A1 (en) Anomaly detection for context-dependent data
CN105677791B (en) Method and system for analyzing operation data of a wind power generating set
CN110381079B (en) Method for detecting network log abnormity by combining GRU and SVDD
CN107493277B (en) Online anomaly detection method for big data platforms based on maximum information coefficient
CN112910859B (en) Internet of things equipment monitoring and early warning method based on C5.0 decision tree and time sequence analysis
CN113378990B (en) Flow data anomaly detection method based on deep learning
CN111177714A (en) Abnormal behavior detection method and device, computer equipment and storage medium
CN111782484B (en) Anomaly detection method and device
CN112422531A (en) CNN and XGboost-based network traffic abnormal behavior detection method
CN114090396A (en) Cloud environment multi-index unsupervised anomaly detection and root cause analysis method
CN111460441A (en) Network intrusion detection method based on batch normalization convolutional neural network
CN111695597A (en) Credit fraud group recognition method and system based on improved isolated forest algorithm
CN114422184A (en) Network security attack type and threat level prediction method based on machine learning
CN115987615A (en) Network behavior safety early warning method and system
Zheng Intrusion detection based on convolutional neural network
CN116842459B (en) Electric energy metering fault diagnosis method and diagnosis terminal based on small sample learning
CN115858794B (en) Abnormal log data identification method for network operation safety monitoring
CN115237717A (en) Microservice anomaly detection method and system
CN114338351B (en) Network anomaly root cause determination method and device, computer equipment and storage medium
CN117170915A (en) Data center equipment fault prediction method and device and computer equipment
CN110166422A (en) Domain name behavior recognition method, apparatus, readable storage medium and computer equipment
CN115858606A (en) Method, device and equipment for detecting anomalies in time series data, and storage medium
CN118041692B (en) Network security testing method and system based on intrusion detection technology
CN116405306A (en) Information interception method and system based on abnormal flow identification
Febriansyah et al. Outlier detection and decision tree for wireless sensor network fault diagnosis

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant