Storage abnormal detecting method based on artificial immunity

An anomaly detection and artificial immunization technology, which is applied in the fields of instruments, calculations, electrical digital data processing, etc., can solve problems such as inability to diagnose users, inability to achieve storage anomaly active defense capabilities, and failure to reach

Inactive Publication Date: 2009-06-17
HUAZHONG UNIV OF SCI & TECH

AI Technical Summary

Problems solved by technology

But none of them can diagnose the user's access behavior.
For example, if an intruder uses a stolen account, the authentication subsystem in the storage system will regard the intruder as a legitimate user, and the intruder can threaten the storage system and even destroy existing stored data; that is, the traditional authentication system cannot effectively detect ultra vires (unauthorized) behavior by apparently legitimate users.
[0003] In recent years, some researchers have proposed new techniques such as rule-based filtering, statistical analysis, pattern matching, hidden Markov models, and data mining. These have, to a certain extent, remedied flaws of traditional storage anomaly detection such as its inability to detect user behavior and its low detection rate, but they all have inherent technical deficiencies.
For example, rule-based filtering defines a set of rules in advance and then matches the user's access behavior against them; that is, it works on the principle of preset feature analysis. Its rule updates lag behind the means of attack, so it cannot achieve active defense against storage anomalies and is neither real-time nor adaptive.
Statistical analysis methods, such as Bayesian statistical methods, also have the problem that the threshold is difficult to determine effectively. Here, the threshold is the critical value for judging whether a behavior is abnormal. If the threshold is too small, a large number of false positives will be generated; if it is too large, a large number of false negatives will be generated. These are all passive security protection measures, which can only detect abnormal characteristics under predefined rules and are powerless against new types of storage anomalies. Therefore, the detection rate cannot be guaranteed, and they cannot meet the requirements of a storage security system in the true sense.

Examples

Embodiment Construction

[0017] In large-scale storage systems, it is difficult to detect anomalies in all data because the data volume is usually huge. Metadata is information describing other data, that is, data about data. Abnormal read/write access requests are identified by monitoring the metadata associated with user accesses. This reduces the computational and design complexity of the detection system. The method is modeled on the immune principle of the biological immune system: it borrows the mechanism by which organisms generate antibodies and match them against antigens, and ultimately distinguishes 'self' from 'non-self'. The invention is described in further detail below with reference to the accompanying drawings and examples.

[0018] How is storage metadata obtained? First, the system call of the access request is intercepted; then the access control mode and MD5 value of the requested file are combined to form the storage metadata data structure shown in Figure 1, which includes file name, user ...

Abstract

The invention discloses a storage anomaly detection method based on artificial immunity. It adopts the non-self detection mechanism of the natural immune system to judge the legitimacy of data read/write requests, and performs immune anomaly detection by monitoring the storage metadata formed by those requests. It introduces mechanisms of the natural immune system such as self-learning and forgetting: after each detection of a user's read/write request, the weight value of the detector is refreshed, and detectors are periodically eliminated or rebuilt according to their weight values, so as to adapt to the new non-self patterns that continually appear in the storage system. This detector refresh mechanism distinguishes the method from prior storage anomaly detection technology: it realizes genuinely intelligent anomaly detection, has artificial-intelligence characteristics such as self-learning and self-adaptation, and can effectively recognize newly appearing anomalies.
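The detector lifecycle the abstract describes (non-self detection, a weight refresh after every request, periodic elimination and rebuilding) can be sketched as follows; this is an added example, not code from the patent. The four-field record encoding, the "at least 3 of 4 fields agree" matching rule, the gain, decay and threshold values, and all names are assumptions made for illustration.

```python
from itertools import product

# Constructed, simplified metadata record: (user, file name, access mode, MD5 state).
DOMAINS = (("alice", "bob"), ("ledger.db", "app.log", "keys.pem"),
           ("r", "w"), ("same", "changed"))
# Constructed "self" set: access requests observed during normal operation.
SELF = [("alice", "ledger.db", "r", "same"), ("alice", "ledger.db", "w", "changed"),
        ("bob", "app.log", "r", "same"), ("bob", "app.log", "w", "changed")]

def matches(detector, record, r=3):
    """Assumed affinity rule: match when at least r of the 4 fields agree."""
    return sum(a == b for a, b in zip(detector, record)) >= r

class DetectorPool:
    def __init__(self, self_set, size, start_weight=1.0):
        # Negative selection: a candidate that matches any self record is discarded.
        # Candidates are enumerated (not sampled) so the run is reproducible.
        self.tolerant = [c for c in product(*DOMAINS)
                         if not any(matches(c, s) for s in self_set)]
        self.size, self.start_weight = size, start_weight
        self.cursor, self.weights = 0, {}
        self.rebuild()

    def rebuild(self):
        """Top the pool back up with the next tolerant candidates."""
        for _ in range(len(self.tolerant)):
            if len(self.weights) >= self.size:
                break
            cand = self.tolerant[self.cursor % len(self.tolerant)]
            self.cursor += 1
            self.weights.setdefault(cand, self.start_weight)

    def check(self, record, gain=1.0, decay=0.5):
        """Return True if the request is non-self, then refresh every weight."""
        fired = {d for d in self.weights if matches(d, record)}
        for d, w in list(self.weights.items()):
            # learning for detectors that fired, forgetting (decay) for the rest
            self.weights[d] = w + gain if d in fired else w * decay
        return bool(fired)

    def maintain(self, min_weight=0.2):
        """Periodic step: eliminate low-weight detectors, then rebuild the pool."""
        dropped = [d for d, w in self.weights.items() if w < min_weight]
        for d in dropped:
            del self.weights[d]
        self.rebuild()
        return dropped

if __name__ == "__main__":
    pool = DetectorPool(SELF, size=6)
    stolen = ("bob", "keys.pem", "r", "same")  # constructed abnormal request
    print(pool.check(stolen), pool.check(("alice", "app.log", "w", "changed")))
    pool.check(SELF[0])
    print(pool.maintain(), pool.check(stolen))
```

With a pool of six detectors, the first abnormal request is missed because no current detector covers it; after idle detectors are forgotten and the pool is rebuilt, the same request is flagged, while detectors that fired earlier keep their place.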

Description

Technical field

[0001] The invention belongs to the field of computer storage security, and in particular relates to a storage anomaly detection method based on artificial immunity. This method detects anomalies in the storage system by analyzing the storage metadata. It not only has artificial-intelligence characteristics such as self-learning, self-adaptation, and computational parallelism, but can also achieve a high detection rate and a low false alarm rate.

Background technique

[0002] Anomaly detection usually refers to storing the user's normal behavior characteristics in a characteristic database and then comparing the user's current behavior characteristics with those in the database. If the deviation between the two exceeds a certain range, an abnormality is considered to have occurred. Here, the relevant behaviors or phenomena such as violating access rules and destroying integrity in the s...

Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/00, G06F17/30, G06F21/78
Inventor: 谢长生, 黄建忠, 陈云亮, 方允福, 李欣
Owner: HUAZHONG UNIV OF SCI & TECH