Network penetration identification method based on interactive behavior analysis

A network penetration identification method, applied in the field of electrical components, transmission systems, etc., that addresses problems such as high complexity, sensitivity to behavior data, and thresholds that cannot be adaptively adjusted, and improves training speed and accuracy.

Inactive Publication Date: 2019-08-16
哈尔滨英赛克信息技术有限公司

AI Technical Summary

Problems solved by technology

[0003] There are many papers on attack recognition, but they mainly fall into the following categories. The first is based on statistical analysis: this method achieves a high detection rate for anomalies that show obvious changes in data statistics, but it usually requires a threshold, and when the behavior pattern changes the threshold cannot be adjusted adaptively. The second is based on data mining: this method is especially suitable for analyzing massive volumes of behavior and mining the relationships between behaviors, but the mining algorithm is sensitive to the behavior data. The third is based on machine learning: this method does not require prior knowledge from domain experts, but it is complex and requires a long training time.

Examples


Embodiment Construction

[0022] The technical solution of the present invention will be further described below in conjunction with the accompanying drawings, but it is not limited thereto. Any modification or equivalent replacement of the technical solution of the present invention that does not depart from its spirit and scope should be covered within the scope of protection of the present invention.

[0023] The present invention provides a network penetration identification method based on interactive behavior analysis. As shown in Figure 1, the specific steps of the method are as follows:

[0024] Step 1. Data preprocessing

[0025] (1) Use Sebek to collect interactive behavior data.

[0026] Sebek is a security tool that captures the keystroke records of the host. The captured data format is: [timestamp IP address process ID command user ID] text, where:

[0027] The timestamp indicates the time of the keystroke;

[0028] The IP addre...


Abstract

The invention discloses a network penetration identification method based on interactive behavior analysis. The method comprises the following steps: a Sebek client collects the interactive behavior data of a honeypot machine as the analysis object; feature extraction and cleaning, feature classification and feature coding are carried out on the collected data to form a feature sequence; because an interactive behavior feature sequence has indeterminate length and is time-ordered, an LSTM model is adopted as the attack recognition classifier; the activation function, loss function and gradient descent algorithm are each analyzed and suitable choices are selected for the model; and the trained model is then optimized through repeated hyper-parameter tuning. Modeling follows the time order in which the behavior data features were captured, the features are screened to reduce the feature dimension, and feature coding improves the training speed and precision of the model. Through repeated parameter-tuning training, the penetration attack identification accuracy and the false alarm rate of the model are obviously superior to those of other models.
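The preprocessing stage described in paragraph [0026] and in the abstract (parse Sebek records, clean them, order them by capture time, encode them into a fixed-length feature sequence for an LSTM) can be sketched as follows. This is an added example, not code from the patent: the whitespace-separated header, the epoch timestamps, the feature classes and their integer codes are all assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict

# Assumed layout: "[timestamp ip pid command uid] text", whitespace-separated header.
RECORD = re.compile(r"^\[(\d+) (\S+) (\d+) (\S+) (\d+)\] ?(.*)$")

# Hypothetical feature classes and codes (not from the patent); 0 is reserved for padding.
CODES = {"pad": 0, "other": 1, "sysinfo": 2, "file": 3, "process": 4}
CLASS_OF = {"uname": "sysinfo", "whoami": "sysinfo", "ls": "file", "cat": "file", "ps": "process"}

def parse_line(line):
    """Return a record dict, or None for lines that do not match the layout."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    ts, ip, pid, cmd, uid, text = m.groups()
    return {"ts": int(ts), "ip": ip, "pid": int(pid), "cmd": cmd,
            "uid": int(uid), "text": text.strip()}

def encode(text):
    """Map the first token of the typed text (path stripped) to its class code."""
    token = text.split()[0].rsplit("/", 1)[-1]
    return CODES[CLASS_OF.get(token, "other")]

def build_sequences(log, max_len=4):
    """Clean, order by time, encode, and pad/truncate one sequence per (ip, uid)."""
    sessions = defaultdict(list)
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["text"]:   # cleaning: drop malformed and empty records
            continue
        sessions[(rec["ip"], rec["uid"])].append(rec)
    out = {}
    for key, recs in sessions.items():
        recs.sort(key=lambda r: r["ts"])     # the sequence must follow capture time
        seq = [encode(r["text"]) for r in recs][-max_len:]   # keep the most recent steps
        out[key] = seq + [CODES["pad"]] * (max_len - len(seq))
    return out

# Constructed sample input; addresses are from documentation ranges.
SAMPLE = """\
[1551434401 192.0.2.10 4121 bash 0] uname -a
[1551434405 192.0.2.10 4121 bash 0] cat /etc/hostname
[1551434403 192.0.2.10 4121 bash 0] whoami
[1551434520 198.51.100.7 5210 bash 1000] /bin/ls -la
not a sebek record
[1551434529 198.51.100.7 5210 bash 1000]
[1551434530 198.51.100.7 5210 bash 1000] make
"""
```

The padding code 0 is meant to be masked by the classifier so that short sessions are not read as containing extra behavior steps.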

Description

Technical field

[0001] The invention relates to a network penetration identification method, in particular to a network penetration identification method based on interaction behavior analysis.

Background technique

[0002] A network penetration attack is a systematic, progressive and comprehensive attack method. Its target is clear, its purpose is often not a single one, and the harm is very serious. The attacker carries out the attack in very systematic steps. Having obtained the authority of a website server in the target network, attackers will not be satisfied with controlling this one server, but will use it to continue to invade the target network and obtain the permissions for all hosts in the entire network. To realize the penetration attack, the attacker is not limited to a simple Web script vulnerability attack. Attackers will comprehensively use multiple attack methods such as remo...


Application Information

Patent Type & Authority: Applications (China)
IPC: IPC(8): H04L29/06
CPC: H04L63/1416, H04L63/1441
Inventor: 杨武
Owner: 哈尔滨英赛克信息技术有限公司